This appendix describes the tcllca.so library, an LCA extension that adds LCA commands to the TCL environment.
Note: This information is valid for UNIX only.
More flexible than the selang command language, tcllca imitates selang from the TCL shell environment while adding new commands to return information about CA ControlMinder objects (users, resources, classes, and properties) from the TCL environment, without using a selang command and parsing the result.
The extension is in shared library format, loaded by the TCL load command. You may need to set the LD_LIBRARY_PATH to the lib subdirectory in the CA ControlMinder directory. To successfully load the extension, you must have the CA ControlMinder admin flag and access to the local terminal, and be running CA ControlMinder.
The extension loads the following shared libraries:
To load the tcllca extension:
setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:ACDir/lib
tclsh
The % prompt appears.
Load the tcllca library with the command:
load ACDir/tcllca.so
The following sample program first loads the tcllca.so extension library, and then finds all the users owned by the root user.
>setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:/opt/CA/AccessControl/lib
>tclsh
%load /opt/CA/eTrustAccessControl/lib/tcllca.so
%set user_list [se_get_resources user]
%foreach user $user_list {
    if {[se_scan_props user $user OWNER] == "OWNER root"} {
        lappend root_owned $user
    }
}
%if [info exists root_owned] {
    puts "users owned by root : $root_owned"
} else {
    puts "no users owned by root"
}
%
The LCA TCL extension includes the following functions:
The se_class_list function prints all the classes in the database.
se_class_list
The se_get_resources function prints the names of all the objects in the specified class. If you specify an object, the function searches for it in the database and, if the object does not exist, returns an error. If the object does exist, the function prints the name of the object. If the object contains wildcards, the function returns the object list.
For example, the following command returns a list of all the users in the database:
se_get_resources user
se_get_resources class [object];
The segetstat function tells you the status returned by the last command:
The last command was successfully processed.
The last command was not successfully processed.
Relevant only for the newfile, newgrp, newres, and newusr commands. The object already exists inside the database.
The information message was returned from a selang command.
The last two (DUP and NOTICE) can return only from a selang command.
segetstat
The se_grp_usrs function prints a list of all the users in the group. This is valid only for a group of users, not for groups of other classes (for example, GFILE and GHOST).
For example, the following command prints all the users in the group called “system”:
se_grp_usrs system
se_grp_usrs group_name
The se_is_running function tells you whether the seosd daemon is currently running. The function returns “yes” if seosd is currently running; otherwise, it returns “no.”
se_is_running
The selang function executes CA ControlMinder commands. The parameters are transferred as they are to the selang utility. The selang output is returned as the result. This is the only command valid for changing data inside the database.
Note: This function does not actually invoke selang. It uses an API to contact the database or agent, using the same syntax as selang.
For example, the following command returns the properties of the file inside the database if it exists; otherwise, it returns the selang error message:
selang sr file /opt/CA/AccessControl/bin/selang
selang parameters
The se_objs_in_grp function prints all the members of a group of resources that belong to the same class (GHOST, GTERMINAL, GFILE, and GSUDO).
For example, the following command prints all the hosts inside the group DevTerms:
se_objs_in_grp GHOST DevTerms
se_objs_in_grp class object_list
The se_scan_props function prints the properties of an object inside the database. If you do not specify a property, the function returns a list of all the object's properties. You can specify a list of properties by separating them with spaces.
For example, the following command returns the root user audit mode:
se_scan_props user root AUDIT_MODE
se_scan_props class object [properties]
The sewhoami function tells you under what current CA ControlMinder user name you are running (note that this can be different from the current UNIX user).
sewhoami
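The sample program earlier in this appendix only finds users owned by root. As an added example (not part of the CA documentation), the following Tcl script generalizes it: it checks se_is_running first, groups every user by its OWNER property, and catches lookup errors instead of aborting. It assumes Tcl 8.5 or later, the library path from the sample program, and that se_scan_props replies in the form "OWNER name" as the sample's comparison implies; when the library cannot be loaded it falls back to constructed stand-in procedures and sample users.

```tcl
#!/usr/bin/env tclsh
# Added example: ownership report over the USER class using tcllca commands.
# Assumption: library path taken from the page's sample program.
set lib /opt/CA/eTrustAccessControl/lib/tcllca.so

if {[catch {load $lib} err]} {
    # Constructed stand-ins so the script runs without CA ControlMinder.
    # The users and owners below are sample values, not product output.
    puts stderr "tcllca not loaded ($err); using constructed sample data"
    array set sample {root root alice root bob alice}
    proc se_is_running {} { return yes }
    proc se_get_resources {class} { global sample; return [lsort [array names sample]] }
    proc se_scan_props {class obj prop} {
        global sample
        if {![info exists sample($obj)]} { error "no such object: $obj" }
        return "$prop $sample($obj)"
    }
}

# Returns a dict mapping owner -> list of users. Users whose OWNER lookup
# raises an error are collected under the key "<lookup failed>".
proc users_by_owner {} {
    if {[se_is_running] ne "yes"} {
        error "seosd is not running; start CA ControlMinder first"
    }
    set owners [dict create]
    foreach user [se_get_resources user] {
        if {[catch {se_scan_props user $user OWNER} out]} {
            dict lappend owners "<lookup failed>" $user
            continue
        }
        # Assumed reply form "OWNER <name>", as compared in the page's sample.
        set owner [string trim [string range $out [string length "OWNER"] end]]
        if {$owner eq ""} { set owner "<none>" }
        dict lappend owners $owner $user
    }
    return $owners
}

# Print one line per owner followed by the users that owner controls.
dict for {owner users} [users_by_owner] {
    puts [format "%-16s %s" $owner [join $users ", "]]
}
```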
Copyright © 2013 CA Technologies.
All rights reserved.