

SeOSD Key—Registry Settings

CA ControlMinder maintains generic settings it uses under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\SeOSD

The SeOSD registry key contains the following registry entries:

AuditCollectorInterfaceName

Defines the name of the pipe that serves as the audit interface between the audit collector component (within seosd) and the different clients of the audit collector (kernel).

Default: AuditCollector

AuditServerCacheSize

Defines the size of the audit cache, in number of entries.

Default: 1024

CreateNewClasses

Specifies whether you can add new classes, created with the seclassadm utility, to a CA ControlMinder database.

Default: yes

CreateNewProps

Determines whether you can add new properties, created with the sepropadm utility, to a CA ControlMinder database.

Default: yes

dbdir

The directory in which the CA ControlMinder database is located.

Default: ACInstallDir\data\seosdb

DefLookupThreads

Defines the number of threads that CA ControlMinder can use to resolve SIDs into account names.

Default: 5

DefLookupTimeout

Defines the timeout, in milliseconds, before CA ControlMinder stops trying to resolve an SID into an account name.

Default: 2000

domain_names

The list of name suffixes used for matching purposes.

CA ControlMinder appends these suffixes to short host names to create long, fully qualified host names. These names can be authorized in the relevant HOST, CONNECT, or TERMINAL classes. To identify a full name, CA ControlMinder tries to append each domain name in the domain_names list to the short name for authorization purposes. For the HOSTNP class, CA ControlMinder matches all domain names listed in this registry value against the pattern to resolve it into real IP addresses.

No default.

EnableCachedLogonInfo

(Optional) Controls logon cache information in the CA ControlMinderSubAuth.dll and determines whether the product keeps authorization data in runtime tables for performance tuning.

Values:

0 - Logon caching is disabled. All logon events are passed to seosd for authorization.

1 - Logon caching is enabled.

Default: 0

Note: This value is set to 1 when installing the Enterprise Management Server on a domain controller. After the upgrade, the value is restored to the same value as before the upgrade.

EnableIPv6Resolving

Controls whether host name to IP address resolution is performed over the IPv6 protocol in addition to IPv4.

Values:

0 - Disables host name resolving over IPv6 protocol.

1 - Enables host name resolving over IPv6 protocol.

Default: 0

EnablePolicyCache

This value controls whether the authorization engine uses cached records or records directly from the database.

Valid values:

no - Authorization engine uses database records.

yes - Authorization engine uses cache records.

Default: no

EnvVarResolvingMode

The method of resolving embedded environment variables (for objects in the FILE, SECFILE, PROGRAM, PROCESS, SPECIALPGM, TERMINAL, or USER classes). For example:

newfile %SystemRoot%\temp.txt.

If you select 0, CA ControlMinder tries to resolve all environment variables, an error message is issued to the user, and the object is not created.

If you select 1, CA ControlMinder tries to resolve all environment variables, a warning message is issued to the user, and the object is created.

If you select 2, CA ControlMinder tries to resolve all environment variables and the object is created with no messages.

If you select 3, CA ControlMinder does not try to resolve environment variables.

Note: The PMDB assumes that there are no environment variables, so resolving is never tried.

Default: 2

GeneralInterceptionMode

Specifies whether to use Full Enforcement mode (0) or Audit Only mode (1).

Default: 0

GraceCountForMessage

Defines the number of remaining grace logins at which the Change Password dialog appears.

Default: 0

HostResolutionMode

Specifies the method CA ControlMinder uses to resolve host names.

Values:

0—HOST resolution is synchronous (current behavior).

1—HOST resolution is asynchronous (with 'Event Log' reporting)

The effects of this setting are:

2—HOST resolution is asynchronous (without 'Event Log' reporting).

Same as '1' with the exception that notification messages are not written anywhere.

Default: 0

HostResolutionRenewal

The interval at which the internal host resolution cache is refreshed. Network interception authorization events use this registry value.

Default: 30000

HostResolutionTimeout

The time the authorization engine waits for reverse IP lookup requests upon a network interception event.

Default: 2000

LogonTimeOut

Defines the time in milliseconds CA ControlMinder waits for transactions with the sub authentication DLL (eACSubAuth.dll) before giving up. When this time passes, CA ControlMinder replies with the value set in LogonTimeOutAnswer.

Default: 4000

LogonTimeOutAnswer

Defines the logon answer to the operating system when the LogonTimeOut setting elapses without an answer from CA ControlMinder.

Default: 1 (true)

MaximumDiscreteFILELimit

The number of discrete FILE records you can create in the CA ControlMinder database.

The default is also the minimum; if you set this value lower than the default, CA ControlMinder behaves as if the default (minimum) were set.

Default: 4096

MaximumGenericFILELimit

The number of generic FILE records (name pattern-based records) you can create in the CA ControlMinder database.

The default is also the minimum; if you set this value lower than the default, CA ControlMinder behaves as if the default (minimum) were set.

Default: 512

ProcessCreationNotificationMode

Specifies whether process creation is intercepted, and seosd notified, using the kernel module or the instrumentation module.

Type: REG_DWORD

Values:

0—Process creation is performed using kernel module

1—Process creation is performed using instrumentation module

Default: 0

Note: If you set the key to 1, CA ControlMinder intercepts process creation through the Windows API only.

RebuildSuspiciousDatabase

This value is consulted only if the database was not properly closed in the previous session.

If the value is set to 0, the database is verified in a heuristic procedure for correctness (during startup). If the check finds a problem in the database, the database is rebuilt.

If the value is set to 1, the heuristic procedure check function is skipped. The database is rebuilt according to the database integrity check.

Default: 1

RefreshIPInterval

The time (in minutes) between consecutive automatic IP refresh requests.

If the value is set to 0, IP refreshes are not performed automatically. If you set a value from 1 through 30, CA ControlMinder uses 30 minutes, which is the minimum interval you can set.

Note: Refresh requests can be time consuming. For more information, see the secons utility -refIP option.

Default: 0

ResponseFile

The location where the response.ini, used by eACOexist.exe utility, resides.

Default: ACInstallDir\data\response.ini

sim_login_timeout

Defines the timeout (in minutes) before CA ControlMinder removes unused simulated login user entries from the Accessor Element Entry table (ACEE).

CA ControlMinder performs a simulated login to create ACEE entries when it needs access to information that can be found in the ACEE.

Default: 60

SurrogateInterceptionMode

Specifies the SURROGATE class interception mode.

Type: REG_DWORD

Values:

0 - User mode interception. CA ControlMinder intercepts only the impersonation requests that originate from the RunAs utility.

1 - Kernel mode interception. CA ControlMinder intercepts all impersonation requests.

Default: 0

SusrauthReadParamsSec

Defines how often trace parameters are updated.

Default: 30

SusrauthTraceDbgEnable

Specifies whether tracing to DbgView or a kernel debugger is enabled (1 enables it).

Default: 0

SusrauthTraceFileEnable

Specifies whether tracing to a trace file (the file named by SusrauthTraceFileName) is enabled (1 enables it).

Default: 0

SusrauthTraceFileName

Defines the full pathname to the trace file.

No default.

TerminalSearchOrder

Specifies how the authorization engine determines which TERMINAL record it verifies during the authorization process.

Values:

name—Authorization engine first looks for a TERMINAL record by name and if one is not found, it looks for an IP address match.

nameonly—Authorization engine looks for a TERMINAL record by name and if one is not found, ceases searching. It ignores TERMINAL records with an IP address format.

IP—Authorization engine first looks for a TERMINAL record by IP address and if one is not found, it looks for a name match.

Note: TERMINAL class supports generic rules defined by wildcards (IP address or host name pattern match). Generic rules are always verified after specific (full-name) rules. For example, if you set this to IP, seosd looks for a TERMINAL resource in the following order: complete IP address match, complete host name match, IP address pattern match, host name pattern match.

Default: nameonly
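The lookup order above, worked through in PowerShell as an added example (not CA's own code): it reports which TERMINAL record seosd consults first for a connecting terminal under each TerminalSearchOrder value. It assumes wildcard rules follow PowerShell -like syntax (* and ?), that an IP-format record is one made only of digits, dots and wildcards, and that the name order mirrors the IP order the note gives (complete name, complete IP, name pattern, IP pattern); none of those details are stated on this page.

```powershell
function Test-IpFormat([string]$Rule) {
    # Assumption: a record made only of digits, dots and wildcards is an IP-format record.
    return $Rule -match '^[0-9.*?]+$'
}
function Test-Generic([string]$Rule) { return $Rule -match '[*?]' }

function Find-TerminalRecord {
    param(
        [string[]]$Records,                 # TERMINAL record names in the database
        [string]$HostName,                  # resolved host name of the connecting terminal
        [string]$IpAddress,                 # its IP address
        [ValidateSet('name', 'nameonly', 'IP')][string]$SearchOrder = 'nameonly'
    )
    $byName = @{ Ip = $false; Subject = $HostName }
    $byIp   = @{ Ip = $true;  Subject = $IpAddress }
    # nameonly ignores IP-format records entirely; the other two try both kinds.
    $order = switch ($SearchOrder) {
        'name'     { $byName, $byIp }
        'nameonly' { $byName }
        'IP'       { $byIp, $byName }
    }
    # Specific (full-name) rules are always verified before generic (wildcard) rules.
    foreach ($generic in $false, $true) {
        foreach ($o in $order) {
            foreach ($r in $Records) {
                if ((Test-IpFormat $r) -ne $o.Ip)    { continue }
                if ((Test-Generic  $r) -ne $generic) { continue }
                $hit = if ($generic) { $o.Subject -like $r } else { $o.Subject -eq $r }
                if ($hit) { return $r }
            }
        }
    }
    return $null
}

# Constructed sample: three TERMINAL records and one connecting terminal.
$records = @('10.0.0.*', 'ws-*.corp.example', '10.0.0.25')
foreach ($mode in 'name', 'nameonly', 'IP') {
    $hit = Find-TerminalRecord -Records $records -HostName 'ws-07.corp.example' `
                               -IpAddress '10.0.0.25' -SearchOrder $mode
    '{0,-8} -> {1}' -f $mode, $hit
}
```

With this sample, name and IP both pick the complete IP record 10.0.0.25 because a full-name rule beats the host name pattern, while nameonly never considers IP records and falls through to ws-*.corp.example.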

TermSrvTimeout

Specifies the timeout (in milliseconds) that the authorization engine waits for the second consecutive login, upon a Terminal Services connection.

Default: 2000

Note: When a user logs in using a local account, CA ControlMinder receives two login attempt notifications: the first from the local terminal and the second from the terminal server. If the user is assigned grace login count, two login attempts are logged and subtracted from the grace count. Therefore, CA ControlMinder does not update the grace count with the second login if the login attempt occurred within the specified timeout period.

trace_file

The name of the file to which the trace messages are sent, if trace messages are requested.

Default: ACInstallDir\log\seosd.trace

trace_file_type

Type of trace file.

If you change this value and a trace file exists, the existing trace file is saved with the file name extension .backup and a new trace file is started in the format you specified.

Default: text

trace_filter

The name of the file that contains the filter data that is used to filter the trace messages. Specify the full path of the file.

Default: ACInstallDir\log\trcfilter.ini

trace_space_saver

The amount of free space, in KB, to be left in the file system. When the amount of free space is less than this number, CA ControlMinder disables the trace.

Note: Trace is never automatically enabled, even if more space becomes available at a later time.

Default: 5120

trace_to

The destination of trace messages. Set to none, file, or file,stop.

If you select none, CA ControlMinder does not generate trace messages.

If you select file, CA ControlMinder generates trace messages and sends them to the file listed in the registry trace_file as soon as CA ControlMinder becomes active.

If you select file,stop, CA ControlMinder generates trace messages during the period of service initialization. Once the service is initialized, no more trace messages are generated.

Default: file,stop
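An added PowerShell check, not CA's own code, that reads the SeOSD key described on this page, compares selected entries against their documented defaults, and annotates the values the page describes as narrowing what is intercepted or enforced. The defaults and notes are copied from the entries above; it assumes that an absent entry means seosd uses the documented default.

```powershell
# Added example: audit the SeOSD key against the defaults documented on this page.
$KeyPath = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\SeOSD'

# Documented defaults, copied from the entries above.
$Defaults = @{
    GeneralInterceptionMode         = 0
    SurrogateInterceptionMode       = 0
    ProcessCreationNotificationMode = 0
    EnablePolicyCache               = 'no'
    EnableCachedLogonInfo           = 0
    EnvVarResolvingMode             = 2
    RebuildSuspiciousDatabase       = 1
    LogonTimeOut                    = 4000
    LogonTimeOutAnswer              = 1
    trace_to                        = 'file,stop'
}

# Values the reference describes as narrowing interception or enforcement.
$Notes = @{
    'GeneralInterceptionMode=1'         = 'Audit Only mode instead of Full Enforcement'
    'SurrogateInterceptionMode=0'       = 'user-mode interception: only RunAs impersonation requests are intercepted'
    'ProcessCreationNotificationMode=1' = 'instrumentation mode: process creation intercepted through the Windows API only'
    'LogonTimeOutAnswer=1'              = 'logon answer to the OS is true when seosd does not reply within LogonTimeOut'
}

function Get-SeosdAudit {
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -Path $Path)) { throw "Registry key not found: $Path" }
    $props = Get-ItemProperty -Path $Path
    foreach ($name in ($Defaults.Keys | Sort-Object)) {
        $current = $props.$name
        # Assumption: an absent entry means seosd falls back to the documented default.
        $effective = if ($null -eq $current) { $Defaults[$name] } else { $current }
        [pscustomobject]@{
            Name      = $name
            Effective = $effective
            Default   = $Defaults[$name]
            IsDefault = ("$effective" -eq "$($Defaults[$name])")
            Note      = $Notes["$name=$effective"]   # $null when the value carries no note
        }
    }
}

Get-SeosdAudit | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint; rows with a Note deserve a second look even when IsDefault is true, since SurrogateInterceptionMode and LogonTimeOutAnswer are annotated at their default values.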