Endpoint Administration Guide For UNIX


CA ControlMinder Endpoint Administration Guide for UNIX 12.8

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright 2013 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Third-Party Notices

CONTAINS IBM(R) 32-bit Runtime Environment for AIX(TM), Java(TM) 2 Technology Edition, Version 1.4 Modules
(c) Copyright IBM Corporation 1999, 2002
All Rights Reserved

Sample Scripts and Sample SDK Code

The Sample Scripts and Sample SDK code included with the CA ControlMinder product are provided "as is", for informational purposes only. Adjust them to your specific environment and do not use them in production without running tests and validations. CA Technologies does not provide support for these samples and cannot be responsible for any errors that these scripts may cause.

CA Technologies Product References

This document references the following CA Technologies products:
  CA ControlMinder
  CA Single Sign-On (CA SSO)
  CA Top Secret
  CA ACF2
  CA Audit
  CA Network and Systems Management (CA NSM, formerly Unicenter NSM and Unicenter TNG)
  CA Software Delivery (formerly Unicenter Software Delivery)
  CA Service Desk (formerly Unicenter Service Desk)
  User Activity Reporting (formerly CA Enterprise Log Manager)
  CA Identity Manager

Documentation Conventions

The CA ControlMinder documentation uses the following conventions:

  Format                 Meaning
  Mono-spaced font       Code or program output
  Italic                 Emphasis or a new term
  Bold                   Text that you must type exactly as shown
  A forward slash (/)    Platform independent directory separator used to describe UNIX and Windows paths

The documentation also uses the following special conventions when explaining command syntax and user input (in a mono-spaced font):

  Format                                               Meaning
  Italic                                               Information that you must supply
  Between square brackets ([])                         Optional operands
  Between braces ({})                                  Set of mandatory operands
  Choices separated by pipe (|)                        Separates alternative operands (choose one). For example, the following means either a username or a group name: {username|groupname}
  ...                                                  Indicates that the preceding item or group of items can be repeated
  Underline                                            Default values
  A backslash at end of line preceded by a space ( \)  Sometimes a command does not fit on a single line in this guide. In these cases, a space followed by a backslash ( \) at the end of a line indicates that the command continues on the following line. Note: Avoid copying the backslash character and omit the line break. These are not part of the actual command syntax.

Example: Command Notation Conventions

The following code illustrates how command conventions are used in this guide:

  ruler className [props({all|{propertyName1[,propertyName2]...}})]

In this example:
  The command name (ruler) is shown in regular mono-spaced font as it must be typed as shown.
  The className option is in italic as it is a placeholder for a class name (for example, USER).
  You can run the command without the second part enclosed in square brackets, which signifies optional operands.
  When using the optional parameter (props), you can choose the keyword all or specify one or more property names separated by a comma.

File Location Conventions

The CA ControlMinder documentation uses the following file location conventions:
  ACInstallDir—The default CA ControlMinder installation directory.
    – Windows—C:\Program trol/
  ACSharedDir—A default directory used by CA ControlMinder for UNIX.
    –
  ACServerInstallDir—The default CA ControlMinder Enterprise Management installation directory.
    –
  The default Distribution Server installation directory.
    – tionServer
  JBoss HOME—The default JBoss installation directory.
    – /opt/jboss-4.2.3.GA

Contact CA Technologies

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
  Online and telephone contact information for technical assistance and customer services
  Information about user communities and forums
  Product and documentation downloads
  CA Support policies and guidelines
  Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to techpubs@ca.com.

To provide feedback about CA Technologies product documentation, complete our short customer survey which is available on the CA Support website at http://ca.com/docs.

Documentation Changes

The following documentation updates have been made since the last release of this documentation:
  Predefined Groups
  Using Conditional Access Control Lists - Added a note about shell scripts
  Protecting Against Stack Overflow: STOP - Updated description

Contents

Chapter 1: Introduction    17
  About this Guide    17
  Who Should Use this Guide    17

Chapter 2: Managing Endpoints    19
  What Is CA ControlMinder?    19
  Why Does UNIX Need Protecting?    19
  How Does This Work?    20
  What Is Protected?    20
  How Is It Protected?    23
  Expanding Native Security    24
  Endpoint Management    26

Chapter 3: Managing Users and Groups    27
  Users and Groups    27
  Where Information about Accessors Is Stored    28
  How CA ControlMinder Finds a User Record    28
  Integration with the Enterprise User Stores    29
  Guidelines for Managing Accessors in Enterprise Stores    29
  Users and Groups that Must be Defined in the Database    29
  Restrictions on the Use of Enterprise Users    29
  Restrictions on the Use of Enterprise Groups    30
  Enable or Disable the Use of Enterprise Users and Groups    30
  Enable or Disable the Creation of XUSER Records at Enterprise User Login    31
  Enable or Disable Checking Enterprise Store before Creating XUSER Records on UNIX    32
  Recycled Enterprise Store Accounts on Windows    32
  Resolve Recycled Enterprise Accounts on Windows    33
  Database Accessors    34
  Predefined Users    35
  Predefined Groups    36
  Profile Groups    37
  How CA ControlMinder Uses Profile Groups to Determine User Properties    37
  Accessor Management    38
  Manage Users or Groups    38
  User Management Using selang    41
  Group Management Using selang    41

Chapter 4: Managing Resources    45
  Resources    45
  Resource Groups    45
  Classes    46
  Default Record for Class    46
  User-Defined Classes    51

Chapter 5: Managing Authorization    53
  Access Authorities    53
  Setting Access Authority - Examples    53
  Access Control Lists    54
  Conditional Access Control Lists    55
  defaccess—The Default Access Field    55
  How Access Authority to a Resource Is Determined    56
  Interaction Between User and Group Access Authorities    57
  Accumulative Group Rights (ACCGRR)    58
  Security Levels, Categories, and Labels    58
  Security Levels    58
  Security Categories    59
  Security Labels    59

Chapter 6: Protecting Accounts    61
  Why Protect Accounts?    61
  Safe User Substitution    61
  Set User ID Substitution Rules    62
  How to Set Up sesu for User Substitution    62
  Setting Up the Surrogate DO Facility    66
  Defining SUDO Records    68
  Preventing Password Attacks    70
  serevu    70
  pam_seos    71
  Restrictions and Limitations    72
  Checking User Inactivity    73

Chapter 7: Managing User Passwords    75
  Password Control    75
  Defining Password Policies    75
  Configure Password Quality Checking    76
  Changing Passwords    77
  Password Expiration and Grace Logins    77
  Specify the Password Interval    78
  Set Individual User or Group Password Intervals    78
  Grace Logins    79
  Track Grace Logins    79

Chapter 8: Protecting Files and Programs    81
  Restricting Access to Files and Directories    81
  How File Protection Works    84
  Protect Files    84
  Wildcards in FILE Resource Names    85
  Restricting File Access    86
  Blocking Trojan Horses with the abspath Group    89
  Synchronization with Native UNIX Security    90
  Example: Synchronization    91
  HP-UX Limitations    92
  Sun Solaris Limitations    92
  Monitoring Sensitive Files
