[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 5

usrck Command

Purpose

Verifies the correctness of a user definition.

Syntax

usrck -n | -p  -t  -y } { ALLUser ... }

Description

The usrck command verifies the correctness of the user definitions in the user database files, by checking the definitions for ALL the users or for the users specified by the User parameter. If more than one user is specified, there must be a space between the names. You must select a flag to indicate whether the system should try to fix erroneous attributes.

The command first checks the entries in the /etc/passwd file. If you indicate that the system should fix errors, duplicate user names are reported and removed. Duplicate IDs are reported only, because there is no system fix. If an entry has fewer than six colon-separated fields, the entry is reported, but not fixed. The usrck command next checks specific user attributes in other files.

The usrck command verifies that each user name listed in the /etc/passwd file has a stanza in the /etc/security/user, /etc/security/limits and /etc/security/passwd files. The usrck command also verifies that each group name listed in the /etc/group file has a stanza in the /etc/security/group file. The usrck command using the -y flag creates stanzas in the security files for the missing user and group names.

Note
This command writes its messages to stderr.

A list of all the user attributes follows, with notations stating which attributes are checked:

account_locked No check. The usrck command sets this attribute to True and disables accounts.
admgroups Checks to see if the admgroups are defined in the user database and, if you indicate that the system should fix errors, the command removes any groups that are not in the database.
auditclasses Checks to see if the auditclasses are defined for the user in the /etc/security/audit/config file. If you indicate that the system should fix errors, the command deletes all the auditclasses that are not defined in the /etc/security/audit/config file.
auth1 Checks the primary authentication method. Unless the method is NONE or SYSTEM, it must be defined in the /etc/security/login.cfg file and the program attribute must exist and be executable by the root user. If you indicate that the system should fix errors, it will disable the user account if an error is found.
auth2 Checks the secondary authentication method. Unless the method is NONE or SYSTEM, it must be defined in the /etc/security/login.cfg file and the program attribute must exist and be executable by the root user. There is no system fix.
core Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
core_hard Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
cpu Ensures that the values are sensible. If not, the command resets the values to 120 seconds, the minimum value.
cpu_hard Ensures that the values are sensible. If not, the command resets the values to 120 seconds, the minimum value.
data Ensures that the values are sensible. If not, the command resets the values to 1272 blocks (636K), the minimum value.
data_hard Ensures that the values are sensible. If not, the command resets the values to 1272 blocks (636K ), the minimum value.
dictionlist Checks the list of dictionary files. If you indicate that the system should fix errors, all dictionary files that do not exist are deleted from the user database.
expires No check.
fsize Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
fsize_hard Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
gecos No check.
histexpire Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
histsize Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
home Checks the existence and accessibility of the home directory by read mode and search mode. If you indicate that the system should fix errors, it will disable the user account if an error is found.
id Checks the uniqueness of the user ID. If you indicate that the system should fix errors, the command deletes any invalid entry in the /etc/passwd file.
login No check.
loginretries Checks if the user attempted unsuccessful logins more than the allowable amount. If so, the system disables the user account.
logintimes Ensures that the string of time specifiers is valid. If you indicate that the system should fix errors, the system disables the user account if an error is found.
maxage Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
maxexpired Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
maxrepeats Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minage Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value. The system also indicates if the minage attribute is larger than the maxage attribute.
minalpha Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
mindiff Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minlen Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minother Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value. The system also indicates if the minage attribute plus the maxage attribute is greater than the maximum password size.
name Checks the uniqueness and composition of the user name. The name must be a unique string of eight bytes or less. It cannot begin with a + (plus sign), a : (colon), a - (minus sign), or a ~ (tilde). Names beginning with a + (plus sign) or with a - (minus sign) are assumed to be names in the NIS (Network Information Service) domain, and no further processing is performed. It cannot contain a colon (:) in the string and cannot be the ALL or default keywords. If you indicate that the system should fix errors, the command disables the user account if an error is found and deletes any invalid entry in the /etc/passwd file.

The usrck command verifies that, for each user name listed in the /etc/passwd file, there is a stanza in the /etc/security/user, /etc/security/limits, and /etc/security/passwd files. The command adds stanzas for each one identified as missing. The usrck command additionally verifies that each group name listed in the /etc/group file has a stanza in the /etc/security/group file.

nofiles Ensures that the value is sensible. If not, resets the value to 200, the minimum value.
nofiles_hard Ensures that the value is sensible. If not, resets the value to 200, the minimum value.
pgrp Checks for the existence of the primary group in the user database. If you indicate that the system should fix errors, it will disable the user account if an error is found.
pwdchecks Checks the list of external password restriction methods. If you indicate that the system should fix errors, all methods that do not exist are deleted from the user database.
pwdwarntime Ensures that the value is sensible. If not, the system resets the value to the difference between the maxage and minage values.
rlogin No check.
rss Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64K), the minimum value.
rss_hard Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64K), the minimum value.
shell Checks the existence and accessibility of the shell by execute mode. If you indicate that the system should fix errors, it will disable the user account if an error is found.
stack Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64K), the minimum value.
stack_hard Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64K), the minimum value.
su No check.
sugroups Checks for the existence of the sugroups in the user database files. If you indicate that the system should fix errors, it will delete all the groups that are not in the database.
sysenv No check.
tpath Checks to ensure that the shell attribute is tagged as a trusted process if tpath=always. If you indicate that the system should fix errors, it will disable the user account if an error is found.
ttys Checks for the existence of the ttys in the user database files. If you indicate that the system should fix errors, it will delete all the ttys that do not exist from the user database.
usrenv No check.

If the fix involves disabling a user account, use the chuser command to reset the value of the account_locked attribute to False. You can use the System Management Interface Tool (SMIT) to run the chuser command by entering:

smit chuser

The root user or a member of the security group can enable a user account again by removing the account_locked attribute or setting the account_locked attribute to False. The root user's account is not disabled by the usrck command.

Generally, the sysck command calls the usrck command as part of the verification of a trusted-system installation. If the usrck command finds any errors in the user database, the root user or a member of the security group should execute both the grpck command and the pwdck command.

The usrck command checks to see if the database management security files (/etc/passwd.nm.idx, /etc/passwd.id.idx, /etc/security/passwd.idx, and /etc/security/lastlog.idx) files are up-to-date or newer than the corresponding system security files. Please note, it is all right for the /etc/security/lastlog.idx to be not newer than /etc/security/lastlog. If the database management security files are out-of-date, a warning message appears indicating that the root user should run the mkpasswd command.

The usrck command checks if the specified user can log in. If the user cannot log in because of too many unsuccessful login attempts or because the password is expired, the usrck command issues a warning message indicating why the user cannot log in. If you indicate that the system should fix errors, the system disables the user account if the user cannot log in for the above reasons.

Flags

-n Reports errors but does not fix them.
-p Fixes errors but does not report them.
-t Reports errors and asks if they should be fixed.
-y Fixes errors and reports them.

Security

Access Control: This command should grant execute (x) access to the root user and members of the security group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode File
r /etc/passwd
r /etc/security/user
rw /etc/security/group
rw /etc/group
rw /etc/security/lastlog
rw /etc/security/limits
rw /etc/security/audit/config
rw /etc/security/login.cfg

Auditing Events:

Event Information
USER_Check user, attribute-error, status

Examples

  1. To verify that all the users exist in the user database, and have any errors reported (but not fixed), enter:
    usrck  -n ALL 
  2. To delete from the user definitions those users who are not in the user database files, and have any errors reported, enter:
    usrck  -y ALL  

Files

/usr/bin/usrck Specifies the path of the usrck command.
/etc/passwd Contains basic user attributes.
/etc/security/user Contains the extended attributes of users.
/etc/group Contains basic group attributes.
/etc/security/group Contains the extended attributes of groups.
/etc/security/lastlog Contains the last login attributes for users.
/etc/security/limits Contains the process resource limits of users.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/login.cfg Contains configuration information.

Related Information

The grpck command, pwdck command, sysck command.

Security Administration in AIX 5L Version 5.2 Security Guide describes the identification and authentication of users, discretionary access control, the trusted computing base, and auditing.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]