HP UX 11i Role-based Access Control (RBAC) Software manual


Also be aware that circular role definitions are not allowed. For example, assigning RoleA to RoleB, RoleB to RoleC, and RoleC to RoleA, is not allowed. The authadm command will detect an attempt to perform such a circular definition and will report an error.

Configuring HP-UX RBAC with Fine-Grained Privileges

NOTE: HP-UX RBAC Version B.11.23.01 does not support the Fine-Grained Privileges component of the HP-UX 11i Security Containment feature.

Applications reach the system's resources through system calls, which is how the operating system mediates access to those resources. Certain system calls require special, elevated privileges for the application to access the operating system and system hardware. Before the release of the HP-UX 11i Security Containment feature (and specifically its Fine-Grained Privileges component), UID=0 would satisfy as a special, elevated privilege for certain system calls. If the UID was not 0, the system call was denied and an application error returned.

HP-UX RBAC, and specifically the privrun wrapper command, provides the means for non-root users to acquire the level of special privileges or UID=0 required for running certain applications. In addition to providing UID=0 to a non-root user in certain circumstances to run a particular application, HP-UX RBAC can also use the Fine-Grained Privileges component of the HP-UX 11i Security Containment feature to run applications with additional privileges, but without UID=0.

If the Fine-Grained Privileges component is installed and enabled on the system, you can use HP-UX RBAC to configure commands to run with only a select set of privileges and with different sets of privileges for different users, all without UID=0. For example, an administrator might need to run the foobar command with several privileges, and a normal user might need far fewer privileges to run foobar.

Think of fine-grained privileges as "system call access control check keys." Rather than checking for UID=0, the system call checks for a particular privilege. These fine-grained privileges provide the ability to "lock" system calls and to control application access to the operating system and hardware resources. Also, because privileges are split into fine-grained privileges, applications do not require all privileges to run, only a specific privilege or set of privileges. Should an application process running with a particular set of privileges be compromised, the potential damage is far less than it would be if the process were running with UID=0.

NOTE: Refer to privileges(5) for more information on the Fine-Grained Privileges component of the HP-UX 11i Security Containment feature.

Use the cmdprivadm command and the privs option to configure commands for privrun to wrap and run only with the specified privileges. The following is an example cmdprivadm command that configures the /usr/bin/ksh command to run with the BASICROOT compound privilege and that requires the (hpux.adm.mount, *) authorization:

# cmdprivadm add cmd=/etc/mount op=hpux.adm.mount object='*' privs=BASICROOT

The preceding cmdprivadm command creates an entry in the /etc/rbac/cmd_priv file as follows:

#---------------------------------------------------------------------------------------------------
# Command        : Args   :Authorizations       :U/GID :Cmpt   :Privs     :Auth  :Flags
#----------------:--------:---------------------:------:-------:----------:------:-------------------
/etc/mount       :dflt    :(hpux.adm.mount,*)   :///   :dflt   :BASICROOT :dflt  :
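As an added example (not taken from the HP manual), the following POSIX shell function reads cmd_priv-format lines in the column order shown above and classifies each entry by whether privrun would run the command with UID 0 or with named fine-grained privileges only. It assumes the U/GID column holds four slash-separated IDs with the two UIDs first; the /opt/example entries and the verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify /etc/rbac/cmd_priv-style entries.
# Column order follows the header shown on this page:
#   Command : Args : Authorizations : U/GID : Cmpt : Privs : Auth : Flags
# Assumption: U/GID is four slash-separated IDs, the first two being UIDs.

# Reads cmd_priv-format text on stdin, prints one verdict line per entry:
#   UID0        - entry sets a UID of 0
#   FINEGRAINED - no UID 0, but named privileges in the Privs column
#   DEFAULT     - neither UID 0 nor named privileges
#   MALFORMED   - fewer than the 8 expected columns
audit_cmd_priv() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        NF < 8 { printf "MALFORMED line %d\n", NR; next }
        {
            # Trim the padding cmdprivadm-style alignment leaves in each column
            for (i = 1; i <= 8; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            cmd = $1; auth = $3; ids = $4; privs = $6

            # Only the first two subfields (assumed UIDs) are checked for 0
            n = split(ids, id, "/")
            uid0 = 0
            for (i = 1; i <= 2 && i <= n; i++) if (id[i] == "0") uid0 = 1

            if (uid0)                                verdict = "UID0"
            else if (privs == "dflt" || privs == "") verdict = "DEFAULT"
            else                                     verdict = "FINEGRAINED"
            printf "%s %s %s %s\n", verdict, cmd, auth, privs
        }'
}

# Constructed sample input: the /etc/mount entry from this page, one
# hypothetical UID 0 entry, and one deliberately truncated line.
sample_entries() {
cat <<'EOF'
# Command   : Args :Authorizations     :U/GID :Cmpt :Privs     :Auth :Flags
/etc/mount  :dflt  :(hpux.adm.mount,*) :///   :dflt :BASICROOT :dflt :
/opt/example/bin/tool :dflt :(example.tool.run,*) :0/0// :dflt :dflt :dflt :
/opt/example/bin/broken :dflt :(example.broken,*)
EOF
}

sample_entries | audit_cmd_priv
```

On a live system the same function can be fed the real file with `audit_cmd_priv < /etc/rbac/cmd_priv`; entries reported as UID0 are the candidates for conversion to a privs= list.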

After you create the entry using cmdprivadm and using privrun to wrap the command, /etc/mount will run with the elevated privilege of the BASICROOT compound

HP-UX 11i Security Containment Administrators Guide, Copyright 2007 Hewlett-Packard Development Company, L.P.