5.1.1 Privilege escalation: enhanced RBAC

Information

The recommendation is to configure RBAC to reflect the privileged command access requirements for all users of the system. RBAC is a default component of AIX 7.1.

Rationale:

Privileged command access should be limited to and defined by a user's individual needs. Access to a root command prompt should limited, wherever possible, to minimize the risk of inadvertent or deliberate misuse of the account.

The choice between sudo and enhanced RBAC revolves around whether or not the environment is heterogeneous in nature, running different flavors of UNIX, or perhaps different versions of AIX. It may be that sudo is the standard tool of choice for managing privileged command access across an entire UNIX estate. However, if the environment is AIX 6.1+ only, it is recommended that enhanced RBAC is used as the tool of choice. Some implementations however may benefit from a combined approach, utilizing both sudo and enhanced RBAC.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enhanced RBAC improves on its legacy implementation by allowing greater flexibility around command lists and authorization definitions, which can be customized. The definitions are also saved to a kernel table rather than in flat files, which improves security.
The implementation of RBAC is role based, allowing users to be specifically granted access to the privileged commands they need to perform their day to day tasks. The tool can be used to replace sudo in many instances, or indeed to work alongside it.
A successful implementation may also allow the root account to be deprecated.
The RBAC definition files:

/etc/security/privcmds
/etc/security/privfiles
/etc/security/privdevs

The command used to list the active RBAC definitions, i.e. those loaded into the kernel:

lskst

The command used to update RBAC definitions in the kernel table:

setkst

Further details regarding planning and implementation of RBAC can be found within the IBM AIX 7.1 Infocentre:
https://www.ibm.com/docs/en/aix/7.1?topic=control-aix-rbac
NOTE: The configuration of enhanced RBAC is completely dependent on the unique requirements of a given environment.

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 757face9f88a99c15e5f4772405428c3c7f14cece422af0560de91a3d87d8c69