On UNIX/Linux platforms, Event Management lets you restrict the nodes and RUNIDs authorized to send the message actions COMMAND, UNIXCMD and UNIXSH to your local host.
During installation, if setup detects that Event Management was previously installed at that node, a message appears informing you of the new message action restriction feature and the default setting that disables message action restriction. You have the opportunity to override the default and enable message action restriction.
If you accept the default response n to the prompt for message action restriction, setup creates the actnode.prf configuration file for you with a single entry of -n=*,*,E to allow all RUNIDs from all nodes to submit these message actions.
If you instead respond y to the prompt for message action restriction, setup creates the actnode.prf configuration file with a single entry of -n=*,*,D to deny all RUNIDs from all nodes the ability to submit these message actions.
When setup detects that you are installing Event Management for the first time on the node, a message appears informing you of the new message action restriction feature and the default setting that disables message action restriction. You are given the opportunity to override the default and enable message action restriction at that time.
If you accept the default response n to the prompt for message action restriction, setup creates the actnode.prf configuration file for you with a single entry of -n=*,*,E to enable message action submission for all RUNIDs from all nodes.
If you instead respond y to the prompt for message action restriction, setup creates the actnode.prf configuration file with a single entry of -n=*,*,D to disable all RUNIDs from all nodes from submitting these message actions.
You can change this rule at any time after installation by executing the caevtsec utility located in the $CAIGLBL0000/bin directory. The utility allows only the uid 0 user to maintain the file, and it preserves the file permissions. The file may also be maintained using a UNIX/Linux text editor. For more information about using the caevtsec utility, see the online CA Reference.
The actnode.prf configuration file is located in the $CAIGLBL0000/opr/config/hostname directory. You can use this file to maintain policies that specify how message action restriction is to be enforced based on the submitting node and RUNID. The file must be owned by root and only a uid of 0 may have write access to it. An individual entry in the file has the following format:
-n=nodename,runid,flag
nodename
Specifies the node from which the COMMAND, UNIXCMD or UNIXSH message action is initiated; it may contain a trailing generic mask character.
runid
Specifies the user ID (RUNID) under which the COMMAND, UNIXCMD or UNIXSH message action is submitted; it may contain a trailing generic mask character.
flag
Specifies D for disable (feature is active; disallow the message action submitted by RUNID from nodename), E for enable (allow the RUNID from nodename to submit the message action), or W for warn (check the rule but allow the message action submission to occur).
For example:
-n=*,*,E
is the default rule in effect if, during installation, you elected not to activate message action restriction. The rule states that for all nodes and all RUNIDs, COMMAND, UNIXCMD and UNIXSH message action submission is allowed.
-n=*,*,D
is the default rule in effect if, during installation, you elected to activate message action restriction. The rule states that for all nodes and all RUNIDs, COMMAND, UNIXCMD and UNIXSH message action submission is disallowed.
-n=*,*,E
-n=*,root,D
enforces a message action restriction on RUNID root and allows all other RUNIDs to submit the message actions.
-n=*,*,E
-n=mars,*,D
-n=*,root,W
allows all RUNIDs to bypass message action restriction unless the request comes from the node mars, in which case message action restriction is enforced for all RUNIDs. The last entry sets a warning-type restriction rule for RUNID root when the request comes from a node other than mars.
Event Management scans the entire configuration file for a best match and uses that rule. It uses the node field as a high-level qualifier when searching for a best match. For example, if the following are the only two entries in the file, any request coming from the node mars uses the disallow rule, and the user root uses the warning rule only if the request comes from a node other than mars.
-n=mars,*,D
-n=*,root,W
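The best-match lookup described above, as an added example that is not CA's own code: a small Python parser and evaluator for actnode.prf entries. It assumes that between competing matches the node field outranks the runid field and an exact literal outranks a trailing mask (a reading of this page's examples, not a documented ordering), and the sample policy is constructed from the entries shown on this page.

```python
# Added example, not CA's own code: parse actnode.prf entries and pick the
# best-matching rule for a submitting node and RUNID. The ranking (node field
# first, then the more specific runid pattern) is an assumption drawn from the
# page's examples; Event Management's own matching may differ in detail.
import re

FLAGS = {"D": "disallow", "E": "allow", "W": "warn"}

SAMPLE_ACTNODE_PRF = """\
# actnode.prf, constructed sample: the page's last example plus a catch-all
-n=*,*,E
-n=mars,*,D
-n=*,root,W
"""

def parse_actnode_prf(text):
    """Return (nodename, runid, flag) tuples; skip blank and '#' lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"-n=([^,]+),([^,]+),([DEW])", line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        rules.append(m.groups())
    return rules

def _specificity(pattern, value):
    """Score a match (higher = more specific), or None if no match.
    A trailing '*' is a generic mask matching any value with that prefix;
    an exact literal outranks any mask, a longer prefix a shorter one."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return len(prefix) if value.startswith(prefix) else None
    return len(value) + 1 if pattern == value else None

def evaluate(rules, node, runid):
    """Flag of the best-matching entry, or None if nothing matches."""
    best, best_score = None, None
    for node_pat, runid_pat, flag in rules:
        ns, rs = _specificity(node_pat, node), _specificity(runid_pat, runid)
        if ns is None or rs is None:
            continue
        if best_score is None or (ns, rs) > best_score:  # node outranks runid
            best, best_score = flag, (ns, rs)
    return best

if __name__ == "__main__":
    policy = parse_actnode_prf(SAMPLE_ACTNODE_PRF)
    for node, runid in [("mars", "root"), ("venus", "root"), ("venus", "oper")]:
        print(node, runid, FLAGS[evaluate(policy, node, runid)])
```

Because setup always writes a catch-all -n=*,*,E or -n=*,*,D entry, a None result from evaluate indicates a policy file that has lost its default rule.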
Note: On Windows, to execute a command a user must be defined in the Users Authorized to Issue Commands configuration setting.
Copyright © 2010 CA.
All rights reserved.