

chfile Command—Modify File Records

Valid in the AC environment

Use the chfile, editfile, and newfile commands to work with records in the FILE class. These commands are identical in structure and only vary in the following way:

Note: This command also exists in the native environment but operates differently.

To add or change a record for a file belonging to the FILE class, you must have sufficient authority over the file. CA ControlMinder performs the following checks until one of these conditions is met:

  1. You have the ADMIN attribute.
  2. The resource record is within the scope of a group in which you have the GROUP‑ADMIN attribute.
  3. When changing a record, you are its owner.
  4. You have CREATE (for newfile or editfile) or MODIFY (for chfile) access authority in the ACL of the FILE record in the ADMIN class.
  5. You are the owner of the file in the native OS (when defining to CA ControlMinder a file that exists in the native OS) and the use_unix_file_owner token in the seos.ini file is set to yes.

    {{chfile|cf}|{editfile|ef}|{newfile|nf}} filename... \
    [audit{none|all|success|failure}] \
    [category[-](categoryName)] \
    [comment(string)|comment‑] \
    [defaccess(accessAuthority)] \
    [label(labelName)|label‑] \
    [level(number)|level‑] \
    [notify(mailAddress)|notify‑] \
    [gowner(groupName)] \
    [owner({userName|groupName})] \
    [restrictions( \
        [days({anyday|weekdays|{[mon] [tue] [wed] [thu] [fri] [sat] [sun]}})] \
        [time({anytime|startTime:endTime})] \
    )|restrictions‑] \
    [warning|warning‑]

audit{none|all|success|failure}

Specifies which access events are logged. The types of access are:

Note: To use the audit parameter, you must have the AUDITOR attribute.

category(categoryName)

Defines a space- or comma-separated list of security category records (defined in the CATEGORY class) to assign to the file.

If you specify the category parameter when the CATEGORY class is not active, CA ControlMinder updates the definition of the file in the database; however, the updated category assignment has no effect until the CATEGORY class is activated again.

Note: For more information about security category checking, see the Endpoint Administration Guide for your OS.

category‑(categoryName)

Deletes one or more security categories from the resource record. When removing more than one security category, separate the security category names with a space or a comma.

The specified security categories are deleted from the resource record, regardless of whether the CATEGORY class is active.

Note: This parameter is only valid when modifying a record.

comment(string)

Adds an alphanumeric string to the file record. If you previously added a comment string to the file record, the new string specified here replaces the existing string.

Format: Up to 255 characters including double bytes and special characters. If the string contains any blanks, enclose the string in quotation marks.

comment‑

Deletes the comment string from the file record.

Note: This parameter is only valid when modifying a record.

defaccess(accessAuthority)

Specifies the default access authority for the file. The default access authority is the authority granted to any accessor that requests access to the file, but that is not in the access control lists of the file. The default access is also applied to users who are not defined in the database.

fileName

Defines the name of the file record. At least one file name must be specified.

If you are adding or changing a record in class FILE using a generic file name, use the wildcard expressions permitted in selang. When defining or changing more than one record, enclose the list of file names in parentheses and separate the file names with a space or a comma.

Note: If more than one file name is specified, CA ControlMinder processes each file record independently in accordance with the specified parameters. If an error occurs while processing a file, CA ControlMinder issues a message and continues processing with the next file in the list.

gowner(groupName)

Assigns a CA ControlMinder group as the owner of the file record. The group owner of the file record has unrestricted access to the file, provided the group owner's security level, security label, and security category authorities are sufficient to allow access to the file. The group owner of the file is always permitted to update and delete the file record.

label(labelName)

Assigns to the file a security label defined in the SECLABEL class. A security label represents an association between a particular security level and zero or more security categories. If the resource record currently contains a security label, the security label specified here replaces the current security label.

Note: For more information about security label checking, see the Endpoint Administration Guide for your OS.

label‑

Deletes the security label defined in the file record.

Note: This parameter is only valid when modifying a record.

level(number)

Assigns a security level to the resource record. Enter a positive integer between 1 and 255. If a security level was previously assigned to the resource record, the new value replaces the existing value.

Note: For more information about security level checking, see the Endpoint Administration Guide for your OS.

level‑

Stops CA ControlMinder from performing security level checking for the resource.

Note: This parameter is only valid when modifying a record.

notify(mailAddress)

Instructs CA ControlMinder to send notification messages whenever the file represented by the resource record is successfully accessed. Enter a user name, an email address of a user, or the email address of a mail group if an alias is specified.

Notification takes place only when the Log Routing System is active. The notification messages are sent either to the screen or to the mailbox of the users, depending on the setup of the Log Routing System.

Each time a notification message is sent, an audit record is written in the audit log.

The recipient of notify messages should log in frequently to respond to the unauthorized access attempts described in each message.

Limit: 30 characters.

Note: For information about filtering and viewing audit records, see the Endpoint Administration Guide for your OS.

notify‑

Specifies that no one is notified when CA ControlMinder grants access to the file represented by the record.

Note: This parameter is only valid when modifying a record.

owner(Name)

Assigns a CA ControlMinder user or group as the owner of the file record. The owner of the file record has unrestricted access to the file, provided the owner's security level, security label, and security category authorities are sufficient to allow access to the file. The owner of the file is always permitted to update and delete the file record.

restrictions(days(dayData) time(timeData))

Specifies the days of the week and the hours in the day when the file is accessible to users.

If you omit the days argument and specify the time argument, the time restriction applies to any day‑of‑week restriction already indicated in the record. If you omit time and specify days, the day restriction applies to any time restriction already indicated in the record. If you specify both days and time, the users are allowed to access the system only during the specified time period on the specified days.

days(dayData)

Specifies the days on which users can access the file. The days argument takes the following sub‑arguments:

  • anyday: Gives access to the file on any day.
  • weekdays: Gives access to the resource only on weekdays (Monday through Friday).
  • mon tue wed thu fri sat sun: Gives access to the resource only on the specified days. You can specify the days in any order. If more than one day is specified, separate the days with a space or a comma.

time(timeData)

Specifies the period during which users can access the file. The time argument takes the following sub‑arguments:

  • anytime: Gives access to the resource at any time of the day.
  • startTime:endTime: Gives access to the resource only during the specified period. The format of both startTime and endTime is hhmm, where hh is the hour in 24‑hour notation (00 through 23) and mm is the minutes (00 through 59). Note that 2400 is not a valid time value. startTime must be less than endTime, and both times must occur on the same day. If the terminal is in a different time zone from the processor, adjust the time values by translating the start and end times for the terminal to the equivalent local times for the processor. For example, if the processor is in New York and the terminal is in Los Angeles, to allow access to the terminal from 8:00 a.m. to 5:00 p.m. in Los Angeles, specify time(1100:2000).

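The following is an added example, not CA ControlMinder code, that models the days/time restriction rules described above so they can be checked before a chfile or newfile command is issued: it validates hhmm values (00 through 23 hours, 00 through 59 minutes, 2400 rejected, startTime less than endTime), evaluates whether a given moment falls inside a restriction, and translates a terminal-local window into processor-local time as in the Los Angeles/New York case. The function names, the treatment of endTime as inclusive, and the sample dates are assumptions; the restriction text and the abbreviations d and t are taken from the page's own newfile example.

```python
# Added example, not CA ControlMinder code: a small model of the day/time
# restriction semantics documented for chfile/newfile/editfile. Function
# names, the inclusive treatment of endTime, and the sample values are
# assumptions made for this example.
import re
from datetime import datetime, time, timedelta

DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order
WEEKDAYS = frozenset(DAY_NAMES[:5])


def parse_hhmm(value: str) -> time:
    """Validate one hhmm value: hh is 00-23, mm is 00-59; 2400 is not accepted."""
    if not re.fullmatch(r"\d{4}", value):
        raise ValueError(f"{value!r} is not in hhmm format")
    hh, mm = int(value[:2]), int(value[2:])
    if hh > 23 or mm > 59:
        raise ValueError(f"{value!r} is out of range (2400 is not a valid time)")
    return time(hh, mm)


def parse_days(spec: str) -> frozenset:
    """days(...) sub-argument: anyday, weekdays, or a space/comma list of day names."""
    tokens = [t for t in re.split(r"[,\s]+", spec.strip().lower()) if t]
    if tokens == ["anyday"]:
        return frozenset(DAY_NAMES)
    if tokens == ["weekdays"]:
        return WEEKDAYS
    if not tokens or any(t not in DAY_NAMES for t in tokens):
        raise ValueError(f"bad days() value: {spec!r}")
    return frozenset(tokens)


def parse_time(spec: str) -> tuple:
    """time(...) sub-argument: anytime, or startTime:endTime with start < end."""
    spec = spec.strip().lower()
    if spec == "anytime":
        return (time(0, 0), time(23, 59))
    start, sep, end = spec.partition(":")
    if not sep:
        raise ValueError(f"bad time() value: {spec!r}")
    s, e = parse_hhmm(start), parse_hhmm(end)
    if s >= e:
        raise ValueError("startTime must be less than endTime")
    return (s, e)


def parse_restrictions(arg: str) -> dict:
    """Parse the text inside restrictions(...), e.g. 'd(weekdays) t(0800:1800)'.
    The abbreviations d and t are accepted, as in the page's newfile example."""
    result = {}
    for key, val in re.findall(r"\b(days|d|time|t)\(([^()]*)\)", arg, flags=re.I):
        if key.lower() in ("days", "d"):
            result["days"] = parse_days(val)
        else:
            result["time"] = parse_time(val)
    if not result:
        raise ValueError(f"no days() or time() found in {arg!r}")
    return result


def access_allowed(restrictions: dict, when: datetime) -> bool:
    """True if `when` is inside the window; a missing days or time means no limit."""
    if "days" in restrictions and DAY_NAMES[when.weekday()] not in restrictions["days"]:
        return False
    if "time" in restrictions:
        start, end = restrictions["time"]
        if not (start <= when.time() <= end):  # endTime treated as inclusive (assumed)
            return False
    return True


def shift_window(window: str, hours_ahead: int) -> str:
    """Translate a terminal-local startTime:endTime into processor-local time.
    hours_ahead is how far the processor's clock is ahead of the terminal's
    (for example +3 for a New York processor and a Los Angeles terminal).
    Raises if the shifted window no longer fits within a single day."""
    start, end = parse_time(window)
    base = datetime(2000, 1, 1)  # arbitrary date; only the clock time matters
    shifted = []
    for t in (start, end):
        moved = datetime.combine(base.date(), t) + timedelta(hours=hours_ahead)
        if moved.date() != base.date():
            raise ValueError("shifted window crosses midnight; both times must be on the same day")
        shifted.append(moved.strftime("%H%M"))
    return ":".join(shifted)


if __name__ == "__main__":
    r = parse_restrictions("d(weekdays) t(0800:1800)")  # from the page's newfile example
    print(access_allowed(r, datetime(2024, 3, 15, 9, 0)))   # Friday 09:00 -> True
    print(access_allowed(r, datetime(2024, 3, 16, 9, 0)))   # Saturday 09:00 -> False
    print(shift_window("0800:1700", 3))  # Los Angeles window expressed in New York time -> 1100:2000
```

Running the check before issuing the command catches the cases the page calls out (a 2400 value, a start time after the end time, a translated window that would spill into the next day) rather than discovering them after the record has been written.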
restrictions‑

Deletes any restrictions that limit the ability to access the file.

Note: This parameter is only valid when modifying a record.

warning

Puts the file into Warning mode.

warning‑

Takes the file out of Warning mode.

Example: Restrict Access to a File to All but the Superuser

To give all users except the superuser only READ access to the /etc/passwd file, enter the following command:

chfile /etc/passwd defaccess(read) owner(root)

The following must be true:

Example: Restrict Access to a File by Time

To prevent access to the /home/bob/secrets file and let the owner access the file only on weekdays between 08:00 and 18:00, enter the following command:

newfile /home/bob/secrets defac(none) restrictions(d(weekdays) t(0800:1800))

The following must be true:

Example: Prevent Access to Your Home Directory

To prevent all other users from accessing any file in your home directory (/home/bob), enter the following command on UNIX:

newfile /home/bob/* defaccess(none)

You can do the same on Windows using the following command:

newfile %userprofile%\* defaccess(none)

The following must be true:

More information:

authorize Command—Set Access Authorities on a Resource

chfile Command—Modify Windows File Settings

chfile Command—Modify UNIX File Settings

showfile Command—Display File Properties

rmfile Command—Delete File Records

Access Authority by Class

Warning Mode