
UNIX Endpoint Considerations

This section describes items you should consider when using CA Access Control on UNIX endpoints.

MultiLoginPgm Replaced by EXECLOGIN Flag

We recommend that you use the LOGINAPPL EXECLOGIN flag instead of the MultiLoginPgm token to determine the full path of a special login application.

The EXECLOGIN flag postpones the LOGIN action until the first "exec" event of a login application.

PAM Configuration for CA Access Control Features

CA Access Control PAM features that rely on identifying user login attempts (for example, segrace, serevu, and log audit records) do not work if the line "auth requisite" appears before the CA Access Control line "auth optional pam_module" in the operating system's PAM configuration file.

If you want PAM to write user login attempts, the PAM configuration file should contain the line "auth required pam_module" instead of "auth requisite pam_module". With the control flag required, PAM continues to the next module even if the module fails. With the control flag requisite, PAM exits immediately when the module fails, never reaches the CA Access Control line, and so pam_module does not run.

Note: pam_module is the name of the PAM module file on your platform. For example, on Linux, this is pam_unix2.so.
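A check for the ordering problem described above, added here as an example and not part of the CA Access Control documentation: it scans a PAM configuration file and reports any "auth optional" line that comes after an "auth requisite" line, which is the case in which a failed requisite module prevents the CA Access Control module from ever running. It understands both the /etc/pam.d/<service> layout (type in the first column) and the single-file pam.conf layout (service name in the first column); the sample file is constructed, and pam_module in it is a placeholder for the platform's module name as in the note above.

```shell
#!/bin/sh
# pam_order_check FILE
# Exits 0 if no "auth optional" line follows an "auth requisite" line in FILE,
# exits 1 and prints the offending lines otherwise. Comments and blank lines
# are skipped. Both layouts are handled:
#   /etc/pam.d/<service>:  auth  requisite  pam_foo.so
#   pam.conf:              login auth requisite pam_foo.so
pam_order_check() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            type = $1; ctl = $2
            # pam.conf layout: first column is the service name, shift by one
            if (type != "auth" && $2 == "auth") { type = $2; ctl = $3 }
        }
        type == "auth" && ctl == "requisite" && !req { req = NR }   # remember first requisite
        type == "auth" && ctl == "optional" && req {
            printf "line %d: \"auth optional\" is never reached when line %d (auth requisite) fails\n", NR, req
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo on a constructed sample (pam.d layout); pam_module is a placeholder name.
demo_file=$(mktemp)
printf '%s\n' \
    '# constructed sample, not a real configuration' \
    'auth requisite pam_unix2.so' \
    'auth optional  pam_module' > "$demo_file"
if pam_order_check "$demo_file"; then
    echo "ordering OK"
else
    echo "fix: change the requisite line to \"auth required\" so later modules still run"
fi
rm -f "$demo_file"
```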

telnet and rsh Require Specific PAM Configuration

You cannot use telnet or rsh to log in to a computer if your PAM configuration file:

To fix this, comment out the CA Access Control line if you want PAM to use the "OTHER account..." line instead, or uncomment the operating system's line.

CA Access Control PAM Module on AIX

Valid on AIX

If you set auth_login=pam in the seos section of the seos.ini file, CA Access Control uses PAM to authenticate users. CA Access Control uses the PAM API library during authentication, but AIX does not provide the PAM library in a shared library format that CA Access Control can easily link to. When CA Access Control attempts to use the PAM API it fails with an error "cannot find /usr/lib/libpam.o". To avoid this error, you must configure the AIX PAM module.

To configure the AIX PAM module on AIX

  1. Locate the AIX supplied libpam.a archive:
    cd /usr/lib

    This archive contains the AIX PAM shared library (shr.o).

  2. Extract shr.o from libpam.a to /usr/lib:
    ar -xv libpam.a

  3. Rename shr.o to libpam.o:
    mv shr.o libpam.o

  4. Verify that change_pam=yes in the passwd section of the seos.ini file.

    This configuration setting instructs sepass to use the PAM interface to change passwords.

SNMP Configuration

When you set selogrd to route audit records to SNMP listeners, you can use an SNMP community name that is different from the default name ("public"). To do this, use the following format in the selogrd.cfg configuration file:

snmp gateway@community

gateway
    Defines the SNMP gateway host name.

community
    Defines the SNMP community name that matches the target SNMP environment.

CA Access Control Generates the Login Session ID

CA Access Control generates the login session ID that it adds to audit log records at startup. This means that a logged-on user gets a different session ID within the same terminal session every time CA Access Control restarts; the session ID stays the same only within a single CA Access Control session.

Enterprise Users Do Not Correspond to the _undefined User

If you use enterprise users (osuser_enabled is set to 1), CA Access Control does not consider any user as undefined.

Rules for the _undefined user are not relevant in this case.

The All Users Mask (*) Applies to Users That Are Not Defined

If you do not use enterprise users (osuser_enabled is set to 0), users that are not defined in the CA Access Control database are included in rules that apply to all users (using the mask *).

If you want to exclude undefined users from rules that apply to all users, create a more specific rule for the _undefined user that defines the required access to users that are not defined in the database.

Audit Log Backup Files Are Protected by Default

By default, CA Access Control protects audit log backup files if you configure settings to keep timestamped backups. This is the same default protection that the size-triggered audit backup file receives. To remove these files, you need to set permissive rules in the database.

Change Encryption Key After You Patch libcryptscr.so.125.0

The symmetric encryption key is embedded in the libcryptscr.so.125.0 library. If you patch this library, the patch may restore the default CA Access Control encryption key. To avoid communication problems, you must always change the encryption key immediately after you apply a patch to libcryptscr.so.125.0.

To change the key, navigate to /opt/CA/AccessControl/lib/libcryptscr.so.125.0 and run sechkey as follows, where previous_key is the encryption key that you used before the patch:

sechkey -d previous_key

sechkey replaces the default encryption key with the previous key.

Linux Kernel Recompilation

On Linux, if you recompile your kernel, you must copy the system.map file to the /boot directory to load the CA Access Control daemons.

Compiling API Samples

You should use gmake (GNU make) and not make to compile the API samples.

Do Not Use Administration API Functions Inside a seosd Exit

To avoid deadlocks, do not use any Administration API functions inside a seosd exit.