How to Configure a Role for Network Security

If you are using role-based access control (RBAC) to administer your systems, you use this procedure to provide a network management role or network security role.

1. Find the Network rights profiles in the local prof_attr database.

   In the current release, the output appears similar to the following:

   % cd /etc/security % grep Network prof_attr Network IPsec Management:::Manage IPsec and IKE... Network Link Security:::Manage network link security... Network Management:::Manage the host and network configuration... Network Security:::Manage network and host security... Network Wifi Management:::Manage wifi network configuration... Network Wifi Security:::Manage wifi network security...

   If you are running a release prior to the Solaris 10 4/09 release, the output appears similar to the following:

   % cd /etc/security % grep Network prof_attr Network Management:::Manage the host and network configuration   Network Security:::Manage network and host security   System Administrator::: Network Management

   The Network Management profile is a supplementary profile in the System Administrator profile. If you have included the System Administrator rights profile in a role, then that role can execute the commands in the Network Management profile.

2. Determine which commands are in the Network Management rights profile.

   % grep "Network Management" /etc/security/exec_attr Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config … Network Management:suser:cmd:::/usr/sbin/snoop:uid=0

   The solaris policy commands run with privilege (privs=sys_net_config). The suser policy commands run as superuser (uid=0).

3. Decide the scope of the network security roles at your site.

   Use the definitions of the rights profiles in Step 1 to guide your decision.

   • To create a role that handles all network security, use the Network Security rights profile.

   • In the current release, to create a role that handles IPsec and IKE only, use the Network IPsec Management rights profile.

4. Create a network security role that includes the Network Management rights profile.

   A role with the Network Security or the Network IPsec Management rights profile, in addition to the Network Management profile, can execute the ifconfig, snoop, ipsecconf, and ipseckey commands, among others, with appropriate privilege.

   To create the role, assign the role to a user, and register the changes with the name service, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Example 20–5 Dividing Network Security Responsibilities Between Roles

In this example, the administrator divides network security responsibilities between two roles. One role administers wifi and link security and another role administers IPsec and IKE. Each role is assigned to three people, one person per shift.

The roles are created by the administrator as follows:

• The administrator names the first role LinkWifi.

  • The administrator assigns the Network Wifi, Network Link Security, and Network Management rights profiles to the role.

  • Then, the administrator assigns the LinkWifi role to the appropriate users.

• The administrator names the second role IPsec Administrator.

  • The administrator assigns the Network IPsec Management and the Network Management rights profiles to the role.

  • Then, the administrator assigns the IPsec Administrator role to the appropriate users.