man pages section 5: Standards, Environments, and Macros

Updated: July 2017
 
 

armor (5)

Name

armor - authorization roles managed on RBAC

Synopsis

/etc/security/prof_attr.d/armor

Description

ARMOR defines a number of roles and the administrative functions configured for each of those roles.

auditadm

Audit Administrator

The Audit Administrator role configures the system's auditing and logging policies. This includes both per-user and system-wide attributes. The role can view the audit trail. The role can also specify policies for remote auditing and logging.

fsadm

File System Administrator

The File System Administrator role creates file systems and makes them available. Operations relating to availability include specifying mount policies, sharing policies, quotas, compression, RAID, and file system formats. The role can also archive file systems and specify archiving policies.

pkgadm

Software Package Administrator

The Software Package Administrator role installs, updates, and removes system software. This can include upgrading a system to a new release or reverting it to a previous release. The role can be constrained to only load software from approved repositories or media.

secadm

Security Administrator

The Security Administrator role assigns non-default rights to users and roles. The rights can include membership in groups and roles, authorizations, privileges, and clearances. The role can assign passwords for new accounts and unlock locked accounts. The role also assigns non-default security attributes to system objects. The attributes can include security labels, access control lists, ownership, and membership.

svcadm

Service Administrator

The Service Administrator role enables, configures, and disables system services. The role can specify networking attributes such as IP addresses and routes, as well as firewall policies. The role can specify which services are available to local and remote clients and service configuration properties.

sysop

System Operator

The System Operator role runs system diagnostics and performs routine system maintenance. These tasks can include purging log files and print queues, shutting down systems and restarting systems, and bringing hardware online or offline.

useradm

User Administrator

The User Administrator role creates, modifies, and deletes the accounts for users defined by default security settings. The role can also create additional roles with default security settings. The role does not manage passwords. This can include the administration of non-local users.

Examples

Example 1 Displaying the Rights of an ARMOR Role.

To see the Rights Profiles of the useradm role:

profiles useradm

To see details of the authorizations and commands with security attributes of the sysop role:

profiles -l sysop

Example 2 Assigning ARMOR Roles to Users

To assign the secadm role to user alice:

usermod -R+secadm alice

Example 3 Displaying Assigned Roles

To display the roles assigned to user bob, including ARMOR roles:

roles bob

Example 4 Assuming an ARMOR Role

If an active user has the svcadm role assigned, the user can assume the role:

su - svcadm
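
The following is an added example, not part of the original manual page: a review of role assignments that reports which ARMOR roles each user holds and flags combinations that undo the split between roles (for instance, useradm does not manage passwords while secadm can assign them). The function name armor_audit, the "user : role1,role2" input line format (assumed to be what roles(1) prints when given several users), and the CONFLICTS pairs (a hypothetical site policy) are assumptions.

```shell
#!/bin/sh
# Added example: flag users who hold conflicting ARMOR roles.
# Assumed input, one line per user, as roles(1) prints for several users:
#   "user : role1,role2"   or   "user : No roles"
ARMOR_ROLES="auditadm fsadm pkgadm secadm svcadm sysop useradm"
# Hypothetical site policy: pairs one person should not hold together.
CONFLICTS="secadm+useradm auditadm+secadm"

armor_audit() {
    while IFS= read -r line; do
        case $line in *:*) ;; *) continue ;; esac   # skip lines with no user prefix
        user=$(printf '%s\n' "$line" | sed 's/[[:space:]]*:.*$//')
        list=$(printf '%s\n' "$line" | sed 's/^[^:]*:[[:space:]]*//' | tr ',' ' ')
        held=""
        for r in $list; do                 # keep only the ARMOR roles
            for a in $ARMOR_ROLES; do
                if [ "$r" = "$a" ]; then held="$held $a"; fi
            done
        done
        held=${held# }
        [ -n "$held" ] || continue         # no ARMOR role: nothing to report
        echo "$user: $held"
        for pair in $CONFLICTS; do
            left=${pair%+*}; right=${pair#*+}
            case " $held " in
                *" $left "*)
                    case " $held " in
                        *" $right "*) echo "CONFLICT $user: $left and $right" ;;
                    esac ;;
            esac
        done
    done
    return 0
}

# Constructed sample input (not captured from a real system).
sample_roles_output() {
    cat <<'EOF'
alice : secadm,useradm
bob : svcadm, root
carol : No roles
EOF
}

sample_roles_output | armor_audit
```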

Files

The home directory of each of the ARMOR roles is a ZFS dataset in /export/home.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE        ATTRIBUTE VALUE
Availability          system/security/armor
Interface Stability   Uncommitted

See Also

attributes(5), profiles(1), rbac_chkauth(3C), roles(1), su(1M), usermod(1M)