setkst Command

Purpose

Sets the entries in the kernel security tables (KST).

Syntax

setkst [ -q ] [ -b | -l | -t table1, table2,...]

Description

The setkst command reads the security databases and loads the information from the databases into the kernel security tables. By default, all of the security databases are sent to the KST. Alternatively, you can specify particular databases using the -t flag. If the authorization database is the only one you specify, the role and privileged command databases are also updated in the KST, because they depend on the authorization database.

The setkst command checks the tables before updating the KST. If any severe error is found in a database, the setkst command warns the user by writing a message to stderr and exits without resetting the KST. If a minor error is found in a database, a warning message is displayed and the entry is skipped.

The setkst command is only functional if the system is operating in enhanced Role Based Access Control (RBAC) mode. If the system is not in enhanced RBAC mode, the command displays an error message and ends.

Flags

Item Description
-b Loads the KST with the information that is stored in the backup binary file on the system. If the information in the binary file cannot be loaded, the tables are regenerated from the security databases.
-l Reads the loglevel attribute value from the syslog stanza in the /etc/secvars.cfg file and updates the loglevel attribute value in the kernel. The valid values for the loglevel attribute are all, crit, and none. Any invalid value for the loglevel attribute is ignored by the setkst command.
-q Specifies quiet mode. Warning messages that occur while the security databases are parsed are not displayed.
-t table1, table2 Sends the specified security databases to the KST. The parameter for the -t flag is a comma-separated list of security databases. Values for this flag are as follows:
    auth    Authorizations database
    role    Role database
    cmd     Privileged command database
    dev     Privileged device database
    dom     Domains
    domobj  Domain objects
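The following script is an added example and is not part of the AIX documentation or the setkst command itself. It shows two of the behaviours described above in a form a wrapper script can check before calling setkst: the dependency rule from the Description (selecting auth also reloads role and cmd), and the -l flag's reading of the loglevel attribute from the syslog stanza, where only all, crit and none are valid. The stanza layout of /etc/secvars.cfg (a `syslog:` line followed by indented `attribute = value` lines) is assumed here, and the configuration file is a constructed sample written to a temporary file so the script runs on any POSIX system without touching the real file.

```shell
#!/bin/sh
# Added example (not AIX code): pre-flight helpers for a setkst wrapper.

# Tables that setkst accepts with -t (from the Flags section of the page).
VALID_TABLES="auth role cmd dev dom domobj"

# expand_tables "auth,dev" -> "auth role cmd dev"
# Applies the documented dependency: loading auth also reloads role and cmd.
# Unknown table names make the function return 1 and print nothing.
expand_tables() {
    out=""
    for t in $(printf '%s' "$1" | tr ', ' '  '); do
        case " $VALID_TABLES " in
            *" $t "*) ;;
            *) return 1 ;;
        esac
        out="$out $t"
        [ "$t" = auth ] && out="$out role cmd"
    done
    # De-duplicate while keeping first-seen order.
    seen=""
    for t in $out; do
        case " $seen " in
            *" $t "*) ;;
            *) seen="$seen $t" ;;
        esac
    done
    printf '%s\n' "${seen# }"
}

# make_sample_cfg LEVEL -> path of a constructed secvars.cfg-style file
# (assumed stanza layout; not a copy of any real /etc/secvars.cfg).
make_sample_cfg() {
    f=$(mktemp)
    cat > "$f" <<EOF
syslog:
        loglevel = $1

other:
        loglevel = all
EOF
    printf '%s\n' "$f"
}

# read_loglevel FILE -> prints the loglevel of the syslog stanza.
# Returns 1 if the value is missing or not one of all/crit/none; setkst
# silently ignores an invalid value, so the wrapper makes it visible instead.
read_loglevel() {
    level=$(awk '
        /^[^ \t].*:[ \t]*$/ { stanza = $1; sub(/:.*/, "", stanza) }
        stanza == "syslog" && /^[ \t]*loglevel[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1")
    case "$level" in
        all|crit|none) printf '%s\n' "$level"; return 0 ;;
        *) return 1 ;;
    esac
}

# Demo run: what the wrapper would compute before invoking setkst on AIX.
cfg=$(make_sample_cfg crit)
if tables=$(expand_tables "auth,dev"); then
    echo "would run: setkst -t $(printf '%s' "$tables" | tr ' ' ',')"
fi
if level=$(read_loglevel "$cfg"); then
    echo "syslog loglevel is valid: $level (setkst -l would apply it)"
else
    echo "syslog loglevel is missing or invalid; setkst -l would ignore it" >&2
fi
rm -f "$cfg"
```

On AIX the wrapper would replace the echo with the real call, for example `setkst -t $(printf '%s' "$tables" | tr ' ' ',')`, after confirming with `lsrbac` or the system's own means that enhanced RBAC mode is enabled, since setkst exits with an error otherwise.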

Security

The setkst command is a privileged command. Only users who have the following authorization can run the command successfully.
Item Description
aix.security.kst.set Required to run the command.

Files Accessed

File Mode
/etc/security/authorizations r
/etc/security/privcmds r
/etc/security/privdevs r
/etc/security/roles r
/etc/security/domains r
/etc/security/domobjs r
/etc/secvars.cfg r

Examples

  1. To send all of the security databases to the KST, enter the following command:
    setkst
  2. To send the role and privileged command databases to the KST, enter the following command:
    setkst -t role,cmd
  3. To send the domain object and domain databases to the KST, enter the following command:
    setkst -t domobj,dom