The information systems security officer (ISSO) is responsible for ensuring the integrity of the system. To do this, the ISSO runs the authck program, which checks the internal consistency of the files that make up the authentication database. (This function cannot be performed with the GUIs.) This chapter describes the authck program, suggests reasons for running it, and explains what to do if it finds discrepancies.
The authentication database consists of the following subsidiary databases:

    Protected password database (/tcb/files/auth.db and /var/tcb/files/auth.db, or /tcb/files/auth/<a-z>/username)

    System defaults database (/etc/auth/system/default)
For detailed information about the format and contents of the databases, see the default(4), devassign(4), files(4), prpasswd(4), and ttys(4) reference pages.
The system management GUI interface is the preferred method for modifying the above files. For disaster recovery, or at times when the GUI interface is not available, the edauth program can be used to modify the above files instead. In single user mode, the /usr and /var file systems must be mounted before the edauth program is used.
The authck program checks the overall structure and the internal consistency of the authentication database. It checks the correctness of entries within each database and also checks related fields in other databases. For example, it checks the protected password database entry for a user against the /etc/passwd file and the command authorizations database.
You can specify the following arguments on the authck command line:

    -p  Checks the protected password database and the /etc/passwd file to ensure that they are complete and that they agree with each other. It also checks the protected password database for reasonable values.

    -t  Checks the fields in the terminal control database for reasonable values.

    -f  Checks the file control database for syntax and value specification errors. Without this flag, entries with unknown authorizations, user names, and so on, are ignored. Any such entries are also silently ignored by setfiles. Typically these errors are typographical, such as "rooot" instead of "root", and the program attempts to guess the right value.

    -a  Performs the functions of -f, -p, and -t.

    -c

    -v  Provides program activity status during operation.
The authck program produces a report listing any discrepancies between the databases. Compare the output of the program with the actual database entries and rectify any differences immediately. Problems typically occur because someone has manually updated one of the databases without making the corresponding change to the related databases.
When you add applications to the system by a means other than the setld program, you should also add file control database entries for the application's control and database files and programs. It is best to consult with the application supplier to get a file and program list, and suggested protection attributes for all files. If you add the application's files to the file control database, you gain the benefit of periodic integrity checking of that application's resources. See the fverify(8) reference page for more information on checking file integrity.
If the /etc/passwd file is lost, but the extended profiles are still available, then a command sequence like the following can be used to recover some of the missing data:

    # bcheckrc
    # /tcb/bin/convuser -dn | /usr/bin/xargs /tcb/bin/edauth -g | \
      sed '/:u_id#/!d;s/.*:u_name=//;s/:u_id#/:*:/;s/:u_.*$/:/' \
      > psw.missing

This creates a psw.missing file containing entries like the following:

    root:*:0:
    jdoe:*:0:

Primary group information, finger information, home directory, and login shell are not recorded in the extended profile. The data for those fields must be recovered by other means.
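As an added example (not code from this reference page, nor from the authck or edauth programs), the following Python script models two things described above on constructed data: the kind of cross-check authck -p performs between the protected password database and /etc/passwd (missing entries on either side, disagreeing UIDs, a typographical name such as "rooot"), and the recovery transform the sed pipeline applies to edauth -g output. The prpasswd-style record layout used in the sample (u_name=, u_id#, u_pwd=, chkent) and all user names and UIDs are assumptions, not values taken from a real system.

```python
"""Model of the authck -p cross-check and of the passwd recovery transform.
Added example; the record layout and the sample users are constructed."""
import re

# Constructed sample of what `edauth -g` prints: one prpasswd-style record per
# user. The field layout is an assumption based on the prpasswd(4) style.
PRPASSWD_SAMPLE = """\
root:u_name=root:u_id#0:u_pwd=*:chkent:
jdoe:u_name=jdoe:u_id#1001:u_pwd=*:chkent:
asmith:u_name=asmith:u_id#1002:u_pwd=*:chkent:
rooot:u_name=rooot:u_id#0:u_pwd=*:chkent:
"""

# Constructed /etc/passwd: jdoe's UID disagrees, asmith has no line at all,
# and bin has no protected password entry.
PASSWD_SAMPLE = """\
root:*:0:0:root:/:/bin/sh
jdoe:*:1003:15:John Doe:/usr/users/jdoe:/bin/csh
bin:*:3:4:bin:/bin:
"""


def parse_prpasswd(text):
    """Return {name: uid} from prpasswd-style records.

    Records without a u_id# field are skipped, mirroring the sed '/:u_id#/!d'.
    """
    entries = {}
    for line in text.splitlines():
        if ":u_id#" not in line:
            continue
        name_m = re.search(r":u_name=([^:]*):", line)
        uid_m = re.search(r":u_id#(\d+)", line)
        # Fall back to the leading key field if u_name= is absent.
        name = name_m.group(1) if name_m else line.split(":", 1)[0]
        entries[name] = int(uid_m.group(1))
    return entries


def parse_passwd(text):
    """Return {name: uid} from /etc/passwd lines; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        entries[fields[0]] = int(fields[2])
    return entries


def check_consistency(prp, pw):
    """List discrepancies the way an authck -p report would, one per user."""
    problems = []
    for name in sorted(set(prp) | set(pw)):
        if name not in pw:
            problems.append(f"{name}: in protected password database but not in /etc/passwd")
        elif name not in prp:
            problems.append(f"{name}: in /etc/passwd but has no protected password entry")
        elif prp[name] != pw[name]:
            problems.append(
                f"{name}: uid {prp[name]} in protected password database, "
                f"{pw[name]} in /etc/passwd"
            )
    return problems


def recover_passwd_stubs(prp_text):
    """Apply the same three substitutions as the page's sed script.

    Produces name:*:uid: stubs; group, finger, home and shell are not in the
    extended profile and stay empty.
    """
    stubs = []
    for line in prp_text.splitlines():
        if ":u_id#" not in line:           # sed: /:u_id#/!d
            continue
        line = re.sub(r".*:u_name=", "", line)        # s/.*:u_name=//
        line = re.sub(r":u_id#", ":*:", line, count=1)  # s/:u_id#/:*:/
        line = re.sub(r":u_.*$", ":", line)           # s/:u_.*$/:/
        stubs.append(line)
    return stubs


if __name__ == "__main__":
    prp = parse_prpasswd(PRPASSWD_SAMPLE)
    pw = parse_passwd(PASSWD_SAMPLE)
    for problem in check_consistency(prp, pw):
        print(problem)
    print("--- recovered stubs ---")
    for stub in recover_passwd_stubs(PRPASSWD_SAMPLE):
        print(stub)
```

On the constructed input the report flags asmith and rooot (profile but no passwd line), bin (passwd line but no profile) and jdoe (UID 1001 versus 1003); the recovered stubs carry only name, a locked password field and the UID, which is why the page says the remaining fields must be recovered by other means.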