The tokens in the [SEOS_syscall] section are used by the SEOS_syscall kernel module.
Determines whether to exclude (bypass) NFS files from SEOS event interception.
Valid values:
0-Do not bypass NFS files.
1-Bypass NFS files.
Default: 0
Specifies whether to bypass the real file paths resolution for authorization.
If you enable this setting (1), CA ControlMinder does not resolve file paths for authorization. This accelerates file events handling. However, generic rules are not enforced for file accesses that are made using links.
Example: A deny access rule for /realpath/files/* is not considered if this setting is enabled and a user accesses a file in this directory from a link. Create a generic rule for the link too (/alternatepath/*).
Default: 0
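The caveat above (a deny rule on the real path is not applied when the file is reached through a link once path resolution is bypassed) can be reproduced with a small model of generic-rule matching. This is an added illustration, not CA ControlMinder code: `is_denied` and `demo` are hypothetical helpers, the directory tree is constructed in a temporary directory, and realpath/fnmatch matching stands in for the kernel module's own path resolution and rule evaluation.

```python
import fnmatch
import os
import tempfile


def is_denied(path, deny_rules, resolve_real_path):
    """Evaluate generic deny rules (shell-style patterns) against an access path.

    resolve_real_path=True models the default setting (0): symbolic links are
    resolved before the rules are matched. False models setting 1: the path is
    matched exactly as the process supplied it, so a link into a protected
    directory escapes a rule written for the real path.
    """
    if resolve_real_path:
        target = os.path.realpath(path)
    else:
        target = os.path.normpath(path)  # normalises "..", does not follow links
    return any(fnmatch.fnmatchcase(target, rule) for rule in deny_rules)


def demo():
    """Build a constructed tree and return which accesses are denied.

    Layout (under a temporary base directory):
      realpath/files/secret      the protected file
      alternatepath -> realpath/files   a symlink pointing into the directory
    """
    base = os.path.realpath(tempfile.mkdtemp())
    real_dir = os.path.join(base, "realpath", "files")
    os.makedirs(real_dir)
    with open(os.path.join(real_dir, "secret"), "w") as fh:
        fh.write("constructed sample file\n")
    link_dir = os.path.join(base, "alternatepath")
    os.symlink(real_dir, link_dir)

    via_real = os.path.join(real_dir, "secret")
    via_link = os.path.join(link_dir, "secret")

    # Rule set as written in the page's example: only the real path is covered.
    only_real = [os.path.join(base, "realpath", "files", "*")]
    # Rule set with the recommended additional generic rule for the link path.
    with_alt = only_real + [os.path.join(base, "alternatepath", "*")]

    return {
        # Resolution on: the link is resolved, so the real-path rule applies.
        "resolve_on_link": is_denied(via_link, only_real, True),
        # Resolution off: the access path never matches the real-path rule.
        "resolve_off_link": is_denied(via_link, only_real, False),
        # Resolution off still denies direct access to the real path.
        "resolve_off_real": is_denied(via_real, only_real, False),
        # Resolution off, but a rule for the link path closes the gap.
        "resolve_off_link_with_alt_rule": is_denied(via_link, with_alt, False),
    }
```

The third outcome is the one to audit for: with resolution bypassed, every directory reachable through a symbolic link (including links created later by users who can write to a parent directory) needs its own generic rule, or the deny rule is silently ineffective for that path.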
Determines whether to use caching for full path resolution to determine access permissions for files.
Valid values:
0-No caching.
1-Use caching.
Default: 0
Determines the cache rate that is used when caching is enabled for full path resolution.
Larger values increase cache effectiveness.
Default: 10000
Determines whether to call tripAccept from the seload command after CA ControlMinder starts and, if tripAccept is called, defines a list of comma-separated TCP/IP ports that tripAccept should connect to and wake up the ports' listeners.
Valid values are any TCP/IP port number, and:
0-Do not call tripAccept from seload.
Limits: 0-64000
Default: 0
Determines whether to treat T_CONN_RES streams messages as high priority messages in the fiwput routine on UnixWare.
Valid values:
1-handle T_CONN_RES streams messages as high priority messages in the fiwput routine.
0-handle T_CONN_RES streams messages as low priority messages in the fiwput routine.
Default: 0 (1 on UnixWare)
Determines whether to allow debugging of any program while CA ControlMinder is running.
Valid values:
0-Debugging allowed.
1-Debugging not allowed.
Default: 1
Determines whether only a descendant of a SEOS daemon can register a SEOS service.
Valid values:
0-Any process can register a SEOS service.
1-Only a descendant of a SEOS daemon can register a SEOS service.
Default: 0
Defines how CA ControlMinder coexists with dtrace. If dtrace is installed and set to monitor syscalls, it loads the systrace kernel module. This module interacts with CA ControlMinder with undefined results and can cause a system panic or syscall interception problems.
Valid values:
0-CA ControlMinder prevents dtrace from loading the systrace kernel module.
1-Dtrace loads the Systrace kernel module. In this case you must ensure that your system loads the modules and CA ControlMinder in the following order:
Important: Loading systrace and CA ControlMinder in a different order can result in a system panic or syscall interception problems.
Default: 0 (dtrace is prevented from loading)
Specifies whether the CA ControlMinder kernel identifies script execution.
Valid values:
0-CA ControlMinder kernel does not identify script execution.
1-CA ControlMinder kernel identifies script execution.
Default: 0
Note: If the SAM Agent is installed on the endpoint, the default value is 1. When enabled, the SAM Agent can identify shell scripts that use the SAM Agent file (acpwd) without the script being defined as a PROGRAM resource.
Indicates whether CA ControlMinder checks file access for files that are not defined in the database. By default CA ControlMinder does not check files that are not defined in the database.
Valid values include the following:
-1-Do not check all files.
0-Check all files.
Default: -1
Defines the maximum number of devices in the device protection table.
Default: 0-CA ControlMinder does not protect system devices.
Note: We recommend that you specify a minimum of 20 system devices.
Determines whether to use GAC caching for files when the user is root. By default GAC is not used when the user is root.
Valid values:
0-No caching for root user.
1-Use caching for root.
Default: 0
Determines the default syscall number to communicate with SEOS_syscall on HP‑UX.
Valid values include any unused syscall entry number in sysent.
Default: 254
Defines which signals to protect.
Valid values include a bit mask that ORs together all the signals for which SEOS events are wanted.
Default: SIGKILL, SIGSTOP, and SIGTERM events. The actual numeric value varies by platform:
Note: This token is not used
Determines whether a symbolic link will be protected.
Valid values:
0-Links are not protected.
1-Links are protected.
Default: 0
Determines the default syscall number to communicate with SEOS_syscall on LINUX.
Defines the maximum number of generic file rules allowed in the database.
Note: A large number may cause unexpected behavior on some platforms. For assistance, contact CA Support at http://ca.com/support.
Valid values include any number greater than (<) 511.
Note: This token is supported only on AIX, HP, Linux, and Solaris.
Default: 256
Defines the maximum number of file rules allowed in the database.
Note: A large number may cause unexpected behavior on some platforms. For assistance, contact CA Support at http://ca.com/support.
Valid values include any number greater than (<) 4095.
Note: This token is supported only on AIX, HP, Linux, and Solaris.
Default: 4096
Determines whether to allow mount and unmount of directories used by CA ControlMinder.
Valid values:
0-Allow mounting.
1-Do not allow mounting.
Default: 1
Determines whether to check file access when a file belongs to a process file system (/proc).
Valid values:
0 - Token is ignored
1 - Bypass file access checks
Default: 1
(Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)
Specifies the type of network interception to use.
Note: You must also set SEOS_use_streams = yes
Valid values:
0 - TCP Hook
1 - Streams
2 - Network System Call
Default: 1, except on a Solaris 10 Update 2 where the default value is 0.
Important! Do not modify this token yourself. For assistance, contact CA Support at http://ca.com/support.
Specifies the time to keep a request in the authorization queue.
Valid values are:
0 - Timeout is disabled
A numerical value from 2 through 1000 - Defines the timeout interval in seconds.
Default: 0
Note: If the timeout is set to less than 2 seconds or more than 1000 seconds, CA ControlMinder assigns the default value and no timeout is applied.
(Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)
Specifies whether CA ControlMinder, during startup, attaches the SEOS Streams to the open TCP streams.
If you change this setting, restart any daemons that are already listening on the network so that CA ControlMinder protects them.
Note: To use SEOS_streams_attach, configure SEOS Streams as the network interception method.
Valid values: yes, no
Default: yes
Determines whether the SEOS_syscall kernel module can be unloaded.
Valid values include the following:
0-Do not allow the unload.
1-Allow the unload.
Default: 1
Specifies the CA ControlMinder kernel module communication method (ioctl or system call).
You can use the ioctl communication method when all available system call numbers are in use by the operating system.
Values: 0-system call 1-ioctl
Default: 0
Important! Do not modify this token yourself. For assistance, contact CA Support at http://ca.com/support.
(Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)
Specifies whether to use streams subsystem for network interception.
Valid values: yes, no
Default: no
Defines the user IDs of the maintenance users. Activity by these users is permitted when security is down and silent_deny is yes. To define a maintenance user, use the numeric UNIX UID of the user.
Default: 0 (the user ID of root)
Determines whether to deny any event when security is down.
Valid values:
yes-Silent deny is enabled (maintenance mode).
no-Silent deny is disabled.
Default: no
Specifies whether to check file access when a stat system call occurs.
If you specify 1 (check file access), CA ControlMinder does not let users without read permission perform operations that retrieve information about a file, and records the access as a read in the audit log. If you set this value to 0, any user can retrieve file information.
0-Do not check file access.
1-Check file access.
Default: 0
Determines whether to use the STOP feature, which protects against stack overflow attacks.
Valid values:
0-Off
1-On
Default: 0
Specifies the maximum number of entries in the setuid cache. The setuid cache is used to manage login applications that are not PAM-ready, such as sftp.
0-The cache is disabled.
Note: Do not change this value unless directed by CA Technologies staff.
Default: 128
Determines how fork synchronization is managed.
On HP-UX platforms
1-Report forks from parent
2-Report forks from child
On other platforms
1-Parent reports without synchronization
2-Parent reports with synchronization (not supported on Linux)
Limits: Any value lower than 1 is interpreted as 1. Any value greater than 1 is interpreted as 2.
Note: Do not modify this setting; doing so may cause unexpected behavior on some platforms. For assistance, contact CA Support at http://ca.com/support.
Default: 1
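Several tokens on this page silently normalise out-of-range values rather than rejecting them: the tripAccept port list (0 means do not call tripAccept, otherwise ports within 0-64000), the signal mask (an OR of the wanted signals, whose numeric value depends on the platform), the authorization queue timeout (values outside 2-1000 fall back to the default of 0, which disables the timeout), and the fork synchronisation setting (values below 1 are read as 1, values above 1 as 2). The following added example, which is not CA ControlMinder code, encodes those documented rules so that a seos.ini value can be checked for what it will actually mean before it is deployed. The function names are hypothetical; the assumption that a signal occupies bit `signo - 1` of the mask is the conventional sigset layout and is not stated on the page.

```python
import signal


def effective_auth_timeout(value):
    """Seconds a request may sit in the authorization queue.

    0 disables the timeout; 2..1000 is honoured as written; anything else is
    replaced by the default (0), so a typo such as 1 or 5000 silently removes
    the timeout instead of producing an error.
    """
    v = int(value)
    return v if 2 <= v <= 1000 else 0


def effective_fork_sync(value):
    """Fork synchronisation mode after the documented clamping.

    Anything lower than 1 is interpreted as 1, anything greater than 1 as 2.
    """
    v = int(value)
    return 1 if v <= 1 else 2


def parse_tripaccept_ports(value):
    """Port list that tripAccept should wake up after seload starts.

    '0' means tripAccept is not called (empty list). Otherwise each
    comma-separated entry must be a port number within the documented limits
    0-64000; an entry outside that range is rejected rather than guessed at.
    """
    ports = [int(p) for p in str(value).split(",") if p.strip()]
    if ports == [0]:
        return []
    for p in ports:
        if not 0 <= p <= 64000:
            raise ValueError("port %d outside the documented limits 0-64000" % p)
    return ports


def signal_mask(names):
    """OR together the platform's numbers for the named signals.

    Assumption (not on the page): signal N is represented by bit N-1, the
    usual sigset convention. The result differs between platforms because the
    signal numbers do, which is why the page gives no single default value.
    """
    mask = 0
    for name in names:
        signo = int(getattr(signal, name))
        mask |= 1 << (signo - 1)
    return mask


def signals_in_mask(mask):
    """Inverse of signal_mask: the signal names whose bit is set."""
    found = []
    for name in sorted(signal.Signals.__members__):
        signo = int(getattr(signal, name))
        if mask & (1 << (signo - 1)):
            found.append(name)
    return found


def audit_values(timeout, fork_sync, ports, signals):
    """Return what a set of raw seos.ini values resolves to, plus warnings."""
    warnings = []
    eff_timeout = effective_auth_timeout(timeout)
    if int(timeout) != eff_timeout:
        warnings.append("timeout %s is out of range; no timeout will apply" % timeout)
    eff_fork = effective_fork_sync(fork_sync)
    if int(fork_sync) != eff_fork:
        warnings.append("fork sync %s clamped to %d" % (fork_sync, eff_fork))
    return {
        "timeout": eff_timeout,
        "fork_sync": eff_fork,
        "ports": parse_tripaccept_ports(ports),
        "signal_mask": signal_mask(signals),
        "warnings": warnings,
    }
```

The warnings are the point: a timeout of 1 second looks like a tight setting in the file but runs with no timeout at all, and a fork synchronisation value of 3 runs as 2, which the page notes is unsupported on Linux.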
Specifies whether CA ControlMinder monitors processes that are executing CA ControlMinder code. When this is enabled (the default), you can use secons -sc or secons -scl to view these processes.
Valid values:
0-inactive
1-active
Default: 1
Defines how long, in seconds, an intercepted system call can be blocked before it is considered risky. If a process is blocked for a period that is longer than this time, CA ControlMinder reports that SEOS_syscall module unload may fail.
Note: This value affects the unload readiness reports CA ControlMinder provides. For more information, see the Enterprise Administration Guide.
Default: 60
Determines whether to use the SEOS_syscall circular trace buffer.
Valid values:
0-Do not use tracing.
1-Use tracing.
Default: 0
Determines whether to use the tripAccept utility when unloading SEOS_syscall to wake up the blocked accept system calls. This avoids running SEOS_syscall code after the module is unloaded.
Valid values: yes, no
Default: yes
Copyright © 2013 CA Technologies.
All rights reserved.