Friday, December 20, 2013

Configuring RBAC (Role Based Access Control) on Solaris10:


As I stated at the end of my last post, here I discuss configuring RBAC on Solaris 10.
Although we have the option to duplicate the root UID 0 to another user, that is NOT recommended on security grounds. Hence, to grant a user only selected roles/profiles of the root user, we move on and learn Role Based Access Control (RBAC).

RBAC is an alternative method of delegating privilege to a non-root user through authorizations, profiles or roles.

My personal observations:
1.     Even though configuring RBAC involves a few more files and steps to delegate privileges to a user than sudo does, it adds a layer of password security (a role has its own password).

2.     Another difference I observed is that whenever we use commands granted through sudo, the activity/commands are logged to the file /var/adm/messages by default (this can be customized by editing the file /usr/local/etc/sudoers), whereas when we execute commands through RBAC, whether by holding an authorization, a profile or a role, the activity/commands are NOT logged.

3.     When a user switches to an assigned role using su, /var/adm/sulog is updated. However, this will NOT show which commands were executed by that role; we only learn that a user switched to the role.


Configuration files:
/etc/user_attr:
- Extended user attributes database.
- Associates users and roles with authorizations and profiles.

NOTE:
When creating a new user account with no rights profiles, authorizations or roles, nothing is added to the file.

/etc/security/auth_attr:
- Authorization attributes database.
- Defines authorizations and their attributes and identifies the associated help file.

/etc/security/prof_attr:
- Rights profile attributes database.
- Defines rights profiles and lists each profile's assigned authorizations.

/etc/security/exec_attr:
- Profile attributes database.
- Defines the privileged operations assigned to a profile.

Roles:
- Have an entry in the files /etc/passwd and /etc/shadow
- Similar to a user account
- A collection of profiles


Profiles:
- Require a dedicated profile shell.
- A profile shell is assigned to the user or role.
- The Bourne shell and Korn shell have profile shell variants:
- pfsh (Bourne profile shell), pfksh (Korn profile shell).
- A profile contains a collection of commands.

NOTE:
1. If the user/role switches away from the specified profile shell, they are NOT permitted to execute the granted commands.
2. Although the entry is found in the /etc/passwd and /etc/shadow files, logging in to the system directly as a role is NOT allowed.
3. A role can only be used by switching to it from a user account with the "su" command.
4. We can also set up the "root" user as a role through a manual process. This approach prevents
users from logging in directly as the root user. Therefore, they must log in as themselves first, and then use the su command to assume the role.

We can apply RBAC to a user in the following ways:
1. Directly adding the authorization to the user account
2. Creating a profile and adding the profile to the user account
3. Creating a profile, adding it to a role, and then adding the role to the user account
4. Adding an authorization to a role and adding the role to a user

I. Adding authorization to a user account:
# useradd -m -d /export/home/NewUser -s /usr/bin/pfsh \
  -A solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write \
  NewUser

# passwd NewUser

Here we added existing authorizations to the user account with the -A option of the useradd command (the option takes a comma-separated list).
Note:
The shell assigned is a profile shell.


Output:
bash-3.00# su - NewUser
sunfire1% echo $SHELL
/usr/bin/pfsh

sunfire1% auths
solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write,sol
aris.device.cdrw,solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,sola
ris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solari
s.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,sol
aris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.
admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.r
ead,solaris.network.hosts.read,solaris.admin.volmgr.read
sunfire1% profiles
Basic Solaris User
All
sunfire1% profiles -l
All:
*
sunfire1% roles
No roles


# roles
- Lists the roles the user is authorized to assume.


# profiles
- Lists the rights profiles the user is authorized to execute.

# profiles -l
- Lists, per profile, the permitted commands a user can execute.


# auths
- Lists the authorizations mapped to the user account.
When a user is created with additional information such as authorizations, profiles or roles, the useradd
command adds an entry to the file /etc/user_attr.


Output (truncated):
NewUser::::type=normal;auths=solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write


Note:
A normal user with no authorizations, profiles or roles has no entry in this file.

II. Creating a profile and adding it to a user account.

What To Do:
1. Determine the name of the profile
2. Determine what commands have to be added to the profile
3. Edit the file /etc/security/prof_attr accordingly
4. Edit the file /etc/security/exec_attr, providing the list of
commands for the profile
5. Map the profile to the user

How To Do:
Example-1:
Profile name=testprofile
Commands added to the profile=shutdown,format,useradd,passwd

Step-1: Adding/Creating a profile
# vi /etc/security/prof_attr
testprofile:::This is a test profile to test RBAC
Here,
testprofile = name of the profile (first field)
This is a test profile to test RBAC = comment about the profile (last field, optional)


Step-2: Mapping the list of commands to the created profile
# vi /etc/security/exec_attr
testprofile:suser:cmd:::/usr/sbin/shutdown:uid=0
testprofile:suser:cmd:::/usr/sbin/format:uid=0
testprofile:suser:cmd:::/usr/sbin/useradd:uid=0
testprofile:suser:cmd:::/usr/bin/passwd:uid=0



Step-3: Mapping the profile to the user account
# useradd -m -d /export/home/TestUser -s /usr/bin/pfksh -P testprofile TestUser
Here we have added the profile named "testprofile" to the user.

Output:
bash-3.00# su - TestUser

sunfire1% echo $SHELL
/usr/bin/pfksh
sunfire1% roles
No roles


sunfire1% profiles
testprofile
Basic Solaris User
All
sunfire1% profiles -l
testprofile:
/usr/sbin/shutdown uid=0
/usr/sbin/format uid=0
/usr/sbin/useradd uid=0
/usr/bin/passwd uid=0
All:
*
 
Example-2
Profile name: complete
Commands added: all commands (*), i.e. a profile carrying all root privileges

Step-1: Adding/Creating a profile
# vi /etc/security/prof_attr
complete:::This is to test the duplication of root profile
Here,
complete = name of the profile (first field)
This is to test the duplication of root profile = comment about the profile (last field, optional)



Step-2: Mapping the list of commands to the created profile
# vi /etc/security/exec_attr
complete:suser:cmd:::*:uid=0


Step-3: Mapping the profile to the user account
# useradd -m -d /export/home/KingUser -s /usr/bin/pfsh -P complete KingUser

Output:
bash-3.00# su - KingUser

sunfire1# echo $USER
root

sunfire1# roles
No roles

sunfire1# profiles
Web Console Management
All
Basic Solaris User
sunfire1# profiles -l | more
Web Console Management:
/usr/share/webconsole/private/bin/smcwebstart uid=noaccess,
gid=noaccess,
privs=proc_audit
All:
*
 
Note:
1. The output of the commands
# profiles
# profiles -l
will be similar to that of the root user.
2. From the above output we can also observe the change in the user's shell prompt. Normally a
user's prompt is $, but since all privileges are given to this user, the prompt is #.

III. Creating a role and a profile, and mapping them to the user account.
What To Do:
1. Determine the name of the user
2. Create the role
3. Assign a password to the role
   Note:
   a. A role must have a password.
   b. Without a password it is not possible to assume that role.
4. Create a profile
5. Add the list of commands to the profile
6. Add the profile to the role
7. Add the role to the user

Note:
This method adds another layer of security by requiring a password for the role.

 


How To Do:
Step-1: Create a role
# roleadd -m -d /export/home/policy -s /usr/bin/pfsh policy
1. This command updates the following files:
a. /etc/passwd
b. /etc/shadow
c. /etc/user_attr


Output:
bash-3.00# roleadd -m -d /export/home/policy -s /usr/bin/pfsh policy
80 blocks

bash-3.00# passwd policy
New Password:
Re-enter new Password:
passwd: password successfully changed for policy

bash-3.00# grep policy /etc/passwd
policy:x:112:1::/export/home/policy:/usr/bin/pfsh

bash-3.00# grep policy /etc/shadow
policy:xXuxPLl/Wt13Q:14512::::::

bash-3.00# grep policy /etc/user_attr
policy::::type=role;profiles=All



Step-2: Creating a profile
Note: To create a profile, refer to section II, Creating a profile.
Let's make use of the existing profile created above.
For instance, let's take the profile "testprofile".


Step-3: Adding the profile to the role
# rolemod -P testprofile,All policy

This adds the profile named "testprofile" to the existing role "policy" (keeping its default "All" profile).
Now we can observe the changes to the file /etc/user_attr


Output:
quality::::type=normal;roles=complete;auths=solaris.admin.usermgr.pswd,
solaris.system.shutdown,solaris.admin.fsmgr.write


Step-4: Mapping the role to the user:
# useradd -m -d /export/home/NewBoy -R policy -s /bin/bash NewBoy
Adding a role to the user.

Output:
bash-3.00# useradd -m -d /export/home/NewBoy -R policy -s /bin/bash NewBoy
80 blocks

bash-3.00# passwd NewBoy
New Password:
Re-enter new Password:

passwd: password successfully changed for NewBoy
bash-3.00# su - NewBoy
sunfire1% auths
solaris.device.cdrw,solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,s
olaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,sol
aris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,
solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solar
is.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmg
r.read,solaris.network.hosts.read,solaris.admin.volmgr.read
sunfire1% profiles
Basic Solaris User
All
sunfire1% profiles -l
All:
*
sunfire1% roles
policy
sunfire1% su policy
Password:
sunfire1% profiles
testprofile
All
Basic Solaris User
sunfire1% profiles -l
testprofile:
/usr/sbin/shutdown uid=0
/usr/sbin/format uid=0
/usr/sbin/useradd uid=0
/usr/bin/passwd uid=0
All:
*

Note:
Authorized activity can be performed by the user only after switching to the role.
A role account CANNOT be logged into directly.


Output:
bash-3.00# su - NewBoy
sunfire1% su policy
Password:
$ /usr/sbin/shutdown -g 180 -i 5
Shutdown started. Fri Sep 25 17:26:01 IST 2009
Broadcast Message from root (pts/3) on sunfire1 Fri Sep 25 17:26:01...


The system sunfire1 will be shut down in 3 minutes
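As an added example (not part of the original post), here is an offline audit script that walks the databases used in sections II and III: it resolves the profiles an account reaches directly and through its roles, lists the commands exec_attr grants through them, and counts privileged wildcard entries like the "complete" profile. The user_attr and exec_attr entries are constructed samples mirroring the accounts created above, and the function names are this example's own.

```shell
#!/bin/sh
# Offline audit of the RBAC databases (added example, not from the post): resolves the
# profiles an account holds directly and via roles, lists the commands exec_attr grants
# through them, and counts wildcard ("*") ids that carry attributes such as uid=0, which
# make every command privileged. Paths are parameters, so it also runs on copies of
# /etc/user_attr and /etc/security/exec_attr. Function names are this example's own.
ua_field() {   # ua_field <user_attr> <name> <key>: value of KEY in NAME's attr field
    awk -F: -v n="$2" -v k="$3" '$1 == n { c = split($5, a, ";")
        for (i = 1; i <= c; i++) { split(a[i], kv, "="); if (kv[1] == k) print kv[2] } }' "$1"
}
# Print "profile<TAB>via" for every profile NAME holds; via is "direct" or the role name.
rbac_profiles() {   # rbac_profiles <user_attr> <name>
    ua_field "$1" "$2" profiles | tr ',' '\n' | awk '{ print $0 "\tdirect" }'
    for r in $(ua_field "$1" "$2" roles | tr ',' ' '); do
        ua_field "$1" "$r" profiles | tr ',' '\n' | awk -v r="$r" '{ print $0 "\t" r }'
    done
}
# Print PROFILE's cmd entries as "id attrs"; a "*" id with non-empty attrs is flagged.
# (The stock "All" profile also uses "*", but with no attrs, so it grants no privilege.)
rbac_commands() {   # rbac_commands <exec_attr> <profile>
    awk -F: -v p="$2" '$1 == p && $3 == "cmd" {
        print $6 " " $7 ($6 == "*" && $7 != "" ? "  <-- WILDCARD" : "") }' "$1"
}
# Count privileged wildcard entries reachable by NAME through any of its profiles.
rbac_wildcards() {   # rbac_wildcards <user_attr> <exec_attr> <name>
    rbac_profiles "$1" "$3" | cut -f1 | sort -u | while read -r p; do
        rbac_commands "$2" "$p"
    done | grep -c WILDCARD || true   # grep -c exits 1 on a zero count; keep the "0"
}

# Constructed sample databases mirroring the accounts created in this post.
RBAC_DIR=$(mktemp -d)
trap 'rm -rf "$RBAC_DIR"' EXIT
cat > "$RBAC_DIR/user_attr" <<'EOF'
NewUser::::type=normal;auths=solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write
KingUser::::type=normal;profiles=complete
policy::::type=role;profiles=testprofile,All
NewBoy::::type=normal;roles=policy
EOF
cat > "$RBAC_DIR/exec_attr" <<'EOF'
All:suser:cmd:::*:
testprofile:suser:cmd:::/usr/sbin/shutdown:uid=0
testprofile:suser:cmd:::/usr/bin/passwd:uid=0
complete:suser:cmd:::*:uid=0
EOF

# NewBoy reaches testprofile only through the policy role; KingUser reaches a root-equivalent "*".
rbac_profiles "$RBAC_DIR/user_attr" NewBoy
echo "KingUser privileged wildcard entries: $(rbac_wildcards "$RBAC_DIR/user_attr" "$RBAC_DIR/exec_attr" KingUser)"
```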


Note:
The default authorizations assigned to every user are defined in the file /etc/security/policy.conf:
bash-3.00# grep -i auths /etc/security/policy.conf
AUTHS_GRANTED=solaris.device.cdrw