Friday 14 August 2009

Using ACLs on TCPIP ports for AIX

Discretionary Access Control: TCP Connections (DA.4)

TCP-based services can be protected with ACLs as well. By specifying port, host/network and user combinations, ports can be restricted to specific hosts and/or users. For example, specifying port 6000, machine colorado and user joe means that only this user, coming from machine colorado, will be able to connect to the X server. The remote host uses TCP AH headers to send the information about the user together with the connection request, so the user identity is asserted by the connecting host and the control is only as strong as the trust placed in that host's own user authentication. AIX 5.2 checks /etc/security/acl for permitted clients.
With the DACinet feature of AIX 5.2 the concept of privileged ports (ports that can only be opened by the superuser, typically all ports below 1024) is extended so that any port can now be made a privileged port. A bitmap of privileged ports records whether a given port is privileged, and a system administrator can modify this bitmap.
This function contributes to satisfying the security requirements FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_SMF.1 and FMT_MSA.3.

The main command used for maintaining ACLs on TCP/IP ports is the dacinet command.

dacinet Command
Purpose
Administers security on TCP ports in CAPP/EAL4+ configuration.
Syntax
dacinet aclflush
dacinet aclclear Service | Port
dacinet acladd Service | Port [-] addr [/prefix_length] [u:user | uid | g:group | gid]
dacinet acldel Service | Port [-] addr [/prefix_length] [u:user | uid | g:group | gid]
dacinet aclls Service | Port
dacinet setpriv Service | Port
dacinet unsetpriv Service | Port
dacinet lspriv
Description
The dacinet command is used to administer security on TCP ports. See the Subcommands section for details of the various functions of dacinet.
Subcommands
acladd Adds ACL entries to the kernel tables holding access control lists used by DACinet. The syntax of the parameters for the acladd subcommand is:
[-]addr[/length] [u:user|uid | g:group|gid]
The parameters are defined as follows:

addr
A DNS hostname or an IP v4/v6 address. A "-" before the address means that this ACL entry is used to deny access rather than to allow access.
length
Indicates that addr is to be used as a network address rather than a host address; the first length bits of addr form the network prefix.

u:user|uid
Optional user identifier. If the uid is not specified, all users on the specified host or subnet are given access to the service. If supplied, only the specified user is given access.

g:group|gid
Optional group identifier. If the gid is not specified, all users on the specified host or subnet are given access to the service. If supplied, only the specified group is given access.

aclclear Clears the ACL for specified service or port.

acldel Deletes ACL entries from the kernel tables holding access control lists used by DACinet. The dacinet acldel subcommand deletes an entry from an ACL only if it is issued with parameters that exactly match the ones that were used to add the entry to the ACL. The syntax of the parameters for the acldel subcommands is as follows:
[-]addr[/length] [u:user|uid | g:group|gid]
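The sequence below is an added example, not code from the original post or from IBM's documentation. It strings together the subcommands described above to restrict one TCP service to one user on one host: clear any existing ACL, mark the port privileged, add an allow entry for the user/host pair, add an explicit deny entry for the rest of the subnet, and list what the kernel now holds. The port (23, telnet), user (joe), host (10.1.1.5) and network (10.1.1.0/24) are hypothetical, and the deny entry uses the `[-]addr[/length]` form from the subcommand description. The DACINET variable exists so the same script can be pointed at a logging stub to dry-run the sequence on a machine that does not have dacinet.

```shell
#!/bin/sh
# Added example (not from the original post or IBM's dacinet documentation):
# restrict a TCP service to one user on one host with the dacinet subcommands.
# All identifiers below (port 23, user joe, 10.1.1.5, 10.1.1.0/24) are
# hypothetical. Set DACINET to another program to dry-run the sequence.

DACINET="${DACINET:-dacinet}"

# Run one dacinet subcommand, echoing it first so the change is visible in
# the session log before the kernel tables are touched.
run_dacinet() {
    echo "+ $DACINET $*"
    "$DACINET" "$@"
}

# Restrict service/port $1 so that only user $3 connecting from host $2 is
# allowed; every other address in network $4 gets an explicit deny entry.
restrict_port() {
    port="$1"; host="$2"; user="$3"; net="$4"
    run_dacinet aclclear "$port"                 || return 1  # start from an empty ACL
    run_dacinet setpriv "$port"                  || return 1  # only root may open it locally
    run_dacinet acladd "$port" "$host" "u:$user" || return 1  # allow joe from one host
    run_dacinet acladd "$port" "-$net"           || return 1  # deny the rest of the subnet
    run_dacinet aclls "$port"                                 # show the resulting ACL
}

# Undo restrict_port. acldel only removes an entry when its arguments match
# the acladd exactly, so the same parameters are replayed here.
release_port() {
    port="$1"; host="$2"; user="$3"; net="$4"
    run_dacinet acldel "$port" "-$net"
    run_dacinet acldel "$port" "$host" "u:$user"
    run_dacinet unsetpriv "$port"
}

# Usage on a real AIX system (as root):
#   restrict_port 23 10.1.1.5 joe 10.1.1.0/24
#   release_port  23 10.1.1.5 joe 10.1.1.0/24
```

Two points to check before relying on this. First, the subcommands above change the kernel tables only; the text says AIX consults /etc/security/acl for permitted clients, so an entry that must survive a reboot also has to be placed in that file, whose format is not shown on this page. Second, the page does not state how allow and deny entries are ordered when both match a connection, nor whether a port with an ACL denies non-matching clients by default, so after running the sequence verify the result with `dacinet aclls 23` and a test connection from an address that should be refused.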

1 comment:

  1. Khurram,

    Can you show us how to use this feature on AIX to restrict, let's say, telnet or FTP or some other protocol for a specific user?

    James Shazely

