roleqry Command

Purpose

Queries the usage of roles over a time period.

Syntax

roleqry {-c [-s] | -q [-F <trailListFile>] [-t <time_period_in_days>]} user

Description

The roleqry command queries information about the roles used by a user over a specified time frame.

When the -c flag is specified, the user is configured for the auditing of role information and authorization information. A rbacqry class is added to the /etc/security/audit/config file with events for auditing authorizations and roles. If the user is already being audited (that is, a user entry is already present in the configuration file), the rbacqry class is added to that user's entry. Otherwise the user name is added to /etc/security/audit/config with the rbacqry class. If the -s flag is also specified, the user is enabled for audit: if the audit subsystem is already turned on, it is restarted; if it is turned off, it is started.

When the -q flag is specified, the audit data is queried for role information. When the -t flag is specified, role usage from the specified number of days before the current system date up to the current date is queried. Without the -t flag, role usage over the period since auditing was enabled for that user is obtained. The command displays the entire set of roles used during the time frame.

Note: The roleqry command makes use of the auditing feature in AIX®. For roleqry to work as expected, auditing must be turned on, the audit configuration for the user must be set up, and audit data must have been collected during the specified time frame.
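The two behaviours described above (the -c edit of /etc/security/audit/config and the -q/-t time-window query) can be modelled in a few lines. The following is an added illustration, not code from the roleqry command or from AIX: it parses the stanza format of the audit config file, adds the rbacqry class and the user entry the way the description states, and filters a constructed list of role-use records by the -t window. The event names placed in the rbacqry class, the sample config, and the sample records are all assumptions made up for the example.

```python
"""Model of roleqry -c (config edit) and roleqry -q [-t days] (window query).
Added example; not AIX code. Stanza format follows /etc/security/audit/config."""
from collections import OrderedDict
from datetime import datetime, timedelta

# PLACEHOLDER: the page does not list the events roleqry puts in the rbacqry
# class, so these names are invented for illustration only.
RBACQRY_EVENTS = "ROLE_EVENT_PLACEHOLDER,AUTH_EVENT_PLACEHOLDER"

# Constructed sample of the stanza file; not a real system's configuration.
SAMPLE_CONFIG = """\
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink

users:
        root = general
        bob = general
"""


def parse_audit_config(text):
    """Parse 'name:' stanzas of 'key = value' lines into an ordered mapping
    {stanza: [(key, value), ...]} so the file can be written back in order."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # '*' starts a comment in AIX stanza files
            continue
        if line.endswith(":"):
            current = line[:-1]
            stanzas[current] = []
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def format_audit_config(stanzas):
    """Serialise the mapping back into stanza text (one tab of indentation)."""
    out = []
    for name, entries in stanzas.items():
        out.append(f"{name}:")
        out.extend(f"\t{k} = {v}" for k, v in entries)
        out.append("")
    return "\n".join(out)


def enable_role_audit(text, user):
    """What roleqry -c does: ensure a rbacqry class exists, then either append
    rbacqry to an existing user entry or add a new entry with only rbacqry."""
    stanzas = parse_audit_config(text)
    classes = stanzas.setdefault("classes", [])
    if not any(k == "rbacqry" for k, _ in classes):
        classes.append(("rbacqry", RBACQRY_EVENTS))
    users = stanzas.setdefault("users", [])
    for i, (k, v) in enumerate(users):
        if k == user:
            current = [c.strip() for c in v.split(",") if c.strip()]
            if "rbacqry" not in current:
                current.append("rbacqry")
            users[i] = (k, ",".join(current))
            break
    else:  # user not yet audited: add a new entry
        users.append((user, "rbacqry"))
    return format_audit_config(stanzas)


def user_audit_classes(text, user):
    """Return the audit classes configured for user (empty if not audited)."""
    for k, v in parse_audit_config(text).get("users", []):
        if k == user:
            return [c.strip() for c in v.split(",")]
    return []


def roles_used(records, user, days=None, now=None):
    """What roleqry -q [-t days] reports: the set of roles user exercised in
    the window. records are constructed (timestamp, user, role) tuples standing
    in for role events read from the audit trail. With days=None the whole
    trail (everything since auditing was enabled) is considered."""
    now = now or datetime.now()
    start = now - timedelta(days=days) if days is not None else None
    return {role for ts, u, role in records
            if u == user and (start is None or start <= ts <= now)}


if __name__ == "__main__":
    print(enable_role_audit(SAMPLE_CONFIG, "bob"))
    now = datetime(2024, 6, 30, 12, 0)
    sample = [(now - timedelta(days=1), "bob", "SysBoot"),
              (now - timedelta(days=25), "bob", "FSAdmin")]
    print(roles_used(sample, "bob", days=20, now=now))
```

Running it prints the rewritten config with `bob = general,rbacqry` and `{'SysBoot'}` for a 20-day window; the 25-day-old FSAdmin use only appears when -t is omitted, which matches the note that data must actually have been collected inside the requested time frame.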

Flags

Item  Description
-c    Configures the user for auditing of role usage.
-s    Starts the auditing subsystem if it is turned off; shuts down and restarts the auditing subsystem if it is already turned on.
-q    Queries the audit data for role usage over a time period.
-F    Reads the names of the audit trails from which to obtain audit information from trailListFile, one file name per line of text. If the -F flag is not specified, the system audit/trail file is used by default as the file from which to obtain audit information.
-t    Specifies the number of days before the current date over which to get the authorization usage.

Exit Status

Item Description
0 Successful completion.
>0 An error occurred.

Security

Access Control: This command should grant execute (x) access to the root user.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files:
  • /etc/security/roles
  • audit/trail

Examples

  1. To query the roles used by Bob, run the following command:
     roleqry -q Bob
  2. To query the roles used by Simon for the past 20 days, run the following command:
     roleqry -q -t 20 Simon