Monday, February 15, 2010

Secuirty Administration : RBAC


RBAC - Role Based Acess Control:

RBAC is an alternative method to assign special privilidge to a non-root user as an authorization or as role or as profile.


Note:
In Linux the same implementation is said to be us SUDO.

Configuration files:
/etc/user_attr:
- Extended user attributes Database
- Associates users and roles with authrizations and profiles
NOTE:
When creating a new user account with no rights profiles, authorizations or roles, nothing is added to the file.

/etc/security/auth_attr:
- Authrization attributes Database
- Defines authorizations and their attributes and identifies the associated help file


/etc/security/prof_attr:
- Rights profile attributes database
- Defines profiles, lists the profile's assigned authorizations, and identifies the associated help


/etc/security/exec_attr:
- Profile attributes database
- Defines the privileged operations assinged to a profile

Roles:
- Will have an entry to the file /etc/passwd and /etc/shadow
- Similar to user account
- Collection of profiles

Profiles:
- Will have a dedicated shell
- Profile shells will assingned
- Bourne Shell & Kron shell have profile shells
- pfsh (bourne profile shell), pfksh (korn profile shell)
- Is collection of numbner of commands.

NOTE:

1. If the user/role change from the specified profile shell then they are not permitted to execute the authorized commands
2. It's not possible to login to the system directly using role.
A role can only be used by switching the user to the role with "su" command.
3. We can also set up the "root" user as a role through a manaul process. This approach prevents users from logging in directory as the root user. Therefore, they must login as themselves first, and then use the su command to assume the role.



We can perform RBAC by three ways to an user:
1. Directly adding the authorization to the user account
2. Creating a profile, and adding the profile to the user account
3. Creating a profile, adding it to role, then adding the role to the user account.
4. Adding authorization to role and adding the role to an user


I. Adding authorization to an user account:

# useradd -m -d /export/home/shyam -s /usr/bin/pfsh \
-A solaris.admin.usermgr.pswd \
solaris.system.shutdown \
solaris.system.admin.fsmgr.write shyam


# passwd shyam

Here, we had added the existing authorization to the user account using -A option with #useradd command

Note:
The shell assinged is profile shell.

Output:
bash-3.00# su – shyam

sunfire1% echo $SHELL
/usr/bin/pfsh

sunfire1% auths
solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write,solaris.device.cdrw,solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
sunfire1% profiles
Basic Solaris User
All

sunfire1% profiles -l

All:
*

sunfire1% roles
No roles


# roles
- Returns the information about, to which roles the user is authorized to login

# profiles
- Returns the information about, to which profile the user is authorized to execute


# profiles -l
- Retuns the detailed information about the permitted commands that can be executed by the user

# auths
- Returns the information about the permitted autorization mapped to the user account.


When a user is created with addittional information like authrization, profiles or roles, # useradd command update the entry to the file
/etc/user_attr


Output: (Relevant to the topic)
prabhu::::type=normal;auths=solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write


Note:
We cannot see an entry to the file for a normal user.



II. Creating a profile and adding it to an user account:

WTD:
1. Determine the name of the profile
2. Determine what commands has to be added to the profile
3. Edit the file /etc/security/prof_attr file accodingly
4. Edit the file /etc/security/exec_attr file by providing the list of
commands to the profile
5. Map the profile to the user

HTD:
Eample-1:
Profile name=testprofile
Commands added to the profile=shutdown,format,useradd,passwd

Step-1: Adding/Creating a profile
# vi /etc/security/prof_attr
testprofile:::This is a test profile to test RBAC
1 2

Here,
1 = Name of the profile
2 = Comment about the profile (Optional)



Step-2: Mapping the list of commands to the created profile
# vi /etc/security/exec_attr
testprofile:suser:cmd:::/usr/sbin/shutdown:uid=0
testprofile:suser:cmd:::/usr/sbin/format:uid=0
testprofile:suser:cmd:::/usr/sbin/useradd:uid=0
testprofile:suser:cmd:::/usr/bin/passwd:uid=0


Step-3: Mapping the profile to the user account
# useradd -m -d /export/home/accel -s /usr/bin/pfksh -P testprofile accel

Here we have added the profile named "testprofile" to the user.

Output:
bash-3.00# su - accel
sunfire1% echo $SHELL
/usr/bin/pfksh

sunfire1% roles
No roles

sunfire1% profiles
testprofile
Basic Solaris User
All

sunfire1% profiles -l

testprofile:
/usr/sbin/shutdown uid=0
/usr/sbin/format uid=0
/usr/sbin/useradd uid=0
/usr/bin/passwd uid=0
All:
*



Example-2
Profile name: complete
List of commands added: Creating a profile with all root privilidges

Step-1:
Step-1: Adding/Creating a profile
# vi /etc/security/prof_attr
complete:::This is to test the duplication of root profile
1 2

Here,
1 = Name of the profile
2 = Comment about the profile (Optional)



Step-2: Mapping the list of commands to the created profile
# vi /etc/security/exec_attr
complete:suser:cmd:::*:uid=0

Step-3: Mapping the user to the profile
# useradd -m -d /export/home/aita -s /usr/bin/pfsh -P complete aita




Output:
bash-3.00# su - aita
sunfire1# echo $USER
root

sunfire1# roles
No roles

sunfire1# profiles
Web Console Management
All
Basic Solaris User

sunfire1# profiles -l | more

Web Console Management:
/usr/share/webconsole/private/bin/smcwebstart uid=noaccess,
gid=noaccess,
privs=proc_audit
All:
*


Note:
1. The output of the commands
# profiles
# profiles -l
will be similar for the root user.

2. From the above output, we can also observe the change in the shell of the user. Normally for the user the shell is $, but since the all the privilidge is given to the user, the shell is #


III. Creating a role, profile and mapping it to the user account.
WTD:
1. Determine the name of the user
2. Create the role
3. Assign the password to the role
Note:
a. Role should have a password to it.
b. Without having a password it's not possible to login to that role

4. Create a profile
5. Add the list of commands to the profile
6. Add the profile to the role
7. Add the role to the user

Note:
This method has some more layer of security by assiging a password to a role.








HTD:
Step-1: Create a role

# roleadd -m -d /export/home/policy -s /usr/bin/pfsh policy

1. This command will update the following files
a. /etc/passwd
b. /etc/shadow
c. /etc/user_attr

Output:
bash-3.00# roleadd -m -d /export/home/policy -s /usr/bin/pfsh policy
80 blocks

bash-3.00# passwd policy
New Password:
Re-enter new Password:
passwd: password successfully changed for policy

bash-3.00# grep policy /etc/passwd
policy:x:112:1::/export/home/policy:/usr/bin/pfsh

bash-3.00# grep policy /etc/shadow
policy:xXuxPLl/Wt13Q:14512::::::

bash-3.00# grep policy /etc/user_attr
policy::::type=role;profiles=All



Step-2: Creating a profile

Note: To create a profile pls do refer II Creating a profile.

Let's make use of the above existing profile.
For eg, let's take the profile "testprofile"


Step-3: Adding the profile to the role

# rolemod -P testprofile,All policy

Adds the profile named "testprofile" to the existing role "quality".


Now we can observe the changes to the file /etc/user_attr
Output:
quality::::type=normal;roles=complete;auths=solaris.admin.usermgr.pswd,

solaris.system.shutdown,solaris.admin.fsmgr.write


Step-4: Mapping the role to the user:
# useradd -m -d /export/home/nokia -R policy -s /bin/bash nokia

Adding a role to the user.

Output:
bash-3.00# useradd -m -d /export/home/nokia -R policy -s /bin/bash nokia
80 blocks

bash-3.00# passwd nokia
New Password:
Re-enter new Password:
passwd: password successfully changed for nokia

bash-3.00# su – nokia

sunfire1% auths
solaris.device.cdrw,solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read

sunfire1% profiles
Basic Solaris User
All
sunfire1% profiles -l

All:
*

sunfire1% roles
policy

sunfire1% su policy
Password:

sunfire1% profiles
testprofile
All
Basic Solaris User

sunfire1% profiles -l

testprofile:
/usr/sbin/shutdown uid=0
/usr/sbin/format uid=0
/usr/sbin/useradd uid=0
/usr/bin/passwd uid=0
All:
*


Note:
Authorized acitivity can be performed by the user, only after switch to the role.
Role user account CANNOT be directly logged into the system.



Output:
bash-3.00# su – nokia

sunfire1% su policy
Password:
$ /usr/sbin/shutdown -g 180 -i 5

Shutdown started. Fri Sep 25 17:26:01 IST 2009

Broadcast Message from root (pts/3) on sunfire1 Fri Sep 25 17:26:01...
The system sunfire1 will be shut down in 3 minutes



Note:

Default auths is assigned to an used is defined in the file /etc/security/policy.conf

bash-3.00# grep -i auths /etc/security/policy.conf
AUTHS_GRANTED=solaris.device.cdrw
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)