Part one
# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
• root’s password:
– Carefully guarded
– Non-trivial
– Changed on an unannounced schedule
• Assign different root passwords to different machines.
• Always log in as an ordinary user first and then su to root
instead of logging in as root.
– audit trail in /var/adm/sulog
– Enforce use of the su method to use root authority:
# chuser login=false su=true sugroup=system root
(root can no longer log in directly; only members of the system group may su to root)
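Because the su method leaves an audit trail in /var/adm/sulog, that file is the place to look for password guessing against root and for su to root by people who should not have it. The script below is an added example, not part of the IBM course material: it works over a handful of constructed sulog lines, and it assumes the line format `SU MM/DD HH:MM <+|-> tty fromuser-touser` with "+" for a successful and "-" for a failed su. The allow list passed to `root_su_not_in` is a stand-in for the membership of the system group.

```shell
#!/bin/sh
# Added example, not part of the IBM course material: mine an AIX-style
# /var/adm/sulog for su activity aimed at root. The sulog lines are
# constructed for this demo; the format assumed is
#   SU MM/DD HH:MM <+|-> tty fromuser-touser
# with "+" for a successful su and "-" for a failed one.

# write_sample_sulog FILE : write the constructed sulog into FILE
write_sample_sulog() {
    cat > "$1" <<'EOF'
SU 04/15 09:02 + pts/0 alex-root
SU 04/15 09:10 - pts/1 tyrone-root
SU 04/15 09:11 - pts/1 tyrone-root
SU 04/15 09:12 - pts/1 tyrone-root
SU 04/15 09:40 + pts/2 ted-staff
SU 04/15 10:03 + pts/3 guest-root
EOF
}

# su_to_root FILE <+|-> : "user count" for every user that tried su to root
# with the given outcome, most attempts first (ties broken by name)
su_to_root() {
    awk -v want="$2" '
        $1 == "SU" && $4 == want {
            n = split($6, p, "-")          # last element is the target user
            if (p[n] == "root") count[p[1]]++
        }
        END { for (u in count) print u, count[u] }
    ' "$1" | sort -k2,2nr -k1,1
}

# failed_root_su_over FILE THRESHOLD : users with at least THRESHOLD failed
# su attempts to root (password guessing against root)
failed_root_su_over() {
    su_to_root "$1" - | awk -v t="$2" '$2 >= t { print $1 }'
}

# root_su_not_in FILE USER... : successful su to root by anyone outside the
# allow list. With "chuser ... sugroup=system root" the list should match the
# members of the system group, so any output means the policy has a gap.
root_su_not_in() {
    f=$1; shift
    allowed=" $* "
    su_to_root "$f" + | while read -r user n; do
        case "$allowed" in
            *" $user "*) ;;
            *) echo "$user $n" ;;
        esac
    done
}

tmp=$(mktemp)
write_sample_sulog "$tmp"
echo "users with 3+ failed su to root: $(failed_root_su_over "$tmp" 3)"
echo "root su outside allow list:      $(root_su_not_in "$tmp" alex)"
rm -f "$tmp"
```

On a real system point the functions at /var/adm/sulog (readable by root only) and feed `root_su_not_in` the output of `lsgroup -a users system`; a burst of "-" lines from one tty in a short window is the pattern worth alerting on.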
[Diagram: groups with rights to administrative functions: system, security, printq, adm, audit, shutdown. Ordinary users: staff.]
[Diagram: enhanced RBAC, (1) authorizations are collected into roles, (2) roles are assigned to users.]
• Domain RBAC
– Controls which objects can be administered (diagram example object: Internet interface)
© Copyright IBM Corporation 2009, 2013. All Rights Reserved.
US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp
File/directory permissions
IBM Power Systems
s s t   (lowercase: SUID/SGID/SVTX bit set and the execute bit is also set)
S S T   (uppercase: SUID/SGID/SVTX bit set but the execute bit is not set)
-r-sr-xr-x  root  security  ...  /usr/bin/passwd
-r-sr-sr-x  root  cron      ...  /usr/bin/crontab
drwxrwxrwt  bin   bin       ...  /tmp
Changing permissions
   4    2    1
 SUID SGID SVTX     owner   group   other
                    r w x   r w x   r w x
                    4 2 1   4 2 1   4 2 1
• Identify the different types of users and what data they will
need to access.
– Consider using enhanced RBAC roles to perform system
administration tasks (as opposed to using root).
• Organize groups around the type of work that is to be done.
• Organize ownership of data to fit with the group structure.
• Set SVTX on shared directories.
• Security policy and implementation design should be formally
documented.
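The permission table and the "Set SVTX on shared directories" bullet describe two checks that are easy to automate. The script below is an added example, not code from the IBM course: it converts an ls -l mode string into the octal form used by chmod (leading digit SUID 4, SGID 2, SVTX 1), lists set-id files that are world-writable or have an uppercase S (set-id bit on a slot without execute), and finds world-writable directories that lack the sticky bit. The listing it runs over is constructed for the demo and uses paths without spaces, since the last field of each line is taken as the path.

```shell
#!/bin/sh
# Added example, not part of the IBM course material: decode ls -l mode
# strings into chmod's octal form and audit a listing for set-id files and
# shared directories. The listing is constructed for this demo.

SAMPLE_LS='-r-sr-xr-x 1 root security 47100 Jan 10 2013 /usr/bin/passwd
-r-sr-sr-x 1 root cron 23920 Jan 10 2013 /usr/bin/crontab
drwxrwxrwt 4 bin bin 4096 Apr 15 09:00 /tmp
-rwsrwxrwx 1 root system 12000 Apr 14 17:22 /usr/local/bin/helper
-rwSr--r-- 1 root system 8000 Apr 14 17:23 /usr/local/bin/broken
drwxrwxrwx 2 bin bin 256 Apr 14 17:30 /var/shared'

# perm_octal MODESTRING : e.g. -r-sr-xr-x -> 4555. Leading digit is
# SUID 4 + SGID 2 + SVTX 1; then rwx = 4 2 1 for owner, group, other.
perm_octal() {
    printf '%s\n' "$1" | awk '{
        m = $1; special = 0; bits = 0
        for (i = 2; i <= 10; i++) {
            c = substr(m, i, 1)
            x = (c == "r" || c == "w" || c == "x" || c == "s" || c == "t")
            bits = bits * 2 + x           # s/t include the execute bit; S/T do not
            if (c == "s" || c == "S") special += (i == 4) ? 4 : 2   # col 4 = SUID, col 7 = SGID
            if (c == "t" || c == "T") special += 1                  # col 10 = SVTX
        }
        printf "%d%03o\n", special, bits
    }'
}

# audit_setid LISTING : one verdict per set-id regular file
audit_setid() {
    printf '%s\n' "$1" | awk '
        substr($1,1,1) != "d" && (substr($1,4,1) ~ /[sS]/ || substr($1,7,1) ~ /[sS]/) {
            m = $1; f = $NF
            if (substr(m,9,1) == "w") print f, "setid-and-world-writable"  # anyone can replace code that runs as the owner/group
            else if (m ~ /[ST]/)      print f, "setid-without-execute"     # bit set on a non-executable slot: misconfigured
            else                      print f, "ok"
        }'
}

# shared_dirs_without_sticky LISTING : world-writable directories lacking
# SVTX, where any user may delete or rename other users files
shared_dirs_without_sticky() {
    printf '%s\n' "$1" | awk '
        substr($1,1,1) == "d" && substr($1,9,1) == "w" && substr($1,10,1) !~ /[tT]/ { print $NF }'
}

for m in -r-sr-xr-x -r-sr-sr-x drwxrwxrwt -rwSr--r--; do
    echo "$m -> $(perm_octal "$m")"
done
audit_setid "$SAMPLE_LS"
shared_dirs_without_sticky "$SAMPLE_LS"
```

To run the same checks against a live system, replace the constructed listing with the output of `find / -xdev \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +` for the set-id audit and `find / -xdev -type d -perm -0002 -exec ls -ld {} +` for the shared-directory check.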
Security policy and setup
[Diagram: /etc/security/user, /etc/security/passwd, /etc/security/limits and /etc/passwd, maintained with chuser or edited directly with vi.]
Syntax:
chsec -f filename -s stanza_name -a attribute_name=value
lssec -f filename -s stanza_name -a attribute_name
Example:
# lssec -f /etc/security/user -s default -a umask
default umask=22
# chsec -f /etc/security/user -s default -a umask=027
User and group administration hierarchy
[Diagram: root administers admin users and groups; root or members of the security group administer standard users and groups.]
# smit security
Security & Users
Move cursor to desired item and press Enter.
  Users
  Groups
  Passwords
  Login Controls
  PKI
  LDAP
  Role Based Access Control (RBAC)
  Trusted Execution
# smit users
Users
Move cursor to desired item and press Enter.
  Add a User
  Change a User's Password
  Change / Show Characteristics of a User
  Lock / Unlock a User's Account
  Reset User's Failed Login Count
  Remove a User
  List All Users
Example:
# lsuser -a id home ALL
root id=0 home=/
daemon id=1 home=/etc
bin id=2 home=/bin
sys id=3 home=/usr/sys
adm id=4 home=/var/adm
uucp id=5 home=/usr/lib/uucp
guest id=100 home=/home/guest
alex id=333 home=/home/alex
OR
# passwd [username]          (root only)
OR
# smit passwd                (root or security group)
Maintenance
>>> 1 Access a Root Volume Group
    2 Copy a System Dump to Removable Media
    3 Access Advanced Maintenance Functions
    4 Erase Disks
3. Follow the options to activate the root volume group and obtain a shell.
4. Once a shell is available, execute the passwd command to change root's password.
5. Enter the following command:
# sync ; sync
6. Reboot the system.
Anyone with console access who can boot the system into maintenance mode can reset root's password this way, so physical access and the boot device must be controlled as tightly as the password itself.
Format: name:password:UID:primaryGID:GECOS:HomeDirectory:Shell
# cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
sshd:*:202:201::/var/empty:/usr/bin/ksh
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh
! = password is set in /etc/security/passwd
* = no password set
/etc/security/passwd file
# cat /etc/security/passwd
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

bin:
        password = *

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK
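Both the chsec/lssec section and the /etc/security/passwd listing above work on the same stanza format: a line `name:` opens a stanza and indented `attribute = value` lines belong to it. The script below is an added example, not part of the IBM course: it implements an lssec-style lookup over that format and then joins /etc/passwd with /etc/security/passwd and /etc/security/user to flag a second UID 0 account, login-capable accounts whose password is `*`, passwords older than the user's maxage, and accounts carrying the ADMCHG flag. The three files are constructed copies for the demo; the real ones are readable only by root and the security group. Assumed policy details, labelled in the code: maxage in /etc/security/user is counted in weeks and 0 means no expiry, and an attribute missing from a user stanza falls back to the default stanza.

```shell
#!/bin/sh
# Added example, not part of the IBM course material: read AIX stanza files
# the way lssec does, then audit accounts by joining constructed copies of
# /etc/passwd, /etc/security/passwd and /etc/security/user.
# Assumptions: maxage is in weeks, 0 = never expires; attributes missing
# from a user stanza fall back to the "default" stanza.

# write_samples DIR : write the constructed passwd, security_passwd and
# security_user files into DIR
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh
backdoor:!:0:1::/home/backdoor:/usr/bin/ksh
EOF
    cat > "$1/security_passwd" <<'EOF'
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

bin:
        password = *

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK

ted:
        password = *

backdoor:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =
EOF
    cat > "$1/security_user" <<'EOF'
default:
        umask = 022
        maxage = 13
        loginretries = 5

alex:
        umask = 027

tyrone:
        maxage = 0
EOF
}

# stanza_get FILE STANZA ATTR : print the attribute value, "" if unset
stanza_get() {
    awk -v s="$2" -v a="$3" '
        NF == 1 && $1 ~ /:$/ { cur = $1; sub(/:$/, "", cur); next }   # "name:" opens a stanza
        cur == s && $1 == a && $2 == "=" {
            v = ""; for (i = 3; i <= NF; i++) v = v (i > 3 ? " " : "") $i
            print v; found = 1; exit
        }
        END { if (!found) print "" }' "$1"
}

# user_attr SECUSER USER ATTR : value from the user stanza, else from default
user_attr() {
    v=$(stanza_get "$1" "$2" "$3")
    if [ -z "$v" ]; then v=$(stanza_get "$1" default "$3"); fi
    printf '%s\n' "$v"
}

# audit_accounts PASSWD SECPASSWD SECUSER NOW : one "<user> <finding>" per
# line. NOW is an epoch time passed in so the result is reproducible.
audit_accounts() {
    pw=$1; spw=$2; secuser=$3; now=$4
    while IFS=: read -r name pwfield uid gid gecos home shell; do
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            echo "$name extra-uid0"                   # a second root: classic backdoor
        fi
        hash=$(stanza_get "$spw" "$name" password)
        if [ "$hash" = "*" ] || [ -z "$hash" ]; then
            if [ -n "$shell" ]; then
                echo "$name no-password-set"          # "*": confirm it is meant to be disabled
            fi
            continue
        fi
        last=$(stanza_get "$spw" "$name" lastupdate)
        maxage=$(user_attr "$secuser" "$name" maxage); maxage=${maxage:-0}
        if [ -n "$last" ] && [ "$maxage" -gt 0 ] && [ $(( (now - last) / 604800 )) -gt "$maxage" ]; then
            echo "$name password-older-than-${maxage}w"
        fi
        case ",$(stanza_get "$spw" "$name" flags)," in
            *,ADMCHG,*) echo "$name must-change-at-next-login" ;;
        esac
    done < "$pw"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "umask for alex:   $(user_attr "$dir/security_user" alex umask)"
echo "umask for tyrone: $(user_attr "$dir/security_user" tyrone umask)"
audit_accounts "$dir/passwd" "$dir/security_passwd" "$dir/security_user" 1230000000
rm -rf "$dir"
```

On a real host run `audit_accounts /etc/passwd /etc/security/passwd /etc/security/user "$(date +%s)"` as root; an unexpected `extra-uid0` line is the one to treat as an incident rather than a hygiene item.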
SMIT groups
# smit groups
Groups
Move cursor to desired item and press Enter.
  List All Groups
  Add a Group
  Change / Show Characteristics of a Group
  Remove a Group
Example:
# lsgroup -f -a id users ALL
system:
        id=0
        users=root,esaadmin,pconsole
staff:
        id=1
        users=ipsec,ted,sshd,alex,local,tyrone,daemon
bin:
        id=2
        users=root,bin
...
Add or change a group
Add a Group
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
                                        [Entry Fields]
* Group NAME                            [techies]
  ADMINISTRATIVE group?                  false           +
  Group ID                              [101]            #
  USER list                             [alex,tyrone]    +
  ADMINISTRATOR list                    []               +
  Projects                              []               +
  Initial Keystore Mode                 []               +
  Keystore Encryption Algorithm         []               +
  Keystore Access                       []               +
# cat /etc/group
system:!:0:root,esaadmin,pconsole
staff:!:1:ipsec,sshd,alex,tyrone,ted
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
uucp:!:5:nuucp,uucp
...
# cat /etc/security/group
system:
        admin = true
staff:
        admin = false
bin:
        admin = true
...
techies:
        admin = false
        adms = alex
Remove a user or group from the system
# rmuser -p user01
# rmgroup finance
(-p also removes the user's password and other authentication information from /etc/security/passwd; without it the stanza is left behind)
2. A binary executable with the SUID flag set is owned by user root.
User michael executes the binary. The executable runs under
which user, root or michael?
The answer is root.
7. True or False: When you delete a user from the system, all
the user’s files and directories are also deleted.
The answer is false.