usrck Command

Purpose

Verifies the correctness of a user definition.

Syntax

usrck { -l [ -b ] |  -n | -p  -t  -y } { ALLUser ... }

Description

The usrck command verifies the correctness of the user definitions in the user database files, by checking the definitions for ALL the users or for the users specified by the User parameter. If more than one user is specified, there must be a space between the names. You must select a flag to indicate whether the system should try to fix erroneous attributes.

The command first checks the entries in the /etc/passwd file. If you indicate that the system should fix errors, duplicate user names are reported and disabled. Duplicate IDs are reported only, because there is no system fix. If an entry has fewer than six colon-separated fields, the entry is reported, but not fixed. The usrck command next checks specific user attributes in other files.

The usrck command verifies that each user name listed in the /etc/passwd file has a stanza in the /etc/security/user, /etc/security/limits and /etc/security/passwd files. The usrck command also verifies that each group name listed in the /etc/group file has a stanza in the /etc/security/group file. The usrck command using the -y flag creates stanzas in the security files for the missing user and group names.

Note: This command writes its messages to stderr.

A list of all the user attributes follows, with notations stating which attributes are checked:

Item Description
account_locked No check. The usrck command sets this attribute to True and disables accounts.
admgroups Checks to see if the admgroups are defined in the user database and, if you indicate that the system should fix errors, the command removes any groups that are not in the database.
auditclasses Checks to see if the auditclasses are defined for the user in the /etc/security/audit/config file. If you indicate that the system should fix errors, the command deletes all the auditclasses that are not defined in the /etc/security/audit/config file.
auth1 Checks the primary authentication method. Unless the method is NONE or SYSTEM, it must be defined in the /etc/security/login.cfg file and the program attribute must exist and be executable by the root user. If you indicate that the system should fix errors, it will disable the user account if an error is found.
Note: The auth1 attribute is deprecated and should not be used.
auth2 Checks the secondary authentication method. Unless the method is NONE or SYSTEM, it must be defined in the /etc/security/login.cfg file and the program attribute must exist and be executable by the root user. There is no system fix.
Note: The auth2 attribute is deprecated and should not be used.
core Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
core_hard Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
cpu Ensures that the values are sensible. If not, the command resets the values to 120 seconds, the minimum value.
cpu_hard Ensures that the values are sensible. If not, the command resets the values to 120 seconds, the minimum value.
data Ensures that the values are sensible. If not, the command resets the values to 1272 blocks (636K), the minimum value.
data_hard Ensures that the values are sensible. If not, the command resets the values to 1272 blocks (636K ), the minimum value.
dictionlist Checks the list of dictionary files. If you indicate that the system should fix errors, all dictionary files that do not exist are deleted from the user database.
expires No check.
fsize Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
fsize_hard Ensures that the values are sensible. If not, the command resets the values to 200 blocks, the minimum value.
gecos No check.
histexpire Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
histsize Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
home Checks the existence and accessibility of the home directory by read mode and search mode. If you indicate that the system should fix errors, it will disable the user account if an error is found.
id Checks the uniqueness of the user ID. If you indicate that the system should fix errors, the command deletes any invalid entry in the /etc/passwd file.
login No check.
loginretries Checks if the user attempted unsuccessful logins more than the allowable amount. If so, the system disables the user account.
logintimes Ensures that the string of time specifiers is valid. If you indicate that the system should fix errors, the system disables the user account if an error is found.
Item Description
maxage Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
maxexpired Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
maxrepeats Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minage Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value. The system also indicates if the minage attribute is larger than the maxage attribute.
minalpha Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
mindiff Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minlen Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value.
minother Ensures that the values are sensible. If you indicate that the system should fix errors, values that are too large are set to the largest possible value and values that are too small are set to the smallest possible value. The system also indicates if the minage attribute plus the maxage attribute is greater than the maximum password size.
name Checks the uniqueness and composition of the user name. The name must be a unique string of eight bytes or less. It cannot begin with a + (plus sign), a : (colon), a - (minus sign), or a ~ (tilde). Names beginning with a + (plus sign) or with a - (minus sign) are assumed to be names in the NIS (Network Information Service) domain, and no further processing is performed. It cannot contain a colon (:) in the string and cannot be the ALL or default keywords. If you indicate that the system should fix errors, the command disables the user account if an error is found and deletes any invalid entry in the /etc/passwd file.

The usrck command verifies that, for each user name listed in the /etc/passwd file, there is a stanza in the /etc/security/user, /etc/security/limits, and /etc/security/passwd files. The command adds stanzas for each one identified as missing. The usrck command additionally verifies that each group name listed in the /etc/group file has a stanza in the /etc/security/group file.

nofiles Ensures that the value is sensible. If not, resets the value to 200, the minimum value.
nofiles_hard Ensures that the value is sensible. If not, resets the value to 200, the minimum value.
pgrp Checks for the existence of the primary group in the user database. If you indicate that the system should fix errors, it will disable the user account if an error is found.
pwdchecks Checks the list of external password restriction methods. If you indicate that the system should fix errors, all methods that do not exist are deleted from the user database.
pwdwarntime Ensures that the value is sensible. If not, the system resets the value to the difference between the maxage and minage values.
rlogin No check.
rss Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64KB), the minimum value. The value is not set by the system.
rss_hard Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64KB), the minimum value. The value is not set by the system.
shell Checks the existence and accessibility of the shell by execute mode. If you indicate that the system should fix errors, it will disable the user account if an error is found.
stack Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64KB), the minimum value.
stack_hard Checks to ensure that the values are sensible. If not, the command resets the values to 128 blocks (64KB), the minimum value.
su No check.
sugroups Checks for the existence of the sugroups in the user database files. If you indicate that the system should fix errors, it will delete all the groups that are not in the database.
sysenv No check.
tpath Checks to ensure that the shell attribute is tagged as a trusted process if tpath=always. If you indicate that the system should fix errors, it will disable the user account if an error is found.
ttys Checks for the existence of the ttys in the user database files. If you indicate that the system should fix errors, it will delete all the ttys that do not exist from the user database.
usrenv No check.

If the fix involves disabling a user account, use the chuser command to reset the value of the account_locked attribute to False. You can use the System Management Interface Tool (SMIT) to run the chuser command by entering: 

smit chuser

The root user or a member of the security group can enable a user account again by removing the account_locked attribute or setting the account_locked attribute to False. The root user's account is not disabled by the usrck command.

Generally, the sysck command calls the usrck command as part of the verification of a trusted-system installation. If the usrck command finds any errors in the user database, the root user or a member of the security group should execute both the grpck command and the pwdck command.

The usrck command checks to see if the database management security files (/etc/passwd.nm.idx, /etc/passwd.id.idx, /etc/security/passwd.idx, and /etc/security/lastlog.idx) files are up-to-date or newer than the corresponding system security files. Please note, it is acceptable for the /etc/security/lastlog.idx to be not newer than /etc/security/lastlog. If the database management security files are out-of-date, a warning message appears indicating that the root user should run the mkpasswd command.

The usrck command checks if the specified user can log in. If the user cannot log in because of too many unsuccessful login attempts or because the password is expired, the usrck command issues a warning message indicating why the user cannot log in. If you indicate that the system should fix errors, the system disables the user account if the user cannot log in for the above reasons.

If the -l flag is specified, the usrck command scans all users or the users specified by the User parameter to determine if users can access the system. The criteria used to determine accessibility for a user are listed in the following table:
Table 1. User Accessibility Criteria
Criterion Description Cause
1 User account is locked. The user's account_locked attribute is set to true.
2 User account is expired. The user's expires attribute is set to a value (expiration time) that is expired.
3 User has too many consecutive failed login attempts. The user's unsuccessful_login_count value is greater than the user's loginretries value.
4 User has no password. The user's password field is '*' in /etc/password or /etc/security/password.
5 User is not allowed to log in for this date/time. The current date/time is not within the allowed time as defined by the user's logintimes attribute.
6 The /etc/nologin file exists. The /etc/nologin file prevents a non-root user from logging in.
7 User password is expired and only system administrator can change it. The user's password is expired and the ADMIN password flag is set.
8 User is denied login to host. The user's hostallowedlogin and hostsdeniedlogin attributes do not allow access to the current host.
9 User is denied access by applications. The user's login, rlogin, and su attributes are set to false and the rcmds attribute is set to deny. If at least one but not all of these attribute values deny authorization, the system is considered partially accessible by the user.
10 User is denied login to terminal. The user's ttys attribute does not allow access to the current terminal. The system is considered partially accessible for the user.

If the -b flag is also specified, the output consists of two fields, the user name and a 16-digit bit mask, separated by a tab. Each digit in the bit mask corresponds to a criteria in the User Accessibility Criteria table above, with criteria 1 represented by the rightmost digit. If the bit location for a criteria is set to 1, the check for this criteria failed for the user. Extra digits in the output are reserved for future use.

The following is an example of the usrck command with the -l flag: 
# usrck -l testusr1 testusr2
3001-689 The system is inaccessible to testusr1, due to the following:
         User account is locked
         User denied login to terminal.
        
3001-689 The system is inaccessible to testusr2, due to the following:
         User account is expired.
         User has too many consecutive failed login attempts.
         User denied login to host.
The following is an example of the usrck command with the -l and -b flags: 
# usrck -lb testusr1 testusr2
 testusr1       0000000000000001
 testusr2       0000000001000110

Flags

Item Description
-b Reports users who are not able to access the system and the reasons, with the reasons displayed in a bit-mask format. The -l flag must be specified if the -b flag is specified.
Note: The bit mask does not report criteria 10 (user denied login to terminal), since this cannot be considered a complete scenario when determining if a system is inaccessible to a user. Likewise, the bit mask does not report criteria 9 (User denied access by applications) if at least one but not all of the attributes' values deny authentication; this criteria is only reported when all four attribute values deny authentication.
-l Scans all users or the users specified by the User parameter to determine if the users can access the system.
-n Reports errors but does not fix them.
-p Fixes errors but does not report them.
-t Reports errors and asks if they should be fixed.
-y Fixes errors and reports them.

Exit Status

This command returns the following exit values:

Item Description
0 User definition files are appropriate.
>0 An error occurred or there is an error in one or more user definition files. The following error codes are returned:
EINVAL (22)
Invalid command-line arguments
ENOENT (2)
One or more user definition files do not exist
ENOTRUST (114)
Errors in user definitions in the database files or users unable to access the system (found by -l option)

Security

Access Control: This command should grant execute (x) access to the root user and members of the security group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode File
r /etc/passwd
r /etc/security/user
rw /etc/security/group
rw /etc/group
rw /etc/security/lastlog
rw /etc/security/limits
rw /etc/security/audit/config
rw /etc/security/login.cfg

Auditing Events:

Event Information
USER_Check user, attribute-error, status
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX® Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To verify that all the users exist in the user database, and have any errors reported (but not fixed), enter:

    usrck  -n ALL 

  2. To delete from the user definitions those users who are not in the user database files, and have any errors reported, enter:

    usrck  -y ALL  

  3. To display the list of users who are unable to access the system, enter:

    usrck -l ALL

  4. To display the list of users who are unable to access the system, in a bit mask format, enter:

    usrck -l -b ALL

Files

Item Description
/usr/bin/usrck Specifies the path of the usrck command.
/etc/passwd Contains basic user attributes.
/etc/security/user Contains the extended attributes of users.
/etc/group Contains basic group attributes.
/etc/security/group Contains the extended attributes of groups.
/etc/security/lastlog Contains the last login attributes for users.
/etc/security/limits Contains the process resource limits of users.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/login.cfg Contains configuration information.