Trusted AIX system management
Guidelines for proper management of a Trusted AIX® system must be followed to ensure system security.
Trusted AIX system management is performed by certain users whose accounts are associated with administrative roles. These users are called the Information System Security Officer (ISSO), the System Administrator (SA), and the System Officer (SO), and each of them holds authorizations that allow them to perform a specific subset of administrative tasks. They are associated with the system-defined roles isso, sa, and so, respectively, and the terms ISSO, SA, and SO refer to users who hold the isso, sa, and so roles. Some administrative duties can only be carried out by two of the three system managers working together, because one manager acting alone does not possess sufficient authorizations to complete them. For example, when adding a new user to the system, only the SA can add the user account and only the ISSO can establish the user's password, clearance, and audit mask. This division of labor is known as the two-man rule.
The isso, sa, and so roles are associated with the following Trusted AIX authorizations by default. Take care when changing these associations, because altering them can undermine the separation of duties and make the system vulnerable.
| isso | sa | so |
|---|---|---|
| aix.mls.login | | |
| aix.mls.printer | | |
| aix.mls.network.config | | |
| aix.mls.network.init | | |
| aix.mls.network.config | | |
| aix.mls.login | | |
| aix.mls.pdir | | |
| aix.mls.system.label | | |
| aix.mls.tpath | | |
| aix.mls.label | | |
| aix.mls.system.config | | |
| aix.mls.proc | | |
| aix.mls.clear | | |
| aix.mls.lef | | |
| aix.mls.stat | | |
| aix.mls.printer | | |
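Because changing the role-to-authorization associations can quietly break the two-man rule, a practical check is to compare the live associations against a known-good baseline. The following POSIX shell script is an added example, not part of the IBM documentation: it assumes the roles are listed with `lsrole -a authorizations ALL`, which prints one `rolename authorizations=a,b,c` line per role, and it reads a constructed sample of that output instead of the live command so it runs offline. The baseline sets below are likewise constructed for illustration and are not IBM's actual defaults.

```shell
#!/bin/sh
# Added example: detect drift in Trusted AIX role-to-authorization associations.
# On a live host replace the constructed SAMPLE with:  lsrole -a authorizations ALL

# Constructed baseline (NOT the real defaults): role -> expected authorizations.
baseline_for() {
    case "$1" in
        isso) echo "aix.mls.clear,aix.mls.lef,aix.mls.login" ;;
        sa)   echo "aix.mls.pdir,aix.mls.system.config,aix.mls.tpath" ;;
        so)   echo "aix.mls.printer,aix.mls.stat" ;;
        *)    echo "" ;;
    esac
}

# Normalise a comma-separated list: one item per line, sorted, duplicates removed.
norm() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Read lsrole-style lines on stdin; print "OK <role>" or a DRIFT line per role.
# Exit status is 1 if any of isso/sa/so differs from the baseline, else 0.
check_roles() {
    rc=0
    while read -r role attrs; do
        case "$role" in isso|sa|so) ;; *) continue ;; esac   # ignore other roles
        actual=${attrs#authorizations=}
        expected=$(baseline_for "$role")
        missing=""; extra=""
        for a in $(norm "$expected"); do                       # in baseline, not live
            norm "$actual" | grep -qx "$a" || missing="$missing${missing:+,}$a"
        done
        for a in $(norm "$actual"); do                         # live, not in baseline
            norm "$expected" | grep -qx "$a" || extra="$extra${extra:+,}$a"
        done
        if [ -z "$missing" ] && [ -z "$extra" ]; then
            echo "OK $role"
        else
            echo "DRIFT $role missing=${missing:-none} extra=${extra:-none}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output: sa has gained aix.mls.clear (it could now set
# clearances without the ISSO), and so has lost aix.mls.stat.
SAMPLE='isso authorizations=aix.mls.clear,aix.mls.lef,aix.mls.login
sa authorizations=aix.mls.pdir,aix.mls.system.config,aix.mls.tpath,aix.mls.clear
so authorizations=aix.mls.printer'

printf '%s\n' "$SAMPLE" | check_roles || echo "drift detected, exit status $?"
```

The DRIFT line for sa is the kind of change that defeats the two-man rule, since the SA could then both create an account and assign its clearance.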