RHOST(1M) RHOST(1M)
rhost - set the attributes of remote hosts and networks.
/usr/etc/rhost [-l <lookup_host>] [-f <cfile>] [-r <remote>] [-k] [-n] [-d] [-v]
On systems with TSIX networking enabled, the kernel uses an internal
lookup table, called the internal Remote Host Database (RHDB), to enforce
per host security policy. The rhost command loads the RHDB with the
attributes of remote hosts and networks, specified in /etc/rhost.conf.
Options
-l <lookup_host>
The -l option will check the RHDB for a host name and, if
it exists, will display the host's attributes.
-f <cfile> /etc/rhost.conf is the default file used to create the
RHDB. Use the -f option to load an alternative
configuration file. When using a file other than the
default, make sure it expresses the appropriate
security policies, since whatever it contains becomes
the kernel's per-host policy.
-r <remote> The -r option is defined, but not used.
-k The -k option is used to list all recognized attributes.
-n The -n option checks the RHDB file only.
-d The -d option gives some debug information.
-v The -v option turns on verbose mode.
The /etc/rhost.conf file consists, minimally, of a series of host
attribute profile assignments of the form:
<name>: <attribute> = <value>: [<attribute> = <value>:]
Newline characters within a host attribute profile must be escaped. It
is usually most convenient to specify a series of commonly used profiles
as templates, then use the templates to assign the profiles to specific
hosts. A template looks exactly like a host profile assignment, except
that one of the attribute-value pairs is default_spec = .:, for example:
default_cipso: \
smm_type = single_level: \
nlm_type = cipso: \
default_spec = .:
Either host names or IP addresses may be used to specify hosts. If
a host name is used, an entry for that host must appear in the local
/etc/hosts file, as rhost is run before network information services
(NIS) are available. A wildcard IP address, that is, an address
whose trailing bytes are zero, may be used to specify a range of IP
addresses. For example,
128.01.01.0:
128.01.0.0:
128.0.0.0:
0.0.0.0:
are valid host specifications. When rhost resolves an address, it
first looks for an entry matching the complete address, then for a
wildcard whose last byte is zero, then one whose last two bytes are
zero, and so forth down to 0.0.0.0; the most specific entry wins.
This allows the administrator to specify, for example:
0.0.0.0: The whole world is untrusted
128.01.01.0: Except this network, which speaks CIPSO
128.01.01.01: Except this host, which is TSIX.
A sample copy of /etc/rhost.conf has been provided on your system.
The file begins with a series of templates, including default_cipso
and default_sgipso. These templates are used later in the file to
assign profiles to specific hosts for example:
localhost: default_spec = default_cipso:
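The profile syntax, template expansion via default_spec, and the
most-specific-first wildcard resolution described above can be modelled
in user space. The following Python block is an added example, not
SGI's rhost code or the kernel RHDB: it parses a constructed
rhost.conf fragment, expands templates, resolves host names through a
constructed stand-in for /etc/hosts (assumed entries, not a real
system's), and answers lookups in the order the manual documents. It
also generalizes the documented order to cover host-name lookups, and
offers a check_conf() that mirrors what -n does (validate without
loading).

```python
"""Model of the rhost.conf profile format and RHDB lookup order (added example)."""
from typing import Dict, Iterator, List, Optional, Tuple

Addr = Tuple[int, int, int, int]
Profile = Dict[str, str]

# Constructed stand-in for /etc/hosts; rhost requires names to resolve here.
HOSTS = {"localhost": "127.0.0.1", "cmwbox": "128.1.1.1"}

# Constructed configuration in the rhost.conf syntax shown in the manual.
SAMPLE_CONF = r"""
default_cipso: \
    smm_type = single_level: \
    nlm_type = cipso: \
    default_spec = .:
default_tsix: \
    smm_type = tsix_1.1: \
    nlm_type = cipso: \
    default_spec = .:
untrusted: \
    smm_type = none: \
    nlm_type = unlabeled: \
    flags = deny_access: \
    default_spec = .:
0.0.0.0: default_spec = untrusted:
128.01.01.0: default_spec = default_cipso:
128.01.01.01: default_spec = default_tsix:
localhost: default_spec = default_cipso:
"""


def parse_addr(text: str) -> Optional[Addr]:
    """Dotted-quad (leading zeros allowed, as in the manual) -> 4-tuple, else None."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    octets = tuple(int(p) for p in parts)
    return octets if all(o <= 255 for o in octets) else None  # type: ignore[return-value]


def logical_lines(text: str) -> Iterator[str]:
    """Join backslash-escaped newlines into one profile per logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def parse_conf(text: str) -> Tuple[Dict[str, Profile], Dict[str, Profile]]:
    """Split profiles into templates (default_spec = .) and host assignments."""
    templates: Dict[str, Profile] = {}
    hosts: Dict[str, Profile] = {}
    for line in logical_lines(text):
        name, _, rest = line.partition(":")
        attrs: Profile = {}
        for pair in rest.split(":"):
            pair = pair.strip()
            if not pair:
                continue
            attr, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"{name.strip()}: malformed attribute pair {pair!r}")
            attrs[attr.strip()] = value.strip()
        name = name.strip()
        if attrs.get("default_spec") == ".":
            del attrs["default_spec"]
            templates[name] = attrs
        else:
            hosts[name] = attrs
    return templates, hosts


def build_rhdb(text: str, hosts_table: Dict[str, str] = HOSTS) -> Dict[Addr, Profile]:
    """Expand templates and key every profile by IPv4 address, as the RHDB does."""
    templates, entries = parse_conf(text)
    rhdb: Dict[Addr, Profile] = {}
    for name, attrs in entries.items():
        profile: Profile = {}
        spec = attrs.get("default_spec")
        if spec is not None:
            if spec not in templates:
                raise ValueError(f"{name}: unknown template {spec!r}")
            profile.update(templates[spec])
        profile.update({k: v for k, v in attrs.items() if k != "default_spec"})
        key = parse_addr(name)
        if key is None:  # host name: must resolve from the local hosts table
            if name not in hosts_table:
                raise ValueError(f"{name}: not in /etc/hosts, cannot resolve")
            key = parse_addr(hosts_table[name])
        rhdb[key] = profile  # type: ignore[index]
    return rhdb


def lookup(rhdb: Dict[Addr, Profile], address: str) -> Optional[Tuple[Addr, Profile]]:
    """Full address first, then one trailing zero byte, ..., finally 0.0.0.0."""
    octets = parse_addr(address)
    if octets is None:
        raise ValueError(f"bad address {address!r}")
    for zeros in range(5):
        candidate: Addr = octets[: 4 - zeros] + (0,) * zeros  # type: ignore[assignment]
        if candidate in rhdb:
            return candidate, rhdb[candidate]
    return None


def check_conf(text: str, hosts_table: Dict[str, str] = HOSTS) -> List[str]:
    """Validate a configuration without loading it (what -n does); [] means clean."""
    try:
        build_rhdb(text, hosts_table)
    except ValueError as exc:
        return [str(exc)]
    return []
```

Run lookup(build_rhdb(SAMPLE_CONF), "128.1.1.7") and the 128.01.01.0
network profile is returned because no complete-address entry exists,
while "128.1.1.1" hits its own TSIX entry first; an address in neither
network falls through to 0.0.0.0 and inherits the deny_access flag of
the untrusted template. Because the fall-through entry decides the fate
of every unlisted host, a configuration without a 0.0.0.0 entry, or with
a permissive one, is the thing to check before handing a custom file to
-f.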
The following attributes are recognized:
host_type
The host_type attribute value will be printed when the RHDB is
loaded.
smm_type
Session Manager IDs. Identifies the protocol used to
communicate with a host. Acceptable values are msix, msix_1.0,
msix_2.0, tsix, tsix_1.0, tsix_1.1, none and single_level.
Other values are ignored. For more information, see
trusted_networking(7m).
nlm_type
IP Security Options. Acceptable Trusted IRIX values are cipso,
cipso_tt1, cipso_tt2, ripso_bso, ripso_bso_tx, ripso_bso_rx,
ripso_eso, sgipso, sgipso_nouid, sgipso_spcl, sgipso_loop, none
and unlabeled. Other values are ignored. For more
information, see trusted_networking(7m).
ipsec
This attribute is recognized but not implemented.
default_spec
Indicates that this is a template.
cache_size
Sets the RHDB cache size.
min_sl
Minimum sensitivity label.
max_sl
Maximum sensitivity label.
min_integ
Minimum integrity label.
max_integ
Maximum integrity label.
def_sl
Default sensitivity label.
def_integ
Default integrity label.
def_ilb
Information label. Ignored.
def_clearance
Default clearance.
def_uid
Default user ID.
def_luid
Default login/audit ID.
def_sid
Default session ID.
def_gid
Default group ID.
def_ngrps
Default group ID count.
def_gids
Default group ID list.
def_audit
Default login/audit ID.
def_privs
Default privileges.
max_privs
Maximum privileges.
vendor
Enable vendor specific compatibility. Acceptable values are
sun, hewlett-packard, hp, ibm, cray, dg, harris and unknown.
doi
Domain of Interpretation. This attribute is recognized but not
implemented. Under Trusted IRIX/CMW only a DOI of 3 is
supported.
flags
Indicates which attributes are mandatory on packets received
from a host. The following values are recognized: import,
export, deny_access, mand_sl, mand_integ, mand_ilb, mand_privs,
mand_luid, mand_ids, mand_sid, mand_pid, mand_clearance,
trace_rcv_pkt, trace_xmt_pkt, trace_rcv_att and trace_xmt_att.