/etc/nscontrol.conf File
Purpose
Contains configuration information of some name services.
Description
| Stanza Name | RBAC and Domain RBAC library subroutines |
|---|---|
| authorizations | getauthattr, getauthattrs, putauthattr, putauthattrs |
| roles | getroleattr, getroleattrs, putroleattr, putroleattrs |
| privcmds | getcmdattr, getcmdattrs, putcmdattr, putcmdattrs |
| privdevs | getdevattr, getdevattrs, putdevattr, putdevattrs |
| privfiles | getpfileattr, getpfileattrs, putpfileattr, putpfileattrs |
- efsusrkeystore
- efsgrpkeystore
- efsadmkeystore
- tsddat
- tepolicies
- auditconfig
| Item | Description |
|---|---|
| secorder | A comma-separated list of module names that
library subroutines use in searching and updating a database. The
following module names are valid:
A search operation is performed on each module in the order that is specified until a matching entry is found. A failure is returned if no match is found from all of the modules. A modification operation is performed on the first entry match. A creation operation is performed on the first module in the list only. You can override the value of the secorder attribute by calling the setsecorder subroutine in an application program, or by using the -R module option on commands that support the option. |
| databasename | Specifies the database names to consider with database operations. The databasename attribute is used for Trusted Execution Databases, such as the Trusted Signature Database and the TE policy Database. While the LDAP search operation is performed these names are used as a part of Distinguished Names (DN). |
| Item | Description |
|---|---|
| Searchorder | A comma-separated list of module names that
library subroutines use in searching and updating a database. The
following module names are valid:
A search operation is performed on each module in the order that is specified until a matching entry is found. A failure is returned if no match is found from all of the modules. A modification operation is performed on the first entry match. A creation operation is performed on the first module in the list only. You can override the value of the searchorder attribute by using the -R module option on commands that support the option. |
Files
| Item | Description |
|---|---|
| /etc/security/domains | Contains domain definitions. |
| /etc/security/domobjs | Contains domain objects and their associated security settings. |
| /etc/security/authorizations | Contains the user-defined authorizations. |
| /etc/security/roles | Contains role definitions. |
| /etc/security/privcmds | Contains privileged command names and their associated security settings. |
| /etc/security/privdevs | Contains privileged device names and their associated security settings. |
| /etc/security/privfiles | Contains authorization lists for privileged configuration files that the trvi editor can access. |
| /etc/security/tsd/tsd.dat | Contains trusted signature database. |
| /etc/security/tsd/tepolicies.dat | Contains trusted execution policies for the system. |
| /var/efs | Contains all the EFS Keystores. |
Security
This files grants read and write access to the root user. Access for other users and groups depends on the security policy for the system.
Examples
- An example of the authorizations stanza follows:
authorizations: secorder = files,LDAPThis entry states that the search for an authorization is done in the local /etc/security/authorizations database first. If no matching entry is found, further search is done in the LDAP database.
- An example of the TE Signature Database stanza follows:
tsddat: secorder = LDAP,files databasename = TSD_v1Note: In case of tsddat stanza and tepolicies stanza the secorder files, LDAP is not a valid use case. - An example of the efsusrkeystore stanza follows:
efsusrkeystore: secorder = LDAP,files