

Message Action Restriction

Event Management lets you restrict the nodes and RUNIDs that are authorized to send the COMMAND, UNIXCMD, and UNIXSH message actions to your local host.

During the installation process, setup creates the actnode.prf configuration file. The file is in the $CAIGLBL0000/opr/config/hostname directory. It maintains the rules that specify how the message action restriction is enforced based on the submitting node and RUNID. Root owns the file, and only a UID of 0 can have write access to it. A rule in the file has the following format:

-n=nodename,runid,flag
nodename

Identifies the node from which the COMMAND, UNIXCMD, or UNIXSH message action is initiated; it can contain a trailing generic mask character.

runid

Defines a RUNID to whom the rule applies; it can contain a trailing generic mask character.

flag

Defines one of the following values:

D

Disable. Restriction is enforced: the message action that runid submits from nodename is disallowed.

E

Enable. Permit runid to submit the message action from nodename.

W

Warn. Check the rule, but permit message action submission.

You can update the actnode.prf configuration file at any time after installation by executing the caevtsec utility, which is located in the $CAIGLBL0000/bin directory. The utility permits only the UID 0 user to maintain the file, and it preserves the file permissions. You can also maintain the file using a UNIX text editor.

Example:

-n=*,*,E

This rule is in effect if, during installation, you elected not to activate message action restriction. The rule states that for all nodes and all RUNIDs, COMMAND, UNIXCMD, and UNIXSH message action submission is permitted.

Example:

-n=*,*,D

This rule is in effect if, during installation, you elected to activate message action restriction. The rule states that for all nodes and all RUNIDs, COMMAND, UNIXCMD, and UNIXSH message action submission is not permitted.

Example:

-n=*,*,E
-n=*,root,D

These rules enforce message action restriction on the root RUNID but permit all other RUNIDs to submit the message actions.

Example:

-n=*,*,E
-n=mars,*,D
-n=*,root,W

These rules permit all RUNIDs to submit the message actions unless the request comes from the mars node. In that case, message action restriction is enforced for all RUNIDs. The last rule sets a warning for the root RUNID if it comes from a node other than mars.

Event Management scans the entire configuration file for a best match and uses that rule. It uses the node field as a high-level qualifier when searching for a best match. In the example, any request coming from the mars node uses the “disallow” rule. The root user only triggers the warning rule if the request comes from a node other than mars.
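
The best-match lookup described above can be modeled offline to check which rule a given node and RUNID would hit before you change actnode.prf. This is an added example, not the product's code or part of the original page. It assumes that "best match" means the most specific node field wins, that the RUNID field breaks ties, and that matching is case-sensitive; parse_rules, specificity, and resolve are hypothetical names.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    node: str
    runid: str
    flag: str  # D (disable), E (enable) or W (warn)

# The three-rule example from this page, using ASCII hyphens.
PAGE_EXAMPLE = """\
-n=*,*,E
-n=mars,*,D
-n=*,root,W
"""

def parse_rules(text: str) -> list[Rule]:
    """Parse -n=nodename,runid,flag lines; reject anything malformed."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line[3:].split(",")]
        if not line.startswith("-n=") or len(fields) != 3 or fields[2] not in ("D", "E", "W"):
            raise ValueError(f"line {lineno}: expected -n=nodename,runid,flag, got {raw!r}")
        rules.append(Rule(*fields))
    return rules

def specificity(pattern: str, value: str) -> int:
    """Return -1 for no match, otherwise a score where higher is more specific.
    A trailing '*' is the generic mask; an exact name outranks any mask."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return len(prefix) if value.startswith(prefix) else -1
    return len(value) + 1 if pattern == value else -1

def resolve(rules: list[Rule], node: str, runid: str) -> Optional[Rule]:
    """Scan every rule and keep the best match: node first, then RUNID (assumed)."""
    best, best_key = None, None
    for rule in rules:
        key = (specificity(rule.node, node), specificity(rule.runid, runid))
        if -1 in key:
            continue  # one of the two fields does not match this request
        if best_key is None or key > best_key:
            best, best_key = rule, key
    return best

if __name__ == "__main__":
    rules = parse_rules(PAGE_EXAMPLE)
    for node, runid in [("mars", "root"), ("venus", "root"), ("venus", "oper1")]:
        print(node, runid, "->", resolve(rules, node, runid).flag)
```

resolve returns None when no rule matches; the page does not say what Event Management does in that case, so the example does not guess.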