eTrust Access Control

File Access

| Mode | Abbreviation | Meaning |
|---|---|---|
| READ | R | List file contents |
| WRITE | W | Write to existing file |
| EXECUTE | X | Execute file |
| UPDATE | U (R,W) | Open (read and write) |
| CHOWN | O | Change file owner |
| CHMOD | M | Change file mode |
| RENAME | V | Rename file |
| DELETE | D | Delete file |
| UTIME | T | Touch/utime, change timestamp |
| SEC | S | Change OS file ACLs (acledit) |
| CREATE | CRE | Create file |
PROGRAM, SUDO, GSUDO, APPL, GAPPL

| Mode | Abbreviation | Meaning |
|---|---|---|
| EXECUTE | X | Execute program |
ADMIN

| Mode | Abbreviation | Meaning |
|---|---|---|
| READ | R | List class attributes |
| MODIFY | M | Modify class |
| CREATE | C | Create new class object |
| DELETE | D | Delete class object |
| JOIN | J | Join user to class |
| PASSWORD | P | Grant password ability to user or group |
TERMINAL

| Mode | Abbreviation | Meaning |
|---|---|---|
| READ | R | Login from terminal source |
| WRITE | W | Administer Access Control from login source |
TCP

| Mode | Abbreviation | Meaning |
|---|---|---|
| READ | R | Read |
| WRITE | W | Write |
Other resources

| Mode | Abbreviation | Meaning |
|---|---|---|
| READ | R | Access allowed |
Password Quality Control

| Name | Default | Meaning |
|---|---|---|
| Alpha | 1 | Number of alphabetic characters |
| Alpha numeric | 1 | Number of alphanumeric characters |
| Grace logins | 6 | Allowed logins after password expires |
| History | 0 | Number of passwords retained for checking |
| Interval | 40 | Password lifetime in days |
| Password min life | 0 | Number of days before the password may be changed |
| Length | 5 | Minimum password length |
| Lower | 1 | Number of lowercase letters |
| Max rep | 2 | Maximum number of repeated characters |
| Numeric | 1 | Number of digits required in password |
| Special | 1 | Number of special characters |
| Upper | 1 | Number of uppercase characters |
| Old PW check | Yes | Check against current password |
| Name check | Yes | Check for user name |
| Inactive days | 0 | Inactive login days before password expires |
Password Quality Control is only active if the PASSWORD class is active:

    selang> setopt class+(PASSWORD)

To change a password option, use the following syntax:

    selang> setopt class(password(parameter(setting) ...))

For example: setopt class(password(special(3)))

The sepass command is used to change passwords and should be linked over the native password command. The segrace command must be included in the user login to validate grace logins.
selang commands

| Command (abbreviation) | Description |
|---|---|
| alias | Define/display a pseudonym |
| allow | Set user/group's permissions to an SSO application |
| allow- | Remove user/group's permissions to an SSO application |
| authorize (auth) | Set user/group's permissions to a resource |
| authorize- (auth-) | Remove user/group's permissions to a resource |
| chappl (ca) | Change the definition of an SSO application |
| chfile (cf) | Change a file profile in the Access Control database |
| chgrp (cg) | Change group attributes |
| chlogin (cl) | Change a user's login record in the Access Control database |
| chres (cr) | Change resource attributes |
| chusr (cu) | Change user attributes |
| editappl (ea) | Acts as newappl if the application does not exist, as chappl if it does |
| editfile (ef) | Acts as newfile if the file does not exist, as chfile if it does |
| editgrp (eg) | Acts as newgrp if the group does not exist, as chgrp if it does |
| editlogin (el) | Acts as newlogin if the user does not exist, as chlogin if it does |
| editres (er) | Acts as newres if the resource does not exist, as chres if it does |
| editusr (eu) | Acts as newusr if the user does not exist, as chusr if it does |
| environment | Change the target environment |
| find (f) | Show a listing of profiles in a class |
| help [topic] | Show help [concerning topic] |
| history | Show command history information |
| hosts [(hosts-listing)] | Show/set list of target hosts/PMDBs |
| join (j) | Join a user to a group |
| join- (j-) | Remove a user from a group |
| newappl (na) | Add an SSO application definition |
| newfile (nf) | Add a file profile to the Access Control database |
| newgrp (ng) | Add a new group to the Access Control database |
| newlogin (nl) | Add a new login information record for a user |
| newres (nr) | Add a new resource to the Access Control database |
| newusr (nu) | Add a new user to the Access Control database |
| rmappl (ra) | Remove an SSO application definition |
| rmfile (rf) | Remove a file profile from the Access Control database |
| rmgrp (rg) | Remove a group from the Access Control database |
| rmlogin (rl) | Remove a user's login record from the Access Control database |
| rmres (rr) | Remove a resource from the Access Control database |
| rmusr (ru) | Remove a user from the Access Control database |
| ruler | Select properties to display in a query |
| setoptions (so) | Set/show Access Control database options |
| showappl (sa) | List an SSO application |
| showfile (sf) | List a file from the Access Control database |
| showgrp (sg) | List a group from the Access Control database |
| showres (sr) | List a resource |
| showusr (su) | List a user from the Access Control database |
| source | Read commands from a file |
| unalias | Remove a pseudonym defined by alias |
/usr/seos/bin

| Binary | Description |
|---|---|
| S68SEOS | Access Control interception module loader, used only on Solaris |
| SEOSHelp | Internal Access Control help utility |
| SEOS_load | Access Control interception module loader, not used on Solaris |
| SEOS_syscall | Access Control interception module, loaded by S68SEOS/SEOS_load |
| UxImport | Extract UNIX environment into the Access Control environment |
| dbdump | Access Control local database dump utility |
| dbutil | Access Control database maintenance utility |
| issec | Display security daemons status |
| rdbdump | Access Control runtime database dump utility |
| se_loadtest | Test if the Access Control extension is loaded |
| seagent | Access Control agent daemon |
| seam | Access Control administration GUI |
| seaudit | CLI audit utility |
| seauditx | GUI audit utility |
| sebuildla | Creates a lookaside database |
| sechkey | Changes the encryption key for various programs |
| seclassadm | Access Control class administration utility |
| secmon | GUI audit collection and display utility |
| secompas | Compare Access Control and UNIX passwords |
| secons | Access Control console |
| seconvert | Convert configuration files |
| secredb | Create an empty Access Control database |
| secrepsw | Create the password file used with a password PMDB |
| sedb2scr | Dump database to script |
| sedlang | CLI administration tool |
| seerr | Display error code translation |
| seerrlog | Display Access Control error log |
| segrace | Displays the number of remaining grace logins |
| segracex | X-Windows application for replacing expired passwords |
| seini | Manage tokens in the seos.ini file |
| selang | CLI administration tool |
| selangx | GUI administration tool |
| seload | Load Access Control kernel extensions and run Access Control daemons |
| selock | X-Windows screen-saver and locker |
| selockcom | selock controller |
| selogo | Internal Access Control utility to display the Access Control logo |
| selogrcd | Access Control log routing collector daemon |
| selogrd | Access Control log routing emitter daemon |
| semigrate | Database utility for user information |
| semsgtool | Maintains the Access Control message file |
| senable | Enables users disabled by Access Control |
| seone | Executes a command as a non-Access Control user process |
| seosd | Access Control server daemon |
| seoswd | Access Control watchdog daemon |
| sepass | Password replacement command |
| sepmd | Policy Model Database management utility |
| sepmdadm | Policy Model administration utility |
| sepropadm | Administers Access Control database properties |
| sepurgdb | Access Control database purger |
| seretrust | Restore trusted program data |
| serevu | Access Control revoke users utility |
| sesu | Surrogate utility |
| sesudo | Super user DO command |
| setrans | Access Control internal translation utility |
| setransLang | Access Control internal translation utility |
| seuidpgm | Extracts setuid/setgid programs from the file system |
| seusrperms | Display defined resource access for a user |
| seversion | Display version of Access Control binary(ies) |
| sewhoami | Displays the user name as known to Access Control |
| winsetup | OpenWindows configuration script |
| winsetupx | X-Windows configuration script |
/usr/seos/lbin

| File | Description |
|---|---|
| sepmdd | Policy Model Database daemon |
| base_isetup.sh | Used with the installation program for interactive set-up |
| copy_seosini.sh | Used with the installation program to copy the seos.ini file |
| getvar.sh | Used with the installation program to retrieve O/S information |
| install_exits.sh | Used to install pre/post user exits |
| remove_exits.sh | Used to remove pre/post user exits |
| sedbpchk.sh | Runtime database backup and integrity checker |
| show_for_install.sh | Used with install_exits.sh to display user exits |
| show_for_remove.sh | Used with remove_exits.sh to display user exits |
| subsconfig.sh | Used with sepmdadm to set up a Policy Model subscriber |
| seinitfiles.sh | Used with the installation program to create initialisation files |
| serevu_new.sh | Used to create a new serevu configuration file |
Initialisation Files

/usr/seos

| File | Description |
|---|---|
| seos.ini | seos initialisation file |

/usr/seos/etc

| File | Description |
|---|---|
| loginpgms.init | Programs that allow user ID changes to be recognised by Access Control |
| privprogrms.init | Programs that run unrestricted by Access Control |
| xdm.init | Xdm programs |
| nfsdevs.init | Major NFS device numbers for NFS-mounted file systems |
| tracefilter.init | Trace file filtering |
| GAC.init | Global Access Check for generic files |
Other notes:

- Rule scripts: /home/seosroot/rules
- Target doc: Target/target team/seos
- To run rule scripts:

      selang -f <filename> -o ../../output/<app>[L1|L2]

  and then change the owner:

      chown seosroot:csadmin <filename>

- Dump of the seos database:

      sedb2scr -r giutgtl1.dmp

- Procedure to work with VCS: log in as user, then

      su -
      VcsMenu

- In case of failover, reboot the standby (clear memory + seos)