CA ControlMinder maintains generic settings it uses under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\SeOSD
The SeOSD registry key contains the following registry entries:
Defines the pipe name which functions as an audit interface between the audit collector component (within seosd) and the different clients of the audit collector (kernel).
Default: AuditCollector
Defines the size of the audit cache, in number of entries.
Default: 1024
Specifies whether you can add new classes, created with the seclassadm utility, to a CA ControlMinder database.
Default: yes
Determines whether you can add new properties, created with the sepropadm utility, to a CA ControlMinder database.
Default: yes
The directory in which the CA ControlMinder database is located.
Default: ACInstallDir\data\seosdb
Defines the number of threads that CA ControlMinder can use to resolve SIDs into account names.
Default: 5
Defines the timeout, in milliseconds, before CA ControlMinder stops trying to resolve an SID into an account name.
Default: 2000
The list of name suffixes used for matching purposes.
CA ControlMinder appends these suffixes to short host names to create long, fully qualified host names. These names can be authorized in the relevant HOST, CONNECT, or TERMINAL classes. To identify a full name, CA ControlMinder tries to append domain names in the domain_names list to the short name for authorization purposes. For class HOSTNP, CA ControlMinder matches all domain names (listed in this registry) with pattern to resolve into real IP addresses.
No default.
(Optional) Controls logon cache information in the CA ControlMinderSubAuth.dll and defines whether the product enables keeping data for authorization in runtime tables for performance tuning.
Values:
0 - Logon caching is disabled. All logon events are passed to seosd for authorization.
1 - Logon caching is enabled.
Default: 0
Note: This value is set to 1when installing the Enterprise Management Server on a domain controller. After the upgrade, the value is restored to the same value as before the upgrade.
Controls whether the host name to the IP address resolution is applied on IPv6 protocol in addition to IPv4.
Values:
0 - Disables host name resolving over IPv6 protocol.
1 - Enables host name resolving over IPv6 protocol.
Default: 0
This value controls whether the authorization engine uses cached records or records directly from the database.
Valid values:
no - Authorization engine uses database records.
yes - Authorization engine uses cache records.
Default: no
The method of resolving embedded environment variables (for objects in the FILE, SECFILE, PROGRAM, PROCESS, SPECIALPGM, TERMINAL, or USER classes). For example:
newfile %SystemRoot%\temp.txt.
If you select 0, CA ControlMinder tries to resolve all environment variables, an error message is issued to the user, and the object is not created.
If you select 1, CA ControlMinder tries to resolve all environment variables, a warning message is issued to the user, and the object is created.
If you select 2, CA ControlMinder tries to resolve all environment variables and the object is created with no messages.
If you select 3, CA ControlMinder does not try to resolve environment variables.
Note: The PMDB assumes that there are no environment variables, so resolving is never tried.
Default: 2
Specifies whether to use Full Enforcement mode (0) or Audit Only mode (1).
Default: 0
Defines the number of remaining grace logins at which the Change Password dialog appears.
Default: 0
Specifies the method CA ControlMinder uses to resolve host names.
Values:
0—HOST resolution is synchronous (current behavior).
1—HOST resolution is asynchronous (with 'Event Log' reporting)
The effects of this setting are:
2—HOST resolution is asynchronous (without 'Event Log' reporting).
Same as '1' with the exception that notification messages are not written anywhere.
Default: 0
The time for internal cache refresh. The network interception authorization events use the registry value.
Default: 30000
The time the authorization engine waits for reverse IP lookup requests, upon network interception event.
Default: 2000
Defines the time in milliseconds CA ControlMinder waits for transactions with the sub authentication DLL (eACSubAuth.dll) before giving up. When this time passes, CA ControlMinder replies with the value set in LogonTimeOutAnswer.
Default: 4000
Defines the logon answer to the operating system when the LogonTimeOut setting elapses without an answer from CA ControlMinder.
Default: 1 (true)
The number of discrete FILE records you can create in the CA ControlMinder database.
The minimum value is default; if a user sets this value to be less than the default, CA ControlMinder acts as if a minimum were set.
Default: 4096
The number of generic FILE records (name pattern-based records) you can create in the CA ControlMinder database.
The minimum value is default; if a user sets this value to be less than the default, CA ControlMinder acts as if a minimum were set.
Default: 512
Specifies whether to intercept process creation and notify seosd either using kernel or instrumentation mode.
Type: REG_DWORD
Values:
0—Process creation is performed using kernel module
1—Process creation is performed using instrumentation module
Default: 0
Note: If you set the key to 1, CA ControlMinder intercepts process creation through the Windows API only.
This value is addressed only if database was not properly closed on previous session.
If the value is set to 0, the database is verified in a heuristic procedure for correctness (during startup). If the check finds a problem in the database, the database is rebuilt.
If the value is set to 1, the heuristic procedure check function is skipped. The database is rebuilt according to the database integrity check.
Default: 1
The time (in minutes) between consecutive automatic IP refresh requests.
If the value is set to 0, IP refreshes are not automatically performed. If you use a value from 1 through 30, CA ControlMinder uses 30 minutes, which is the minimum amount of time you can set, as the value.
Note: Refresh requests can be time consuming. For more information, see the secons utility -refIP option.
Default: 0
The location where the response.ini, used by eACOexist.exe utility, resides.
Default: ACInstallDir\data\response.ini
Defines the timeout (in minutes) before CA ControlMinder removes unused simulated login user entries from the Accessor Element Entry table (ACEE).
CA ControlMinder performs a simulated login to create ACEE entries when it needs access to information that can be found in the ACEE.
Default: 60
Specifies the SURROGATE class interception mode.
Type: REG_DWORD
Limits: 0 - user mode interception, CA ControlMinder intercepts only the impersonation requests that originate from the RunAs utility; 1 - kernel mode interception, CA ControlMinder intercepts all impersonation requests.
Default: 0
Defines how often trace parameters are updated.
Default: 30
Specifies whether tracing into DbgView or kernel debugger is enabled (1).
Default: 0
Specifies whether tracing into a trace file (SusrauthTraceFileName) is enabled (1).
Default: 0
Defines the full pathname to the trace file.
No default
Specifies how the authorization engine determines which TERMINAL record it verifies during the authorization process.
Values:
name—Authorization engine first looks for a TERMINAL record by name and if one is not found, it looks for an IP address match.
nameonly—Authorization engine looks for a TERMINAL record by name and if one is not found, ceases searching. It ignores TERMINAL records with an IP address format.
IP—Authorization engine first looks for a TERMINAL record by IP address and if one is not found, it looks for a name match.
Note: TERMINAL class supports generic rules defined by wildcards (IP address or host name pattern match). Generic rules are always verified after specific (full-name) rules. For example, if you set this to IP, seosd looks for a TERMINAL resource in the following order: complete IP address match, complete host name match, IP address pattern match, host name pattern match.
Default: nameonly
Specifies the timeout (in milliseconds) that the authorization engine waits for the second consecutive login, upon a Terminal Services connection.
Default: 2000
Note: When a user logs in using a local account, CA ControlMinder receives two login attempt notifications: the first from the local terminal and the second from the terminal server. If the user is assigned grace login count, two login attempts are logged and subtracted from the grace count. Therefore, CA ControlMinder does not update the grace count with the second login if the login attempt occurred within the specified timeout period.
The name of the file to which the trace messages are sent, if trace messages are requested.
Default: ACInstallDir\log\seosd.trace
Type of trace file.
If you do change the value of the value and a trace file exists, the existing trace file is saved with the file name extension .backup and then a new trace file is started in the format you specified.
Default: text
The name of the file that contains the filter data that is used to filter the trace messages. Specify the full path of the file.
Default: ACInstallDir\log\trcfilter.ini
The amount of free space, in KB, to be left in the file system. When the amount of free space is less than this number, CA ControlMinder disables the trace.
Note: Trace is never automatically enabled, even if more space becomes available at a later time.
Default: 5120
The destination of trace messages. Set to none, file, or file,stop.
If you select none, CA ControlMinder does not generate trace messages.
If you select file, CA ControlMinder generates trace messages and sends them to the file listed in the registry trace_file as soon as CA ControlMinder becomes active.
If you select file,stop, CA ControlMinder generates trace messages during the period of service initialization. Once the service is initialized, no more trace messages are generated.
Default: file,stop
|
Copyright © 2013 CA Technologies.
All rights reserved.
|
|