This blog, written by Michael Felt, discusses AIX security topics. Articles on IBM AIX security including PowerSC, AIX RBAC, AIX shell scripting, passwords and user security. RBAC, or Role Based Access Control, has been available in AIX since starting with AIX Prior to that, access control in AIX was the same as for any .
|Published (Last):||28 December 2008|
These authorizations are grouped into roles and assigned to different users. The data is stored in “flat-file text” so no additional database management engine is needed to use enhanced RBAC. Traditionally, there is a single user, root, that controls the security mechanism of the system.
How-to Integrate Applications Into AIX RBAC
To prevent anyone from giving su access to the httpd account, make the following changes (the PS1 prompts are changed to clarify which identity is active). In this way, higher security is achieved. This allows a normal user account special privileges without having to become root or use another utility, such as sudo. Roles are assigned to users and users having the rhac role should be able to execute.
Although easy to use and manage by a system administrator, it was very difficult to adapt to programs not specifically coded to use the AIX Role mechanism and has remained limited to common tasks: system shutdown and reboot; file system backup, restore, and quotas; system error logging, trace, and statistics; workload administration.
Successfully updated the Kernel Role Table. Yes, access control (DAC, or discretionary access control), but no role-based management of lists of authorizations or privileges to execute sets of commands. Legacy RBAC also provides a framework for extending the pre-defined roles but it is quite difficult to use. However, DAC does not allow the file to be executed by any non-root user. New installations will have extended RBAC activated by default. Otherwise the task or resource remains inaccessible.
The following example shows that the passwd command is a setuid program, which has the authorization and privileges to be executed as a non-root user. Create our custom role: We’ll make a role with a name, and a default message letting future users know what the role does, and assign that authorization to the role.
Since this user, httpd, owns all the files, all normal access rights (read, write, execute) should be available where appropriate. As you proceed through the steps, remember to verify that the application is working when started as root.
First determine which rac the user wants to tbac. Establish a userid for application operations: As root, create a new user identity that will be used to manage httpd services, e.
Basically, in enhanced RBAC we need to distinguish three concepts: Should a user with information system security officer (ISSO) or a similar role be able to execute shutdown? Establishing and maintaining security policy; setting passwords for users; network configuration; device administration. SA – Systems Administrator: The SA role provides authorizations for daily administration and includes: It is the single user which controls the system and the system as such does not have any control over the activities within the system.
This shows how the roles and authentications are distributed and how it is difficult to tamper with the activities without the proper authorization. Start investigating: Now you are ready to start investigating what a non-root user can and cannot do with regard to starting and stopping httpd services. Giving authority to a non-root user to execute commands like shutdown is not suggested or recommended. The first task of this role-based program is to verify that the user has the appropriate role to use the program.
In this way, you delegate the root responsibility to other users and reduce the security risk. So far, you have seen how authorization and roles play a role in enhancing the security of the system. Further articles will discuss the implementation and usage of extended RBAC.
User administration excluding password; filesystem administration; software installation and update; network Aiix management and device allocation. Moreover, the root user plays many roles like system administrator, security officer to maintain security policy, and systems operator for day-to-day activities.
The file paths used i. AIX Cryptographic Services improves security while rabc administration. The basic question is: This opens up a major risk: anyone who gets control of the root shell through malicious setuid programs can do anything they want.
The onus on a single user, root, is delegated. The user should have the roles authorized to them to execute shutdown.
There are five (5) components to the RBAC security database: Contact the author for any further clarification on this topic. The root user decides who can log in, who can access the data, which process has the privileges to get into the kernel mode, and so on.
AIX for System Administrators
System shutdown and reboot; file system backup, restore and quotas; system error logging, trace and statistics; workload administration. Establishing and maintaining security policy; setting passwords for user; network configuration; device configuration. Error AH indicates user httpd lacks sufficient authority to bind to port Install an application, e.