AIX Version 4.3 System Management Guide: Operating System and Devices

System Security Guidelines

The following guidelines are for system administrators who need to implement and maintain system security.

Introduction

Attention: Any operating environment may have unique security requirements that are not addressed in these guidelines. To ensure a secure system, system administrators may need to implement additional security measures not discussed here.

This information does not provide security guidelines for all operational environments. It is impossible to create a single set of guidelines for all security requirements. These guidelines are not intended to represent the only requirements for achieving a secure system.

It is helpful to plan and implement your security policies before you begin using the system. Security policies are very time consuming to change later, so a little planning now can save a lot of time later.

The security guidelines by category are:

Basic Security

Every system should maintain the level of security represented by these basic security policies.

User Accounts

Many attributes can be set for each user account, including password and login attributes. (For a list of configurable attributes, see "Managing Users and Groups".) The following are recommended:

File Ownership and User Groups

When a file is created, the operating system assigns the new file a user ID equal to the effective user ID of the process that created it. The group ID of the file is either the effective group ID of the process or the group ID of the directory that contains the file, depending on whether the set-group-ID (SGID) bit of that directory is set.

File ownership can be changed with the chown command.

The id command shows your user ID (UID), group ID (GID), and the names of all groups you belong to.

In file listings (such as the listings shown by the li or ls command), the three groups of users are always represented in the following order: user, group, and others. If you need to find out your group name, the groups command shows all the groups for a user ID.

The "File Ownership and User Groups" section in AIX Version 4.3 System User's Guide: Operating System and Devices contains more information about file and directory access modes.
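The group-inheritance rule described above can be observed directly with chmod, chgrp, ls and id. The following script is an added example, not part of the AIX guide: it builds a set-group-ID directory owned by one of the caller's groups, creates a file in it, and reports the group the file received. The directory path and file name are constructed for the demonstration; the helper names (file_group, has_sgid, pick_alt_group, demo_sgid_dir, demo_plain_dir) are this example's own.

```shell
#!/bin/sh
# Added example (not from the AIX guide): show how the set-group-ID bit on a
# directory makes new files inherit the directory's group instead of the
# creating process's effective group. Uses only chmod, chgrp, ls, awk and id.

# Print the group field (4th column) of a file's long listing.
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Return 0 if the directory's set-group-ID bit is set, 1 otherwise.
# The bit shows as 's' (or 'S' without group execute) in the group
# execute position, column 7, of the mode string printed by ls -ld.
has_sgid() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        d?????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pick a secondary group of the current user that differs from the primary
# group, so that inheritance is visible in the listing. Falls back to the
# primary group when the user has no other group (the file still inherits
# the directory group, it is just indistinguishable from the default).
pick_alt_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Create directory DIR owned by group GRP with the set-group-ID bit on,
# create an empty file inside it, and print the group of that file.
# Expected: the file's group equals GRP, whatever the caller's primary group is.
demo_sgid_dir() {
    dir=$1
    grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod g+s "$dir"
    : > "$dir/newfile"
    file_group "$dir/newfile"
}

# Same as above with the set-group-ID bit cleared. On AIX (and Linux) the
# file then takes the effective group of the creating process (id -gn).
demo_plain_dir() {
    dir=$1
    grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod g-s "$dir"
    : > "$dir/newfile"
    file_group "$dir/newfile"
}
```

Run both demo functions against a scratch directory and compare their output with `id -gn`: the set-group-ID directory hands its own group to every new file, which is why project directories shared by a group such as PROJECT are usually created with that bit set.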

Groups

Groups are collections of users who can share access permissions for protected resources. Plan your system groups before you begin creating them. Groups can make administration easier, but once you start using the system, it is harder to change your group organization. There are three types of groups: user, system administrator, and system-defined.

User Groups

In general, create as few user groups as possible.

Groups should be made for people who need to share files on the system, such as people who work in the same department, or people who are working on the same project.

For example, consider a small engineering office with three sets of people in the office: office support personnel, system administrators, and engineers. Only two user groups, one for each function in the office, are needed: OFFICE (for the office management staff), and ENGINEER (for the engineers). Later, for example, if a small group of engineers begins work on a special project, a new group called PROJECT can be created and those engineer user IDs can be added to the PROJECT group. Though users can be in more than one group at a time, as in this case, they can only have one primary group at a time. Users can change their primary group with the newgrp command.

It is also recommended for simple systems that you do not set the admin characteristic when creating groups. If a group has admin=true set in the /etc/security/group file, only the root user can administer that group.

System Administrator Groups

System administrators should be members of the SYSTEM group. SYSTEM group membership allows an administrator to perform some system maintenance tasks without having to operate with root authority.

System-Defined Groups

There are several system-defined groups. The STAFF group is the default group for all nonadministrative users created in the system. You can change the default group by using the chsec command to edit the /usr/lib/security/mkuser.default file.

The SECURITY group is a system-defined group having limited privileges for performing security administration. SECURITY group members have access to programs and files in the /etc/security directory. SECURITY group members can change most attributes for nonadministrative users and groups, such as the user's login shell or the membership of a nonadministrative group.

Most systems do not need to use this group; only multiuser systems with many users should consider using this group. Otherwise, system administrators can perform the same tasks as SECURITY group members by using the su command to gain root privilege.

The other system-defined groups are used to control certain subsystems. Consult the subsystem information to see if certain users should be defined as a member of those groups. The system-defined groups and users appear in the /etc/group file.
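Two files from this section, /etc/security/group (which carries the admin attribute mentioned under "User Groups") and /etc/group (which lists the system-defined groups and their members), are worth auditing together: every group with admin=true can be administered only by root, so the administrator should know exactly who is in those groups. The following script is an added example, not part of the AIX guide. It parses the AIX stanza format of /etc/security/group and the colon-separated format of /etc/group from constructed sample files written to a scratch directory; on a real system the same functions would be pointed at the live files. The function names (write_samples, admin_groups, group_members, admin_group_report) and the sample group and user names are this example's own.

```shell
#!/bin/sh
# Added example (not from the AIX guide): report the groups flagged
# admin = true in /etc/security/group together with their members from
# /etc/group. Requires only sh and awk.

# Write constructed sample copies of the two files into directory DIR.
# The contents mimic the AIX layouts: a stanza file (group name followed
# by a colon, attributes indented below it) and name:password:gid:members.
write_samples() {
    mkdir -p "$1"
    cat > "$1/security_group" <<'EOF'
system:
        admin = true

staff:
        admin = false

security:
        admin = true

project:
        admin = false
EOF
    cat > "$1/group" <<'EOF'
system:!:0:root,ops
staff:!:1:alice,bob
security:!:7:secadm
project:!:200:alice
EOF
}

# Print, in file order, the names of the stanzas in FILE that set
# admin = true. Stanza headers are unindented "name:" lines; attribute
# lines are indented "attr = value" lines; AIX stanza files use '*' for
# comments, which are skipped along with '#' lines.
admin_groups() {
    awk -F'[ \t]*=[ \t]*' '
        /^[^ \t#*][^:]*:[ \t]*$/ { stanza = $0; sub(/:.*/, "", stanza); next }
        $1 ~ /^[ \t]*admin$/ && $2 ~ /^true[ \t]*$/ { print stanza }
    ' "$1"
}

# Print the members of group NAME from the /etc/group-style file GROUPFILE,
# one per line. The fourth field is a comma-separated member list.
group_members() {
    awk -F: -v name="$2" '
        $1 == name {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
    ' "$1"
}

# For every admin group in SECFILE, print "group: member ..." using the
# membership recorded in GROUPFILE. A group with an empty member list is
# printed with nothing after the colon.
admin_group_report() {
    groupfile=$1
    secfile=$2
    for g in $(admin_groups "$secfile"); do
        printf '%s:' "$g"
        for m in $(group_members "$groupfile" "$g"); do
            printf ' %s' "$m"
        done
        printf '\n'
    done
}
```

Against the sample data the report lists system and security with their members and omits staff and project, which carry admin = false. On a live system, run `admin_group_report /etc/group /etc/security/group` and confirm that every listed member is an administrator who is expected to need root to have their group membership changed.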

File System Security

All file system objects (including files, directories, special files, link files, symbolic link files, and pipes) have security mechanisms associated with them. The most commonly used is the access control list (ACL), but the following additional ways of controlling file security can also be used:

Base ACLs: Specifies the permissions for the owner, group, and others. These permissions are controlled through the chmod command.