CA ControlMinder protects the following entities:
Is a user authorized to access a particular file?
CA ControlMinder restricts a user's ability to access a file. You can give a user one or more types of access, such as READ, WRITE, EXECUTE, DELETE, and RENAME. Access can be granted for an individual file or for a set of similarly named files (a file name pattern).
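The file-access check described above, as an added illustrative model (this is not CA ControlMinder code and does not reproduce its rule language): rules carry a set of named access types and apply either to an exact path or to a file name pattern, subjects are users or groups, and the sample policy, users and paths are constructed for the example. One assumption of the model, labelled in the code, is that when several rules match a path the most specific pattern decides.

```python
"""Illustrative model of file access rules with named access types and
file name patterns (added example; not CA ControlMinder code)."""
import fnmatch
from dataclasses import dataclass, field

ACCESS_TYPES = {"READ", "WRITE", "EXECUTE", "DELETE", "RENAME"}


@dataclass
class FileRule:
    pattern: str        # exact path, or a glob such as /opt/app/logs/*
    subject: str        # user name, or "group:<name>"
    access: frozenset   # access types granted by this rule


@dataclass
class FilePolicy:
    rules: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)   # user -> set of group names

    def allow(self, pattern, subject, *access):
        """Add a rule; reject access types the model does not know."""
        unknown = set(access) - ACCESS_TYPES
        if unknown:
            raise ValueError(f"unknown access type(s): {sorted(unknown)}")
        self.rules.append(FileRule(pattern, subject, frozenset(access)))

    def check(self, user, path, access):
        """True only if a rule for the user (or one of the user's groups)
        that matches this path grants the requested access type.
        Assumption of this model: when several rules match, the most
        specific pattern (the one with the most literal characters) decides,
        so a narrow rule can withhold what a broad one grants.  No matching
        rule means no access."""
        subjects = {user} | {f"group:{g}" for g in self.groups.get(user, ())}
        matches = [r for r in self.rules
                   if r.subject in subjects and fnmatch.fnmatchcase(path, r.pattern)]
        if not matches:
            return False
        best = max(matches,
                   key=lambda r: len(r.pattern.replace("*", "").replace("?", "")))
        return access in best.access


def build_sample_policy():
    """Constructed sample: the ops group may read and write application logs
    but only read the audit log; alice alone may run the application binaries."""
    p = FilePolicy(groups={"bob": {"ops"}, "alice": {"dev"}})
    p.allow("/opt/app/logs/*", "group:ops", "READ", "WRITE")
    p.allow("/opt/app/logs/audit.log", "group:ops", "READ")   # narrower rule wins
    p.allow("/opt/app/bin/*", "alice", "EXECUTE")
    return p


SAMPLE = build_sample_policy()

if __name__ == "__main__":
    for user, path, access in [("bob", "/opt/app/logs/app.log", "WRITE"),
                               ("bob", "/opt/app/logs/audit.log", "WRITE"),
                               ("bob", "/opt/app/logs/audit.log", "READ"),
                               ("alice", "/opt/app/bin/run", "EXECUTE"),
                               ("alice", "/opt/app/bin/run", "DELETE"),
                               ("carol", "/opt/app/logs/app.log", "READ")]:
        verdict = "allow" if SAMPLE.check(user, path, access) else "deny"
        print(f"{user:6} {access:8} {path} -> {verdict}")
```

Note the deny-by-default behaviour: carol has no matching rule at all and gets nothing, and bob's broad write permission on the log directory does not carry over to the audit log because the exact-path rule for that file is evaluated instead.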
Is a user authorized to use a particular terminal?
This check is done during the login process. Individual terminals and groups of terminals can be defined in the CA ControlMinder database, with access rules that state which users, or groups of users, are allowed to use the terminal or terminal group. Terminal protection ensures that no unauthorized terminal or station can be used to log into the accounts of highly privileged users.
Is a user authorized to log on at a particular time on a particular day?
Most users use their stations only on weekdays and only during work hours; time-of-day and day-of-week login restrictions, together with holiday restrictions, refuse logins outside those windows and so protect against intruders and other unauthorized users.
Is another station authorized to receive TCP/IP services from the local computer? Is another station authorized to supply TCP/IP services to the local computer? Is another station permitted to receive services from every user of the local station?
An open system is a system in which both the computers and the networks are open. The advantage of an open system is also a disadvantage. Once a computer is connected to the outside world, one can never be sure who enters the system and what damage an alien user may do, intentionally or by mistake. CA ControlMinder includes “firewalls” that prevent local stations and servers from providing services to unknown stations.
Is the user permitted to log in from a second terminal?
The term concurrent logins refers to a user's ability to be logged onto the system from more than one terminal. CA ControlMinder can prevent a user from logging in more than once. This prevents intruders from logging into the accounts of users who are already logged in.
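The three login-time checks described above (terminal and terminal-group rules, day/time and holiday restrictions, and the concurrent-login limit) as one added illustrative model; this is example code, not CA ControlMinder's implementation, and the terminals, users, group names, dates and limits are constructed for it.

```python
"""Illustrative model of login-time checks: terminal rules, day/time and
holiday restrictions, and a concurrent-login limit (added example; not
CA ControlMinder code)."""
from dataclasses import dataclass, field
from datetime import date, datetime, time


@dataclass
class LoginPolicy:
    # terminal or "tgroup:<name>" -> set of users / "group:<name>" allowed on it
    terminal_rules: dict = field(default_factory=dict)
    terminal_groups: dict = field(default_factory=dict)   # terminal -> terminal group
    groups: dict = field(default_factory=dict)            # user -> set of groups
    # user -> (allowed weekdays, Monday=0 .. Sunday=6; earliest time; latest time)
    time_rules: dict = field(default_factory=dict)
    holidays: set = field(default_factory=set)            # dates on which nobody restricted may log in
    max_sessions: dict = field(default_factory=dict)      # user -> concurrent logins allowed
    active: dict = field(default_factory=dict)            # user -> set of terminals in use

    def _subjects(self, user):
        return {user} | {f"group:{g}" for g in self.groups.get(user, ())}

    def terminal_allowed(self, user, terminal):
        """The terminal, or the terminal group it belongs to, must list the
        user or one of the user's groups; a terminal with no rule is denied."""
        targets = [terminal]
        if terminal in self.terminal_groups:
            targets.append(f"tgroup:{self.terminal_groups[terminal]}")
        allowed = set()
        for t in targets:
            allowed |= self.terminal_rules.get(t, set())
        return bool(allowed & self._subjects(user))

    def time_allowed(self, user, when):
        rule = self.time_rules.get(user)
        if rule is None:
            return True                      # no day/time restriction defined
        days, start, end = rule
        if when.date() in self.holidays:
            return False
        return when.weekday() in days and start <= when.time() <= end

    def concurrent_allowed(self, user):
        limit = self.max_sessions.get(user, 1)   # default: one session per user
        return len(self.active.get(user, set())) < limit

    def login(self, user, terminal, when):
        """Run the checks in order; on success record the session so that a
        second login attempt sees it."""
        if not self.terminal_allowed(user, terminal):
            return False, "terminal not authorized"
        if not self.time_allowed(user, when):
            return False, "outside permitted days/times"
        if not self.concurrent_allowed(user):
            return False, "already logged in elsewhere"
        self.active.setdefault(user, set()).add(terminal)
        return True, "ok"

    def logout(self, user, terminal):
        self.active.get(user, set()).discard(terminal)


def build_sample_policy():
    """Constructed sample: ops may use any console terminal on weekdays
    08:00-18:00 except 25 Dec 2013, one session at a time; root only from tty09."""
    p = LoginPolicy(groups={"alice": {"ops"}})
    p.terminal_groups = {"tty01": "console", "tty02": "console"}
    p.terminal_rules = {"tgroup:console": {"group:ops"}, "tty09": {"root"}}
    p.time_rules = {"alice": ({0, 1, 2, 3, 4}, time(8, 0), time(18, 0))}
    p.holidays = {date(2013, 12, 25)}
    p.max_sessions = {"alice": 1}
    return p


if __name__ == "__main__":
    p = build_sample_policy()
    monday = datetime(2013, 12, 23, 9, 0)
    print(p.login("alice", "tty01", monday))     # (True, 'ok')
    print(p.login("alice", "tty02", monday))     # second session refused
    print(p.login("root", "tty01", monday))      # root not allowed on console group
    print(p.login("root", "tty09", monday))      # (True, 'ok')
```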
You can define and protect both regular entities (such as TCP/IP services and terminals) and functional entities (known as abstract objects; such as performing a transaction and accessing a record in a database).
CA ControlMinder provides the means to both delegate superuser authorities to operators and restrict the privilege of the superuser account.
Are users authorized to substitute their user IDs?
The UNIX setuid system call, one of the most sensitive services provided by the operating system, is intercepted by CA ControlMinder to check whether the user is authorized to perform the substitution. The substitute-user authority check includes program pathing: users are permitted to substitute their user IDs only through specific programs. This is especially important in controlling who can substitute to root and thereby gain root access.
Is a user authorized to issue the newgrp (substitute‑group) command?
Substitute‑group protection is similar to substitute‑user protection.
Can a particular setuid or setgid program be trusted? Is the user authorized to invoke it?
The security administrator can test programs that are marked as setuid or setgid executables to ensure that they do not contain any security loopholes that can be used to gain unauthorized access. Programs that pass the test and are considered safe are defined as trusted programs. The CA ControlMinder Self‑Protection Module (also referred to as the CA ControlMinder watchdog) knows which program is in control at a particular time and checks whether the program has been modified or moved since it was classified as trusted. If a trusted program is modified or moved, the program is no longer considered trusted and CA ControlMinder does not allow it to run.
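The substitute-user check with program pathing (above, under setuid) and the trusted-program check (this section) share one added illustrative model below. It is example code, not CA ControlMinder's implementation or its watchdog: a user may switch to a target user ID only through a program named in a rule for that user or group, and that program counts as trusted only while it still exists at its classified path and its contents hash to the value recorded at classification time. The users, group, rule and the throw-away script files it hashes are constructed for the example.

```python
"""Illustrative model of substitute-user rules with program pathing and of
trusted-program integrity checking (added example; not CA ControlMinder code)."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class SurrogatePolicy:
    trusted: dict = field(default_factory=dict)   # program path -> digest when classified
    rules: dict = field(default_factory=dict)     # target user -> {subject: set of program paths}
    groups: dict = field(default_factory=dict)    # user -> set of groups

    def classify_trusted(self, path):
        """Record the program's current contents as the trusted baseline
        (done after the administrator has reviewed the program)."""
        self.trusted[path] = sha256_file(path)

    def is_trusted(self, path):
        expected = self.trusted.get(path)
        if expected is None or not os.path.isfile(path):
            return False          # never classified, or moved/deleted since
        return sha256_file(path) == expected   # modified since -> untrusted

    def can_substitute(self, user, target, via_program):
        """The user (or a group) needs a rule for the target that names the
        program being used, and that program must still be trusted."""
        subjects = {user} | {f"group:{g}" for g in self.groups.get(user, ())}
        per_subject = self.rules.get(target, {})
        allowed = set()
        for s in subjects:
            allowed |= per_subject.get(s, set())
        return via_program in allowed and self.is_trusted(via_program)


def demo():
    """Constructed scenario in a temporary directory; returns the decisions."""
    workdir = tempfile.mkdtemp()
    su = os.path.join(workdir, "su")           # stands in for the real su binary
    helper = os.path.join(workdir, "helper")   # another setuid-style program
    for p in (su, helper):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
    policy = SurrogatePolicy(groups={"alice": {"ops"}})
    policy.classify_trusted(su)
    policy.rules = {"root": {"group:ops": {su}}}   # ops may become root, only via su

    results = {}
    results["ops_via_su"] = policy.can_substitute("alice", "root", su)
    results["ops_via_helper"] = policy.can_substitute("alice", "root", helper)   # wrong program
    results["outsider_via_su"] = policy.can_substitute("bob", "root", su)       # no rule
    with open(su, "ab") as f:
        f.write(b"# tampered\n")
    results["after_modify"] = policy.can_substitute("alice", "root", su)         # modified
    policy.classify_trusted(su)                                                  # re-reviewed
    results["after_reclassify"] = policy.can_substitute("alice", "root", su)
    os.rename(su, su + ".moved")
    results["after_move"] = policy.is_trusted(su)                                # moved
    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'allow' if ok else 'deny'}")
```

A real monitor would identify the running program from the kernel's view of the process rather than from a caller-supplied path, and would check the integrity of the file before it executes; the model keeps only the decision logic.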
In addition, CA ControlMinder protects against various deliberate and accidental threats, including:
CA ControlMinder can be used to protect critical servers and services or daemons against kill attempts.
CA ControlMinder protects against various types of password attacks, enforces the password‑definition policies of your site, and detects break‑in attempts.
CA ControlMinder policies define rules that force users to create and use passwords of sufficient quality. To ensure that users create and use acceptable passwords, CA ControlMinder can set maximum and minimum lifetimes for passwords (so that a password cannot remain in use indefinitely), restrict certain words, prohibit repetitive characters, and enforce other restrictions.
CA ControlMinder policies ensure that dormant accounts are dealt with appropriately.
CA ControlMinder can implement password protection and enforce security across NIS and non‑NIS domains.
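The password-quality, password-lifetime and dormant-account rules described above, as one added illustrative checker; this is example code, not CA ControlMinder's policy engine, and the thresholds, forbidden words, user names and dates are constructed for it.

```python
"""Illustrative password-policy and dormant-account checks (added example;
not CA ControlMinder code; thresholds are constructed)."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_repeat: int = 2            # longest run of one repeated character allowed
    forbidden_words: set = field(default_factory=set)   # substrings, case-insensitive
    require_classes: int = 3       # of lower / upper / digit / other
    min_lifetime_days: int = 1     # earliest a password may be changed again
    max_lifetime_days: int = 90    # password expires after this
    dormant_days: int = 60         # accounts unused this long count as dormant

    def quality_problems(self, password, user=None):
        """Return every rule the candidate password breaks (empty = acceptable)."""
        problems = []
        if len(password) < self.min_length:
            problems.append("too short")
        if re.search(r"(.)\1{%d,}" % self.max_repeat, password):
            problems.append("repeated characters")
        lowered = password.lower()
        if user and user.lower() in lowered:
            problems.append("contains user name")
        for word in sorted(self.forbidden_words):
            if word.lower() in lowered:
                problems.append(f"contains forbidden word {word!r}")
        classes = sum(bool(re.search(pat, password))
                      for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
        if classes < self.require_classes:
            problems.append("too few character classes")
        return problems

    def may_change(self, last_set, today):
        """Minimum lifetime: stops a user cycling through passwords to get
        back to a favourite one."""
        return today - last_set >= timedelta(days=self.min_lifetime_days)

    def expired(self, last_set, today):
        return today - last_set > timedelta(days=self.max_lifetime_days)

    def dormant(self, last_login, today):
        return last_login is None or today - last_login > timedelta(days=self.dormant_days)


POLICY = PasswordPolicy(forbidden_words={"password", "acme"})

if __name__ == "__main__":
    for pw, user in [("aaa12345", "alice"), ("Alice#2013", "alice"),
                     ("Password!1", "bob"), ("Tr0ub4dor&3", "bob")]:
        print(f"{pw:12} -> {POLICY.quality_problems(pw, user) or 'ok'}")
    print("expired:", POLICY.expired(date(2013, 1, 1), date(2013, 6, 1)))
    print("dormant:", POLICY.dormant(date(2013, 3, 1), date(2013, 6, 1)))
```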
Copyright © 2013 CA Technologies.
All rights reserved.