lssec Command

Purpose

Lists attributes in the security stanza files.

Syntax

lssec [ -c ] [ -f File ] [ -s Stanza ] [ -a Attribute ... ]

Description

The lssec command lists attributes stored in the security configuration stanza files. The following security configuration files contain attributes that you can specify with the Attribute parameter:

/etc/security/environ
/etc/security/group
/etc/security/audit/hosts
/etc/security/lastlog
/etc/security/limits
/etc/security/login.cfg
/usr/lib/security/mkuser.default
/etc/nscontrol.conf
/etc/security/passwd
/etc/security/portlog
/etc/security/pwdalg.cfg
/etc/security/roles
/etc/security/smitacl.user
/etc/security/smitacl.group
/etc/security/user
/etc/security/user.roles
/etc/security/rtc/rtcd_policy.conf

When listing attributes in the /etc/security/environ, /etc/security/lastlog, /etc/security/limits, /etc/security/passwd, and /etc/security/user files, the stanza name specified by the Stanza parameter must be either a valid user name or default. When listing attributes in the /etc/security/group file, the stanza name specified by the Stanza parameter must be either a valid group name or default. When listing attributes in the /usr/lib/security/mkuser.default file, the Stanza parameter must be either admin or user. When listing attributes in the /etc/security/portlog file, the Stanza parameter must be a valid port name. When listing attributes in the /etc/security/login.cfg file, the Stanza parameter must be either a valid port name, a method name, or the usw attribute.

You cannot list the password attribute of the /etc/security/passwd file with the lssec command.

Only the root user or a user with PasswdAdmin authorization can list the lastupdate and flags attributes for administrative users.

Flags

Item	Description
-c	Specifies that the output should be in colon-separated format.
-f File	Specifies the name of the stanza file to list.
-s Stanza	Specifies the name of the stanza to list.
-a Attribute	Specifies the attribute to list.

Security

Access Control: This command grants execute access only to the root user and the security group. The command has the trusted computing base attribute and runs the setuid subroutine for the root user to access the security databases.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX® Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

To get the full functionality of the command, besides the accessauths, the role should also have the aix.security authorization.

On a Trusted AIX system, only users with authorization aix.mls.clear.read can list clearance attributes of other users. Only users with authorization aix.mls.tty.read can list port attributes.

Files Accessed:

Mode	File
r	/etc/security/environ
r	/etc/security/group
r	/etc/security/audit/hosts
r	/etc/security/lastlog
r	/etc/security/limits
r	/etc/security/login.cfg
r	/usr/lib/security/mkuser.default
r	/etc/nscontrol.conf
r	/etc/security/passwd
r	/etc/security/portlog
r	/etc/security/pwdalg.cfg
r	/etc/security/roles
r	/etc/security/smitacl.user
r	/etc/security/smitacl.group
r	/etc/security/user
r	/etc/security/user.roles
r	/etc/security/domains
rw	/etc/security/rtc/rtcd_policy.conf

Examples

To list the number of unsuccessful login attempts by the root user since the last successful login of the root user, enter:
```
lssec -f /etc/security/lastlog -s root -a unsuccessful_login_count
```
The system displays the result as follows:
```
root unsuccessful_login_count=15
```
To list the times that logins are allowed on the /dev/tty2 port, enter:
```
lssec -f /etc/security/login.cfg -s /dev/tty2 -a logintimes
```
The system displays the result as follows:
```
/dev/tty0 logintimes=!january1,!july4,!december25
```
To list the default setting for the tpath attribute and the ttys attribute in colon format,

enter:

lssec -c -f /etc/security/user -s default -a tpath -a ttys

The system displays the result as follows:

#name:tpath:ttys
default:nosak:ALL

Files

Item	Description
/usr/bin/lssec	Specifies the path to the lssec command.
/etc/security/environ	Contains the environment attributes of users.
/etc/security/group	Contains extended attributes of groups.
/etc/security/audit/hosts	Contains host and processor IDs.
/etc/security/lastlog	Defines the last login attributes for users.
/etc/security/limits	Defines resource quotas and limits for each user.
/etc/security/login.cfg	Contains port configuration information.
/usr/lib/security/mkuser.default	Contains the defaults values for new users.
/etc/nscontrol.conf	Contains configuration information of some name services.
/etc/security/passwd	Contains password information.
/etc/security/portlog	Contains unsuccessful login attempt information for each port.
/etc/security/pwdalg.cfg	Contains configuration information for loadable password algorithms (LPA).
/etc/security/roles	Contains a list of valid roles.
/etc/security/smitacl.user	Contains user ACL definitions.
/etc/security/smitacl.group	Contains group ACL definitions.
/etc/security/user	Contains the extended attributes of users.
/etc/security/user.roles	Contains a list of roles for each user.
/etc/security/enc/LabelEncodings	Contains label definitions for the Trusted AIX system.
/etc/security/domains	Contains the valid domain definitions for the system.
/etc/security/rtc/rtcd_policy.conf	Contains configuration information for the rtcd daemon