secvars.cfg File
Purpose
Consists of configuration values for various system security properties.
Description
The /etc/secvars.cfg file is a stanza file, where each stanza name represents a security property. The lssec and chsec commands can be used to view and modify the file. The file contains the following stanzas:
groups
Defines the behavior of groups on the system. This stanza has the following attributes:
domainlessgroups
Controls the system configuration for merging the user's group attributes from the Lightweight Directory Access Protocol (LDAP) and files domains. Only the files and the LDAP modules are supported. The domainlessgroups feature recognizes whether users or groups belong to the supported domains based on the registry values of the users or groups. Hence, the registry value specified for the users or groups must be either files or LDAP. The registry value cannot be a compound module or a compat registry, even though the specified compound modules or compat registries might contain the files domain, the LDAP domain, or both. The domainlessgroups feature is not applicable to values such as netgroups that are specified for the options parameter of the LDAP module. The LDAP module is defined in the /etc/methods.cfg file.
The domainlessgroups attribute can have one of the following values:
- True
  When this attribute is set to true, a user can be assigned groups from both the LDAP and files domains simultaneously, irrespective of the user's domain. The user must belong to either the LDAP or the files domain. For example, users that are defined in LDAP can be assigned local groups, and vice versa.
- False
  When this attribute is set to false, users can be assigned groups only from the domain where the user definition exists. The default value is false.
- If the LDAP server is down or not reachable, and this variable is set to true, some operations on groups and users fail. If this variable is set to true, it mandates a properly functioning LDAP server. For example, when the LDAP server is not reachable, the rmgroup command for local groups fails because these groups can be the primary group of an LDAP user. Also, if the LDAP server is not reachable, a local user whose primary group is an LDAP group fails to log in.
- You must not have the same names or IDs for users or groups across the LDAP and local (files) domains when this variable is set to true, because the behavior of some commands is unpredictable. To avoid creation of the same ID, set the dist_uniqid system attribute.
- When the LDAP server is not reachable, the lsuser and lsgroup commands display information from the local system.
- Adding a local user to an LDAP group effectively makes that user belong to the LDAP group not only on the current host, but also on any other host where a user with the same name exists locally. In other words, if a user with the same name exists locally on two or more hosts, adding that user to an LDAP group from one host makes it effective on the other hosts.
- When a local user is removed from the system, it is automatically removed from any LDAP group. This means that, when a local user that has the same name across two or more hosts is removed from an LDAP group on one host, all the local users with the same name across all the other hosts lose their membership of that LDAP group.
- When a user is assigned to a group and a user with the same name exists in the other domain, the user that gets assigned to the group is the one from the same domain as the group.
  Example: specifying similar names for users or groups across domains
  User "user1" is present in the LDAP domain:
      mkuser -R LDAP id=10001 user1
  Another user also named "user1" is present in the local domain:
      mkuser -R files id=1000 user1
  Ldgrp1's user user1 belongs to the LDAP domain:
      mkgroup -R LDAP id=20001 users=user1 Ldgrp1
- When an LDAP group is assigned as a primary group to a local user on one client or host, the group can be removed from another host. This is possible because the second host does not have any knowledge about the local users on the first client.
- If this feature is turned on, user validation is skipped while creating or modifying groups. For example, in the following command the users user1, user2, and user3 are not checked for their existence:
      chgroup users=user1,user2,user3 group_name
  Also, a group existing locally on one LDAP client cannot be assigned to users from another LDAP client.
- The root user cannot be assigned LDAP groups irrespective of the value of the domainlessgroups attribute.
- For the domainlessgroups feature to work properly, the user map files under /etc/security/ldap directory must contain the mapping for the pgid attribute.
- You must ensure that LDAP client daemon and LDAP server are up and running before you delete a local user or a local group. Otherwise the entry of such a local user or a local group continues to exist in the LDAP.
rbac
Controls the syslog messages that are logged whenever privileged commands are run. Privileged commands appear in the /etc/security/privcmds database. This stanza contains the following attributes:
loglevel
Defines the syslog level for privileged commands. The loglevel attribute can have one of the following values:
- all
  Indicates that when the privileged commands are run, the results are logged to the syslog file. The default value for loglevel is all.
- crit
  Indicates that the syslog messages are logged when privileged commands are run without the ALLOW_ALL, ALLOW_OWNER, or ALLOW_GROUP authorization in the /etc/security/privcmds file.
- none
  Indicates that the syslog messages are not logged when privileged commands are run.
suid_profile
Defines the restriction on the /etc/suid_profile file. This stanza has the following attributes:
chkperm
Defines the system configuration for checking the ownership and permission of the /etc/suid_profile file. The Korn shell (ksh) interprets the /etc/suid_profile file as a profile when a process whose ruid != euid or rgid != egid spawns a new shell.
The chkperm attribute can have one of the following values:
- True
  When this attribute is set to true, the ksh verifies the ownership [root] and file permissions [644] of the /etc/suid_profile file before interpreting it as a profile. If the ownership or permission is not proper, the ksh ignores the /etc/suid_profile file. You can set the chkperm attribute to true to enhance the security of the system.
- False
  When this attribute is set to false, the ksh does not validate the ownership and file permissions of the /etc/suid_profile file. The default value is false.
Note: Set the chkperm attribute to true regardless of the existence of the /etc/suid_profile file in the system.
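The three stanzas above are what an administrator audits on a host. The following POSIX sh script is an added example, not part of the AIX documentation or of AIX itself: it parses a file in the /etc/secvars.cfg stanza format (the parser treats lines starting with * or # as comments, an assumption), applies the documented defaults for unset attributes, and reports the settings that weaken logging or profile checking.

```sh
#!/bin/sh
# Added audit helper for /etc/secvars.cfg-style stanza files (not AIX code).
# Stanza format: "name:" opens a stanza; "attr=value" lines belong to it.
# Lines beginning with * or # are treated as comments (an assumption).

# secvars_get FILE STANZA ATTR: print the value in lower case, or nothing if unset.
secvars_get() {
    awk -v stanza="$2" -v attr="$3" '
        /^[[:space:]]*[*#]/ { next }                       # comment line
        /^[^=]*:[[:space:]]*$/ {                           # "name:" header
            cur = $0; sub(/:[[:space:]]*$/, "", cur); sub(/^[[:space:]]+/, "", cur); next }
        cur == stanza {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); gsub(/[[:space:]]+$/, "", key)
            if (key != attr) next
            val = substr(line, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print tolower(val); exit
        }' "$1"
}

# secvars_audit FILE: print one finding per line; return the number of findings.
# Documented defaults: domainlessgroups=false, loglevel=all, chkperm=false.
secvars_audit() {
    count=0
    dlg=$(secvars_get "$1" groups domainlessgroups); dlg=${dlg:-false}
    lvl=$(secvars_get "$1" rbac loglevel);           lvl=${lvl:-all}
    chk=$(secvars_get "$1" suid_profile chkperm);    chk=${chk:-false}
    # chkperm != true: ksh reads /etc/suid_profile without verifying root/644.
    if [ "$chk" != true ]; then
        echo "suid_profile.chkperm=$chk: ksh will not verify root ownership and 644 mode of /etc/suid_profile"
        count=$((count + 1))
    fi
    # loglevel below "all" drops syslog records of privileged command runs.
    if [ "$lvl" != all ]; then
        echo "rbac.loglevel=$lvl: privileged command runs are not fully logged to syslog"
        count=$((count + 1))
    fi
    # domainlessgroups=true ties group operations to a reachable LDAP server
    # and to unique names/IDs across the files and LDAP domains.
    if [ "$dlg" = true ]; then
        echo "groups.domainlessgroups=true: requires a reachable LDAP server and unique IDs (dist_uniqid)"
        count=$((count + 1))
    fi
    return "$count"
}

# Usage: sh secvars_audit.sh /etc/secvars.cfg   (exit status = number of findings)
if [ -n "${1:-}" ]; then secvars_audit "$1"; fi
```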
Stanza-Variable association table
The following table lists the stanzas and their attributes:
Stanza | Attribute |
---|---|
groups | domainlessgroups |
rbac | loglevel |
suid_profile | chkperm |
Security
Access Control
This file grants read and write access to the root user. Access for other users and groups depends on the security policy for the system.
Files
Item | Description |
---|---|
/etc/secvars.cfg | Specifies the path to the file. |
/etc/group | Contains the basic attributes of groups. |
/etc/security/group | Contains the extended attributes of groups. |
Examples
groups:
domainlessgroups=true