seosd

In the [seosd] section, the tokens determine the behavior of the authorization daemon and the cache utility for performance improvement.

autobypass_level

Specifies the level of automatic program bypass.

Values:

disabled — auto-bypass is disabled

info — save bypass information in run-time table

bypass — save information and enable auto-bypass until next restart.

Default: bypass

Example: autobypass_level = bypass

bypass_filenames

Specifies a file that contains a list of file names to be exempted from seos events.

Example: bypass_filenames = /opt/CA/AccessControl/bin/bypass_filenames

Default: Token not set

bypass_nfs_port

Specifies whether the port used by NFS (port 2049) is bypassed for CONNECT. The bypass exists to let NFS function correctly.

If you change the value of this token to no, there will be no bypass for this port. Make sure that you then provide the required CA ControlMinder rules to replace this bypass. Following is an example of such rules (you cannot use them as is):

nr hostnet all mask (0.0.0.0) match(0.0.0.0)
nr TCP 2049 owner(nobody) defaccess(none)
authorize TCP 2049 hostnet(all) access(w) uid(root)
nr TCP nfsd owner(nobody) defaccess(none)
authorize TCP nfsd hostnet(all) access(w) uid(root)

Note: If you set the value of this token to no but do not provide the correct CA ControlMinder rules, NFS stops working.

Default: yes

bypass_outgoing_TCPIP

Defines a comma-separated list of ports for which seos_syscall will not pass outgoing connection events to seosd.

Default: Token not set

bypass_suid_for_login

Specifies the path of the login program for which the dummy SUID system calls should be ignored.

This is used with some login programs, such as samba, which generate a large number of dummy SUID system calls. These system calls may interfere with the correct recognition of the user who is logging in.

Default: none

bypass_suid_program

Allows multiple su commands. On some platforms, the system's su binary works in a nonstandard way: When an su command to a non-root user is requested, it executes su to root prior to executing su to the requested user.

If CA ControlMinder surrogate protection is set for the root user, it may prevent the successful execution of an su to non-root users as well.

To use the surrogate protection for the root user on such platforms and still be able to su to non-root users without interruption, set the bypass_suid_program token to contain the real path for the system's su binary.

Default: none

bypass_system_files

Determines whether the CA ControlMinder authorization engine should bypass read access for the /etc/passwd and /etc/group system files.

Valid values are:

yes-bypasses read access to system files.

no-does not bypass read access to system files.

Default: yes

bypass_TCPIP

Allows you to add one or more ports separated by commas for which seos_syscall will not pass events to seosd.

The syntax is bypass_TCPIP=port1[,port2,portx]

Default: Token not set

bypass_xdm_ports

Specifies whether the ports used by xdm (ports 6000-6010) are bypassed for CONNECT. The bypass exists to let xdm function correctly.

If you change the value of this token to no, there will be no bypass for these ports. Make sure that you then provide the required CA ControlMinder rules to replace this bypass. Following is an example of such rules (you cannot use them as is):

nr hostnet all mask (0.0.0.0) match(0.0.0.0)
nr TCP X-Win owner(nobody) defaccess(none)
authorize TCP X_Win hostnet(all) access(r)
authorize TCP X_Win hostnet(all) access(w) uid(root)
authorize TCP X_Win hostnet(all) access(w) gid(mygroup)
nr TCP 6000 owner(nobody) defaccess(none)
authorize TCP 6000 hostnet(all) access(r)
authorize TCP 6000 hostnet(all) access(w) uid(root)
authorize TCP 6000 hostnet(all) access(w) gid(mygroup)

Note: If you set the value of this token to no but do not provide the correct CA ControlMinder rules, xdm stops working. If the value of this token is yes and an outgoing connection is made via ports 6000-6010, the class name in the corresponding audit record is TERMINAL.

Default: yes

cron_program

Improves the check for cron login in seosd.

Set the cron_program token to contain the real path for the system's cron binary.

Default: none

dbdir

Specifies the location of the CA ControlMinder database.

Default: ACInstallDir/seosdb

debug_backup_dir

Specifies the location of the backup debug files.

Default: CA ControlMinder product log directory

debug_backup_num

Defines the number of backup debug files to save.

Values: A positive number

Default: 2

debug_level

Defines the lowest level of debug messages to save. The level of the value set and all levels above are saved.

Values: Disabled (no messages are saved), Critical, Very High, High, Normal, Low

Default: Critical

debug_size

Defines the maximum size in MBs of the debug messages file.

Values: A positive number

Default: 256

debug_zone

Defines which seosd submodules (zones) to produce debug messages for.

Values: -1 (all zones), 1 (SKI), 2 (QP), 4 (RESOLV), 8 (SEOSD), 10 (AUXFALLBACK), 20 (AUTH)

Default: -1

device_file

Specifies whether to scan all devices in /dev.

When the value of this token is set to Yes and the tty is not found in the standard list, CA ControlMinder scans all the devices located in /dev.

(qplib resolves the tty name from the standard devices.)

Note: You can add devices to the list of the tty names.

Default: no

dns_server

Specifies the DNS server name used to change host resolving from the default server to another server.

This token is usually used when the DNS caching option is enabled.

Default: none

domain_names

Specifies a list of domain names that seosd appends to short host names it receives for authorization purposes in order to create a fully qualified name, so that these names can be authorized in the relevant HOST, CONNECT, or TERMINAL classes.

To identify a full name, seosd tries to append domain names in the domain_names list to the short name for authorization purposes.

seosd first looks for a relevant rule in its database, using the short name only. If it does not find a record that matches the short name, it appends each domain name specified in the domain_names token, one by one, until it finds a match.

For example, suppose you assign domain_names the following list:

domain_names= market.com, journey.com, total.com

Here is how seosd handles the matching process when a request from a subscriber called acme, which was not defined as a rule in the database, comes in:

acme (not found in database)
acme.market.com (not found)
acme.journey.com (not found)
acme.total.com (found)

seosd uses the first record that matches (acme.total.com in this example) for authorization purposes.

Default: As defined in /etc/resolv.conf
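The matching walk described above, as an added example that is not CA ControlMinder code: the short name is tried first, then each listed domain is appended in list order, and the first existing record wins. The sample database and the shadowed_candidates audit helper are constructed for this example.

```python
"""Walk the domain_names list the way the text describes: try the short name
first, then short_name + "." + each listed domain, in list order, until a
record exists. Added example, not CA ControlMinder code."""

# Constructed sample database (not a real seosdb): names of HOST/TERMINAL
# records that exist. Only the fully qualified "acme" record is defined.
RULE_DATABASE = {
    "acme.total.com": {"class": "HOST", "defaccess": "read"},
    "gateway": {"class": "HOST", "defaccess": "none"},
}


def parse_domain_names(token_value):
    """Split a seos.ini value such as
    'domain_names= market.com, journey.com, total.com' (with or without the
    'domain_names=' part) into an ordered list. Order is significant: seosd
    uses the first candidate that matches."""
    value = token_value.split("=", 1)[-1]
    return [d.strip() for d in value.split(",") if d.strip()]


def resolve_rule(short_name, domain_names, database=RULE_DATABASE):
    """Return (matching record name or None, list of names tried), following
    the documented order: short name, then each domain appended in turn."""
    tried = []
    for candidate in [short_name] + [f"{short_name}.{d}" for d in domain_names]:
        tried.append(candidate)
        if candidate in database:
            return candidate, tried
    return None, tried


def shadowed_candidates(short_name, domain_names, database=RULE_DATABASE):
    """Audit helper (an assumption for this example, not a seosd feature):
    list every candidate name that has a record. When more than one exists,
    only the first in domain_names order is ever used, so a rule defined in a
    later domain is silently shadowed by one in an earlier domain."""
    candidates = [short_name] + [f"{short_name}.{d}" for d in domain_names]
    return [c for c in candidates if c in database]
```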

EnablePolicyCache

Determines whether a run-time table should be used to store the database values required for authorization. The run-time table is loaded to the memory when seosd starts. This avoids connecting to the database and thus reduces the authorization time.

Valid values are yes and no.

Default: no

enf_register

Determines whether seosd registers to Unicenter NSM Event Notification Facility (ENF).

The valid values include the following:

yes-seosd registers to the ENF.

no-seosd does not register to the ENF.

Default: no

FileCache_auths

If caching is enabled, specifies the number of records in the authorization pool. The maximum number of authorization records that can be cached is 800.

Default: 80

FileCache_CleanInt

Specifies how often to erase the file cache (in minutes).

Default: 60

FileCache_files

If caching is enabled, specifies the number of records in the file pool. The maximum number of file records that can be cached is 200.

Default: 20

FileCache_InitPrio

Specifies the initial priority value of new records in the cache table.

Default: 10

FileCache_PriorInt

If caching is enabled, specifies the frequency of recalculating priorities in the cache table. Each time a new record is saved counts as one.

Default: 1

FileCache_users

If caching is enabled, specifies the number of records in the user pool. The maximum number of user records that can be cached is 500.

Default: 50

get_login_terminal

Determines whether seosd attempts to find the peer address of the login program in an alternative way. This is useful for connections such as ssh.

Valid values include yes and no.

Default: yes

grace_admin

Determines the number of grace logins that are set when an administrator changes users' passwords.

Default: Token not set (1)

GroupidResolution

Determines how CA ControlMinder resolves GID numbers to group names.

Valid values include the following:

system-CA ControlMinder uses a system call to translate gid numbers. This value can be used for stand‑alone, DNS client, and DNS server stations. (See also the resolve_timeout token in this table.)

cache-gid numbers and group names are cached in seosd. This is the fastest and easiest way to do translations but the cache cannot be updated during runtime.

ladb-CA ControlMinder uses a lookaside database to translate gid numbers. The sebuildla utility must be run to recreate the lookaside database each time an update to the relevant transaction table takes place.

For NIS and NIS+ servers, you can use either cache or ladb.

For Sun Solaris 2.5 and above and HP-UX 11.x, you can use either cache or ladb.

For all stations, the value ladb is preferred.

Default: Token not set (system)

HostResolution

Determines how CA ControlMinder resolves IP addresses to host names.

Valid values include the following:

system-CA ControlMinder uses a system call to translate IP addresses. This value can be used for stand‑alone, NIS/NIS+ client, and DNS client stations. (See also the resolve_timeout token in this table.)

cache-Host names and their IP addresses are cached in seosd. This is the fastest and easiest way to do translations but the cache cannot be updated during runtime.

ladb-CA ControlMinder uses a lookaside database to translate IP addresses. The sebuildla utility must be run to recreate the lookaside database each time an update to the relevant transaction table takes place.

For NIS, NIS+, and DNS servers, you can use either cache or ladb; the value ladb is preferred.

Default: Token not set (system)

IsolatedDaemon

Determines whether seosd closes the file descriptors stdin, stdout, and stderr when it becomes a daemon.

Valid values include the following:

yes-seosd closes these file descriptors when it becomes a daemon.

no-seosd does not close these file descriptors when it becomes a daemon.

Default: no

kill_ignore

Specifies whether seosd ignores (denies) the “kill ‑9” command directed toward any one of the three main CA ControlMinder daemons. Valid values include the following:

yes-Ignores the kill command. This is the default value.

no-The kill command terminates seosd.

Default: yes

login_parent_check

Specifies whether the parent process should continue (once a child process has logged in) with the login sequence or abandon the sequence and inherit the login from the child.

Valid values are 0 and 1.

If it is 0, the parent continues with the login sequence.

If it is 1, the parent abandons the login sequence and inherits the login from the child.

Default: Token not set (0)

lookaside_allowdupuid

Determines whether sebuildla registers duplicate UIDs.

Valid values:

yes-register duplicate UIDs

no-in case of duplicate UIDs, register only one UID

Note: Duplicate UIDs may cause inconsistency on UNIX operating systems.

Default: no

lookaside_path

Specifies the directory where the lookaside database is located. Create this directory before running the sebuildla utility.

Note: The lookaside database files are built and updated using the sebuildla utility.

Default: ACInstallDir/ladb

max_loggedin_users

Defines the maximum number of logged-in users.

Note: This value determines the size of one of the internal memory tables. The larger the table, the more memory it consumes.

Limits: 4096-20480

Default: 8192

MultiLoginPgm

Defines the name and full path of a program that performs multiple logins. It is used to detect the correct login sequence for these special login applications.

MultiLoginPgm is the login application name with the full path.

Default: none

network_cache_timeout

Specifies the time interval, in minutes, between network cache-table cleanings, if network cache is used. Use this token to set time limits for the stored accepted incoming TCP requests.

Note: For more information about using the network cache, see the Endpoint Administration Guide for UNIX.

Default: 10

nfs_devices

Specifies the name and path of the file that contains the NFS major device numbers. Specify the full file path.

CA ControlMinder uses this file if it fails to get the program using device and inode number and also fails to get it using its name. The file contains the NFS defaults for major device numbers for every platform. This may vary from system to system. To find the numbers for your system, use a small program with the UNIX getmajor() function. Then, edit the nfsdevs.init file (or the file you named with this token) to contain the numbers you find.

Note: Whenever you mount and remount the NFS system, you should update your nfsdevs.init file. You can also use the first four digits of the device only. These numbers remain unchanged, even when you unmount and remount the system.

Default: ACInstallDir/etc/nfsdevs.init

protect_bin

Specifies whether seosd protects the CA ControlMinder binary files. Specify one of the following values:

yes-seosd protects the CA ControlMinder binary files unless rules that allow such access are defined.

Note: Do not specify yes when the _default access for your FILE records is none because, unless all /opt/CA/AccessControl/bin files have FILE records, inaccessibility of files could make CA ControlMinder unusable.

no-seosd does not protect the CA ControlMinder binary files.

Default: no

resolve_rebind

Specifies whether seosd re‑establishes the connection to the NIS server after a time-out failure.

We strongly recommend that you do not change the default value.

Default: yes

resolve_timeout

Specifies the maximum number of seconds seosd tries to resolve an IP address to a host name, a user ID to a user name, a group ID to a group name, or a service port number to a service name.

The value takes effect in two cases:

When seosd is using system resolution. (See the HostResolution, ServiceResolution, UseridResolution, and GroupidResolution tokens.)

When the under_NIS_server token is set to no.

If the specified time expires without a resolution, seosd assumes that no resolution exists for the specified IP, ID, or port.

If the value is set to 0, there is no time-out.

Default: 5

rt_priority

Determines whether seosd has real-time priority.

Valid values are yes and no.

When this token is set to yes, seosd will have real-time priority.

Default: yes

ServiceResolution

Determines how CA ControlMinder translates TCP port numbers to service names.

Valid values include the following:

system-CA ControlMinder uses a system call to translate TCP port numbers. This value can be used for stand‑alone, NIS/NIS+ client, DNS client, and DNS server stations. (See also the resolve_timeout token in this table.)

cache-Service names and their TCP port numbers are cached in seosd. This is the fastest and easiest way to do translations but the cache cannot be updated during runtime.

ladb-CA ControlMinder uses a lookaside database to translate TCP port numbers. The sebuildla utility must be run to recreate the lookaside database each time an update to the relevant transaction table takes place.

For NIS and NIS+ servers, use either cache or ladb.

Default: system

sim_login_timeout

Defines the timeout (in minutes) before CA ControlMinder removes unused simulated login user entries from the Accessor Element Entry table (ACEE).

CA ControlMinder performs a simulated login to create ACEE entries when it needs access to information that can be found in the ACEE.

Default: 60

special_check

Specifies whether to enable file path checking on kernel module loading. When enabled, CA ControlMinder checks that the kernel module to be loaded matches the filepath property of the KMODULE record (for non-Linux systems), or matches the signature of the KMODULE record (for Linux systems).

Default: no

terminal_default_ignore

Determines whether the defaccess value of the _default TERMINAL and of the specific TERMINAL records are considered when authorizing administrative access.

Valid values are yes and no.

yes-Administrative access ignores the defaccess value of the _default and of any specific TERMINAL records. In this case, administrative access will require an explicit authorization rule for a relevant specific TERMINAL record.

no-Administrative access considers the defaccess value of all relevant TERMINAL records, whether _default or specific.

Default: yes

terminal_search_order

Specifies whether seosd tries to check a TERMINAL defined by name before trying it by its IP address.

Valid values are:

name - TERMINALs will be checked by name before IP address.

ip - TERMINALs will be checked by IP address before name.

Note: TERMINAL class supports generic rules defined by wildcards (IP address or host name pattern match). Generic rules are always checked after specific (full-name) rules. For example, if you set this to ip, seosd looks for a TERMINAL resource in the following order: complete IP address match, complete host name match, IP address pattern match, host name pattern match.

Default: name
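The search order in the note above, as an added example that is not CA ControlMinder code: specific (full-name) records are always tried before generic (wildcard) ones, and within each group the configured order decides whether the host name or the IP address is tried first. The TERMINAL records are constructed sample data; the page does not say how ties between several matching wildcard records are broken, so this example simply takes the first in record order.

```python
"""Lookup order for TERMINAL records under terminal_search_order. Added
example, not CA ControlMinder code."""
from fnmatch import fnmatchcase

# Constructed TERMINAL records (record name -> defaccess). Not a real seosdb.
TERMINAL_RECORDS = {
    "10.0.0.5": "read",
    "build-host.example.com": "write",
    "10.0.0.*": "none",
    "*.example.com": "read",
}


def is_generic(record_name):
    """A record containing shell-style wildcard characters is a generic rule."""
    return any(ch in record_name for ch in "*?[")


def terminal_lookup(ip, hostname, search_order="name", records=TERMINAL_RECORDS):
    """Return the name of the TERMINAL record that is consulted first, or None.

    With search_order="ip" the documented order is: complete IP match,
    complete host name match, IP pattern match, host name pattern match.
    With "name" (the default) the host name is tried before the IP address
    in each phase. If several generic patterns match the same key, this
    example picks the first in record order (unspecified on the page).
    """
    if search_order not in ("name", "ip"):
        raise ValueError("terminal_search_order must be 'name' or 'ip'")
    keys = (hostname, ip) if search_order == "name" else (ip, hostname)
    specific = [r for r in records if not is_generic(r)]
    generic = [r for r in records if is_generic(r)]
    # Phase 1: full-name records, in the configured key order.
    for key in keys:
        if key in specific:
            return key
    # Phase 2: wildcard records, only after every specific record has missed.
    for key in keys:
        for pattern in generic:
            if fnmatchcase(key, pattern):
                return pattern
    return None
```

Note that a specific host-name record beats a matching IP wildcard even with search_order set to ip, which is why a wildcard deny such as 10.0.0.* does not override a full-name allow for a terminal in that range.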

trace_file

Specifies the name of the file to which the trace messages are sent, if trace messages are requested.

Default: ACInstallDir/log/seosd.trace

trace_file_type

Determines whether the trace file is written in binary or text format.

Valid values include the following:

binary-The trace file should be written in binary format. This option reduces the space occupied by this file.

text-The trace file should be written in text format.

The daemon seosd checks the value of this token and compares it to the contents of the trace file. If the token value does not match the format of the trace file, seosd saves the trace file under its name and adds the extension .backup.

Default: text

trace_filter

Specifies the name and path of the file that contains the filter data that is used to filter the trace messages.

Default: ACInstallDir/data/language/etc/trcfilter.init

trace_space_saver

Specifies the amount of free space, in MB, to be left in the file system. When the amount of free space is less than this number, CA ControlMinder disables the trace.

Note: Trace is never automatically re-enabled, even if more space becomes available at a later time.

Default: 512

trace_to

Specifies the destination of trace messages.

Valid values include the following:

file-CA ControlMinder sends the trace messages to the file specified by the trace_file token. To disable tracing, use the secons -t- command. For more information, see the trace_file token in this table.

file,stop-CA ControlMinder generates trace messages during daemon initialization. Once the daemon is initialized, trace messages generation stops.

none-CA ControlMinder does not issue trace messages. This is the normal setting after you install and implement CA ControlMinder.

Note: If the token is set to file or file,stop, the CA ControlMinder trace can be toggled with the secons command with the -t option.

Default: file, stop

UpdSurrogLogin

Specifies whether CA ControlMinder updates the user's last access time on a surrogate login.

Valid values are:

1 - CA ControlMinder updates the user's last access time on a surrogate login.

0 - CA ControlMinder does not update the user's last access time on a surrogate login.

Undef_ForPacl

Determines whether seosd checks an undefined user when there is an asterisk (*) in the accessor's name in a PACL.

Valid values include the following:

1-seosd will not include undefined users with an asterisk in their PACL.

0-seosd will include undefined users with an asterisk in their PACL.

Default: 0

under_NIS_server

Determines whether seosd uses internal name resolution instead of system name resolution.

Valid values include the following:

yes-seosd stores in memory or in a lookaside database (see the use_lookaside token) all user, group, host, and port information during startup.

This is required for NIS, NIS+, and DNS server machines, and for the following operating systems: Sun Solaris 2.5 and above, HP-UX 11.x, IBM AIX 4.3.x, and IRIX 6.5.

Important! Turning this token off could hang the machine if it is an NIS server or runs one of the previously mentioned operating systems.

no-seosd uses system name resolution and the resolve_timeout token takes effect.

Note: This token is automatically assigned a value during installation.

This token remains for purposes of backward compatibility only. If you have a new CA ControlMinder installation or an installation of version 2 or higher, use the tokens HostResolution, ServiceResolution, UseridResolution, and GroupidResolution instead.

Default: Assigned during installation

use_lookaside

Determines whether seosd stores the user, group, host, and port information in a lookaside database or in memory.

Note: This token is used in conjunction with the under_NIS_server token and has no relevance unless the under_NIS_server token is set to yes.

Valid values include the following:

yes-seosd uses the lookaside database for user, group, host, and service details. The lookaside database is built by the sebuildla utility and can be refreshed by it at any time.

The location of the lookaside database is set by the lookaside_path token.

no-seosd caches all user, group, host, and service information during startup so that all translations can be done in memory. We recommend that seosd be restarted daily to refresh the cache.

This token remains for purposes of backward compatibility only. If you have a new CA ControlMinder installation or an installation of version 2 or higher, use the tokens HostResolution, ServiceResolution, UseridResolution, and GroupidResolution instead.

Default: no

use_mapped_user_name

(Valid if both CA ControlMinder and UNAB are installed) Specifies whether seosd uses the user enterprise name in audit records.

Values: yes, no

Default: no

use_nfs_devices

Determines whether to use NFS devices. Valid values are yes and no.

Default: Yes

use_standard_functions

Determines whether sebuildla in an NIS environment will retrieve users by calling the standard system function getpwent or by parsing the output of ypcat passwd and cat /etc/passwd commands.

Valid values are:

yes-use the standard system function getpwent

no-use parsing of the output of ypcat passwd and cat /etc/passwd commands.

Default: yes

use_trusted_script

Specifies whether seosd will use the trusted script mechanism.

When the trusted script mechanism is used, programs called from within a shell script retain the name of the shell script in the internal CA ControlMinder tables.

This means that if a script was used in a PACL, these programs will inherit that privilege. This also means that you cannot protect these programs via CA ControlMinder.

A trusted script begins with #! on the first line.

When the trusted script mechanism is not used, these programs will be registered in the internal CA ControlMinder tables under their own names.

Default: yes

use_unab_db

(Valid if both CA ControlMinder and UNAB are installed) Specifies whether seosd uses the UNAB database to resolve user and group names if the current method is unable to do so. This token works together with the use_lookaside, UseridResolution, and GroupidResolution tokens.

Values: yes, no

Default: no

UseFileCache

Specifies whether to use the cache tool for file records to improve performance.

Default: yes

UseNetworkCache

Determines whether CA ControlMinder caches accepted incoming TCP requests.

Note: For more information about using the network cache, see the Endpoint Administration Guide for UNIX.

Valid values are yes and no.

Default: no

UseridResolution

Specifies how CA ControlMinder translates UID numbers to user names.

Valid values include the following:

system-CA ControlMinder uses a system call to translate uid numbers. This value can be used for stand‑alone, NIS/NIS+ client, DNS client, and DNS server stations.

cache-User names and their uid numbers are cached in seosd. This is the fastest and easiest way to do translations but the cache cannot be updated during runtime.

ladb-CA ControlMinder uses a lookaside database to translate uid numbers. The sebuildla utility must be run to recreate the lookaside database each time an update to the relevant transaction table takes place.

For NIS and NIS+ servers, Sun Solaris 2.5 and above, or HP-UX 11.x operating systems, you must use either cache or ladb.

Default: system

watchdog_refresh

Determines whether seosd refreshes the Watchdog to scan the privileged programs and secured files for each file handle.

Valid values include the following:

yes-seosd refreshes the Watchdog.

no-seosd does not refresh the Watchdog.

Default: no
