rbacqry Command
Purpose
Reports a set of used privileges and authorizations for a process.
Syntax
/usr/sbin/rbacqry [ -T | -C ] -n programname [ -i auditfile ] -u username [ -t timeperiod ]
/usr/sbin/rbacqry -c [ -s ] -u username -S
Description
The rbacqry command is a monitoring utility that helps enable role based access control (RBAC) for applications. It reports the privileges and authorizations that a program used after the program has been run. To do so, it uses the audit subsystem to log the privileges and authorizations of every process created by the program and of the processes those in turn spawn.
The rbacqry command operates only when the system is in enhanced RBAC mode. The privileges listed in its report can be assigned to the innateprivs and inheritprivs attributes of the application with the setsecattr command, which enables the command for RBAC. You can either consolidate the privileges used by the children of the process under the inheritprivs attribute, or create separate entries for the children in the /etc/security/privcmds file.
- The rbacqry command depends on the audit report that is generated by the AIX® auditing subsystem.
- The rbac audit class is added to the /etc/security/audit/config file when the rbacqry -c command is run. The audit class can also be configured manually.
- When tracing privileges and authorizations with this utility, assign the rbac audit class to a specific user in the /etc/security/audit/config file to avoid creating large audit logs.
- The rbacqry command does not suggest or provide any RBAC roles as part of its output. It reports only the privileges and authorizations used by the specified program.
- When tracing a shell script with the rbacqry tool, the first line of the script must name the shell interpreter (for example, #!/usr/bin/ksh).
Flags
Item | Description |
---|---|
-c | Configures the /etc/security/audit/config file with the rbac audit class for the specified user. |
-C | Reports the set of used privileges and authorizations for the process tree, with each set as a comma-separated list. This flag is mutually exclusive with the -T flag. |
-i auditfile | Specifies the audit trail file that the rbacqry command processes. If this flag is not specified, the /audit/trail file is used by default. |
-n programname | Specifies the name of the target program that is traced for used privileges. |
-s | Starts the auditing subsystem if it is turned off, or restarts it if it is already on. |
-S | Prints the output in stanza format. |
-T | Reports the set of used privileges and authorizations for the processes in a tree format. |
-t timeperiod | Specifies the number of days before the current system date from which the used-privilege report is generated. |
-u username | Specifies the user name. This flag is required both to configure the audit events for the user and to query the processes run by that user. |
Exit status
Exit value | Description |
---|---|
= 0 | Successful completion |
> 0 | An error |
Security
Item | Description |
---|---|
aix.fs.manage.restore | Required to run this command. |
Examples
- To determine the privileges and authorizations that are used by a program, use one of the following methods:
- When a program or application is run by a non-root user and must be traced with the rbacqry command, complete the following steps:
i. Enable the program for RBAC temporarily, under a root or authorized user's shell, by running the setsecattr command:
setsecattr -c accessauths=ALLOW_ALL innateprivs=PV_ROOT secflags=FSF_EPS progpath
Note: progpath must be the full path name of the program that the rbacqry command is to trace. While this entry exists, any user can run the program with PV_ROOT, so keep the window short and complete step (vi) as soon as the trace has been collected.
ii. Run setkst -t cmd (as root or an authorized user) to make the change effective.
iii. Run the rbacqry command under a root or authorized user's shell to configure the user for auditing:
rbacqry -c -s -u username
iv. Run the program or application as the non-root user.
v. When the program has finished, run the rbacqry command under a root or authorized user's shell to collect the used privileges and authorizations (additional options can also be used):
rbacqry -n program -u username
vi. Remove the program entry that step (i) added to the /etc/security/privcmds file by running the following commands as root or an authorized user:
rmsecattr -c progpath; setkst -t cmd
- When a program or application is executed by root (as a root login, or after switching to root with the su command) and must be traced with the rbacqry command, complete these steps:
i. Run the rbacqry command under a root or authorized user's shell to configure the user for auditing:
rbacqry -c -s -u root
ii. Run the program or application as root.
iii. When the program has finished, run the rbacqry command under a root or authorized user's shell to collect the used privileges and authorizations (additional options can also be used):
rbacqry -n program -u root
Note: When the traced program was run after switching to root with the su command, complete steps (i) and (ii) as above and then run the query with the original login user name instead of root:
rbacqry -n program -u user_name
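The non-root procedure above, carried through as one script, is an added example and is not part of this reference page or of AIX. The trace_program function runs steps (i) to (vi) with the AIX commands shown (it is only meaningful on an AIX host in enhanced RBAC mode, from a root or authorized user's shell), and privset and privcmd_entry turn the comma-separated -C report into the innateprivs set for the traced program and one consolidated inheritprivs set for its children, which is the split the Description section suggests for the privcmds entry. The function names, the program path /usr/sbin/chfs, the accessauths value, the user name scooby and the output file name are assumptions; the sample report is transcribed from the -C example on this page and embedded so that the parser runs offline.

```shell
#!/bin/sh
# Added example, not from the rbacqry reference page or from AIX: the non-root
# tracing procedure as one script, plus a parser that turns "rbacqry -C" output into
# the privilege sets for a /etc/security/privcmds entry. Names/paths are assumptions.

# Steps (i) to (vi) for a program run by a non-root user. Only meaningful on an AIX
# host in enhanced RBAC mode, run from a root or authorized user's shell.
# While the temporary entry exists, ANY user can run the program with PV_ROOT, so
# the window between setsecattr and rmsecattr is kept as short as possible.
trace_program() {
    path=$1; user=$2; report=$3        # full program path, traced user, output file
    setsecattr -c accessauths=ALLOW_ALL innateprivs=PV_ROOT secflags=FSF_EPS "$path"
    setkst -t cmd                      # load the new privcmds entry into the kernel
    rbacqry -c -s -u "$user"           # add the rbac audit class for this user only
    printf 'Run %s from a login session of %s now, then press Enter: ' "$path" "$user"
    read -r dummy                      # from the user's own login, not via su from root
    rbacqry -n "$(basename "$path")" -u "$user" -C > "$report"
    rmsecattr -c "$path"; setkst -t cmd   # drop the PV_ROOT entry immediately
}

# Print every PV_* privilege from a "-C" report (stdin) as one sorted, comma-separated
# set. mode "self" keeps the rows of the traced program itself (innateprivs);
# mode "children" keeps every other process in the tree (a consolidated inheritprivs).
privset() {
    mode=$1; prog=$2
    awk -v mode="$mode" -v prog="$prog" '
        NF == 0 || $1 == "CMD" || /^-+$/ || /^\.+$/ { next }   # header, rule, "......."
        $1 !~ /^PV_/ { cur = $1 }        # a row starting with a command name
        {                                # continuation rows start with PV_ and keep cur
            for (i = 1; i <= NF; i++) {
                n = split($i, tok, ",")  # -C joins one row of privileges with commas
                for (j = 1; j <= n; j++) {
                    if (tok[j] !~ /^PV_/) continue
                    if (mode == "self" && cur == prog) seen[tok[j]] = 1
                    if (mode == "children" && cur != prog) seen[tok[j]] = 1
                }
            }
        }
        END { for (p in seen) print p }
    ' | LC_ALL=C sort | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# The setsecattr command that replaces the temporary PV_ROOT entry: the program
# gets only what it used itself, its children get the consolidated inherited set.
# accessauths is the caller's choice; ALLOW_ALL from the tracing step must not be kept.
privcmd_entry() {
    prog=$1; path=$2; auth=$3; report=$4
    innate=$(printf '%s\n' "$report" | privset self "$prog")
    inherit=$(printf '%s\n' "$report" | privset children "$prog")
    printf 'setsecattr -c accessauths=%s innateprivs=%s inheritprivs=%s secflags=FSF_EPS %s\n' \
        "$auth" "$innate" "$inherit" "$path"
}

# Constructed input: the "-C" report for chfs from this page, truncated at ".......".
SAMPLE_REPORT='CMD        AUTHORIZATIONS           USED_PRIVS
----------------------------------------------------------------------------------
chfs       aix.fs.manage.change     PV_FS_RESIZE
extendlv   aix.lvm.manage.extend    PV_AU_ADMIN,PV_KER_ACCT
putlvcb    aix.lvm.manage           PV_FS_MKNOD,PV_PROC_PRIV,PV_KER_LVM,PV_DEV_QUERY
lextendlv  aix.lvm.manage.extend    PV_AU_ADD,PV_AU_PROC,PV_FS_MKNOD,PV_PROC_PRIV,
                                    PV_KER_ACCT,PV_KER_LVM,PV_DEV_QUERY,PV_SU_UID
savebase   aix.system.boot.create   PV_AU_PROC,PV_FS_MKNOD,PV_PROC_PRIV,PV_KER_ACCT,
                                    PV_KER_LVM,PV_DEV_QUERY,PV_SU_UID
compress   aix.fs.manage.backup     PV_KER_ACCT,PV_SU_UID
.......'

if [ "${1:-}" = "trace" ]; then
    trace_program "$2" "$3" "$4"       # e.g. ./rbactrace.sh trace /opt/app/bin/tool scooby /tmp/tool.rpt
else
    # Offline demonstration on the constructed sample (path and accessauths assumed).
    privcmd_entry chfs /usr/sbin/chfs aix.fs.manage.change "$SAMPLE_REPORT"
fi
```

Two caveats apply to the generated entry. The report only contains privileges exercised on the traced run, so trace representative workloads (including error paths) before trusting the set, and re-run after code changes. The accessauths value is deliberately not taken from the trace: the ALLOW_ALL used during tracing would let every user run the program with the listed privileges, so the final entry should name the authorization that the application's role design actually requires.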
- To determine the privileges and authorizations that are used by the chfs command (executed by user scooby, who holds the aix authorization) and by the processes it spawns, in tree-formatted output, run the following command:
# rbacqry -n chfs -u scooby -T
CMD                  AUTHORIZATIONS            USED_PRIVS
----------------------------------------------------------------------------------
chfs                 aix.fs.manage.change
|                                              PV_FS_RESIZE
|
|\extendlv           aix.lvm.manage.extend
| |                                            PV_AU_ADMIN PV_KER_ACCT
| |
| |\putlvcb          aix.lvm.manage
| | |                                          PV_FS_MKNOD PV_PROC_PRIV
| | |                                          PV_KER_LVM PV_DEV_QUERY
| | |
| | |\lextendlv      aix.lvm.manage.extend
| | | |                                        PV_AU_ADD PV_AU_PROC
| | | |                                        PV_FS_MKNOD PV_PROC_PRIV
| | | |                                        PV_KER_ACCT PV_KER_LVM
| | | |                                        PV_DEV_QUERY PV_SU_UID
| | | |
| | | |\savebase     aix.system.boot.create
| | | | |                                      PV_AU_PROC PV_FS_MKNOD
| | | | |                                      PV_PROC_PRIV PV_KER_ACCT
| | | | |                                      PV_KER_LVM PV_DEV_QUERY
| | | | |                                      PV_SU_UID
| | | | |
| | | | |\compress   aix.fs.manage.backup
| | | | | |                                    PV_KER_ACCT PV_SU_UID
| | | | |
.....
- To display the privileges and authorizations that are used by the chfs command (executed by user scooby, who holds the aix authorization) from a different audit trail file, run the following command:
# rbacqry -u scooby -n chfs -i /audit/trail_example
CMD        AUTHORIZATIONS           USED_PRIVS
----------------------------------------------------------------------------------
chfs       Used_Auth:               PV_DAC_O PV_FS_CHOWN
           aix.fs.manage.change     PV_FS_RESIZE
           Checked_Auths:
- To obtain a comma-separated list of the privileges that are used by the chfs command (executed by user scooby, who holds the aix authorization), run the following command:
# rbacqry -n chfs -u scooby -C
CMD        AUTHORIZATIONS           USED_PRIVS
----------------------------------------------------------------------------------
chfs       aix.fs.manage.change     PV_FS_RESIZE
extendlv   aix.lvm.manage.extend    PV_AU_ADMIN,PV_KER_ACCT
putlvcb    aix.lvm.manage           PV_FS_MKNOD,PV_PROC_PRIV,PV_KER_LVM,PV_DEV_QUERY
lextendlv  aix.lvm.manage.extend    PV_AU_ADD,PV_AU_PROC,PV_FS_MKNOD,PV_PROC_PRIV,
                                    PV_KER_ACCT,PV_KER_LVM,PV_DEV_QUERY,PV_SU_UID
savebase   aix.system.boot.create   PV_AU_PROC,PV_FS_MKNOD,PV_PROC_PRIV,PV_KER_ACCT,
                                    PV_KER_LVM,PV_DEV_QUERY,PV_SU_UID
compress   aix.fs.manage.backup     PV_KER_ACCT,PV_SU_UID
.......
This output format is useful when the USED_PRIVS set is to be added to the privileged command's entry in the /etc/security/privcmds database.
Note: Both system authorizations and custom authorizations can be traced. For system authorizations to appear in the output, a higher authorization (for example, the aix authorization) must be assigned to the user.
- To configure the user scooby for auditing, run one of the following commands:
- To configure the user and start auditing for that user, run the following command:
# /usr/sbin/rbacqry -c -s -u scooby
Audit subsystem started.
- To configure the user for auditing without restarting the auditing subsystem, run the following command:
# /usr/sbin/rbacqry -c -u scooby
Note: An entry for scooby is made in the /etc/security/audit/config file, but the user is not yet traced by the auditing subsystem because auditing was not restarted. Either restart the auditing subsystem manually, or run the rbacqry command again with the -s flag:
# /usr/sbin/rbacqry -c -s -u scooby
User scooby already configured for audit.
Audit subsystem started
- To display the report in stanza format (the -S flag), run the following command:
# rbacqry -u scooby -n chfs -S
chfs:
        Used_Auth=aix.fs.manage.change
        Checked_Auths=
        Used_Privs=PV_DAC_O,PV_FS_CHOWN,PV_FS_RESIZE
- To run the rbacqry command without any format option, run the following command:
# rbacqry -u scooby -n chfs
CMD        AUTHORIZATIONS           USED_PRIVS
----------------------------------------------------------------------------------
chfs       Used_Auth:               PV_DAC_O PV_FS_CHOWN
           aix.fs.manage.change     PV_FS_RESIZE
           Checked_Auths:
Note: The Checked_Auths field is blank when no checked authorizations are present. Otherwise the rbacqry command lists them, as in the following lsuser example:
# rbacqry -u scooby -n lsuser
CMD        AUTHORIZATIONS           USED_PRIVS
----------------------------------------------------------------------------------
lsuser     Used_Auth:               PV_AZ_CHECK PV_DAC_R
           ALLOW_ALL                PV_DAC_X
           Checked_Auths:
           aix.security.user.list
           aix.security.user.audit
           aix.security.efs
Files
File path | Description |
---|---|
/audit/trail | The default audit trail file in which the audit logs are captured. |