# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
Group                                            Purpose
system, security, printq, adm, audit, shutdown   Rights to administrative functions
staff                                            Ordinary users
# chuser login=false root
User initialization process

LOGIN
  |
  v
User verification check: /etc/passwd, /etc/security/passwd
  |
  +-- Valid? no  --> Login failed; log entry in /etc/security/failedlogin
  |
  +-- Valid? yes --> Set up the environment: /etc/environment,
                     /etc/security/environ, /etc/security/limits,
                     /etc/security/user
                       |
                       v
                     Enter login shell: /etc/profile, $HOME/.profile

© Copyright IBM Corporation 2009
IBM Power Systems
Security & Users
# smit security

Security & Users

Move cursor to desired item and press Enter.

  Users
  Groups
  Passwords
  Login Controls
  PKI
  LDAP
  Role Based Access Control (RBAC)
  Trusted Execution
# smit users

Users

Move cursor to desired item and press Enter.

  Add a User
  Change a User's Password
  Change / Show Characteristics of a User
  Lock / Unlock a User's Account
  Reset User's Failed Login Count
  Remove a User
  List All Users
Example:
# lsuser -a id home ALL
root id=0 home=/
daemon id=1 home=/etc
bin id=2 home=/bin
sys id=3 home=/usr/sys
adm id=4 home=/var/adm
uucp id=5 home=/usr/lib/uucp
guest id=100 home=/home/guest
alex id=333 home=/home/mancunian
# rm -r /home/team01
# smit groups

Groups

Move cursor to desired item and press Enter.

  List All Groups
  Add a Group
  Change / Show Characteristics of a Group
  Remove a Group
Example:
# lsgroup -f -a id users ALL
system:
        id=0
        users=root,esaadmin,pconsole

staff:
        id=1
        users=ipsec,ted,sshd,alex,local,tyrone,daemon

bin:
        id=2
        users=root,bin
...
Add a Group
# smit mkgroup
mkgroup -A id=101 users=alex,tyrone techies

Add a Group

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                   [Entry Fields]
* Group NAME                                       [techies]
  ADMINISTRATIVE group?                             false            +
  Group ID                                         [101]             #
  USER list                                        [alex,tyrone]     +
  ADMINISTRATOR list                               []                +
  Projects                                         []                +
  Initial Keystore Mode                            []                +
  Keystore Encryption Algorithm                    []                +
  Keystore Access                                  []                +
# smit chgroup
chgroup users=alex,tyrone,ted adms=alex techies

Change a Group

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                   [Entry Fields]
* Group NAME                                       [techies]
  ADMINISTRATIVE group?                             false            +
  Group ID                                         [101]             #
  USER list                                        [alex,tyrone,ted] +
  ADMINISTRATOR list                               [alex]            +
  Projects                                         []                +
  Initial Keystore Mode                            []                +
  Keystore Encryption Algorithm                    []                +
  Keystore Access                                  []                +
# cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
sshd:*:202:201::/var/empty:/usr/bin/ksh
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh

! = password is set (stored in /etc/security/passwd)
* = no password set
# cat /etc/security/passwd
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

bin:
        password = *

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK
/etc/security/user:
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 000
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

root:
        admin = true
        SYSTEM = "compat"
        loginretries = 0
        account_locked = false
        registry = files
        admgroups =

alex:
        admin = false
# cat /etc/group
system:!:0:root,esaadmin,pconsole
staff:!:1:ipsec,sshd,alex,tyrone,ted
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
uucp:!:5:nuucp,uucp
...
# cat /etc/security/group
system:
        admin = true

staff:
        admin = false

bin:
        admin = true
...
techies:
        admin = false
        adms = alex
/etc/security/login.cfg file
default:
        herald = "Authorized use only.\n\rlogin:"
        logintimes =
        logindisable = 0
        logininterval = 0
        loginreenable = 0
        logindelay = 0

• Other security attributes (usw stanza):

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 60
        auth_type = STD_AUTH
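The /etc/security/passwd, /etc/security/user and /etc/security/login.cfg listings above all use the same stanza format, so one small reader covers all three. The following portable shell script is an added example, not part of the IBM course material: it reads constructed copies of those stanzas (values taken from the listings above, not from any real host), lists accounts whose password entry is "*" (no password set), and reports which controls are still at 0 for a user, i.e. maxage, minlen and loginretries from /etc/security/user plus logindisable from login.cfg. The helper names and the choice of attributes to flag are assumptions of this example.

```shell
# Constructed samples in the AIX stanza format; values are copied from the
# listings on this page, not read from any real host.
SEC_PASSWD='root:
    password = etNKvWlXX5EFk
daemon:
    password = *
tyrone:
    password = RWWoFp5iuL.JI
    flags = ADMCHG,ADMIN,NOCHECK
'
SEC_USER='default:
    maxage = 0
    minlen = 0
    loginretries = 0
root:
    admin = true
'
LOGIN_CFG='default:
    logindisable = 0
    logininterval = 0
'
# stanza_attr CONTENT STANZA ATTR: value of ATTR inside STANZA, empty if absent
stanza_attr() {
    printf '%s\n' "$1" | awk -v s="$2" -v a="$3" '
        /^[^ \t].*:$/ { cur = substr($0, 1, length($0) - 1); next }
        cur == s && $1 == a && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}
# user_attr CONTENT USER ATTR: per-user value, else default: (empty counts as absent)
user_attr() {
    v=$(stanza_attr "$1" "$2" "$3")
    [ -n "$v" ] || v=$(stanza_attr "$1" default "$3")
    printf '%s\n' "$v"
}
# no_password_users CONTENT: accounts whose password entry is "*" (none set)
no_password_users() {
    printf '%s\n' "$1" | awk '
        /^[^ \t].*:$/ { cur = substr($0, 1, length($0) - 1); next }
        $1 == "password" && $3 == "*" { print cur }'
}
# disabled_controls USER: password and lockout attributes that are still 0 for
# USER, i.e. no password ageing, no length minimum, no lockout after failures
disabled_controls() {
    out=""
    for a in maxage minlen loginretries; do
        [ "$(user_attr "$SEC_USER" "$1" "$a")" = 0 ] && out="$out${out:+ }$a"
    done
    [ "$(stanza_attr "$LOGIN_CFG" default logindisable)" = 0 ] && out="$out${out:+ }logindisable"
    printf '%s\n' "$out"
}
```

On a real system the same functions can be fed with "$(cat /etc/security/user)" and so on; with the page's defaults, disabled_controls root reports every one of the four attributes.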
• Identify the different types of users and what data they will need to access.
  – Consider using enhanced RBAC with AIX 6.1 to perform system administration tasks (as opposed to using root).
• Organize groups around the type of work that is to be done.
• Organize ownership of data to fit with the group structure.
• Set SVTX on shared directories.
• Note: Further topics, such as LDAP, SSH, trusted execution, encrypted filesystems, aixpert, RBAC (detailed), and IPSec, are covered in the AIX Security course: AU47G

Security Policy and Setup