Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: March 2018
 
 

How to Configure a Role for Network Security

If you are using the rights feature of Oracle Solaris to administer your systems, use this procedure to provide a network management role or network security role.

Before You Begin

You must assume the root role to create and assign a role. Regular users can list and view the contents of available rights profiles.

  1. List the available network-related rights profiles.
    % getent prof_attr | grep Network | more
    ...
    Network Management:RO::Manage the host and network configuration...
    Network Security:RO::Manage network and host security...:profiles=Network Wifi
    Security,Network Link Security,Network IPsec Management...
    Network Wifi Management:RO::Manage wifi network configuration...
    Network Wifi Security:RO::Manage wifi network security...
    Network Link Security:RO::Manage network link security...
    Network IPsec Management:RO::Manage IPsec and IKE...
    System Administrator:RO::Can perform most non-security administrative tasks:
    profiles=...Network Management...
    Information Security:RO::Maintains MAC and DAC security policies:
    profiles=...Network Security...

    The Network Management profile is a supplementary profile in the System Administrator profile. If you have included the System Administrator rights profile in a role, then that role can execute the commands in the Network Management profile.

  2. List the commands in the Network Management rights profile.
    % profiles -p "Network Management" info
    ...
    cmd=/usr/sbin/dladm
    cmd=/usr/sbin/dlstat
    ...
    cmd=/usr/sbin/svcadm
    cmd=/usr/sbin/svccfg
    cmd=/usr/sbin/dumpcap
  3. Decide the scope of the network security roles at your site.

      Use the definitions of the rights profiles in Step 1 to guide your decision.

    • To create a role that handles all network security, use the Network Security rights profile.

    • To create a role that handles IPsec and IKE only, use the Network IPsec Management rights profile.

    • To create a role that handles network management and security, use the Network Security or the Network IPsec Management rights profile, in addition to the Network Management profile.

  4. Create the role and assign the role to one or more users.

    For the steps, see Creating a Role in Securing Users and Processes in Oracle Solaris 11.3 and Example 40, Enabling a Trusted User to Configure and Manage IPsec.

Example 38  Creating and Assigning a Network Management and Security Role

In this example, the administrator assigns to a role two rights profiles, Network Management and Network Security. Then the administrator assigns the role to a trusted user.

# roleadd -c "Network Mgt and Security" \
-S ldap -K profiles="Network Management Plus" netmgtsec
# passwd netmgtsec
New Password: xxxxxxxx
Confirm password: xxxxxxxx
# usermod -R netmgtsec jdoe

The rights in the profiles are available to the user jdoe after jdoe assumes the netmgtsec role.

% su - netmgtsec
Password: xxxxxxxx
#
Example 39  Dividing Network Security Responsibilities Between Roles

In this example, the administrator divides network security responsibilities between two roles. One role administers Wifi and link security and another role administers IPsec and IKE. Each role is assigned to three people, one person per shift.

    The roles are created by the administrator as follows:

  1. The administrator names the first role LinkWifi.

  2. The administrator assigns the Network Wifi, Network Link Security, and Network Management rights profiles to the role.

  3. The administrator assigns the LinkWifi role to the appropriate users.

  4. The administrator names the second role IPsec Administrator.

  5. The administrator assigns the Network IPsec Management and the Network Management rights profiles to the role.

  6. The administrator assigns the IPsec Administrator role to the appropriate users.

Example 40  Enabling a Trusted User to Configure and Manage IPsec

In this example, the administrator gives one user responsibility for configuring and managing IPsec.

In addition to the Network Management and IPsec Network Management rights profiles, the administrator gives the user the ability to edit the hosts file and the ability to read the logs.

  1. The administrator creates two rights profiles, one for editing files and the other for reading logs.

    # profiles -p -S LDAP "Hosts Configuration"
    profiles:Network Configuration> set desc="Edits root-owned network files"
    ...Configuration> add auth=solaris.admin.edit/etc/hosts
    ...Configuration> commit
    ...Configuration> end
    ...Configuration> exit
    
    # profiles -p -S LDAP "Read Network Logs"
    profiles:Read Network Logs> set desc="Reads root-owned network log files"
    ...Logs> add cmd=/usr/bin/more
    ...Logs:more>set privs={file_dac_read}:/var/user/ikeuser/*
    ...Logs:more>set privs={file_dac_read}:/var/log/ikev2/*
    ...Logs:more> set privs={file_dac_read}:/etc/inet/ike/*
    ...Logs:more> set privs={file_dac_read}:/etc/inet/secret/*
    ...Logs:more>end
    ...Logs> add cmd=/usr/bin/tail
    ...Logs:tail>set privs={file_dac_read}:/var/user/ikeuser/*
    ...Logs:tail>set privs={file_dac_read}:/var/log/ikev2/*
    ...Logs:tail>set privs={file_dac_read}:/etc/inet/ike/*
    ...Logs:tail> set privs={file_dac_read}:/etc/inet/secret/*
    ...Logs:tail>end
    ...Logs> add cmd=/usr/bin/page
    ...Logs:page>set privs={file_dac_read}:/var/user/ikeuser/*
    ...Logs:page>set privs={file_dac_read}:/var/log/ikev2/*
    ...Logs:page>set privs={file_dac_read}:/etc/inet/ike/*
    ...Logs:page> set privs={file_dac_read}:/etc/inet/secret/*
    ...Logs:page>end
    ...Logs> exit

    The rights profile enables the user to use the more, tail, and page commands to read the logs. The cat and head commands cannot be used.

  2. The administrator creates the rights profile that enables the user to perform all configuration and management tasks for IPsec and its keying services.

    # profiles -p "Site Network Management"
    profiles:Site Network Management> set desc="Handles all network files and logs"
    ...Management> add profiles="Network Management"
    ...Management> add profiles="Network IPsec Management"
    ...Management> add profiles="Hosts Configuration"
    ...Management> add profiles="Read Network Logs"
    ...Management> commit; end; exit
  3. The administrator creates a role for the profile, assigns it a password, and assigns the role to a trusted user who understands networking and security.

    # roleadd -S LDAP -c "Network Management Guru" \
    -m -K profiles="Site Network Management" netadm
    # passwd netadm
    Password: xxxxxxxx
    Confirm password: xxxxxxxx
    # usermod -S LDAP -R +netadm jdoe
  4. Out of band, the administrator supplies jdoe with the role password.