eTrust Access Control for UNIX and Linux User Guide
eTrust Access Control for UNIX and Linux® User Guide r8 SP1

This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the product are permitted to have access to such copies.

The right to print copies of the documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT.
IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.2277014(b)(3), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2006 CA. All rights reserved.

CA Product References

This document references the following CA products:
    eTrust® Access Control (eTrust AC)
    eTrust® Single Sign-On (eTrust SSO)
    eTrust® Web Access Control (eTrust Web AC)
    eTrust® CA-Top Secret®
    eTrust® CA-ACF2®
    eTrust® Audit
    Unicenter® TNG
    Unicenter® Network and Systems Management (Unicenter NSM)
    Unicenter® Software Delivery

Contact Technical Support

For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support.

Contents

Chapter 1: Introducing the UNIX Interfaces  13
    UNIX Administrative Interfaces  13
    Policy Manager  13
    Security Administrator  13

Chapter 2: Using Policy Manager  15
    The Policy Manager Interface  15
    Menu Bar  16
    Toolbar  20
    Program Bar  22
    Output Bar  24
    Managing Accessors  25
    Assigning Windows Rights to Accessors  26
    Restricting User Login  26
    Selecting User Activities to Audit  27
    Entering Personal Information  28
    Adding a User to a Group  29
    Adding Nested Groups  29
    Setting Active Directory Properties  30
    Synchronizing Data with the Native Operating System  30
    Managing eTrust AC Resources  31
    Using the Calendar to Manage eTrust AC Resources  32
    Managing Windows Resources  33
    Managing Windows Domains  33
    Protecting a Resource with SPECIALPGM  34
    Managing Policy Models  34
    Specifying the PMDB  34
    Displaying the Policy Model Window  34
    Managing the Policy Model Hierarchy  36
    Working with the Error Log  37
    Displaying Properties  38
    Creating Sub Administrators  39

Chapter 3: Installing Security Administrator  41
    What Is Security Administrator?  41
    Memory Space and Disk Space  42
    Considerations for New Installations  42
    Designating a Control Center  42
    Workstations Where eTrust AC Is Necessary  42
    Installing Security Administrator  43
    After the Installation  45
    Reviewing Security Administrator Configuration (All Installations)  45
    Reestablishing Your Host Database (Upgraded Installations)  46
    Creating a Secure Environment (New Installations)  47
    Upkeep  49

Chapter 4: Security Administrator Basics  51
    Starting Security Administrator  51
    The Main Window  52
    The Menu Bar  54
    The Toolbar  55
    Screen Locker  56
    Using Security Administrator  56
    Performing Actions  57
    Using Dialogs  57
    Workflow  58
    Activity Page  58
    Activity Window  61
    Fields and Options  62
    Closing the Activity Window  63
    Exiting Security Administrator  63

Chapter 5: Executing, Editing, and Reviewing Transactions  65
    Executing Transactions  65
    Verifying Commands Before Execution  66
    Selecting a Source Host  66
    Selecting Target Hosts  67
    Selecting Users, Groups, or Resources  67
    Viewing Transaction Progress  68
    Monitoring Status  68
    Limiting Hosts  70
    Stopping and Restarting Transactions  71
    Editing Commands  71
    Editing Commands for All Hosts  72
    Editing Commands for One Host  74
    Saving Commands in a File  76
    Retrying Transactions  77
    Viewing Output Messages  78
    Filtering Messages by Limiting Hosts  80
    Finding a Word or String  81
    Printing Output Messages  81
    Printing Messages from All Hosts  82
    Printing Messages from One Host  82

Chapter 6: Host Administration  83
    The Hosts Page  83
    Host Groups  84
    Creating a New Host Group  84
    Adding Hosts to Host Groups  85
    Removing Hosts from Host Groups  86
    Deleting a Host Group  86
    Hosts  87
    Creating a Host  87
    Selecting and Deselecting Hosts  88
    Limiting the Display of Host Names  89
    Updating a Host  90
    Deleting Hosts from the Database  90

Chapter 7: Account Administration  91
    The Main Window  91
    Users  92
    Filtering the List of Users  92
    Creating a New User  93
    Using Templates to Copy User Properties  94
    Refreshing the User List  94
    Selecting and Deselecting Users with Wildcards  95
    Viewing User Properties  96
    Modifying User Properties  97
    Changing Passwords  99
    Suspending and Resuming Users  100
    Copying Users from the Source Host to Other Hosts  101
    Deleting Users  102
    Adding, Modifying, or Deleting User Access Permissions  103
    Viewing User Access Permissions  104
    User Groups  105
    Filtering the List of Groups  105
    Creating a New Group  106
    Using Templates to Copy Group Properties  107
    Refreshing the Group List  107
    Selecting and Deselecting Groups Using Wildcards  108
    Viewing Group Properties  109
    Modifying Group Properties  110
    Adding Users To Groups and Removing Users From Groups  111
    Copying Groups from the Source Host to Other Hosts  112
    Deleting Groups  113
    Adding, Modifying, or Deleting Group Access Permissions  114

Chapter 8: Resource Administration  117
    Security Administrator  117
    Displaying Resources  118
    Filtering the List of Resources  119
    Creating a Resource  120
    Selecting and Deselecting Resources Using Wildcards  121
    Viewing Resource Properties  122
    Updating a Resource  123
    Editing Existing Resources and Creating New Ones  126
    Copying a Resource  127
    Protecting a Resource in the UNIX or Windows Environment  128
    Deleting Resources  129
    Updating TCP Services and Ports  130
    Adding Accessors to Windows Resources  131

Chapter 9: Policy Model Administration  133
    The Policy Model Database  133
    Working with PMDBs  133
    Accessor Transactions  134
    PMDB Commands  135

Chapter 10: Login Protection  137
    Setting Up Login Protection  137

Chapter 11: Security Configuration  139
    Working with Security Policies  139
    Working with Password Policies  142
    Viewing eTrust AC Status  143

Chapter 12: Audit Log Routing  145
    Log Routing  145
    View or Modify Audit Log Route Configuration  145

Chapter 13: Setting Security Administrator Options  149
    Specifying Preferences  149
    Preference Dialog Settings  149
    Master Database Page  150
    Activity Page  151
    Retry Mechanism Page  152
    Password Page  152
    Property Editor Page  153
    Other Page  153

Chapter 14: The Audit Browser: seauditx  155
    The seauditx Utility  155
    Starting seauditx  156
    The seauditx Main Window  157
    Switches  158
    Options  159
    Text Output  160
    Minimizing and Maximizing Areas  164
    Help  165
    Filtering Audit Records  165
    Changing the Filter  166
    Saving the Filter  166
    Retrieving a Saved Filter  167
    Opening an Audit Log  167
    Loading a Backup Audit Log  168
    Loading a Collected Audit Log  168
    Loading a Default Audit Log  168
    Viewing Audit Record Details  169
    Network Trace Information Dialog  172
    Network Session Trace Configuration  172
    Commenting the Audit Log  174
    Creating or Editing a Comment  174
    Inserting Information from an External File into a Comment  175
    Saving a Comment in an External File  175
    Searching for Text in a Comment  176
    Clearing the Comment Editor Dialog  176
    Removing a Comment  176
    Printing a Comment  177
    Adding Acknowledgements  177
    Reassigning Comments and Acknowledgements  178
    Printing the Audit Log  179
    Setting Preferences for seauditx  179
    Customizing seauditx  180
    The seos.ini File  180

Chapter 15: SecMon  181
    SecMon  181
    Starting SecMon  182
    Minimizing SecMon  183
    The SecMon Main Window  184
    Text Output  186
    Detailed Information  188
    Changing Text Color  190
    Performing Tasks with SecMon  191
    Stopping and Restarting Retrieval of Audit Events  191
    Deleting Selected Audit Events  191
    Deleting All Audit Events  192
    Changing Buffer Size  192

Appendix A: User and Group Properties  193
    User Properties  193
    eTrust AC User Properties  193
    UNIX User Properties  198
    Windows User Properties  200
    Group Properties  202
    eTrust AC Group Properties  203
    UNIX Group Properties  206
    Windows Group Properties  207

Appendix B: Resource Properties  209
    Resource Properties  209
    The eTrust AC Classes  209
    Administration (ADMIN Class)  210
    File and Directory (FILE Class)  213
    File Group (GFILE Class)  216
    Holiday (HOLIDAY Class)  218
    Host (HOST Class)  221
    Host Groups (GHOST Class)  223
    Host Network (HOSTNET Class)  225
    Host Protection by Name Pattern (HOSTNP Class)  227
    Login by Terminal (TERMINAL Class)  229
    Monitored Files (SECFILE Class)  232
    Outgoing Connections by Host (CONNECT Class)  233
    Process (PROCESS Class)  236
    Security Labels (SECLABEL Class)  239
    Security Categories (CATEGORY Class)  241
    SUID/SGID Programs (PROGRAM Class)  242
    Tasks (SUDO Class)  245
    Task Groups (GSUDO Class)  248
    TCP Protection (TCP Class)  251
    Terminal Groups (GTERMINAL Class)  254
    User ID Substitution (SURROGATE Class)  256
    The UNIX Classes  258
    UNIX FILE Class  258
    Windows Classes  260
    NT FILE Class  260
    NT-PRINT Class  262
    NT-COM Class  263
    NT-SHARE Class  264
    NT-REGKEY and NT-REGVAL Class  266

Appendix C: seam.ini and UNIX Exits  269
    The Security Administrator Configuration File  269
    [master_db] Section  270
    [transaction] Section  271
    [password] Section  271
    [hosts_groups] Section  272
    [print] Section  272
    [help_ini] Section  272
    [messages] Section  272
    [defaults] Section  273
    [user fields] Section  274
    [others] Section  275
    [synchronize] Section  275
    [bin] Section  275
    Security Administrator Command Line Options  276
    The Password Generation Utility  277
    UNIX Exits  277
    Passing Arguments to UNIX Exits  278
    Preserving the Values Passed to UNIX Exits  279

Index  281

Chapter 1: Introducing the UNIX Interfaces

This section contains the following topics:
    UNIX Administrative Interfaces (see page 13)
    Policy Manager (see page 13)
    Security Administrator (see page 13)

UNIX Administrative Interfaces

eTrust AC for UNIX provides two interfaces to help you manage the resources in your enterprise and control who has access to them. The interfaces are Policy Manager and Security Administrator. This User Guide explains how to install and use each interface: Chapters 1 and 2 provide information about Policy Manager. The remaining chapters explain Security Administrator. This chapter gives a brief introduction to each GUI interface so that you can decide which one to use.

Policy Manager

Policy Manager lets you manage your UNIX workstations from a PC running Windows NT, 2000, XP, or 2003. The CD that contains eTrust AC provides this Windows GUI, which you can install by itself or with eTrust AC on the PC.

Security Administrator

The Security Administrator lets you manage your enterprise from a UNIX workstation. The Administrator is a suite of tools that you can install with eTrust AC or afterward.

Chapter 2: Using Policy Manager

This section contains the following topics:
    The Policy Manager Interface (see page 15)
    Managing Accessors (see page 25)
    Managing eTrust AC Resources (see page 31)
    Managing Policy Models (see page 34)
    Creating Sub Administrators (see page 39)

The Policy Manager Interface

The Policy Manager main window contains the following elements:

Title bar
    Displays the window title.

Menu bar
    Contains the pull-down menus of commands you can use with Policy Manager.

Toolbar
    Provides access to frequently used commands.

Program bar
    Provides access to the categories of objects you can manage with Policy Manager.
Workspace
    Displays windows for wizards and other items invoked from the menus, toolbar, or program bar.

Output bar
    Displays a condensed version of the messages that the selang command language returns as the result of any action you take that changes a database.

Split bar
    Separates the window into its various panes: the program bar, the workspace, and the output bar area. You can grab the split bar and drag it left or right (or up and down) to change the relative sizes of the panes.

Status bar
    Displays descriptive text for items that the cursor points to.

Menu Bar

The menu bar contains the pull-down menus of commands you can use with Policy Manager. The menu bar structure is dynamic, with appropriate commands appearing for the action you are taking. For example, the Tree menu appears only when the active window contains a tree structure.

File Menu

With the File menu, you can:
    Open any of the applications available from the program bar.
    Open the Host Selection and Command Log dialogs.
    Open the Manage Target Hosts dialog, which is used to set up the multi-host transactions performed in Transaction mode. The dialog lets you add hosts or groups of hosts, and select which ones will be active for a particular multi-host session.
    Activate the Transaction mode.
    Clear the Command Log.
    Exit Policy Manager.

View Menu

With the View menu, you can activate and deactivate all bars other than the menu bar, and toggle Workbook mode. In Workbook mode, a tab is associated with each open window in the workspace. Clicking a tab brings the associated window to the front. This makes it easier to move around among multiple windows. When a window is open, the View menu also lets you choose the type of display: large icons, small icons, list, or details. (You can also make this choice with the Views toolbar button, which is explained later in this chapter.)
Tools Menu

With the Tools menu, you can activate Wizards, display eTrust AC version or Host information, and shut down eTrust services on the local or a remote host. It also activates the Commands and Scripts dialog, which runs selang commands or scripts and displays the output. The most important item on the Tools menu is Options.

Note: You cannot create, maintain, or export the database from a remote machine.

System Options

Policy Manager contains default system options. To change these settings according to the needs of your organization, choose Options from the Tools menu. The following describes these options and their default settings:

Accounts & Resources
    Defines the resources that are displayed when you work with a PMDB, and lets you choose whether B1 security features are shown. For a complete description of B1 security features, see B1 Security Level Certification in the Administrator Guide.

Appearance
    Defines the way the toolbar and main windows look, and activates the connection dialog.

Command Log
    Defines whether eTrust AC logs commands that do not update the eTrust AC or native database. By default, eTrust AC does not log commands that do not update a database.

Create
    Defines the environments in which eTrust AC creates new users and groups. By default, eTrust AC creates users and groups in both eTrust AC and the native environment. You can also choose to always use the wizards to create users and special programs.

Format
    Defines the colors used to represent users and resources.

Mail Configuration
    Defines the configuration eTrust AC uses to send email.

Mail Contents
    Defines the contents of the email automatically generated by eTrust AC to notify a user when the password has been changed.

Password
    Activates and sets rules for password generation.

Startup
    Specifies the host to connect to on startup. By default, eTrust AC updates the local host.
You can also choose an alternate splash screen and whether you want to display the Wizards window on startup.

Transaction Mgr.
Sets the options for multi-host transactions. By default, the Transaction Manager is inactive.

Window Menu

The Window menu lists the open windows in the workspace, lets you cascade or tile the windows, and lets you close them singly or all together.

Help Menu

The Help menu activates the online help system and shows the version number of eTrust AC.

Toolbar

The toolbar provides easy access to frequently used commands. Most of the commands are also accessible from the menu bar. Like the menu bar, the toolbar is dynamic, with appropriate commands appearing for the action you are taking. Common tools are described in the following sections. Tools specific to a particular window are described in the section on that functionality.

Connect

The Connect button displays the Host Selection dialog, which lets you connect to a different host. By default, Policy Manager operates on the local host.

Note: For information about working with multiple hosts simultaneously, see the online help.

The Connect button also lets you specify a list of favorites to choose from if you frequently view or update any of the following:
- Local Policy Model databases (PMDBs)
- The eTrust AC database on a remote host
- A PMDB on a remote host

You can also search the Network Neighborhood to connect to less frequently accessed hosts. You can remove a host from the Favorites list at any time.

Note: To administer an eTrust AC database on a remote host, that remote database must contain a TERMINAL record for your stand-alone machine, granting it read and write access.

Transaction Mode

The Transaction Mode button toggles the Transaction Mode on or off. Before you can use this button, you must activate the Transaction Manager in the Tools menu.

Wizards

The Wizards button lets you activate the most commonly used wizards.
You can click the magic wand to open a window for selecting wizards, or click the arrow and select a wizard to activate. You can also activate wizards by using the Tools menu.

Refresh

The Refresh button lets you redisplay the current window after running a transaction. The arrow lets you refresh all windows or the current window.

Views

The Views button lets you select the view for the active window. The choices are: Large Icons, Small Icons, List, and Details. The arrow gives a drop-down list of the choices. The icon toggles you through the list. Each window can have its own view setting.

Print

The Print button displays a Print dialog that lets you print the contents of the active window. You can select different formats for the header, content, and footer. Clicking OK in this dialog opens the Windows Print dialog, where you can set more printer options.

Program Bar

The program bar lets you choose specific items to protect or to be protected from. To display the panels on the program bar, click the buttons labeled Access Control, Windows NT, and Tools.

Access Control Panel

Users
This feature lets you administer users in the native Windows, native UNIX, and eTrust AC environments.

Groups
This feature lets you administer groups in the native Windows NT, native UNIX, and eTrust AC environments.

Resources
This feature lets you administer resources defined in the database.

Windows NT Panel

Note: This panel is visible only when you are connected to a Windows host.

Server Manager
This feature lets you administer resources defined in a native Windows database.

Files
This feature lets you administer file resources defined in the native Windows environment.

Registry Editor
This feature lets you administer registry keys and values. Use it instead of Regedit.

Security Policies
This feature lets you administer predefined security features.
Tools Panel

Policy Model
This feature lets you administer PMDBs and their subscribers on the host to which you are connected.

Audit
This feature lets you administer the predefined and user-defined filters used to select data from the audit log.

Output Bar

The output bar displays the command log, which is the file in which eTrust AC writes selang commands. The information shown in the output bar includes the commands that were created, the host on which they were created, the environment in which they were created, and the date and time they were executed. Every time you begin a new session of Policy Manager, eTrust AC creates a new command log. Therefore, if you want to save the commands from a session, you should save or print the log.

Note: Each line in the output bar of the Policy Manager window may represent more than one selang command in the Command Log.

Note: By default, eTrust AC logs only selang commands that update the eTrust AC or native Windows database. However, by choosing Options from the Tools menu, you can configure eTrust AC to log commands that do not update a database.

Managing Accessors

An accessor, sometimes called an account, is an entity that can access system resources. The most common type of accessor is a user, typically a person who logs on and for whom access authorities should be assigned and checked. Groups, programs, and terminals are also accessors.

eTrust AC can identify users by account name only or by account name prefixed with a Windows domain name or server name (when the user account is not part of a Windows domain), depending on which you use when you create user records in the eTrust AC database.

You can administer all the users and groups defined in the native Windows operating system and in the eTrust AC database (the eTrust environment).
You can do the following:
- Add a user or group to either or both environments (Windows and eTrust)
- Update a user or group in either or both environments
- Delete a user or group from either or both environments
- Rename a user (Windows environment only)
- Add a user to or remove a user from a group
- Add a group to or remove a group from a group
- View the protected resources of a user or group

To perform these functions, click Users or Groups in the Access Control panel of the program bar, and then click New, Delete, or Properties on the toolbar.

To add a user, click the Users icon, then click the New button. The Create New User dialog displays. Click the icons on the left to display different panels. For example, the General panel lets you enter the user name and description, specify the eTrust AC or Windows environment (Advanced button), and set password information.

Note: eTrust AC also provides wizards for some of the tasks necessary to manage accessors. You can access them by clicking Users or Groups in the Access Control panel, and then choosing from the Tools menu or clicking the Wizards toolbar button.

Important! We strongly recommend that you not use Windows NT backup domain controllers (BDCs) to define users.

Most of the functions you can perform in native Windows with the User Manager and User Manager for Domains you can perform in the Access Control and Windows panels of the program bar.

You can import users and groups from your Windows system to the eTrust AC database, either during the installation or later using the NT Import Wizard. For more information and detailed procedures, see the online help for Policy Manager.

Assigning Windows Rights to Accessors

You can assign standard and advanced rights to users and groups in Windows. Most advanced rights are useful only to programmers writing applications for computers running Windows Workstation or Windows Server; advanced rights are not usually granted to a group or end user.
Note: For more information about programming rights, see the Windows NT programming documentation.

Restricting User Login

You can restrict user login privileges in several ways:
- Specify an expiration date
- Suspend an account so that it exists in the eTrust AC database, but the user cannot log in
- Specify the number of grace logins
- Specify the maximum number of terminals from which a user can log in
- Specify the number of days that must pass before an account becomes inactive
- Limit login rights to specific days and hours

By default, the account does not expire or become inactive, the account is not suspended, and a user can log in to any number of terminals without restrictions. Use the Login panel of the Create New User dialog to restrict login privileges.

Selecting User Activities to Audit

For users defined in the eTrust AC database, you can specify the user activities that eTrust AC should audit.

Note: Only users defined in the database with the AUDITOR attribute can specify audit properties. This option is dimmed for users who are defined in the Native environment only. For more information about auditing in eTrust AC, see the Administrator Guide.

The following audit modes specify which user activities are included in the eTrust AC audit log. These options are available from the Miscellaneous panel of the dialogs for creating and editing users.

Success
Successful accesses to resources defined in eTrust AC are logged.

Logon Success
Successful logins are logged.

Logon Failure
Failed login attempts are logged.

Failure
Failed attempts to access resources defined in the database are logged.

Trace
Every message that appears in the trace file because of this user's actions is also logged in the audit log.

All
All user activity, successful or not, is logged.

None
No user activity is logged.
Entering Personal Information

You can enter personal information about the user from the Miscellaneous panel of the dialogs for creating and editing users. These properties are optional.

Location
An alphanumeric string of up to 47 characters specifying the location of the user, such as Main Office or East Coast Sales.

Country
An alphanumeric string of up to 19 characters indicating the country in which the user is located.

Organization
An alphanumeric string of up to 19 characters indicating the organization to which the user is assigned.

Organization Unit
An alphanumeric string of up to 19 characters indicating the organization unit to which the user is assigned.

Phone
An alphanumeric string of up to 19 characters indicating the user's telephone number.

E-Mail
An alphanumeric string of up to 256 characters indicating the email address of the user.

Adding a User to a Group

You can add users to a group to make management much easier. Use the Groups panel of the dialogs for creating and editing users.

Adding Nested Groups

You can add or modify nested groups from the Miscellaneous panel of the dialogs for creating and editing groups. (Click Groups in the program bar and then New or Properties on the toolbar.) The Nested Groups dialog lets you add and delete super groups (parents) and member groups (children) from existing groups. Properties of a super group are passed down to its member groups.

Setting Active Directory Properties

When you are connected to a Windows 2000 machine with Active Directory, you can use the Directory Services panel of the User or Group Properties dialog to set Active Directory User or Group properties. These properties are not supported in Windows NT, Windows 2000 without Active Directory, or the eTrust AC native environment database.
The icon to activate the panel does not appear unless you are connected to a Windows 2000 machine with Active Directory.

Note: Active Directory lets you organize users into different folders. Policy Manager displays all Active Directory users in a single Users panel.

Synchronizing Data with the Native Operating System

When using selang commands, you can change data about an accessor in the database without changing data in the native operating system. Likewise, when using the User Manager in Windows, you can change data about an accessor in Windows without changing data in eTrust AC. When you change data in either of these ways, the accessor is defined differently in each database.

eTrust AC monitors definitions in both eTrust AC and the native operating system, and provides a Synchronization panel when the definitions in Windows and eTrust AC do not match. When the definitions match, the Synchronization icon is not visible.

Managing eTrust AC Resources

A resource is an entity that users and groups can access. The most common type of resource is a file. You access a file when you read information from it or write information to it.

Resources are grouped by class, which is a name for the type of resource. For example, the TERMINAL class contains all objects that are terminals, such as tty1, tty2, and so on; the SHARE class contains all objects that are shared; the FILE class contains definitions for files and directories. For more information about the eTrust AC classes, see the Reference Guide.

The properties of a protected resource are stored in the resource's record. A record is a collection of data consisting of the name and properties of a resource. Every record in a particular class contains values for the same set of properties: the properties appropriate to the type of object that the class describes. Properties indicate who defined the resource, the date when the resource was defined, and more.
In general, the most important information contained in a resource record is the list of accessors authorized to access the resource. This list is called the access control list (ACL). Many resources contain another list of accessors, for which access is denied. This list is called the negative access control list (NACL).

Note: You can view the ACLs or NACLs for a specific user or group by choosing Protected Resources from the menu displayed when you right-click a user or group name.

You can administer all the resources in the eTrust AC database by:
- Adding a resource to any class in the eTrust AC database
- Updating a resource in any class in the eTrust AC database
- Deleting a resource in any class from the eTrust AC database
- Defining terminals and terminal groups from which users can log in
- Defining Holidays when users need extra privileges to log in
- Defining task delegation and task groups

To perform these functions, click Resources in the Access Control panel of the program bar, select a resource in the workspace, and then click New, Delete, or Properties on the toolbar.

The dialog for creating a resource in the FILE class opens when you click Resources and then New. Click the icons on the left to display different panels. For example, the General panel lets you enter the resource name and description, specify the owner, and more.

Using the Calendar to Manage eTrust AC Resources

eTrust AC supports user, group, and resource access enforcement according to the Unicenter TNG calendar. The calendar contains time intervals of 15 minutes that you can set to ON or OFF. A calendar time interval set to OFF prevents access to the resource; a calendar time interval set to ON allows access to the resource. eTrust AC retrieves Unicenter TNG active calendars at specified time intervals.

You can add, edit, or remove a calendar resource using the Resources view. Select Login Protection in the resources tree.
Click the Calendar tree entry, and right-click to select an option.

Managing Windows Resources

You can administer the resources in the native Windows database using the dialogs for creating and editing resources. You can:
- Add a resource to the REGISTRY and SHARE classes in the Windows database.
- Update a resource in any class in the Windows database, including the Active Directory database.
- Delete a resource in any class from the Windows database.

For more information about Windows resources, see the Windows Reference Guide.

Managing Windows Domains

Using Policy Manager, you can:
- Display information about a Windows domain
- Add new computers to a Windows domain
- Delete computers from a Windows domain
- Create and delete trust relationships between Windows domains

Select NT Specific in the resources tree. Click the Domain tree entry, and right-click to select an option.

eTrust AC checks the validity of these operations if an eTrust AC client, such as Policy Manager or selang, performs them. When it checks the validity of an operation, eTrust AC uses the authorization rules that exist in the eTrust AC database on the domain controller. Each record in the eTrust AC class DOMAIN defines a Windows domain. The three types of possible access for records in the DOMAIN class are:

READ
Lets the user display the properties of the domain.

CHMOD (Change Mode)
Lets the user create or delete trust relationships between domains.

EXEC (Execute)
Lets users add members to or delete members from a domain.

Protecting a Resource with SPECIALPGM

Objects in the SPECIALPGM class define an application that needs special eTrust AC authorization protection. This class is especially useful for protecting programs, such as system services, that typically need to run as the SYSTEM account.
To protect such a program, define it as a record in the SPECIALPGM class and associate a logical user name (defined as a USER record in the eTrust AC database) with the Windows user name required to run the program, authorizing only that logical user to run the program.

In Windows, you can use the Special Program Wizard to help set up this protection. To run this wizard from the GUI, click the Resources button in the program bar. Then select Special Program Wizard from the Tools menu.

Managing Policy Models

You can use Policy Manager to manage several PMDB functions. These include specifying a PMDB, managing subscribers, managing the error log, starting and stopping the Policy Model daemon (in UNIX), reactivating an unavailable subscriber, and displaying properties. For a complete description of integrating PMDBs into your implementation plan, see the Administrator Guide.

Specifying the PMDB

eTrust AC supports multiple Policy Models on a single host. You can specify the PMDB using Policy Manager or selang. For information about using selang, see the Reference Guide.

Displaying the Policy Model Window

The Policy Model window, activated from the Tools panel of the program bar, lists all the PMDBs defined on the station to which you are connected, including subscribers where applicable.

The Policy Model window contains the following columns:

Name
Lists the subscribers of the selected PMDB.

Type
Displays the type of subscriber: eTrust database, PMDB, or MF (mainframe).

Status
Indicates whether the subscriber is Available or Unavailable. A subscriber is Available when no commands are waiting to be executed. A subscriber is Unavailable if its parent PMDB has sent one or more commands that have not yet been executed. Commands are saved in the file updates.dat, whose default location is \Program Files\CA\eTrustAccessControl\data\pmdb.

Next Command
Displays the command that is waiting to be executed.
If the subscriber's status is Available, this column is empty.

Errors
Displays the number of errors for the selected subscriber. An error is a command that failed; that is, it did not update the subscriber. Connection failures are not included.

Executed Commands
Displays the percentage of commands that have been executed. If the subscriber's status is Available, this column displays the value 100%.

Managing the Policy Model Hierarchy

Subscribers to a PMDB can be:
- Another PMDB on the same or a remote host
- An eTrust database on the same or a remote host
- A mainframe database

Using Policy Manager, you can:
- Add subscribers to a PMDB
- Remove subscribers from a PMDB
- Display the commands that were sent to subscribers but failed to update them (the errors that appear in the error log)
- Erase the contents of the error log

When adding a subscriber, ensure that the parent PMDB and all the stations you want to subscribe to it are part of the same network and can communicate with each other by name. This lets eTrust AC update the parent_pmd key in the registry of the subscriber.

Working with the Error Log

The Policy Model error log contains a list of transactions that the subscriber stations refused to apply. For more information about the PMDB error log, see the eTrust AC for Windows Administrator Guide.

Using Policy Manager, you can display the errors of a PMDB and all its subscribers, or you can display errors for only one subscriber. You can also clear the contents of the error log.

The Policy Model Error Log contains the following columns:

Host
The full name of the PMDB on which the command failed.

Command
The full eTrust AC command that failed.

Error Description
The reason why the command failed.

Offset
The location of the command in the updates.dat file.

Date
The date on which the command failed.

Time
The time the command failed.
Note: If you click the Next button, eTrust AC brings the next set of records. The query_size registry key defines the number of records in a set. (The default value is 100.) The records in the next set are added to the display. This means that if you pressed Next once (and the value of the key is still 100), then 200 records are displayed.

Displaying Properties

To display the properties of a PMDB or a subscriber, select Properties from the View menu or the right-click menu. The properties displayed for the parent PMDB are as follows.

Policy Model Name
The name of the PMDB.

Parent
Indicates whether the PMDB is a parent.

Password File
For UNIX only, the name of the file that contains information about the locally defined users, such as their full names, IDs, the IDs of the groups to which the users belong, their home directories, and encrypted passwords.

Group File
For UNIX only, the name of the file that contains information about the locally defined groups, such as the group IDs and the list of users in the groups.

eTrust AC displays a different window to show the properties of subscribers. See Displaying the Policy Model Window in this chapter for a description of the properties displayed for subscribers.

Creating Sub Administrators

To set up sub administrators to manage users and groups from Policy Manager, complete the following steps:
1. Launch Policy Manager.
   Note: If the eTrust AC server is installed on this machine, shut down eTrust AC services after you log in to Policy Manager.
2. From the Policy Manager toolbar, select Tools, Options. The Options dialog displays.
3. Select the Startup tab, then check Enable Users and Groups Sub Administration.
4. Click OK.

To enable sub administrators to access Policy Manager from a specific terminal, complete the following steps:
1. Select the Resources icon in the eTrust AC program bar to display the Resources window.
2. Expand the Login Protection folder.
3. Select Terminal to display the list of available terminals.
4. Double-click the terminal you want. The View or Set Terminal Properties - General dialog displays.
5. Select the Authorize icon to display the View or Set Terminal Properties - Authorize dialog.
6. Select the sub administrator you want to authorize and check the Read and Write permissions.
7. Click OK.

To define a sub administrator with privileges to manage users, do the following:
1. Select the Resources icon in the eTrust AC program bar to display the Resources window.
2. Expand the Administration folder.
3. Select Access by Class to display the list of available classes.
4. Double-click the USER class and choose Properties. The View or Set ADMIN Properties - General dialog displays.
   Note: To enable the sub administrator to administer other classes, replace the USER class with the class you want (GROUP, USER_DIR, and so forth).
5. Select the Authorize icon to display the View or Set ADMIN Properties - Authorize dialog.
6. Click Add to display the Add eTrust AC Accessor dialog.
7. Enter the name of the sub administrator in the Name field, or click Browse to locate it.
8. Check the permissions you want to give the sub administrator.
9. Click OK to return to the View or Set ADMIN Properties - Authorize dialog.
10. Click OK to finish.

Chapter 3: Installing Security Administrator

This section contains the following topics:
- What Is Security Administrator? (see page 41)
- Memory Space and Disk Space (see page 42)
- Considerations for New Installations (see page 42)
- Installing Security Administrator (see page 43)
- After the Installation (see page 45)
- Upkeep (see page 49)

What Is Security Administrator?

Security Administrator is a set of eTrust AC graphical user interfaces (GUIs) that you use to manage accessors and resources, audit logs, and security.
Security Administrator is a suite of tools that includes three programs:
- Security Administrator manages hosts, user accounts, groups, and resources. Using X Window System dialogs, Security Administrator integrates the management of the eTrust AC, UNIX, and Windows security environments.
- Seauditx manages and reviews audit logs.
- SecMon monitors security in real time.

Note: Security Administrator is written for UNIX workstations running X Window System, Release 5. It also runs on X terminals, assuming that sufficient resources are available. You may also find that some PC-based X simulators can run Security Administrator. However, because Security Administrator is a color-intensive product, you may need to increase the number of colors available in your X simulator.

Memory Space and Disk Space

eTrust AC is a prerequisite to Security Administrator. If you have already installed eTrust AC, Security Administrator requires no additional memory, but it does require additional disk space. The following table lists disk space by platform:

Platform             Extra Disk Space Required (in MB)
IBM AIX              19
Digital DEC UNIX     10
HP-UX                26
Sun Solaris SPARC    8

Considerations for New Installations

This section gives background information for those who are installing eTrust AC and Security Administrator for the first time.

Designating a Control Center

Before installing Security Administrator for the first time, you must:
- Decide which stations to use as the control center for your security administration team
- Decide which users constitute that team
- Make the control center especially secure

Note: For more information about making the control center secure, see the Administrator Guide.

Workstations Where eTrust AC Is Necessary

The underlying eTrust AC software is necessary not only at the stations where you will install Security Administrator but also at all other stations that eTrust AC manages.
If necessary, install eTrust AC at your control center and the other stations that require protection.

Note: For information about installing eTrust AC, see the Implementation Guide.

Installing Security Administrator

You install Security Administrator only on the stations of your control center; that is, only on the stations where your security administration team manages the identities and permissions of users and user groups.

You can install Security Administrator from a graphical interface on the following platforms:
- IBM AIX
- Digital DEC UNIX
- HP-UX
- Sun Solaris

Before using the graphical installation script, you must have the TCL/TK environment installed, using the following versions:
- TCL: Version 7.6 and later
- TK: Version 4.2 and later

Note: You can run the standard (non-graphical) installation script on all platforms.

To install Security Administrator:
1. If eTrust AC is active, shut it down by entering the following command:
   # eTrustACDir/bin/secons -s
   where eTrustACDir is the directory where you installed eTrust AC, by default /opt/CA/eTrustAccessControl.
2. If necessary, log in as root, or su to root.
3. Change (cd) into the distribution directory (where the installation files are located).
4. Run the standard installation script by entering the following command:
   # ./Unix/Access-Control/install_base -admin
   Follow the instructions that appear on the screen.
   Note: To display a list of options for commands, include the -h option (for example, install_base -h).
5. Choose the directory in which to install the product. The default setting is /opt/CA/eTrustAccessControl.
6. Choose the group owner of the products you will install. The default is root.
7. Select which products to install (Security Administrator, Seauditx, and SecMon). You can install Security Administrator without installing Seauditx or SecMon.
8. Select the security environments that Security Administrator will support:
9. If you select Windows support, you must then provide a Windows station where the eTrust AC auditing daemon is running. Subsequently, each time you invoke Security Administrator, you can either use Windows support (provided that you are a Windows administrator) or hide its support. If you do not have eTrust AC for Windows or Audit Director, do not choose Windows support. If you decide to do without Windows support now, but want to receive it in the future, you must reinstall Security Administrator.
   If you are installing SecMon, you must specify the port to which audit information is routed. You can leave this field empty for the default port.
   The executable files are now installed. If you are installing from the graphical interface, the dialog displays the progress of each product you selected for installation.
10. If you are upgrading Security Administrator, indicate whether you want to reestablish your host database. (Because Security Administrator uses a new file to describe hosts, installing this version in place of previous Security Administrator versions reinitializes your list of hosts to include only the local host.) If you decide to restore your list of hosts, the old files are saved in a backup directory and a new host database is generated from the old files. If you do not choose to reestablish the old host database, the new database includes only the local host.
   The host database path, eTrustACDir/data/seam/hosts, is where Security Administrator stores information for itself about your hosts and host groups.
11. Start or restart eTrust AC by entering the following command:
   # eTrustACDir/bin/seosd
   where eTrustACDir is the directory where you installed eTrust AC, by default /opt/CA/eTrustAccessControl.
After the Installation

After installing Security Administrator, perform the following tasks:
- Review the Security Administrator configuration (all installations)
- Reestablish your host database (upgraded installations)
- Create a secure environment on the stations of your control center (new installations)

Reviewing Security Administrator Configuration (All Installations)

This step is optional because eTrust AC works well with its default configuration values. You do not need to change configuration values immediately. Nevertheless, it is good to learn about the configuration file as soon as you can, so that you can adjust it for best operation. For more information, see Specifying Preferences in the chapter “Setting Security Administrator Options.” This step is necessary only for Security Administrator, not for SecMon or Seauditx.

Note: You can also make changes by changing the token values in the Security Administrator configuration file seam.ini. Security Administrator tokens control various aspects of how Security Administrator operates. For more information, see the appendix “seam.ini and UNIX Exits.”

Reestablishing Your Host Database (Upgraded Installations)

If you are upgrading from a previous version of eTrust AC and your network uses PMDBs (Policy Model databases), you should update it bottom-up (subscribers first) so that at any given moment no version 2 PMDB has any version 1 subscribers. Version 1 PMDBs, however, can have version 2 subscribers.

The Security Administrator host database consists of two files:
- hosts_info.dat
- hosts_tree.dat

1. Add hosts to the hosts_info.dat file using the following format:
   For UNIX: hostname:3:comment:cellname
   For Windows: hostname:65:comment:*
2. Add hosts to the hosts_tree.dat file, formatted like the following example:
   ROOT: 0
   GROUP_1 : 1
   HOST_11 : 2
   HOST_12 : 2
   GROUP_2 : 1
   HOST_21 : 2
   HOST_22 : 2
   Each row contains a group name or host name, followed by a colon and a level number. Each row with a nonzero level number (n) describes a subnode of the nearest preceding row that has the preceding level number (n-1). For example, in the lines shown in the example, ROOT is the highest node in the tree, the parent of all subdirectories, and is at level 0. GROUP_1 and GROUP_2 are both children of ROOT, so they are at level 1. HOST_11 and HOST_12 are children of GROUP_1, so they occupy the next level down, level 2.

For more information about upgrading eTrust AC, see the Implementation Guide.

Creating a Secure Environment (New Installations)

If your installation of Security Administrator is new, you can create a secure environment by performing the following tasks on each station that Security Administrator will manage. This procedure requires the ADMIN attribute. If you are already familiar with eTrust AC, use eTrust AC to perform the following steps in whatever way you want. If you are not familiar with eTrust AC, follow the detailed steps later in this section. The tasks to perform are:
1. Give the ADMIN attribute to each member of the security administration team.
2. Define the terminals of the control center with “nobody” as owner.
3. From each control center terminal, give the security administration team read and write access to the station it will manage. (If you want, define a user group and a terminal group. For guidance with groups, see the Administrator Guide.)

Detailed Steps

If you are not yet familiar with eTrust AC, follow these more detailed instructions on each station that Security Administrator will manage.
If you are using groups, you will occasionally need to vary the commands, for example, by using chgrp (“change group”) instead of chusr (“change user”) and GTERMINAL (“group of terminals”) instead of TERMINAL.

1. Log in as a user with the ADMIN attribute or, if you have not yet given the ADMIN attribute to any user at your site, log in as root and give yourself the ADMIN attribute. For guidance, see Getting Started. Giving the ADMIN attribute to a user permits that user to perform most administrative tasks.

2. To receive the prompt for entering eTrust AC commands, enter the eTrustACDir/bin/selang command if eTrust AC is already active, or eTrustACDir/bin/selang -l if eTrust AC is not active (where eTrustACDir is the directory where you installed eTrust AC, by default /opt/CA/eTrustAccessControl). The command prompt eTrustAC> should appear.

3. Define all members of the security administration team as users with the ADMIN attribute. If a user does not yet exist in eTrust AC, create the user with the ADMIN attribute using the newusr command. If the user already exists, use chusr. The following example uses newusr for an administrator named Spinelli:

   eTrustAC> newusr Spinelli ADMIN

4. Define each station in the control center as a TERMINAL object with default read and write access and nobody as owner. Use newres for a station not yet defined to eTrust AC, or chres for a station already defined. The following example uses newres for a terminal named EastWing:

   eTrustAC> newres TERMINAL EastWing defaccess(read,write) owner(nobody)

   The name “nobody” has a special meaning as a user name in eTrust AC: the eTrust AC user “nobody” can never log in to the system. Thus, at this stage, no one working from the control center station can use eTrust AC to manipulate permissions at the station you are setting up. In the next step, you define the security administration team as exceptions that can do so.

   (If you have defined a group of terminals, use GTERMINAL rather than TERMINAL in the newres or chres command.)

5. Having specified that no one working from the control center station can use eTrust AC to manipulate permissions at the station you are setting up, you must now define the security administration team as exceptions. Provided that the team works from the control center, you must explicitly allow it to use eTrust AC to manipulate permissions at the station you are setting up. For each member of the security administration team, enter the following command once for each control center station that the member may use to modify the eTrust AC database of your current station:

   eTrustAC> authorize TERMINAL stationName uid(secadmusr) access(read,write)

   where stationName is the name of the control center station and secadmusr is the name of the member of the security administration team. (If you have defined a group of terminals, use GTERMINAL rather than TERMINAL. If you have defined a group of administrators, use gid rather than uid.)

Performing the preceding steps on each station that the security administration team will manage sets up an environment in which only security administration team members can manage all those stations, and only from the control center.

Upkeep

Whenever a new user joins the administrative team, give the new administrator the necessary permissions, either individually or by adding the new administrator to a group of administrators that you have defined. Similarly, whenever a new host station needs protection by the administrative team, make the appropriate definitions at the new host. See Creating a Secure Environment in this chapter.
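The following script is an added example; it is not part of this guide and not eTrust AC code. It reads the two host database files described under Reestablishing Your Host Database (hosts_info.dat and hosts_tree.dat), rejects rows that violate the level rule or the record format, and then, for each UNIX host it finds, prints the selang commands of the preceding Detailed Steps for a given administration team and set of control center stations. The selang command syntax is exactly what the steps above show; the host, administrator and terminal names are constructed sample data, and skipping Windows hosts and the GTERMINAL/gid group variants are this example's own assumptions.

```python
"""Added example, not code from the eTrust AC documentation or product.
Parses the Security Administrator host database files (hosts_info.dat and
hosts_tree.dat) and, for each UNIX host found, emits the selang commands of
the Creating a Secure Environment procedure.  All names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed hosts_info.dat: hostname:type:comment:cellname
# (type 3 = UNIX with a cell name; type 65 = Windows with "*").
SAMPLE_HOSTS_INFO = """\
HOST_11:3:build server:cell_a
HOST_12:3:database server:cell_a
HOST_21:65:file server:*
HOST_22:3:web server:cell_b
"""

# Constructed hosts_tree.dat in the "name : level" format described above.
SAMPLE_HOSTS_TREE = """\
ROOT : 0
GROUP_1 : 1
HOST_11 : 2
HOST_12 : 2
GROUP_2 : 1
HOST_21 : 2
HOST_22 : 2
"""


@dataclass
class Node:
    name: str
    level: int
    children: List["Node"] = field(default_factory=list)


def parse_hosts_info(text: str) -> Dict[str, Dict[str, str]]:
    """Map host name -> {os, comment, cell}; reject records that are not
    exactly four colon-separated fields with a known type code."""
    hosts: Dict[str, Dict[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 4 or fields[1] not in ("3", "65"):
            raise ValueError(f"hosts_info.dat line {lineno}: bad record {line!r}")
        name, kind, comment, cell = fields
        hosts[name] = {"os": "UNIX" if kind == "3" else "Windows",
                       "comment": comment, "cell": cell}
    return hosts


def parse_hosts_tree(text: str) -> Node:
    """A row at level n is a child of the nearest preceding row at level n-1.
    A row that skips a level, or a second level-0 row, is an error."""
    root = None
    stack: List[Node] = []  # stack[i] = most recent row seen at level i
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, level = line.partition(":")
        if not sep or not level.strip().isdigit():
            raise ValueError(f"hosts_tree.dat line {lineno}: expected 'name : level'")
        node = Node(name.strip(), int(level))
        if node.level == 0:
            if root is not None:
                raise ValueError(f"hosts_tree.dat line {lineno}: second level-0 row")
            root, stack = node, [node]
            continue
        if root is None or node.level > len(stack):
            raise ValueError(f"hosts_tree.dat line {lineno}: level {node.level} "
                             f"has no preceding level {node.level - 1} row")
        del stack[node.level:]  # discard deeper rows; stack[-1] is now the parent
        stack[-1].children.append(node)
        stack.append(node)
    if root is None:
        raise ValueError("hosts_tree.dat: no level-0 row")
    return root


def secure_environment_commands(admins: List[str], control_center: List[str],
                                new_users: bool = True, new_terminals: bool = True) -> List[str]:
    """selang for one managed station, as in the detailed steps: ADMIN users
    (newusr, or chusr if they already exist), control-center TERMINALs owned
    by nobody (newres, or chres), then one authorize per admin x station."""
    cmds = [f"{'newusr' if new_users else 'chusr'} {a} ADMIN" for a in admins]
    cmds += [f"{'newres' if new_terminals else 'chres'} TERMINAL {t} "
             f"defaccess(read,write) owner(nobody)" for t in control_center]
    cmds += [f"authorize TERMINAL {t} uid({a}) access(read,write)"
             for a in admins for t in control_center]
    return cmds


if __name__ == "__main__":
    info = parse_hosts_info(SAMPLE_HOSTS_INFO)
    tree = parse_hosts_tree(SAMPLE_HOSTS_TREE)
    print("groups under", tree.name, [c.name for c in tree.children])
    for station, rec in info.items():
        if rec["os"] == "UNIX":  # assumption: the procedure is run on UNIX stations only
            print(f"# enter at the eTrustAC> prompt on {station}:")
            print("\n".join(secure_environment_commands(["Spinelli"], ["EastWing"])))
```

The tree parser keeps a stack of the most recent row at each level, so a row whose level is more than one deeper than anything before it is reported rather than silently attached to the wrong parent; the generator only strings together the commands the procedure shows, once per administrator and control center station, and leaves defining terminal or administrator groups to the Administrator Guide.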
Chapter 4: Security Administrator Basics

This section contains the following topics:

Starting Security Administrator (see page 51)
The Main Window (see page 52)
Using Security Administrator (see page 56)
Workflow (see page 58)
Activity Page (see page 58)
Activity Window (see page 61)
Exiting Security Administrator (see page 63)

Starting Security Administrator

Before starting Security Administrator, perform the following steps:

1. Log in to the system.
2. If the seosd daemon is not running, use the seosd or seload command to start it.
3. If necessary, start the X Window System.
4. Set your terminal display according to the system requirements at your site.

To start Security Administrator, enter the following command:

    eTrustACDir/bin/seam

where eTrustACDir is the directory where you installed eTrust AC, by default /opt/CA/eTrustAccessControl.

Note: If you receive a series of “unknown keysym” warnings the first time you start Security Administrator, your Motif configuration has a possible problem. You can solve it by setting the XNLSPATH environment variable to eTrustACDir/data (where eTrustACDir is the directory where you installed eTrust AC, by default /opt/CA/eTrustAccessControl).

Security and system administrators are defined as ADMIN and are responsible for operating Security Administrator. If you are not defined as ADMIN, an error dialog appears when you start Security Administrator, informing you that you do not have ADMIN status and that most Security Administrator operations are therefore unavailable.

The title screen appears next, accompanied by a few messages reporting progress, followed by the Security Administrator Main window.

The Main Window

When you start Security Administrator, the Main window appears. By default, the Accounts and Hosts pages are displayed.
Use these pages to prepare account transactions by specifying which users, groups of users, and host stations to update, and with what data.

The Main window contains the following sections.

The top section contains a menu bar and a toolbar. It also displays the source database from which Security Administrator extracts the objects that appear in the Main window. Some options in the toolbar and menu bar apply to specific pages and are not available for the other pages.

The middle section contains two pages: Accounts and Resources.
– The Accounts page displays sections for users and groups, where you select the user accounts and user groups to create, query, or update. For more information, see the chapter “Account Administration.”
– The Resources page displays all the resources. For more information, see the chapter “Resource Administration.”

Between the middle and bottom sections, on the right side of the window, is the Resize button, also called the sash button. This button controls the position of the border between the middle and bottom sections and, thus, their relative sizes. Drag it to move the border.

The bottom section contains three pages: Hosts, Activity, and Policy model.
– The Hosts page displays sections for hosts and host groups, where you indicate the databases to update with the new or changed information. For more information, see the chapter “Host Administration.”
– The Activity page displays the status of all transactions executed in Security Administrator during the current session. For more information, see the chapter “Executing, Editing, and Reviewing Transactions.”
– The Policy model page displays the list of PMDB subscribers, which you can add to, and lets you monitor PMDB status. For more information, see the chapter “Policy Model Administration.”

The Menu Bar

The menu bar contains the following menus:

File
    Contains the Exit command, which saves all host and host group information and exits Security Administrator.
Edit
    Contains commands to create, update, query, and manipulate selected objects. It also contains special commands for managing users, groups, and Policy Models.
View
    Determines the display mode of the active page section.
Tools
    Includes commands to configure the eTrust AC password policy and user account protection, run the eTrust AC audit utility (seauditx), and set Security Administrator preferences.
Activity
    Shows or hides the Activity window during transactions.

Note: Not all menu items are available for all pages or selected items (users, hosts, and so on). When not available, menu items are dimmed.

The Toolbar

The available toolbar buttons are:

Source
    Changes the source database for the top pages.
Refresh
    Updates the active Security Administrator page section. When data changes, the background of this button blinks red to indicate that you should refresh the display.
Filter
    Determines which accessor, resource, or host (depending on which page is active) to display or perform a transaction on.
Create
    Creates a resource, host, and so on in the active page.
Delete
    Deletes the selected resource, host, and so on.
Update
    Updates information about a selected resource, host, and so on.
Copy
    Copies the selected accessor, resource, host, and so on.
Query
    Shows information about the selected accessor, resource, host, and so on.
Screen Locker
    Locks your screen if you must be away from the terminal (for more information, see Screen Locker in this chapter).
Audit
    Opens the seauditx utility window (see the chapter “The Audit Browser: seauditx”).
Password Rules
    Displays the eTrust AC password policy settings so that you can view and modify them.
Audit Log Routing
    Displays the log routing configuration settings in the file selogrd.cfg so that you can view and modify them.

Note: Not all toolbar buttons are available for all pages or selected items (users, hosts, and so on). When not available, toolbar buttons are dimmed.

Screen Locker

The Screen Locker option automatically protects your station or X terminal if you are away from your work area for any length of time. To activate or deactivate the option, choose Screen Locker from the Tools menu, or click the Screen Locker button at the top of the window. The Selock Parameters dialog opens. This dialog lets you specify the length of idle time before the screen locks. The default value is 10 minutes.

When the screen locks, Screen Locker displays a moving eTrust AC logo on a black background. When Screen Locker detects any user activity (use of the keyboard or mouse), a dialog prompting for your password appears. When Screen Locker receives the correct password, it unlocks the screen. If it receives an incorrect password, the screen remains locked.

To activate screen locking, select the Activate button and click OK. To deactivate the option, deselect the Activate button and click OK.

Using Security Administrator

To perform an operation or transaction, you must first select the appropriate page. For example, to add a host to a host group, click the Hosts tab. Each page can display information in the form of directory trees, icons, lists, or tables. Use the View menu to select the display format for the current page. Select and deselect objects by clicking their names (selected objects appear highlighted).

Performing Actions

To create, delete, update, or perform other actions that manipulate information, you can use one of several methods:

– Use the pop-up menu that appears when you right-click anywhere in a page, and select one of the commands.
– Select the appropriate command from the menu bar.
– Use the toolbar buttons to select a command.

Using Dialogs

In most cases, when you choose a command, a dialog containing text boxes, options, and buttons opens. Each dialog has the following buttons:

– The OK button approves the command and closes the dialog.
– The Cancel button closes the dialog without approving the command.
– The Apply button, if present, accepts the command without closing the dialog.

Workflow

Here is an overview of the typical Security Administrator workflow. For more detail, see the chapter “Executing, Editing, and Reviewing Transactions.”

1. In the Main window, select the objects your command will manipulate: the particular users, user groups, resources, hosts, and host groups. Then invoke the appropriate command. We recommend that you choose as the source host the host that is the target of the transactions.
2. If a dialog appears, you can further customize your command.
3. Click OK, and the Activity Window (see page 61) appears. From here, you can monitor command progress.
4. To examine results and revise commands, use the Edit menu on the Activity window.
5. After the command runs on all hosts, you can observe the results in the Activity Page (see page 58).

Activity Page

From the Main window, you can view the status of all the transactions performed in Security Administrator by clicking the Activity tab in the lower section of the window. The Activity page lists transaction names, status, and statistics indicating transaction success or failure on one or more hosts.

The columns on the Activity page are:

Activity Window List
    This is a list of transactions. When the icons in the Status column are highlighted, you can view the transactions in greater detail in the Activity window. To open the window, right-click a transaction. For information about the Activity window, see Activity Window in this chapter.
Status
    These icons indicate the success or failure of transactions. The icons are:
    – The check mark shows that Security Administrator performed all transactions on all hosts successfully. While the check mark is green, the transaction history is available for viewing.
    – The X indicates that at least one transaction failed, although others, if any, may have succeeded. While the X is red, the transaction history is available for viewing.
    – An exclamation point indicates that the transaction has been paused. To continue, right-click to open the Activity window and click Apply or Go.
    – A running man indicates that the transaction is in progress.

Host Statistics
    This area shows the result of transactions, their progress, and the number of hosts affected. The columns are:

    Failure
        The number of hosts where the transaction failed.
    Success
        The number of hosts where the transaction was successful.
    Warning
        The number of hosts where a warning was issued.
    Unreachable
        The number of hosts where the transaction failed because Security Administrator was unable to connect to the host.
    Progress
        Transaction execution from 0 to 100 percent.
    Total
        The number of hosts affected by the transaction.

Activity Window

The Activity window lets you monitor details about transactions. You can open the Activity window from the Main window by:

– Choosing Show from the Activity menu.
– Right-clicking a highlighted transaction on the Activity page. A pop-up menu appears with options to display the Activity window if it is closed (Show), close it if it is open (Hide), or delete the transaction.

When the icons for a transaction are no longer highlighted on the Activity page, however, the transaction history is no longer available and you cannot open the Activity window for that transaction.

Fields and Options

The Activity window contains the following items:

Menu Bar
    Contains menus from which you access various Security Administrator commands.
Transaction
    Indicates the command to be processed. If the whole command does not fit in the Activity window, you can display the remainder with the End and Home keys or the left and right arrow keys.
Host List
    Contains the list of hosts where the requested transaction will execute. The host icons are gray before execution, blue during execution, and green after successful execution. If the transaction fails, they are orange or red, depending on the reason for the failure. Click any host name to open the Host Messages/Commands window, where you can edit the commands and retry the transaction. See the chapter “Executing, Editing, and Reviewing Transactions.”
Progress Indicator
    Displays transaction execution from 0 to 100 percent.
Status Bar
    Contains the following indicators:
    Total (white)
        The number of hosts where the transaction will be processed.
    Success (green)
        The number of hosts where the transaction succeeded.
    Warning (yellow)
        The number of hosts where a warning was generated upon completion of the transaction.
    Failed (orange)
        The number of hosts where the transaction failed.
    Unreachable (red)
        The number of hosts that could not be reached.
GO/STOP Button
    Starts execution of the transaction (unless execution starts automatically). During execution, the Go button becomes a Stop button, so that you can stop the transaction before completion.
Close Button
    Closes the Activity window and cancels any transaction in progress. You can temporarily hide the Activity window by clicking the Minimize button at the top right corner of the window. Reopen the Activity window with the Show command from the Activity menu in the Main window.
Help Button
    Displays help information for the Activity window.
Closing the Activity Window

Closing the Activity window makes its transaction unavailable for further viewing, editing, and execution. If you need the transaction again and you have not saved it as text, you must reexecute it from the Main window. See the chapter “Executing, Editing, and Reviewing Transactions.”

Exiting Security Administrator

Closing the Main window ends all Security Administrator processing unless you leave one or more Activity windows open.

1. From the System menu, choose Exit. The Exit SeAM dialog appears.
2. Click Exit to close the Main window only and leave any Activity windows open and usable, or click Exit All to close Security Administrator entirely.

Note: If any Activity windows remain open, all other windows associated with them, such as output message windows, remain open as well.

Chapter 5: Executing, Editing, and Reviewing Transactions

This section contains the following topics:

Executing Transactions (see page 65)
Viewing Transaction Progress (see page 68)
Editing Commands (see page 71)
Retrying Transactions (see page 77)
Viewing Output Messages (see page 78)
Printing Output Messages (see page 81)

Executing Transactions

A Security Administrator transaction is a query or update of specific data in the databases of one or more host stations. An update can involve creating, deleting, or changing a record. Security Administrator gives you one window (the Main window) for preparing transactions and a second window (the Activity window) for managing their execution. Both windows are discussed in detail in the chapter “Security Administrator Basics.”

Use the Main window to prepare transactions. Instructions about the types of transactions you can perform on each page appear in the chapters “Host Administration,” “Account Administration,” and “Resource Administration.” Many transactions have a common pattern, particularly when you want to update a number of users or user groups.
Verifying Commands Before Execution

By default, Security Administrator executes transactions automatically when you click OK or Apply after entering command details. If you want the opportunity to verify commands and edit them before execution, set a preference in Security Administrator before you prepare the transaction. This preference sets the verify option in the seam.ini file.

To set the preference:

1. From the Tools menu in the Main window, choose Options.
2. Click the Activity tab on the Preferences dialog that appears.
3. Select the Verify Before Executing check box, and click OK.

After choosing to verify transactions before running them, you must start transaction execution manually by clicking GO in the Activity window. For information about the Activity window, see the chapter “Security Administrator Basics.” For more information about preferences, see the chapter “Setting Security Administrator Options.”

Selecting a Source Host

Initially, you may want to select a source host other than the default. If the default source host (listed in the seam.ini file) suits your needs, you can skip this step. The source host is the host whose database supplies your list of users.

To select a source host:

1. Click the Source button to open the Source dialog.
2. For eTrust AC, UNIX, and Windows, select the source in any of the following ways:
   – Select Master DB to use the default database from the seam.ini [master_db] section, where you can specify a host name or a PMDB. (If you select Master DB, you cannot use the separate sections in the dialog for eTrust AC, UNIX, and NT.)
   – Click the arrow for any of the Sources (eTrust AC, UNIX, or NT) and choose a host from the drop-down list.
   – Enter a host name in a Source data field. (For eTrust AC, you can enter the name of a host or a PMDB.)
3. Click OK.

For detailed information about hosts, see the chapter “Host Administration.”

Selecting Target Hosts

Select one or more hosts that contain the databases you want to update.

1. In the Hosts page, select the host groups whose members you want to update. When you select a host group, all its members appear highlighted in the Hosts panel.
2. In the Hosts panel, click the hosts to select only those that you want updated.
3. If you want to update the PMDB subscriber databases, click the Policy model tab to open the Policy model page. (For detailed information about PMDBs, see the chapter “Policy Model Administration.”)
4. In the left panel of the Policy model page, select the PMDB from the subscriber tree. When you select a PMDB, all its subscribers appear highlighted in the right panel.
5. If necessary, select the subscribers you want to target in the right panel.

Selecting Users, Groups, or Resources

Select the accounts or resources that you want to update with the command.

1. If you are updating users, select them in the Users panel of the Accounts page. If you are updating user groups, select them in the Groups panel of the Accounts page. If you are updating resources, click the Resources tab to open the Resources page, select the resource category in the left panel, and then select the resources in the right panel.
2. In the same panel (Users, Groups, or Resources), right-click to open the pop-up menu and click the transaction you want to perform. Alternatively, select the transaction from the Edit menu or toolbar.
3. When the dialog opens, select the appropriate options. (For detailed information about the options, see the chapters “Account Administration” and “Resource Administration.”)
4. To perform the transaction and close the dialog, click OK or press Enter.

Note: Some dialogs have an Apply button. Clicking Apply is the same as clicking OK, except that the dialog remains open.
Thus, you can use the same dialog repeatedly without needing to reopen it each time.

Viewing Transaction Progress

After clicking OK in the dialog where you specified command details, you can monitor command progress in the Activity window (see page 61). The transaction either begins after you click OK or remains available for further editing, depending on the verify setting in the seam.ini file. See Verifying Commands Before Execution in this chapter.

At any time, you can select hosts and examine their results or edit their commands. (You do not need to wait for processing to stop.)

Important! If you close the Activity window while Security Administrator is processing a transaction, the processing stops immediately. If you need the transaction again and did not save it as text (see Saving Commands in a File in this chapter), you must rerun it from the Main window.

Monitoring Status

You can use the Activity window to view the status of the transaction.

1. If Verify Before Executing is on, make any necessary edits; see Editing Commands in this chapter. When you are finished, click GO in the Activity window to execute the command.
2. Monitor the command in the various sections of the Activity window.

Activity Window

Host list
    In the Host area, the color of each host button indicates transaction status:
    Blue
        The transaction is currently being attempted at the host.
    Green
        The databases of the host were successfully updated.
    Yellow
        A warning was issued.
    Red
        The transaction did not succeed because the connection failed.
    Orange
        Security Administrator connected to the host, but one or more commands failed during execution.
Progress bar
    The Progress Indicator advances to indicate the percentage of hosts that have been processed.
Status bar
    The counters in the Status area are updated as each host is processed:
    Total
        The number of hosts to be affected by the transaction.
    Success
        The number of hosts where the transaction succeeded.
    Warning
        The number of hosts where warnings were issued. If the transaction includes both warnings and failures, the result is a failed transaction.
    Failed
        The number of hosts with failures because of a command. If a failure occurs at any point in a transaction on a particular host, a failure icon is displayed, although transactions on other hosts may have been successful. This is merely to alert you that a failure occurred.
    Unreachable
        The number of hosts with failures because of a failed connection.

Limiting Hosts

If the Activity window has more hosts than you want to see, you can make it show only the hosts that interest you. You can filter based on transaction status, host name, or both.

Note: Any filter you enter for the Activity window also affects the Transaction Messages window, which lets you view (but not edit) transactions. For more information, see Viewing Output Messages in this chapter.

1. From the View menu, choose Filter. The Filter dialog appears.
2. To filter based on transaction status, select the appropriate check boxes in the Status area. The filters are:
   Before execution
       Displays hosts on which the transaction has not been executed yet.
   Success
       Displays hosts on which the transaction was successful.
   Warning
       Displays hosts where a warning was issued as a result of the transaction.
   Failed
       Displays hosts on which a connection was made, but the transaction failed.
   Unreachable
       Displays hosts on which the transaction failed because of a failure to connect.
3. To filter based on host name, use the Host Names text box. You can use the UNIX wildcard characters: ? for any one character; * for any one or more characters, or none; and [x-y] for any numeric or alphabetic character in the specified range, inclusive. You can specify more than one filter if you separate them with spaces.
4. Click OK. Security Administrator displays only hosts whose names match both the status and host name filters.

Stopping and Restarting Transactions

Security Administrator lets you stop processing temporarily so that you can edit commands.

1. To stop the command temporarily, click STOP. Security Administrator finishes processing the host on which it is currently working but does not continue processing any further. The button label changes from STOP to CONTINUE.
2. To edit commands for hosts that Security Administrator has not yet processed, follow the procedure in Editing Commands for One Host in this chapter. To view output messages without editing commands, follow the procedure in Viewing Output Messages in this chapter.
3. To retry commands that failed, follow the procedure in Retrying Transactions in this chapter.
4. To resume processing, click CONTINUE.

Editing Commands

During command execution, you can stop processing to edit the transaction for hosts where the command has not yet been processed. In addition, you can edit commands before running them if you configure Security Administrator so that commands run after you click GO in the Activity window instead of running automatically. This section has procedures for editing commands for all hosts and for one host at a time.

Note: Security Administrator also provides a way to view command output messages without editing commands. See Viewing Output Messages in this chapter.

Editing Commands for All Hosts

Follow this procedure to edit commands for all hosts at one time. This is called global editing.
Note: If you want to make some identical changes for all hosts (global changes) as well as some changes for individual hosts, make the changes for all hosts first. When you edit globally, changes you made to individual hosts are lost. 1. From the Edit menu in the Activity window, select Edit Commands. The Edit window appears. The Edit window contains two multi-line text areas. If a whole transaction is not visible in these areas, use the scroll bars, left and right arrow keys, or Home and End keys to view all the text. The areas are: Commands Contains the text of the commands that perform the requested transaction. Backout Commands Contains commands for undoing the transaction. The backout commands are performed automatically, in whole or in part, when the transaction stops at an inappropriate point in the execution process. Important! Do not edit lines that start with BT or ET. These lines are used by the backout mechanism to restore the database if certain transactions fail. Also, if you change the commands, make equivalent changes to the backout commands. Otherwise, when you retry the transaction after editing, the backout commands cannot undo any unsuccessful commands. 2. In the Commands area, browse through the commands, and use the mouse and the keyboard to edit them. Drag the resize button (the sash button) vertically if you want to resize the Commands and Backout Commands areas. In the Commands area, the right mouse button displays a pop-up menu with the following commands: Restore original Reverts to the commands as Security Administrator created them, discarding all your editing. Open Opens a file that contains commands, and displays the commands in the Commands area. See Saving Commands in a File in this chapter. 72 User Guide Editing Commands Save Saves commands, including any editing you have done, in a file. If this is the first save for these commands, you specify the name and location for the file. 
     After the first time, Security Administrator saves the commands in the same file. See Saving Commands in a File in this chapter.

   Save As
     Saves the commands, including any editing you have done, in a new file for which you specify a name. See Saving Commands in a File in this chapter.

   Clear window
     Erases the contents of the window.

3. When you have finished editing, click OK to keep the changes you have made.

Editing Commands for One Host

You can choose one host at a time and edit the commands for it alone.

Important! If you want to make global changes for all hosts and changes for individual hosts, do the global changes first. When you edit globally, any changes you made to individual hosts are lost. See Editing Commands for All Hosts in this chapter.

1. Click the host name in the Host area of the Activity window. Security Administrator opens the Host Messages/Commands dialog.

   When you right-click the Output Messages area, a pop-up menu provides the following commands:

   Print
     Prints all messages in the Output Messages area. For more information about printing, see Printing Output Messages in this chapter.

   Clear Window
     Erases the contents of the Output Messages area.

2. Click More. An expanded version of the Host Messages/Commands window appears, showing the commands and backout commands for the host. If you made global changes to the commands, Security Administrator displays the updated commands.

   When you right-click the Commands or Backout Commands areas, a pop-up menu provides the following commands:

   Retry
     Executes the commands in their current form. (Available only in the Commands area.)

   Restore global
     Reverts to the global commands.

   Open
     Opens a file that contains commands, and displays the commands in the Commands area. See Saving Commands in a File in this chapter.

   Save
     Saves commands, including any editing you have done, in a file.
     If this is the first save for these commands, you specify the name and location for the file. After the first time, Security Administrator saves the commands in the same file. See Saving Commands in a File in this chapter.

   Save As
     Saves the commands, including any editing you have done, in a new file for which you specify a name. See Saving Commands in a File in this chapter.

   Clear window
     Erases the contents of the area.

3. Browse through the commands and backout commands (commands for undoing the transactions), using the mouse and keyboard to edit them.

   Important! Do not edit lines that start with BT or ET. These lines are used by the backout mechanism to restore the database if certain transactions fail. Also, if you change the commands, make equivalent changes to the backout commands. Otherwise, when you retry the transaction after editing, the backout commands cannot undo any unsuccessful commands.

4. Drag the resize button (the sash button) vertically if you want to resize the Commands, Backout Commands, and Output Messages areas.
5. If a transaction fails or is only partially successful, you can perform the transaction again, using the Retry command or button.
6. If you want to see the output messages for only the retried transaction, erase the existing output messages by selecting Clear Window from the pop-up menu in the Output Messages area. If you want to rewrite the commands and backout commands completely, erase the current commands and backout commands by selecting Clear Window from the pop-up menu in the Commands and Backout Commands areas.

After you finish, use one of the following buttons at the bottom of the dialog:

Close
  Saves any editing as part of the current transaction and returns you to the Activity window.

Retry
  Executes the commands in their current form. See Retrying Transactions in this chapter.

Less
  Returns you to the original version of the Host Messages/Commands window, which shows only output messages.
Saving Commands in a File

You can save commands in a file and run the commands later. Saving commands is useful when you need to run those same commands more than once.

Note: To open a file that you have already saved, use this same procedure. The only difference is to choose Open in step 2 instead of Save or Save As.

1. Open a window for editing commands:
   – To open the Edit window, choose Edit, Edit Commands in the Activity window.
   – To open the Host Messages/Commands dialog, click a host name in the Host area of the Activity window. Click More to expand the dialog.
2. Right-click in the Commands area, and choose Save or Save As from the pop-up menu that appears. The File Selection dialog opens.
3. Specify a file name by doing one of the following:
   – Enter the full path and file name in the Selection field, and click OK.
   – Use the Directories and Files lists together with the Filter field:
       – Double-click to select directories in the Directories list and files in the Files list. The selections appear in the Filter field. The file name in the Filter field does not change when you click to change directories.
       – Limit the files and directories displayed by entering filters in the Filter field. Use the asterisk (*) wildcard, which signifies zero or more characters.
     After you have selected a path and file name, click the Filter button to make the Selection field match the Filter field.

   Note: While the cursor is in the Filter field, the Enter key works like the Filter button.

Retrying Transactions

If a transaction fails or is only partially successful, you can resubmit it to a host, with or without editing it.

1. Click a host name in the Activity window. The Host Messages/Commands window opens.
2. To edit the transaction, click the More button to display the Commands and Backout Commands areas. Edit the commands.
   (For detailed instructions, see Editing Commands for One Host in this chapter.)
3. To see output messages for only the retried transaction, erase the existing output messages by selecting Clear Window from the pop-up menu in the Output Messages area.
4. Click Retry to resubmit the transaction to the host.

When you close the Host Messages/Commands dialog, your edits are saved as long as the Activity window remains open and no global editing is done there.

Viewing Output Messages

You can view system messages by opening the Transaction Messages window. The messages that appear are either for all hosts involved in the transaction or, if hosts were filtered from the Activity window, for the hosts that remained after filtering. See Limiting Hosts in this chapter. You can also limit hosts while you are reviewing messages, as explained in a following procedure.

Note: You can also view messages, for one host only, from the Host Messages/Commands dialog, which also lets you edit commands. See Editing Commands for One Host in this chapter.

To view transaction messages:

1. If necessary, display the Activity window. In the Activity page, right-click a transaction that is highlighted and choose Show. (If a transaction is not highlighted, its messages are not available and the Activity window does not open.)
2. Choose Edit, Show Output in the Activity window. Messages for one or more hosts appear in the Activity Log area of the Transaction Messages window.

The three menus in the menu bar of the Transaction Messages window are System, Search, and View.

System

Save
  Saves the messages in an existing file.

Save As
  Saves the messages in a new file.

Print
  Prints the contents of the Transaction Messages window. See Printing Output Messages in this chapter.

Print Selection
  Prints a selection of the messages. See Printing Output Messages in this chapter.

Clear Log
  Erases the contents of the Activity Log.
Close
  Closes the window.

Search

Find
  Finds specific words or strings. For more information, see Finding a Word or String in this chapter.

Find Next
  After using Find, Find Next jumps to the next instance of the same string. For more information, see Finding a Word or String in this chapter.

Find Selection
  After you select words or sentences in the Transaction Messages window, Find Selection jumps to the next instance of the same words or sentences. For more information, see Finding a Word or String in this chapter.

View

Filter
  Lets you limit the hosts whose messages appear in the Transaction Messages window. See Filtering Messages by Limiting Hosts in this chapter.

While you are viewing messages, you can also do the following:
– Filter messages by limiting hosts
– Find a word or string in the messages
– Print messages

Filtering Messages by Limiting Hosts

You can filter the messages that appear in the Transaction Messages window by limiting your view to only certain hosts. You can filter by transaction status, host name, or both.

Note: Any filter you enter for the Transaction Messages window also affects the Activity window.

1. If necessary, display the Activity window. In the Activity page, right-click a transaction that is highlighted and choose Show. (If a transaction is not highlighted, its messages are not available and the Activity window does not open.)
2. Display the Transaction Messages window by choosing Edit, Show Output in the Activity window.
3. Choose Filter from the View menu. The Filter dialog appears.
4. To filter based on transaction status, select the appropriate check box in the Status area. The filters are:

   Before execution
     Displays hosts on which the transaction has not been executed yet.

   Success
     Displays hosts on which the transaction was successful.

   Warning
     Displays hosts where a warning was issued as a result of the transaction.
   Failed
     Displays hosts on which connection occurred, but the transaction failed.

   Unreachable
     Displays hosts on which the transaction failed because of a failure to connect.

5. To filter based on host name, use the Host Names text box. You can enter the UNIX wildcard characters: ? for any one character; * for any one or more characters, or none; or [x-y] for any numeric or alphabetic characters in the specified range, inclusive. You can specify more than one filter if you separate them with spaces.
6. Click OK.

Finding a Word or String

You can find a word or a text string in the Activity Log area of the Transaction Messages window.

1. If necessary, display the Activity window. In the Activity page, right-click a transaction that is highlighted and choose Show. (If a transaction is not highlighted, its messages are not available and the Activity window does not open.)
2. Display the Transaction Messages window by choosing Edit, Show Output in the Activity window.
3. Specify the search text using one of these methods:
   – Drag to select text in the Activity Log, and choose Find Selection from the Search menu.
   – Choose Find from the Search menu. In the dialog that appears, enter a word, part of a word, or several words. The search is case-sensitive, so use the right combination of uppercase and lowercase letters. Click OK.
4. Click OK if a dialog appears. This dialog is displayed if the pointer is not at the beginning of the Activity Log and Security Administrator cannot find the requested string between the pointer and the end of the Activity Log.
5. To view the next appearance of the same string, choose Find Next from the Search menu.

Printing Output Messages

You can print the output messages for all hosts or only one host.
Printing Messages from All Hosts

You can print all messages in the Activity Log area of the Transaction Messages window, or just the messages that you select.

1. If necessary, display the Activity window. In the Activity page, right-click a transaction that is highlighted and choose Show. (If a transaction is not highlighted, its messages are not available and the Activity window does not open.)
2. Display the Transaction Messages window by choosing Edit, Show Output in the Activity window.
3. To print all messages, choose Print from the System menu. To print specific messages, drag to select them in the Activity Log area, and choose Print Selection from the System menu. The Print dialog appears, showing the current default print command.
4. If necessary, change the print command, and click OK.

Note: Initially, the default print command is lp. To specify another default printer, choose Tools, Options on the Main window and use the Activity page of the dialog that appears. For more information, see the chapter “Setting Security Administrator Options.”

Printing Messages from One Host

To print all output messages from one host:

1. If necessary, display the Activity window. In the Activity page, right-click a transaction that is highlighted and choose Show. (If a transaction is not highlighted, its messages are not available and the Activity window does not open.)
2. In the Activity window, click the host name. The Host Messages/Commands dialog appears.
3. Right-click inside the Output Messages area. A pop-up menu appears.
4. Choose Print. Security Administrator sends the messages to the printer. All the messages are printed, even though they may not be visible without scrolling.
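As an added illustration, not part of this guide and not Security Administrator's own code, the following Python models the two host filters described in Limiting Hosts and Filtering Messages by Limiting Hosts: the Status check boxes and the space-separated UNIX wildcard filters (?, *, [x-y]) typed into the Host Names box; the same wildcard syntax is used by the host and user Select, Deselect, and Filter commands in the next two chapters. It assumes whole-name, case-sensitive matching, assumes that leaving every status box unselected imposes no status restriction, and runs on a constructed host list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Transaction statuses offered by the Status area of the Filter dialog.
STATUSES = ("Before execution", "Success", "Warning", "Failed", "Unreachable")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one UNIX-style filter into an anchored regular expression.

    ?     matches exactly one character
    *     matches one or more characters, or none
    [x-y] matches one character in the inclusive range (or set) given
    Everything else is matched literally. Whole-name, case-sensitive
    matching is an assumption; the guide does not spell out either point.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        elif ch == "[":
            end = pattern.find("]", i + 1)
            body = pattern[i + 1:end] if end != -1 else ""
            if body:
                # Keep '-' so ranges work; escape anything else regex-special.
                cls = "".join("-" if c == "-" else re.escape(c) for c in body)
                parts.append("[" + cls + "]")
                i = end
            else:
                parts.append(re.escape(ch))  # '[]' or an unterminated '[' is literal
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches_any(name: str, filter_text: str) -> bool:
    """True if `name` matches at least one of the space-separated filters.

    An empty Host Names box imposes no name restriction (assumption).
    """
    filters = filter_text.split()
    return not filters or any(wildcard_to_regex(f).match(name) for f in filters)


@dataclass(frozen=True)
class HostEntry:
    name: str
    status: str  # one of STATUSES


def filter_hosts(hosts: Iterable[HostEntry], selected_statuses: Set[str],
                 host_name_filter: str) -> List[str]:
    """Return the host names the Activity window would keep.

    A host is shown only if its status check box is selected AND its name
    matches a Host Names filter. An empty status set is taken to mean
    "no status restriction" (assumption: the guide does not cover that case).
    """
    unknown = set(selected_statuses) - set(STATUSES)
    if unknown:
        raise ValueError(f"unknown status filter(s): {sorted(unknown)}")
    return [
        h.name
        for h in hosts
        if (not selected_statuses or h.status in selected_statuses)
        and matches_any(h.name, host_name_filter)
    ]


# Constructed sample data standing in for one transaction's host list.
SAMPLE_HOSTS = [
    HostEntry("web01", "Success"),
    HostEntry("web02", "Failed"),
    HostEntry("web10", "Success"),
    HostEntry("db1", "Unreachable"),
    HostEntry("db2", "Success"),
    HostEntry("app-a", "Warning"),
    HostEntry("app-b", "Before execution"),
]

if __name__ == "__main__":
    # Hosts that still need attention: failed or unreachable, any name.
    print(filter_hosts(SAMPLE_HOSTS, {"Failed", "Unreachable"}, ""))
    # Successful hosts named "web0" followed by exactly one character.
    print(filter_hosts(SAMPLE_HOSTS, {"Success"}, "web0?"))
    # Two filters at once, no status restriction.
    print(filter_hosts(SAMPLE_HOSTS, set(), "web* db[1-2]"))
```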
Chapter 6: Host Administration

This section contains the following topics:
  The Hosts Page (see page 83)
  Host Groups (see page 84)
  Hosts (see page 87)

The Hosts Page

When you invoke Security Administrator, the Main window appears. By default, the Hosts page appears. Use this page to choose which hosts or groups of hosts to update and with what data.

Host Groups

At a large site, you must often implement the same transaction on many hosts at once. When certain hosts are repeatedly treated the same way, it is often convenient to define them as a host group. A host group is simply a list of hosts that can be handled as a single unit.

In the Host Groups section in the bottom left quadrant of the Main window, you can create, select, and delete host groups. The host group named ALL, containing all the hosts that Security Administrator knows of, is always available.

Creating a New Host Group

To create a new host group for your own convenience:

1. Use the Edit pull-down menu, toolbar, or pop-up menu to choose Create. The Create Host Group dialog appears.
2. Enter the name for the new host group in the Group Name text box, and click OK to create the new host group and close the dialog. Security Administrator adds the new host group to the Host Groups list.

Adding Hosts to Host Groups

To add, or connect, hosts to one or more host groups:

1. In the Host page, select the host groups to which you want to connect hosts. For example, to add members to the group Demo_1, click its host group name or folder.
2. Right-click in the Host group panel to open the pop-up menu, and then click Members. A dialog appears. The Members list on the right shows all the hosts that are currently in the group. In this example, there are none, because Demo_1 is a new group.
3. Select and deselect hosts by clicking their names.
4. Click Add to connect the selected hosts to the selected host groups.
   To remove members from the Members list, select their names and click Remove.
5. Click OK to connect the selected hosts to the selected host group and close the dialog.

Removing Hosts from Host Groups

To remove hosts from one or more host groups:

1. In the Host page, select the host groups from which you want to disconnect hosts. For example, to remove members from the Demo_1 group, click its name or folder icon.
2. Right-click in the Host group panel to open the pop-up menu, and then click Members. A dialog appears. The Members list shows all the hosts that are currently in the host group.
3. Select and deselect hosts by clicking their names, and click Remove.
4. Click OK to disconnect the selected hosts from the selected host group and close the dialog.

Deleting a Host Group

To delete a host group from your Security Administrator configuration:

1. In the host group panel, select the host group you want to delete.

   Note: You cannot delete the ALL host group, which includes all the hosts known to Security Administrator.

2. Click Edit, Delete. The Delete Host Group dialog appears.
3. Click OK. The dialog closes and the selected host groups no longer exist.

Note: The hosts themselves still exist; Security Administrator removes only the host group that allowed you to manipulate them jointly.

Hosts

When you select a host group, all its member hosts in the host panel are automatically selected. Even if a host is a member of more than one selected host group, it appears in the host panel only once. This section describes the procedures available for the Hosts panel.

Creating a Host

To register a new host in your Security Administrator configuration:

1. In the List of Host Groups panel, select the host groups that will include the new host. The ALL host group will in any case include your new host. If you do not want your new host in any other host groups, select only ALL.
2. Click in the List of Hosts panel to select it.
3. Click Edit, Create. The Create Host dialog appears.
4. In the General page, do the following:
   a. In the Host Name text box, enter a name for the new host.
   b. In the Host Type section, click the radio button that indicates the host environment. Note that depending on the system configuration, some of these options may not be available.
   c. In the bottom section, enter a comment if you wish.
5. In the middle of the Membership page, a list shows all of the host groups selected when you invoked the command. You can click in the list to deselect and reselect host groups to include the new host.
6. Click OK to register the new host as specified and to close the dialog. Alternatively, click Apply to register it and leave the dialog open for further work.
7. Later, if you need to, you can use the Update command to change the host's type or comment, and you can use the Members option on the host-group pop-up menu to change its assignment to host groups.

Selecting and Deselecting Hosts

You can select and deselect hosts in the Hosts section of the Main window. To select or deselect a single host, simply click the name of the host in the host list. The host name switches between selected (highlighted) and unselected.

To select or deselect hosts according to a wildcard pattern:

1. Use the Edit main menu or the pop-up menu to choose Select or Deselect. The Select Hosts or Deselect Hosts dialog appears.
2. Click inside the text box and type the filter that determines which of the hosts in the host list to select or deselect. You can use the UNIX wildcard characters: ? for any one character; * for any one or more characters, or none; or [x-y] for any numeric or alphabetic characters in the specified range, inclusive. You can specify more than one filter if you separate them with spaces.
3. Click OK to select or deselect the hosts whose names match the specified filters.
   Other hosts remain selected or deselected, as they were.

Limiting the Display of Host Names

You can limit the display of host names to those that are selected or to those that match a specified filter.

To display only the selected host names:

1. Move the pointer to any location in the host list and open the pop-up menu.
2. Choose Selected from the pop-up menu. All unselected host names disappear from the host list.

To filter the host names according to a wildcard specification:

1. Use the Edit main menu, toolbar, or pop-up menu to choose Filter. The Hosts Filter dialog appears.
2. Click inside the text box and type the filter that determines which of the hosts in the selected host groups will appear in the host list. You can use the UNIX wildcard characters: ? for any one character; * for any one or more characters, or none; or [x-y] for any numeric or alphabetic characters in the specified range, inclusive. You can specify more than one filter if you separate them with spaces.
3. Click OK. Hosts that do not match the specified filters are removed from the host list.

To cancel both limitations:

1. Move the pointer to any location in the hosts display.
2. Choose Deselect from the pop-up menu.

Updating a Host

To change the characteristics of a host, use the pop-up menu or the Edit menu and choose the Update command described here. The Update command operates only on the first selected host in the Main window.

Note: You cannot change the name of a host.

To update a host:

1. In the List of Hosts panel, select the host that you want to update. Deselect any selected hosts that you do not want to update.
2. Click Update from the Host menu, toolbar, or pop-up menu. The Host Properties dialog appears. At the top of the dialog is the host name. It appears dimmed because you cannot change it.
3. In the General page:
   a. Indicate a change in the host environment by clicking the appropriate radio button.
   b. In the Comment box, write or update a comment if you wish.
4. The Membership page displays the host's groups. You cannot change the host's assignment to host groups from here; to do so, use the Members command (see Adding Hosts to Host Groups and Removing Hosts from Host Groups in this chapter).
5. Click OK to update the host as specified and close the dialog.

Note: To assign hosts to host groups, use the host group Member commands, either through the pop-up menu or through the main Edit menu. See Adding Hosts to Host Groups earlier in this chapter.

Deleting Hosts from the Database

To delete one or more hosts from your Security Administrator configuration:

1. In the List Display of Hosts panel, select the hosts that you want to delete.
2. Click Delete in the Edit main menu, toolbar, or pop-up menu. The Delete Host(s) dialog appears. The list box shows all the hosts that you selected when you invoked the command. You can deselect and reselect hosts by clicking their names.
3. Click OK. The dialog closes and the hosts are removed from the database.

Chapter 7: Account Administration

This section contains the following topics:
  The Main Window (see page 91)
  Users (see page 92)
  User Groups (see page 105)

The Main Window

When you invoke Security Administrator, the Main Window appears, showing the Accounts page by default. Use the Accounts page to prepare account transactions by specifying which users, which groups of users, and which host stations are to be updated and with what data.

Users

In the Accounts page, the User section contains the list of users and their security environments. Names may come from an eTrust AC source host or from an eTrust AC Policy Model database (PMDB). A PMDB is a database that applies to more than one host; for details, see the Administrator Guide. To complete any user transaction, you must select a host (from the Hosts section at the bottom) where the transaction will be applied.
Filtering the List of Users

You can base the list of users on the Accounts page on whatever database you want. See Specifying Preferences in the chapter “Security Administrator Basics” for instructions on choosing a source host. Then you can apply a filter, if you want, to limit the names displayed.

To show fewer than all the users from the source database:

1. Choose Edit, Filter. The Filter User dialog appears.
2. In the text box, specify the mask or filter to be used as a criterion for displaying user names. Only those user names that match the specified filter appear in the User list. You can use the UNIX wildcard characters: ? for any one character; * for any one or more characters, or none; or [x-y] for any numeric or alphabetic characters in the specified range, inclusive. To specify more than one filter, separate them with spaces.
3. To apply the filter mask in one or more environments, select the appropriate check boxes.
4. Click OK. Security Administrator closes the dialog, reads the databases of the source host, updates the user list, and displays the name of the source host at the top.

Creating a New User

To create a new user on one or more hosts:

1. In the Hosts section of the Hosts page, select the hosts where the user is to be created, and deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or some other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.
2. Choose Edit, Create. The Create User dialog appears.
3. Enter the user name.
4. If you want the new user to have the same values as a user who already exists in the database, choose File, Load User. The Load User dialog appears. Select the name of the user whose values you want to copy, and click OK. All the values of the other user now appear in the Create User dialog.

   Note: You can also copy properties to a new user by loading a template.
   See Using Templates to Copy User Properties in this chapter.

5. To select or deselect an environment, click it in the top right section of the dialog. By default, the user is defined on all environments controlled by Security Administrator. If you customized APPL, an APPL button also appears in the top right section of the property editor. For more information about how to customize the APPL, see UNIX Exits in the appendix “seam.ini and UNIX Exits.”
6. Change the user properties to the desired values. If you selected Load User, change any values for the new user that are not the same as for the old user. Use the tabs to view properties on different pages. For a description of user properties, see the appendix “User and Group Properties.”

   If property editor synch mode is on, and you are creating the user in more than one environment, fields that should contain identical data receive identical data automatically. (See Preference Dialog Settings in the chapter “Setting Security Administrator Options.”)

   If you specify a new password in the property editor, that password is good for one usage only. Once logged in with the new password, the user should specify a different password for future use.

7. Click OK to create the user and close the dialog. Or, to create the user but leave the dialog open, so that you can immediately create another user, click Apply. You can monitor progress in the Activity Window or page. For details, see the chapter “Editing, Executing, and Reviewing Transactions.”
8. To view the new user, click the Refresh button on the toolbar.

Using Templates to Copy User Properties

If you want to base new users on a set of preselected properties (which are editable), you can save a set of values as a template. Reload the template at any time, instead of specifying properties one by one. In fact, each time you click Create to start defining a new user, Security Administrator loads the default template.
Templates are stored as *.USER files in the directory eTrustACDir/data/seam/defaults (where eTrustACDir is the directory where you installed eTrust AC, by default /opt/CA/eTrustAccessControl). You have no reason to view or edit those files; just be sure not to delete them.

Creating a Template

To create a template:

1. Fill the property editor with the data for the template by creating or modifying a user.
2. In the Create User window, choose File, Save As Template.
3. In the Save As Template dialog, enter a name for the template. If you want to overwrite an existing template, you can search for the name of the template using the Browse key.

Loading a Template

To load a template at any time during your work with the property editor:

1. In the Create User window, choose File, Load Template.
2. In the Load Template dialog, specify an existing template by entering or clicking its name.

After loading a template, you can edit it and save the data as a user or a template.

Refreshing the User List

Security Administrator does not automatically refresh the user list when you create or delete a user. Instead, it highlights the Refresh button to indicate that the displayed User list is outdated. When you click the Refresh button, users are added to the list or deleted from it as appropriate.

Selecting and Deselecting Users with Wildcards

You can select and deselect users in the Users section of the Main window by simply clicking their names. Security Administrator, however, also provides a more powerful way to select and deselect: wildcards.

To select or deselect users according to a wildcard pattern:

1. Choose Select or Deselect from the pop-up menu. The Select User or Deselect User dialog appears.
2. Click inside the text box and enter a filter. You can use the UNIX wildcard characters: ? for any one character; * for any one or more characters, or none; or [x-y] for any numeric or alphabetic characters in the specified range, inclusive.
   You can specify more than one filter if you separate them with spaces.
3. Click OK. The users whose names match the specified filter are selected or deselected. Other users remain selected or deselected, as they were.

Viewing User Properties

Asking to view the properties of a user is called querying the user. To query one or more users on one or more hosts:

1. If you wish, select Remove Host on Failure (Query). This automatically reduces the list of host names, when the query is executed later, to only those that contain the specified users. (For details, see Preference Dialog Settings in the chapter “Setting Security Administrator Options.”)
2. To query the user at fewer than all hosts, click the Hosts section to select the hosts where the user is to be queried and to deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or some other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.
3. In the User section, select the users that are to be queried and deselect all other user names. If the users that you want are not visible, use the Source button or the Filter command from the pop-up menu.
4. Choose Edit, Query. The Query User dialog appears, listing the users that you selected in the Main window.
5. Use the dialog as follows:
   – To query the user at all hosts, select the ALL button. Otherwise, the user is queried only at the hosts that are selected in the Main Window.
   – To deselect and reselect users for querying, click the list at the left.
   – To query one additional user that does not appear in the list, enter the user name in the text box under the list of users.
   – To select environments where the users should be queried, toggle the appropriate check boxes in the Environment area. By default, the users are queried in all environments controlled by Security Administrator.
6. Click OK.
You can check progress in the Activity window or page. For details about using the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Modifying User Properties

The Update command lets you change user properties in all environments that include the user. The Edit command lets you not only change properties but also create users with the same properties in environments where they do not currently exist. This procedure shows both commands.
1. In the Hosts section, select the hosts where the user is to be changed and deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or other host groups. The host group ALL includes all the hosts that Security Administrator knows of.
2. In the User section, do one of the following:
   - If you are updating properties only, select one user.
   - If you are updating properties and creating users in environments where they do not exist, select one or more users.
   If a user that you want is not visible, use the Source button or the Filter command from the pop-up menu.
3. To modify only properties, choose Edit, Update. The property editor appears, displaying the present properties. (If properties are in the APPL section, you need a utility to reload their values. See UNIX Exits in the appendix “seam.ini and UNIX Exits.”) The user name is dimmed because you cannot change it. Note: If you specify a new password in the property editor, that password is valid for only one login. Once logged in with the new password, the user should set a different password for future use.
4. To modify properties and create users in environments where they do not exist, use the Edit menu, the toolbar, or the pop-up menu to choose Edit. The Edit User dialog appears. You can add users that you would like to edit but have not already selected. You can also add users that do not yet exist, because the Edit command creates users that do not exist.
5. To select or deselect an environment that includes the user, click it in the top right section of the property editor. (By default, users are updated in all environments where they exist. In addition, if you chose Edit, users are also created in all environments where they do not exist.) Note: If you see a Browse button to the right of the Comment field near the top of the eTrust AC section, the seam.ini file has been used to replace the Comment field with user fields. The user fields appear in a separate dialog, which you can open by clicking the Browse button. In that case the Comment field is read-only and can be edited only through the Browse dialog.
6. Change the user properties to the desired values. Use the tabs to view properties on different pages. For a description of user properties, see the appendix “User and Group Properties.” If property editor synch mode is on, and you are updating or creating the user in more than one environment, fields that should contain identical data receive identical data automatically. (See Preference Dialog Settings in the chapter “Setting Security Administrator Options.”)
7. Click OK. You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Changing Passwords

You can use the property editor to change a user password, but if the password is all you want to change, the separate Password command is more convenient. Like a new password from the property editor, a new password from the Password command is valid for only one login. Once logged in with the new password, the user should set a different password for future use.
1. In the User panel, select the user whose password is to change. Select only one user. If the user that you want is not visible, use the Source button or the Filter command from the pop-up menu.
2. In the User panel, choose Edit, Password. The Change Password dialog appears.
3. Select the environments where the password is to change. Normally, select all environments every time you change a password. If you select UNIX or NT (Windows) but not eTrust AC, the password is updated, but the user's password history in eTrust AC is not. If you select eTrust AC but not UNIX or NT (Windows), the user's password is not changed, but the password history in eTrust AC is updated. Either partial change leaves the eTrust AC password history out of step with the password actually in use, which is why selecting all environments is the normal practice.
4. Click the ALL radio button to make the change apply to all hosts, unless you have a special reason to apply the change only to the hosts selected in the Main window.
5. Check that the password policy is correct, and then change the password according to that policy, using one of the following modes:
   - Hidden: Enter the password in the New box, and then in the Confirm box. Security Administrator displays asterisks (*) in the boxes; it does not display what you type.
   - Clear (without Generate): Enter the password in the New box. You can see what you have typed; review it visually to make sure that the password is correct. There is no need to use the Confirm box.
   - Clear and Generate: With Clear selected, click Generate. Security Administrator generates the password and displays it in the New text box. Security Administrator generates the password randomly, unless you specified a password generator of your own. (For details about how to specify a password generator, see The Password Generation Utility in the appendix “seam.ini and UNIX Exits.”)
6. Click OK. You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Suspending and Resuming Users

To suspend one or more users, thereby temporarily or indefinitely halting their permission to log in on one or more hosts:
1. In the Hosts section, select the hosts where the user is to be suspended and deselect all other hosts.
If the hosts that you want are not visible, make them visible by selecting the ALL group or other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.
2. In the User section, select the users who are to be suspended. If the users are not all visible, use the Source button or the Filter command from the pop-up menu.
3. Choose Suspend from the Edit menu or the pop-up menu. The Suspend User dialog appears. If you wish, click users in the list to deselect and reselect the users that were selected when you invoked the command. At the bottom of the list, you can type one additional user to be selected.
4. Specify the date and time for the start of the suspension. The default is the current date. To change the date or time, enter a value in the appropriate field or click the up or down arrows at the far right. Note that the time is in 24-hour format.
5. Choose all the hosts that are defined to Security Administrator, or only the hosts that are selected in the Hosts display.
6. Click OK to suspend the specified users on the specified hosts, starting at the specified date and time. You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”
7. If you know when you want to allow the users to log in again (that is, to have them resumed automatically), choose Edit, Resume and specify the date and time. The procedure for resuming users is similar to the preceding procedure for suspending users.

Copying Users from the Source Host to Other Hosts

If you want to copy groups and their users from host to host, copy the groups first, then the users. This is the reason: When you copy a group, users that belong to the group at the source host (the host you are copying from) automatically join the group at the target host (the host you are copying to) if they exist there.
If they do not exist there, they are ignored and the group is still copied to the target host. When you copy a user, the transaction succeeds only if all the groups to which the user belongs on the source host already exist on the target host and if all the connections succeed. Otherwise, the transaction is not completed; backout occurs instead. (For more about backout, the undoing of an unsuccessful command, see Transactions for All Hosts in the chapter “Editing, Executing, and Reviewing Transactions.”)

To copy the definitions of one or more users on a particular host to one or more other hosts:
1. Define as your source host the host from which you want to copy. (The source host name appears at the top of the Main window. For details about how to change it, see Specifying Preferences in the chapter “Security Administrator Basics.”)
2. If you want to copy to fewer than all other hosts, select the hosts to which you want to copy the users. If the hosts that you want are not visible in the Hosts display, make them visible by selecting the ALL group or other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.
3. In the User section, select the users to be copied. If the users are not all visible, use the Source button or the Filter command from the pop-up menu.
4. Choose Edit, Copy. The Copy User dialog appears.
5. Use the dialog as follows:
   - To deselect and reselect users, click the list at the left.
   - To copy one additional user that does not appear in the list, enter the user name in the text box under the list of users.
   - To copy the user to all hosts, select the ALL button. Otherwise, the user is copied only to the hosts that are selected in the Main window.
   - To select the environments to which the users should be copied, toggle the appropriate check boxes in the Environment area. By default, the users are copied to all environments controlled by Security Administrator.
6. Click OK.
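Why the order matters: the following Python model is added here as an illustration and is not code from this guide or from eTrust AC. It reproduces the two copy rules just described (a group copy silently drops members that do not exist on the target; a user copy is one transaction that is backed out, leaving no trace, if any group connection fails) on a constructed pair of hosts, and shows the result of copying in the wrong order, in a partially prepared order, and in the recommended order. The same rules govern the Copying Groups procedure later in this chapter. Host, user and group names are invented sample data.

```python
class BackedOut(Exception):
    """Raised when a copy transaction could not complete and has been undone."""


class Host:
    """Minimal model of one host's account database (constructed for this example)."""

    def __init__(self, name, users=(), groups=None):
        self.name = name
        self.users = set(users)
        # group name -> set of member user names
        self.groups = {g: set(m) for g, m in (groups or {}).items()}

    def connect(self, user, group):
        """Join user to group on this host; fails if the group does not exist here."""
        if group not in self.groups:
            raise KeyError(f"group {group!r} does not exist on {self.name}")
        self.groups[group].add(user)


def copy_group(src, dst, group):
    """Copy a group to dst. Members that already exist on dst join it;
    members missing on dst are ignored and the group is still copied."""
    dst.groups[group] = {u for u in src.groups[group] if u in dst.users}
    return set(dst.groups[group])


def copy_user(src, dst, user):
    """Copy a user to dst as one transaction: create the user, then connect it
    to every group it belongs to on src. If any connection fails (for example
    because that group has not been copied yet) everything done so far is
    backed out and dst is left exactly as it was."""
    snapshot_users = set(dst.users)
    snapshot_groups = {g: set(m) for g, m in dst.groups.items()}
    try:
        dst.users.add(user)
        for group in sorted(g for g, m in src.groups.items() if user in m):
            dst.connect(user, group)
    except KeyError as err:
        dst.users = snapshot_users          # backout: restore the snapshot
        dst.groups = snapshot_groups
        raise BackedOut(f"copy of {user!r} to {dst.name} backed out: {err}") from err
    return True


def copy_in_order(src, dst, groups, users):
    """Copy the listed groups first, then the listed users; return an outcome log."""
    log = []
    for g in groups:
        log.append((g, "group", sorted(copy_group(src, dst, g))))
    for u in users:
        try:
            copy_user(src, dst, u)
            log.append((u, "user", "copied"))
        except BackedOut:
            log.append((u, "user", "backed out"))
    return log


def make_source():
    # Constructed source host: three users, two groups.
    return Host("src", users={"alice", "bob", "carol"},
                groups={"dba": {"alice", "bob"}, "web": {"bob", "carol"}})


def make_target():
    # Constructed target host: only carol exists, no groups yet.
    return Host("dst", users={"carol"})


if __name__ == "__main__":
    src, dst = make_source(), make_target()
    print(copy_in_order(src, dst, [], ["bob"]))           # wrong order: backed out
    print(sorted(dst.users))                              # ['carol']: nothing left behind
    print(copy_in_order(src, dst, ["dba", "web"], ["alice", "bob"]))
    print({g: sorted(m) for g, m in dst.groups.items()})
```

Note the second scenario in the test below: when only dba has been copied, bob's copy joins dba successfully and then fails on web, and the backout also removes his dba membership, so a failed user copy never leaves a half-connected account on the target.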
You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Deleting Users

To delete one or more users from one or more hosts:
1. To delete the user from fewer than all hosts, click the Hosts section to select the hosts where the user is to be deleted. Deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or other host groups. The host group ALL includes all the hosts that Security Administrator knows of.
2. In the User section, select the names of the users to be deleted, and deselect all others. If the users that you want to delete are not visible, use the Source button or the Filter command from the pop-up menu.
3. Choose Edit, Delete. The Delete User dialog appears, listing the users that you selected in the Main window. Use the dialog as follows:
   - To delete the user from all hosts, select All. Otherwise, the user is deleted only from the hosts that are selected in the Main window.
   - To deselect and reselect users, click the list at the left.
   - To delete one additional user that does not appear in the list, enter the user name in the text box under the list of users.
   - To deselect and reselect environments, toggle the check boxes in the Environment area. By default, the users are deleted from all environments that Security Administrator controls.
   - To delete the users' home directories, click Delete. This option is available only if you are deleting the user from the UNIX environment. For information about deleting a user's home directory automatically when you delete a user, see the appendix “seam.ini and UNIX Exits.”
4. Click OK. The Activity window appears. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”
5. To remove the deleted user from the displayed list of users, click the Refresh toolbar button.

Adding, Modifying, or Deleting User Access Permissions

To add or change user access permissions:
1. In the Main window, select the hosts where you want your changes to be implemented. Select one or more users.
2. Choose Edit, Permit. The Permit User dialog appears. The name of the first selected user appears at the top of the dialog. The dialog shows the access rights of the selected user to all resources.
3. Use the dialog as follows: Click the button under the selected user name to receive a list of all the resource classes. The default class is FILE. (See the appendix “Resource Properties” for an explanation of classes.) After you select a class, all the resources in the class are listed below it. Select one of the resources to see what permissions the user has to the resource. Letters represent the different permissions; if you hold the cursor over the letters, the full names of the permissions pop up.
4. To remove access permission to a resource, click Delete. Confirm the deletion and click OK until the Activity window reappears. The deletion is complete.
5. To add access permission to a resource, select the resource from the list and click Add. To change access permission, click Update. The Permit Popup dialog appears.
6. To give the same permissions to more than one user, enter the names in the Accessor field, separated by commas.
7. In the Permissions section, select the access rights you want to give to the user. Each resource class has its own set of permissions. For example, you can have Execute permission to a resource in the class PROGRAM, and Read and Write permissions to a resource in the class TERMINAL. Every set contains None.
8. (Optional) In the Program field, specify a program through which the user is permitted to access the resource, for example /bin/login.
9. Click OK to implement your changes and return to the Permit User dialog.
10. When you are finished making all changes, click OK in the Permit User dialog. The Activity window reopens. For details about using the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Viewing User Access Permissions

Any user belonging to both the ADMIN and SERVER user types can view and print a report detailing the permissions for a particular user in various eTrust AC classes (FILE, PROGRAM, SURROGATE, TERMINAL, SUDO, and CONNECT) on the local host. The local host is the host on which Security Administrator is running. To display the report:
1. Become a SERVER-type user (if you are not one already).
2. Select the user in the Users panel of the Accounts page. Note: Security Administrator generates a report on one user at a time; if you select more than one user, it reports on the first one only.
3. Click Tools, User Permissions. The User Permissions dialog appears.
4. Select or deselect the classes that you want to include in or omit from the report. Note: If you want to include only one or a few classes, it is easier to click Deselect All and then select the appropriate classes. Conversely, if you want to omit only one or a few classes, click Select All and then deselect the appropriate classes.
5. If you want the report to include permission information for all the resources, click ALL. Otherwise, the report just lists the resources.
6. Click OK. Security Administrator generates the permissions report and opens the Report window (click Help in the window for information). The name of the user you selected appears at the top left of the window.
7. To close the report, click Close. To print the report, right-click the Report window and choose Print from the pop-up menu that appears.
8. Ensure that the proper print command for your specific printer appears in the text box, and then click OK.
User Groups

Security Administrator works with user groups and host groups. When it appears alone in Security Administrator or in this chapter, the word “group” refers to a user group. In the Main window, the Group section contains the group list and the buttons that initiate operations on groups. At the top of the Main window, the Source field next to the Source button indicates where the group names were copied from. eTrust AC names may come from an eTrust AC source host or from an eTrust AC PMDB. A PMDB is a database that applies to more than one host; for details, see the Administrator Guide. The procedures used in the Group section are described in the following sections. To complete any group transaction, you must select a host (from the Hosts section at the bottom) where the transaction is applied.

Filtering the List of Groups

You can base the list of groups displayed on the Accounts page on whatever database you want. To select a database source host other than the default, see Specifying Preferences in the chapter “Security Administrator Basics.” Then you can apply a filter, if you want, to limit the names displayed. To show fewer than all the groups in the source database:
1. Choose Edit, Filter. The Filter Groups dialog appears.
2. In the text box, specify the mask or filter to be used as a criterion for displaying group names. Only those group names that match the specified mask appear in the list of groups. You can use the UNIX wildcard characters: ? for any one character, * for any number of characters including none, or [x-y] for any one numeric or alphabetic character in the specified range, inclusive.
3. Click OK. Security Administrator closes the dialog, reads the databases of the source host, updates the group list, and displays the name of the source host at the top.

Creating a New Group

To create a new group on one or more hosts:
1. In the Hosts section, select the hosts where the group is to be created, and clear all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or some other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.
2. Choose Edit, Create. The Create Group dialog appears.
3. Enter a name for the group.
4. If you want the new group to have the same values as a group that already exists in the database, choose File, Load Group. The Load Group dialog appears. Enter the name of the group whose values you want to copy in the Group name field and click OK. All the values of that group now appear in the Create Group dialog. Note: You can also copy properties to a new group by loading a template. See Using Templates to Copy Group Properties in this chapter. To select or deselect an environment, click it in the top right section of the dialog. By default, the group is defined in all environments controlled by Security Administrator.
5. Change the group properties to the desired values. If you chose Load Group, change any values that should differ between the new group and the old one. Use the page tabs to view properties on pages not initially displayed. For a description of the properties, see the appendix “User and Group Properties.” If property editor synch mode is on, and you are creating the group in more than one environment, fields that should contain identical data receive identical data automatically. (See Preference Dialog Settings in the chapter “Setting Security Administrator Options.”)
6. Click OK to create the group and close the dialog. Or, to create the group but leave the dialog open so that you can immediately create another group, click Apply. You can check progress in the Activity window or Activity page at the bottom of the Security Administrator Main window.
For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”
7. To make the new group appear in the list of groups, click the Refresh toolbar button.

Using Templates to Copy Group Properties

If you want to base new user groups on a set of pre-selected properties (which are editable), you can save a set of values as a template and reload the template at any time instead of specifying properties one by one. In fact, each time you click Create to start defining a new user group, Security Administrator loads the default template. Your templates are stored as *.GROUP files in the directory eTrustACDir/data/seam/defaults (where eTrustACDir is the directory where you installed eTrust AC, by default /opt/CA/eTrustAccessControl). You have no reason to view or edit those files; just be sure not to delete them, and protect them like the rest of the eTrust AC installation directory, because their contents seed the properties of every group you create. Security Administrator comes with a group template named “default,” but you can use a different template with your own default values.

Creating a Template

To create a template:
1. Fill the property editor with the data for the template by creating or modifying a group.
2. In the Create Group window, choose File, Save As Template.
3. In the dialog that appears, specify a name for the template. If you want the template to be loaded automatically each time you create a new group, select the Load Template by Default check box.

Loading a Template

To load a template at any time as you work with the property editor:
1. In the Create Group window, choose File, Load Template.
2. In the Load Template dialog, specify an existing template by entering or clicking its name.
After loading a template, you can edit it and save the data as a group or as a template.

Refreshing the Group List

The group list is not refreshed automatically when a group is created or deleted. The Refresh button blinks to indicate that the displayed group list is outdated.
Click the Refresh button, and groups are added to the list or removed from it as appropriate.

Selecting and Deselecting Groups Using Wildcards

You can select and deselect groups in the Groups section of the Main window simply by clicking their names. Security Administrator also provides a more powerful way to select and deselect: wildcards. To select or deselect groups according to a wildcard pattern:
1. In the Groups section, choose Select or Deselect from the pop-up menu. The Select Group(s) or Deselect Group(s) dialog appears.
2. Click inside the text box and enter a filter. You can use the UNIX wildcard characters: ? for any one character, * for any number of characters including none, or [x-y] for any one numeric or alphabetic character in the specified range, inclusive. You can specify more than one filter if you separate them with spaces.
3. Click OK. The groups whose names match the specified filters are selected or deselected. All other groups remain selected or deselected, as they were.

Viewing Group Properties

Asking to view the properties of a group is called querying the group. To query one or more groups on one or more hosts:
1. If you wish, ensure that Remove Host on Failure (Query) is selected. When the query is executed later, this automatically reduces the list of host names to only those hosts that contain the specified groups. (For details, see Preference Dialog Settings in the chapter “Setting Security Administrator Options.”)
2. To query the group at fewer than all hosts, click the Hosts section to select the hosts where the group is to be queried and to deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or some other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.
3. In the Group section, select the groups that are to be queried and deselect all other group names.
If the groups that you want to query are not visible, use the Source button or the Filter command from the pop-up menu.
4. Choose Edit, Query. The Query Group dialog appears, listing the groups that you selected in the Main window.
5. Use the dialog as follows:
   - To query the group at all hosts, select the All button. Otherwise, the group is queried only at the hosts that are selected in the Main window.
   - To deselect and reselect groups for querying, click the list at the left.
   - To query one additional group that does not appear in the list, enter the group name in the text box under the list of groups.
   - To select the environments where the groups should be queried, toggle the appropriate check boxes in the Environment area. By default, the groups are queried in all environments controlled by Security Administrator.
6. Click OK. You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Modifying Group Properties

The Update command lets you change group properties in all environments that include the group. The Edit command lets you not only change properties but also create a group with the same properties in an environment where the group does not currently exist. This procedure shows both commands.
1. In the Hosts section, select the hosts where the group is to be changed and deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or other host groups. The host group ALL includes all the hosts that Security Administrator knows of.
2. In the Group section, do one of the following:
   - If you are updating properties only, select one group.
   - If you are updating properties and creating groups in environments where they do not exist, select one or more groups.
   If the group that you want is not visible, use the Source button or the Filter command from the pop-up menu.
3. To modify only properties, choose Edit, Update. The property editor appears, displaying the present properties. (If properties are in the APPL section, you need a utility to reload their values. See UNIX Exits in the appendix “seam.ini and UNIX Exits.”) The group name is dimmed because you cannot change it.
4. To modify properties and create groups in environments where they do not exist, choose Edit, Edit. The Edit Group dialog appears. The note about the APPL section in step 3 applies here as well. You can add groups that you would like to edit but have not already selected. You can also add groups that do not yet exist, because the Edit command creates groups that do not exist.
5. To select or deselect an environment that includes the group, click it in the top right section of the property editor. (By default, groups are updated in all environments where they exist. In addition, if you chose Edit, groups are also created in all environments where they do not exist.)
6. Change the group properties to the desired values. Use the tabs to view properties on different pages. For a description of group properties, see the appendix “User and Group Properties.” If property editor synch mode is on, and you are updating or creating the group in more than one environment, fields that should contain identical data receive identical data automatically. (See Preference Dialog Settings in the chapter “Setting Security Administrator Options.”)
7. Click OK. You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Adding Users to Groups and Removing Users from Groups

The following procedure lets you add users to groups and remove them from groups. You can do this for one or more users, one or more existing groups, and one or more hosts.
1. In the Hosts section of the Main window, select the hosts where the users are to join the groups or be removed from them. Deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.
2. In the User section, select the users who are to join or leave the groups. If not all the users are visible, use the Source button or the Filter command from the pop-up menu.
3. In the Group section, select the groups that the users are to join or leave. If not all the groups are listed, use the Source button or the Filter command from the pop-up menu.
4. If you are adding users, choose Edit, Connect. The Connect User to Group dialog appears.
5. If you are removing users, choose Edit, Disconnect. The Disconnect User From Group dialog appears. These dialogs have no list of hosts; the command takes effect on the hosts that are currently selected in the Main window. In the left section of these dialogs is a list of the users who were selected when you invoked the command. Likewise, the right section contains a list of the selected groups.
6. If you wish, click users or groups in the lists to deselect and reselect them. At the bottom of each list, you can type one additional user or group to be selected.
7. If you wish, click environments in the middle of the dialog to select or deselect them as the locations where the users join or leave the groups.
8. Click OK. You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Copying Groups from the Source Host to Other Hosts

If you want to copy groups and their users from host to host, copy the groups first, then the users.
This is the reason: When you copy a group, users that belong to the group at the source host (the host you are copying from) automatically join the group at the target host (the host you are copying to) if they exist there. If they do not exist there, they are ignored and the group is still copied to the target host. When you copy a user, the transaction succeeds only if all the groups to which the user belongs on the source host already exist on the target host and if all the connections succeed. Otherwise, the transaction is not completed; backout occurs instead. (For more about backout, the undoing of an unsuccessful command, see Transactions for All Hosts in the chapter “Editing, Executing, and Reviewing Transactions.”)

To copy the definitions of one or more groups on a particular host to one or more other hosts:
1. Define as your source host the host from which you want to copy. (The source host name appears at the top of the Main window. For details about how to change it, see Specifying Preferences in the chapter “Security Administrator Basics.”)
2. If you want to copy to fewer than all the other hosts, select the hosts to which you want to copy the groups. If the hosts that you want are not visible in the Hosts display, make them visible by selecting the ALL group or other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.
3. In the Group section, select the groups to be copied. If the groups are not all visible, use the Filter command from the pop-up menu.
4. Choose Edit, Copy. The Copy Group dialog appears.
5. Use the dialog as follows:
   - To deselect and reselect groups, click the list at the left.
   - To copy one additional group that does not appear in the list, enter the group name in the text box under the list.
   - To copy the group to all hosts, select the ALL button. Otherwise, the group is copied only to the hosts that are selected in the Main window.
   - To select the environments to which the groups should be copied, toggle the appropriate check boxes in the Environment area. By default, the groups are copied to all environments controlled by Security Administrator.
6. Click OK. You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Deleting Groups

When you delete groups, the users that belong to the groups still exist; only the groups, which allow the users to be managed jointly, are removed. To delete one or more groups from one or more hosts:
1. To delete the group from fewer than all hosts, click the Hosts section to select the hosts where the group is to be deleted. Deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or other host groups. The host group ALL includes all the hosts that Security Administrator knows of.
2. In the Group section, select the names of the groups to be deleted and deselect all others. If the groups that you want to delete are not visible, use the Source button or the Filter command from the pop-up menu.
3. Choose Edit, Delete. The Delete Group dialog appears, listing the groups that you selected in the Main window. Use the dialog as follows:
   - To delete the group from all hosts, select All. Otherwise, the group is deleted only from the hosts that are selected in the Main window.
   - To deselect and reselect groups, click the list at the left.
   - To delete one additional group that does not appear in the list, enter the group name in the text box under the list of groups.
   - To deselect and reselect environments, toggle the check boxes in the Environment area. By default, the groups are deleted from all environments that Security Administrator controls.
4. Click OK. The Activity window appears. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”
5. To remove the deleted group from the displayed list of groups, click the Refresh toolbar button.

Adding, Modifying, or Deleting Group Access Permissions

To add or change group access permissions:
1. In the Main window, select the hosts where you want your changes to be implemented. Select one or more groups.
2. Choose Edit, Permit. The Permit Group dialog appears. The name of the first selected group appears at the top of the dialog. The dialog shows the access rights of the selected group to all resources.
3. Use the dialog as follows: Click the button under the selected group name to receive a list of all the resource classes. The default class is FILE. (See the appendix “Resource Properties” for an explanation of classes.) After you select a class, all the resources in the class are listed below it. Select one of the resources to see what permissions the group has to the resource. Letters represent the different permissions; if you hold the cursor over the letters, the full names of the permissions pop up.
4. To remove access permission to a resource, click Delete. Confirm the deletion and click OK until the Activity window reappears. The deletion is complete.
5. To add access permission to a resource, select the resource from the list and click Add. To change access permission, click Update. The Permit Popup dialog appears.
6. To give the same permissions to more than one group, enter the names in the Accessor field, separated by commas.
7. In the Permissions section, select the access rights you want to give to the group. Each resource class has its own set of permissions. For example, you can have Execute permission to a resource in the class PROGRAM, and Read and Write permissions to a resource in the class TERMINAL. Every set contains None.
8. (Optional) In the Program field, specify a program through which the group is permitted to access the resource, for example /bin/login.
9. Click OK to implement your changes and return to the Permit Group dialog.
10. When you are finished making all changes, click OK in the Permit Group dialog. The Activity window reopens. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Chapter 8: Resource Administration

This section contains the following topics:
Security Administrator (see page 117)
Displaying Resources (see page 118)
Filtering the List of Resources (see page 119)
Creating a Resource (see page 120)
Selecting and Deselecting Resources Using Wildcards (see page 121)
Viewing Resource Properties (see page 122)
Updating a Resource (see page 123)
Editing Existing Resources and Creating New Ones (see page 126)
Copying a Resource (see page 127)
Protecting a Resource in the UNIX or Windows Environment (see page 128)
Deleting Resources (see page 129)
Updating TCP Services and Ports (see page 130)
Adding Accessors to Windows Resources (see page 131)

Security Administrator

This chapter describes how Security Administrator manages eTrust AC, UNIX, and Windows resources. Using the Security Administrator Main window, you can edit, copy, and add resources; set relevant parameters; and perform many other related transactions.

Displaying Resources

When you invoke Security Administrator, the Main window appears. To display all resource classes, click the Resources tab. The resources are divided according to the following environments: eTrust AC, UNIX, and NT (Windows). Each environment is in turn subdivided into resource categories specific to that environment. Clicking the plus sign of an environment name opens its list of categories, and clicking the plus sign of a category opens its list of object subcategories.
Clicking any of the resource subcategories displayed in the left panel displays all the relevant resource records or objects in the right panel. Click the lowest branch of the category to display class-specific records. The Copy, Delete, Select, Deselect, and Filter functions are similar for most resources. However, the Create and Update functions may differ because some resources have different protections, conditions, or parameters. For example, attributes and parameters that you can assign to ADMIN class resources differ from those you can assign to TCP class resources or to the NT File class. Therefore, the pages that appear in the Security Administrator resource property editor vary for different classes. For more information about specific parameters that appear in the Security Administrator resource property editor for each class, see the appendix “Resource Properties.” 118 User Guide Filtering the List of Resources Filtering the List of Resources You can base the list of resources, displayed on the Resources page, on whatever database you want. To select a database source host other than the default, see Specifying Preferences in the chapter “Security Administrator Basics.” Then you can apply a filter, if you want, to limit the names displayed. To show fewer than all the resources in the source database: 1. Choose Edit, Filter. A Filter dialog appears. 2. In the text box, specify a mask or filter for displaying resource record names. The filter is case-sensitive. You can use the UNIX wildcard characters: ? for any one character, * for any one or more characters, or none, or [x-y] for any numeric or alphabetic characters in the specified range, inclusive. You can specify more than one filter if you separate them with spaces. 3. Click OK. Security Administrator closes the dialog, reads the databases of the source host, updates the resource record list, and displays the name of the source host at the top of the Main Window. 
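The filter syntax from step 2 (the Select and Deselect dialogs in the following section use the same syntax), modelled as an added example; this is not code from the guide or from the eTrust AC product, and the record names are constructed samples:

```python
"""Model of the Security Administrator wildcard filter (added example).

Rules from the guide: '?' matches any one character, '*' matches zero or
more characters, '[x-y]' matches one character in an inclusive range,
several filters may be separated by spaces, and matching is case-sensitive.
Also models the Select/Deselect dialog: records whose names match are
selected (or deselected); all other records keep their current state.
Assumption (not stated in the guide): an empty filter matches nothing.
"""
import re

# Constructed sample resource record names (not from the guide).
SAMPLE_NAMES = [
    "/bin/login", "/dev/tty0", "/dev/tty3", "/dev/tty7", "/etc/Passwd",
    "/etc/hosts", "/etc/hosts.allow", "/etc/hosts.deny", "/etc/passwd",
    "/etc/shadow",
]


def wildcard_to_regex(pattern):
    """Translate one eTrust-style wildcard into an anchored, case-sensitive regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                # Unterminated bracket: treat '[' literally rather than failing.
                out.append(re.escape(ch))
            else:
                body = pattern[i + 1:j]
                # Escape everything except the range dash so [a-z] and [0-9] work.
                body = "".join(c if c == "-" else re.escape(c) for c in body)
                out.append("[" + body + "]")
                i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def matches_filter(name, filter_text):
    """True if name matches any of the space-separated filters (case-sensitive)."""
    patterns = filter_text.split()
    return any(wildcard_to_regex(p).fullmatch(name) for p in patterns)


def apply_filter(names, filter_text):
    """Filter dialog: return only the record names that match, in display order."""
    return [n for n in names if matches_filter(n, filter_text)]


def apply_selection(selected, names, filter_text, select=True):
    """Select/Deselect dialog: toggle matching records, leave the rest as they were."""
    result = set(selected)
    for n in names:
        if matches_filter(n, filter_text):
            if select:
                result.add(n)
            else:
                result.discard(n)
    return result


if __name__ == "__main__":
    print(apply_filter(SAMPLE_NAMES, "/etc/p*"))            # case-sensitive: /etc/Passwd excluded
    print(apply_filter(SAMPLE_NAMES, "/bin/* /dev/tty[0-3]"))
    print(sorted(apply_selection({"/etc/shadow"}, SAMPLE_NAMES, "/etc/hosts*")))
```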
Creating a Resource

To add resource records to a resource type, use the Security Administrator resource property editor.

To create a new record:

1. In the Hosts page at the bottom of the Main window, select the host or host group where you want to create the resource.

2. In the left panel of the Resources page, select the appropriate resource subcategory. For example, to create a CATEGORY class resource, click Security Categories under the B1 Features category.

3. Choose Edit, Create. The Create a New Security Category dialog appears.

4. In the Category Name field, enter the name of the new category record.

5. In the Owner field, enter the name of a user or group entitled to edit the record. To view a list of predefined owners, click Browse.

6. In the Comment field, enter any data useful for your site.

7. Click OK. Security Administrator closes the resource property editor and generates the commands required to perform the specified actions. You can monitor progress in the Activity window. For details, see the chapter “Editing, Executing, and Reviewing Transactions.”

Selecting and Deselecting Resources Using Wildcards

You can select and deselect resources in the Resources section of the Main window by simply clicking their names. Security Administrator, however, also provides a more powerful way to select and deselect: wildcards.

To select records according to a wildcard pattern:

1. In the Hosts page at the bottom of the Main window, select a host or host group.

2. In the Resources area, right-click and choose Select or Deselect from the pop-up menu. The Select file or Deselect file dialog appears.

3. Click inside the text box and enter a filter. You can use the UNIX wildcard characters: ? for any one character, * for any one or more characters, or none, and [x-y] for any numeric or alphabetic character in the specified range, inclusive. You can specify more than one filter if you separate them with spaces. The filter is case-sensitive.

4. Click OK. The records whose names match the specified filter are selected or deselected. All other records remain selected or deselected, as they were.

Viewing Resource Properties

Asking to view the properties of a resource is called querying the resource.

To query one or more resources on one or more hosts:

1. To query fewer than all hosts, click the Hosts section to select the hosts where the resource is to be queried and to deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or some other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.

2. Select a resource class in the left pane, and then one or more resource records in the right pane.

3. Choose Edit, Query. A Query dialog appears. On the left is a list of the resource records that were selected when you invoked the command.

4. Use the dialog as follows:
   - To deselect and reselect resources for querying, click the list at the left.
   - To query one additional resource that does not appear in the list, enter the resource name in the text box under the list.
   - To query all hosts, select the All button. Otherwise, the resource is queried only at the hosts that are selected in the Main Window.

5. Click OK. You can monitor progress in the Activity window or page. For details about using the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Updating a Resource

You can modify the properties of any existing resource record by using the Update command. Each resource class has its own set of properties (note that statistics data is read-only).
For more information about the specific properties for each class, see the appendix “Resource Properties.”

Note: You can modify existing resources and add new ones by using the Edit command. See Editing Existing Resources and Creating New Ones in this chapter.

To update a record:

1. In the Hosts page at the bottom of the Main window, select the host or host group where you want to update the resource.

2. In the left panel of the Resources page, select the appropriate resource subcategory. For example, to update a FILE class resource, click File and Directory under the System Resources category.

3. Select a record in the right panel, and then choose Edit, Update. The Update the File Properties dialog opens.

4. In the General page, you can change the following parameters:

   Owner
      A user or group entitled to edit the record. To receive a list of users and groups, click the Browse button.

   Comment
      Any data useful for your site.

   Default Access
      The type of default access for the FILE record. Select the default accesses you want to give to accessors. Select None if the default should allow no access to the resource.

5. In the Access List page, you can edit the access permissions of accessors. Move your cursor over the permission initials to get the full names. For information about the permissions, click the Help button in the dialog that appears when you click the Add or Edit buttons. Use the Access List page as follows:
   - To give one or more existing users or groups access to the file, click the Add button. Click beside the names of the accessors under the appropriate authority to give permission (a check mark appears) or remove the permission.
   - To remove accessors from the access list of the FILE resource, select the appropriate accessor and click the Delete button.
   - To change the permissions of the accessors, select the appropriate accessor and click the Edit button.

6. In the Restrictions page, you can change the following parameters:

   Allowed Days
      The days on which the resource can be accessed. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To select individual days, click the boxes representing each day. To clear all the days, click Reset.

   Allowed Time
      The period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. The time range is in 24-hour format.

7. In the Membership page, you can view the following parameters:

   Not Members
      Group or groups to which this file does not belong.

   Members
      Group or groups to which this file will be added.

8. In the Statistics page, you can view the following parameters:

   Creation Time
      The time and date when the FILE resource record was created. This is a read-only field.

   Update Time
      The time and date of the most recent update. This is a read-only field.

   Updated By
      The name of the user who last updated the resource. This is a read-only field.

9. In the Auditing page, you can change the following parameters:

   Warning
      Whether to enable warning mode. In warning mode, all access requests are granted. If a request normally would have been denied, a record is written to the audit log. Default is no.

   Notify
      The email address or alias of the person who is to be notified when the resource is accessed. You must be properly configured for this activity through appropriate eTrust AC permissions. For more information, see the Administrator Guide. You can enter up to 30 alphanumeric characters.

   Audit Mode
      The type of operations that trigger creation of audit records:
         Success   Successful operations
         Failure   Failed operations
         None      No operations

10. In the B1 page, you can change the following parameters:

   Categories
      The list of security categories assigned to the resource. Enter the name of an existing category, or click the Browse button to receive a list of all the existing categories. (To create a new category, select the CATEGORY class from the resource class list in the Main window, and then use the Create command. See Creating a Resource in this chapter.)

   Seclabel
      The security label assigned to the resource. Enter the name of an existing seclabel, or click the Browse button to receive a list of all the existing seclabels. (To create a new seclabel, select the SECLABEL class from the resource class list in the Main window, and then use the Create command. See Creating a Resource in this chapter.)

   Seclevel
      The security level assigned to the resource. Enter an integer up to 255. Default is zero.

11. When you have finished making changes to the pages, click OK. Security Administrator closes the resource property editor and generates the commands required to perform the specified actions. You can check the progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Editing Existing Resources and Creating New Ones

The Edit command lets you update existing records and create new records at the same time. The Update command, explained previously, is effective when you are working on records already in existence. The Edit command, however, allows more flexibility because it not only updates existing records but also creates new ones in environments where they do not currently exist. To change or create one or more resources, select Edit from the pop-up menu.

You can change any properties listed on these pages. Auditing data is read-only, and each resource class has its own set of properties. For more information about the particular properties for each class, see the appendix “Resource Properties.”

To edit a record:

1. In the Hosts page at the bottom of the Main window, select a host or host group.

2. Select a resource category. This example demonstrates editing File Groups.

3. Select one or more resources in the right panel. If no records exist, you can use the Edit command to create some.

4. Right-click, and choose Edit from the pop-up menu. For file groups, the dialog contains several pages of access properties. (The number of pages depends on the resource.)

5. Click each tab and enter the desired properties. For information, click Help.

6. When you have finished making changes, click OK. Security Administrator closes the dialog and generates the commands required to perform the specified actions. You can check the progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Copying a Resource

To copy one or more resource records:

1. Define as your source host the host from which you want to copy. (The source host name appears at the top of the Main Window. For details about how to change it, see Specifying Preferences in the chapter “Security Administrator Basics.”)

2. If you want to copy to fewer than all the other hosts, select the hosts to which you want to copy the resource. If the hosts that you want are not visible in the Hosts display, make them visible by selecting the ALL group or other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.

3. Click to select the class you want to copy from, and then click one or more files in the right panel.

4. Choose Edit, Copy. The Copy File dialog appears. At the left is a list of the resource records that were selected when you invoked the command.

5. Use the dialog as follows:
   - To deselect and reselect resources, click the list at the left.
   - To copy one additional resource that does not appear in the list, enter the resource name in the text box under the list.
   - To copy the resource to all hosts, select the ALL button. Otherwise, the resource is copied only to the hosts that are selected in the Main Window.

6. Click OK to copy the selected records to the selected hosts. Security Administrator closes the resource property editor and generates the commands required to perform the specified actions. You can monitor progress in the Activity window or page. For details about using the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Protecting a Resource in the UNIX or Windows Environment

To protect a resource:

1. Right-click the UNIX or Windows file that you want to protect. Choose Edit, Protect. The Update the File Properties dialog appears. This dialog is similar to the one for creating a resource. Each page shows a different set of properties.

2. Make any changes to the pages, and click OK. Security Administrator closes the dialog and generates the commands required to perform the specified actions. You can check progress in the Activity window or page. For details about how to use the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Deleting Resources

To delete a resource record:

1. To delete from fewer than all hosts, click the Hosts section to select the hosts where the resource is to be deleted and to deselect all other hosts. If the hosts that you want are not visible, make them visible by selecting the ALL group or some other host groups. The host group named ALL includes all the hosts that Security Administrator knows of.

2. Select a resource class on the left panel of the Resources page, and then click one or more records on the right panel.

3. Choose Edit, Delete. A Delete dialog appears. At the left is a list of the resource records that were selected when you invoked the command.

4. Use the dialog as follows:
   - To deselect and reselect resources, click the list at the left.
   - To delete one additional resource that does not appear in the list, enter the resource name in the text box under the list.
   - To delete from all hosts, select the All button. Otherwise, the resource is deleted only from the hosts that are selected in the Main Window.

5. Click OK. Security Administrator closes the dialog and generates the commands required to perform the specified actions. You can monitor progress in the Activity window or page. For details about using the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Updating TCP Services and Ports

To let hosts use particular TCP services and ports:

1. Select the TCP resource classes.

2. Select one or more TCP class records to change (this example has only one), and then select Update from the pop-up menu or the toolbar. The Update the TCP Protection Properties dialog appears.

3. Select the access type you want for the resource. The access types for the TCP class are Read and None. Read access lets the resource record use the services and ports that are listed in the access list.

4. When you have finished making changes to the pages, click OK.

   Note: If you change the access types of the resource record, the name of the TCP service or port you selected in the Access List page appears automatically in the Name field.

   Security Administrator closes the dialog and generates the commands required to perform the specified actions. You can monitor progress in the Activity window or page. For details about using the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Adding Accessors to Windows Resources

If you have appropriate access, you can add or edit the accessors of Windows resources you are creating or updating:

1. Select one of the Windows resource classes, and then one or more records that you want to work with.

2. From the Edit menu, choose Create or Update. The relevant dialog appears.

3. Click the button at the top of the dialog to select the class (user or group) you want to add to the access list of the resource record.

4. Enter the name of the resource in the Name field.

5. Select the access types you want the user or group to have, or change the current access types. The Windows resource class has the following permissions:

   READ     The accessor can use the resource record without changing it.
   WRITE    The accessor can write in the resource record.
   MODIFY   The accessor can change the resource record.
   DELETE   The accessor can delete the resource record.
   CHOWN    The accessor can change the owner of the resource record.
   CHMOD    The accessor can change the standard Windows access modes.
   UTIME    The accessor can change the resource modification time.
   SEC      The accessor can change the access control list of the record.
   NONE     The accessor has no access rights in the resource record.

6. When you finish making changes, click OK. Security Administrator closes the dialog and generates the commands required to perform the specified actions. You can check progress in the Activity window or page.
For details about using the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.” 132 User Guide Chapter 9: Policy Model Administration This section contains the following topics: The Policy Model Database (see page 133) Working with PMDBs (see page 133) The Policy Model Database The eTrust AC Policy Model database (PMDB) is a regular eTrust AC database that includes a list of subscriber databases, each of which resides on a separate computer. The Policy Model service allows the management of many eTrust AC databases from one central database. Security Administrator automatically propagates any rules defined in the central database and applies them to the subscriber databases. The PMDB is a useful tool for managing many stations that have identical authority restrictions and access rules. You can configure the subscriber eTrust AC databases as PMDBs if they also have subscribers, or as ordinary eTrust AC databases if they do not have subscribers. This allows for a hierarchical configuration of PMDBs. Whenever you make a change to the PMDB, Security Administrator automatically updates all of its subscriber databases. For a complete description of the PMDB, see the Administrator Guide. You perform PMDB tasks from the Policy model page at the bottom of the Main window. Click the Policy model tab to display the page. The left panel displays the Policy Models as a hierarchical tree. Note that the topmost, or root, element is not a PMDB; it is the master list of PMDBs. As such, you cannot perform any commands on this element. The right panel displays the subscribers to the PMDB selected in the left panel. If you select the root element, the right panel lists all the PMDBs. Working with PMDBs The two ways to update a PMDB are accessor (user and group) transactions and PMDB commands. This section describes both. 
Policy Model Administration 133 Working with PMDBs Accessor Transactions Normally, when you perform a user or group transaction-such as a query or an update-Security Administrator performs the transaction for the selected users or groups that reside on the selected hosts. It then adds the result of the transaction to the host eTrust AC database. By contrast, when you update a PMDB, eTrust AC propagates the result to all subscriber databases. For information about performing accessor transactions, see the chapter “Account Administration.” 134 User Guide Working with PMDBs PMDB Commands PMDB commands affect selected PMDBs and their subscribers. To execute a command, select the PMDB or subscriber, and right-click to open the pop-up menu. Show commands Displays the list of commands (in the command file) sent to subscribers and the subscribers that received them. Show error Displays the transaction and PMDB connection errors in the error file. If there are no errors for any subscribers, a message box appears when you select this option. Add subscriber, Remove subscriber Opens a dialog where you add a subscriber to, or remove a subscriber from, the selected PMDB. If an error occurs, a message appears in the dialog Error Message area. Distribution status Displays the names of PMDB hosts on which an error occurred (such as a command error or an unavailable host), the number of errors, and whether the host is currently unavailable. Start daemon, Stop daemon Starts or stops the PMDB daemon. A confirmation box appears when you select either of these options. If an error occurs (for example, if you attempt to start the daemon and it is already running), an error message appears. Clear error Deletes the error file. A confirmation box appears when you select this option. Truncate Clears or truncates the command file. 
When you enter the subscriber name and offset and click OK, Security Administrator truncates the subscriber command file from the beginning of the file to the specified offset. Policy Model Administration 135 Chapter 10: Login Protection This section contains the following topics: Setting Up Login Protection (see page 137) Setting Up Login Protection The Login Protection Setup dialog lets you determine which terminals accessors can log in from, which login applications they can use when they log in, and the maximum number of logins they can perform. You can restrict login privileges for both users and groups. To set up login protection: 1. Click Tools, Login Protection Setup. Note: Because you select the users and groups from the dialog, Security Administrator ignores any accessors already selected in the Account page. 2. In the Accessors to Protect section, specify the names of the users and groups whose login privileges you want to restrict. Either enter the names separated by commas or click List, select the names from the left side of the dialog, click the right arrow button to move them to the right side, and click OK. 3. In the Login from Terminals section, specify which terminals accessors can (Allow terminals) and cannot (Deny terminals) log in from. Enter the terminal names separated by commas; or click List, select the names from the left side of the dialog, click the right arrow button to move them to the right side, and then click OK. Note: This setting modifies TERMINAL class properties. 4. In the Login Through Programs section, specify which login applications accessors can (Allow programs) and cannot (Deny programs) use. Either enter the terminal names separated by commas or click List, select the names from the left side of the dialog, click the right arrow button to move them to the right side, and then click OK. Note: This setting modifies LOGINAPPL class properties. 5. Click the Restrictions tab to open the Restrictions page. 6. 
In the top section of the page, indicate the days when accessors can log in. Either click individual day buttons or click Weekdays to select Monday to Friday. Login Protection 137 Setting Up Login Protection 7. Drag the From and To sliders to set the range of hours when accessors can log in. The time shown to the left of the sliders indicates the current setting. 8. In the bottom section, enter the maximum number of concurrent logins allowed for each accessor. 9. Select Ignore or Allow to determine Holiday access. If you select Allow, enter or select the appropriate holidays. 10. Click OK to save the changes and close the dialog. 138 User Guide Chapter 11: Security Configuration This section contains the following topics: Working with Security Policies (see page 139) Working with Password Policies (see page 142) Viewing eTrust AC Status (see page 143) Working with Security Policies To view and modify security policy settings for the eTrust AC and Windows environments: 1. Click Security Options in the Tools menu or on the toolbar. The Security Options dialog appears. The dialog consists of two pages-eTrust and NT (Windows)-each with its own set of option pages. The NT page is available if you have eTrust AC Windows software installed. 2. If necessary, indicate the environments you want to configure by selecting or clearing the eTrust or NT check boxes located above the page section. 3. On the subpages of the eTrust page, indicate the security options you want. Each option activates or deactivates an eTrust AC class or setoptions parameter. The following table lists the security options on each page and their corresponding classes or parameters. For more information about classes and the setoptions command, see the Reference Guide. 
Subpage Option Class or Parameter Login Protection Login by application checks LOGINAPPL Terminal checks TERMINAL Holiday checks HOLIDAY File checks FILE Process checks PROCESS SUID/SGID program checks PROGRAM Administration checks ADMIN System Resources Security Configuration 139 Working with Security Policies Subpage Option Class or Parameter Network Protection TCP checks TCP Incoming connection checks HOST Outgoing connection checks CONNECT Surrogate checks SURROGATE Task delegation (SUDO) SUDO Special programs SPECIALPGM Category checks CATEGORY Seclabel checks SECLABEL Seclevel checks SECLEVEL Accumulative group rights setoptions accgrr Accumulative checks for ACL and PACL setoptions accpacl Owner password change setoptions cng_ownpwd Admin password change setoptions cng_adminpwd User Identity Control B1 Features Algorithm Options 4. 140 User Guide If you have eTrust AC Windows software installed, use the NT page to change Windows security parameters. Every user in Windows is associated with an account that identifies the accessor to Windows. Working with Security Policies The NT page contains one subpage with the following options: Maximum Login Failures Before Lock The number of times users can fail to log in before their accounts are disabled. When the limit is exceeded, users cannot log in, even with the correct password. Enter a positive integer. Disabled Access Attempt The length of time, in minutes, that accounts are disabled after exceeding the maximum number of login attempts. After the time has elapsed, disabled accounts are allowed to log in. Enter a positive integer. Maximum Time After Logins Restriction (Min) The length of time, in minutes, when the application shuts down automatically after the user time restriction has passed. For example, if user Joe can work only from 9:00 to 17:00, the number you enter determines how many minutes Joe has to log off after 17:00 before his application shuts down automatically. Enter a positive integer. 5. 
Click OK to submit the changes. The Activity window opens. For a description of the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.” Security Configuration 141 Working with Password Policies Working with Password Policies A password policy is a set of rules regarding a password's lifetime, restrictions, and so forth. When an eTrust AC password policy is enabled, the user changing the password must obey the rules of the policy. When a password is changed, the new password is checked according to the rules of the password policy. If the new password does not conform to the password policy, the change is rejected. Use the following procedure to view and modify the minimum acceptable conditions for user passwords and accounts for the eTrust AC environment. 1. Click Tools, Password. The Password Rules dialog appears. 2. Click Default to set the rules globally, or click Profile Group to set the rules for a specific profile group. If you select Profile, enter a profile group name or click Browse to select one. You can create a new profile group by entering a name that does not exist. 3. To activate or deactivate password checking, click Password Checks at the top of the eTrust page. This option affects the setoptions class (PASSWORD) setting. For more information, see the Reference Guide. 4. On the pages, indicate password policy rules. Depending on the rule, you select or deselect a check box or enter a value. The following table describes the subpages and their options. Subpage Option Description Validity Check The user name Determines whether new passwords can contain the name of the user. For example, if this option is selected for the user John, then the password cannot be Johnson or Johnston, although it can be Jonssen. The password Determines whether new passwords can contain the old password. For being replaced example, if the old password was John, and you select this option, the new password cannot be Johnson, and vice versa. 
Limits
  Number of stored old passwords: Specifies the number of old passwords that are stored in the database to prevent reuse of recent passwords. Enter a number between 0 and 24. If you specify 0, passwords are not saved.
  Maximum days between passwords: Sets the maximum number of days before eTrust AC prompts you for a new password.
  Minimum days between passwords: Sets the minimum number of days before eTrust AC lets you change your password.

Format
  Maximum number of grace logins: Specifies the number of grace logins that users can have. The number you enter determines the number of times a user can log in after the password expires.
  Minimum number of characters: Sets the minimum number of characters that passwords must contain, in the following categories: alphabetic, numeric, alphanumeric, lowercase, uppercase, and special characters. All values must be integers.
  Maximum number of repetitive characters: Specifies the maximum number of consecutive, identical characters that passwords may contain.
  Minimum password length: Specifies the minimum number of characters that passwords must contain.

5. Click OK to submit the changes. The Activity window opens. For a description of the Activity window, see the chapter “Editing, Executing, and Reviewing Transactions.”

Viewing eTrust AC Status

You can view the status of the serevu, selogrd, and selogrcd services at any time during a Security Administrator session. Click Tools, eTrust Status to open the eTrust Status dialog. This dialog displays the source host name, the current version of eTrust AC, and the status of the three optional services. The check box to the right of each daemon indicates whether it is currently running. See the chapter “Utilities in Detail” in the Utilities Guide for information about these daemons.

Note: The information in the eTrust Status dialog is read-only; you cannot modify it.
Chapter 12: Audit Log Routing

This section contains the following topics:
Log Routing (see page 145)

Log Routing

eTrust AC uses the log routing daemon, selogrd, to distribute selected local audit log records to specific hosts; reformat audit log records into email messages, ASCII files, or user windows; and transmit notification messages based on audited events.

To determine audit record routing, selogrd uses a configuration file, selogrd.cfg. This file is a list of which audit log records to route (or not to route) and to where. For a complete description of this file, see the selogrd command in the Utilities Guide.

You can view and modify the selogrd.cfg file in Security Administrator from the Audit Log Routing dialog. You can also propagate a particular configuration file to other hosts.

The dialog shows the current routing information in the selogrd.cfg file of the source host. Each line represents a section in the file. Use the buttons on the right to add predefined or customized destination sections and to update or delete existing sections.

View or Modify Audit Log Route Configuration

To view or modify audit log route configuration:
1. If necessary, specify the source host by clicking the Source toolbar button, selecting the source host, and clicking OK.
2. If you want to propagate the source selogrd.cfg file to other hosts, select those hosts in the Hosts page.
   Note: The current version of Security Administrator does not support this feature for PMDB propagation.
3. Click Tools, Audit Log Routing. The Audit Log Routing dialog appears.

Add Predefined Destination

To add predefined destination sections:
1. Click Add. The Add Predefined Destination dialog appears.
2. Select the destination or destinations you want to add by clicking the appropriate check boxes.
   For each destination you select, enter the destination in the corresponding text box or select the destination by clicking its List button (for email, you must type the destinations).
3. Click OK to close the dialog; the new sections appear in the information window. If you change your mind, click Cancel to close the dialog without adding any lines.

Note: The additions are not stored in the selogrd.cfg file until you close the Audit Log Routing dialog by clicking OK.

Create Customized Destination

To create a customized destination section:
1. Click Add Customize. The Section Editor dialog appears.
2. Enter the name of the section in the Section name text box.
3. Click the Destination button, which shows the current destination type, and select the appropriate type from the drop-down list. Depending on the type you select, enter the appropriate destination name or click Browse (or List) and select the name.
4. To include or exclude the record, click Add. The Rules dialog opens.
   a. In the Rule type section, select Include or Exclude to specify whether to route this audit record.
   b. In the Rule section, fill in the appropriate rule categories by entering the information in the field or by clicking List and selecting a name or item.
   c. Click OK to close the Rules editor.
5. To delete a rule, select the rule and click Delete.
6. Click OK to save changes and close the Section editor.

Modify Existing Destination

To modify existing destination sections:
1. Select the section you want to modify and click Update. The Section Editor dialog appears, with the current settings for the selected section filled in.
2. Follow Steps 2-6 in the procedure for creating a customized destination in this chapter.

Delete a Section

To delete a section:
1. Select the sections you want to delete.
2. Click Delete.
3. When you have finished adding or modifying sections, click OK to save them and close the Audit Log Routing dialog.
Note: When you modify the selogrd.cfg file, eTrust AC creates a copy of the original file named selogrd.cfg_save. This occurs on all the hosts that you selected.

Chapter 13: Setting Security Administrator Options

This section contains the following topics:
Specifying Preferences (see page 149)
Preference Dialog Settings (see page 149)

Specifying Preferences

This procedure shows how to specify preferences for operations (rather than for users and for groups).
1. From the Tools menu on the Main window, choose Options. The Preferences dialog appears.
2. Change whatever settings you wish. See Preference Dialog Settings in this chapter.
3. To save the changes, click OK. The values you specify are saved in the seam.ini file, so that Security Administrator can use them in future sessions.

Preference Dialog Settings

This section describes the settings on each page of the Preferences dialog.

Master Database Page

The Master Database page lets you specify the hosts whose databases are loaded when you start Security Administrator.

eTrust AC host
  The eTrust AC host (or hosts) whose users, groups, resources, password policies, and account policies are loaded when you invoke Security Administrator. The transactions you execute are implemented on these hosts.
UNIX host
  The UNIX host (or hosts) whose users, groups, resources, password policies, and account policies are loaded when you invoke Security Administrator. The transactions you execute are implemented on these hosts.
Windows NT host
  The Windows host (or hosts) whose users, groups, resources, password policies, and account policies are loaded when you invoke Security Administrator. The transactions you execute are implemented on these hosts.

Activity Page

The Activity page contains preferences for the Activity window.
Verify before executing
  Whether to delay execution of each transaction until you click GO in the Activity window. If you do not select this option, processing begins at the same time that the Activity window appears.
Remove host on failure (query)
  When processing a user or group query, whether to erase from the Activity window the names of hosts where the query failed. If you do not select this option, you must inspect the results to see where the user or group is defined and where it is not.
Execute backout commands on warning
  Whether the backout commands, which undo a transaction, should be activated when a warning is issued. If you select this button, every time a warning is issued the transaction is undone.
Print Command
  The command in the dialog for printing transaction results. The default is lp.
Output directory
  The name of the directory for temporary files. When you close Security Administrator, the temporary files are deleted.
Max. hosts running parallel
  The number of hosts where Security Administrator runs transactions simultaneously. The default is 1, meaning that Security Administrator runs transactions on one host at a time.

Retry Mechanism Page

The Retry Mechanism page contains preferences for retrying transactions.

Automatic retry mechanism: Number of retries
  The number of times Security Administrator tries to connect to a host after failing the first time. The default is 3. Clicking the STOP button in the Activity window stops the retries.
Automatic retry mechanism: Interval between retries
  How many seconds Security Administrator waits before each retry. The default is 60.
Automatic retry mechanism: Max. hosts running parallel
  The number of hosts where Security Administrator retries transactions simultaneously without a retry request from you. The default is 1.
Manual retry (Output box): Max. hosts running parallel
  The number of hosts where Security Administrator retries transactions simultaneously when you retry from the Host Messages/Commands window. The default is 1.

Password Page

The Password page contains preferences for passwords.

Use clear password
  The default password policy for a user or group. When Use clear password is selected, you can see the password when you enter it on the screen or when a password generator enters a password automatically. If you do not select Use clear password, you must type the password twice and you cannot see the password.
Password generator
  The name of the program that generates the password automatically. (For information about preparing such a program, see The Password Generation Utility in the appendix “seam.ini and UNIX Exits.”) If you leave the box blank, then a random algorithm creates the password.

Property Editor Page

The Property Editor page contains preferences for the windows that let you create and modify users, groups, and resources.

Synchronize mode
  When you specify Synchronize mode, the value for a property that appears in more than one section of the property editor is automatically copied from one section to the others. If you do not select this option, the values remain independent of each other. The properties can have the same name, as in Password, or they can be close equivalents such as the eTrust AC Full Name and the UNIX GECOS Info. To find corresponding properties, use the tables in the appendix “Resource Properties,” or see the defaults.usr and defaults.grp files in eTrustACDir/data/seam/defaults.
APPL Extractors
  The names of the utilities that restore data from UNIX exits to the site-specific fields in the property editor APPL section. One utility is for user data and another utility (or the same one) is for group data.
  (See Passing Arguments to UNIX Exits in the appendix “seam.ini and UNIX Exits.”)

Other Page

The Other page contains miscellaneous preferences.

Host database path
  The full directory path of the Security Administrator files that store definitions for hosts and host groups.
Delete homedir for delete user
  Whether to delete a user home directory automatically when Security Administrator deletes a user from the UNIX environment. If this option is selected, then the home directory is deleted by default when you delete a UNIX user. Otherwise, the default is to retain the user home directory.

Chapter 14: The Audit Browser: seauditx

This section contains the following topics:
The seauditx Utility (see page 155)
Starting seauditx (see page 156)
The seauditx Main Window (see page 157)
Filtering Audit Records (see page 165)
Opening an Audit Log (see page 167)
Viewing Audit Record Details (see page 169)
Commenting the Audit Log (see page 174)
Adding Acknowledgements (see page 177)
Reassigning Comments and Acknowledgements (see page 178)
Printing the Audit Log (see page 179)
Setting Preferences for seauditx (see page 179)
Customizing seauditx (see page 180)
The seos.ini File (see page 180)

The seauditx Utility

The seauditx utility is an X Window System graphical user interface (GUI) that displays, filters, and prints the data in the audit log. The utility lets you set preferences, print the current selection of audit log records, and open old audit logs that were saved.

The seauditx utility is installed when you install the Security Administrator. For installation instructions, see the chapter “Installing Security Administrator.”

We recommend that you become familiar with the basic concepts of eTrust AC before using seauditx. The concepts, both basic and advanced, are described in the Administrator Guide and the Reference Guide.

This chapter describes the seauditx audit browser.
It includes information about:
  How to start seauditx
  The seauditx Main window
  The audit log
  How to perform the various functions of seauditx

Note: eTrust AC also offers the seaudit utility. The seaudit utility is an audit reader, not a GUI. For more information about this utility, see the Utilities Guide.

Starting seauditx

You can start seauditx from the command line or the Security Administrator.
1. Start the X Window system and ensure that the application display is set to your terminal according to the system requirements at your site.
2. Start seauditx in one of the following ways:
   In Security Administrator, choose Audit from the Report menu of the Main window.
   At the command line, enter the seauditx command.

seauditx supports the same command line parameters as seaudit. For more information, see the seaudit utility in the Utilities Guide. For example, the following command opens the seauditx Main window with the Resource switch activated and the FILE class selected. The window displays all the File audit records in the database.

  seauditx -r FILE \* \*

Note: Entering seauditx -h gives you a list of all the command line parameters. It also gives examples of strings of parameters.

Note: The seauditx utility does not display a password even if one was entered as part of a logged chusr, editusr, or newusr command. A series of asterisks (***) appears instead of the clear-text password.

The seauditx Main Window

The seauditx utility displays records from the default audit log, which contains audit information for the station where you are working. The audit log is automatically opened and filtered according to the default settings. A progress indicator appears. Usually filtering takes seauditx several seconds. You can stop the operation by clicking Stop in the progress indicator window at any point. After the filtering is finished, the Main window appears.
The Main window contains the following areas:

Title bar
  Displays the window title and several buttons used to close, minimize, or maximize the window.
Menu bar
  Contains the pull-down menus.
Switches
  Contains settings that filter data from the audit log according to what caused an event to be audited.
Options
  Contains settings that filter data from the audit log according to data that is in every record, such as date, time, source, and type of error.
Text Output
  Contains the audit log records, reports of login attempts and resource access attempts, and reports of relevant messages displayed by eTrust AC after execution of a login or access command.
Scroll bars
  Contain standard tools to move up and down or left and right to locate the particular record you want.

The switches and options in the Main window can be used separately or together to define exactly which records you want to display from the audit log in the output area, and can filter the audit log in various ways such as the following:
  User login
  Terminal login
  Host
  Resource class
  Start and end dates
  Start and end times
  Type of access

Switches

Use various switches to select data from the audit log. At least one switch must be active. You can use more than one switch at a time to provide a more specific filter. The following table describes the switches and the filtering they provide.

Switch / Element / Description

Login
  User: Selects the login data for one user or for a selected set of users. Enter the user name or a pattern.
  Terminal: Selects the login data from one terminal or from a selected set of terminals. Enter the terminal name or a pattern.
  Host: Selects the data from one host or from a set of hosts. Enter the host name or a pattern.
  Services: Selects the data of one service or of a set of services. Enter the service name or a pattern.

Resource
  Class: Selects the data from one class or from a selected set of classes. Enter the class name or a pattern.
  Resource: Selects one or more specific records in the selected classes, if you select a resource class in the Class element of this switch.
  User: Selects the data of one user or a selected set of users who tried to access the specified resource.

Network
  Resource

Trusted Program
  Displays the data for programs that are marked as Trusted.

StartupShutdown
  Lists the start-up and shutdown commands for eTrust AC daemons.

Admin
  Command: Selects the eTrust AC command to display in the Text Output area. Even if you write the full name of the command, an asterisk (*) must follow it.
  Class: Specifies which class or set of classes to display as targets of the specified command.
  Object: Selects a specific record or set of records to display as targets of the specified command.
  User: Selects one user or a set of users who executed the specified command.

Trace
  User: Displays the trace records of the user with the specified user name.
  Resource: Displays the trace records of the specified resource.
  Records Only: Displays all the trace records of the users and resources whose activities are being traced.

Options

Use the various options to select the data for display in Text Output. You can use more than one option to provide a more exact selection of records from the audit log. The following table describes the options and the filtering they provide.

Option / Elements / Description

Date
  Start, End: Command is reported only if it was executed during the period defined by the start and end dates.
Time
  Start, End: Command is reported only if it was executed during the period defined by the start and end times.
Source
  Host: If the data has been collected from several hosts, this option permits you to select data from one host or from a specified set of hosts. Enter the host name or a pattern.
Show
  Failures, Successes, Notify, Warnings, Password, Logout: Data is reported that meets one or more of these criteria, which are types of access. For example, if you want to see accesses that failed, select Failures, and seauditx displays only the entries in the audit log that represent failed access.

Text Output

After you select criteria in the Switches and Options areas, and press Apply, the filtered information from the audit log appears in Text Output.

To view information that lies outside the currently displayed window, you can do any of the following:
  Use the scroll bars, which move Text Output horizontally and vertically.
  Minimize the Switches area and the Options area, automatically increasing the size of Text Output. For more information, see Minimizing and Maximizing Areas in this chapter.
  Enlarge the Main window to increase the size of Text Output.

Note: To see detailed information about a record in the Text Output area, double-click it. See Viewing Audit Record Details in this chapter.

The columns in the Text Output area are described in the following table:

(Comment)
  Column to click to add or remove a comment in a record. See Commenting the Audit Log in this chapter.
(Acknowledge)
  Column to click to add or remove an acknowledge icon (check mark) to signify that the record has been read. See Adding Acknowledgements in this chapter.
Host
  Host station where the audit record was collected.
Date
  Date when the (attempted) access occurred.
Time
  Time when the (attempted) access occurred.
R
  eTrust AC alphabetic return code indicating what happened. The values and their meanings are:
  A: An attempt to log in failed because an invalid password was entered repeatedly.
  D: eTrust AC denied access to a resource, did not permit a login, or did not permit an update to the eTrust AC database because the accessor did not have sufficient authorization.
  E: Serevu enabled a disabled user account.
  F: An attempt to update the eTrust AC database failed.
  I: Serevu disabled a user account.
  M: The executed command started or stopped a daemon.
  O: A user logged out.
  P: eTrust AC permitted access to a resource or permitted a login.
  S: The eTrust AC database was successfully updated.
  T: An audit record was written because all the actions of the user are being traced.
  U: A trusted program (setuid or setgid) was changed; therefore, it is no longer trusted.
  W: An accessor's authority was insufficient to access the specified resource; however, eTrust AC allowed the access because warning mode is set in the resource.
Event
  The attempted action.

The remaining fields depend on the type of event in the Event column, as described in the following sections.

For Most Event Types (All Types Except Login, Logout, Update, and Trace)

Most event types have the following columns to the right of the Event column.

User
  The name of the accessor who executed the command.
Acc(or) (Access or Accessor)
  The access type, if relevant.
Stage
  Two numbers. The first number (up to three digits) indicates at which stage eTrust AC decided what action to take. The second number represents the reason for the audit record. For an explanation of this code, double-click anywhere in the record.
Object
  The name of the resource being accessed or updated.
Pgm
  The name of the program that accessed the resource.

For Login and Logout

Login and Logout events have the following columns to the right of the Event column:

Class / User
  The name of the accessor who executed the command.
Acc(or) (Access or Accessor)
  The access type.
Stage
  Two numbers. The first number (up to three digits) indicates at which stage eTrust AC decided what action to take. The second number represents the reason for the audit record. For an explanation of this code, double-click anywhere in the record.
Object
  The name of the terminal from which the login or logout was attempted.
Pgm / Origin
  The name of the program that attempted the login or logout.
For Update

Update events have the following columns to the right of the Event column.

Class / User
  The class that was updated.
Acc(or) (Access or Accessor)
  The name of the accessor who executed the command.
Stage
  Two numbers. The first number (up to three digits) indicates at which stage eTrust AC decided what action to take. The second number represents the reason for the audit record. For an explanation of this code, double-click anywhere in the record.
Object
  The name of the resource being updated.
Pgm / Origin
  The name of the terminal from which the update was made.
Command / Miscellaneous
  A complete copy of the command entered by the accessor. If the command is a password update, the password itself is not displayed.

For Trace

Trace events have the following columns to the right of the Event column. Trace indicates that the record was created for the class on which the action was performed.

Login user ID
  The UNIX UID of the process.
Effective user ID
  The effective UID of the process.
Real user ID
  The UID that eTrust AC associates with the process.
Stage Code
  A number that indicates at which stage eTrust AC decided what action to take. For more information about stage codes, see the Reference Guide.
Trace Information
  The name and details of the resource being accessed or updated, or the action being traced. The format of these fields is the same as the format described in the Utilities Guide.

Minimizing and Maximizing Areas

The Switches, Options, and Text Output areas in seauditx can appear minimized or maximized. A minimized area occupies only sufficient space to display the current settings of the area. Settings cannot be changed in a minimized area. A maximized area displays all information in the area, whether it is selected or not, and settings can be changed there.
To toggle an area between minimized and maximized, click the arrow button to the left of the area title. The following figure shows the Switch and Options areas minimized. With these areas minimized, you can see more audit records in the Text Output area.

Help

The online help for seauditx provides the following information:
  The seauditx version number. Choose Help, About in the Main window.
  Information about seauditx. Choose Help, Contents in the Main window.
  Information about dialogs. Click the Help button in those dialogs.

Filtering Audit Records

You can control which audit records appear in the Text Output area by changing information in the Switches and Options areas. A button represents each switch and option. At least one switch must be selected; however, you do not have to select any options. In this figure, the switch in the upper left box, Login, is active; all the others are inactive.

When you deactivate a button, all the settings for the button are saved. They are recalled when you next activate the button. If a button is active, you can change the criteria in its boxes, and activate the filter criteria by pressing Apply. If a button is inactive, the specified criteria are not applied.

Note: You must enter years as four digits (for example, 1997), and times as 24 hours (hh:mm), separating the hours and minutes with a colon (:). For example, to specify 2:15 p.m., type 14:15.

Changing the Filter

You can change the list in the Audit log by specifying filter criteria.
1. Specify filter criteria by setting the switches and options:
   To toggle a button between active and inactive, click anywhere within the button frame except a text box.
   To change the value in a text box, double-click the old value and then enter the new value over it.
   To specify classes for Resource and Admin, click the arrow beside the text box to display a list of options. Click to select the class you want.
   To change a month on the Date button of the Options area, click the month and then select the new month from the pop-up menu.
2. Press Enter or click Apply.

In the following two cases it is not necessary to click Apply:
  When seauditx is invoked from the command line. You can activate a filter by typing the appropriate command line parameters. If the filter is not activated by command line parameters, then a default filter is activated. The default filter is installed with seauditx, and cannot be changed.
  When a file is opened or loaded through the File menu. The filter is activated according to the switches and options set in the main window at the time the file is opened or loaded.

After you click Apply, the Main window displays a progress indicator. The progress indicator measures the time span of the operation. Usually, it takes seauditx several seconds to filter the information differently or to load a different file. You can stop the operation by clicking Stop in the progress indicator window at any point.

Saving the Filter

After setting the switches and options, you can save the filter criteria you selected.
1. From the System menu, select Save Filter. The SeOS Audit Save Filter dialog appears.
2. Enter a name for your filter in the Filter Name field and click OK.

All saved filters are kept in your home directory in the audit.ini file. You need never open that file directly, but be careful not to delete it.

Retrieving a Saved Filter

To use a saved filter, follow this procedure:
1. From the System menu, choose Load Filter. The Audit Load Filter dialog appears.
2. Select one of the saved filters displayed in the Filter name field. In the Command line options field, all the options and switches for the selected filter appear. To see all the criteria, scroll the information with your left mouse button.
3. Click OK or press Enter.
Opening an Audit Log

Provided you have sufficient authority, you can open the latest eTrust AC audit log or any other eTrust AC audit log that was saved. The log appears in the Text Output area of the seauditx Main window.
1. From the File menu, choose Open. The File Selection dialog appears.
2. Specify a file name by doing one of the following:
   Enter the full path and file name in the Selection field.
   Use the Directories and Files lists with the Filter field.
   – Double-click to select directories in the Directories list and files in the Files list. The selections appear in the Filter field. The file name in the Filter field does not change when you click to change directories.
   – Limit the files and directories displayed by entering filters in the Filter field. Use the asterisk (*) wildcard, which signifies zero or more characters.
   After you have selected a path and file name, click the Filter button to make the Selection field match the Filter field.

When you have specified the file you want to open, click OK or press Enter. The specified file is opened and filtered according to the filter criteria that were set when you started to open the file.

Loading a Backup Audit Log

When the default audit log becomes very large, eTrust AC saves it as a backup log. eTrust AC creates a new, empty audit log that becomes the default. The name of the backup audit log is defined in the audit_back token in the seos.ini file.

To load the backup audit log, in the seauditx Main window choose File, Load, Backup.

Loading a Collected Audit Log

The collected audit log contains all the audit information amassed by the eTrust AC collector program, selogrcd. Selogrcd collects audit information from selected stations that are running eTrust AC auditing programs and sending the records through selogrd. The name of the collected audit log is defined in the CollectFile token in the seos.ini file.
To load the collected audit log, in the seauditx Main window choose File, Load, Collected.

Loading a Default Audit Log

The default audit log contains current audit information about the station where you are working. The name of the log is defined in the audit_log token in the seos.ini file.

To load the default audit log, in the seauditx Main window choose File, Load, Default.

Viewing Audit Record Details

You can see detailed information about any record in the audit log shown in the Text Output area of the seauditx Main window.
1. Select the record that has information you want to see by clicking it or moving the cursor to it with the up or down arrow key.
2. Double-click the record or press Enter. The Audit Record Info dialog appears.

Different information appears for different event types. In the dialog shown, the type of event is incoming network connection.

Note: If you have configured your system to trace network sessions, and information is available about what computers the user has been logging into, the Net Trace button is active. In this case, you can click the Net Trace button to receive more information about the source and trace of the login. For information about the dialog that the Net Trace button displays, see Network Trace Information Dialog in this chapter. For configuration details, see Network Session Trace Configuration in this chapter.

The following is a list of the various types of information shown in the Audit Record Info dialog for the event types, in alphabetical order. Not all of this information appears for all the events.

Access
  The access type, if relevant.
Administrator
  The name of the administrator who executed the command in the selected record.
Class
  The class that the executed command was directed to.
Command
  The complete command that the accessor entered.
Command type
  The type of command used in the selected record.
For example, Add Resource appears if the command executed was to add a resource.
Daemon: The name of the daemon that was started or shut down.
Date: The date on which the command was executed: day, month, and year.
Details: Other details about the executed command. If the event type was a daemon shutdown or a trace, Details tells at which stage eTrust AC decided what action to take. Details can also record the reason for the success or failure of the access attempt, or the purpose of the access.
Effective user ID: The effective UID of the process.
Event type: The type of event that took place. For example, if a resource was added to the database, the Event type field displays "Security database administration."
File: The name of the file being accessed.
Host name: The name of the remote host from which the connection was executed (or attempted).
Login user ID: The UNIX UID of the process.
Object: The resource being accessed.
Program: The name of the program through which the event was executed.
Real user ID: The UID that eTrust AC associates with the process.
Resource: The name of the resource being accessed or updated.
Service: The name of the service that was requested from the remote host.
Status: What happened when the user accessed or attempted to access the resource. The full word of the explanation appears here. For a list of all the possibilities, see the R (Alphabetic Return Code) entry under Text Output in this chapter.
Terminal: The terminal from which the event was executed.
Time: The exact time at which the command was executed.
Trace Information: The name and details of the resource being accessed or updated, or the action being traced. The format of these fields is the same as the format described in the Utilities Guide.
User name: The name of the accessor who executed the command.
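Which file each of the three File, Load choices opens is decided by the seos.ini tokens named under Loading a Backup, Collected, and Default Audit Log above. The following added example is not part of this guide and is not CA's code: POSIX shell helpers that read those tokens from seos.ini and check the file before you open it in seauditx. Two assumptions are made that the guide does not state: that audit_log and audit_back live in the [logmgr] section and CollectFile in the [selogrd] section (the two sections this chapter says seauditx uses), and that an ETRUSTAC_DIR environment variable may override the default installation directory. The seos.ini fragment in the block is constructed for the example.

```shell
# Added example, not CA code: resolve which file each seauditx File, Load
# choice opens by reading the seos.ini tokens this chapter names, and check
# the file before opening it. Section names are an ASSUMPTION: audit_log and
# audit_back are taken to live in [logmgr] and CollectFile in [selogrd].
ACDIR="${ETRUSTAC_DIR:-/opt/CA/eTrustAccessControl}"   # ETRUSTAC_DIR: assumed override

# Constructed seos.ini fragment for the demonstration (paths use the guide's
# default install directory; nothing is read from a live system).
SAMPLE_SEOS_INI='; constructed seos.ini fragment
[logmgr]
audit_log = /opt/CA/eTrustAccessControl/log/seos.audit
audit_back = /opt/CA/eTrustAccessControl/log/seos.audit.bak
audit_size = 1024

[selogrd]
CollectFile = /opt/CA/eTrustAccessControl/log/seos.collect.audit'

# seos_token SECTION TOKEN [FILE]: print the value of TOKEN in [SECTION],
# skipping ; and # comment lines and trimming blanks; prints nothing if absent.
seos_token() {
    awk -v sec="$1" -v tok="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
            insec = (s == sec); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == tok) { print v; exit }
        }' "${3:-$ACDIR/seos.ini}"
}

# audit_log_for CHOICE [FILE]: the path behind File, Load, CHOICE
# (Default, Backup or Collected).
audit_log_for() {
    case "$1" in
        Default)   seos_token logmgr  audit_log   "$2" ;;
        Backup)    seos_token logmgr  audit_back  "$2" ;;
        Collected) seos_token selogrd CollectFile "$2" ;;
        *) echo "unknown load choice: $1" >&2; return 1 ;;
    esac
}

# log_status PATH: missing, unreadable (insufficient authority), empty, or
# "ok SIZE" in bytes. An empty default log right after a rollover is normal;
# a missing backup log after a rollover deserves a look.
log_status() {
    if   [ ! -e "$1" ]; then echo missing
    elif [ ! -r "$1" ]; then echo unreadable
    elif [ ! -s "$1" ]; then echo empty
    else echo "ok $(wc -c < "$1" | tr -d ' ')"
    fi
}
```

Typical use on a live host is `log_status "$(audit_log_for Backup)"` before choosing File, Load, Backup; with no file argument the helpers read $ACDIR/seos.ini.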
Network Trace Information Dialog

To receive more trace login information, click the Net Trace button in the Audit Record Info dialog. The Net Trace dialog opens and shows the following information:

Date: The date when the login took place.
Host: The name of the host to which the login occurred.
User: The user name used for the login.
Login program: The program used to log in.
Session: A unique session number for each session opened in eTrust AC.

Network Session Trace Configuration

The following configuration steps activate network session tracing, which lets you find the computers that users have logged on to.

Note: The following procedures assume that you installed eTrust AC in the /opt/CA/eTrustAccessControl directory.

Collection Hosts

At each collection host:

1. For all platforms except IBM AIX, Digital DEC UNIX, and HP-UX, add the following line to the file /opt/CA/eTrustAccessControl/etc/selogrcd.ext:
   sessgen /opt/CA/eTrustAccessControl/lib/ext_so.so.500.0
   For IBM AIX platforms, add the following line instead:
   sessgen /opt/CA/eTrustAccessControl/lib/ext_so.o.500
   For Digital DEC UNIX and HP-UX platforms, add the following line instead:
   sessgen /opt/CA/eTrustAccessControl/lib/ext_so.sl.500.0

2. Copy the file /opt/CA/eTrustAccessControl/data/seauditx/loginports.init to the directory /opt/CA/eTrustAccessControl/etc.

3. Start the selogrd daemon.

Collection Agents

At each collection agent:

1. Start the seosd daemon.

2. Change the CONNECT, HOST, and TCP classes by entering these eTrust AC (selang) commands:
   so class-(CONNECT, HOST)
   so class+(TCP)

3. Add the audit property for the user to be traced:
   chusr userName audit(loginsuccess)

4. Enable auditing for the TCP class through its default record:
   cr TCP _default audit(a)

5. Add the following to the /opt/CA/eTrustAccessControl/log/selogrd.cfg file:
   NetSection
   host hostName
   include CLASS(TCP*).
   include CLASS(LOGIN).
   include CLASS(SHUTDOWN).
   where hostName is the name of the host to which the information is sent for collection.

Commenting the Audit Log

You can attach comments to the audit records displayed in the Text Output area of the seauditx Main window. The procedures in this section show you how to:
– Create or edit a comment
– Add information from a file to a comment
– Save a comment in a file
– Search for text in a comment
– Remove a comment
– Print a comment

Creating or Editing a Comment

1. To create a new comment, select the record that you want to comment on and click the leftmost dot. To edit an existing comment, click the comment icon. The Comment Editor dialog appears.

2. To add or edit the comment, click in the text box and start typing. When you are finished, click OK to save the comment in an internal seauditx file.

When you create a new comment, the dot in the Text Output area of the seauditx Main window changes to a comment icon.

Inserting Information from an External File into a Comment

You can use the contents of an external file as a comment. You can also copy information from an external file into an existing comment. This procedure shows how to do both.

1. Select a record to comment on and click the leftmost dot. The Comment Editor window appears.

2. From the File menu, choose Open. A File Selection dialog appears.

3. Either enter a file name in the Selection field, or locate your file using the Directories and Files lists with the Filter field. (For information about how to use the File Selection dialog, see Opening an Audit Log in this chapter.) The contents of the file appear in the Comment Editor.

4. If necessary, edit the comment by clicking in the display area and typing.

5. If you want to copy this text into an existing comment:
   a. Select the text to copy, and from the Edit menu choose Copy.
      If you need to search for the right text first, see Searching for Text in a Comment in this chapter.
   b. Open the other comment from the seauditx Main window.
   c. In the Comment Editor, position the cursor where you want to insert the information, choose Edit, Paste, and click OK.

Saving a Comment in an External File

You may want to save a comment in an external file in order to use the same text again for other audit log records.

1. In the Comment Editor, pull down the File menu and choose Save. The File Selection dialog appears.

2. Either enter a file name in the Selection field, or locate your file using the Directories and Files lists with the Filter field. (For information about how to use the File Selection dialog, see Opening an Audit Log in this chapter.) If a file with the same name already exists, a prompt asks you to confirm that you want to overwrite the existing file.

3. Click OK or press Enter.

Searching for Text in a Comment

This procedure shows how to find text in a comment that is displayed in the Comment Editor.

1. Open a comment in the Comment Editor by clicking the comment icon in the seauditx Main window. If the comment is saved in an external file, open the file by choosing File, Open.

2. In the Comment Editor, choose Edit, Find.

3. In the Find dialog that appears, enter the text that you are looking for and click OK.

4. To find the next occurrence, choose Edit, Find Next.

5. Another way to search is to highlight the text you want to find in the comment with the mouse, and then choose Edit, Find Selection. The cursor and highlight jump to the next occurrence of that text.

Note: To select text, left-click at the beginning of the text, hold down the left button while dragging the mouse to the end of the text, and then release the button.

Clearing the Comment Editor Dialog

By removing all text from the Comment Editor, you can enter a new comment.
Use either the Edit menu or the pop-up menu that appears when you right-click in the display area, and choose Clear Window from either menu.

Removing a Comment

This procedure removes a comment from the internal seauditx file, but not from any external file you created for the same comment.

1. Click the comment icon in the Text Output area. The Comment Editor dialog appears.

2. Click the Remove button at the bottom of the Comment Editor. The comment is erased from the internal seauditx file, and the comment icon reverts to a dot.

Printing a Comment

You can print a whole comment or selected text in a comment.

1. Open a comment in the Comment Editor by clicking the comment icon in the seauditx Main window. If the comment is saved in an external file, open the file by choosing File, Open.

2. To print the whole comment, choose File, Print (or right-click and choose Print). To print part of the comment, drag to select the text, and choose File, Print Selection.

Note: The default print command is lpr. You can change the default print command by choosing Preferences from the System menu.

Adding Acknowledgements

To acknowledge that you have examined a line in the audit log, you can tag it with a check mark to serve as a reminder in the future. The check mark is graphical only and does not change the audit log.

To acknowledge that you have examined a line, click the near-left dot (the dot next to the comment dot). The dot becomes a check mark. To remove the check mark, click it; it reverts to a dot.

Reassigning Comments and Acknowledgements

In several circumstances, you must reassign or remove the comments and acknowledgements for an audit file:
– You delete the audit file. The comments and acknowledgement marks are not automatically removed from the seauditx log file.
– You move the audit file. The comments and acknowledgements are not automatically moved in the seauditx log file.
– eTrust AC backs up the audit log. When the audit log becomes very large, eTrust AC saves the log file under a different name and opens a new audit log.

In these cases seauditx prompts you to reassign or remove your comments.

To remove the comments, click the Remove button. The comments are erased from the internal seauditx files and no longer appear. If you received the prompt because eTrust AC created a backup of your audit file, the comments no longer appear in the backup audit file either.

To reassign the comments to another audit log file:

1. Click the Reassign button. The File Selection dialog opens.

2. Either enter a file name in the Selection field, or locate your file using the Directories and Files lists with the Filter field. (For information about how to use the File Selection dialog, see Opening an Audit Log in this chapter.)

3. Click OK. The comments are reassigned to the chosen audit log.

Whether the audit file was deleted, moved, or backed up, the new file opens without comments. The previous audit log still has its comments.

Printing the Audit Log

You can print the audit data in the Text Output area of the seauditx Main window. If you filtered the information in the log (see Filtering Audit Records in this chapter), all audit records that match the filter are printed, whether currently visible or not. Comments and acknowledgement marks are not printed.

1. From the File menu in the seauditx Main window, choose Print. The Print dialog appears, containing the default print command.
   Note: The default print command is lpr. You can change the default print command by choosing Preferences from the System menu.

2. If necessary, enter a new command over the existing command.

3. Press Enter or click OK. The file is sent to the printer.

Setting Preferences for seauditx

Preferences set the default print command and determine how information appears in seauditx. To change the preferences:

1. From the System menu, choose Preferences.
   The Audit Preferences dialog appears.
   Note: When seauditx is installed, hosts and services are identified by name, and the print command is lpr by default.

2. Click a radio button to specify how to identify network hosts. This setting determines the format of the data in the Text Output area and the format you use to specify network hosts in the Switches area.

3. Click a radio button to specify how to identify network services. This setting determines the format of the data in the Text Output area and the format you use to specify network services in the Switches area.

4. To change the print command, enter the new command over the existing command.

5. Click OK. Your preferences are saved in the .audit.ini file in your home directory.

Customizing seauditx

The application resources that you can customize, such as colors and fonts, are in the seauditx file. During standard installation, this file is placed in the /usr/lib/X11/app-defaults/ directory on all platforms except Sun Solaris, where it is placed in the /usr/lib/openwin/app-defaults/ directory.

The seos.ini File

The seauditx utility uses tokens in two sections of the seos.ini file: logmgr and selogrd. For more information, see the Administrator Guide.

Chapter 15: SecMon

This section contains the following topics:
SecMon (see page 181)
Starting SecMon (see page 182)
Minimizing SecMon (see page 183)
The SecMon Main Window (see page 184)
Performing Tasks with SecMon (see page 191)

SecMon

SecMon is an X Window System graphical user interface (GUI) that provides an ongoing display of current audit events taking place in a UNIX environment. The utility's Main window displays real-time data that is also written to the audit log. The window both lists audit events and lets you see detailed information about them.

The SecMon utility is installed when you install the Security Administrator.
For installation instructions, see the chapter "Installing Security Administrator."

We recommend that you become familiar with the basic concepts of eTrust AC, and with log routing in eTrust AC, before using SecMon. The concepts, both basic and advanced, are described in the Administrator Guide and the Reference Guide.

This chapter describes the SecMon audit viewer. It includes information about the following:
– How to invoke SecMon
– The SecMon Main window
– How to perform the various functions of SecMon

Note: eTrust AC also offers the seauditx utility, a GUI that displays, filters, prints, and saves audit information. For more information about this utility, see the chapter "The Audit Browser: seauditx."

Note: SecMon does not display a password even if one was entered as part of a chusr, editusr, or newusr command. A series of asterisks (***) appears instead of the clear-text password.

Starting SecMon

Start SecMon from the command line.

1. Start the X Window System and ensure that the application display is set to your terminal according to the system requirements at your site.

2. Do the following on each client machine:
   Edit the file eTrustACDir/log/selogrd.cfg (where eTrustACDir is the directory in which you installed eTrust AC, by default /opt/CA/eTrustAccessControl) to define the audit events you want to be notified about. For the syntax of this file, see the selogrd utility in the Utilities Guide. Be sure that the message destination type in the selogrd.cfg file is cons. Use the heading secmon and set the destination name to the full host name of the administrator machine on which SecMon will run. For example, to have SecMon on monitoring_host_name display a message each time a user starts an eTrust AC daemon, the destination for that host is the following three lines in eTrustACDir/log/selogrd.cfg (the rules that select which events are sent follow the selogrd.cfg syntax in the Utilities Guide):
   secmon
   cons monitoring_host_name
   .
   Then start the selogrd daemon:
   selogrd

3. Start the SecMon application on the administrator machine.
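Two passages in this guide have you hand-edit selogrd configuration on many hosts: the collection-host and collection-agent steps under Network Session Trace Configuration in the chapter "The Audit Browser: seauditx" (the per-platform sessgen line for selogrcd.ext, the selang commands, and the NetSection block), and the secmon/cons destination in step 2 above. The following added example is not part of this guide and is not CA's code: POSIX shell helpers that emit those fragments and append them without duplicating a section when the setup is run a second time. Assumptions the guide does not state: the uname -s values AIX, OSF1 (Digital DEC UNIX) and HP-UX for the platforms the procedure names, an ETRUSTAC_DIR environment variable to override the installation directory, and that selang accepts commands on standard input. The default-record command is written `cr TCP _default audit(a)`, with the class name and the _default record as separate words, as selang's cr command takes them.

```shell
# Added example, not CA code: helpers for the selogrcd.ext and selogrd.cfg
# edits described in this guide. ACDIR defaults to the guide's install path;
# ETRUSTAC_DIR is an assumed override, not a documented eTrust AC variable.
ACDIR="${ETRUSTAC_DIR:-/opt/CA/eTrustAccessControl}"

# sessgen_line PLATFORM
# Prints the sessgen line for $ACDIR/etc/selogrcd.ext on a collection host.
# The suffix mapping is the one in Network Session Trace Configuration;
# PLATFORM is ASSUMED to be the output of `uname -s` (AIX, OSF1, HP-UX, other).
sessgen_line() {
    case "$1" in
        AIX)        ext="ext_so.o.500" ;;
        OSF1|HP-UX) ext="ext_so.sl.500.0" ;;
        *)          ext="ext_so.so.500.0" ;;
    esac
    printf 'sessgen %s/lib/%s\n' "$ACDIR" "$ext"
}

# net_section COLLECTOR_HOST
# Prints the NetSection block a collection agent needs in
# $ACDIR/log/selogrd.cfg to send TCP, LOGIN and SHUTDOWN records.
net_section() {
    printf 'NetSection\nhost %s\n' "$1"
    printf 'include CLASS(TCP*).\ninclude CLASS(LOGIN).\ninclude CLASS(SHUTDOWN).\n'
}

# secmon_section MONITOR_HOST
# Prints the cons destination (three lines, terminated by ".") that sends
# real-time messages to the administrator machine running SecMon.
secmon_section() {
    printf 'secmon\ncons %s\n.\n' "$1"
}

# agent_selang USER
# Prints the selang commands from the collection-agent steps, for use as
# `agent_selang alice | selang` (ASSUMPTION: selang reads commands on stdin).
agent_selang() {
    printf 'so class-(CONNECT, HOST)\nso class+(TCP)\n'
    printf 'chusr %s audit(loginsuccess)\ncr TCP _default audit(a)\n' "$1"
}

# append_block FILE
# Appends the block read on stdin to FILE unless FILE already contains the
# block's first line verbatim (the section header), so re-running the setup
# does not duplicate sections. Returns 1 when nothing was appended.
append_block() {
    block=$(cat)
    [ -f "$1" ] || : > "$1"
    if grep -qxF -- "$(printf '%s\n' "$block" | head -n 1)" "$1"; then
        return 1
    fi
    printf '%s\n' "$block" >> "$1"
}
```

On a collection host the sequence is `sessgen_line "$(uname -s)" | append_block "$ACDIR/etc/selogrcd.ext"`; on an agent, `net_section coll01 | append_block "$ACDIR/log/selogrd.cfg"` followed by `agent_selang alice | selang`, and on each SecMon client `secmon_section admin01.example.com | append_block "$ACDIR/log/selogrd.cfg"` before starting selogrd. The header check is deliberately simple: it prevents duplicate sections, not a changed host name inside an existing section, which you still review by hand.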
When you start SecMon with command-line parameters, the Main window applies them when it opens. For example, to open the Main window with 20 rows of data displayed, enter the command:
secmon -visibleRows 20

Note: Entering secmon -h gives you a list of all the command-line parameters.

Minimizing SecMon

If you run SecMon as an icon (minimized), it alerts you to new messages by flashing (except under the fvwm95 window manager). Click the minimize button to reduce SecMon to an icon on the desktop.

The SecMon Main Window

After you enter the secmon command, the Main window appears. It displays audit messages as they are received. The Main window contains the following areas:

Title bar: Displays the window title and several buttons used to close, minimize, or maximize the window.
Toolbar: Contains buttons that let you stop or start real-time auditing, change the buffer size, clear records, view information about SecMon, and exit SecMon.
Text Output: Contains audit records displayed in real time.
Detailed Info: Gives further detail for the chosen audit record.
Scroll bars: Standard controls to move up and down or left and right to locate the particular record you want.

The SecMon audit utility can display records according to the following criteria:
– User login
– Terminal login
– Specific host
– Specific resource class
– Start and end dates
– Start and end times

You select the type of access that is reported by editing the selogrd.cfg file on all the monitored systems. All reporting is run-time only. To look at the stored audit logs, use the seauditx utility (for more information, see the chapter "The Audit Browser: seauditx").

Text Output

Audit record information appears in the Text Output area.
To view information that lies outside the currently displayed window, you can:
– Use the scroll bars, which move Text Output up and down, and left and right. When you use the vertical scroll bar, SecMon stops retrieving new audit information. When you finish examining previous records, click the top left toolbar button to reactivate retrieval.
– Enlarge the Main window to increase the size of Text Output.

The following describes the Text Output fields.

Host: The host station where the audit record was collected.
Date: The date on which the (attempted) access occurred.
Time: The time at which the (attempted) access occurred.
R: The eTrust AC alphabetic return code indicating what happened. The valid values and their meanings are:
   A: An attempt to log in failed because an invalid password was entered repeatedly.
   D: eTrust AC denied access to a resource, did not permit a login, or did not permit an update to the eTrust AC database because the accessor did not have sufficient authorization.
   E: The serevu daemon enabled a disabled user account.
   F: An attempt to update the eTrust AC database failed.
   I: The serevu daemon disabled a user account.
   M: The executed command started or shut down a daemon.
   O: A user logged out.
   P: eTrust AC permitted access to a resource or permitted a login.
   S: The eTrust AC database was successfully updated.
   T: An audit record was written because all the actions of the user are being traced.
   U: A trusted program (setuid or setgid) was changed; therefore it is no longer trusted.
   W: The authority of the accessor was insufficient to access the specified resource; however, eTrust AC allowed the access because warning mode is set on the resource.
Event: The type of event (login, logout, or update), or the class on which the action was performed.
Content of Message: Further details, such as the name of the accessor, the name of the terminal from which a login or logout was performed, the name of the program that accessed a resource, and so on, depending on the action examined.

Detailed Information

The Detailed Info area of the SecMon Main window displays detailed information about any record in the audit log. To display the Detailed Info:

1. Select the record whose information you want to see by clicking it with the left mouse button or by moving the cursor to it with the down arrow key.

2. Double-click the record or press Enter. The information appears in the Detailed Info area.

The following describes the information for the various event types, in alphabetical order. Not all of this information appears for all event types.

Access: The access type, if relevant.
Administrator: The name of the administrator who executed the command in the selected record.
Class: The class that the executed command was directed to.
Command: The complete command that the accessor typed.
Command type: The type of command used in the selected record. For example, Add Resource appears if the command executed was to add a resource.
Daemon: The name of the daemon that was started or shut down.
Date: The date on which the command was executed: day, month, and year.
Details: Other details concerning the executed command. If the event type was a daemon shutdown or a trace, this field displays the stage at which the event was audited. The stage consists of two numbers: the first (up to three digits) indicates at which stage eTrust AC decided what action to take; the second represents the reason for the audit record. For an explanation of this code, double-click anywhere in the record. Details can also record the reason for the success or failure of the access attempt, or the purpose of the access.
Effective user ID: The effective UID of the process.
Event type: The type of event that took place. For example, if a resource was added to the database, the Event type field displays "Security database administration."
File: The name of the file being accessed.
Host name: The name of the remote host from which the connection was executed (or attempted).
Login user ID: The UNIX UID of the process.
Object: The resource being accessed.
Program: The name of the program through which the event was executed.
Real user ID: The UID that eTrust AC associates with the process.
Resource: The name of the resource being accessed or updated.
Service: The name of the service that was requested from the remote host.
Status: What happened when the user accessed or attempted to access the resource. The full word of the explanation appears here. For a list of all the possibilities, see the R (Alphabetic Return Code) entry under Text Output in this chapter.
Terminal: The terminal from which the event was executed.
Time: The exact time at which the command was executed.
Trace Information: The name and details of the resource being accessed or updated, or the action being traced. The format of these fields is the same as that of the trace messages described in the Utilities Guide.
User name: The name of the accessor who executed the command.

Changing Text Color

After you examine a record in the Detailed Info area, it changes color in the Text Output area. You can change the color of a visited record with the -visitColor parameter when starting SecMon. The default color is green; to set the color to red at startup, enter the following command:
secmon -visitColor red
After you finish examining a record, it then appears in red.

Performing Tasks with SecMon

SecMon is a run-time monitor that displays audit messages in the Text Output area as they are received.
Toolbar buttons in the upper left corner let you:
– Stop and restart the retrieval of audit events
– Delete selected audit events or all of them
– Change the buffer size for the Text Output area
– Exit SecMon

Tool tips for the toolbar buttons appear when you move the pointer over a button; you do not need to click the button for the explanation to appear.

Stopping and Restarting Retrieval of Audit Events

To stop the retrieval of audit events, click the leftmost button on the toolbar. This button operates in toggle mode: its icon changes to reflect the action that you can take with it. Once you have clicked it, new messages are not displayed. The messages that you already received remain in the buffer and can be viewed using the scroll bars. Click the running-man icon to receive messages again.

Deleting Selected Audit Events

To delete records from the display and the buffer, use the second button from the left. The audit information is not cleared from the audit logs that are collected for other auditing uses; the SecMon display buffer is temporary and is used for real-time purposes only. The following procedure shows how to clear selected events. You can also clear all events; see Deleting All Audit Events in this chapter.

1. Click one or more records to highlight and select them.

2. Click the Clear messages button. A confirmation message appears.

3. Click Yes to remove the selected lines from the display area and the display buffer.

Deleting All Audit Events

This procedure clears all audit events from the SecMon display area and buffer. It does not delete audit messages from the audit log, only from the SecMon display.

1. Without highlighting any lines, click the Clear Buffer button. A confirmation message appears.

2. Click Yes to remove all lines from the display area and the display buffer.
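The R column described under Text Output is the first thing to read when triaging SecMon records, but SecMon itself only shows the live stream and its buffer is cleared by the procedures above. The following added example is not part of this guide and is not CA's code: POSIX shell and awk that apply the return-code table to saved text records. It counts records per return code, flags accessors with repeated D (denied) or A (bad password) records, and lists the U and W records that deserve attention even though nothing was denied. The record layout (host, date, time, R, event, then a message in which the accessor name follows the word "user") and the nine records are constructed for the example; the real seaudit or SecMon text layout is not reproduced here.

```shell
# Added example, not CA code: triage of audit records by the alphabetic
# return code (R) documented in the Text Output table. The record layout
# below is an ASSUMPTION for the example (host, date, time, R, event, then
# a free-text message in which the accessor name follows the word "user");
# the sample records are constructed, not taken from a real eTrust AC log.
SAMPLE_AUDIT='host1 12-Mar-2006 09:01:12 P LOGIN user alice terminal pts/1
host1 12-Mar-2006 09:02:40 D FILE user bob program /bin/cat /etc/shadow
host1 12-Mar-2006 09:02:41 D FILE user bob program /bin/cat /etc/shadow
host1 12-Mar-2006 09:02:43 D FILE user bob program /bin/vi /etc/shadow
host2 12-Mar-2006 09:05:00 A LOGIN user bob terminal pts/3
host2 12-Mar-2006 09:05:30 I USER user bob
host1 12-Mar-2006 09:10:00 W FILE user carol program /bin/ls /root
host1 12-Mar-2006 09:11:00 S USER user root
host1 12-Mar-2006 09:12:00 U PROGRAM user root /usr/bin/passwd'

sample_audit() { printf '%s\n' "$SAMPLE_AUDIT"; }

# rc_meaning CODE: the meaning of one return code, from the table above.
rc_meaning() {
    case "$1" in
        A) echo "login failed: invalid password entered repeatedly" ;;
        D) echo "access, login or database update denied" ;;
        E) echo "serevu enabled a disabled user account" ;;
        F) echo "database update failed" ;;
        I) echo "serevu disabled a user account" ;;
        M) echo "daemon started or shut down" ;;
        O) echo "user logged out" ;;
        P) echo "access or login permitted" ;;
        S) echo "database updated successfully" ;;
        T) echo "trace record: all actions of the user are traced" ;;
        U) echo "trusted (setuid/setgid) program changed, no longer trusted" ;;
        W) echo "insufficient authority but allowed: warning mode" ;;
        *) echo "unknown return code: $1" >&2; return 1 ;;
    esac
}

# rc_summary: reads records on stdin, prints "CODE COUNT" per code, sorted.
rc_summary() {
    awk '{ n[$4]++ } END { for (c in n) print c, n[c] }' | sort
}

# flag_users MIN: accessors with at least MIN denied (D) or repeated-bad-
# password (A) records, printed as "USER COUNT", highest count first.
flag_users() {
    awk -v min="$1" '
        $4 == "D" || $4 == "A" {
            for (i = 6; i < NF; i++) if ($i == "user") { n[$(i + 1)]++; break }
        }
        END { for (u in n) if (n[u] >= min) print u, n[u] }' | sort -k2,2nr -k1,1
}

# integrity_alerts: records that need a human even though nothing was denied:
# U (a trusted program changed) and W (warning mode let a denial through).
integrity_alerts() {
    awk '$4 == "U" || $4 == "W" {
        msg = ""; for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        print $4, $1, $2, $3, msg
    }'
}

# report: full triage of the records on stdin.
report() {
    tmp=$(mktemp); cat > "$tmp"
    echo "== return codes =="
    rc_summary < "$tmp" | while read -r code count; do
        printf '%s %3d  %s\n' "$code" "$count" "$(rc_meaning "$code")"
    done
    echo "== accessors with 3 or more denials / bad passwords =="
    flag_users 3 < "$tmp"
    echo "== integrity alerts =="
    integrity_alerts < "$tmp"
    rm -f "$tmp"
}
```

Run `sample_audit | report` to see the three sections; on a real export, replace sample_audit with the file and adjust the field positions to the layout your seaudit output actually has. The W records matter because warning mode is a policy under test: each one is an access that would be a D once warning mode is switched off.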
Changing Buffer Size

The SecMon buffer size determines how many incoming messages are held and displayed in the SecMon Text Output area. The default is 200 lines of text.

1. Click Options to change how many scrollable lines of records are available for viewing.

2. In the Options dialog, enter the number of message lines to appear in the Text Output area.

3. Click OK.

You can also set the buffer size from the command line when you invoke SecMon:
secmon -scrollLine number-of-lines
where number-of-lines is the number of scrollable lines.

Appendix A: User and Group Properties

This section contains the following topics:
User Properties (see page 193)
Group Properties (see page 202)

User Properties

You can define user properties using the property editor in the Create User, Update User, and Edit User dialogs. Different user properties exist for eTrust AC, UNIX, and Windows.

eTrust AC User Properties

The eTrust page contains seven subpages of options. The following describes the options in each subpage.

Subpage: Personal Data

Full name: The full name of the user. This name is for your own administrative purposes; eTrust AC does not use this information.
Comment: A comment string of up to 255 characters that you can use for your own purposes. Security Administrator does not use this string.
   Note: You can use the seam.ini file to replace the Comment field with fields of your own, which appear at the end of the eTrust AC properties. For details, see the description of the seam.ini section [user fields] in The Security Administrator Configuration File in the appendix "seam.ini and UNIX Exits."
Location: The user's location.
Country: The country the user works in.
Phone: The user's telephone number.
Organization: The organization in which the user works.
Org unit: The organizational unit in which the user works.

Subpage: Login

For the following three properties, click the buttons to display a list of months, days, and years.
Select the date, and type in the hour (in 24-hour format) and minute at which you want the property to take effect.
Suspend: The date and time for suspending the user account (revoking permission to log in).
Resume: The date and time for restoring the user's permission to log in after suspension.
Expire date: The date and time at which the user's login becomes invalid. After the specified time, the user cannot log in to the system.
Grace login: The number of grace logins for the user (maximum 255). When the user's password expires, the user is granted the specified number of grace logins before eTrust AC prevents further logins. If you leave this field blank, eTrust AC uses the system default value.
   Note: For more information, see the chapter "Controlling Login Commands" in the Administrator Guide.
Max logins: The maximum number of terminals from which the user can be logged in simultaneously.
Inactive days: The number of days that must pass before the system changes the user to inactive. When the specified number of days is reached, the user account becomes inactive, and the user cannot log in.

Subpage: Password

New: The new password. Use any characters except spaces. Rules about passwords vary according to the environment or program you are working with.
   Note: For more information about password rules in eTrust AC, see the sepass utility in the Utilities Guide.
   Note: For more information about password rules in UNIX, see your UNIX documentation.
Confirm: Retype the new password to confirm it.
Hidden: Lets you enter a password manually.
Clear: Clears the current password. If you want Security Administrator to generate the password for you, click Clear, and then Generate.
Generate: Automatically generates a password.
Password interval: The number of days that must pass after the password was set or changed before the system prompts the user for a new password.
When the specified number of days is reached, eTrust AC informs the user that the current password has expired.
Password minimum time: The minimum number of days that must pass before the user is allowed to change the password.

Subpage: Restrictions

Allowed days: The days on which the user can log in to the system. Select the check boxes that represent the days on which to allow the user access. To select only Monday through Friday, click Weekdays. This limitation applies only to logging in; once logged in, the user can continue working indefinitely. Note that the days refer to the time zone of the host to which the user is attempting to log in, which is not necessarily the time zone of the user's location.
Allowed time: The period during which the user can log in on the allowed days. Drag the Start and End sliders to the required times, which appear to the left of the sliders. The time range is in 24-hour format.
Ignore holiday: Specifies whether the user can log in during any period, ignoring restrictions defined by a HOLIDAY record.
   Note: For more information, see the HOLIDAY class in the Reference Guide.

Subpage: Auditing

Audit mode: Specifies when to write an audit record to the eTrust AC audit log. You can assign a value to this property only if you have the AUDITOR attribute. Click a check box to select or deselect it. The modes are:
   Success: Writes an audit record each time the user successfully accesses a resource.
   Failure: Writes an audit record each time the user is denied access to a resource.
   Login success: Writes an audit record each time the user succeeds in logging in to the system.
   Login failure: Writes an audit record each time eTrust AC prevents the user from logging in to the system.
   Trace: Writes an audit record for every message that appears in the eTrust AC trace file because of the user's actions.
   None: Does not write any audit records to document the user's activities.
Subpage: Characteristics

Notify: Notifies a user or e-mail recipient every time the user logs in. The specified recipient should log in frequently to respond to the unauthorized access attempts described in each message. Each time a notification message is sent, an audit record is written.
User Mode: Special administrative attributes that you can assign to the user. Click a check box to select or deselect it. The modes are:
   Admin: The user can run Security Administrator and perform all eTrust AC activities except assigning audit attributes.
   Auditor: The user can assign audit attributes, and display user and user-group characteristics.
   Operator: The user can display user and user-group characteristics.
   Server: eTrust AC permits a pseudo-login by a multiuser (MUSAS) process with the user's ID, so that the user has greater access through the process than without it. If the user has the ADMIN attribute as well, Security Administrator can provide details of user permissions (see Viewing User Properties in the chapter "Account Administration").
   Password Manager: The user can change the passwords of other users.
Owner: The user or group that can change the user's properties without requiring the ADMIN attribute.
Profile: Assigns the user to the specified profile group. eTrust AC takes properties from the profile group for the user if they were not explicitly assigned in the user record.

Subpage: B1

Groups: The list of groups that the user belongs to. Specify zero or more groups. If you specify more than one group, separate the group names with spaces.
Policy Model: Specifies that when the user changes a password with the sepass utility, the new password is propagated to the specified PMDB.
Category: The special administrative attributes that you can assign to the user.
Security label: The security label of the user.
Security level: The security level of the user. The number 0 means the user has no access to anything that possesses a security level.
    Range is 0 - 255.

UNIX User Properties

The UNIX page contains two subpages of options. The following table describes the options in each subpage:

Subpage: Personal

Gecos
    The user's GECOS information.

Shell
    The full path of the initial program or shell to be executed after the user invokes the login or su command. The default path is /bin/sh. eTrust AC checks whether the specified program or shell exists and, if not, issues an error message.

Home dir
    The user's home directory; specify the full path. eTrust AC attempts to create the directory, but updates the UNIX file (/etc/passwd) regardless of whether eTrust AC successfully creates the home directory. The default directory is /home/userName (where userName is the name you assign when you create the user).

Primary group
    The user's primary group ID. Specify a UNIX group that already exists. The default is the group whose ID number is 1.

Groups
    The list of groups that the user belongs to. Specify zero or more groups. If you specify more than one group, separate group names with spaces.

UserId
    The numeric ID for the user (UID), which serves as a unique discretionary access control. The default is a number that is one more than the largest existing UID. Note that the seos.ini file may define certain numbers as untouchable (that is, outside the permissible range) for the UID. For a description of the seos.ini file, see the Administrator Guide.

Subpage: Password

New
    The new password.

Confirm
    Retype the new password to confirm.

Hidden
    Lets you enter a password manually.

Clear
    Clears the current password. If you want Security Administrator to generate the password for you, click Clear and Generate.

Generate
    Automatically generates a password.

Windows User Properties

The NT page contains six subpages of options.
The following table describes the options in each subpage:

Subpage: Personal Data

Full name
    The full name of the user.

Comment
    Any remark you want to add to the user record. If the string contains any blanks, enclose it in single quotation marks.

Location
    The user's location.

Country
    The country the user works in. This string is part of the X.500 naming scheme; you can also use it for language selection.

Phone
    The user's telephone number.

Organization
    The organization in which the user works.

Org unit
    The organizational unit where the user works.

Home dir drive
    The drive that accommodates the user's home directory.

Home dir
    The full path of the user's home directory.

Primary Group
    The name of the Primary Global Group. A primary group is the only group from which the user cannot be deleted.

Subpage: Account Data

Account is disabled
    Specifies whether the user account is disabled. If it is, the user cannot access the system.

Account is currently locked out
    Specifies whether the user account is locked out temporarily. If it is, the user cannot log in.

Password never expires
    Specifies whether the user password can expire.

Cannot change the password
    Specifies whether the user can change the user password.

No password is required
    Specifies whether the user needs a password to log in to the system.

Expire date
    The date and time that the user's login becomes invalid. Click the buttons to display a list of months, days, and years. Select the date, and enter the hour (in 24-hour format) and minute for this property to activate. After the specified time, the user cannot log in to the system.

Never expires
    Specifies that the user password never expires.

Subpage: Login

Logon server
    The server that this user must log in to.

Num logons
    The number of terminals a user can log in from concurrently.

Profile
    The full path of the user's profile.
    The profile is a file that contains a record of the user's Desktop environment.

Script
    The full path of the script that logs the user into the application. This field is dimmed if No is selected for “Is script active” (see the next option).

Is script active
    Specifies whether the script that logs the user into the application is active. If you select No, the Script path field is dimmed.

Subpage: Password

New
    The new password. Use any characters except spaces. Rules about passwords vary according to what environment or program you are working with. For more information about password rules in eTrust AC, see the sepass utility in the Utilities Guide. For more information about password rules in UNIX, see your UNIX documentation.

Confirm
    Retype the new password to confirm.

Hidden
    Lets you enter a password manually.

Clear
    Clears the current password. If you want Security Administrator to generate the password for you, click Clear, and then Generate.

Generate
    Automatically generates a password.

Password age
    The number of days before a user must change the password.

Subpage: Restrictions

Bad passwords count
    The number of bad passwords a user is permitted to enter before being locked out of the system.

Allowed days
    The days on which the user can access the system. Select the check boxes that represent the days to allow the user access. To select only Monday through Friday, click Weekdays.

Allowed time
    The period during which the user can log in on the specified days. Drag the Start and End sliders to the required time, which appears to the left of the sliders. The time range is in 24-hour format.

Subpage: Characteristics

Workstations
    The workstations this user has administrative access to.

Terminals
    The terminals from which this user can log in.

Groups
    The list of groups that the user belongs to. Specify zero or more groups. If you specify more than one group, separate group names with spaces.

UserId
    The user ID of the user.

GroupId
    The group ID of the user.
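The following is an added example, written for this page and not code from eTrust AC, that checks a proposed UNIX user record against the rules stated for the UNIX Personal subpage above: the shell must exist (default /bin/sh), the home directory defaults to /home/userName and must be a full path, the primary group must already exist (default group ID 1), and the default UID is one more than the largest existing UID, skipping numbers declared untouchable. The untouchable range, the record keys (name, shell, home_dir, primary_group, uid) and the sample UIDs, GIDs and paths are constructed; real untouchable ranges come from seos.ini, which the Administrator Guide documents.

```python
"""Added example, not eTrust AC code: validate a proposed UNIX user record
against the defaults and rules the UNIX Personal subpage describes.
All field names and sample values are constructed for this example."""
import os

UNTOUCHABLE_UIDS = [(0, 99)]  # constructed stand-in, not a value taken from seos.ini


def next_free_uid(existing_uids, untouchable=UNTOUCHABLE_UIDS):
    """Default UID: the largest existing UID plus one, moved past any
    untouchable range it lands in (ranges are sorted and non-overlapping)."""
    uid = max(existing_uids) + 1
    for low, high in sorted(untouchable):
        if low <= uid <= high:
            uid = high + 1
    return uid


def validate_unix_user(record, existing_uids, existing_gids, path_exists=os.path.exists):
    """Fill in the subpage defaults and collect problems for a record given as a
    dict with a required 'name' and optional shell, home_dir, primary_group, uid."""
    problems = []
    shell = record.get("shell", "/bin/sh")
    if not path_exists(shell):
        problems.append(f"shell {shell} does not exist")
    home = record.get("home_dir", f"/home/{record['name']}")
    if not home.startswith("/"):
        problems.append(f"home directory {home} is not a full path")
    gid = record.get("primary_group", 1)
    if gid not in existing_gids:
        problems.append(f"primary group {gid} is not an existing UNIX group")
    uid = record.get("uid")
    if uid is None:
        uid = next_free_uid(existing_uids)
    elif uid in existing_uids:
        problems.append(f"UID {uid} is already in use")
    elif any(low <= uid <= high for low, high in UNTOUCHABLE_UIDS):
        problems.append(f"UID {uid} is in an untouchable range")
    return {"name": record["name"], "uid": uid, "primary_group": gid,
            "home_dir": home, "shell": shell, "problems": problems}


# Constructed sample environment so the check runs offline.
SAMPLE_UIDS = {0, 1, 2, 100, 500}
SAMPLE_GIDS = {0, 1, 100}
SAMPLE_PATHS = {"/bin/sh", "/bin/bash"}


def demo(record):
    """Validate `record` against the constructed sample environment."""
    return validate_unix_user(record, SAMPLE_UIDS, SAMPLE_GIDS, SAMPLE_PATHS.__contains__)


if __name__ == "__main__":
    print(demo({"name": "alice"}))
    print(demo({"name": "bob", "shell": "/bin/zsh", "primary_group": 7}))
```

The `path_exists` parameter lets the shell check run against a constructed set of paths here; on a real host the default `os.path.exists` performs the same existence check the subpage describes.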
Group Properties

You can define different group properties for eTrust AC, UNIX, and Windows using the property editor in the Create group, Update group, and Edit group dialogs.

eTrust AC Group Properties

The eTrust page contains five subpages of options.

Subpage: Personal Data

Full name
    The user's full name. This name is for your own administrative purposes; Security Administrator does not use this information.

Comment
    A comment string of up to 255 characters that you can use for your own purposes. Security Administrator does not use this string.

Subpage: Characteristics

Owner
    The user or group that can update the group's properties without requiring the ADMIN attribute.

Superior group
    An optional, second group to which the members will automatically belong. A group can have no more than one superior group. Any group can be designated as the superior group (parent) of any number of other groups; however, the parent group must already exist in the environment in which the group is being created.
    Note: For more information about group-to-group relationships, see the Administrator Guide.

User list
    The list of users that belong to the group. Each user must already be defined to eTrust AC. Separate each user name with a space.

Subpage: Restrictions

Allowed days
    The days on which the user can access the system. Select the check boxes that represent the days to allow the user access. To select only Monday through Friday, click Weekdays. This limitation applies only to logging in; once logged in, the user can continue working indefinitely. Note that the days refer to the time zone of the host to which the user is attempting to log in, which is not necessarily the time zone of the user's location.

Allowed time
    The period during which the user can log in on the specified days. Drag the Start and End sliders to the required time, which appears to the left of the sliders. The time range is in 24-hour format.
Subpage: Profile Data

Policy model
    Specifies the PMDB to which a new password is propagated when a user changes the password with the sepass utility. Enter the name of the PMDB.

Password interval
    Sets the number of days that must pass, after the user sets or changes a password, before the system prompts the user for a new password. When the specified number of days is reached, eTrust AC informs the user that the current password has expired.

Password minimum time
    The minimum number of days that must pass before the user is allowed to change the password.

Inactive days
    Specifies the number of days that must pass before the system changes the user account to inactive. When the number of days is reached, the user cannot log in.

Subpage: Profile login

For the following three properties, click the buttons to receive a list of months, days, and years. Select the date, and type in the hour (in 24-hour format) and minute, when you want the property to activate.

Expire date
    The date and time that the user's login becomes invalid. After the specified time, the user cannot log in to the system.

Suspend
    The date and time for suspending the user account (revoking permission to log in).

Resume
    The date and time for restoring permission to the user to log in after suspension.

Max logins
    The maximum number of terminals from which the user can simultaneously log in.

Grace login
    The number of grace logins for the user (maximum 255). When the user's password expires, the user is granted the specified number of grace logins before eTrust AC prevents further logins. If you leave this field blank, eTrust AC uses the system default value.
    Note: For more information, see the Administrator Guide.

UNIX Group Properties

The UNIX page contains one subpage of options.

Subpage: Personal Data

Members
    The list of users that are members of the group. The users in this list must be defined to UNIX. Use spaces or commas to separate user names.
Group Id
    The group's identification number. If you do not specify a group ID, eTrust AC assigns a group ID that equals the largest current group ID plus one. eTrust AC creates group ID numbers in the same way when adding more than one group at a time. eTrust AC does not allow a group ID of zero. Additionally, the seos.ini file may define certain numbers as untouchable (that is, outside the permissible range) for the UID and the GID. For a description of the seos.ini file, see the Administrator Guide.

Windows Group Properties

The NT page contains one subpage of options.

Subpage: Personal Data

Comment
    Any remark you want to add to the group record. If the string contains any blanks, enclose it in single quotation marks.

Members
    A list of all the users in the group. To add to the list, type the names of the users you want, or click Browse. To add users to the group you are creating or updating, select the names of the users in the User list and click the right arrow button. To remove users from a group, select the users in the Selection list and click the left arrow button.

Group Id
    The group's identification number. If you do not specify a group ID, eTrust AC assigns one that is equal to the largest current group ID plus one. eTrust AC creates group ID numbers the same way when adding more than one group at a time. eTrust AC does not allow a group ID of zero. Additionally, the seos.ini file may define certain numbers as untouchable (that is, outside the permissible range) for the UID and the GID. For a description of the seos.ini file, see the Administrator Guide.
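The following is an added example, written for this page and not eTrust AC code, that derives an account's state from the Profile Data and Profile login properties described above for the eTrust AC group page (Password interval, Password minimum time, Inactive days, Expire date, Suspend, Resume, Grace login). The profile dictionary, its field names and the sample dates are constructed; Inactive days is counted here from the user's last login, an assumption the guide does not spell out.

```python
"""Added example, not eTrust AC code: compute whether a login and a password
change are currently permitted from the Profile Data / Profile login settings.
Field names and the sample profile are constructed for this example."""
from datetime import date, datetime


def account_state(profile, now, last_password_change, last_login, grace_logins_used=0):
    """Return a dict with login_allowed, the reasons if not, password_expired,
    grace_logins_left (None while the password is current) and
    can_change_password. All times are host-local."""
    today = now.date()
    since_change = (today - last_password_change).days
    since_login = (today - last_login).days  # assumption: Inactive days counts from last login
    reasons = []

    password_expired = since_change >= profile["password_interval"]
    grace_left = None
    if password_expired:
        grace_left = max(profile["grace_logins"] - grace_logins_used, 0)
        if grace_left == 0:
            reasons.append("password expired and no grace logins remain")
    if since_login >= profile["inactive_days"]:
        reasons.append("account inactive: no login for %d days" % since_login)
    if profile["expire_date"] is not None and now >= profile["expire_date"]:
        reasons.append("login expired on %s" % profile["expire_date"].strftime("%Y-%m-%d %H:%M"))
    suspend, resume = profile["suspend"], profile["resume"]
    if suspend is not None and now >= suspend and (resume is None or now < resume):
        reasons.append("account suspended")

    return {
        "login_allowed": not reasons,
        "reasons": reasons,
        "password_expired": password_expired,
        "grace_logins_left": grace_left,
        # Password minimum time: the user may not change the password again too soon.
        "can_change_password": since_change >= profile["password_minimum_time"],
    }


# Constructed sample profile.
SAMPLE_PROFILE = {
    "password_interval": 90,      # days until the password expires
    "password_minimum_time": 2,   # days before the user may change it again
    "inactive_days": 60,          # days without a login before the account is inactive
    "grace_logins": 3,
    "expire_date": datetime(2007, 1, 1, 0, 0),
    "suspend": datetime(2006, 8, 1, 0, 0),
    "resume": datetime(2006, 8, 15, 0, 0),
}


def sample_state(y, m, d, change=(2006, 3, 1), login=(2006, 5, 20), grace_used=0):
    """Evaluate the sample profile at noon on the given day."""
    return account_state(SAMPLE_PROFILE, datetime(y, m, d, 12, 0),
                         date(*change), date(*login), grace_used)


if __name__ == "__main__":
    print(sample_state(2006, 6, 1))
    print(sample_state(2006, 8, 5))
```

Each blocking condition is collected rather than returned on first match, so an auditor's report shows every reason an account cannot log in (for instance, inactive and suspended at the same time) instead of only the first one found.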
Appendix B: Resource Properties

This section contains the following topics:
Resource Properties (see page 209)
The eTrust AC Classes (see page 209)
The UNIX Classes (see page 258)
Windows Classes (see page 260)

Resource Properties

For resource classes, you deal with a list of characteristics (called properties) in a property editor. This appendix lists the meaning of each class's properties and their values. You can view and modify class properties using the property editor in the Update and Edit dialogs. There are different classes for eTrust AC, UNIX, and Windows. All classes appear in the Resources tabbed page.

The eTrust AC Classes

This section details the eTrust AC classes and their properties. To view the eTrust AC classes, click the Access by Class item under Administration in the eTrust section.

Administration (ADMIN Class)

To view and modify the ADMIN record, select the object in the right pane, and then select Update or Edit from the Edit menu or toolbar. For information about the property editor, see the chapter “Resource Administration.”

The ADMIN class contains the definitions that allow non-ADMIN users to administer specific classes. Each ADMIN record represents an eTrust AC class that is to be administered by specific users. The record contains a list of accessors along with the access authority of each. The key of the ADMIN class record is the name of the class being protected.

Owner
    The eTrust AC user or group that owns the record. Click the Browse button to view a list of all the users.
    Values: Any user or group name in the database

Creation Time
    The date on which the record was created. This property is shown only when updating a record.
    Values: Read-only field

Update Time
    The date on which the record was updated. This property is shown only when updating a record.
    Values: Read-only field

Updated by
    The user name of whoever updated the record. This property is shown only when updating a record.
    Values: Read-only field

Audit Mode
    What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
    N - No operations
    Values: Success or Failed, both, or None

Notify
    The email address or alias of the person who is to be notified when the resource is accessed.
    Values: Alphanumeric, 30 characters

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted, but if an access request normally would have been denied, a record is written to the audit log.
    Values: Yes, No

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Values: Any selection

Allowed Time
    The period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Values: Any time range, specified by 24-hour slider

Seclevel
    The security level (1 - 255) assigned to the resource, or 0. The number 0 means that the accessor's security level will not be checked.
    Values: Integer between 0 and 255, inclusive. Default = 0

Seclabel
    The security label assigned to the resource. Type in the name of a seclabel, or click the Browse button to receive a list of all the existing seclabels.
    Values: The name of a security label in the database, or nothing

Categories
    A list of categories assigned to the resource. Type in the name or names of a category, separated by commas, or click the Browse button to receive a list of all the existing categories.
    Values: One or more categories in the database, or none

Default Access
    The permitted access for users who are not covered in the access list:
    C - Create
    D - Delete
    J - Join
    P - Password
    R - Read
    Y - Modify
    Values: Any selection. Selecting nothing means default access is none.

Access list
    A list of accessors and their access authority to the resource. The authorities are:
    A - All
    C - Create
    D - Delete
    J - Join
    N or nothing - None
    P - Password
    R - Read
    Y - Modify
    For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
    Values: Any user or group names

Comment
    Any data useful for your site, or you can leave the field blank.
    Values: Alphanumeric, 255 characters

File and Directory (FILE Class)

Each record in the FILE class defines the access allowed to a file, a directory, or the files that match a certain file name pattern (also called a mask). A file need not have been created yet to have a rule defined for it.

You can protect symbolic links like any other files. Note, however, that by protecting a link you do not automatically protect the file that the link points to.

The key of the FILE class record is the name of the file or directory protected by the record. The full path must be specified.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Values: Any user or group name in the database

Creation Time
    Date when the record was created. This property is shown only when updating a record.
    Values: Read-only field

Update Time
    Date of last update. This property is shown only when updating a record.
    Values: Read-only field

Updated by
    Name of the user who last updated the file's record. This property is shown only when updating a record.
    Values: Read-only field

Audit Mode
    What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
    N - No operations
    Values: Success, Failed, both, None

Notify
    The email address or alias of the person who is to be notified when the file is accessed.
    Values: Alphanumeric, 30 characters

Membership
    Assign eTrust AC groups to be the owner of the record.
    Not Members: Groups to which this file does not belong.
    Members: Groups to which this file will be added.
    Values: Any group name in the database

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted, but if an access request normally would have been denied, a record is written to the audit log.
    Values: Yes or no

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Values: Any selection

Allowed Time
    The period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Values: Any time range, specified by 24-hour slider

Seclevel
    The security level (1 - 255) assigned to the file, or 0. The number 0 means that the accessor's security level will not be checked.
    Values: Integer between 0 and 255, inclusive. Default = 0

Seclabel
    The security label assigned to the resource. Type in the name of a seclabel, or click the Browse button to receive a list of all the existing seclabels.
    Values: The name of a security label in the database, or none

Categories
    A list of categories assigned to the resource. Type in the name or names of a category, separated by commas, or click the Browse button to receive a list of all the existing categories.
    Values: One or more categories in the database, or none

Default Access
    The permitted access for users who are not covered in the access list:
    Create, Delete, Chmod, Chown, Sec, Utime, Read, Rename, Write, Execute
    Values: Any selection; selecting nothing means default access is none

Membership
    Assign eTrust AC groups to be the owner of the group of files.
    Not Members: Groups to which these files do not belong.
    Members: Groups to which these files will be added.
    Values: Any group name in the database

Access list
    A list of accessors and their access authority to the resource. The authorities are:
    A - All
    C - Create
    D - Delete
    J - Join
    M - Chmod
    N or nothing - None
    O - Chown
    P - Password
    R - Read
    S - Sec
    T - Utime
    U - Update
    V - Rename
    W - Write
    X - Execute
    Y - Modify
    For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
    Values: Any user or group names, each of which can be followed by the access authority in parentheses. Each must be separated from the next name (if any) by a comma.

Comment
    Any data useful for your site, or you can leave the field blank.
    Values: Alphanumeric, 255 characters

File Group (GFILE Class)

Each record in the FILE class defines the access allowed to a file, a directory, or the files that match a certain file name pattern (also called a mask). A file need not have been created yet to have a rule defined for it.

You can protect symbolic links like any other files. However, by protecting a link you do not automatically protect the file that the link points to.

The key of the FILE class record is the name of the file or directory protected by the record. You must specify the full path.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Values: Any user or group name in the database

Audit Mode
    What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
    N - No operations
    Values: Success or Failed, both, or None

Notify
    The email address or alias of the person who is to be notified when the file is accessed. If dimmed, not allowed.
    Values: Alphanumeric, 30 characters

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted, but if an access request normally would have been denied, a record is written to the audit log.
    Values: Yes or no

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Values: Any selection

Allowed Time
    The period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Values: Any time range, specified by 24-hour slider

Access list
    A list of accessors and their access authority to the resource. The authorities are:
    A - All
    C - Create
    D - Delete
    J - Join
    M - Chmod
    N or nothing - None
    O - Chown
    P - Password
    R - Read
    S - Sec
    T - Utime
    U - Update
    V - Rename
    W - Write
    X - Execute
    Y - Modify
    For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
    Values: Any user or group names, each of which can be followed by the access authority in parentheses. Each must be separated from the next name (if any) by a comma.

Comment
    Any data useful for your site, or you can leave the field blank.
    Values: Alphanumeric, 255 characters

Holiday (HOLIDAY Class)

Each record in the HOLIDAY class defines one or more periods when users need extra permission to log in. Each holiday record can include several periods; you can include all the year's holiday periods in one holiday record. However, if you include more than one holiday period in one holiday record, you cannot allow a user to log in during some of them and prevent the user from logging in during others. If you want to allow a specific user to log in during New Year's Day but not during Christmas, for example, the two holidays must be defined in different records.

Owner
    The eTrust AC user or group that owns the record. You can click the Browse button for a list of all users.
    Values: Any user or group name in the database

Audit Mode
    What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
    N - No operations
    Values: Success or Failed, both, or None

Notify
    The email address or alias of the person who is to be notified when the resource is accessed.
    Values: Alphanumeric, 30 characters

Warning
    Enables or disables warning mode. In warning mode, all access requests are granted, but if an access request normally would have been denied, a record is written to the audit log.
    Values: Yes or no

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Values: Any selection

Allowed Time
    The period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Values: Any time range, specified by 24-hour slider

Seclevel
    The security level (1 - 255) assigned to the resource, or 0. The number 0 means that the accessor's security level is not checked.
    Values: Integer between 0 and 255, inclusive. Default = 0

Seclabel
    The security label assigned to the resource. Enter the name of a seclabel, or click the Browse button for a list of all existing seclabels.
    Values: The name of a security label in the database, or none

Categories
    A list of categories assigned to the resource. Type in the name or names of a category, separated by commas, or click the Browse button for a list of all existing categories.
    Values: One or more categories in the database, or none

Start date
    Date at which the holiday begins. Choose Forever if it is an annually recurring holiday. If you choose Forever, the year button does not appear. Choose All Day if the holiday lasts 24 hours.
    Values: Month, date, and year

End date
    Date when the holiday ends. Choose Forever if it is an annually recurring holiday. If you choose Forever, the year button does not appear. Click All Day if the holiday is 24 hours. If a holiday starts in one year and ends in the next, you must make separate holidays for each year (for example, Christmas to New Year's Day).
    Values: Month, date, and year

Access list
    A list of accessors and their access authority to the resource. The authorities are:
    A - All
    C - Create
    D - Delete
    J - Join
    M - Chmod
    N or nothing - None
    O - Chown
    P - Password
    R - Read
    S - Sec
    T - Utime
    U - Update
    V - Rename
    W - Write
    X - Execute
    Y - Modify
    For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
    Values: Any user or group names, each of which can be followed by the access authority in parentheses. Each must be separated from the next name (if any) by a comma.

Access list
    A list of accessors and their access authority to the resource.
    The authorities are:
    N or nothing - None
    R - Read
    For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
    Values: Any user or group names

Comment
    Any data useful for your site, or you can leave the field blank.
    Values: Alphanumeric, 255 characters

Host (HOST Class)

The HOST class defines access rules that govern the access other stations (hosts) have to the local host when they are using Internet communication. Records in the HOST class represent these “clients” of the local host. For each client (HOST record), a property lists the service rules that govern the services the local host may provide to the client.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Values: Any user or group name in the database

Creation Time
    Date when the record was created. This property is shown only when updating a record.
    Values: Read-only field

Update Time
    Date of last update. This property is shown only when updating a record.
    Values: Read-only field

Updated by
    Name of the user who last updated the resource's record. This property is shown only when updating a record.
    Values: Read-only field

Group Membership
    A list of GHOST records (groups of hosts) in which the HOST is a member.
    Values: The name of one or more GHOST records

Audit Mode
    What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
    N - No operations
    Values: Success or Failed, both, or None

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted, but if an access request normally would have been denied, a record is written to the audit log.
    Values: Yes or no

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday.
    To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Values: Any selection

Allowed Time
    The period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Values: Any time range, specified by 24-hour slider

Internet Access list
    A list of TCP services and the permitted access to them (R or none) from this resource [for example, telnet(R), talk, ftp(N)]. Talk is the default access. The list may be empty.
    Values: TCP service names and their access

Comment
    Any data useful for your site, or you can leave the field blank.
    Values: Alphanumeric, 255 characters

Host Groups (GHOST Class)

Each record in the class defines a group of hosts. Grouping is accomplished by explicitly connecting hosts (records of the HOST class) to the GHOST record. GHOST records define access rules that govern the access other stations (hosts) that belong to the group of hosts have to the local host when they are using Internet communication. For each client group (GHOST record), a property lists the service rules that govern the services the local host can provide to hosts belonging to the client group.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Values: Any user or group name in the database

Creation Time
    Date when the record was created. This property is shown only when updating a record.
    Values: Read-only field

Update Time
    Date of last update. This property is shown only when updating a record.
    Values: Read-only field

Updated by
    Name of the user who last updated the resource's record. This property is shown only when updating a record.
    Values: Read-only field

Members
    A list of hosts that are members of the group. The list may be empty.
    Values: One or more names, separated by a comma.
    No spaces are allowed.

Audit Mode
    What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
    N - No operations
    Values: Success or Failed, both, or None

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted, but if an access request normally would have been denied, a record is written to the audit log.
    Values: Yes or no

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Values: Any selection

Allowed Time
    The period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Values: Any time range, specified by 24-hour slider

Internet Access list
    A list of TCP services and the permitted access to them (R or none) from this resource [for example, telnet(R), talk, ftp(N)]. Talk has the default access. The list may be empty.
    Values: TCP service names and their access

Comment
    Any data useful for your site, or you can leave the field blank.
    Values: Alphanumeric, 255 characters

Host Network (HOSTNET Class)

Each record in the HOSTNET class defines a group consisting of all hosts on a particular network. HOSTNET records define access rules that govern the access other stations (hosts) on the specific network have to the local host when they are using Internet communication. The key of each HOSTNET record consists of mask and match values for the IP address. For each group of clients (HOSTNET record), a property lists the service rules that govern the services the local host may provide to the clients.
Owner The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users. Any user or group name in the database Creation Time Date when record was created. This property is shown only when updating a record. Read-only field Update Time Date of last update. This property is shown only when updating a record. Read-only field Updated by Name of user who last updated the resource's record. This property is shown only when updating a record. Read-only field Audit Mode What should trigger creation of audit records: S-Successful operations F-Failed operations N-No operations Success or Failed, both, or None Warning Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log. Yes or no Resource Properties 225 The eTrust AC Classes Allowed Days The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset. Any selection Allowed Time The period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified. Any time range, specified by 24-hour slider Internet Access list A list of TCP services and the permitted access to them (R or none) from this resource, [for example, telnet(R), talk, ftp(N)]. Talk has the default access. The list may be empty. TCP service names and their access IP Match When a bitwise AND is performed on the mask and the inet address of a host, and the result equals match, the host is a member of the HOSTNET record. 
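    The following Python is an added illustration of the IP Match rule just described; it is not part of the manual and not eTrust AC code. It evaluates the rule for a few constructed HOSTNET records (the first pair is the manual's own mask/match example, the other names and addresses are made up) and adds one check an administrator wants before relying on such a record: a match value with bits set outside the mask can never equal (address AND mask), so that record matches no host at all and silently provides no rule.

```python
import ipaddress


def ip_to_int(dotted):
    """Dotted-quad string to a 32-bit integer (ValueError on a malformed address)."""
    return int(ipaddress.IPv4Address(dotted))


def hostnet_matches(mask, match, host_ip):
    """The HOSTNET membership rule: (host address AND mask) == match."""
    return (ip_to_int(host_ip) & ip_to_int(mask)) == ip_to_int(match)


def is_satisfiable(mask, match):
    """True unless match has bits set that the mask clears; such a record can
    never match any host, because (address AND mask) can only have mask bits set."""
    return (ip_to_int(match) & ~ip_to_int(mask) & 0xFFFFFFFF) == 0


# Constructed HOSTNET records: name -> (mask, match). "manual-example" is the pair
# the manual uses; the other two names and values are made up for this example.
HOSTNETS = {
    "manual-example": ("255.0.255.0", "192.0.133.0"),
    "lab-net": ("255.255.255.0", "10.20.30.0"),
    "never-matches": ("255.255.0.0", "10.20.30.0"),   # match bits outside the mask
}


def matching_hostnets(records, host_ip):
    """Names of every HOSTNET record the host is a member of (a host may belong to several)."""
    return [name for name, (mask, match) in records.items()
            if hostnet_matches(mask, match, host_ip)]


def unsatisfiable_hostnets(records):
    """Names of records whose mask/match pair can never match a host."""
    return [name for name, (mask, match) in records.items()
            if not is_satisfiable(mask, match)]


if __name__ == "__main__":
    for host in ("192.168.133.7", "192.168.134.7", "10.20.30.40"):
        print(host, "->", matching_hostnets(HOSTNETS, host))
    print("records that can never match:", unsatisfiable_hostnets(HOSTNETS))
```

    With the manual's pair, 192.168.133.7 is a member (192.168.133.7 AND 255.0.255.0 is 192.0.133.0) while 192.168.134.7 is not; the "never-matches" record is reported by the lint because 10.20.30.0 keeps the third octet that a 255.255.0.0 mask clears.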
    For example, specifying mask(255.0.255.0) and match(192.0.133.0) includes all hosts with inet addresses of the format 192.anything.133.anything.
    Valid values: Each is four numbers separated by periods (.)

Comment
    Any data useful for your site, or you can leave the field blank.
    Valid values: Alphanumeric, 255 characters

Host Protection by Name Pattern (HOSTNP Class)

The term HOSTNP (HOST Name Pattern) refers to a group of hosts that have similar host names. HOSTNP records define access rules that govern the access other stations (hosts) that match the record's name pattern have to the local host when they are using Internet communication. In each mask (HOSTNP record), a property lists the service rules that govern the services the local host may provide to the group of clients. The key of the HOSTNP class record is the name pattern identifying the hosts that are protected by the HOSTNP record.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Valid values: Any user or group name in the database

Creation Time
    Date when record was created. This property is shown only when updating a record.
    Valid values: Read-only field

Update Time
    Date of last update. This property is shown only when updating a record.
    Valid values: Read-only field

Updated by
    Name of user who last updated the resource's record. This property is shown only when updating a record.
    Valid values: Read-only field

Audit Mode
    What should trigger creation of audit records:
    S-Successful operations
    F-Failed operations
    N-No operations
    Valid values: Success or Failed, both, or None

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log.
    Valid values: Yes or no

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Valid values: Any selection

Allowed Time
    The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Valid values: Any time range, specified by 24-hour slider

Internet Access list
    A list of TCP services and the permitted access to them (R or none) from this resource [for example, telnet(R), talk, ftp(N)]. Talk has the default access. The list may be empty.
    Valid values: TCP service names and their access

Comment
    Any data useful for your site, or you can leave the field blank.
    Valid values: Alphanumeric, 255 characters

Login by Terminal (TERMINAL Class)

The TERMINAL class defines records that represent the terminals of the local host, another host on the network, or X-Terminals from which a user can log into the system. Terminals are checked during user login. Users can log in from a terminal only if they have been authorized to use the terminal. The key of the TERMINAL record is the name of the terminal. This name identifies the terminal to eTrust AC.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Valid values: Any user or group name in the database

Creation Time
    Date when record was created. This property is shown only when updating a record.
    Valid values: Read-only field

Update Time
    Date of last update. This property is shown only when updating a record.
    Valid values: Read-only field

Updated by
    Name of user who last updated the resource's record. This property is shown only when updating a record.
    Valid values: Read-only field

Group Membership
    A list of terminal groups in which the terminal is a member.
    Valid values: The name of one or more GTERMINALs in the database

Audit Mode
    What should trigger creation of audit records:
    S-Successful operations
    F-Failed operations
    N-No operations
    Valid values: Success or Failed, both, or None

Notify
    The email address or alias of the person who is to be notified when the terminal is used.
    Valid values: Alphanumeric, 30 characters

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log.
    Valid values: Yes or no

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Valid values: Any selection

Allowed Time
    The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Valid values: Any time range, specified by 24-hour slider

Seclevel
    The security level (1 - 255) assigned to the terminal, or 0. The number 0 means that the accessor's security level will not be checked.
    Valid values: Integer between 0 and 255, inclusive. Default = 0

Seclabel
    The security label assigned to the terminal.
    Valid values: The name of a security label in the database, or none

Categories
    A list of categories assigned to the terminal.
    Valid values: One or more categories in the database, or none

Default Access
    The permitted access for users who are not covered in the access list: R (Read; log in by the terminal), W (Write; edit the eTrust AC database), or neither.
    Valid values: R (Read), W (Write), or neither

Access list
    A list of accessors and their access authority by this terminal. The authorities are:
    A-All
    N or nothing-None
    R-Read; log in from the terminal
    W-Write; edit the eTrust AC database
    For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
    Valid values: Any user or group names

Comment
    Any data useful for your site, or you can leave the field blank.
    Valid values: Alphanumeric, 255 characters

Monitored Files (SECFILE Class)

Each record of the SECFILE class contains the name of a file that is protected by the seoswd program, the eTrust AC Watchdog daemon. By scanning these files and ensuring that the information known about them is still accurate, the eTrust AC Watchdog ensures that unauthorized users have not changed the files. The key of the SECFILE class record is the name of the file that the SECFILE record protects. Specify the full path.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Valid values: Any user or group name in the database

Creation Time
    Date when record was created. This property is shown only when updating a record.
    Valid values: Read-only field

Update Time
    Date of last update. This property is shown only when updating a record.
    Valid values: Read-only field

Updated by
    Name of user who last updated the resource's record. This property is shown only when updating a record.
    Valid values: Read-only field

Comment
    Any data useful for your site, or you can leave the field blank.
    Valid values: Alphanumeric, 255 characters

Outgoing Connections by Host (CONNECT Class)

eTrust AC provides protection for outgoing TCP connections. Each record in the CONNECT class represents a target of the connection, a remote host.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Valid values: Any user or group name in the database

Comment
    Any data useful for your site, or you can leave the field blank.
    Valid values: Alphanumeric, 255 characters

Default Access
    The permitted access for users who are not covered in the access list: R (Read) or none. Select None if there is no default access to the record.
    Valid values: Read or nothing

Access list
    A list of accessors and their access authority to this resource. The authorities are:
    N or nothing-None
    R-Read
    For example, click Add to add users. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
    Valid values: Any user or group names, for each of which access authority is selected by clicking appropriate buttons.

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log.
    Valid values: Yes or no

Notify
    The email address or alias of the person who is to be notified when the resource is accessed.
    Valid values: Alphanumeric, 30 characters

Audit Mode
    What should trigger creation of audit records:
    S-Successful operations
    F-Failed operations
    N-No operations
    Valid values: Success or Failed, both, or None

Categories
    A list of categories assigned to the resource. Type in the name or names of a category, separated by commas, or click the Browse button to receive a list of all the existing categories.
    Valid values: One or more categories in the database, or none

Creation Time
    The date and time on which the record was created. This property is shown only when updating a record.
    Valid values: Read-only field

Update Time
    The date on which the record was updated. This property is shown only when updating a record.
    Valid values: Read-only field

Updated by
    The user name of whomever updated the record. This property is shown only when updating a record.
    Valid values: Read-only field

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Valid values: Any selection

Allowed Time
    The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Valid values: Any time range, specified by 24-hour slider

Seclevel
    The security level (1 - 255) assigned to the resource, or 0. The number 0 means that the accessor's security level will not be checked.
    Valid values: Integer between 0 and 255, inclusive. Default = 0

Seclabel
    The security label assigned to the resource. Type in the name of a seclabel, or click the Browse button to receive a list of all the existing seclabels.
    Valid values: The name of a security label in the database, or none

Process (PROCESS Class)

The PROCESS class defines programs (executable binaries running in their own address space) that must be protected from being killed. Major daemons and database servers are examples of the type of programs that require such protection because these processes are the main targets for service denial attacks. The key of the PROCESS class record is the name of the program the record protects. Specify the full path.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Valid values: Any user or group name in the database

Creation Time
    Date when record was created. This property is shown only when updating a record.
    Valid values: Read-only field

Update Time
    Date of last update. This property is shown only when updating a record.
    Valid values: Read-only field

Updated by
    Name of user who last updated the resource's record. This property is shown only when updating a record.
    Valid values: Read-only field

Audit Mode
    What should trigger creation of audit records:
    S-Successful operations
    F-Failed operations
    N-No operations
    Valid values: Success or Failed, both, or None

Notify
    The email address or alias of the person who is to be notified when the process is accessed.
    Valid values: Alphanumeric, 30 characters

Warning
    Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log.
    Valid values: Yes or no

Allowed Days
    The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
    Valid values: Any selection

Allowed Time
    The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
    Valid values: Any time range, specified by 24-hour slider

Seclevel
    The security level (1 - 255) assigned to the process, or 0. The number 0 means that the accessor's security level will not be checked.
    Valid values: Integer between 0 and 255, inclusive. Default = 0

Seclabel
    The security label assigned to the process.
    Valid values: The name of a security label in the database, or none

Categories
    A list of categories assigned to the process.
    Valid values: One or more categories in the database, or none

Default Access
    The permitted access for users who are not covered in the access list: R (Read) or none.
    Valid values: Read or nothing

Access list
    A list of accessors and their access authority to this resource. The authorities are:
    A-All
    N or nothing-None
    R-Read
    For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
    Valid values: Any user or group names

Comment
    Any data useful for your site, or you can leave the field blank.
    Valid values: Alphanumeric, 255 characters

Security Labels (SECLABEL Class)

Each SECLABEL record defines a security label. A security label is like a variable that has a security level as its value.

When security level checking is enabled, eTrust AC performs security level checking in addition to its other authorization checking. A security level is an integer between 1 and 255 that can be assigned to users and resources. When a user requests access to a resource that has a security level assigned to it, eTrust AC compares the security level of the resource with the security level of the user. If the user's security level is equal to or greater than the security level of the resource, eTrust AC continues with other authorization checking; otherwise, the user is denied access to the resource.

To protect a resource by security level checking, assign a security level to the resource's record. To allow a user access to resources protected by security level checking, assign a security level to the user's record. If the SECLABEL class is active, eTrust AC uses the security level associated with the security labels of the resource and user; the security level that is explicitly set in the resource and user records is ignored.

The key of the SECLABEL class record is the name of the security label. This name is used to identify the security label when assigning it to a user or resource.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Valid values: Any user or group name in the database

Creation Time
    Date when record was created. This property is shown only when updating a record.
    Valid values: Read-only field

Update Time
    Date of last update. This property is shown only when updating a record.
    Valid values: Read-only field

Updated by
    Name of user who last updated the resource's record. This property is shown only when updating a record.
    Valid values: Read-only field

Comment
    Any data useful for your site, or you can leave the field blank.
    Valid values: Alphanumeric, 255 characters

level
    The security level (1 - 255) assigned to the security label, or 0. The number 0 means that no security level is assigned.
    Valid values: Integer between 0 and 255, inclusive. Default = 0

Categories
    A list of categories assigned to the resource. Type in the name or names of a category, separated by commas, or click the Browse button to receive a list of all the existing categories.
    Valid values: The name of one or more categories in the database

Security Categories (CATEGORY Class)

Each record of the CATEGORY class defines a security category. When the user requests access to a resource that has been assigned one or more security categories, eTrust AC compares the list of security categories in the user's record with the list of security categories in the resource record. If eTrust AC finds any security category in the resource record that is not in the user's record, eTrust AC denies access to the resource. If the user's record contains all the security categories specified in the resource record, eTrust AC continues with other authorization checking. Each security category defined to eTrust AC is represented by a record in the CATEGORY class.

Owner
    The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
    Valid values: Any user or group name in the database

Creation Time
    The date on which the record was created. This property is shown only when updating a record.
    Valid values: Read-only field

Update Time
    The date on which the record was updated. This property is shown only when updating a record.
    Valid values: Read-only field

Updated by
    The user name of whomever updated the record.
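    The following Python is an added illustration of the two mandatory checks described in the SECLABEL and CATEGORY sections above; it is not part of the manual and not eTrust AC code. It models only the Seclevel, Seclabel and Categories properties of a user and a resource record and a constructed table of SECLABEL records with their "level" property, and shows the three rules in one place: a resource level of 0 is not checked, the user's level must be greater than or equal to the resource's, every category on the resource must appear on the user, and with the SECLABEL class active the labels' levels replace the explicitly set ones. One reading that the manual does not spell out, and that this example assumes, is that when the SECLABEL class is active a record with no label behaves as level 0.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed SECLABEL records: label name -> "level" property (0 means no level assigned).
SECLABELS = {"confidential": 100, "secret": 200, "unleveled": 0}


@dataclass
class Record:
    """The subset of a user or resource record that the level and category checks read."""
    name: str
    seclevel: int = 0                      # Seclevel property; 0 = none / not checked
    seclabel: Optional[str] = None         # Seclabel property; name of a SECLABEL record
    categories: Set[str] = field(default_factory=set)   # CATEGORY names


def effective_level(rec: Record, seclabel_class_active: bool) -> int:
    """With the SECLABEL class active the level comes from the record's label and the
    explicit Seclevel is ignored; a record without a label is assumed to be level 0."""
    if seclabel_class_active:
        return SECLABELS.get(rec.seclabel, 0) if rec.seclabel else 0
    return rec.seclevel


def check_level(user: Record, resource: Record, seclabel_class_active: bool = False) -> Tuple[bool, str]:
    res_level = effective_level(resource, seclabel_class_active)
    if res_level == 0:
        return True, "resource has no security level; level not checked"
    user_level = effective_level(user, seclabel_class_active)
    if user_level >= res_level:
        return True, f"user level {user_level} >= resource level {res_level}"
    return False, f"user level {user_level} < resource level {res_level}"


def check_categories(user: Record, resource: Record) -> Tuple[bool, str]:
    missing = resource.categories - user.categories
    if missing:
        return False, "user lacks categories: " + ", ".join(sorted(missing))
    return True, "user holds every category on the resource"


def authorize(user: Record, resource: Record, seclabel_class_active: bool = False) -> Tuple[bool, str]:
    """Run both checks; a failure in either denies access before eTrust AC would go on
    to its other authorization checking. Returns (allowed, reason)."""
    ok, reason = check_level(user, resource, seclabel_class_active)
    if not ok:
        return False, reason
    ok, reason = check_categories(user, resource)
    if not ok:
        return False, reason
    return True, "level and category checks passed; continue with other authorization checking"


if __name__ == "__main__":
    # Constructed records for a walk-through.
    payroll = Record("payroll-db", seclevel=100, categories={"finance", "hr"})
    for user in (Record("alice", seclevel=150, categories={"finance"}),
                 Record("bob", seclevel=50, categories={"finance", "hr"}),
                 Record("carol", seclevel=200, categories={"finance", "hr", "audit"})):
        print(user.name, "->", authorize(user, payroll))
```

    Note what the label override does to an audit of explicit levels: a user whose Seclevel reads 50 can still pass a level-250 resource once the SECLABEL class is active, if the labels say otherwise, so reviewing Seclevel values alone is not enough when that class is in use.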
This property is shown only when updating a record. Read-only field Comment Any data useful for your site, or you can leave the field blank. Alphanumeric, 255 characters Resource Properties 241 The eTrust AC Classes SUID/SGID Programs (PROGRAM Class) The PROGRAM class defines programs that are considered part of the trusted computing base. The eTrust AC Watchdog monitors programs in the PROGRAM class to ensure that they are not modified. Each PROGRAM record contains several properties that define information about the trusted program's file. The eTrust AC daemons check whether these values change. If the values change, the program is marked untrusted. The key of the PROGRAM class record is the file name of the program the record protects. Specify the full path of the file. Owner The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users. Any user or group name in the database Creation Time Date when record was created. This property is shown only when updating a record. Read-only field Update Time Date of last update. This property is shown only when updating a record. Read-only field Updated by Name of user who last updated the resource's record. This property is shown only when updating a record. Read-only field Untrust Whether the program has become untrusted. If the program is untrusted, it is being prevented from running because some change has been detected. Yes or no Audit Mode What should trigger creation of audit records: S-Successful operations F-Failed operations N-No operations Success or Failed, both, or None 242 User Guide The eTrust AC Classes Notify The email address or alias of the person who is to be notified when the program is accessed. Alphanumeric, 30 characters Warning Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log. 
Yes or no Allowed Days The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset. Any selection Allowed Time The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified. Any time range, specified by 24-hour slider Seclevel The security level (1 - 255) assigned to the program, or 0. The number 0 means that the accessor's security level will not be checked. Integer between 0 and 255, inclusive. Default = 0 Seclabel The security label assigned to the program. The name of a security label in the database, or none Categories A list of categories assigned to the program. One or more categories in the database, or none Resource Properties 243 The eTrust AC Classes Default Access The permitted access for users who are not covered in the access list: x (Execute) or none. Execute or nothing Access list A list of accessors and their access authority to this resource. The authorities are: A-All N or nothing-None X-Execute For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen. Any user or group names Comment Any data useful for your site, or you can leave the field blank. Alphanumeric, 255 characters 244 User Guide The eTrust AC Classes Tasks (SUDO Class) Each record in the SUDO class defines a command that the SuperUser-Do utility allows a user to perform or prevents a user from executing. Command The command to be executed by root. Up to 255 alphanumeric characters. For format, see the sesudo utility in the Utilities Guide. 
Owner The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users. Any user or group name in the database Creation Time Date when record was created. This property is shown only when updating a record. Read-only field Update Time Date of last update. This property is shown only when updating a record. Read-only field Updated by Name of user who last updated the resource's record. This property is shown only when updating a record. Read-only field Audit Mode What should trigger creation of audit records: S-Successful operations F-Failed operations N-No operations Success or Failed, both, or None Notify The email address or alias of the person who is to be notified when the resource is accessed. Alphanumeric, 30 characters Resource Properties 245 The eTrust AC Classes Warning Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log. Yes or no Allowed Days The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset. Any selection Allowed Time The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified. Any time range, specified by 24-hour slider level The security level (1 - 255) assigned to the resource, or 0. The number 0 means that the accessor's security level will not be checked. Integer between 0 and 255, inclusive. Default = 0 Seclabel The security label assigned to the resource. 
Type in the name of a seclabel, or click the Browse button to receive a list of all the existing seclabels. The name of a security label in the database, or none Categories A list of categories assigned to the resource. Type in the name or names of a category, separated by commas, or click the Browse button to receive a list of all the existing categories. One or more categories in the database, or none Default Access The permitted access for users who are not covered in the access list: x or none. Execute or nothing 246 User Guide The eTrust AC Classes Access list A list of accessors and their access authority to this resource. The authorities are: A-All N or nothing-None x-Execute For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen. Any user or group names Resource Properties 247 The eTrust AC Classes Task Groups (GSUDO Class) The GSUDO class defines groups of actions that the Surrogate-Do utility may let a user execute or prevent a user from executing. A SUDO record must already define each action. If there are several actions that you want to treat similarly, handling them all in a single GSUDO record is more economical and less error-prone than handling each of them in its individual SUDO record. A single access rule can make the whole group of actions available or unavailable to a particular user or group of users. Command The command to be executed by root. Up to 255 alphanumeric characters. For format, see the sesudo utility in the Utilities Guide. Owner The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users. Any user or group name in the database Creation Time Date when record was created. This property is shown only when updating a record. Read-only field Update Time Date of last update. This property is shown only when updating a record. 
Read-only field Updated by Name of user who last updated the resource's record. This property is shown only when updating a record. Read-only field Audit Mode What should trigger creation of audit records: S-Successful operations F-Failed operations N-No operations Success or Failed, both, or None Notify The email address or alias of the person who is to be notified when the resource is accessed. Alphanumeric, 30 characters 248 User Guide The eTrust AC Classes Warning Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log. Yes or no Allowed Days The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset. Any selection Allowed Time The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified. Any time range, specified by 24-hour slider level The security level (1 - 255) assigned to the resource, or 0. The number 0 means that the accessor's security level will not be checked. Integer between 0 and 255, inclusive. Default = 0 Seclabel The security label assigned to the resource. Type in the name of a seclabel, or click the Browse button to receive a list of all the existing seclabels. The name of a security label in the database, or none Categories A list of categories assigned to the resource. Type in the name or names of a category, separated by commas, or click the Browse button to receive a list of all the existing categories. 
One or more categories in the database, or none Default Access The permitted access for a new GSUDO record. Select Execute if any user who accesses the script can execute changes in it. Select None if there is no default access to the record. Execute or nothing Resource Properties 249 The eTrust AC Classes Access list A list of accessors and their access authority to this resource. The authorities are: A-All N or nothing-None E-Execute For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen. Any user or group names 250 User Guide The eTrust AC Classes TCP Protection (TCP Class) The TCP class defines records that represent individual TCP/IP services, such as mail, ftp, and http. Each record's ACL can specify access types not only for individual hosts that may request the service, but also for host groups (GHOSTs), networks (HOSTNETs), and sets of hosts defined by a name pattern (HOSTNPs). If the HOST class is active (that is, used as a criterion for access), the TCP class cannot effectively be active. The key of the TCP record is the name representing the service. Owner The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users. Any user or group name in the database Creation Time Date when record was created. This property is shown only when updating a record. Read-only field Update Time Date of last update. This property is shown only when updating a record. Read-only field Updated by Name of user who last updated the resource's record. This property is shown only when updating a record. Read-only field Audit Mode What should trigger creation of audit records: S-Successful operations F-Failed operations N-No operations Success or Failed, both, or None Notify The email address or alias of the person who is to be notified when the service is used. 
Alphanumeric, 30 characters Resource Properties 251 The eTrust AC Classes Warning Whether to enable warning mode. In warning mode, all access requests are granted but if an access request normally would have been denied, a record is written to the audit log. Yes or no Allowed Days The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset. Any selection Allowed Time The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified. Any time range, specified by 24-hour slider Default Access The permitted access for hosts who are not covered in the access list: Incoming connection (Read), Outgoing connection (Write) or nothing. W-Write-for outgoing connection N or nothing-None R-Read-for incoming connection Read, Write, or nothing Access list (ACL) A list of accessors and their access authority to this resource. Accessors can be hosts, host groups, networks, or host name patterns. The authorities are: A-All N or nothing-None R-Read-for incoming connection A and R are synonymous for this resource. For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen. Zero or more host names, host group names, network names, or host name patterns 252 User Guide The eTrust AC Classes Negative Access List (NACL) A list of accessors that have do not have authority to access this resource. Accessors can be hosts, host groups, networks, or host name patterns. 
  The authorities are:
    A - All
    N or nothing - None
    R - Read, for incoming connection
  A and R are synonymous for this resource.
  Valid values: Zero or more host names, host group names, network names, or host name patterns

PACL
  A list of accessors and their access authority to this resource. Accessors can be hosts, host groups, networks, or host name patterns. The authorities are:
    N or nothing - None
    R - Write, for outgoing connection
  For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
  Valid values: Zero or more host names, host group names, network names, or host name patterns

Comment
  Any data useful for your site, or you can leave the field blank.
  Valid values: Alphanumeric, 255 characters

Terminal Groups (GTERMINAL Class)

The GTERMINAL class defines groups of terminals. Such groups help you economize on access rules: you can specify an access rule (a permission or prohibition) for a group of terminals by a single command, rather than having to specify the same access rule for each terminal. Similarly, a rule regarding a group of terminals can be applied by a single command to a group of users.

Owner
  The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
  Valid values: Any user or group name in the database

Creation Time
  Date when record was created. This property is shown only when updating a record.
  Valid values: Read-only field

Update Time
  Date of last update. This property is shown only when updating a record.
  Valid values: Read-only field

Updated by
  Name of user who last updated the resource's record. This property is shown only when updating a record.
  Valid values: Read-only field

Members
  A list of terminals that are members of the group. The list may be empty.
  Valid values: One or more names, separated by commas. No spaces are allowed.

Access list
  A list of accessors and their access authority to this resource.
  The authorities are:
    A - All
    N or nothing - None
    R - Read; log into the terminal
    W - Write; edit the terminal's eTrust AC database
  For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
  Valid values: Any user or group names, each of which can be followed by the access authority in parentheses. Each must be separated from the next name (if any) by a comma or space. The access authority can be written in full, or its abbreviation can be used.

Comment
  Any data useful for your site, or you can leave the field blank.
  Valid values: Alphanumeric, 255 characters

Default Access
  The access to the resource for defined accessors that are not covered by explicit rules: R (Read), W (Write), both, or none.
  Valid values: R, W, both, or neither.

User ID Substitution (SURROGATE Class)

Records of the SURROGATE class define restrictions that protect a user from other users when they make su (substitute UID) requests. eTrust AC treats the surrogate request as an abstract resource that can be accessed only by authorized users. A record in the SURROGATE class represents every user or group of users that requires surrogate protection.

Owner
  The eTrust AC user or group that is the owner of the record. You can click the Browse button to receive a list of all the users.
  Valid values: Any user or group name in the database

Creation Time
  Date when record was created. This property is shown only when updating a record.
  Valid values: Read-only field

Update Time
  Date of last update. This property is shown only when updating a record.
  Valid values: Read-only field

Updated by
  Name of user who last updated the resource's record. This property is shown only when updating a record.
  Valid values: Read-only field

Audit Mode
  What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
    N - No operations
  Valid values: Success or Failed, both, or None

Notify
  The email address or alias of the person who is to be notified when the resource is accessed.
  Valid values: Alphanumeric, 30 characters

Warning
  Whether to enable warning mode. In warning mode, all access requests are granted, but if an access request normally would have been denied, a record is written to the audit log.
  Valid values: Yes or no

Allowed Days
  The days on which the resource can be accessed. Select the boxes representing each day to allow access to the resource on those days. To select all seven days of the week, click Anyday. To select Monday through Friday, click Weekdays. To clear your selection for all the days, select Reset.
  Valid values: Any selection

Allowed Time
  The time period during which accessors can access the resource on the specified days. Drag the Start and End sliders to the required setting. By default, if you set Allowed Time without setting Allowed Days, access is set for all seven days a week for the times specified.
  Valid values: Any time range, specified by 24-hour slider

Seclevel
  The security level (1 - 255) assigned to the resource, or 0. The number 0 means that the accessor's security level will not be checked.
  Valid values: Integer between 0 and 255, inclusive. Default = 0

Seclabel
  The security label assigned to the resource. Type in the name of a seclabel, or click the Browse button to receive a list of all the existing seclabels.
  Valid values: The name of a security label in the database, or none.

Categories
  A list of categories assigned to the resource. Type in the name or names of a category, separated by commas, or click the Browse button to receive a list of all the existing categories.
  Valid values: One or more categories in the database, or none.

Default Access
  The permitted access for users who are not covered in the access list: R or none.
  Valid values: Read or nothing

Access list
  A list of accessors and their access authority to this resource. The authorities are:
    A - All
    N or nothing - None
    R - Read
  For example, click Add to add a user. Once you have added accessors, click permissions beside them. A check mark appears to indicate permissions chosen.
  Valid values: Any user or group names

Comment
  Any data useful for your site, or you can leave the field blank.
  Valid values: Alphanumeric, 255 characters

The UNIX Classes

This section details the UNIX classes and their properties.

UNIX FILE Class

Each object in this class defines a file to UNIX. The key of the FILE record is the file name, without the directory. You can set the following properties when updating file properties:

Owner
  The eTrust AC user that is the owner of the record. You can click the Browse button to receive a list of all the users.
  Valid values: Any user name in the database

Group
  The eTrust AC group that is the owner of the record. You can click the Browse button to receive a list of all the groups.
  Valid values: Any group name in the database

Creation Time
  Date when record was created. This property is shown only when updating a record.
  Valid values: Read-only field

Update Time
  Date of last update. This property is shown only when updating a record.
  Valid values: Read-only field

Last Accessed
  Time of last update. This property is shown only when updating a record.
  Valid values: Read-only field

Default Access
  The permitted access for users who are not covered in the access list: R (Read), W (Write, edit the eTrust AC database), or E (Execute). Select Set UID/GID to identify the files as programs that reset the user or group ID. If Set UID/GID is selected, accessors who attempt to execute the program are monitored.
  Valid values: R (Read), W (Write), or Execute

Comment
  Any data useful for your site, or you can leave the field blank.
  Valid values: Alphanumeric, 255 characters

Modification Time
  The date and time the file was last modified.
  Valid values: Read-only field

Directory
  Whether the file is a directory.
  Valid values: Read-only field

Device
  The device ID for where the file is located.
  Valid values: Read-only field

Inode
  The file's inode. The inode is the address of a program.
  Valid values: Read-only field

Size (in bytes)
  The size of the file, in bytes.
  Valid values: Read-only field

Link Name
  If the file is a symbolic link, the name of the other file to which the record's file is linked.
  Valid values: Read-only field

Windows Classes

This section details the Windows classes and their properties.

NT FILE Class

Each object in the NT FILE class defines the access allowed to a file or directory. You can set the following properties when updating file properties:

Owner
  A user or group entitled to edit the record. You can click the Browse button to receive a list of predefined owners.
  Valid values: Any user or group name in the database

Group
  The name of the group that has access to the file. To receive a list of predefined groups, click the Browse button.
  Valid values: Any group name in the database

File Attributes
  The attributes of the file.
    Archive - The file is an archival file. Applications use this value to mark files for backup or removal.
    Hidden - The file is hidden. It is not included in an ordinary directory listing.
    Normal - The file has no other attributes. This value is valid only if used by itself.
    Read-Only - The file is a read-only file. Applications can read the file, but cannot write in it or delete it.
    System - The file is part of the operating system or is used exclusively by the operating system.
    Temporary - The file is being used for temporary storage.
  Valid values: Archive, Hidden, Normal, Read-Only, System, or Temporary

Creation Time
  Date when record was created. This property is shown only when updating a record.
  Valid values: Read-only field

Update Time
  Date of last update. This property is shown only when updating a record.
  Valid values: Read-only field

Last Accessed
  Time of last update. This property is shown only when updating a record.
  Valid values: Read-only field

Default Access
  A list of accessors, each with its access authority to the NT FILE. If the file is a directory, a Directory tab and a File tab appear at the bottom of the list of accessors. Select Directory if you want the access rights to apply to the directory only. Select File if you want the access rights to apply to all the files that are created in this directory. Click beside the names of the accessors under the appropriate authority to enable or remove the access right from the accessor. Or click the Add button to give one or more existing users or groups access to the NT FILE record. Click the Edit button to change the access rights of the accessors. Click the Delete button to remove the access rights of the users and groups.
  Valid values: Any user or group names

Auditing
  What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
  Valid values: Success or Failed or none.

Is Directory
  A flag that indicates Yes if the file is a directory, or No if not.
  Valid values: Yes or no

Device
  The device ID for where the file is located.
  Valid values: Read-only field

File Index
  A unique identifier. The file index is used to establish the identity of an open file.
  Valid values: Read-only field

File Size (in bytes)
  The size of the file, in bytes.
  Valid values: Read-only field

Number of Links
  If the file is a symbolic link, the number of links that are contained in the file.
  Valid values: Read-only field

NT-PRINT Class

The NT PRINT class defines printers. Each record contains a set of properties that defines the printer. The following properties can be set when updating print properties:

Owner
  A user or group entitled to edit the record. You can click the Browse button to receive a list of predefined owners.
  Valid values: Any user or group name in the database

Group
  The name of the group that has access to the file. To receive a list of predefined groups, click the Browse button.
  Valid values: Any group name in the database

Comment
  Any data useful for your site, or you can leave the field blank.
  Valid values: Alphanumeric, 255 characters

Access List
  A list of accessors, each with its access authority to the NT PRINTER. Click the Add button to give one or more existing users or groups access. Click the Edit button to change the access rights. Click the Delete button to remove access rights.
  Valid values: Any user or group names

Auditing
  What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
  Valid values: Success or Failed or none

Printer Name
  The name of the PRINTER.

Location
  The physical location of the printer.
  Valid values: Read-only field

Server Name
  The server that controls the printer.
  Valid values: Read-only field

Share Name
  The share name of an outside computer. The outside computer is known inside the network by this name.
  Valid values: Read-only field

NT-COM Class

The COM class defines a serial communication port, represented by Com1:, Com2:, and so on. A serial communication port is a hardware interface used mostly by computer modems. The following properties can be set when updating COM properties:

Owner
  A user or group entitled to edit the record. You can click the Browse button to receive a list of predefined owners.
  Valid values: Any user or group name in the database

Access List
  A list of accessors, each with its access authority to the COM record. Click the Add button to give one or more existing users or groups access. Click the Edit button to change the access rights. Click the Delete button to remove access rights.
  Valid values: Any user or group names

Auditing
  What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
  Valid values: Success or Failed or none

User ID
  If a user is the owner of the serial communication port, UID specifies the name of the owner.
  Valid values: Any user or group name in the database

Group Id
  If a group is the owner of the serial communication port, GID specifies the name of the owner.
  Valid values: Any user or group name in the database

Device
  Security data for the COM class is stored in the Device section.
  Valid values: Read-only field

NT-SHARE Class

Each object in the SHARE class defines directories that are shared with external computers and users; other computers and users can access the shared directories. You can set the following properties when updating file properties:

Owner
  A user or group entitled to edit the record. You can click the Browse button to receive a list of predefined owners.
  Valid values: Any user or group name in the database

Auditing
  What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
  Valid values: Success or Failed or none

Access List
  A list of accessors, each with its access authority to the NT SHARE. Click the Add button to give one or more existing users or groups access. Click the Edit button to change the access rights. Click the Delete button to remove access rights.
  Valid values: Any user or group names

Path
  The directory where the share name is located.
  Valid values: Valid directory

Comment
  A brief description of the SHARE record.
  Valid values: Alphanumeric, 255 characters

Max Connections
  The maximum number of connections (users accessing a SHARE record) at any given time.
  Valid values: Numeric

Name
  The share name of a resource. A share name is the name by which an outside computer is known inside the network.
  Valid values: Host name

Type
  The different types of the class SHARE.
  Valid values: PRINTQ, DISKTREE, DEVICE, and IPC

Number of Connections
  The number of connections (users accessing a SHARE record) at any given time.
  Valid values: Numeric

Available Permissions
  The access permissions that you can give to the accessors. The following lists the permissions that are available:
    ACCESS_ALL - Permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.
    ACCESS_ATTRIB - Permission to modify the resource's attributes; for example, the date and time when a file was last updated.
    ACCESS_CREATE - Permission to create a resource (such as a file). Data can be written to the resource while it is being created.
    ACCESS_DELETE - Permission to delete the resource.
    ACCESS_EXEC - Permission to execute the resource (such as a PROGRAM record).
    ACCESS_PERM - Permission to modify the permissions (read, write, create, execute, and delete) assigned to a user or an application for a resource.
    ACCESS_READ - Permission to read data from a resource and, by default, to execute the resource.
    ACCESS_WRITE - Permission to write data to the resource.

NT-REGKEY and NT-REGVAL Class

The REGKEY class defines the tree-like structure of keys (like directories) where Windows configurations and information are saved. The REGKEY section also contains records in the REGVAL class. The REGVAL class defines the files within the directories where the configuration values are stored. The following properties can be set when updating REGKEY or REGVAL properties:

Owner
  An owner of the registry key. You can click the Browse button to receive a list of predefined owners.
  Valid values: Any user or group name in the database

Default Access
  Whether the REGKEY record has default access or not.
    None - Users not on the record's eTrust AC list do not have access to the record.
    Deselect None - Users not on the list have default access to the record.
  Valid values: Any selection. Selecting nothing means default access is none.

Auditing
  What should trigger creation of audit records:
    S - Successful operations
    F - Failed operations
  Valid values: Success or Failed or none

Access List
  A list of accessors, each with access authority to the REGKEY record. Click the Add button to give one or more existing users or groups access. Click the Edit button to change the access rights. Click the Delete button to remove access rights.
  Valid values: Any user or group names

SUBKEY
  The first subdirectory on the next level under the REGKEY registry. At the bottom of the list of accessors, click SUBKEY to give users and groups access rights to the SUBKEY.
  Valid values: Any user or group names

KEY
  The first file on the next level under the REGKEY registry.
  At the bottom of the list of accessors, click KEY to give users and groups access rights to the SUBKEY.
  Valid values: Any user or group names

Value Name
  The type of REGVAL record:
    String - Registry values are strings.
    Dword - Registry values are decimal or hexadecimal integers.
    Binary - Registry values are a string, a number, or a range of hexadecimal numbers.
  Valid values: Numeric or string

Value Data
  The data corresponding to the value name (type) of the REGVAL record, as shown in the next table.

  For REGVAL Value name... | Value data is... | Description
  String | String | String
  Dword | Integer. Select form in Base section before entering the value data. | Hexadecimal or decimal
  Binary | Integer. First column is offset integer and is read-only. Second column is actual value of the binary REGVAL. This can be entered as a number, string, or range of hexadecimal numbers. Separate hexadecimal strings and numbers by spaces or commas. | Hexadecimal or decimal

Appendix C: seam.ini and UNIX Exits

This section contains the following topics:
  The Security Administrator Configuration File (see page 269)
  UNIX Exits (see page 277)

The Security Administrator Configuration File

Note: A convenient way to edit much of the Security Administrator configuration file is the Pref command on the Options menu of the Main window.

Security Administrator takes its default settings from a configuration file called seam.ini. During the process of Security Administrator installation, the location of the seam.ini file is automatically recorded in the eTrust AC configuration file, seos.ini. Thereafter, Security Administrator relies on the seos.ini file for the location of the seam.ini file. Specifically, the Data token in the [seam] section of the seos.ini file specifies the location of the seam.ini file.
For example:

    [seam]
    data = /opt/CA/eTrustAccessControl/data/seam

Among the specifications in the seam.ini file are the names and locations of various files used by Security Administrator. Some of the files can be customized, whereas others should not be touched. All the default values allow normal behavior of Security Administrator after installation, so you do not need to modify any of the files unless you want to.

The seam.ini file is divided into sections, and each section contains one or more tokens and their settings. The structure of the file consists of section names enclosed in square brackets and followed, on separate lines, by tokens; the tokens are separated from their values by = signs:

    [section-name]
    token1 = value1
    token2 = value2

The remainder of this section describes the tokens.

[master_db] Section

db = database-name
  database-name specifies the default database for eTrust AC in Security Administrator. The database is the source of information for the objects (users, groups, and resources) defined in the eTrust AC environment in Security Administrator. It can be a host name or the name of a PMDB. A PMDB is a database that applies to more than one host; for details, see the Administrator Guide.

unix = host-name
  host-name specifies the default database for UNIX in Security Administrator. The database is the source of information for the objects (users, groups, and resources) defined in the UNIX environment in Security Administrator. It can be a host name or the name of a PMDB.

nt = host-name
  host-name specifies the default database for Windows in Security Administrator. The database is the source of information for the objects (users, groups, and resources) defined in the Windows environment in Security Administrator. It can be a host name or the name of a PMDB.
pmd = master-pmdb[,master-pmdb[,...]]
  master-pmdb specifies the master PMDB you want to administer from Security Administrator. You can specify more than one master PMDB by separating them with commas.

[transaction] Section

output_dir = directory
  directory specifies the directory for Security Administrator's temporary files. Default is /tmp/seos_trans.

remove_pb_hosts_on_failure = {yes|no}
  A yes value means that Security Administrator does not show you any hosts where your transaction cannot be executed or where your transaction has no effect. For example, if your transaction is a query for the status of a user, that user may not exist on every host. In that case, Security Administrator lists only the hosts where it can get user information. A no value means that Security Administrator shows you all hosts regardless of transaction success or failure. Default is no.

retry_interval = time-in-seconds
  time-in-seconds is the minimum number of seconds that Security Administrator waits before retrying to connect to hosts that could not yet be reached for transaction execution. Default is 60.

retry_num = how-many
  how-many is the number of times that Security Administrator tries to connect to hosts if it failed to connect to them in its first attempt. Default is 3.

verify = {yes|no}
  A yes value means that Security Administrator waits for you to click Go before executing a transaction. Default is yes. A no value means that Security Administrator starts executing a transaction as soon as you okay the transaction's dialog.

[password] Section

show = {yes|no}
  A yes value means that new passwords appear when entered, and you must type them only once. A no value means that new passwords are invisible when entered, and you must type them twice. Default is no.

generator = utility
  utility specifies the executable file that runs your password generation utility. (See The Password Generation Utility in this appendix.)
  The default is the random algorithm.

[hosts_groups] Section

path = directory
  directory specifies the location of the files that describe host groups. Each file has the same name as a host group and consists of a list of that host group's members. The default is /opt/CA/eTrustAccessControl/data/seam/hosts.

[print] Section

command = utility
  utility specifies the executable file for printing Security Administrator transaction output. The default is lp.

[help_ini] Section

path = directory
  directory specifies the location of the Security Administrator help files, which contain the information that the HELP button invokes. The default is /opt/CA/eTrustAccessControl/data/seam/help. You should not alter the help files.

[messages] Section

msg_file = filename
  filename specifies the Security Administrator message file, which contains Security Administrator's error messages, warning messages, and confirmation messages. The default is /opt/CA/eTrustAccessControl/data/seam/seam_errors.msg. You should not alter the message file.

[defaults] Section

delete_homedir = {yes|no}
  A yes value means that when you use Security Administrator to delete a user from the UNIX environment, the user's home directory is deleted. Security Administrator relies on eTrust AC UNIX exit scripts to erase the home directory. When eTrust AC is installed, the scripts that delete the home directory are installed automatically and registered as UNIX exits. A no value means that the user's home directory remains even when you use Security Administrator to delete the user from the UNIX environment. Default is no.

group = filename
  filename specifies the group configuration file, which contains default settings for new groups. (In the context of Security Administrator, the word group, unless otherwise clarified by its context, refers to a group of users.)
  To specify the default settings, you use the property editor (see Modifying Group Properties in the chapter "Account Administration") rather than directly editing the group configuration file.

user = filename
  filename specifies the user configuration file, which contains default settings for new users. To specify the default settings, you use the property editor (see Modifying User Properties in the chapter "Account Administration") rather than directly editing the user configuration file.

[user fields] Section

For users only, you can replace the property editor Comment field with one or more fields of your own. Your fields appear at the end of the property editor eTrust section.

To specify fields to replace the Comment field for users, add the section header [user fields] at the end of the seam.ini file and follow it with one or more lines in this format:

    fieldname=(MaxLength=length, Format='formatstring')

where:

fieldname
  Specifies your chosen name for the field.

length
  Specifies the maximum number of characters you allow in the field. All your maximum lengths together must not total more than 255.

formatstring
  Specifies an optional string in which each character dictates the format of the corresponding character in the user field value. When used in formatstring:
    d permits any digit
    a permits any alphanumeric character
    l permits any letter
    * permits any character
  The following characters are literal, permitting only themselves:
    - (hyphen)
    : (colon)
    ; (semicolon)
    , (comma)
    . (period)
    (blank-space)
  The string is enclosed in single quotes.

Example

For example, the following section calls for a field named SSN that consists of nine digits, hyphenated after the third and fifth digits, and a field called Contact that has up to 20 characters in no particular format.
    [user fields]
    SSN=(MaxLength=11, Format='ddd-dd-dddd')
    Contact=(MaxLength=20)

If your seam.ini file contains an erroneous user-fields section, the property editor retains its Comment field instead of your user fields.

[others] Section

read_usr_appl = script-name
  script-name is the UNIX exit (see page 277) utility that Security Administrator uses to extract a user's APPL data.

read_grp_appl = script-name
  script-name is the UNIX exit (see page 277) utility that Security Administrator uses to extract a group's APPL data.

max_items_to_copy = how-many
  how-many is the maximum number of users, groups, and resources you can copy from host to host at one time.

Note: Copying may take a while. Security Administrator is suspended until the transaction is finished in all the selected environments.

[synchronize] Section

sync_mode = {y|n}
  A yes value means that you specify Synchronize mode. If you give a value to a property in one environment (eTrust AC or UNIX), the value is automatically copied to the other environments if a corresponding property exists there. In the Create, Edit, and Update property editors, the value for a property that appears in more than one section of the property editor is automatically copied from one section to the others. Corresponding properties do not necessarily have exactly the same name on screen. To find corresponding properties, use the tables in the appendix "Resource Properties," or consult the defaults.usr and defaults.grp files in eTrustACDir/data/seam/defaults. A no value means that no property value in any environment affects the values in any other environment. The default is no.

[bin] Section

path = directory
  directory specifies the directory where the Security Administrator is installed. It must not be changed. The default is /opt/CA/eTrustAccessControl/bin.
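The [user fields] rules above (format characters, literal characters, the 255-character MaxLength total, and the fallback to the Comment field on an erroneous section) as an added example; this is not product code. It parses the section out of seam.ini text and checks field values against it. Requiring a formatted value to fill its Format string completely is this example's own assumption, since the guide does not say whether shorter values are accepted.

```python
"""Parse the [user fields] section of seam.ini and validate field values.

Added example, not part of the product. A malformed section makes
user_fields_or_comment() return None, which is when the property editor
keeps its Comment field instead. Requiring a formatted value to fill its
Format string completely is this example's own assumption.
"""
import configparser
import re

# Format-string character classes, as documented for seam.ini.
_CLASSES = {
    "d": lambda ch: ch in "0123456789",
    "a": lambda ch: ch.isalnum(),
    "l": lambda ch: ch.isalpha(),
    "*": lambda ch: True,
}
_LITERALS = set("-:;,. ")

# fieldname=(MaxLength=length, Format='formatstring')   (Format is optional)
_FIELD_RE = re.compile(
    r"^\(\s*MaxLength\s*=\s*(\d+)\s*(?:,\s*Format\s*=\s*'([^']*)')?\s*\)$"
)


def parse_user_fields(ini_text):
    """Return {fieldname: (max_length, format_or_None)}; raise ValueError if bad."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep field names exactly as written
    cp.read_string(ini_text)
    if not cp.has_section("user fields"):
        return {}
    fields, total = {}, 0
    for name, spec in cp.items("user fields"):
        m = _FIELD_RE.match(spec.strip())
        if not m:
            raise ValueError(f"bad definition: {name}={spec}")
        max_len, fmt = int(m.group(1)), m.group(2)
        if fmt is not None:
            bad = [c for c in fmt if c not in _CLASSES and c not in _LITERALS]
            if bad:
                raise ValueError(f"unknown format characters in {name}: {bad}")
            if len(fmt) > max_len:
                raise ValueError(f"Format longer than MaxLength in {name}")
        total += max_len
        fields[name] = (max_len, fmt)
    if total > 255:
        raise ValueError(f"MaxLength total {total} exceeds 255")
    return fields


def user_fields_or_comment(ini_text):
    """Fields to show in place of Comment, or None if Comment is retained."""
    try:
        return parse_user_fields(ini_text) or None
    except (ValueError, configparser.Error):
        return None


def check_value(value, max_len, fmt):
    """Return None if value fits the field definition, else the reason."""
    if len(value) > max_len:
        return f"longer than MaxLength {max_len}"
    if fmt is None:
        return None
    if len(value) != len(fmt):  # assumption: formatted values fill the Format
        return f"expected {len(fmt)} characters matching '{fmt}'"
    for pos, (ch, f) in enumerate(zip(value, fmt), start=1):
        ok = _CLASSES[f](ch) if f in _CLASSES else ch == f
        if not ok:
            return f"character {pos} ({ch!r}) does not match {f!r}"
    return None


def validate_user(fields, values):
    """Check every supplied value; return {fieldname: reason} for failures."""
    problems = {}
    for name, value in values.items():
        if name not in fields:
            problems[name] = "not a defined user field"
            continue
        reason = check_value(value, *fields[name])
        if reason:
            problems[name] = reason
    return problems


# Constructed seam.ini fragment using the guide's own SSN/Contact example.
SAMPLE_INI = """\
[password]
show = no

[user fields]
SSN=(MaxLength=11, Format='ddd-dd-dddd')
Contact=(MaxLength=20)
"""

if __name__ == "__main__":
    fields = user_fields_or_comment(SAMPLE_INI)
    print(fields)
    print(validate_user(fields, {"SSN": "123-45-6789", "Contact": "Ext 4411"}))
    print(validate_user(fields, {"SSN": "12345-6789", "Contact": "x" * 21}))
```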
Security Administrator Command Line Options

Security Administrator has several command line options, which are used to determine colors, width, and so on, as follows.

To start Security Administrator without the initial progress indicator window, use the -nologo flag:

    eTrustACDir/bin/seam -nologo

To size the Security Administrator Main window differently, change the setting with the -geometry flag:

    eTrustACDir/bin/seam -geometry WidthxHeight

where:

eTrustACDir
  Specifies the directory where you installed eTrust AC.

Width
  Specifies the desired width, in points.

Height
  Specifies the desired height, in points.

Note: An x must separate the Width and Height parameters.

The Password Generation Utility

You can write a password generation utility of your own, as a script or any other type of executable. Write it according to the following rules, reference it in the [password] section of your seam.ini file, and when Security Administrator is called upon to generate a password, it will use your utility. Otherwise, passwords are generated with the help of the default random algorithm.

If you write a password generation utility, observe the following rules. The utility must have these four parameters:

host_name
  The name of the host where the user is defined.

user_name
  The name of the user.

full_user_name
  The value of the user's Full User Name property in the eTrust environment.

comment
  The value of the user's Comment property in the eTrust environment. If you replaced the comment with user fields (see [user fields] Section in this appendix), then this is the concatenated value of those fields.

The utility must print the generated password to standard output. If any error occurs while the password is being generated, the utility must print an error message to standard output, and the string ERROR: must appear as the start of the error message.
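The utility contract above (four positional parameters, the password on standard output, an ERROR: line on standard output on failure) as an added example written in Python; it is not the SeamGenPasswd.sh sample that ships with the product. The password length and character policy, and the rule that the host name, user name, full name and comment words must not appear in the password, are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Password generation utility for Security Administrator (added example).

Invoked as: generator host_name user_name full_user_name comment
Prints the password, or a line starting with "ERROR:", to standard output.
Length, alphabet and the "no identifier inside the password" rule are this
example's assumptions, not product defaults.
"""
import secrets
import string
import sys

ALPHABET = string.ascii_letters + string.digits + "!@#%^&*-_=+"
LENGTH = 14  # assumption: site policy


def generate(host_name, user_name, full_user_name, comment):
    """Return a CSPRNG-generated password meeting this example's policy."""
    if not user_name:
        raise ValueError("user_name is empty")
    # Identifiers (3+ characters) that must not be embedded in the password,
    # compared case-insensitively; they are attacker-guessable per user.
    words = [user_name, host_name, *full_user_name.split(), *comment.split()]
    taboo = [w.lower() for w in words if len(w) >= 3]
    for _ in range(100):
        # secrets, not random: passwords need an unpredictable generator.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw))
        if all(classes) and not any(t in pw.lower() for t in taboo):
            return pw
    raise RuntimeError("could not generate a compliant password")


def run(args):
    """Return the single line to print for the given parameter list."""
    if len(args) != 4:
        return "ERROR: expected host_name user_name full_user_name comment"
    try:
        return generate(*args)
    except Exception as exc:  # any failure must surface as an ERROR: line
        return f"ERROR: {exc}"


if __name__ == "__main__":
    line = run(sys.argv[1:])
    print(line)
    sys.exit(1 if line.startswith("ERROR:") else 0)
```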
The eTrustACDir/samples directory includes an example of a password-generating script, SeamGenPasswd.sh. UNIX Exits As Security Administrator runs, it can trigger shell scripts or executables of your own, called UNIX exits. For example, you can perform an initialization process for each new user that is added, or you may want to perform some extra logging or screening of commands before they are executed. Note: For more information about how to run UNIX exits, see the Administrator Guide. seam.ini and UNIX Exits 277 UNIX Exits Passing Arguments to UNIX Exits Your exits can take advantage not only of all standard eTrust AC data, such as names and permissions, but also of additional information that you provide especially for exit-time use. For example, you may want to receive more information about a user's job description than that provided by standard eTrust AC properties. To define such extra properties: 1. Create a new text file in the eTrustACDir/data/seam/appl directory. The file is for storing names and default values of your extra properties. Give it an appropriate name. If you will be using many extra properties and you find it convenient to group them into categories, you can use this first file for one category and then repeat the procedure for other categories. Give each file a name that describes its category. Security Administrator will repeat the file names as category names in the property editor. (The property editor is the set of dialogs where you create or change values for record properties. The information for use by exits appears in a special section of the dialog, the APPL section.) 2. In the text file, begin each line with the name of a property. After the property, type a space and the default value for the property if you want it to have a default value. For example: calendar_file my_dates 3. Save the text file. Create further text files in the same directory, for further categories of properties, if you want. 4. 
If you want the APPL section of the property editor to include the actual values for your extra properties when you invoke the property editor to update a user or group, you must define a script to extract the properties in the [others] section of seam.ini. An example of how to define a script to extract the property values for users is:

       read_usr_appl = /opt/CA/eTrustAccessControl/data/seam/scripts/read_usr_appl.sh

   If you do not define a script to extract the properties of users or groups, only default values appear in the APPL section of the property editor when you update a user.

5. As you use Security Administrator and your pre-update and post-update exits are automatically invoked, the current values of your extra properties are passed to the exit programs. Which exits are invoked depends on the seos.ini file. For more information about how to specify which exit programs to run, see the chapter "UNIX Exits" in the Administrator Guide. If you want the values to remain available later, it is up to the exit program to save them, as described in Preserving the Values Passed to UNIX Exits in this appendix.

Preserving the Values Passed to UNIX Exits

When you use the APPL section of the property editor to pass extra user or group data to an exit program, Security Administrator does not save the data. It is the responsibility of the exit programs to save the data, if you want the data saved.

Saving

The exit receives the APPL data as a parameter from Security Administrator. The parameter's syntax is:

    APPL=Section1(Field1a=Value1a Field1b=Value1b ... ) \
         Section2(Field2a=Value2a Field2b=Value2b ... ) \
         ...

For example:

    APPL=Directories(pgms=programs arcv=archives) \
         Files(cal=calendar tel=phones hrs=hours)

At the host where the user or group is defined, the pre-update exit can save the APPL data in a temporary file. Then the post-update exit can save it at the local NIS server, for example.
Then to reload the data into Security Administrator when the user or group next appears in the property editor, you need a utility of your own: a user-written script or an executable program.

Reloading

The utility for reloading data into the property editor must accept the following input parameters from Security Administrator:

host_name
    The name of Security Administrator's current source host. If the current source is a PMDB, then host_name is the name of the host that governs the PMDB.
object_class
    USER or GROUP
object_name
    The name of the user or group.

The utility must print the extracted data to the standard output in the following format:

    .section1
    field1a value1a
    field1b value1b
    ...
    .section2
    field2a value2a
    field2b value2b
    ...

As you use this format:

Divide the output into sections, one section for each of the eTrustACDir/data/seam/appl/* files containing your data.

For the first line of each section, write a dot (.) followed by the file name from the appl directory.

For the remainder of each section, use lines each of which consists of a field name, a blank, and the value for the field. Do not use blanks in the field value. (You can use underscores instead.)

The utility must exit with 0 in the case of success and with any nonzero value in all other cases. The error message produced by the utility must be printed not on the standard error stream but, like the extracted data, on the standard output.

You must register the name of the utility in the appropriate field in the Others section of Security Administrator's Preferences dialog. Then the property editor automatically runs the utility and retrieves the data.
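The script below is an added example, not code from the guide or from CA, that covers the whole round trip described in steps 4 and 5 above and in the Saving and Reloading sections: it parses the APPL=Section(field=value ...) parameter the pre-update exit receives, stores it per object, and prints it back in the ".section / field value" format the reload utility must emit, exiting 0 on success or printing an ERROR: line on standard output and exiting nonzero otherwise. The store directory (APPL_STORE, default /var/tmp/seam_appl) and the --save/--reload flag wrapper are assumptions; the argument order Security Administrator uses when it calls a pre-update exit is documented in the Administrator Guide, not on this page, so adapt the wrapper to it (or split the two modes into two scripts if the registered utility cannot take a flag). Because object_name arrives from outside the script and is used to build a file path, the script refuses names that could escape the store directory.

```shell
#!/bin/sh
# Added example: one script that acts as the pre-update exit side (save the APPL=
# parameter) and as the reload utility (print it back in ".section / field value"
# format). Not a CA sample; store location and the --save/--reload flags are assumptions.
export LC_ALL=C
umask 077

# Where saved values live; override with APPL_STORE (assumption, not a seam.ini token).
store_dir() { printf '%s\n' "${APPL_STORE:-/var/tmp/seam_appl}"; }

# appl_to_sections 'APPL=Sec(a=1 b=2) \ Sec2(c=3)'  ->  ".Sec", "a 1", "b 2", ".Sec2", "c 3"
appl_to_sections() {
    printf '%s\n' "$1" | awk '
    {
        sub(/^APPL=/, "")
        n = split($0, tok, /[()]/)            # odd tokens: section names, even: "f=v f=v"
        for (i = 1; i + 1 <= n; i += 2) {
            sec = tok[i]
            gsub(/^[ \\]+|[ \\]+$/, "", sec)  # drop blanks and line-continuation backslashes
            if (sec == "") continue
            print "." sec
            m = split(tok[i + 1], kv, " ")    # values contain no blanks (guide rule)
            for (j = 1; j <= m; j++) {
                eq = index(kv[j], "=")
                if (eq > 1) print substr(kv[j], 1, eq - 1) " " substr(kv[j], eq + 1)
            }
        }
    }'
}

# object_class must be USER or GROUP; object_name must not be able to escape the store.
check_object() {
    case "$1" in USER|GROUP) ;; *) echo "ERROR: object_class must be USER or GROUP, got '$1'"; return 1 ;; esac
    case "$2" in ""|.|..|*/*|-*) echo "ERROR: invalid object_name '$2'"; return 1 ;; esac
    return 0
}

# save_appl object_class object_name 'APPL=...'    (pre-update exit side)
save_appl() {
    check_object "$1" "$2" || return 1
    dir=$(store_dir)/$1
    mkdir -p "$dir" && chmod 700 "$(store_dir)" "$dir" || { echo "ERROR: cannot create $dir"; return 1; }
    data=$(appl_to_sections "$3")
    if [ -z "$data" ]; then
        echo "ERROR: no APPL sections found in '$3'"
        return 1
    fi
    printf '%s\n' "$data" > "$dir/$2.tmp" && mv "$dir/$2.tmp" "$dir/$2"
}

# reload_appl host_name object_class object_name   (reload utility side)
reload_appl() {
    check_object "$2" "$3" || return 1
    f=$(store_dir)/$2/$3
    if [ ! -f "$f" ]; then
        echo "ERROR: no saved APPL data for $2 $3 (source host $1)"   # stdout, as required
        return 1
    fi
    cat "$f"
}

case "$1" in
    --save)   shift; save_appl "$@";   exit $? ;;
    --reload) shift; reload_appl "$@"; exit $? ;;
esac
```

Run with --save USER alice 'APPL=...' from the pre-update exit and register the script with --reload as the utility named in the Others section (the read_usr_appl token shown in step 4); Security Administrator then supplies host_name, object_class and object_name itself. The saved files are created with mode 0600 inside a 0700 directory because the values are administrative data about the account.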
Index

A
Access Control List (ACL) • 31
Access Control panel in Policy Manager • 22
ACCESS_ALL • 264
ACCESS_ATTRIB • 264
ACCESS_CREATE • 264
ACCESS_DELETE • 264
ACCESS_EXEC • 264
ACCESS_PERM • 264
ACCESS_READ • 264
ACCESS_WRITE • 264
accessors, definition of • 25
ACL (Access Control List) • 31
Active Directory properties in Windows 2000 • 30
Activity tabbed page of Security Administrator • 58
Activity window of Security Administrator
  about • 61
  closing • 63
  editing transactions • 71
  filtering hosts in • 70
  retrying transactions • 77
  viewing transaction progress • 68
ADMIN class • 210
ALL host group • 84
audit events • 181
audit log • 155
Audit Record Info dialog • 169
auditing user activities • 27

B
backout commands • 72

C
calendars, specifying access with • 32
CATEGORY class • 241
classes • 209
  ADMIN • 210
  CATEGORY • 241
  COM • 263
  CONNECT • 233
  DOMAIN • 33
  FILE • 213, 258, 260
  for • 209
  for UNIX • 258
  for Windows • 260
  GFILE • 216
  GHOST • 223
  GSUDO • 248
  GTERMINAL • 254
  HOLIDAY • 218
  HOST • 221
  HOSTNET • 225
  HOSTNP • 227
  PRINT • 262
  PROCESS • 236
  PROGRAM • 242
  REGKEY • 266
  REGVAL • 266
  SECFILE • 232
  SECLABEL • 239
  SHARE • 264
  SPECIALPGM • 34
  SUDO • 245
  SURROGATE • 256
  TCP • 251
  TERMINAL • 229
COM class • 263
command log in Policy Manager • 24
commands. See transactions • 65
configuration file of Security Administrator • 269
CONNECT class • 233
contacting technical support • 3
customer support, contacting • 3

D
database, Policy Model • 34
deleting
  groups • 113
  users • 102
DOMAIN class • 33

E
executing transactions • 65
exits. See UNIX exits • 277

F
FILE class • 213
  UNIX • 258
  Windows • 260
filtering
  groups • 105
  hosts • 70
  messages • 80
  resources • 119
  users • 92
for groups • 203
for resources • 209
for users • 193

G
GFILE class • 216
GHOST class • 223
groups
  about • 105
  Active Directory in Windows 2000 • 30
  adding to other environments • 110
  adding to resources • 131
  adding users to • 29, 111
  assigning Windows rights to • 26
  copying to another host • 112
  creating • 25, 106
  creating with templates • 107
  deleting • 113
  deselecting with wildcards • 108
  filtering • 105
  groups • 203
  modifying • 25, 110
  nesting • 29
  permissions • 114
  properties • 109, 202
  refreshing list of • 107
  removing users from • 111
  selecting with wildcards • 108
  synchronizing data with Windows • 30
  templates for creating • 107
  UNIX properties • 206
  Windows properties • 207
GSUDO class • 248
GTERMINAL class • 254

H
HOLIDAY class • 218
HOST class • 221
host groups
  adding hosts to • 85
  ALL • 84
  creating • 84
  deleting • 86
  removing hosts from • 86
Host Messages/Commands dialog • 74
HOSTNET class • 225
HOSTNP class • 227
hosts
  adding to host groups • 85
  copying groups to • 112
  copying users to • 101
  creating • 87
  deleting • 90
  deselecting • 88
  displaying • 89
  filtering • 70
  removing from host groups • 86
  selecting • 88
  source host • 66
  updating • 90

J
join. See users, adding to groups • 111

L
login, restricting • 26

M
Main window of seauditx
  about • 157
  acknowledgements in audit log • 177, 178
  comments in audit log • 174, 178
  filtering audit records • 165
  minimizing areas of • 164
  opening audit log • 167
  Options area • 159
  printing audit log • 179
  Switches area • 158
  Text Output area • 160
  viewing audit records • 169
Main window of seauditx. See also seauditx • 155
Main window of SecMon
  about • 184
  Detailed Info area • 188
  Text Output area • 186, 190
Main window of SecMon. See also SecMon • 181
Main window of Security Administrator
  about • 52
  Activity tabbed page • 58
  closing • 63
  menu bar • 54
  screen locker • 56
  toolbar • 55
menu bar • 16
  in Policy Manager • 16
  in Security Administrator • 54
messages
  filtering • 80
  printing • 81
  reviewing • 78

N
NACL (Negative Access Control List) • 31
Negative Access Control List (NACL) • 31

O
output bar • 24
  in Policy Manager • 24

P
passwords
  changing • 99
  policies • 142
  utility for generating • 277
permissions
  for groups • 114
  for users • 103, 104
PMDB (Policy Model database) • 34
Policy Model database • 34
Preferences window • 149
PRINT class • 262
printing messages • 81
PROCESS class • 236
program bar • 22
  in Policy Manager • 22
PROGRAM class • 242
properties • 193, 203, 209
  UNIX for groups • 206
  UNIX for resources • 258
  UNIX for users • 198
  Windows for groups • 207
  Windows for resources • 260
  Windows for users • 200

Q
querying properties. See viewing properties • 96

R
refreshing
  group list • 107
  user list • 94
REGKEY class • 266
REGVAL class • 266
reports of user access permissions • 104
resources
  about • 31, 117
  adding accessors to • 131
  classes • 209, 258
  copying • 127
  creating • 31, 120, 126
  deleting • 129
  deselecting with wildcards • 121
  displaying • 118
  filtering • 119
  modifying • 31, 123, 126
  properties • 122, 209
  protecting • 128
  protecting special programs • 34
  selecting with wildcards • 121
  using calendars with • 32
  Windows domain • 33
resources. See also classes • 209

S
screen locker • 56
seam.ini
  [bin] section • 275
  [defaults] section • 273
  [help_ini] section • 272
  [host_groups] section • 272
  [master_db] section • 270
  [messages] section • 272
  [others] section • 275
  [password] section • 271
  [print] section • 272
  [synchronize] section • 275
  [transaction] section • 271
  [user fields] section • 274
  about • 269
  tokens • 269
SeAM. See Security Administrator • 41
seauditx
  about • 155
  customizing • 180
  help for • 165
  Main window • 157
  seos.ini • 180
  setting preferences for • 179
  starting • 156
seauditx. See also Main window of seauditx • 155
SECFILE class • 232
SECLABEL class • 239
SecMon
  about • 181
  changing buffer size • 192
  deleting audit events • 191, 192
  Main window • 184
  selogrd.cfg file • 182
  starting • 182
  stopping and restarting retrieval of audit events • 191
SecMon. See also Main window of SecMon • 181
Security Administrator
  Activity window • 61
  command line options • 276
  configuration file • 269
  Edit window • 72
  exiting • 63
  Host Messages/Commands dialog • 74
  Main window • 52
  password generation utility • 277
  Preferences window • 149
  seam.ini • 269
  setting preferences for • 149
  starting • 51
  transactions, executing • 65
  UNIX exits • 277
  workflow • 58
selogrd.cfg • 182
seos.ini • 180, 269
seosd daemon • 51
setoptions command • 139
SHARE class • 264
source host • 66
SPECIALPGM class • 34
SUDO class • 245
support, contacting • 3
SURROGATE class • 256
synchronizing data with Windows • 30

T
TCP class • 251
technical support, contacting • 3
templates
  for creating groups • 107
  for creating users • 94
TERMINAL class • 229
toolbar • 20
  in Policy Manager • 20
  in Security Administrator • 55
Tools panel in Policy Manager • 23
transactions
  editing for all hosts • 72
  editing for one host • 74
  executing • 65
  retrying • 77
  reviewing messages • 78
  saving in a file • 76
  verifying before execution • 66
  viewing progress • 68

U
UNIX classes • 258
UNIX exits
  passing arguments to • 278
  reloading saved values • 280
  saving values from • 279
users
  about • 92
  Active Directory in Windows 2000 • 30
  adding to groups • 29, 111
  adding to resources • 131
  assigning Windows rights to • 26
  auditing • 27
  copying to another host • 101
  creating • 25, 93, 97
  creating with templates • 94
  deleting • 102
  deselecting with wildcards • 95
  filtering • 92
  modifying • 25, 97
  password • 99
  permissions • 103, 104
  personal information • 28
  properties • 96, 193
  refreshing list of • 94
  removing from groups • 111
  restricting login privileges • 26
  resuming • 100
  selecting with wildcards • 95
  suspending • 100
  synchronizing data with Windows • 30
  templates for creating • 94
  UNIX properties • 198
  users • 193
  Windows properties • 200

V
viewing properties
  groups • 109
  resources • 122
  users • 96

W
Windows classes • 260
Windows NT panel in Policy Manager • 23