[ Next Article |
Previous Article |
Book Contents |
Library Home |
Legal |
Search ]
Commands Reference, Volume 5
usrck Command
Purpose
Verifies the correctness of a user definition.
usrck { -n |
-p | -t | -y }
{ ALL | User ... }
Description
The usrck command verifies the
correctness of the user definitions in the user database files, by checking
the definitions for ALL the users or for the users specified by
the User parameter. If more than one user is specified, there must
be a space between the names. You must select a flag to indicate whether
the system should try to fix erroneous attributes.
The command first checks the entries in
the /etc/passwd file. If you indicate that the system should fix
errors, duplicate user names are reported and removed. Duplicate IDs are
reported only, since there is no system fix. If an entry has fewer than
six colon-separated fields, the entry is reported, but not fixed. The usrck
command next checks specific user attributes in other files.
The usrck command verifies that
each user name listed in the /etc/passwd file has a stanza in the
/etc/security/user, /etc/security/limits and /etc/security/passwd
files. The usrck command also verifies that each group name listed
in the /etc/group file has a stanza in the /etc/security/group
file. The usrck command using the -y flag creates stanzas
in the security files for the missing user and group names.
Note: This command writes its messages
to stderr.
A list of all the user attributes follows,
with notations stating which attributes are checked:
account_locked |
No check. The usrck command sets this attribute to True and
disables accounts. |
admgroups |
Checks to see if the admgroups are defined in the user database
and, if you indicate that the system should fix errors, the command removes
any groups that are not in the database. |
auditclasses |
Checks to see if the auditclasses are defined for the user in
the /etc/security/audit/config file. If you indicate that the system
should fix errors, the command deletes all the auditclasses that are not
defined in the /etc/security/audit/config file. |
auth1 |
Checks the primary authentication method. Unless the method is NONE
or SYSTEM, it must be defined in the /etc/security/login.cfg file
and the program attribute must exist and be executable by the root user.
If you indicate that the system should fix errors, it will disable the
user account if an error is found. |
auth2 |
Checks the secondary authentication method. Unless the method is NONE
or SYSTEM, it must be defined in the /etc/security/login.cfg file
and the program attribute must exist and be executable by the root user.
There is no system fix. |
core |
Ensures that the values are sensible. If not, the command resets the
values to 200 blocks, the minimum value. |
core_hard |
Ensures that the values are sensible. If not, the command resets the
values to 200 blocks, the minimum value. This attribute applies to AIX
Version 4.2 or later. |
cpu |
Ensures that the values are sensible. If not, the command resets the
values to 120 seconds, the minimum value. |
cpu_hard |
Ensures that the values are sensible. If not, the command resets the
values to 120 seconds, the minimum value. This attribute applies to AIX
Version 4.2 or later. |
data |
Ensures that the values are sensible. If not, the command resets the
values to 128 blocks (64K) and for AIX Version 4.1.5 and later to 1272
blocks (636K), the minimum value. |
data_hard |
Ensures that the values are sensible. If not, the command resets the
values to 1 272 blocks (636K ), the minimum value. This attribute applies
to AIX Version 4.2 or later. |
dictionlist |
Checks the list of dictionary files. If you indicate that the system
should fix errors, all dictionary files that do not exist are deleted from
the user database. |
expires |
No check. |
fsize |
Ensures that the values are sensible. If not, the command resets the
values to 200 blocks, the minimum value. |
fsize_hard |
Ensures that the values are sensible. If not, the command resets the
values to 200 blocks, the minimum value. This attribute applies to AIX
Version 4.2 or later. |
gecos |
No check. |
histexpire |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value. |
histsize |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value. |
home |
Checks the existence and accessibility of the home directory by read
mode and search mode. If you indicate that the system should fix errors,
it will disable the user account if an error is found. |
id |
Checks the uniqueness of the user ID. If you indicate that the system
should fix errors, the command deletes any invalid entry in the /etc/passwd
file. |
login |
No check. |
loginretries |
Checks if the user attempted unsuccessful logins more than the allowable
amount. If so, the system disables the user account. |
logintimes |
Ensures that the string of time specifiers is valid. If you indicate
that the system should fix errors, the system disables the user account
if an error is found. |
maxage |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value. |
maxexpired |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value. |
maxrepeats |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value. |
minage |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value.
The system also indicates if the minage attribute is larger than
the maxage attribute. |
minalpha |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value. |
mindiff |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value. |
minlen |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value. |
minother |
Ensures that the values are sensible. If you indicate that the system
should fix errors, values that are too large are set to the largest possible
value and values that are too small are set to the smallest possible value.
The system also indicates if the minage attribute plus the maxage
attribute is greater than the maximum password size. |
name |
Checks the uniqueness and composition of the user name. The name must
be a unique string of eight bytes or less. It cannot begin with a + (plus
sign), a : (colon), a - (minus sign), or a ~ (tilde). Names beginning with
a + (plus sign) or with a - (minus sign) are assumed to be names in the
NIS (Network Information Service) domain, and no further processing is
performed. It cannot contain a colon (:) in the string and cannot be the
ALL or default keywords. If you indicate that the system
should fix errors, the command disables the user account if an error is
found and deletes any invalid entry in the /etc/passwd file.
The usrck command verifies that,
for each user name listed in the /etc/passwd file, there is a stanza
in the /etc/security/user, /etc/security/limits, and /etc/security/passwd
files. The command adds stanzas for each one identified as missing. The
usrck command additionally verifies that each group name listed
in the /etc/group file has a stanza in the /etc/security/group
file. |
nofiles |
Ensures that the value is sensible. If not, resets the value to 200, the minimum value. |
nofiles_hard |
Ensures that the value is sensible. If not, resets the value to 200, the minimum value. |
pgrp |
Checks for the existence of the primary group in the user database.
If you indicate that the system should fix errors, it will disable the
user account if an error is found. |
pwdchecks |
Checks the list of external password restriction methods. If you indicate
that the system should fix errors, all methods that do not exist are deleted
from the user database. |
pwdwarntime |
Ensures that the value is sensible. If not, the system resets the value
to the difference between the maxage and minage values. |
rlogin |
No check. |
rss |
Checks to ensure that the values are sensible. If not, the command
resets the values to 128 blocks (64K), the minimum value. |
rss_hard |
Checks to ensure that the values are sensible. If not, the command
resets the values to 128 blocks (64K), the minimum value. This attribute
applies to AIX Version 4.2 or later. |
shell |
Checks the existence and accessibility of the shell by execute mode.
If you indicate that the system should fix errors, it will disable the
user account if an error is found. |
stack |
Checks to ensure that the values are sensible. If not, the command
resets the values to 128 blocks (64K), the minimum value. |
stack_hard |
Checks to ensure that the values are sensible. If not, the command
resets the values to 128 blocks (64K), the minimum value. This attribute
applies to AIX Version 4.2 or later. |
su |
No check. |
sugroups |
Checks for the existence of the sugroups in the user database
files. If you indicate that the system should fix errors, it will delete
all the groups that are not in the database. |
sysenv |
No check. |
tpath |
Checks to ensure that the shell attribute is tagged as a trusted
process if tpath=always. If you indicate that the system should
fix errors, it will disable the user account if an error is found. |
ttys |
Checks for the existence of the ttys in the user database files. If
you indicate that the system should fix errors, it will delete all the
ttys that do not exist from the user database. |
usrenv |
No check. |
If the fix involves disabling a user account,
use the chuser command to reset the value of the account_locked
attribute to False. You can use the System Management Interface Tool (SMIT)
to run the chuser command by entering:
smit chuser
The root user or a member of the security
group can enable a user account again by removing the account_locked
attribute or setting the account_locked attribute to False. The
root user's account is not disabled by the usrck command.
Generally, the sysck command calls
the usrck command as part of the verification of a trusted-system
installation. If the usrck command finds any errors in the user
database, the root user or a member of the security group should execute
both the grpck command and the pwdck command.
The usrck command checks to see if the database management security files (/etc/passwd.nm.idx, /etc/passwd.id.idx, /etc/security/passwd.idx, and /etc/security/lastlog.idx) files are up-to-date or newer than the corresponding system security files. Please note, it is alright for the /etc/security/lastlog.idx to be not newer than /etc/security/lastlog. If the database management security files are out-of-date, a warning message appears indicating that the root user should run the mkpasswd command.
The usrck command checks if the
specified user can log in. If the user cannot log in because of too many
unsuccessful login attempts or because the password is expired, the usrck
command issues a warning message indicating why the user cannot log in.
If you indicate that the system should fix errors, the system disables
the user account if the user cannot log in for the above reasons.
Flags
-n |
Reports errors but does not fix them. |
-p |
Fixes errors but does not report them. |
-t |
Reports errors and asks if they should be fixed. |
-y |
Fixes errors and reports them. |
Security
Access Control: This command should grant
execute (x) access to the root user and members of the security group.
The command should be setuid to the root user and have the trusted
computing base attribute.
Files Accessed:
Mode |
File |
r |
/etc/passwd |
r |
/etc/security/user |
rw |
/etc/security/group |
rw |
/etc/group |
rw |
/etc/security/lastlog |
rw |
/etc/security/limits |
rw |
/etc/security/audit/config |
rw |
/etc/security/login.cfg |
Auditing Events:
Event |
Information |
USER_Check |
user, attribute-error, status |
Examples
- To verify that all the users exist in the user
database, and have any errors reported (but not fixed), enter:
usrck -n ALL
- To delete from the user definitions those users
who are not in the user database files, and have any errors reported, enter:
usrck -y ALL
Files
Related Information
The grpck
command, pwdck
command, sysck command.
Security
Administration in AIX Version 4.3 System Management Concepts: Operating System and Devices describes the identification
and authentication of users, discretionary access control, the trusted
computing base, and auditing.
[ Next Article |
Previous Article |
Book Contents |
Library Home |
Legal |
Search ]