United States-English |
|
|
HP-UX Reference > Rrbac(5)HP-UX 11i Version 3: February 2007 |
|
NAMErbac: RBAC — role-based access control DESCRIPTIONRBAC (Role-Based Access Control) is an alternative to the all-or-nothing security model of traditional root user-based systems. With RBAC, an administrator can assign roles to non-root users or UNIX groups. Each role has authorizations composed of an operation and object, where the operation is an action that can be performed on an object, and the object is an object the user can access with a given operation. HP-UX RBAC database files are installed in the /etc/rbac directory. The following is a list of the HP-UX RBAC commands, presented in the sequence they are typically used:
DATABASESIn each of the HP-UX RBAC databases, white space is ignored within an entry. (This excludes the newline (\n) character, which is used as a record separator.) All of the fields in the HP-UX RBAC databases are case sensitive. The following is a list of the HP-UX RBAC databases are currently provided:
There are two HP-UX RBAC database files which define valid roles and authorizations. The /etc/rbac/roles database defines valid roles, and the /etc/rbac/auths database defines valid authorizations. The authorizations are specified in the form of (operation, object) pairs. Two additional database files assign roles to users or UNIX groups and authorizations to roles. /etc/rbac/user_role maps users or UNIX groups to their assigned role(s). /etc/rbac/role_auth defines a set of authorizations or subroles for each role. The /etc/rbac/cmd_priv database associates commands or files with authorizations. The /etc/rbac/cmd_priv database associates commands or files with authorizations. /etc/rbac/cmd_privThe /etc/rbac/cmd_priv file contains the required authorizations needed to execute certain commands or edit certain files. It also has the resulting privileges (real and effective UID and GID, Fine grained privileges, and compartment) associated with the command. If the user is required to re-authenticate prior to successful authorization, a PAM service name is specified in this file indicating how privrun or privedit should identify itself to PAM. The file contains any number of entries, where each entry is specified on a single line and in the following format: command | file: arguments : (operation, object) : ruid/euid/rgid/ egid : compartment : privs : pam service : flags These fields are explained in privrun(1M) and privedit(1M). There may be multiple entries with the same command line (with different authorizations required and resulting privileges.) privrun and privedit evaluate each entry sequentially in the order specified in the file, continuing on to the next entry only if the user does not have the required authorization. If the user desires a particular entry, they can use command-line options with privrun or privedit to specify the set of privileges or authorization for a particular entry. Note that only authorizations can be specified to privedit. See privrun(1M) or privedit(1M) for more information on /etc/rbac/cmd_priv database. /etc/rbac/rolesThe /etc/rbac/roles database contains definitions of all valid roles in the system. An administrator must define new roles in this file before the roles can be assigned to a user. The roles are added and removed from the /etc/rbac/roles file by authorized users using the roleadm command (see roleadm(1M)). The /etc/rbac/roles database contains any number of entries, where each entry is defined on a single line in the following format: rolename[:comment] These fields are defined as follows:
For example: administrator:uri=http://www.site.com/adm.html The following example has just the role name, no comment or optional uri: SecurityOfficer /etc/rbac/authsThe /etc/rbac/auths database contains definitions of all valid authorizations in the form of (operation, object) pairs in the system. An administrator must define new (operation, object) pairs in this file before the (operation, object) pairs can be assigned to a role. The authorizations are added and removed from the /etc/rbac/auths file by authorized users using the authadm command (see authadm(1M)). The /etc/rbac/auths database contains any number of entries, where each entry is defined on a single line in the following format: (operation, object)[:comment] These fields are defined as follows:
For example: (hpux.printer.add, bldg7printer): Add printers in building 7. (hpux.printer.delete, *): uri=http://foo.bar.com/printerauths.htm (hpux.fs.backup, /dev/rdsk/c0t1d0): Backup physical disk 1 Note: The operations specified in /etc/rbac/auths file must be fully-qualified and cannot use wildcards; however, the objects can be be specified with a wildcard using the asterisk character (*). Authorizations that contain wildcard operations are validated using a match operation. At least one operation must match the wildcard to assign the authorization to the role. /etc/rbac/user_roleThe /etc/rbac/user_role database defines the roles allowed for each specified user or UNIX group. The user to role definitions are added and removed in the /etc/rbac/user_role file by authorized users using the roleadm command (see roleadm(1M)). The /etc/rbac/user_role database contains any number of entries, where each entry is defined on a single line in the following format:
These fields are used as follows:
The example below shows that user Michael has roles of an administrator and a programmer. Also, it shows user Jenny has the SecurityOfficer role assigned. Lastly, it shows that the UNIX group users has the RegularUser role assigned: # roleadm list Michael: Administrator, Programmer Jenny: SecurityOfficer &users: RegularUser /etc/rbac/role_authThe /etc/rbac/role_auth file defines the authorizations and/or subroles for each specified role. Each authorization is specified in the form of (operation, object) pairs. The authorization pairs are defined in the /etc/rbac/auths database file. A subrole is just another role with authorizations. When a subrole is assigned to a role, the role inherits all the authorizations of the subrole. The subrole name must be defined in the /etc/rbac/roles database file. No recursive role definition is permitted. For example, if "role1" has a subrole of "role2", and if users roleassign "role1" to "role2", this will cause a recursive definition of both "role1" and "role2", and the roleassign command will fail. Authorized users can use the authadm command to specify the authorizations and/or subroles for each role in /etc/rbac/role_auth (Refer to authadm(1M) for more information). All authorizations and/or subroles associated with a role must be specified in a single entry. This entry can be more than one line; however, each individual authorization pair must not exceed one line. Lines that begin with alphanumeric characters followed by semicolons (:) are considered new entries. The entries are in the following format:
These fields are defined as follows:
The following line states that the role of SecurityOfficer has authorization of (hpux.passwd, /etc/passwd) which means that the operation, hpux.passwd, can access the object, /etc/passwd. SecurityOfficer also has the ability to add and delete system users. SecurityOfficer: (hpux.passwd, /etc/passwd) (hpux.user.add, *) (hpux.user.del, *) The PrinterAdm has authorization to perform hpux.printer.add on all objects. PrinterAdm: (hpux.printer.add, *) The Administrator has subroles SecurityOfficer and PrinterAdm, and therefore, has all the authorizations of both subroles as shown in the preceding examples. Administrator: SecurityOfficer PrinterAdm /etc/rbac/aud_filterThe /etc/rbac/aud_filter file defines role and authorization audit filtering. Audit records will be generated for users whose role and associated authorization is found in this file. If a user's role and associated authorization is not found in the file, then no audit records specific to role and authorization will be generated. Each authorization is specified in the form of operation, object pairs. Authorized users (as specified in /etc/rbac/cmd_priv database file) can edit /etc/rbac/aud_filter to specify the role and authorization to be audited. All authorizations associated with a role must be specified in a single entry. Only one authorization may be specified per role. The entries are of the following format:
These fields are defined as follows:
The following line specifies auditing the role of SecurityOfficer with authorization of (hpux.passwd, /etc/passwd). The PrinterAdm role with authorization to perform hpux.printer.add on all objects is also specified for auditing. SecurityOfficer, hpux.passwd, /etc/passwd PrinterAdm, hpux.printer.add, * EXAMPLESThe following example shows how a root user uses the RBAC administrative commands to allow non-root user John to execute the /usr/sbin/useradd command.
AUDITINGThese commands, privrun(1M), roleadm(1M), authadm(1M) and cmdprivadm(1M) all generate audit records. The audit records include a caller's username, UID, role, authorizations, object, time of the event, success or failure of the event, etc. You can provide an audit filter database file (/etc/rbac/aud_filter) which allows a user to specify the role and the authorization (operation, object) to be audited. Role-to-authorization audit records will be generated only if the caller's role and authorization matches one of the entries in the /etc/rbac/aud_filter database. If the audit filter database file does not exist, or is not accessible, then the audit records will still be generated. However, if the audit filter database file exists, but is empty, then no audit records will be generated. The following is an example of how to generate and display the audit records for roleadm: # audevent -Pfe admin # audsys -f # audsys -n -c /tmp/aud.out -s 2048 # roleadm add new_role_1 # audsys -f # audisp /tmp/aud.out See audit(5), audevent(1M), audsys(1M), and audisp(1M) to learn more about generating and displaying audit records. FILES
|
Printable version | ||
|