RBAC (Role Based Access Control)
/etc/user_attr -- The extended user attributes database, which associates users and roles with
authorizations and right profiles in addition to the /etc/passwd, /etc/group,
and /etc/shadow files
/etc/security/prof_attr -- The rights profile attributes database, which defines profiles, lists
the profile’s assigned authorizations and any nested rights profiles,
and identifies the associated help files.
/etc/security/exec_attr -- The execution attributed database, which defines the privileged
commands and scripts assigned to a profile.
/etc/security/auth_attr -- The authorization attributes database, which defines authorizations
and their attributes. This database also identifies the associated
help file.
/etc/security/policy.conf -- File provides system default authorizations for users
The /etc/user_attr Database
user:qualifier(reserved):res1(reserved):res2(reserved):attr
attr : An optional list of semicolon separated (;) key value pairs that describe the security attributes to be applied when the user runs commands.
type -- Can be normal or role. A role is assumed after the user has logged in.
auths -- Specifies a list of authorization chosen from names defined in the auth_attr DB
profiles -- Specifies a list of profile names chosen from the /etc/security/prof_attr DB
roles -- Specifies a list of role names defined in the same /etc/user_attr DB. Roles are
indicated by setting the type value to role. Roles cannot be assigned to other roles.
sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management
johndoe::::type=normal;auth=solaris.system.date;roles=sysadmin
The /etc/security/prof_attr Database
profname:res1:res2:desc(description):attr
attr : The security attrinutes to apply to the object upon execution. You can specify zero or more key. The two valid keys are help and auths.
# grep ‘Printer Management’ /etc/security/prof_attr
Printer Management:::manage Printers, daemns, \
……………………;auths=solaris.admin.printer.read, \
The Printer Management profile, which is defined in the /etc/security/prof_attr DB, is assigned to the sysadmin role in the /etc/user_attr DB.
The Printer management profile is defined in the prof_attr DB as having all authorizations, beginning with the solaris.admin.printer.string, assigned to it. These authorizations are defined in the /etc/security/auth_attr DB.
solaris.admin.printer.read:::view printer information::\
The /etc/security/exec_attr Database
name:policy:type:res1:res2:id:attr
name -- Name of the profile
policy -- The security policy associated with this entry. The suser (superuser policy model)
is the only valid policy entry.
type -- The type of entity. Whose attributes are specified. The only valid type is cmd
id -- a string identifying the entity. Command should have full path or a path with wildcard
attr -- euid and uid | egid and gid
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
The /etc/security/auth_attr Database
You can assign authorization directly to users or roles in the /etc/user_attr DB. You can also assign authorizations to rights profiles, which are assigned to roles.
authname:res1:res2:short_desc:long_desc:attr
authname -- A unique character string that identifies the authorization in the prefix.suffix[.] format.
The /etc/security/policy.conf file
This file lets you grant specific rights profiles and authorization to all users. Two types of entries in the file are
AUTHS_GRANTED=authorizations
PROFS_GRANTED=right_profiles
# cat policy.conf
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris Users
# roleadd –m –d /export/home/tarback –m –c “Privileged tar backup role” –p “Media Backup, Media Restore” tarback
-A authorization and -p profile -- Assign authorization and profiles respectively to the role.
# rolemod –A auth1,auth2 –p profile1,profile2 role1
Additional Commands Used to Perform RBAC Functions
auths Displays authorizations for a user
makedbm Makes a dbm file
nscd Identifies the name service. Useful for caching the 4 RBAC DB details
pam_roles Identifies the role account management module for password authentication
module (PAM)
pfexec Identifies the profile shells used to execute commands with attributes specifies
in exec_attr
policy.conf Identifies the config file for the security policy. Lists granted authorization
profiles Displays profiles for a specified user
roles Displays roles granted to a user
roleadd Adds a role account to the system
rolemod Modifies the role’s account info in the system
roledel Deletes a role’s account from the system
Example
Profile -- Privilege to profile -- Creating Role -- Role to profile -- Role to user
/etc/security/prof_attr -- Contains profile details
Creating profile in prof_attr
uadd::Profile for user admin
init:::Profile for init process
/etc/security/exec_attr -- Privilege to profile
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid-0
init:suser:cmd:::/usr/sbin/init:euid=0
init:suser:cmd:::/usr/sbin/shutdown:euid=0
Creating Role
# roleadd –d /export/home/role1 –m role1
# passwd role1
Role to Profile
# rolemod –P uadd,init role1
Adding role to user
# usermod –R role1 user1
/etc/user_attr -- Details about role & user to role
Login as normal user
Switch to role profile & use the privilege command
/etc/security/auth_attr -- Authorization file -- Config file for users & this roles
No comments:
Post a Comment