Unit objectives
IBM Power Systems

User accounts

- Superuser (root, uid 0)
- adm, sys, bin, ...: IDs that own system files but cannot be used for login
# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
Groups

Group hierarchy

- security, system, adm, printq, audit: groups whose members have rights to administrative functions
- shutdown: members may run the shutdown command
- staff: ordinary users

User hierarchy

- normal user: a login ID with no administrative rights of its own
- Users are assigned Roles, and Roles are collections of Authorizations (the RBAC model, covered later in this unit)
Security logs

- /var/adm/sulog: every su attempt, successful (+) or failed (-), with the tty and the from-to user pair
- /var/adm/wtmp: login and logout history (read with last)
- /etc/utmp: who is currently logged in (read with who)
- /etc/security/failedlogin: information on failed login attempts (read with who /etc/security/failedlogin)
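Of the four files above, /var/adm/sulog is plain text and the one most worth a scheduled check, because a run of failed su attempts against root is the classic sign of a compromised ordinary account. The script below is an added example for this page, not an IBM tool; it assumes the classic sulog line layout (SU date time +/- tty fromuser-touser) and runs on a constructed sample log embedded in the script, so it works on any POSIX shell without an AIX box.

```shell
#!/bin/sh
# Summarise su activity from an AIX-style /var/adm/sulog.
# Added example, not part of the course material. Assumes the classic sulog
# line layout:  SU MM/DD hh:mm {+|-} tty fromuser-touser
# ('+' = su succeeded, '-' = it failed). The log below is constructed.
SAMPLE_SULOG='SU 11/21 08:02 + pts/0 alex-root
SU 11/21 08:15 - pts/1 tyrone-root
SU 11/21 08:16 - pts/1 tyrone-root
SU 11/21 08:17 - pts/1 tyrone-root
SU 11/21 09:40 + pts/2 ted-alex
SU 11/21 10:05 - pts/3 guest-root
SU 11/21 10:06 + pts/3 guest-root'

# su_events LOG {+|-} TARGET: print "count fromuser" for every user who
# attempted su to TARGET with the given outcome, most attempts first.
su_events() {
    awk -v want="$2" -v target="$3" '
        $1 == "SU" && $4 == want {
            n = split($6, pair, "-")        # fromuser-touser (no hyphens in names)
            if (n == 2 && pair[2] == target) count[pair[1]]++
        }
        END { for (u in count) print count[u], u }' "$1" |
    sort -rn
}

failed_su_to_root()     { su_events "${1:-/var/adm/sulog}" - root; }
successful_su_to_root() { su_events "${1:-/var/adm/sulog}" + root; }

# repeated_failures THRESHOLD [LOG]: users whose failed su-to-root count
# reaches THRESHOLD; the kind of line a cron check would alert on. A guest
# account that fails and then succeeds (as in the sample) is exactly the
# case worth a second look.
repeated_failures() {
    failed_su_to_root "${2:-/var/adm/sulog}" | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed sample
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SULOG" > "$tmp"
echo "failed su to root:";     failed_su_to_root "$tmp"
echo "successful su to root:"; successful_su_to_root "$tmp"
echo "3 or more failures:";    repeated_failures 3 "$tmp"
rm -f "$tmp"
```

On a real system call the functions without a file argument to read /var/adm/sulog; the from-user is what matters, since the target is almost always root and the tty tells you whether the attempt came from a console or a network session.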
File/Directory permissions

Perm. bit   File                                        Directory
SUID        runs with the effective UID of the owner    --------
SGID        runs with the effective GID of the group    new files inherit the directory's group
SVTX        --------                                    only a file's owner (or root) may delete or rename it there

Reading permissions

            owner   group   other
            r w x   r w x   r w x

The special bits are shown in the x position of the ls -l mode string:
  SUID + x          s   (owner x position)
  SUID only         S   (owner x position, x not set)
  SGID + x          s   (group x position)
  SGID only         S   (group x position, x not set)
  sticky bit + x    t   (other x position)
  sticky bit only   T   (other x position, x not set)
# ls -ld /usr/bin/passwd /usr/bin/crontab /tmp
-r-sr-xr-x   ...  root  security  ...  /usr/bin/passwd
-r-sr-sr-x   ...  root  cron      ...  /usr/bin/crontab
drwxrwxrwt   ...  bin   bin       ...  /tmp
Changing permissions

    4       2       1
   SUID    SGID    SVTX
   owner   group   other
   r w x   r w x   r w x
   4 2 1   4 2 1   4 2 1

Octal form                   OR   Symbolic form
# chmod 4777 file1   SUID         # chmod u+s file1   SUID
# chmod 2777 file1   SGID         # chmod g+s file1   SGID
# chmod 1777 dir1    SVTX         # chmod +t dir1     SVTX
umask

Files:         666   umask 022   ->   644   rw-r--r--
Directories:   777   umask 022   ->   755   rwxr-xr-x

Files:         666   umask 027   ->   640   rw-r-----
Directories:   777   umask 027   ->   750   rwxr-x---
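The three slides above (reading permissions, changing permissions, umask) are all the same arithmetic on one 12-bit mode word, and the umask table is easy to misread as subtraction: 666 with umask 027 gives 640 because the kernel clears the mask bits with AND NOT, not because 6 - 7 is anything. The functions below are an added example written for this page, not course or IBM code; they use only POSIX shell arithmetic and find, so they run anywhere and need no AIX commands.

```shell
#!/bin/sh
# Permission-bit arithmetic as the kernel and ls -l see it.
# Added example (not from the course material); no AIX-only commands used.

# apply_umask DEFAULT UMASK: the mode a new object gets. The kernel clears
# the umask bits with AND NOT; it does not subtract digit by digit.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}
new_file_mode() { apply_umask 666 "$1"; }   # files are created from 666
new_dir_mode()  { apply_umask 777 "$1"; }   # directories from 777

# mode_to_ls MODE: render an octal mode (optional 4/2/1 special digit) as the
# 9-character string ls -l shows: s/t when the special bit sits on an x bit
# that is set, S/T when the special bit is set but x is not.
mode_to_ls() {
    m=$(( 0$1 )); out=""
    for spec in "6 4000 s S" "3 2000 s S" "0 1000 t T"; do
        set -- $spec          # shift, special-bit mask, lower, upper letter
        bits=$(( (m >> $1) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( m & 0$2 )) -ne 0 ]; then
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}$3"; else out="${out}$4"; fi
        elif [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"
        else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# ls_to_mode STRING: the reverse, accepting "rwxr-xr-x" or "-rwxr-xr-x".
ls_to_mode() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi   # drop the file-type column
    m=0; pos=1
    for spec in "6 4000" "3 2000" "0 1000"; do
        set -- $spec
        for want in r w x; do
            c=$(printf '%s' "$s" | cut -c "$pos"); pos=$(( pos + 1 ))
            case "$want$c" in
                rr)    m=$(( m | (4 << $1) )) ;;
                ww)    m=$(( m | (2 << $1) )) ;;
                xx)    m=$(( m | (1 << $1) )) ;;
                xs|xt) m=$(( m | (1 << $1) | 0$2 )) ;;
                xS|xT) m=$(( m | 0$2 )) ;;
            esac
        done
    done
    printf '%04o\n' "$m"
}

# suid_audit DIR: list set-uid/set-gid files under DIR (the check behind the
# ls -ld /usr/bin/passwd example); diff the output against a known baseline.
suid_audit() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null
}

# Stand-alone demo
for u in 022 027; do
    printf 'umask %s: file %s %s, dir %s %s\n' "$u" \
        "$(new_file_mode "$u")" "$(mode_to_ls "$(new_file_mode "$u")")" \
        "$(new_dir_mode "$u")"  "$(mode_to_ls "$(new_dir_mode "$u")")"
done
for s in -r-sr-xr-x -r-sr-sr-x drwxrwxrwt -rwSr--r--; do
    printf '%s -> %s\n' "$s" "$(ls_to_mode "$s")"
done
```

A capital S or T in suid_audit output is worth a second look on its own: a set-uid bit on a file that is not executable does nothing useful and usually means a botched chmod.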
chown

# chown fred:staff file1    OR    # chown fred.staff file1
Login process

getty process, spawned by inittab, with settings from /etc/security/login.cfg
  |
  v
login prompt --> Valid? --no--> back to the login prompt
  | yes
  v
/etc/passwd, /etc/security/passwd, /etc/environment, /etc/security/environ,
/etc/security/limits, /etc/security/user
  |
  v
Display /etc/motd (suppressed if $HOME/.hushlogin exists)
  |
  v
/etc/profile, then $HOME/.profile

LOGIN: environment files read, in order:
  /etc/environment
  /etc/profile
  $HOME/.profile
  $HOME/.kshrc
nimmaster:/ # smit security

                        Security & Users

Move cursor to desired item and press Enter.

  Users
  Groups
  Passwords
  Login Controls
  PKI
  LDAP
  Role Based Access Control (RBAC)
  Trusted Execution
SMIT users

# smit users

                             Users

Move cursor to desired item and press Enter.

  Add a User
  Change a User's Password
  Change / Show Characteristics of a User
  Lock / Unlock a User's Account
  Reset User's Failed Login Count
  Remove a User
  List All Users
Listing users

Example:
# lsuser -a id home ALL
root id=0 home=/
daemon id=1 home=/etc
bin id=2 home=/bin
sys id=3 home=/usr/sys
adm id=4 home=/var/adm
uucp id=5 home=/usr/lib/uucp
guest id=100 home=/home/guest
alex id=333 home=/home/mancunian
# smit mkuser

                              Add a User

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[TOP]                                                  [Entry Fields]
* User NAME                                            [alex]
  User ID                                              [333]               #
  ADMINISTRATIVE USER?                                  false              +
  Primary GROUP                                        []                  +
  Group SET                                            []                  +
  ADMINISTRATIVE GROUPS                                []                  +
  ROLES                                                []                  +
  Another user can SU TO USER?                          true               +
  SU GROUPS                                            [ALL]               +
  HOME directory                                       []
  Initial PROGRAM                                      []
  User INFORMATION                                     []
[MORE...32]
# smit chuser

                 Change / Show Characteristics of a User

                                                       [Entry Fields]
* User NAME                                             alex
  User ID                                              [333]               #
  ADMINISTRATIVE USER?                                  false              +
  Primary GROUP                                        [staff]             +
  Group SET                                            [staff,security]    +
  ADMINISTRATIVE GROUPS                                []                  +
  ROLES                                                []                  +
  Another user can SU TO USER?                          true               +
  SU GROUPS                                            [ALL]               +
  HOME directory                                       [/home/alex]
  Initial PROGRAM                                      [/usr/bin/ksh]
  User INFORMATION                                     []
  EXPIRATION date (MMDDhhmmyy)                         [0]
  Is this user ACCOUNT LOCKED?                          false              +
  User can LOGIN?                                       true               +
  User can LOGIN REMOTELY(rsh,tn,rlogin)?               true               +
[MORE...48]

Note that alex's Group SET includes security: membership of that group is enough to administer other users' passwords (see Passwords below), so it should be granted as deliberately as a role.
Passwords

# passwd [username]
Any user may change their own password; naming another user is permitted for root or members of the security group only.

Recovering a lost root password: boot from installation media and choose Maintenance to reach this menu.

                          Maintenance
>>> 1 Access a Root Volume Group
    2 Copy a System Dump to Removable Media
    3 Access Advanced Maintenance Functions
    4 Erase Disks

3. Follow the options to activate the root volume group and obtain a shell.
4. Once a shell is available, execute the passwd command to change root's password.
5. Enter the following command:
   # sync ; sync
6. Reboot the system.

Because this procedure needs no credentials at all, physical and console access to the system, and the ability to boot it from other media, must be controlled as tightly as the root password itself.
SMIT groups

# smit groups

                             Groups

Move cursor to desired item and press Enter.

  List All Groups
  Add a Group
  Change / Show Characteristics of a Group
  Remove a Group
Listing groups

Example:
# lsgroup -f -a id users ALL
system:
        id=0
        users=root,esaadmin,pconsole

staff:
        id=1
        users=ipsec,ted,sshd,alex,local,tyrone,daemon

bin:
        id=2
        users=root,bin
...
Add a Group

# smit mkgroup
(command line: mkgroup -A id=101 users=alex,tyrone techies)

                              Add a Group

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                       [Entry Fields]
* Group NAME                                           [techies]
  ADMINISTRATIVE group?                                 false              +
  Group ID                                             [101]               #
  USER list                                            [alex,tyrone]       +
  ADMINISTRATOR list                                   []                  +
  Projects                                             []                  +
  Initial Keystore Mode                                []                  +
  Keystore Encryption Algorithm                        []                  +
  Keystore Access                                      []                  +
# smit chgroup
(command line: chgroup users=alex,tyrone,ted adms=alex techies)

                             Change a Group

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                       [Entry Fields]
* Group NAME                                           [techies]
  ADMINISTRATIVE group?                                 false              +
  Group ID                                             [101]               #
  USER list                                            [alex,tyrone,ted]   +
  ADMINISTRATOR list                                   [alex]              +
  Projects                                             []                  +
  Initial Keystore Mode                                []                  +
  Keystore Encryption Algorithm                        []                  +
  Keystore Access                                      []                  +

A user named in the ADMINISTRATOR list (adms) can add and remove members of that group without root privileges, which is how group membership is delegated.

To remove a group:
# rmgroup techies
RBAC overview

Users --> Roles --> Authorizations --> Privileged commands and files

Example of the chain:
  Authorizations: Manage Devices, Create System WPARs, Operating System Administration
  Command = /usr/sbin/shutdown
  Auth = aix.system.boot.shutdown
  Roles: System Operator, User and Group Account Administration, System Administrator

# lsrole -c -a dfltmsg ALL | grep -v "#name" | grep ":"
AccountAdmin:User and Group Account Administration
BackupRestore:Backup and Restore Administration
DomainAdmin:Remote Domain Administration
FSAdmin:File System Administration
SecPolicy:Security Policy Administration
SysBoot:System Boot Administration
SysConfig:System Configuration Administration
isso:Information System Security Officer
sa:System Administrator
so:System Operator

(-c prints colon-separated output, -a dfltmsg selects only the description attribute, and the greps drop the header line.)

# lsauth -f ALL | grep dfltmsg | sed 's:dfltmsg=::g'
Operating System Administration
Device Administration
Configure Devices
Configure the Random Device
Configure TTY Devices
Manage Devices
Change Attributes of a Device
... removed for clarity

4. The user would then switch to the role and perform the necessary operations.
RBAC example (1 of 2)

Confirm that the SysBoot role has been allocated to user alex (the ROLES field of the user's characteristics, smit chuser).

RBAC example (2 of 2)

alex $ rolelist -e
rolelist: There is no active role set
alex $ rolelist -a
SysBoot         aix.system.boot.create
                aix.system.boot.halt
                aix.system.boot.info
                aix.system.boot.reboot
                aix.system.boot.shutdown
alex $ swrole SysBoot                         <-- switch to role SysBoot
alex's Password:
alex $ rolelist -e
SysBoot         System Boot Administration    <-- SysBoot role is now active
alex $ shutdown -Fr                           <-- perform a system reboot

rolelist -a lists the authorizations behind the roles assigned to the user; rolelist -e lists only the roles active in the current session. swrole asks for alex's own password again (re-authentication), starts a new shell in which the role is active, and that activation ends with the shell, so the user holds the shutdown authorization only while deliberately working in the role.
Security files

After completing this topic, you should be able to:
- Identify and understand key security files
- Understand how to validate the user environment
- Document the system security policy and set-up

/etc/security directory:
  /etc/security/passwd      User passwords
  /etc/security/user        User attributes, password restrictions
  /etc/security/group       Group attributes
  /etc/security/limits      User limits
  /etc/security/environ     User environment settings
  /etc/security/login.cfg   Console login settings
/etc/passwd file

# cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
sshd:*:202:201::/var/empty:/usr/bin/ksh
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh

Second field:
  ! = the password (if any) is held in /etc/security/passwd; the stanza there may itself contain * 
  * = no password set
/etc/security/passwd file

# cat /etc/security/passwd
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

bin:
        password = *

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK

flags: ADMCHG = the user must change the password at next login; ADMIN = only root can change it; NOCHECK = the password restrictions in /etc/security/user are not enforced for this account. Unlike /etc/passwd this file is not world-readable. The 13-character hashes shown are traditional crypt(3) values, which use only the first eight characters of the password; newer AIX levels can store algorithm-tagged hashes such as {ssha256} once pwd_algorithm is set in the usw stanza of /etc/security/login.cfg, and existing accounts pick the new algorithm up at their next password change.
/etc/security/user file

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 000
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

root:
        admin = true
        SYSTEM = "compat"
        loginretries = 0
        account_locked = false
        registry = files

alex:
        admgroups =
        admin = false

An attribute set in a user's own stanza overrides the default stanza; anything not set there is taken from default. The default stanza shown enforces no password policy at all (minlen = 0, maxage = 0 so passwords never expire, histsize = 0 so reuse is allowed, loginretries = 0 so accounts never lock) and, with umask = 000, gives every new file world write access; a documented security policy tightens these values here, and the permissions arithmetic on the umask slide applies to whatever value is chosen.
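The two files above share one format, the stanza file, and the questions an auditor asks of them are mechanical: which accounts have no password at all once /etc/passwd and /etc/security/passwd are read together, which still carry legacy crypt(3) hashes, and what a user's effective policy attribute is after the default stanza is applied. The script below is an added example written for this page, not an IBM tool; it embeds constructed sample files (values reused from the slides plus a placeholder {ssha256} hash) so it runs on any POSIX shell, and the same read_attr parser works on /etc/security/group and login.cfg.

```shell
#!/bin/sh
# Reading AIX stanza files and auditing password state.
# Added example: functions and sample data are constructed for this page
# (sample stanzas reuse values from the slides plus a placeholder {ssha256}
# hash); nothing here is an IBM tool.

# read_attr FILE STANZA ATTR: print ATTR's value from STANZA; exit 0 if the
# attribute exists (even with an empty value), 1 if it does not.
read_attr() {
    awk -v st="$2" -v at="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == st {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[ \t]+$/, "", key)
            if (key == at) {
                val = substr(line, n + 1); sub(/^[ \t]+/, "", val)
                print val; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# effective_attr USERFILE USER ATTR: /etc/security/user semantics, the
# user's own stanza (even an empty value) overrides the default stanza.
effective_attr() {
    read_attr "$1" "$2" "$3" || read_attr "$1" default "$3"
}

# accounts_without_password PASSWD SECPASSWD: "*" in /etc/passwd means no
# password; "!" means look in /etc/security/passwd, where "password = *"
# or a missing stanza again means the account has none.
accounts_without_password() {
    while IFS=: read -r name pw _uid _gid _gecos _home _shell; do
        case "$pw" in
            '*') printf '%s\n' "$name" ;;
            '!') p=$(read_attr "$2" "$name" password) || p=""
                 if [ -z "$p" ] || [ "$p" = '*' ]; then printf '%s\n' "$name"; fi ;;
        esac
    done < "$1"
}

# legacy_crypt_accounts SECPASSWD: stanzas whose hash is a bare 13-character
# crypt(3) value rather than an algorithm-tagged one such as {ssha256}...;
# crypt(3) only uses the first 8 characters of the password.
legacy_crypt_accounts() {
    awk '/^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
         /^[ \t]*password[ \t]*=/ {
             v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
             if (v != "*" && v != "" && substr(v, 1, 1) != "{" && length(v) == 13) print cur
         }' "$1"
}

# write_samples DIR: write the constructed sample files passwd, secpasswd, user.
write_samples() {
    printf '%s\n' 'root:!:0:0::/:/usr/bin/ksh' 'daemon:!:1:1::/etc:' \
        'alex:!:333:1::/home/alex:/usr/bin/ksh' \
        'tyrone:!:204:1::/home/tyrone:/usr/bin/ksh' \
        'ted:*:205:1::/home/ted:/usr/bin/ksh' > "$1/passwd"
    cat > "$1/secpasswd" <<'EOF'
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

alex:
        password = {ssha256}06$placeholdersalt0$placeholderhashplaceholderhash0
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK
EOF
    cat > "$1/user" <<'EOF'
default:
        admin = false
        loginretries = 0
        minlen = 0
        maxage = 0
        umask = 022

root:
        admin = true
        registry = files

alex:
        admgroups =
        admin = false
        minlen = 8
        loginretries = 5
EOF
}

# Stand-alone demo on the sample files
d=$(mktemp -d)
write_samples "$d"
echo "accounts without a password:";     accounts_without_password "$d/passwd" "$d/secpasswd"
echo "accounts still on crypt(3) hashes:"; legacy_crypt_accounts "$d/secpasswd"
echo "effective minlen for alex / tyrone:"
effective_attr "$d/user" alex minlen; effective_attr "$d/user" tyrone minlen
rm -rf "$d"
```

Point the functions at the real files as root; accounts that come back from accounts_without_password should either be system IDs whose login attribute is false or be given a password, and the effective_attr check is the quickest way to prove that a hardened default stanza is not silently overridden in a user's own stanza.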
Group files

# cat /etc/group
system:!:0:root,esaadmin,pconsole
staff:!:1:ipsec,sshd,alex,tyrone,ted
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
uucp:!:5:nuucp,uucp
...

# cat /etc/security/group
system:
        admin = true

staff:
        admin = false

bin:
        admin = true
...
techies:
        admin = false
        adms = alex
/etc/security/login.cfg file

default:
        herald = "Authorized use only.\n\rlogin:"
        logintimes =
        logindisable = 0
        logininterval = 0
        loginreenable = 0
        logindelay = 0

* Other security attributes (usw stanza):

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 60
        auth_type = STD_AUTH

With logindisable = 0 and logindelay = 0 a port is never disabled after repeated failed logins and there is no delay between attempts; setting logindisable to a failure count together with logininterval (the window in seconds) and loginreenable (minutes until the port is re-enabled) is the per-port counterpart of loginretries in /etc/security/user.
Security policy and setup

- Identify the different types of users and what data they will need to access.
- Consider using enhanced RBAC with AIX 6.1 to perform system administration tasks (as opposed to using root).
Exercise 12

Unit summary