Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Viewing the Contents of Rights Profiles
Order of Search for Assigned Security Attributes
Authorization Naming Conventions
Example of Authorization Granularity
Delegation Authority in Authorizations
Selected Commands That Require Authorizations
Administrative Commands for Handling Privileges
Files With Privilege Information
Prevention of Privilege Escalation
Legacy Applications and the Privilege Model
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
12. Cryptographic Framework (Tasks)
Part V Authentication Services and Secure Communication
14. Network Services Authentication (Tasks)
17. Using Secure Shell (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
The following databases store the data for the RBAC elements:
Extended user attributes database (user_attr) – Associates users and roles with authorizations, privileges, keywords, and rights profiles
Rights profile attributes database (prof_attr) – Defines rights profiles, lists the profiles' assigned authorizations, privileges, and keywords, and identifies the associated help file
Authorization attributes database (auth_attr) – Defines authorizations and their attributes, and identifies the associated help file
Execution attributes database (exec_attr) – Identifies the commands with security attributes that are assigned to specific rights profiles
The policy.conf database contains authorizations, privileges, and rights profiles that are applied to all users. For more information, see policy.conf File.
The name service scope of the RBAC databases is defined in the SMF service for the naming service switch, svc:/system/name-service/switch. The properties in this service for the RBAC databases are auth_attr, password, and prof_attr. The password property sets the naming service precedence for the passwd and user_attr databases. The prof_attr property sets the naming service precedence for the prof_attr and exec_attr databases.
In the following output. the auth_attr, password, and prof_attr entries are not listed. Therefore, the RBAC databases are using the files naming service.
# svccfg -s name-service/switch listprop config config application config/value_authorization astring solaris.smf.value.name-service.switch config/default astring files config/host astring "files ldap dns" config/printer astring "user files ldap"
The user_attr database contains user and role information that supplements the passwd and shadow databases.
The following security attributes can be set by using the roleadd, rolemod, useradd, usermod, and profiles commands:
For a user, the roles keyword assigns one or more defined roles.
For a role, the user value to the roleauth keyword enables the role to authenticate with the user password rather than with the role password. By default, the value is role.
For a user or role, the following attributes can be set:
audit_flags keyword - Modifies the audit mask. For reference, see the audit_flags(5) man page.
auths keyword - Assigns authorizations. For reference, see the auths(1) man page.
defaultpriv keyword - Adds privileges or removes them from the default basic set of privileges. For reference, see How Privileges Are Implemented.
limitpriv keyword - Adds privileges or removes them from the default limit set of privileges. For reference, see How Privileges Are Implemented.
These privileges are always in effect, they are not attributes of a command. For reference, see the privileges(5) man page and How Privileges Are Implemented.
projects keyword - Adds a default project. For reference, see the project(4) man page.
lock_after_retries keyword - If the value is yes, the system is locked after the number of retries exceeds the number that is allowed in the /etc/default/login file.
profiles keyword - Assigns rights profiles.
For more information, see the user_attr(4) man page. To view the contents of this database, use the getent user_attr command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.
All authorizations are stored in the auth_attr database. Authorizations can be assigned to users, to roles, or to rights profiles. The preferred method is to place authorizations in a rights profile, to include the profile in a role's list of profiles, and then to assign the role to a user.
To view the contents of this database, use the getent prof_attr command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.
The prof_attr database stores the name, description, help file location, privileges, and authorizations that are assigned to rights profiles. The commands and security attributes that are assigned to rights profiles are stored in the exec_attr database. For more information, see exec_attr Database.
For more information, see the prof_attr(4) man page. To view the contents of this database, use the getent exec_attr command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.
The exec_attr database defines commands that require security attributes to succeed. The commands are part of a rights profile. A command with its security attributes can be run by roles or users to whom the profile is assigned.
For more information, see the exec_attr(4) man page. To view the contents of this database, use the getent command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.
The policy.conf file provides a way of granting specific rights profiles, specific authorizations, and specific privileges to all users. The relevant entries in the file consist of key=value pairs:
AUTHS_GRANTED=authorizations – Refers to one or more authorizations.
PROFS_GRANTED=rights profiles – Refers to one or more rights profiles.
CONSOLE_USER=Console User– Refers to the Console User rights profile. This profile is delivered with a convenient set of authorizations for the console user. You can customize this profile. To view the profile contents, see Rights Profiles.
The following example shows some typical values from a policy.conf database:
# grep AUTHS /etc/security/policy AUTHS_GRANTED=solaris.device.cdrw # grep PROFS /etc/security/policy PROFS_GRANTED=Basic Solaris User # grep PRIV /etc/security/policy #PRIV_DEFAULT=basic #PRIV_LIMIT=all
For more information about privileges, see Privileges (Overview).