[rsbac] Default Role for New Created Users

Ahmed Alzhrani alzhrani.a at yahoo.com
Mon Aug 17 22:53:19 CEST 2020


I was wondering, besides the wrapper script to add users and assign their default role, I have developed other automation scripts and CLU/TUI programs that execute various system commands/programs. Let’s say, these scripts are owned by “admin-user” (or root?) but will need to run as sudo. 

In addition to using DAC permissions, how should I apply RC to fully control these types of programs?

I figured that I should create RC types for all system commands used within each automation script I have, and then assign type compatibilities/permissions to the scripts’ forced roles. This might break other programs in the server since they will need new permissions to the new RC types.

Is it better to just create the RC types and roles then run the RC Learning Mode to accelerate the hardening process?

Any advice is highly appreciated,
—alzhrani

> On Aug 11, 2020, at 3:31 AM, Ahmed Alzhrani <alzhrani.a at yahoo.com> wrote:
> 
> 
> 
> Your suggestion is appreciated. Thank you.
> 
> Regarding your question, I plan to use UM in the near future but right now I am using the traditional Linux shadow/passwd. My understanding is that you strongly recommend switching to UM.
> 
> Regards,
> Alzhrani 
> 
>>> On Aug 10, 2020, at 11:28 AM, Amon Ott <ao at rsbac.org> wrote:
>>> 
>> Am 09.08.20 um 01:49 schrieb Ahmed Alzhrani:
>>> I would like for all new users that will be created later with (a specific Linux group or maybe a range of UIDs) to be assigned a default RC role.
>>> Currently, a default role is General User for all users, but I would like to change that with my own custom role. Is this possible? Or do you think ACL is the way to go?
>>> A brief explanation would be great!
>> 
>> You can use a wrapper script that automatically sets the role after
>> creation and restrict adding a user to this script's force role.
>> 
>> Are you using RSBAC User Management or something else?
>> 
>> Amon.
>> -- 
>> https://www.rsbac.org
>> GnuPG: E25D2F7B0C561382570DB487DC2A69DA870FE7FF 2018-03-20