XCAT_zVM_Security


Document Abstract

This document provides a guide to security for xCAT on z/VM and Linux on System z. For technical support, please post your question(s) on the mailing list.

User Access Control

This section provides details on how to add users to xCAT and limit their privileges.

  1. Create an entry in the policy table
    # chtab priority=6.1 policy.name=fred policy.rule=allow

The policy table controls access for a specific user. Each priority number should be unique. Verify that the priority number you selected is not in use. In the example above, a user named fred is added to xCAT with a priority number of 6.1.

  2. By default, all commands are allowed for a user. To restrict the user to certain commands, set their policy.commands attribute. Select the commands from the list of xCAT Commands that are appropriate for the user.
    # chtab priority=6.1 policy.commands="rpower;mkvm;rmvm;lsvm;chvm;mkdef;lsdef;rscan;rinv;nodeadd"

Multiple commands can be specified, separated by semicolons. Be sure to use the same priority number that was used when creating the policy entry.

  3. Generate an encrypted password
    # perl -e "print crypt('rootpw', rand(12345678))"
    48aVyK0x4vqCc

The password being encrypted is rootpw. It uses Perl's crypt routine with a random number between 0 and 12345678 as the salt (crypt's second argument).

  4. Create an entry in the passwd table using the encrypted password created above
    # chtab username=fred passwd.key=xcat passwd.password=48aVyK0x4vqCc

More information can be found by going to Granting Users xCAT Privileges.
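The four steps above as one script, added here as an example and not taken from the xCAT wiki: it checks that a priority number is not already in use before the policy entry is created (the check the text asks for), builds the chtab lines, and produces the crypt hash. It assumes `tabdump policy` prints CSV with a `#` header line, priority in column 1 and name in column 2; SAMPLE_POLICY is constructed, not captured from a real node, and the salt is drawn from the crypt alphabet rather than from rand(12345678).

```shell
#!/bin/sh
# Added example, not from the xCAT wiki: helpers for steps 1-4 above.
# Assumption: `tabdump policy` prints CSV with a '#' header line,
# priority in column 1 and name in column 2. SAMPLE_POLICY is constructed.
SAMPLE_POLICY='#priority,name,host,commands,noderange,parameters,time,rule,comments,disable
"1","root",,,,,,"allow",,
"1.2",,,"getbmcconfig",,,,"allow",,
"4.4",,,"getpostscript",,,,"allow",,
"6.1","fred",,"rpower;mkvm;rmvm;lsvm",,,,"allow",,'

# priority_in_use PRIORITY CSV: succeeds if PRIORITY is already taken
priority_in_use() {
    printf '%s\n' "$2" | grep -v '^#' | awk -F',' -v p="$1" '
        { gsub(/"/, "", $1); if ($1 == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# next_free_priority BASE CSV: first BASE.N (N >= 1) that is not taken
next_free_priority() {
    n=1
    while priority_in_use "$1.$n" "$2"; do n=$((n + 1)); done
    printf '%s.%s\n' "$1" "$n"
}

# user_policy_cmds PRIORITY USER "cmd;cmd": chtab lines for steps 1 and 2
user_policy_cmds() {
    printf 'chtab priority=%s policy.name=%s policy.rule=allow\n' "$1" "$2"
    printf 'chtab priority=%s policy.commands="%s"\n' "$1" "$3"
}

# crypt_password PASSWORD: crypt(3) hash for step 3, with a two-character
# salt drawn from the crypt alphabet instead of rand(12345678) as on the page
crypt_password() {
    perl -e 'my @a = ("a".."z", "A".."Z", "0".."9", ".", "/");
             print crypt($ARGV[0], $a[rand @a] . $a[rand @a])' "$1"
}

# passwd_cmd USER HASH: chtab line for step 4
passwd_cmd() {
    printf 'chtab username=%s passwd.key=xcat passwd.password=%s\n' "$1" "$2"
}

# Typical use on the management node (live table, not the constructed sample):
#   P=$(next_free_priority 6 "$(tabdump policy)")
#   user_policy_cmds "$P" bob "rpower;lsvm" | sh
#   passwd_cmd bob "$(crypt_password 'secret')" | sh
```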

No Root Login

This section provides details on how to set up no-root login for xCAT and for virtual machines provisioned by xCAT.
