The 'chsec' command modifies certain security attributes of an AIX server.
Once modified, these attributes can be viewed with the 'lssec' command.
The official syntax is given below.
chsec Command
Purpose
Changes the attributes in the security stanza files.
Syntax
chsec [ -f File] [ -s Stanza] [ -a Attribute = Value ... ]
Description
The chsec command changes the attributes stored in the security configuration stanza files.
These security configuration stanza files have attributes that you can specify with the
Attribute = Value parameter:
* /etc/security/environ
* /etc/security/group
* /etc/security/audit/hosts
* /etc/security/lastlog
* /etc/security/limits
* /etc/security/login.cfg
* /usr/lib/security/mkuser.default
* /etc/nscontrol.conf
* /etc/security/passwd
* /etc/security/portlog
* /etc/security/pwdalg.cfg
* /etc/security/roles
* /etc/security/rtc/rtcd_policy.conf
* /etc/security/smitacl.user
* /etc/security/smitacl.group
* /etc/security/user
* /etc/security/user.roles
When modifying attributes in the /etc/security/environ, /etc/security/lastlog,
/etc/security/limits, /etc/security/passwd, and /etc/security/user files, the stanza name
specified by the Stanza parameter must either be a valid user name or default. When
modifying attributes in the /etc/security/group file, the stanza name specified by the
Stanza parameter must either be a valid group name or default. When modifying attributes in
the /usr/lib/security/mkuser.default file, the Stanza parameter must be either admin or
user. When modifying attributes in the /etc/security/portlog file, the Stanza parameter
must be a valid port name. When modifying attributes in the /etc/security/login.cfg file,
the Stanza parameter must either be a valid port name, a method name, or the usw attribute.
When modifying attributes in the /etc/security/login.cfg or /etc/security/portlog file in a
stanza that does not already exist, the stanza is automatically created by the chsec
command.
You cannot modify the password attribute of the /etc/security/passwd file using the chsec
command. Instead, use the passwd command.
Only the root user or a user with an appropriate authorization can change administrative
attributes. For example, to modify administrative group data, the user must be root or have
GroupAdmin authorization.
Flags
  -a Attribute = Value   Specifies the attribute to modify and the new value for that
                         attribute. If you do not specify the value, the attribute is
                         removed from the given stanza.
  -f File                Specifies the name of the stanza file to modify.
  -s Stanza              Specifies the name of the stanza to modify.
Security
Access Control
This command grants execute access only to the root user and the security group. The
command has the trusted computing base attribute and runs the setuid command to allow the
root user to access the security databases.
On a Trusted AIX system, only users with the aix.mls.clear.write authorization can modify
clearance attributes. Only users with the aix.mls.tty.write authorization can modify the
port attributes.
Auditing Events
  Event         Information
  USER_Change   user name, attribute
  GROUP_Change  group name, attribute
  PORT_Change   port, attribute
Files Accessed
  Mode  File
  rw    /etc/security/environ
  rw    /etc/security/group
  rw    /etc/security/audit/hosts
  rw    /etc/security/lastlog
  rw    /etc/security/limits
  rw    /etc/security/login.cfg
  rw    /usr/lib/security/mkuser.default
  rw    /etc/nscontrol.conf
  rw    /etc/security/passwd
  rw    /etc/security/portlog
  rw    /etc/security/pwdalg.cfg
  rw    /etc/security/roles
  rw    /etc/security/rtc/rtcd_policy.conf
  rw    /etc/security/smitacl.user
  rw    /etc/security/smitacl.group
  rw    /etc/security/user
  rw    /etc/security/user.roles
Attention RBAC users and Trusted AIX users: This command can perform privileged operations.
Only privileged users can run privileged operations. For more information about
authorizations and privileges, see Privileged Command Database in Security. For a list of
privileges and the authorizations associated with this command, see the lssecattr command
or the getcmdattr subcommand. To get the full functionality of the command, besides the
accessauths, the role should also have the following authorizations:
* aix.security.user.audit
* aix.security.role.assign
* aix.security
To perform the chsec command on the /etc/security/rtc/rtcd_policy.conf file, the role
should also have the following authorization:
* aix.security.config
Examples
  1. To change the /dev/tty0 port to automatically lock if 5 unsuccessful login attempts
     occur within 60 seconds, enter:
       chsec -f /etc/security/login.cfg -s /dev/tty0 -a logindisable=5 -a logininterval=60
  2. To unlock the /dev/tty0 port after it has been locked by the system, enter:
       chsec -f /etc/security/portlog -s /dev/tty0 -a locktime=0
  3. To allow logins from 8:00 a.m. until 5:00 p.m. for all users, enter:
       chsec -f /etc/security/user -s default -a logintimes=:0800-1700
  4. To change the CPU time limit of user joe to 1 hour (3600 seconds), enter:
       chsec -f /etc/security/limits -s joe -a cpu=3600
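Added example, not part of the IBM reference: a POSIX shell parser for the stanza layout that chsec writes and lssec reads, so the port lockout setting from example 1 can be audited on a copy of /etc/security/login.cfg without an AIX host. The sample file content and the helper names stanza_attr and port_lockout_ok are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the IBM chsec reference. Parses the AIX stanza
# layout ("name:" line followed by indented "attr = value" lines) that chsec
# writes and lssec reads, so a defender can audit port lockout settings on a
# copied /etc/security/login.cfg without an AIX host.

# Constructed sample standing in for /etc/security/login.cfg after example 1
# (chsec -f /etc/security/login.cfg -s /dev/tty0 -a logindisable=5 -a logininterval=60).
SAMPLE_CFG="${TMPDIR:-/tmp}/login.cfg.sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
* constructed sample, not a real AIX file
default:
        logindisable = 0
        logininterval = 0

/dev/tty0:
        logindisable = 5
        logininterval = 60
EOF

# stanza_attr FILE STANZA ATTR: print ATTR's value from STANZA, or fail if it
# is absent (the value that "lssec -f FILE -s STANZA -a ATTR" reports on AIX).
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^[^[:space:]*][^:]*:[[:space:]]*$/ { cur = $0; sub(/:[[:space:]]*$/, "", cur); next }
        cur == stanza && $1 == attr {
            sub(/^[[:space:]]*[^=]*=[[:space:]]*/, ""); print; found = 1; exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# port_lockout_ok FILE PORT: succeed only if PORT locks after a finite number
# of failed logins inside a non-zero interval (logindisable and logininterval
# both greater than 0); a 0 in either attribute leaves the port without lockout.
port_lockout_ok() {
    d=$(stanza_attr "$1" "$2" logindisable) || return 1
    i=$(stanza_attr "$1" "$2" logininterval) || return 1
    [ "${d:-0}" -gt 0 ] && [ "${i:-0}" -gt 0 ]
}

# Stand-alone run: report the two stanzas from the sample.
for port in default /dev/tty0; do
    if port_lockout_ok "$SAMPLE_CFG" "$port"; then
        echo "$port: lockout configured"
    else
        echo "$port: NO lockout (logindisable/logininterval unset or 0)"
    fi
done
```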
Files
  /usr/bin/chsec                      Specifies the path to the chsec command.
  /etc/security/environ               Contains the environment attributes of users.
  /etc/security/group                 Contains extended attributes of groups.
  /etc/security/audit/hosts           Contains host and processor IDs.
  /etc/security/lastlog               Defines the last login attributes for users.
  /etc/security/limits                Defines resource quotas and limits for each user.
  /etc/security/login.cfg             Contains port configuration information.
  /usr/lib/security/mkuser.default    Contains the default values for new users.
  /etc/nscontrol.conf                 Contains the configuration information of some name services.
  /etc/security/passwd                Contains password information.
  /etc/security/portlog               Contains unsuccessful login attempt information for each port.
  /etc/security/pwdalg.cfg            Contains the configuration information for loadable password algorithms (LPA).
  /etc/security/roles                 Contains a list of valid roles.
  /etc/security/rtc/rtcd_policy.conf  Contains the configuration information for the rtcd daemon.
  /etc/security/smitacl.user          Contains user ACL definitions.
  /etc/security/smitacl.group         Contains group ACL definitions.
  /etc/security/user                  Contains the extended attributes of users.
  /etc/security/user.roles            Contains a list of roles for each user.
  /etc/security/enc/LabelEncodings    Contains label definitions for the Trusted AIX system.
  /etc/security/domains               Contains the valid domain definitions for the system.