3 HP-UX Role-Based Access Control
The information in this chapter describes HP-UX Role-Based Access Control (HP-UX RBAC). This chapter addresses the following topics:
•“Overview”
•“Access Control Basics”
•“HP-UX RBAC Components”
•“Planning the HP-UX RBAC Deployment”
•“Configuring HP-UX RBAC”
•“Using HP-UX RBAC”
•“Troubleshooting HP-UX RBAC”
Overview
Security—especially platform security—has always been an important issue for enterprise infrastructure. Even so, many organizations often neglected or overlooked such security concepts as individual accountability and least privilege in the past. However, recently introduced legislation in the United States—including the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley—has helped to highlight the importance of these security concepts.
Most enterprise environments have systems administered by multiple users. Typically this is accomplished by providing the administrators with the password to a common, shared account, known as root. While the root account simplifies access control management by enabling administrators with the root password to perform all operations—the root account also presents several inherent obstacles for access control management, for example:
•After providing administrative users with the root password, there is no easy way to further constrain those users.
•In the best case, revoking access for a single administrator requires changing the common password and notifying other administrators. More realistically, simply changing the password is probably not sufficient to effectively revoke access because alternative access mechanisms might have already been implemented.
•Individual accountability with a shared root account is virtually impossible to achieve. Consequently, proper analysis after a security event becomes difficult—and in some cases impossible.
The HP-UX Role-Based Access Control (RBAC) feature resolves these obstacles by providing the capability to assign sets of tasks to ordinary—but appropriately configured—user accounts. HP-UX RBAC also mitigates the management overhead associated with assigning and revoking individual authorizations on a per-user basis.
HP-UX RBAC Versus Other RBAC Solutions
HP-UX RBAC offers several advantages over other role-based access control solutions available today, including:
•Predefined configuration files specific to HP-UX, for a quick and easy deployment
•Flexible re-authentication via Plugable Authentication Module (PAM), to allow restrictions on a per command basis
•Integration with HP-UX (C2) audit system, to produce a single, unified audit trail
•Pluggable architecture for customizing access control decisions
•Simplified usability through integration with the HP-UX shells
•Graphical, Web-based management through HP System Management Homepage
