# IBM_PROLOG_BEGIN_TAG 
# This is an automatically generated prolog. 
#  
# bos72L src/bos/etc/secvars/secvars.cfg 1.5 
#  
# Licensed Materials - Property of IBM 
#  
# COPYRIGHT International Business Machines Corp. 2013,2018 
# All Rights Reserved 
#  
# US Government Users Restricted Rights - Use, duplication or 
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
#  
# IBM_PROLOG_END_TAG 

# @(#)99 1.5 src/bos/etc/secvars/secvars.cfg, libs, bos72L, l2018_27B0 6/29/18 %U 

# /etc/secvars.cfg is a generic file for all the security variables that can be
# accessed by a non-privileged user.
#
# /etc/secvars.cfg is a stanza file, with each stanza name representing a
# set of user attributes. The lssec and chsec commands can be used to manage this file.
# The currently supported stanza names and their related attributes are:
#
# groups :	domainlessgroups 
# 
#
# domainlessgroups Defines the system configuration for merging the user's group
#               attributes among LDAP and files Modules. Only files and LDAP
#               modules are supported. Valid values are "true" or "false".
#               "true"  : When this attribute is set as true, the group attribute
#               is merged from the LDAP and files modules i.e. LDAP users can be
#               assigned local groups and vice versa.
#               "false" : When this attribute is set as false,  the group
#               attribute is not merged from the LDAP and files modules.
#               Default value is "false".
#               Note: If this variable is set to 'true' and the LDAP server is
#               down or not reachable, some operations on groups and users
#               will fail. Setting this variable to 'true' therefore requires
#               a properly functioning LDAP server.
# 
# rbac :	loglevel
#
# loglevel	Defines the syslog level for privileged commands. 
#		'loglevel' can be assigned the following values:
#		all : Indicates that all privileged command executions  
#		are logged into syslog.
#		crit: Indicates that syslog messages are logged when 
#		privileged commands run without  ALLOW_ALL / ALLOW_OWNER /
#		ALLOW_GROUP as authorizations. 
#		none: No syslog messages are logged when privileged 
#		commands are run. 
#		Default value of 'loglevel' is 'all'.
#
#
# suid_profile : chkperm
#
#  chkperm	Defines the system configuration for checking ownership and 
#		permission of the /etc/suid_profile file. The Korn shell (ksh)
#		interprets the /etc/suid_profile file as a profile when a
#		process whose ruid != euid or rgid != egid spawns a new shell.
#		The following values are valid for the chkperm attribute.
#		'true' : When this attribute is set to true, the ksh verifies
#		the ownership [root] and file permissions [644] of the
#		/etc/suid_profile file before interpreting it as a profile. If
#		the ownership or permission is not proper, the ksh ignores the
#		/etc/suid_profile file. You can set the chkperm attribute to
#		true to enhance the security of the system.
#		'false'  : When this attribute is set to false, the ksh does not
#		validate the ownership and file permissions of the
#		/etc/suid_profile file. 
#		Default value is 'false'.
#		Note: Set the chkperm attribute to true whether or not the
#		/etc/suid_profile file exists on the system.
#
#
# Stanza example:
#
# groups:
#	domainlessgroups = true
#
# Use the chsec command to update this file. For example, to set the
# domainlessgroups attribute, run :
#
# chsec -f /etc/secvars.cfg -s groups -a domainlessgroups=true
#
########################################################################


# Active settings. Each value below matches the default documented above for
# its attribute. Use chsec to change them rather than editing by hand.
#
# groups / domainlessgroups = false
#   Group attributes are not merged between the LDAP and files modules.
#   Setting it to true requires a reachable LDAP server; otherwise some
#   operations on groups and users will fail.
#
# rbac / loglevel = all
#   Every privileged command execution is logged to syslog.
#   NOTE(review): 'crit' logs only the case described above and 'none' logs
#   nothing, so lowering this value shrinks the syslog record of privileged
#   command use; confirm that is intended before changing it.
#
# suid_profile / chkperm = false
#   ksh does not verify the ownership [root] or permissions [644] of
#   /etc/suid_profile before interpreting it, so a profile that fails those
#   checks is still read by shells spawned from a process whose
#   ruid != euid or rgid != egid. The notes above recommend true, e.g.:
#     chsec -f /etc/secvars.cfg -s suid_profile -a chkperm=true
groups:
	domainlessgroups = false

rbac:
	loglevel = all

suid_profile:
	chkperm = false