usrck : Validation de définition utilisateur

Détails: Catégorie parente: AIX; Catégorie : Les commandes; Mis à jour : 6 juin 2012; Affichages : 281

Cette commande permet de valider la définition d'un utilisateur spécifié en argument.

Ci-dessous la syntaxe officielle.

Commande : 'usrck'

Objet

Vérifie la validité d'une définition d'utilisateur AIX.

Syntaxe

usrck { -l [ -b ] | -n | -p | -t | -y } { ALL | User ... }

Description.

La command 'usrchk' permet de validation les définitions de tous les utilisateurs du système ou seulement de celui passé en argument.

Si plusieurs utilisateurs doivent être traités, un espace doit séparer chaque nom.

Suivant les niveaux de correction choisi, il est nécessaire de passer des paramètres en option.

Tout d'abord, la commande vérifie les entrées du fichier '/etc/passwd'.

Si vous indiquez que le programme doit corriger les erreurs, les noms dupliqués sont affichés et désactivés.De même pour les "Duplicate IDs" Sachant qu'il n'y a pas de correctif système.

Si une entrée possède moins de 6 séprareteurs de colonne, un message est affiché, sans correction.

Ensuite, la commande vérifie les attributs utilisateurs dans les autres fichiers.

The usrck command verifies that each user name listed in the /etc/passwd file has a stanza in the /etc/security/user, /etc/security/limits and /etc/security/passwd files. The usrck command also verifies that each group name listed in the /etc/group file has a stanza in the /etc/security/group file. The usrck command using the -y flag creates stanzas in the security files for the missing user and group names.

Note:

La commande envoie les messages sur la sortie erreur(stderr).

A list of all the user attributes follows, with notations stating which attributes are checked:

account_locked	No check. The usrck command sets this attribute to True and disables accounts.
admgroups	Checks to see if the admgroups are defined in the user database and, if you indicate that the system should fix errors, the command removes any groups that are not in the database.
auditclasses	Checks to see if the auditclasses are defined for the user in the /etc/security/audit/config file. If you indicate that the system should fix errors, the command deletes all the auditclasses that are not defined in the /etc/security/audit/config file.
auth1	Checks the primary authentication method. Unless the method is NONE or SYSTEM, it must be defined in the /etc/security/login.cfg file and the program attribute must exist and be executable by the root user. If you indicate that the system should fix errors, it will disable the user account if an error is found. Note: The auth1 attribute is deprecated and should not be used.
auth2	Checks the secondary authentication method. Unless the method is NONE or SYSTEM, it must be defined in the /etc/security/login.cfg file and the program attribute must exist and be executable by the root user. There is no system fix. Note: The auth2 attribute is deprecated and should not be used.
core	Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
core_hard	Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
cpu	Ensures that the values are sensible. If not, the command resets the values to 120 seconds, the minimum value.
cpu_hard	Ensures that the values are sensible. If not, the command resets the values to 120 seconds, the minimum value.
data	Ensures that the values are sensible. If not, the command resets the values to 1272 blocks (636K), the minimum value.
data_hard	Ensures that the values are sensible. If not, the command resets the values to 1272 blocks (636K ), the minimum value.
dictionlist	Checks the list of dictionary files. If you indicate that the system should fix errors, all dictionary files that do not exist are deleted from the user database.
expires	No check.
fsize	Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
fsize_hard	Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
gecos	No check.
histexpire	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
histsize	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
home	Checks the existence and accessibility of the home directory by read mode and search mode. If you indicate that the system should fix errors, it will disable the user account if an error is found.
id	Checks the uniqueness of the user ID. If you indicate that the system should fix errors, the command deletes any invalid entry in the /etc/passwd file.
login	No check.
loginretries	Checks if the user attempted unsuccessful logins more than the allowable amount. If so, the system disables the user account.
logintimes	Ensures that the string of time specifiers is valid. If you indicate that the system should fix errors, the system disables the user account if an error is found.

maxage	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
maxexpired	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
maxrepeats	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minage	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value. The system also indicates if the minage attribute is larger than the maxage attribute.
minalpha	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
mindiff	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minlen	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minother	Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value. The system also indicates if the minage attribute plus the maxage attribute is greater than the maximum password size.
name	Checks the uniqueness and composition of the user name. The name must be a unique string of eight bytes or less. It cannot begin with a + (plus sign), a : (colon), a - (minus sign), or a ~ (tilde). Names beginning with a + (plus sign) or with a - (minus sign) are assumed to be names in the NIS (Network Information Service) domain, and no further processing is performed. It cannot contain a colon (:) in the string and cannot be the ALL or default keywords. If you indicate that the system should fix errors, the command disables the user account if an error is found and deletes any invalid entry in the /etc/passwd file. The usrck command verifies that, for each user name listed in the /etc/passwd file, there is a stanza in the /etc/security/user, /etc/security/limits, and /etc/security/passwd files. The command adds stanzas for each one identified as missing. The usrck command additionally verifies that each group name listed in the /etc/group file has a stanza in the /etc/security/group file.
nofiles	Ensures that the value is sensible. If not, resets the value to 200, the minimum value.
nofiles_hard	Ensures that the value is sensible. If not, resets the value to 200, the minimum value.
pgrp	Checks for the existence of the primary group in the user database. If you indicate that the system should fix errors, it will disable the user account if an error is found.
pwdchecks	Checks the list of external password restriction methods. If you indicate that the system should fix errors, all methods that do not exist are deleted from the user database.
pwdwarntime	Ensures that the value is sensible. If not, the system resets the value to the difference between the maxage and minage values.
rlogin	No check.
rss	Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64K), the minimum value.
rss_hard	Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64K), the minimum value.
shell	Checks the existence and accessibility of the shell by execute mode. If you indicate that the system should fix errors, it will disable the user account if an error is found.
stack	Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64K), the minimum value.
stack_hard	Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64K), the minimum value.
su	No check.
sugroups	Checks for the existence of the sugroups in the user database files. If you indicate that the system should fix errors, it will delete all the groups that are not in the database.
sysenv	No check.
tpath	Checks to ensure that the shell attribute is tagged as a trusted process if tpath=always. If you indicate that the system should fix errors, it will disable the user account if an error is found.
ttys	Checks for the existence of the ttys in the user database files. If you indicate that the system should fix errors, it will delete all the ttys that do not exist from the user database.
usrenv	No check.

If the fix involves disabling a user account, use the chuser command to reset the value of the account_locked attribute to False. You can use the System Management Interface Tool (SMIT) to run the chuser command by entering:

smit chuser

The root user or a member of the security group can enable a user account again by removing the account_locked attribute or setting the account_locked attribute to False. The root user's account is not disabled by the usrck command.

Generally, the sysck command calls the usrck command as part of the verification of a trusted-system installation. If the usrck command finds any errors in the user database, the root user or a member of the security group should execute both the grpck command and the pwdck command.

The usrck command checks to see if the database management security files (/etc/passwd.nm.idx, /etc/passwd.id.idx, /etc/security/passwd.idx, and /etc/security/lastlog.idx) files are up-to-date or newer than the corresponding system security files. Please note, it is acceptable for the /etc/security/lastlog.idx to be not newer than /etc/security/lastlog. If the database management security files are out-of-date, a warning message appears indicating that the root user should run the mkpasswd command.

The usrck command checks if the specified user can log in. If the user cannot log in because of too many unsuccessful login attempts or because the password is expired, the usrck command issues a warning message indicating why the user cannot log in. If you indicate that the system should fix errors, the system disables the user account if the user cannot log in for the above reasons.

If the -l flag is specified, the usrck command scans all users or the users specified by the User parameter to determine if users can access the system. The criteria used to determine accessibility for a user are listed in the following table:

Table 1. User Accessibility Criteria
Criterion	Description	Cause
1	User account is locked.	The user's account_locked attribute is set to true.
2	User account is expired.	The user's expires attribute is set to a value (expiration time) that is expired.
3	User has too many consecutive failed login attempts.	The user's unsuccessful_login_count value is greater than the user's loginretries value.
4	User has no password.	The user's password field is '' in /etc/password* or /etc/security/password.
5	User is not allowed to log in for this date/time.	The current date/time is not within the allowed time as defined by the user's logintimes attribute.
6	The /etc/nologin file exists.	The /etc/nologin file prevents a non-root user from logging in.
7	User password is expired and only system administrator can change it.	The user's password is expired and the ADMIN password flag is set.
8	User is denied login to host.	The user's hostallowedlogin and hostsdeniedlogin attributes do not allow access to the current host.
9	User is denied access by applications.	The user's login, rlogin, and su attributes are set to false and the rcmds attribute is set to deny. If at least one but not all of these attribute values deny authorization, the system is considered partially accessible by the user.
10	User is denied login to terminal.	The user's ttys attribute does not allow access to the current terminal. The system is considered partially accessible for the user.

If the -b flag is also specified, the output consists of two fields, the user name and a 16-digit bit mask, separated by a tab. Each digit in the bit mask corresponds to a criteria in the User Accessibility Criteria table above, with criteria 1 represented by the rightmost digit. If the bit location for a criteria is set to 1, the check for this criteria failed for the user. Extra digits in the output are reserved for future use.

The following is an example of the usrck command with the -l flag:

# usrck -l testusr1 testusr2
3001-689 The system is inaccessible to testusr1, due to the following:
         User account is locked
         User denied login to terminal.
        
3001-689 The system is inaccessible to testusr2, due to the following:
         User account is expired.
         User has too many consecutive failed login attempts.
         User denied login to host.

The following is an example of the usrck command with the -l and -b flags:

# usrck -lb testusr1 testusr2
 testusr1       0000000000000001
 testusr2       0000000001000110

Flags

-b	Reports users who are not able to access the system and the reasons, with the reasons displayed in a bit-mask format. The -l flag must be specified if the -b flag is specified. Note: The bit mask does not report criteria 10 (user denied login to terminal), since this cannot be considered a complete scenario when determining if a system is inaccessible to a user. Likewise, the bit mask does not report criteria 9 (User denied access by applications) if at least one but not all of the attributes' values deny authentication; this criteria is only reported when all four attribute values deny authentication.
-l	Scans all users or the users specified by the User parameter to determine if the users can access the system.
-n	Reports errors but does not fix them.
-p	Fixes errors but does not report them.
-t	Reports errors and asks if they should be fixed.
-y	Fixes errors and reports them.

Exit Status

This command returns the following exit values:

0	User definition files are appropriate.
>0	An error occurred or there is an error in one or more user definition files. The following error codes are returned: EINVAL (22) Invalid command-line arguments ENOENT (2) One or more user definition files do not exist ENOTRUST (114) Errors in user definitions in the database files or users unable to access the system (found by -l option)

Security

Access Control: This command should grant execute (x) access to the root user and members of the security group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode	File
r	/etc/passwd
r	/etc/security/user
rw	/etc/security/group
rw	/etc/group
rw	/etc/security/lastlog
rw	/etc/security/limits
rw	/etc/security/audit/config
rw	/etc/security/login.cfg

Auditing Events:

Event	Information
USER_Check	user, attribute-error, status

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

To verify that all the users exist in the user database, and have any errors reported (but not fixed), enter:
usrck -n ALL
To delete from the user definitions those users who are not in the user database files, and have any errors reported, enter:
usrck -y ALL
To display the list of users who are unable to access the system, enter:
usrck -l ALL
To display the list of users who are unable to access the system, in a bit mask format, enter:
usrck -l -b ALL

Files

/usr/bin/usrck	Specifies the path of the usrck command.
/etc/passwd	Contains basic user attributes.
/etc/security/user	Contains the extended attributes of users.
/etc/group	Contains basic group attributes.
/etc/security/group	Contains the extended attributes of groups.
/etc/security/lastlog	Contains the last login attributes for users.
/etc/security/limits	Contains the process resource limits of users.
/etc/security/audit/config	Contains audit system configuration information.
/etc/security/login.cfg	Contains configuration information.

Related Information

The grpck command, pwdck command, sysck command.