AIX security commands, Part 2
Advanced AIX security commands
AIX 6.1 ships with a broad set of security features. This article lists the security commands available in AIX 6.1 and 7.1, grouped by the feature they manage.
Role-based access control (RBAC) mechanism
On any operating system, administrators are responsible for managing the system. In AIX, the root user holds the maximum privilege. Role-based access control (RBAC) lets root privileges be delegated to other users in smaller pieces, so that non-root users can carry out specific administrative tasks without holding full root authority.
RBAC has been available since AIX 4.2.1, but only in a limited form through AIX 5.3. Starting with AIX 6.1, RBAC was expanded substantially and provides fine-grained control over access to the operating system.
RBAC operates in two modes:
- Legacy RBAC mode
- Enhanced RBAC mode
By default, AIX 6.1 system is enabled with enhanced RBAC mechanism.
- How do you enable enhanced RBAC mechanism on AIX?
Use the chdev command to change attributes of sys0 device:
# chdev -l sys0 -a enhanced_RBAC=true
This sets the enhanced RBAC mode. Reboot the system after running the command for the change to take effect.
- How do you check the state of RBAC on AIX?
The lsattr command provides attributes information of sys0 device:
# lsattr -El sys0 -a enhanced_RBAC
If the value displayed is true, enhanced RBAC mode is enabled. If it is false, the system is in legacy RBAC mode.
- How do you create a role on AIX?
The mkrole command creates a new role on the system. The role definitions are in the /etc/security/roles file.
To create a role on AIX, type:
mkrole dfltmsg="description of role" <role name>
- How do you change attributes of the created role?
The chrole command lets you change the attributes of an existing created role on the system:
chrole <attribute=value> <rolename>
- How do you list the roles that exist on the system?
The lsrole command displays the definition of a role; the ALL keyword lists every role on the system:
lsrole <role name>
- How do you remove a role on the system?
Use the rmrole command to remove the role definition from the system:
rmrole <role name>
- How do you load the role definitions into the AIX kernel?
The setkst command loads the role, authorization, privileged command, privileged device, domain and domain object definitions into the kernel security tables. RBAC checks are performed in the kernel, so a change to any RBAC table in user space is not enforced until it has been loaded.
To update all the tables, type the following:
setkst
To update specific tables only, use the -t option with one or more table names:
setkst -t <table name>
Valid table names are role, auth, cmd, dev, dom and domobj.
- How do you create an authorization on AIX?
The mkauth command creates an authorization on the system. AIX ships with a set of predefined (system-defined) authorizations. Authorizations created with mkauth are stored in the /etc/security/authorizations file.
Type following command to create authorization:
mkauth <authorization name>
- How do you list an authorization on AIX?
The lsauth command displays the definition of an authorization:
lsauth <authorization name>
To list every authorization defined on the system, use the ALL keyword:
lsauth ALL
The listing can also be limited to system-defined or to user-defined authorizations; see the lsauth man page for the flags.
- How do you remove an authorization on the system?
Use the rmauth command to remove authorization on the system:
rmauth <authorization name>
To remove hierarchical authorization (ex: aix.security.create.test), type the following:
rmauth -h <authorization name>
- How do you change authorization attributes on the system?
The chauth command modifies the attributes of a user-defined authorization. It cannot be used to modify system-defined authorizations.
The following command modifies user defined authorization attributes on the system:
chauth <attribute=value> <authorization name>
After changing any authorization, run the setkst command to reload the RBAC tables in the kernel; the change is not enforced until then.
- How do you check the calling process authorizations on the system?
The ckauth command checks whether the current process (the user's session) holds an authorization.
Use the following command to check one authorization for the current session:
ckauth <authorization name>
ckauth returns 0 when the process holds the authorization and a non-zero value otherwise. Several authorizations can be given as a comma-separated list; by default ckauth returns 0 if the process holds any of them. Use the -A flag to require all of the listed authorizations:
ckauth -A <authorization name 1>,<authorization name 2>
- How do you set RBAC security attributes to a command on AIX?
The setsecattr command sets RBAC attributes to a command. Type the following command to set attributes to a command:
setsecattr -c <attribute = value> <command name>
The setsecattr command updates privileged command information to /etc/security/privcmds privileged command database. The command name should be an absolute path of the command. Modifications made to the privileged command database are not used until the database is sent to the kernel security tables using the setkst command.
- How do you set RBAC attributes to a device on AIX?
The setsecattr command sets RBAC attributes to a device. Type the following command to set attributes to a device:
setsecattr -d <attribute = value> <device name>
The setsecattr command updates privileged device information to /etc/security/privdevs privileged device database. Modifications made to the privileged device database are not used until the database is sent to the kernel security tables using the setkst command.
- How do you set RBAC attributes to a file on AIX?
The setsecattr command sets RBAC attributes to a file. Type the following to set RBAC attributes to a file:
setsecattr -f <attribute = value> <file name>
The setsecattr command sets security attributes on a privileged file and records them in the /etc/security/privfiles privileged file database. Modifications made to the privileged file database are not used until the database is sent to the kernel security tables using the setkst command.
- How do you display RBAC attributes of a privileged file/device/command on a system?
The lssecattr command displays RBAC attributes of a privileged command, device, file or process. Type the following command to display RBAC attributes of a file/device/command/process:
lssecattr -c/-d/-f <privileged filename/command/device name>
- How do you remove RBAC attributes of a privileged file/device/command on a system?
The rmsecattr command removes the RBAC attributes of a privileged command, device or file:
rmsecattr -c/-d/-f <privileged file name/command/device name>
The rmsecattr command only removes RBAC attributes from command/device/file. It doesn't remove the actual command, device or file from the system. Modifications made by this command are not used for the security considerations until the databases are sent to the kernel security tables using the setkst command.
- How do you display role information for a user or process?
The rolelist command displays role information for a user or process. Run it in a user session to see the roles assigned to that user:
rolelist
Without options, rolelist shows the roles assigned to the user together with their descriptions. Two useful flags:
- rolelist -e shows the effective (currently active) role set of the session.
- rolelist -a shows the authorizations granted by each role.
- How do you activate the role on a user session?
The swrole command activates a role in the current session. A role assigned to a user grants nothing until it is switched on:
swrole <role name>
To activate all the roles assigned to the user, use the ALL keyword:
swrole ALL
If a user has more than eight roles, only the first eight are activated in the session when ALL is specified.
Domain RBAC restricts access to resources by placing objects (files, devices, network ports) and users into domains: a user who is not a member of an object's domain cannot access it. It therefore provides object isolation even for privileged and authorized users holding a role.
Domain RBAC requires enhanced RBAC and does not work in legacy RBAC mode. It is enabled by default on systems running in enhanced RBAC mode, and is available from AIX 6.1 TL07 and AIX 7.1 TL01 onwards.
Domain RBAC commands
- How do you create a domain on a system?
The mkdom command creates a new domain in the domain RBAC database. Users can specify domain attributes with mkdom command. Type the following command to create a domain on the system:
mkdom <domain name>
mkdom creates domain definition in domain RBAC database /etc/security/domains.
- How do you list domain on a system?
The lsdom command lists the domains that exist in the domain database. Type the following command to list domains on the system:
lsdom <domain name>
This lists the domain information for <domain name>. To list all the domains in the domain database, specify the ALL keyword with the lsdom command.
- How do you remove domains on a system?
The rmdom command removes domain definitions from the domain database. Type the following command to remove a domain:
rmdom <domain name>
- How do you change domain attributes on a system?
Use the chdom command to change domain attributes information on a system:
chdom <attribute = value> <domain name>
- How do you create domain attributes to an object?
The setsecattr command adds or modifies domain attributes of an object:
setsecattr -o <attributes> <object name>
This command records the object (a file, device or network port) and its domain attributes in the /etc/security/domobjs file.
- How do you list domain attributes for a domain object?
The lssecattr command lists domain attributes of an object:
lssecattr -o <object name>
- How do you remove domain attributes for a domain object?
Use the rmsecattr command to remove domain attributes from domain object:
rmsecattr -o <object name>
rmsecattr only removes domain attributes of an object. It does not remove the actual object from the system.
- How do you assign domains to a user?
Use the mkuser command to add domains information to a user while creating the user. The chuser command is used to add domain information to an existing user:
mkuser -a domains=<domain name> <user name>
chuser domains=<domain name> <username>
- How do you load a domain database into the kernel?
Use the setkst command to load domain table into the kernel. setkst without any options loads all RBAC and domain RBAC tables into kernel.
The following command loads only the domain and domain object tables into the kernel:
setkst -t dom,domobj
Modification to any domain or domain object takes effect after updating the changes to the kernel.
- What are the RBAC databases on a system?
The following files maintain RBAC information:
- /etc/security/roles: Maintains user defined and pre-defined roles
- /etc/security/privcmds: Maintains privileged commands information
- /etc/security/privdevs: Maintains privileged devices information
- /etc/security/privfiles: Maintains privileged files information
- /etc/security/domains: Maintains domains information
- /etc/security/domobjs: Maintains domain object information
- How do you migrate RBAC and domain RBAC database to LDAP server?
The rbactoldif command reads RBAC information from local RBAC database and converts it into LDIF format:
rbactoldif -d <base DN>
This writes the LDIF to stdout; redirect it to a file. Use the -s option to export only specific tables, giving one or more of the following letters, each naming a table:
- a: authorization table
- c: privileged command table
- d: privileged device table
- r: role table
- f: privileged file table
- e: domain table
- o: domain object table
Load LDIF file information to LDAP server, using ldapadd or idsldapadd command:
ldapadd -h <ldap server> -D <bind dn> -w <bind password> -i <file name>
Before loading RBAC database to LDAP server, load RBAC schema on LDAP server.
All RBAC and domain RBAC commands support LDAP. Use the -R LDAP option to create RBAC and domain RBAC definitions directly on the LDAP server.
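The RBAC command-delegation steps (mkauth, mkrole, setsecattr -c, setkst, chuser roles=) and the domain RBAC steps (mkdom, setsecattr -o, chuser domains=, setkst -t dom,domobj) described above, combined into one reviewable script. This is an added example, not code from the article or from IBM. The authorization aix.custom.fs.mount, role fs_operator, user opsuser, domain payroll, device /dev/hdisk4, user payadmin and the PV_* privilege names are illustrative assumptions. By default (DRY_RUN=1) the script prints the command sequence so it can be reviewed; with DRY_RUN=0 it executes the commands, which only works on an AIX system with enhanced RBAC enabled.

```shell
#!/bin/sh
# Added example (not from the original article). Names are hypothetical.
# DRY_RUN=1 prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command. In dry-run mode, arguments containing
# characters other than the plain set below are single-quoted so that the
# printed line can be pasted back into a shell unchanged.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        line=""
        for a in "$@"; do
            case "$a" in
                *[!A-Za-z0-9_./,=:-]*) a="'$a'" ;;
            esac
            line="$line${line:+ }$a"
        done
        printf '%s\n' "$line"
        return 0
    fi
    "$@"
}

# provision_role AUTH ROLE COMMAND USER
# Delegate one privileged command: authorization -> role -> privcmds entry
# -> kernel tables -> user. Nothing is enforced until setkst has run, so it
# is the last step before the role is handed to the user.
provision_role() {
    auth="$1"; role="$2"; cmd="$3"; user="$4"
    case "$cmd" in
        /*) ;;
        *) echo "privileged commands need an absolute path: $cmd" >&2; return 1 ;;
    esac
    run mkauth dfltmsg="Mount and unmount file systems" "$auth"
    run mkrole authorizations="$auth" dfltmsg="File system operator" "$role"
    # accessauths: who may run the command; innateprivs: privileges the
    # command gets when run this way. The PV_* names are illustrative; take
    # the real set from lssecattr -c output of a comparable shipped command.
    run setsecattr -c accessauths="$auth" innateprivs=PV_FS_MOUNT,PV_DAC_R \
        euid=0 "$cmd"
    run setkst -t auth,role,cmd
    run chuser roles="$role" "$user"
}

# isolate_device DOMAIN DEVICE USER
# Domain RBAC: put a device into a domain, make one user a member of that
# domain, then load the dom/domobj tables. With FSF_DOM_ANY the caller must
# be in at least one of the object's domains; everyone else is denied.
isolate_device() {
    dom="$1"; dev="$2"; user="$3"
    run mkdom dfltmsg="Payroll storage" "$dom"
    run setsecattr -o domains="$dom" objtype=device secflags=FSF_DOM_ANY "$dev"
    run chuser domains="$dom" "$user"
    run setkst -t dom,domobj
}

if [ "${1:-}" = "--demo" ]; then
    provision_role aix.custom.fs.mount fs_operator /usr/sbin/mount opsuser
    isolate_device payroll /dev/hdisk4 payadmin
fi
```

Run the script with --demo to print both sequences. The ordering is the point: setkst sits after the table edits and before the role or domain is handed to a user, because until the kernel tables are reloaded a freshly created role grants nothing and a newly tagged device is still unrestricted. The user then activates the role with swrole before running the privileged command.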
Encrypted File System (EFS)
The Encrypted File System (EFS) lets individual users encrypt their data on a file system using their own keystores. Each user is associated with a key, and the keys are held in a cryptographically protected keystore. On successful login, the user's keys are loaded into the kernel and associated with the process's credentials.
- How do you enable EFS on a system?
The efsenable command enables EFS on the system:
efsenable -a
Before enabling EFS, install the clic.rte fileset (the CryptoLite for C library). efsenable also requires that RBAC is enabled. It creates the /var/efs directory and adds the EFS attributes to the /etc/security/user and /etc/security/group files.
- How do you get a list of algorithms and ciphers that is supported by the EFS?
Type the following command to list the algorithms and ciphers supported by EFS:
efsenable -q
- Where are EFS key stores created on the system?
- EFS keystores are created under /var/efs directory.
- User keystores are created under /var/efs/users directory.
- Group keystores are created under /var/efs/groups directory.
- EFS admin keystore is created under /var/efs/efs_admin directory.
User keystores are protected with the user's password. If the login password and the keystore password are the same, the keys are loaded into the kernel automatically at login.
The admin keystore and group keystores are not password protected; they are protected with an access key.
- How do you manage EFS keystores on an AIX system?
efskeymgr manages user and group keystores on the system.
efskeymgr -v displays the keystore content for the logged-in user.
efskeymgr -V displays the list of keys currently loaded into the kernel.
- How do you manage encryption and decryption on files for an EFS?
efsmgr encrypts and decrypts files on the EFS.
efsmgr -c <cipher> sets the cipher used for encryption.
efsmgr -e <file> encrypts the file.
efsmgr -d <file> decrypts the file.
- How do you migrate an EFS database to an LDAP server?
The efskstoldif command reads the local keystore database and converts it into LDIF format:
efskstoldif -d <ldap basedn> > /tmp/efs.ldif
This exports all user and group keystore contents under the given base DN to /tmp/efs.ldif (any file name can be used). Load the file into the LDAP server with the ldapadd command. For more information on EFS, see the Related topics section.
Loadable Password Algorithms (LPA)
AIX 6.1 provides loadable password hashing algorithms (LPA) as an alternative to the traditional crypt, which uses only the first eight characters of a password. LPA algorithms accept passwords of up to 255 characters. LPA is also available from AIX 5.3 TL06 onwards. The following hashing algorithms are provided:
- MD5
- SHA-1
- SHA-256, SHA-512
- Blowfish
The algorithms are defined as stanzas in the /etc/security/pwdalg.cfg file. Administrators select one by setting pwd_algorithm under the usw stanza of /etc/security/login.cfg to the name of that stanza. The selected algorithm is used whenever a password is set with the passwd or pwdadm command.
MD5 and the SHA variants support passwords of up to 255 characters; Blowfish supports up to 72 characters.
- How do you set a password hashing algorithm on a system?
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=<algorithm name>
- How do you list a password hashing algorithm that is set on system?
lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
If no algorithm is displayed, the default crypt algorithm is in use. Note that changing pwd_algorithm affects only passwords set after the change: hashes already stored in /etc/security/passwd keep their old format until each user's password is changed. For additional information on LPA, see the Related topics section.
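An added example (not the article's or IBM's code) for the caveat above that pwd_algorithm only affects passwords set after the change. The script parses the stanza layout of /etc/security/passwd and reports, per user, whether the stored hash was produced by the configured algorithm, so an administrator can see which accounts still need a password change to finish a migration. SAMPLE_PASSWD is constructed sample data in that layout, not taken from a real system; the configured_algorithm helper assumes lssec prints `usw pwd_algorithm=<name>` and can only run on AIX.

```shell
#!/bin/sh
# Added example (not from the original article). Audits /etc/security/passwd
# hashes against the pwd_algorithm in force. LPA hashes carry a {name}
# prefix; the traditional crypt hash is a bare 13-character string.

# Constructed sample data in /etc/security/passwd stanza layout.
SAMPLE_PASSWD='root:
        password = {ssha512}06$k1Z9eTq3Wb2Lm0Xc$Rt7pQ2vBn4sHd8yF
        lastupdate = 1700000000
        flags =

opsuser:
        password = cSkF5Z7VvqnIk
        lastupdate = 1600000000
        flags = ADMCHG

svcacct:
        password = *
        lastupdate = 1600000000
        flags =
'

# audit_pwd_hashes ALGORITHM   (stanza text on stdin)
# Prints user:status where status is ok, legacy-crypt (13-character crypt
# hash), other-lpa:<name> (LPA hash made under a different algorithm),
# locked (no usable hash) or unknown-format.
audit_pwd_hashes() {
    awk -v want="$1" '
        # "user:" at column 0 opens a stanza; attribute lines are indented
        /^[^ \t#][^:]*:[ \t]*$/ { user = $1; sub(/:$/, "", user); next }
        /^[ \t]*password[ \t]*=/ {
            val = $0
            sub(/^[ \t]*password[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == "" || val == "*" || val == "!")
                status = "locked"
            else if (val ~ /^[{][a-z0-9]+[}]/) {
                alg = val
                sub(/^[{]/, "", alg); sub(/[}].*/, "", alg)
                status = (alg == want) ? "ok" : ("other-lpa:" alg)
            }
            else if (length(val) == 13)
                status = "legacy-crypt"
            else
                status = "unknown-format"
            print user ":" status
        }'
}

# Number of users whose hash predates the configured algorithm (stdin as above).
count_stale() {
    audit_pwd_hashes "$1" | grep -c -e ':legacy-crypt$' -e ':other-lpa:' || true
}

# AIX only: algorithm currently in force. Assumes lssec prints
# "usw pwd_algorithm=<name>"; empty means the default crypt.
configured_algorithm() {
    alg=$(lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm 2>/dev/null |
          sed -n 's/.*pwd_algorithm=//p')
    printf '%s\n' "${alg:-crypt}"
}

if [ "${1:-}" = "--sample" ]; then
    printf '%s' "$SAMPLE_PASSWD" | audit_pwd_hashes ssha512
fi
```

Run it with --sample to see the report for the built-in data. On an AIX system, as root, `audit_pwd_hashes "$(configured_algorithm)" < /etc/security/passwd` lists every account; any line that is not ok is a user who has not yet changed their password since pwd_algorithm was set (or a locked account, which needs no action).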
Trusted Execution (TE)
Trusted Execution (TE), available from AIX 6.1 onwards, verifies and guards the integrity of the system. It checks trusted files against a signature database and can enforce policies at runtime, for example checking executables listed in that database before they run (the CHKEXEC policy below). TE overlaps with and extends the functionality of the older Trusted Computing Base (TCB).
TE supports the following features:
- Managing Trusted Signature Database (TSD)
- Configuring Security Policies
- Trusted Execution Path and Trusted Library Path
- Auditing integrity of the Trusted Signature Database
- How does TE maintain critical or trusted files information?
TE uses the Trusted Signature Database (TSD) that resides under /etc/security/tsd/tsd.dat file. Use the trustchk command to add, delete, or list entries from the TSD.
- How do you check the integrity of all the files stored in the TSD against the system?
trustchk -n ALL
- How do you enable TE on the system?
trustchk -p TE=ON
- How do you disable TE on the system?
trustchk -p TE=OFF
- How do you enable a policy to check executable on a system?
Configure the policy by entering the following command:
trustchk -p CHKEXEC=ON
Activate the policy by entering the following command:
trustchk -p TE=ON
The policies are active only when Trusted Execution is ON.
- How do you list current hash algorithm of TSD?
- What are the lists of hash algorithms supported by TSD?
The following algorithms are supported by TSD:
- SHA 1
- SHA 256
- SHA 512
- Where are the TE policies stored?
TE policies are stored in the /etc/security/tsd/tepolicies.dat file.
- How do you migrate the TSD and TE policies database to an LDAP server?
Type the following command to convert locally defined information into an LDIF file format:
tetoldif -d <base DN>
This converts both the Trusted Signature Database (TSD) and the Trusted Execution policy database into LDIF format.
To convert only the TSD, specify the -s option. To convert only the Trusted Execution policy database, specify the -p option.
- What are the differences between TE and Trusted Computing Base (TCB)?
Trusted Computing Base (TCB) compared with Trusted Execution (TE):
- When enabled: TCB only during system installation; TE at runtime.
- Database: TCB uses /etc/security/sysck.cfg; TE uses /etc/security/tsd/tsd.dat and /etc/security/tsd/tepolicies.dat.
- Disabling: TCB cannot be disabled once installed; TE can be disabled at any time.
- Management command: tcbck manages the TCB database; trustchk manages the Trusted Signature Database.
For more information about Trusted Execution, see the Related topics section.
The AIX 6.1 security features provide fine-grained access control and dynamic integrity checking of the system. Several of the commands described here are new in AIX 6.1, and existing commands gained new options to support these features.
- See the AIX 6.1 Info Center for more information.