SECURESYSTEM(1M)SECURESYSTEM(1M)NAMEsecuresystem - improve system security
SYNOPSIS
/usr/sysadm/privbin/securesystem
[ -l login -J java|javascript|both|none ]... [ -l login -P|-L|-D ]...
[ -r yes|no ] [ -k yes|no ] [ -s yes|no ] [ -n yes|no ]
[ -c yes|no ] [ -o yes|no ] [ -x yes|no ] [ -f yes|no ]
[ -u yes|no ] [ -w yes|no ]
DESCRIPTION
This command tries to improve the security of the system by modifying
parameters that affect the security of the system. They include disable
or enable Java and/or JavaScript for user accounts, add password, lock or
delete user accounts, remove NIS accounts, request a new password on
login to an account which has no password, lock out an account if it has
no password, use shadow password, turn off graphical login (clogin(1)),
disable the use of privilege accounts on system adminitration tools (see
PrivilegeManager(1M)), disable the display of windows of remote systems
on the local system, turn off IP forwarding in the kernel, change UMASK
to be readable and writable by owner only when a new file is created, and
turn off outbox web server.
Specifying the yes option improves the security of the system. The no
option reverse the process. There are a few things that this command
cannot reverse, that is, it does not remove user account password,
unlock, or add user accounts including the ones are deleted by the remove
NIS account option. See the UserManager(1M) if you want to perform these
functions. Another option that cannot be reversed is UMASK, it is simply
restored to a default of 002.
OPTIONS-l login Specifies the name of the account to be modified. It is needed
for the following options that deal with user accounts.
-J java|javascript|both|none
Java is to disable Java and enable JavaScript; javascript is to
disable JavaScript and enable Java; both is disable Java and
Javascript; none is to enable Java and Javascript.
-P Add a password to the specified account. The command will
prompt for the password on stdin.
-L|-D Lock or delete the specified account.
-r yes|no Yes means prompt for an initial password when logging into an
account that has no password, and no means an initial password
is not requested. The PASSREQ option in /etc/default/login is
updated. This setting is overridden by the -k yes option as
follows.
Page 1
SECURESYSTEM(1M)SECURESYSTEM(1M)-k yes|no Yes means lock out account if it has no password, and no means
accounts without password can still login. The MANDPASS option
in /etc/default/login is updated.
-s yes|no Yes means create shadow password, and no means if /etc/showdow
file exists, merge it back into /etc/passwd.
-n yes|no Yes means remove all NIS accounts from /etc/passwd. The
process can not be reversed by this command. No is accepted,
but performs no action.
-c yes|no Yes means do not display the graphical login application and no
means use it.
-o yes|no Yes means only root has the privilege to run system
administration task, and no means assigned user accounts can
run the tasks.
-x yes|no Yes means turn xhost(1) off, and no means turn it on.
-f yes|no Yes means turn off ipforwarding in the kernel, and no means
turn it on.
-u yes|no Yes means change UMASK in /etc/default/login to 022. The
original UMASK setting is not saved, so no simply restores
UMASK to a hopefully acceptable setting of 002.
-w yes|no Yes means disable Outbox Web Server, and no means enable it.
FILES
/etc/passwd User account password file
/etc/shadow User account shadow password file
/etc/default/login
Login parameters
/usr/lib/desktop/xhoston
Remote display flag
/etc/config/ns_fasttrack
Outbox web server control flag
/etc/config/visuallogin
Graphical login window control flag
SEE ALSOsysmgr(1M), UserManager(1M), PrivilegeManager(1M), clogin(1), xhost(1),
runpriv(1M).
Page 2
