SECURESYSTEM(1M) SECURESYSTEM(1M)
NAME
securesystem - improve system security
SYNOPSIS
/usr/sysadm/privbin/securesystem [ -l <loginName> [ -j java | javascript
| both | none ][ -P | -L | -D ] ] [ -n yes ] [ -k yes|no ] [ -s yes|no ]
[ -c yes|no ] [ -o yes|no ] [ -x yes|no ] [ -f yes|no ] [ -u yes ] [ -w
yes|no ]
DESCRIPTION
This command tries to improve the security of the system by modifying
parameters that affect the security of the system. They include disable
or enable Java and/or JavScript for user accounts, add password, lock or
delete user accounts, remove NIS accounts, lock out an account if it has
no password, use shadow password, turn off graphical login (clogin(1)),
disable the use of privilege accounts on system adminitration tools (see
PrivilegeManager(1M)), disable the display of windows of remote systems
on the local system, turn off IP forwarding in the kernel, change UMASK
to be readable and writable by owner only when a new file is created, and
turn off outbox web server.
Specifying the yes option improves the security of the system. The no
option reverse the process. There are a few things that this command
cannot reverse, that is, it does not remove user account password,
unlock, or add user accounts including the ones are deleted by the remove
NIS account option. See the UserManager(1M) if you want to perform these
functions. Another option that cannot be reversed is UMASK, it cannot be
reset.
OPTIONS
-l login Specifies the name of the account to be modified. It is needed
for the following options that deal with user accounts.
-J java|javascript|both|none
Java is to disable Java and enable JavaScript; javascript is to
disable JavaScript and enable Java; both is disable Java and
Javascript; none is to enable Java and Javascript.
-P Add a password to the specified account. The command will
prompt for the password on stdin.
-L|-D Lock or delete the specified account.
-k yes|no Yes means lock out account if it has no password and no means
accounts without password can still login. The MANDPASS option
in /etc/default/login is updated.
-s yes|no Yes means create shadow password and no means if /etc/showdow
file exists, merge it back into /etc/passwd.
Page 1
SECURESYSTEM(1M) SECURESYSTEM(1M)
-n yes Yes means remove all NIS accounts from /etc/passwd and the
process can not be reversed by this command.
-c yes|no Yes means do not display the graphical login application and no
means use it.
-o yes|no Yes means only root has the privilege to run system
administration task and no means assigned user accounts can run
the tasks.
-x yes|no Yes means turn xhost(1) off and no means turn it on.
-f yes|no Yes means turn off ipforwarding in the kernel and no means turn
it on.
-u yes Yes means change UMASK in /etc/default/login to 022.
-w yes|no Yes means disable Outbox Web Server and no means enabling it.
FILES
/etc/passwd User account password file
/etc/shadow User account shadow password file
/etc/default/login
Login parameters
/usr/lib/desktop/xhoston
Remote display flag
/etc/config/ns_fasttrack
Outbox web server control flag
/etc/config/visuallogin
Graphical login window control flag
SEE ALSO
sysmgr(1M), UserManager(1M), PrivilegeManager(1M), clogin(1), xhost(1),
runpriv(1M).
Page 2