aliasck(1M) DG/UX B2 Security R4.12MU02 aliasck(1M)
NAME
aliasck - check aliases
SYNOPSIS
aliasck [-q] -a [alias-string]
aliasck [-q] -l [alias-string]
aliasck [-q] -m [alias-string]
aliasck [-q] -c [-f file] [alias-string]
aliasck [-q] -c [-f file] [-s flagspec alias-string]
where:
alias-string   An audit alias, capability alias, location and timeset
               alias, or MAC label alias to be checked against the
               indicated alias definition database
file           The pathname of a capability alias definition file
flagspec       One or more capability set flags:
               b     Bounding capability set
               e     Effective capability set
               i     Inheritable capability set
               p     Permitted capability set
               r     Required capability set
               all   All of the above
DESCRIPTION
The aliasck command validates alias definitions. The -a option
specifies that audit aliases be checked, the -l option specifies that
location and timeset aliases be checked, and the -m option specifies
that MAC aliases be checked. The -c option specifies that capability
aliases be checked.
The aliasck -a command checks the contents of the audit alias
database for errors. If an optional alias-string is given, it will
also check this alias against the audit alias database to see if it
is defined and valid.
The aliasck -l command checks the contents of the location and
timeset (loctime) alias database for errors. If an optional
alias-string is given, it will also check this string against the
loctime alias database.
The aliasck -m command checks the contents of the MAC alias database
for errors. If an optional alias-string is given, it will also check
that this string is a valid MAC label alias or MAC label definition
in the MAC alias database.
The aliasck -c command checks the contents of the capability alias
database for errors. If an optional -f file is given, it will use
this file as the location of the capability alias database. If an
optional alias-string is given, it will also check that this string
is a valid capability alias definition in the capability alias
database. If an optional -s flagspec alias-string is given, aliasck
will check that all sets specified in flagspec are found in the
capability state represented by alias-string and that the following
subset relationships between the sets present are met:
    The effective set is a subset of the permitted set.
    The permitted set is a subset of the bounding set.
    The inheritable set is a subset of the bounding set.
For all options, if the -q option is given, the program will do its
work silently. In this case, no error message will be written, but
the exit code will be set appropriately.
The user must have appropriate privilege to invoke this command.
For details of alias syntax, see auditaliasdefs(4M),
capaliasdefs(4M), loctimealiasdefs(4M), macaliasdefs(4M), and
maclabeldefs(4M).
EXAMPLES
# aliasck -a
In file /etc/tcb/audit/auditaliasdefs:
(CHDIR,LINK,MKDIR,UMLINK):ALL
^
unknown class/alias name
# aliasck -a foo
Invalid audit mask:
foo
^
Unknown alias
# aliasck -c -s bpe "(b:none;p:all;e:all)"
The permitted set is not a subset of the bounding set.
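The -s subset rules from DESCRIPTION, modeled as an added Python example (not DG/UX code and not part of the original manual page). The "(flag:value;...)" parsing is inferred from the single example above; the capability names, the wording of the "missing set" message, and reporting every violation instead of stopping at the first are assumptions.

```python
# Added illustration: a model of the `aliasck -c -s` subset rules, not DG/UX code.
# ASSUMPTIONS: the "(flag:value;...)" syntax is inferred from the one example on
# this page; the capability names below are hypothetical placeholders.
UNIVERSE = frozenset({"CAP_A", "CAP_B", "CAP_C"})
FLAGS = {"b": "bounding", "e": "effective", "i": "inheritable",
         "p": "permitted", "r": "required"}
# (subset, superset) pairs from the DESCRIPTION section.
RULES = [("e", "p"), ("p", "b"), ("i", "b")]


def parse_state(text):
    """Turn '(b:none;p:all;e:CAP_A,CAP_B)' into {flag: frozenset of names}."""
    text = text.strip()
    if len(text) < 2 or text[0] != "(" or text[-1] != ")":
        raise ValueError("bad syntax")
    state = {}
    for field in text[1:-1].split(";"):
        flag, sep, value = (part.strip() for part in field.partition(":"))
        if not sep or flag not in FLAGS or flag in state:
            raise ValueError("bad syntax")
        if value == "all":
            caps = UNIVERSE
        elif value == "none":
            caps = frozenset()
        else:
            caps = frozenset(name.strip() for name in value.split(","))
            if not caps <= UNIVERSE:
                raise ValueError("unknown capability name")
        state[flag] = caps
    return state


def check_sets(flagspec, alias_string):
    """Return every violated rule (the real tool stops at the first error)."""
    state = parse_state(alias_string)
    wanted = sorted(FLAGS) if flagspec == "all" else sorted(set(flagspec))
    if any(flag not in FLAGS for flag in wanted):
        raise ValueError("bad flagspec")
    # Message wording for a missing set is constructed, not aliasck output.
    errors = [f"The {FLAGS[f]} set is missing." for f in wanted if f not in state]
    for sub, sup in RULES:
        if sub in state and sup in state and not state[sub] <= state[sup]:
            errors.append(f"The {FLAGS[sub]} set is not a subset of "
                          f"the {FLAGS[sup]} set.")
    return errors


if __name__ == "__main__":
    print(check_sets("bpe", "(b:none;p:all;e:all)"))
```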
FILES
/etc/tcb/audit/auditmaskdefs    File of basic aliases for classes
                                and reasons.
/etc/tcb/audit/auditaliasdefs   File defining additional
                                site-specific audit aliases.
/etc/tcb/aa/loctimenamedefs     File of basic aliases for locations
                                and timesets.
/etc/tcb/aa/loctimealiasdefs    File defining additional
                                site-specific loctime aliases.
/etc/tcb/cap/capaliasdefs       File defining capability aliases.
/etc/tcb/mac/maclabeldefs       File of basic aliases for MAC
                                hierarchies and categories.
/etc/tcb/mac/macaliasdefs       File defining additional
                                site-specific MAC aliases.
DIAGNOSTICS
Exit status is 0 if successful, 1 on error.
The following alias errors are detected:
Alias parsing errors:
    name too long
    unknown class/alias name (audit)
    unknown location/alias name (loctime)
    unknown hierarchy/alias name (MAC)
    unknown reason name (audit)
    unknown timeset name (loctime)
    unknown category name (MAC)
    addition/subtraction of incomplete masks
    addition of incomplete loctimes
    bad syntax
    internal errors (not user errors)
        bad parse state encountered
        reason found in class tree (audit)
        class found in reason tree (audit)
        timeset found in location tree (audit)
        location found in timeset tree (audit)
        hierarchy found in category tree (MAC)
        category found in hierarchy tree (MAC)
Alias name errors:
    duplicate name
    duplicate abbreviation
Audit mask/loctime name definition file errors:
    can't open audit_mask_defs file (audit)
    can't open loctime_name_defs file (loctime)
    can't open mac_label_defs file (MAC)
    *Reason line missing (must be first section) (audit)
    bad reason line format (must be alphanum alphanum decimal) (audit)
    *Class line missing (must be second section) (audit)
    bad class line format (must be alphanum alphanum decimal) (audit)
    *Timeset line missing (must be first section) (loctime)
    bad timeset line format (loctime)
    *Location line missing (must be second section) (loctime)
    bad location line format (loctime)
    *hierarchy line missing (must be first section) (MAC)
    bad hierarchy line format (must be alphanum alphanum decimal) (MAC)
    *category line missing (must be second section) (MAC)
    bad category line format (must be alphanum alphanum decimal) (MAC)
    bad *line encountered (if third one exists, must be *General)
    extra *line encountered (only 3 above allowed)
    bad alias def line (must be 2 alphanums & char string)
Alias definition file errors:
    can't open audit_alias_defs file (audit)
    can't open loctime_alias_defs file (loctime)
    can't open mac_alias_defs file (MAC)
    *line found - invalid in this file
    bad alias def line (must be 2 alphanums & char string)
    Error reading system alias database (capability)
    Error reading alias file (capability)
General errors:
    not enough memory
    null alias-string
    incomplete alias
When an error is detected, an appropriate error message is written to
the standard output (without the -q option). If the error is a parse
error relating to a particular alias definition, the offending
definition is displayed with a pointer to the position where the
error was found. The program will stop at the first error detected.
SEE ALSO
audadmin(1M), authck(1M), macd(1M), auditaliasdefs(4M),
auditmaskdefs(4M), capaliasdefs(4M), loctimealiasdefs(4M),
loctimenamedefs(4M), macaliasdefs(4M), maclabeldefs(4M).
NOTES
The program stops at the first detected error. It may need to be
executed again after each error is corrected to completely check the
alias databases.
Licensed material--property of copyright holder(s)