System Administration Guide: Security Services Oracle Solaris 11 Express 11/10 |
The following four databases store the data for the RBAC elements:
Extended user attributes database (user_attr) – Associates users and roles with authorizations, privileges, and rights profiles
Rights profile attributes database (prof_attr) – Defines rights profiles, lists the profiles' assigned authorizations, keywords, and privileges, and identifies the associated help file
Authorization attributes database (auth_attr) – Defines authorizations and their attributes, and identifies the associated help file
Execution attributes database (exec_attr) – Identifies the commands with security attributes that are assigned to specific rights profiles
The policy.conf file contains authorizations, privileges, and rights profiles that are applied to all users. For more information, see policy.conf File.
Each RBAC database uses a key=value syntax for storing attributes. This method accommodates future expansion of the databases. The method also enables a system to continue to operate if the system encounters a keyword that is unknown to its policy. The key=value contents link the files. The following linked entries from the four databases illustrate how the RBAC databases work together.
Example 10-1 Showing RBAC Database Connections
In the following example, the user jdoe gets the capabilities of the Audit Control rights profile by being assigned the role audcontrol.
The role audcontrol is created and assigned the Audit Control rights profile.
# roleadd -P "Audit Control" audcontrol
The user jdoe is assigned the audcontrol role. The userattr command verifies the assignment.
# usermod -R audcontrol jdoe
# userattr -v roles jdoe
user_attr : audcontrol
The Audit Control rights profile is defined in the prof_attr database. This rights profile includes one authorization.
## prof_attr - rights profile definitions and assigned authorizations
Audit Control:::Control Solaris Audit:auths=solaris.smf.manage.audit;help=RtAuditCtrl.html
The authorization is defined in the auth_attr database.
## auth_attr - authorization definitions
solaris.smf.manage.audit:::Manage Audit Service States::help=SmfManageAudit.html
The Audit Control rights profile is assigned one command with security attributes in the exec_attr database.
# profiles -l jdoe
Audit Control
/usr/sbin/audit    privs=proc_owner,sys_audit
The name service scope of the RBAC databases is defined in the /etc/nsswitch.conf file on the local host. The following entries in the nsswitch.conf file determine whether an RBAC database uses the files naming service or the LDAP naming service:
auth_attr entry – Sets the naming service precedence for the auth_attr database.
passwd entry – Sets the naming service precedence for the user_attr database.
prof_attr entry – Sets the naming service precedence for the prof_attr database. Also sets the naming service precedence for the exec_attr database.
For example, if a command with security attributes is assigned to a rights profile that exists in two naming services, only the entry from the service that is listed first in nsswitch.conf is used; the entry in the second service is never consulted.
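The links that Example 10-1 walks by hand, together with the first-match rule for nsswitch.conf sources, can be followed mechanically. The following is an added example, not code from this guide or from Oracle Solaris: it parses constructed records written in the user_attr(4), prof_attr(4) and exec_attr(4) formats shown on this page, models the nsswitch.conf order as an ordered list of sources, and resolves what an account holds. The account nadmin, the second exec_attr copy standing in for an LDAP source, and the command paths it lists are constructed for the example.

```python
"""Resolve RBAC database links (user_attr -> prof_attr -> exec_attr).

Added example, not from the Oracle Solaris guide.  All records below are
constructed in the formats this page describes; the second exec_attr copy
stands in for an LDAP source so that name-service precedence can be shown.
"""
from typing import Dict, List, Tuple

Record = Tuple[List[str], Dict[str, List[str]]]   # (colon fields, parsed attrs)
Db = Dict[str, List[Record]]                       # name -> records with that name

# Constructed sample data.  jdoe and audcontrol follow Example 10-1; nadmin is
# invented to show supplementary (nested) profiles and the fall-through to ldap.
USER_ATTR = """\
jdoe::::type=normal;roles=audcontrol
audcontrol::::type=role;roleauth=user;profiles=Audit Control
nadmin::::type=normal;profiles=Network Security
"""
PROF_ATTR = """\
Audit Control:::Control Solaris Audit:auths=solaris.smf.manage.audit;help=RtAuditCtrl.html
Network Security:::Manage network and host security:profiles=Network IPsec Management;help=RtNetSecure.html
Network IPsec Management:::Manage IPsec and IKE:auths=solaris.smf.manage.ipsec,solaris.smf.value.ipsec;help=RtNetIPsec.html
"""
EXEC_ATTR_FILES = """\
Audit Control:solaris:cmd:::/usr/sbin/audit:privs=proc_owner,sys_audit
"""
EXEC_ATTR_LDAP = """\
Audit Control:solaris:cmd:::/usr/sbin/audit:privs=proc_owner
Network IPsec Management:solaris:cmd:::/usr/sbin/ipsecconf:privs=sys_ip_config
"""


def parse_attrs(field: str) -> Dict[str, List[str]]:
    """Parse 'key=v1,v2;key2=v3'.  Unknown keys are kept, not rejected, which
    is the tolerance the page credits to the key=value design."""
    attrs: Dict[str, List[str]] = {}
    for pair in field.split(";"):
        if pair.strip():
            key, _, value = pair.partition("=")
            attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def parse_db(text: str) -> Db:
    """Index colon-separated records by name; '#' lines are comments.
    Escaped colons inside fields are not handled."""
    db: Db = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            db.setdefault(fields[0], []).append((fields, parse_attrs(fields[-1])))
    return db


# nsswitch.conf order as an ordered list of sources ("files" then "ldap").
USER_SOURCES = [parse_db(USER_ATTR)]                # governed by the passwd entry
PROF_SOURCES = [parse_db(PROF_ATTR)]                # prof_attr entry
EXEC_SOURCES = [parse_db(EXEC_ATTR_FILES), parse_db(EXEC_ATTR_LDAP)]  # also prof_attr entry


def lookup(sources: List[Db], name: str) -> List[Record]:
    """Only the first source holding an entry for the name is used."""
    for db in sources:
        if name in db:
            return db[name]
    return []


def expand_profiles(prof_sources: List[Db], names: List[str]) -> List[str]:
    """Depth-first expansion of supplementary profiles (profiles= in prof_attr)."""
    ordered: List[str] = []
    seen = set()

    def visit(name: str) -> None:
        if name in seen:
            return
        seen.add(name)
        ordered.append(name)
        for _fields, attrs in lookup(prof_sources, name):
            for sub in attrs.get("profiles", []):
                visit(sub)

    for name in names:
        visit(name)
    return ordered


def resolve_account(name: str, user_sources=USER_SOURCES,
                    prof_sources=PROF_SOURCES, exec_sources=EXEC_SOURCES) -> dict:
    """What an account (user or role) holds directly, plus the roles a user may
    assume.  A role's capabilities are deliberately not merged into the user:
    they apply only once the role has been assumed."""
    roles: List[str] = []
    profiles: List[str] = []
    auths = set()
    for _fields, attrs in lookup(user_sources, name):
        roles += attrs.get("roles", [])
        profiles += attrs.get("profiles", [])
        auths.update(attrs.get("auths", []))
    profiles = expand_profiles(prof_sources, profiles)
    commands: Dict[str, Dict[str, List[str]]] = {}
    for prof in profiles:
        for _fields, attrs in lookup(prof_sources, prof):
            auths.update(attrs.get("auths", []))
        for fields, attrs in lookup(exec_sources, prof):
            commands[fields[5]] = attrs        # exec_attr field 6 is the command path
    return {"roles": roles, "profiles": profiles, "auths": auths, "commands": commands}


if __name__ == "__main__":
    for account in ("jdoe", "audcontrol", "nadmin"):
        print(account, resolve_account(account))
```

Running it shows that jdoe holds nothing directly and can only assume audcontrol, that audcontrol's single profile yields the authorization and the /usr/sbin/audit entry from the files source (the ldap copy with fewer privileges is never read), and that nadmin reaches the ipsecconf entry only because the files source has no record for that profile and the lookup falls through to ldap.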
The user_attr database contains user and role information that supplements the passwd and shadow databases. The user_attr database contains extended user attributes such as authorizations, rights profiles, privileges, and assigned roles. For information about the format of the database, see the user_attr(4) man page.
The following security attributes can appear in a user_attr entry:
For a user, the roles keyword lists one or more defined roles.
For a role, roleauth=user lets the role be assumed with the user's own password rather than with the role's password. The default value is role.
For a user or role, the following keywords can be set:
audit_flags keyword. Lists the audit flags that are in effect for this user or role. For reference, see the audit_flags(5) man page.
auths keyword. Listed authorizations are directly assigned, that is, not assigned through a rights profile. For reference, see the auth_attr(4) man page.
defaultpriv keyword. Listed privileges are added to or removed from the default basic set of privileges.
limitpriv keyword. Listed privileges are removed from the default limit set of privileges.
privs keyword. Listed privileges are directly assigned, that is, they are neither attributes of a command nor assigned through a rights profile. For reference, see the privileges(5) man page.
projects keyword. Default project for the user or role. For reference, see the project(4) man page.
lock_after_retries keyword. If yes, the account is locked after the number of failed login attempts exceeds the number that is allowed in the /etc/default/login file.
profiles keyword. Lists rights profiles that are defined in the prof_attr database.
All authorizations are stored in the auth_attr database. Authorizations can be assigned to users, to roles, or to rights profiles. The preferred method is to place authorizations in a rights profile, to include the profile in a role's list of profiles, and then to assign the role to a user. For information about the format of the database, see the auth_attr(4) man page.
The following example shows an auth_attr database with some typical values:
% grep network /etc/security/auth_attr
solaris.network.:::Network::help=NetworkHeader.html
...
solaris.network.link.security:::Link Security::help=LinkSecurity.html
solaris.network.vrrp:::Administer VRRP::help=NetworkVRRP.html
solaris.network.wifi.config:::Wifi Config::help=WifiConfig.html
solaris.network.wifi.wep:::Wifi Wep::help=WifiWep.html
Note that solaris.network. is defined as a heading, because the authorization name ends in a dot (.). Headings are used by the GUIs to organize families of authorizations.
The prof_attr database stores the name, description, help file location, privileges, and authorizations that are assigned to rights profiles. The commands and security attributes that are assigned to rights profiles are stored in the exec_attr database. For more information, see exec_attr Database. For information about the format of the database, see the prof_attr(4) man page.
The following security attributes can appear in a prof_attr entry:
audit_flags keyword. Lists the audit flags that are in effect when this rights profile is in effect. For reference, see the audit_flags(5) man page.
auths keyword. Lists the authorizations that the rights profile assigns. For reference, see the auth_attr(4) man page.
defaultpriv keyword. Listed privileges are added to or removed from the default basic set of privileges.
limitpriv keyword. Listed privileges are removed from the default limit set of privileges.
privs keyword. Lists privileges that the rights profile assigns as a whole, as distinct from the privileges that an exec_attr entry assigns to a single command. For reference, see the privileges(5) man page.
profiles keyword. Lists supplementary rights profiles, which must also be defined in the prof_attr database.
The following example shows two typical prof_attr database entries. Note that the Network IPsec Management rights profile is a supplementary rights profile of the Network Security rights profile. The example is wrapped for display purposes, and each field is annotated on the right.
% grep 'Network IPsec Management' /etc/security/prof_attr
Network IPsec Management:::                         Name of rights profile
Manage IPsec and IKE:                               Description
help=RtNetIPsec.html;                               Help file
auths=solaris.smf.manage.ipsec,                     Authorizations
solaris.smf.value.ipsec
...
Network Security:::                                 Name of rights profile
Manage network and host security:                   Description
profiles=Network Wifi Security,Network Link Security,
Network IPsec Management;                           Supplementary rights profiles
help=RtNetSecure.html                               Help file
The exec_attr database defines commands that require security attributes to succeed. The commands are part of a rights profile. A command with its security attributes can be run by roles or users to whom the profile is assigned. For information about the format of the database, see the exec_attr(4) man page.
An exec_attr entry starts with the name of a rights profile from the prof_attr database and must give the full path to the command or program. The security attributes in the entry can extend or reduce the process's initial inheritable set, add a privilege, and limit its limit set. Each command can be assigned UNIX security attributes, privileges, or both. The UNIX security attributes are UID, GID, EUID, and EGID; each value can be a name or a number. Privilege-aware programs can be directly assigned one or more privileges.
The following example shows a typical exec_attr entry for the gnome-netstatus-wifi-info command. The privs keyword adds two privileges to the process's inheritable set. The limitprivs keyword adds the same two privileges to the limit set and, with the leading exclamation marks, removes five privileges from it. The entry is wrapped for display purposes.
% grep 'Network Wifi' /etc/security/exec_attr
Network Wifi Info:solaris:cmd:::/usr/lib/gnome-netstatus-wifi-info:
privs=net_rawaccess,file_dac_read;limitprivs=net_rawaccess,file_dac_read,
!proc_session,!proc_fork,!proc_exec,!proc_info,!file_link_any…
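What the privs and limitprivs attributes of that entry actually leave the command with is easier to see as set arithmetic. The following is an added example, not code from this guide or from Oracle Solaris. It evaluates the exec_attr line shown above using only the tokens visible on the page (the entry is truncated, so the real one may remove more), against an illustrative subset of the privilege universe: BASIC is the five-privilege basic set named in the entry, and ALL_PRIVS is a constructed stand-in for the far larger all set. The semantics applied are the page's own description, privs editing the basic inheritable set and limitprivs editing the all limit set, plus the rule from privileges(5) that the limit set is an upper bound on every other set.

```python
"""Compute the privilege sets an exec_attr entry gives a command.

Added example, not from the Oracle Solaris guide.  BASIC and ALL_PRIVS are an
illustrative subset of the real sets; the exec_attr line is the one shown on
the page, with only the tokens that are visible there.
"""
from typing import Dict, List, Set

BASIC: Set[str] = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}
# Constructed universe for the example; the real all set is much larger.
ALL_PRIVS: Set[str] = BASIC | {"net_rawaccess", "file_dac_read", "proc_owner",
                               "sys_audit", "sys_ip_config"}

EXEC_ATTR_LINE = (
    "Network Wifi Info:solaris:cmd:::/usr/lib/gnome-netstatus-wifi-info:"
    "privs=net_rawaccess,file_dac_read;"
    "limitprivs=net_rawaccess,file_dac_read,"
    "!proc_session,!proc_fork,!proc_exec,!proc_info,!file_link_any"
)


def apply_spec(base: Set[str], spec: List[str]) -> Set[str]:
    """Apply a privilege list to a starting set: 'p' adds, '!p' removes.
    The names all, basic and none stand for whole sets."""
    named = {"all": ALL_PRIVS, "basic": BASIC, "none": set()}
    result = set(base)
    for token in spec:
        remove = token.startswith("!")
        name = token.lstrip("!")
        members = named.get(name, {name})
        result = result - members if remove else result | members
    return result


def command_sets(line: str) -> Dict[str, Set[str]]:
    """Inheritable and limit sets for one exec_attr cmd entry."""
    fields = line.split(":")                     # field 7 holds the attributes
    attrs: Dict[str, List[str]] = {}
    for pair in fields[6].split(";"):
        key, _, value = pair.partition("=")
        attrs[key] = [v for v in value.split(",") if v]
    inheritable = apply_spec(BASIC, attrs.get("privs", []))      # privs= edits basic
    limit = apply_spec(ALL_PRIVS, attrs.get("limitprivs", []))   # limitprivs= edits all
    # privileges(5): the limit set bounds the other sets, so the new process
    # starts from the inheritable set intersected with the limit set.  A
    # privilege removed from L cannot be kept by listing it in privs.
    return {
        "inheritable": inheritable,
        "limit": limit,
        "on_exec": inheritable & limit,
        "dropped_by_limit": inheritable - limit,
    }


if __name__ == "__main__":
    for name, privs in command_sets(EXEC_ATTR_LINE).items():
        print(f"{name:18} {sorted(privs)}")
```

For this entry the inheritable set is basic plus net_rawaccess and file_dac_read, but the limit set no longer contains any of the five basic privileges, so the program starts with only the two added privileges and cannot fork, exec, or create hard links. That is the intended effect of pairing privs with a restrictive limitprivs: the helper gets the raw socket and file-read access it needs and nothing it could use to escalate further.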
The policy.conf file provides a way of granting specific rights profiles, specific authorizations, and specific privileges to all users. The relevant entries in the file consist of key=value pairs:
AUTHS_GRANTED=authorizations – Refers to one or more authorizations.
PROFS_GRANTED=rights profiles – Refers to one or more rights profiles.
CONSOLE_USER=Console User – Refers to the Console User rights profile. This profile is delivered with a convenient set of authorizations for the console user. You can customize this profile. To view the profile contents, see Console User Rights Profile.
The following example shows some typical values from the policy.conf file:
# grep AUTHS /etc/security/policy.conf
AUTHS_GRANTED=solaris.device.cdrw
# grep PROFS /etc/security/policy.conf
PROFS_GRANTED=Basic Solaris User
# grep PRIV /etc/security/policy.conf
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
The PRIV_DEFAULT and PRIV_LIMIT entries are commented out, so their defaults apply: every user's processes start with the basic set of privileges and have the full set as their limit set.
For more information about privileges, see Privileges (Overview).