For example, to permit only an anonymous user to use the ftp application, use the following procedure:
cr LOGINAPPL FTP defaccess(NONE) owner(nobody)
auth LOGINAPPL FTP uid(anonymous) access(X)
To restrict users in the group named account to using only telnet:
auth LOGINAPPL(RLOGIN RSH) gid(account) access(N)
auth LOGINAPPL TELNET gid(account) acc(X)
Note: The previous example shows RLOGIN and RSH restrictions, but other login programs should be included as well.
Whenever you add or use a new login program, you must add a new LOGINAPPL record.
The login interception sequence always starts with setgid or setgroup events, which are called triggers. The sequence ends with a setuid event that changes the user's identity to the real user who logged in.
Login applications issue a variety of system calls, which CA ControlMinder uses to monitor login activity. These login sequences are preset for standard login applications. You can see them by studying the CA ControlMinder trace file.
Note: For more information about the LOGINAPPL class and setting a sequence, see the selang Reference Guide.
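The sequence described above, modelled in Python as an added example (this is not CA ControlMinder code and does not use its trace file format). The event tuples, the find_logins function and the sample data are constructed for illustration. The model assumes that the first setuid after a trigger ends the sequence and that a program with no LOGINAPPL record is not tracked.

```python
# Simplified model of the login interception sequence: a trigger
# (setgid or setgroups) opens the sequence, and the setuid that follows
# closes it and names the user who logged in.
# Event format is constructed for this example:
#   (pid, program, syscall, target_id)

TRIGGERS = {"setgid", "setgroups"}  # setgroups is the system call name


def find_logins(events, login_programs):
    """Return (pid, program, uid) for each completed trigger -> setuid sequence.

    login_programs stands in for the set of LOGINAPPL records (assumption).
    """
    pending = {}  # pid -> program whose sequence has been triggered
    logins = []
    for pid, program, syscall, target in events:
        if program not in login_programs:
            continue  # no record for this program: never treated as a login
        if syscall in TRIGGERS:
            pending[pid] = program  # sequence starts (or is still in progress)
        elif syscall == "setuid" and pid in pending:
            # sequence ends: target is the identity of the user who logged in
            logins.append((pid, pending.pop(pid), target))
        # a setuid with no preceding trigger is ignored
    return logins


SAMPLE_EVENTS = [  # constructed sample data
    (101, "TELNET", "setgroups", 200),
    (101, "TELNET", "setgid", 200),
    (101, "TELNET", "setuid", 1001),   # completes the TELNET sequence
    (102, "FTP", "setuid", 1002),      # no trigger: not a login
    (103, "NEWLOGIN", "setgid", 300),  # program without a record
    (103, "NEWLOGIN", "setuid", 1003),
    (104, "FTP", "setgid", 50),
    (104, "FTP", "setuid", 14),        # completes the FTP sequence
]


def demo():
    return find_logins(SAMPLE_EVENTS, {"TELNET", "FTP", "RLOGIN", "RSH"})


if __name__ == "__main__":
    for pid, program, uid in demo():
        print(f"pid {pid}: login through {program} as uid {uid}")
```

In this model, process 103 shows why a new login program needs its own record: its setgid and setuid calls occur, but no login is attributed to it.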
Copyright © 2013 CA Technologies.
All rights reserved.