actnode.prf-Maintain Message Action Restriction Rules

Use this file to maintain policies that specify how message action restriction is to be enforced based on the submitting node and RUNID. It is located in the $CAIGLBL0000/opr/config/hostname directory. The file must be owned by root and only a UID of 0 can have write access to it.

This file is created when Event Management is installed. A prompt lets you decide whether you want to override the default setting that disables the message action restriction feature.

An individual entry in the actnode.prf file has the following format:

-n=nodename,runid,flag

nodename

This is the node from which the COMMAND, UNIXCMD, or UNIXSH message action is initiated. It can contain a trailing generic mask character.

runid

The RUNID to which the rule applies. It can contain a trailing generic mask character.

flag

Use D for disable (feature is active; disallow the message action submitted by RUNID from nodename), E for enable (allow the RUNID from nodename to submit the message action), or W for warn (check the rule but allow the message action submission to occur).

Examples

This is the default rule in effect if, during installation, you elected not to activate message action restriction:

-n=*,*,E

The rule states that for all nodes and all RUNIDs, COMMAND, UNIXCMD and UNIXSH message action submission is allowed.

This is the default rule in effect if, during installation, you elected to activate message action restriction:

-n=*,*,D

The rule states that for all nodes and all RUNIDs, COMMAND, UNIXCMD and UNIXSH message action submission is disallowed.

This combination of rules only enforces a message action restriction on RUNID root and allows all other RUNIDs to submit the message actions:

-n=*,*,E
-n=*,root,D

This combination of rules allows all RUNIDs to bypass message action restriction unless the request comes from the node mars:

-n=*,*,E
-n=mars,*,D
-n=*,root,W

If the request comes from mars, message action restriction is enforced for all RUNIDs. The last entry sets a warning-type restriction rule for RUNID root when the request comes from a node other than mars.

Event Management scans the entire configuration file for a best match and uses that rule. It uses the node field as a high level qualifier when searching for a best match. For example:

-n=mars,*,D
-n=*,root,W

If these are the only two entries in the file, any request coming from the node mars uses the disallow rule. The user root is subject to the warning rule only if the request comes from a node other than mars.
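To make the best-match behaviour concrete, the following is an added Python example (not code from the product or from this page) that parses actnode.prf entries and selects the rule Event Management would apply. The ranking it uses (an exact node match beats a trailing-mask match, which beats a bare *, with the node field compared before the RUNID field) and the choice to return None when no rule matches are assumptions, since the page does not spell out the algorithm.

```python
"""Evaluate actnode.prf message action restriction rules (added example)."""
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]  # (nodename, runid, flag)

# Constructed sample: the page's third combination of rules.
SAMPLE_ACTNODE = "-n=*,*,E\n-n=mars,*,D\n-n=*,root,W\n"


def parse_actnode(text: str) -> List[Rule]:
    """Parse '-n=nodename,runid,flag' entries; blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("-n="):
            raise ValueError(f"unrecognised entry: {line!r}")
        parts = line[3:].split(",")
        if len(parts) != 3:
            raise ValueError(f"expected nodename,runid,flag: {line!r}")
        node, runid, flag = (p.strip() for p in parts)
        flag = flag.upper()
        if flag not in ("D", "E", "W"):
            raise ValueError(f"flag must be D, E or W: {line!r}")
        rules.append((node, runid, flag))
    return rules


def specificity(pattern: str, value: str) -> Optional[Tuple[int, int]]:
    """Rank how well a field pattern matches a value; None means no match.
    Assumed ranking: exact match outranks a trailing-mask match, and a longer
    masked prefix outranks a shorter one ('*' alone is a prefix of length 0)."""
    if pattern == value:
        return (2, len(value))
    if pattern.endswith("*") and value.startswith(pattern[:-1]):
        return (1, len(pattern) - 1)
    return None


def best_match(rules: List[Rule], node: str, runid: str) -> Optional[str]:
    """Return the flag of the best-matching rule, or None if nothing matches.
    The node field is the high-level qualifier, so it is compared first."""
    best: Optional[Tuple[Tuple[Tuple[int, int], Tuple[int, int]], str]] = None
    for rule_node, rule_runid, flag in rules:
        node_rank = specificity(rule_node, node)
        runid_rank = specificity(rule_runid, runid)
        if node_rank is None or runid_rank is None:
            continue  # this rule does not apply to the request
        key = (node_rank, runid_rank)
        if best is None or key > best[0]:
            best = (key, flag)
    return None if best is None else best[1]
```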