HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

3 HP-UX Role-Based Access Control
The information in this chapter describes HP-UX Role-Based Access Control (HP-UX RBAC).
This chapter addresses the following topics:
“Overview”
“Access Control Basics”
“HP-UX RBAC Components”
“Planning the HP-UX RBAC Deployment”
“Configuring HP-UX RBAC”
“Using HP-UX RBAC”
“Troubleshooting HP-UX RBAC”
Overview
Security—especially platform security—has always been an important issue for enterprise
infrastructure. Even so, many organizations often neglected or overlooked such security concepts
as individual accountability and least privilege in the past. However, recently introduced
legislation in the United States—including the Health Insurance Portability and Accountability
Act (HIPAA) and Sarbanes-Oxley—has helped to highlight the importance of these security
concepts.
Most enterprise environments have systems administered by multiple users. Typically this is
accomplished by providing the administrators with the password to a common, shared account,
known as root. Although the root account simplifies access control management by allowing any
administrator who knows the root password to perform all operations, it also presents several
inherent obstacles to access control management, for example:
After providing administrative users with the root password, there is no easy way to further
constrain those users.
In the best case, revoking access for a single administrator requires changing the common
password and notifying other administrators. More realistically, simply changing the
password is probably not sufficient to effectively revoke access because alternative access
mechanisms might have already been implemented.
Individual accountability with a shared root account is virtually impossible to achieve.
Consequently, proper analysis after a security event becomes difficult—and in some cases
impossible.
The HP-UX Role-Based Access Control (RBAC) feature resolves these obstacles by providing the
capability to assign sets of tasks to ordinary—but appropriately configured—user accounts.
HP-UX RBAC also mitigates the management overhead associated with assigning and revoking
individual authorizations on a per-user basis.
HP-UX RBAC Versus Other RBAC Solutions
HP-UX RBAC offers several advantages over other role-based access control solutions available
today, including:
Predefined configuration files specific to HP-UX, for a quick and easy deployment
Flexible re-authentication via Pluggable Authentication Module (PAM), to allow restrictions
on a per-command basis
Integration with the HP-UX (C2) audit system, to produce a single, unified audit trail
Pluggable architecture for customizing access control decisions
Simplified usability through integration with the HP-UX shells
Graphical, Web-based management through HP System Management Homepage