1. AIX user security concept
In AIX every user has a unique user name, user ID (UID) and password. File ownership is tied to the UID, and only root can change the owner of a file. The default superuser is root. The users adm, sys and bin are not allowed to log in. Users who need to share the same kind of files are placed in the same group; the two most common groups are system, the system administrator group, and staff, the general user group.
The basic principle of system security: each user is given a unique user name, UID and password. Once the user has logged in, whether a file access is allowed depends on the UID.
When a file is created, the creator's UID automatically becomes the file owner. Only the owner and root can modify its access permissions. Users who need to share a set of files can be placed in the same group, and each user can belong to several groups. Each group is assigned a unique group name and group ID (GID), and a GID is likewise assigned to every newly created file.
Control of root privileges deserves particular emphasis:
The number of people who use root privileges should be strictly limited;
The root password should not be disclosed, and the system administrator should change it periodically;
Different machines should have different root passwords;
The system administrator should log in as a normal user and then use the su command to obtain privileges;
The PATH environment variable used by root has a major bearing on system security: it should contain only absolute paths, never the current directory ("." or an empty entry) or a world-writable directory, otherwise a program planted there can be run by root by accident.
The security log is an important safeguard, and experienced system administrators use it routinely for security checks. The results of su are stored in /var/adm/sulog; login and logout records are stored in /var/adm/wtmp and /etc/utmp and can be read with the who command (who /var/adm/wtmp); illegal and failed logins are recorded in /etc/security/failedlogin, which is read with the same command (who /etc/security/failedlogin), and an unknown login name is recorded as unknown.
2. The access permissions for files and directories
Files and directories carry a set of permission bits. The standard read, write and execute permissions are defined at three levels: user (the file owner), group and others. In addition there are three special permission bits: SUID, SGID and SVTX (the sticky bit).
An executable file with the SUID bit runs with the file owner's UID as the effective UID of the process. AIX does not honor SUID on shell scripts, and SUID on a directory has no meaning. An executable file with the SGID bit runs with the file's group as the effective GID of the process. A directory with the SGID bit causes files and subdirectories created in it to inherit the directory's group ID rather than the creator's primary group. In AIX the sticky bit has no meaning on a file; on a directory it means that even though the directory is writable by everyone (as /tmp is), a user cannot arbitrarily delete files in it: only the owner of the file or the owner of the directory may delete it.
Bit    File                                                   Directory
r      user may read the file                                 user may list the directory's contents
w      user may modify the file's contents                    user may create or delete files in the directory
x      user may execute the file                              user may cd into the directory and reference it in PATH
SUID   program runs with the effective UID of the file owner  -
SGID   program runs with the effective GID of the file group  files and subdirectories created inside inherit the directory's GID
SVTX   -                                                      only the file's owner or the directory's owner may delete files in it
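As an added example (not code from the original article), the shell functions below apply the rules in the table: they decode the special bits from an ls -l mode string and flag the combinations the text calls meaningless (SUID on a directory, SVTX on a file) or risky (a world-writable directory without SVTX), list SUID/SGID files under a tree with find, and audit a PATH string for the entries that section 1 says a root PATH must never contain. The output wording and flag names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original article. Decodes ls -l mode strings,
# flags risky or meaningless special-bit combinations, lists SUID/SGID files,
# and audits a PATH string. Flag names are this example's own conventions.

# decode_mode MODESTRING: e.g. decode_mode drwxrwxrwt -> "directory: SVTX"
decode_mode() {
    m=$1
    t=$(printf '%s' "$m" | cut -c1)
    us=$(printf '%s' "$m" | cut -c4)   # SUID shows as s/S in the owner x slot
    gs=$(printf '%s' "$m" | cut -c7)   # SGID shows as s/S in the group x slot
    ow=$(printf '%s' "$m" | cut -c9)   # other-write
    os=$(printf '%s' "$m" | cut -c10)  # SVTX shows as t/T in the other x slot
    case "$t" in d) kind=directory ;; *) kind=file ;; esac
    bits=""; flags=""
    case "$us" in s|S) bits="$bits SUID" ;; esac
    case "$gs" in s|S) bits="$bits SGID" ;; esac
    case "$os" in t|T) bits="$bits SVTX" ;; esac
    # Rules from the table: SUID on a directory and SVTX on a file do nothing,
    # and a world-writable directory without SVTX lets anyone delete others' files.
    if [ "$kind" = directory ]; then
        case "$us" in s|S) flags="$flags SUID-on-directory-is-meaningless" ;; esac
        if [ "$ow" = w ]; then
            case "$os" in t|T) ;; *) flags="$flags world-writable-dir-without-SVTX" ;; esac
        fi
    else
        case "$os" in t|T) flags="$flags SVTX-on-file-is-meaningless" ;; esac
    fi
    [ -z "$bits$flags" ] && bits=" none"
    printf '%s:%s%s\n' "$kind" "$bits" "$flags"
}

# check_path PATHNAME: decode the mode of a real file or directory
check_path() {
    decode_mode "$(ls -ld "$1" | cut -c1-10)"
}

# list_setid_files DIR: SUID/SGID regular files under DIR, same filesystem only
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# unsafe_path_entries PATHSTRING: print each entry that is empty (current
# directory), relative, or an existing world-writable directory.
unsafe_path_entries() {
    printf '%s\n' "$1" | awk -F: '{ for (i = 1; i <= NF; i++) print $i }' |
    while IFS= read -r entry; do
        case "$entry" in
            "")  echo "(empty entry = current directory)" ;;
            /*)  if [ -d "$entry" ] && [ "$(ls -ld "$entry" | cut -c9)" = w ]; then
                     echo "$entry (world-writable)"
                 fi ;;
            *)   echo "$entry (relative)" ;;
        esac
    done
    return 0
}

decode_mode drwxrwxrwt          # directory: SVTX  (what /tmp should look like)
decode_mode -rwsr-xr-x          # file: SUID
decode_mode drwxrwxrwx          # directory: world-writable-dir-without-SVTX
unsafe_path_entries "$PATH"
# list_setid_files /            # run as root during an audit; not run here
```

Run list_setid_files / as root and compare the result with the previous audit: a new SUID or SGID file that no package installed is worth explaining. The same check_path call applied to /tmp should report "directory: SVTX".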
3. The security files
The files that store user attributes and control access to files and directories are:
/etc/passwd contains the valid users (without passwords);
/etc/group contains the valid groups;
/etc/security is the directory of security files, which ordinary users cannot access;
/etc/security/passwd contains the user passwords (as hashes);
/etc/security/user contains the user attributes, password rules and other constraints;
/etc/security/limits contains the user resource limits;
/etc/security/environ contains the user environment settings;
/etc/security/login.cfg contains the login settings;
/etc/security/group contains the group attributes.
4. Checking the consistency of the user environment
Three commands check the consistency of the user environment:
pwdck verifies the local authentication information: it checks the consistency between /etc/passwd and /etc/security/passwd, and between /etc/security/login.cfg and /etc/security/user;
usrck verifies the user definitions: it checks the user information in /etc/passwd, /etc/security/user, /etc/security/limits and /etc/security/passwd, and also /etc/group and /etc/security/group, to ensure the data are consistent;
grpck verifies the group definitions: it checks the consistency of the data in /etc/group, /etc/security/group and /etc/security/user.
These commands are run by root or by a member of the security group, typically as cleanup after the user configuration has been modified. With -n ALL (for example usrck -n ALL) they only report problems; with -y ALL they report and fix them.
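The following is an added example, not code from the original article or from AIX itself. It serves sections 3 and 4 together: a small reader for the stanza format of the /etc/security/* files listed in section 3 (a "name:" header followed by indented "attribute = value" lines, with a "default" stanza supplying values a user stanza omits), used to reproduce offline one of the consistency checks pwdck and usrck perform on the real files: every user that is allowed to log in should have a non-empty password entry in /etc/security/passwd. The three files are constructed for the example, the password hashes are placeholders, and the file names are the example's own; on AIX the real check is pwdck -n ALL.

```shell
#!/bin/sh
# Added example, not from the original article: a stanza-file reader for the
# /etc/security/* files, used to find login-capable users without a password.
# All three files below are constructed; the hashes are placeholders.

AIXCHK=${TMPDIR:-/tmp}/aixchk.$$
mkdir -p "$AIXCHK"
trap 'rm -rf "$AIXCHK"' EXIT

cat > "$AIXCHK/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
alice:!:201:1::/home/alice:/usr/bin/ksh
bob:!:202:1::/home/bob:/usr/bin/ksh
carol:!:203:1::/home/carol:/usr/bin/ksh
EOF

cat > "$AIXCHK/security_passwd" <<'EOF'
root:
        password = {ssha512}$6$placeholder-hash-root
        lastupdate = 1700000000
        flags =

alice:
        password = {ssha512}$6$placeholder-hash-alice
        lastupdate = 1700000000
        flags = ADMCHG

bob:
        password =
        lastupdate = 1700000000
        flags =
EOF

cat > "$AIXCHK/security_user" <<'EOF'
default:
        admin = false
        login = true
        su = true
        rlogin = true

root:
        admin = true
        login = true
        rlogin = false

daemon:
        login = false

bin:
        login = false
EOF

# stanza_get FILE STANZA ATTR: print ATTR's value from STANZA; if STANZA lacks
# it, fall back to the "default" stanza, the way AIX resolves user attributes.
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        /^[ \t]/ {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[ \t]+$/, "", key)
            val = substr(line, n + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (cur == want && key == attr) { print val; found = 1; exit }
            if (cur == "default" && key == attr) dflt = val
        }
        END { if (!found && dflt != "") print dflt }
    ' "$1"
}

# unpassworded_logins PASSWD SECPASSWD SECUSER: users whose login attribute is
# not false but whose password entry is missing or empty.
unpassworded_logins() {
    while IFS=: read -r user _rest; do
        case "$user" in ""|\#*) continue ;; esac
        if [ "$(stanza_get "$3" "$user" login)" = "false" ]; then
            continue
        fi
        if [ -z "$(stanza_get "$2" "$user" password)" ]; then
            echo "$user"
        fi
    done < "$1"
    return 0
}

stanza_get "$AIXCHK/security_user" root admin    # true
stanza_get "$AIXCHK/security_user" alice su      # true, inherited from default
echo "Login-capable users without a password:"
unpassworded_logins "$AIXCHK/passwd" "$AIXCHK/security_passwd" "$AIXCHK/security_user"   # bob, carol
```

Pointing the same functions at /etc/passwd, /etc/security/passwd and /etc/security/user reproduces one of pwdck's findings; the real command also fixes what it finds, which this reader deliberately does not.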