AIX 5L SysAdmin I: (Unit 13 – Part 3) – AIX 5.1 Security and User Administration

Security Files:
/etc/passwd – valid users (not passwords)
/etc/group – valid groups
/etc/security – directory not accessible to normal users

/etc/security/passwd – user passwords
/etc/security/user – user attributes, password restrictions

/etc/security/group – group attributes
/etc/security/limits – user limits
/etc/security/environ – user environment settings
/etc/security/login.cfg – login settings by terminals

/etc/passwd File
# cat /etc/passwd

Line Format:
user:password:UID:GID:MessageField:home directory:starting program (default korn shell)
root:!:0:0::/:/bin/ksh – root always has a UID and GID of zero (0)

! – password exists (it is stored in /etc/security/passwd, not here)
* – user is locked

/etc/security/passwd File
# cat /etc/security/passwd – users' passwords are stored in this file

/etc/security/user File
# cat /etc/security/user – default stanza

Note: The default stanza contains all settings which apply to everyone. Any other user stanzas listed will only display those settings that are different than the default stanza.
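A constructed illustration of the stanza layout described in the note above (added here, not taken from the course notes or from any real system): the default stanza carries the settings that apply to every user, and a per-user stanza lists only the attributes that differ. The attribute names are standard /etc/security/user attributes; the values are assumed for this example.

```text
default:
        admin = false
        login = true
        su = true
        rlogin = true
        umask = 022
        loginretries = 3
        minlen = 8
        maxage = 13
        histsize = 8

alice:
        rlogin = false
        loginretries = 5
```

Reading it as the note says: alice inherits login, su, umask, minlen, maxage and histsize from the default stanza, and only rlogin and loginretries are overridden for her.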

Group Files:
# more /etc/group
Format – group:!:GID:member1,member2,...

# more /etc/security/group

/etc/security/login.cfg File (by terminal)
default stanza
Note: Can limit access to a specific terminal at specific times.

Validating the User Environment
pwdck – verifies the validity of local authentication information.
pwdck {-n|-p|-t|-y} {ALL | username}
Verifies that /etc/passwd and /etc/security/passwd are consistent with each other and with /etc/security/login.cfg and /etc/security/user.

usrck – verifies the validity of a user definition.
usrck {-n|-p|-t|-y} {ALL | username}
Checks each user name in /etc/passwd, /etc/security/user, /etc/security/limits and /etc/security/passwd. Also, checks are made to ensure that each has an entry in /etc/group and /etc/security/group.

grpck – verifies the validity of a group definition.
grpck {-n|-p|-t|-y} {ALL | groupname}
Verifies that the files /etc/passwd, /etc/security/user, /etc/group and /etc/security/group are consistent.
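The following script is an added example and is not part of the course notes or of AIX itself: it shows the kind of cross-checks that usrck and grpck perform, applied to the /etc/passwd line format and the /etc/group format described earlier. Both files are constructed inline as sample data (names, UIDs and GIDs are invented), so it runs anywhere a POSIX sh and awk exist and never touches the real security files. It reports accounts with UID 0 other than root, accounts locked with "*", users whose primary GID has no /etc/group entry, and group members that do not exist in /etc/passwd.

```shell
#!/bin/sh
# Constructed /etc/passwd sample: user:password:UID:GID:message:home:shell
PASSWD_SAMPLE='root:!:0:0::/:/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
guest:*:100:100::/home/guest:/usr/bin/ksh
alice:!:200:200:Alice Example:/home/alice:/usr/bin/ksh
bob:!:201:999::/home/bob:/usr/bin/ksh
admin2:!:0:0::/home/admin2:/usr/bin/ksh'

# Constructed /etc/group sample: group:!:GID:member1,member2,...
GROUP_SAMPLE='system:!:0:root
staff:!:1:daemon
bin:!:2:root,bin
usr:!:100:guest
users:!:200:alice,bob,carol'

# Accounts whose UID is 0 (only root should ever appear here).
uid0_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Accounts whose password field is "*", i.e. locked.
locked_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: '$2 == "*" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Users whose primary GID (field 4) has no stanza in the group file.
users_without_group() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: -v groups="$GROUP_SAMPLE" '
            BEGIN {
                n = split(groups, lines, "\n")
                for (i = 1; i <= n; i++) { split(lines[i], g, ":"); gid[g[3]] = 1 }
            }
            !($4 in gid) { printf "%s%s", sep, $1; sep = " " }
            END { print "" }'
}

# Group members (field 4 of /etc/group) that have no /etc/passwd entry,
# reported as group:member.
stale_group_members() {
    printf '%s\n' "$GROUP_SAMPLE" |
        awk -F: -v users="$PASSWD_SAMPLE" '
            BEGIN {
                n = split(users, lines, "\n")
                for (i = 1; i <= n; i++) { split(lines[i], u, ":"); known[u[1]] = 1 }
            }
            $4 != "" {
                m = split($4, members, ",")
                for (i = 1; i <= m; i++)
                    if (!(members[i] in known)) { printf "%s%s:%s", sep, $1, members[i]; sep = " " }
            }
            END { print "" }'
}

audit_report() {
    printf 'UID 0 accounts (expect only root): %s\n' "$(uid0_accounts)"
    printf 'Locked accounts (* in password field): %s\n' "$(locked_accounts)"
    printf 'Users with no matching group entry: %s\n' "$(users_without_group)"
    printf 'Group members missing from passwd: %s\n' "$(stale_group_members)"
}

audit_report
```

On a real system the same checks are what pwdck/usrck/grpck -n (report only) give you; the script is only meant to make visible which fields those tools compare. The second UID 0 account and the GID 999 with no group stanza are the findings an administrator would follow up on.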

System Management Services

PCI RS/6000 Passwords
Power On – Entry, Remove, Remote
Privileged (Supervisory Password) – Entry, Remove

Documenting Security Policy and Setup
–> Identify the different types of users and what data they will need access to
–> Organize groups around the type of work that is to be done
–> Organize ownership of data to fit with the group structure
–> Set SVTX on shared directories (sticky bit)
–> Remember that UNIX/AIX has no concept of application ownership