Trace the authorizations that a command needs to run successfully.
The traceauth command records the authorizations that a command attempts to use while it runs. An authorization can be used in two ways: through the accessauths attribute, which grants access to run a specified program, and through the checkauths attribute, which a program checks before it performs a privileged operation. The traceauth command traces and reports both types of authorizations. It is used either to investigate a command before entries are added to the privileged command database, or to identify which authorizations to include when creating a role. The traceauth command runs the command specified by the Command parameter, along with the arguments given for that command.
Generally, run the traceauth command with the PV_ROOT privilege or by assuming a role that has the aix authorization, so that every attempt to use an authorization succeeds. Run this way, the traceauth command records all of the authorizations that the command specified in the Command parameter would need to run successfully without the PV_ROOT privilege or a special role. After the command specified in the Command parameter finishes, the list of used accessauths and checkauths is written to the standard output (stdout) file.
Flag | Description |
---|---|
-d | Display the output of the truss command with the authorizations that are required by the command. |
-e | Follow the exec subroutine. If the command specified by the Command parameter runs an exec subroutine, the traceauth command reports the authorizations needed so far, and then proceeds with recording the authorizations associated with the new executable file. If the file run by the exec subroutine has its setuid bit set and is not owned by root, the traceauth command cannot properly trace that file's use of authorizations. |
-f | Follow the fork subroutine. If the controlled process calls the fork subroutine, the traceauth command also reports the authorizations used by the new child process. |
-o | Write the output to the file named by the outputfile parameter instead of the standard output (stdout) file. |
Parameter | Description |
---|---|
args | Specifies the arguments for the associated command in the Command parameter. |
Command | Specifies the name of the command whose authorizations you want to trace. |
outputfile | If you do not want the output written to the standard output (stdout) file, use the -o flag and give the name of the file in which to record the authorizations as the outputfile parameter. |