Migrating user information to RSBAC

Migrating existing users and groups

Before RSBAC can be used to manage security, the existing security infrastructure needs to be imported. This can be accomplished with the following commands:

lisa rsbac_groupadd -v -O
Adding old group root with gid 0 
Adding group root member root 
Adding old group bin with gid 1 
Adding group bin member root 
lisa rsbac_useradd -v -O
Account root seems to be disabled, disabling password 
Adding old user root 
Account bin seems to be disabled, disabling password 
Adding old user bin 
Account daemon seems to be disabled, disabling password 
Adding old user daemon 
... 

Resetting passwords

As you may have noticed during the above procedure, the password has been disabled for all accounts. This is because we have selected SHA1 password hashing and the PAM system uses MD5, so the existing hashes cannot be carried over. Before anyone can log in to the system, their password will need to be reset.

lisa rsbac_passwd -n
lisa rsbac_passwd -n secoff
lisa rsbac_passwd -n audit

Caution: This includes the passwords which were assigned to the Security Officer and Auditor accounts earlier.

Replacing existing tools

As you have probably noticed from the above commands, RSBAC provides new applications for managing users, groups and passwords. To ensure that these commands are used to manage security settings from now on, it is a good idea to mask the existing tools using symbolic links placed in a directory that has higher priority in the PATH. This way, calls to these tools will be "intercepted" and passed to the RSBAC tools instead.
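
One way to set up and verify the masking described above, as an added example that is not from the original page or the RSBAC project. The mask directory, the RSBAC tool directory and the mapping of each stock name to the rsbac_ tool of the same name are assumptions; only the three tools used on this page are covered.

```shell
#!/bin/sh
# Added example, not from the original page or the RSBAC project.
# Assumption: each stock tool is masked by the rsbac_ tool of the same name.
RSBAC_TOOLS="rsbac_useradd rsbac_groupadd rsbac_passwd"  # tools used on this page

# mask_tools MASK_DIR RSBAC_BIN_DIR
# Create MASK_DIR/<name> -> RSBAC_BIN_DIR/rsbac_<name> for each tool.
mask_tools() {
    mask_dir=$1
    rsbac_dir=$2
    mkdir -p "$mask_dir" || return 1
    for tool in $RSBAC_TOOLS; do
        target="$rsbac_dir/$tool"
        link="$mask_dir/${tool#rsbac_}"
        # A dangling link would break the command instead of redirecting it.
        if [ ! -x "$target" ]; then
            echo "missing or not executable: $target" >&2
            return 1
        fi
        # Only ever replace our own symlinks, never a real binary.
        if [ -e "$link" ] && [ ! -L "$link" ]; then
            echo "refusing to replace non-symlink: $link" >&2
            return 1
        fi
        ln -sf "$target" "$link" || return 1
    done
}

# check_masked MASK_DIR SEARCH_PATH
# Succeed only if every masked name resolves into MASK_DIR first when
# looked up along SEARCH_PATH (i.e. MASK_DIR really has higher priority).
check_masked() {
    mask_dir=$1
    search_path=$2
    for tool in $RSBAC_TOOLS; do
        name=${tool#rsbac_}
        resolved=$(PATH=$search_path; command -v "$name") || return 1
        if [ "$resolved" != "$mask_dir/$name" ]; then
            echo "$name still resolves to $resolved" >&2
            return 1
        fi
    done
}

# Usage (paths are placeholders for your system):
#   mask_tools /path/to/mask-dir /path/to/rsbac-tools
#   check_masked /path/to/mask-dir "$PATH"
```

Masking only redirects callers that look the tool up through PATH; scripts that invoke the stock tools by absolute path, or accounts whose PATH orders the directories differently, still reach the originals, which is why the check is run against the PATH actually in use.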