This is the second part of my blog series about AIX Advanced RBAC.
In this part I will show you how to use the default pre-defined roles and authorizations, and how to create new custom roles that reuse the pre-defined authorizations.
In part 3 I will explain how to create your own authorizations and custom roles, and how to store everything on a central LDAP server.
Default roles:
At the moment of writing, AIX 7.3 ships 18 default pre-defined roles, see the list below:
AccountAdmin dfltmsg=User and Group Account Administration
BackupRestore dfltmsg=Backup and Restore Administration
CacheAdm dfltmsg=SSD Cache Device Administrator
DomainAdmin dfltmsg=Remote Domain Administration
FSAdmin dfltmsg=File System Administration
SecPolicy dfltmsg=Security Policy Administration
SysBoot dfltmsg=System Boot Administration
SysConfig dfltmsg=System Configuration Administration
auditadm dfltmsg=Audit Administrator
fsadm dfltmsg=File System Administrator
isso dfltmsg=Information System Security Officer
pkgadm dfltmsg=Software Package Administrator
sa dfltmsg=System Administrator
secadm dfltmsg=Security Administrator
so dfltmsg=System Operator
svcadm dfltmsg=Service Administrator
sysop dfltmsg=System Operator
useradm dfltmsg=User Administrator
Command to get this list: lsrole -R files -a dfltmsg ALL
These roles are pre-defined and can be assigned directly to a user.
Command for assigning a default role to a user:
chuser -R files roles=role_name <username>
See example below:
chuser -R files roles=sa csonne
In the above example the standard role sa (system administrator) is now assigned to user csonne. The -R option selects the user registry: use -R LDAP instead of -R files when the user is defined in LDAP (see part 3).
This can be checked with the lsuser command (look at the roles= attribute):
lsuser -R files -f csonne
When user csonne is logged in, he can switch to the role assigned to him with
swrole sa
See example below:
swrole sa
csonne's Password:
At the new prompt you can check which role is now active with rolelist -e.
Also at that prompt you can verify which commands he can now execute with the rolerpt command, see below:
rolerpt -a |more
role:
sa
commands:
/sbin/helpers/jfs2/chfs
/sbin/helpers/jfs2/chfs64
/sbin/helpers/jfs2/lsfs
/usr/sbin/swapoff
(and so on, 283 lines in total for the sa role)
You can assign more roles to one user; just use a comma as separator between the roles, like:
chuser -R files roles=sa,role2,role3 csonne
Assigned roles are not active automatically after login; use the swrole command to activate the role you need in the current session.
You will notice that every swrole asks you to authenticate again.
There is one exception: a user can also be given a default_roles attribute.
The rule is that a role listed in default_roles must also be present in the user's roles=... list.
After login the role from default_roles is active immediately, so the user only authenticates during the login process. If he wants to switch to another role he uses the swrole command again, and has to authenticate again.
So that's about it for default roles and how to use them. Please look carefully at the description of those default roles, and also at the list of commands that belongs to each default role.
The pitfall here is that the default roles contain far too many commands, so you give far too much away to a user!
Default roles can still be useful in emergency situations, where you temporarily give a user access to a set of commands. After the incident you simply modify the user again to revoke the role.
The next section is about the built-in authorizations.
Just like the default roles, AIX also ships a lot of default authorizations.
To count them:
lsauth -R files ALL |wc -l
337
To walk through them and get an impression of what they are, list them in stanza format:
lsauth -R files -f ALL
But why are those standard authorizations so useful?
Case:
Suppose an application manager is responsible for his own LPAR and needs to vary certain volume groups offline and online.
He needs this only during certain time windows. How can RBAC help in this situation?
First we look at the commands this user needs: varyonvg and varyoffvg.
lssecattr -c -F /usr/sbin/varyoffvg
This tells us the following:
/usr/sbin/varyoffvg:
euid=0
egid=0
accessauths=aix.lvm.manage.varyoff
innateprivs=PV_AZ_ROOT,PV_DAC_R,PV_DAC_W,PV_DAC_X inheritprivs=PV_AU_ADD,PV_AU_PROC,PV_DAC_O,PV_DEV_QUERY,PV_FS_MKNOD,PV_KER_ACCT,PV_KER_LVM,PV_PROC_PRIV,PV_TCB
secflags=FSF_EPS
Take a close look at the accessauths= line: authorization names are hierarchical, separated by dots. I will come back to this later when I show you how to create your own authorizations.
For now we only have to remember this line, and you can probably guess the authorization we need for varyonvg: aix.lvm.manage.varyon.
These two standard IBM authorizations can be assigned to a new role, for example vgrole.
To do so you can use:
mkrole -R files authorizations=aix.lvm.manage.varyon,aix.lvm.manage.varyoff dfltmsg='test vg' vgrole
Assign this vgrole to the application user that needs it:
chuser -R files roles=vgrole <username>
Now we have to let the kernel know that there are new RBAC definitions, otherwise it will not load them. Run the following command as root or as a user with the isso role:
setkst
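The steps above (read accessauths from lssecattr, collect the authorizations, build the mkrole command) can be scripted, which is handy when a role has to cover more than two commands. The script below is an added example and not code from the original post. Its input is constructed: the varyoffvg stanza is abridged from the output shown above, and the varyonvg stanza is assumed to carry aix.lvm.manage.varyon as stated above; on a real AIX host you feed it the output of lssecattr -c -F instead.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the authorization list a
# new role needs from the 'lssecattr -c -F' stanzas of the commands it must cover,
# then print the matching mkrole command. The sample input is constructed: the
# varyoffvg stanza is abridged from the output above, the varyonvg stanza is
# assumed to carry aix.lvm.manage.varyon as the post states.

# Constructed stand-in for: lssecattr -c -F /usr/sbin/varyoffvg /usr/sbin/varyonvg
SAMPLE_STANZAS=$(cat <<'EOF'
/usr/sbin/varyoffvg:
        euid=0
        egid=0
        accessauths=aix.lvm.manage.varyoff
        innateprivs=PV_AZ_ROOT,PV_DAC_R,PV_DAC_W,PV_DAC_X
        secflags=FSF_EPS

/usr/sbin/varyonvg:
        euid=0
        egid=0
        accessauths=aix.lvm.manage.varyon
        innateprivs=PV_AZ_ROOT,PV_DAC_R,PV_DAC_W,PV_DAC_X
        secflags=FSF_EPS
EOF
)

# accessauths_pairs: read stanzas on stdin, print "<command> <authorization>" per
# line. The ALLOW_ALL/ALLOW_OWNER/ALLOW_GROUP keywords mean the command checks no
# authorization at all, so they are reported on stderr instead of copied into a role.
accessauths_pairs() {
    awk '
        /^\/.*:$/ { cmd = $0; sub(/:$/, "", cmd); next }
        /^[ \t]*accessauths=/ {
            val = $0; sub(/^[ \t]*accessauths=/, "", val)
            n = split(val, a, ",")
            for (i = 1; i <= n; i++) {
                if (a[i] ~ /^ALLOW_/)
                    print cmd ": accessauths=" a[i] ", no authorization needed" > "/dev/stderr"
                else
                    print cmd, a[i]
            }
        }'
}

# role_auth_list: unique, sorted, comma-joined authorizations for mkrole.
role_auth_list() {
    accessauths_pairs | awk '{ print $2 }' | LC_ALL=C sort -u |
        awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# mkrole_command ROLE DFLTMSG: print the mkrole invocation for the stanzas on stdin.
# Fails when no authorization was found, so you do not create an empty role.
mkrole_command() {
    auths=$(role_auth_list)
    [ -n "$auths" ] || { echo "no authorizations found in input" >&2; return 1; }
    printf "mkrole -R files authorizations=%s dfltmsg='%s' %s\n" "$auths" "$2" "$1"
}

# Stand-alone run on the sample. On AIX feed the real stanzas instead:
#   lssecattr -c -F /usr/sbin/varyoffvg /usr/sbin/varyonvg | mkrole_command vgrole 'test vg'
printf '%s\n' "$SAMPLE_STANZAS" | mkrole_command vgrole 'test vg'
```

Before you run the printed mkrole command, do the reverse check as well: list which other commands the collected authorizations unlock (lssecattr -c -a accessauths ALL, filtered on the authorization name), because an authorization such as aix.lvm.manage.varyoff may cover more than the one command you started from. Remember to run setkst after mkrole, as above.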
The user can now log in and switch to the role vgrole.
rolelist -e    <- shows the effective role at this moment
vgrole
rolerpt -a    <- reports all commands, and if defined the files (read, write), that can be used with this role
role:
vgrole
commands:
/usr/sbin/lvaryoffvg
/usr/sbin/varyoffvg
/usr/sbin/lvaryonvg
/usr/sbin/varyonvg
files:
The user can now use varyonvg and varyoffvg to do his job.
To enable this role only during a specific time window you can use the at command in combination with the chuser command.
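One way to do the time window with at and chuser, as an added example that is not code from the original post. It captures the user's current roles first so that the scheduled revert restores exactly that list instead of clearing every role the user had. Assumptions to verify on your release: lsuser -a roles USER prints "USER roles=a,b", chuser roles= USER clears the list, and chuser lives in /usr/bin. The commands are looked up by name when called, so you can replace them with shell functions for a dry run.

```shell
#!/bin/sh
# Added example, not code from the original post: assign a role for a limited time
# window by granting it now and scheduling the revert with at(1).
# Assumptions (verify on your release): 'lsuser -a roles USER' prints
# "USER roles=a,b", 'chuser roles= USER' clears the list, and chuser lives in
# /usr/bin. lsuser, chuser and at are looked up by name when called, so they can
# be replaced by shell functions for a dry run.

# current_roles USER: print the user's roles attribute value (empty if none).
current_roles() {
    lsuser -R files -a roles "$1" | sed 's/^[^ ]* roles=//'
}

# has_role ROLELIST ROLE: succeed if ROLE is already in the comma-separated list.
has_role() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# add_role ROLELIST ROLE: print ROLELIST with ROLE appended.
add_role() {
    if [ -n "$1" ]; then
        printf '%s,%s\n' "$1" "$2"
    else
        printf '%s\n' "$2"
    fi
}

# revert_command USER ROLELIST: the line the at job runs. The previous list is
# embedded so the user's other roles survive; the full path avoids relying on
# the PATH the at job is started with.
revert_command() {
    printf '/usr/bin/chuser -R files roles=%s %s\n' "$2" "$1"
}

# grant_role_until USER ROLE AT_TIME: assign ROLE now and revert at AT_TIME.
# Returns 1 without changing anything if the user already has the role, since
# the revert would otherwise strip a permanent assignment.
grant_role_until() {
    user=$1; role=$2; when=$3
    prev=$(current_roles "$user") || return 1
    if has_role "$prev" "$role"; then
        echo "$user already has role $role, nothing scheduled" >&2
        return 1
    fi
    chuser -R files roles="$(add_role "$prev" "$role")" "$user" || return 1
    # Caveat: this only removes the assignment. A shell in which the user has
    # already run 'swrole' keeps the role until that shell exits.
    revert_command "$user" "$prev" | at "$when"
}

# Stand-alone use on AIX, for example: grant_role_until csonne vgrole 'now + 4 hours'
if [ $# -eq 3 ]; then
    grant_role_until "$@"
fi
```

Two things to keep in mind: the revert only removes the assignment, so a session in which the user already ran swrole keeps the role until that shell exits (check with rolelist -e or end the session if the window really must be hard), and a role that is also in the user's default_roles must be removed from there as well, otherwise chuser refuses the change or the role comes back at the next login.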
NOTE:
Default roles and authorizations are ideal for giving users temporary access to a set of predefined commands and files. When you reuse an authorization, be careful about everything that authorization allows.
Creating your own roles with the standard authorizations is straightforward; the disadvantage is that you have little control over which commands they cover, so you might give too much access to a role.
Reusing an authorization in your own role helps, but take care to check that you do not gain too much access with the chosen authorization.
In my next part I will explain how to create your own authorizations and roles, and how to add your own scripts or executables to the RBAC databases.
Please feel free to give me feedback on this subject.