As with any operating system, you must administer users and groups. On most UNIX systems, the user with unlimited privilege and responsibility is the root user, also known as the superuser. In IPSO, the admin user takes the place of root and has exactly the same privileges. Whenever you need to make changes to your NSP, you log in as admin, because this account has read/write access to the system configuration files and full system access. In this section, we show you how to change the password on the admin account, how to create and delete user accounts, and how to configure groups on the system.
To manage users on your Nokia system, log in to Voyager and click Config. From here, click Users under the Security and Access Configuration heading. You should be presented with a screen like the one shown in Figure 20.11.
Figure 20.11: Managing Users
As mentioned previously, the admin user is the superuser on the system. If you review the settings for admin in the User Management display, you will see that admin has a UID and a GID of 0. UID stands for user ID, and GID stands for group ID. The UID of 0 is what gives admin its superuser privileges: the kernel checks the numeric UID, not the account name, so any account with UID 0 is a superuser. These values mean the same thing on almost all UNIX systems. Also listed on this page are admin's home directory, /var/admin, and login shell, /bin/csh, pronounced "C shell."
You configure a password for the admin user during the initial configuration of your Nokia platform. If you want to change the password for this user, follow this procedure:
1. From the User Management screen, fill in the Old password, New password, and New password (verify) fields, as shown in Figure 20.11.
2. Click Apply.
3. Click Save. You will be presented with a login prompt to reauthenticate.
4. Enter admin and the new password.
5. Click Save again, if the option is still available.
This screen also lets you set S/Key authentication for the admin user to either accepted or required.
Note: Using CLISH, you can change the admin user password with the following command:
The monitor user is available in IPSO as a read-only user. Once this user is enabled, you can log in as monitor through Voyager to view system configuration and resources, but you cannot make any changes to the configuration. This account is predefined in Voyager with the following values:
Name: Monitor
UID: 102
GID: 10
Home Directory: /var/monitor
Shell: /bin/csh
Password: None (cannot log in)
By default, the monitor user has no password and cannot log in to the system. To enable the monitor user, fill in the New password fields for it in Voyager, click Apply, and then click Save.
You can create other users who can log in to IPSO and Voyager. If you create a user with UID 0, that user will have read/write access through Voyager and the same permissions that admin has in IPSO: to the kernel it is simply another superuser, so create one only when you really need a second admin, and guard its password as carefully as admin's. Read-only accounts can be created as well; simply give each new account its own unused UID. To create another user from the User Manager configuration screen:
1. Scroll down to the Add new user section and type a username, UID, and home directory for the new user. For another superuser, enter a UID of 0.
2. Click Apply.
3. Enter a password into the New password text boxes for the new user and click Apply again.
4. Click Save.
Users without admin access will not be able to run the new command-line shell CLISH, but they can log in to IPSO and run commands to view system resources and configuration settings. These users will not be able to make any changes that will affect the system. If you would like to give some of these users certain privileges, you could do so by setting up groups, which is discussed in the next section.
You can view the users who are logged in to your system with the w command. If you type w while logged in to your Nokia, you should see output similar to the following. The first line shows the current time, how long the system has been up since the last reboot, the number of users logged in, and the CPU load averages over the last 1, 5, and 15 minutes; each following line shows one login session: the user, the terminal, the address the session came from, the login time, the idle time, and the command currently running.
    gatekeeper[cherie]# w
    10:28PM  up 2 days, 11 mins, 4 users, load averages: 0.03, 0.05, 0.00
    USER     TTY  FROM        LOGIN@   IDLE   WHAT
    admin    d0   -           Thu10PM  11:09  -csh (csh)
    monitor  p0   10.10.10.3  Fri07PM  1:26   -csh (csh)
    fwadmin  p1   10.10.10.3  9:01PM   -      -csh (csh)
    cherie   p2   10.10.10.3  10:28PM  -      w
Note: Use the following commands to add a new user using CLISH:
One way that you can give privileges to users without giving them carte blanche access to your system is to create groups of users. Then you can assign certain permissions to these groups, so that any user who is a member of the group will have the ability to perform certain functions. For example, if you are running Check Point FireWall-1, only admin users can run the programs in $FWDIR/bin. However, if you want to allow a couple of other users the ability to log in and stop or start firewall services or add licenses to the firewall (FireWall-1 4.1 only), you could create an fwadmin group (see the Group Management screen in Voyager in Figure 20.12). After the group is created, you can go into the cpconfig utility and set group permissions on the $FWDIR directories. If you have Check Point FireWall-1 4.1 installed, follow these steps to set up group permissions on your Nokia firewall:
Figure 20.12: Group Management
1. Log in to Voyager and click Config.
2. Click Groups under the Security and Access Configuration heading.
3. Fill in the Group Name fwadmin under the Add Group Name heading and enter a new GID of 100. See Figure 20.12 for an example.
4. Click Apply. You will now see the new group listed along with the default groups other and wheel.
5. Add users to your fwadmin group by entering an existing user account into the field labeled Add new member. For our example, let's add a user called sysadmin that was created previously.
6. Click Apply and then click Save.
7. Log in to IPSO as admin and run cpconfig. You will be presented with the following options:
    gatekeeper[cherie]# cpconfig
    This program will let you re-configure
    your Check Point products configuration.

    Configuration Options:
    ----------------------
    (1)  Licenses
    (2)  Administrators
    (3)  GUI clients
    (4)  SNMP Extension
    (5)  Groups
    (6)  PKCS#11 Token
    (7)  Random Pool
    (8)  Certificate Authority
    (9)  Automatic start of Check Point Products
    (10) Exit

    Enter your choice (1-10) :
8. Enter 5 to configure groups. You will be presented with the following output:
    Configuring Groups...
    =====================
    Check Point access and execution permissions
    -------------------------------------------
    Usually, a Check Point module is given group permission
    for access and execution.
    You may now name such a group or instruct the installation
    procedure to give no group permissions to the Check Point module.
    In the latter case, only the Super-User will be able to access
    and execute the Check Point module.

    Please specify group name [<RET> for no group permissions]:
9. Type fwadmin and press Enter.
10. The system will ask, "Group fwadmin will be used. Is this ok (y/n) [y]?" Press Enter to accept the default value y for yes.
11. The group permissions will then be set on the $FWDIR directories, and you will see the confirmation message "Setting Group Permissions... Done." on the screen. You will then be returned to the cpconfig menu shown in step 7. Type 10 to exit the configuration tool.
12. You will now be offered the option of restarting FireWall-1 services. Press Enter to accept the default setting y for yes.
Warning: With Check Point FireWall-1 Next Generation, this process doesn't seem to work properly. Although the $FWDIR group permissions are changed, a user in the fwadmin group receives errors when trying to run fw commands.
To change the group on files and directories from the command line, use the chgrp tool. For example, to put every file and directory under $FWDIR/bin into the fwadmin group, change directories into $FWDIR and issue the command chgrp -R fwadmin bin. The capital R makes the change recursive, covering the bin directory itself and everything beneath it. Note that chgrp only changes which group owns the files; the group's read and execute bits are set separately with chmod, so check the result with ls -l before expecting members of the group to be able to run anything.
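As an added example (not code from the book, from Nokia, or from Check Point), here is the same change scripted for a POSIX shell, together with the check that cpconfig does not show you. Because chgrp only changes the group owner, the script also grants the group read access everywhere and execute access wherever the owner already has it (g+rX), then walks the tree and reports anything the group still cannot read or execute. The directory and group name are parameters; the paths in the usage line are the page's $FWDIR/bin and fwadmin, not values read from a real box.

```shell
#!/bin/sh
# Added example: give a group access to a directory tree and verify it.
# Run it under /bin/sh (IPSO's csh has no shell functions).

# grant_group_access DIR GROUP
# chgrp -R changes the group owner only; chmod -R g+rX then adds group read
# everywhere and group execute only where the owner already has execute,
# i.e. on directories and on binaries such as those in $FWDIR/bin.
grant_group_access() {
    dir=$1
    grp=$2
    chgrp -R "$grp" "$dir"
    chmod -R g+rX "$dir"
}

# check_group_access DIR GROUP
# Lists every path under DIR that is not owned by GROUP, is not group
# readable, or is owner-executable without being group-executable.
# Returns 0 when the tree is clean and 1 (after printing the offenders)
# otherwise, so it can be used as the post-change check.
check_group_access() {
    dir=$1
    grp=$2
    # octal -perm masks: 040 = g+r, 100 = u+x, 010 = g+x
    bad=$(find "$dir" \( ! -group "$grp" \
                       -o ! -perm -040 \
                       -o \( -perm -100 -a ! -perm -010 \) \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage on the firewall (the page's example directory and group):
#   grant_group_access "$FWDIR/bin" fwadmin && check_group_access "$FWDIR/bin" fwadmin
```

Run the check on its own first to see what the group currently cannot reach; after grant_group_access it should print nothing and exit 0. A non-zero exit with a list of paths tells you exactly which files still need attention.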
Two groups are created by default on your Nokia Security Platform: the other group and the wheel group. Users without full system access, such as monitor, are members of the other group by default. Your admin user is a member of the wheel group. If you want other users to be able to use the su command (short for substitute user; it lets a user with limited privileges become admin, the superuser), you will need to add them to the wheel group, because on a BSD-derived system such as IPSO only wheel members are allowed to su to the superuser. Membership in wheel only permits the attempt: su still asks for admin's password, so anyone you add to wheel must know it and is in effect a second admin.
Note: Use the following syntax in CLISH to add a user to the wheel group:
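Because a second UID 0 account (described above under creating users) and wheel membership both amount to superuser access, both are worth auditing from the command line rather than from memory. The following script is an added example written for this chapter, not code from the book or from Nokia. It reads passwd- and group-format files, so it can be pointed at /etc/passwd and /etc/group on the firewall or at copies taken from it, and it looks up the wheel GID from the group file instead of assuming it. It is shown running on a constructed sample: the accounts cherie, backup and sysadmin, their UIDs and their home directories are made up for the demonstration.

```shell
#!/bin/sh
# Added example: find every account that is, or can become, the superuser.
# Run under /bin/sh. Functions take file paths so they work on live files
# (/etc/passwd, /etc/group) or on copies pulled off the box.

# uid0_accounts PASSWD_FILE -> login name of every UID 0 entry, one per line
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# duplicate_uids PASSWD_FILE -> UIDs shared by more than one account
# (the section tells you to give every new account its own UID; this finds
# the cases where that was not done, UID 0 included)
duplicate_uids() {
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# group_members GROUP_FILE NAME -> names in the group's member list
group_members() {
    awk -F: -v g="$2" '$1 == g { gsub(",", "\n", $4); if ($4 != "") print $4 }' "$1"
}

# primary_gid_members PASSWD_FILE GID -> accounts whose primary group is GID
# (these are in the group too, but never appear in the group file's list)
primary_gid_members() {
    awk -F: -v gid="$2" '$4 == gid { print $1 }' "$1"
}

# can_su PASSWD_FILE GROUP_FILE USER -> prints yes if USER already is UID 0 or
# is in wheel (by member list or by primary GID), otherwise no
can_su() {
    pw=$1; gr=$2; u=$3
    if uid0_accounts "$pw" | grep -qx "$u"; then echo yes; return; fi
    if group_members "$gr" wheel | grep -qx "$u"; then echo yes; return; fi
    wheel_gid=$(awk -F: '$1 == "wheel" { print $3 }' "$gr")
    if [ -n "$wheel_gid" ] && primary_gid_members "$pw" "$wheel_gid" | grep -qx "$u"; then
        echo yes; return
    fi
    echo no
}

# Constructed sample data (admin and monitor use the values given on the page;
# cherie, backup, sysadmin and the /var/... home directories are invented).
SAMPLE_PASSWD='admin:*:0:0:Admin:/var/admin:/bin/csh
monitor:*:102:10:Monitor:/var/monitor:/bin/csh
fwadmin:*:101:100:FW admin:/var/fwadmin:/bin/csh
cherie:*:0:0:Second superuser:/var/cherie:/bin/csh
backup:*:103:10:Backup operator:/var/backup:/bin/sh'
SAMPLE_GROUP='wheel:*:0:admin,backup
other:*:10:
fwadmin:*:100:fwadmin,sysadmin'

tmp=$(mktemp -d)
PASSWD_FILE=$tmp/passwd
GROUP_FILE=$tmp/group
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"
printf '%s\n' "$SAMPLE_GROUP" > "$GROUP_FILE"

echo "UID 0 accounts (expect only admin):"
uid0_accounts "$PASSWD_FILE" | sed 's/^/  /'
echo "Duplicate UIDs:"
duplicate_uids "$PASSWD_FILE" | sed 's/^/  /'
echo "Accounts that can reach admin with su:"
for u in $(awk -F: '{ print $1 }' "$PASSWD_FILE"); do
    if [ "$(can_su "$PASSWD_FILE" "$GROUP_FILE" "$u")" = yes ]; then echo "  $u"; fi
done
```

On the sample, the report lists admin and cherie as UID 0 accounts, UID 0 as duplicated, and admin, cherie and backup as able to reach admin through su; fwadmin and monitor cannot, which is the intended state for a user who only needs the group permissions set by cpconfig. To run it on the firewall, replace the two sample file variables with /etc/passwd and /etc/group.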