
Unit 9

Security and user administration

© Copyright IBM Corporation 2009


Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 5.2
Unit objectives
IBM Power Systems

After completing this unit, you should be able to:


• Define the concepts of users and groups, and explain how and
when these should be allocated on the system
• Describe ways of controlling root access on the system
• Explain the uses of SUID, SGID, and SVTX permission bits
• Administer user accounts and groups
• Understand the basic concepts and implementation of RBAC
• Identify the data files associated with users and security



User accounts

• Each user has a unique name, numeric ID, and password.
• File ownership is determined by a numeric user ID.
• The owner is usually the user who created the file, but
  ownership can be transferred by root.
• Default users:
  – root                 Superuser
  – adm, sys, bin, ...   IDs that own system files but cannot be used for login

# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)



Groups

• A group is a set of users, all of whom need access to a given
  set of files.
• Every user is a member of at least one group and can be a
  member of several groups.
• The user has access to a file if any group in the user's
  groupset provides access. To list the groupset, use the
  groups command.
• The user's real group ID is used for file ownership on creation.
  To change the real group ID, use the newgrp command.
• Default groups:
  – System administrators: system
  – Ordinary users: staff



Group hierarchy

Groups with rights to administrative functions:
  system, security, printq, adm, audit, shutdown

Group for ordinary users:
  staff



Controlling access to the root account

• Restrict access to privileged logins.
• Root's passwords should be changed on an unannounced
  schedule by the system administrator.
• Assign different root passwords to different machines.
• System administrators should always log in as themselves first
  and then su to root instead of logging in as root. This helps
  provide an audit trail for root usage:

  # chuser login=false root

• Do not include unsecured directories in root's PATH.

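The last bullet is easy to state and easy to get wrong in practice. The script below is an added example, not part of the IBM course material: it walks a PATH value the way the shell does and reports the entries that matter for root, namely empty entries and "." (both resolve to the current directory), other relative entries, missing directories, and world-writable directories, since any of them lets an unprivileged user supply a program that root then runs by name. The PATH strings in main() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the IBM course material: audit a PATH value for
# entries that would let an unprivileged user plant a program that root later
# runs by name. Flags: empty entries (which mean the current directory), "."
# and other relative entries, missing directories, and world-writable
# directories. The PATH strings in main() are constructed for the demo.

# classify_entry DIR: print a reason and return 1 if DIR is unsafe, else 0.
classify_entry() {
    case $1 in
        "")  echo "(empty): an empty entry means the current directory"; return 1 ;;
        /*)  ;;   # absolute path: inspect the directory below
        *)   echo "$1: relative entry, resolved against the current directory"; return 1 ;;
    esac
    if [ ! -d "$1" ]; then
        echo "$1: directory does not exist (whoever can write its parent could create it)"
        return 1
    fi
    # POSIX find: -perm -002 matches when the other-write bit is set; -prune
    # stops find from descending, so only the directory itself is tested.
    if [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]; then
        echo "$1: world-writable directory"
        return 1
    fi
    return 0
}

# audit_path PATHVALUE: report every unsafe entry; return 1 if any was found.
audit_path() {
    _rest="$1:"                 # trailing ":" so the loop also sees the last field
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}     # text before the first ":"
        _rest=${_rest#*:}       # everything after it
        classify_entry "$_entry" || _bad=1
    done
    return $_bad
}

# count_unsafe PATHVALUE: number of unsafe entries, for scripted checks.
count_unsafe() {
    audit_path "$1" | wc -l | tr -d ' '
}

main() {
    # Constructed values: a conservative root PATH and a careless one.
    good="/usr/bin:/usr/sbin:/sbin"
    bad="/usr/bin:.:/tmp::relative/bin"
    echo "checking $good"; audit_path "$good" && echo "  no unsafe entries"
    echo "checking $bad";  audit_path "$bad"  || echo "  $(count_unsafe "$bad") unsafe entries"
}

main
```

The entry loop uses parameter expansion rather than word splitting on IFS so that an empty field between two colons, or a trailing colon, is still seen as an entry; word splitting would silently drop it, which is exactly the case the check exists for. On AIX, run it as `audit_path "$(su - root -c 'echo $PATH')"` or against the PATH set in /etc/environment.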


Security logs

/var/adm/sulog                Audit trail of su activity
/var/adm/wtmp                 Log of successful logins
/etc/utmp                     List of users currently logged in
/etc/security/failedlogin     Information on failed login attempts

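The slide lists /var/adm/sulog as the audit trail of su activity; the point of the earlier advice to "log in as yourself, then su" is that this file then names the real person behind every root session. The script below is an added example, not part of the IBM course material, that summarises such a log: who became root and how often, and which users accumulated repeated failed attempts. It assumes the SysV-style record layout `SU mm/dd hh:mm +|- tty from-to` (`+` success, `-` failure); the log records themselves are constructed.

```shell
#!/bin/sh
# Added example, not part of the IBM course material: summarise su activity
# from /var/adm/sulog. Assumed record layout (SysV style):
#   SU mm/dd hh:mm + tty from-to      "+" = successful su, "-" = failed su
# The sample log written by write_sample_sulog is constructed.

# write_sample_sulog FILE: constructed records for the demo and tests.
write_sample_sulog() {
    cat > "$1" <<'EOF'
SU 03/31 09:02 + pts/0 alex-root
SU 03/31 09:40 - pts/1 tyrone-root
SU 03/31 09:41 - pts/1 tyrone-root
SU 03/31 09:42 - pts/1 tyrone-root
SU 03/31 10:15 + pts/2 ted-alex
SU 03/31 11:03 - pts/3 guest-root
SU 03/31 11:30 + pts/0 alex-root
EOF
}

# The "from-to" field is split on its last "-", so a user name containing a
# hyphen still yields the right target.
# su_to_root_ok FILE: users who successfully became root, with a count each.
su_to_root_ok() {
    awk '$4 == "+" {
             to = $6; sub(/.*-/, "", to); from = $6; sub(/-[^-]*$/, "", from)
             if (to == "root") n[from]++
         }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# su_failures FILE THRESHOLD: users with at least THRESHOLD failed su attempts
# to root, most failures first. Repeated failures deserve a follow-up.
su_failures() {
    awk -v min="$2" '$4 == "-" {
             to = $6; sub(/.*-/, "", to); from = $6; sub(/-[^-]*$/, "", from)
             if (to == "root") n[from]++
         }
         END { for (u in n) if (n[u] >= min) print u, n[u] }' "$1" | sort -k2,2nr -k1,1
}

main() {
    f=$(mktemp)
    write_sample_sulog "$f"
    echo "successful su to root (user count):"; su_to_root_ok "$f"
    echo "users with 2 or more failed su to root:"; su_failures "$f" 2
    rm -f "$f"
}

main
```

On a live system, point the functions at /var/adm/sulog itself; the `ted-alex` record in the sample shows why the target is checked explicitly, since su between ordinary users also lands in the same file.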


User and group administration

After completing this topic, you should be able to:

• Understand the login sequence from a system console
• Understand the login initialization process
• Add, list, change, and delete users and groups
• Set and change passwords
  – Recover root password if lost or forgotten
• Understand the key elements of RBAC and configure a
  simple RBAC implementation



Console login sequence

1. A getty process is spawned by inittab, using the settings in
   /etc/security/login.cfg.
2. Login: userid and passwd.
3. User verification check against /etc/passwd and /etc/security/passwd.
4. Valid?
   no  -> Login failed; log entry in /etc/security/failedlogin.
   yes -> Set up the environment from /etc/environment,
          /etc/security/environ, /etc/security/limits and
          /etc/security/user.
5. Display /etc/motd (suppressed if $HOME/.hushlogin exists).
6. Enter login shell: /etc/profile, then $HOME/.profile.

User initialization process

LOGIN
  /etc/environment    Establishes base environment;
                      sets PATH, TZ, LANG, and NLSPATH
  /etc/profile        Shell script run at all logins;
                      sets TERM, MAILMSG, and MAIL
  $HOME/.profile      User's personal file to customize their environment:
                      PATH, ENV, PS1
  $HOME/.kshrc        User's personal file to customize the Korn shell environment:
                      set -o vi, alias



Message of the day

• The file /etc/motd contains text that is displayed every time a
  user logs in.
• This file should only contain information necessary for the
  users to see.
• If the $HOME/.hushlogin file exists in a user's home directory,
  then the contents of the /etc/motd file are not displayed to that
  user.

******************************************************************
**                                                              **
**   AIX Version 6.1 TL 02 HACMP 5.5.0.0. + WPAR ckp            **
**   Eduction AIX AN12 Build version 318                        **
**                                                              **
******************************************************************

nimmaster:/

Security & Users

# smit security

                              Security & Users

Move cursor to desired item and press Enter.

  Users
  Groups
  Passwords
  Login Controls
  PKI
  LDAP
  Role Based Access Control (RBAC)
  Trusted Execution



SMIT users

# smit users

                                   Users

Move cursor to desired item and press Enter.

  Add a User
  Change a User's Password
  Change / Show Characteristics of a User
  Lock / Unlock a User's Account
  Reset User's Failed Login Count
  Remove a User
  List All Users



Listing users

The lsuser command:

lsuser [-c | -f] [-a attribute …] {ALL | username …}

Example:
# lsuser -a id home ALL
root id=0 home=/
daemon id=1 home=/etc
bin id=2 home=/bin
sys id=3 home=/usr/sys
adm id=4 home=/var/adm
uucp id=5 home=/usr/lib/uucp
guest id=100 home=/home/guest
alex id=333 home=/home/mancunian



Add a user to the system

# smit mkuser          (or: mkuser id=333 alex)

                                  Add a User

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[TOP]                                                  [Entry Fields]
* User NAME                                            [alex]
  User ID                                              [333]          #
  ADMINISTRATIVE USER?                                 false          +
  Primary GROUP                                        []             +
  Group SET                                            []             +
  ADMINISTRATIVE GROUPS                                []             +
  ROLES                                                []             +
  Another user can SU TO USER?                         true           +
  SU GROUPS                                            [ALL]          +
  HOME directory                                       []
  Initial PROGRAM                                      []
  User INFORMATION                                     []
[MORE...32]



Change/Show characteristics of a user

# smit chuser          (or: chuser groups='staff,security' alex)

                      Change / Show Characteristics of a User

                                                       [Entry Fields]
* User NAME                                            alex
  User ID                                              [333]          #
  ADMINISTRATIVE USER?                                 false          +
  Primary GROUP                                        [staff]        +
  Group SET                                            [staff,security] +
  ADMINISTRATIVE GROUPS                                []             +
  ROLES                                                []             +
  Another user can SU TO USER?                         true           +
  SU GROUPS                                            [ALL]          +
  HOME directory                                       [/home/alex]
  Initial PROGRAM                                      [/usr/bin/ksh]
  User INFORMATION                                     []
  EXPIRATION date (MMDDhhmmyy)                         [0]
  Is this user ACCOUNT LOCKED?                         false          +
  User can LOGIN?                                      true           +
  User can LOGIN REMOTELY(rsh,tn,rlogin)?              true           +
[MORE...48]



Remove a user from the system

• The rmuser command or SMIT can be used to delete a user
  from the system:

  # rmuser -p team01

• When you remove a user, that user's home directory is not
  deleted. Therefore, you must remember to manually clean up
  the directories of users you remove. Remember to back up
  important files first!

  # rm -r /home/team01



Passwords

• A new user ID cannot be used until a password is assigned.
• Two commands for changing passwords:

  # pwdadm <username>        (root or security group only)
  OR
  # passwd [username]

• SMIT invokes the passwd command for root and pwdadm for non-root users.
• An ordinary user can use the passwd command to change their own password.
• Only root or a member of the security group can change another user's password.

Regaining root's password

1. Boot from optical media, NIM, or a bootable tape.
2. Select Access a Root Volume Group from the Maintenance menu.

                                Maintenance

   >>> 1 Access a Root Volume Group
       2 Copy a System Dump to Removable Media
       3 Access Advanced Maintenance Functions
       4 Erase Disks

3. Follow the options to activate the root volume group and
   obtain a shell.
4. Once a shell is available, execute the passwd command to
   change root's password.
5. Enter the following command:
   # sync ; sync
6. Reboot the system.

SMIT groups

# smit groups

                                   Groups

Move cursor to desired item and press Enter.

  List All Groups
  Add a Group
  Change / Show Characteristics of a Group
  Remove a Group



Listing groups

The lsgroup command:

lsgroup [-c | -f] [-a attribute …] {ALL | groupname …}

Example:
# lsgroup -f -a id users ALL
system:
        id=0
        users=root,esaadmin,pconsole

staff:
        id=1
        users=ipsec,ted,sshd,alex,local,tyrone,daemon

bin:
        id=2
        users=root,bin
...

Add a Group

# smit mkgroup         (or: mkgroup -A id=101 users=alex,tyrone techies)

                                  Add a Group

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                       [Entry Fields]
* Group NAME                                           [techies]
  ADMINISTRATIVE group?                                false          +
  Group ID                                             [101]          #
  USER list                                            [alex,tyrone]  +
  ADMINISTRATOR list                                   []             +
  Projects                                             []             +
  Initial Keystore Mode                                []             +
  Keystore Encryption Algorithm                        []             +
  Keystore Access                                      []             +



Change or remove a group

# smit chgroup         (or: chgroup users=alex,tyrone,ted adms=alex techies)

                                 Change a Group

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                       [Entry Fields]
* Group NAME                                           [techies]
  ADMINISTRATIVE group?                                false          +
  Group ID                                             [101]          #
  USER list                                            [alex,tyrone,ted] +
  ADMINISTRATOR list                                   [alex]         +
  Projects                                             []             +
  Initial Keystore Mode                                []             +
  Keystore Encryption Algorithm                        []             +
  Keystore Access                                      []             +

To remove a group: # rmgroup techies

Security files

After completing this topic, you should be able to:

• Identify and understand key security files
• Understand how to validate the user environment
• Document the system security policy and set-up



Security files introduction

• Files used to contain user attributes and control access:
  – /etc/passwd                  Valid users (not passwords)
  – /etc/group                   Valid groups
  – /etc/security                Directory not accessible to normal users
  – /etc/security/passwd         User passwords
  – /etc/security/user           User attributes, password restrictions
  – /etc/security/group          Group attributes
  – /etc/security/limits         User limits
  – /etc/security/environ        User environment settings
  – /etc/security/login.cfg      Console login settings



/etc/passwd file

# cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
sshd:*:202:201::/var/empty:/usr/bin/ksh
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh

! = Passwd is set (stored in /etc/security/passwd)
* = no password set



/etc/security/passwd file

# cat /etc/security/passwd
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

bin:
        password = *

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK



/etc/security/user file

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 000
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

root:
        admin = true
        SYSTEM = "compat"
        loginretries = 0
        account_locked = false
        registry = files
        admgroups =

alex:
        admin = false



Group files

# cat /etc/group
system:!:0:root,esaadmin,pconsole
staff:!:1:ipsec,sshd,alex,tyrone,ted
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
uucp:!:5:nuucp,uucp
...

# cat /etc/security/group
system:
        admin = true

staff:
        admin = false

bin:
        admin = true
...
techies:
        admin = false
        adms = alex

/etc/security/login.cfg file

default:
        herald = "Authorized use only.\n\rlogin:"
        logintimes =
        logindisable = 0
        logininterval = 0
        loginreenable = 0
        logindelay = 0

* Other security attributes (usw stanza):
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 60
        auth_type = STD_AUTH

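The /etc/security/user and /etc/security/login.cfg listings above share one layout: stanzas headed by a name and a colon, attribute lines indented beneath them, with a `default` stanza whose values apply to any user (or login port) that does not override them. The only way to know the effective value of, say, `loginretries` for alex is to look in alex's stanza first and fall back to `default`. The script below is an added example, not part of the IBM course material, that does that resolution for any attribute in any file of this format; the sample user file it writes is constructed, using values from the slide plus an `alex` stanza with a few overrides added for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the IBM course material: resolve the effective
# value of an attribute in an AIX stanza file (/etc/security/user,
# /etc/security/login.cfg, ...). A named stanza overrides "default"; anything
# it does not set is inherited from "default". The sample file is constructed:
# slide values plus an alex stanza with overrides added for the demo.

write_sample_user_file() {
    cat > "$1" <<'EOF'
default:
        admin = false
        login = true
        su = true
        rlogin = true
        sugroups = ALL
        admgroups =
        SYSTEM = "compat"
        loginretries = 0
        maxage = 0
        maxrepeats = 8

root:
        admin = true
        SYSTEM = "compat"
        loginretries = 0
        registry = files

alex:
        admin = false
        loginretries = 5
        maxage = 12
EOF
}

# attr_values FILE ATTR: one "stanza<TAB>value" line per stanza that sets ATTR.
# A header is a non-indented line ending in ":"; attributes are "key = value".
attr_values() {
    awk -v attr="$2" '
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); stanza = $0; next }
        /^[ \t]*[A-Za-z_0-9]+[ \t]*=/ {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (key == attr) print stanza "\t" val
        }' "$1"
}

# effective_attr FILE USER ATTR: USER's own value if set (even if empty),
# otherwise the default stanza's; prints nothing if neither sets it.
effective_attr() {
    attr_values "$1" "$3" | awk -F'\t' -v user="$2" '
        $1 == user      { uval = $2; ufound = 1 }
        $1 == "default" { dval = $2; dfound = 1 }
        END { if (ufound) print uval; else if (dfound) print dval }'
}

main() {
    f=$(mktemp)
    write_sample_user_file "$f"
    for u in root alex tyrone; do
        echo "$u: loginretries=$(effective_attr "$f" "$u" loginretries)" \
             "maxage=$(effective_attr "$f" "$u" maxage)" \
             "su=$(effective_attr "$f" "$u" su)"
    done
    rm -f "$f"
}

main
```

Keeping the "set to empty" case distinct from "not set" matters for attributes such as `admgroups =`, where an empty value in a user stanza deliberately clears the default. To check a whole population, loop `effective_attr` over `lsuser -a id ALL` output, or use `attr_values` to see which stanzas override a password rule such as `maxage`.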


Validating the user environment

• pwdck verifies the validity of local authentication information:
  – pwdck {-n|-p|-t|-y} {ALL | username}
  – Verifies that /etc/passwd and /etc/security/passwd are consistent
    with each other and with /etc/security/login.cfg and /etc/security/user

• usrck verifies the validity of a user definition:
  – usrck {-l|-b|-n|-p|-t|-y} {ALL | username}
  – Checks each user name in /etc/passwd, /etc/security/user,
    /etc/security/limits and /etc/security/passwd
  – Checks are made to ensure that each has an entry in /etc/group and
    /etc/security/group.

• grpck verifies the validity of a group:
  – grpck {-n|-p|-t|-y} {ALL | groupname}
  – Verifies that the files /etc/passwd, /etc/security/user, /etc/group
    and /etc/security/group are consistent

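To make concrete what "consistent" means in the three bullets above, the script below is an added example, not part of the IBM course material, that performs three cross-file checks of the kind pwdck, usrck and grpck do: a user flagged `!` in /etc/passwd must have a stanza in /etc/security/passwd; a user's primary GID must exist in /etc/group; and every member named in /etc/group must exist in /etc/passwd. It only reports, unlike the real commands, which can also repair. The three files it writes are constructed from the slides' accounts, with one deliberate inconsistency of each kind added.

```shell
#!/bin/sh
# Added example, not part of the IBM course material: report-only consistency
# checks in the spirit of pwdck / usrck / grpck, run over constructed copies of
# /etc/passwd, /etc/security/passwd and /etc/group (slide accounts plus one
# deliberate inconsistency of each kind: tyrone, orphan and ghost).

# write_samples DIR: populate DIR with the three constructed files.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
bin:!:2:2::/bin:
sshd:*:202:201::/var/empty:/usr/bin/ksh
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh
orphan:!:400:999::/home/orphan:/usr/bin/ksh
EOF
    cat > "$1/security_passwd" <<'EOF'
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

bin:
        password = *

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =
EOF
    cat > "$1/group" <<'EOF'
system:!:0:root
staff:!:1:sshd,alex,tyrone,ted,ghost
bin:!:2:root,bin
sshd:!:201:sshd
EOF
}

# missing_pw_stanza PASSWD SECPASSWD: users flagged "!" in PASSWD that have no
# stanza (a non-indented "name:" line) in SECPASSWD. pwdck territory.
missing_pw_stanza() {
    awk -F: 'FILENAME == ARGV[1] { if ($0 ~ /^[^ \t].*:$/) have[$1] = 1; next }
             $2 == "!" && !($1 in have) { print $1 }' "$2" "$1"
}

# unknown_primary_gid PASSWD GROUP: users whose primary GID (field 4) matches
# no GID (field 3) in GROUP. usrck territory.
unknown_primary_gid() {
    awk -F: 'FILENAME == ARGV[1] { gid[$3] = 1; next }
             !($4 in gid) { print $1 ": gid " $4 }' "$2" "$1"
}

# unknown_members GROUP PASSWD: members listed in GROUP (field 4, comma
# separated) with no account in PASSWD. grpck territory.
unknown_members() {
    awk -F: 'FILENAME == ARGV[1] { user[$1] = 1; next }
             { n = split($4, m, ",")
               for (i = 1; i <= n; i++)
                   if (m[i] != "" && !(m[i] in user)) print $1 ": " m[i] }' "$2" "$1"
}

main() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "users flagged ! without a /etc/security/passwd stanza:"
    missing_pw_stanza "$d/passwd" "$d/security_passwd"
    echo "users whose primary group does not exist:"
    unknown_primary_gid "$d/passwd" "$d/group"
    echo "group members with no account:"
    unknown_members "$d/group" "$d/passwd"
    rm -rf "$d"
}

main
```

Each function reads the reference file first (selected by `FILENAME == ARGV[1]`) and the file under test second, so the same three lines of awk scale to the real files when pointed at /etc/passwd, /etc/security/passwd and /etc/group; on AIX, though, the supported way to repair what they find is `pwdck`, `usrck` and `grpck` themselves.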


Documenting security policy and setup

• Identify the different types of users and what data they will
  need to access.
  – Consider using enhanced RBAC with AIX 6.1 to perform system
    administration tasks (as opposed to using root).
• Organize groups around the type of work that is to be done.
• Organize ownership of data to fit with the group structure.
• Set SVTX on shared directories.
• Note: Further topics, such as LDAP, SSH, trusted execution,
  encrypted filesystems, aixpert, RBAC (detailed), and IPSec, are
  covered in the AIX Security course: AU47G.



Unit summary

Having completed this unit, you should be able to:


• Define the concepts of users and groups, and explain how and
when these should be allocated on the system
• Describe ways of controlling root access on the system
• Explain the uses of SUID, SGID, and SVTX permission bits
• Administer user accounts and groups
• Understand the basic concepts and implementation of RBAC
• Identify the data files associated with users and security
