Question: authexec, authqry, authrpt and rbac

OK, these commands are not part of RBAC; at least they are not included in the RBAC redbook.

Can you explain to me a little bit how these commands are useful to use (or not) on my servers? Especially authexec. Thanks tons.

Answer: authexec, authqry, authrpt and rbac

Hi again,

first, "rbac" doesn't seem to exist. Where did you get that information from? At least it's not a command.

authexec - is used to run a command under RBAC control in a special way.

The command must be in privcmds with "authroles = <some role>".

This is kind of a "four eyes" thing - one user invokes authexec, and a second user being authorized for a required role authenticates - then the command is run. "Four eyes" - because the invoking user and the authenticating user must be different!

authqry - this is a command I've not been aware of up to now!

It is used to configure auditing for a particular user in regard to authorization usage (remember our cases dealing with AUDIT and RBAC?).

With the "-c" flag authqry adds the specified userid (enabled for class "rbacqury") to audit/config and adds the class rbacqury ("PROC_SetRoles,PROC_ChkAuth,SEC_ChkAuth") as well, if it's not already present.

With "-q", usage of authorizations of the specified user is queried and listed. ("-t" specifies the number of days to report.)

Additionally, "-s" starts or restarts the audit subsystem.

authrpt - reports on authorizations: depending on the flags "-c, -f, -u, -r" a report on commands, files, users or roles is generated for the specified authorization. Without flags a report on all of the above is generated.

Example:

> authrpt aix.system.config.cron

authorization:
aix.system.config.cron
commands:
/usr/bin/atrm
/usr/bin/cronadm
/usr/sbin/cron
files:
/etc/cronlog.conf
/var/adm/cron/at.allow
/var/adm/cron/at.deny
roles:
sa
users:
user1
user2

Good question, by the way!

 wmp
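
As an added example (not part of the original answer and not IBM's code): a small Python parser for the authrpt report layout shown in the answer, used to compare the users and roles that hold an authorization against an approved list. The function names and the approved lists are assumptions for illustration; the sample text is copied from the report above.

```python
# Added example: parse an `authrpt` report (layout as shown in the answer)
# and flag holders of the authorization that are not on an approved list.
SECTIONS = ("authorization", "commands", "files", "roles", "users")

def parse_authrpt(text):
    """Return {section: [values]} for one authrpt report."""
    report = {name: [] for name in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):  # skip blanks and the echoed prompt
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]               # a section header such as "users:"
            continue
        if current is None:
            raise ValueError(f"value before any section header: {line!r}")
        report[current].append(line)
    return report

def unexpected_holders(report, approved_users, approved_roles):
    """Users and roles in the report that are missing from the approved lists."""
    return {
        "users": sorted(set(report["users"]) - set(approved_users)),
        "roles": sorted(set(report["roles"]) - set(approved_roles)),
    }

# Sample copied from the report in the answer above.
SAMPLE = """> authrpt aix.system.config.cron
authorization:
aix.system.config.cron
commands:
/usr/bin/atrm
/usr/bin/cronadm
/usr/sbin/cron
files:
/etc/cronlog.conf
/var/adm/cron/at.allow
/var/adm/cron/at.deny
roles:
sa
users:
user1
user2
"""

if __name__ == "__main__":
    rpt = parse_authrpt(SAMPLE)
    # Hypothetical approved lists: only user1 and role sa are expected.
    print(unexpected_holders(rpt, {"user1"}, {"sa"}))
```
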
