In the [seosd] section, the tokens determine the behavior of the authorization daemon and the cache utility for performance improvement.
Specifies the level of automatic program bypass.
disabled — auto-bypass is disabled
info — save bypass information in run-time table
bypass — save information and enable auto-bypass until next restart.
Default: bypass
Example: autobypass_level = bypass
Specifies a file that contains a list of file names to be exempted from seos events.
Example: bypass_filenames = /opt/CA/AccessControl/bin/bypass_filenames
Default: Token not set
Specifies whether the port used by NFS (port 2049) is bypassed for CONNECT. The bypass exists to let NFS function correctly.
If you change the value of this token to no, there will be no bypass for this port. Make sure that you then provide the required CA ControlMinder rules to replace this bypass. Following is an example of such rules (you cannot use them as is):
nr hostnet all mask (0.0.0.0) match(0.0.0.0)
nr TCP 2049 owner(nobody) defaccess(none)
authorize TCP 2049 hostnet(all) access(w) uid(root)
nr TCP nfsd owner(nobody) defaccess(none)
authorize TCP nfsd hostnet(all) access(w) uid(root)
Note: If you set the value of this token to no but do not provide the correct CA ControlMinder rules, NFS stops working.
Default: yes
Defines a comma-separated list of ports for which seos_syscall will not pass outgoing connection events to seosd.
Default: Token not set
Specifies the path of the login program for which the dummy SUID system calls should be ignored.
This is used for login programs, such as Samba, that generate a large number of dummy SUID system calls. These system calls may interfere with the correct recognition of the user who is logging in.
Default: none
Allows multiple su commands. On some platforms, the system's su binary works in a nonstandard way: When an su command to a non-root user is requested, it executes su to root prior to executing su to the requested user.
If CA ControlMinder surrogate protection is set for the root user, it may prevent the successful execution of an su to non-root users as well.
To use the surrogate protection for the root user on such platforms and still to be able to su to non-root users without interruption, set the bypass_suid_program token to contain the real path for the system's su binary.
Default: none
Determines whether the CA ControlMinder authorization engine should bypass read access for the /etc/passwd and /etc/group system files.
Valid values are:
yes-bypasses read access to system files.
no-does not bypass read access to system files.
Default: yes
Allows you to add one or more ports separated by commas for which seos_syscall will not pass events to seosd.
The syntax is bypass_TCPIP=port1[,port2,portx]
Default: Token not set
Specifies whether the ports used by xdm (ports 6000-6010) are bypassed for CONNECT. The bypass exists to let xdm function correctly.
If you change the value of this token to no, there will be no bypass for these ports. Make sure that you then provide the required CA ControlMinder rules to replace this bypass. Following is an example of such rules (you cannot use them as is):
nr hostnet all mask (0.0.0.0) match(0.0.0.0)
nr TCP X_Win owner(nobody) defaccess(none)
authorize TCP X_Win hostnet(all) access(r)
authorize TCP X_Win hostnet(all) access(w) uid(root)
authorize TCP X_Win hostnet(all) access(w) gid(mygroup)
nr TCP 6000 owner(nobody) defaccess(none)
authorize TCP 6000 hostnet(all) access(r)
authorize TCP 6000 hostnet(all) access(w) uid(root)
authorize TCP 6000 hostnet(all) access(w) gid(mygroup)
Note: If you set the value of this token to no but do not provide the correct CA ControlMinder rules, xdm stops working. If the value of this token is yes and an outgoing connection is made via ports 6000-6010, the class name in the corresponding audit record is TERMINAL.
Default: yes
Improves the check for cron login in seosd.
Set the cron_program token to contain the real path for the system's cron binary.
Default: none
Specifies the location of the CA ControlMinder database.
Default: ACInstallDir/seosdb
Specifies the location of the backup debug files.
Default: CA ControlMinder product log directory
Defines the number of backup debug files to save.
Values: A positive number
Default: 2
Defines the lowest level of debug messages to save. Messages at the specified level and all levels above it are saved.
Values: Disabled (no messages are saved), Critical, Very High, High, Normal, Low
Default: Critical
Defines the maximum size in MBs of the debug messages file.
Values: A positive number
Default: 256
Defines which seosd submodules (zones) to produce debug messages for.
Values: -1 (all zones), 1 (SKI), 2 (QP), 4 (RESOLV), 8 (SEOSD), 10 (AUXFALLBACK), 20 (AUTH)
Default: -1
Specifies whether to scan all devices in /dev.
When the value of this token is set to Yes and the tty is not found in the standard list, CA ControlMinder scans all the devices located in /dev.
(qplib resolves the tty name from the standard devices.)
Note: You can add devices to the list of the tty names.
Default: no
Specifies the DNS server name used to change host resolving from the default server to another server.
This token is usually used when the DNS caching option is enabled.
Default: none
Specifies a list of domain names that seosd appends to short host names it receives for authorization purposes in order to create a fully qualified name, so that these names can be authorized in the relevant HOST, CONNECT, or TERMINAL classes.
To identify a full name, seosd tries to append domain names in the domain_names list to the short name for authorization purposes.
seosd first looks for a relevant rule in its database, using the short name only. If it does not find a record that matches the short name, it appends each domain name specified in the domain_names token, one by one, until it finds a match.
For example, suppose you assign domain_names the following list:
domain_names= market.com, journey.com, total.com
Here is how seosd handles the matching process when a request comes in from a subscriber called acme, for which no rule was defined in the database:
acme (not found in database)
acme.market.com (not found)
acme.journey.com (not found)
acme.total.com (found)
seosd uses the first record that matches (acme.total.com in this example) for authorization purposes.
Default: As defined in /etc/resolv.conf
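The lookup order described above, simulated in Python as an added example (not CA code). RULE_DATABASE is a constructed stand-in for the HOST/CONNECT/TERMINAL records in seosdb; the function records every name tried so the trace matches the acme walkthrough.

```python
"""Simulate seosd's domain_names matching order (added example, not CA code).

seosd first looks up the short host name exactly as received. If no record
matches, it appends each suffix from the domain_names token, in order, and
stops at the first record that exists in the database.
"""
from __future__ import annotations

# Constructed stand-in for the host records defined in seosdb.
RULE_DATABASE = {
    "acme.total.com",
    "billing",            # a rule defined by its short name only
    "db1.journey.com",
}


def parse_domain_names(token_line: str) -> list[str]:
    """Parse a seos.ini line such as 'domain_names= market.com, journey.com, total.com'."""
    _, _, value = token_line.partition("=")
    return [d.strip() for d in value.split(",") if d.strip()]


def resolve_host_rule(
    short_name: str, domain_names: list[str], database: set[str]
) -> tuple[str | None, list[str]]:
    """Return (first matching record or None, the names tried in order)."""
    tried: list[str] = []
    # Short name first, then short name + each domain suffix in token order.
    candidates = [short_name] + [f"{short_name}.{d}" for d in domain_names]
    for name in candidates:
        tried.append(name)
        if name in database:
            return name, tried
    return None, tried


def describe_lookup(short_name: str, domain_names: list[str], database: set[str]) -> list[str]:
    """Render the lookup as the one-line-per-attempt trace used in the walkthrough."""
    match, tried = resolve_host_rule(short_name, domain_names, database)
    lines = [f"{name} (not found)" for name in tried]
    if match is not None:
        lines[-1] = f"{match} (found)"
    return lines


if __name__ == "__main__":
    domains = parse_domain_names("domain_names= market.com, journey.com, total.com")
    print("\n".join(describe_lookup("acme", domains, RULE_DATABASE)))
```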
Determines whether a run-time table should be used to store the database values required for authorization. The run-time table is loaded to the memory when seosd starts. This avoids connecting to the database and thus reduces the authorization time.
Valid values are yes and no.
Default: no
Determines whether seosd registers to Unicenter NSM Event Notification Facility (ENF).
The valid values include the following:
yes-seosd registers to the ENF.
no-seosd does not register to the ENF.
Default: no
If caching is enabled, specifies the number of records in the authorization pool. The maximum number of authorization records that can be cached is 800.
Default: 80
Specifies how often to erase the file cache (in minutes).
Default: 60
If caching is enabled, specifies the number of records in the file pool. The maximum number of file records that can be cached is 200.
Default: 20
Specifies the initial priority value of new records in the cache table.
Default: 10
If caching is enabled, specifies the frequency of recalculating priorities in the cache table. Each time a new record is saved counts as one.
Default: 1
If caching is enabled, specifies the number of records in the user pool. The maximum number of user records that can be cached is 500.
Default: 50
Determines whether seosd attempts to find the peer address of the login program in an alternative way. This is useful for connections such as ssh.
Valid values include yes and no.
Default: yes
Determines the number of grace logins that are set when an administrator changes users' passwords.
Default: Token not set (1)
Determines how CA ControlMinder resolves GID numbers to group names.
Valid values include the following:
system-CA ControlMinder uses a system call to translate gid numbers. This value can be used for stand‑alone, DNS client, and DNS server stations. (See also the resolve_timeout token in this table.)
cache-gid numbers and group names are cached in seosd. This is the fastest and easiest way to do translations but the cache cannot be updated during runtime.
ladb-CA ControlMinder uses a lookaside database to translate gid numbers. The sebuildla utility must be run to recreate the lookaside database each time an update to the relevant transaction table takes place.
For NIS, and NIS+ servers, you can use either cache or ladb.
For Sun Solaris 2.5 and above and HP-UX 11.x, you can use either cache or ladb.
For all stations, the value ladb is preferred.
Default: Token not set (system)
Determines how CA ControlMinder resolves IP addresses to host names.
Valid values include the following:
system-CA ControlMinder uses a system call to translate IP addresses. This value can be used for stand‑alone, NIS/NIS+ client, and DNS client stations. (See also the resolve_timeout token in this table.)
cache-Host names and their IP addresses are cached in seosd. This is the fastest and easiest way to do translations but the cache cannot be updated during runtime.
ladb-CA ControlMinder uses a lookaside database to translate IP addresses. The sebuildla utility must be run to recreate the lookaside database each time an update to the relevant transaction table takes place.
For NIS, NIS+, and DNS servers, you can use either cache or ladb; the value ladb is preferred.
Default: Token not set (system)
Determines whether seosd closes the file descriptors stdin, stdout, and stderr when it becomes a daemon.
Valid values include the following:
yes-seosd closes these file descriptors when it becomes a daemon.
no-seosd does not close these file descriptors when it becomes a daemon.
Default: no
Specifies whether seosd ignores (denies) the “kill ‑9” command directed toward any one of the three main CA ControlMinder daemons. Valid values include the following:
yes-Ignores the kill command. This is the default value.
no-The kill command terminates seosd.
Default: yes
Specifies whether the parent process should continue (once a child process has logged in) with the login sequence or abandon the sequence and inherit the login from the child.
Valid values are 0 and 1.
If it is 0, the parent continues with the login sequence.
If it is 1, the parent abandons the login sequence and inherits the login from the child.
Default: Token not set (0)
Determines whether sebuildla registers duplicate UIDs.
Valid values:
yes-register duplicate UIDs
no-in case of duplicate UIDs, register only one UID
Note: Duplicate UIDs may cause inconsistency on UNIX.
Default: no
Specifies the directory where the lookaside database is located. Create this directory before running the sebuildla utility.
Note: The lookaside database files are built and updated using the sebuildla utility.
Default: ACInstallDir/ladb
Defines the maximum number of logged in users.
Note: This value determines the size of one of the internal memory tables. The larger the table, the more memory it consumes.
Limits: 4096-20480
Default: 8192
Defines the name and full path of a program that performs multiple logins. It is used to detect the correct login sequence for these special login applications.
MultiLoginPgm is the login application name with the full path.
Default: none
Specifies the time interval, in minutes, between network cache-table cleanings, if network cache is used. Use this token to set time limits for the stored accepted incoming TCP requests.
Note: For more information about using the network cache, see the Endpoint Administration Guide for UNIX.
Default: 10
Specifies the name and path of the file that contains the NFS major device numbers. Specify the full file path.
CA ControlMinder uses this file if it fails to get the program using device and inode number and also fails to get it using its name. The file contains the NFS defaults for major device numbers for every platform. This may vary from system to system. To find the numbers for your system, use a small program with the UNIX getmajor() function. Then, edit the nfsdevs.init file (or the file you named with this token) to contain the numbers you find.
Note: Whenever you mount and remount the NFS system, you should update your nfsdevs.init file. You can also use the first four digits of the device only. These numbers remain unchanged, even when you unmount and remount the system.
Default: ACInstallDir/etc/nfsdevs.init
Specifies whether seosd protects the CA ControlMinder binary files. Specify one of the following values:
yes-seosd protects the CA ControlMinder binary files unless rules that allow such access are defined.
Note: Do not specify yes when the _default access for your FILE records is none because, unless all /opt/CA/AccessControl/bin files have FILE records, inaccessibility of files could make CA ControlMinder unusable.
no-seosd does not protect the CA ControlMinder binary files.
Default: no
Specifies if seosd re‑establishes the connection to the NIS server after a time-out failure.
We strongly recommend that you do not change the default value.
Default: yes
Specifies the maximum number of seconds seosd tries to resolve an IP address to a host name, a user ID to a user name, a group ID to a group name, or a service port number to a service name.
The value takes effect in two cases:
When seosd is using system resolution. (See the HostResolution, ServiceResolution, UseridResolution, and GroupidResolution tokens.)
When the under_NIS_server token is set to no.
If the specified time expires without a resolution, seosd assumes that no resolution exists for the specified IP, ID, or port.
If the value is set to 0, there is no time-out.
Default: 5
Determines whether seosd has real-time priority.
Valid values are yes and no.
When this token is set to yes, seosd will have real-time priority.
Default: yes
Determines how CA ControlMinder translates TCP port numbers to service names.
Valid values include the following:
system-CA ControlMinder uses a system call to translate TCP port numbers. This value can be used for stand‑alone, NIS/NIS+ client, DNS client, and DNS server stations. (See also the resolve_timeout token in this table.)
cache-Service names and their TCP port numbers are cached in seosd. This is the fastest and easiest way to do translations but the cache cannot be updated during runtime.
ladb-CA ControlMinder uses a lookaside database to translate TCP port numbers. The sebuildla utility must be run to recreate the lookaside database each time an update to the relevant transaction table takes place.
For NIS, and NIS+ servers, use either cache or ladb.
Default: system
Defines the timeout (in minutes) before CA ControlMinder removes unused simulated login user entries from the Accessor Element Entry table (ACEE).
CA ControlMinder performs a simulated login to create ACEE entries when it needs access to information that can be found in the ACEE.
Default: 60
Specifies whether to enable file path checking on kernel module loading. When enabled, CA ControlMinder checks that the kernel module to be loaded matches the filepath property of the KMODULE record (for non-Linux systems), or matches the signature of the KMODULE record (for Linux systems).
Default: no
Determines whether the defaccess value of the _default TERMINAL and of the specific TERMINAL records are considered when authorizing administrative access.
Valid values are yes and no.
yes-Administrative access ignores the defaccess value of the _default and of any specific TERMINAL records. In this case, administrative access will require an explicit authorization rule for a relevant specific TERMINAL record.
no-Administrative access considers the defaccess value of all relevant TERMINAL records, whether _default or specific.
Default: yes
Specifies whether seosd tries to check a TERMINAL defined by name before trying it by its IP address.
Valid values are:
name - TERMINALs will be checked by name before IP address.
ip - TERMINALs will be checked by IP address before name.
Note: TERMINAL class supports generic rules defined by wildcards (IP address or host name pattern match). Generic rules are always checked after specific (full-name) rules. For example, if you set this to ip, seosd looks for a TERMINAL resource in the following order: complete IP address match, complete host name match, IP address pattern match, host name pattern match.
Default: name
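The four-stage lookup order from the note above, simulated in Python as an added example (not CA code). The page spells out the order for ip; the order used here for name is its mirror image, which is an assumption, and TERMINAL_RECORDS is a constructed stand-in for the TERMINAL records in seosdb.

```python
"""Simulate the TERMINAL lookup order chosen by the name/ip search-order token.

Added example, not CA code. Specific (full-name) rules are always checked
before generic (wildcard) rules; the token only decides whether the IP
address or the host name is tried first within each stage.
"""
from __future__ import annotations

import fnmatch

# Constructed stand-in for TERMINAL records (resource name -> description).
TERMINAL_RECORDS = {
    "10.0.0.7": "specific IP record",
    "ws7.corp.example": "specific host-name record",
    "10.0.0.*": "generic IP pattern",
    "*.corp.example": "generic host-name pattern",
}


def is_generic(resource: str) -> bool:
    """A TERMINAL rule containing wildcard characters is a generic (pattern) rule."""
    return any(ch in resource for ch in "*?[")


def lookup_sequence(order: str, ip: str, host: str) -> list[tuple[str, bool]]:
    """Return (value to match, is_pattern_stage) pairs in the order seosd tries them.

    order='ip'   -> exact IP, exact host, IP pattern, host pattern (as documented)
    order='name' -> exact host, exact IP, host pattern, IP pattern (assumed mirror)
    """
    if order not in ("ip", "name"):
        raise ValueError(f"unknown search order {order!r}; valid values are 'name' and 'ip'")
    first, second = (ip, host) if order == "ip" else (host, ip)
    return [(first, False), (second, False), (first, True), (second, True)]


def find_terminal_rule(order: str, ip: str, host: str, records: dict[str, str]) -> str | None:
    """Return the TERMINAL resource seosd would select, or None if no rule matches."""
    for value, pattern_stage in lookup_sequence(order, ip, host):
        for resource in records:
            if is_generic(resource) != pattern_stage:
                continue  # wrong stage: specific rules before generic ones
            if not pattern_stage and resource == value:
                return resource
            if pattern_stage and fnmatch.fnmatchcase(value, resource):
                return resource
    return None


if __name__ == "__main__":
    for order in ("name", "ip"):
        print(order, "->", find_terminal_rule(order, "10.0.0.7", "ws7.corp.example", TERMINAL_RECORDS))
```

When several generic records match the same terminal, the page does not state which wins; the simulation returns the first one in record order.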
Specifies the name of the file to which the trace messages are sent, if trace messages are requested.
Default: ACInstallDir/log/seosd.trace
Determines whether the trace file is written in binary or text format.
Valid values include the following:
binary-The trace file should be written in binary format. This option reduces the space occupied by this file.
text-The trace file should be written in text format.
The daemon seosd checks the value of this token and compares it to the contents of the trace file. If the token value does not match the format of the trace file, seosd saves the trace file under its name and adds the extension .backup.
Default: text
Specifies the name and path of the file that contains the filter data that is used to filter the trace messages.
Default: ACInstallDir/data/language/etc/trcfilter.init
Specifies the amount of free space, in MB, to be left in the file system. When the amount of free space is less than this number, CA ControlMinder disables the trace.
Note: Trace is never automatically enabled, even if more space becomes available at a later time.
Default: 512
Specifies the destination of trace messages.
Valid values include the following:
file-CA ControlMinder sends the trace messages to the file specified by the trace_file token. To disable tracing, use the secons -t- command. For more information, see the trace_file token in this table.
file,stop-CA ControlMinder generates trace messages during daemon initialization. Once the daemon is initialized, trace messages generation stops.
none-CA ControlMinder does not issue trace messages. This is the normal setting after you install and implement CA ControlMinder.
Note: If the token is set to file or file,stop, the CA ControlMinder trace can be toggled with the secons command with the -t option.
Default: file,stop
Specifies whether CA ControlMinder updates the user's last access time on a surrogate login.
Valid values are:
1 - CA ControlMinder updates the user's last access time on a surrogate login.
0 - CA ControlMinder does not update the user's last access time on a surrogate login
Determines whether seosd checks an undefined user when there is an asterisk (*) in the accessor's name in a PACL.
Valid values include the following:
1-seosd will not include undefined users with an asterisk in their PACL.
0-seosd will include undefined users with an asterisk in their PACL.
Default: 0
Determines whether seosd uses internal name resolution instead of system name resolution.
Valid values include the following:
yes-seosd stores in memory or in a lookaside database (see the use_lookaside token) all user, group, host, and port information during startup.
This is required for NIS, NIS+, and DNS server machines, and for the following operating systems: Sun Solaris 2.5 and above, HP-UX 11.x, IBM AIX 4.3.x, and IRIX 6.5.
Important! Turning this token off could hang the machine if it is an NIS server or one of the previously-mentioned operating systems.
no-seosd uses system name resolution and the resolve_timeout token takes effect.
Note: This token is automatically assigned a value during installation.
This token remains for purposes of backward compatibility only. If you have a new CA ControlMinder installation or an installation of version 2 or higher, use the tokens HostResolution, ServiceResolution, UseridResolution, and GroupidResolution instead.
Default: Assigned during installation
Determines whether seosd stores the user, group, host, and port information in a lookaside database or in memory.
Note: This token is used in conjunction with the under_NIS_server token and has no relevance unless the under_NIS_server token is set to yes.
Valid values include the following:
yes-seosd uses the lookaside database for user, group, host, and service details. The lookaside database is built by the sebuildla utility and can be refreshed by it at any time.
The location of the lookaside database is set by the lookaside_path token.
no-seosd caches all user, group, host, and service information during startup so that all translations can be done in memory. We recommend that seosd be restarted daily to refresh the cache.
This token remains for purposes of backward compatibility only. If you have a new CA ControlMinder installation or an installation of version 2 or higher, use the tokens HostResolution, ServiceResolution, UseridResolution, and GroupidResolution instead.
Default: no
(Valid if both CA ControlMinder and UNAB are installed) Specifies whether seosd uses the user enterprise name in audit records.
Values: yes, no
Default: no
Determines whether to use NFS devices. Valid values are yes or no.
Default: yes
Determines whether sebuildla in an NIS environment will retrieve users by calling the standard system function getpwent or by parsing the output of ypcat passwd and cat /etc/passwd commands.
Valid values are:
yes-use the standard system function getpwent
no-use parsing of the output of ypcat passwd and cat /etc/passwd commands.
Default: yes
Specifies whether seosd will use the trusted script mechanism.
When the trusted script mechanism is used, programs called from within a shell script retain the name of the shell script in the internal CA ControlMinder tables.
This means that if a script was used in a PACL, these programs will inherit that privilege. This also means that you cannot protect these programs via CA ControlMinder.
A trusted script begins with #! on the first line.
When the trusted script mechanism is not used, these programs will be registered in the internal CA ControlMinder tables under their own names.
Default: yes
(Valid if both CA ControlMinder and UNAB are installed) Specifies whether seosd uses the UNAB database to resolve user and group names if the current method is unable to do so. This token works together with the use_lookaside, UseridResolution, and GroupidResolution tokens.
Values: yes, no
Default: no
Specifies whether to use the cache tool for file records to improve performance.
Default: yes
Determines whether CA ControlMinder caches accepted incoming TCP requests.
Note: For more information about using the network cache, see the Endpoint Administration Guide for UNIX.
Valid values are yes and no.
Default: no
Specifies how CA ControlMinder translates UID numbers to user names.
Valid values include the following:
system-CA ControlMinder uses a system call to translate uid numbers. This value can be used for stand‑alone, NIS/NIS+ client, DNS client, and DNS server stations.
cache-User names and their uid numbers are cached in seosd. This is the fastest and easiest way to do translations but the cache cannot be updated during runtime.
ladb-CA ControlMinder uses a lookaside database to translate uid numbers. The sebuildla utility must be run to recreate the lookaside database each time an update to the relevant transaction table takes place.
For NIS and NIS+ servers, Sun Solaris 2.5 and above, or HP-UX 11.x operating systems, you must use either cache or ladb.
Default: system
Determines whether seosd refreshes the Watchdog to scan the privileged programs and secured files for each file handle.
Valid values include the following:
yes-seosd refreshes the Watchdog.
no-seosd does not refresh the Watchdog.
Default: no
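A consistency check over the [seosd] tokens whose valid values this reference spells out (autobypass_level, bypass_TCPIP, the four *Resolution tokens, resolve_timeout, under_NIS_server and use_lookaside), added here as an example and not part of CA ControlMinder. SAMPLE_SEOS_INI is a constructed fragment with deliberate mistakes; the 1-65535 port range is an assumption, since the page gives only the port1[,port2,portx] syntax.

```python
"""Lint the [seosd] section of a seos.ini against the documented valid values.

Added example, not CA code. Token names and allowed values are the ones the
reference lists; the port range check (1-65535) is an assumption.
"""
from __future__ import annotations

import configparser

RESOLUTION_VALUES = {"system", "cache", "ladb"}
ENUM_TOKENS = {
    "autobypass_level": {"disabled", "info", "bypass"},
    "HostResolution": RESOLUTION_VALUES,
    "ServiceResolution": RESOLUTION_VALUES,
    "UseridResolution": RESOLUTION_VALUES,
    "GroupidResolution": RESOLUTION_VALUES,
    "under_NIS_server": {"yes", "no"},
    "use_lookaside": {"yes", "no"},
}

# Constructed seos.ini fragment with deliberate mistakes.
SAMPLE_SEOS_INI = """\
[seosd]
autobypass_level = bypas
bypass_TCPIP = 8080,99999,abc
HostResolution = ladb
resolve_timeout = -1
use_lookaside = yes
under_NIS_server = no
trace_file = /opt/CA/AccessControl/log/seosd.trace
"""


def check_seosd_section(ini_text: str) -> list[str]:
    """Return one finding per documented-value violation found in [seosd]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep token case: HostResolution, bypass_TCPIP, ...
    cp.read_string(ini_text)
    if "seosd" not in cp:
        return ["no [seosd] section found"]
    sec = cp["seosd"]
    findings: list[str] = []

    for token, allowed in ENUM_TOKENS.items():
        if token in sec and sec[token].strip() not in allowed:
            findings.append(f"{token}={sec[token].strip()!r}: expected one of {sorted(allowed)}")

    if "bypass_TCPIP" in sec:
        # Documented syntax: bypass_TCPIP=port1[,port2,portx]
        for part in sec["bypass_TCPIP"].split(","):
            part = part.strip()
            if not part.isdigit() or not 1 <= int(part) <= 65535:
                findings.append(f"bypass_TCPIP: {part!r} is not a valid port (syntax port1[,port2,portx])")

    if "resolve_timeout" in sec:
        value = sec["resolve_timeout"].strip()
        if not value.isdigit():  # whole seconds; 0 means no time-out
            findings.append(f"resolve_timeout={value!r}: must be a whole number of seconds (0 = no time-out)")

    # use_lookaside has no relevance unless under_NIS_server is yes.
    if sec.get("use_lookaside", "").strip() == "yes" and sec.get("under_NIS_server", "").strip() != "yes":
        findings.append("use_lookaside=yes has no effect unless under_NIS_server=yes")
    return findings


if __name__ == "__main__":
    for finding in check_seosd_section(SAMPLE_SEOS_INI):
        print(finding)
```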
Copyright © 2013 CA Technologies.
All rights reserved.