Unit 9 Security and user administration - MSU
Transcript of Unit 9 Security and user administration - MSU
Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 5.2
© Copyright IBM Corporation 2009
Unit 9Security and user administration
© Copyright IBM Corporation 2009
IBM Power Systems
Unit objectives
After completing this unit, you should be able to:
• Define the concepts of users and groups, and explain how and when these should be allocated on the system
• Describe ways of controlling root access on the system
• Explain the uses of SUID, SGID, and SVTX permission bits
• Administer user accounts and groups
• Understand the basic concepts and implementation of RBAC
• Identify the data files associated with users and security
© Copyright IBM Corporation 2009
IBM Power Systems
User accounts
• Each user has a unique name, numeric ID, and password.
• File ownership is determined by a numeric user ID.
• The owner is usually the user who created the file, but ownership can be transferred by root.
• Default users:– root Superuser– adm, sys, bin, ... IDs that own system files but
cannot be used for login
# iduid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
# iduid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
© Copyright IBM Corporation 2009
IBM Power Systems
Groups
• A group is a set of users, all of whom need access to a given set of files.
• Every user is a member of at least one group and can be a member of several groups.
• The user has access to a file if any group in the user’s groupset provides access. To list the groupset, use the groups command.
• The user's real group ID is used for file ownership on creation.To change the real group ID, use the newgrp command.
• Default groups:– System administrators: system– Ordinary users: staff
© Copyright IBM Corporation 2009
IBM Power Systems
Group hierarchy
system security
printqadm audit
shutdown
staff
Rights to administrative
functions
Ordinary users
© Copyright IBM Corporation 2009
IBM Power Systems
Controlling access to the root account
• Restrict access to privileged logins.
• Root's passwords should be changed on an unannounced schedule by the system administrator.
• Assign different root passwords to different machines.
• System administrators should always login as themselves first and then su to root instead of logging in as root. This helps provide an audit trail for root usage.
• Do not include unsecured directories in root's PATH.
# chuser login=false root# chuser login=false root
© Copyright IBM Corporation 2009
IBM Power Systems
Security logs
/var/adm/sulog
/var/adm/wtmp
/etc/security/failedlogin
/etc/utmp
Audit trail of su activity
Log of successful logins
List of users currently logged in
Information on failed login attempts
© Copyright IBM Corporation 2009
IBM Power Systems
User and group administration
After completing this topic, you should be able to:
• Understand the login sequence from a system console• Understand the login initialization process• Add, list, change, and delete users and groups• Set and change passwords
– Recover root password if lost or forgotten• Understand the key elements of RBAC and configure a
simple RBAC implementation
© Copyright IBM Corporation 2009
IBM Power Systems
Console login sequencegetty process
Login: userid and passwd
Spawned by inittab
User verification check
Set up the environment.
Display /etc/motd
Enter login shell
Valid?yes
noLogin failed
Settings in/etc/security/login.cfg
/etc/passwd/etc/security/passwd
/etc/environment/etc/security/environ/etc/security/limits/etc/security/user
$HOME/.hushlogin
/etc/profile$HOME/.profile
Log entry in:/etc/security/failedlogin
© Copyright IBM Corporation 2009
IBM Power Systems
User initialization process
LOGIN
/etc/environment
/etc/profile
$HOME/.kshrc
Establishes base environment sets PATH, TZ, LANG, and NLSPATH
Shell script run at all logins sets TERM, MAILMSG, and MAIL
User's personal file tocustomize their environmentPATH, ENV, PS1
$HOME/.profile
User's personal file to customizethe Korn shell environmentset –o vi, alias
© Copyright IBM Corporation 2009
IBM Power Systems
Message of the day
• The file /etc/motd contains text that is displayed every time a user logs in.
• This file should only contain information necessary for the users to see.
• If the $HOME/.hushlogin file exists in a user's home directory, then the contents of the /etc/motd file are not displayed to that user.
******************************************************************* ** ** AIX Version 6.1 TL 02 HACMP 5.5.0.0. + WPAR ckp ** ** Eduction AIX AN12 Build version 318 ** ** *******************************************************************
nimmaster:/
******************************************************************* ** ** AIX Version 6.1 TL 02 HACMP 5.5.0.0. + WPAR ckp ** ** Eduction AIX AN12 Build version 318 ** ** *******************************************************************
nimmaster:/
© Copyright IBM Corporation 2009
IBM Power Systems
Security & Users
# smit security
Security & Users
Move cursor to desired item and press Enter.
UsersGroupsPasswordsLogin ControlsPKILDAPRole Based Access Control (RBAC)Trusted Execution
Security & Users
Move cursor to desired item and press Enter.
UsersGroupsPasswordsLogin ControlsPKILDAPRole Based Access Control (RBAC)Trusted Execution
© Copyright IBM Corporation 2009
IBM Power Systems
SMIT users
# smit users
Users
Move cursor to desired item and press Enter.
Add a UserChange a User's PasswordChange / Show Characteristics of a UserLock / Unlock a User's AccountReset User's Failed Login CountRemove a UserList All Users
Users
Move cursor to desired item and press Enter.
Add a UserChange a User's PasswordChange / Show Characteristics of a UserLock / Unlock a User's AccountReset User's Failed Login CountRemove a UserList All Users
© Copyright IBM Corporation 2009
IBM Power Systems
Listing users
The lsuser command:lsuser [-c | -f] [-a attribute …] {ALL | username …}
Example:
# lsuser -a id home ALLroot id=0 home=/daemon id=1 home=/etcbin id=2 home=/binsys id=3 home=/usr/sysadm id=4 home=/var/admuucp id=5 home=/usr/lib/uucpguest id=100 home=/home/guestalex id=333 home=/home/mancunian
# lsuser -a id home ALLroot id=0 home=/daemon id=1 home=/etcbin id=2 home=/binsys id=3 home=/usr/sysadm id=4 home=/var/admuucp id=5 home=/usr/lib/uucpguest id=100 home=/home/guestalex id=333 home=/home/mancunian
© Copyright IBM Corporation 2009
IBM Power Systems
Add a user to the system
# smit mkuser
Add a User
Type or select values in entry fields.Press Enter AFTER making all desired changes.
[TOP] [Entry Fields]* User NAME [alex]User ID [333] #ADMINISTRATIVE USER? false +Primary GROUP [] +Group SET [] +ADMINISTRATIVE GROUPS [] +ROLES [] +Another user can SU TO USER? true +SU GROUPS [ALL] +HOME directory []Initial PROGRAM []User INFORMATION []
[MORE...32]
Add a User
Type or select values in entry fields.Press Enter AFTER making all desired changes.
[TOP] [Entry Fields]* User NAME [alex]User ID [333] #ADMINISTRATIVE USER? false +Primary GROUP [] +Group SET [] +ADMINISTRATIVE GROUPS [] +ROLES [] +Another user can SU TO USER? true +SU GROUPS [ALL] +HOME directory []Initial PROGRAM []User INFORMATION []
[MORE...32]
mkuser id=333 alex
© Copyright IBM Corporation 2009
IBM Power Systems
Change/Show characteristics of a user
# smit chuser
Change / Show Characteristics of a User
[Entry Fields]* User NAME alexUser ID [333] #
ADMINISTRATIVE USER? false +Primary GROUP [staff] +Group SET [staff,security] +ADMINISTRATIVE GROUPS [] +ROLES [] +Another user can SU TO USER? true +SU GROUPS [ALL] +HOME directory [/home/alex]Initial PROGRAM [/usr/bin/ksh]User INFORMATION []EXPIRATION date (MMDDhhmmyy) [0]Is this user ACCOUNT LOCKED? false +User can LOGIN? true +User can LOGIN REMOTELY(rsh,tn,rlogin)? true +[MORE...48]
Change / Show Characteristics of a User
[Entry Fields]* User NAME alexUser ID [333] #
ADMINISTRATIVE USER? false +Primary GROUP [staff] +Group SET [staff,security] +ADMINISTRATIVE GROUPS [] +ROLES [] +Another user can SU TO USER? true +SU GROUPS [ALL] +HOME directory [/home/alex]Initial PROGRAM [/usr/bin/ksh]User INFORMATION []EXPIRATION date (MMDDhhmmyy) [0]Is this user ACCOUNT LOCKED? false +User can LOGIN? true +User can LOGIN REMOTELY(rsh,tn,rlogin)? true +[MORE...48]
chuser groups='staff,security' alex
© Copyright IBM Corporation 2009
IBM Power Systems
Remove a user from the system
• The rmuser command or SMIT can be used to delete a user from the system
• When you remove a user, that user’s home directory is not deleted. Therefore, you must remember to manually clean up the directories of users you remove. Remember to back up important files first!
# rmuser –p team01# rmuser –p team01
# rm -r /home/team01# rm -r /home/team01
© Copyright IBM Corporation 2009
IBM Power Systems
Passwords• A new user ID cannot be used until a password is
assigned.
• Two commands for changing passwords:
• SMIT invokes the passwd command for root and the pwdadm if non-root.• An ordinary user can use the passwd command to
change own password
• Only root or member of security group can change password of another user
# pwdadm <username>OR# passwd [username]
# pwdadm <username>OR# passwd [username]
root or security (group) only
© Copyright IBM Corporation 2009
IBM Power Systems
Regaining root's password
1. Boot from optical media, NIM, or a bootable tape.
2. Select Access a Root Volume Group from the Maintenance menu.
3. Follow the options to activate the root volume group and obtain a shell.
4. Once a shell is available, execute the passwd command to change root's password.
5. Enter the following command:# sync ; sync
6. Reboot the system.
Maintenance
>>> 1 Access a Root Volume Group2 Copy a System Dump to Removable Media3 Access Advanced Maintenance Functions4 Erase Disks
Maintenance
>>> 1 Access a Root Volume Group2 Copy a System Dump to Removable Media3 Access Advanced Maintenance Functions4 Erase Disks
© Copyright IBM Corporation 2009
IBM Power Systems
SMIT groups
# smit groups
Groups
Move cursor to desired item and press Enter.
List All GroupsAdd a GroupChange / Show Characteristics of a GroupRemove a Group
Groups
Move cursor to desired item and press Enter.
List All GroupsAdd a GroupChange / Show Characteristics of a GroupRemove a Group
© Copyright IBM Corporation 2009
IBM Power Systems
Listing groups
The lsgroup command:lsgroup [-c | -f] [-a attribute …] {ALL | groupname …}
Example:
# lsgroup –f -a id users ALLsystem:
id=0users=root,esaadmin,pconsole
staff:id=1users=ipsec,ted,sshd,alex,local,tyrone,daemon
bin:id=2users=root,bin
...
# lsgroup –f -a id users ALLsystem:
id=0users=root,esaadmin,pconsole
staff:id=1users=ipsec,ted,sshd,alex,local,tyrone,daemon
bin:id=2users=root,bin
...
© Copyright IBM Corporation 2009
IBM Power Systems
Add a Group
# smit mkgroup
Add a Group
Type or select values in entry fields.Press Enter AFTER making all desired changes.
[Entry Fields]* Group NAME [techies]ADMINISTRATIVE group? false +Group ID [101] #USER list [alex,tyrone] +ADMINISTRATOR list [] +Projects [] +Initial Keystore Mode [] +Keystore Encryption Algorithm [] +Keystore Access [] +
Add a Group
Type or select values in entry fields.Press Enter AFTER making all desired changes.
[Entry Fields]* Group NAME [techies]ADMINISTRATIVE group? false +Group ID [101] #USER list [alex,tyrone] +ADMINISTRATOR list [] +Projects [] +Initial Keystore Mode [] +Keystore Encryption Algorithm [] +Keystore Access [] +
mkgroup -A id=101 users=alex,tyrone techies
© Copyright IBM Corporation 2009
IBM Power Systems
Change or remove a group
# smit chgroup
Change a Group
Type or select values in entry fields.Press Enter AFTER making all desired changes.
[Entry Fields]* Group NAME [techies]ADMINISTRATIVE group? false +Group ID [101] #USER list [alex,tyrone,ted] +ADMINISTRATOR list [alex] +Projects [] +Initial Keystore Mode [] +Keystore Encryption Algorithm [] +Keystore Access [] +
Change a Group
Type or select values in entry fields.Press Enter AFTER making all desired changes.
[Entry Fields]* Group NAME [techies]ADMINISTRATIVE group? false +Group ID [101] #USER list [alex,tyrone,ted] +ADMINISTRATOR list [alex] +Projects [] +Initial Keystore Mode [] +Keystore Encryption Algorithm [] +Keystore Access [] +
chgroup users=alex,tyrone,ted adms=alex techies
To remove a group: # rmgroup techies
© Copyright IBM Corporation 2009
IBM Power Systems
Security files
After completing this topic, you should be able to:
• Identify and understand key security files• Understand how to validate the user environment• Document the system security policy and set-up
© Copyright IBM Corporation 2009
IBM Power Systems
Security files introduction
• Files used to contain user attributes and control access:
– /etc/passwd Valid users (not passwords)– /etc/group Valid groups
– /etc/security Directory not accessible to normal users
– /etc/security/passwd User passwords– /etc/security/user User attributes, password
restrictions– /etc/security/group Group attributes– /etc/security/limits User limits– /etc/security/environ User environment settings– /etc/security/login.cfg Console Login settings
© Copyright IBM Corporation 2009
IBM Power Systems
/etc/passwd file
# cat /etc/passwd
root:!:0:0::/:/usr/bin/kshdaemon:!:1:1::/etc:bin:!:2:2::/bin:sys:!:3:3::/usr/sys:adm:!:4:4::/var/adm:uucp:!:5:5::/usr/lib/uucp:guest:!:100:100::/home/guest:nobody:!:4294967294:4294967294::/:pconsole:*:8:0::/var/adm/pconsole:/usr/bin/kshsshd:*:202:201::/var/empty:/usr/bin/kshalex:!:333:1::/home/alex:/usr/bin/kshtyrone:!:204:1::/home/tyrone:/usr/bin/kshted:*:205:1::/home/ted:/usr/bin/ksh
# cat /etc/passwd
root:!:0:0::/:/usr/bin/kshdaemon:!:1:1::/etc:bin:!:2:2::/bin:sys:!:3:3::/usr/sys:adm:!:4:4::/var/adm:uucp:!:5:5::/usr/lib/uucp:guest:!:100:100::/home/guest:nobody:!:4294967294:4294967294::/:pconsole:*:8:0::/var/adm/pconsole:/usr/bin/kshsshd:*:202:201::/var/empty:/usr/bin/kshalex:!:333:1::/home/alex:/usr/bin/kshtyrone:!:204:1::/home/tyrone:/usr/bin/kshted:*:205:1::/home/ted:/usr/bin/ksh
! = Passwd is set /etc/security/passwd* = no password set
© Copyright IBM Corporation 2009
IBM Power Systems
/etc/security/passwd file
# cat /etc/security/passwdroot:
password = etNKvWlXX5EFklastupdate = 1145381446flags =
daemon:password = *
bin:password = *
alex:password = XAkhucsiyVwAAlastupdate = 1225381869flags =
tyrone:password = RWWoFp5iuL.JIlastupdate = 1225381903flags = ADMCHG,ADMIN,NOCHECK
# cat /etc/security/passwdroot:
password = etNKvWlXX5EFklastupdate = 1145381446flags =
daemon:password = *
bin:password = *
alex:password = XAkhucsiyVwAAlastupdate = 1225381869flags =
tyrone:password = RWWoFp5iuL.JIlastupdate = 1225381903flags = ADMCHG,ADMIN,NOCHECK
© Copyright IBM Corporation 2009
IBM Power Systems
/etc/security/user file
default:admin = falselogin = truesu = truedaemon = truerlogin = truesugroups = ALLadmgroups =ttys = ALLauth1 = SYSTEMauth2 = NONEtpath = nosakumask = 000expires = 0SYSTEM = "compat"logintimes =pwdwarntime = 0account_locked = falseloginretries = 0histexpire = 0histsize = 0minage = 0
default:admin = falselogin = truesu = truedaemon = truerlogin = truesugroups = ALLadmgroups =ttys = ALLauth1 = SYSTEMauth2 = NONEtpath = nosakumask = 000expires = 0SYSTEM = "compat"logintimes =pwdwarntime = 0account_locked = falseloginretries = 0histexpire = 0histsize = 0minage = 0
* default continued ...
maxage = 0maxexpired = -1 minalpha = 0minother = 0minlen = 0mindiff = 0maxrepeats = 8dictionlist =pwdchecks =
root:admin = trueSYSTEM = "compat"loginretries = 0account_locked = falseregistry = filesadmgroups =
alex:admin = false
* default continued ...
maxage = 0maxexpired = -1 minalpha = 0minother = 0minlen = 0mindiff = 0maxrepeats = 8dictionlist =pwdchecks =
root:admin = trueSYSTEM = "compat"loginretries = 0account_locked = falseregistry = filesadmgroups =
alex:admin = false
© Copyright IBM Corporation 2009
IBM Power Systems
Group files
# cat /etc/groupsystem:!:0:root,esaadmin,pconsolestaff:!:1:ipsec,sshd,alex,tyrone,tedbin:!:2:root,binsys:!:3:root,bin,sysadm:!:4:bin,admuucp:!:5:nuucp,uucp...
# cat /etc/groupsystem:!:0:root,esaadmin,pconsolestaff:!:1:ipsec,sshd,alex,tyrone,tedbin:!:2:root,binsys:!:3:root,bin,sysadm:!:4:bin,admuucp:!:5:nuucp,uucp...
# cat /etc/security/groupsystem:
admin = truestaff:
admin = falsebin:
admin = true...techies:
admin = falseadms = alex
# cat /etc/security/groupsystem:
admin = truestaff:
admin = falsebin:
admin = true...techies:
admin = falseadms = alex
© Copyright IBM Corporation 2009
IBM Power Systems
/etc/security/login.cfg file
default:herald = "Authorized use only.\n\rlogin:"logintimes =logindisable = 0logininterval = 0loginreenable = 0logindelay = 0
* Other security attributes (usw stanza):usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh /bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappdmaxlogins = 32767logintimeout = 60auth_type = STD_AUTH
default:herald = "Authorized use only.\n\rlogin:"logintimes =logindisable = 0logininterval = 0loginreenable = 0logindelay = 0
* Other security attributes (usw stanza):usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh /bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappdmaxlogins = 32767logintimeout = 60auth_type = STD_AUTH
© Copyright IBM Corporation 2009
IBM Power Systems
Validating the user environment• pwdck verifies the validity of local authentication information:
– pwdck {-n|-p|-t|-y} {ALL | username}
– Verifies that /etc/passwd and /etc/security/passwd are consistentwith each other and with /etc/security/login.cfg and /etc/security/user
• usrck verifies the validity of a user definition:– usrck {-l|-b|-n|-p|-t|-y} {ALL | username}
– Checks each user name in /etc/passwd, /etc/security/user, /etc/security/limits and /etc/security/passwd
– Checks are made to ensure that each has an entry in /etc/group and /etc/security/group.
• grpck verifies the validity of a group:– grpck {-n|-p|-t|-y} {ALL | groupname }
– Verifies that the files /etc/passwd, /etc/security/user, /etc/groupand /etc/security/group are consistent
© Copyright IBM Corporation 2009
IBM Power Systems
Documenting security policy and setup
• Identify the different types of users and what data they will need to access.– Consider using enhanced RBAC with AIX 6.1 to perform system
administration tasks (as opposed to using root).
• Organize groups around the type of work that is to be done.
• Organize ownership of data to fit with the group structure.
• Set SVTX on shared directories.
• Note: Further topics, such as LDAP, SSH, trusted execution, encrypted filesystems, aixpert, RBAC (detailed), and IPSec, are covered in the AIX Security course: AU47G
SecurityPolicy and
Setup
SecurityPolicy and
Setup
© Copyright IBM Corporation 2009
IBM Power Systems
Unit summary
Having completed this unit, you should be able to:
• Define the concepts of users and groups, and explain how and when these should be allocated on the system
• Describe ways of controlling root access on the system
• Explain the uses of SUID, SGID, and SVTX permission bits
• Administer user accounts and groups
• Understand the basic concepts and implementation of RBAC
• Identify the data files associated with users and security