setsecconf Command

Purpose

Loads the system security flag settings into the kernel.

Syntax

setseconf { -c | -o } [ Attribute = Value ... ]

Description

The setsecconf command loads the system security flag settings into the kernel. If you specify any attributes, the values of these attributes are stored and used when the system is restarted. This command can change the setting of the flags for the CONFIGURATION and OPERATIONAL modes of the system, but these flags can be changed only when the system is in the CONFIGURATION mode.

Flags

Item Description
-c Specifies the CONFIGURATION mode.
-o Specifies the OPERATIONAL mode.

Parameters

Item Description
Attribute You can specify the following attributes:
root
Specifies if the root user is allowed to log in to the system. If enabled, the root user is allowed to log in to the system. If disabled, the root user is not allowed to log in to the system. This flag value can not be changed in trusted AIX® systems.
tnet
Specifies the Advanced Security Network. If enabled, all of the data packets are labeled.
tlwrite
Specifies whether to enforce the write access checks on the integrity labels (TLs). If enabled, TLs are checked on write, remove, and rename operations. If disabled, TLs can be set, but are ignored on write access checks.
tlread
Specifies whether to enforce the read access checks on the integrity labels (TLs). If enabled, TLs are checked on read operations. If disabled, TLs can be set, but are ignored on read access checks.
traceauth
Specifies if authorization tracing is enabled. If enabled, the authorizations used in a process are traced and logged in a process credential. The lssecattr command is used to display used authorizations. If disabled, no authorizations are traced in a system. By default, this flag is disabled. This flag is only meaningful in the operational mode.
sl
Specifies whether to enforce the Mandatory Access Control (MAC) flag. If enabled, MAC is enforced. If not enabled, sensitivity labels (SLs) can be configured, but not used to determine the access to files and other objects.
tlib
Specifies whether to recognize and enforce the Trusted Computing Base (TCB). If enabled, the TCB flag on file system objects is recognized and enforced. If disabled, the TCB on objects is ignored and all objects are treated as if they are not TCB objects.
Value Specifies a value that is either enable or disable.

Security

The setsecconf command is a privileged command. Only users that have the following authorization can run the command successfully:

Item Description
aix.mls.system.config.write Required to set the system configuration flags.

Exit Status

The setsecconf command returns the following exit values:

Item Description
0 Successful completion.
>0 An error occurred.

Examples

  1. To turn on the trusted network and turn off the integrity read system flags for the CONFIGURATION mode run, enter the following command:
    setsecconf –c tnet=enable tlread=disable
  2. To turn on the integrity write system flag for the OPERATIONAL mode run, enter the following command:
    setsecconf –o tlwrite=enable

Files

Item Description
/usr/sbin/setsecconf Contains the setsecconf command.