

Examples: LOGINAPPL

For example, to permit only an anonymous user to use the ftp application, use the following procedure:

  1. Change the ftp default access to none with the following selang command:
    cr LOGINAPPL FTP defaccess(NONE) owner(nobody)

  2. Permit the user anonymous to use ftp with the following selang command:
    auth LOGINAPPL FTP uid(anonymous) access(X)

To restrict users in the group named account so that telnet is the only login application they can use:

  1. Block the use of rlogin and rsh with the following selang command:
    auth LOGINAPPL(RLOGIN RSH) gid(account) access(N)

  2. Permit the group named account to use telnet with the following selang command:
    auth LOGINAPPL TELNET gid(account) acc(X)

Note: The previous example shows RLOGIN and RSH restrictions, but other login programs should be included as well.

Whenever you add or use a new login program, you must add a new LOGINAPPL record.
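The following added example (not part of this page or of CA ControlMinder) parses the selang commands from the two procedures above into LOGINAPPL records and answers "can this user, in these groups, run this login application?", returning None for a login program that has no record at all, which is the situation the previous paragraph warns about. The evaluation order it applies (uid entry, then gid entry, then defaccess) is an assumption, as is treating a missing defaccess as no access.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the selang commands from the two procedures above.
SELANG_SCRIPT = """
cr LOGINAPPL FTP defaccess(NONE) owner(nobody)
auth LOGINAPPL FTP uid(anonymous) access(X)
auth LOGINAPPL(RLOGIN RSH) gid(account) access(N)
auth LOGINAPPL TELNET gid(account) acc(X)
"""
# 'auth LOGINAPPL(A B) ...' lists several apps; 'cr LOGINAPPL A ...' names one.
_HEAD = re.compile(r"^(cr|auth)\s+LOGINAPPL(?:\(([^)]*)\)|\s+(\S+))\s*(.*)$")
_ARG = re.compile(r"(\w+)\(([^)]*)\)")

def parse_selang(script: str) -> Dict[str, dict]:
    """Map each app to {'defaccess': str|None, 'uid': {user: acc}, 'gid': {group: acc}}."""
    records: Dict[str, dict] = {}
    for line in script.strip().splitlines():
        m = _HEAD.match(line.strip())
        if not m:
            continue  # not a LOGINAPPL command; ignored
        verb, app_list, app, rest = m.groups()
        args = {k.lower(): v for k, v in _ARG.findall(rest)}
        for a in (app_list.split() if app_list else [app]):
            rec = records.setdefault(a, {"defaccess": None, "uid": {}, "gid": {}})
            if verb == "cr":
                rec["defaccess"] = args.get("defaccess")
            else:  # 'acc' is the abbreviated spelling of 'access' seen above
                acc = args.get("access", args.get("acc"))
                for key in ("uid", "gid"):
                    if key in args:
                        rec[key][args[key]] = acc
    return records

def _allowed(acc: Optional[str]) -> bool:
    # access(X) grants execution; access(N)/defaccess(NONE) does not; a record
    # with no defaccess is treated as no access (assumption; class default not modelled)
    return acc is not None and acc.upper() not in ("N", "NONE")

def can_use(records: Dict[str, dict], app: str, user: str, groups) -> Optional[bool]:
    """Assumed evaluation order (not stated on this page): an explicit uid entry
    wins, then a gid entry, then defaccess. None = no LOGINAPPL record exists."""
    rec = records.get(app)
    if rec is None:
        return None  # per the text, a new login program needs its own record
    if user in rec["uid"]:
        return _allowed(rec["uid"][user])
    for g in groups:
        if g in rec["gid"]:
            return _allowed(rec["gid"][g])
    return _allowed(rec["defaccess"])
```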

The login interception sequence always starts with setgid or setgroup events, which are called triggers. The sequence ends with a setuid event that changes the user's identity to the real user who logged in.

Login applications issue a variety of system calls, which CA ControlMinder uses to monitor login activity. These login sequences are preset for standard login applications. You can see them by studying the CA ControlMinder trace file.

Note: For more information about the LOGINAPPL class and setting a sequence, see the selang Reference Guide.