Being curious, I googled "AIX RBAC examples". Top hits:
- Article from developerworks, 2009 - which I'll comment on below
- Link to RBAC documentation, AIX 6.1 Infocenter (no comments)
- Link to (my) SecuringAIX RBAC example from a few weeks back (see below)
- BLOG article as quick primer on RBAC in 2007 - when it was real new! (see below)
- AIXmind article describing howto create a role (see below)
These five articles are, sadly, pretty much all there is on the internet when it comes to really working with RBAC on AIX. Sad because it is a great technology and too few are using it and/or writing about it. The most common excuse I hear is that Linux does not have it. Funny thing is, when I talk with Linux admins who are serious about security and have a few AIX systems - that does not prevent them from using Linux mechanisms on Linux. Others take what I consider to be the weaker solution: only use what is available on both; or the weakest solution - only what is available on all platforms (e.g., including MS, MacOS, Linux (Red Hat, Novell/SuSE, Debian, etc.), AIX, and whatever else we have). Bad choice: operating system technologies are generally going to be different when you get to the specifics. Better is to develop/write policy that is not dependent on any system (goals and requirements), then implement it with the best (i.e. native) mechanism on each platform, and maybe spend some time getting the results into a common format.
However, I digress from today's topic: what can we find on the internet?
Understanding advanced AIX features: Role-based access control in simple steps
This is written by an IBMer in India, probably (then) part of the AIX security development team. I like his introduction "Security Management Overview". Few words, right to the heart of the matter. We approach the core concepts from slightly different viewpoints - accent is probably a better word. My accent is to put more emphasis on authorizations.
Infocenter AIX Security, AIX 6.1
Not going to comment here: it is a manual, meant to be the reference (or the AIX 7.1 version).
My SecuringAIX RBAC example, September 2012
Rather than just name the commands, I try to place the commands more in context. I am happy it is scoring so well on Google. If I focus on the content - it is different, but similar to what is already available. And some of that was because my editor told me to shorten it. I see it as my quick and dirty methodology - which is also what #4 and #5 wanted to do. Touch on what needs to be done. The key weakness with #3, #4 and #5 is the lack of a quick summary - and the assumption that everything goes right the first time. That is not reality.
My hint to you: keep watching IBM Systems Magazine - AIX, because around 12 October my "more detailed" article/example will go live.
I have to compliment the author. He did cover all the topics, and color coded what "root" does and what "non-root" users do. But, just like #1, he blesses the standard three roles (isso, sa, so) - roles that always frustrated me because I never knew what was up or down when using sa/so. This year I found, and lost, a paragraph in #2 (the MANUAL) saying that isso, sa, and so are intended to serve as "examples" of how RBAC could be implemented - implying they are not finished!
Yes - he runs you through the commands in the right order. Yes, it is short and to the point. No, it does not instill in me any understanding of how to use this on a larger scale, nor why it could be really important to me as a system administrator or business owner. So, if you already understand the concepts and what you want to accomplish, this article may help you get your initial scripts written.
Til next time,
Michael AM (Michael in the Morning)