A trusted program is one that can be executed only as long as it has not been altered. Ordinarily it is a setuid/setgid program. CA ControlMinder also allows you to specify regular programs as trusted. When you are sure that the program has not been tampered with, register it in the PROGRAM class, where CA ControlMinder can guard its integrity.
You may want to use trusted programs together with program pathing, so users can perform certain tasks only by means of trusted programs.
Note: For more information about program pathing, see the Endpoint Administration Guide for UNIX.
CA ControlMinder can help you with a script to register a whole collection of setuid and setgid programs as trusted.
Issue this command:
seuidpgm -q -l -f / > /opt/CA/AccessControl/seuid.txt
Run as shown, seuidpgm does the following:
Note: For a complete description of seuidpgm, see the Reference Guide.
Then run selang to process the generated script:
selang [-l] -f /opt/CA/AccessControl/seuid.txt
It may take a few minutes for selang to finish.
Enter the following selang command to set the default access of the PROGRAM class to none:
chres PROGRAM _default defaccess(none)
Note: Veteran CA ControlMinder users will remember the UACC class in this connection. That class still exists and can be used to specify the default access of a resource. However, for ease of use we recommend that for specifying the default access of a class, you use the class's _default record instead. The _default specification overrides any UACC specification for the same class.
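The following shell script is an added example, not CA ControlMinder's seuidpgm or any code from CA. It approximates the first part of the procedure above: walk a directory tree, find every setuid or setgid executable, and write a selang script that registers each one in the PROGRAM class. It assumes the selang newres PROGRAM <path> syntax for registering a resource and uses a constructed output path; the real procedure runs seuidpgm and then selang as shown above.

```shell
#!/bin/sh
# Added example (not the seuidpgm utility): emit a selang script that registers
# every setuid/setgid file under a directory tree as a PROGRAM resource.
# Assumption: "newres PROGRAM <path>" is the selang command to create the record.

# gen_program_script <root_dir> <output_file>
gen_program_script() {
    root="$1"
    out="$2"
    : > "$out"
    # -perm -4000 matches setuid files, -perm -2000 matches setgid files (POSIX find)
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r path; do
        printf 'newres PROGRAM %s\n' "$path" >> "$out"
    done
}

# count_registered <output_file>: number of programs the script would register
count_registered() {
    grep -c '^newres PROGRAM ' "$1"
}

# Usage (constructed path, standing in for /opt/CA/AccessControl/seuid.txt):
#   gen_program_script / /tmp/seuid-example.txt
#   count_registered /tmp/seuid-example.txt
```

Review the generated file before feeding it to selang: only programs you are sure have not been tampered with should become trusted, and the chres PROGRAM _default defaccess(none) step above is what makes registration meaningful, since unregistered programs then get no default access.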
The records in the PROGRAM class representing the setuid, setgid, and regular programs that you have registered store the following attributes of the executable files.
The most important attribute of each program you register is that the program is trusted. That is, the program is considered OK to run. Any change in any of the attributes listed previously causes the program to lose its trusted status, and then CA ControlMinder can prevent the program from running.
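To make the trusted-status idea concrete, here is an added shell example that is not part of CA ControlMinder and does not reproduce the product's attribute set: it records a SHA-256 baseline for a list of registered programs and reports a program as trusted only while its current hash still matches. The hash stands in for the file attributes the product tracks; sha256sum is assumed to be available (GNU coreutils).

```shell
#!/bin/sh
# Added example, not CA ControlMinder code: a file-hash baseline that mimics
# how a registered program loses trusted status after any change.
# Assumption: sha256sum is on PATH; the hash is the only attribute tracked here.

# record_baseline <list_file> <baseline_file>
# list_file holds one program path per line; baseline_file gets "<sha256> <path>".
record_baseline() {
    : > "$2"
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        printf '%s %s\n' "$sum" "$path" >> "$2"
    done < "$1"
}

# check_trusted <program_path> <baseline_file>
# Prints trusted, untrusted or unregistered; returns 0 only for trusted.
check_trusted() {
    recorded=$(awk -v p="$1" '$2 == p { print $1; exit }' "$2")
    if [ -z "$recorded" ]; then
        echo unregistered
        return 1
    fi
    current=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$recorded" = "$current" ]; then
        echo trusted
        return 0
    fi
    echo untrusted
    return 1
}

# Usage (constructed paths):
#   printf '/usr/bin/passwd\n' > /tmp/programs.txt
#   record_baseline /tmp/programs.txt /tmp/baseline.txt
#   check_trusted /usr/bin/passwd /tmp/baseline.txt
```

A real enforcement point would refuse to execute anything that is untrusted or unregistered, which is the effect the page describes for CA ControlMinder once a registered program's attributes change.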
Copyright © 2013 CA Technologies.
All rights reserved.