If you are using the rights feature of Oracle Solaris to administer your systems, use this procedure to provide a network management role or network security role.
Before You Begin
You must assume the root role to create and assign a role. Regular users can list and view the contents of available rights profiles.
$ getent prof_attr | grep Network | more
...
Network Management:RO::Manage the host and network configuration...
Network Security:RO::Manage network and host security...:profiles=Network Wifi Security,Network Link Security,Network IPsec Management...
Network Wifi Management:RO::Manage wifi network configuration...
Network Wifi Security:RO::Manage wifi network security...
Network Link Security:RO::Manage network link security...
Network IPsec Management:RO::Manage IPsec and IKE...
System Administrator:RO::Can perform most non-security administrative tasks: profiles=...Network Management...
Information Security:RO::Maintains MAC and DAC security policies: profiles=...Network Security...
The Network Management profile is a supplementary profile in the System Administrator profile. If you have included the System Administrator rights profile in a role, then that role can execute the commands in the Network Management profile.
$ profiles -p "Network Management" info
...
cmd=/usr/sbin/dladm
cmd=/usr/sbin/dlstat
...
cmd=/usr/sbin/svcadm
cmd=/usr/sbin/svccfg
cmd=/usr/sbin/dumpcap
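To see how supplementary profiles nest (the reason a role holding System Administrator can also run the Network Management commands), here is an added example that is not part of the Oracle documentation: a POSIX shell and awk routine that walks prof_attr-format text and prints every profile a given profile includes, directly or through other profiles. The sample database is constructed from the entries shown above and trimmed to them; on a real system you would feed it the output of getent prof_attr instead.

```shell
#!/bin/sh
# Added example, not Oracle's code: resolve the supplementary profiles of a
# rights profile from prof_attr(5)-format text.
# prof_attr fields are name:res1:res2:desc:attr; attr is a ';'-separated list
# of key=value pairs, and the "profiles" key holds a comma-separated list of
# supplementary profiles.

# Constructed sample, limited to the profiles named on this page. The real
# database is /etc/security/prof_attr or the naming-service map
# (getent prof_attr); the "..." in the page output hides further entries.
SAMPLE_PROF_ATTR='Network Management:RO::Manage the host and network configuration:
Network Security:RO::Manage network and host security:profiles=Network Wifi Security,Network Link Security,Network IPsec Management
Network Wifi Management:RO::Manage wifi network configuration:
Network Wifi Security:RO::Manage wifi network security:
Network Link Security:RO::Manage network link security:
Network IPsec Management:RO::Manage IPsec and IKE:
System Administrator:RO::Can perform most non-security administrative tasks:profiles=Network Management
Information Security:RO::Maintains MAC and DAC security policies:profiles=Network Security'

# Print the transitive set of profiles reachable from profile $1, one per
# line: the profile itself first, each name once, depth-first in the order
# the profiles= lists give them. $2 is the prof_attr text to search.
expand_profile() {
    printf '%s\n' "$2" | awk -F: -v start="$1" '
    {
        # Field 5 is the attr list; keep the value of its profiles= key.
        n = split($5, kv, ";")
        subs = ""
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^profiles=/) subs = substr(kv[i], 10)
        includes[$1] = subs
    }
    # Depth-first walk; "seen" stops cycles and duplicates.
    function walk(p,   m, arr, i) {
        if (p in seen) return
        seen[p] = 1
        print p
        m = split(includes[p], arr, ",")
        for (i = 1; i <= m; i++) walk(arr[i])
    }
    END { walk(start) }'
}

# Exit 0 when rights profile $1 includes profile $2, directly or transitively.
# $3 is the prof_attr text to search.
profile_includes() {
    expand_profile "$1" "$3" | grep -qx -- "$2"
}

# Usage: everything a role holding Information Security can reach.
expand_profile "Information Security" "$SAMPLE_PROF_ATTR"
```

Because the walk is transitive, the check also answers questions the page only states for one level, such as whether Information Security ultimately grants Network IPsec Management (it does, through Network Security).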
Use the definitions of the rights profiles in Step 1 to guide your decision.
To create a role that handles all network security, use the Network Security rights profile.
To create a role that handles IPsec and IKE only, use the Network IPsec Management rights profile.
To create a role that handles network management and security, use the Network Security or the Network IPsec Management rights profile, in addition to the Network Management profile.
For the steps, see Creating a Role in Securing Users and Processes in Oracle Solaris 11.4 and Example 27, Enabling a Trusted User to Configure and Manage IPsec.
In this example, the administrator assigns to a role two rights profiles, Network Management and Network Security. Then the administrator assigns the role to a trusted user.
# roleadd -c "Network Mgt and Security" \
-S ldap -K profiles="Network Management,Network Security" netmgtsec
# passwd netmgtsec
New Password: xxxxxxxx
Confirm password: xxxxxxxx
# usermod -R netmgtsec jdoe
The rights in the profiles are available to the user jdoe after jdoe assumes the netmgtsec role.
$ su - netmgtsec
Password: xxxxxxxx
$
Example 26 Dividing Network Security Responsibilities Between Roles
In this example, the administrator divides network security responsibilities between two roles. One role administers Wifi and link security and another role administers IPsec and IKE. Each role is assigned to three people, one person per shift.
The roles are created by the administrator as follows:
The administrator names the first role LinkWifi.
The administrator assigns the Network Wifi, Network Link Security, and Network Management rights profiles to the role.
The administrator assigns the LinkWifi role to the appropriate users.
The administrator names the second role IPsec Administrator.
The administrator assigns the Network IPsec Management and the Network Management rights profiles to the role.
The administrator assigns the IPsec Administrator role to the appropriate users.
Example 27 Enabling a Trusted User to Configure and Manage IPsec
In this example, the administrator gives one user responsibility for configuring and managing IPsec.
In addition to the Network Management and Network IPsec Management rights profiles, the administrator gives the user the ability to edit the hosts file and the ability to read the logs.
The administrator creates two rights profiles, one for editing files and the other for reading logs.
# profiles -p -S LDAP "Hosts Configuration"
profiles:Hosts Configuration> set desc="Edits root-owned network files"
...Configuration> add auth=solaris.admin.edit/etc/hosts
...Configuration> commit
...Configuration> end
...Configuration> exit
# profiles -p -S LDAP "Read Network Logs"
profiles:Read Network Logs> set desc="Reads root-owned network log files"
...Logs> add cmd=/usr/bin/more
...Logs:more> set privs={file_dac_read}:/var/user/ikeuser/*
...Logs:more> set privs={file_dac_read}:/var/log/ikev2/*
...Logs:more> set privs={file_dac_read}:/etc/inet/ike/*
...Logs:more> set privs={file_dac_read}:/etc/inet/secret/*
...Logs:more> end
...Logs> add cmd=/usr/bin/tail
...Logs:tail> set privs={file_dac_read}:/var/user/ikeuser/*
...Logs:tail> set privs={file_dac_read}:/var/log/ikev2/*
...Logs:tail> set privs={file_dac_read}:/etc/inet/ike/*
...Logs:tail> set privs={file_dac_read}:/etc/inet/secret/*
...Logs:tail> end
...Logs> add cmd=/usr/bin/page
...Logs:page> set privs={file_dac_read}:/var/user/ikeuser/*
...Logs:page> set privs={file_dac_read}:/var/log/ikev2/*
...Logs:page> set privs={file_dac_read}:/etc/inet/ike/*
...Logs:page> set privs={file_dac_read}:/etc/inet/secret/*
...Logs:page> end
...Logs> exit
The rights profile enables the user to read the logs with the more, tail, and page commands only; the file_dac_read privilege is attached to those three commands and restricted to the listed paths. The cat and head commands are not in the profile, so they gain no privilege and cannot read the root-owned files.
The administrator creates the rights profile that enables the user to perform all configuration and management tasks for IPsec and its keying services.
# profiles -p "Site Network Management"
profiles:Site Network Management> set desc="Handles all network files and logs"
...Management> add profiles="Network Management"
...Management> add profiles="Network IPsec Management"
...Management> add profiles="Hosts Configuration"
...Management> add profiles="Read Network Logs"
...Management> commit; end; exit
The administrator creates a role for the profile, assigns it a password, and assigns the role to a trusted user who understands networking and security.
# roleadd -S LDAP -c "Network Management Guru" \
-m -K profiles="Site Network Management" netadm
# passwd netadm
Password: xxxxxxxx
Confirm password: xxxxxxxx
# usermod -S LDAP -R +netadm jdoe
Out of band, the administrator supplies jdoe with the role password.
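As an added check that is not part of the Oracle documentation: once the roleadd and usermod commands above have run, a least-privilege review should confirm that netadm is really a role, that it carries exactly the intended profile, and that jdoe reaches those rights only by assuming the role rather than through directly assigned profiles. The shell routine below makes those checks against user_attr-format text. The sample entries are constructed to mirror the commands above; the extra user ops is invented only to show a failing check. On a live system the same facts come from getent user_attr, roles jdoe, and profiles -l netadm.

```shell
#!/bin/sh
# Added example, not Oracle's code: verify a role assignment against
# user_attr(5)-format text. Fields are user:qualifier:res1:res2:attr; attr is
# a ';'-separated list of key=value pairs such as type=, profiles= and roles=.

# Constructed sample: the netadm role and jdoe as created above, plus an
# invented user "ops" who also holds a profile directly (the case that the
# review should flag).
SAMPLE_USER_ATTR='root::::type=role;auths=solaris.*;profiles=All
netadm::::type=role;profiles=Site Network Management
jdoe::::roles=netadm
ops::::profiles=Network Management;roles=netadm'

# Print the value of attribute key $2 on the entry for user or role $1
# (empty when the entry or the key is absent). $3 is the user_attr text.
attr_value() {
    printf '%s\n' "$3" | awk -F: -v name="$1" -v key="$2" '
    $1 == name {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (index(kv[i], key "=") == 1) print substr(kv[i], length(key) + 2)
        exit
    }'
}

# Exit 0 when user $1 can assume role $2, $2 is defined with type=role, the
# role carries exactly the profile list $3 (comma-separated, as stored), and
# the user holds no directly assigned profiles. $4 is the user_attr text.
# Each failed check prints its reason on stderr.
check_role_assignment() {
    user=$1; role=$2; want=$3; db=$4
    [ "$(attr_value "$role" type "$db")" = role ] ||
        { echo "$role is not defined as a role" >&2; return 1; }
    case ",$(attr_value "$user" roles "$db")," in
        *",$role,"*) ;;
        *) echo "$user cannot assume $role" >&2; return 1 ;;
    esac
    have=$(attr_value "$role" profiles "$db")
    [ "$have" = "$want" ] ||
        { echo "$role has profiles '$have', expected '$want'" >&2; return 1; }
    direct=$(attr_value "$user" profiles "$db")
    [ -z "$direct" ] ||
        { echo "$user holds profiles '$direct' directly, not via a role" >&2; return 1; }
    return 0
}

# Usage: review the assignment made in this example.
check_role_assignment jdoe netadm "Site Network Management" "$SAMPLE_USER_ATTR" &&
    echo "jdoe -> netadm assignment matches the intended design"
```

The last check is the one most often missed in practice: a user who also holds a profile directly can run its commands without assuming the role, which bypasses the role password and the audit trail that role assumption provides.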