RHOST(1M)RHOST(1M)NAMErhost - set the attributes of remote hosts and networks.
SYNOPSIS
/usr/etc/rhost [-l <lookup_host>] [-f <cfile>] [-r <remote>] [-k ] [-n ]
[-d ]
DESCRIPTION
On systems with TSIX networking enabled, the kernel uses an internal
lookup table, called the internal Remote Host Database (RHDB), to enforce
per host security policy. The rhost command loads the RHDB with the
attributes of remote hosts and networks, specified in /etc/rhost.conf.
Options
-l <lookup_host>
The -l option will check the RHDB for a host name and, if
it exists, will display the host's attributes.
-f <cfile> /etc/rhost.conf is the default file used to create the
RHDB. Use the -f option to use an alternative
configuration file. When using a different file other
then the default, make sure it has the appropriate
security policies.
-r <remote> The -r option is defined, but not used.
-k The -k option is used to list all recognized attributes.
-n The -n option checks the RHDB file only.
-d The -d option gives some debug information.
-v The -v option turns on verbose mode.
The /etc/rhost.conf file consists, minimally, of a series of host
attribute profile assignments of the form:
<name>: = <attribute> = <value>: [<attribute> = <value>:]
Newline characters within a host attribute profile must be escaped. It
is usually most convenient to specify a series of commonly used profiles
as templates, then use the templates to assign the profiles to specific
hosts. A template looks exactly like a host profile assignment, except
that one of the attribute-value pairs is default_spec = .:, for example:
default_cipso: \
smm_type = single_level: \
nlm_type = cipso: \
default_spec = .:
Page 1
RHOST(1M)RHOST(1M)
Either host names or IP addresses may be used to specify hosts. If
a host name is used, an entry for that host must appear in the local
/etc/hosts file, as rhost is run before network information services
(NIS) are available.
For IP version 4 addresses, a wildcard IP address, that is, an
address with zeros in some slots, may be used to specify a range of
IP addresses. For example,
128.01.01.0:
128.01.0.0:
128.0.0.0:
0.0.0.0:
are valid host specifications. When rhost resolves IPv4 addresses,
it first looks for a complete address, followed by a wildcard with
one zero byte, and so forth. This allows the administrator to
specify, for example:
0.0.0.0: The whole world is untrusted
128.01.01.0: Except this network, which speaks CIPSO
128.01.01.01: Except this host, which is TSIX.
IP version 6 addresses must be quoted because the configuration file
uses ':' as a token delimiter, for example:
"1234:5678:90ab:cdef:1234:5678:90ab:cdef":
An address of all zeroes may be used as a wildcard that will match
all hosts:
"0:0:0:0:0:0:0:0":
When rhost resolves IPv6 addresses, it first looks for an exact host
match, followed by the wildcard address.
A sample copy of /etc/rhost.conf has been provided on your system.
The file begins with a series of templates, including default_cipso
and default_sgipso. These templates are used later in the file to
assign profiles to specific hosts for example:
localhost: default_spec = default_cipso:
The following attributes are recognized:
host_type
The host_type attribute value will be printed when the RHDB is
loaded.
smm_type
Session Manager IDs. Identifies the protocol used to
communicate with a host. Acceptable values are msix, msix_1.0,
Page 2
RHOST(1M)RHOST(1M)
msix_2.0, tsix, tsix_1.0, tsix_1.1, none and single_level.
Other values are ignored. For more information, see
trusted_networking(7m).
nlm_type
IP Security Options. Acceptable Trusted IRIX values are cipso,
cipso_tt1, cipso_tt2, ripso_bso, ripso_bso_tx, ripso_bso_rx,
ripso_eso, sgipso, sgipso_nouid, sgipso_spcl, sgipso_loop, none
and unlabeled. Other values are ignored. For more
information, see trusted_networking(7m).
ipsec
This attribute is recognized but not implemented.
default_spec
Indicates that this is a template.
cache_size
Sets the RHDB cache size.
min_sl
Minimum sensitivity label.
max_sl
Maximum sensitivity label.
min_integ
Minimum integrity label.
max_integ
Maximum integrity label.
def_sl
Default sensitivity label.
def_integ
Default integrity label.
def_ilb
Information label. Ignored.
def_clearance
Default clearance.
def_uid
Default user ID.
def_luid
Default login/audit ID.
Page 3
RHOST(1M)RHOST(1M)
def_sid
Default session ID.
def_gid
Default group ID.
def_ngrps
Default group ID count.
def_gids
Default group ID list.
def_audit
Default login/audit ID.
def_privs
Default privileges.
max_privs
Maximum privileges.
vendor
Enable vendor specific compatibility. Acceptable values are
sun, hewlett-packard, hp, ibm, cray, dg, harris and unknown.
doi Domain of Interpretation. This attribute is recognized but not
implemented. Under Trusted IRIX/CMW only a DOI of 3 is
supported.
flags
Indicates which attributes are mandatory on packets received
from a host. The following values are recognized: import,
export, deny_access, mand_sl, mand_integ, mand_ilb, mand_privs,
mand_luid, mand_ids, mand_sid, mand_pid, mand_clearance,
trace_rcv_pkt, trace_xmt_pkt, trace_rcv_att and trace_xmt_att.
Page 4
