Index Index for
Section 8
Index Alphabetical
listing for S
Bottom of page Bottom of
page		 

secconfig(8)


NAME

  secconfig, secsetup - Security features setup graphical interface (Enhanced
  Security)


SYNOPSIS

  /usr/sbin/sysman secconfig

				     Note

       The secsetup utility has been replaced by the secconfig graphical
       interface.


DESCRIPTION

  The secconfig utility is a graphical interface used to select the level of
  system security needed. It can convert from Base to enhanced security mode,
  and configure base and enhanced security features. If you are using
  secconfig to enable Enhanced security, you must first have loaded the
  enhanced security subsets.

  You can run secconfig while the system is in multiuser mode. However, if
  you change the security level, the change is not completed until you reboot
  the system.

  For both base and enhanced security, the secconfig utility allows you to
  enable segment sharing, to enable access control lists (ACLs), and to
  restrict the setting of the execute bit to root only.

  For enhanced security, the secconfig utility additionally allows you to
  configure security support from simple shadow passwords all the way to a
  strict C2 level of security. Shadow password support is an easy method for
  system administrators, who do not wish to use all of the extended security
  features, to move each user's password out of /etc/passwd and into the
  extended user profile database (auth.db. You can use the Custom mode if you
  wish to select additional security features, such as breakin detection and
  evasion, automatic database trimming, and password controls.

  When converting from base to enhanced security, secconfig updates the
  system default database (/etc/auth/system/default) and uses the convuser
  utility to migrate user accounts.

  While it is possible to convert user accounts from enhanced back to base,
  the default encryption algorithms and supported password lengths differ
  between base and enhanced security, and thus user account conversions do
  not succeed without a password change.

				     Note

       Because of the page table sharing mechanism used for shared libraries,
       the normal file system permissions are not adequate to protect against
       unauthorized reading. The secconfig interface allows you to disable
       segment sharing. The change in segment sharing takes effect at the
       next reboot.


FILES

  /etc/auth/system/default

  /etc/passwd

  /tcb/files/auth.db


SEE ALSO

  acl(4), authcap(4), default(4), convuser(8)

  Security

Index Index for
Section 8
Index Alphabetical
listing for S
Top of page Top of
page