USER
Login sequence Files
/etc/passwd
Ex: - test:!:206:1:Test user:/home/test:/usr/bin/ksh
Total 7 fields in /etc/passwd file
Username : password : uid : gid : comment : users home directory : users login shell
If password field show ! then it mean password is stored in some other file.
If shows * means user account is disable
The file is stored in etc and all the user have rights to read the file but it can only be written by the superuser. The file has each line as a record of an individual user. Each line contains 7 fields seperated by ":“.Which is also known as IFS (Internal Field Seperater) . Each line of /etc/passwd looks something like this...
root:x:0:0:root:/root:/bin/bash
i) First field shows the loginname of the user.
ii) Shows the password since shadowing is been used this field will only show "!" which indicates that the password is stored in /etc/shadow
iii) This shows the UID (user id) of the user which is unique to each user.
iv) This shows the GID (group id) of the user.
v) This field is used for user comments or user details,fed by chfn command. Hence "chfn" details are fed into this field.
vi) This field indicates the home or working directory of the user.
vii) This field determines the shell used by the user when ever he/she logs in
/etc/security/passwd
Ex: - sybase:
password = 1wanjkFCH3OMU
lastupdate = 1123694767
flags =
Users encrypted passwords are stored here. Total 4 Fields.
Password: -
Specifies the encrypted password. The system encrypts the password created with the passwd command or the pwdadm command. If the password is empty, the user does not have a password. If the password is an * (asterisk), the user cannot log in. The value is a character string. The default value is *.
Lastupdate: -
Specifies the time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed.
Flags: -
Specifies the restrictions applied by the login, passwd, and su commands. Following flags
ADMCHG: - Password was last changed by an administrator or root
ADMIN: - User password can only be change by administrator/root only.
NOCHECK: - None of the system password restrictions defined in the /etc/security/user file are enforced for this password.
/etc/security/user
Files contain users roles and security. Total 31 fields
account_locked Defines whether the account is locked. Locked accounts can not be used for
login. Possible values: true or false.
admin Defines the administrative status of the user. Possible values: true or false.
admgroups Lists the groups that the user administrates.
auth1 Defines primary authentication methods for a user. Commands login, telnet,
rlogin, and su support these authentication methods.
Possible values: SYSTEM, NONE, Token;Username.
SYSTEM :Describes normal password authentication in Version 3. Version 4 has
extended this definition to include loadable modules and an
authentication grammar. See SYSTEM attribute description below.
NONE :No authentication.
TOKEN; USERNAME: -A generic name for a custom authentication method
defined in /etc/security/login.cfg.
Example: - If auth1 is: auth1 = SYSTEM,mylogin;mary, And the stanza in
/etc/security/login.cfg is:
mylogin:
program = /etc/myprogram
This will do password authentication, and then invoke the program
/etc/myprogram with "mary" as the first parameter.
auth2 Defines the secondary authentication methods for a user. It is not a
requirement to pass this method to login. See auth1 description above for
examples.
SYSTEM Authenticate user weather it’s a local user login or domain user login. Describes
Version 4 authentication requirements. This attribute can be used to
describe multiple or alternate authentication methods. See authenticate()
routine and SYSTEM grammar manual pages.
Possible tokens:
files : local only authentication.
compat : local plus NIS authentication. Version 3 behavior
DCE : Distributed Computing Environment authentication.
Example:
SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
daemon Defines whether the user can execute programs using the system resource
controller (SRC). Possible values: true or false.
Dictionlist Defines the password dictionaries used when checking new passwords. The
format is a comma-separated list of absolute path names to dictionary files. A
dictionary file contains one word per line where each word has no leading or
trailing white space. Words should only contain 7 bit ASCII characters. All
dictionary files and directories should be write protected from everyone except
root. The default is valueless, which is equivalent to no dictionary checking.
Example dictionary: /usr/share/dict/words (Only available if text processing is
installed.)
expires Defines the expiration time for the user account. Possible values: a valid date in
the form MMDDHHMMYY or 0. If 0 the account does not expire. If 0101000070
the account is disabled. The range for YY is:
00 - 38 years 2000 thru 2038
39 - 99 years 1939 thru 1999
histexpire Defines the period of time in weeks that a user will not be able to reuse a
password. Possible values: an integer value between 0 and 260. 26
(approximately 6 months) is the recommended value. If previous password is
cms12 and if I enter histexpire=3 i.e 3 weeks, then user cannot reuse the same
password cms12 until 3 weeks are left. if histsize=2 he will not be able to
reuse the password until changes for atleast 2 times even if he has changed
password for 2 times, he will not allow to reuse the same password until 3 weeks
left. Ex: - histexpire = 52 – defines how long a password cannot be re-used
histsize Defines the number of previous passwords which cannot be reused. If I enter
histsize=2, and users current password say cms12, then he cannot use the same
password until he changes a password for atleast 2 times. Possible
values: an integer value between 0 and 50. Ex: - histsize = 20 – defines how
many previous passwords the system remembers
login Defines whether the user can login. Possible values : true or false.
logintimes Defines the times a user can login. The value is a comma separated list of items
as follows: [!][MMdd[-MMdd]]:hhmm-hhmm
[!]MMdd[-MMdd][:hhmm-hhmm] or
[!][w[-w]]:hhmm-hhmm or
[!]w[-w][:hhmm-hhmm]
where MM is a month number (00=January, 11=December), dd is the day of the
month, hh is the hour of the day (00 - 23), mm is the minute of the hour, and w is
a weekday (0=Sunday, 6= Saturday).
loginretries The number of invalid login attempts before a user is not allowed to login.
Possible values: a positive integer or 0 to disable this feature. the user's
unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than
the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \ unsuccessful_login_count=0
maxage Defines the maximum number of weeks a password is valid. The default is 0,
which is equivalent to unlimited. Range: 0 to 52.
maxexpired Defines the maximum number of weeks after maxage that an expired password
can be changed by a user. After this defined time, only an administrative user can
change the password. The default is -1, which is equivalent to unlimited.
Range: -1 to 52. maxage must be greater than 0 for maxexpired to be enforced.
(root is exempt from maxexpired.) Ex: - maxexpired = 4 – maximum time in
weeks a password can be changed after it expires
maxrepeats Defines the maximum number of times a given character can appear in a
password. The default is 8, which is equivalent to unlimited. Range: 0 to 8.
minage Defines the minimum number of weeks between password changes. The default is
0. Range: 0 to 52.
minalpha Defines the minimum number of alphabetic characters in a password. The
default is 0. Range: 0 to 8.
mindiff Defines the minimum number of characters in the new password that were not in
the old password. The default is 0. Range: 0 to 8.
minlen Defines the minimum length of a password. The default is 0. Range: 0 to 8.
minother Defines the minimum number of non-alphabetic characters in a password. The
default is 0. Range: 0 to 8.
pwdchecks You can specify a script to authenticate user password instead of using
/etc/security/passwd. Defines external password restriction methods used when
checking new passwords. The format is a comma-separated list of absolute path
names to methods and/or method path names relative to /usr/lib. A password
restriction method is a program module that is loaded by the password
restrictions code at runtime. All password restriction methods and directories
should be write protected from everyone except root. The default is valueless,
which is equivalent to no external password restriction methods.
pwdwarntime The number of days before a forced password change that a warning will be
given to the user informing them of the impending password change. Possible
values: a positive integer or 0 to disable this feature.
registry Describes where this user is administered. It is used whenever there is a
possibility of resolving a remotely administered user to the local administration
domain. This can happen when network services go down or network databases
are replicated locally. Possible values : files, NIS, or DCE
rlogin Defines whether the user account can be accessed by remote logins. Commands
rlogin and telnet support this attribute. Possible values: true or false.
su Defines whether other users can switch to this user account. Command su supports
this attribute. Possible values: true or false.
sugroups Defines which groups can switch to this user account. Alternatively you may
explicitly deny groups by preceding the group name with a ! character.Possible
values : A list of valid groups separated by commas, ALL, or .
tpath Defines the user's trusted path characteristics. Possible values:
nosak : The Secure Attention Key (SAK) key (^X^R) has no effect.
notsh : The SAK key logs you out. You can never be on the trusted path.
always : When you log in you are always on the trusted path.
on : The trusted path is entered when the SAK key is hit.
Note : This attribute only takes effect if the sak_enabled
attribute (in /etc/security/login.cfg) is set to
true for the port you are logging into.
ttys Defines which terminals can access the user account. Alternatively you may
explicitly deny terminals by preceding the terminal name with the ! character.
Possible values: List of device paths separated by commas, ALL or .
umask Defines the default umask for the user. Possible values: three-digit octal value.
Notes: Boolean values (i.e. true or false) may use any of the following values.
These values are not case sensitive. true, false, yes, no, always, never.
Ex: - A typical stanza looks like the following example for user dhs:
dhs:
login = true
rlogin = false
ttys = /dev/console
sugroups = security,!staff
expires = 0531010090
tpath = on
admin = true
auth1 = SYSTEM,METH2;dhs
cmsadmin:
admin = true
maxage = 8
minlen = 6
minalpha = 2
minage = 1
admgroups = adm
To allow all ttys except /dev/tty0 to access the user account, change the ttys entry so that it reads as follows:
ttys = !/dev/tty0,ALL
/etc/profile
Sets the user environment at login time.
The $HOME/.profile file contains commands that the system executes when you log in. The .profile also provides variable profile assignments that the system sets and exports into the environment. The /etc/profile file contains commands run by all users at login.
After the login program adds the LOGNAME (login name) and HOME (login directory) variables to the environment, the commands in the $HOME/.profile file are executed, if the file is present. The .profile file contains the individual user profile that overrides the variables set in the profile file and customizes the user-environment profile variables set in the /etc/profile file. The .profile file is often used to set exported environment variables and terminal modes. The person who customizes the system can use the mkuser command to set default .profile files in each user home directory. Users can tailor their environment as desired by modifying their .profile file.
Note: The $HOME/.profile file is used to set environments for the Bourne and Korn shells. An equivalent environment for the C shell is the $HOME/.cshrc file.
Examples
The following example is typical of an /etc/profile file:
#Set file creation mask unmask 022
#Tell me when new mail arrives
MAIL=/usr/mail/$LOGNAME
#Add my /bin directory to the shell
search sequence
PATH=/usr/bin:/usr/sbin:/etc::
#Set terminal type
TERM=lft
#Make some environment variables global
export MAIL PATH TERM
$HOME/.hushlogin
If this file exist in root or any users home directory you can get /etc/motd or login message.
/etc/group
Ex: - sybase:!:201:Sybase
staff:!:1:ipsec,sybase,utsdev,utstest,utsusr,test,subrep,utsusrwc,utstalk,utssub
Total 4 fields in /etc/group
Group Name : group password : group id : group members
Group password ! means password is stored some where else in a file, doesn’t exist in AIX.
/etc/security/group
This file contain all the groups on system and there roles i.e. Who is administrator of group, who manages group users are defined here, extended group roles.
Adms: - Defines the group administrators. Administrators are users who can perform
administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string.
admin : - Defines the administrative status of the group.
Possible values are:
True Defines the group as administrative. Only the root user can change the
attributes of groups defined as administrative.
False Defines a standard group. The attributes of these groups can be changed
by the root user or a member of the security group. This is the default
value.
EX: - # more /etc/security/group
system:
admin = true
adms = cmsadmin
staff:
admin = false
bin:
admin = true
sys:
admin = true
adm:
admin = true
adms = cmsadmin
/etc/security/login.cfg
Contains configuration information for login and user authentication.
There are three types of stanzas: -
Port Defines the login characteristics of ports.
Authentication method Defines the authentication methods for users.
user configuration Defines programs that change user attributes.
Port Stanzas
Port stanzas define the login characteristics of ports and are named with the full path name of the port. Each port should have its own separate stanza. Each stanza has the following attributes:
herald
Specifies the initial message to be printed out when getty or login prompts for a login name. Defines the login message printed when the getty process opens the port. The default herald is the login prompt. The value is a character string.
herald2
Defines the login message printed after a failed login attempt. The default herald is the login prompt. The value is a character string.
Logindelay
Defines the delay factor (in seconds) between unsuccessful login attempts. If a user enter invalid password and if logindelay=3 i.e 3 seconds, then after invalid login user will get login prompt after 3 seconds i.e its wait for 3 sec between unsuccessful login. The value is a decimal integer string. The default value is 0, indicating no delay between unsuccessful login attempts.
Logindisable
Defines the number of unsuccessful login attempts allowed before the port is locked. If this is set to 3, then port will be locked after 3 invalid login. The value is a decimal integer string. The default value is 0, indicating that the port cannot lock as a result of unsuccessful login attempts.
Logininterval
Defines the time interval (in seconds) in which the specified unsuccessful login attempts must occur before the port is locked. If logindisable is 3 and users enters 3 times invalid password, know the port will be get locked, but if Logininterval is set to 50 i.e 50 seconds, then before locking port system waits for 50 seconds and then port is locked. The value is a decimal integer string. The default value is 0.
loginreenable
Defines the time interval (in minutes) a port is unlocked after a system lock. If a port is locked and loginreenable is 1 i.e 1 minute, then ports get unlocked automatically after 1 minutes. The value is a decimal integer string. The default value is 0, indicating that the port is not automatically unlocked.
Logintimes
Specifies the times, days, or both the user is allowed to access the system.
sak_enabled
Defines whether the secure attention key (SAK) is enabled for the port. The SAK key is the Ctrl-X, Ctrl-R key sequence. Possible values for the sak_enabled attribute are:
True SAK processing is enabled, so the key sequence establishes a trusted path for the port.
false SAK processing is not enabled, so a trusted path cannot be established. This is the default value.
synonym
Defines other path names for the terminal. The path names should be device special files with the same major and minor number and should not include hard or symbolic links. The value is a list of comma-separated path names.
For example, if you specify synonym=/dev/tty0 in the stanza for the /dev/console path name, then the /dev/tty0 path name is a synonym for the /dev/console path name. However, the /dev/console path name is not a synonym for the /dev/tty0 path name unless you specify synonym=/dev/console in the stanza for the /dev/tty0 path name.
Authentication Method Stanzas
auth_method is no longer used. Security methods should be configured in /usr/lib/security/methods.cfg
auth_method:
program = /any/program
program_64 = /any/program64
Auth_method corresponds to a custom authentication method specified in the SYSTEM attribute in /etc/security/user, and /any/program is the program to run in order to do the authentication. The program_64 attribute should be used for process running in 64 bit mode, /any/program64 is a 64 bit program.
These stanzas define the authentication methods for users assigned in the /etc/security/user file. The name of each stanza must be identical to one of the methods defined by the auth1 or the auth2 attribute in the /etc/security/user file.
Each stanza has one attribute:
Program
Contains the full path name of a program that provides primary or secondary authentication for a user. Program flags and parameters may be included.
Since the SYSTEM authentication method is supported directly by the login command and the su command, and the NONE method does not provide any authentication, neither requires definition. However, all other authentication methods must be defined in this file. Different authentication methods can be defined for each user.
User-Configuration Stanzas
User-configuration stanzas provide configuration information for programs that change user attributes. There is one user-configuration stanza: usw.
The usw stanza defines the configuration of miscellaneous facilities. The following attributes can be included:
Logintimeout
Defines the time (in seconds) the user is given to type the password. The value is a decimal integer string. The default is a value of 60.
maxlogins
Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login attempts.
Note: Login sessions include rlogins and telnets; these are counted against the maximum allowable number of simultaneous logins by the maxlogins attribute.
shells
Defines the valid shells on the system. This attribute is used by the chsh command to determine which shells a user can select. The value is a list of comma-separated full path names. The default is /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, or /usr/bin/tsh.
Ex: -
default:
sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
herald = "\n\* Unreserved Ticketing System's Restricted Area *\n\r* Unauthorized use of this system is prohibited*\n\r* All Invalid logins are monitored for audit,*\n\r improper use of this system is criminal offence *\n\rLogin: "
*/dev/console:
• synonym = /dev/tty0
usw:
shells = /bin/sh, /bin/bsh, /bin/csh, /bin/ksh, /bin/tsh, /bin/ksh93, /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh,/us
r/bin/tsh, /usr/bin/ksh93, /usr/bin/rksh, /usr/bin/rksh93, /usr/sbin/uucp/uucico, /usr/sbin/sliplogin, /usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
auth_type = STD_AUTH
/etc/security/failedlogin
All failed login attempts are made here
/etc/security/lastlog
Defines the last login attributes for users.
time_last_login
The last time that the user successfully logged into the system. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last successful login. The value is a decimal integer.
tty_last_login
The last tty port that the user successfully logged into. Specifies the terminal on which the user last logged in. The value is a character string.
host_last_login
The host from which the user logged in from if the tty was not locally attached. This implies that the user used telnet or rlogin to log into the system. Specifies the host from which the user last logged in. The value is a character string.
unsuccessful_login_count
The number of attempts to log in as the user since the last successful login. The value is a decimal integer. This attribute works in conjunction with the user's loginretries attribute, specified in the /etc/security/user file, to lock the user's account after a specified number of consecutive unsuccessful login attempts. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute to be less than the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \ unsuccessful_login_count=0
time_last_unsuccessful_login
The time that the last unsuccessful attempt to log in as the user was made. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last unsuccessful login. The value is a decimal integer.
tty_last_unsuccessful_login
The tty port of the last unsuccessful attempt to log in as the user was made. Specifies the terminal on which the last unsuccessful login attempt occurred. The value is a character string.
host_last_unsuccessful_login
The host from which the last unsuccessful attempt to log in as the user was made. Specifies the host from which the last unsuccessful login attempt occurred. The value is a character string.
All user database files should be accessed through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases.
EX: -
root:
time_last_login = 1139610504
tty_last_login = ftp
host_last_login = ::ffff:10.128.0.52
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1136845660
tty_last_unsuccessful_login = ftp
host_last_unsuccessful_login = ::ffff:10.128.0.52
sybase:
time_last_login = 1139428239
tty_last_login = /dev/pts/6
host_last_login = loopback
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1139428235
tty_last_unsuccessful_login = /dev/pts/6
host_last_unsuccessful_login = loopback
/etc/environment
Sets up the user environment.
The /etc/environment file contains variables specifying the basic environment for all processes. When a new process begins, the exec subroutine makes an array of strings available that have the form Name=Value. This array of strings is called the environment. Each name defined by one of the strings is called an environment variable or shell variable. The exec subroutine allows the entire environment to be set at one time.
Environment variables are examined when a command starts running. The environment of a process is not changed by altering the /etc/environment file. Any processes that were started prior to the change to the /etc/environment file must be restarted if the change is to take effect for those processes. If the TZ variable is changed, the cron daemon must be restarted, because this variable is used to determine the current local time.
HOME
The full path name of the user login or HOME directory. The login program sets this to the name specified in the /etc/passwd file.
LANG
The locale name currently in effect. The LANG variable is set in the /etc/environment file at installation time.
NLSPATH
The full path name for message catalogs. The default is:
/usr/lib/nls/msg/%L/%N: /usr/lib/nls/msg/%L/%N.cat:
where %L is the value of the LC_MESSAGES category and %N is the catalog file name.
Note: See the chlang command for more information about changing message catalogs.
LC__FASTMSG
If LC_FASTMEG is set to false, POSIX-compliant message handling is performed. If LC__FASTMSG is set to true, it specifies that default messages should be used for the C and POSIX locales and that NLSPATH is ignored. If this variable is set to anything other than false or unset, it is considered the same as being set to true. The default value is LC__FASTMSG=true in the /etc/environment file.
LOCPATH
The full path name of the location of National Language Support tables. The default is /usr/lib/nls/loc and is set in the /etc/profile file. If the LOCPATH variable is a null value, it assumes that the current directory contains the locale files.
Note: All setuid and setgid programs will ignore the LOCPATH environment variable.
PATH
The sequence of directories that commands such as the sh, time, nice and nohup commands search when looking for a command whose path name is incomplete. The directory names are separated by colons.
TZ
The time-zone information. The TZ environment variable is set by the /etc/environment file. The TZ environment variable has the following format (spaces inserted for readability):
std offset dst offset, rule
The fields within the TZ environment variable are defined as follows:
std and dst
Designate the standard (std) and summer (dst) time zones. Only the std value along with the appropriate offset value is required. If the dst value is not specified, summer time does not apply. The values specified may be no less than three and no more than TZNAME_MAX bytes in length. The length of the variables corresponds to the %Z field of the date command; for libc and libbsd, TZNAME_MAX equals three characters. Any nonnumeric ASCII characters except the following may be entered into each field: a leading : (colon), a , (comma), a - (minus sign), a + (plus sign), or the ASCII null character.
Note: POSIX 1.0 reserves the leading : (colon) for an implementation-defined TZ specification. AIX disallows the leading colon, selecting CUT0 and setting the %Z field to a null string.
An example of std and dst format is as follows: EST5EDT
EST
Specifies Eastern U.S. standard time.
5
Specifies the offset, which is 5 hours behind Coordinated Universal Time (CUT).
EDT Specifies the corresponding summer time zone abbreviation.
Note: See "Time Zones" for a list of time zone names defined for the system.
offset Denotes the value added to local time to equal Coordinated Universal Time (CUT). CUT is the international time standard that has largely replaced Greenwich Mean Time. The offset variable has the following format:
hh:mm:ss
The fields within the offset variable are defined as follows:
hh
Specifies the dst offset in hours. This field is required. The hh value can range between the integers -12 and +11. A negative value indicates the time zone is east of the prime meridian; a positive value or no value indicates the time zone is west of the prime meridian.
mm
Specifies the dst offset detailed to the minute. This field is optional. If the mm value is present, it must be specified between 0 and 59 and preceded by a : (colon).
Ss
Specifies the dst offset detailed to the second. The ss field is optional. If the ss value is present, it must be specified between 0 and 59 and preceded by a : (colon).
An offset variable must be specified with the std variable. An offset variable for the dst variable is optional. If no offset is specified with the dst variable, the system assumes that summer time is one hour ahead of standard time.
As an example of offset syntax, Zurich is one hour ahead of CUT, so its offset is -1. Newfoundland is 1.5 hours ahead of eastern U.S. standard time zones. Its syntax can be stated as any of the following: 3:30, 03:30, +3:30, or 3:30:00.
rule The rule variable indicates when to change to and back from summer time. The rule variable has the following format:
start/time,end/time
The fields within the rule variable are defined as follows:
start
Specifies the change from standard to summer time.
end
Specifies the return to standard time from summer time.
Time
Specifies when the time changes occur within the time zone. For example, if the time variable is encoded for 2 a.m. then the time changes when the time zone reaches 2 a.m. on the date specified in the start variable.
EX: -
TZ=IST+5:30
LANG=en_US
LOCPATH=/usr/lib/nls/loc
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
LC__FASTMSG=true
# ODM routines use ODMDIR to determine which objects to operate on
# the default is /etc/objrepos - this is where the device objects
# reside, which are required for hardware configuration
ODMDIR=/etc/objrepos
/etc/security/environ
Defines the environment attributes for users.
If environment attributes are not defined, the system uses default values. Each user stanza can have the following attributes:
Usrenv
Defines variables to be placed in the user environment when the initial login command is given or when the su command resets the environment. The value is a list of comma-separated attributes. The default value is an empty string.
Sysenv
Defines variables to be placed in the user protected state environment when the initial login command is given or when the su command resets the environment. These variables are protected from access by unprivileged programs so other programs can depend on their values. The default value is an empty string.
Examples :- A typical stanza looks like the following example for user dhs:
dhs:
usrenv = "MAIL=/home/spool/mail/dhs,MAILCHECK=600"
sysenv = "NAME=dhs@delos"
EX: -
default:
root:
daemon:
/etc/security/limits
Defines process resource limits for users.
Note: Changing the limit does not affect those processes that started by init, or alternatively, ulimits are only used by those processes that go through the login processes.
The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.
Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. A new-line character ends each attribute, and an additional new-line character ends each stanza. If you do not define an attribute for a user, the system applies default values.
If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:
Resource Hard Value
Core Size unlimited
CPU Time cpu
Data Size unlimited
File Size fsize
Memory Size unlimited
Stack Size unlimited
File Descriptors unlimited
Note: Use a value of -1 to set a resource to unlimited.
If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values.
You can set the following limits on a user:
fsize
Largest file size that can be created or extended, identifies the soft limit for the largest file a user's process can create or extend.
core
Largest core file size that can be created, Specifies the soft limit for the largest core file a user's process can create.
cpu
Amount of cpu time to be used by each process. Must log out and back in for the changes to take affect.
Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data
Identifies the soft limit for the largest process data segment for a user's process.
stack
Specifies the soft limit for the largest process stack segment for a user's process.
Rss
Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
Nofiles
Sets the soft limit for the number of file descriptors a user process may have open at one time.
core_hard
Specifies the largest core file a user's process can create.
cpu_hard
Sets the largest amount of system unit time (in seconds) that a user's process can use.
data_hard
Identifies the largest process data segment for a user's process.
fsize_hard
Identifies the largest file a user's process can create or extend.
rss_hard
Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
stack_hard
Specifies the largest process stack segment for a user's process.
nofiles_hard
Sets the soft limit for the number of file descriptors a user process may have open at one time.
Except for the cpu attribute, each attribute must be a decimal integer string representing the number of 512-byte blocks allotted to the user. The cpu attribute is a decimal integer string representing the amount of system unit time in seconds.
EX: -
default:
fsize = -1
* 2097151
core = -1
* 2097151
cpu = -1
data = -1
* 262144
rss = -1
* 65536
stack = -1
* 65536
nofiles = 8000
root:
daemon:
/etc/shells
All valid shells are specify in this file.
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/psh
/usr/bin/tsh
/usr/bin/bsh
/etc/motd
Message of the day file
/etc/security/.ids
Holds the value for the next assignment to a group/user id and group/user admin id. Used by mkuser and mkgroup commands.
Sample contents: 4 203 12 200
• 4 = administrative user id (mkuser -a)
• 203 = user id (mkuser)
• 12 = administrative group id (mkgroup -a)
• 200 = group id (mkgroup)
Ex: -
# more /etc/security/.ids
8 213 14 202
Check /etc/passwd, you will see the last uid will be 212 if above “more /etc/security/.ids”
Displays the second column output as 213. This means that this file contains the UID’s or GID’s for next user or group to be made on system user useradd or adduser, system will assign automatically UID as 213 to new user and updates the /etc/security/.ids’s file’s second colume to 214.
/etc/security/.profile
/usr/lib/security/mkuser.sys
This scripts is run during user creation process, this scripts creates users home directory, gives group and ownership rights to that home directory and at last copy the /etc/security/.profile to users home directory/.profile
cp /etc/security/.profile $1/.profile
/usr/lib/security/mkuser.default
Contains the default attributes for new users.
The /usr/lib/security/mkuser.default file contains the default attributes for new users. This file is an ASCII file that contains user stanzas. These stanzas have attribute default values for users created by the mkuser command. There are two stanzas, user and admin, that can contain all defined attributes except the id and admin attributes. The mkuser command generates a unique id attribute. The admin attribute depends on whether the -a flag is used with the mkuser command.
Access Control: If read (r) access is not granted to all users, members of the security group should be given read (r) access. This command should grant write (w) access only to the root user.
Example
A typical user stanza looks like the following:
Below are the default attribute which get assign automatically to user, while creating a new user i.e if u just enter the mkuser amrik; here if u r not specifying any attribute i.e Primary group, home directory, this attributes get set automatically, this means to say that below attribute is a default attribute if u not specify system will set it for u.
user:
pgroup = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER
auth1 = SYSTEM
admin:
pgrp = system
groups = system
shell = /usr/bin/ksh
home = /home/$USER
pgroup: - Primary group of user belongs
groups: - secondary group, of whom this user will be member
shell: - Login shell, taken from number shell supported by shell stanza of
/etc/secuirity/login.cfg
home: - Users login home directory, it can modified also.
/etc/security/user.roles
Contains the list of roles for each user. The /etc/security/user.roles file contains the list of roles for each user. This is an ASCII file that contains a stanza for system users. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
This file supports a default stanza. If an attribute is not defined, either the default stanza or the default value for the attribute is used.
A stanza contains the following attribute:
roles Contains the list of roles for each user.
The user.roles file is kept separately from the /etc/security/user file for performance reasons. Several commands scan this database, so system performance increases with smaller files to scan (especially on systems with large numbers of users).
/etc/security/roles
The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used.
A stanza contains the following attributes:
rolelist Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user.
authorizations Contains the list of additional authorizations acquired by the user for this specific role.
groups Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
screens Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens).
msgcat Contains the file name of the message catalog that contains the one-line descriptions of system roles.
msgnum Contains the message ID that retrieves this role description from the message catalog.
Examples
A typical stanza looks like the following example for the ManageAllUsers role:
ManageAllUsers:
rolelist = ManageBasicUsers
authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
groups = security
screens = mkuser,rmuser,!tcpip
* Source Article from : Internet
Ex: - test:!:206:1:Test user:/home/test:/usr/bin/ksh
Total 7 fields in /etc/passwd file
Username : password : uid : gid : comment : users home directory : users login shell
If password field show ! then it mean password is stored in some other file.
If shows * means user account is disable
The file is stored in etc and all the user have rights to read the file but it can only be written by the superuser. The file has each line as a record of an individual user. Each line contains 7 fields seperated by ":“.Which is also known as IFS (Internal Field Seperater) . Each line of /etc/passwd looks something like this...
root:x:0:0:root:/root:/bin/bash
i) First field shows the loginname of the user.
ii) Shows the password since shadowing is been used this field will only show "!" which indicates that the password is stored in /etc/shadow
iii) This shows the UID (user id) of the user which is unique to each user.
iv) This shows the GID (group id) of the user.
v) This field is used for user comments or user details,fed by chfn command. Hence "chfn" details are fed into this field.
vi) This field indicates the home or working directory of the user.
vii) This field determines the shell used by the user when ever he/she logs in
/etc/security/passwd
Ex: - sybase:
password = 1wanjkFCH3OMU
lastupdate = 1123694767
flags =
Users encrypted passwords are stored here. Total 4 Fields.
Password: -
Specifies the encrypted password. The system encrypts the password created with the passwd command or the pwdadm command. If the password is empty, the user does not have a password. If the password is an * (asterisk), the user cannot log in. The value is a character string. The default value is *.
Lastupdate: -
Specifies the time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed.
Flags: -
Specifies the restrictions applied by the login, passwd, and su commands. Following flags
ADMCHG: - Password was last changed by an administrator or root
ADMIN: - User password can only be change by administrator/root only.
NOCHECK: - None of the system password restrictions defined in the /etc/security/user file are enforced for this password.
/etc/security/user
Files contain users roles and security. Total 31 fields
account_locked Defines whether the account is locked. Locked accounts can not be used for
login. Possible values: true or false.
admin Defines the administrative status of the user. Possible values: true or false.
admgroups Lists the groups that the user administrates.
auth1 Defines primary authentication methods for a user. Commands login, telnet,
rlogin, and su support these authentication methods.
Possible values: SYSTEM, NONE, Token;Username.
SYSTEM :Describes normal password authentication in Version 3. Version 4 has
extended this definition to include loadable modules and an
authentication grammar. See SYSTEM attribute description below.
NONE :No authentication.
TOKEN; USERNAME: -A generic name for a custom authentication method
defined in /etc/security/login.cfg.
Example: - If auth1 is: auth1 = SYSTEM,mylogin;mary, And the stanza in
/etc/security/login.cfg is:
mylogin:
program = /etc/myprogram
This will do password authentication, and then invoke the program
/etc/myprogram with "mary" as the first parameter.
auth2 Defines the secondary authentication methods for a user. It is not a
requirement to pass this method to login. See auth1 description above for
examples.
SYSTEM Authenticate user weather it’s a local user login or domain user login. Describes
Version 4 authentication requirements. This attribute can be used to
describe multiple or alternate authentication methods. See authenticate()
routine and SYSTEM grammar manual pages.
Possible tokens:
files : local only authentication.
compat : local plus NIS authentication. Version 3 behavior
DCE : Distributed Computing Environment authentication.
Example:
SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
daemon Defines whether the user can execute programs using the system resource
controller (SRC). Possible values: true or false.
Dictionlist Defines the password dictionaries used when checking new passwords. The
format is a comma-separated list of absolute path names to dictionary files. A
dictionary file contains one word per line where each word has no leading or
trailing white space. Words should only contain 7 bit ASCII characters. All
dictionary files and directories should be write protected from everyone except
root. The default is valueless, which is equivalent to no dictionary checking.
Example dictionary: /usr/share/dict/words (Only available if text processing is
installed.)
expires Defines the expiration time for the user account. Possible values: a valid date in
the form MMDDHHMMYY or 0. If 0 the account does not expire. If 0101000070
the account is disabled. The range for YY is:
00 - 38 years 2000 thru 2038
39 - 99 years 1939 thru 1999
histexpire Defines the period of time in weeks that a user will not be able to reuse a
password. Possible values: an integer value between 0 and 260. 26
(approximately 6 months) is the recommended value. If previous password is
cms12 and if I enter histexpire=3 i.e 3 weeks, then user cannot reuse the same
password cms12 until 3 weeks are left. if histsize=2 he will not be able to
reuse the password until changes for atleast 2 times even if he has changed
password for 2 times, he will not allow to reuse the same password until 3 weeks
left. Ex: - histexpire = 52 – defines how long a password cannot be re-used
histsize Defines the number of previous passwords which cannot be reused. If I enter
histsize=2, and users current password say cms12, then he cannot use the same
password until he changes a password for atleast 2 times. Possible
values: an integer value between 0 and 50. Ex: - histsize = 20 – defines how
many previous passwords the system remembers
login Defines whether the user can login. Possible values : true or false.
logintimes Defines the times a user can login. The value is a comma separated list of items
as follows: [!][MMdd[-MMdd]]:hhmm-hhmm
[!]MMdd[-MMdd][:hhmm-hhmm] or
[!][w[-w]]:hhmm-hhmm or
[!]w[-w][:hhmm-hhmm]
where MM is a month number (00=January, 11=December), dd is the day of the
month, hh is the hour of the day (00 - 23), mm is the minute of the hour, and w is
a weekday (0=Sunday, 6= Saturday).
loginretries The number of invalid login attempts before a user is not allowed to login.
Possible values: a positive integer or 0 to disable this feature. the user's
unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than
the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \ unsuccessful_login_count=0
maxage Defines the maximum number of weeks a password is valid. The default is 0,
which is equivalent to unlimited. Range: 0 to 52.
maxexpired Defines the maximum number of weeks after maxage that an expired password
can be changed by a user. After this defined time, only an administrative user can
change the password. The default is -1, which is equivalent to unlimited.
Range: -1 to 52. maxage must be greater than 0 for maxexpired to be enforced.
(root is exempt from maxexpired.) Ex: - maxexpired = 4 – maximum time in
weeks a password can be changed after it expires
maxrepeats Defines the maximum number of times a given character can appear in a
password. The default is 8, which is equivalent to unlimited. Range: 0 to 8.
minage Defines the minimum number of weeks between password changes. The default is
0. Range: 0 to 52.
minalpha Defines the minimum number of alphabetic characters in a password. The
default is 0. Range: 0 to 8.
mindiff Defines the minimum number of characters in the new password that were not in
the old password. The default is 0. Range: 0 to 8.
minlen Defines the minimum length of a password. The default is 0. Range: 0 to 8.
minother Defines the minimum number of non-alphabetic characters in a password. The
default is 0. Range: 0 to 8.
pwdchecks You can specify a script to authenticate user password instead of using
/etc/security/passwd. Defines external password restriction methods used when
checking new passwords. The format is a comma-separated list of absolute path
names to methods and/or method path names relative to /usr/lib. A password
restriction method is a program module that is loaded by the password
restrictions code at runtime. All password restriction methods and directories
should be write protected from everyone except root. The default is valueless,
which is equivalent to no external password restriction methods.
pwdwarntime The number of days before a forced password change that a warning will be
given to the user informing them of the impending password change. Possible
values: a positive integer or 0 to disable this feature.
registry Describes where this user is administered. It is used whenever there is a
possibility of resolving a remotely administered user to the local administration
domain. This can happen when network services go down or network databases
are replicated locally. Possible values : files, NIS, or DCE
rlogin Defines whether the user account can be accessed by remote logins. Commands
rlogin and telnet support this attribute. Possible values: true or false.
su Defines whether other users can switch to this user account. Command su supports
this attribute. Possible values: true or false.
sugroups Defines which groups can switch to this user account. Alternatively you may
explicitly deny groups by preceding the group name with a ! character.Possible
values : A list of valid groups separated by commas, ALL, or .
tpath Defines the user's trusted path characteristics. Possible values:
nosak : The Secure Attention Key (SAK) key (^X^R) has no effect.
notsh : The SAK key logs you out. You can never be on the trusted path.
always : When you log in you are always on the trusted path.
on : The trusted path is entered when the SAK key is hit.
Note : This attribute only takes effect if the sak_enabled
attribute (in /etc/security/login.cfg) is set to
true for the port you are logging into.
ttys Defines which terminals can access the user account. Alternatively you may
explicitly deny terminals by preceding the terminal name with the ! character.
Possible values: List of device paths separated by commas, ALL or .
umask Defines the default umask for the user. Possible values: three-digit octal value.
Notes: Boolean values (i.e. true or false) may use any of the following values.
These values are not case sensitive. true, false, yes, no, always, never.
Ex: - A typical stanza looks like the following example for user dhs:
dhs:
login = true
rlogin = false
ttys = /dev/console
sugroups = security,!staff
expires = 0531010090
tpath = on
admin = true
auth1 = SYSTEM,METH2;dhs
cmsadmin:
admin = true
maxage = 8
minlen = 6
minalpha = 2
minage = 1
admgroups = adm
To allow all ttys except /dev/tty0 to access the user account, change the ttys entry so that it reads as follows:
ttys = !/dev/tty0,ALL
/etc/profile
Sets the user environment at login time.
The $HOME/.profile file contains commands that the system executes when you log in. The .profile also provides variable profile assignments that the system sets and exports into the environment. The /etc/profile file contains commands run by all users at login.
After the login program adds the LOGNAME (login name) and HOME (login directory) variables to the environment, the commands in the $HOME/.profile file are executed, if the file is present. The .profile file contains the individual user profile that overrides the variables set in the profile file and customizes the user-environment profile variables set in the /etc/profile file. The .profile file is often used to set exported environment variables and terminal modes. The person who customizes the system can use the mkuser command to set default .profile files in each user home directory. Users can tailor their environment as desired by modifying their .profile file.
Note: The $HOME/.profile file is used to set environments for the Bourne and Korn shells. An equivalent environment for the C shell is the $HOME/.cshrc file.
Examples
The following example is typical of an /etc/profile file:
#Set file creation mask unmask 022
#Tell me when new mail arrives
MAIL=/usr/mail/$LOGNAME
#Add my /bin directory to the shell
search sequence
PATH=/usr/bin:/usr/sbin:/etc::
#Set terminal type
TERM=lft
#Make some environment variables global
export MAIL PATH TERM
$HOME/.hushlogin
If this file exist in root or any users home directory you can get /etc/motd or login message.
/etc/group
Ex: - sybase:!:201:Sybase
staff:!:1:ipsec,sybase,utsdev,utstest,utsusr,test,subrep,utsusrwc,utstalk,utssub
Total 4 fields in /etc/group
Group Name : group password : group id : group members
Group password ! means password is stored some where else in a file, doesn’t exist in AIX.
/etc/security/group
This file contain all the groups on system and there roles i.e. Who is administrator of group, who manages group users are defined here, extended group roles.
Adms: - Defines the group administrators. Administrators are users who can perform
administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string.
admin : - Defines the administrative status of the group.
Possible values are:
True Defines the group as administrative. Only the root user can change the
attributes of groups defined as administrative.
False Defines a standard group. The attributes of these groups can be changed
by the root user or a member of the security group. This is the default
value.
EX: - # more /etc/security/group
system:
admin = true
adms = cmsadmin
staff:
admin = false
bin:
admin = true
sys:
admin = true
adm:
admin = true
adms = cmsadmin
/etc/security/login.cfg
Contains configuration information for login and user authentication.
There are three types of stanzas: -
Port Defines the login characteristics of ports.
Authentication method Defines the authentication methods for users.
user configuration Defines programs that change user attributes.
Port Stanzas
Port stanzas define the login characteristics of ports and are named with the full path name of the port. Each port should have its own separate stanza. Each stanza has the following attributes:
herald
Specifies the initial message to be printed out when getty or login prompts for a login name. Defines the login message printed when the getty process opens the port. The default herald is the login prompt. The value is a character string.
herald2
Defines the login message printed after a failed login attempt. The default herald is the login prompt. The value is a character string.
Logindelay
Defines the delay factor (in seconds) between unsuccessful login attempts. If a user enter invalid password and if logindelay=3 i.e 3 seconds, then after invalid login user will get login prompt after 3 seconds i.e its wait for 3 sec between unsuccessful login. The value is a decimal integer string. The default value is 0, indicating no delay between unsuccessful login attempts.
Logindisable
Defines the number of unsuccessful login attempts allowed before the port is locked. If this is set to 3, then port will be locked after 3 invalid login. The value is a decimal integer string. The default value is 0, indicating that the port cannot lock as a result of unsuccessful login attempts.
Logininterval
Defines the time interval (in seconds) in which the specified unsuccessful login attempts must occur before the port is locked. If logindisable is 3 and users enters 3 times invalid password, know the port will be get locked, but if Logininterval is set to 50 i.e 50 seconds, then before locking port system waits for 50 seconds and then port is locked. The value is a decimal integer string. The default value is 0.
loginreenable
Defines the time interval (in minutes) a port is unlocked after a system lock. If a port is locked and loginreenable is 1 i.e 1 minute, then ports get unlocked automatically after 1 minutes. The value is a decimal integer string. The default value is 0, indicating that the port is not automatically unlocked.
Logintimes
Specifies the times, days, or both the user is allowed to access the system.
sak_enabled
Defines whether the secure attention key (SAK) is enabled for the port. The SAK key is the Ctrl-X, Ctrl-R key sequence. Possible values for the sak_enabled attribute are:
True SAK processing is enabled, so the key sequence establishes a trusted path for the port.
false SAK processing is not enabled, so a trusted path cannot be established. This is the default value.
synonym
Defines other path names for the terminal. The path names should be device special files with the same major and minor number and should not include hard or symbolic links. The value is a list of comma-separated path names.
For example, if you specify synonym=/dev/tty0 in the stanza for the /dev/console path name, then the /dev/tty0 path name is a synonym for the /dev/console path name. However, the /dev/console path name is not a synonym for the /dev/tty0 path name unless you specify synonym=/dev/console in the stanza for the /dev/tty0 path name.
Authentication Method Stanzas
auth_method is no longer used. Security methods should be configured in /usr/lib/security/methods.cfg
auth_method:
program = /any/program
program_64 = /any/program64
Auth_method corresponds to a custom authentication method specified in the SYSTEM attribute in /etc/security/user, and /any/program is the program to run in order to do the authentication. The program_64 attribute should be used for process running in 64 bit mode, /any/program64 is a 64 bit program.
These stanzas define the authentication methods for users assigned in the /etc/security/user file. The name of each stanza must be identical to one of the methods defined by the auth1 or the auth2 attribute in the /etc/security/user file.
Each stanza has one attribute:
Program
Contains the full path name of a program that provides primary or secondary authentication for a user. Program flags and parameters may be included.
Since the SYSTEM authentication method is supported directly by the login command and the su command, and the NONE method does not provide any authentication, neither requires definition. However, all other authentication methods must be defined in this file. Different authentication methods can be defined for each user.
User-Configuration Stanzas
User-configuration stanzas provide configuration information for programs that change user attributes. There is one user-configuration stanza: usw.
The usw stanza defines the configuration of miscellaneous facilities. The following attributes can be included:
Logintimeout
Defines the time (in seconds) the user is given to type the password. The value is a decimal integer string. The default is a value of 60.
maxlogins
Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login attempts.
Note: Login sessions include rlogins and telnets; these are counted against the maximum allowable number of simultaneous logins by the maxlogins attribute.
shells
Defines the valid shells on the system. This attribute is used by the chsh command to determine which shells a user can select. The value is a list of comma-separated full path names. The default is /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, or /usr/bin/tsh.
Ex: -
default:
sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
herald = "\n\* Unreserved Ticketing System's Restricted Area *\n\r* Unauthorized use of this system is prohibited*\n\r* All Invalid logins are monitored for audit,*\n\r improper use of this system is criminal offence *\n\rLogin: "
*/dev/console:
• synonym = /dev/tty0
usw:
shells = /bin/sh, /bin/bsh, /bin/csh, /bin/ksh, /bin/tsh, /bin/ksh93, /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh,/us
r/bin/tsh, /usr/bin/ksh93, /usr/bin/rksh, /usr/bin/rksh93, /usr/sbin/uucp/uucico, /usr/sbin/sliplogin, /usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
auth_type = STD_AUTH
/etc/security/failedlogin
All failed login attempts are made here
/etc/security/lastlog
Defines the last login attributes for users.
time_last_login
The last time that the user successfully logged into the system. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last successful login. The value is a decimal integer.
tty_last_login
The last tty port that the user successfully logged into. Specifies the terminal on which the user last logged in. The value is a character string.
host_last_login
The host from which the user logged in from if the tty was not locally attached. This implies that the user used telnet or rlogin to log into the system. Specifies the host from which the user last logged in. The value is a character string.
unsuccessful_login_count
The number of attempts to log in as the user since the last successful login. The value is a decimal integer. This attribute works in conjunction with the user's loginretries attribute, specified in the /etc/security/user file, to lock the user's account after a specified number of consecutive unsuccessful login attempts. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute to be less than the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \ unsuccessful_login_count=0
time_last_unsuccessful_login
The time that the last unsuccessful attempt to log in as the user was made. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last unsuccessful login. The value is a decimal integer.
tty_last_unsuccessful_login
The tty port of the last unsuccessful attempt to log in as the user was made. Specifies the terminal on which the last unsuccessful login attempt occurred. The value is a character string.
host_last_unsuccessful_login
The host from which the last unsuccessful attempt to log in as the user was made. Specifies the host from which the last unsuccessful login attempt occurred. The value is a character string.
All user database files should be accessed through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases.
EX: -
root:
time_last_login = 1139610504
tty_last_login = ftp
host_last_login = ::ffff:10.128.0.52
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1136845660
tty_last_unsuccessful_login = ftp
host_last_unsuccessful_login = ::ffff:10.128.0.52
sybase:
time_last_login = 1139428239
tty_last_login = /dev/pts/6
host_last_login = loopback
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1139428235
tty_last_unsuccessful_login = /dev/pts/6
host_last_unsuccessful_login = loopback
/etc/environment
Sets up the user environment.
The /etc/environment file contains variables specifying the basic environment for all processes. When a new process begins, the exec subroutine makes an array of strings available that have the form Name=Value. This array of strings is called the environment. Each name defined by one of the strings is called an environment variable or shell variable. The exec subroutine allows the entire environment to be set at one time.
Environment variables are examined when a command starts running. The environment of a process is not changed by altering the /etc/environment file. Any processes that were started prior to the change to the /etc/environment file must be restarted if the change is to take effect for those processes. If the TZ variable is changed, the cron daemon must be restarted, because this variable is used to determine the current local time.
HOME
The full path name of the user login or HOME directory. The login program sets this to the name specified in the /etc/passwd file.
LANG
The locale name currently in effect. The LANG variable is set in the /etc/environment file at installation time.
NLSPATH
The full path name for message catalogs. The default is:
/usr/lib/nls/msg/%L/%N: /usr/lib/nls/msg/%L/%N.cat:
where %L is the value of the LC_MESSAGES category and %N is the catalog file name.
Note: See the chlang command for more information about changing message catalogs.
LC__FASTMSG
If LC_FASTMEG is set to false, POSIX-compliant message handling is performed. If LC__FASTMSG is set to true, it specifies that default messages should be used for the C and POSIX locales and that NLSPATH is ignored. If this variable is set to anything other than false or unset, it is considered the same as being set to true. The default value is LC__FASTMSG=true in the /etc/environment file.
LOCPATH
The full path name of the location of National Language Support tables. The default is /usr/lib/nls/loc and is set in the /etc/profile file. If the LOCPATH variable is a null value, it assumes that the current directory contains the locale files.
Note: All setuid and setgid programs will ignore the LOCPATH environment variable.
PATH
The sequence of directories that commands such as the sh, time, nice and nohup commands search when looking for a command whose path name is incomplete. The directory names are separated by colons.
TZ
The time-zone information. The TZ environment variable is set by the /etc/environment file. The TZ environment variable has the following format (spaces inserted for readability):
std offset dst offset, rule
The fields within the TZ environment variable are defined as follows:
std and dst
Designate the standard (std) and summer (dst) time zones. Only the std value along with the appropriate offset value is required. If the dst value is not specified, summer time does not apply. The values specified may be no less than three and no more than TZNAME_MAX bytes in length. The length of the variables corresponds to the %Z field of the date command; for libc and libbsd, TZNAME_MAX equals three characters. Any nonnumeric ASCII characters except the following may be entered into each field: a leading : (colon), a , (comma), a - (minus sign), a + (plus sign), or the ASCII null character.
Note: POSIX 1.0 reserves the leading : (colon) for an implementation-defined TZ specification. AIX disallows the leading colon, selecting CUT0 and setting the %Z field to a null string.
An example of std and dst format is as follows: EST5EDT
EST
Specifies Eastern U.S. standard time.
5
Specifies the offset, which is 5 hours behind Coordinated Universal Time (CUT).
EDT Specifies the corresponding summer time zone abbreviation.
Note: See "Time Zones" for a list of time zone names defined for the system.
offset Denotes the value added to local time to equal Coordinated Universal Time (CUT). CUT is the international time standard that has largely replaced Greenwich Mean Time. The offset variable has the following format:
hh:mm:ss
The fields within the offset variable are defined as follows:
hh
Specifies the dst offset in hours. This field is required. The hh value can range between the integers -12 and +11. A negative value indicates the time zone is east of the prime meridian; a positive value or no value indicates the time zone is west of the prime meridian.
mm
Specifies the dst offset detailed to the minute. This field is optional. If the mm value is present, it must be specified between 0 and 59 and preceded by a : (colon).
Ss
Specifies the dst offset detailed to the second. The ss field is optional. If the ss value is present, it must be specified between 0 and 59 and preceded by a : (colon).
An offset variable must be specified with the std variable. An offset variable for the dst variable is optional. If no offset is specified with the dst variable, the system assumes that summer time is one hour ahead of standard time.
As an example of offset syntax, Zurich is one hour ahead of CUT, so its offset is -1. Newfoundland is 1.5 hours ahead of eastern U.S. standard time zones. Its syntax can be stated as any of the following: 3:30, 03:30, +3:30, or 3:30:00.
rule The rule variable indicates when to change to and back from summer time. The rule variable has the following format:
start/time,end/time
The fields within the rule variable are defined as follows:
start
Specifies the change from standard to summer time.
end
Specifies the return to standard time from summer time.
Time
Specifies when the time changes occur within the time zone. For example, if the time variable is encoded for 2 a.m. then the time changes when the time zone reaches 2 a.m. on the date specified in the start variable.
EX: -
TZ=IST+5:30
LANG=en_US
LOCPATH=/usr/lib/nls/loc
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
LC__FASTMSG=true
# ODM routines use ODMDIR to determine which objects to operate on
# the default is /etc/objrepos - this is where the device objects
# reside, which are required for hardware configuration
ODMDIR=/etc/objrepos
/etc/security/environ
Defines the environment attributes for users.
If environment attributes are not defined, the system uses default values. Each user stanza can have the following attributes:
Usrenv
Defines variables to be placed in the user environment when the initial login command is given or when the su command resets the environment. The value is a list of comma-separated attributes. The default value is an empty string.
Sysenv
Defines variables to be placed in the user protected state environment when the initial login command is given or when the su command resets the environment. These variables are protected from access by unprivileged programs so other programs can depend on their values. The default value is an empty string.
Examples :- A typical stanza looks like the following example for user dhs:
dhs:
usrenv = "MAIL=/home/spool/mail/dhs,MAILCHECK=600"
sysenv = "NAME=dhs@delos"
EX: -
default:
root:
daemon:
/etc/security/limits
Defines process resource limits for users.
Note: Changing the limit does not affect those processes that started by init, or alternatively, ulimits are only used by those processes that go through the login processes.
The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.
Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. A new-line character ends each attribute, and an additional new-line character ends each stanza. If you do not define an attribute for a user, the system applies default values.
If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:
Resource Hard Value
Core Size unlimited
CPU Time cpu
Data Size unlimited
File Size fsize
Memory Size unlimited
Stack Size unlimited
File Descriptors unlimited
Note: Use a value of -1 to set a resource to unlimited.
If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values.
You can set the following limits on a user:
fsize
Largest file size that can be created or extended, identifies the soft limit for the largest file a user's process can create or extend.
core
Largest core file size that can be created, Specifies the soft limit for the largest core file a user's process can create.
cpu
Amount of cpu time to be used by each process. Must log out and back in for the changes to take affect.
Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data
Identifies the soft limit for the largest process data segment for a user's process.
stack
Specifies the soft limit for the largest process stack segment for a user's process.
Rss
Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
Nofiles
Sets the soft limit for the number of file descriptors a user process may have open at one time.
core_hard
Specifies the largest core file a user's process can create.
cpu_hard
Sets the largest amount of system unit time (in seconds) that a user's process can use.
data_hard
Identifies the largest process data segment for a user's process.
fsize_hard
Identifies the largest file a user's process can create or extend.
rss_hard
Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
stack_hard
Specifies the largest process stack segment for a user's process.
nofiles_hard
Sets the soft limit for the number of file descriptors a user process may have open at one time.
Except for the cpu attribute, each attribute must be a decimal integer string representing the number of 512-byte blocks allotted to the user. The cpu attribute is a decimal integer string representing the amount of system unit time in seconds.
EX: -
default:
fsize = -1
* 2097151
core = -1
* 2097151
cpu = -1
data = -1
* 262144
rss = -1
* 65536
stack = -1
* 65536
nofiles = 8000
root:
daemon:
/etc/shells
All valid shells are specify in this file.
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/psh
/usr/bin/tsh
/usr/bin/bsh
/etc/motd
Message of the day file
/etc/security/.ids
Holds the value for the next assignment to a group/user id and group/user admin id. Used by mkuser and mkgroup commands.
Sample contents: 4 203 12 200
• 4 = administrative user id (mkuser -a)
• 203 = user id (mkuser)
• 12 = administrative group id (mkgroup -a)
• 200 = group id (mkgroup)
Ex: -
# more /etc/security/.ids
8 213 14 202
Check /etc/passwd, you will see the last uid will be 212 if above “more /etc/security/.ids”
Displays the second column output as 213. This means that this file contains the UID’s or GID’s for next user or group to be made on system user useradd or adduser, system will assign automatically UID as 213 to new user and updates the /etc/security/.ids’s file’s second colume to 214.
/etc/security/.profile
/usr/lib/security/mkuser.sys
This scripts is run during user creation process, this scripts creates users home directory, gives group and ownership rights to that home directory and at last copy the /etc/security/.profile to users home directory/.profile
cp /etc/security/.profile $1/.profile
/usr/lib/security/mkuser.default
Contains the default attributes for new users.
The /usr/lib/security/mkuser.default file contains the default attributes for new users. This file is an ASCII file that contains user stanzas. These stanzas have attribute default values for users created by the mkuser command. There are two stanzas, user and admin, that can contain all defined attributes except the id and admin attributes. The mkuser command generates a unique id attribute. The admin attribute depends on whether the -a flag is used with the mkuser command.
Access Control: If read (r) access is not granted to all users, members of the security group should be given read (r) access. This command should grant write (w) access only to the root user.
Example
A typical user stanza looks like the following:
Below are the default attribute which get assign automatically to user, while creating a new user i.e if u just enter the mkuser amrik; here if u r not specifying any attribute i.e Primary group, home directory, this attributes get set automatically, this means to say that below attribute is a default attribute if u not specify system will set it for u.
user:
pgroup = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER
auth1 = SYSTEM
admin:
pgrp = system
groups = system
shell = /usr/bin/ksh
home = /home/$USER
pgroup: - Primary group of user belongs
groups: - secondary group, of whom this user will be member
shell: - Login shell, taken from number shell supported by shell stanza of
/etc/secuirity/login.cfg
home: - Users login home directory, it can modified also.
/etc/security/user.roles
Contains the list of roles for each user. The /etc/security/user.roles file contains the list of roles for each user. This is an ASCII file that contains a stanza for system users. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
This file supports a default stanza. If an attribute is not defined, either the default stanza or the default value for the attribute is used.
A stanza contains the following attribute:
roles Contains the list of roles for each user.
The user.roles file is kept separately from the /etc/security/user file for performance reasons. Several commands scan this database, so system performance increases with smaller files to scan (especially on systems with large numbers of users).
/etc/security/roles
The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used.
A stanza contains the following attributes:
rolelist Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user.
authorizations Contains the list of additional authorizations acquired by the user for this specific role.
groups Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
screens Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens).
msgcat Contains the file name of the message catalog that contains the one-line descriptions of system roles.
msgnum Contains the message ID that retrieves this role description from the message catalog.
Examples
A typical stanza looks like the following example for the ManageAllUsers role:
ManageAllUsers:
rolelist = ManageBasicUsers
authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
groups = security
screens = mkuser,rmuser,!tcpip
* Source Article from : Internet
