Oracle Solaris 11.1 Administration: Security Services (Oracle Solaris 11.1 Information Library)
This section describes some typical rights profiles. Rights profiles are convenient collections of authorizations and other security attributes, commands with security attributes, and supplementary rights profiles. Oracle Solaris provides many rights profiles. If they are not sufficient for your needs, you can modify existing ones and create new ones.
Rights profiles must be assigned in order, from most to least powerful. For more information, see Order of Search for Assigned Security Attributes.
System Administrator rights profile – Provides a profile that can do most tasks that are not connected with security. This profile includes several other profiles to create a powerful role. Note that the All rights profile is assigned at the end of the list of supplementary rights profiles. The profiles command displays the contents of the profile.
% profiles -p "System Administrator" info
Operator rights profile – Provides limited capabilities to manage files and offline media. This profile includes supplementary rights profiles to create a simple role. The profiles command displays the contents of the profile.
% profiles -p Operator info
Printer Management rights profile – Provides a limited number of commands and authorizations to handle printing. This profile is one of several profiles that cover a single area of administration. The profiles command displays the contents of the profile.
% profiles -p "Printer Management" info
Basic Solaris User rights profile – Enables users to use the system within the bounds of security policy. This profile is listed by default in the policy.conf file. Note that the convenience that is offered by the Basic Solaris User rights profile must be balanced against site security requirements. Sites that need stricter security might prefer to remove this profile from the policy.conf file or assign the Stop rights profile. The profiles command displays the contents of the profile.
% profiles -p "Basic Solaris User" info
Console User rights profile – For the workstation owner, provides access to authorizations, commands, and actions for the person who is seated at the computer. The profiles command displays the contents of the profile.
% profiles -p "Console User" info
All rights profile – For roles, provides access to commands that do not have security attributes. This profile can be appropriate for users with limited rights. The profiles command displays the contents of the profile.
% profiles -p All info
Stop rights profile – Is a special rights profile that stops the evaluation of further profiles. This profile prevents the evaluation of the AUTHS_GRANTED, PROFS_GRANTED, and CONSOLE_USER variables in the policy.conf file. With this profile, you can provide roles and users with a restricted profile shell.
Note - The Stop profile affects privilege assignment indirectly. Rights profiles that are listed after the Stop profile are not evaluated. Therefore, the commands with privileges in those profiles are not in effect. To use this profile, see How to Restrict an Administrator to Explicitly Assigned Rights.
The profiles command displays the contents of the profile.
% profiles -p Stop info
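The effect of the Stop profile on an account's assigned list can be modelled in a few lines of shell, which is useful when reviewing accounts for profiles that are listed but never evaluated. This is an added example, not Oracle's code: the function names and sample lists are hypothetical, the CONSOLE_USER value and its position before PROFS_GRANTED are assumptions, and AUTHS_GRANTED is omitted because it grants authorizations rather than profiles.

```shell
#!/bin/sh
# Added example: a model of the evaluation rules described above, not a
# Solaris tool. On a live system the assigned list would be taken from
# `profiles -l account-name`; here every input is a constructed sample.

# effective_profiles ASSIGNED PROFS_GRANTED CONSOLE_USER ON_CONSOLE
# ASSIGNED and PROFS_GRANTED are comma-separated lists in search order.
# Prints, one per line, the profiles that are actually evaluated.
effective_profiles() {
    assigned=$1 granted=$2 console=$3 on_console=$4
    stopped=no
    old_ifs=$IFS; IFS=,
    for p in $assigned; do
        if [ "$p" = "Stop" ]; then stopped=yes; break; fi
        printf '%s\n' "$p"
    done
    # Stop suppresses the policy.conf defaults as well as later profiles.
    if [ "$stopped" = no ]; then
        if [ "$on_console" = yes ] && [ -n "$console" ]; then
            printf '%s\n' "$console"
        fi
        for p in $granted; do printf '%s\n' "$p"; done
    fi
    IFS=$old_ifs
}

# dead_profiles ASSIGNED
# Prints profiles listed after Stop; they are assigned but never evaluated,
# so any commands with privileges in them are not in effect.
dead_profiles() {
    seen=no
    old_ifs=$IFS; IFS=,
    for p in $1; do
        if [ "$seen" = yes ]; then printf '%s\n' "$p"; fi
        if [ "$p" = "Stop" ]; then seen=yes; fi
    done
    IFS=$old_ifs
}

# Constructed sample: policy.conf values assumed to be the shipped defaults.
PROFS_GRANTED="Basic Solaris User"
CONSOLE_USER="Console User"
ASSIGNED="Printer Management,Stop,Operator"

echo "Evaluated:";  effective_profiles "$ASSIGNED" "$PROFS_GRANTED" "$CONSOLE_USER" yes
echo "Never evaluated:"; dead_profiles "$ASSIGNED"
```

For the sample account, only Printer Management is evaluated; Operator is reported as dead, and neither Console User nor Basic Solaris User is added.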
Each rights profile has an associated help file. The help files are in HTML and are customizable. The files reside in the /usr/lib/help/profiles/locale/C directory.
You have three views into the contents of rights profiles.
The getent command enables you to view the contents of all of the rights profiles on the system. For sample output, see How to View All Defined Security Attributes.
The profiles -p "Profile Name" info command enables you to view the contents of a specific rights profile.
The profiles -l account-name command enables you to view the contents of the rights profiles that are assigned to a specific user or role.
For more information, see the getent(1M) and profiles(1) man pages.