[ Previous | Next | Contents | Glossary | Home | Search ]
AIX Version 4.3 Commands Reference, Volume 1

chsec Command

Purpose

Changes the attributes in the security stanza files.

Syntax

chsec [-fFile] [ -s Stanza] [ -a Attribute = Value ... ]

Description

The chsec command changes the attributes stored in the security configuration stanza files. These security configuration stanza files have attributes that you can specify with the Attribute = Value parameter:

When modifying attributes in the /etc/security/environ, /etc/security/lastlog, /etc/security/limits, /etc/security/passwd, and /etc/security/user files, the stanza name specified by the Stanza parameter must either be a valid user name or default. When modifying attributes in the /etc/security/group file, the stanza name specified by the Stanza parameter must either be a valid group name or default. When modifying attributes in the /usr/lib/security/mkuser.default file, the Stanza parameter must be either admin or user. When modifying attributes in the /etc/security/portlog file, the Stanza parameter must be a valid port name. When modifying attributes in the /etc/security/login.cfg file, the Stanza parameter must either be a valid port name, a method name, or the usw attribute.

When modifying attributes in the /etc/security/login.cfg or /etc/security/portlog file in a stanza that does not already exist, the stanza is automatically created by the chsec command.

You cannot modify the password attribute of the /etc/security/passwd file using the chsec command. Instead, use the passwd command.

Only the root user or a user with an appropriate authorization can change administrative attributes. For example, to modify administrative group data, the user must be root or have GroupAdmin authorization.

Flags

-a Attribute = Value Specifies the attribute to modify and the new value for that attribute. If you do not specify the value, the attribute is removed from the given stanza.
-f File Specifies the name of the stanza file to modify.
-s Stanza Specifies the name of the stanza to modify.

Security

Access Control: This command grants execute access only to the root user and the security group. The command has the trusted computing base attribute and runs the setuid command to allow the root user to access the security databases.

Files Accessed:

Mode File
rw /etc/security/environ
rw /etc/security/group
rw /etc/security/lastlog
rw /etc/security/limits
rw /etc/security/login.cfg
rw /usr/lib/security/mkuser.default
rw /etc/security/passwd
rw /etc/security/portlog
rw /etc/security/user

Auditing Events:

Event Information
USER_Change user name, attribute
GROUP_Change group name, attribute
PORT_Change port, attribute

Examples

  1. To change the /dev/tty0 port to automatically lock if 5 unsuccessful login attempts occur within 60 seconds, enter:
    chsec -f /etc/security/login.cfg -s /dev/tty0 -a logindisable=5 -a logininterval=60
  2. To unlock the /dev/tty0 port after it has been locked by the system, enter:
    chsec -f /etc/security/portlog -s /dev/tty0 -a locktime=0
  3. To allow logins from 8:00 a.m. until 5:00 p.m. for all users, enter:
    chsec -f /etc/security/user -s default -a logintimes=:0800-1700
  4. To change the CPU time limit of user joe to 1 hour (3600 seconds), enter:
    chsec -f /etc/security/limits -s joe -a cpu=3600

Files

/usr/bin/chsec Specifies the path to the chsec command.
/etc/security/environ Contains the environment attributes of users.
/etc/security/group Contains extended attributes of groups.
/etc/security/lastlog Defines the last login attributes for users.
/etc/security/limits Defines resource quotas and limits for each user.
/etc/security/login.cfg Contains port configuration information.
/usr/lib/security/mkuser.default Contains the default values for new users.
/etc/security/passwd Contains password information.
/etc/security/portlog Contains unsuccessful login attempt information for each port.
/etc/security/user Contains the extended attributes of users.

Related Information

The chgroup command, chuser command, grpck command, login command, lsgroup command, lssec command, lsuser command, mkgroup command, mkuser command, passwd command, pwdck command, rmgroup command, rmuser command, su command, usrck command.

The getgroupattr subroutine, getportattr subroutine, getuserattr subroutine, getuserpw subroutine, putgroupattr subroutine, putportattr subroutine, putuserattr subroutine, putuserpw subroutine.


[ Previous | Next | Contents | Glossary | Home | Search ]