You must protect mission‑critical processes, such as database servers or application daemons, against denial of service attacks. The native UNIX security system bases its process protection on the process user ID. This implies that under native UNIX, root can do anything to any process. CA ControlMinder adds to UNIX process protection by defining rules based on the executable file running in the process. CA ControlMinder process protection is independent of the user ID of the process. A record in the PROCESS class must define every process that CA ControlMinder will protect.
For example, to protect the ASCII viewer /bin/more from being killed, follow this procedure. First, define the PROCESS record with the selang command:
newres PROCESS /bin/more defaccess(N) owner(nobody)
This command defines /bin/more as a process to be protected from kill attempts; therefore the default access is none (N). The owner(nobody) setting ensures that even the user who defined this rule cannot kill the /bin/more process.
Next, start /bin/more as a shell job and try to kill that job from the shell:
/bin/more /tmp/seosd.trace
kill %1
Your attempt should fail, with CA ControlMinder displaying the “Permission denied” message.
To make an exception that permits a specific user to kill the /bin/more processes, enter the selang command:
authorize PROCESS /bin/more uid(username)
Note: Use the same procedure to protect other binary executables on your system from being killed.
CA ControlMinder blocks regular kill signals (SIGTERM) and the kill signals that an application cannot mask (SIGKILL and SIGSTOP). It passes other signals, such as SIGHUP or SIGUSR1, through to the process, which then decides whether to ignore or react to them.
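The following script is an added example, not part of the CA ControlMinder documentation: after you define a PROCESS rule as above, run it from a shell that is not authorized by the rule to confirm that exactly the signals the text names (SIGTERM, SIGKILL, SIGSTOP) are denied and the others pass through. The process ID argument and the PASS/FAIL report format are this script's own conventions; point it only at a throwaway instance of the protected binary.

```shell
#!/bin/sh
# Added example (not CA's code): verify the behaviour of a PROCESS rule.
# A correctly configured rule denies TERM, KILL and STOP to an unauthorized
# caller and passes every other signal through to the process itself.

# expected_outcome SIGNAME -> "denied" for the signals ControlMinder blocks,
# "delivered" for the signals it passes through (as the documentation states).
expected_outcome() {
    case $1 in
        TERM|KILL|STOP) echo denied ;;
        *)              echo delivered ;;
    esac
}

# probe_signal PID SIGNAME -> "SIGNAME delivered" or "SIGNAME denied (<reason>)".
# kill(2) fails with EPERM when the PROCESS rule rejects the caller; the shell
# reports that as "Permission denied" or "Operation not permitted".
probe_signal() {
    pid=$1 sig=$2
    if err=$(kill -s "$sig" "$pid" 2>&1); then
        printf '%s delivered\n' "$sig"
    else
        printf '%s denied (%s)\n' "$sig" "${err:-no message}"
    fi
}

# check_rule PID SIGNAME -> "SIGNAME PASS ..." or "SIGNAME FAIL ..." by comparing
# the observed outcome with the behaviour the documentation describes.
check_rule() {
    pid=$1 sig=$2
    want=$(expected_outcome "$sig")
    got=$(probe_signal "$pid" "$sig")
    got=${got#* }      # strip the leading "SIGNAME "
    got=${got%% *}     # keep only "delivered" or "denied"
    if [ "$got" = "$want" ]; then
        printf '%s PASS (%s, as expected)\n' "$sig" "$got"
    else
        printf '%s FAIL (got %s, expected %s)\n' "$sig" "$got" "$want"
    fi
}

# Usage: ./probe_process_rule.sh PID
# Probes the three signals the rule must block, then CONT, a pass-through
# signal that is harmless to a running process (unlike HUP, whose default
# action terminates a process that does not handle it).
if [ -n "$1" ]; then
    for sig in TERM KILL STOP CONT; do
        check_rule "$1" "$sig"
    done
fi
```

On a host without a PROCESS rule for the target, TERM reports FAIL and the test instance dies, which is the expected baseline before the newres command is applied.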
Copyright © 2013 CA Technologies.
All rights reserved.