System Administration Guide: Security Services
Previous Next

Configuring RBAC

RBAC can be configured with the following utilities:

  • Solaris Management Console GUI – The preferred method for performing RBAC-related tasks is through the GUI. The console tools for managing the RBAC elements are contained in the Users Tool collection.

  • Solaris Management Console commands – With the Solaris Management Console command-line interfaces, such as smrole, you can operate on any name service. The Solaris Management Console commands require authentication to connect to the server. As a result, these commands are not practical for use in scripts.

  • Local commands – With the user* and role* set of command-line interfaces, such as useradd, you can operate on local files only. The commands that operate on local files must be run by superuser or by a role with the appropriate privileges.

How to Plan Your RBAC Implementation

RBAC can be an integral part of how an organization manages its information resources. Planning requires a thorough knowledge of the RBAC capabilities as well as the security requirements of your organization.

  1. Learn the basic RBAC concepts.

    Read Role-Based Access Control (Overview). Using RBAC to administer a system is very different from using conventional UNIX administrative practices. You should be familiar with the RBAC concepts before you start your implementation. For greater detail, see Chapter 10, Role-Based Access Control (Reference).

  2. Examine your security policy.

    Your organization's security policy should detail the potential threats to your system, measure the risk of each threat, and have a strategy to counter these threats. Isolating the security-relevant tasks through RBAC can be a part of the strategy. Although you can install the recommended roles and their configurations as is, you might need to customize your RBAC configuration to adhere to your security policy.

  3. Decide how much RBAC your organization needs.

    Depending on your security needs, you can use varying degrees of RBAC, as follows:

    • No RBAC – You can perform all tasks as root user. In this configuration, you log in as yourself. Then, you type root as the user when you select a Solaris Management Console tool.

    • Single Role Only – This method adds one role. The one role is assigned the Primary Administrator rights profile. This method is similar to the superuser model, in that the role has superuser capabilities. However, this method enables you to track the user who has assumed the role.

    • Recommended Roles – This method creates three roles that are based on the following rights profiles: Primary Administrator, System Administrator, and Operator. The roles are suitable for organizations with administrators at different levels of responsibility.

    • Custom Roles – You can create your own roles to meet the security requirements of your organization. The new roles can be based on existing or customized rights profiles. To customize rights profiles that enforce separation of duty, see Creating Roles and Users in Trusted Extensions in Solaris Trusted Extensions Administrator’s Procedures.

    • Root User as a Role – This method prevents any user from logging in as root. Instead, users must log in as ordinary users prior to assuming the root role. For details, see How to Make root User Into a Role.

  4. Decide which recommended roles are appropriate for your organization.

    Review the capabilities of the recommended roles and default rights profiles. Default rights profiles enable administrators to configure a recommended role by using a single profile.

    Three default rights profiles are available for configuring the recommended roles:

    • Primary Administrator rights profile – For configuring a role that can perform all administrative tasks, can grant rights to others, and can edit rights that are associated with administrative roles. A user in this role can assign this role to other users, and can grant rights to other users.

    • System Administrator rights profile – For configuring a role that can perform most administrative tasks that are not related to security. For example, the System Administrator can add new user accounts, but cannot set passwords or grant rights to other users.

    • Operator rights profile – For configuring a role that can perform simple administrative tasks, such as media backup and printer maintenance.

    To further examine rights profiles, read one of the following:

    • In the /etc/security directory, read the contents of the prof_attr database and the exec_attr database.

    • In the Solaris Management Console, use the Rights tool to display the contents of a rights profile.

    • In this book, refer to Contents of Rights Profiles for summaries of some typical rights profiles.

  5. Decide if any additional roles or rights profiles are appropriate for your organization.

    Look for other applications or families of applications at your site that might benefit from restricted access. Applications that affect security, that can cause denial-of-service problems, or that require special administrator training are good candidates for RBAC. You can customize roles and rights profiles to handle the security requirements of your organization.

    1. Determine which commands are needed for the new task.
    2. Decide which rights profile is appropriate for this task.

      Check if an existing rights profile can handle this task or if a separate rights profile needs to be created.

    3. Determine which role is appropriate for this rights profile.

      Decide if the rights profile for this task should be assigned to an existing role or if a new role should be created. If you use an existing role, check that the other rights profiles are appropriate for users who are assigned to this role.

  6. Decide which users should be assigned to the available roles.

    According to the principle of least privilege, you should assign users to roles that are appropriate to their level of trust. When you prevent users from access to tasks that the users do not need to perform, you reduce potential problems.

How to Create and Assign a Role by Using the GUI

To create a new role, you can be superuser, or you can use the Primary Administrator role. In this procedure, the creator of the new role has assumed the role of Primary Administrator.

Before You Begin
  1. Start the Solaris Management Console.
    # /usr/sbin/smc &

    For login instructions, see How to Assume a Role in the Solaris Management Console.

  2. Click the Administrative Roles icon.
  3. Select Add Administrative Role from the Action menu.
  4. Create a new role by filling in the fields in the series of dialog boxes.

    For possible roles, see Example 9-1 to Example 9-4.


    Tip - All tools in the Solaris Management Console display information in the bottom section of the page or at the left side of a wizard panel. Choose Help at any time to find additional information about performing tasks in this interface.


  5. Assign the role to a user.

    Tip - After filling in the properties of the role, the last dialog box prompts you for a user for the role.


  6. In a terminal window, restart the name service cache daemon.
    # svcadm restart system/name-service-cache

    For more information, see the svcadm(1M) and nscd(1M) man pages.

Example 9-1 Creating a Role for the System Administrator Rights Profile

In this example, the new role can do system administration tasks that are not connected to security. The role is created by performing the preceding procedure with the following parameters:

  • Role name: sysadmin

  • Role full name: System Administrator

  • Role description: Performs non-security admin tasks

  • Rights profile: System Administrator

    This rights profile is at the top of the list of profiles that are included in the role.

Example 9-2 Creating a Role for the Operator Rights Profile

The Operator rights profile can manage printers and back up the system to offline media. You might want to assign the role to one user on each shift. To do so, you would select the role mailing list option in the Step 1: Enter a Role Name dialog box. The role is created by performing the preceding procedure with the following parameters:

  • Role name: operadm

  • Role full name: Operator

  • Role description: Backup operator

  • Rights profile: Operator

    This rights profile must be at the top of the list of profiles that are included in the role.

Example 9-3 Creating a Role for a Security-Related Rights Profile

By default, the only rights profile that contains security-related commands and rights is the Primary Administrator profile. If you want to create a role that is not as powerful as Primary Administrator, but can handle some security-related tasks, you must create the role.

In the following example, the role protects devices. The role is created by performing the preceding procedure with the following parameters:

  • Role name: devicesec

  • Role full name: Device Security

  • Role description: Configures Devices

  • Rights profile: Device Security

In the following example, the role secures systems and hosts on the network. The role is created by performing the preceding procedure with the following parameters:

  • Role name: netsec

  • Role full name: Network Security

  • Role description: Handles IPsec, IKE, and SSH

  • Rights profile: Network Security

Example 9-4 Creating a Role for a Rights Profile With Limited Scope

A number of rights profiles are of limited scope. In this example, the sole task of the role is to manage DHCP. The role is created by performing the preceding procedure with the following parameters:

  • Role name: dhcpmgt

  • Role full name: DHCP Management

  • Role description: Manages Dynamic Host Config Protocol

  • Rights profile: DHCP Management

Example 9-5 Modifying a User's Role Assignment

In this example, a role is added to an existing user. The user's role assignment is modified by clicking the User Accounts icon in the Users tool in the Solaris Management Console, double-clicking the user, and following the online help to add a role to the user's capabilities.

Troubleshooting

Check the following if the role does not have the capabilities that it should:

  • Are the role's rights profiles listed in the GUI from most to least powerful?

    For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list.

  • Do the commands in the role's rights profiles have the appropriate security attributes?

    For example, when the policy is suser, some commands require uid=0 rather than euid=0.

  • Is the rights profile defined in the appropriate name service scope? Is the role operating in the name service scope where the rights profile is defined?

  • Has the name service cache, svc:/system/name-service-cache, been restarted?

    The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data.

How to Create a Role From the Command Line

The Solaris Management Console GUI is the preferred method for managing RBAC. To use the GUI, see How to Create and Assign a Role by Using the GUI. You can also use the command-line interfaces, as described in this procedure.


Note - Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. You can use both tools to administer RBAC, but you cannot use both concurrently.


Before You Begin

To create a role, you must either assume a role that includes the Primary Administrator rights profile, or switch to the user root.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Choose one of the following commands to create a role on the command line.
    • For roles in the local name service scope, use the roleadd command.

      Note - The roleadd command is more limited than the Solaris Management Console GUI or command-line interfaces. After running the roleadd command, you must run the usermod command to assign the role to a user. And, the user then must set the password for the role, as shown in How to Assign a Role to a Local User.


      # roleadd -c comment \
      -g group -m homedir -u UID -s shell \
      -P profile rolename
      -c comment

      Is a comment that describes rolename.

      -g group

      Is the group assignment for rolename.

      -m homedir

      Is the path to the home directory for rolename.

      -u UID

      Is the UID for rolename.

      -s shell

      Is the login shell for rolename. This shell must be a profile shell.

      -P profile

      Is one or more rights profiles for rolename.

      rolename

      Is the name of the new local role.

    • Use the smrole add command.

      This command creates a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.

      $ /usr/sadm/bin/smrole -D domain-name \ 
      -r admin-role -l <Type admin-role password> \
      add -- -n rolename -a rolename -d directory\
      -F full-description -p profile
      -D domain-name

      Is the name of the domain that you want to manage.

      -r admin-role

      Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.

      -l

      Is the prompt for the password of admin-role.

      --

      Is the required separator between authentication options and subcommand options.

      -n rolename

      Is the name of the new role.

      -c comment

      Is the comment that describes the capabilities of the role.

      -a username

      Is the name of the user who can assume rolename.

      -d directory

      Is the home directory for rolename.

      -F full-description

      Is the full description for rolename. This description is displayed in the Solaris Management Console GUI.

      -p profile

      Is a rights profile that is included in the capabilities of rolename. This option gives commands with administrative capabilities to the role. You can specify multiple -p profile options.

  3. To put the changes into effect, see How to Assign a Role to a Local User.
Example 9-6 Creating a Custom Operator Role by Using the smrole Command

The smrole command specifies a new role and its attributes in a name service. In the following example, the Primary Administrator creates a new version of the Operator role. The role includes the standard Operator rights profile as well as the Media Restore rights profile. Note that the command prompts you for a password for the new role.

% su - primaryadm
Password: <Type primaryadm password> 
$ /usr/sadm/bin/smrole add -H myHost -- -c "Backup and Restore Operator" \
-n operadm2 -a janedoe -d /export/home/operadm \
-F "Backup/Restore Operator" -p "Operator" -p "Media Restore"
Authenticating as user: primaryadm

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <Type primaryadm password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadm was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::<Type operadm2 password>

$ svcadm restart system/name-service-cache

The smrole command with the list subcommand is used to display the new role:

$ /usr/sadm/bin/smrole list --
Authenticating as user: primaryadm

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <Type primaryadm password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadm was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.
root                    0             Superuser
primaryadm            100             Most powerful role
sysadmin              101             Performs non-security admin tasks
operadm               102             Backup Operator
operadm2              103             Backup/Restore Operator

How to Assign a Role to a Local User

This procedure assigns a local role to a local user, restarts the name cache daemon, and then shows how the user can assume the role.

To assign a role to a user in a distributed name service, see How to Create a Role From the Command Line and How to Change the Properties of a Role.

Before You Begin

You have added a local role, as described in How to Create a Role From the Command Line. You must have assumed the role of Primary Administrator or have switched to superuser.

  1. Assign the role to a local user.

    If you added a local role with the roleadd command, this step is required. This step is optional when you use the smrole command and the Solaris Management Console to create a role.

    # usermod -u UID -R rolename
    -u UID

    Is the UID of the user.

    -R rolename

    Is the role that is being assigned to the user.

  2. To put the changes into effect, restart the name service cache daemon.
    # svcadm restart system/name-service-cache

    If you added a role with a Solaris Management Console interface, go to Using Roles (Task Map). Otherwise, continue with the next step.

  3. (Optional) To unlock the role account, the user must create a password.

    If you added a local role with the roleadd command, this step is required.

    % su - rolename
    Password: <Type rolename password>
    Confirm Password: <Retype rolename password>
    $
Example 9-7 Creating and Assigning a Local Role From the Command Line

In this example, a role is created to administer the Solaris Cryptographic Framework. The Crypto Management rights profile contains the cryptoadm command for administering hardware and software cryptographic services on a local system.

# roleadd -c "Cryptographic Services manager" \
-g 14 -m /export/home/cryptoadm -u 104 -s pfksh \
-P "Crypto Management" cryptomgt
# usermod -u 1111 -R cryptomgt
# svcadm restart system/name-service-cache
% su - cryptomgt
Password: <Type cryptomgt password>
Confirm Password: <Retype cryptomgt password>
$ /usr/ucb/whoami
cryptomgt
$

For information about the Solaris Cryptographic Framework, see Chapter 13, Solaris Cryptographic Framework (Overview). To administer the framework, see Administering the Cryptographic Framework (Task Map).

How to Audit Roles

The actions that a role performs can be audited. Included in the audit record is the login name of the user who assumed the role, the role name, and the action that the role performed. The 6180:AUE_prof_cmd:profile command:ua,as audit event collects the information. By preselecting the as class or the ua class, you can audit role actions.

  1. Plan for auditing and edit the audit configuration files.

    For more information, see Solaris Auditing (Task Map).

  2. Include the ua class or the as class in the flags line of the audit_control file.
    # audit_control file
    dir:/var/audit
    flags:lo,as
    minfree:20
    naflags:lo

    The ua class and the as class include other audit events. To see the audit events that are included in a class, read the audit_event file. You can also use the bsmrecord command, as shown in Example 30-25.

  3. Finish configuring the auditing service, then enable auditing.

    For more information, see Configuring and Enabling the Auditing Service (Tasks).

How to Make root User Into a Role

This procedure shows how to change root from a login user to a role. When you complete this procedure, you can no longer directly log in to the system as root, except in single-user mode. You must be assigned the root role and su to root.

By changing the root user into a role, you prevent anonymous root login. Because a user must log in and then assume the root role, the user's login ID is provided to the auditing service and is in the sulog file.

In this procedure, you create a local user and assign the root role to the user. To prevent users from assuming the role, see Example 9-8.

  1. As a regular user, log in to the target system.
  2. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  3. Create a local user who can assume the root role.

    For safety, at least one local user should be assigned the root role.

    $ useradd -c comment -u uid -d homedir username
    -c comment

    Is the comment that describes the user.

    -d homedir

    Is the home directory of the user. This directory should be on the local system.

    -u uid

    Is the user identification number.

    username

    Is the name of the new local user.

    # useradd -c "JDoe's local account" -u 123 -d /export/home1 jdoe-local
  4. Give the user a password.
    # passwd -r files jdoe-local
    New Password:    <Type password>
    Re-enter new Password: <Retype password>
    passwd: password successfully changed for jdoe-local
    #
  5. Make sure that you are not logged in as root.
    # who
    jdoe    console      May 24 13:51    (:0)
    jdoe    pts/5        May 24 13:51    (:0.0)
    jdoe    pts/4        May 24 13:51    (:0.0)
    jdoe    pts/10       May 24 13:51    (:0.0)
  6. Change root user into a role.
    # usermod -K type=role root
  7. Verify that root is a role.

    The root entry in the user_attr file should appear similar to the following:

    # grep root /etc/user_attr
    root::::type=role;auths=solaris.*,solaris.grant;profiles=...
  8. Assign the root role to your local account.
    # usermod -R root jdoe-local

    Caution - If you do not assign the root role to a user, no one can become superuser, except in single-user mode. You must type a root password to enter single-user mode.


  9. Configure the name service to return in case of failure.
    1. Open a new terminal window and assume the root role.
      % whoami
      jdoe
      % su - jdoe-local
      Enter password:   <Type jdoe-local password>
      % roles
      root
      % su - root
      Enter password:   <Type root password>
      #
    2. Edit the nsswitch.conf file.

      For example, the following entries in the nsswitch.conf file would enable the name service to return.

      passwd:  files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
      group:  files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
  10. (Optional) Assign the root role to selected user accounts in the name service.

    For the procedure, see How to Change the RBAC Properties of a User.

Example 9-8 Preventing the root Role From Being Used to Configure a System

In this example, site security policy requires that several discrete roles configure the system. These discrete roles have been created and tested. To prevent the root account from being used to configure the system, the security administrator changes root into a role, but does not assign the role. The root role retains a password to enter the system in single-user mode.

First, the administrator verifies that root is not an assigned role.

% whoami
jdoe-local
% su - root
Password: a!2@3#4$5%6^7
# grep roles /etc/user_attr
jdoe-local::::type=normal;roles=secadmin
kdoe-local::::type=normal;roles=sysadmin

Still in the root account, the administrator changes root into a role.

# usermod -K type=role root

Then, the administrator verifies the change in the root entry in the user_attr file.

# grep root /etc/user_attr
root::::type=role;auths=solaris.*,solaris.grant;profiles=...
Example 9-9 Changing the root Role Back Into the root User

In this example, the administrator is decommissioning a system and wants to log in to the desktop as superuser. The system has been removed from the network.

First, the administrator assumes the root role to remove all root role assignments.

% whoami
jdoe-local
% su - root
Password: a!2@3#4$5%6^7
# grep roles /etc/user_attr
jdoe-local::::type=normal;roles=root
kdoe-local::::type=normal;roles=root
# usermod -R "" jdoe-local
# usermod -R "" kdoe-local
# grep roles /etc/user_attr
#

Still in the root role, the administrator changes root into a user.

# rolemod -K type=normal root

Then, the administrator verifies the change in the root entry in the user_attr file.

# grep root /etc/user_attr
root::::type=normal;auths=solaris.*,solaris.grant;profiles=...
Troubleshooting

In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system. If you do not have a local account that can assume the root role, create one. As root, log in to the system in single-user mode, create a local user account, and assign the root role to the new account. Then, log in as the new user and assume the root role.

No one can become superuser if you change the root user into a role and fail to make one of the following assignments:

  • Assign the root role to a valid user.

  • Assign a rights profile that is equivalent to root's rights profile to a valid user. The Primary Administrator profile is an equivalent rights profile for root capabilities.

  • Create a role that has the capabilities of root and assign the role to a valid user. A role that is assigned the Primary Administrator profile is equivalent to the root role.

Previous Next