Use Role access control to make the Solaris server more secure

Article Title: Use Role access control to make the Solaris server safer. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

I. Role Overview

For traditional Unix security models, superusers have full superuser privileges, while other users do not have sufficient permissions to solve their own problems. With role-based access control (RBAC), you can replace the traditional security model. With RBAC, Super Users can divide their capabilities into different packages and assign them to the individual who share management tasks. When RBAC is used to classify Super User privileges, users can have different levels of access permissions and control the authorization for privileged operations of other users. RBAC includes the following features.

　　1. Role: A special type of user account that can be used to execute a set of management tasks.

By default,Solaris supports three different system management roles.

　　Master Administrator (PA, Primary Administrator ):Assigns permissions to other users and is responsible for system security issues. It is equivalent to a powerful role of root user or Super User.

　System Administrator (SA, System Administrator ):Responsible for routine management work unrelated to security.

Operator ):Perform backup and device maintenance.

The difference between PA and SA mainly depends on the Local Security Policy. For example, although the default PA role has the permissions to add users and modify passwords, the default SA role does not have the permissions to modify passwords, but in many places, it may be unrealistic to disable SA password access. One of the biggest advantages of RBAC is that it can easily assign permissions according to local requirements.

　　2. profile ):A balancer system that groups authorization and commands with special attributes. For example, use the user and group ID.

A feature file is a specific set of commands used for authorization. These authorizations are connected together to form a role and then establish associations with a user or some different users. We can create a new user account for each role. These accounts have their own home directories and passwords. When executing commands in the feature file, you must use the su command to enter the role account, because such Role users are not allowed to log on directly. The difference between using the su command to access a role account and using the su command to access a common account is its audit function, that is, all operations it performs when accessing a role through the su command, together with the user's original UID, logs are recorded. In this way, user operations of each access role are clearly recorded in logs and audited.

　　3. Authorization:A permission is used to grant access to restricted functions.

Authorization is the privilege granted to a role to perform an operation. It is defined in the/etc/security/auth_attr file. The authorization definition is very similar to the Internet domain name. The leftmost part of the authorization is the enterprise name, followed by the software packages and functional content in sequence. By default, all the software packages provided by Solaris are identified by the prefix Solaris. For example, the authorization for password modification is Solaris. admin. usermgr. pswd: Many authorization policies are very detailed. It may only allow read access, but not write access, and vice versa. For example, the primary Administrator (PA) may have Solaris. admin. usermgr. read and Solaris. admin. usermgr. write authorization, so you can read and write access to the user configuration file respectively. The system administrator (SA) may have Solaris. admin. usermgr. read authorization, but he does not have Solaris. admin. usermgr. write authorization, so he can read the user configuration file, but not write.

[1] [2] [3] Next page