access authority
An access authority is a permission owned by an accessor to perform a specified access on a resource.
access control list (ACL)
An access control list (ACL) is a list of accessors together with the accessors' permitted access to a particular resource. An access control list is a property of a resource record. See also ACL, NACL, PACL.
access rule
An access rule is a rule that states whether an accessor has access to a resource. The most common form for an access rule is an entry in an access control list (ACL).
accessor
An accessor is an entity that can access resources. The most common type of accessor is a user or group, for whom access authorities should be assigned and checked. When programs access resources, the owner (a user or group) of the program is the accessor.
accumulative group rights (ACCGRR)
The accumulative group rights option (ACCGRR) affects how CA ControlMinder checks a resource's ACL. If ACCGRR is enabled, CA ControlMinder checks the ACL for the authorities granted from all the groups to which the user belongs. If ACCGRR is disabled, CA ControlMinder checks the ACL to see if any of the applicable entries contain the value none. If so, access is denied. Otherwise CA ControlMinder ignores all group entries except the first applicable one in the access control list.
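The difference between the two ACCGRR settings is easiest to see on a concrete ACL. The following is an added illustrative model written for this glossary, not CA ControlMinder's own code: it evaluates an ordered ACL for a user who belongs to several groups, once with ACCGRR enabled (group grants accumulate) and once with it disabled (any applicable "none" entry denies, otherwise only the first applicable group entry counts). The sample ACL and the handling of an entry that names the user directly are assumptions made for the example.

```python
# Illustrative model of the ACCGRR option as described in the glossary.
# Added example code, not CA ControlMinder's implementation.
from dataclasses import dataclass
from typing import FrozenSet, List, Set

NONE = "none"  # the special ACL value that denies access


@dataclass(frozen=True)
class AclEntry:
    accessor: str            # a user or group name
    access: FrozenSet[str]   # e.g. {"read", "write"}, or {"none"}


@dataclass
class Resource:
    name: str
    acl: List[AclEntry]      # ordered: "first applicable" refers to this order


def applicable_entries(acl: List[AclEntry], user: str, groups: Set[str]) -> List[AclEntry]:
    """Entries that name the user directly or one of the user's groups, in ACL order."""
    return [e for e in acl if e.accessor == user or e.accessor in groups]


def granted_authorities(resource: Resource, user: str, groups: Set[str], accgrr: bool) -> Set[str]:
    """Authorities the ACL grants to `user`, a member of `groups`.

    accgrr=True : authorities from ALL applicable group entries accumulate.
    accgrr=False: if ANY applicable entry contains 'none', nothing is granted;
                  otherwise only the FIRST applicable group entry counts.
    Assumptions not stated in the glossary: an entry naming the user directly
    is honoured in both modes, and in accumulative mode a 'none' entry simply
    contributes no authorities.
    """
    matches = applicable_entries(resource.acl, user, groups)
    user_entries = [e for e in matches if e.accessor == user]
    group_entries = [e for e in matches if e.accessor != user]

    if not accgrr:
        if any(NONE in e.access for e in matches):
            return set()
        group_entries = group_entries[:1]   # later group entries are ignored

    granted: Set[str] = set()
    for entry in user_entries + group_entries:
        granted |= entry.access
    granted.discard(NONE)
    return granted


def check_access(resource: Resource, user: str, groups: Set[str], wanted: str, accgrr: bool) -> bool:
    """True if the ACL grants `wanted` (e.g. "write") under the given ACCGRR setting."""
    return wanted in granted_authorities(resource, user, groups, accgrr)


# Constructed sample: a payroll file whose ACL has three group entries.
PAYROLL = Resource("payroll.dat", [
    AclEntry("hr", frozenset({"read"})),
    AclEntry("finance", frozenset({"read", "write"})),
    AclEntry("contractors", frozenset({NONE})),
])

if __name__ == "__main__":
    for user, groups in (("alice", {"hr", "finance"}), ("bob", {"finance", "contractors"})):
        for accgrr in (True, False):
            print(user, "ACCGRR on " if accgrr else "ACCGRR off",
                  sorted(granted_authorities(PAYROLL, user, groups, accgrr)))
```

With ACCGRR enabled alice (hr and finance) gets read and write; with it disabled only the first applicable group entry, hr, counts, so she gets read only. bob is also in contractors, whose entry is "none": with ACCGRR disabled he is denied outright, with it enabled the finance entry still grants him access under the assumption stated above.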
ACL
1. The ACL property of a resource is an access control list that defines the accessors that are granted authorization to the resource, together with the type of access that they are granted (for example, read). 2. An abbreviation for access control list.
ACROOT
ACROOT is the unique identifier CA ControlMinder management utilities (such as selang) use to map to the root Windows registry key under which CA ControlMinder stores its configuration settings. See CA ControlMinder Windows registry entries.
active
An active class is one for which CA ControlMinder checks authorization whenever there is an access attempt on a resource in that class. If the class is inactive, access is permitted without any CA ControlMinder checks. You can manually set the state of a resource class to be active or inactive.
audit event
An audit event is an event for which the kernel cache has enough information to process for auditing purposes; it is also known as a cached intercepted event. An audit event is the result of an interception event being cached.
Audit Only mode
Audit Only mode records all intercepted events without checking or enforcing access rules.
CA Business Intelligence
CA Business Intelligence is a set of reporting and analytic software that is used by a variety of CA products for the purposes of presenting information and supporting business decisions. Included in CA Business Intelligence is [assign the value for boe in your book], a complete suite of performance management, information management, reporting, and query and analysis tools.
cainstrm
cainstrm is an instrumentation registry key that CA ControlMinder maintains to control cainstrm.dll behavior settings (the settings apply to all loaded plug-ins). The cainstrm key is located under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Instrumentation
CALACL
The CALACL property of a resource is an access control list that defines the accessors that are granted authorization to a resource, together with the type of access granted (for example, write) according to the accessors' status in the Unicenter TNG calendar. See also ACL, NACL, PACL.
central database
A central database is a Relational Database Management System (RDBMS) that holds information for CA ControlMinder Enterprise Management functionality, including reporting. You can use various tools to interrogate the data stored in the database about your CA ControlMinder implementation.
certificate
In the context of public key infrastructure cryptography, a digital certificate is an electronic document that states that the name (subject) on the certificate is bound to the public key in the certificate. A certificate is signed with a digital signature from a Certificate Authority or from the certificate subject itself (a self-signed certificate).
Certificate Authority (CA)
In public key infrastructure, a Certificate Authority (CA) is an organization that adds its signature to a digital certificate for another organization to use. The "other organization" is the subject of the certificate.
class
In CA ControlMinder, the class of a record defines the properties that the record can have. All records in a class have the same properties, though different values for these properties.
concurrent logins
Concurrent logins are multiple sessions initiated by the same user onto a system from more than one terminal at the same time.
cron expression
A cron expression is a series of fields separated by white space that define a schedule. cron expressions are frequently used in UNIX cron jobs.
deveng
deveng is a registry entry that specifies whether interception hooking is disabled (the relevant functions are not initialized at boot time). deveng has the following parameters:
deveng is located under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
enterprise group
An enterprise group is a group that is defined in one of the enterprise user stores of the operating system, for example, a group defined in /etc/group on UNIX, or in Active Directory on Windows.
enterprise user
An enterprise user is a user that is defined in one of the enterprise user stores of the operating system, for example, a user defined in /etc/passwd in UNIX, or in Active Directory in Windows.
enterprise user store
An enterprise user store is a store in the operating system that stores users or groups, for example, /etc/passwd and /etc/groups on UNIX systems, or Active Directory on Windows.
FIPS
FIPS 140-2 (Security Requirements for Cryptographic Modules) is a USA government accreditation program for cryptographic modules in software, for organizations that deal with sensitive, but not classified, information. Validation is coordinated by the National Institute of Standards and Technology (NIST).
Full Enforcement mode
Full Enforcement mode is the normal operation mode for CA ControlMinder. In this mode, CA ControlMinder intercepts events and enforces the access rules written to the database.
group
A group is a collection of users. A group defines common access rules for users in the group. Groups can be nested (belong to other groups). CA ControlMinder can use group information from the CA ControlMinder database and from the enterprise user stores.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA is a United States federal law that protects health insurance coverage when workers change or lose their jobs. HIPAA also addresses the security and privacy of health data.
Interception Event
An interception event is an event that CA ControlMinder encounters for the first time and for which no authorization information or audit information exists in the kernel cache.
internal user
An internal user is a CA ControlMinder user that is defined in its own database—contrast with an enterprise user.
kernel module
A kernel module is a component of the UNIX operating system that you can load to extend the running kernel, and unload when no longer required. This adds flexibility, letting you load functionality as required, without wasting memory resources that would otherwise be required to cover all possible expected functionality in the base kernel.
logical host group
A logical host group is a group resource (of class GHNODE) whose members are endpoints (HNODE objects). You use logical host groups to represent a grouping of one or more hosts that were created for policy management purposes.
logical user
A logical user is a user with the LOGICAL attribute applied to their record, or a surrogate who runs a trusted program (SPECIALPGM resource). A logical user cannot log in and is used for internal CA ControlMinder purposes only.
NACL
The NACL property of a resource is an access control list that defines the accessors that are denied authorization to a resource, together with the type of access that they are denied (for example, write). See also ACL, CALACL, PACL.
No Interception mode
No Interception mode disables CA ControlMinder event interception. In this mode, CA ControlMinder does not intercept events or enforce access rules.
PACL
The PACL property of a resource is an access control list. Each entry in the list specifies an accessor, the type of access to the resource that the accessor is allowed, and the name of the program that the accessor needs to use when accessing the resource. The program name can include wildcard characters. See also ACL, CALACL, NACL.
Password consumers
Password consumers are application servers, databases and Windows services that obtain privileged account passwords using the SAM integration to execute a script, connect to a database or manage a Windows service. Password consumers use both privileged accounts and service accounts to run programs and services.
Password policy
A password policy for privileged accounts is a set of rules and restrictions that determine permissible privileged account passwords. Password policies also determine the interval at which CA ControlMinder Enterprise Management automatically creates a new password for the account.
PCI DSS (Payment Card Industry Data Security Standards)
PCI DSS is an industry standard that was developed by the major credit card companies to help prevent security issues including fraud and hacking. Companies who accept, capture, store, transmit, or process credit and debit card data must comply with PCI DSS.
PKI
See Public Key Infrastructure.
PMDB
See Policy Model database.
PMDROOT@<pmd_name>
PMDROOT@<pmd_name> is the unique identifier CA ControlMinder management utilities (such as selang) use to map to the root Windows registry key under which CA ControlMinder stores configuration settings for the pmd_name Policy Model. This key is: HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\PMD\pmd_name
Policy Model database (PMDB)
A policy model database (PMDB) is a stand-alone CA ControlMinder database, which contains the same types of rules as a CA ControlMinder database associated with a specific host system. When rules are applied to the master PMDB, these rules are propagated to all of the subscribed databases that were defined for the master.
Privileged accounts
Privileged accounts are accounts that are not assigned to individual users and have access to mission critical data and processes. System administrators use privileged accounts to perform administrative tasks on target endpoints, and privileged accounts are also embedded in service files, scripts, and configuration files to facilitate unattended processing.
profile group
A profile group is a group defined in the CA ControlMinder database that contains default values for user properties. When you assign a user to a profile group, the profile group provides those values to the user unless they have already been set for the user.
program pathing
Program pathing is an access rule associated with a file that requires that the file is accessed only through a specific program. Program pathing greatly increases the security of sensitive files. CA ControlMinder lets you use program pathing to provide additional protection for the files in your system.
property
A property of a record corresponds to the name of a field in that record in the database.
public key
A public key is one of a pair of asymmetric cryptography keys. Either key in a pair of keys can encrypt text, in which case the other key decrypts the text. The owner of a pair of keys keeps one private (the private key) and publishes the other (the public key).
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is the technology and set of procedures that uses public keys and certificates issued by trusted certificate authorities to provide secure authentication between computers.
record
In CA ControlMinder, a record is a CA ControlMinder database record. It consists of a name and a number of properties and belongs to a class, which determines how CA ControlMinder uses it. A record is either a resource or an accessor.
Report Agent
A Report Agent is a Windows service or a UNIX daemon that runs on each CA ControlMinder or UNAB endpoint and sends information to queues on a configured Message Queue that resides on the Distribution Server.
Report Portal
A Report Portal is an application server that serves CA ControlMinder reports. The server uses BusinessObjects InfoView portal to let you interact with the reporting information that is stored on the central database.
resource
A resource is an entity that can be accessed by an accessor and protected by an access rule, or the CA ControlMinder database record that corresponds to that entity. Examples of resources are files, programs, hosts, and terminals.
resource group
A resource group is a resource that contains a list of other resources. A resource group is a member of one of the following classes: CONTAINER, GFILE, GSUDO, GTERMINAL, or GHOST.
ruler
A ruler is a list of properties to be displayed. Each class has one ruler. If a ruler is defined for a class, when you request a list of property values for a record (for example with a selang show command), by default CA ControlMinder only shows the properties defined in the ruler.
security category
A security category is the name of a record in the CATEGORY class. You can assign a security category to accessors and to resources. An accessor can access a resource only if the accessor is assigned to all of the security categories assigned to the resource.
security identifier (SID)
A security identifier (SID) is a numeric value that identifies a user or group to the operating system. Each entry in the discretionary access control list (DACL) has an SID that identifies the user or group for whom access is allowed, denied, or audited.
security label
A security label is the name of a record in the SECLABEL class. A security label bundles together a security level and a set of security categories. Assigning a security label to an accessor or a resource gives the accessor or resource the combined security level and security categories associated with the security label. A security label overrides any specific security level and category assignments in an accessor or resource.
security level
A security level is an integer between 0 and 255 that you can assign to accessors and resources. An accessor cannot access a resource if the accessor has a security level less than the security level assigned to the resource, even if the user is granted access authority in the resource's access control list.
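The security category, security label and security level entries above together describe a mandatory check that sits alongside the ACL: the accessor's level must be at least the resource's level, the accessor must hold every category the resource carries, and a label replaces any direct level or category assignment. The following is an added example that models those three rules; it is not CA ControlMinder code, and the SECLABEL, accessor and resource values are constructed for illustration.

```python
# Illustrative model of the security level, security category and security
# label rules as described in the glossary. Added example, not product code.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SecLabel:
    """A SECLABEL record: one security level plus a set of security categories."""
    name: str
    level: int
    categories: FrozenSet[str]


@dataclass
class Protected:
    """Level/category assignments of either an accessor or a resource."""
    name: str
    level: int = 0
    categories: FrozenSet[str] = frozenset()
    label: Optional[SecLabel] = None

    def __post_init__(self) -> None:
        lvl = self.effective_level()
        if not 0 <= lvl <= 255:            # levels are integers between 0 and 255
            raise ValueError(f"{self.name}: security level {lvl} outside 0..255")

    def effective_level(self) -> int:
        # A security label overrides any specific level assignment.
        return self.label.level if self.label else self.level

    def effective_categories(self) -> FrozenSet[str]:
        # A security label overrides any specific category assignment.
        return self.label.categories if self.label else self.categories


def mandatory_check(accessor: Protected, resource: Protected) -> Tuple[bool, str]:
    """Return (allowed, reason). Both rules must pass, and neither is overridden
    by an ACL grant: an accessor whose level is below the resource's is refused
    even if the resource's ACL grants the access."""
    if accessor.effective_level() < resource.effective_level():
        return False, (f"level {accessor.effective_level()} < "
                       f"resource level {resource.effective_level()}")
    missing = resource.effective_categories() - accessor.effective_categories()
    if missing:
        return False, "missing categories: " + ", ".join(sorted(missing))
    return True, "level and categories satisfied"


# Constructed sample data.
PAYROLL_LABEL = SecLabel("PAYROLL_SECRET", 200, frozenset({"PAYROLL", "PII"}))
PAYROLL_FILE = Protected("payroll.dat", label=PAYROLL_LABEL)

ALICE = Protected("alice", level=250, categories=frozenset({"PAYROLL", "PII"}))
BOB = Protected("bob", level=100, categories=frozenset({"PAYROLL", "PII"}))    # level too low
CAROL = Protected("carol", level=255, categories=frozenset({"PAYROLL"}))        # lacks PII
# dave's direct assignments are weak, but his label overrides them
DAVE = Protected("dave", level=10, categories=frozenset(), label=PAYROLL_LABEL)

if __name__ == "__main__":
    for accessor in (ALICE, BOB, CAROL, DAVE):
        print(accessor.name, mandatory_check(accessor, PAYROLL_FILE))
```

The check is deliberately evaluated before any ACL lookup, mirroring the glossary's statement that a level shortfall blocks access even when the ACL grants it; an ACL model such as the one under "accumulative group rights" would only be consulted once mandatory_check returns True.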
SEOSDRV
SEOSDRV is the unique identifier CA ControlMinder management utilities (such as selang) use to map to the root Windows driver registry key.
Service accounts
Service accounts are internal accounts used by Windows services. These services provide core operating system and other functionality to the computer.
SHA-1
SHA-1 is a FIPS approved, cryptographic hash function, which produces a 160-bit output. It is used by SSL/TLS, and by CA ControlMinder on Windows for password encryption.
signature
In public key infrastructure, a digital signature is a block of encrypted text associated with a message and with the signer. The signatory creates the signature using their private key and the message. Given the public key of the signatory, a reader can verify that the signatory did indeed sign the message and that the message has not changed after it was signed. Most commonly, the message is a certificate.
SOX (Sarbanes-Oxley Act)
SOX is a United States federal law that stipulates standards for financial reporting. It applies to the boards and management of all U.S. public companies.
SSL
SSL is a protocol that provides secure communications between programs connected by TCP/IP. SSL stands for Secure Sockets Layer. The term SSL is usually used to include TLS, and TLS is sometimes referred to as SSL 3.1.
surrogate
A surrogate is an accessor that performs an action on behalf of somebody else. Typically, the surrogate needs to have an access authority that the original user does not possess.
user
A user is a person who can log on, or can be the owner of a batch or daemon program. In CA ControlMinder, every access attempt is performed by a user. CA ControlMinder can use user information from the CA ControlMinder database and from enterprise user stores. It stores user information in its database, in either a USER record or an XUSER record.
virtual configuration file
A virtual configuration file contains the configuration values for a Policy Model's subscribers.
Warning mode
Warning Mode is a property that you can apply to a resource, and an option that you can apply to a class. If Warning mode is applied to a resource or a class and an access violates an access rule, CA ControlMinder writes an audit log entry with the return code W, but permits the access to the resource. If a class is in Warning mode, all the resources in that class are in Warning mode.
wildcard characters
CA ControlMinder recognizes wildcard characters for some names. Where it does so, the wildcards it recognizes are * and ?. The * character represents any number of any characters, including no characters; the ? character represents one instance of any character.
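Two of the entries above, PACL and wildcard characters, describe the same small matching problem: a pattern that contains only * (any run of characters, including none) and ? (exactly one character), with every other character taken literally, is compared against a name such as the program through which a file is accessed. The following added example, not the product's own matcher, translates such a pattern into an anchored regular expression and then uses it to evaluate PACL-style entries; the sample PACL and program paths are constructed for illustration.

```python
# Added example: matching names against CA ControlMinder-style wildcards
# (* and ? only) and applying the matcher to PACL program-name entries.
# Illustrative code, not the product's own matcher.
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set


def wildcard_to_regex(pattern: str):
    """Translate a pattern that uses only * and ? into an anchored regex.
    Every other character is literal, so '.', '[', '(' and similar are escaped
    rather than being interpreted as regex syntax."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")       # any number of characters, including none
        elif ch == "?":
            parts.append(".")        # exactly one character of any kind
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def wildcard_match(pattern: str, name: str) -> bool:
    """True if the whole of `name` matches `pattern` (case-sensitive)."""
    return wildcard_to_regex(pattern).match(name) is not None


@dataclass(frozen=True)
class PaclEntry:
    accessor: str            # user or group name
    access: FrozenSet[str]   # access types granted, e.g. {"read", "write"}
    program: str             # program name the accessor must use; may contain * and ?


def pacl_allows(pacl: List[PaclEntry], user: str, groups: Set[str],
                program: str, wanted: str) -> bool:
    """True if some PACL entry names the user or one of the user's groups,
    grants `wanted`, and has a program pattern matching the accessing program."""
    for entry in pacl:
        names_accessor = entry.accessor == user or entry.accessor in groups
        if names_accessor and wanted in entry.access and wildcard_match(entry.program, program):
            return True
    return False


# Constructed sample: DBAs may write the datafile, but only through the Oracle tools;
# operators may read it, but only with /usr/bin/cat.
DATAFILE_PACL = [
    PaclEntry("dba", frozenset({"read", "write"}), "/opt/oracle/bin/*"),
    PaclEntry("ops", frozenset({"read"}), "/usr/bin/cat"),
]

if __name__ == "__main__":
    for user, groups, program, wanted in (
        ("alice", {"dba"}, "/opt/oracle/bin/sqlplus", "write"),
        ("alice", {"dba"}, "/usr/bin/vi", "write"),
        ("bob", {"ops"}, "/usr/bin/cat", "read"),
        ("bob", {"ops"}, "/usr/bin/cat", "write"),
    ):
        print(user, program, wanted, pacl_allows(DATAFILE_PACL, user, groups, program, wanted))
```

Escaping the literal characters matters: a pattern such as a.b must match only the name a.b, not axb, which a naive conversion to a regex would also accept.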
Windows registry entries
The Windows registry entries for CA ControlMinder control CA ControlMinder behavior and functionality on a Windows host. CA ControlMinder creates its registry entries under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl.
Windows service
A Windows service is a program that runs in the background on Windows, and is the Windows equivalent to a daemon on UNIX.
Copyright © 2013 CA Technologies.
All rights reserved.