Maintenance Mode Protection (Silent Mode)

CA Access Control has a maintenance mode, also known as silent mode, for protection when the CA Access Control daemons are down for maintenance. In this mode, CA Access Control denies events while these daemons are down.

When CA Access Control is running, it intercepts security-sensitive events and checks whether each event is allowed. Without activating maintenance mode, all events are permitted when CA Access Control services are down. With active maintenance mode, events are denied when CA Access Control daemons are down, stopping user activity while the system is maintained.

Maintenance mode can be tuned, and it is disabled by default.

When the CA Access Control security services are down:

When maintenance mode is activated and security is down, the prevented events are not logged in the audit log file.

To enable maintenance mode, follow these steps:

Important! If root is not the maintenance user, make sure you have an open session for the maintenance user as you will not be able to log in otherwise.

  1. Make sure the CA Access Control daemons are down.
  2. Using the seini utility, change the value of the silent_deny token to yes.

    The token is located under the SEOS_syscall section.

    seini -s SEOS_syscall.silent_deny yes
    
  3. Change the value of the silent_admin token to the numeric UNIX UID that you want to allow to access the computer while the CA Access Control daemons are down.

    seini -s SEOS_syscall.silent_admin <maintenance_UID>
    

    Note: root is the default maintenance mode user (UID 0).

    Important! If the maintenance user is not root, you must make the CA Access Control authorization daemon setuid to the root user so that you can start CA Access Control in maintenance mode. To make this change, enter the following command:

    chmod 6111 seosd

  4. Start the CA Access Control daemons with the seload command.

    Note: If the maintenance mode user is not root, start the CA Access Control daemons with the seosd command.
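
A pre-flight check for the procedure above, added here as an example and not part of the CA documentation: it tests the lockout conditions the Important notes describe (numeric silent_admin UID, seosd setuid to root, an open session for a non-root maintenance user) before silent_deny is set. The function names, the login-name argument and the seosd path argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: lockout checks to run before setting silent_deny to yes.
# Function names are hypothetical; the seosd path is supplied by the caller.

# True when $1 is a non-negative decimal integer (silent_admin is a numeric UID).
is_numeric_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True when file $1 has the setuid bit and is owned by numeric UID $2.
is_setuid_owned_by() {
    [ -f "$1" ] && [ -u "$1" ] || return 1
    [ "$(ls -ln "$1" | awk '{ print $3 }')" = "$2" ]
}

# Reads `who`-style lines on stdin; true when login name $1 has a session.
has_open_session() {
    awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# $1 = maintenance UID, $2 = its login name, $3 = path to seosd,
# $4 = UID that must own seosd (0 in production; overridable for testing).
# Prints a verdict and returns non-zero at the first failed check.
preflight() {
    uid=$1; login=$2; seosd=$3; owner=${4:-0}
    is_numeric_uid "$uid" ||
        { echo "FAIL: silent_admin must be a numeric UID"; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "OK: root is the maintenance user"; return 0
    fi
    is_setuid_owned_by "$seosd" "$owner" ||
        { echo "FAIL: $seosd is not setuid to UID $owner"; return 1; }
    who | has_open_session "$login" ||
        { echo "FAIL: no open session for $login"; return 1; }
    echo "OK: UID $uid can start CA Access Control in maintenance mode"
}

# Run the checks when called as: script <UID> <login> <path-to-seosd>
if [ $# -ge 3 ]; then preflight "$@"; fi
```

Run it from the maintenance user's open session after step 3 and before step 4; a FAIL line means starting in maintenance mode would leave that user unable to log in or unable to start the daemons.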