Thursday, August 4, 2011

RBAC (Role Based Access Control)


/etc/user_attr → The extended user attributes database, which associates users and roles with authorizations and rights profiles, in addition to the /etc/passwd, /etc/group, and /etc/shadow files.

/etc/security/prof_attr → The rights profile attributes database, which defines profiles, lists each profile's assigned authorizations and any nested rights profiles, and identifies the associated help files.

/etc/security/exec_attr → The execution attributes database, which defines the privileged commands and scripts assigned to a profile.

/etc/security/auth_attr → The authorization attributes database, which defines authorizations and their attributes. This database also identifies the associated help file.

/etc/security/policy.conf → The file that provides the system default authorizations for users.


The /etc/user_attr Database


user:qualifier(reserved):res1(reserved):res2(reserved):attr

attr → An optional list of semicolon-separated (;) key=value pairs that describe the security attributes to be applied when the user runs commands. The keys are:
type → Can be normal or role. A role is assumed after the user has logged in.
auths → Specifies a comma-separated list of authorization names chosen from those defined in the auth_attr DB.
profiles → Specifies a comma-separated list of profile names chosen from the /etc/security/prof_attr DB.
roles → Specifies a comma-separated list of role names defined in the same /etc/user_attr DB. Roles are indicated by setting the type value to role. Roles cannot be assigned to other roles.

sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

The /etc/security/prof_attr Database


profname:res1:res2:desc(description):attr
attr : The security attributes to apply to the object upon execution. You can specify zero or more keys. The two valid keys are help and auths.
# grep 'Printer Management' /etc/security/prof_attr
   Printer Management:::Manage printers, daemons, \
……………………;auths=solaris.admin.printer.read, \

The Printer Management profile, which is defined in the /etc/security/prof_attr DB, is assigned to the sysadmin role in the /etc/user_attr DB.

The Printer Management profile is defined in the prof_attr DB as having all authorizations whose names begin with the string solaris.admin.printer. assigned to it. These authorizations themselves are defined in the /etc/security/auth_attr DB.

solaris.admin.printer.read:::view printer information::\

The /etc/security/exec_attr Database

name:policy:type:res1:res2:id:attr

name → Name of the profile.
policy → The security policy associated with this entry. The suser (superuser policy model) is the only valid policy entry.
type → The type of entity whose attributes are specified. The only valid type is cmd.
id → A string identifying the entity. A command should be given as a full path, or as a path containing a wildcard.
attr → The IDs the command runs with: euid or uid, and egid or gid.

Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp

The /etc/security/auth_attr Database


You can assign authorizations directly to users or roles in the /etc/user_attr DB. You can also assign authorizations to rights profiles, which are in turn assigned to roles.

authname:res1:res2:short_desc:long_desc:attr

authname → A unique character string that identifies the authorization, in the prefix.suffix[.] format.

The /etc/security/policy.conf file


This file lets you grant specific rights profiles and authorizations to all users. The two types of entries in the file are:
AUTHS_GRANTED=authorizations
PROFS_GRANTED=rights_profiles

# cat policy.conf
   AUTHS_GRANTED=solaris.device.cdrw
   PROFS_GRANTED=Basic Solaris User

# roleadd -m -d /export/home/tarback -c "Privileged tar backup role" -P "Media Backup,Media Restore" tarback
-A authorization and -P profile → Assign authorizations and rights profiles, respectively, to the role.

# rolemod -A auth1,auth2 -P profile1,profile2 role1


Additional Commands Used to Perform RBAC Functions


auths         Displays authorizations for a user
makedbm       Makes a dbm file
nscd          The name service cache daemon; useful for caching the details of the four RBAC DBs
pam_roles     The role account management module for the pluggable authentication modules (PAM) framework
pfexec        The profile shell used to execute commands with the attributes specified in exec_attr
policy.conf   The configuration file for the security policy; lists the granted authorizations
profiles      Displays profiles for a specified user
roles         Displays roles granted to a user
roleadd       Adds a role account to the system
rolemod       Modifies a role's account information in the system
roledel       Deletes a role's account from the system

Example

Profile → Privilege to Profile → Role → Profile to Role → Role to User

/etc/security/prof_attr → Contains profile details

Creating profiles in prof_attr
uadd:::Profile for user admin:
init:::Profile for init process:

/etc/security/exec_attr → Privilege to profile
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid=0
init:suser:cmd:::/usr/sbin/init:euid=0
init:suser:cmd:::/usr/sbin/shutdown:euid=0

Creating Role
# roleadd -d /export/home/role1 -m role1
# passwd role1

Role to Profile
# rolemod -P uadd,init role1

Adding role to user
# usermod -R role1 user1
/etc/user_attr → Holds the details about the role and which roles each user is allowed to assume
→ Log in as the normal user
→ Switch to the role and use the privileged commands from its profiles

/etc/security/auth_attr → Authorization file → Defines the authorizations referenced by users and their roles
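To see how the four databases and policy.conf fit together in the Profile → Role → User chain above, here is an added example (not from the original post or from Solaris itself) that parses constructed user_attr, prof_attr, exec_attr and policy.conf contents in the formats described and resolves which authorizations and privileged commands a given user can reach, directly or through the roles assigned to it. It handles backslash-continued records, nested profiles and the rule that a roles= entry only counts if it names a type=role account; all names and values in the sample data are made up.

```python
from collections import defaultdict

# Constructed sample databases: layouts follow the formats above; every name/value is made up.
USER_ATTR = ("sysadmin::::type=role;profiles=Printer Management\n"
             "johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin\n")
PROF_ATTR = ("Printer Management:::Manage printers, daemons, and spooling:\\\n"  # continued record
             "help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify\n"
             "Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read\n")
EXEC_ATTR = "Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp\n"
POLICY_CONF = "AUTHS_GRANTED=solaris.device.cdrw\nPROFS_GRANTED=Basic Solaris User\n"

def records(text):
    """Yield the colon-separated fields of each record; a trailing backslash continues a record."""
    buf = ""
    for line in text.splitlines():
        buf, cont = buf + line.rstrip("\\"), line.endswith("\\")
        if not cont and buf.strip() and not buf.startswith("#"):
            yield buf.split(":")
        buf = buf if cont else ""

def attrs(field):
    """Parse an attr field 'k=v1,v2;k2=v3' into {'k': ['v1', 'v2'], 'k2': ['v3']}."""
    pairs = (kv.split("=", 1) for kv in field.split(";") if "=" in kv)
    return {k.strip(): [x for x in v.split(",") if x] for k, v in pairs}

def expand(names, profs, seen=None):
    """Flatten nested profiles (prof_attr 'profiles=' key); loop-safe, unknown names skipped."""
    seen = set() if seen is None else seen
    for n in [n for n in names if n in profs and n not in seen]:
        seen.add(n)
        expand(profs[n].get("profiles", []), profs, seen)
    return seen

def rights(user, user_attr=USER_ATTR, prof_attr=PROF_ATTR, exec_attr=EXEC_ATTR, policy=POLICY_CONF):
    """Return (authorizations, [(role, command, attrs)]) reachable directly or through roles."""
    users = {r[0]: attrs(r[4]) for r in records(user_attr)}
    profs = {r[0]: attrs(r[4]) for r in records(prof_attr)}
    cmds = defaultdict(list)
    for r in records(exec_attr):
        cmds[r[0]].append((r[5], attrs(r[6])))
    defaults = attrs(policy.replace("\n", ";"))  # policy.conf is one KEY=value per line
    auths, commands, me = set(defaults.get("AUTHS_GRANTED", [])), [], users.get(user, {})
    # The user's own entry (plus PROFS_GRANTED defaults), then each type=role entry in roles=
    chain = [(None, me)] + [(r, users[r]) for r in me.get("roles", []) if users.get(r, {}).get("type") == ["role"]]
    for role, entry in chain:
        auths.update(entry.get("auths", []))
        for p in expand(entry.get("profiles", []) + ([] if role else defaults.get("PROFS_GRANTED", [])), profs):
            auths.update(profs[p].get("auths", []))
            commands += [(role, path, a) for path, a in cmds.get(p, [])]
    return auths, commands
```

Calling rights("johndoe") shows that /usr/sbin/accept with euid=lp is reachable only by assuming the sysadmin role, which is the check to run when auditing who can really execute a privileged command.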
