本文详细介绍了chsec命令的使用方法,该命令用于修改安全配置文件中的属性,包括环境属性、组属性、登录配置等。文章解释了如何指定要修改的文件、属性及值,并提供了多个示例,如更改端口锁定行为、用户资源限制等。
Purpose
Changes the attributes in the security stanza files.
Syntax
chsec [ -f File] [ -s Stanza] [ -a Attribute = Value ... ]
Description
The chsec command changes the attributes stored in the security configuration stanza files. These security configuration stanza files have attributes that you can specify with the Attribute = Value parameter:
- /etc/security/environ
- /etc/security/group
- /etc/security/audit/hosts
- /etc/security/lastlog
- /etc/security/limits
- /etc/security/login.cfg
- /usr/lib/security/mkuser.default
- /etc/nscontrol.conf
- /etc/security/passwd
- /etc/security/portlog
- /etc/security/pwdalg.cfg
- /etc/security/roles
- /etc/security/rtc/rtcd_policy.conf
- /etc/security/smitacl.user
- /etc/security/smitacl.group
- /etc/security/user
- /etc/security/user.roles
- /etc/secvars.cfg
When modifying attributes in the /etc/security/environ, /etc/security/lastlog, /etc/security/limits, /etc/security/passwd, and /etc/security/user files, the stanza name specified by the Stanza parameter must either be a valid user name or default. When modifying attributes in the /etc/security/group file, the stanza name specified by the Stanza parameter must either be a valid group name or default. When modifying attributes in the /usr/lib/security/mkuser.default file, the Stanza parameter must be either admin or user. When modifying attributes in the /etc/security/portlog file, the Stanza parameter must be a valid port name. When modifying attributes in the /etc/security/login.cfg file, the Stanza parameter must either be a valid port name, a method name, or the usw attribute.
When modifying attributes in the /etc/security/login.cfg or /etc/security/portlog file in a stanza that does not already exist, the stanza is automatically created by the chsec command.
You cannot modify the password attribute of the /etc/security/passwd file using the chsec command. Instead, use the passwd command.
Only the root user or a user with an appropriate authorization can change administrative attributes. For example, to modify administrative group data, the user must be root or have GroupAdmin authorization.
NoteThe chsec command changes local user attributes. It does not change non-local user attributes. You can use the chsec command to change remote user attributes. The chsec command does not update remote user attributes in local security stanza files.
Flags
| Item | Description |
| -a Attribute = Value | Specifies the attribute to modify and the new value for that attribute. If you do not specify the value, the attribute is removed from the given stanza. |
| -f File | Specifies the name of the stanza file to modify. |
| -s Stanza | Specifies the name of the stanza to modify. |
Security
Access Control
This command grants execute access only to the root user and the security group. The command has the trusted computing base attribute and runs the setuid command to allow the root user to access the security databases.
On a Trusted AIX® system, only users with the aix.mls.clear.write authorization can modify clearance attributes. Only users with the aix.mls.tty.write authorization can modify the port attributes.
Auditing Events
| Event | Information |
| USER_Change | user name, attribute |
| GROUP_Change | group name, attribute |
| PORT_Change | port, attribute |
Files Accessed
| Mode | File |
| rw | /etc/security/environ |
| rw | /etc/security/group |
| rw | /etc/security/audit/hosts |
| rw | /etc/security/lastlog |
| rw | /etc/security/limits |
| rw | /etc/security/login.cfg |
| rw | /usr/lib/security/mkuser.default |
| rw | /etc/nscontrol.conf |
| rw | /etc/security/passwd |
| rw | /etc/security/portlog |
| rw | /etc/security/pwdalg.cfg |
| rw | /etc/security/roles |
| rw | /etc/security/rtc/rtcd_policy.conf |
| rw | /etc/security/smitacl.user |
| rw | /etc/security/smitacl.group |
| rw | /etc/security/user |
| rw | /etc/security/user.roles |
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand. To get the full functionality of the command, besides the accessauths, the role should also have the following authorizations:
- aix.security.user.audit
- aix.security.role.assign
- aix.security
To perform the chsec command on the /etc/security/rtc/rtcd_policy.conf file, the role should also have the following authorization:
- aix.security.config
Examples
- To change the /dev/tty0 port to automatically lock if 5 unsuccessful login attempts occur within 60 seconds, enter:
chsec -f /etc/security/login.cfg -s /dev/tty0 -a logindisable=5 -a logininterval=60
- To unlock the /dev/tty0 port after it has been locked by the system, enter:
chsec -f /etc/security/portlog -s /dev/tty0 -a locktime=0
- To allow logins from 8:00 a.m. until 5:00 p.m. for all users, enter:
chsec -f /etc/security/user -s default -a logintimes=:0800-1700
- To change the CPU time limit of user joe to 1 hour (3600 seconds), enter:
chsec -f /etc/security/limits -s joe -a cpu=3600
Files
| Item | Description |
| /usr/bin/chsec | Specifies the path to the chsec command. |
| /etc/security/environ | Contains the environment attributes of users. |
| /etc/security/group | Contains extended attributes of groups. |
| /etc/security/audit/hosts | Contains host and processor IDs. |
| /etc/security/group | Defines the last login attributes for users. |
| /etc/security/limits | Defines resource quotas and limits for each user. |
| /etc/security/login.cfg | Contains port configuration information. |
| /usr/lib/security/mkuser.default | Contains the default values for new users. |
| /etc/nscontrol.conf | Contains the configuration information of some name services. |
| /etc/security/passwd | Contains password information. |
| /etc/security/portlog | Contains unsuccessful login attempt information for each port. |
| /etc/security/pwdalg.cfg | Contains the configuration information for loadable password algorithms (LPA). |
| /etc/security/roles | Contains a list of valid roles. |
| /etc/security/rtc/rtcd_policy.conf | Contains the configuration information for the rtcd daemon. |
| /etc/security/smitacl.user | Contains user ACL definitions. |
| /etc/security/smitacl.group | Contains group ACL definitions. |
| /etc/security/user | Contains the extended attributes of users. |
| /etc/security/user.roles | Contains a list of roles for each user. |
| /etc/security/enc/LabelEncodings | Contains label definitions for the Trusted AIX system. |
| /etc/security/domains | Contains the valid domain definitions for the system. |
| /etc/secvars.cfg | Contains a stanza file. |
Parent topic:
Related information
扫一扫
748
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
