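#!/usr/bin/ksh93
#
# Make the opensource tooling on AIX (aixosrc) RBAC-aware: create an RBAC role
# "yumrole" that lets DBAs run /opt/freeware/bin/yum without a root shell.
#
# Steps, all against the security database selected by ${Module}:
#   1. create the aixosrc.* authorization hierarchy if it is missing
#   2. attach privileges + accessauths to /opt/freeware/bin/yum
#   3. create yumrole, or update it if it already exists
#   4. run setkst so the kernel security tables pick up the change
#
# This script does NOT assign the role to anyone; that is a separate step.
# Run as root (or an equivalent role). For Module=LDAP a working LDAP client
# configuration is required.
#
# NOTE(review): the original header claimed "checked free role_id = 20018" but
# the role below is created with id=20081 — confirm which id is actually free
# in the target directory before running.
#
# SECURITY: the privilege set granted to yum below includes PV_AZ_ROOT and the
# command runs with euid=0, so a holder of yumrole can install arbitrary
# packages with root authority (rpm scriptlets run as root). Treat membership
# in yumrole as root-equivalent and keep it tightly restricted.

# Trace every command; intentional, this is an operator-run setup script.
set -x

# Security database holding the RBAC objects: "files" (local) or "LDAP".
#Module="files"
Module="LDAP"

# Trusted Execution policy is switched off here and is NOT switched back on by
# this script. Presumably this is so attributes can be set on a binary outside
# the TSD — confirm, and re-enable it (trustchk -p te=on) afterwards if the
# host normally runs with TE enforced.
trustchk -p te=off

# die MSG...: print MSG to stderr and abort. A half-applied RBAC setup (auths
# created, role missing) is worse than a clean failure.
die() {
  print -u2 -- "$@"
  exit 1
}

# ensure_auth NAME ID MSG
# Create authorization NAME with numeric id ID and description MSG in
# ${Module} unless it already exists. lsauth's "not found" noise on stderr is
# expected and suppressed; mkauth failures (e.g. a colliding id) abort.
ensure_auth() {
  typeset name=$1 id=$2 msg=$3
  if ! lsauth -R "${Module}" "${name}" 2>/dev/null; then
    mkauth -R "${Module}" dfltmsg="${msg}" id="${id}" "${name}" \
      || die "mkauth ${name} failed"
  fi
}

# Extra authorizations for non-AIX scripts / binaries. The hierarchy must be
# created parent-first; yum is gated on the leaf aixosrc.app.exec.cmd.
ensure_auth aixosrc              10080 'dba authorisations'
ensure_auth aixosrc.app          10081 'dba Application auths'
ensure_auth aixosrc.app.exec     10082 'dba Application execute'
ensure_auth aixosrc.app.exec.cmd 10083 'dba Application execute cmds'

echo ""

## Privileges and access authorization for yum.
yum_cmd=/opt/freeware/bin/yum
yum_privs=PV_DAC_R,PV_DAC_X,PV_PROC_SIG,PV_NET_PORT,PV_DAC_W,PV_DAC_O,PV_NET_CNTL,PV_FS_CHOWN,PV_AU_PROC,PV_KER_CONF,PV_AU_ADD,PV_AZ_ROOT

# lssecattr prints "<path> attr=..." when the command already has security
# attributes; the first field equals the path only in that case. Query the
# same database (${Module}) the rest of the script writes to.
yumauth=$(lssecattr -R "${Module}" -c "${yum_cmd}" 2>/dev/null | awk '{print $1}')
if [[ ${yumauth} == "${yum_cmd}" ]]; then
  echo "/bin/yum already ok!"
else
  # FSF_EPS: yum gets the innate privileges as its effective set at exec time.
  setsecattr -R "${Module}" -c \
    innateprivs="${yum_privs}" \
    accessauths=aixosrc.app.exec.cmd \
    euid=0 \
    secflags=FSF_EPS \
    "${yum_cmd}" || die "setsecattr ${yum_cmd} failed"
fi

echo ""
echo "create or update the role"
## Create or update the role. The original tested "! lsrole ...; $? != 0",
## which inverted the sense: a missing role ran chrole and an existing role
## ran mkrole, so both paths failed. Test lsrole's status directly.
if ! lsrole -R "${Module}" yumrole 2>/dev/null; then
  echo "role does not exist creating it!"
  mkrole -R "${Module}" \
    authorizations=aixosrc.app.exec.cmd \
    id=20081 \
    dfltmsg="rol t.b.v Yum opensource on AIX" \
    yumrole || die "mkrole yumrole failed"
else
  echo "role exist updating now!"
  chrole -R "${Module}" \
    authorizations=aixosrc.app.exec.cmd \
    yumrole || die "chrole yumrole failed"
fi

echo ""
echo ""
# Load the updated role/authorization/command tables into the kernel; without
# this the changes above are not effective for new processes.
echo "update the kernel extentions setkst"
setkst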