Role Based Access Control (RBAC):
One of the main features of AIX 6.
Giving others the ROOT PASSWORD, SUID programs and other such tricks are very bad for security.
Enhanced RBAC is the way to avoid the above situation:
1. Make ROOT programs, root only (perms = rwx------)
2. Then use kernel-enforced RBAC to control access
3. Use the RBAC commands to add
a) New roles to users so they gain access to a limited set of functions (e.g. Manage, Delete, Add)
b) Control over new commands/applications (e.g. NMON)
4. Enabling enhanced RBAC is simple:
a) chdev -l sys0 -a enhanced_RBAC=true
b) Then REBOOT
Commands and Purpose:
lsrole ALL --> To list all the available roles
Eg:
AccountAdmin
BackupRestore
DomainAdmin
FSAdmin (Filesystem Administrator)
SecPolicy
SysBoot
SysConfig
isso (Information System Security Officer)
sa (System Administrator)
so (System Operator)
lsrole FSAdmin --> To list what is inside the FSAdmin role
lsauth aix.fs.manage.change --> To list what is inside the aix.fs.manage.change authorization
lssecattr -c -a accessauths ALL --> To list all the commands that carry an RBAC access authorization
Eg:
/usr/sysv/bin/lprm accessauths=aix.device.config.printer
/usr/sysv/bin/lpstat accessauths=aix.device.config.printer
lssecattr -c -a accessauths ALL | grep aix.fs.manage.change --> To list only the filesystem-related entries
Sample Exercise:
Enable the "Filesystem Expansion" permission for the normal user "mohi":
Login as root:
1. chuser roles=FSAdmin mohi
2. setkst --> Update the kernel security tables; otherwise the above command will not take effect.
Login as mohi:
1. swrole FSAdmin --> Switch to the role so the recent changes take effect in this session
it will prompt for the user's password
That's it!! Now the user "mohi" can increase the /var filesystem.
Enable access to the NMON application/command for the user "mohi":
Login as root:
p10:root:/> ls -l /usr/bin/nmon
-rwx------ 1 root system 616360 Dec 12 08:32 /usr/bin/nmon
Currently only "root" can run "nmon", so we are going to give the user "mohi" permission to run it.
Current permission for "mohi":
login as "mohi":
$ nmon
ksh: nmon: cannot execute
Login as root:
1. We need to add nmon to our RBAC database
2. mkauth custom, then mkauth custom.nmon --> Creates a new custom authorization for "nmon" (the parent "custom" has to exist before "custom.nmon" can be created)
3. setsecattr -c accessauths=custom.nmon /usr/bin/nmon --> Attaches the custom.nmon authorization to the nmon program in the RBAC security database
4. mkrole authorizations=custom.nmon nmonrole --> Creates a new role that contains the above authorization
5. chuser roles=nmonrole mohi --> Assigns the new role to the user "mohi"
6. setkst --> Update the kernel security tables
Login as "mohi":
1. swrole nmonrole
it will prompt for the user's password
That's it!! Now "mohi" can also run the nmon program!!!
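The two exercises above (assigning FSAdmin to a user, and exposing nmon through a custom authorization and role) are the same procedure with different names plugged in. Below is an added shell example, not part of the original post, that wraps that procedure in reusable functions and checks the result by parsing the "lssecattr -c -a accessauths ALL" listing shown earlier. It assumes AIX 6.1 or later with enhanced_RBAC=true and that it runs as root; the user, program, authorization and role names are parameters (the values in the demo are the post's own), and the lssecattr sample at the bottom is constructed here, not captured from a real system. With DRY_RUN set it only prints the commands, so the sequence can be reviewed before it touches the RBAC database.

```shell
#!/bin/sh
# Added example (not from the original post): the NMON procedure as reusable
# functions, plus a parser for "lssecattr -c -a accessauths ALL" output.
# Assumes AIX 6.1+ with enhanced_RBAC=true, run as root. Names are parameters.

# Print the command instead of running it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# assign_role USER ROLE: the FSAdmin exercise, generalised.
# setkst is what pushes the change into the kernel security tables.
assign_role() {
    run chuser roles="$2" "$1"
    run setkst
}

# grant_program USER PROGRAM AUTH ROLE: expose one root-only program to one
# user through a custom authorization and a role, never through SUID.
grant_program() {
    user=$1 prog=$2 auth=$3 role=$4
    parent=${auth%%.*}                 # "custom" from "custom.nmon"
    if [ -z "${DRY_RUN:-}" ] && [ ! -x "$prog" ]; then
        echo "grant_program: $prog is not an executable" >&2
        return 1
    fi
    run chmod 700 "$prog"              # root-only on disk; RBAC decides who else may run it
    lsauth "$parent" >/dev/null 2>&1 || run mkauth "$parent"   # parent must exist first
    run mkauth "$auth"
    run setsecattr -c accessauths="$auth" "$prog"
    run mkrole authorizations="$auth" "$role"
    assign_role "$user" "$role"
}

# accessauths_of PROGRAM: read "lssecattr -c -a accessauths ALL" output on
# stdin and print PROGRAM's accessauths value; returns 1 if it is unmanaged.
accessauths_of() {
    while read -r path attrs; do
        if [ "$path" = "$1" ]; then
            printf '%s\n' "${attrs#accessauths=}"
            return 0
        fi
    done
    return 1
}

# check_grant PROGRAM AUTH: 0 when the listing on stdin gates PROGRAM by AUTH.
check_grant() {
    got=$(accessauths_of "$1") || return 1
    [ "$got" = "$2" ]
}

# Constructed sample of the listing: the two lp lines are from the post, the
# nmon line is what grant_program produces.
SAMPLE_LSSECATTR='/usr/sysv/bin/lprm accessauths=aix.device.config.printer
/usr/sysv/bin/lpstat accessauths=aix.device.config.printer
/usr/bin/nmon accessauths=custom.nmon'

# Demo with the post's own values: "sh thisfile.sh demo" prints the planned
# commands, then checks the sample listing. On AIX, pipe the real
# "lssecattr -c -a accessauths ALL" output into check_grant instead.
if [ "${1:-}" = demo ]; then
    ( DRY_RUN=1; grant_program mohi /usr/bin/nmon custom.nmon nmonrole )
    printf '%s\n' "$SAMPLE_LSSECATTR" | check_grant /usr/bin/nmon custom.nmon \
        && echo "/usr/bin/nmon is gated by custom.nmon"
fi
```

The chmod 700 step is the first point of the post's list: the file itself stays root-only, and only the kernel's RBAC tables decide who else may execute it, so there is no SUID bit to misuse. Running with DRY_RUN first and then confirming with check_grant against the real lssecattr output is the defender's way of making sure only the intended program gained the new authorization.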