Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Security Services Oracle Solaris 10 8/11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
How to Plan Your RBAC Implementation
How to Create and Assign a Role by Using the GUI
How to Create a Role From the Command Line
How to Assume a Role in a Terminal Window
How to Assume a Role in the Solaris Management Console
How to Change the Password of a Role
How to Change the Properties of a Role
How to Create or Change a Rights Profile
How to Change the RBAC Properties of a User
How to Add RBAC Properties to Legacy Applications
10. Role-Based Access Control (Reference)
Part IV Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Oracle Solaris Secure Shell (Tasks)
20. Oracle Solaris Secure Shell (Reference)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Oracle Solaris Auditing
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
RBAC can be configured with the following utilities:
Solaris Management Console GUI – The preferred method for performing RBAC-related tasks is through the GUI. The console tools for managing the RBAC elements are contained in the Users Tool collection.
Solaris Management Console commands – With the Solaris Management Console command-line interfaces, such as smrole, you can operate on any name service. The Solaris Management Console commands require authentication to connect to the server. As a result, these commands are not practical for use in scripts.
Local commands – With the user* and role* set of command-line interfaces, such as useradd, you can operate on local files only. The commands that operate on local files must be run by superuser or by a role with the appropriate privileges.
RBAC can be an integral part of how an organization manages its information resources. Planning requires a thorough knowledge of the RBAC capabilities as well as the security requirements of your organization.
Read Role-Based Access Control (Overview). Using RBAC to administer a system is very different from using conventional UNIX administrative practices. You should be familiar with the RBAC concepts before you start your implementation. For greater detail, see Chapter 10, Role-Based Access Control (Reference).
Your organization's security policy should detail the potential threats to your system, measure the risk of each threat, and have a strategy to counter these threats. Isolating the security-relevant tasks through RBAC can be a part of the strategy. Although you can install the recommended roles and their configurations as is, you might need to customize your RBAC configuration to adhere to your security policy.
Depending on your security needs, you can use varying degrees of RBAC, as follows:
No RBAC – You can perform all tasks as root user. In this configuration, you log in as yourself. Then, you type root as the user when you select a Solaris Management Console tool.
Single Role Only – This method adds one role. The one role is assigned the Primary Administrator rights profile. This method is similar to the superuser model, in that the role has superuser capabilities. However, this method enables you to track the user who has assumed the role.
Recommended Roles – This method creates three roles that are based on the following rights profiles: Primary Administrator, System Administrator, and Operator. The roles are suitable for organizations with administrators at different levels of responsibility.
Custom Roles – You can create your own roles to meet the security requirements of your organization. The new roles can be based on existing or customized rights profiles. To customize rights profiles that enforce separation of duty, see Creating Roles and Users in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
Root User as a Role – This method prevents any user from logging in as root. Instead, users must log in as ordinary users prior to assuming the root role. For details, see How to Make root User Into a Role.
Review the capabilities of the recommended roles and default rights profiles. Default rights profiles enable administrators to configure a recommended role by using a single profile.
Three default rights profiles are available for configuring the recommended roles:
Primary Administrator rights profile – For configuring a role that can perform all administrative tasks, can grant rights to others, and can edit rights that are associated with administrative roles. A user in this role can assign this role to other users, and can grant rights to other users.
System Administrator rights profile – For configuring a role that can perform most administrative tasks that are not related to security. For example, the System Administrator can add new user accounts, but cannot set passwords or grant rights to other users.
Operator rights profile – For configuring a role that can perform simple administrative tasks, such as media backup and printer maintenance.
To further examine rights profiles, read one of the following:
In the /etc/security directory, read the contents of the prof_attr database and the exec_attr database.
In the Solaris Management Console, use the Rights tool to display the contents of a rights profile.
In this book, refer to Contents of Rights Profiles for summaries of some typical rights profiles.
Look for other applications or families of applications at your site that might benefit from restricted access. Applications that affect security, that can cause denial-of-service problems, or that require special administrator training are good candidates for RBAC. You can customize roles and rights profiles to handle the security requirements of your organization.
Check if an existing rights profile can handle this task or if a separate rights profile needs to be created.
Decide if the rights profile for this task should be assigned to an existing role or if a new role should be created. If you use an existing role, check that the other rights profiles are appropriate for users who are assigned to this role.
According to the principle of least privilege, you should assign users to roles that are appropriate to their level of trust. When you prevent users from access to tasks that the users do not need to perform, you reduce potential problems.
To create a new role, you can be superuser, or you can use the Primary Administrator role. In this procedure, the creator of the new role has assumed the role of Primary Administrator.
Before You Begin
You have already created users who can assume a role at your site. If the users are not yet created, create them by following the instructions in Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
You have been assigned the Primary Administrator role by following the procedures in Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
# /usr/sbin/smc &
For login instructions, see How to Assume a Role in the Solaris Management Console.
For possible roles, see Example 9-1 to Example 9-4.
Tip - All tools in the Solaris Management Console display information in the bottom section of the page or at the left side of a wizard panel. Choose Help at any time to find additional information about performing tasks in this interface.
Tip - After filling in the properties of the role, the last dialog box prompts you for a user for the role.
# svcadm restart system/name-service-cache
For more information, see the svcadm(1M) and nscd(1M) man pages.
Example 9-1 Creating a Role for the System Administrator Rights Profile
In this example, the new role can do system administration tasks that are not connected to security. The role is created by performing the preceding procedure with the following parameters:
Role name: sysadmin
Role full name: System Administrator
Role description: Performs non-security admin tasks
Rights profile: System Administrator
This rights profile is at the top of the list of profiles that are included in the role.
Example 9-2 Creating a Role for the Operator Rights Profile
The Operator rights profile can manage printers and back up the system to offline media. You might want to assign the role to one user on each shift. To do so, you would select the role mailing list option in the Step 1: Enter a Role Name dialog box. The role is created by performing the preceding procedure with the following parameters:
Role name: operadm
Role full name: Operator
Role description: Backup operator
Rights profile: Operator
This rights profile must be at the top of the list of profiles that are included in the role.
Example 9-3 Creating a Role for a Security-Related Rights Profile
By default, the only rights profile that contains security-related commands and rights is the Primary Administrator profile. If you want to create a role that is not as powerful as Primary Administrator, but can handle some security-related tasks, you must create the role.
In the following example, the role protects devices. The role is created by performing the preceding procedure with the following parameters:
Role full name: Device Security
Role description: Configures Devices
Rights profile: Device Security
In the following example, the role secures systems and hosts on the network. The role is created by performing the preceding procedure with the following parameters:
Role full name: Network Security
Role description: Handles IPsec, IKE, and SSH
Rights profile: Network Security
Example 9-4 Creating a Role for a Rights Profile With Limited Scope
A number of rights profiles are of limited scope. In this example, the sole task of the role is to manage DHCP. The role is created by performing the preceding procedure with the following parameters:
Role name: dhcpmgt
Role full name: DHCP Management
Role description: Manages Dynamic Host Config Protocol
Rights profile: DHCP Management
Example 9-5 Modifying a User's Role Assignment
In this example, a role is added to an existing user. The user's role assignment is modified by clicking the User Accounts icon in the Users tool in the Solaris Management Console, double-clicking the user, and following the online help to add a role to the user's capabilities.
Troubleshooting
Check the following if the role does not have the capabilities that it should:
Are the role's rights profiles listed in the GUI from most to least powerful?
For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list.
Do the commands in the role's rights profiles have the appropriate security attributes?
For example, when the policy is suser, some commands require uid=0 rather than euid=0.
Is the rights profile defined in the appropriate name service scope? Is the role operating in the name service scope where the rights profile is defined?
Has the name service cache, svc:/system/name-service-cache, been restarted?
The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data.
The Solaris Management Console GUI is the preferred method for managing RBAC. To use the GUI, see How to Create and Assign a Role by Using the GUI. You can also use the command-line interfaces, as described in this procedure.
Note - Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. You can use both tools to administer RBAC, but you cannot use both concurrently.
Before You Begin
To create a role, you must either assume a role that includes the Primary Administrator rights profile, or switch to the user root.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Note - The roleadd command is more limited than the Solaris Management Console GUI or command-line interfaces. After running the roleadd command, you must run the usermod command to assign the role to a user. And, the user then must set the password for the role, as shown in How to Assign a Role to a Local User.
# roleadd -c comment \ -g group -m homedir -u UID -s shell \ -P profile rolename
Is a comment that describes rolename.
Is the group assignment for rolename.
Is the path to the home directory for rolename.
Is the UID for rolename.
Is the login shell for rolename. This shell must be a profile shell.
Is one or more rights profiles for rolename.
Is the name of the new local role.
This command creates a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ add -- -n rolename -a rolename -d directory\ -F full-description -p profile
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the new role.
Is the comment that describes the capabilities of the role.
Is the name of the user who can assume rolename.
Is the home directory for rolename.
Is the full description for rolename. This description is displayed in the Solaris Management Console GUI.
Is a rights profile that is included in the capabilities of rolename. This option gives commands with administrative capabilities to the role. You can specify multiple -p profile options.
Example 9-6 Creating a Custom Operator Role by Using the smrole Command
The smrole command specifies a new role and its attributes in a name service. In the following example, the Primary Administrator creates a new version of the Media Backup role. The role includes the standard Media Backup rights profile as well as the FTP Management rights profile. Note that the command prompts you for a password for the new role.
% su - primaryadm Password: <Type primaryadm password> $ /usr/sadm/bin/smrole add -H myHost -- -c "FTP and Backup Operator" \ -n operadm2 -a janedoe -d /export/home/operadm \ -F "Backup/FTP Operator" -p "Media Backup" -p "FTP Management" Authenticating as user: primaryadm Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <Type primaryadm password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadm was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password ::<Type operadm2 password> $ svcadm restart system/name-service-cache
The smrole command with the list subcommand is used to display the new role:
$ /usr/sadm/bin/smrole list -- Authenticating as user: primaryadm Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <Type primaryadm password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadm was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. root 0 Superuser primaryadm 100 Most powerful role sysadmin 101 Performs non-security admin tasks operadm 102 Backup Operator operadm2 103 Backup/FTP Operator
Note that rights profiles that include Media Backup or Media Restore provide a role with access to the entire root file system. Therefore, the administrator must assign such rights profiles to trusted users. Alternatively, the administrator can choose to not assign these rights profiles. In this scenario, only superuser can back up and restore.
This procedure assigns a local role to a local user, restarts the name cache daemon, and then shows how the user can assume the role.
To assign a role to a user in a distributed name service, see How to Create a Role From the Command Line and How to Change the Properties of a Role.
Before You Begin
You have added a local role, as described in How to Create a Role From the Command Line. You must either assume a role that includes the Primary Administrator rights profile, or switch to the user root.
If you added a local role with the roleadd command, this step is required. This step is optional when you use the smrole command and the Solaris Management Console to create a role.
# usermod -u UID -R rolename login-name
Is the UID of the user.
Is the role that is being assigned to the user.
Is the user's login name.
# svcadm restart system/name-service-cache
If you added a role with a Solaris Management Console interface, go to Using Roles (Task Map). Otherwise, continue with the next step.
If you added a local role with the roleadd command, this step is required.
% su - rolename Password: <Type rolename password> Confirm Password: <Retype rolename password> $
Example 9-7 Creating and Assigning a Local Role From the Command Line
In this example, a role is created to administer the Oracle Solaris Cryptographic Framework. The Crypto Management rights profile contains the cryptoadm command for administering hardware and software cryptographic services on a local system.
# roleadd -c "Cryptographic Services manager" \ -g 14 -m /export/home/cryptoadm -u 104 -s pfksh \ -P "Crypto Management" cryptomgt # usermod -u 1111 -R cryptomgt # svcadm restart system/name-service-cache % su - cryptomgt Password: <Type cryptomgt password> Confirm Password: <Retype cryptomgt password> $ /usr/ucb/whoami cryptomgt $
For information about the Oracle Solaris Cryptographic Framework, see Chapter 13, Oracle Solaris Cryptographic Framework (Overview). To administer the framework, see Administering the Cryptographic Framework (Task Map).
The actions that a role performs can be audited. Included in the audit record is the login name of the user who assumed the role, the role name, and the action that the role performed. The 6180:AUE_prof_cmd:profile command:ua,as audit event collects the information. By preselecting the as class or the ua class, you can audit role actions.
For more information, see Oracle Solaris Auditing (Task Map).
## audit_control file flags:lo,as naflags:lo plugin:name=audit_binfile.so; p_dir=/var/audit
The ua class and the as class include other audit events. To see the audit events that are included in a class, read the audit_event file. You can also use the bsmrecord command, as shown in Example 30-27.
For more information, see Configuring and Enabling the Audit Service (Tasks).
This procedure shows how to change root from a login user to a role. When you complete this procedure, you can no longer directly log in to the system as root, except in single-user mode. You must be assigned the root role and su to root.
By changing the root user into a role, you prevent anonymous root login. Because a user must log in and then assume the root role, the user's login ID is provided to the auditing service and is in the sulog file.
In this procedure, you create a local user and assign the root role to the user. To prevent users from assuming the role, see Example 9-8.
Before You Begin
You cannot perform this procedure when you are directly logged in as root. You must log in as yourself, then su to root.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
For safety, at least one local user should be assigned the root role.
$ useradd -c comment -u uid -d homedir username
Is the comment that describes the user.
Is the home directory of the user. This directory should be on the local system.
Is the user identification number.
Is the name of the new local user.
# useradd -c "JDoe's local account" -u 123 -d /export/home1 jdoe-local
# passwd -r files jdoe-local New Password: <Type password> Re-enter new Password: <Retype password> passwd: password successfully changed for jdoe-local #
# who jdoe console May 24 13:51 (:0) jdoe pts/5 May 24 13:51 (:0.0) jdoe pts/4 May 24 13:51 (:0.0) jdoe pts/10 May 24 13:51 (:0.0)
# usermod -K type=role root
The root entry in the user_attr file should appear similar to the following:
# grep root /etc/user_attr root::::type=role;auths=solaris.*,solaris.grant;profiles=...
# usermod -R root jdoe-local
Caution - If you do not assign the root role to a user, no one can become superuser, except in single-user mode. You must type a root password to enter single-user mode. |
% whoami jdoe % su - jdoe-local Enter password: <Type jdoe-local password> % roles root % su - root Enter password: <Type root password> #
For example, the following entries in the nsswitch.conf file would enable the name service to return.
passwd: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return] group: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
For the procedure, see How to Change the RBAC Properties of a User.
Example 9-8 Preventing the root Role From Being Used to Configure a System
In this example, site security policy requires that several discrete roles configure the system. These discrete roles have been created and tested. To prevent the root account from being used to configure the system, the security administrator changes root into a role, but does not assign the role. The root role retains a password to enter the system in single-user mode.
First, the administrator verifies that root is not an assigned role.
% whoami jdoe-local % su - root Password: a!2@3#4$5%6^7 # grep roles /etc/user_attr jdoe-local::::type=normal;roles=secadmin kdoe-local::::type=normal;roles=sysadmin
Still in the root account, the administrator changes root into a role.
# usermod -K type=role root
Then, the administrator verifies the change in the root entry in the user_attr file.
# grep root /etc/user_attr root::::type=role;auths=solaris.*,solaris.grant;profiles=...
Example 9-9 Changing the root Role Back Into the root User
In this example, the administrator is decommissioning a system and wants to log in to the desktop as superuser. The system has been removed from the network.
First, the administrator assumes the root role to remove all root role assignments.
% whoami jdoe-local % su - root Password: a!2@3#4$5%6^7 # grep roles /etc/user_attr jdoe-local::::type=normal;roles=root kdoe-local::::type=normal;roles=root # usermod -R "" jdoe-local # usermod -R "" kdoe-local # grep roles /etc/user_attr #
Still in the root role, the administrator changes root into a user.
# rolemod -K type=normal root
Then, the administrator verifies the change in the root entry in the user_attr file.
# grep root /etc/user_attr root::::type=normal;auths=solaris.*,solaris.grant;profiles=...
Troubleshooting
In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system. If you do not have a local account that can assume the root role, create one. As root, log in to the system in single-user mode, create a local user account, and assign the root role to the new account. Then, log in as the new user and assume the root role.
No one can become superuser if you change the root user into a role and fail to make one of the following assignments:
Assign the root role to a valid user.
Assign a rights profile that is equivalent to root's rights profile to a valid user. The Primary Administrator profile is an equivalent rights profile for root capabilities.
Create a role that has the capabilities of root and assign the role to a valid user. A role that is assigned the Primary Administrator profile is equivalent to the root role.