Purpose
Loads the system security flag settings into the kernel.
Description
The setsecconf command loads the system security flag settings into the kernel. If you specify any attributes, their values are stored persistently and applied again when the system is restarted. The command can change the flag settings for both the CONFIGURATION and the OPERATIONAL modes of the system, but these flags can be changed only while the system is in CONFIGURATION mode.
Flags
Item | Description
-c | Specifies the CONFIGURATION mode.
-o | Specifies the OPERATIONAL mode.
Parameters
Item | Description
Attribute | You can specify the following attributes:
- root
  Specifies whether the root user is allowed to log in to the system. If enabled, the root user is allowed to log in to the system. If disabled, the root user is not allowed to log in to the system. This flag value cannot be changed on Trusted AIX® systems.
- tnet
  Specifies the Advanced Security Network. If enabled, all data packets are labeled.
- tlwrite
  Specifies whether to enforce the write access checks on the integrity labels (TLs). If enabled, TLs are checked on write, remove, and rename operations. If disabled, TLs can be set, but are ignored on write access checks.
- tlread
  Specifies whether to enforce the read access checks on the integrity labels (TLs). If enabled, TLs are checked on read operations. If disabled, TLs can be set, but are ignored on read access checks.
- traceauth
  Specifies whether authorization tracing is enabled. If enabled, the authorizations used by a process are traced and logged in the process credential; the lssecattr command displays the authorizations that were used. If disabled, no authorizations are traced on the system. By default, this flag is disabled. This flag is meaningful only in OPERATIONAL mode.
- sl
  Specifies whether to enforce the Mandatory Access Control (MAC) flag. If enabled, MAC is enforced. If disabled, sensitivity labels (SLs) can be configured, but are not used to determine access to files and other objects.
- tlib
  Specifies whether to recognize and enforce the Trusted Computing Base (TCB). If enabled, the TCB flag on file system objects is recognized and enforced. If disabled, the TCB flag on objects is ignored and all objects are treated as if they are not TCB objects.
Value | Specifies a value that is either enable or disable.
Security
The setsecconf command is a privileged command. Only users that have the following authorization can run the command successfully:
Item | Description
aix.mls.system.config.write | Required to set the system configuration flags.
Exit Status
The setsecconf command returns the following exit values:
Item | Description
0 | Successful completion.
>0 | An error occurred.
Examples
- To turn on the trusted network flag and turn off the integrity read flag for the CONFIGURATION mode, enter the following command:
  setsecconf -c tnet=enable tlread=disable
- To turn on the integrity write flag for the OPERATIONAL mode, enter the following command:
  setsecconf -o tlwrite=enable
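Because setsecconf writes directly into the kernel and its settings persist across restarts, a configuration script should reject a malformed invocation before the command ever runs. The following shell function is an added example (not part of this reference page or of AIX itself) that performs that pre-flight check: it verifies the mode flag is -c or -o, that every argument has the attribute=value form, that the attribute is one of the seven documented in the Parameters section, and that the value is enable or disable. It also warns when traceauth is given in CONFIGURATION mode, since the page states that flag is meaningful only in OPERATIONAL mode. The function never invokes setsecconf; it only prints the validated command line so the caller can run it (or log it) once validation succeeds. The function and variable names are this example's own choices.

```shell
#!/bin/sh
# Added example: pre-flight validation of a setsecconf command line.
# This does NOT run setsecconf; it only checks the arguments against
# what the reference page documents, so a script can fail early.

# Attributes documented for setsecconf (from the Parameters section).
SETSECCONF_ATTRS="root tnet tlwrite tlread traceauth sl tlib"

# validate_setsecconf_args MODEFLAG attr=value [attr=value ...]
# Prints the normalized command on success and returns 0.
# Prints a diagnostic to stderr and returns 1 on the first problem found.
validate_setsecconf_args() {
    mode="$1"
    shift
    case "$mode" in
        -c|-o) ;;
        *) echo "mode must be -c (CONFIGURATION) or -o (OPERATIONAL), got '$mode'" >&2
           return 1 ;;
    esac
    if [ $# -eq 0 ]; then
        echo "at least one attribute=value pair is required" >&2
        return 1
    fi

    cmd="setsecconf $mode"
    for pair in "$@"; do
        # Every argument must have the attribute=value shape.
        case "$pair" in
            *=*) ;;
            *) echo "malformed argument '$pair': expected attribute=value" >&2
               return 1 ;;
        esac
        attr="${pair%%=*}"
        value="${pair#*=}"

        # The attribute must be one the command documents.
        found=0
        for known in $SETSECCONF_ATTRS; do
            if [ "$attr" = "$known" ]; then found=1; fi
        done
        if [ "$found" -ne 1 ]; then
            echo "unknown attribute '$attr'" >&2
            return 1
        fi

        # The only documented values are enable and disable.
        case "$value" in
            enable|disable) ;;
            *) echo "attribute '$attr' must be 'enable' or 'disable', got '$value'" >&2
               return 1 ;;
        esac

        # traceauth is meaningful only in OPERATIONAL mode (per the reference).
        if [ "$attr" = "traceauth" ] && [ "$mode" = "-c" ]; then
            echo "warning: traceauth has no effect in CONFIGURATION mode" >&2
        fi

        cmd="$cmd $attr=$value"
    done
    printf '%s\n' "$cmd"
    return 0
}

# Usage: validate first, then hand the printed line to the real command.
#   if line=$(validate_setsecconf_args -c tnet=enable tlread=disable); then
#       echo "would run: $line"
#   fi
```

The check is deliberately strict: an unknown attribute or a value other than enable/disable aborts the whole invocation rather than passing the remaining pairs through, so a typo cannot silently leave one security flag unchanged while the others are applied.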
Files
Item | Description
/usr/sbin/setsecconf | Contains the setsecconf command.