1z0-821 Oracle Solaris 11 System Administration – System and File Access

1. Exam Objectives

During this particular part of the course, we’re going to discuss something very important to all system administrators and those are the topics of security, specifically access control. During this part we talk about system and file access and what we want to do is discuss how to control access to systems and files. Now, there’s a lot of different ways we can do this with permissions, right? Privileges, user accounts and different authentication methods. And we’ll talk about each of these as we go through the next few sessions. We’ll look at controlling access to systems, in other words, how users log in, why the password is important, some of the different authentication methods and so forth that we use. We’ll also look at controlling access to files. So we’ll discuss typical Unix and Linux permissions and how they’re implemented on Solaris Eleven.

And finally we’ll look at using authentication and how that works to both provide user authentication into the system and authentication for things like roles and other privileges. Then we’ll look at troubleshooting access and authentication issues because sometimes things can go wrong. Perhaps a user can’t get to a resource they are supposed to due to a permissions issue, or maybe an authentication mechanism fails occasionally, so these things do happen. So we’ll look at troubleshooting, how to take care of those things, look at a few extra things too, that aren’t necessarily in the OCA objectives, but things that you probably need to know in order to achieve some of the other types of objectives on the exam. So we’ll give you some extra things to think about and look at as well. So having said all that, let’s go ahead and get started.

2. Access Control Basics

Now we’re going to cover some access control basics. I thought it would be a good idea to talk about this before we get into the nitty gritty of access control with systems and files and so forth, just to cover the basics of what access control means. For those of you who may not have done extensive security before or even as a refresher. For those of you who have. Now access control basically means, means to keep unauthorized users from accessing and using resources. And these resources could be the system itself, files, services, hardware and so forth. Now, like most operating systems, Solaris Eleven controls access through user accounts. And when we say user accounts, we’re talking usernames passwords or possibly even smart cards, tokens and so forth. Either way, the user account is tied to access control and we typically grant access to an individual, to a resource or whatever based upon rights, privileges and permissions. Now this access can be granted directly to a user or a user account rather, but we typically don’t want to do this.

And the reason is that we might have several users who require the same access and it would be better if we didn’t have to give that access, the same identical access ten different times to ten different accounts. So we may assign them a role or put them in a group. Now, rights and privileges are better granted to roles in Solaris Eleven. You can actually have roles that are granted the right authorizations to complete tasks such as managed systems and so forth. And then you would assign that role to different user accounts. So you’d only have to assign those rights and privileges one time and that would be to the role. And then whenever you choose, you can assign the role to different users. Now, one thing we need to mention here is that the principle of least privilege applies and that basically says that a user only needs the right amount of rights, privileges and permissions and so forth, that they need to do their job and no more the minimum amount necessary.

And Solaris Eleven allows you to do that with roles by default. There’s one role created when the system is installed and that’s the root role. And if that root role is assigned to a particular user, they can effectively become root. So using the principle of least privilege, we don’t really want to do that. We would rather create additional roles that have lesser privileges that can do specific tasks. That way we can assign that role to a user and they can only do certain things on the system, not everything. So that’s what that principle of least privilege means. Now, while we’re talking about rights and privileges, let’s kind of define what things are. And these terms are actually used a lot interchangeably even amongst security folks. Rights and privileges are basically actions that can be performed on the system.

Those are things you do shut down the system, stop services, start services, and so forth. Whereas permissions, again, these terms are used interchangeably quite often, permissions are typically to a resource, and they control what level of access you have on that resource. For example, if it’s a file, permissions may grant you the ability to read the file or write to the file or execute the file, for example. So you’ll hear these terms switch down a lot, but they actually mean different things. Always think of permissions tied to a resource and rights and privileges, things you can do on the system itself. Now, resource permissions are typically assigned to groups, and we’ll go into how these permissions are assigned a little bit more in depth later. But the three entities that you assign permissions to are typically the owner, a group, and others.

And we’ll go over that again when we talk about file access control. Now, Solaris Eleven is installed with certain security features that are turned on by default in some cases, that will control access for us or give us the ability to easily control access. First of all, right out of the box. Solaris Eleven enables very restrictive access to the system and the files. Only the root role typically has that access right out of the box. No other accounts do. Something we haven’t talked about is secure networking. But during installation, only a secure local secure shell connection is allowed during the installation, so there won’t be any untrusted network connections to the box, and that’s a default right out of the box security feature that Solaris Eleven has. Solaris Eleven also installs right out of the box RBAC role based access control. And we’ve seen examples of that already when we talked about root as a role versus just an account that you get permissions to use.

We can actually have other roles that we define very easily that have different levels of access. Solaris Eleven also has the ability to encrypt file system objects right out of the box. Nothing else needs to be added or configured, and we can do that with file systems when we create them. We talked about that one particular security feature that Solaris Eleven has that a lot of Unix and Linux distributions don’t have is that root can’t be logged into directly after the installation. During the install, you can afterwards, you can’t typically you have to be given rights to log in as the root role after that point. Now, you can change roles in different GUI applications that you can use by clicking little padlock. If you’re at a guide command prompt or command shell, you typically would use the sudo or the sue command if you need root access at the shell prompt, and we’ll talk about sudo and sue a little bit later. So those are the access control basics before we get deep into the weeds on controlling access to systems and files.

3. Control Access to Systems pt. 1

Now we’re going to look at controlling access to the system itself. Now a lot of times when we’re talking about access control the system, we think typically of just logging in with the username and password and yes, that is a small part of it, but we’re not just talking about that, we’re really talking about system hardening. And for the next few minutes we’re going to discuss several means to harden your system and over the next few sessions, how to implement some of these system hardening techniques on your box. Now, hardening the system involves actually several things. We mentioned user accounts and that is one of the important things. Having a user account that they can log into is the fundamental. However, user accounts also control privileges, rights, permissions. As we’ve seen earlier, we also need to look at privileged roles. We need to adhere to the principle of least privilege and make sure that users can’t do any more on the system than they absolutely need to to do their job. We create privileged roles and then assign the roles to the users and we only assign roles that have enough privileges just to do their job, no more.

Everyone, for example, does not need to have the root role assigned to them. Typically the first user created on the box does have this assigned by default, but you can remove it. Another thing you might want to look at is verifying the software you install on it. That’s kind of a no brainer, but it’s something that a lot of people don’t do. You can use the package verify command to do that. Now this would actually let you verify your software with the publisher, with the repository to ensure that you’re getting quality software from who they say it’s coming from. Another thing we need to do is removing unneeded services. And it’s going to be a complicated thing simply because there are so many services that run on the solaris box or even a Windows or a Linux box that we may not know which services we need. And that’s where sometimes trial and error comes into play, but also really knowing your system and really knowing the services that you’re running and what you really need. So this is something you shouldn’t do as a novice.

This is something you should do when you learn what services really are and which ones you really need. You remove these services so that they don’t provide an extra attack avenue for a hacker possibly, or a malicious user. You also could look at reducing your user rights in general. Not every user needs to be able to shut the system down, for example. So you might look at removing only those rights they don’t need and keeping only the ones they do need to do their job. Other things you could do and some of these things we’ll talk about as we go through the next few sessions security messages like warning banners, and so forth. We can implement to warn the user what their responsibilities are before they log into the system and to remind them that they have certain responsibilities. We also may look at password policies to harden the system and in fact, in a couple of sessions we’ll actually look at how to do that. Auditing is another thing that’s very important to security that we need to do now. It’s out of the scope of this course and the OCA exam, but auditing can be turned on and managed such that you can audit certain events, certain security related events, and go back and correlate those logs and determine who did what, when. And that’s what you really want. You’re after accountability.

Patch management. We mentioned verifying packages, but patch management in general is very important because we can harden the system by patching it in case there are any vulnerabilities discovered on some of the software or even the OS itself that we’ve installed. And this does happen from time to time that vulnerabilities are discovered. Let’s go ahead and take a look at just a few quick things we can do to help harden the system. And some of this will be a rehash of things we’ve talked about and some of it will be new stuff. So let’s go ahead and take a look at this. Okay, we’re in user manager on our solaris box and a couple of things I want to take a look at and show you are the roles and authorizations. So let’s change to the roles scope or the roles type rather. And we know that we have a role already created on here and that’s the role information and what we have are the authorizations for that role and the rights profiles and so forth. And we gave this person these rights maintenance and repair, media catalog, media restore, because that was the backup role.

The authorizations are the down to the nitty gritty, broken down, no kidding, this is the lowest level you can get tasks that you can do, they’re called authorizations and you can assign these on a granular basis, individually or in groups to roles and users. You really don’t want to assign them to users, you’d rather assign them to roles.

And we can do this through this facility here. We can assign authorizations to roles, but I’m going to show you how to do this a little bit later in the course for roles and services as well. So I just want to look at them now and we’re going to do that command line later as well. So we have these roles here and these authorizations, let’s say cancel to this. And what I want to do really quickly is change back to the user perspective and create a user called Oscar. We’re going to create Oscar here and we’ll give him his username of Oscar and full name of Oscar and we’re going to say, okay, we’re just going to leave that the way it is. And what I want to do is, now that we’ve done that, I want to go to the command prompt and show you something. I want to show you a command called auths, and that gives us the authorizations for the root account. Now, let’s see what Oscar has. And he has very few minimal rights, so keep this in mind as we go into the next session and continue talking about roles, authorizations, privileges, and so forth.

• Category: Uncategorized