Valid in the AC environment
Use the chfile, editfile, and newfile commands to work with records in the FILE class. These commands are identical in structure and only vary in the following way:
Note: This command also exists in the native environment but operates differently.
To add or change a record for a file belonging to the FILE class, you must have sufficient authority over the file. CA ControlMinder makes the following checks until one of the following conditions is met:
{{chfile|cf}|{editfile|ef}|{newfile|nf}} filename... \
[audit(none|all|success|failure)] \
[category[-](categoryName)] \
[comment(string)|comment-] \
[defaccess(accessAuthority)] \
[label(labelName)|label-] \
[level(number)|level-] \
[notify(mailAddress)|notify-] \
[gowner(groupName)] \
[owner({userName|groupName})] \
[restrictions( \
    [days({anyday|weekdays|{[mon] [tue] [wed] [thu] [fri] [sat] [sun]}})] \
    [time({anytime|startTime:endTime})] \
 )|restrictions-] \
[warning|warning-]
audit(none|all|success|failure)
Specifies which access events are logged. The types of access are:
Note: To use the audit parameter, you must have the AUDITOR attribute.
category(categoryName)
Defines a space- or comma-separated list of security category records (defined in the CATEGORY class) to assign to the file.
If you specify the category parameter when the CATEGORY class is not active, CA ControlMinder updates the definition of the file in the database; however, the updated category assignment has no effect until the CATEGORY class is activated again.
Note: For more information about security category checking, see the Endpoint Administration Guide for your OS.
category-(categoryName)
Deletes one or more security categories from the resource record. When removing more than one security category, separate the security category names with a space or a comma.
The specified security categories are deleted from the resource record, regardless of whether the CATEGORY class is active.
Note: This parameter is only valid when modifying a record.
comment(string)
Adds an alphanumeric string to the file record. If you previously added a comment string to the file record, the new string specified here replaces the existing string.
Format: Up to 255 characters including double bytes and special characters. If the string contains any blanks, enclose the string in quotation marks.
comment-
Deletes the comment string from the file record.
Note: This parameter is only valid when modifying a record.
defaccess(accessAuthority)
Specifies the default access authority for the file. The default access authority is the authority granted to any accessor that requests access to the file but is not in the access control lists of the file. The default access also applies to users who are not defined in the database.
filename
Defines the name of the file record. At least one file name must be specified.
If you are adding or changing a record in class FILE using a generic file name, use the wildcard expressions permitted in selang. When defining or changing more than one record, enclose the list of file names in parentheses and separate the file names with a space or a comma.
Note: If more than one file name is specified, CA ControlMinder processes each file record independently in accordance with the specified parameters. If an error occurs while processing a file, CA ControlMinder issues a message and continues processing with the next file in the list.
gowner(groupName)
Assigns a CA ControlMinder group as the owner of the file record. The group owner of the file record has unrestricted access to the file, provided the group owner's security level, security label, and security category authorities are sufficient to allow access to the file. The group owner of the file is always permitted to update and delete the file record.
label(labelName)
Assigns to the file a security label defined in the SECLABEL class. A security label represents an association between a particular security level and zero or more security categories. If the resource record currently contains a security label, the security label specified here replaces the current security label.
Note: For more information about security label checking, see the Endpoint Administration Guide for your OS.
label-
Deletes the security label defined in the file record.
Note: This parameter is only valid when modifying a record.
level(number)
Assigns a security level to the resource record. Enter a positive integer between 1 and 255. If a security level was previously assigned to the resource record, the new value replaces the existing value.
Note: For more information about security level checking, see the Endpoint Administration Guide for your OS.
level-
Stops CA ControlMinder from performing security level checking for the resource.
Note: This parameter is only valid when modifying a record.
notify(mailAddress)
Instructs CA ControlMinder to send notification messages whenever the file represented by the resource record is successfully accessed. Enter a user name, the email address of a user, or the email address of a mail group if an alias is specified.
Notification takes place only when the Log Routing System is active. The notification messages are sent either to the screen or to the mailbox of the users, depending on the setup of the Log Routing System.
Each time a notification message is sent, an audit record is written in the audit log.
The recipient of notify messages should log in frequently to respond to the unauthorized access attempts described in each message.
Limit: 30 characters.
Note: For information about filtering and viewing audit records, see the Endpoint Administration Guide for your OS.
notify-
Specifies that no one is notified when CA ControlMinder grants access to the file represented by the record.
Note: This parameter is only valid when modifying a record.
owner({userName|groupName})
Assigns a CA ControlMinder user or group as the owner of the file record. The owner of the file record has unrestricted access to the file, provided the owner's security level, security label, and security category authorities are sufficient to allow access to the file. The owner of the file is always permitted to update and delete the file record.
restrictions([days(...)] [time(...)])
Specifies the days of the week and the hours in the day when the file is accessible to users.
If you omit the days argument and specify the time argument, the time restriction applies to any day-of-week restriction already indicated in the record. If you omit time and specify days, the day restriction applies to any time restriction already indicated in the record. If you specify both days and time, users are allowed to access the file only during the specified time period on the specified days.
days({anyday|weekdays|{[mon] [tue] [wed] [thu] [fri] [sat] [sun]}})
Specifies the days on which users can access the file. The days argument takes the following sub-arguments:
time({anytime|startTime:endTime})
Specifies the period during which users can access the file. The time argument takes the following sub-arguments:
restrictions-
Deletes any restrictions that limit the ability to access the file.
Note: This parameter is only valid when modifying a record.
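The merge rule for the days and time sub-arguments described above, as an added model in Python (not CA ControlMinder code): an omitted sub-argument keeps the value already in the record, a given one replaces it, and the resulting window is then evaluated for a moment in time. The HHMM format of startTime:endTime and the exclusive end time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Tuple

# Day names in datetime.weekday() order (Monday == 0).
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


@dataclass(frozen=True)
class Restrictions:
    """Model of a FILE record's restrictions() block (not the product's data structure)."""
    days: FrozenSet[str] = frozenset(DAYS)   # anyday
    time: Tuple[int, int] = (0, 2400)        # anytime, as HHMM start/end (assumed format)


def parse_days(arg: str) -> FrozenSet[str]:
    """Parse a days(...) sub-argument: anyday, weekdays, or space-separated day names."""
    names = arg.lower().replace(",", " ").split()
    if names == ["anyday"]:
        return frozenset(DAYS)
    if names == ["weekdays"]:
        return frozenset(DAYS[:5])
    if not names or any(n not in DAYS for n in names):
        raise ValueError(f"invalid days argument: {arg!r}")
    return frozenset(names)


def parse_time(arg: str) -> Tuple[int, int]:
    """Parse a time(...) sub-argument: anytime or startTime:endTime in HHMM."""
    if arg.lower() == "anytime":
        return (0, 2400)
    start, end = (int(part) for part in arg.split(":"))
    if not (0 <= start < end <= 2400):
        raise ValueError(f"invalid time window: {arg!r}")
    return (start, end)


def apply_restrictions(current: Restrictions, days: Optional[str] = None,
                       time: Optional[str] = None) -> Restrictions:
    """Apply a chfile restrictions(...) update: an omitted sub-argument (None) keeps
    the value already in the record; a given one replaces it."""
    return Restrictions(
        days=parse_days(days) if days is not None else current.days,
        time=parse_time(time) if time is not None else current.time,
    )


def access_allowed(rec: Restrictions, when: datetime) -> bool:
    """True if the record's window permits access at `when` (end time exclusive, assumed)."""
    hhmm = when.hour * 100 + when.minute
    return DAYS[when.weekday()] in rec.days and rec.time[0] <= hhmm < rec.time[1]
```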
warning
Puts the file into Warning mode.
warning-
Takes the file out of Warning mode.
Example: Restrict Access to a File to All but the Superuser
To restrict access to the /etc/passwd file to READ access to all users except the superuser, enter the following command:
chfile /etc/passwd defaccess(read) owner(root)
The following must be true:
Example: Restrict Access to a File by Time
To prevent access to the /home/bob/secrets file and let the owner access the file only on weekdays between 08:00 and 18:00, enter the following command:
newfile /home/bob/secrets defac(none) restrictions(d(weekdays) t(0800:1800))
The following must be true:
Example: Prevent Access to Your Home Directory
To prevent all other users from accessing any file in your home directory (/home/bob), enter the following command on UNIX:
newfile /home/bob/* defaccess(none)
You can do the same on Windows using the following command:
newfile %userprofile%\* defaccess(none)
The following must be true:
Copyright © 2013 CA Technologies.
All rights reserved.