# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos72L src/bos/etc/secvars/secvars.cfg 1.5
#
# Licensed Materials - Property of IBM
#
# COPYRIGHT International Business Machines Corp. 2013,2018
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
# @(#)99 1.5 src/bos/etc/secvars/secvars.cfg, libs, bos72L, l2018_27B0 6/29/18 %U
#
# /etc/secvars.cfg is a generic file for all the security variables that can be
# accessed by a non-privileged user.
#
# /etc/secvars.cfg is a stanza file; each stanza name groups a set of related
# attributes. The lssec and chsec commands can be used to manage this file.
# Currently supported stanza names and their related attributes are:
#
#   groups       : domainlessgroups
#   rbac         : loglevel
#   suid_profile : chkperm
#
# groups : domainlessgroups
#
#   domainlessgroups  Defines the system configuration for merging the user's
#                     group attributes between the LDAP and files modules. Only
#                     the files and LDAP modules are supported. Valid values are
#                     "true" or "false".
#                     "true"  : The group attribute is merged from the LDAP and
#                               files modules, i.e. LDAP users can be assigned
#                               local groups and vice versa.
#                     "false" : The group attribute is not merged from the LDAP
#                               and files modules.
#                     Default value is "false".
#                     Note: In the event of the LDAP server being down or not
#                     reachable, and this variable being set to 'true', some
#                     operations on groups and users will fail. Setting this
#                     variable to 'true' therefore mandates a properly
#                     functioning LDAP server.
#
# rbac : loglevel
#
#   loglevel  Defines the syslog level for privileged commands.
#             'loglevel' can be assigned the following values:
#               all  : All privileged command executions are logged to syslog.
#               crit : Syslog messages are logged when privileged commands run
#                      without ALLOW_ALL / ALLOW_OWNER / ALLOW_GROUP as
#                      authorizations.
#               none : No syslog messages are logged when privileged commands
#                      are run.
#             Default value of 'loglevel' is 'all'.
#
# suid_profile : chkperm
#
#   chkperm  Defines the system configuration for checking the ownership and
#            permissions of the /etc/suid_profile file. The Korn shell (ksh)
#            interprets /etc/suid_profile as a profile when a process whose
#            ruid != euid or rgid != egid spawns a new shell.
#            The following values are valid for the chkperm attribute:
#              'true'  : ksh verifies the ownership [root] and file permissions
#                        [644] of /etc/suid_profile before interpreting it as a
#                        profile. If the ownership or permissions are not
#                        correct, ksh ignores /etc/suid_profile. Set chkperm to
#                        true to enhance the security of the system.
#              'false' : ksh does not validate the ownership and file
#                        permissions of /etc/suid_profile.
#            Default value is 'false'.
#            Note: Set the chkperm attribute to true regardless of whether
#            /etc/suid_profile exists on the system.
#
# Stanza example:
#
#   groups:
#           domainlessgroups = true
#
# Use the chsec command to update this file. For example, to set the
# domainlessgroups attribute, run:
#
#   chsec -f /etc/secvars.cfg -s groups -a domainlessgroups=true
#
########################################################################

# "true" merges group membership across the files and LDAP modules and requires
# a reachable LDAP server (see the note above); "false" keeps them separate.
groups:
	domainlessgroups = false

# "all" records every privileged command execution in syslog; "crit" and "none"
# reduce that audit coverage (see the loglevel description above).
rbac:
	loglevel = all

# With "false" ksh does not check the ownership and permissions of
# /etc/suid_profile before interpreting it in a shell whose real and effective
# uid/gid differ; the description above recommends setting this to true.
suid_profile:
	chkperm = false