setkst Command

Purpose

Sets the entries in the kernel security tables (KST).

Syntax

setkst [ -q ] [ -b | -l | -t table1, table2,...]

Description

The setkst command reads the security databases and loads the information from the databases into the kernel security tables. By default, all of the security databases are sent to the KST. Alternatively, you can specify a specific database using the -t flag. If only the authorization database is the only one you specified, the role and privileged command databases are updated in the KST because they are dependent on the authorization database.

The setkst command checks the tables before updating the KST. If any severe error in the database is found, the setkst command warns the user by sending message to the stderr, and exits without resetting the KST. If a minor error is found in the database, a warning message is displayed, and the entry is skipped.

The setkst command is only functional if the system is operating in enhanced Role Based Access Control (RBAC) mode. If the system is not in enhanced RBAC mode, the command displays an error message and ends.

Flags

Item	Description
-b	Loads the KST with the information that is stored in the backup binary file on the system. If information in the binary file cannot be loaded, the tables are regenerated from the security databases.
-l	Reads the `loglevel` attribute value from the `syslog` stanza in the `/etc/secvars.cfg` file and updates the `loglevel` attribute value to the kernel. The valid values for the `loglevel` attribute are as follows: `all`, `crit`, and `none`. Any invalid value for the `loglevel` attribute are ignored by the `setkst` command.
-q	Specifies quiet mode. Warning messages that occur are not displayed when the security databases are parsed.
-t table1, table2	Sends the specified security databases to the KST. The parameter for the -t flag is a comma-separated list of security databases. Values for this flag are as follows: auth Authorizations database role Role database cmd Privileged command database dev Privileged device database dom Domains domobj Domain objects

Security

The setkst command is a privileged command. Only users that have the following authorization can run the command successfully.

Item	Description
aix.security.kst.set	Required to run the command.

Files Accessed

File	Mode
/etc/security/authorizations	r
/etc/security/privcmds	r
/etc/security/privdevs	r
/etc/security/roles	r
/etc/security/domains	r
/etc/security/domobjs	r
/etc/secvars.cfg	r

Examples

To send all of the security databases to the KST, enter the following command:
```
setkst
```
To send the role and privileged command databases to the KST, enter the following command:
```
setkst -t role,cmd
```
To send the domain object and domain databases to the KST, enter the following command:
```
setkst -t domobj,dom
```