User's Manual

Solaris 9 Security CX-310-301 54
- SULOG – Normally set to /var/adm/sulog. Defines the log file that is written to when the su command is run.
- CONSOLE – Normally commented out, but is set to /dev/console. If set, this sends a message to the console when su is run. It is recommended that this line be uncommented, so the system administrator can monitor its usage.
- PATH – Normally commented out, but is set to /usr/bin. This should be set to a minimum number of entries to restrict the commands that can be run.
- SUPATH – Normally commented out, but is set to /usr/sbin:/usr/bin. Defines the PATH that is set when the su is to root. This should be inspected to make sure the current directory “.” is not included (note that a trailing “:” character also implies the current directory).
- SYSLOG – Normally set to YES so that su usage is automatically logged by syslog.
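The settings above are keywords of /etc/default/su. The following script is an added example, not part of the study guide, that checks a file in that format for the weak states the list warns about: SULOG unset, CONSOLE still commented out, SYSLOG not YES, and a PATH or SUPATH that admits the current directory either as an explicit “.” or as an empty element (leading, trailing or doubled “:”). The file path is a parameter so the audit can be run on a copy; the sample contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the study guide: audit an /etc/default/su style
# file for the settings listed above. The path is a parameter so the check
# can be run against a copy; the sample contents below are constructed.

# Return 0 (true) if a PATH-style value admits the current directory:
# an explicit "." element or an empty element (leading, trailing or
# doubled ":"), which the shell also treats as ".".
path_has_cwd() { # path_value
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the value of an active (uncommented) KEY=value line in FILE.
# Commented-out defaults such as "#CONSOLE=/dev/console" yield nothing.
su_default_value() { # file key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Report each weak or missing setting on its own line.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_su_defaults() { # file
    file=$1
    findings=0
    if [ -z "$(su_default_value "$file" SULOG)" ]; then
        echo "SULOG: not set, su attempts are not recorded in a log file"
        findings=$((findings + 1))
    fi
    if [ -z "$(su_default_value "$file" CONSOLE)" ]; then
        echo "CONSOLE: commented out, su usage is not reported on the console"
        findings=$((findings + 1))
    fi
    if [ "$(su_default_value "$file" SYSLOG)" != "YES" ]; then
        echo "SYSLOG: not YES, su usage is not logged via syslog"
        findings=$((findings + 1))
    fi
    for key in PATH SUPATH; do
        value=$(su_default_value "$file" "$key")
        if [ -n "$value" ] && path_has_cwd "$value"; then
            echo "$key: includes the current directory ($value)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Demo on a constructed file: CONSOLE left commented out and a trailing ":"
# in SUPATH, so two findings are reported.
sample=$(mktemp)
printf '%s\n' 'SULOG=/var/adm/sulog' '#CONSOLE=/dev/console' \
    '#PATH=/usr/bin' 'SUPATH=/usr/sbin:/usr/bin:' 'SYSLOG=YES' > "$sample"
audit_su_defaults "$sample"
rm -f "$sample"
```

Only active lines count: a keyword that is present but commented out is treated as unset, which is exactly the CONSOLE case the text recommends fixing. A commented-out PATH or SUPATH is not flagged, because su then falls back to its built-in defaults rather than to a user-controlled value.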
Role Based Access Control
RBAC is a tool supplied with the Solaris operating system that provides the facility to give users root
privileges for a specified command or set of commands, without having to reveal the root password.
It provides a fine level of control in that it is fully configurable to suit most requirements. For example, the
system administrator wants to delegate backups and cron management to a junior system administrator.
This is simple to achieve using roles and profiles within RBAC; the only disadvantage is that the junior
system administrator will have a new password to remember.
Additional privileges are achieved through the creation of roles.
A role is a type of user account and is the mechanism by which access is granted to commands using the
privileges of another user (normally root). There is no direct login to a role; it can only be accessed via the
su command. Roles are defined in /etc/user_attr and also have an entry in /etc/passwd, the same as a normal
user account.
A profile is the mechanism where commands can be grouped together to make management and
implementation easier. One or more profiles will be associated with a role, and a profile can be associated
with multiple roles. Profiles are stored in the file /etc/security/prof_attr.
An execution attribute contains the actual command to run as well as the user under which it runs. It also
associates the command with the profile to which it belongs. Execution attributes are stored in the file
/etc/security/exec_attr.
A user account is assigned to a role using the usermod command and an entry is also added to
/etc/user_attr.
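The three files described above form a chain: a user's roles= entry in user_attr names a role, the role's profiles= entry names profiles, and exec_attr maps each profile to commands and the uid they run under. The script below is an added example, not part of the study guide, that walks that chain so an administrator can see exactly which commands a user can run as root through a role. The file paths are parameters so it can be pointed at copies; the user jradmin, the role bkuprole and the profile "Junior Backup" in the sample data are constructed names.

```shell
#!/bin/sh
# Added example, not part of the study guide: resolve the RBAC chain
# user -> role -> profile -> command and uid from the files described above.
# File paths are parameters so it can run on copies; the user, role and
# profile names in the sample data are constructed.

# Print each value of KEY from the key=value;key=value attribute field of
# the line whose first field is NAME. FIELD is the column holding that
# attribute list: 5 in user_attr and prof_attr, 7 in exec_attr.
attr_value() { # file name field key
    awk -F: -v name="$2" -v fld="$3" -v key="$4" '
        $1 == name {
            n = split($fld, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1)
                    print substr(kv[i], length(key) + 2)
        }' "$1"
}

# Roles a user may assume with su (roles= in /etc/user_attr), one per line.
user_roles() { # user_attr user
    attr_value "$1" "$2" 5 roles | tr ',' '\n'
}

# Profiles attached to a role (profiles= in /etc/user_attr), one per line.
role_profiles() { # user_attr role
    attr_value "$1" "$2" 5 profiles | tr ',' '\n'
}

# Commands a profile grants (cmd entries in /etc/exec_attr), printed as
# "command uid=N" or "command euid=N"; with no uid/euid attribute the
# command simply runs as the role's own uid.
profile_commands() { # exec_attr profile
    awk -F: -v prof="$2" '
        $1 == prof && $3 == "cmd" {
            ident = "uid=(role)"
            n = split($7, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^e?uid=/) ident = kv[i]
            print $6, ident
        }' "$1"
}

# Everything a user can run through a role, one tab-separated line per
# command: role, profile, command, identity it runs as.
user_privileged_commands() { # user_attr exec_attr user
    user_roles "$1" "$3" | while read -r role; do
        role_profiles "$1" "$role" | while read -r prof; do
            profile_commands "$2" "$prof" | while read -r cmd ident; do
                printf '%s\t%s\t%s\t%s\n' "$role" "$prof" "$cmd" "$ident"
            done
        done
    done
}

# Constructed sample entries: jradmin may su to the role bkuprole, which
# carries a made-up "Junior Backup" profile granting dump/restore and
# crontab as root. Solaris 9 exec_attr entries use the "suser" policy.
sample_user_attr() {
    printf '%s\n' \
        'jradmin::::type=normal;roles=bkuprole' \
        'bkuprole::::type=role;profiles=Junior Backup'
}
sample_exec_attr() {
    printf '%s\n' \
        'Junior Backup:suser:cmd:::/usr/sbin/ufsdump:uid=0' \
        'Junior Backup:suser:cmd:::/usr/sbin/ufsrestore:uid=0' \
        'Junior Backup:suser:cmd:::/usr/bin/crontab:euid=0'
}

# Demo on temporary copies of the constructed files.
ua=$(mktemp); ea=$(mktemp)
sample_user_attr > "$ua"; sample_exec_attr > "$ea"
user_privileged_commands "$ua" "$ea" jradmin
rm -f "$ua" "$ea"
```

Run against the real files (/etc/user_attr and /etc/security/exec_attr) this gives a per-user view of delegated root access that is easy to review after each usermod -R change; a line with uid=0 against a command that accepts a shell escape or writes arbitrary files is the kind of entry worth questioning.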
RBAC was covered in detail as part of the Solaris 9 system administrator certification, and is not
introduced here.