setsecconf Command

Purpose

Loads the system security flag settings into the kernel.

Syntax

setsecconf { -c | -o } [ Attribute = Value ... ]

Description

The setsecconf command loads the system security flag settings into the kernel. If you specify any attributes, their values are also stored and reapplied when the system is restarted. The command can set the flags for either the CONFIGURATION mode (-c) or the OPERATIONAL mode (-o), but the flags can be changed only while the system is running in CONFIGURATION mode.

Flags

  -c    Specifies the CONFIGURATION mode.
  -o    Specifies the OPERATIONAL mode.

Parameters

  Attribute    One of the following system security flags:

      root       Specifies whether the root user can log in to the system. If enabled, the root user can log in; if disabled, the root user cannot. The value of this flag cannot be changed on Trusted AIX® systems. For more information, see the "Disabling the root user" topic.

      tnet       Specifies whether the trusted network (Advanced Security Network) is enabled. If enabled, all data packets are labeled.

      tlwrite    Specifies whether write access checks on integrity labels (TLs) are enforced. If enabled, TLs are checked on write, remove, and rename operations. If disabled, TLs can be set but are ignored in write access checks.

      tlread     Specifies whether read access checks on integrity labels (TLs) are enforced. If enabled, TLs are checked on read operations. If disabled, TLs can be set but are ignored in read access checks.

      traceauth  Specifies whether authorization tracing is enabled. If enabled, the authorizations that a process uses are traced and recorded in the process credential; the lssecattr command displays the authorizations that were used. If disabled, no authorizations are traced. This flag is disabled by default and is meaningful only in OPERATIONAL mode.

      sl         Specifies whether Mandatory Access Control (MAC) is enforced. If enabled, sensitivity labels (SLs) are used in access decisions. If disabled, SLs can be configured but are not used to determine access to files and other objects.

      tlib       Specifies whether the Trusted Computing Base (TCB) is recognized and enforced. If enabled, the TCB flag on file system objects is recognized and enforced. If disabled, the TCB flag is ignored and all objects are treated as non-TCB objects.

  Value        Either enable or disable.

Security

The setsecconf command is a privileged command. Only users who have the following authorization can run the command successfully:

  aix.mls.system.config.write    Required to set the system configuration flags.

Exit Status

The setsecconf command returns the following exit values:

  0     Successful completion.
  >0    An error occurred.

Examples

  1. To turn on the trusted network flag and turn off the integrity read flag for the CONFIGURATION mode, enter the following command:
    setsecconf -c tnet=enable tlread=disable
  2. To turn on the integrity write flag for the OPERATIONAL mode, enter the following command:
    setsecconf -o tlwrite=enable
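The following wrapper is an added example, not part of the AIX documentation or of the setsecconf command itself. It checks every Attribute=Value argument against the attribute names and values listed under Parameters before invoking the command, so a misspelled flag such as tlwrte=enable or a value such as on is rejected up front rather than relying on the command's own error handling. It assumes the command is installed at /usr/sbin/setsecconf and returns a non-zero exit status on error, as stated above; the SETSECCONF variable and the fake_setsecconf helper name are assumptions introduced here so the wrapper can be dry-run without a Trusted AIX system.

```shell
#!/bin/sh
# Added example: validating wrapper around setsecconf (not AIX's own code).
# Assumption: /usr/sbin/setsecconf exists and exits non-zero on error.
# Override SETSECCONF (for example with a function that echoes its arguments)
# to dry-run the wrapper on a host without Trusted AIX.
SETSECCONF=${SETSECCONF:-/usr/sbin/setsecconf}

# Attribute names documented for setsecconf; values are enable or disable.
VALID_ATTRS="root tnet tlwrite tlread traceauth sl tlib"

# validate_pair ATTR=VALUE
# Returns 0 when ATTR is a documented flag and VALUE is enable or disable,
# otherwise prints a diagnostic on stderr and returns 1.
validate_pair() {
    pair=$1
    case $pair in
        *=*) ;;
        *) echo "bad argument (expected Attribute=Value): $pair" >&2; return 1 ;;
    esac
    attr=${pair%%=*}
    val=${pair#*=}
    found=0
    for a in $VALID_ATTRS; do
        [ "$a" = "$attr" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "unknown attribute: $attr" >&2
        return 1
    fi
    case $val in
        enable|disable) ;;
        *) echo "bad value for $attr (expected enable or disable): $val" >&2; return 1 ;;
    esac
    return 0
}

# set_secconf MODE ATTR=VALUE...
# MODE is c (CONFIGURATION) or o (OPERATIONAL). Every pair is validated
# before anything is passed to setsecconf; returns 2 on a usage error and
# otherwise the exit status of setsecconf itself (0 on success, >0 on error).
set_secconf() {
    mode=$1
    shift
    case $mode in
        c|o) ;;
        *) echo "mode must be c (CONFIGURATION) or o (OPERATIONAL): $mode" >&2; return 2 ;;
    esac
    if [ $# -eq 0 ]; then
        echo "no Attribute=Value pairs given" >&2
        return 2
    fi
    for p in "$@"; do
        validate_pair "$p" || return 2
    done
    "$SETSECCONF" "-$mode" "$@"
}

# Usage on a Trusted AIX system (requires aix.mls.system.config.write):
#   set_secconf c tnet=enable tlread=disable
#   set_secconf o tlwrite=enable
```

Because the flags can only be changed while the system is in CONFIGURATION mode, a non-zero status from set_secconf after validation has passed usually means the call was made in the wrong mode or without the aix.mls.system.config.write authorization; the wrapper surfaces that status unchanged so a calling script can act on it.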

Files

  /usr/sbin/setsecconf    Contains the setsecconf command.