role-based access Control in AIX, part 3rd

Protecting the root user's security

The following sections describe how to disable the root user when running in Enhanced RBAC mode.

Choose to protect the root user's security

When the AIX system is running in enhanced RBAC mode, the system can be configured so that the root user does not have Superuser privileges and is disabled so that the root account loses logon rights.

Typically, in AIX, the root user has a UID value of 0, which the operating system takes as a privilege uid, and allows the root user to bypass mandatory security checks. You can effectively remove these operating system checks by disabling the root user.

After the root user is disabled, the root user is restricted from being allowed access to the system, although it will still retain the DAC ownership of the file (if it can access the account). Although the root user can still own a file object, it cannot access the root user through the SU command, or remotely, or from the defined system console.

Traditional UNIX management relies on enabling root users to execute certain privileged commands, and for attackers, they want to enable root users and focus all their power on the root user.

An attacker could attempt to gain access to the root user, and if the integrity of the root user were compromised, the attacker would be free to execute any privileged commands for malicious purposes. If access to unauthorized root users is obtained, the attacker can cause widespread and unrestricted damage to the system. This deliberate damage is called malicious root.

In an enhanced RBAC system with root users disabled, it is possible to minimize the harm that an attacker can cause, because the root user is disabled. Even if an attacker destroys an existing network security facility and receives a login prompt, the attacker cannot access the root account remotely, either at the console, or through the SU command.

After the root user is disabled, the system administration task must be performed by a user other than the root user. You need to access the privileged commands and files owned by the root user through one or more other user accounts.

Using the predefined Isso, so, and SA roles in AIX V6 is an example of this approach.

Important: The Isso, so, and SA roles may not include all privileged commands or authorizations required to administer the system.

Therefore, before attempting to disable the root user's functionality, you should carefully analyze the system and the applications that are being used in the system.

Disable root user

The setsecconf command enables you to disable various features of the root user.

In this scenario, we first assign the Isso role to the Oper1 user, so that we can test the Oper1 user to execute the privileged commands required to disable or enable root user mode.

Oper1 users still have shutdown_reboot roles, so oper1 users can still execute reboot and shutdown commands to reboot the system.

Execute the following command, and then reboot the system to disable the root user's functionality:

1. Log in as a oper1 user and perform the Swrole command to enable the Isso role:

Swrole Isso