Valid in the AC environment
Use the chres, editres, and newres commands to work with resource records that belong to a CA ControlMinder class. These commands are identical in structure and only vary in the following way:
Note: This command also exists in the native Windows environment but operates differently there.
To add a resource using the newres command, at least one of the following conditions must be true:
To add or change a resource using the chres or editres commands, you must have sufficient authority over the resource. CA ControlMinder checks in the following order for any one of these conditions:
Note: The maximum length of a resource name is 255 single byte characters.
The following table lists command parameters that apply for each class that can be administered using the chres, editres, and newres commands.
| Class | audit | calendar | category | comment | defaccess | label | level | notify | owner | restrictions[-] | warning | other |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ACVAR | | | | X | | | | | X | | | VARIABLE_TYPE, VARIABLE_VALUE |
| ADMIN | X | X | X | X | X | X | X | X | X | X | X | |
| CALENDAR | | | | X | | | | | X | | | |
| CATEGORY | | | | X | | | | | X | | | |
| CONNECT | X | X | X | X | X | X | X | X | X | X | X | |
| CONTAINER | X | X | | X | | | | | X | | X | MEM |
| DOMAIN | X | X | X | X | X | X | X | X | X | X | X | MEM |
| FILE | X | X | X | X | X | X | X | X | X | X | X | |
| GFILE | X | X | | X | | | | X | X | | X | MEM |
| GHOST | X | X | | X | | | | | X | X | X | MEM |
| GSUDO | | X | | X | X | | | | X | | | MEM |
| GTERMINAL | X | X | | X | X | | | | X | X | | MEM |
| HNODE | X | X | X | X | X | X | X | X | X | X | X | SUBSCRIBER, POLICY |
| HOLIDAY | X | | X | X | X | X | X | X | X | X | X | DATES |
| HOST | X | X | | X | | | | | X | X | X | |
| HOSTNET | X | X | | X | | | | | X | | X | MASK, MATCH |
| HOSTNP | X | X | | X | | | | | X | X | X | |
| LOGINAPPL | X | X | | X | X | | | X | X | X | X | LOGINFLAGS, LOGINMETHOD, LOGINPATH, LOGINSEQUENCE |
| MFTERMINAL | X | X | X | X | | X | X | X | X | | X | DAYTIME |
| POLICY | X | X | X | X | X | X | X | X | X | X | X | SIGNATURE, RULESET |
| PROCESS | X | X | X | X | X | X | X | X | X | X | X | |
| PROGRAM | X | X | X | X | X | X | X | X | X | X | X | TRUST |
| PWPOLICY | | | | X | | | | | X | | | |
| REGKEY | X | X | | X | X | | | X | X | | X | DAYTIME |
| REGVAL | X | X | | X | X | | | X | X | | X | DAYTIME |
| RULESET | X | X | X | X | X | X | X | X | X | X | X | SIGNATURE, CMD, UNDOCMD |
| SECFILE | | | | X | | | | | X | | | TRUST, FLAGS |
| SECLABEL | | | X | X | | | X | | X | | | |
| SEOS | | X | X | X | | X | X | | | | | HOST |
| SPECIALPGM | | | | X | | | | | X | | | |
| SUDO | X | X | X | X | X | X | X | X | X | X | X | TARGUID, PASSWORD |
| SURROGATE | X | X | X | X | X | X | X | X | X | X | X | |
| TCP | X | | X | X | X | X | X | X | X | X | X | |
| TERMINAL | X | X | X | X | X | X | X | X | X | X | X | |
| UACC | X | | X | X | X | | | | X | | | |
| USER-ATTR | | | | | | | | | X | | X | |
| USER-DIR | X | | | X | | | | | X | | | |
{{chres|cr}|{editres|er}|{newres|nr}} className resourceName \
        [ac_id(id)] \
        [audit({none|all|success|failure})] \
        [calendar[-](calendarName)] \
        [category[-](categoryName)] \
        [cmd+(selang_command_string)|cmd-] \
        [comment(string)|comment-] \
        [container[-](containerName)] \
        [dates(time-period)] \
        [dh_dr{-|+}(dh_dr)] \
        [disable|disable-] \
        [defaccess(accessAuthority)] \
        [filepath(filePaths)] \
        [flags[-|+](flagName)] \
        [gacc(access-value)] \
        [gowner(groupName)] \
        [host(host-name)|host-] \
        [label(labelName)|label-] \
        [level(number)|level-] \
        [mask(inetAddress)|match(inetAddress)] \
        [mem(resourceName)|mem-(resourceName)] \
        [node_alias{-|+}(alias)] \
        [node_ip{-|+}(ip)] \
        [notify(mailAddress)|notify-] \
        [of_class(className)] \
        [owner({userName | groupName})] \
        [{password | password-}] \
        [policy(name(policy-name) {{deviation+|dev+}|{deviation-|dev-}})] \
        [policy(name(policy-name) status(policy-status) {updator|updated_by}(user-name))] \
        [{restrictions([days({anyday|weekdays|{[mon] [tue] [wed] [thu] [fri] [sat] [sun]}})] \
                       [time({anytime|startTime:endTime})]) \
          | restrictions-}] \
        [targuid(userName)] \
        [trust | trust-] \
        [value{+|-}(value)] \
        [warning | warning-]
Defines a unique ID for the endpoint (HNODE object) that is saved in the local CA ControlMinder database and on the DMS. CA ControlMinder uses this ID to identify the HNODE, so that changes to the endpoint's IP address or name do not affect advanced policy management functionality; CA ControlMinder can still trace the endpoint.
Indicates which access events are logged. Specify one of the following attributes:
Defines Unicenter NSM calendar records that represent time restrictions in Unicenter TNG. CA ControlMinder maintains a list of these objects for management purposes only; it does not protect them. When assigning more than one calendar, separate the calendar names with a space or a comma.
Deletes one or more Unicenter NSM calendar records from the resource record. Use this parameter with the chres or editres command only.
Assigns one or more security categories to the resource record.
If you specify the category parameter when the CATEGORY class is not active, CA ControlMinder updates the resource definition in the database; however, the updated category assignment has no effect until the CATEGORY class is activated again.
Deletes one or more security categories from the resource record.
The specified security categories are deleted from the resource record, regardless of whether the CATEGORY class is active. Use this parameter only with the chres or editres command.
Specifies the name of the class to which the resource belongs. To list the resource classes defined to CA ControlMinder, use the find command.
Specifies a list of selang commands that define the policy. These are the commands used to deploy the policy. For example,
editres RULESET IIS5#02 cmd+("nr FILE /inetpub/* defaccess(none) owner(nobody)")
Removes policy deployment command list from the RULESET object.
Adds an alphanumeric string of up to 255 characters to the resource record. If the string contains any blanks, enclose the entire string in single quotation marks. The string replaces any existing string defined previously.
Note: For the SUDO class, this string has a special meaning. For more information about defining SUDO records, see the Endpoint Administration Guide for UNIX.
Deletes the comment from the resource record. Use this parameter only with the chres or editres command.
Represents CONTAINER objects, a generic grouping class.
containerName is the name of one or more CONTAINER records defined in the CONTAINER class. When assigning more than one CONTAINER, separate the names with a space or a comma.
Deletes one or more CONTAINER records from the resource record. Use this parameter with the chres or editres command only.
Defines one or more periods when users cannot log in, such as holidays. If more than one time period is specified, separate the periods with a space. Use the following format:
mm/dd[/yy[yy]][@hh:mm][-mm/dd[/yy[yy]][@hh:mm]]
If you do not specify a year (or you specify a year before 1990), the period or holiday is annual. You can specify the year with two digits or four digits, for example: 98 or 1998.
If you do not specify a start time, the start of the day (midnight) is used; if you do not specify an end time, the end of the day (the following midnight) is used. The format of the hours and minutes is hh:mm, where hh is the hour in 24-hour notation (00 through 23) and mm is the minutes (00 through 59).
If you do not specify an interval of time (for example, 12/25@14:00‑12/25@17:00), but only a day and a month (12/25), then the holiday lasts for one whole day.
If you are issuing the command in a different time zone from where the holiday occurs, translate the period to your local time. For example, if you are in New York and Los Angeles has a half‑day holiday, you must enter 09/14/98@18:00‑09/14/98@20:00. This prevents the users from logging in from 3:00 p.m. to 5:00 p.m. in Los Angeles.
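The following parser and checker, added here as an illustration and not taken from CA ControlMinder itself, implements the dates() rules described above: space-separated periods, the mm/dd[/yy[yy]][@hh:mm] endpoint format, annual periods when no year (or a year before 1990) is given, midnight defaults for a missing start or end time, and a whole day when only a month and day are given. The page does not say how two-digit years outside 90-99 are expanded, so the pivot used here (90-99 as 19xx, 00-89 as 20xx) is an assumption, as is treating a lone endpoint that carries a time as running from that time to the end of the day. All dates in the usage call are constructed sample values.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One endpoint of a period: mm/dd[/yy[yy]][@hh:mm]
_ENDPOINT_RE = re.compile(r"^(\d{1,2})/(\d{1,2})(?:/(\d{2}|\d{4}))?(?:@(\d{1,2}):(\d{2}))?$")

# (month, day, year or None for annual, (hh, mm) or None for the midnight default)
Endpoint = Tuple[int, int, Optional[int], Optional[Tuple[int, int]]]


def _year(raw: Optional[str]) -> Optional[int]:
    """Year as written, or None when the period is annual (no year, or a year before 1990)."""
    if raw is None:
        return None
    year = int(raw)
    if len(raw) == 2:
        # Assumption (not stated on the page): two-digit years 90-99 are 19xx, 00-89 are 20xx.
        year += 1900 if year >= 90 else 2000
    return None if year < 1990 else year


def _parse_endpoint(text: str) -> Endpoint:
    m = _ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"bad date endpoint: {text!r}")
    mon, day, raw_year, hh, mm = m.groups()
    time = (int(hh), int(mm)) if hh is not None else None
    if time is not None and not (0 <= time[0] <= 23 and 0 <= time[1] <= 59):
        raise ValueError(f"bad time in {text!r}")
    return (int(mon), int(day), _year(raw_year), time)


def parse_dates(spec: str) -> List[Tuple[Endpoint, Endpoint]]:
    """Parse a dates() value: space-separated periods, each 'start' or 'start-end'."""
    periods = []
    for item in spec.split():
        parts = item.split("-")
        if len(parts) == 1:
            start = _parse_endpoint(parts[0])
            # Only a day given: the holiday lasts the whole day (end time left at its default).
            end = (start[0], start[1], start[2], None)
        elif len(parts) == 2:
            start, end = _parse_endpoint(parts[0]), _parse_endpoint(parts[1])
        else:
            raise ValueError(f"bad period: {item!r}")
        periods.append((start, end))
    return periods


def _to_datetime(ep: Endpoint, year: int, is_end: bool) -> datetime:
    mon, day, _, time = ep
    if time is None:
        base = datetime(year, mon, day)                       # start default: 00:00 of the day
        return base + timedelta(days=1) if is_end else base   # end default: the midnight closing the day
    return datetime(year, mon, day, time[0], time[1])


def _in_period(period: Tuple[Endpoint, Endpoint], when: datetime) -> bool:
    start, end = period
    start_year = start[2] if start[2] is not None else end[2]
    end_year = end[2] if end[2] is not None else start[2]
    if start_year is None:
        # Annual: the period may have begun late in the previous year (e.g. 12/30-01/02).
        candidates = [(when.year - 1, when.year - 1), (when.year, when.year)]
    else:
        candidates = [(start_year, end_year)]
    for sy, ey in candidates:
        try:
            s = _to_datetime(start, sy, is_end=False)
            e = _to_datetime(end, ey, is_end=True)
            if e <= s and start_year is None:
                e = _to_datetime(end, ey + 1, is_end=True)    # annual period wrapping the year end
        except ValueError:
            continue  # e.g. 02/29 in a non-leap year: the period does not occur that year
        if s <= when < e:
            return True
    return False


def in_holiday(spec: str, when: datetime) -> bool:
    """True when 'when' falls inside any period of the dates() specification."""
    return any(_in_period(p, when) for p in parse_dates(spec))


if __name__ == "__main__":
    # Constructed sample values, mirroring the examples in the text.
    print(in_holiday("12/25", datetime(2024, 12, 25, 9, 0)))                                  # True
    print(in_holiday("12/25@14:00-12/25@17:00", datetime(2030, 12, 25, 13, 0)))              # False
    print(in_holiday("09/14/98@18:00-09/14/98@20:00", datetime(1999, 9, 14, 19, 0)))         # False: not annual
```

The end of a period is treated as exclusive, so a holiday given only as 12/25 covers 00:00 through 23:59 of that day and nothing of 12/26, matching the "whole day" rule.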
Defines the default access authority for the resource. The default access authority is the authority granted to any accessor not in the resource's access control list that requests access to the resource. The default access is also applied to users who are not defined in the database. Valid access authority values vary by class.
If you omit accessAuthority, CA ControlMinder assigns the implicit access specified in the UACC property of the record that represents the resource's class in the UACC class.
Defines Distribution Hosts this endpoint uses for disaster recovery.
Defines one or more absolute file paths, each of which constitutes a valid kernel module. Multiple file paths are separated by a colon (:).
Defines how the resource is to be trusted and how to check it for trusted status. Available flags are Ctime, Mtime, Mode, Size, Device, Inode, Crc, and Own/All/None.
Lets a program access protected, frequently‑opened files at a much faster rate than otherwise possible.
Assigns a CA ControlMinder group as the owner of the resource record. The group owner of the resource record has unrestricted access to the resource, provided the group owner's security level, security label, and security category authorities are sufficient to allow access to the resource. The group owner of the resource is always permitted to update and delete the resource record. See the Endpoint Administration Guide for UNIX for more information.
Assigns a security label to the resource record.
Deletes the security label from the resource record. Use this parameter only with the chres or editres command.
Assigns a security level to the resource record. Enter a positive integer between 1 and 255.
Removes any security level from the resource. Use this parameter only with the chres or editres command.
The mask and match parameters are applicable only to HOSTNET records. They are required when creating a HOSTNET record and are optional when modifying a record.
Use mask and match together to define the group of hosts represented by a HOSTNET record. A host is a member of the group if a bitwise AND of the host's IP address with the mask address produces the match address.
For example, specifying mask(255.255.255.0) and match(192.16.133.0) means a host is a member of the group if it has an IP address in the range 192.16.133.0 to 192.16.133.255.
The mask and match parameters require IPv4 addresses.
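The membership rule above is easy to misconfigure when the match address has bits set outside the mask (no host can ever match) or when a mask is non-contiguous (membership is then a scattered set, not the single address range people expect). The following functions, an added example rather than CA ControlMinder's own code, implement the rule on 32-bit IPv4 addresses and add those two checks; the function names and the address range derivation are this example's own, and the addresses used are the page's 192.16.133.0/255.255.255.0 example plus constructed values.

```python
import ipaddress
from typing import List, Optional, Tuple


def _addr(text: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer; rejects anything that is not IPv4."""
    return int(ipaddress.IPv4Address(text))


def hostnet_member(host_ip: str, mask: str, match: str) -> bool:
    """HOSTNET membership rule: (host_ip AND mask) == match, evaluated bitwise."""
    return (_addr(host_ip) & _addr(mask)) == _addr(match)


def hostnet_range(mask: str, match: str) -> Optional[Tuple[str, str]]:
    """Lowest and highest member address for a contiguous mask.

    Returns None for a non-contiguous mask: the AND rule still works there,
    but the members do not form one range.
    """
    m, t = _addr(mask), _addr(match)
    inverted = ~m & 0xFFFFFFFF
    if inverted & (inverted + 1):          # host bits are not a block of trailing ones
        return None
    low = t & m
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | inverted))


def validate_hostnet(mask: str, match: str) -> List[str]:
    """Consistency checks worth running before relying on a HOSTNET record."""
    problems = []
    m, t = _addr(mask), _addr(match)
    if t & ~m & 0xFFFFFFFF:
        problems.append("match has bits set outside the mask: no host can ever be a member")
    if m == 0:
        problems.append("mask 0.0.0.0 makes every host a member")
    if hostnet_range(mask, match) is None:
        problems.append("non-contiguous mask: members are a scattered set, not an address range")
    return problems


if __name__ == "__main__":
    # The page's example record plus constructed test addresses.
    print(hostnet_member("192.16.133.7", "255.255.255.0", "192.16.133.0"))   # True
    print(hostnet_range("255.255.255.0", "192.16.133.0"))                     # ('192.16.133.0', '192.16.133.255')
    print(validate_hostnet("255.255.255.0", "192.16.133.5"))                  # one problem reported
```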
Adds a member resource to a resource group. If you are adding more than one member resource, separate each name with a comma.
You can use the mem parameter only with resource records of the following classes:
Use the mem parameter to add a record of the appropriate type to a resource group, for example, to add a FILE record to a resource group of class GFILE.
Note: If you are using the mem parameter for CONTAINER resources, you must also include the of_class parameter.
Both the member resource and the resource group must already be defined in CA ControlMinder. To create a resource group, create a resource of the class you want. For example, the following command creates a GFILE resource group:
newres GFILE myfiles
Removes member resources from a resource group. If you are removing more than one member resource, separate the resource names with a space or a comma. Use this parameter only with the chres or editres command.
Defines an endpoint alias.
Defining aliases for the endpoint lets CA ControlMinder send advanced policy management commands to the actual endpoint based on the alias.
Defines the IP address of the host. Advanced policy management uses the IP address, in conjunction with the endpoint's name, to locate the required endpoint.
Instructs CA ControlMinder to send notification messages whenever the resource represented by the resource record is accessed. Enter a user name, an email address of a user, or the email address of a mail group if an alias is specified.
Notification takes place only when the Log Routing System is active. The notification messages are sent either to the screen or to the mailbox of the users, depending on the setup of the Log Routing System.
Each time a notification message is sent, an audit record is written in the audit log. For information on filtering and viewing audit records, see the Endpoint Administration Guide for UNIX.
The recipient of notify messages should log in frequently to respond to the unauthorized access attempts described in each message.
Limit: 30 characters.
Specifies that no one is notified when the resource represented by the resource record is successfully accessed. Use this parameter only with the chres or editres command.
Specifies the resource type for the record you are adding to the CONTAINER class with the mem parameter.
Assigns a CA ControlMinder user or group as the owner of the resource record. The owner of the resource record has unrestricted access to the resource, provided the owner's security level, security label, and security category authorities are sufficient to allow access to the resource. The owner of the resource is always permitted to update and delete the resource record. See the Endpoint Administration Guide for UNIX for more information.
Specifies, for the SUDO class, that the sesudo command requires the original user's password.
Cancels the password parameter, so that the sesudo command no longer requires the original user's password. Use this parameter with the chres or editres command only. If the password parameter was not used previously, then this parameter is unnecessary.
Adds a subscriber of the node in the propagation tree and specifies its status. Alternatively, updates an existing policy version to specify whether a policy deviation exists or not. The updated_by property must be updated when updating policy status. It is a string representing the name of the user that changed the policy status.
Policy status can be one of Transferred, Deployed, Undeployed, Failed, SigFailed, Queued, UndeployFailed, or TransferFailed.
Removes the named policy version from the node. If no policy is specified, all policies deployed to this node are removed.
Defines the name of the resource record to modify or add. When changing or adding more than one resource, enclose the list of resource names in parentheses and separate the resource names with a space or a comma. At least one resource name must be specified.
CA ControlMinder processes each resource record independently in accordance with the specified parameters. If an error occurs while processing a resource, CA ControlMinder issues a message and continues processing with the next resource in the list.
Note: If you use a variable in a resource name, use the following syntax to refer to the variable: <!variable>, for example, <!AC_ROOT_PATH>\bin. You can only use variables in selang rules in policies.
Specifies the days of the week and the hours in the day when users can access the file.
If you omit the days argument and specify the time argument, the time restriction applies to any day‑of‑week restriction already indicated in the record. If you omit time and specify days, the day restriction applies to any time restriction already indicated in the record. If you specify both days and time, the users may access the system only during the specified time period on the specified days.
Deletes any restrictions that limit the users' ability to access the file.
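The merge rule in the restrictions description (omitting days keeps the existing day restriction, omitting time keeps the existing time restriction, restrictions- clears both) is where day/time rules most often end up broader than intended. The example below, written for this page and not taken from CA ControlMinder, models a record's restrictions as a small dictionary, applies days()/time() updates with that merge rule, and evaluates whether an access at a given moment is permitted. The startTime:endTime values follow the HHMM form used in the page's own examples (0800:1800); treating the end time as exclusive is an assumption, and the function names and sample timestamps are constructed.

```python
from datetime import datetime
from typing import Dict, Optional, Set, Tuple

# Order matches datetime.weekday(): Monday is 0.
DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
Record = Dict[str, object]   # keys: "days" -> Set[int], "time" -> (start_minute, end_minute)


def _parse_days(spec: str) -> Set[int]:
    """days() argument: anyday, weekdays, or a list of mon..sun (space or comma separated)."""
    spec = spec.strip().lower()
    if spec == "anyday":
        return set(range(7))
    if spec == "weekdays":
        return set(range(5))
    days = set()
    for tok in spec.replace(",", " ").split():
        if tok not in DAY_NAMES:
            raise ValueError(f"unknown day {tok!r}")
        days.add(DAY_NAMES.index(tok))
    return days


def _parse_time(spec: str) -> Tuple[int, int]:
    """time() argument: anytime or HHMM:HHMM, returned as minutes since midnight."""
    spec = spec.strip().lower()
    if spec == "anytime":
        return (0, 24 * 60)
    start, end = spec.split(":")
    s = int(start[:2]) * 60 + int(start[2:])
    e = int(end[:2]) * 60 + int(end[2:])
    if not (0 <= s < e <= 24 * 60):
        raise ValueError(f"bad time window {spec!r}")
    return (s, e)


def apply_restrictions(record: Record, days: Optional[str] = None, time: Optional[str] = None) -> Record:
    """chres ... restrictions(...): an omitted argument leaves the existing restriction in place."""
    updated = dict(record)
    if days is not None:
        updated["days"] = _parse_days(days)
    if time is not None:
        updated["time"] = _parse_time(time)
    return updated


def clear_restrictions(record: Record) -> Record:
    """chres ... restrictions-: removes both the day and the time restriction."""
    updated = dict(record)
    updated.pop("days", None)
    updated.pop("time", None)
    return updated


def access_allowed(record: Record, when: datetime) -> bool:
    """True when 'when' satisfies every restriction present on the record."""
    days = record.get("days")
    if days is not None and when.weekday() not in days:
        return False
    window = record.get("time")
    if window is not None:
        minute = when.hour * 60 + when.minute
        if not (window[0] <= minute < window[1]):   # assumption: end of window is exclusive
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: the page's weekdays 0800:1800 example, then a time-only change.
    rec = apply_restrictions({}, days="weekdays", time="0800:1800")
    rec = apply_restrictions(rec, time="0900:1700")        # days restriction is kept
    print(access_allowed(rec, datetime(2024, 1, 13, 10, 0)))   # Saturday: False
    print(access_allowed(rec, datetime(2024, 1, 15, 10, 0)))   # Monday: True
```

A quick audit of the merge rule: after the second apply_restrictions call the record still refuses weekend access, because the days restriction from the first call was never cleared; only restrictions- (clear_restrictions here) removes it.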
Specifies a rule set to associate with the policy.
Deletes a rule set from the policy. If no ruleset is specified, removes all rulesets from the policy.
Specifies a hash value. For a policy, this is based on signatures of RULESET objects associated with the policy. For a ruleset, this is based on the policy deployment command list and policy undeployment (removal) command list.
Adds a subscriber of the node in the propagation tree and specifies its status. Status can be one of unknown, available, unavailable, or sync.
Removes a subscriber database from the node. If no subscriber is specified, all subscribers are removed.
Specifies, for the SUDO class, the name of the user whose authority is borrowed for executing the command. Default is root.
Specifies that the resource is trusted. The trust parameter applies only to resources of the PROGRAM and SECFILE classes. Users can execute the program as long as the program remains trusted. See the Endpoint Administration Guide for UNIX for more information. Use this parameter only with the chres or editres command.
Specifies that the resource is untrusted. The trust‑ parameter applies only to resources of the PROGRAM and SECFILE classes. Users cannot execute an untrusted program. See the Endpoint Administration Guide for UNIX for more information. Use this parameter only with the chres or editres command.
Specifies a list of selang commands that define policy undeployment. These are the commands used to remove the deployed policy (undeploy). For example:
editres RULESET IIS5#02 undocmd+("rr FILE /inetpub/*")
Removes policy removal command list from the RULESET object.
Adds the specified value to the specified variable (ACVAR object).
Removes the specified value from the specified variable (ACVAR object).
Specifies that, even if an accessor's authority is insufficient to access the resource, CA ControlMinder is to allow access to the resource. However, CA ControlMinder writes a warning message in the audit log.
Note: In Warning Mode, CA ControlMinder does not create warning messages for resource groups.
Specifies that, if an accessor's authority is insufficient to access the resource, CA ControlMinder is to deny the user access to the resource and does not write a warning message. Use this parameter only with the chres or editres command.
Examples
chres TERMINAL tty30 owner(admin1) defaccess(read) \
    restrictions(days(weekdays) time(0800:1800))
chres FILE /account.txt group() owner()
To remove any record property that is defined by a string, type the property with either the "-" sign or empty parentheses "()".
chres TERMINAL tty190 comment‑ notify(Bob@athena)
chres SURROGATE USER.root category(OPERATOR)
newres PROGRAM /bin/su defaccess(x) trust
newres SURROGATE GROUP.system defaccess(n) owner(nobody)
newres GTERMINAL ProjATerms mem(T1,T8,T11) owner(PROJECTA) \
    restrictions(days(weekdays) time(0800:1800)) defaccess(n)
Copyright © 2013 CA Technologies.
All rights reserved.