authrpt Command

Purpose

Reports the security capabilities of authorizations.

Syntax

authrpt [-Rload_module] [-C] [-c | -f | -r | -u] { auth1,auth2 ... }

Description

The authrpt command reports capability information of authorizations such as privileged commands, privileged files, role, and user information.

One of the -c, -f, -r, or -u flags can be specified.

When the -c option is specified, the privileged commands in the /etc/security/privcmds database that can be executed by the authorizations are listed. The -c option can also be used to list the commands that have the ALLOW_ALL, ALLOW_GROUP, and ALLOW_OWNER special authorizations.

When the -f option is specified, the privileged files in the /etc/security/privfiles database that can be accessed by a user who is assigned the authorizations are listed.

When the -u option is specified, the list of users having the authorizations is displayed.

When the -r option is specified, the list of roles having the authorizations is listed.

The command takes a comma-separated list of authorization names as input. When no option is specified, all the capability information such as commands, privileged files, roles, and user information associated with the authorizations is listed.

Flags

Item    Description
-c      Specifies that a report of privileged commands executable by the authorizations is to be obtained.
-f      Specifies that a report of privileged file information accessible by the authorizations is to be obtained.
-u      Specifies that a report of authorized users having the authorizations is to be obtained.
-r      Specifies that a report of roles having the authorizations is to be obtained.
-R      Specifies the loadable module from which to obtain the report of authorization capabilities.
-C      Displays the authorization attributes in colon-separated records, as follows:
            #authorization:attribute1:attribute2: ...
            authorization1:value1:value2: ...
            authorization2:value1:value2: ...

Exit status

Item Description
0 Successful completion.
>0 An error occurred.

Security

Access Control: This command should grant execute (x) access to the root user.

This command can be executed by root or an authorized user with the “aix.security.auth.list” authorization.

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files

Item
/etc/security/roles
/etc/security/authorizations
/etc/security/privcmds
/etc/security/privfiles

Examples

To report the commands associated with authorizations aix.fs and aix.system, use the following syntax:

    authrpt -c aix.fs,aix.system

To report all capabilities of authorization aix.security, use the following syntax:

    authrpt aix.security

To report all capabilities of authorization aix.security.user in colon-separated format, use the following syntax:

    authrpt -C aix.security.user

Information similar to the following appears:

    #authorization:commands:privfiles:roles:users
    aix.security.user:/usr/bin/mkuser,
    /usr/bin/chuser:/etc/csh.cshrc,
    /etc/csh.login:role1:Bob,Simon
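
The colon-separated records produced by the -C flag are suited to scripted review of who holds an authorization. The following is an added example, not part of the original documentation and not IBM code: it parses that output and lists users who hold an authorization but are not on an approved list. The function names parse_authrpt and unexpected_users, and the joining of lines that end in a comma, are assumptions based on the sample output above.

```shell
#!/bin/sh
# Added example (not IBM code): audit authorization holders from
# `authrpt -C` output read on stdin.

# parse_authrpt: print "authorization<TAB>column<TAB>item" per item.
# Column names come from the "#authorization:..." header line. Lines that
# end in a comma are joined with the next line (assumption: this matches
# the wrapped sample output in the documentation).
parse_authrpt() {
    awk '
    function emit(rec,    f, n, i, j, m, items) {
        n = split(rec, f, ":")
        if (n != ncol) { print "malformed record: " rec | "cat 1>&2"; bad = 1; return }
        for (i = 2; i <= n; i++) {
            m = split(f[i], items, ",")
            for (j = 1; j <= m; j++)
                if (items[j] != "") print f[1] "\t" col[i] "\t" items[j]
        }
    }
    { gsub(/^[ \t]+|[ \t\r]+$/, "") }      # trim indentation and CRs
    $0 == "" { next }
    /^#/ { sub(/^#/, ""); ncol = split($0, col, ":"); next }   # header
    { buf = buf $0 }
    buf ~ /,$/ { next }                    # record continues on next line
    { emit(buf); buf = "" }
    END { if (buf != "") emit(buf); exit bad + 0 }
    '
}

# unexpected_users APPROVED: print "authorization user" for each holder
# that is not in the comma-separated APPROVED list.
unexpected_users() {
    parse_authrpt | awk -F'\t' -v ok="$1" '
    BEGIN { n = split(ok, a, ","); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    $2 == "users" && !($3 in allowed) { print $1, $3 }
    '
}

# Constructed input: the sample record shown in the Examples section.
SAMPLE='#authorization:commands:privfiles:roles:users
aix.security.user:/usr/bin/mkuser,
/usr/bin/chuser:/etc/csh.cshrc,
/etc/csh.login:role1:Bob,Simon'
printf '%s\n' "$SAMPLE" | unexpected_users "Bob"
```

On a live system, the same check reads the command output directly: authrpt -C aix.security.user | unexpected_users "Bob".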