IRIX Base Documentation 2002 November

home *** CD-ROM | disk | FTP | other *** search

/ IRIX Base Documentation 2002 November / SGI IRIX Base Documentation 2002 November.iso / usr / share / catman / a_man / cat1 / rhost.z / rhost

Wrap

Text File | 2002-10-03 | 8.3 KB | 265 lines

RRRRHHHHOOOOSSSSTTTT((((1111MMMM)))) RRRRHHHHOOOOSSSSTTTT((((1111MMMM)))) NNNNAAAAMMMMEEEE rhost - set the attributes of remote hosts and networks. SSSSYYYYNNNNOOOOPPPPSSSSIIIISSSS ////uuuussssrrrr////eeeettttcccc////rrrrhhhhoooosssstttt [----llll <_l_o_o_k_u_p__h_o_s_t>] [----ffff <_c_f_i_l_e>] [----rrrr <_r_e_m_o_t_e>] [----kkkk ]]]] [----nnnn ]]]] [----dddd ]]]] DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN On systems with TSIX networking enabled, the kernel uses an internal lookup table, called the internal Remote Host Database (RHDB), to enforce per host security policy. The rhost command loads the RHDB with the attributes of remote hosts and networks, specified in /_e_t_c/_r_h_o_s_t._c_o_n_f. OOOOppppttttiiiioooonnnnssss -l <_l_o_o_k_u_p__h_o_s_t> The ----llll option will check the RHDB for a host name and, if it exists, will display the host's attributes. -f <_c_f_i_l_e> ////eeeettttcccc////rrrrhhhhoooosssstttt....ccccoooonnnnffff is the default file used to create the RHDB. Use the ----ffff option to use an alternative configuration file. When using a different file other then the default, make sure it has the appropriate security policies. -r <_r_e_m_o_t_e> The ----rrrr option is defined, but not used. -k The ----kkkk option is used to list all recognized attributes. -n The ----nnnn option checks the RHDB file only. -d The ----dddd option gives some debug information. -v The ----vvvv option turns on verbose mode. The /_e_t_c/_r_h_o_s_t._c_o_n_f file consists, minimally, of a series of host attribute profile assignments of the form: <_n_a_m_e>: = <_a_t_t_r_i_b_u_t_e> = <_v_a_l_u_e>: [<_a_t_t_r_i_b_u_t_e> = <_v_a_l_u_e>:] Newline characters within a host attribute profile must be escaped. It is usually most convenient to specify a series of commonly used profiles as templates, then use the templates to assign the profiles to specific hosts. A template looks exactly like a host profile assignment, except that one of the attribute-value pairs is _d_e_f_a_u_l_t__s_p_e_c = .:, for example: _d_e_f_a_u_l_t__c_i_p_s_o: \ _s_m_m__t_y_p_e = _s_i_n_g_l_e__l_e_v_e_l: \ _n_l_m__t_y_p_e = _c_i_p_s_o: \ _d_e_f_a_u_l_t__s_p_e_c = .: PPPPaaaaggggeeee 1111 RRRRHHHHOOOOSSSSTTTT((((1111MMMM)))) RRRRHHHHOOOOSSSSTTTT((((1111MMMM)))) Either host names or IP addresses may be used to specify hosts. If a host name is used, an entry for that host must appear in the local /_e_t_c/_h_o_s_t_s file, as rrrrhhhhoooosssstttt is run before network information services (NIS) are available. A wildcard IP address, that is, an address with zeros in some slots, may be used to specify a range of IP addresses. For example, 128.01.01.0: 128.01.0.0: 128.0.0.0: 0.0.0.0: are valid host specifications. When rrrrhhhhoooosssstttt resolves addresses, it first looks for a complete address, followed by a wildcard with one zero byte, and so forth. This allows the administrator to specify, for example: 0.0.0.0: The whole world is untrusted 128.01.01.0: Except this network, which speaks CIPSO 128.01.01.01: Except this host, which is TSIX. A sample copy of /_e_t_c/_r_h_o_s_t._c_o_n_f has been provided on your system. The file begins with a series of templates, including default_cipso and default_sgipso. These templates are used later in the file to assign profiles to specific hosts for example: _l_o_c_a_l_h_o_s_t: _d_e_f_a_u_l_t__s_p_e_c = _d_e_f_a_u_l_t__c_i_p_s_o: The following attributes are recognized: host_type The host_type attribute value will be printed when the RHDB is loaded. smm_type Session Manager IDs. Identifies the protocol used to communicate with a host. Acceptable values are msix, msix_1.0, msix_2.0, tsix, tsix_1.0, tsix_1.1, none and single_level. Other values are ignored. For more information, see trusted_networking(7m). nlm_type IP Security Options. Acceptable Trusted IRIX values are cipso, cipso_tt1, cipso_tt2, ripso_bso, ripso_bso_tx, ripso_bso_rx, ripso_eso, sgipso, sgipso_nouid, sgipso_spcl, sgipso_loop, none and unlabeled. Other values are ignored. For more information, see trusted_networking(7m). ipsec This attribute is recognized but not implemented. PPPPaaaaggggeeee 2222 RRRRHHHHOOOOSSSSTTTT((((1111MMMM)))) RRRRHHHHOOOOSSSSTTTT((((1111MMMM)))) default_spec Indicates that this is a template. cache_size Sets the RHDB cache size. min_sl Minimum sensitivity label. max_sl Maximum sensitivity label. min_integ Minimum integrity label. max_integ Maximum integrity label. def_sl Default sensitivity label. def_integ Default integrity label. def_ilb Information label. Ignored. def_clearance Default clearance. def_uid Default user ID. def_luid Default login/audit ID. def_sid Default session ID. def_gid Default group ID. def_ngrps Default group ID count. def_gids Default group ID list. def_audit Default login/audit ID. PPPPaaaaggggeeee 3333 RRRRHHHHOOOOSSSSTTTT((((1111MMMM)))) RRRRHHHHOOOOSSSSTTTT((((1111MMMM)))) def_privs Default privileges. max_privs Maximum privileges. vendor Enable vendor specific compatibility. Acceptable values are sun, hewlett-packard, hp, ibm, cray, dg, harris and unknown. doi Domain of Interpretation. This attribute is recognized but not implemented. Under Trusted IRIX/CMW only a DOI of 3 is supported. flags Indicates which attributes are mandatory on packets received from a host. The following values are recognized: import, export, deny_access, mand_sl, mand_integ, mand_ilb, mand_privs, mand_luid, mand_ids, mand_sid, mand_pid, mand_clearance, trace_rcv_pkt, trace_xmt_pkt, trace_rcv_att and trace_xmt_att. PPPPaaaaggggeeee 4444