Friday Jan 11, 2013

What's new in User Rights Management

Per-user Security Attributes

Way back in Solaris 8 we introduced an extensible database, user_attr(4), where we could maintain the security attributes of each user. Originally the database included just three properties: roles, auths, and profiles. These were exposed as the options -R, -A, and -P on the useradd(1M) man page. Since then we have been adding new properties in each Solaris release, while preserving backward compatibility in both the file /etc/user_attr and the corresponding LDAP schema. To avoid dealing with an alphabet full of new options, we standardized on the -K option, which can be used to set the values of any property.

Some of the more recently added properties are:

audit_flags

Specifies per-user audit preselection flags as colon-separated always-audit-flags and never-audit-flags, i.e. audit_flags=always-audit-flags:never-audit-flags. See audit_flags(5).

pam_policy

Specifies the PAM policy to apply to a user. pam_policy must be either an absolute pathname to a pam.conf(4)-formatted file or the name of a pam.conf-formatted file located in /etc/security/pam_policy.

roleauth

Specifies whether the assigned role requires a role password or the password of the user who is assuming the role. Valid values are role and user. If roleauth is not specified, roleauth=role is implied.

and two previously existing properties now take more fine-grained values:

auths

Authorization names can be specified using an object, such as solaris.admin.edit/etc/motd, which grants permission to edit the file /etc/motd.

defaultpriv

An Extended Policy can be specified that qualifies the objects for which the privileges are granted. See privileges(5).
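The properties above all end up as key=value pairs in the attr field of a user_attr(4) entry (user:qualifier:res1:res2:attr), and several of the values (audit_flags, Extended Policy) themselves contain colons, which is what makes casual parsing of /etc/user_attr go wrong. The script below is an added example written for this post, not Oracle's code; it reads a constructed sample instead of the live file and shows how to extract a property for a user, apply the implied roleauth=role default, check that an audit_flags value has the always:never shape, and list every user with a given property value (for instance every account with roleauth=user). The sample entries, the function names and the Extended Policy value are all made up for illustration.

```shell
#!/bin/sh
# Added example: query and sanity-check user_attr(4) entries in portable sh.
# Constructed sample of /etc/user_attr content (not copied from a real system).
# Format per user_attr(4): user:qualifier:res1:res2:attr
# attr is a ';'-separated list of key=value pairs; values may contain ','
# (lists) and ':' (audit_flags, Extended Policy), so the attr field must be
# taken as "everything from the fifth ':'-field onwards", never as field 5.
USER_ATTR_SAMPLE='# constructed sample in user_attr(4) format
root::::auths=solaris.*;profiles=All;audit_flags=lo:no
alice::::profiles=System Administrator;audit_flags=lo,ex:no;roleauth=user;pam_policy=unix
bob::::auths=solaris.admin.edit/etc/motd;defaultpriv=basic,{file_write}:/export/home/bob/*
sysadm::::type=role;profiles=System Administrator
'

# user_attr_attrs USER: print the attr field of USER's entry (empty if none).
user_attr_attrs() {
    printf '%s' "$USER_ATTR_SAMPLE" |
        awk -F: -v u="$1" '!/^#/ && $1 == u { print; exit }' |
        cut -d: -f5-
}

# user_attr_get USER KEY: print the value of KEY for USER.
# Exit status 1 when the user or the key is absent (or the value is empty).
user_attr_get() {
    _val=$(user_attr_attrs "$1" | tr ';' '\n' | sed -n "s/^$2=//p")
    [ -n "$_val" ] && printf '%s\n' "$_val"
}

# user_attr_roleauth USER: effective roleauth; user_attr(4) implies "role"
# when the property is not set.
user_attr_roleauth() {
    user_attr_get "$1" roleauth || echo role
}

# user_attr_check_audit_flags VALUE: 0 if VALUE has the always:never shape of
# audit_flags(5) (exactly one ':'; each side empty or a ','-separated list of
# class names, optionally prefixed with +, - or ^), else 1.
user_attr_check_audit_flags() {
    case $1 in
        *:*:*|*[!a-z,:+^-]*) return 1 ;;   # extra colon or stray character
        *:*) ;;                             # exactly one colon: shape is right
        *) return 1 ;;                      # no always/never separator
    esac
    for _side in "${1%%:*}" "${1#*:}"; do
        [ -z "$_side" ] && continue
        _rest="$_side,"
        while [ -n "$_rest" ]; do
            _tok=${_rest%%,*}; _rest=${_rest#*,}
            case $_tok in
                *[a-z]*[+^-]*) return 1 ;;  # prefix character after the class
                *[a-z]*) ;;                 # has a class name: fine
                *) return 1 ;;              # empty token or prefix only
            esac
        done
    done
    return 0
}

# user_attr_users_where KEY VALUE: list users whose KEY equals VALUE, one per
# line; e.g. "roleauth user" finds accounts that assume roles with their own
# password rather than the role's.
user_attr_users_where() {
    printf '%s' "$USER_ATTR_SAMPLE" | awk -F: '!/^#/ && NF >= 5 { print $1 }' |
    while read -r _u; do
        [ "$(user_attr_get "$_u" "$1")" = "$2" ] && printf '%s\n' "$_u"
    done
    return 0
}

# Usage when run directly:
#   user_attr_get alice audit_flags        -> lo,ex:no
#   user_attr_roleauth bob                 -> role (implied default)
#   user_attr_users_where roleauth user    -> alice
```

On a live system the same properties are set with the -K option described above and live in /etc/user_attr (or the LDAP equivalent); point USER_ATTR_SAMPLE at the real file contents to run the same checks there. The audit_flags check only validates shape, not whether each class name is defined in audit_class(4).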

Practical Examples

I've developed three hands-on labs that demonstrate how to take advantage of some of these new features.

  • The first lab demonstrates how Extended Policy applies to individual privileges.
  • The second lab demonstrates how fine-grained user authorizations can be applied to managing services.
  • The third lab demonstrates how authentication policies can be customized for specific users.

Give them a try and use the comments field to let me know what you think.


About

This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.
