Manualshelf

Securing Virtual Partitions with HP-UX Role-Based Access Control

ManualsBrandsHP ManualsSoftwareHP-UX vPars and Integrity VM v6
12345678910
8
Planning HP-UX RBAC Deployment
The information in the following sections explain the steps to deploy HP-UX RBAC for securing virtual
partitions.
Step 1: Defining Roles for Users
The first step in using HP-UX RBAC to secure vPars is to plan an appropriate set of roles for the users of
the target system. For example, consider the aforementioned roles and their descriptions:
Operator:
o administers a particular virtual partition
o logs in as non-root user
o has limited system administration capability
o can at most execute virtual partition commands for local virtual partition.
BoxAdmin:
o manages the entire system and has physical access to each virtual partition
o logs in as root
o has full system administration capability
o can execute virtual partition commands for any virtual partition.
Step 2: Defining Authorizations
After defining roles, you can plan the authorizations associated with each role. For example, you might
add a new authorization, hpux.vpar.admin, because it’s not included in the supplied
/etc/rbac/cmd_priv sample database.
Be careful not to accidentally grant Operators authorizations that will lead to unconstrained root
privileges. For example, the following entries documented in /etc/rbac/cmd_priv are known to be
equivalent to granting unconstrained root. Specifically, the commands may be used to obtain an
account with uid=0. Therefore, no such authorizations should be granted to Operators.
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :
#/usr/sbin/usermod :dflt :(hpux.user.modify,*) :0/0// :dflt :dflt :dflt :
#/usr/sbin/groupadd :dflt :(hpux.user.group.add,*) :0/0// :dflt :dflt :dflt :
#/usr/sbin/groupmod :dflt :(hpux.user.group.modify,*) :0/0// :dflt :dflt :dflt :
#/sbin/mount :dflt :(hpux.fs.mount,*) :0/0// :dflt :dflt :dflt :
#/usr/sbin/vipw :dflt :(hpux.user.modify,*) :0/0// :dflt :dflt :dflt :
#/sbin/restore :dflt :(hpux.fs.restore,*) :0/0// :dflt :dflt :dflt :
#/usr/sbin/update-ux :dflt :(hpux.admin.software.update,*) :0/0// :dflt :dflt :dflt :
Step 3: Planning Command Mappings
The final step in planning your HP-UX RBAC deployment is to define any commands that are commonly
used by any of the defined roles, but that do not exist in the pre-defined /etc/rbac/cmd_priv file
that is provided. For example, various virtual partition commands should be mapped to the
hpux.vpar.admin authorization.