

serevu Utility—Handle Unsuccessful Login Attempts

Valid on UNIX

The serevu utility handles users who have had a specified number of failed login attempts during a specified period. Depending on your specifications, it can disable, report, or ignore the user. By default, it disables the user in the UNIX environment of the local station. If no such user exists locally, serevu checks the NIS information to find the user.

If you set a value in the passwd_pmd configuration setting, CA ControlMinder updates the PMDB it names, which then propagates the update to its subscribers. If passwd_pmd is not set, CA ControlMinder updates the PMDB named in the parent_pmd configuration setting instead, and that PMDB propagates the update to its subscribers.

Note: If you want serevu to send commands to the PMD (which you can configure in serevu.cfg) and root is not defined on the PMD with the ADMIN attribute or with terminal access, define the following on the PMD and all of its subscribers:

eu _serevu logical
authorize admin USER uid(_serevu) access(a)
# The following line can be executed on the master PMD only
authorize terminal localTerminalName uid(_serevu) access(a)

Notes: For the serevu utility to work properly, the user root must have write access to the file /etc/passwd. If you define a remote computer in the serevu configuration file (serevu.cfg), you must also give login authorization to the remote computer. For example:

eu _serevu admin logical
authorize terminal localTerminalName uid(_serevu) access(a)
er specialpgm $ACDIR/bin/serevu seosuid(_serevu) unixuid(root)

This command has the following format:

serevu {daemon|nodaemon} [-f nn] \
[-d {nn[s|m|h|d|w]|FOREVER}] \
[{-s|-t} nn[s|m|h|d|w]]

daemon

Runs the utility as a daemon. This is the default value.

nodaemon

Runs the utility as a regular process.

-d

Specifies the amount of time for which the user's login is disabled. By default, this value is in seconds.

Note: The amount of time a user account is disabled cannot be less than the time between successive serevu scans (the -t value), and it should be a multiple of that interval.

-f

Specifies the number of failed logins. The serevu utility disables the accounts of users who reach this number of failed logins over the specified period.

Note: We recommend that the number of failed logins, which can also be defined by the value of the def_fail_count configuration setting, always be the same as the value of allowed unsuccessful login attempts set on your system. (On Solaris, for example, the system values for this are set in /etc/default/login by the RETRIES token.) See your operating system documentation for more details.

-h

Displays the help for this utility.

-s

Specifies the time period, starting from now and going backwards, within which serevu scans for failed logins.

Default: 300 seconds (configuration setting).

-t

Specifies the time period that should elapse between successive serevu checks.

Default: 120 seconds (configuration setting).

FOREVER

Used with the -d option, specifies the time as unlimited. If you use this parameter, user logins will be disabled forever.

nn[s|m|h|d|w]

Used with the -d, -s, and -t options, specifies the time for the option.

s

nn in seconds (the default).

m

nn in minutes.

h

nn in hours.

d

nn in days.

w

nn in weeks.
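
The note under -d (the disable time must be at least the scan interval, and should be a multiple of it) can be checked before serevu is started. The following shell functions are an added example, not CA ControlMinder code: they parse the nn[s|m|h|d|w] format and compare a -d value with a -t value. The function names and return codes are hypothetical; a missing scan interval falls back to the 120-second default stated above.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check for serevu -d / -t values.
# Function names and return codes are hypothetical.

# Convert nn[s|m|h|d|w] to seconds; a bare number is seconds (the default unit).
serevu_to_seconds() {
    case "$1" in
        ''|*[!0-9smhdw]*) return 1 ;;      # empty or illegal character
    esac
    num=${1%[smhdw]}                       # strip one trailing unit letter
    unit=${1#"$num"}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    # Drop leading zeros so the shell does not read the number as octal.
    while [ "${num#0}" != "$num" ] && [ "${#num}" -gt 1 ]; do num=${num#0}; done
    case "$unit" in
        ''|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        d)    mult=86400 ;;
        w)    mult=604800 ;;
        *)    return 1 ;;
    esac
    echo $((num * mult))
}

# serevu_check_timing DISABLE [INTERVAL]
#   DISABLE  : value intended for -d (nn[s|m|h|d|w] or FOREVER)
#   INTERVAL : value intended for -t (defaults to 120 seconds)
# Returns 0 = consistent, 1 = bad syntax,
#         2 = disable time shorter than the scan interval,
#         3 = disable time not a multiple of the scan interval.
serevu_check_timing() {
    disable=$1
    interval=${2:-120}
    t_secs=$(serevu_to_seconds "$interval") || return 1
    [ "$t_secs" -gt 0 ] || return 1
    if [ "$disable" = "FOREVER" ]; then
        return 0                           # unlimited disable always satisfies the note
    fi
    d_secs=$(serevu_to_seconds "$disable") || return 1
    [ "$d_secs" -ge "$t_secs" ] || return 2
    [ $((d_secs % t_secs)) -eq 0 ] || return 3
    return 0
}
```

Source the file and call, for example, serevu_check_timing 10m 2m before placing the same values on the serevu command line.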