eTrust Access Control

Access modes
Password Configurable Options
Command Listing
Access Control Command Descriptions

Access Control Resource ACCESS MODES

File Access

Mode      Abbrev     Meaning
READ      R          List file contents
WRITE     W          Write to an existing file
EXECUTE   X          Execute the file
UPDATE    U (R,W)    Open the file for update (implies READ and WRITE)
CHOWN     O          Change the file owner
CHMOD     M          Change the file mode
RENAME    V          Rename the file
DELETE    D          Delete the file
UTIME     T          touch/utime, change the file timestamps
SEC       S          Change the OS file ACLs (acledit)
CREATE    CRE        Create the file

PROGRAM, SUDO, GSUDO, APPL, GAPPL

Mode      Abbrev     Meaning
EXECUTE   X          Execute the program

ADMIN

Mode      Abbrev     Meaning
READ      R          List class attributes
MODIFY    M          Modify the class
CREATE    C          Create a new object in the class
DELETE    D          Delete an object from the class
JOIN      J          Join a user to the class
PASSWORD  P          Grant password-setting ability to a user or group

TERMINAL

Mode      Abbrev     Meaning
READ      R          Log in from the terminal (login source)
WRITE     W          Administer Access Control from the terminal (login source)

TCP

Mode      Abbrev     Meaning
READ      R          Read
WRITE     W          Write

Other resources

Mode      Abbrev     Meaning
READ      R          Access allowed

Password Configurable Options

Name               Default   Meaning
Alpha              1         Minimum number of alphabetic characters
Alpha numeric      1         Minimum number of alphanumeric characters
Gracelogins        6         Logins allowed after the password expires
History            0         Number of previous passwords retained for reuse checking
Interval           40        Password lifetime in days
Password min life  0         Minimum number of days before the password may be changed again
Length             5         Minimum password length
Lower              1         Minimum number of lowercase letters
Max rep            2         Maximum number of repeated characters
Numeric            1         Minimum number of digits
Special            1         Minimum number of special characters
Upper              1         Minimum number of uppercase letters
Old PW check       Yes       Reject a new password equal to the current one
Name check         Yes       Reject a password containing the user name
Inactive days      0         Days without a login before the password expires

Password quality control is only active if the PASSWORD class is active:

Selang> setopt class+(PASSWORD)

To change a password option use the following syntax:

Selang> setopt class(password(<parameter>(<setting>) ...))

e.g. setopt class(password(special(3)))

The sepass command is used to change passwords and should be linked over the native passwd command.

The segrace command must be included in the user login sequence so that grace logins are validated.
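The following is an added example, not code from the page or from eTrust Access Control: an offline model of the PASSWORD-class quality options in the table above, with the table's defaults, so that the effect of a setopt change (such as special(3)) can be tried against candidate passwords before it is applied. The option names and defaults come from the table; how each rule is evaluated is an assumption of this model (Max rep is taken to limit a run of identical consecutive characters, a special character is any non-alphanumeric non-space character, and the history list is assumed most-recent-first). The lifetime options (Interval, Gracelogins, Password min life, Inactive days) are enforced at login time, not when a password is set, and are not modelled.

```python
"""Model of the PASSWORD-class quality options (added example, assumptions noted)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PasswordRules:
    """Quality rules with the defaults from the options table."""
    alpha: int = 1          # minimum alphabetic characters
    alpha_numeric: int = 1  # minimum alphanumeric characters
    length: int = 5         # minimum length
    lower: int = 1          # minimum lowercase letters
    upper: int = 1          # minimum uppercase letters
    numeric: int = 1        # minimum digits
    special: int = 1        # minimum special characters
    max_rep: int = 2        # longest allowed run of one repeated character (assumption)
    history: int = 0        # previous passwords that may not be reused (0 = off)
    old_pw_check: bool = True
    name_check: bool = True


# Option names as written in the table (matched case-insensitively) -> rule fields.
_OPTION_FIELDS = {
    "alpha": "alpha", "alpha numeric": "alpha_numeric", "length": "length",
    "lower": "lower", "upper": "upper", "numeric": "numeric", "special": "special",
    "max rep": "max_rep", "history": "history",
    "old pw check": "old_pw_check", "name check": "name_check",
}


def apply_option(rules, name, value):
    """Return a copy of `rules` with one table option changed, e.g. ("Special", 3)."""
    field_name = _OPTION_FIELDS[name.strip().lower()]
    if isinstance(getattr(rules, field_name), bool):
        value = str(value).strip().lower() in ("yes", "1", "true")
    else:
        value = int(value)
    return replace(rules, **{field_name: value})


def _longest_run(text):
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(new, user, rules=PasswordRules(), current=None, history=()):
    """Return the names of the violated options (an empty list means accepted)."""
    errors = []
    if len(new) < rules.length:
        errors.append("length")
    alpha = sum(c.isalpha() for c in new)
    digits = sum(c.isdigit() for c in new)
    lower = sum(c.islower() for c in new)
    upper = sum(c.isupper() for c in new)
    special = sum((not c.isalnum()) and (not c.isspace()) for c in new)
    for name, have, need in (
        ("alpha", alpha, rules.alpha),
        ("alpha numeric", alpha + digits, rules.alpha_numeric),
        ("lower", lower, rules.lower),
        ("upper", upper, rules.upper),
        ("numeric", digits, rules.numeric),
        ("special", special, rules.special),
    ):
        if have < need:
            errors.append(name)
    if _longest_run(new) > rules.max_rep:
        errors.append("max rep")
    if rules.old_pw_check and current is not None and new == current:
        errors.append("old PW check")
    if rules.name_check and user and user.lower() in new.lower():
        errors.append("name check")
    # history is assumed to be ordered most-recent-first; only `rules.history` entries count
    if rules.history and new in list(history)[: rules.history]:
        errors.append("history")
    return errors


if __name__ == "__main__":
    # Constructed sample candidates: the first fails several defaults, the second passes.
    for candidate in ("bob123", "Abc1!"):
        print(candidate, check_password(candidate, "bob") or "accepted")
```

With the defaults, a password only five characters long is accepted as long as it mixes the four character classes; raising Length or Special with setopt and re-running the checker shows which existing candidates would start to fail.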

Full Access Control Command Listing

Command (alias)          Description
alias                    Define/display a pseudonym
allow                    Set a user's/group's permissions to an SSO application
allow-                   Remove a user's/group's permissions to an SSO application
authorize (auth)         Set a user's/group's permissions to a resource
authorize- (auth-)       Remove a user's/group's permissions to a resource
chappl (ca)              Change the definition of an SSO application
chfile (cf)              Change a file profile in the Access Control database
chgrp (cg)               Change group attributes
chlogin (cl)             Change a user's login record in the Access Control database
chres (cr)               Change resource attributes
chusr (cu)               Change user attributes
editappl (ea)            Acts as newappl if the application does not exist, as chappl if it does
editfile (ef)            Acts as newfile if the file profile does not exist, as chfile if it does
editgrp (eg)             Acts as newgrp if the group does not exist, as chgrp if it does
editlogin (el)           Acts as newlogin if the login record does not exist, as chlogin if it does
editres (er)             Acts as newres if the resource does not exist, as chres if it does
editusr (eu)             Acts as newusr if the user does not exist, as chusr if it does
environment              Change the target environment
find (f)                 Show a listing of profiles in a class
help [topic]             Show help [on topic]
history                  Show command history information
hosts [(hosts-listing)]  Show/set the list of target hosts/PMDBs
join (j)                 Join a user to a group
join- (j-)               Remove a user from a group
newappl (na)             Add an SSO application definition
newfile (nf)             Add a file profile to the Access Control database
newgrp (ng)              Add a new group to the Access Control database
newlogin (nl)            Add a new login information record for a user
newres (nr)              Add a new resource to the Access Control database
newusr (nu)              Add a new user to the Access Control database
rmappl (ra)              Remove an SSO application definition
rmfile (rf)              Remove a file profile from the Access Control database
rmgrp (rg)               Remove a group from the Access Control database
rmlogin (rl)             Remove a user's login record from the Access Control database
rmres (rr)               Remove a resource from the Access Control database
rmusr (ru)               Remove a user from the Access Control database
ruler                    Select the properties to display in a query
setoptions (so)          Set/show Access Control database options
showappl (sa)            List an SSO application
showfile (sf)            List a file profile from the Access Control database
showgrp (sg)             List a group from the Access Control database
showres (sr)             List a resource
showusr (su)             List a user from the Access Control database
source                   Read commands from a file
unalias                  Remove a pseudonym defined by alias

Access Control Command Descriptions

/usr/seos/bin

Command        Description
S68SEOS        Access Control interception module loader, used only on Solaris
SEOSHelp       Internal Access Control help utility
SEOS_load      Access Control interception module loader, not used on Solaris
SEOS_syscall   Access Control interception module, loaded by S68SEOS / SEOS_load
UxImport       Extract the UNIX environment into the Access Control environment
dbdump         Access Control local database dump utility
dbutil         Access Control database maintenance utility
issec          Display the status of the security daemons
rdbdump        Access Control runtime database dump utility
se_loadtest    Test whether the Access Control extension is loaded
seagent        Access Control agent daemon
seam           Access Control administration GUI
seaudit        CLI audit utility
seauditx       GUI audit utility
sebuildla      Create a lookaside database
sechkey        Change the encryption key used by various programs
seclassadm     Access Control class administration utility
secmon         GUI audit collection and display utility
secompas       Compare the Access Control and UNIX passwords
secons         Access Control console
seconvert      Convert configuration files
secredb        Create an empty Access Control database
secrepsw       Create the password file used with a password PMDB
sedb2scr       Dump the database to a script
sedlang        CLI administration tool
seerr          Display error code translation
seerrlog       Display the Access Control error log
segrace        Display the number of remaining grace logins
segracex       X Window application for replacing expired passwords
seini          Manage tokens in the seos.ini file
selang         CLI administration tool
selangx        GUI administration tool
seload         Load the Access Control kernel extensions and run the Access Control daemons
selock         X Window screen saver and locker
selockcom      selock controller
selogo         Internal Access Control utility to display the Access Control logo
selogrcd       Access Control log routing collector daemon
selogrd        Access Control log routing emitter daemon
semigrate      Database utility for user information
semsgtool      Maintain the Access Control message file
senable        Enable users disabled by Access Control
seone          Execute a command as a non-Access Control user process
seosd          Access Control server daemon
seoswd         Access Control watchdog daemon
sepass         Password replacement command
sepmd          Policy Model database management utility
sepmdadm       Policy Model administration utility
sepropadm      Administer Access Control database properties
sepurgdb       Access Control database purger
seretrust      Restore trusted program data
serevu         Access Control revoke users
sesu           Surrogate utility
sesudo         Super-user DO command
setrans        Access Control internal translation utility
setranslang    Access Control internal translation utility
seuidpgm       Extract setuid/setgid programs from the file system
seusrperms     Display the defined resource access for a user
seversion      Display the version of Access Control binary(ies)
sewhoami       Display the user name as known to Access Control
winsetup       OpenWindows configuration script
winsetupx      X Window configuration script

/usr/seos/lbin

Command              Description
sepmdd               Policy Model database daemon
base_isetup.sh       Used by the installation program for interactive set-up
copy_seosini.sh      Used by the installation program to copy the seos.ini file
getvar.sh            Used by the installation program to retrieve O/S information
install_exits.sh     Used to install pre/post user exits
remove_exits.sh      Used to remove pre/post user exits
sedbpchk.sh          Runtime database backup and integrity checker
show_for_install.sh  Used with install_exits.sh to display user exits
show_for_remove.sh   Used with remove_exits.sh to display user exits
subsconfig.sh        Used with sepmdadm to set up a Policy Model subscriber
seinitfiles.sh       Used by the installation program to create initialisation files
serevu_new.sh        Used to create a new serevu configuration file

Initialisation Files

/usr/seos

File              Description
seos.ini          Seos initialisation file

/usr/seos/etc

File              Description
loginpgms.init    Programs that allow user ID changes to be recognised by Access Control
privpgms.init     Programs that run unrestricted by Access Control
xdm.init          xdm programs
nfsdevs.init      Major NFS device numbers for NFS-mounted file systems
tracefilter.init  Trace file filtering
GAC.init          Global Access Check for generic files

 

Other notes:

Rule scripts: /home/seosroot/rules

Target doc: Target/target team/seos

To run a rule script:

selang -f <filename> -o ../../output/<app>[L1|L2]

and then change the owner:

chown seosroot:csadmin <filename>
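An added wrapper for the two-step procedure above (run the rule script with selang, then chown); this is example code, not a script from the page or from the product. Its assumptions: the RULES_DIR, OUTPUT_DIR, OWNER and SELANG defaults and the DRY_RUN switch are this script's own; the page does not say which file is chown'ed, so the wrapper chowns the selang output file; and the group/world-writable check on the rule file is an added precaution, since a rule script applied with seosroot's authority should not be editable by anyone else.

```sh
#!/bin/sh
# apply_rules: run an Access Control rule script and fix the owner of its output.
# Added example; defaults and DRY_RUN are assumptions, not product behaviour.

RULES_DIR=${RULES_DIR:-/home/seosroot/rules}
OUTPUT_DIR=${OUTPUT_DIR:-$RULES_DIR/../../output}   # the page's ../../output, relative to the rules dir
OWNER=${OWNER:-seosroot:csadmin}
SELANG=${SELANG:-/usr/seos/bin/selang}
DRY_RUN=${DRY_RUN:-0}                                # 1 = print the commands instead of running them

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_rules <rulefile> <app> <L1|L2>
# Runs: selang -f <rulefile> -o <OUTPUT_DIR>/<app><level>, then chown <OWNER> on the output.
apply_rules() {
    rulefile=$1 app=$2 level=$3
    case "$level" in
        L1|L2) ;;
        *) echo "apply_rules: level must be L1 or L2, got '$level'" >&2; return 2 ;;
    esac
    case "$app" in
        ''|*/*) echo "apply_rules: app must be a plain name, got '$app'" >&2; return 2 ;;
    esac
    if [ "$DRY_RUN" != 1 ]; then
        [ -r "$rulefile" ] || { echo "apply_rules: cannot read $rulefile" >&2; return 2; }
        # The rule script is applied with seosroot's authority: refuse one that
        # anybody other than its owner could have edited (added precaution).
        if [ -n "$(find "$rulefile" -perm -o+w -o -perm -g+w 2>/dev/null)" ]; then
            echo "apply_rules: $rulefile is group/world writable, refusing" >&2
            return 2
        fi
    fi
    out="$OUTPUT_DIR/${app}${level}"
    run_cmd "$SELANG" -f "$rulefile" -o "$out" || { echo "apply_rules: selang failed" >&2; return 1; }
    run_cmd chown "$OWNER" "$out"
}
```

Usage: apply_rules /home/seosroot/rules/myapp.sel myapp L1; set DRY_RUN=1 first to see the exact selang and chown commands without touching the database.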

 

Dump of the seos database:

sedb2scr -r giutgtl1.dmp

Procedure to work with VCS:

Log in as the user, then:

su -
VcsMenu

In case of failover, reboot the standby node (clears memory and seos).