Certification Summary


The role-based access control (RBAC) security model offers a more secure and flexible alternative to a single all-powerful superuser account: the superuser can create multiple administrators with different capabilities. This model is based on roles that can be assigned to non-root users. The roles get their power from profiles, which are collections of security rights such as authorizations and commands with security attributes. A user, once logged into the system, can assume a role that has already been assigned to that user. A user can assume only one role at a time; to assume another role, the user must exit from the current role.

The RBAC information resides in multiple files called databases. The /etc/security/auth_attr database defines the authorizations, whereas the /etc/security/exec_attr database assigns the commands with security attributes to specific profiles. The /etc/security/prof_attr database defines the rights profiles and identifies the authorizations for the profiles, whereas the /etc/user_attr database assigns profiles to the roles and roles to the users. The users and roles themselves are defined in the /etc/passwd and /etc/shadow files. RBAC can be managed with a number of commands such as roleadd, rolemod, and roledel, which are used to create, modify, and delete roles; they work the same way as the useradd, usermod, and userdel commands.
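The chain the paragraph describes (user to role in user_attr, role to profile in user_attr, profile to nested profiles in prof_attr, profile to commands in exec_attr) is easiest to see by walking it. The script below is an added example, not code from the study guide or from Solaris; the database excerpts are constructed sample data laid out in the real field formats (user_attr is user:qualifier:res1:res2:attr, prof_attr is name:res1:res2:desc:attr, exec_attr is name:policy:type:res1:res2:id:attr), and the user and role names (alice, sysadm) are invented. It goes one step beyond the paragraph by also folding in the PROFS_GRANTED default from /etc/security/policy.conf, which every account receives without any role. Replacing the variables with the contents of the real files runs the same resolution against a live system.

```shell
#!/bin/sh
# Added example: resolve which commands a user can reach through RBAC by chaining
# /etc/user_attr, /etc/security/prof_attr, /etc/security/exec_attr and the
# PROFS_GRANTED default from /etc/security/policy.conf.
# All four excerpts are constructed sample data, not copied from any system.

USER_ATTR='alice::::type=normal;roles=sysadm
sysadm::::type=role;profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=All'

PROF_ATTR='Printer Management:::Manage printers:auths=solaris.print.*;help=RtPrntAdmin.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read;profiles=All
All:::Execute any command as the user or role:help=RtAll.html'

EXEC_ATTR='Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=lp
Printer Management:suser:cmd:::/usr/bin/enable:euid=lp
All:suser:cmd:::*:'

POLICY_CONF='AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User'

# can_assume USER ROLE: succeeds only when user_attr lists ROLE in the user's roles= key
# and ROLE itself is a type=role entry.  Being assigned the role is the precondition for
# assuming it with su; nothing else in the databases grants that.
can_assume() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v user="$1" -v role="$2" '
        function val(attrs, key,   n, kv, i, eq) {
            n = split(attrs, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) == key) return substr(kv[i], eq + 1)
            }
            return ""
        }
        $1 == user { assigned = index("," val($5, "roles") ",", "," role ",") > 0 }
        $1 == role { isrole = (val($5, "type") == "role") }
        END { exit !(assigned && isrole) }'
}

# resolve_user USER: every command USER can run, one per line as
# "via<TAB>profile<TAB>command<TAB>attrs".  "via" is the role carrying the profile, or "-"
# for profiles held directly (user_attr profiles= or policy.conf PROFS_GRANTED).
# Nested profiles (prof_attr profiles=) are expanded; each record is tagged with its source
# database so one awk pass can read all of them from stdin.
resolve_user() {
    {
        printf '%s\n' "$USER_ATTR"   | sed 's/^/U:/'
        printf '%s\n' "$PROF_ATTR"   | sed 's/^/P:/'
        printf '%s\n' "$EXEC_ATTR"   | sed 's/^/E:/'
        printf '%s\n' "$POLICY_CONF" | sed 's/^/C:/'
    } | awk -F: -v user="$1" '
        # Store the key=value pairs of a ";"-separated attr field under m[name, key].
        function load(m, name, attrs,   n, kv, i, eq) {
            n = split(attrs, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq) m[name, substr(kv[i], 1, eq - 1)] = substr(kv[i], eq + 1)
            }
        }
        # Emit the commands a profile grants, then recurse into the profiles it nests.
        function walk(via, prof,   i, n, subs) {
            if (seen[via, prof]++) return
            for (i = 1; i <= ecount[prof]; i++)
                printf "%s\t%s\t%s\t%s\n", via, prof, ecmd[prof, i], eattr[prof, i]
            n = split(pattr[prof, "profiles"], subs, ",")
            for (i = 1; i <= n; i++) walk(via, subs[i])
        }
        $1 == "U" { load(uattr, $2, $6) }
        $1 == "P" { load(pattr, $2, $6) }
        $1 == "E" { ecmd[$2, ++ecount[$2]] = $7; eattr[$2, ecount[$2]] = $8 }
        $1 == "C" && $2 ~ /^PROFS_GRANTED=/ { granted = substr($2, 15) }
        END {
            nr = split(uattr[user, "roles"], roles, ",")
            for (r = 1; r <= nr; r++) {
                np = split(uattr[roles[r], "profiles"], profs, ",")
                for (p = 1; p <= np; p++) walk(roles[r], profs[p])
            }
            np = split(uattr[user, "profiles"] "," granted, profs, ",")
            for (p = 1; p <= np; p++) if (profs[p] != "") walk("-", profs[p])
        }'
}

# Demo run on the constructed data.
resolve_user alice
```

For alice the output shows lpadmin and enable reached through the sysadm role (running as euid lp), plus the `All` profile's wildcard reached directly through the Basic Solaris User default; `can_assume alice sysadm` succeeds while `can_assume alice root` fails because root is not a type=role entry.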

Applications and processes create error messages when something goes wrong, and those messages are directed to message files or the system console by the syslog daemon, syslogd. The configuration file for this daemon is syslog.conf. You can manage syslog either through the syslogd command or through the SMF command svcadm by using the SMF service identifier for syslog: svc:/system/system-log:default.
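Where a message ends up is decided entirely by the selector lines in syslog.conf, so it is worth being able to predict the routing before restarting the daemon. The script below is an added example, not code from the study guide; its syslog.conf excerpt is constructed sample data in the file's selector/action format and not any system's real configuration. It applies the selector rules (a facility.level selector matches that level and every more severe one, `*` is any facility, `.none` excludes a facility, `;` joins selectors, `,` joins facilities) and also flags the classic Solaris mistake of separating selector and action with spaces instead of a tab, which makes syslogd ignore the line. The last configuration line is deliberately written that way.

```shell
#!/bin/sh
# Added example: predict syslog.conf routing and catch lines syslogd would ignore.
# SYSLOG_CONF is a constructed excerpt, not a real /etc/syslog.conf; replace it with
# "$(cat /etc/syslog.conf)" to check a live file.  Fields are selector<TAB>action.
SYSLOG_CONF=$(
    printf '%s\n' '# constructed excerpt, not a real /etc/syslog.conf'
    printf '%s\t%s\n' \
        '*.err;kern.notice;auth.notice'            /dev/sysmsg \
        '*.err;kern.debug;daemon.notice;mail.crit' /var/adm/messages \
        '*.notice;mail.none'                       /var/adm/notices \
        '*.alert;kern.err;daemon.err'              operator \
        '*.alert'                                  root \
        '*.emerg'                                  '*' \
        'auth.info'                                /var/log/authlog \
        'mail.debug'                               /var/log/syslog
    # Deliberately broken: spaces instead of a tab, so syslogd never sees an action.
    printf '%s\n' 'local0.info      /var/log/local0.log'
)

# route FACILITY LEVEL: print every action that receives a message of that facility and level.
route() {
    printf '%s\n' "$SYSLOG_CONF" | awk -F'\t' -v fac="$1" -v lev="$2" '
        BEGIN {
            split("emerg alert crit err warning notice info debug", L, " ")
            for (i = 1; i <= 8; i++) rank[L[i]] = i      # lower rank = more severe
            if (!(lev in rank)) exit 2
        }
        /^#/ || NF < 2 { next }                          # comments and untabbed lines
        {
            hit = 0
            ns = split($1, sel, ";")
            for (s = 1; s <= ns; s++) {
                dot = index(sel[s], ".")
                facs = substr(sel[s], 1, dot - 1)
                l = substr(sel[s], dot + 1)
                nf = split(facs, f, ",")
                for (j = 1; j <= nf; j++) {
                    if (f[j] != "*" && f[j] != fac) continue
                    if (l == "none") hit = 0             # a later .none overrides an earlier match
                    else if (rank[lev] <= rank[l]) hit = 1
                }
            }
            if (hit) print $2
        }'
}

# check_conf: report non-comment lines with no tab between selector and action.
check_conf() {
    printf '%s\n' "$SYSLOG_CONF" | awk -F'\t' '
        /^#/ || /^[ \t]*$/ { next }
        NF < 2 { print "no tab between selector and action: " $0 }'
}

# Demo: where does a daemon.err message go, and which lines are broken?
route daemon err
check_conf

# On a live host, after editing /etc/syslog.conf, have syslogd reread it through SMF
# and confirm the service is online:
#   svcadm refresh svc:/system/system-log:default
#   svcs svc:/system/system-log:default
```

`route mail notice` returns only /var/log/syslog, because the `mail.none` on the `*.notice` line removes mail from that rule, and `route local0 info` returns nothing at all, which is exactly what the untabbed line produces on a real system.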

In this chapter, we have explored how to control access to the system by using roles and how to monitor errors reported by the applications and the processes running on the system. One source of errors is the effect of one process on another running on the same machine. Solaris 10 offers a technology called zone partitioning, which allows you to create multiple zones on the same system. The processes running in one zone are isolated and secure from the processes running in other zones. We explore how to install and configure zones in the next chapter.

Inside The Exam

Comprehend

  • Security rights (authorizations and commands with security attributes) are typically assigned to a profile, a profile to a role, and a role to a user. More than one profile can be assigned to a role.

  • You can use the /etc/security/policy.conf file to grant default rights profiles, authorizations, and privileges to all users.

  • The syslog is managed by the Service Management Facility (SMF); therefore, you can use the SMF command svcadm to manage it by the service identifier svc:/system/system-log:default. You can also use the syslogd command.

Look Out

  • Assigning a role to a user and the user's assuming the role are two different things. A role must be assigned to a user before the user can assume that role.

  • The rights profile name is case sensitive.

  • You cannot assign a role to a role: unlike the useradd command, the roleadd command has no -R option, so there is no way to give one role another role.

Memorize

  • More than one user can assume the same role, but one user cannot assume more than one role simultaneously—that is, a user has to exit the current role before assuming another role.

  • A user cannot log in as a role, but can assume a role after logging in as a non-RBAC user.

  • The user_attr file lives in the /etc directory whereas the auth_attr, exec_attr, and prof_attr files live in the /etc/security directory.

  • The roleadd, roledel, and rolemod commands work the same way as the useradd, userdel, and usermod commands—that is, they have the same options.

  • The configuration information for the syslogd daemon resides in the syslog.conf file.




Sun Certified System Administrator for Solaris 10 Study Guide Exams 310-XXX & 310-XXX
Year: 2005
Pages: 168
