

SEOS_syscall

The tokens in the [SEOS_syscall] section configure the SEOS_syscall kernel module.

bypass_NFS

Determines whether files on NFS mounts are bypassed, that is, excluded from SEOS event interception.

Valid values:

0-Do not bypass NFS files.
1-Bypass NFS files.

Default: 0

bypass_realpath

Specifies whether to bypass real path resolution when authorizing file access.

If you enable this setting (1), CA ControlMinder does not resolve a file path to its real path before authorization. This speeds up file event handling, but a generic rule is then matched against the path the process used, not the path it resolves to, so generic rules are not enforced for file accesses made through symbolic links.

Example: A rule that denies access to /realpath/files/* is not applied when this setting is enabled and a user reaches a file in that directory through a link. Create a generic rule for the link path as well (/alternatepath/*).

Default: 0
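
The check an administrator wants before turning this on is a list of the links that such a rule will miss. The shell functions below are an added example, not part of CA ControlMinder: they walk a tree for symbolic links whose resolved target lies inside a protected directory and print the generic-rule pattern that would cover each of them. The directory layout they build is constructed for the demonstration; the names realpath/files and alternatepath follow the example above.

```shell
#!/bin/sh
# Added example (not CA ControlMinder code): list the symbolic links that a
# path-based generic rule misses when bypass_realpath = 1, and print the
# extra generic-rule pattern that would cover each one.

# links_into_dir PROTECTED_DIR SEARCH_ROOT
#   Prints every symbolic link under SEARCH_ROOT whose fully resolved target
#   is PROTECTED_DIR itself or something below it.
links_into_dir() {
    protected=$(readlink -f "$1") || return 1
    find "$2" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || continue
        case $target in
            "$protected"|"$protected"/*) printf '%s\n' "$link" ;;
        esac
    done
}

# suggest_rules PROTECTED_DIR SEARCH_ROOT
#   For each link found, prints the generic-rule pattern that covers accesses
#   through it: LINK/* when the link points at a directory, LINK for a file.
suggest_rules() {
    links_into_dir "$1" "$2" | while IFS= read -r link; do
        if [ -d "$link" ]; then
            printf '%s/*\n' "$link"
        else
            printf '%s\n' "$link"
        fi
    done
}

# demo_setup
#   Builds a constructed directory tree under a temporary root and prints the
#   root: realpath/files holds the protected data, alternatepath holds two
#   links into it, other/null points outside and must not be reported.
demo_setup() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/realpath/files" "$root/alternatepath" "$root/other"
    printf 'secret\n' > "$root/realpath/files/secret.txt"
    ln -s "$root/realpath/files" "$root/alternatepath/files"
    ln -s "$root/realpath/files/secret.txt" "$root/alternatepath/secret"
    ln -s /dev/null "$root/other/null"
    printf '%s\n' "$root"
}

# Usage on a real host:  suggest_rules /realpath/files /
# Demo run:              sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_setup)
    suggest_rules "$root/realpath/files" "$root"
    rm -rf "$root"
fi
```

On the demo tree the output is the two alternatepath entries (the directory link as alternatepath/files/*, the file link as alternatepath/secret) and nothing for other/null, which resolves outside the protected directory. On a live host, run it against / (or the file systems users can reach) and add a generic rule for each printed pattern before setting bypass_realpath = 1.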

cache_enabled

Determines whether to use caching for full path resolution to determine access permissions for files.

Valid values:

0-No caching.
1-Use caching.

Default: 0

cache_rate

Determines the cache rate that is used when caching is enabled for full path resolution.

Larger values mean more caching.

Default: 10000

call_tripAccept_from_seload

Determines whether seload calls tripAccept after CA ControlMinder starts and, if it does, which TCP/IP ports tripAccept connects to in order to wake up the listeners on those ports.

Valid values:

0-Do not call tripAccept from seload.
A comma-separated list of TCP/IP port numbers-Call tripAccept and connect to the listed ports.

Limits: 0-64000

Default: 0

cdserver_conn_res

Determines whether to treat T_CONN_RES streams messages as high priority messages in the fiwput routine on UnixWare.

Valid values:

1-handle T_CONN_RES streams messages as high priority messages in the fiwput routine.

0-handle T_CONN_RES streams messages as low priority messages in the fiwput routine.

Default: 0 (1 on UnixWare)

debug_protect

Determines whether to allow debugging of any program while CA ControlMinder is running.

Valid values:

0-Debugging allowed.
1-Debugging not allowed.

Default: 1

DESCENDENT_dependent

Determines whether only a descendant of a SEOS daemon can register a SEOS service.

Valid values:

0-Any process can register a SEOS service.
1-Only a descendant of a SEOS daemon can register a SEOS service.

Default: 0

dtrace_coexistence

Defines how CA ControlMinder coexists with dtrace. If dtrace is installed and set to monitor system calls, it loads the systrace kernel module. This module interacts with CA ControlMinder with undefined results and can cause a system panic or syscall interception problems.

Valid values:

0-CA ControlMinder prevents dtrace from loading the systrace kernel module.
1-dtrace loads the systrace kernel module. In this case you must make sure that your system loads and unloads the modules and CA ControlMinder in the following order:

  1. Load and start CA ControlMinder (seload)
  2. Load systrace (modprobe systrace)
  3. Run dtrace on system calls
  4. Unload systrace (rmmod systrace)
  5. Stop CA ControlMinder (secons -sk)
  6. Unload CA ControlMinder (SEOS_load -u)

Important: Loading systrace and CA ControlMinder in a different order can result in a system panic or syscall interception problems.

Default: 0 (dtrace is prevented from loading)
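
The order above can be enforced with a preflight check before seload (step 1) and before secons -sk / SEOS_load -u (steps 5 and 6). The script below is an added example, not CA's code. It reads a module list in /proc/modules layout (module name in the first field, as lsmod also prints) and assumes the ControlMinder kernel module is listed under the name SEOS_syscall; the module lists it writes are constructed samples.

```shell
#!/bin/sh
# Added example (not CA code): turn the load-order rule for
# dtrace_coexistence = 1 into a preflight check. Module lists are read in
# /proc/modules layout (module name in the first field, one per line), which
# is also what lsmod prints. Assumption: the ControlMinder kernel module is
# listed under the name SEOS_syscall.

# module_loaded NAME FILE  ->  exit 0 if NAME is listed in FILE
module_loaded() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit !found }' "$2"
}

# seload_preflight FILE
#   Verdict before step 1 (seload). Returns 0 only when it is safe to load:
#   systrace must not be present (it has to come after ControlMinder), and
#   SEOS_syscall must not already be loaded.
seload_preflight() {
    if module_loaded systrace "$1"; then
        echo "STOP: systrace is loaded; rmmod systrace before seload"
        return 1
    fi
    if module_loaded SEOS_syscall "$1"; then
        echo "SKIP: SEOS_syscall is already loaded"
        return 2
    fi
    echo "OK: safe to run seload"
}

# unload_preflight FILE
#   Verdict before steps 5-6 (secons -sk, SEOS_load -u): systrace must be
#   gone first, otherwise the order rule is violated.
unload_preflight() {
    if module_loaded systrace "$1"; then
        echo "STOP: rmmod systrace before stopping and unloading ControlMinder"
        return 1
    fi
    echo "OK: run secons -sk, then SEOS_load -u"
}

# write_sample VARIANT FILE
#   Writes a constructed module list (clean | systrace | seos) in
#   /proc/modules layout for testing; the sizes and addresses are made up.
write_sample() {
    case $1 in
        clean)    printf 'ext4 712704 1 - Live 0x0000000000000000\nnfs 262144 0 - Live 0x0000000000000000\n' ;;
        systrace) printf 'systrace 16384 0 - Live 0x0000000000000000\next4 712704 1 - Live 0x0000000000000000\n' ;;
        seos)     printf 'SEOS_syscall 204800 2 - Live 0x0000000000000000\next4 712704 1 - Live 0x0000000000000000\n' ;;
        *)        return 1 ;;
    esac > "$2"
}

# On a live host:  seload_preflight /proc/modules && seload
#                  unload_preflight /proc/modules && secons -sk && SEOS_load -u
```

The return codes are distinct on purpose: 1 means the order rule would be violated and the operator must act, 2 means there is nothing to do, so a wrapper can chain the real commands with && without masking the difference.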

exec_read_enabled

Specifies whether the CA ControlMinder kernel identifies script execution.

Valid values:

0-CA ControlMinder kernel does not identify script execution.

1-CA ControlMinder kernel identifies script execution.

Default: 0

Note: If the SAM Agent is installed on the endpoint, the default value is 1. When this token is enabled, the SAM Agent can identify shell scripts that use the SAM Agent file (acpwd) without the script being defined as a PROGRAM resource.

file_bypass

Determines whether CA ControlMinder checks file access for files that are not defined in the database. By default, CA ControlMinder checks only files that are defined in the database.

Valid values include the following:

-1-Check only files that are defined in the database.
0-Check all files.

Default: -1

file_rdevice_max

Defines the maximum number of devices in the device protection table.

Default: 0-CA ControlMinder does not protect system devices.

Note: We recommend that you specify a minimum of 20 system devices.

GAC_root

Determines whether to use GAC caching for files when the user is root. By default GAC is not used when the user is root.

Valid values:

0-No caching for root user.
1-Use caching for root.

Default: 0

HPUX11_SeOS_Syscall_number

Determines the default syscall number that is used to communicate with SEOS_syscall on HP-UX.

Valid values include any unused syscall entry number in sysent.

Default: 254

kill_signal_mask

Defines which signals SEOS_syscall protects.

Valid values include a mask that ORs together (includes) all the signals for which SEOS events are wanted.

Default: a mask that covers SIGKILL, SIGSTOP, and SIGTERM. The numeric value varies by platform because signal numbers differ between operating systems.

link_protect

Note: This token is not used.

Determines whether symbolic links are protected.

Valid values:

0-Links are not protected.
1-Links are protected.

Default: 0

LINUX_SeOS_Syscall_number

Determines the default syscall number to communicate with SEOS_syscall on LINUX.

max_generic_file_rules

Defines the maximum number of generic file rules allowed in the database.

Note: A large number may cause strange behaviors on different platforms. For assistance, contact CA Support at http://ca.com/support.

Valid values include any number less than (<) 511.

Note: This token is supported only on AIX, HP, Linux, and Solaris.

Default: 256

max_regular_file_rules

Defines the maximum number of file rules allowed in the database.

Note: A large number may cause strange behaviors on different platforms. For assistance, contact CA Support at http://ca.com/support.

Valid values include any number less than (<) 4095.

Note: This token is supported only on AIX, HP, Linux, and Solaris.

Default: 4096

mount_protect

Determines whether to allow mounting and unmounting of directories that CA ControlMinder uses.

Valid values:

0-Allow mounting and unmounting.
1-Do not allow mounting and unmounting.

Default: 1

proc_bypass

Determines whether to bypass file access checks for files that belong to a process file system (/proc).

Valid values:

0 - The token has no effect; /proc files are subject to the normal file access checks

1 - Bypass file access checks for /proc files

Default: 1

SEOS_network_intercept_type

(Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)

Specifies the type of network interception to use.

Note: To use the Streams method (1), you must also set SEOS_use_streams = yes.

Valid values:

0 - TCP Hook

1 - Streams

2 - Network System Call

Default: 1, except on Solaris 10 Update 2, where the default value is 0.

Important! Do not modify this token yourself. For assistance, contact CA Support at http://ca.com/support.

SEOS_request_timeout

Specifies how long a request is kept in the authorization queue.

Valid values are:

0 - Timeout is disabled

A numerical value from 2 through 1000 - Defines the timeout interval in seconds.

Default: 0

Note: If the timeout is set to less than 2 seconds or more than 1000 seconds, CA ControlMinder uses the default value and no timeout is applied.

SEOS_streams_attach

(Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)

Specifies whether CA ControlMinder, during startup, attaches SEOS Streams to the TCP streams that are already open.

If you change this setting, restart all daemons that already listen on the network so that CA ControlMinder protects them.

Note: To use SEOS_streams_attach, configure SEOS Streams as the network interception method (SEOS_network_intercept_type = 1 and SEOS_use_streams = yes).

Valid values: yes, no

Default: yes

SEOS_unload_enabled

Determines whether the SEOS_syscall kernel module can be unloaded.

Valid values include the following:

0-Do not allow the unload.
1-Allow the unload.

Default: 1

SEOS_use_ioctl

Specifies the communication method between CA ControlMinder and its kernel module (system call or ioctl).

Use the ioctl communication method when all available system call numbers are in use by the operating system.

Valid values:

0-System call
1-ioctl

Default: 0

Important! Do not modify this token yourself. For assistance, contact CA Support at http://ca.com/support.

SEOS_use_streams

(Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)

Specifies whether to use the streams subsystem for network interception.

Valid values: yes, no

Default: no

silent_admin

Defines the numeric UNIX UID of the maintenance user. Activity by this user is permitted when security is down and silent_deny is yes.

Default: 0 (the user ID of root)

silent_deny

Determines whether to deny any event when security is down.

Valid values:

yes-Silent deny is enabled (maintenance mode).

no-Silent deny is disabled.

Default: no

STAT_intercept

Specifies whether to check file access when a stat system call occurs.

If you specify 1 (check file access), CA ControlMinder does not let users without read permission perform operations that retrieve information about a file, and records the attempt as a read in the audit log. If you set this value to 0, any user can get file information.

Valid values:

0-Do not check file access.
1-Check file access.

Default: 0

STOP_enabled

Determines whether to use the STOP feature, which protects from stack overflow attacks.

Valid values:

0-Off
1-On

Default: 0

suid_cache_max

Specifies the maximum number of entries in the setuid cache. The setuid cache is used for managing non-PAM ready login applications such as sftp.

0-The cache is disabled.

Note: Do not change this value unless directed by CA Technologies staff.

Default: 128

synchronize_fork

Determines how fork synchronization is managed.

On HP-UX platforms

1-Report forks from parent
2-Report forks from child

On other platforms

1-Parent reports without synchronization
2-Parent reports with synchronization (not supported on Linux)

Limits: Any value lower than 1 is interpreted as 1. Any value greater than 1 is interpreted as 2.

Note: Do not modify this setting because it may cause strange behaviors on different platforms. For assistance, contact CA Support at http://ca.com/support.

Default: 1

syscall_monitor_enabled

Specifies whether CA ControlMinder monitors processes that are executing CA ControlMinder code. When this is enabled (the default), you can use secons -sc or secons -scl to view these processes.

Valid values:

0-inactive

1-active

Default: 1

threshold_time

Defines how long, in seconds, an intercepted system call can be blocked before it is considered risky. If a process is blocked for a period that is longer than this time, CA ControlMinder reports that SEOS_syscall module unload may fail.

Note: This value affects the unload readiness reports CA ControlMinder provides. For more information, see the Enterprise Administration Guide.

Default: 60

trace_enabled

Determines whether to use the SEOS_syscall circular trace buffer.

Valid values:

0-Do not use tracing.
1-Use tracing.

Default: 0

use_tripAccept

Determines whether to use the tripAccept utility when unloading SEOS_syscall to wake up the blocked accept system calls. This avoids running SEOS_syscall code after the module is unloaded.

Valid values: yes, no

Default: yes