Unit 9 Security and user administration - MSU

Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 5.2

© Copyright IBM Corporation 2009

Unit 9Security and user administration


IBM Power Systems

Unit objectives

After completing this unit, you should be able to:

• Define the concepts of users and groups, and explain how and when these should be allocated on the system

• Describe ways of controlling root access on the system

• Explain the uses of SUID, SGID, and SVTX permission bits

• Administer user accounts and groups

• Understand the basic concepts and implementation of RBAC

• Identify the data files associated with users and security


IBM Power Systems

User accounts

• Each user has a unique name, numeric ID, and password.

• File ownership is determined by a numeric user ID.

• The owner is usually the user who created the file, but ownership can be transferred by root.

• Default users:– root Superuser– adm, sys, bin, ... IDs that own system files but

cannot be used for login

# iduid=0(root) gid=0(system)

groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

# iduid=0(root) gid=0(system)

groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)


IBM Power Systems

Groups

• A group is a set of users, all of whom need access to a given set of files.

• Every user is a member of at least one group and can be a member of several groups.

• The user has access to a file if any group in the user’s groupset provides access. To list the groupset, use the groups command.

• The user's real group ID is used for file ownership on creation.To change the real group ID, use the newgrp command.

• Default groups:– System administrators: system– Ordinary users: staff


IBM Power Systems

Group hierarchy

system security

printqadm audit

shutdown

staff

Rights to administrative

functions

Ordinary users


IBM Power Systems

Controlling access to the root account

• Restrict access to privileged logins.

• Root's passwords should be changed on an unannounced schedule by the system administrator.

• Assign different root passwords to different machines.

• System administrators should always login as themselves first and then su to root instead of logging in as root. This helps provide an audit trail for root usage.

• Do not include unsecured directories in root's PATH.

# chuser login=false root# chuser login=false root


IBM Power Systems

Security logs

/var/adm/sulog

/var/adm/wtmp

/etc/security/failedlogin

/etc/utmp

Audit trail of su activity

Log of successful logins

List of users currently logged in

Information on failed login attempts


IBM Power Systems

User and group administration

After completing this topic, you should be able to:

• Understand the login sequence from a system console• Understand the login initialization process• Add, list, change, and delete users and groups• Set and change passwords

– Recover root password if lost or forgotten• Understand the key elements of RBAC and configure a

simple RBAC implementation


IBM Power Systems

Console login sequencegetty process

Login: userid and passwd

Spawned by inittab

User verification check

Set up the environment.

Display /etc/motd

Enter login shell

Valid?yes

noLogin failed

Settings in/etc/security/login.cfg

/etc/passwd/etc/security/passwd

/etc/environment/etc/security/environ/etc/security/limits/etc/security/user

$HOME/.hushlogin

/etc/profile$HOME/.profile

Log entry in:/etc/security/failedlogin


IBM Power Systems

User initialization process

LOGIN

/etc/environment

/etc/profile

$HOME/.kshrc

Establishes base environment sets PATH, TZ, LANG, and NLSPATH

Shell script run at all logins sets TERM, MAILMSG, and MAIL

User's personal file tocustomize their environmentPATH, ENV, PS1

$HOME/.profile

User's personal file to customizethe Korn shell environmentset –o vi, alias


IBM Power Systems

Message of the day

• The file /etc/motd contains text that is displayed every time a user logs in.

• This file should only contain information necessary for the users to see.

• If the $HOME/.hushlogin file exists in a user's home directory, then the contents of the /etc/motd file are not displayed to that user.

******************************************************************* ** ** AIX Version 6.1 TL 02 HACMP 5.5.0.0. + WPAR ckp ** ** Eduction AIX AN12 Build version 318 ** ** *******************************************************************

nimmaster:/

******************************************************************* ** ** AIX Version 6.1 TL 02 HACMP 5.5.0.0. + WPAR ckp ** ** Eduction AIX AN12 Build version 318 ** ** *******************************************************************

nimmaster:/


IBM Power Systems

Security & Users

# smit security

Security & Users

Move cursor to desired item and press Enter.

UsersGroupsPasswordsLogin ControlsPKILDAPRole Based Access Control (RBAC)Trusted Execution

Security & Users


UsersGroupsPasswordsLogin ControlsPKILDAPRole Based Access Control (RBAC)Trusted Execution


IBM Power Systems

SMIT users

# smit users

Users


Add a UserChange a User's PasswordChange / Show Characteristics of a UserLock / Unlock a User's AccountReset User's Failed Login CountRemove a UserList All Users

Users


Add a UserChange a User's PasswordChange / Show Characteristics of a UserLock / Unlock a User's AccountReset User's Failed Login CountRemove a UserList All Users


IBM Power Systems

Listing users

The lsuser command:lsuser [-c | -f] [-a attribute …] {ALL | username …}

Example:

# lsuser -a id home ALLroot id=0 home=/daemon id=1 home=/etcbin id=2 home=/binsys id=3 home=/usr/sysadm id=4 home=/var/admuucp id=5 home=/usr/lib/uucpguest id=100 home=/home/guestalex id=333 home=/home/mancunian

# lsuser -a id home ALLroot id=0 home=/daemon id=1 home=/etcbin id=2 home=/binsys id=3 home=/usr/sysadm id=4 home=/var/admuucp id=5 home=/usr/lib/uucpguest id=100 home=/home/guestalex id=333 home=/home/mancunian


IBM Power Systems

Add a user to the system

# smit mkuser

Add a User

Type or select values in entry fields.Press Enter AFTER making all desired changes.

[TOP] [Entry Fields]* User NAME [alex]User ID [333] #ADMINISTRATIVE USER? false +Primary GROUP [] +Group SET [] +ADMINISTRATIVE GROUPS [] +ROLES [] +Another user can SU TO USER? true +SU GROUPS [ALL] +HOME directory []Initial PROGRAM []User INFORMATION []

[MORE...32]

Add a User


[TOP] [Entry Fields]* User NAME [alex]User ID [333] #ADMINISTRATIVE USER? false +Primary GROUP [] +Group SET [] +ADMINISTRATIVE GROUPS [] +ROLES [] +Another user can SU TO USER? true +SU GROUPS [ALL] +HOME directory []Initial PROGRAM []User INFORMATION []

[MORE...32]

mkuser id=333 alex


IBM Power Systems

Change/Show characteristics of a user

# smit chuser

Change / Show Characteristics of a User

[Entry Fields]* User NAME alexUser ID [333] #

ADMINISTRATIVE USER? false +Primary GROUP [staff] +Group SET [staff,security] +ADMINISTRATIVE GROUPS [] +ROLES [] +Another user can SU TO USER? true +SU GROUPS [ALL] +HOME directory [/home/alex]Initial PROGRAM [/usr/bin/ksh]User INFORMATION []EXPIRATION date (MMDDhhmmyy) [0]Is this user ACCOUNT LOCKED? false +User can LOGIN? true +User can LOGIN REMOTELY(rsh,tn,rlogin)? true +[MORE...48]

Change / Show Characteristics of a User

[Entry Fields]* User NAME alexUser ID [333] #

ADMINISTRATIVE USER? false +Primary GROUP [staff] +Group SET [staff,security] +ADMINISTRATIVE GROUPS [] +ROLES [] +Another user can SU TO USER? true +SU GROUPS [ALL] +HOME directory [/home/alex]Initial PROGRAM [/usr/bin/ksh]User INFORMATION []EXPIRATION date (MMDDhhmmyy) [0]Is this user ACCOUNT LOCKED? false +User can LOGIN? true +User can LOGIN REMOTELY(rsh,tn,rlogin)? true +[MORE...48]

chuser groups='staff,security' alex


IBM Power Systems

Remove a user from the system

• The rmuser command or SMIT can be used to delete a user from the system

• When you remove a user, that user’s home directory is not deleted. Therefore, you must remember to manually clean up the directories of users you remove. Remember to back up important files first!

# rmuser –p team01# rmuser –p team01

# rm -r /home/team01# rm -r /home/team01


IBM Power Systems

Passwords• A new user ID cannot be used until a password is

assigned.

• Two commands for changing passwords:

• SMIT invokes the passwd command for root and the pwdadm if non-root.• An ordinary user can use the passwd command to

change own password

• Only root or member of security group can change password of another user

# pwdadm <username>OR# passwd [username]

# pwdadm <username>OR# passwd [username]

root or security (group) only


IBM Power Systems

Regaining root's password

1. Boot from optical media, NIM, or a bootable tape.

2. Select Access a Root Volume Group from the Maintenance menu.

3. Follow the options to activate the root volume group and obtain a shell.

4. Once a shell is available, execute the passwd command to change root's password.

5. Enter the following command:# sync ; sync

6. Reboot the system.

Maintenance

>>> 1 Access a Root Volume Group2 Copy a System Dump to Removable Media3 Access Advanced Maintenance Functions4 Erase Disks

Maintenance

>>> 1 Access a Root Volume Group2 Copy a System Dump to Removable Media3 Access Advanced Maintenance Functions4 Erase Disks


IBM Power Systems

SMIT groups

# smit groups

Groups


List All GroupsAdd a GroupChange / Show Characteristics of a GroupRemove a Group

Groups


List All GroupsAdd a GroupChange / Show Characteristics of a GroupRemove a Group


IBM Power Systems

Listing groups

The lsgroup command:lsgroup [-c | -f] [-a attribute …] {ALL | groupname …}

Example:

# lsgroup –f -a id users ALLsystem:

id=0users=root,esaadmin,pconsole

staff:id=1users=ipsec,ted,sshd,alex,local,tyrone,daemon

bin:id=2users=root,bin

...

# lsgroup –f -a id users ALLsystem:

id=0users=root,esaadmin,pconsole

staff:id=1users=ipsec,ted,sshd,alex,local,tyrone,daemon

bin:id=2users=root,bin

...


IBM Power Systems

Add a Group

# smit mkgroup

Add a Group


[Entry Fields]* Group NAME [techies]ADMINISTRATIVE group? false +Group ID [101] #USER list [alex,tyrone] +ADMINISTRATOR list [] +Projects [] +Initial Keystore Mode [] +Keystore Encryption Algorithm [] +Keystore Access [] +

Add a Group


[Entry Fields]* Group NAME [techies]ADMINISTRATIVE group? false +Group ID [101] #USER list [alex,tyrone] +ADMINISTRATOR list [] +Projects [] +Initial Keystore Mode [] +Keystore Encryption Algorithm [] +Keystore Access [] +

mkgroup -A id=101 users=alex,tyrone techies


IBM Power Systems

Change or remove a group

# smit chgroup

Change a Group


[Entry Fields]* Group NAME [techies]ADMINISTRATIVE group? false +Group ID [101] #USER list [alex,tyrone,ted] +ADMINISTRATOR list [alex] +Projects [] +Initial Keystore Mode [] +Keystore Encryption Algorithm [] +Keystore Access [] +

Change a Group


[Entry Fields]* Group NAME [techies]ADMINISTRATIVE group? false +Group ID [101] #USER list [alex,tyrone,ted] +ADMINISTRATOR list [alex] +Projects [] +Initial Keystore Mode [] +Keystore Encryption Algorithm [] +Keystore Access [] +

chgroup users=alex,tyrone,ted adms=alex techies

To remove a group: # rmgroup techies


IBM Power Systems

Security files

After completing this topic, you should be able to:

• Identify and understand key security files• Understand how to validate the user environment• Document the system security policy and set-up


IBM Power Systems

Security files introduction

• Files used to contain user attributes and control access:

– /etc/passwd Valid users (not passwords)– /etc/group Valid groups

– /etc/security Directory not accessible to normal users

– /etc/security/passwd User passwords– /etc/security/user User attributes, password

restrictions– /etc/security/group Group attributes– /etc/security/limits User limits– /etc/security/environ User environment settings– /etc/security/login.cfg Console Login settings


IBM Power Systems

/etc/passwd file

# cat /etc/passwd

root:!:0:0::/:/usr/bin/kshdaemon:!:1:1::/etc:bin:!:2:2::/bin:sys:!:3:3::/usr/sys:adm:!:4:4::/var/adm:uucp:!:5:5::/usr/lib/uucp:guest:!:100:100::/home/guest:nobody:!:4294967294:4294967294::/:pconsole:*:8:0::/var/adm/pconsole:/usr/bin/kshsshd:*:202:201::/var/empty:/usr/bin/kshalex:!:333:1::/home/alex:/usr/bin/kshtyrone:!:204:1::/home/tyrone:/usr/bin/kshted:*:205:1::/home/ted:/usr/bin/ksh

# cat /etc/passwd

root:!:0:0::/:/usr/bin/kshdaemon:!:1:1::/etc:bin:!:2:2::/bin:sys:!:3:3::/usr/sys:adm:!:4:4::/var/adm:uucp:!:5:5::/usr/lib/uucp:guest:!:100:100::/home/guest:nobody:!:4294967294:4294967294::/:pconsole:*:8:0::/var/adm/pconsole:/usr/bin/kshsshd:*:202:201::/var/empty:/usr/bin/kshalex:!:333:1::/home/alex:/usr/bin/kshtyrone:!:204:1::/home/tyrone:/usr/bin/kshted:*:205:1::/home/ted:/usr/bin/ksh

! = Passwd is set /etc/security/passwd* = no password set


IBM Power Systems

/etc/security/passwd file

# cat /etc/security/passwdroot:

password = etNKvWlXX5EFklastupdate = 1145381446flags =

daemon:password = *

bin:password = *

alex:password = XAkhucsiyVwAAlastupdate = 1225381869flags =

tyrone:password = RWWoFp5iuL.JIlastupdate = 1225381903flags = ADMCHG,ADMIN,NOCHECK

# cat /etc/security/passwdroot:

password = etNKvWlXX5EFklastupdate = 1145381446flags =

daemon:password = *

bin:password = *

alex:password = XAkhucsiyVwAAlastupdate = 1225381869flags =

tyrone:password = RWWoFp5iuL.JIlastupdate = 1225381903flags = ADMCHG,ADMIN,NOCHECK


IBM Power Systems

/etc/security/user file

default:admin = falselogin = truesu = truedaemon = truerlogin = truesugroups = ALLadmgroups =ttys = ALLauth1 = SYSTEMauth2 = NONEtpath = nosakumask = 000expires = 0SYSTEM = "compat"logintimes =pwdwarntime = 0account_locked = falseloginretries = 0histexpire = 0histsize = 0minage = 0

default:admin = falselogin = truesu = truedaemon = truerlogin = truesugroups = ALLadmgroups =ttys = ALLauth1 = SYSTEMauth2 = NONEtpath = nosakumask = 000expires = 0SYSTEM = "compat"logintimes =pwdwarntime = 0account_locked = falseloginretries = 0histexpire = 0histsize = 0minage = 0

* default continued ...

maxage = 0maxexpired = -1 minalpha = 0minother = 0minlen = 0mindiff = 0maxrepeats = 8dictionlist =pwdchecks =

root:admin = trueSYSTEM = "compat"loginretries = 0account_locked = falseregistry = filesadmgroups =

alex:admin = false

* default continued ...

maxage = 0maxexpired = -1 minalpha = 0minother = 0minlen = 0mindiff = 0maxrepeats = 8dictionlist =pwdchecks =

root:admin = trueSYSTEM = "compat"loginretries = 0account_locked = falseregistry = filesadmgroups =

alex:admin = false


IBM Power Systems

Group files

# cat /etc/groupsystem:!:0:root,esaadmin,pconsolestaff:!:1:ipsec,sshd,alex,tyrone,tedbin:!:2:root,binsys:!:3:root,bin,sysadm:!:4:bin,admuucp:!:5:nuucp,uucp...

# cat /etc/groupsystem:!:0:root,esaadmin,pconsolestaff:!:1:ipsec,sshd,alex,tyrone,tedbin:!:2:root,binsys:!:3:root,bin,sysadm:!:4:bin,admuucp:!:5:nuucp,uucp...

# cat /etc/security/groupsystem:

admin = truestaff:

admin = falsebin:

admin = true...techies:

admin = falseadms = alex

# cat /etc/security/groupsystem:

admin = truestaff:

admin = falsebin:

admin = true...techies:

admin = falseadms = alex


IBM Power Systems

/etc/security/login.cfg file

default:herald = "Authorized use only.\n\rlogin:"logintimes =logindisable = 0logininterval = 0loginreenable = 0logindelay = 0

* Other security attributes (usw stanza):usw:

shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh /bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappdmaxlogins = 32767logintimeout = 60auth_type = STD_AUTH

default:herald = "Authorized use only.\n\rlogin:"logintimes =logindisable = 0logininterval = 0loginreenable = 0logindelay = 0

* Other security attributes (usw stanza):usw:

shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh /bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappdmaxlogins = 32767logintimeout = 60auth_type = STD_AUTH


IBM Power Systems

Validating the user environment• pwdck verifies the validity of local authentication information:

– pwdck {-n|-p|-t|-y} {ALL | username}

– Verifies that /etc/passwd and /etc/security/passwd are consistentwith each other and with /etc/security/login.cfg and /etc/security/user

• usrck verifies the validity of a user definition:– usrck {-l|-b|-n|-p|-t|-y} {ALL | username}

– Checks each user name in /etc/passwd, /etc/security/user, /etc/security/limits and /etc/security/passwd

– Checks are made to ensure that each has an entry in /etc/group and /etc/security/group.

• grpck verifies the validity of a group:– grpck {-n|-p|-t|-y} {ALL | groupname }

– Verifies that the files /etc/passwd, /etc/security/user, /etc/groupand /etc/security/group are consistent


IBM Power Systems

Documenting security policy and setup

• Identify the different types of users and what data they will need to access.– Consider using enhanced RBAC with AIX 6.1 to perform system

administration tasks (as opposed to using root).

• Organize groups around the type of work that is to be done.

• Organize ownership of data to fit with the group structure.

• Set SVTX on shared directories.

• Note: Further topics, such as LDAP, SSH, trusted execution, encrypted filesystems, aixpert, RBAC (detailed), and IPSec, are covered in the AIX Security course: AU47G

SecurityPolicy and

Setup

SecurityPolicy and

Setup


IBM Power Systems

Unit summary

Having completed this unit, you should be able to:

• Define the concepts of users and groups, and explain how and when these should be allocated on the system

• Describe ways of controlling root access on the system

• Explain the uses of SUID, SGID, and SVTX permission bits

• Administer user accounts and groups

• Understand the basic concepts and implementation of RBAC

• Identify the data files associated with users and security

Unit 9 Security and user administration - MSU

Documents

Transcript of Unit 9 Security and user administration - MSU