How to Configure a Role for Network Security

If you are using role-based access control (RBAC) to administer your systems, you use this procedure to provide a network management role or network security role.

1. Find the Network rights profiles in the local prof_attr database.

   % cd /etc/security % grep Network prof_attr Network IPsec Management:::Manage IPsec and IKE... Network Link Security:::Manage network link security... Network Management:::Manage the host and network configuration... Network Security:::Manage network and host security... Network Wifi Management:::Manage wifi network configuration... Network Wifi Security:::Manage wifi network security...

   The Network Management profile is a supplementary profile in the System Administrator profile. If you have included the System Administrator rights profile in a role, then that role can execute the commands in the Network Management profile.

2. Determine which commands are in the Network Management rights profile.

   % grep "Network Management" /etc/security/exec_attr Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config … Network Management:suser:cmd:::/usr/sbin/snoop:uid=0

   The solaris policy commands run with privilege (privs=sys_net_config). The suser policy commands run as superuser (uid=0).

3. Decide the scope of the network security roles at your site.

   Use the definitions of the rights profiles in Step 1 to guide your decision.

   • To create a role that handles all network security, use the Network Security rights profile.

   • To create a role that handles IPsec and IKE only, use the Network IPsec Management rights profile.

4. Create a network security role that includes the Network Management rights profile.

   A role with the Network Security or the Network IPsec Management rights profile, in addition to the Network Management profile, can execute the ifconfig, snoop, ipsecconf, and ipseckey commands, among others, with appropriate privilege.

   To create the role, assign the role to a user, and register the changes with the name service, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Example 19–4 Dividing Network Security Responsibilities Between Roles

In this example, the administrator divides network security responsibilities between two roles. One role administers wifi and link security and another role administers IPsec and IKE. Each role is assigned to three people, one person per shift.

To create the roles, the administrator uses the Solaris Management Console.

• The administrator names the first role LinkWifi.

  • The administrator assigns the Network Wifi, Network Link Security, and Network Management rights profiles to the role.

  • Then, the administrator assigns the LinkWifi role to the appropriate users.

• The administrator names the second role IPsec Administrator.

  • The administrator assigns the Network IPsec Management and the Network Management rights profiles to the role.

  • Then, the administrator assigns the IPsec Administrator role to the appropriate users.