selang Reference Guide › selang Commands › selang Commands Reference › chres Command—Modify Resource Records

chres Command—Modify Resource Records

Valid in the AC environment

Use the chres, editres, and newres commands to work with resource records that belong to a CA ControlMinder class. These commands are identical in structure and only vary in the following way:

• The chres command modifies one or more resources.
• The editres command creates or modifies one or more resources.
• The newres command creates one or more resources.

Note: This command also exists in the native Windows environment but operates differently there.

To add a resource using the newres command, at least one of the following conditions must be true:

• You have the ADMIN attribute.
• You have CREATE access authority in the ACL of the resource class's record in the ADMIN class.
• If the token use_unix_file_owner in the seos.ini file is set to yes, an owner of a file in UNIX can define it as a new resource to CA ControlMinder.

To add or change a resource using the chres or editres commands, you must have sufficient authority over the resource. CA ControlMinder checks in the following order for any one of these conditions:

1. You have the ADMIN attribute.
2. The resource record is within the scope of a group in which you have the GROUP‑ADMIN attribute.
3. You are the owner of the record.
4. You are assigned MODIFY (for chres) or CREATE (for editres) access authority in the access control list of the resource class's record in the ADMIN class.

Note: The maximum length of a resource name is 255 single byte characters.

The following table lists command parameters that apply for each class that can be administered using the chres, editres, and newres commands.

{{chres|cr}|{editres|er}|{newres|nr}} className resourceName \

[ac_id(id)] \
[audit({none|all|success|failure})] \
[calendar[-](calendarName)] \
[category[-](categoryName)] \
[cmd+(selang_command_string)|cmd-] \
[comment(string)|comment‑] \
[container[-](containerName)] \
[dates(time‑period)] \
[dh_dr{-|+}(dh_dr)] \
[disable|disable-] \
[defaccess(accessAuthority)] \
[filepath(filePaths)] \
[flags[-|+](flagName)] \
[gacc(access‑value)] \
[gowner(groupName)] \
[host(host-name)|host-] \
[label(labelName)|label‑] \
[level(number)|level‑] \
[mask(inetAddress)|match(inetAddress)] \
[mem(resourceName)|mem‑(resourceName)] \
[node_alias{-|+}(alias)] \
[node_ip{-|+}(ip)] \
[notify(mailAddress)|notify‑] \
[of_class(className)]  \
[owner({userName | groupName})] \
[{password | password‑}] \
[policy(name(policy-name) {{deviation+|dev+}|{deviation-|dev-}})] \
[policy(name(policy-name) status(policy-status) {updator|updated_by}(user-name))] \
[{restrictions([days({anyday|weekdays|{[mon] [tue] [wed] \

[thu] [fri] [sat] [sun]}})] \
[time({anytime|startTime:endTime}) \

|restrictions‑}] \
[targuid(userName)] \
[trust | trust‑] \
[value{+|-}(value)] \
[warning | warning‑]

ac_id(id)

Defines a unique ID for the endpoint (HNODE object) that is saved in the local CA ControlMinder database and on the DMS. CA ControlMinder uses this ID to identify the HNODE, so that changes to the endpoint's IP address or name do not affect advanced policy management functionality; CA ControlMinder can still trace the endpoint.

audit

Indicates which access events are logged. Specify one of the following attributes:

• all-CA ControlMinder logs both authorized and unauthorized access attempts.
• failure-CA ControlMinder logs unauthorized access attempts. This is the default value.
• none-CA ControlMinder does not write any records in the log file.
• success-CA ControlMinder logs authorized access attempts.

calendar(calendarName)

Defines Unicenter NSM calendar records that represent time restrictions in Unicenter TNG. CA ControlMinder maintains a list of these objects for management purposes only, but doesn't protect them. When assigning more than one calendar, separate the calendar names with a space or a comma.

calendar‑(calendarName)

Deletes one or more Unicenter NSM calendar records from the resource record. Use this parameter with the chres or editres command only.

category(categoryName [,categoryName...])

Assigns one or more security categories A security category is the name of record in the CATEGORY class. You can assign a security category to accessors and to resources. An accessor can access a resource only if the accessor is assigned to all of the security categories assigned to the resource. to the resource record.

If you specify the category parameter when the CATEGORY class is not active, CA ControlMinder updates the resource definition in the database; however, the updated category assignment has no effect until the CATEGORY class is activated again.

category‑(categoryName [,categoryName...])

Deletes one or more security categories from the resource record.

The specified security categories are deleted from the resource record, regardless of whether the CATEGORY class is active. Use this parameter only with the chres or editres command.

className

Specifies the name of the class to which the resource belongs. To list the resource classes defined to CA ControlMinder, use the find command.

cmd+(selang_command_string)

Specifies a list of selang commands that define the policy. These are the commands used to deploy the policy. For example,

editres RULESET IIS5#02 cmd+("nr FILE /inetpub/* defaccess(none) owner(nobody)")

cmd-

Removes policy deployment command list from the RULESET object.

comment(string)

Adds an alphanumeric string of up to 255 characters to the resource record. If the string contains any blanks, enclose the entire string in single quotation marks. The string replaces any existing string defined previously.

Note: For the SUDO class, this string has a special meaning. For more information about defining SUDO records, see the Endpoint Administration Guide for UNIX.

comment‑

Deletes the comment from the resource record. Use this parameter only with the chres or editres command.

container(containerName)

Represents CONTAINER objects, a generic grouping class.

containerName is the name of one or more CONTAINER records defined in the CONTAINER class. When assigning more than one CONTAINER, separate the names with a space or a comma.

container‑(containerName)

Deletes one or more CONTAINER records from the resource record. Use this parameter with the chres or editres command only.

dates(time‑period)

Defines one or more periods when users cannot log in, such as holidays. If more than one time period is specified, separate the periods with a space. Use the following format:

mm/dd[/yy[yy]][@hh:mm][-mm/dd]/[/yy[yy]][@hh:mm]

If you do not specify a year, (or you specify a year before 1990), it means the period or holiday is annual. You can specify the year with two digits or four digits, for example: 98 or 1998.

If you do not specify a start time then the start of the day (midnight) is used; if you do not specify an end time then the end of the day (midnight) is used. The format of the hours and the minutes is hh:mm, where hh is the hour in 24‑hour notation (00 through 23) and mm is the minutes (00 through 59).

If you do not specify an interval of time (for example, 12/25@14:00‑12/25@17:00), but only a day and a month (12/25), then the holiday lasts for one whole day.

If you are issuing the command in a different time zone from where the holiday occurs, translate the period to your local time. For example, if you are in New York and Los Angeles has a half‑day holiday, you must enter 09/14/98@18:00‑09/14/98@20:00. This prevents the users from logging in from 3:00 p.m. to 5:00 p.m. in Los Angeles.

defaccess([accessAuthority])

Defines the default access authority for the resource. The default access authority is the authority granted to any accessor not in the resource's access control list that requests access to the resource. The default access is also applied to users who are not defined in the database. Valid access authority values vary by class.

If you omit accessAuthority, CA ControlMinder assigns the implicit access specified in the UACC property of the record that represents the resource's class in the UACC class.

dh_dr{+|-}(dh_dr)

Defines Distribution Hosts this endpoint uses for disaster recovery.

filepath(filePaths)

Defines one or more absolute file paths, each of which constitutes a valid kernel module. Multiple file paths are separated by a colon (:).

flags(flagName)

Defines how the resource is to be trusted and how to check it for trusted status. Available flags are Ctime, Mtime, Mode, Size, Device, Inode, Crc, and Own/All/None.

gacc(access‑value)

Lets a program access protected, frequently‑opened files at a much faster rate than otherwise possible.

gowner(groupName)

Assigns a CA ControlMinder group as the owner of the resource record. The group owner of the resource record has unrestricted access to the resource, provided the group owner's security level, security label, and security category authorities are sufficient to allow access to the resource. The group owner of the resource is always permitted to update and delete the resource record. See the Endpoint Administration Guide for UNIX for more information.

label(labelName)

Assigns a security label A security label is the name of a record in the SECLABEL class. A security label bundles together a security level and a set of security categories. Assigning a security label to an accessor or a resource gives the accessor or resource the combined security level and security categories associated with the security label. A security label overrides any specific security level and category assignments in an accessor or resource. to the resource record.

label‑

Deletes the security label from the resource record. Use this parameter only with the chres or editres command.

level(number)

Assigns a security level A security level is an integer between 0 and 255 that you can assign to accessors and resources. An accessor cannot access a resource if the accessor has a security level less than the security level assigned to the resource, even if the user is granted access authority in the resource's access control list. to the resource record. Enter a positive integer between 1 and 255.

level‑

Removes any security level from the resource. Use this parameter only with the chres or editres command.

mask (IPv4‑address) match (IPv4‑address)

The mask and match parameters are applicable only to HOSTNET records. They are required when creating a HOSTNET record and are optional when modifying a record.

Use mask and match together to define the group of hosts defined by a HOSTNET record. A host is a member of a HOSTNET record group if an AND of the host IP address with the mask address produces the match address.

For example, specifying mask(255.255.255.0) and match(192.16.133.0) means a host is a member of the group if it has an IP address in the range 192.16.133.0 to 192.16.133.255.

The mask and match parameters require IPv4 addresses.

mem(resourceName)

Adds a member resource to a resource group. If you are adding more than one member resource, separate each name with a comma.

You can use the mem parameter only with resource records of the following classes:

• CONTAINER. This class defines a group of objects from other resource classes.
• GFILE. This class contains resource records that define groups of files.
• GHOST. This class contains resource records that define groups of hosts.
• GSUDO. This class contains resource records that define groups of commands.
• GTERMINAL. This class contains resource records that define groups of terminals.
• GPOLICY. This class contains resource records that define a logical policy.
• GHNODE. This class contains resource records that define a host group.
• GDEPLOYMENT. This class contains resource records that define the policy deployment.

Use the mem parameter to add a record of the appropriate type to a resource group, for example, to add a FILE record to a resource group of class GFILE.

Note: If you are using the mem parameter for CONTAINER resources, you must also include the of_class parameter.

Both the member resource and the resource group must already be defined in CA ControlMinder. To create a resource group, create a resource of the class you want. For example, the following command creates a GFILE resource group:

newres GFILE myfiles

mem‑(resourceName)

Removes member resources from a resource group. If you are removing more than one member resource, separate the resource names with a space or a comma. Use this parameter only with the chres or editres command.

node_alias{-|+}(alias)

Defines an endpoint alias.

Defining aliases for the endpoint aliases lets CA ControlMinder send advanced policy management commands to the actual endpoint based on the alias.

node_ip[-|+](ip)

Defines the IP address of the host. Advanced policy management uses the IP address, in conjunction with the endpoint's name, to locate the required endpoint.

notify(mailAddress)

Instructs CA ControlMinder to send notification messages whenever the resource represented by the resource record is accessed. Enter a user name, an email address of a user, or the email address of a mail group if an alias is specified.

Notification takes place only when the Log Routing System is active. The notification messages are sent either to the screen or to the mailbox of the users, depending on the setup of the Log Routing System.

Each time a notification message is sent, an audit record is written in the audit log. For information on filtering and viewing audit records, see the Endpoint Administration Guide for UNIX.

The recipient of notify messages should log in frequently to respond to the unauthorized access attempts described in each message.

Limit: 30 characters.

notify‑

Specifies that no one is notified when the resource represented by the resource record is successfully accessed. Use this parameter only with the chres or editres command.

of_class(className)

Specifies the resource type for the record you are adding to the CONTAINER class with the mem parameter.

owner(Name)

Assigns a CA ControlMinder user or group as the owner of the resource record. The owner of the resource record has unrestricted access to the resource, provided the owner's security level, security label, and security category authorities are sufficient to allow access to the resource. The owner of the resource is always permitted to update and delete the resource record. See the Endpoint Administration Guide for UNIX for more information.

password

Specifies, for the SUDO class, that the sesudo command requires the original user's password.

password‑

Cancels the password parameter, so that the sesudo command no longer requires the original user's password. Use this parameter with the chres or editres command only. If the password parameter was not used previously, then this parameter is unnecessary.

policy(name(name#xx) status(status) updated_by(name)) | policy(name(name#xx) deviation{+|-})

Adds a subscriber of the node in the propagation tree and specifies its status. Alternatively, updates an existing policy version to specify whether a policy deviation exists or not. The updated_by property must be updated when updating policy status. It is a string representing the name of the user that changed the policy status.

Policy status can be one of Transferred, Deployed, Undeployed, Failed, SigFailed, Queued, UndeployFailed, or TransferFailed.

policy-[(name(name#xx))]

Removes the named policy version from the node. If no policy is specified, all policies deployed to this node are removed.

resourceName

Defines the name of the resource record to modify or add. When changing or adding more than one resource, enclose the list of resource names in parentheses and separate the resource names with a space or a comma. At least one resource name must be specified.

CA ControlMinder processes each resource record independently in accordance with the specified parameters. If an error occurs while processing a resource, CA ControlMinder issues a message and continues processing with the next resource in the list.

Note: If you use a variable in a resource name, use the following syntax to refer to the variable: <!variable>, for example, <!AC_ROOT_PATH>\bin. You can only use variables in selang rules in policies.

restrictions([days] [time])

Specifies the days of the week and the hours in the day when users can access the file.

If you omit the days argument and specify the time argument, the time restriction applies to any day‑of‑week restriction already indicated in the record. If you omit time and specify days, the day restriction applies to any time restriction already indicated in the record. If you specify both days and time, the users may access the system only during the specified time period on the specified days.

• [Days] specifies the days on which users may access the file. The days argument takes the following sub‑arguments:
  • anyday-Allow users access to the file on any day.
  • weekdays-Allow users access to the resource only on weekdays-Monday through Friday.
  • Mon, Tue, Wed, Thu, Fri, Sat, Sun-Allow users access to the resource only on the specified days. You can specify the days in any order. If you specify more than one day, separate the days with a space or a comma.
• [Time] specifies the period during which users may access the resource. The time argument takes the following sub‑arguments:
  • anytime-Allow users access to the resource at any time of the day.
  • startTime:endTime-Allow access to the resource only during the specified period. The format of both startTime and endTime is hhmm, where hh is the hour in 24‑hour notation (00 through 23) and mm is the minutes (00 through 59). Note that 2400 is not a valid time value. startTime must be less than endTime, and both times must occur on the same day. If the terminal is in a different time zone from the processor, adjust the time values by translating the start and end times for the terminal to the equivalent local times for the processor. For example, if the processor is in New York and the terminal is in Los Angeles, to allow access to the terminal from 8:00 a.m. to 5:00 p.m. in Los Angeles, specify time (1100:2000).

restrictions‑([days] [time])

Deletes any restrictions that limit the users' ability to access the file.

ruleset+(name)

Specifies a rule set to associate with the policy.

ruleset-(name)

Deletes a rule set from the policy. If no ruleset is specified, removes all rulesets from the policy.

signature(hash_value)

Specifies a hash value. For a policy, this is based on signatures of RULESET objects associated with the policy. For a ruleset, this is based on the policy deployment command list and policy undeployment (removal) command list.

subscriber(name(sub_name) status(status))

Adds a subscriber of the node in the propagation tree and specifies its status. Status can be one of unknown, available, unavailable, or sync.

subscriber-(name(sub_name)) | sub-

Removes a subscriber database from the node. If no subscriber is specified, all subscribers are removed.

targuid(userName)

Specifies, for the SUDO class, the name of the user whose authority is borrowed for executing the command. Default is root.

trust

Specifies that the resource is trusted. The trust parameter applies only to resources of the PROGRAM and SECFILE classes. Users can execute the program as long as the program remains trusted. See the Endpoint Administration Guide for UNIX for more information. Use this parameter only with the chres or editres command.

trust‑

Specifies that the resource is untrusted. The trust‑ parameter applies only to resources of the PROGRAM and SECFILE classes. Users cannot execute an untrusted program. See the Endpoint Administration Guide for UNIX for more information. Use this parameter only with the chres or editres command.

undocmd+(selang_command_string)

Specifies a list of selang commands that define policy undeployment. These are the commands used to remove the deployed policy (undeploy). For example:

editres RULESET IIS5#02 undocmd+("rr FILE /inetpub/*")

undocmd-

Removes policy removal command list from the RULESET object.

value+(value)

Adds the specified value to the specified variable (ACVAR object).

value-(value)

Removes the specified value from the specified variable (ACVAR object).

warning

Specifies that, even if an accessor's authority is insufficient to access the resource, CA ControlMinder is to allow access to the resource. However, CA ControlMinder writes a warning message in the audit log.

Note: In Warning Mode, CA ControlMinder does not create warning messages for resource groups.

warning‑

Specifies that, if an accessor's authority is insufficient to access the resource, CA ControlMinder is to deny the user access to the resource and does not write a warning message. Use this parameter only with the chres or editres command.

Examples

• The user admin1 wants to change the owner and default access for the terminal tty30 and restrict the use of the terminal to weekdays during regular business hours (8:00 a.m. to 6:00 p.m.).
  • The user admin1 has the ADMIN attribute.

    chres TERMINAL tty30 owner(admin1) defaccess(read)  restrictions \
    (days(weekdays)time(0800:1800))
    

• The admin user Sally wants to remove the group and owner property stored in a FILE class record for file account.txt.
  • The user Sally is the owner of Jared's user record.

    chres FILE /account.txt group() owner()
    

  To remove any record property, if the property is defined by a string, type the property with either the “‑“ sign or empty parenthesis “()”.

• The user Bob wants to delete the comment field of the terminal tty190 and be notified whenever access to the terminal is granted.
  • The user Bob is a CA ControlMinder user and is the owner of the terminal tty190.

    chres TERMINAL tty190 comment‑ notify(Bob@athena)
    

• The user Admin1 wants to add the OPERATOR category to the list of security categories of the resource USER.root, which is in the SURROGATE class.
  • The user Admin1 has the ADMIN attribute.
  • The OPERATOR category is defined in the database.

    chres SURROGATE USER.root category(OPERATOR)
    

• The user admin1 wants to define /bin/su as a trusted program with a global access of EXECUTE.
  • The user admin1 has the ADMIN attribute.
  • The following defaults apply:
    • restrictions(days(anyday) time(anytime))
    • owner(admin1)
    • audit(failure)

      newres PROGRAM /bin/su defaccess(x) trust
      

• The user admin1 wants to define the substitution of group ID to the group “system” as a protected resource to which no user, including admin1, has access.
  • The user admin1 has the ADMIN attribute. The user nobody is defined to CA ControlMinder.
  • The following defaults apply:
    • restrictions(days(anyday) time(anytime))
    • audit(failure)

      newres SURROGATE GROUP.system defaccess(n) owner(nobody)
      

• The user SecAdmin wants to define ProjATerms, a group of terminals containing the terminals T1, T8, and T11. The terminal group is to be used only by the group PROJECTA and only on weekdays during regular business hours (8:00 a.m. to 6:00 p.m.).
  • The user SecAdmin has the ADMIN attribute.
  • The terminals T1, T8, and T11 are defined to CA ControlMinder.
  • The group PROJECTA is defined to CA ControlMinder.
  • audit(failure)

    newres GTERMINAL ProjATerms mem(T1,T8,T11) owner(PROJECTA) \
    restrictions(days(weekdays) time(0800:1800)) defaccess(n)
    

More information:

rmres Command—Delete a Resource

showres Command—Display Resource Properties

find Command—List Database Records

chres Command—Modify Windows Resources

authorize Command—Set Access Authorities on a Resource

Access Authority by Class

CONTAINER Class