
Unit 12

Security and user administration

Copyright IBM Corporation 2009


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

5.2

Unit objectives
IBM Power Systems

After completing this unit, you should be able to:


Define the concepts of users and groups, and explain how and
when these should be allocated on the system
Describe ways of controlling root access on the system
Explain the uses of SUID, SGID, and SVTX permission bits
Administer user accounts and groups
Understand the basic concepts and implementation of RBAC
Identify the data files associated with users and security

Security and user concepts

After completing this topic, you should be able to:

Understand user accounts and groups
Describe the role of RBAC
Identify key security logs
Understand and apply file permissions, including the role of the umask parameter
Change file ownership and group assignment

User accounts

Each user has a unique name, numeric ID, and password.
File ownership is determined by a numeric user ID.
The owner is usually the user who created the file, but ownership can be transferred by root.
Default users:
  root: superuser
  adm, sys, bin, ...: IDs that own system files but cannot be used for login

# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

Groups

A group is a set of users, all of whom need access to a given set of files.
Every user is a member of at least one group and can be a member of several groups.
The user has access to a file if any group in the user's groupset provides access. To list the groupset, use the groups command.
The user's real group ID is used for file ownership on creation. To change the real group ID, use the newgrp command.
Default groups:
  System administrators: system
  Ordinary users: staff

Group hierarchy

Groups with rights to administrative functions: system, security, adm, printq, audit, shutdown
Ordinary users: staff

User hierarchy

As well as admin groups, AIX has admin users.
An admin user has the admin group system (gid 0) set as the primary group.
Only root can add, remove, or change an admin user or admin group.
Any user on the system can be defined as an admin user regardless of the group they are in.
This approach is limited. AIX 6 includes enhanced RBAC.

root > admin user (admin flag set to true) > normal user

Role based access control

Enhanced RBAC is a major new feature in AIX 6.
With Enhanced RBAC:
  Authorizations can be hierarchical.
  root can be disabled altogether.
  Can limit or eliminate UNIX based security add-ons like sudo.
  Definitions are stored in the kernel table to enhance security.
  Applies also to devices and files.
  Support for WPARs.

Authorizations, such as the ability to shutdown the system, are assigned to roles.
Roles, such as System Administrator, are assigned to users.

Users -> Roles -> Authorizations

Controlling access to the root account

Restrict access to privileged logins.
Root's password should be changed on an unannounced schedule by the system administrator.
Assign different root passwords to different machines.
System administrators should always login as themselves first and then su to root instead of logging in as root. This helps provide an audit trail for root usage.

# chuser login=false root

Do not include unsecured directories in root's PATH.

Security logs

/var/adm/sulog                 Audit trail of su activity
/var/adm/wtmp                  Log of successful logins
/etc/utmp                      List of users currently logged in
/etc/security/failedlogin      Information on failed login attempts
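A worked example added here (not from the IBM course) of what an audit trail such as /var/adm/sulog is for: a small POSIX sh script that counts failed and successful su attempts into a target account and flags a source user with repeated failures. The one-line-per-attempt layout "SU MM/DD hh:mm +|- tty from-to" is assumed from AIX documentation, the log lines are constructed, and the function names are my own; adapt the field positions if your system's sulog differs.

```shell
#!/bin/sh
# Added example, not part of the course material: summarise an AIX-style sulog.
# Assumed layout per line: SU MM/DD hh:mm <+|-> <tty> <fromuser>-<touser>
# ("+" = successful su, "-" = failed su). The lines below are constructed.

SULOG_SAMPLE=$(mktemp)
trap 'rm -f "$SULOG_SAMPLE"' EXIT
cat > "$SULOG_SAMPLE" <<'EOF'
SU 03/02 08:15 + pts/0 alex-root
SU 03/02 08:40 - pts/1 tyrone-root
SU 03/02 08:41 - pts/1 tyrone-root
SU 03/02 08:42 - pts/1 tyrone-root
SU 03/02 09:03 + pts/2 ted-staff
SU 03/02 09:10 + pts/0 root-alex
EOF

# su_failures_to FILE TARGET: failed su attempts into TARGET, one
# "fromuser count" line per source user, most frequent first.
su_failures_to() {
    awk -v target="$2" '
        $1 == "SU" && $4 == "-" {
            from = $6; to = $6
            sub(/-[^-]*$/, "", from)   # strip "-touser" -> fromuser
            sub(/^.*-/, "", to)        # strip "fromuser-" -> touser
            if (to == target) n[from]++
        }
        END { for (u in n) print u, n[u] }' "$1" | sort -k2,2nr
}

# su_success_count FILE TARGET: number of successful switches into TARGET.
su_success_count() {
    awk -v target="$2" '
        $1 == "SU" && $4 == "+" {
            to = $6; sub(/^.*-/, "", to)
            if (to == target) c++
        }
        END { print c + 0 }' "$1"
}

# su_alerts FILE [THRESHOLD]: source users with at least THRESHOLD (default 3)
# failed attempts to become root, the pattern worth a follow-up.
su_alerts() {
    threshold=${2:-3}
    su_failures_to "$1" root | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Demonstration on the constructed log
printf 'successful su to root: %s\n' "$(su_success_count "$SULOG_SAMPLE" root)"
printf 'failed su to root by user:\n'; su_failures_to "$SULOG_SAMPLE" root
printf 'alert (>= 3 failures): %s\n' "$(su_alerts "$SULOG_SAMPLE")"
```

The split on the last "-" keeps a source account name containing a hyphen intact; only the target account must be hyphen-free for this to be exact.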

File/Directory permissions

Perm. bit   File                                        Directory
r           Read content of file                        List content of directory
w           Modify content of file                      Create and remove files in directory
x           Use file name to execute as a command       Give access to directory
SUID        Run program with effective UID of owner     --------
SGID        Run program with effective GID of group     Files created in directory inherit the same group as the directory
SVTX        --------                                    Must be owner of files to delete files from directory

Reading permissions

# ls -ld /usr/bin/passwd /usr/bin/crontab /tmp
-r-sr-xr-x   ...   root   security   ...   /usr/bin/passwd
-r-sr-sr-x   ...   root   cron       ...   /usr/bin/crontab
drwxrwxrwt   ...   bin    bin        ...   /tmp

The mode string is the file type followed by three triplets: owner, group, other.
The special bits appear in the x position of a triplet:
  owner x position: s = SUID + x, S = SUID only
  group x position: s = SGID + x, S = SGID only
  other x position: t = sticky bit + x, T = sticky bit only

Changing permissions

Octal values:
  special: 4 = SUID, 2 = SGID, 1 = SVTX
  owner:   r w x = 4 2 1
  group:   r w x = 4 2 1
  other:   r w x = 4 2 1

# chmod 4777 file1   (SUID)   OR   # chmod u+s file1
# chmod 2777 file1   (SGID)   OR   # chmod g+s file1
# chmod 1777 dir1    (SVTX)   OR   # chmod +t dir1

umask

The umask governs permissions on new files and directories.
System default umask is 022.

022 calculation
  Files:         666
  umask:         022
                 ---
                 644   rw-r--r--

  Directories:   777
  umask:         022
                 ---
                 755   rwxr-xr-x

A umask of 027 is recommended.

027 calculation
  Files:         666
  umask:         027
                 ---
                 640   rw-r-----

  Directories:   777
  umask:         027
                 ---
                 750   rwxr-x---

/etc/security/user specifies default and individual user umask values.
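An added example (not part of the course material) that ties the permission slides above together: a POSIX sh script that renders an octal mode the way ls shows it, special bits included, and applies a umask to the 666 (file) and 777 (directory) creation defaults used in the calculations above. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the IBM course: octal mode -> ls-style string,
# and umask arithmetic on the creation defaults.

# triad DIGIT: rwx string for one octal digit (7 -> rwx, 5 -> r-x, 0 -> ---)
triad() {
    s=""
    if [ $(($1 & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s' "$s"
}

# mode_to_string MODE [d]: MODE is 3 or 4 octal digits; pass d for a directory.
# A special bit replaces the x of its column: lower-case (s/t) when x is also
# set, upper-case (S/T) when it is not, so SUID on a non-executable stays visible.
mode_to_string() {
    m=$1
    if [ ${#m} -eq 3 ]; then m="0$m"; fi
    sp=$(printf '%s' "$m" | cut -c1)
    u=$(printf '%s' "$m" | cut -c2)
    g=$(printf '%s' "$m" | cut -c3)
    o=$(printf '%s' "$m" | cut -c4)
    us=$(triad "$u"); gs=$(triad "$g"); os=$(triad "$o")
    if [ $((sp & 4)) -ne 0 ]; then                      # SUID
        if [ $((u & 1)) -ne 0 ]; then us="${us%?}s"; else us="${us%?}S"; fi
    fi
    if [ $((sp & 2)) -ne 0 ]; then                      # SGID
        if [ $((g & 1)) -ne 0 ]; then gs="${gs%?}s"; else gs="${gs%?}S"; fi
    fi
    if [ $((sp & 1)) -ne 0 ]; then                      # SVTX (sticky)
        if [ $((o & 1)) -ne 0 ]; then os="${os%?}t"; else os="${os%?}T"; fi
    fi
    t="-"
    if [ "${2:-f}" = "d" ]; then t="d"; fi
    printf '%s%s%s%s\n' "$t" "$us" "$gs" "$os"
}

# apply_umask BASE MASK: per digit, BASE AND NOT MASK (the slide's subtraction)
apply_umask() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        b=$(printf '%s' "$1" | cut -c"$i")
        k=$(printf '%s' "$2" | cut -c"$i")
        out="$out$((b & ~k & 7))"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Mode a new file / directory gets under MASK (creation defaults 666 / 777)
new_file_mode() { apply_umask 666 "$1"; }
new_dir_mode()  { apply_umask 777 "$1"; }

# Demonstration: the three objects from the ls -ld slide, and the two umasks
mode_to_string 4555          # -r-sr-xr-x  (/usr/bin/passwd)
mode_to_string 6555          # -r-sr-sr-x  (/usr/bin/crontab)
mode_to_string 1777 d        # drwxrwxrwt  (/tmp)
printf 'umask 022: file %s dir %s\n' "$(new_file_mode 022)" "$(new_dir_mode 022)"
printf 'umask 027: file %s dir %s\n' "$(new_file_mode 027)" "$(new_dir_mode 027)"
```

Using AND NOT rather than decimal subtraction matters for a mask such as 027 on the file default 666: the 7 digit removes bits the file never had, which a naive 6 - 7 would not express.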

Changing ownerships and groups

The chown command:
# chown fred file1

The chgrp command:
# chgrp staff file1

Changing both user and group ownership:
# chown fred:staff file1   OR   # chown fred.staff file1

Checkpoint

1. Which file contains an audit trail of su activity?
   _____________________________
2. If the following command was run:
   chmod 6754 file1
   What would the file permissions be for file1?
   ___ ___ ___
3. A binary executable with the SUID flag set is owned by user root. User michael executes the binary. The executable runs under which user, root or michael?
   _______________
4. A shared directory is created on the system. What flag must be set to ensure only the owner of the files can delete them?
   _______________
5. Why is a umask of 027 recommended?
   ________________________________________________

Checkpoint solutions

1. Which file contains an audit trail of su activity?
   /var/adm/sulog
2. If the following command was run:
   chmod 6754 file1
   What would the file permissions be for file1?
   rws r-s r--
3. A binary executable with the SUID flag set is owned by user root. User michael executes the binary. The executable runs under which user, root or michael?
   root
4. A shared directory is created on the system. What flag must be set to ensure only the owner of the files can delete them?
   SVTX or sticky bit
5. Why is a umask of 027 recommended?
   This value removes all permission bits for the others category, which enhances security.

Topic summary

Having completed this topic, you should be able to:

Understand user accounts and groups
Describe the role of RBAC
Identify key security logs
Understand and apply file permissions, including the role of the umask attribute
Change file ownership and group assignment

User and group administration

After completing this topic, you should be able to:

Understand the login sequence from a system console
Understand the login initialization process
Add, list, change, and delete users and groups
Set and change passwords
Recover root password if lost or forgotten
Understand the key elements of RBAC and configure a simple RBAC implementation

Console login sequence

getty process (spawned by inittab; settings in /etc/security/login.cfg)
    |
Login: userid and passwd
    |
User verification check (/etc/passwd, /etc/security/passwd)
    |
Valid? --no--> Login failed; log entry in /etc/security/failedlogin
    | yes
Set up the environment (/etc/environment, /etc/security/environ, /etc/security/limits, /etc/security/user)
    |
Display /etc/motd (not shown when $HOME/.hushlogin exists)
    |
Enter login shell (/etc/profile, $HOME/.profile)

User initialization process

LOGIN
    |
/etc/environment     Establishes base environment; sets PATH, TZ, LANG, and NLSPATH
    |
/etc/profile         Shell script run at all logins; sets TERM, MAILMSG, and MAIL
    |
$HOME/.profile       User's personal file to customize their environment (PATH, ENV, PS1)
    |
$HOME/.kshrc         User's personal file to customize the Korn shell environment (set -o vi, alias)

Message of the day

The file /etc/motd contains text that is displayed every time a user logs in.
This file should only contain information necessary for the users to see.
If the $HOME/.hushlogin file exists in a user's home directory, then the contents of the /etc/motd file are not displayed to that user.

******************************************************************
**                                                              **
**       AIX Version 6.1 TL 02 HACMP 5.5.0.0. + WPAR ckp        **
**                                                              **
**       Eduction AIX AN12 Build version 318                    **
**                                                              **
******************************************************************

nimmaster:/

Security & Users

# smit security

                              Security & Users

Move cursor to desired item and press Enter.

  Users
  Groups
  Passwords
  Login Controls
  PKI
  LDAP
  Role Based Access Control (RBAC)
  Trusted Execution

SMIT users

# smit users

                                   Users

Move cursor to desired item and press Enter.

  Add a User
  Change a User's Password
  Change / Show Characteristics of a User
  Lock / Unlock a User's Account
  Reset User's Failed Login Count
  Remove a User
  List All Users

Listing users

The lsuser command:
lsuser [-c | -f] [-a attribute ] {ALL | username }

Example:
# lsuser -a id home ALL
root id=0 home=/
daemon id=1 home=/etc
bin id=2 home=/bin
sys id=3 home=/usr/sys
adm id=4 home=/var/adm
uucp id=5 home=/usr/lib/uucp
guest id=100 home=/home/guest
alex id=333 home=/home/mancunian

Add a user to the system

# smit mkuser
# mkuser id=333 alex

                                  Add a User

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[TOP]                                                  [Entry Fields]
* User NAME                                            [alex]
  User ID                                              [333]                  #
  ADMINISTRATIVE USER?                                  false                 +
  Primary GROUP                                        []                     +
  Group SET                                            []                     +
  ADMINISTRATIVE GROUPS                                []                     +
  ROLES                                                []                     +
  Another user can SU TO USER?                          true                  +
  SU GROUPS                                            [ALL]                  +
  HOME directory                                       []
  Initial PROGRAM                                      []
  User INFORMATION                                     []
[MORE...32]

Change/Show characteristics of a user

# smit chuser
# chuser groups='staff,security' alex

                     Change / Show Characteristics of a User

                                                       [Entry Fields]
* User NAME                                             alex
  User ID                                              [333]                  #
  ADMINISTRATIVE USER?                                  false                 +
  Primary GROUP                                        [staff]                +
  Group SET                                            [staff,security]       +
  ADMINISTRATIVE GROUPS                                []                     +
  ROLES                                                []                     +
  Another user can SU TO USER?                          true                  +
  SU GROUPS                                            [ALL]                  +
  HOME directory                                       [/home/alex]
  Initial PROGRAM                                      [/usr/bin/ksh]
  User INFORMATION                                     []
  EXPIRATION date (MMDDhhmmyy)                         [0]
  Is this user ACCOUNT LOCKED?                          false                 +
  User can LOGIN?                                       true                  +
  User can LOGIN REMOTELY(rsh,tn,rlogin)?               true                  +
[MORE...48]

Remove a user from the system

The rmuser command or SMIT can be used to delete a user from the system:
# rmuser -p team01

When you remove a user, that user's home directory is not deleted. Therefore, you must remember to manually clean up the directories of users you remove. Remember to back up important files first!
# rm -r /home/team01

Passwords

A new user ID cannot be used until a password is assigned.
Two commands for changing passwords:
# pwdadm <username>     (root or security group only)
  OR
# passwd [username]

SMIT invokes the passwd command for root and pwdadm if non-root.
An ordinary user can use the passwd command to change their own password.
Only root or a member of the security group can change the password of another user.

Regaining root's password

1. Boot from optical media, NIM, or a bootable tape.
2. Select Access a Root Volume Group from the Maintenance menu.

                                 Maintenance

   >>> 1 Access a Root Volume Group
       2 Copy a System Dump to Removable Media
       3 Access Advanced Maintenance Functions
       4 Erase Disks

3. Follow the options to activate the root volume group and obtain a shell.
4. Once a shell is available, execute the passwd command to change root's password.
5. Enter the following command:
   # sync ; sync
6. Reboot the system.

SMIT groups

# smit groups

                                   Groups

Move cursor to desired item and press Enter.

  List All Groups
  Add a Group
  Change / Show Characteristics of a Group
  Remove a Group

Listing groups

The lsgroup command:
lsgroup [-c | -f] [-a attribute ] {ALL | groupname }

Example:
# lsgroup -f -a id users ALL
system:
        id=0
        users=root,esaadmin,pconsole

staff:
        id=1
        users=ipsec,ted,sshd,alex,local,tyrone,daemon

bin:
        id=2
        users=root,bin
...

Add a Group

# smit mkgroup
# mkgroup -A id=101 users=alex,tyrone techies

                                  Add a Group

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                       [Entry Fields]
* Group NAME                                           [techies]
  ADMINISTRATIVE group?                                 false                 +
  Group ID                                             [101]                  #
  USER list                                            [alex,tyrone]          +
  ADMINISTRATOR list                                   []                     +
  Projects                                             []                     +
  Initial Keystore Mode                                []                     +
  Keystore Encryption Algorithm                        []                     +
  Keystore Access                                      []                     +

Change or remove a group

# smit chgroup
# chgroup users=alex,tyrone,ted adms=alex techies

                                 Change a Group

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                       [Entry Fields]
* Group NAME                                           [techies]
  ADMINISTRATIVE group?                                 false                 +
  Group ID                                             [101]                  #
  USER list                                            [alex,tyrone,ted]      +
  ADMINISTRATOR list                                   [alex]                 +
  Projects                                             []                     +
  Initial Keystore Mode                                []                     +
  Keystore Encryption Algorithm                        []                     +
  Keystore Access                                      []                     +

To remove a group:
# rmgroup techies

RBAC overview

RBAC configuration is stored within the Kernel Security Tables (KST).

Users -> Roles -> Authorizations -> Privileged commands and files
  Roles: System Operator, User and Group Account Administration, System Administrator
  Authorizations: Manage Devices, Create System WPARs, Operating System Administration
  Privileged command example: Command = /usr/sbin/shutdown, Auth = aix.system.boot.shutdown

RBAC defined roles and authorizations

Roles:
# lsrole -c -a dfltmsg ALL | grep -v "#name" | grep ":"
AccountAdmin:User and Group Account Administration
BackupRestore:Backup and Restore Administration
DomainAdmin:Remote Domain Administration
FSAdmin:File System Administration
SecPolicy:Security Policy Administration
SysBoot:System Boot Administration
SysConfig:System Configuration Administration
isso:Information System Security Officer
sa:System Administrator
so:System Operator

Authorizations:
# lsauth -f ALL | grep dfltmsg | sed 's:dfltmsg=::g'
Operating System Administration
Device Administration
Configure Devices
Configure the Random Device
Configure TTY Devices
Manage Devices
Change Attributes of a Device
... (remaining output removed for clarity)

RBAC (basic) implementation steps

Steps to configure RBAC

1. Ensure RBAC is enabled (default true, AIX 6.1).
   # lsattr -El sys0 | grep RBAC
   enhanced_RBAC   true   Enhanced RBAC Mode
2. Plan which predefined administration roles need to be assigned to users.
3. Assign AIX predefined roles to the relevant users, using the chuser command.
4. The user would then switch to the role and perform the necessary operations. To switch roles, use the swrole command.

RBAC example (1 of 2)

Example: Let's give permission for user alex to start, stop, and reboot the system.
First, find the predefined role.

# lsrole -f -a authorizations dfltmsg ALL | grep -p dfltmsg | \
  grep -p shutdown
SysBoot:
        authorizations=aix.system.boot.halt,aix.system.boot.info,aix.system.boot.reboot,aix.system.boot.shutdown
        dfltmsg=System Boot Administration

Add the SysBoot role to user alex.

# chuser roles=SysBoot alex
# rolelist -u alex
SysBoot         System Boot Administration

Confirm the SysBoot role has been allocated to user alex.

RBAC example (2 of 2)

As user alex, shut down and reboot the system.

alex $ rolelist                       (lists the assigned roles)
SysBoot         System Boot Administration

alex $ rolelist -e                    (lists the active roles)
rolelist: There is no active role set

alex $ rolelist -a                    (lists the assigned authorizations)
SysBoot         aix.system.boot.create
                aix.system.boot.halt
                aix.system.boot.info
                aix.system.boot.reboot
                aix.system.boot.shutdown

alex $ swrole SysBoot                 (switch to role SysBoot)
alex's Password:

alex $ rolelist -e                    (SysBoot role is now active)
SysBoot         System Boot Administration

alex $ shutdown -Fr                   (perform a system reboot)

Checkpoint

1. What is the difference between the commands, pwdadm and passwd?
   ___________________________________________
2. Which password change command does SMIT use?
3. True or False: When you delete a user from the system, all the user's files and directories are also deleted.
4. True or False: RBAC is disabled by default on AIX 6.1.

Checkpoint solutions

1. What is the difference between the commands, pwdadm and passwd?
   The pwdadm command can only be run by a member of the security group
2. Which password change command does SMIT use?
   passwd
3. True or False: When you delete a user from the system, all the user's files and directories are also deleted.
4. True or False: RBAC is disabled by default on AIX 6.1.

Topic summary

Having completed this topic, you should be able to:

Understand the login sequence from a system console
Understand the login initialization process
Add, list, change, and delete users and groups
Set and change passwords
Recover root password if lost or forgotten
Understand the key elements of RBAC and configure a simple RBAC implementation

Security files

After completing this topic, you should be able to:

Identify and understand key security files
Understand how to validate the user environment
Document the system security policy and set-up

Security files introduction

Files used to contain user attributes and control access:

/etc/passwd                   Valid users (not passwords)
/etc/group                    Valid groups
/etc/security                 Directory not accessible to normal users
/etc/security/passwd          User passwords
/etc/security/user            User attributes, password restrictions
/etc/security/group           Group attributes
/etc/security/limits          User limits
/etc/security/environ         User environment settings
/etc/security/login.cfg       Console login settings

/etc/passwd file

# cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
sshd:*:202:201::/var/empty:/usr/bin/ksh
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh

Second field:  ! = password is set (held in /etc/security/passwd)
               * = no password set

/etc/security/passwd file

# cat /etc/security/passwd
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

bin:
        password = *

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK

/etc/security/user file

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 000
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0

* default continued ...
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

root:
        admin = true
        SYSTEM = "compat"
        loginretries = 0
        account_locked = false
        registry = files
        admgroups =

alex:
        admin = false

Group files

# cat /etc/group
system:!:0:root,esaadmin,pconsole
staff:!:1:ipsec,sshd,alex,tyrone,ted
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
uucp:!:5:nuucp,uucp
...

# cat /etc/security/group
system:
        admin = true

staff:
        admin = false

bin:
        admin = true
...
techies:
        admin = false
        adms = alex

/etc/security/login.cfg file

default:
        herald = "Authorized use only.\n\rlogin:"
        logintimes =
        logindisable = 0
        logininterval = 0
        loginreenable = 0
        logindelay = 0

* Other security attributes (usw stanza):
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 60
        auth_type = STD_AUTH
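An added example, not from the course, for reading the stanza files shown on the last several slides (/etc/security/user, /etc/security/passwd, /etc/security/group, /etc/security/login.cfg share the "name:" header plus indented "attribute = value" layout): a POSIX sh/awk lookup that resolves an attribute for a user with the default: stanza as the fallback, the way the slides describe, together with the ! versus * check on the second field of /etc/passwd. The sample file contents are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the IBM course material. Sample files below are
# constructed to look like /etc/security/user and /etc/passwd excerpts.

SAMPLE_USER=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_USER" "$SAMPLE_PASSWD"' EXIT

cat > "$SAMPLE_USER" <<'EOF'
default:
        admin = false
        login = true
        umask = 022
        SYSTEM = "compat"
        maxrepeats = 8
        loginretries = 0

root:
        admin = true
        loginretries = 0

alex:
        umask = 027
        loginretries = 3
EOF

cat > "$SAMPLE_PASSWD" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
alex:!:333:1::/home/alex:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh
EOF

# stanza_get FILE STANZA ATTR: print ATTR from STANZA, falling back to the
# default: stanza; exit 1 when neither defines it.
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        # header: a name at column 1 ending in a colon
        /^[^ \t#].*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        # attribute: indented "name = value" (value may be empty)
        /^[ \t]+[A-Za-z0-9_]+[ \t]*=/ {
            line = $0; sub(/^[ \t]+/, "", line)
            i = index(line, "=")
            key = substr(line, 1, i - 1); gsub(/[ \t]+$/, "", key)
            val = substr(line, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[cur, key] = val
        }
        END {
            if ((want, attr) in v)      { print v[want, attr]; exit 0 }
            if (("default", attr) in v) { print v["default", attr]; exit 0 }
            exit 1
        }' "$1"
}

# passwd_state FILE USER: "set" when field 2 is "!" (hash lives in
# /etc/security/passwd), "none" when it is "*" (no password set); exit 1 if
# USER is absent.
passwd_state() {
    awk -F: -v u="$2" '
        $1 == u {
            r = ($2 == "!") ? "set" : (($2 == "*") ? "none" : "other")
            print r; found = 1
        }
        END { if (!found) exit 1 }' "$1"
}

# users_without_lockout PASSWD USERFILE: accounts whose effective
# loginretries is 0, i.e. never locked after repeated failed logins.
users_without_lockout() {
    for u in $(cut -d: -f1 "$1"); do
        if [ "$(stanza_get "$2" "$u" loginretries)" = "0" ]; then echo "$u"; fi
    done
}

# Demonstration
printf 'alex umask: %s (own stanza)\n' "$(stanza_get "$SAMPLE_USER" alex umask)"
printf 'ted umask:  %s (from default:)\n' "$(stanza_get "$SAMPLE_USER" ted umask)"
printf 'ted password state: %s\n' "$(passwd_state "$SAMPLE_PASSWD" ted)"
printf 'no lockout: %s\n' "$(users_without_lockout "$SAMPLE_PASSWD" "$SAMPLE_USER" | tr '\n' ' ')"
```

The fallback is the point: a user stanza that sets nothing inherits every default: value, so a weak default (loginretries = 0 here) applies to every account that does not override it.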

Validating the user environment

pwdck verifies the validity of local authentication information:
  pwdck {-n|-p|-t|-y} {ALL | username}
  Verifies that /etc/passwd and /etc/security/passwd are consistent with each other and with /etc/security/login.cfg and /etc/security/user.

usrck verifies the validity of a user definition:
  usrck {-l|-b|-n|-p|-t|-y} {ALL | username}
  Checks each user name in /etc/passwd, /etc/security/user, /etc/security/limits and /etc/security/passwd.
  Checks are made to ensure that each has an entry in /etc/group and /etc/security/group.

grpck verifies the validity of a group:
  grpck {-n|-p|-t|-y} {ALL | groupname }
  Verifies that the files /etc/passwd, /etc/security/user, /etc/group and /etc/security/group are consistent.
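An added example, not the usrck/grpck commands themselves: an awk cross-check of constructed /etc/passwd and /etc/group samples for two of the relationships the slide names, that a user's primary gid exists in /etc/group and that every member named in /etc/group has a /etc/passwd entry. Function names and sample data are my own; run the real usrck and grpck on a live system, this only shows what such a check looks like.

```shell
#!/bin/sh
# Added example, not part of the IBM course material. Both files below are
# constructed: "orphan" has a gid with no group, "ghost" is a group member
# with no account.

PASSWD_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$GROUP_SAMPLE"' EXIT

cat > "$PASSWD_SAMPLE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
bin:!:2:2::/bin:
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
orphan:!:400:999::/home/orphan:/usr/bin/ksh
EOF

cat > "$GROUP_SAMPLE" <<'EOF'
system:!:0:root
staff:!:1:alex,tyrone,ghost
bin:!:2:root,bin
EOF

# users_with_missing_group PASSWD GROUP: users whose primary gid (field 4 of
# passwd) has no entry in the group file (field 3 of group).
users_with_missing_group() {
    awk -F: '
        NR == FNR { gid[$3] = 1; next }     # first file: collect group ids
        !($4 in gid) { print $1 }           # second file: users lacking one
    ' "$2" "$1"
}

# group_members_without_account PASSWD GROUP: "group member" pairs where the
# member (field 4 of group, comma-separated) has no passwd entry.
group_members_without_account() {
    awk -F: '
        NR == FNR { user[$1] = 1; next }    # first file: collect user names
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in user)) print $1, m[i]
        }
    ' "$1" "$2"
}

# account_files_consistent PASSWD GROUP: success only when both checks are clean
account_files_consistent() {
    [ -z "$(users_with_missing_group "$1" "$2")$(group_members_without_account "$1" "$2")" ]
}

# Demonstration
printf 'users with no group for their gid: %s\n' "$(users_with_missing_group "$PASSWD_SAMPLE" "$GROUP_SAMPLE")"
printf 'group members with no account: %s\n' "$(group_members_without_account "$PASSWD_SAMPLE" "$GROUP_SAMPLE")"
if account_files_consistent "$PASSWD_SAMPLE" "$GROUP_SAMPLE"; then echo consistent; else echo inconsistent; fi
```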

Documenting security policy and setup

Identify the different types of users and what data they will need to access.
Consider using enhanced RBAC with AIX 6.1 to perform system administration tasks (as opposed to using root).
Organize groups around the type of work that is to be done.
Organize ownership of data to fit with the group structure.
Set SVTX on shared directories.

Note: Further topics, such as LDAP, SSH, trusted execution, encrypted filesystems, aixpert, RBAC (detailed), and IPSec, are covered in the AIX Security course: AU47G

Checkpoint

1. If an ordinary user forgets their password, can the system administrator find out by querying the system as to what the user's password was set to?
   ______
   Why or why not?
   _______________________________________
2. True or False: An asterisk mary:*: in the second field of the /etc/passwd file means there is a valid password set in the shadow password file for user mary.
3. Password restrictions are set in which of the following files?
   /etc/passwd
   /etc/security/passwd
   /etc/security/restrictions
   /etc/security/user

Checkpoint solutions

1. If an ordinary user forgets their password, can the system administrator find out by querying the system as to what the user's password was set to?
   No
   Why or why not?
   Because the passwords are held in encrypted format, so even the system administrator cannot tell what the password was set to.
2. True or False: An asterisk mary:*: in the second field of the /etc/passwd file means there is a valid password set in the shadow password file for user mary.
3. Password restrictions are set in which of the following files?
   /etc/passwd
   /etc/security/passwd
   /etc/security/restrictions
   /etc/security/user

Topic summary

Having completed this topic, you should be able to:

Identify and understand key security files
Understand how to validate the user environment
Document the system security policy and set-up

Exercise 12

Security and user administration

Unit summary

Having completed this unit, you should be able to:

Define the concepts of users and groups, and explain how and when these should be allocated on the system
Describe ways of controlling root access on the system
Explain the uses of SUID, SGID, and SVTX permission bits
Administer user accounts and groups
Understand the basic concepts and implementation of RBAC
Identify the data files associated with users and security
