The 'lssec' command displays the security attributes of an AIX system.
These settings are modified with the 'chsec' command.
The official syntax is given below:
lssec Command
Purpose
Lists attributes in the security stanza files.
Syntax
lssec [ -c ] [ -f File ] [ -s Stanza ] [ -a Attribute ... ]
Description
The lssec command lists attributes stored in the security configuration stanza files. The
following security configuration files contain attributes that you can specify with the
Attribute parameter:
* /etc/security/environ
* /etc/security/group
* /etc/security/audit/hosts
* /etc/security/lastlog
* /etc/security/limits
* /etc/security/login.cfg
* /usr/lib/security/mkuser.default
* /etc/nscontrol.conf
* /etc/security/passwd
* /etc/security/portlog
* /etc/security/pwdalg.cfg
* /etc/security/roles
* /etc/security/smitacl.user
* /etc/security/smitacl.group
* /etc/security/user
* /etc/security/user.roles
* /etc/security/rtc/rtcd_policy.conf
When listing attributes in the /etc/security/environ, /etc/security/lastlog,
/etc/security/limits, /etc/security/passwd, and /etc/security/user files, the stanza name
specified by the Stanza parameter must be either a valid user name or default. When listing
attributes in the /etc/security/group file, the stanza name specified by the Stanza
parameter must be either a valid group name or default. When listing attributes in the
/usr/lib/security/mkuser.default file, the Stanza parameter must be either admin or user.
When listing attributes in the /etc/security/portlog file, the Stanza parameter must be a
valid port name. When listing attributes in the /etc/security/login.cfg file, the Stanza
parameter must be either a valid port name, a method name, or the usw attribute.
You cannot list the password attribute of the /etc/security/passwd file with the lssec
command.
Only the root user or a user with PasswdAdmin authorization can list the lastupdate and
flags attributes for administrative users.
Flags
Item            Description
-c              Specifies that the output should be in colon-separated format.
-f File         Specifies the name of the stanza file to list.
-s Stanza       Specifies the name of the stanza to list.
-a Attribute    Specifies the attribute to list.
Security
Access Control: This command grants execute access only to the root user and the security
group. The command has the trusted computing base attribute and runs the setuid subroutine
for the root user to access the security databases.
Attention RBAC users and Trusted AIX users: This command can perform privileged operations.
Only privileged users can run privileged operations. For more information about
authorizations and privileges, see Privileged Command Database in Security. For a list of
privileges and the authorizations associated with this command, see the lssecattr command
or the getcmdattr subcommand. To get the full functionality of the command, besides the
accessauths, the role should also have the aix.security authorization.
On a Trusted AIX system, only users with authorization aix.mls.clear.read can list
clearance attributes of other users. Only users with authorization aix.mls.tty.read can
list port attributes.
Files Accessed:
Mode    File
r       /etc/security/environ
r       /etc/security/group
r       /etc/security/audit/hosts
r       /etc/security/lastlog
r       /etc/security/limits
r       /etc/security/login.cfg
r       /usr/lib/security/mkuser.default
r       /etc/nscontrol.conf
r       /etc/security/passwd
r       /etc/security/portlog
r       /etc/security/pwdalg.cfg
r       /etc/security/roles
r       /etc/security/smitacl.user
r       /etc/security/smitacl.group
r       /etc/security/user
r       /etc/security/user.roles
r       /etc/security/domains
rw      /etc/security/rtc/rtcd_policy.conf
Examples
1 To list the number of unsuccessful login attempts by the root user since the last
successful login of the root user, enter:
lssec -f /etc/security/lastlog -s root -a unsuccessful_login_count
The system displays the result as follows:
root unsuccessful_login_count=15
2 To list the times that logins are allowed on the /dev/tty2 port, enter:
lssec -f /etc/security/login.cfg -s /dev/tty2 -a logintimes
The system displays the result as follows:
/dev/tty0 logintimes=!january1,!july4,!december25
3 To list the default setting for the tpath attribute and the ttys attribute in colon
format, enter:
lssec -c -f /etc/security/user -s default -a tpath -a ttys
The system displays the result as follows:
#name:tpath:ttys
default:nosak:ALL
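The colon format from example 3 is the easiest one to post-process when auditing several stanzas. The script below is an added example, not part of the IBM documentation: it converts `lssec -c` output into `stanza attr=value` lines and reports values that differ from a baseline. The function names, the user `appadm`, the sample output and the baseline values are constructed for illustration, and attribute values are assumed to contain no `:` characters.

```sh
#!/bin/sh
# Added example (not IBM code): audit colon-format lssec output.
# Assumption: attribute values contain no ':' characters.

# Turn a "#name:attr1:attr2" header plus data rows (the header repeats
# once per lssec call) into "stanza attr=value" lines.
lssec_colon_to_kv() {
    awk -F: '
        /^#/ { n = split(substr($0, 2), hdr, ":"); next }
        NF && n {
            for (i = 2; i <= n; i++) printf "%s %s=%s\n", $1, hdr[i], $i
        }'
}

# Compare "stanza attr=value" lines on stdin with a baseline file ($1)
# of "attr=value" lines. Prints each deviation; returns 1 if any exist.
check_baseline() {
    awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0) {
                eq = index(line, "=")
                if (eq) want[substr(line, 1, eq - 1)] = substr(line, eq + 1)
            }
        }
        {
            sp = index($0, " "); kv = substr($0, sp + 1)
            eq = index(kv, "="); a = substr(kv, 1, eq - 1)
            v = substr(kv, eq + 1)
            if ((a in want) && want[a] != v) {
                printf "DEVIATION %s (expected %s=%s)\n", $0, a, want[a]
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Constructed sample: what two runs of
#   lssec -c -f /etc/security/user -s <stanza> -a tpath -a ttys
# could print for "default" and a hypothetical user "appadm".
sample_output() {
    cat <<'EOF'
#name:tpath:ttys
default:nosak:ALL
#name:tpath:ttys
appadm:on:ALL
EOF
}
```

On an AIX host, replace `sample_output` with a loop that runs the `lssec -c` command from example 3 once per stanza and pipe the result through `lssec_colon_to_kv | check_baseline <baseline file>`.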
Files
Item                                  Description
/usr/bin/lssec                        Specifies the path to the lssec command.
/etc/security/environ                 Contains the environment attributes of users.
/etc/security/group                   Contains extended attributes of groups.
/etc/security/audit/hosts             Contains host and processor IDs.
/etc/security/lastlog                 Defines the last login attributes for users.
/etc/security/limits                  Defines resource quotas and limits for each user.
/etc/security/login.cfg               Contains port configuration information.
/usr/lib/security/mkuser.default      Contains the default values for new users.
/etc/nscontrol.conf                   Contains configuration information of some name services.
/etc/security/passwd                  Contains password information.
/etc/security/portlog                 Contains unsuccessful login attempt information for each port.
/etc/security/pwdalg.cfg              Contains configuration information for loadable password algorithms (LPA).
/etc/security/roles                   Contains a list of valid roles.
/etc/security/smitacl.user            Contains user ACL definitions.
/etc/security/smitacl.group           Contains group ACL definitions.
/etc/security/user                    Contains the extended attributes of users.
/etc/security/user.roles              Contains a list of roles for each user.
/etc/security/enc/LabelEncodings      Contains label definitions for the Trusted AIX system.
/etc/security/domains                 Contains the valid domain definitions for the system.
/etc/security/rtc/rtcd_policy.conf    Contains configuration information for the rtcd daemon.