- We will create the PAM access rights required for our roles
- We will create a privileged command for the system administrators
- We will create and configure the roles
- We will assign the roles to the appropriate Groups in AD.
We will use the PDCA methodology outlined in the previous basics post to address business problem #1, in which we agreed that there will be 3 groups of users: System Admins, Web Server Users and Database Server Users. After the PDCA table-top exercise, the Security, UNIX and Windows leads came up with this table:
| Planning Question | Role: Super User | Role: Regular User |
|---|---|---|
| What is the role supposed to be allowed to do? | To allow super users to perform actions as root | To allow the member to perform user activities |
| What is their UNIX experience? (controlled or flexible) | Flexible | |
| What is the role NOT supposed to be allowed to do or know? | Users don't need to know the root password | No privileged commands |
| Are there any time/day restrictions to this role? | No restrictions | No restrictions |
| How is the role supposed to access the UNIX system? | All protocols, including the console | SSH access only |
| Are there any particular platform implications? | None | SOL1 uses the sshd-kbdinit fork |
| Are any additional controls required when privileges are used? | Authentication required | N/A |
| Is this assignment temporary or permanent? | Permanent | Permanent |
| What is the scope of this assignment? | All Systems (Zone) | Database Servers for DB Users; Web Servers for Web Users |
| Will this role be audited? | Yes | Yes |
| Will a group of people or a single individual have this role? | Group: UNIX System Admins | Groups: UNIX Database Server Users, UNIX Web Server Users |
Create the Oracle Solaris SSH daemon PAM access right
- Log on to CLIENT1 as Jessie Matthews.
- Open Access Manager and navigate to the HQ zone/Authorization/UNIX Rights, right-click PAM Access and select Add PAM access right.
- Create the SSH daemon PAM access right for Solaris: set both the name and the application to sshd-kbdinit, then press OK.
Create the privileged command for the system administrators
- In Access Manager, navigate to the HQ zone/Authorization/UNIX Rights, right-click PAM Access and select New Command.
- In the General tab, name the command (e.g. "run any command as root"). In the Command box, type the wildcard character (*); under Match Path, select Specific path and type the wildcard again. This makes the command right match any command at any path (*.*).
- In the Restricted Shell tab, uncheck the checkbox.
- In the Run As tab, make sure the root account is selected.
- In the Attributes tab, make sure the "Authentication Required" box is checked and select the user's password. Press OK.
Create and configure the UNIX System Admins role
- In Access Manager, navigate to the HQ zone/Authorization/UNIX Rights, right-click Role Definitions and select Add Role.
- In the General tab, give the role a name (UNIX System Admins).
- In the System Rights tab, UNIX rights section, check:
  - Password login and non-password (SSO) login are allowed
  - Non-Password (SSO) is allowed
  - Login with a Non-Restricted Shell
- Press OK. The role is now created, but it doesn't have any rights yet.
- Right-click the newly created role and select Add Right. Check the following:
  - login-all: this enables the role to log in via any PAM module, including the console.
  - run any command as root: this is the previously created privileged command.
- Press OK. This role is complete.
Create and configure the UNIX Regular User role
- In Access Manager, navigate to the HQ zone/Authorization/UNIX Rights, right-click Role Definitions and select Add Role.
- In the General tab, give the role a name (UNIX Regular User).
- In the System Rights tab, UNIX rights section, check:
  - Password login and non-password (SSO) login are allowed
  - Non-Password (SSO) is allowed
  - Login with a Non-Restricted Shell
- Press OK. The role is now created, but it doesn't have any rights yet.
- Right-click the newly created role and select Add Right. Check the following:
  - ssh: SSH daemon for Debian and Ubuntu
  - sshd: SSH daemon for all Linux and UNIX distributions except those above
  - sshd-kbdinit: SSH daemon for Solaris
- Press OK. This role is complete.
Assign the roles to the AD groups
Remember: sysadmins manage all systems; DB and Web Server users can only sign in to their server groups.
Note: before performing the following assignments, make sure you have created the corresponding AD security groups.
1. In Access Manager, navigate to the HQ zone/Authorization, right-click Role Assignments and select Assign Role. Select the UNIX System Admin role and press OK.
2. Click AD Account and in the Find drop-down box, select Group.
3. In the Name field, type UNIX and press Find. In the results, select the UNIX Super Users group and press OK twice.
4. Expand the Computer Roles node, then expand the Database Servers group, right-click Role Assignments and select Assign Role. Select the UNIX Regular User role and press OK.
5. Click AD Account and in the Find drop-down box, select Group.
6. In the Name field, type UNIX and press Find. In the results, select the UNIX Database Servers Users group and press OK twice.
7. Repeat steps 4-6 for Web Servers. Use the same role (UNIX Regular User) and assign it to the UNIX Web Server users AD group.
From this point on, assigning (or removing) roles in UNIX is performed by adding (or removing) users in those AD groups. You can use ADUC, PowerShell, Access Manager, VBScript or anything else that can manipulate groups in AD.
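Since role membership is now driven entirely by AD group membership, the day-to-day work (and the audit question from the planning table) reduces to managing and reviewing those three groups. The following PowerShell script is an added example, not part of the original post or of Access Manager: it uses the standard ActiveDirectory module (RSAT) to check that the groups exist and are security groups before anything is assigned, to grant or revoke a role by group membership, and to produce a membership report per role. The group names are the ones used above; the mapping to role names, the function names and the `jdoe` account are assumptions for illustration.

```powershell
# Added example (not from the original post): manage UNIX role assignments
# through the AD groups mapped to roles in Access Manager.
# Requires the ActiveDirectory module (RSAT) and rights to modify the groups.
Import-Module ActiveDirectory

# AD group -> role as assigned in Access Manager (mapping is illustrative).
$RoleGroups = @{
    'UNIX Super Users'            = 'UNIX System Admins (all systems in the zone)'
    'UNIX Database Servers Users' = 'UNIX Regular User (Database Servers)'
    'UNIX Web Server users'       = 'UNIX Regular User (Web Servers)'
}

function Test-RoleGroupsExist {
    # Mirrors the post's note: the AD security groups must exist before roles are assigned.
    foreach ($g in $RoleGroups.Keys) {
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $grp) {
            Write-Warning "Missing AD group: $g"
            return $false
        }
        if ($grp.GroupCategory -ne 'Security') {
            # A distribution group cannot be used for authorization.
            Write-Warning "AD group '$g' is not a security group"
            return $false
        }
    }
    return $true
}

function Grant-UnixRole {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Group
    )
    if (-not $RoleGroups.ContainsKey($Group)) { throw "Unknown role group: $Group" }
    Add-ADGroupMember -Identity $Group -Members $SamAccountName
}

function Revoke-UnixRole {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Group
    )
    if (-not $RoleGroups.ContainsKey($Group)) { throw "Unknown role group: $Group" }
    Remove-ADGroupMember -Identity $Group -Members $SamAccountName -Confirm:$false
}

function Get-UnixRoleReport {
    # -Recursive matters: a user nested through another group holds the role too,
    # which a plain look at direct members would miss during an audit.
    foreach ($g in $RoleGroups.Keys) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group = $g
                    Role  = $RoleGroups[$g]
                    User  = $_.SamAccountName
                }
            }
    }
}

# Usage with a placeholder account: grant DB-server access, then list who holds each role.
if (Test-RoleGroupsExist) {
    Grant-UnixRole -SamAccountName 'jdoe' -Group 'UNIX Database Servers Users'
    Get-UnixRoleReport | Sort-Object Group, User | Format-Table -AutoSize
}
```

The report function expands nested membership on purpose: because the role follows the group, anyone who reaches the group through another group also receives the UNIX role, so a periodic review should look at effective membership rather than direct members only.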
We have performed the Plan-Do. In a later post we will perform the Check-Adjust.