Monday, July 13, 2009

RBAC (Role Based Access Control)

RBAC (Role Based Access Control)


/etc/user_attr -- The extended user attributes database, which associates users and roles with
authorizations and right profiles in addition to the /etc/passwd, /etc/group,
and /etc/shadow files
/etc/security/prof_attr -- The rights profile attributes database, which defines profiles, lists
the profile’s assigned authorizations and any nested rights profiles,
and identifies the associated help files.
/etc/security/exec_attr -- The execution attributed database, which defines the privileged
commands and scripts assigned to a profile.
/etc/security/auth_attr -- The authorization attributes database, which defines authorizations
and their attributes. This database also identifies the associated
help file.
/etc/security/policy.conf -- File provides system default authorizations for users


The /etc/user_attr Database

user:qualifier(reserved):res1(reserved):res2(reserved):attr

attr : An optional list of semicolon separated (;) key value pairs that describe the security attributes to be applied when the user runs commands.
type -- Can be normal or role. A role is assumed after the user has logged in.
auths -- Specifies a list of authorization chosen from names defined in the auth_attr DB
profiles -- Specifies a list of profile names chosen from the /etc/security/prof_attr DB
roles -- Specifies a list of role names defined in the same /etc/user_attr DB. Roles are
indicated by setting the type value to role. Roles cannot be assigned to other roles.

sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management
johndoe::::type=normal;auth=solaris.system.date;roles=sysadmin


The /etc/security/prof_attr Database

profname:res1:res2:desc(description):attr

attr : The security attrinutes to apply to the object upon execution. You can specify zero or more key. The two valid keys are help and auths.

# grep ‘Printer Management’ /etc/security/prof_attr
Printer Management:::manage Printers, daemns, \
……………………;auths=solaris.admin.printer.read, \

The Printer Management profile, which is defined in the /etc/security/prof_attr DB, is assigned to the sysadmin role in the /etc/user_attr DB.

The Printer management profile is defined in the prof_attr DB as having all authorizations, beginning with the solaris.admin.printer.string, assigned to it. These authorizations are defined in the /etc/security/auth_attr DB.
solaris.admin.printer.read:::view printer information::\



The /etc/security/exec_attr Database

name:policy:type:res1:res2:id:attr

name -- Name of the profile
policy -- The security policy associated with this entry. The suser (superuser policy model)
is the only valid policy entry.
type -- The type of entity. Whose attributes are specified. The only valid type is cmd
id -- a string identifying the entity. Command should have full path or a path with wildcard
attr -- euid and uid | egid and gid

Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp


The /etc/security/auth_attr Database

You can assign authorization directly to users or roles in the /etc/user_attr DB. You can also assign authorizations to rights profiles, which are assigned to roles.

authname:res1:res2:short_desc:long_desc:attr

authname -- A unique character string that identifies the authorization in the prefix.suffix[.] format.


The /etc/security/policy.conf file

This file lets you grant specific rights profiles and authorization to all users. Two types of entries in the file are
AUTHS_GRANTED=authorizations
PROFS_GRANTED=right_profiles

# cat policy.conf
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris Users

# roleadd –m –d /export/home/tarback –m –c “Privileged tar backup role” –p “Media Backup, Media Restore” tarback
-A authorization and -p profile -- Assign authorization and profiles respectively to the role.

# rolemod –A auth1,auth2 –p profile1,profile2 role1


Additional Commands Used to Perform RBAC Functions

auths Displays authorizations for a user
makedbm Makes a dbm file
nscd Identifies the name service. Useful for caching the 4 RBAC DB details
pam_roles Identifies the role account management module for password authentication
module (PAM)
pfexec Identifies the profile shells used to execute commands with attributes specifies
in exec_attr
policy.conf Identifies the config file for the security policy. Lists granted authorization
profiles Displays profiles for a specified user
roles Displays roles granted to a user
roleadd Adds a role account to the system
rolemod Modifies the role’s account info in the system
roledel Deletes a role’s account from the system


Example

Profile -- Privilege to profile -- Creating Role -- Role to profile -- Role to user

/etc/security/prof_attr -- Contains profile details

Creating profile in prof_attr
uadd::Profile for user admin
init:::Profile for init process

/etc/security/exec_attr -- Privilege to profile
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid-0
init:suser:cmd:::/usr/sbin/init:euid=0
init:suser:cmd:::/usr/sbin/shutdown:euid=0


Creating Role
# roleadd –d /export/home/role1 –m role1
# passwd role1

Role to Profile
# rolemod –P uadd,init role1

Adding role to user
# usermod –R role1 user1

/etc/user_attr -- Details about role & user to role

 Login as normal user
 Switch to role profile & use the privilege command

/etc/security/auth_attr -- Authorization file -- Config file for users & this roles

No comments:

Custom Search

Feeds from my other blog

Samsung S2 Brand new for 25900 White piece sealed box

For Sale, Mobile Phones - Accessories in India, Andhra Pradesh, Hyderabad. Date September 17

For Sale in Hyderabad