secconfig(8) [osf1 man page]

secconfig(8)						      System Manager's Manual						      secconfig(8)

NAME
secconfig, secsetup - Security features setup graphical interface (Enhanced Security)

SYNOPSIS
/usr/sbin/sysman secconfig

NOTE: The secsetup utility has been replaced by the secconfig graphical interface.

DESCRIPTION
The secconfig utility is a graphical interface used to select the level of system security needed. It can convert from base to enhanced security mode, and configure base and enhanced security features. If you are using secconfig to enable enhanced security, you must first have loaded the enhanced security subsets.

You can run secconfig while the system is in multiuser mode. However, if you change the security level, the change is not completed until you reboot the system.

For both base and enhanced security, the secconfig utility allows you to enable segment sharing, to enable access control lists (ACLs), and to restrict the setting of the execute bit to root only.

For enhanced security, the secconfig utility additionally allows you to configure security support from simple shadow passwords all the way to a strict C2 level of security. Shadow password support is an easy method for system administrators who do not wish to use all of the extended security features to move each user's password out of /etc/passwd and into the extended user profile database (auth.db). You can use the Custom mode if you wish to select additional security features, such as breakin detection and evasion, automatic database trimming, and password controls.

When converting from base to enhanced security, secconfig updates the system default database (/etc/auth/system/default) and uses the convuser utility to migrate user accounts. While it is possible to convert user accounts from enhanced back to base, the default encryption algorithms and supported password lengths differ between base and enhanced security, and thus user account conversions do not succeed without a password change.

NOTE: Because of the page table sharing mechanism used for shared libraries, the normal file system permissions are not adequate to protect against unauthorized reading. The secconfig interface allows you to disable segment sharing. The change in segment sharing takes effect at the next reboot.

FILES

RELATED INFORMATION
acl(4), authcap(4), default(4), convuser(8), Security

secconfig(8)

db_recover(8)						      System Manager's Manual						     db_recover(8)

NAME
db_recover - Restores the database to a consistent state (Enhanced Security)

SYNOPSIS
/usr/tcb/bin/db_recover [-cv] [-h home]

FLAGS
-c  Failure was catastrophic.
-h home  Specify a home directory for the database. The correct directory for enhanced security is /var/tcb/files.
Write out the pathnames of all of the database log files, whether or not they are involved in active transactions.
-v  Run in verbose mode.

DESCRIPTION
A customized version of the Berkeley Database (Berkeley DB) is embedded in the operating system to provide high-performance database support for critical security files. The DB includes full transactional support and database recovery, using write-ahead logging and checkpointing to record changes.

The db_recover utility runs after an unexpected system failure to restore the security database to a consistent state. All committed transactions are guaranteed to appear after db_recover has run, and all uncommitted transactions are completely undone. DB recovery is normally performed automatically for the security files as part of system startup.

In the case of catastrophic failure, an archival copy, or snapshot, of all database files must be restored along with all of the log files written since the database file snapshot was made. (If disk space is a problem, log files may be referenced by symbolic links.)

If the failure was not catastrophic, the files present on the system at the time of failure are sufficient to perform recovery.

If log files are missing, db_recover identifies the missing log files and fails, in which case the missing log files need to be restored and recovery performed again.

The db_recover utility attaches to one or more of the Berkeley DB shared memory regions. In order to avoid region corruption, it should always be given the chance to detach and exit gracefully. To cause db_recover to clean up after itself and exit, send it an interrupt signal (SIGINT).

RETURN VALUES
The db_recover utility exits 0 on success, and >0 if an error occurs.

ENVIRONMENT VARIABLES
If the -h option is not specified and the environment variable DB_HOME is set, it is used as the path of the database home. The home directory for security is /var/tcb/files.

FILES
/var/tcb/files/auth.db
/var/tcb/files/dblogs/*

RELATED INFORMATION
Commands: db_archive(8), db_checkpoint(8), db_printlog(8), db_dump(8), db_load(8), db_stat(8), secconfig(8)

db_recover(8)
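
The script below is an added example, not part of the man page or of the operating system's tooling: a pre-flight check that the files db_recover needs are present before recovery is attempted, including log files that are referenced through symbolic links. The function names, the fallback to /var/tcb/files when neither a home argument nor DB_HOME is given, and the return codes 1 and 2 are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check before running db_recover.
# The layout (auth.db, dblogs/) is taken from the FILES section;
# function names and return codes are this example's own choices.

# resolve_home [explicit_home]
# Pick the database home: an explicit value (what would be passed to -h),
# else DB_HOME, else the security home named in the man page.
# The final fallback is an assumption of this script.
resolve_home() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -n "${DB_HOME:-}" ]; then
        printf '%s\n' "$DB_HOME"
    else
        printf '%s\n' /var/tcb/files
    fi
}

# preflight [explicit_home]
# Returns 0 if the recovery inputs look complete,
#         1 if auth.db or the dblogs directory is missing,
#         2 if a log file is a symbolic link whose target is gone.
preflight() {
    home=$(resolve_home "${1:-}")
    [ -f "$home/auth.db" ] || { echo "missing $home/auth.db" >&2; return 1; }
    [ -d "$home/dblogs" ] || { echo "missing $home/dblogs" >&2; return 1; }
    rc=0
    for f in "$home"/dblogs/*; do
        # -L: entry is a symlink; ! -e: its target does not exist.
        # db_recover would fail on such a log file as missing.
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "dangling log symlink: $f" >&2
            rc=2
        fi
    done
    return "$rc"
}
```

A non-zero result from preflight means the missing files should be restored from the archival copy before recovery is run.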