

Defining User Authority to Use Terminals

One of the most effective ways to block intruders from accessing the system is terminal protection, that is, controlling the source of the login. The source can be the host or the terminal (such as an X terminal or a console) from which the user logs in.

In today's modern architecture, a terminal is no longer the teletype machine UNIX was developed for. On most sites, a “pseudo terminal” is allocated through the pseudo terminal server (PTS) or by the X window manager, and the terminal's name is a meaningless symbol for the security system. CA ControlMinder protects what we understand as a terminal. CA ControlMinder implements terminal protection during the login stage, when CA ControlMinder defines a terminal in one of three ways:

You can define login rules for a specific host by defining this host in the TERMINAL class and adding the appropriate users and groups to the object's access list. For each login source, you can also limit the days and hours in which login from this host or terminal is allowed by setting the day and time restrictions for the TERMINAL object. You can also use wildcards in the TERMINAL class to define hosts that match a pattern (host name or IP address).

In most cases, highly authorized users such as the superuser or system administrators must be restricted to terminals that are located in secure places. Intruders and hackers who wish to enter the system as superuser are not able to do it from their own remote stations; they have to work from one of the authorized terminals, which should be in a secured location.

When logging in from the network, you cannot be certain that the user is indeed sitting in front of the host console. The user could be sitting in front of any terminal attached to that host or communicating from any other node in the network authorized to receive services from the requesting host. Permitting a user to log in from another host implies that we permit login to that user not only from that specific station but also from any other terminal authorized by that station. To ensure isolation between departments, define terminal groups and allow users of each department to work only from the terminal group of their department.

Unlike other resources, in terminal authorizations the more the user is authorized to access information, the lower the user's terminal authorization should be. The superuser must be the most restricted user in terminal access to ensure that nobody can log in as root from remote unsafe terminals.

When defining terminals, CA ControlMinder requires you to explicitly specify the owner of the terminal definition. The reason is that if root, as the security administrator, became the owner of the terminal by default, the terminal would be eligible for superuser login. In most cases, this is not wanted. To guard against mistakes that may unintentionally create loopholes, CA ControlMinder makes you define an owner when defining the terminal.

To define the terminal tty34, use the following command:

newres TERMINAL tty34 defaccess(none) owner(userA)

This command creates a record for the terminal tty34, sets its default access to NONE, and defines userA as its owner. Note that userA, as the owner of the terminal, is automatically allowed to enter the system through terminal tty34.

To prevent all users from logging in from the terminal tty34, specify “nobody” as the owner:

newres TERMINAL tty34 defaccess(none) owner(nobody)

To permit a user to log in from a particular terminal, enter the following command:

authorize TERMINAL tty34 uid(USR1)

This command permits USR1 to log in from terminal tty34.

Permission to use a terminal can also be granted to a group. For example, the following command permits members of the group DEPT1 to use the terminal tty34:

authorize TERMINAL tty34 gid(DEPT1)

To define a group of terminals (known as a terminal group), enter the following command:

newres GTERMINAL TERM.DEPT1 owner(ADM1)

To add member terminals to terminal group TERM.DEPT1, enter the following command:

chres GTERMINAL TERM.DEPT1 mem(tty34, tty35)

To authorize USR1 to use this terminal group, enter the following command:

authorize GTERMINAL TERM.DEPT1 uid(USR1)

This grants USR1 the authority to use both tty34 and tty35.
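
The following Python sketch is an added example, not CA ControlMinder code or part of the original documentation. It parses only the three selang command forms shown above and lists the terminals a user can log in from, so that a rule set can be checked for unintended superuser access through ownership. The function names, the sample policy, the treatment of an unspecified defaccess as none, and the fact that GTERMINAL ownership is ignored are assumptions of this simplified model.

```python
import re

# Constructed sample policy; uses only the selang command forms shown on this page.
POLICY = """\
newres TERMINAL console defaccess(none) owner(root)
newres TERMINAL tty34 defaccess(none) owner(userA)
newres TERMINAL tty35 defaccess(none) owner(nobody)
authorize TERMINAL tty34 gid(DEPT1)
newres GTERMINAL TERM.DEPT1 owner(ADM1)
chres GTERMINAL TERM.DEPT1 mem(tty34, tty35)
authorize GTERMINAL TERM.DEPT1 uid(USR1)
"""

CMD = re.compile(r"^(newres|chres|authorize)\s+(G?TERMINAL)\s+(\S+)\s*(.*)$")
OPT = re.compile(r"(\w+)\(([^)]*)\)")

def parse(policy):
    """Return {(class, name): record} built from newres/chres/authorize lines."""
    records = {}
    for line in policy.splitlines():
        m = CMD.match(line.strip())
        if not m:
            continue  # blank line or a command this model does not cover
        cls, name, rest = m.group(2, 3, 4)
        rec = records.setdefault((cls, name), {"owner": None, "defaccess": "none",
                                               "uid": set(), "gid": set(), "mem": set()})
        for key, value in OPT.findall(rest):
            if key in ("owner", "defaccess"):
                rec[key] = value.strip()
            elif key in ("uid", "gid", "mem"):
                rec[key].update(v.strip() for v in value.split(","))
    return records

def allowed_terminals(records, user, groups=()):
    """Map each terminal the user may log in from to the rule that allows it."""
    ids = {("uid", user)} | {("gid", g) for g in groups}
    result = {}
    for (cls, name), rec in records.items():
        listed = any(who in rec[kind] for kind, who in ids)
        if cls == "GTERMINAL" and listed:
            for term in rec["mem"]:
                result.setdefault(term, "via " + name)  # direct rules take precedence
        elif cls == "TERMINAL" and rec["owner"] == user:
            result[name] = "owner"  # owners are allowed automatically
        elif cls == "TERMINAL" and rec["defaccess"].lower() != "none":
            result[name] = "defaccess"  # assumption: any non-none default admits everyone
        elif cls == "TERMINAL" and listed:
            result[name] = "access list"
    return result
```

Calling allowed_terminals(parse(POLICY), "root") on the sample policy reports the console with the reason "owner", which is the case the explicit-owner requirement is meant to make visible.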