Friday, December 24, 2010
Thursday, December 23, 2010
Not able to submit cron jobs in AIX
1. User was not able to submit cron jobs in AIX.
a. I have resolved this issue as below.
b. /var/adm/cron/cron.allow -- to allow user to enable cron job submission.
c. /var/adm/cron/cron.deny -- to disallow user to cron job submission.
d. If you want to enable job submission for user add his user name in cron.allow , to disallow user to cron job submission add his name in cron.deny file. Root can do it.
e. Both files were ok then what was the issue?
f. User was not able to add cron entries as it’s “deamon” attribute was set to false.
g. I have changed it to TRUE.
h. And User was happy and appreciated me for this.
dtem:@:/var/adm/cron: lsuser oracle
oracle id=219 pgrp=dba groups=dba,oracle,vectus,release,released,2release,btchs5 home=/usr/local/oracle shell=/usr/bin/ksh gecos=dtem Oracle user login=true su=true rlogin=true daemon=false admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=27 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=7 account_locked=false minage=0 maxage=4 maxexpired=-1 minalpha=2 minother=2 mindiff=2 maxrepeats=4 minlen=8 histexpire=52 histsize=12 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=131072 nofiles=2000 time_last_login=1249279890 time_last_unsuccessful_login=1269238723 tty_last_login=/dev/pts/2 tty_last_unsuccessful_login=ftp host_last_login=35.101.8.66 host_last_unsuccessful_login=::ffff:35.248.120.16 unsuccessful_login_count=10 roles=
Changed it to true but how ?
dtem:@:/var/adm/cron: lsuser oracle
oracle id=219 pgrp=dba groups=dba,oracle,vectus,release,released,2release,btchs5 home=/usr/local/oracle shell=/usr/bin/ksh gecos=dtem Oracle user login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=27 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=7 account_locked=false minage=0 maxage=4 maxexpired=-1 minalpha=2 minother=2 mindiff=2 maxrepeats=4 minlen=8 histexpire=52 histsize=12 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=131072 nofiles=2000 time_last_login=1249279890 time_last_unsuccessful_login=1269238723 tty_last_login=/dev/pts/2 tty_last_unsuccessful_login=ftp host_last_login=35.101.8.66 host_last_unsuccessful_login=::ffff:35.248.120.16 unsuccessful_login_count=10 roles=
Tuesday, December 21, 2010
Free Online Aix Training - Some links
Learn more about AIX
AIX & UNIX developerWorks zone
http://www-128.ibm.com/developerworks/aix
PowerAIX.org mit indischer User Group
http://www.poweraix.org/groups?groupid=5
Other useful Websites
Support for IBM System p servers
http://www-03.ibm.com/servers/eserver/support/unixservers
Technical Database for AIX
http://www14.software.ibm.com/webapp/set2/srchBroker/views/srchBroker.jsp
Redbooks domain for IBM System p
http://www.redbooks.ibm.com/portals/UNIX
Virtual Loaner Program
http://www.ibm.com/servers/enable/site/vlp
Whitepapers
Performance tuning UNIX systems
http://www-128.ibm.com/developerworks/eserver/library/au-unix-niceprocesses.html
Basic UNIX filesystem operations
http://www-128.ibm.com/developerworks/aix/library/au-unix-readdir.html
AIX 5L service strategy and best practices
http://www-03.ibm.com/servers/eserver/support/unixservers/aix_service_strategy.html
Hardware Management Console (HMC)
http://www-03.ibm.com/servers/eserver/support/unixservers/hmc_best_practices.html
High Availability on IBM System p servers. Considerations and sample architectures
http://www-03.ibm.com/servers/eserver/support/unixservers/arch_ha_systemp5.html
IBM System p servers in Production environments. Sample architectures and considerations
http://www-03.ibm.com/servers/eserver/support/unixservers/arch_prod_systemp5.html
IBM System p Firmware and Microcode. Service Strategies and Best Practices
http://www-03.ibm.com/servers/eserver/support/unixservers/arch_firmware_Systemp5.html
Redpapers
System p5 Quad-Core Module: Technical Overview & Introduction
Length: 10 pages
http://www.redbooks.ibm.com/redpapers/abstracts/redp4150.html
Redbooks
IBM System p5 Approaches to 24x7 Availability Including AIX 5L
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247196.html?Open
IBM AIX 5L Reference for HP-UX System Administrators
http://www.redbooks.ibm.com/abstracts/sg246767.html?Open
AIX Reference for Sun Solaris Administrators
http://www.redbooks.ibm.com/abstracts/sg246584.html?Open
Integrating AIX into Heterogenous LDAP Environments
http://www.redbooks.ibm.com/abstracts/sg247165.html?Open
Advanced POWER Virtualization on IBM System p5
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247940.html?OpenDocument
Problem Solving and Troubleshooting in AIX 5L
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245496.html?OpenDocument
AIX 5L Practical Performance Tools and Tuning Guide
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg246478.html?OpenDocument
AIX 5L "From Strength to Strength"
http://www-03.ibm.com/servers/aix/os/aixs2s.pdf
Technical Services
System p Lab Services has the expert skills to assist in delivering AIX-based solutions across multiple pSeries platforms. With access to Systems Development Lab skills, we can provide consultation, planning, installation, configuration, migration, performance analysis and tuning, and training on the latest IBM Systems Group technologies. https://www-03.ibm.com/servers/eserver/services/pseriesservices.html
AIX & UNIX developerWorks zone
http://www-128.ibm.com/developerworks/aix
PowerAIX.org mit indischer User Group
http://www.poweraix.org/groups?groupid=5
Other useful Websites
Support for IBM System p servers
http://www-03.ibm.com/servers/eserver/support/unixservers
Technical Database for AIX
http://www14.software.ibm.com/webapp/set2/srchBroker/views/srchBroker.jsp
Redbooks domain for IBM System p
http://www.redbooks.ibm.com/portals/UNIX
Virtual Loaner Program
http://www.ibm.com/servers/enable/site/vlp
Whitepapers
Performance tuning UNIX systems
http://www-128.ibm.com/developerworks/eserver/library/au-unix-niceprocesses.html
Basic UNIX filesystem operations
http://www-128.ibm.com/developerworks/aix/library/au-unix-readdir.html
AIX 5L service strategy and best practices
http://www-03.ibm.com/servers/eserver/support/unixservers/aix_service_strategy.html
Hardware Management Console (HMC)
http://www-03.ibm.com/servers/eserver/support/unixservers/hmc_best_practices.html
High Availability on IBM System p servers. Considerations and sample architectures
http://www-03.ibm.com/servers/eserver/support/unixservers/arch_ha_systemp5.html
IBM System p servers in Production environments. Sample architectures and considerations
http://www-03.ibm.com/servers/eserver/support/unixservers/arch_prod_systemp5.html
IBM System p Firmware and Microcode. Service Strategies and Best Practices
http://www-03.ibm.com/servers/eserver/support/unixservers/arch_firmware_Systemp5.html
Redpapers
System p5 Quad-Core Module: Technical Overview & Introduction
Length: 10 pages
http://www.redbooks.ibm.com/redpapers/abstracts/redp4150.html
Redbooks
IBM System p5 Approaches to 24x7 Availability Including AIX 5L
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247196.html?Open
IBM AIX 5L Reference for HP-UX System Administrators
http://www.redbooks.ibm.com/abstracts/sg246767.html?Open
AIX Reference for Sun Solaris Administrators
http://www.redbooks.ibm.com/abstracts/sg246584.html?Open
Integrating AIX into Heterogenous LDAP Environments
http://www.redbooks.ibm.com/abstracts/sg247165.html?Open
Advanced POWER Virtualization on IBM System p5
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247940.html?OpenDocument
Problem Solving and Troubleshooting in AIX 5L
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245496.html?OpenDocument
AIX 5L Practical Performance Tools and Tuning Guide
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg246478.html?OpenDocument
AIX 5L "From Strength to Strength"
http://www-03.ibm.com/servers/aix/os/aixs2s.pdf
Technical Services
System p Lab Services has the expert skills to assist in delivering AIX-based solutions across multiple pSeries platforms. With access to Systems Development Lab skills, we can provide consultation, planning, installation, configuration, migration, performance analysis and tuning, and training on the latest IBM Systems Group technologies. https://www-03.ibm.com/servers/eserver/services/pseriesservices.html
Monday, December 20, 2010
AIX interview Questions and answers
1) What is mean by AIX?(AIX interview Questions and answers)
a) AIX means advanced interactive executive. IBM has invented AIX which is nothing but the advanced UNIX.
2) How to reset Password in AIX? (AIX interview Questions and answers)
a) Log in as root or admin user.
b) Use passwd command to reset the password.
c) #passwd user_name
d) This will ask you
e) New password:
f) Enter new password and confirm again.
g) Password change completed.
3) How to set password to non expiry in AIX? (AIX interview Questions and answers)
a) Log in as root or admin user.
b) Use pwdadm –C username command to set non expiry passwd.
c) # pwdadm –C username
4) How to create User in aix? (AIX interview Questions and answers)
a) Log in as root or admin user.
b) Use smitty mkuser .
c) User name is only mandatory field.
d) Enter user name and press enter.
e) If you see command run OK. You have created user.
5) How to list user attributes? (AIX interview Questions and answers)
a) Log in as root or admin user.
b) Use lsuser command to list user attributes.
c) Eg.# lsuser user_name
d) Above command list all attributes of user_name.
Tuesday, December 14, 2010
BASIC AIX LEARNING
What to do after MCA,MCM,MSC,BSC,BCS and any graduate or Post graduate Course. Not getting job in IT after MCA, MCM, MSC,BSC or BCS. Come and join me to learn AIX.
How to become AIX administrator?
First I will mention here those things which are necessary to become AIX admin.
- Are you having 12+3 or more education in any field?
- Do you know anything about UNIX?
- Do know anything about Linux?
- Do you know anything about windows?
- Do you know anything about computer?
If you say yes to 1st and 2nd or 3rd or 4rh or 5th your correct person to become AIX admin.
First thing you should know about me is that I am not your English teacher! I am here to mention some good things which will help you to become AIX admin.
Strong Desire:
Yes it's true if you don’t know anything about UNIX (which is not really a rocket science) you should work hard with consistency.
Learning new things like Language or Technology need strong desire and continuous practice.
If you are working and want to switch the job as AIX administrator this is really not going to be easy but yes if you will give one hour a day I am sure that within 4 month you will be a good AIX administrator.
POWER Machine for Practice:
You need RS600/POWER machine to practice (which is not easy to manage).There are some people who are providing access to AIX machine trough internet (You may want to Google on this). If you don’t have AIX machine still you want to be a AIX administrator.
I will recommend you to read this blog on daily basis. I will try to make you aware of every situation which I am dealing with. You never know you will get a job on the basis of your theoretical knowledge and you can start with AIX.
Read 1 hour per day:
"If you think you can or you can't your are right"
Wednesday, December 1, 2010
AIX questions and Answers
1 How do i know my H/W is 64 bit or 32 bits?Ã bootinfo –y will show you the answer.
2 How do I know my kernel is 64 bit or 32 bits? Ã bootinfo –k
3 How to activate quorum of vg ? Ã # chvg -Qy VGname
4 How to disable quorum of vg ? Ã # chvg -Qn VGname
5 How to Check quorum stat of vg ? Ã #lsvg VGname | grep QUORUM
Saturday, October 9, 2010
Useful HACMP commands
clstat - show cluster state and substate; needs clinfo.
cldump - SNMP-based tool to show cluster state
cldisp - similar to cldump, perl script to show cluster state.
cltopinfo - list the local view of the cluster topology.
clshowsrv -a - list the local view of the cluster subsystems.
clfindres (-s) - locate the resource groups and display status.
clRGinfo -v - locate the resource groups and display status.
clcycle - rotate some of the log files.
cl_ping - a cluster ping program with more arguments.
clrsh - cluster rsh program that take cluster node names as argument.
clgetactivenodes - which nodes are active?
get_local_nodename - what is the name of the local node?
clconfig - check the HACMP ODM.
clRGmove - online/offline or move resource groups.
cldare - sync/fix the cluster.
cllsgrp - list the resource groups.
clsnapshotinfo - create a large snapshot of the hacmp configuration.
cllscf - list the network configuration of an hacmp cluster.
clshowres - show the resource group configuration.
cllsif - show network interface information.
cllsres - show short resource group information.
lssrc -ls clstrmgrES - list the cluster manager state.
lssrc -ls topsvcs - show heartbeat information.
cllsnode - list a node centric overview of the hacmp configuration.
cldump - SNMP-based tool to show cluster state
cldisp - similar to cldump, perl script to show cluster state.
cltopinfo - list the local view of the cluster topology.
clshowsrv -a - list the local view of the cluster subsystems.
clfindres (-s) - locate the resource groups and display status.
clRGinfo -v - locate the resource groups and display status.
clcycle - rotate some of the log files.
cl_ping - a cluster ping program with more arguments.
clrsh - cluster rsh program that take cluster node names as argument.
clgetactivenodes - which nodes are active?
get_local_nodename - what is the name of the local node?
clconfig - check the HACMP ODM.
clRGmove - online/offline or move resource groups.
cldare - sync/fix the cluster.
cllsgrp - list the resource groups.
clsnapshotinfo - create a large snapshot of the hacmp configuration.
cllscf - list the network configuration of an hacmp cluster.
clshowres - show the resource group configuration.
cllsif - show network interface information.
cllsres - show short resource group information.
lssrc -ls clstrmgrES - list the cluster manager state.
lssrc -ls topsvcs - show heartbeat information.
cllsnode - list a node centric overview of the hacmp configuration.
Saturday, September 25, 2010
Login sequence Files
/etc/passwd
Ex: - test:!:206:1:Test user:/home/test:/usr/bin/ksh
Total 7 fields in /etc/passwd file
Username : password : uid : gid : comment : users home directory : users login shell
If password field show ! then it mean password is stored in some other file.
If shows * means user account is disable
The file is stored in etc and all the user have rights to read the file but it can only be written by the superuser. The file has each line as a record of an individual user. Each line contains 7 fields seperated by ":“.Which is also known as IFS (Internal Field Seperater) . Each line of /etc/passwd looks something like this...
root:x:0:0:root:/root:/bin/bash
i) First field shows the loginname of the user.
ii) Shows the password since shadowing is been used this field will only show "!" which indicates that the password is stored in /etc/shadow
iii) This shows the UID (user id) of the user which is unique to each user.
iv) This shows the GID (group id) of the user.
v) This field is used for user comments or user details,fed by chfn command. Hence "chfn" details are fed into this field.
vi) This field indicates the home or working directory of the user.
vii) This field determines the shell used by the user when ever he/she logs in
/etc/security/passwd
Ex: - sybase:
password = 1wanjkFCH3OMU
lastupdate = 1123694767
flags =
Users encrypted passwords are stored here. Total 4 Fields.
Password: -
Specifies the encrypted password. The system encrypts the password created with the passwd command or the pwdadm command. If the password is empty, the user does not have a password. If the password is an * (asterisk), the user cannot log in. The value is a character string. The default value is *.
Lastupdate: -
Specifies the time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed.
Flags: -
Specifies the restrictions applied by the login, passwd, and su commands. Following flags
ADMCHG: - Password was last changed by an administrator or root
ADMIN: - User password can only be change by administrator/root only.
NOCHECK: - None of the system password restrictions defined in the /etc/security/user file are enforced for this password.
/etc/security/user
Files contain users roles and security. Total 31 fields
account_locked Defines whether the account is locked. Locked accounts can not be used for
login. Possible values: true or false.
admin Defines the administrative status of the user. Possible values: true or false.
admgroups Lists the groups that the user administrates.
auth1 Defines primary authentication methods for a user. Commands login, telnet,
rlogin, and su support these authentication methods.
Possible values: SYSTEM, NONE, Token;Username.
SYSTEM :Describes normal password authentication in Version 3. Version 4 has
extended this definition to include loadable modules and an
authentication grammar. See SYSTEM attribute description below.
NONE :No authentication.
TOKEN; USERNAME: -A generic name for a custom authentication method
defined in /etc/security/login.cfg.
Example: - If auth1 is: auth1 = SYSTEM,mylogin;mary, And the stanza in
/etc/security/login.cfg is:
mylogin:
program = /etc/myprogram
This will do password authentication, and then invoke the program
/etc/myprogram with "mary" as the first parameter.
auth2 Defines the secondary authentication methods for a user. It is not a
requirement to pass this method to login. See auth1 description above for
examples.
SYSTEM Authenticate user weather it’s a local user login or domain user login. Describes
Version 4 authentication requirements. This attribute can be used to
describe multiple or alternate authentication methods. See authenticate()
routine and SYSTEM grammar manual pages.
Possible tokens:
files : local only authentication.
compat : local plus NIS authentication. Version 3 behavior
DCE : Distributed Computing Environment authentication.
Example:
SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
daemon Defines whether the user can execute programs using the system resource
controller (SRC). Possible values: true or false.
Dictionlist Defines the password dictionaries used when checking new passwords. The
format is a comma-separated list of absolute path names to dictionary files. A
dictionary file contains one word per line where each word has no leading or
trailing white space. Words should only contain 7 bit ASCII characters. All
dictionary files and directories should be write protected from everyone except
root. The default is valueless, which is equivalent to no dictionary checking.
Example dictionary: /usr/share/dict/words (Only available if text processing is
installed.)
expires Defines the expiration time for the user account. Possible values: a valid date in
the form MMDDHHMMYY or 0. If 0 the account does not expire. If 0101000070
the account is disabled. The range for YY is:
00 - 38 years 2000 thru 2038
39 - 99 years 1939 thru 1999
histexpire Defines the period of time in weeks that a user will not be able to reuse a
password. Possible values: an integer value between 0 and 260. 26
(approximately 6 months) is the recommended value. If previous password is
cms12 and if I enter histexpire=3 i.e 3 weeks, then user cannot reuse the same
password cms12 until 3 weeks are left. if histsize=2 he will not be able to
reuse the password until changes for atleast 2 times even if he has changed
password for 2 times, he will not allow to reuse the same password until 3 weeks
left. Ex: - histexpire = 52 – defines how long a password cannot be re-used
histsize Defines the number of previous passwords which cannot be reused. If I enter
histsize=2, and users current password say cms12, then he cannot use the same
password until he changes a password for atleast 2 times. Possible
values: an integer value between 0 and 50. Ex: - histsize = 20 – defines how
many previous passwords the system remembers
login Defines whether the user can login. Possible values : true or false.
logintimes Defines the times a user can login. The value is a comma separated list of items
as follows: [!][MMdd[-MMdd]]:hhmm-hhmm
[!]MMdd[-MMdd][:hhmm-hhmm] or
[!][w[-w]]:hhmm-hhmm or
[!]w[-w][:hhmm-hhmm]
where MM is a month number (00=January, 11=December), dd is the day of the
month, hh is the hour of the day (00 - 23), mm is the minute of the hour, and w is
a weekday (0=Sunday, 6= Saturday).
loginretries The number of invalid login attempts before a user is not allowed to login.
Possible values: a positive integer or 0 to disable this feature. the user's
unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than
the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \ unsuccessful_login_count=0
maxage Defines the maximum number of weeks a password is valid. The default is 0,
which is equivalent to unlimited. Range: 0 to 52.
maxexpired Defines the maximum number of weeks after maxage that an expired password
can be changed by a user. After this defined time, only an administrative user can
change the password. The default is -1, which is equivalent to unlimited.
Range: -1 to 52. maxage must be greater than 0 for maxexpired to be enforced.
(root is exempt from maxexpired.) Ex: - maxexpired = 4 – maximum time in
weeks a password can be changed after it expires
maxrepeats Defines the maximum number of times a given character can appear in a
password. The default is 8, which is equivalent to unlimited. Range: 0 to 8.
minage Defines the minimum number of weeks between password changes. The default is
0. Range: 0 to 52.
minalpha Defines the minimum number of alphabetic characters in a password. The
default is 0. Range: 0 to 8.
mindiff Defines the minimum number of characters in the new password that were not in
the old password. The default is 0. Range: 0 to 8.
minlen Defines the minimum length of a password. The default is 0. Range: 0 to 8.
minother Defines the minimum number of non-alphabetic characters in a password. The
default is 0. Range: 0 to 8.
pwdchecks You can specify a script to authenticate user password instead of using
/etc/security/passwd. Defines external password restriction methods used when
checking new passwords. The format is a comma-separated list of absolute path
names to methods and/or method path names relative to /usr/lib. A password
restriction method is a program module that is loaded by the password
restrictions code at runtime. All password restriction methods and directories
should be write protected from everyone except root. The default is valueless,
which is equivalent to no external password restriction methods.
pwdwarntime The number of days before a forced password change that a warning will be
given to the user informing them of the impending password change. Possible
values: a positive integer or 0 to disable this feature.
registry Describes where this user is administered. It is used whenever there is a
possibility of resolving a remotely administered user to the local administration
domain. This can happen when network services go down or network databases
are replicated locally. Possible values : files, NIS, or DCE
rlogin Defines whether the user account can be accessed by remote logins. Commands
rlogin and telnet support this attribute. Possible values: true or false.
su Defines whether other users can switch to this user account. Command su supports
this attribute. Possible values: true or false.
sugroups Defines which groups can switch to this user account. Alternatively you may
explicitly deny groups by preceding the group name with a ! character.Possible
values : A list of valid groups separated by commas, ALL, or .
tpath Defines the user's trusted path characteristics. Possible values:
nosak : The Secure Attention Key (SAK) key (^X^R) has no effect.
notsh : The SAK key logs you out. You can never be on the trusted path.
always : When you log in you are always on the trusted path.
on : The trusted path is entered when the SAK key is hit.
Note : This attribute only takes effect if the sak_enabled
attribute (in /etc/security/login.cfg) is set to
true for the port you are logging into.
ttys Defines which terminals can access the user account. Alternatively you may
explicitly deny terminals by preceding the terminal name with the ! character.
Possible values: List of device paths separated by commas, ALL or .
umask Defines the default umask for the user. Possible values: three-digit octal value.
Notes: Boolean values (i.e. true or false) may use any of the following values.
These values are not case sensitive. true, false, yes, no, always, never.
Ex: - A typical stanza looks like the following example for user dhs:
dhs:
login = true
rlogin = false
ttys = /dev/console
sugroups = security,!staff
expires = 0531010090
tpath = on
admin = true
auth1 = SYSTEM,METH2;dhs
cmsadmin:
admin = true
maxage = 8
minlen = 6
minalpha = 2
minage = 1
admgroups = adm
To allow all ttys except /dev/tty0 to access the user account, change the ttys entry so that it reads as follows:
ttys = !/dev/tty0,ALL
/etc/profile
Sets the user environment at login time.
The $HOME/.profile file contains commands that the system executes when you log in. The .profile also provides variable profile assignments that the system sets and exports into the environment. The /etc/profile file contains commands run by all users at login.
After the login program adds the LOGNAME (login name) and HOME (login directory) variables to the environment, the commands in the $HOME/.profile file are executed, if the file is present. The .profile file contains the individual user profile that overrides the variables set in the profile file and customizes the user-environment profile variables set in the /etc/profile file. The .profile file is often used to set exported environment variables and terminal modes. The person who customizes the system can use the mkuser command to set default .profile files in each user home directory. Users can tailor their environment as desired by modifying their .profile file.
Note: The $HOME/.profile file is used to set environments for the Bourne and Korn shells. An equivalent environment for the C shell is the $HOME/.cshrc file.
Examples
The following example is typical of an /etc/profile file:
#Set file creation mask unmask 022
#Tell me when new mail arrives
MAIL=/usr/mail/$LOGNAME
#Add my /bin directory to the shell
search sequence
PATH=/usr/bin:/usr/sbin:/etc::
#Set terminal type
TERM=lft
#Make some environment variables global
export MAIL PATH TERM
$HOME/.hushlogin
If this file exist in root or any users home directory you can get /etc/motd or login message.
/etc/group
Ex: - sybase:!:201:Sybase
staff:!:1:ipsec,sybase,utsdev,utstest,utsusr,test,subrep,utsusrwc,utstalk,utssub
Total 4 fields in /etc/group
Group Name : group password : group id : group members
Group password ! means password is stored some where else in a file, doesn’t exist in AIX.
/etc/security/group
This file contain all the groups on system and there roles i.e. Who is administrator of group, who manages group users are defined here, extended group roles.
Adms: - Defines the group administrators. Administrators are users who can perform
administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string.
admin : - Defines the administrative status of the group.
Possible values are:
True Defines the group as administrative. Only the root user can change the
attributes of groups defined as administrative.
False Defines a standard group. The attributes of these groups can be changed
by the root user or a member of the security group. This is the default
value.
EX: - # more /etc/security/group
system:
admin = true
adms = cmsadmin
staff:
admin = false
bin:
admin = true
sys:
admin = true
adm:
admin = true
adms = cmsadmin
/etc/security/login.cfg
Contains configuration information for login and user authentication.
There are three types of stanzas: -
Port Defines the login characteristics of ports.
Authentication method Defines the authentication methods for users.
user configuration Defines programs that change user attributes.
Port Stanzas
Port stanzas define the login characteristics of ports and are named with the full path name of the port. Each port should have its own separate stanza. Each stanza has the following attributes:
herald
Specifies the initial message to be printed out when getty or login prompts for a login name. Defines the login message printed when the getty process opens the port. The default herald is the login prompt. The value is a character string.
herald2
Defines the login message printed after a failed login attempt. The default herald is the login prompt. The value is a character string.
Logindelay
Defines the delay factor (in seconds) between unsuccessful login attempts. If a user enter invalid password and if logindelay=3 i.e 3 seconds, then after invalid login user will get login prompt after 3 seconds i.e its wait for 3 sec between unsuccessful login. The value is a decimal integer string. The default value is 0, indicating no delay between unsuccessful login attempts.
Logindisable
Defines the number of unsuccessful login attempts allowed before the port is locked. If this is set to 3, then port will be locked after 3 invalid login. The value is a decimal integer string. The default value is 0, indicating that the port cannot lock as a result of unsuccessful login attempts.
Logininterval
Defines the time interval (in seconds) in which the specified unsuccessful login attempts must occur before the port is locked. If logindisable is 3 and users enters 3 times invalid password, know the port will be get locked, but if Logininterval is set to 50 i.e 50 seconds, then before locking port system waits for 50 seconds and then port is locked. The value is a decimal integer string. The default value is 0.
loginreenable
Defines the time interval (in minutes) a port is unlocked after a system lock. If a port is locked and loginreenable is 1 i.e 1 minute, then ports get unlocked automatically after 1 minutes. The value is a decimal integer string. The default value is 0, indicating that the port is not automatically unlocked.
Logintimes
Specifies the times, days, or both the user is allowed to access the system.
sak_enabled
Defines whether the secure attention key (SAK) is enabled for the port. The SAK key is the Ctrl-X, Ctrl-R key sequence. Possible values for the sak_enabled attribute are:
True SAK processing is enabled, so the key sequence establishes a trusted path for the port.
false SAK processing is not enabled, so a trusted path cannot be established. This is the default value.
synonym
Defines other path names for the terminal. The path names should be device special files with the same major and minor number and should not include hard or symbolic links. The value is a list of comma-separated path names.
For example, if you specify synonym=/dev/tty0 in the stanza for the /dev/console path name, then the /dev/tty0 path name is a synonym for the /dev/console path name. However, the /dev/console path name is not a synonym for the /dev/tty0 path name unless you specify synonym=/dev/console in the stanza for the /dev/tty0 path name.
Authentication Method Stanzas
auth_method is no longer used. Security methods should be configured in /usr/lib/security/methods.cfg
auth_method:
program = /any/program
program_64 = /any/program64
Auth_method corresponds to a custom authentication method specified in the SYSTEM attribute in /etc/security/user, and /any/program is the program to run in order to do the authentication. The program_64 attribute should be used for process running in 64 bit mode, /any/program64 is a 64 bit program.
These stanzas define the authentication methods for users assigned in the /etc/security/user file. The name of each stanza must be identical to one of the methods defined by the auth1 or the auth2 attribute in the /etc/security/user file.
Each stanza has one attribute:
Program
Contains the full path name of a program that provides primary or secondary authentication for a user. Program flags and parameters may be included.
Since the SYSTEM authentication method is supported directly by the login command and the su command, and the NONE method does not provide any authentication, neither requires definition. However, all other authentication methods must be defined in this file. Different authentication methods can be defined for each user.
User-Configuration Stanzas
User-configuration stanzas provide configuration information for programs that change user attributes. There is one user-configuration stanza: usw.
The usw stanza defines the configuration of miscellaneous facilities. The following attributes can be included:
Logintimeout
Defines the time (in seconds) the user is given to type the password. The value is a decimal integer string. The default is a value of 60.
maxlogins
Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login attempts.
Note: Login sessions include rlogins and telnets; these are counted against the maximum allowable number of simultaneous logins by the maxlogins attribute.
shells
Defines the valid shells on the system. This attribute is used by the chsh command to determine which shells a user can select. The value is a list of comma-separated full path names. The default is /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, or /usr/bin/tsh.
Ex: -
default:
sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
herald = "\n\* Unreserved Ticketing System's Restricted Area *\n\r* Unauthorized use of this system is prohibited*\n\r* All Invalid logins are monitored for audit,*\n\r improper use of this system is criminal offence *\n\rLogin: "
*/dev/console:
• synonym = /dev/tty0
usw:
shells = /bin/sh, /bin/bsh, /bin/csh, /bin/ksh, /bin/tsh, /bin/ksh93, /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh,/us
r/bin/tsh, /usr/bin/ksh93, /usr/bin/rksh, /usr/bin/rksh93, /usr/sbin/uucp/uucico, /usr/sbin/sliplogin, /usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
auth_type = STD_AUTH
/etc/security/failedlogin
All failed login attempts are made here
/etc/security/lastlog
Defines the last login attributes for users.
time_last_login
The last time that the user successfully logged into the system. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last successful login. The value is a decimal integer.
tty_last_login
The last tty port that the user successfully logged into. Specifies the terminal on which the user last logged in. The value is a character string.
host_last_login
The host from which the user logged in from if the tty was not locally attached. This implies that the user used telnet or rlogin to log into the system. Specifies the host from which the user last logged in. The value is a character string.
unsuccessful_login_count
The number of attempts to log in as the user since the last successful login. The value is a decimal integer. This attribute works in conjunction with the user's loginretries attribute, specified in the /etc/security/user file, to lock the user's account after a specified number of consecutive unsuccessful login attempts. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute to be less than the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \ unsuccessful_login_count=0
time_last_unsuccessful_login
The time that the last unsuccessful attempt to log in as the user was made. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last unsuccessful login. The value is a decimal integer.
tty_last_unsuccessful_login
The tty port of the last unsuccessful attempt to log in as the user was made. Specifies the terminal on which the last unsuccessful login attempt occurred. The value is a character string.
host_last_unsuccessful_login
The host from which the last unsuccessful attempt to log in as the user was made. Specifies the host from which the last unsuccessful login attempt occurred. The value is a character string.
All user database files should be accessed through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases.
EX: -
root:
time_last_login = 1139610504
tty_last_login = ftp
host_last_login = ::ffff:10.128.0.52
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1136845660
tty_last_unsuccessful_login = ftp
host_last_unsuccessful_login = ::ffff:10.128.0.52
sybase:
time_last_login = 1139428239
tty_last_login = /dev/pts/6
host_last_login = loopback
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1139428235
tty_last_unsuccessful_login = /dev/pts/6
host_last_unsuccessful_login = loopback
/etc/environment
Sets up the user environment.
The /etc/environment file contains variables specifying the basic environment for all processes. When a new process begins, the exec subroutine makes an array of strings available that have the form Name=Value. This array of strings is called the environment. Each name defined by one of the strings is called an environment variable or shell variable. The exec subroutine allows the entire environment to be set at one time.
Environment variables are examined when a command starts running. The environment of a process is not changed by altering the /etc/environment file. Any processes that were started prior to the change to the /etc/environment file must be restarted if the change is to take effect for those processes. If the TZ variable is changed, the cron daemon must be restarted, because this variable is used to determine the current local time.
HOME
The full path name of the user login or HOME directory. The login program sets this to the name specified in the /etc/passwd file.
LANG
The locale name currently in effect. The LANG variable is set in the /etc/environment file at installation time.
NLSPATH
The full path name for message catalogs. The default is:
/usr/lib/nls/msg/%L/%N: /usr/lib/nls/msg/%L/%N.cat:
where %L is the value of the LC_MESSAGES category and %N is the catalog file name.
Note: See the chlang command for more information about changing message catalogs.
LC__FASTMSG
If LC_FASTMEG is set to false, POSIX-compliant message handling is performed. If LC__FASTMSG is set to true, it specifies that default messages should be used for the C and POSIX locales and that NLSPATH is ignored. If this variable is set to anything other than false or unset, it is considered the same as being set to true. The default value is LC__FASTMSG=true in the /etc/environment file.
LOCPATH
The full path name of the location of National Language Support tables. The default is /usr/lib/nls/loc and is set in the /etc/profile file. If the LOCPATH variable is a null value, it assumes that the current directory contains the locale files.
Note: All setuid and setgid programs will ignore the LOCPATH environment variable.
PATH
The sequence of directories that commands such as the sh, time, nice and nohup commands search when looking for a command whose path name is incomplete. The directory names are separated by colons.
TZ
The time-zone information. The TZ environment variable is set by the /etc/environment file. The TZ environment variable has the following format (spaces inserted for readability):
std offset dst offset, rule
The fields within the TZ environment variable are defined as follows:
std and dst
Designate the standard (std) and summer (dst) time zones. Only the std value along with the appropriate offset value is required. If the dst value is not specified, summer time does not apply. The values specified may be no less than three and no more than TZNAME_MAX bytes in length. The length of the variables corresponds to the %Z field of the date command; for libc and libbsd, TZNAME_MAX equals three characters. Any nonnumeric ASCII characters except the following may be entered into each field: a leading : (colon), a , (comma), a - (minus sign), a + (plus sign), or the ASCII null character.
Note: POSIX 1.0 reserves the leading : (colon) for an implementation-defined TZ specification. AIX disallows the leading colon, selecting CUT0 and setting the %Z field to a null string.
An example of std and dst format is as follows: EST5EDT
EST
Specifies Eastern U.S. standard time.
5
Specifies the offset, which is 5 hours behind Coordinated Universal Time (CUT).
EDT Specifies the corresponding summer time zone abbreviation.
Note: See "Time Zones" for a list of time zone names defined for the system.
offset Denotes the value added to local time to equal Coordinated Universal Time (CUT). CUT is the international time standard that has largely replaced Greenwich Mean Time. The offset variable has the following format:
hh:mm:ss
The fields within the offset variable are defined as follows:
hh
Specifies the dst offset in hours. This field is required. The hh value can range between the integers -12 and +11. A negative value indicates the time zone is east of the prime meridian; a positive value or no value indicates the time zone is west of the prime meridian.
mm
Specifies the dst offset detailed to the minute. This field is optional. If the mm value is present, it must be specified between 0 and 59 and preceded by a : (colon).
Ss
Specifies the dst offset detailed to the second. The ss field is optional. If the ss value is present, it must be specified between 0 and 59 and preceded by a : (colon).
An offset variable must be specified with the std variable. An offset variable for the dst variable is optional. If no offset is specified with the dst variable, the system assumes that summer time is one hour ahead of standard time.
As an example of offset syntax, Zurich is one hour ahead of CUT, so its offset is -1. Newfoundland is 1.5 hours ahead of eastern U.S. standard time zones. Its syntax can be stated as any of the following: 3:30, 03:30, +3:30, or 3:30:00.
rule The rule variable indicates when to change to and back from summer time. The rule variable has the following format:
start/time,end/time
The fields within the rule variable are defined as follows:
start
Specifies the change from standard to summer time.
end
Specifies the return to standard time from summer time.
Time
Specifies when the time changes occur within the time zone. For example, if the time variable is encoded for 2 a.m. then the time changes when the time zone reaches 2 a.m. on the date specified in the start variable.
EX: -
TZ=IST+5:30
LANG=en_US
LOCPATH=/usr/lib/nls/loc
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
LC__FASTMSG=true
# ODM routines use ODMDIR to determine which objects to operate on
# the default is /etc/objrepos - this is where the device objects
# reside, which are required for hardware configuration
ODMDIR=/etc/objrepos
/etc/security/environ
Defines the environment attributes for users.
If environment attributes are not defined, the system uses default values. Each user stanza can have the following attributes:
Usrenv
Defines variables to be placed in the user environment when the initial login command is given or when the su command resets the environment. The value is a list of comma-separated attributes. The default value is an empty string.
Sysenv
Defines variables to be placed in the user protected state environment when the initial login command is given or when the su command resets the environment. These variables are protected from access by unprivileged programs so other programs can depend on their values. The default value is an empty string.
Examples :- A typical stanza looks like the following example for user dhs:
dhs:
usrenv = "MAIL=/home/spool/mail/dhs,MAILCHECK=600"
sysenv = "NAME=dhs@delos"
EX: -
default:
root:
daemon:
/etc/security/limits
Defines process resource limits for users.
Note: Changing the limit does not affect those processes that started by init, or alternatively, ulimits are only used by those processes that go through the login processes.
The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.
Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. A new-line character ends each attribute, and an additional new-line character ends each stanza. If you do not define an attribute for a user, the system applies default values.
If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:
Resource Hard Value
Core Size unlimited
CPU Time cpu
Data Size unlimited
File Size fsize
Memory Size unlimited
Stack Size unlimited
File Descriptors unlimited
Note: Use a value of -1 to set a resource to unlimited.
If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values.
You can set the following limits on a user:
fsize
Largest file size that can be created or extended, identifies the soft limit for the largest file a user's process can create or extend.
core
Largest core file size that can be created, Specifies the soft limit for the largest core file a user's process can create.
cpu
Amount of cpu time to be used by each process. Must log out and back in for the changes to take affect.
Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data
Identifies the soft limit for the largest process data segment for a user's process.
stack
Specifies the soft limit for the largest process stack segment for a user's process.
Rss
Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
Nofiles
Sets the soft limit for the number of file descriptors a user process may have open at one time.
core_hard
Specifies the largest core file a user's process can create.
cpu_hard
Sets the largest amount of system unit time (in seconds) that a user's process can use.
data_hard
Identifies the largest process data segment for a user's process.
fsize_hard
Identifies the largest file a user's process can create or extend.
rss_hard
Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
stack_hard
Specifies the largest process stack segment for a user's process.
nofiles_hard
Sets the soft limit for the number of file descriptors a user process may have open at one time.
Except for the cpu attribute, each attribute must be a decimal integer string representing the number of 512-byte blocks allotted to the user. The cpu attribute is a decimal integer string representing the amount of system unit time in seconds.
EX: -
default:
fsize = -1
* 2097151
core = -1
* 2097151
cpu = -1
data = -1
* 262144
rss = -1
* 65536
stack = -1
* 65536
nofiles = 8000
root:
daemon:
/etc/shells
All valid shells are specify in this file.
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/psh
/usr/bin/tsh
/usr/bin/bsh
/etc/motd
Message of the day file
/etc/security/.ids
Holds the value for the next assignment to a group/user id and group/user admin id. Used by mkuser and mkgroup commands.
Sample contents: 4 203 12 200
• 4 = administrative user id (mkuser -a)
• 203 = user id (mkuser)
• 12 = administrative group id (mkgroup -a)
• 200 = group id (mkgroup)
Ex: -
# more /etc/security/.ids
8 213 14 202
Check /etc/passwd, you will see the last uid will be 212 if above “more /etc/security/.ids”
Displays the second column output as 213. This means that this file contains the UID’s or GID’s for next user or group to be made on system user useradd or adduser, system will assign automatically UID as 213 to new user and updates the /etc/security/.ids’s file’s second colume to 214.
/etc/security/.profile
/usr/lib/security/mkuser.sys
This scripts is run during user creation process, this scripts creates users home directory, gives group and ownership rights to that home directory and at last copy the /etc/security/.profile to users home directory/.profile
cp /etc/security/.profile $1/.profile
/usr/lib/security/mkuser.default
Contains the default attributes for new users.
The /usr/lib/security/mkuser.default file contains the default attributes for new users. This file is an ASCII file that contains user stanzas. These stanzas have attribute default values for users created by the mkuser command. There are two stanzas, user and admin, that can contain all defined attributes except the id and admin attributes. The mkuser command generates a unique id attribute. The admin attribute depends on whether the -a flag is used with the mkuser command.
Access Control: If read (r) access is not granted to all users, members of the security group should be given read (r) access. This command should grant write (w) access only to the root user.
Example
A typical user stanza looks like the following:
Below are the default attribute which get assign automatically to user, while creating a new user i.e if u just enter the mkuser amrik; here if u r not specifying any attribute i.e Primary group, home directory, this attributes get set automatically, this means to say that below attribute is a default attribute if u not specify system will set it for u.
user:
pgroup = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER
auth1 = SYSTEM
admin:
pgrp = system
groups = system
shell = /usr/bin/ksh
home = /home/$USER
pgroup: - Primary group of user belongs
groups: - secondary group, of whom this user will be member
shell: - Login shell, taken from number shell supported by shell stanza of
/etc/secuirity/login.cfg
home: - Users login home directory, it can modified also.
/etc/security/user.roles
Contains the list of roles for each user. The /etc/security/user.roles file contains the list of roles for each user. This is an ASCII file that contains a stanza for system users. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
This file supports a default stanza. If an attribute is not defined, either the default stanza or the default value for the attribute is used.
A stanza contains the following attribute:
roles Contains the list of roles for each user.
The user.roles file is kept separately from the /etc/security/user file for performance reasons. Several commands scan this database, so system performance increases with smaller files to scan (especially on systems with large numbers of users).
/etc/security/roles
The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used.
A stanza contains the following attributes:
rolelist Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user.
authorizations Contains the list of additional authorizations acquired by the user for this specific role.
groups Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
screens Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens).
msgcat Contains the file name of the message catalog that contains the one-line descriptions of system roles.
msgnum Contains the message ID that retrieves this role description from the message catalog.
Examples
A typical stanza looks like the following example for the ManageAllUsers role:
ManageAllUsers:
rolelist = ManageBasicUsers
authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
groups = security
screens = mkuser,rmuser,!tcpip
Ex: - test:!:206:1:Test user:/home/test:/usr/bin/ksh
Total 7 fields in /etc/passwd file
Username : password : uid : gid : comment : users home directory : users login shell
If password field show ! then it mean password is stored in some other file.
If shows * means user account is disable
The file is stored in etc and all the user have rights to read the file but it can only be written by the superuser. The file has each line as a record of an individual user. Each line contains 7 fields seperated by ":“.Which is also known as IFS (Internal Field Seperater) . Each line of /etc/passwd looks something like this...
root:x:0:0:root:/root:/bin/bash
i) First field shows the loginname of the user.
ii) Shows the password since shadowing is been used this field will only show "!" which indicates that the password is stored in /etc/shadow
iii) This shows the UID (user id) of the user which is unique to each user.
iv) This shows the GID (group id) of the user.
v) This field is used for user comments or user details,fed by chfn command. Hence "chfn" details are fed into this field.
vi) This field indicates the home or working directory of the user.
vii) This field determines the shell used by the user when ever he/she logs in
/etc/security/passwd
Ex: - sybase:
password = 1wanjkFCH3OMU
lastupdate = 1123694767
flags =
Users encrypted passwords are stored here. Total 4 Fields.
Password: -
Specifies the encrypted password. The system encrypts the password created with the passwd command or the pwdadm command. If the password is empty, the user does not have a password. If the password is an * (asterisk), the user cannot log in. The value is a character string. The default value is *.
Lastupdate: -
Specifies the time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed.
Flags: -
Specifies the restrictions applied by the login, passwd, and su commands. Following flags
ADMCHG: - Password was last changed by an administrator or root
ADMIN: - User password can only be change by administrator/root only.
NOCHECK: - None of the system password restrictions defined in the /etc/security/user file are enforced for this password.
/etc/security/user
Files contain users roles and security. Total 31 fields
account_locked Defines whether the account is locked. Locked accounts can not be used for
login. Possible values: true or false.
admin Defines the administrative status of the user. Possible values: true or false.
admgroups Lists the groups that the user administrates.
auth1 Defines primary authentication methods for a user. Commands login, telnet,
rlogin, and su support these authentication methods.
Possible values: SYSTEM, NONE, Token;Username.
SYSTEM :Describes normal password authentication in Version 3. Version 4 has
extended this definition to include loadable modules and an
authentication grammar. See SYSTEM attribute description below.
NONE :No authentication.
TOKEN; USERNAME: -A generic name for a custom authentication method
defined in /etc/security/login.cfg.
Example: - If auth1 is: auth1 = SYSTEM,mylogin;mary, And the stanza in
/etc/security/login.cfg is:
mylogin:
program = /etc/myprogram
This will do password authentication, and then invoke the program
/etc/myprogram with "mary" as the first parameter.
auth2 Defines the secondary authentication methods for a user. It is not a
requirement to pass this method to login. See auth1 description above for
examples.
SYSTEM Authenticate user weather it’s a local user login or domain user login. Describes
Version 4 authentication requirements. This attribute can be used to
describe multiple or alternate authentication methods. See authenticate()
routine and SYSTEM grammar manual pages.
Possible tokens:
files : local only authentication.
compat : local plus NIS authentication. Version 3 behavior
DCE : Distributed Computing Environment authentication.
Example:
SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
daemon Defines whether the user can execute programs using the system resource
controller (SRC). Possible values: true or false.
Dictionlist Defines the password dictionaries used when checking new passwords. The
format is a comma-separated list of absolute path names to dictionary files. A
dictionary file contains one word per line where each word has no leading or
trailing white space. Words should only contain 7 bit ASCII characters. All
dictionary files and directories should be write protected from everyone except
root. The default is valueless, which is equivalent to no dictionary checking.
Example dictionary: /usr/share/dict/words (Only available if text processing is
installed.)
expires Defines the expiration time for the user account. Possible values: a valid date in
the form MMDDHHMMYY or 0. If 0 the account does not expire. If 0101000070
the account is disabled. The range for YY is:
00 - 38 years 2000 thru 2038
39 - 99 years 1939 thru 1999
histexpire Defines the period of time in weeks that a user will not be able to reuse a
password. Possible values: an integer value between 0 and 260. 26
(approximately 6 months) is the recommended value. If previous password is
cms12 and if I enter histexpire=3 i.e 3 weeks, then user cannot reuse the same
password cms12 until 3 weeks are left. if histsize=2 he will not be able to
reuse the password until changes for atleast 2 times even if he has changed
password for 2 times, he will not allow to reuse the same password until 3 weeks
left. Ex: - histexpire = 52 – defines how long a password cannot be re-used
histsize Defines the number of previous passwords which cannot be reused. If I enter
histsize=2, and users current password say cms12, then he cannot use the same
password until he changes a password for atleast 2 times. Possible
values: an integer value between 0 and 50. Ex: - histsize = 20 – defines how
many previous passwords the system remembers
login Defines whether the user can login. Possible values : true or false.
logintimes Defines the times a user can login. The value is a comma separated list of items
as follows: [!][MMdd[-MMdd]]:hhmm-hhmm
[!]MMdd[-MMdd][:hhmm-hhmm] or
[!][w[-w]]:hhmm-hhmm or
[!]w[-w][:hhmm-hhmm]
where MM is a month number (00=January, 11=December), dd is the day of the
month, hh is the hour of the day (00 - 23), mm is the minute of the hour, and w is
a weekday (0=Sunday, 6= Saturday).
loginretries The number of invalid login attempts before a user is not allowed to login.
Possible values: a positive integer or 0 to disable this feature. the user's
unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than
the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \ unsuccessful_login_count=0
maxage Defines the maximum number of weeks a password is valid. The default is 0,
which is equivalent to unlimited. Range: 0 to 52.
maxexpired Defines the maximum number of weeks after maxage that an expired password
can be changed by a user. After this defined time, only an administrative user can
change the password. The default is -1, which is equivalent to unlimited.
Range: -1 to 52. maxage must be greater than 0 for maxexpired to be enforced.
(root is exempt from maxexpired.) Ex: - maxexpired = 4 – maximum time in
weeks a password can be changed after it expires
maxrepeats Defines the maximum number of times a given character can appear in a
password. The default is 8, which is equivalent to unlimited. Range: 0 to 8.
minage Defines the minimum number of weeks between password changes. The default is
0. Range: 0 to 52.
minalpha Defines the minimum number of alphabetic characters in a password. The
default is 0. Range: 0 to 8.
mindiff Defines the minimum number of characters in the new password that were not in
the old password. The default is 0. Range: 0 to 8.
minlen Defines the minimum length of a password. The default is 0. Range: 0 to 8.
minother Defines the minimum number of non-alphabetic characters in a password. The
default is 0. Range: 0 to 8.
pwdchecks You can specify a script to authenticate user password instead of using
/etc/security/passwd. Defines external password restriction methods used when
checking new passwords. The format is a comma-separated list of absolute path
names to methods and/or method path names relative to /usr/lib. A password
restriction method is a program module that is loaded by the password
restrictions code at runtime. All password restriction methods and directories
should be write protected from everyone except root. The default is valueless,
which is equivalent to no external password restriction methods.
pwdwarntime The number of days before a forced password change that a warning will be
given to the user informing them of the impending password change. Possible
values: a positive integer or 0 to disable this feature.
registry Describes where this user is administered. It is used whenever there is a
possibility of resolving a remotely administered user to the local administration
domain. This can happen when network services go down or network databases
are replicated locally. Possible values : files, NIS, or DCE
rlogin Defines whether the user account can be accessed by remote logins. Commands
rlogin and telnet support this attribute. Possible values: true or false.
su Defines whether other users can switch to this user account. Command su supports
this attribute. Possible values: true or false.
sugroups Defines which groups can switch to this user account. Alternatively you may
explicitly deny groups by preceding the group name with a ! character.Possible
values : A list of valid groups separated by commas, ALL, or .
tpath Defines the user's trusted path characteristics. Possible values:
nosak : The Secure Attention Key (SAK) key (^X^R) has no effect.
notsh : The SAK key logs you out. You can never be on the trusted path.
always : When you log in you are always on the trusted path.
on : The trusted path is entered when the SAK key is hit.
Note : This attribute only takes effect if the sak_enabled
attribute (in /etc/security/login.cfg) is set to
true for the port you are logging into.
ttys Defines which terminals can access the user account. Alternatively you may
explicitly deny terminals by preceding the terminal name with the ! character.
Possible values: List of device paths separated by commas, ALL or .
umask Defines the default umask for the user. Possible values: three-digit octal value.
Notes: Boolean values (i.e. true or false) may use any of the following values.
These values are not case sensitive. true, false, yes, no, always, never.
Ex: - A typical stanza looks like the following example for user dhs:
dhs:
login = true
rlogin = false
ttys = /dev/console
sugroups = security,!staff
expires = 0531010090
tpath = on
admin = true
auth1 = SYSTEM,METH2;dhs
cmsadmin:
admin = true
maxage = 8
minlen = 6
minalpha = 2
minage = 1
admgroups = adm
To allow all ttys except /dev/tty0 to access the user account, change the ttys entry so that it reads as follows:
ttys = !/dev/tty0,ALL
/etc/profile
Sets the user environment at login time.
The $HOME/.profile file contains commands that the system executes when you log in. The .profile also provides variable profile assignments that the system sets and exports into the environment. The /etc/profile file contains commands run by all users at login.
After the login program adds the LOGNAME (login name) and HOME (login directory) variables to the environment, the commands in the $HOME/.profile file are executed, if the file is present. The .profile file contains the individual user profile that overrides the variables set in the profile file and customizes the user-environment profile variables set in the /etc/profile file. The .profile file is often used to set exported environment variables and terminal modes. The person who customizes the system can use the mkuser command to set default .profile files in each user home directory. Users can tailor their environment as desired by modifying their .profile file.
Note: The $HOME/.profile file is used to set environments for the Bourne and Korn shells. An equivalent environment for the C shell is the $HOME/.cshrc file.
Examples
The following example is typical of an /etc/profile file:
#Set file creation mask unmask 022
#Tell me when new mail arrives
MAIL=/usr/mail/$LOGNAME
#Add my /bin directory to the shell
search sequence
PATH=/usr/bin:/usr/sbin:/etc::
#Set terminal type
TERM=lft
#Make some environment variables global
export MAIL PATH TERM
$HOME/.hushlogin
If this file exist in root or any users home directory you can get /etc/motd or login message.
/etc/group
Ex: - sybase:!:201:Sybase
staff:!:1:ipsec,sybase,utsdev,utstest,utsusr,test,subrep,utsusrwc,utstalk,utssub
Total 4 fields in /etc/group
Group Name : group password : group id : group members
Group password ! means password is stored some where else in a file, doesn’t exist in AIX.
/etc/security/group
This file contain all the groups on system and there roles i.e. Who is administrator of group, who manages group users are defined here, extended group roles.
Adms: - Defines the group administrators. Administrators are users who can perform
administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string.
admin : - Defines the administrative status of the group.
Possible values are:
True Defines the group as administrative. Only the root user can change the
attributes of groups defined as administrative.
False Defines a standard group. The attributes of these groups can be changed
by the root user or a member of the security group. This is the default
value.
EX: - # more /etc/security/group
system:
admin = true
adms = cmsadmin
staff:
admin = false
bin:
admin = true
sys:
admin = true
adm:
admin = true
adms = cmsadmin
/etc/security/login.cfg
Contains configuration information for login and user authentication.
There are three types of stanzas: -
Port Defines the login characteristics of ports.
Authentication method Defines the authentication methods for users.
user configuration Defines programs that change user attributes.
Port Stanzas
Port stanzas define the login characteristics of ports and are named with the full path name of the port. Each port should have its own separate stanza. Each stanza has the following attributes:
herald
Specifies the initial message to be printed out when getty or login prompts for a login name. Defines the login message printed when the getty process opens the port. The default herald is the login prompt. The value is a character string.
herald2
Defines the login message printed after a failed login attempt. The default herald is the login prompt. The value is a character string.
Logindelay
Defines the delay factor (in seconds) between unsuccessful login attempts. If a user enter invalid password and if logindelay=3 i.e 3 seconds, then after invalid login user will get login prompt after 3 seconds i.e its wait for 3 sec between unsuccessful login. The value is a decimal integer string. The default value is 0, indicating no delay between unsuccessful login attempts.
Logindisable
Defines the number of unsuccessful login attempts allowed before the port is locked. If this is set to 3, then port will be locked after 3 invalid login. The value is a decimal integer string. The default value is 0, indicating that the port cannot lock as a result of unsuccessful login attempts.
Logininterval
Defines the time interval (in seconds) in which the specified unsuccessful login attempts must occur before the port is locked. If logindisable is 3 and users enters 3 times invalid password, know the port will be get locked, but if Logininterval is set to 50 i.e 50 seconds, then before locking port system waits for 50 seconds and then port is locked. The value is a decimal integer string. The default value is 0.
loginreenable
Defines the time interval (in minutes) a port is unlocked after a system lock. If a port is locked and loginreenable is 1 i.e 1 minute, then ports get unlocked automatically after 1 minutes. The value is a decimal integer string. The default value is 0, indicating that the port is not automatically unlocked.
Logintimes
Specifies the times, days, or both the user is allowed to access the system.
sak_enabled
Defines whether the secure attention key (SAK) is enabled for the port. The SAK key is the Ctrl-X, Ctrl-R key sequence. Possible values for the sak_enabled attribute are:
True SAK processing is enabled, so the key sequence establishes a trusted path for the port.
false SAK processing is not enabled, so a trusted path cannot be established. This is the default value.
synonym
Defines other path names for the terminal. The path names should be device special files with the same major and minor number and should not include hard or symbolic links. The value is a list of comma-separated path names.
For example, if you specify synonym=/dev/tty0 in the stanza for the /dev/console path name, then the /dev/tty0 path name is a synonym for the /dev/console path name. However, the /dev/console path name is not a synonym for the /dev/tty0 path name unless you specify synonym=/dev/console in the stanza for the /dev/tty0 path name.
Authentication Method Stanzas
auth_method is no longer used. Security methods should be configured in /usr/lib/security/methods.cfg
auth_method:
program = /any/program
program_64 = /any/program64
Auth_method corresponds to a custom authentication method specified in the SYSTEM attribute in /etc/security/user, and /any/program is the program to run in order to do the authentication. The program_64 attribute should be used for process running in 64 bit mode, /any/program64 is a 64 bit program.
These stanzas define the authentication methods for users assigned in the /etc/security/user file. The name of each stanza must be identical to one of the methods defined by the auth1 or the auth2 attribute in the /etc/security/user file.
Each stanza has one attribute:
Program
Contains the full path name of a program that provides primary or secondary authentication for a user. Program flags and parameters may be included.
Since the SYSTEM authentication method is supported directly by the login command and the su command, and the NONE method does not provide any authentication, neither requires definition. However, all other authentication methods must be defined in this file. Different authentication methods can be defined for each user.
User-Configuration Stanzas
User-configuration stanzas provide configuration information for programs that change user attributes. There is one user-configuration stanza: usw.
The usw stanza defines the configuration of miscellaneous facilities. The following attributes can be included:
Logintimeout
Defines the time (in seconds) the user is given to type the password. The value is a decimal integer string. The default is a value of 60.
maxlogins
Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login attempts.
Note: Login sessions include rlogins and telnets; these are counted against the maximum allowable number of simultaneous logins by the maxlogins attribute.
shells
Defines the valid shells on the system. This attribute is used by the chsh command to determine which shells a user can select. The value is a list of comma-separated full path names. The default is /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, or /usr/bin/tsh.
Ex: -
default:
sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
herald = "\n\* Unreserved Ticketing System's Restricted Area *\n\r* Unauthorized use of this system is prohibited*\n\r* All Invalid logins are monitored for audit,*\n\r improper use of this system is criminal offence *\n\rLogin: "
*/dev/console:
• synonym = /dev/tty0
usw:
shells = /bin/sh, /bin/bsh, /bin/csh, /bin/ksh, /bin/tsh, /bin/ksh93, /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh,/us
r/bin/tsh, /usr/bin/ksh93, /usr/bin/rksh, /usr/bin/rksh93, /usr/sbin/uucp/uucico, /usr/sbin/sliplogin, /usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
auth_type = STD_AUTH
/etc/security/failedlogin
All failed login attempts are made here
/etc/security/lastlog
Defines the last login attributes for users.
time_last_login
The last time that the user successfully logged into the system. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last successful login. The value is a decimal integer.
tty_last_login
The last tty port that the user successfully logged into. Specifies the terminal on which the user last logged in. The value is a character string.
host_last_login
The host from which the user logged in from if the tty was not locally attached. This implies that the user used telnet or rlogin to log into the system. Specifies the host from which the user last logged in. The value is a character string.
unsuccessful_login_count
The number of attempts to log in as the user since the last successful login. The value is a decimal integer. This attribute works in conjunction with the user's loginretries attribute, specified in the /etc/security/user file, to lock the user's account after a specified number of consecutive unsuccessful login attempts. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute to be less than the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \ unsuccessful_login_count=0
time_last_unsuccessful_login
The time that the last unsuccessful attempt to log in as the user was made. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last unsuccessful login. The value is a decimal integer.
tty_last_unsuccessful_login
The tty port of the last unsuccessful attempt to log in as the user was made. Specifies the terminal on which the last unsuccessful login attempt occurred. The value is a character string.
host_last_unsuccessful_login
The host from which the last unsuccessful attempt to log in as the user was made. Specifies the host from which the last unsuccessful login attempt occurred. The value is a character string.
All user database files should be accessed through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases.
EX: -
root:
time_last_login = 1139610504
tty_last_login = ftp
host_last_login = ::ffff:10.128.0.52
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1136845660
tty_last_unsuccessful_login = ftp
host_last_unsuccessful_login = ::ffff:10.128.0.52
sybase:
time_last_login = 1139428239
tty_last_login = /dev/pts/6
host_last_login = loopback
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1139428235
tty_last_unsuccessful_login = /dev/pts/6
host_last_unsuccessful_login = loopback
/etc/environment
Sets up the user environment.
The /etc/environment file contains variables specifying the basic environment for all processes. When a new process begins, the exec subroutine makes an array of strings available that have the form Name=Value. This array of strings is called the environment. Each name defined by one of the strings is called an environment variable or shell variable. The exec subroutine allows the entire environment to be set at one time.
Environment variables are examined when a command starts running. The environment of a process is not changed by altering the /etc/environment file. Any processes that were started prior to the change to the /etc/environment file must be restarted if the change is to take effect for those processes. If the TZ variable is changed, the cron daemon must be restarted, because this variable is used to determine the current local time.
HOME
The full path name of the user login or HOME directory. The login program sets this to the name specified in the /etc/passwd file.
LANG
The locale name currently in effect. The LANG variable is set in the /etc/environment file at installation time.
NLSPATH
The full path name for message catalogs. The default is:
/usr/lib/nls/msg/%L/%N: /usr/lib/nls/msg/%L/%N.cat:
where %L is the value of the LC_MESSAGES category and %N is the catalog file name.
Note: See the chlang command for more information about changing message catalogs.
LC__FASTMSG
If LC_FASTMEG is set to false, POSIX-compliant message handling is performed. If LC__FASTMSG is set to true, it specifies that default messages should be used for the C and POSIX locales and that NLSPATH is ignored. If this variable is set to anything other than false or unset, it is considered the same as being set to true. The default value is LC__FASTMSG=true in the /etc/environment file.
LOCPATH
The full path name of the location of National Language Support tables. The default is /usr/lib/nls/loc and is set in the /etc/profile file. If the LOCPATH variable is a null value, it assumes that the current directory contains the locale files.
Note: All setuid and setgid programs will ignore the LOCPATH environment variable.
PATH
The sequence of directories that commands such as the sh, time, nice and nohup commands search when looking for a command whose path name is incomplete. The directory names are separated by colons.
TZ
The time-zone information. The TZ environment variable is set by the /etc/environment file. The TZ environment variable has the following format (spaces inserted for readability):
std offset dst offset, rule
The fields within the TZ environment variable are defined as follows:
std and dst
Designate the standard (std) and summer (dst) time zones. Only the std value along with the appropriate offset value is required. If the dst value is not specified, summer time does not apply. The values specified may be no less than three and no more than TZNAME_MAX bytes in length. The length of the variables corresponds to the %Z field of the date command; for libc and libbsd, TZNAME_MAX equals three characters. Any nonnumeric ASCII characters except the following may be entered into each field: a leading : (colon), a , (comma), a - (minus sign), a + (plus sign), or the ASCII null character.
Note: POSIX 1.0 reserves the leading : (colon) for an implementation-defined TZ specification. AIX disallows the leading colon, selecting CUT0 and setting the %Z field to a null string.
An example of std and dst format is as follows: EST5EDT
EST
Specifies Eastern U.S. standard time.
5
Specifies the offset, which is 5 hours behind Coordinated Universal Time (CUT).
EDT Specifies the corresponding summer time zone abbreviation.
Note: See "Time Zones" for a list of time zone names defined for the system.
offset Denotes the value added to local time to equal Coordinated Universal Time (CUT). CUT is the international time standard that has largely replaced Greenwich Mean Time. The offset variable has the following format:
hh:mm:ss
The fields within the offset variable are defined as follows:
hh
Specifies the dst offset in hours. This field is required. The hh value can range between the integers -12 and +11. A negative value indicates the time zone is east of the prime meridian; a positive value or no value indicates the time zone is west of the prime meridian.
mm
Specifies the dst offset detailed to the minute. This field is optional. If the mm value is present, it must be specified between 0 and 59 and preceded by a : (colon).
Ss
Specifies the dst offset detailed to the second. The ss field is optional. If the ss value is present, it must be specified between 0 and 59 and preceded by a : (colon).
An offset variable must be specified with the std variable. An offset variable for the dst variable is optional. If no offset is specified with the dst variable, the system assumes that summer time is one hour ahead of standard time.
As an example of offset syntax, Zurich is one hour ahead of CUT, so its offset is -1. Newfoundland is 1.5 hours ahead of eastern U.S. standard time zones. Its syntax can be stated as any of the following: 3:30, 03:30, +3:30, or 3:30:00.
rule The rule variable indicates when to change to and back from summer time. The rule variable has the following format:
start/time,end/time
The fields within the rule variable are defined as follows:
start
Specifies the change from standard to summer time.
end
Specifies the return to standard time from summer time.
Time
Specifies when the time changes occur within the time zone. For example, if the time variable is encoded for 2 a.m. then the time changes when the time zone reaches 2 a.m. on the date specified in the start variable.
EX: -
TZ=IST+5:30
LANG=en_US
LOCPATH=/usr/lib/nls/loc
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
LC__FASTMSG=true
# ODM routines use ODMDIR to determine which objects to operate on
# the default is /etc/objrepos - this is where the device objects
# reside, which are required for hardware configuration
ODMDIR=/etc/objrepos
/etc/security/environ
Defines the environment attributes for users.
If environment attributes are not defined, the system uses default values. Each user stanza can have the following attributes:
Usrenv
Defines variables to be placed in the user environment when the initial login command is given or when the su command resets the environment. The value is a list of comma-separated attributes. The default value is an empty string.
Sysenv
Defines variables to be placed in the user protected state environment when the initial login command is given or when the su command resets the environment. These variables are protected from access by unprivileged programs so other programs can depend on their values. The default value is an empty string.
Examples :- A typical stanza looks like the following example for user dhs:
dhs:
usrenv = "MAIL=/home/spool/mail/dhs,MAILCHECK=600"
sysenv = "NAME=dhs@delos"
EX: -
default:
root:
daemon:
/etc/security/limits
Defines process resource limits for users.
Note: Changing the limit does not affect those processes that started by init, or alternatively, ulimits are only used by those processes that go through the login processes.
The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.
Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. A new-line character ends each attribute, and an additional new-line character ends each stanza. If you do not define an attribute for a user, the system applies default values.
If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:
Resource Hard Value
Core Size unlimited
CPU Time cpu
Data Size unlimited
File Size fsize
Memory Size unlimited
Stack Size unlimited
File Descriptors unlimited
Note: Use a value of -1 to set a resource to unlimited.
If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values.
You can set the following limits on a user:
fsize
Largest file size that can be created or extended, identifies the soft limit for the largest file a user's process can create or extend.
core
Largest core file size that can be created, Specifies the soft limit for the largest core file a user's process can create.
cpu
Amount of cpu time to be used by each process. Must log out and back in for the changes to take affect.
Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data
Identifies the soft limit for the largest process data segment for a user's process.
stack
Specifies the soft limit for the largest process stack segment for a user's process.
Rss
Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
Nofiles
Sets the soft limit for the number of file descriptors a user process may have open at one time.
core_hard
Specifies the largest core file a user's process can create.
cpu_hard
Sets the largest amount of system unit time (in seconds) that a user's process can use.
data_hard
Identifies the largest process data segment for a user's process.
fsize_hard
Identifies the largest file a user's process can create or extend.
rss_hard
Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
stack_hard
Specifies the largest process stack segment for a user's process.
nofiles_hard
Sets the soft limit for the number of file descriptors a user process may have open at one time.
Except for the cpu attribute, each attribute must be a decimal integer string representing the number of 512-byte blocks allotted to the user. The cpu attribute is a decimal integer string representing the amount of system unit time in seconds.
EX: -
default:
fsize = -1
* 2097151
core = -1
* 2097151
cpu = -1
data = -1
* 262144
rss = -1
* 65536
stack = -1
* 65536
nofiles = 8000
root:
daemon:
/etc/shells
All valid shells are specify in this file.
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/psh
/usr/bin/tsh
/usr/bin/bsh
/etc/motd
Message of the day file
/etc/security/.ids
Holds the value for the next assignment to a group/user id and group/user admin id. Used by mkuser and mkgroup commands.
Sample contents: 4 203 12 200
• 4 = administrative user id (mkuser -a)
• 203 = user id (mkuser)
• 12 = administrative group id (mkgroup -a)
• 200 = group id (mkgroup)
Ex: -
# more /etc/security/.ids
8 213 14 202
Check /etc/passwd, you will see the last uid will be 212 if above “more /etc/security/.ids”
Displays the second column output as 213. This means that this file contains the UID’s or GID’s for next user or group to be made on system user useradd or adduser, system will assign automatically UID as 213 to new user and updates the /etc/security/.ids’s file’s second colume to 214.
/etc/security/.profile
/usr/lib/security/mkuser.sys
This scripts is run during user creation process, this scripts creates users home directory, gives group and ownership rights to that home directory and at last copy the /etc/security/.profile to users home directory/.profile
cp /etc/security/.profile $1/.profile
/usr/lib/security/mkuser.default
Contains the default attributes for new users.
The /usr/lib/security/mkuser.default file contains the default attributes for new users. This file is an ASCII file that contains user stanzas. These stanzas have attribute default values for users created by the mkuser command. There are two stanzas, user and admin, that can contain all defined attributes except the id and admin attributes. The mkuser command generates a unique id attribute. The admin attribute depends on whether the -a flag is used with the mkuser command.
Access Control: If read (r) access is not granted to all users, members of the security group should be given read (r) access. This command should grant write (w) access only to the root user.
Example
A typical user stanza looks like the following:
Below are the default attribute which get assign automatically to user, while creating a new user i.e if u just enter the mkuser amrik; here if u r not specifying any attribute i.e Primary group, home directory, this attributes get set automatically, this means to say that below attribute is a default attribute if u not specify system will set it for u.
user:
pgroup = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER
auth1 = SYSTEM
admin:
pgrp = system
groups = system
shell = /usr/bin/ksh
home = /home/$USER
pgroup: - Primary group of user belongs
groups: - secondary group, of whom this user will be member
shell: - Login shell, taken from number shell supported by shell stanza of
/etc/secuirity/login.cfg
home: - Users login home directory, it can modified also.
/etc/security/user.roles
Contains the list of roles for each user. The /etc/security/user.roles file contains the list of roles for each user. This is an ASCII file that contains a stanza for system users. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
This file supports a default stanza. If an attribute is not defined, either the default stanza or the default value for the attribute is used.
A stanza contains the following attribute:
roles Contains the list of roles for each user.
The user.roles file is kept separately from the /etc/security/user file for performance reasons. Several commands scan this database, so system performance increases with smaller files to scan (especially on systems with large numbers of users).
/etc/security/roles
The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used.
A stanza contains the following attributes:
rolelist Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user.
authorizations Contains the list of additional authorizations acquired by the user for this specific role.
groups Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
screens Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens).
msgcat Contains the file name of the message catalog that contains the one-line descriptions of system roles.
msgnum Contains the message ID that retrieves this role description from the message catalog.
Examples
A typical stanza looks like the following example for the ManageAllUsers role:
ManageAllUsers:
rolelist = ManageBasicUsers
authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
groups = security
screens = mkuser,rmuser,!tcpip
Resume point....
· Upgradation of TL (technology level)
· Perform system startup and shutdown
· Installation of software and OS patches
· Adding new packages and applications when required by the developer.
· Creating file systems.
· Check and Repair File system
· Checking for error report on servers
· Sharing files by using nfs and mounting on client machines
· Create and manage user and group accounts
· Configuring Network Interfaces, Collect network device statistics.
· Scheduling the jobs using Crontab.
· Exporting volume group from one node to other and adding new disks to volume group.
· Replacing failed devices.
· Designing and managing disk space using AIX Logical Volume management.
· Adding / Removing Paging space
· Taking regular system backup using mksysb and volume group backups using savevg.
· Performance monitoring using vmstat, iostat, etc.
· Writing shell/perl scripts to accomplish day to day system administration task
· Providing L1 and L2 support for Linux
Subscribe to:
Comments (Atom)