

tcllca: The LCA Extension

This section contains the following topics:

The tcllca.so Library

Programming Guide

tcllca Functions

The tcllca.so Library

This appendix describes the tcllca.so library, an LCA extension that adds LCA commands to the TCL environment.

Note: This information is valid for UNIX only.

Programming Guide

More flexible than the selang command language, tcllca imitates selang from the TCL shell environment while adding new commands that return information about CA ControlMinder objects (users, resources, classes, and properties) directly to the TCL environment, so you do not have to run a selang command and parse its text output.

The extension is in shared library format, loaded by the TCL load command. You may need to set the LD_LIBRARY_PATH to the lib subdirectory in the CA ControlMinder directory. To successfully load the extension, you must have the CA ControlMinder admin flag and access to the local terminal, and be running CA ControlMinder.

The extension loads the following shared libraries:

To load the tcllca extension:

  1. If necessary, set the library path with the following command where ACDir is the directory where CA ControlMinder is installed:
    setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:ACDir/lib
    
  2. Load the TCL shell with the command:
    tclsh
    
    The % prompt appears.

  3. Load the tcllca library with the command:
    load ACDir/lib/tcllca.so
    

Sample Program

The following sample program first loads the tcllca.so extension library, and then finds all the users owned by the root user.

>setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:/opt/CA/AccessControl/lib
>tclsh
%load /opt/CA/AccessControl/lib/tcllca.so
%set user_list [se_get_resources user]
%foreach user $user_list {
   # se_scan_props returns the single property as "OWNER <name>"
   if {[se_scan_props user $user OWNER] eq "OWNER root"} {
      lappend root_owned $user
   }
 }
%if {[info exists root_owned]} {
   puts "users owned by root : $root_owned"
 } else {
   puts "no users owned by root"
 }
%

tcllca Functions

The LCA TCL extension includes the following functions:

se_class_list Function

The se_class_list function prints all the classes in the database.

se_class_list

se_get_resources Function

The se_get_resources function prints the names of all the objects in the specified class. If you specify an object, the function searches for it in the database and, if the object does not exist, returns an error. If the object does exist, the function prints the name of the object. If the object contains wildcards, the function returns the object list.

For example, the following command returns a list of all the users in the database:

se_get_resources user
se_get_resources class [object]

segetstat Function

The segetstat function tells you the status returned by the last command:

OK

The last command was successfully processed.

ERROR

The last command was not successfully processed.

DUP

Relevant only for the newfile, newgrp, newres, and newusr commands. The object already exists inside the database.

NOTICE

An informational message was returned by a selang command.

The last two statuses (DUP and NOTICE) can be returned only by a selang command.

segetstat

se_grp_usrs Function

The se_grp_usrs function prints a list of all the users in the group. This is valid only for a group of users, not for groups of other classes (for example, GFILE and GHOST).

For example, the following command prints all the users in the group called “system”:

se_grp_usrs system
se_grp_usrs group_name

se_is_running Function

The se_is_running function tells you whether the seosd daemon is currently running. The function returns “yes” if seosd is currently running; otherwise, it returns “no.”

se_is_running

selang Function

The selang function executes CA ControlMinder commands. The parameters are passed unchanged, in selang syntax, and the selang output is returned as the result. This is the only tcllca command that can change data in the database.

Note: This function does not invoke the selang utility itself. It uses an API to contact the database or agent, with the same command syntax as selang.

For example, the following command returns the properties of the file inside the database if it exists; otherwise, it returns the selang error message:

selang sr file /opt/CA/AccessControl/bin/selang
selang parameters

se_objs_in_grp Function

The se_objs_in_grp function prints all the members of a group of resources that belong to the same class (GHOST, GTERMINAL, GFILE, and GSUDO).

For example, the following command prints all the hosts inside the group DevTerms:

se_objs_in_grp GHOST DevTerms
se_objs_in_grp class object_list

se_scan_props Function

The se_scan_props function prints the properties of an object inside the database. If you do not specify a property, the function returns a list of all the object's properties. You can specify a list of properties by separating them with spaces.

For example, the following command returns the root user audit mode:

se_scan_props user root AUDIT_MODE
se_scan_props class object [properties]

sewhoami Function

The sewhoami function tells you under what current CA ControlMinder user name you are running (note that this can be different from the current UNIX user).

sewhoami
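The following script is an added example, not code from the tcllca documentation or from CA ControlMinder. It ties together the functions described above (se_is_running, sewhoami, selang, segetstat, se_get_resources and se_scan_props) into a small administrative check: a preflight that refuses to run against a stopped seosd, a selang wrapper that turns an ERROR status into a Tcl error instead of continuing silently, an idempotent "ensure user exists with this owner" step that treats DUP as "already there" and then reads the OWNER property back from the database, and a generalisation of the sample program that reports every user whose owner is outside an allowed set. It assumes tcllca.so is already loaded into a Tcl 8.4 or later tclsh, seosd is running, and the caller holds the admin flag. The return-value shapes are taken from this page's descriptions (segetstat returns OK, ERROR, DUP or NOTICE; selang returns the command output; se_scan_props user NAME OWNER returns "OWNER <name>"); the selang commands nu and cu with owner(...) are the usual newusr/chusr syntax and are an assumption, not something this page documents.

```tcl
# Added example, not part of the tcllca documentation or of CA ControlMinder.
# Assumes tcllca.so is already loaded into tclsh (Tcl 8.4 or later), seosd is
# running, and the caller holds the CA ControlMinder admin flag.
# Assumed return shapes, taken from this page: segetstat returns one of
# OK, ERROR, DUP or NOTICE; selang returns the command output as a string;
# se_get_resources returns a Tcl list; se_scan_props user <name> OWNER
# returns "OWNER <owner>". The selang commands nu/cu with owner(...) are the
# standard newusr/chusr syntax and are assumed, not documented on this page.

# Refuse to run anything unless the daemon is up, and report which
# CA ControlMinder identity the changes will be attributed to.
proc se_preflight {} {
    if {[se_is_running] ne "yes"} {
        error "seosd is not running; refusing to issue selang commands"
    }
    return [sewhoami]
}

# Run one selang command and turn an ERROR status into a Tcl error instead
# of silently continuing. Returns {status output}; DUP and NOTICE are passed
# back so the caller can decide what they mean for its own command.
proc se_run {args} {
    set out [eval selang $args]
    set st  [segetstat]
    if {$st eq "ERROR"} {
        error "selang $args failed: $out"
    }
    return [list $st $out]
}

# Ensure a user record exists and is owned by $owner. newusr on an existing
# user yields DUP (see segetstat), so that case is repaired with chusr rather
# than treated as a failure. The final read-back checks what the database
# actually holds instead of trusting the status code alone.
proc ensure_user_owner {name owner} {
    foreach {st out} [se_run nu $name owner($owner)] break
    if {$st eq "DUP"} {
        se_run cu $name owner($owner)
    }
    set actual [se_scan_props user $name OWNER]
    if {$actual ne "OWNER $owner"} {
        error "owner of $name is '$actual', expected 'OWNER $owner'"
    }
    return $st
}

# Generalisation of the page's sample program: list every user whose OWNER
# is not in $allowed, returned as a list of {user owner} pairs. Useful for
# spotting accounts created by someone outside the security-admin group.
proc users_with_unexpected_owner {allowed} {
    set bad {}
    foreach u [se_get_resources user] {
        set owner [lindex [se_scan_props user $u OWNER] 1]
        if {[lsearch -exact $allowed $owner] < 0} {
            lappend bad [list $u $owner]
        }
    }
    return $bad
}

# Usage (requires a live CA ControlMinder; output depends on the database):
# puts "running as [se_preflight]"
# puts [ensure_user_owner svc_backup root]
# foreach pair [users_with_unexpected_owner {root secadm}] {
#     puts $pair
# }
```

The point of se_run is that selang output alone is ambiguous from a script: the text of an error and the text of a notice both come back as the function result, and only segetstat distinguishes them. Checking the status after every call, and verifying the change with se_scan_props afterwards, is what makes an automated change against the security database safe to rerun.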