ETrust Access Control For UNIX And Linux Utilities Guide


eTrust Access Control for UNIX and Linux Utilities Guide r8 SP1

This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the product are permitted to have access to such copies.

The right to print copies of the documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright 2006 CA. All rights reserved.

CA Product References

This document references the following CA products:

    eTrust Access Control (eTrust AC)
    eTrust Single Sign-On (eTrust SSO)
    eTrust Web Access Control (eTrust Web AC)
    eTrust CA-Top Secret
    eTrust CA-ACF2
    eTrust Audit
    Unicenter TNG
    Unicenter Network and Systems Management (Unicenter NSM)
    Unicenter Software Delivery

Contact Technical Support

For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support.

Contents

Chapter 1: Utilities by Category (page 9)
    eTrust AC Utilities (page 9)
    Categories (page 9)
    User Utilities (page 10)
    Administrator Utilities (page 11)
    Installation Utilities (page 13)
    Support Utilities (page 14)
    Password Utilities (page 14)
    Daemons (page 14)

Chapter 2: Utilities in Detail (page 17)
    ChangeEncryptionMethod (page 17)
    dbmgr (page 17)
        dbmgr -create Function—Create a Database (page 18)
        dbmgr -dump Function—Display Database Information (page 20)
        dbmgr -export Function—Create Script (page 23)
        dbmgr -migrate Function—Copy Data to a Flat File (page 25)
        dbmgr -util Function—Manage Existing Database (page 27)
        dbmgr -backup Function—Backup a Database (page 29)
        dbmgr -restore Function—Restore a Database (page 29)
    defclass (page 30)
    DictImport (page 31)
    dmsmgr (page 31)
        -create Function—Create a DMS or a DMA (page 32)
        -remove Function—Remove a DMS or a DMA (page 33)
        -cleanup Function—Remove Obsolete Nodes (page 33)
    eacpg gen (page 34)
    exporttngdb (page 37)
    issec (page 38)
    migopts (page 39)
    policydeploy (page 40)
    policyreport (page 42)
    seagent (page 46)
    seaudit (page 47)
    seauxd (page 59)
    sebuildla (page 60)
    sechkey (page 65)
    seclassadm (page 68)
    secompas (page 72)
    secons (page 74)
    secrepsw (page 85)
    sedbpchk (page 86)
    seerrlog (page 88)
    segrace (page 89)
    segracex (page 91)
    seini (page 93)
    selang (page 96)
    seldapcred (page 103)
    seload (page 104)
    selock (page 106)
    selockcom (page 112)
    selogmix (page 114)
    selogrcd (page 116)
    selogrd (page 118)
    semsgtool (page 133)
    senable (page 135)
    senone (page 137)
    SEOS load (page 138)
    SEOS syscall (page 139)
    seosd (page 140)
    seostngd (page 147)
    seoswd (page 150)
    sepass (page 153)
    sepmd (page 163)
        Administering Subscribers (page 164)
        Truncating the Update File (page 166)
        Dual Control (page 167)
        Managing the Policy Model Log File (page 169)
        Other PMDB Administration (page 170)
    sepmdadm (page 172)
    sepmdd (page 177)
    sepropadm (page 183)
    sepurgdb (page 185)
    sereport (page 186)
    seretrust (page 191)
    serevu (page 193)
    sessfgate (page 199)
    sesu (page 200)
    sesudo (page 202)
    seuidpgm (page 207)
    seversion (page 210)
    sewhoami (page 211)
    uninstall eTrustAC (page 212)
    UxImport (page 213)

Appendix A: Trace Messages (page 217)
    Conventions (page 217)
    Messages (page 217)

Appendix B: The lang.ini File (page 239)
    lang.ini File Tokens (page 240)
        general (page 240)
        history (page 241)
        newres (page 242)
        newusr (page 243)
        properties (page 244)
        User-Defined Properties (page 244)
            The Definition Files (page 244)
            The Tokens File (page 245)
            The Attributes File (page 246)
        unix (page 247)

Appendix C: String Matching (page 249)
    Wildcard Expressions (page 249)
    Wildcard Matching (page 249)
    Character Lists (page 250)
    Examples: Wildcard Matching (page 251)

Index (page 253)

Chapter 1: Utilities by Category

This section contains the following topics:

    eTrust AC Utilities (see page 9)
    Categories (see page 9)
    User Utilities (see page 10)
    Administrator Utilities (see page 11)
    Installation Utilities (see page 13)
    Support Utilities (see page 14)
    Password Utilities (see page 14)
    Daemons (see page 14)

eTrust AC Utilities

eTrust AC has many utilities. As a convenient overview, this chapter classifies them by category. Some utilities are listed more than once. For a description of the utilities arranged alphabetically, see the chapter “Utilities in Detail.”

Categories

This chapter groups the eTrust AC utilities into the following categories:

    User utilities for typical users of the system
    Administrator utilities for administrators to manage and configure eTrust AC
    Installation utilities for product installation, system startup, or the removal of eTrust AC from the system
    Support utilities for technical support
    Password utilities for replacing passwords
    Daemons for performing eTrust AC functions

User Utilities

defclass
    Defines basic Unicenter TNG asset types in each database and every new PMDB that is defined.

exporttngdb
    Migrates the current Unicenter Security data into a local eTrust AC database or PMDB.

segrace
    Displays various login and password settings for a user.

segracex
    Allows a user to replace an expired password.

selock
    Locks the user's screen and displays a screen saver.

selockcom
    Controls the selock utility.

senone
    Executes a shell as if it were invoked by a non-eTrust AC user.

sepass
    Serves in place of the UNIX passwd and yppasswd commands.

sesu
    Serves in place of the UNIX su command.

sesudo
    Executes commands for one user with the permissions of another user.

sewhoami
    Serves in place of the UNIX whoami command and reports the eTrust AC username, which is harder to change than the UNIX username.

Administrator Utilities

dbmgr
    Creates, manages, and maintains the eTrust AC database.

dmsmgr
    Creates or removes a DMS or a DMA from an eTrust AC computer, or maintains the DMS database to remove obsolete objects.

eacpg gen
    Automatically generates eTrust AC control policies.

ChangeEncryptionMethod
    Changes the encryption method of existing policy models.

issec
    Displays the eTrust AC security daemons' status.

policydeploy
    Deploys or removes a policy from a Policy Model hierarchy or on an eTrust AC end-point.

policyreport
    Generates offline (static) HTML reports based on information in a DMS.

seaudit
    Displays selected data from the eTrust AC audit log.

sebuildla
    Creates a lookaside database.

sechkey
    Changes the encryption key for various eTrust AC programs.

seclassadm
    Adds new classes to the eTrust AC database.

secons
    Controls the eTrust AC daemons.

secrepsw
    Creates a password file without shadowing.

sedbpchk
    Checks the integrity of the eTrust AC database. Backs up the database if the database passes the check.

seerrlog
    Lists records in the eTrust AC error log.

selang
    Invokes the selang command shell.

seldapcred
    Encrypts and stores a provided credential for use by LDAP-enabled eTrust AC utilities (such as sebuildla) for retrieving data from an LDAP Directory Information Tree (DIT). Together with the value of the ldap userdn token in the [seos] section of the seos.ini file, it lets the utility authenticate to the LDAP service.

selogmix
    Splits and merges audit files.

semsgtool
    Maintains, decodes, and creates eTrust AC message files.

senable
    Re-enables a previously disabled user account.

sepmd
    Administers PMDBs.

sepmdadm
    Creates PMDBs.

sepurgdb
    Purges the eTrust AC database.

sereport
    Provides reports, accessible from a web browser, of database and Policy Model information.

seretrust
    Retrusts untrusted programs.

seversion
    Displays the version information of an eTrust AC module.

uninstall eTrustAC
    Removes eTrust AC from the station.

Installation Utilities

DictImport
    Imports an external dictionary to the eTrust AC database for password checks.

exporttngdb
    Migrates the current Unicenter Security data into a local eTrust AC database or PMDB.

migopts
    The eTrust AC program run at installation that translates the current Unicenter Security environment into the global settings of either a local eTrust AC database or PMDB.

seload
    The utility that loads the eTrust AC extension to the UNIX kernel and executes the eTrust AC daemons.

SEOS load
    The eTrust AC interception module loader for all stations except Sun Solaris.

SEOS syscall
    The eTrust AC interception module.

seostngd
    eTrust AC synchronization daemon (for Unicenter TNG).

sepropadm
    The administrator of eTrust AC database properties.

seuidpgm
    The extractor of the setuid programs in a UNIX file system.

UxImport
    The extractor of the user, group, and host information in a UNIX system and, if installed, in NIS.

uninstall eTrustAC
    The utility for removing eTrust AC from the station.

Support Utilities

sedbpchk
    Checks the integrity of the eTrust AC database, and if it passes, backs up the database.

seini
    Displays information about the eTrust AC database and initialization files and sets the values of tokens in the initialization files.

Password Utilities

secompas
    Compares UNIX and eTrust AC passwords for all eTrust AC users.

sepass
    Serves in place of the UNIX passwd and yppasswd commands.

Daemons

mfsd
    Daemon for mainframe synchronization.

seagent
    eTrust AC agent daemon (the Agent).

seauxd
    eTrust AC auxiliary daemon.

selogrcd
    Collector daemon for the eTrust AC log routing system.

selogrd
    Transmitter daemon for the eTrust AC log routing system.

seosd
    eTrust AC authorization daemon (the Engine).

seoswd
    eTrust AC watchdog daemon (the Watchdog).

sepmdd
    Policy model daemon.

serevu
    Daemon for dealing with users who have committed too many login failures.

sersvd
    Daemon enabling the Remote Status View (RSV).

sessfgate
    Daemon to route reformatted Unicenter Security APIs through the message queue to eTrust AC.

Chapter 2: Utilities in Detail

ChangeEncryptionMethod

Changes the encryption methods of policy models. Three encryption methods are available. When you run this utility, you are asked to choose one of the following encryption methods:

    AES (128bit, 192bit, or 256bit)
    DES
    TRIPLEDES
    SCRAMBLE

After you choose the method, the utility searches for existing Policy Models in the system, decrypts them by running "sepmd -de pmd name", and then changes the encryption method by linking libcrypt to the new shared library: libdes, libtripledes, or libscramble.

Note: To run ChangeEncryptionMethod, eTrust AC needs to be running. To change the encryption method, the utility asks you whether it can temporarily shut down eTrust AC.

dbmgr

Creates, manages, and maintains the eTrust AC database files.

Note: This utility replaces the following utilities from previous versions: dbdump, rdbdump, dbutil, secredb, sedb2scr, and semigrate.

The dbmgr utility handles several tasks, each described separately in this section:

    Creating a new database
    Generating reports on database records
    Creating a script that defines a database
    Copying data from a database to a flat file
    Managing and maintaining
