The seretrust utility generates the selang commands required to retrust programs and secure files defined in the database. The seretrust utility reports the status of the SECFILE and PROGRAM resources that are defined as trusted but have changed. seretrust also checks whether programs have been changed but have not yet been caught by the Watchdog. (This means that in the CA ControlMinder database, these programs are still marked as trusted.) These programs are added to seretrust output with a note that the program content or timestamp has been changed, and the program needs to be retrusted.
Note: On UNIX, programs with setuid and setgid bits are stored in the database with their full descriptions, including their inode values. If you restore the system from backups, the programs occupy different inodes. CA ControlMinder detects the mismatch between the inodes and marks all the trusted programs as untrusted. The seretrust utility locates the trusted programs that are defined in the database and updates their inode values, so that when you invoke CA ControlMinder, the trusted programs remain trusted.
If you do not specify any switches, only untrusted programs and untrusted secured files are processed.
This command has the following format:

    seretrust [-a] [-l|-m|-p|-s] path

-a
    Processes all trusted and untrusted objects.

help
    Displays the help for this utility.

-l
    Extracts information about the programs and files from the database in the current directory. If you omit this option, seretrust processes the database that CA ControlMinder uses.

-m
    Calculates the signatures for all kernel modules. If the signature property of a kernel module record is not valid, seretrust updates it with the correct signature, which ensures that the kernel module is trusted. Signatures are used only for Linux kernel modules.

-p
    Processes records in the PROGRAM class only.

-s
    Processes records in the SECFILE class only.

path
    Specifies the base path for searching programs and secure files that need to be retrusted. The utility processes the specified directory and all subdirectories.
Example: Retrust untrusted programs and secure files
This example shows you how you can use the seretrust utility to retrust programs and secure files.
Note: This example shows you a sample command output on UNIX, but the utility works the same on Windows.
To retrust programs and secure files, follow these steps:

1. Run the utility and redirect its output to a script file:

       seretrust > retrust_script

   Because you did not specify any options, the utility processes both programs and secured files (the PROGRAM and SECFILE classes); because you did not specify a base path, it searches from the root path.

   seretrust displays the following information on the screen:

       Retrusting PROGRAMs & SPECFILEs, Base path = /
       Total of 0 entries retrusted. (Class=SECFILE)
       Total of 16 entities retrusted. (class=PROGRAM)

   The following is the content of the script file that seretrust creates:

       chres PROGRAM ("/usr/bin/chgrpmem") trust
       chres PROGRAM ("/usr/bin/chie") trust
       chres PROGRAM ("/usr/bin/crontab") trust
       chres PROGRAM ("/usr/bin/cu") trust
       chres PROGRAM ("/usr/bin/ecs") trust
       chres PROGRAM ("/usr/bin/newgrp") trust
       chres PROGRAM ("/usr/bin/rmquedev") trust
       chres PROGRAM ("/usr/bin/rsh") trust
       chres PROGRAM ("/usr/bin/sysck") trust
       chres PROGRAM ("/usr/bin/uuname") trust
       chres PROGRAM ("/usr/lib/methods/showled") trust
       chres PROGRAM ("/usr/lib/mh/post") trust
       chres PROGRAM ("/usr/lib/mh/slocal") trust
       chres PROGRAM ("/usr/lpp/X11/bin/xlock") trust
       chres PROGRAM ("/usr/lpp/X11/bin/xterm") trust
       chres PROGRAM ("/usr/sbin/chvirprt") trust

2. Run the generated script with selang to apply the retrust commands:

       selang -f retrust_script
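Because seretrust marks every changed program as trusted again, a reviewer usually wants to inspect the generated script before step 2. The following shell functions are an added example, not part of CA ControlMinder: they parse the `chres PROGRAM ("...") trust` lines of a retrust_script, list the targets, restrict the script to one base path, and show the current attributes of each target so an unexpected change can be spotted before selang applies it. The sample script content is constructed here and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not CA's own code). Assumes a seretrust-generated script
# made of lines of the form: chres PROGRAM ("<path>") trust

# Write a constructed sample retrust_script to a temp file and print its name.
make_sample_script() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
chres PROGRAM ("/usr/bin/crontab") trust
chres PROGRAM ("/usr/bin/rsh") trust
chres PROGRAM ("/usr/lpp/X11/bin/xterm") trust
EOF
  echo "$f"
}

# Print the program path from every 'chres PROGRAM ("...") trust' line.
list_retrust_targets() {
  sed -n 's/^chres PROGRAM ("\([^"]*\)") trust$/\1/p' "$1"
}

# Keep only the chres lines whose path lies under the given base directory,
# so a reviewer can retrust one directory tree at a time.
# Usage: filter_by_base /usr/bin retrust_script > retrust_usr_bin
filter_by_base() {
  awk -v base="$1" '
    BEGIN { if (substr(base, length(base)) != "/") base = base "/" }
    /^chres PROGRAM \("/ {
      p = $0
      sub(/^chres PROGRAM \("/, "", p)
      sub(/"\).*$/, "", p)
      if (index(p, base) == 1) print
    }' "$2"
}

# Show mode, owner and mtime of each target that exists on this host, and
# flag targets that are missing, so the change can be confirmed as expected
# before running: selang -f retrust_script
describe_targets() {
  list_retrust_targets "$1" | while IFS= read -r p; do
    if [ -e "$p" ]; then ls -ld "$p"; else echo "MISSING $p"; fi
  done
}
```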
Copyright © 2013 CA Technologies.
All rights reserved.