secconfig(8)secconfig(8)NAME
secconfig, secsetup - Security features setup graphical interface
(Enhanced Security)
SYNOPSIS
/usr/sbin/sysman secconfig
Note
The secsetup utility has been replaced by the secconfig graphical
interface.
DESCRIPTION
The secconfig utility is a graphical interface used to select the level
of system security needed. It can convert from Base to enhanced secu‐
rity mode, and configure base and enhanced security features. If you
are using secconfig to enable Enhanced security, you must first have
loaded the enhanced security subsets.
You can run secconfig while the system is in multiuser mode. However,
if you change the security level, the change is not completed until you
reboot the system.
For both base and enhanced security, the secconfig utility allows you
to enable segment sharing, to enable access control lists (ACLs), and
to restrict the setting of the execute bit to root only.
For enhanced security, the secconfig utility additionally allows you to
configure security support from simple shadow passwords all the way to
a strict C2 level of security. Shadow password support is an easy
method for system administrators, who do not wish to use all of the
extended security features, to move each user's password out of
/etc/passwd and into the extended user profile database (auth.db. You
can use the Custom mode if you wish to select additional security fea‐
tures, such as breakin detection and evasion, automatic database trim‐
ming, and password controls.
When converting from base to enhanced security, secconfig updates the
system default database (/etc/auth/system/default) and uses the con‐
vuser utility to migrate user accounts.
While it is possible to convert user accounts from enhanced back to
base, the default encryption algorithms and supported password lengths
differ between base and enhanced security, and thus user account con‐
versions do not succeed without a password change.
Note
Because of the page table sharing mechanism used for shared libraries,
the normal file system permissions are not adequate to protect against
unauthorized reading. The secconfig interface allows you to disable
segment sharing. The change in segment sharing takes effect at the next
reboot.
FILES
/etc/auth/system/default
/etc/passwd
/tcb/files/auth.db
SEE ALSOacl(4), authcap(4), default(4), convuser(8)
Security
secconfig(8)