

Maintenance Mode Protection (Silent Mode)

CA ControlMinder has a maintenance mode, also known as silent mode, for protection when the CA ControlMinder daemons are down for maintenance. In this mode, CA ControlMinder denies events while these daemons are down.

When CA ControlMinder is running, it intercepts security-sensitive events and checks whether each event is allowed. If maintenance mode is not activated, all events are permitted when CA ControlMinder services are down. With maintenance mode active, events are denied when the CA ControlMinder daemons are down, stopping user activity while the system is maintained.

Maintenance mode can be tuned, and it is disabled by default.

When the CA ControlMinder security services are down:

When maintenance mode is activated and security is down, the prevented events are not logged in the audit log file.

To enable maintenance mode, follow these steps:

Important! If root is not the maintenance user, make sure you have an open session for the maintenance user, as you will not be able to log in otherwise.

  1. Make sure the CA ControlMinder daemons are down.
  2. Using the seini utility, change the value of the silent_deny token to yes.

    The token is located under SEOS_syscall section.

    seini -s SEOS_syscall.silent_deny yes
    
  3. Change the value of the silent_admin token to the numeric UNIX UID that you want to let access the computer while the CA ControlMinder daemons are down.

    seini -s SEOS_syscall.silent_admin <maintenance_UID>
    

    Note: root is the default maintenance mode user (UID 0).

    Important! If the maintenance user is not root, you must make the CA ControlMinder authorization daemon setuid to the root user so that you can start CA ControlMinder in maintenance mode. To make this change, enter the following command:

    chmod 6111 seosd

  4. Start the CA ControlMinder daemons with the seload command.

    Note: If the maintenance mode user is not root, start the CA ControlMinder daemons with the seosd command.
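
The steps above as a dry-run planner (an added example, not part of the CA ControlMinder product or its documentation): it checks the preconditions and prints the commands for the operator to review, without changing anything. The function names, the seosd path argument and the assumption that the daemon appears in ps output as seosd are all hypothetical.

```sh
#!/bin/sh
# Added example: dry-run planner for enabling maintenance (silent) mode.
# It changes nothing; it prints the commands from the steps above for review.

# True when a process named exactly "seosd" is running.
# Assumption: the authorization daemon shows up under that name in ps output.
seosd_running() {
    ps -e -o comm= 2>/dev/null |
        awk -F/ '$NF == "seosd" { found = 1 } END { exit !found }'
}

# True when FILE is a regular file with the setuid bit set (owner not checked).
has_setuid() {
    [ -n "$(find "$1" -prune -type f -perm -4000 2>/dev/null)" ]
}

# plan_maintenance MAINTENANCE_UID SEOSD_PATH
# Returns 2 for a non-numeric UID, 3 if seosd is still running.
plan_maintenance() {
    m_uid=$1
    seosd=$2
    case $m_uid in
        '' | *[!0-9]*)
            echo "error: silent_admin takes a numeric UNIX UID" >&2
            return 2 ;;
    esac
    if seosd_running; then
        echo "error: seosd is running; stop the daemons first" >&2
        return 3
    fi
    echo "seini -s SEOS_syscall.silent_deny yes"
    echo "seini -s SEOS_syscall.silent_admin $m_uid"
    if [ "$m_uid" -eq 0 ]; then
        echo "seload"                  # root is the default maintenance user
    else
        echo "# keep a session for UID $m_uid open before starting"
        # A non-root maintenance user needs the setuid bit on seosd.
        has_setuid "$seosd" || echo "chmod 6111 $seosd"
        echo "$seosd"                  # non-root: start with seosd, not seload
    fi
}

# Stand-alone use: sh plan.sh <maintenance_UID> <path to seosd>
if [ "$#" -eq 2 ]; then
    plan_maintenance "$1" "$2"
fi
```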