The tokens in the [SEOS_syscall] section are used by the SEOS_syscall kernel module.
Determines whether to bypass NFS files from SEOS events.
Valid values include the following:
0-Do not bypass NFS files.
1-Bypass NFS files.
Default: 0
Specifies whether to bypass real file paths resolution for authorization.
If you enable this setting (1), CA Access Control does not resolve real file paths for authorization. This accelerates file event handling. However, generic rules are not enforced for file accesses that are made through links.
Example: A deny access rule for /realpath/files/* is not considered if this setting is enabled and a user accesses a file in this directory through a link. You also need a generic rule for the link path (/alternatepath/*).
Default: 0
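The following model is an added illustration and is not part of the CA documentation or of CA Access Control itself. It shows why the generic deny rule on the real path stops applying to link-based access when real-path resolution is bypassed, and why a second rule on the link path restores the deny. The link table (/alternatepath pointing at /realpath/files), the rule list and the file name are constructed sample values; the function names are hypothetical.

```python
import fnmatch

# Constructed link table standing in for the filesystem: link path -> target path.
# /alternatepath is a link to /realpath/files, as in the documented example.
LINKS = {"/alternatepath": "/realpath/files"}

# Constructed generic deny rule taken from the documented example.
DENY_RULES = ["/realpath/files/*"]


def resolve_real_path(path, links=LINKS):
    """Return the real path for an access path whose leading component is a link.

    One level of resolution is enough to model the documented case; a real
    resolver would repeat until no link component remains.
    """
    for link, target in links.items():
        if path == link or path.startswith(link + "/"):
            return target + path[len(link):]
    return path


def is_denied(access_path, deny_rules=DENY_RULES, bypass_real_path=0):
    """Model of the authorization check controlled by the bypass token.

    bypass_real_path=0 (the default): the access path is resolved to its real
    path before it is matched against the generic deny rules.
    bypass_real_path=1: the path exactly as accessed is matched, so a deny rule
    written for the real directory is not considered for link-based access.
    """
    checked = access_path if bypass_real_path else resolve_real_path(access_path)
    return any(fnmatch.fnmatchcase(checked, rule) for rule in deny_rules)


def demo():
    """Walk through the documented example and return the three outcomes."""
    via_link = "/alternatepath/secret.txt"
    # Resolution on: the link resolves to /realpath/files/secret.txt and the rule applies.
    resolved = is_denied(via_link, DENY_RULES, bypass_real_path=0)
    # Resolution bypassed: /alternatepath/secret.txt matches no rule, so access is allowed.
    bypassed = is_denied(via_link, DENY_RULES, bypass_real_path=1)
    # Resolution bypassed, but a generic rule for the link path restores the deny.
    with_link_rule = is_denied(via_link, DENY_RULES + ["/alternatepath/*"], bypass_real_path=1)
    return resolved, bypassed, with_link_rule


if __name__ == "__main__":
    labels = ("resolve (0)", "bypass (1)", "bypass (1) + link rule")
    for label, outcome in zip(labels, demo()):
        print(f"{label:24s} -> {'deny' if outcome else 'allow'}")
```

Run the script to see the three outcomes side by side; the practical consequence is that enabling the bypass trades authorization coverage for speed, and every link into a protected directory then needs its own generic rule.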
Determines whether to use caching for full path resolution to determine access permissions for files.
Valid values include the following:
0-No caching.
1-Use caching.
Default: 0
Determines the cache rate that is used when caching is enabled for full path resolution.
Larger values mean more caching.
Default: 10000
Determines whether to call tripAccept from the seload command after CA Access Control starts and, if tripAccept is called, defines a list of comma-separated TCP/IP ports that tripAccept should connect to and wake up the ports' listeners.
Valid values are any TCP/IP port number, and:
0-Do not call tripAccept from seload.
Limits: 0-64000
Default: 0
Determines whether to treat T_CONN_RES streams messages as high priority messages in the fiwput routine on UnixWare.
Valid values are:
1-handle T_CONN_RES streams messages as high priority messages in the fiwput routine.
0-handle T_CONN_RES streams messages as low priority messages in the fiwput routine.
Default: 0 (on UnixWare it should be 1)
Determines whether to allow debugging of any program while CA Access Control is running.
Valid values include the following:
0-Debugging allowed.
1-Debugging not allowed.
Default: 1
Determines whether a descendent of a SEOS daemon can register a SEOS service.
Valid values include the following:
0-Anyone can register a SEOS service.
1-Only a descendent can register a SEOS service.
Default: 0
Specifies whether the CA Access Control kernel identifies script execution.
Valid values include the following:
0-CA Access Control kernel does not identify script execution.
1-CA Access Control kernel identifies script execution.
Default: 0
Note: If the PUPM Agent is installed on the endpoint, the default value is 1. When enabled, the PUPM Agent can identify shell scripts that use the PUPM Agent file (acpwd) without the script being defined as a PROGRAM resource.
Indicates whether CA Access Control checks file access for files that are not defined in the database. By default CA Access Control does not check files that are not defined in the database.
Valid values include the following:
-1-Do not check all files.
0-Check all files.
Default: -1
Determines whether to use GAC caching for files when the user is root. By default GAC is not used when the user is root.
Valid values include the following:
0-No caching for root user.
1-Use caching for root.
Default: 0
Determines the default syscall number to communicate with SEOS_syscall on HP-UX.
Valid values include any unused syscall entry number in sysent.
Default: 254
Defines which signals to protect.
Valid values are a mask that ORs together all the signals for which SEOS events are wanted.
Default: SIGKILL, SIGSTOP, or SIGTERM events. The actual mask value varies by platform.
Determines whether a symbolic link will be protected.
Valid values include the following:
0-Links are not protected.
1-Links are protected.
Default: 0
Defines the maximum number of generic file rules allowed in the database.
Note: A large number may cause strange behaviors on different platforms. For assistance, contact CA Support at http://ca.com/support.
Valid values include any number greater than 511.
Note: This token is supported only on AIX, HP, Linux, and Solaris.
Default: 512
Defines the maximum number of file rules allowed in the database.
Note: A large number may cause strange behaviors on different platforms. For assistance, contact CA Support at http://ca.com/support.
Valid values include any number greater than 4095.
Note: This token is supported only on AIX, HP, Linux, and Solaris.
Default: 4096
Determines whether to allow mount and unmount of directories used by CA Access Control.
Valid values include the following:
0-Allow mounting.
1-Do not allow mounting.
Default: 1
Determines whether to check file access when a file belongs to a process file system (/proc).
Valid values include the following:
0-Token is ignored (file access is checked).
1-Bypass file access checks.
Default: 1
Specifies the type of network interception to use (HP-UX only).
Note: You must also set SEOS_use_streams = yes.
Valid values are:
0-TCP hook
1-Streams
Default: 1
Important! Do not modify this token yourself. For assistance, contact CA Support at http://ca.com/support.
Specifies whether CA Access Control attaches to running STREAMS.
If you change this setting, you need to restart daemons that already listen to the network for CA Access Control to protect them.
Note: This setting applies only to Solaris 9 or earlier.
Default: yes
Determines whether the SEOS_syscall kernel module can be unloaded.
Valid values include the following:
0-Do not allow the unload.
1-Allow the unload.
Default: 1
Specifies the CA Access Control kernel module communication method (ioctl or system call).
You can use the ioctl communication method when all available system call numbers are in use by the operating system.
Valid values are:
0-System call
1-ioctl
Default: 0
Important! Do not modify this token yourself. For assistance, contact CA Support at http://ca.com/support.
Specifies whether to use the streams subsystem for network interception (whether SEOS_load automatically pushes a module into streams).
This setting can be used only on HP-UX and on Sun Solaris versions 8 and 9.
Default: no
Defines the user IDs of the maintenance users. Activity by these users is permitted when security is down and silent_deny is yes. Use the user's numeric UNIX UID to define a maintenance user.
Default: 0 (user ID of root)
Determines whether to deny any event when security is down.
Valid values include the following:
yes-Silent deny is enabled (maintenance mode).
no-Silent deny is disabled.
Default: no
Specifies whether to check file access when a stat system call occurs.
If you specify 1 (check file access), CA Access Control does not let users who lack read permission perform operations that retrieve information about a file, and records the access as a read in the audit log. If you set this to 0, any user can get file information.
Values: 0 (do not check file access), 1 (check file access).
Default: 0
Determines whether to use the STOP feature, which protects from stack overflow attacks.
Valid values include the following:
0-Off.
1-On.
Default: 0
Determines how fork synchronization is managed.
On HP-UX platforms
1-Report forks from parent
2-Report forks from child
On other platforms
1-Parent reports without synchronization
2-Parent reports with synchronization (not supported on Linux)
Limits: Any value lower than 1 is interpreted as 1. Any value greater than 1 is interpreted as 2.
Note: Do not modify this setting because it may cause strange behaviors on different platforms. For assistance, contact CA Support at http://ca.com/support.
Default: 1
Specifies whether CA Access Control monitors processes that are executing CA Access Control code. If this is enabled (the default), you can use secons -sc or secons -scl to view these processes.
Valid values are:
0-inactive
1-active
Default: 1
Defines how long, in seconds, an intercepted system call can be blocked before it is considered risky. If a process is blocked for longer than this time, CA Access Control reports that the SEOS_syscall module unload may fail.
Note: This value affects the unload readiness reports CA Access Control provides. For more information, see the Enterprise Administration Guide.
Default: 60
Determines whether to use the SEOS_syscall circular trace buffer.
Valid values include the following:
0-Do not use tracing.
1-Use tracing.
Default: 0
Determines whether to use the tripAccept utility when unloading SEOS_syscall to wake up the blocked accept system calls. This avoids running SEOS_syscall code after the module is unloaded.
Valid values are yes and no.
Default: yes
Copyright © 2012 CA. All rights reserved.