SEOS Class
The SEOS class controls the behavior of the PAM Server Control authorization system. The class contains only one record, called SEOS, which specifies general security and authorization options. To view or change the status of SEOS class properties, use the setoptions command.
The following definitions describe the properties that are contained in this class record. Most properties are modifiable and can be manipulated using selang or the administration interfaces. Non-modifiable properties are marked informational.
- ACCPACL
  Indicates the order in which the UACC (defaccess) and PACL lists are scanned during authorization. When ACCPACL is active and explicit access is provided for a user through an ACL, that access is the allowed access. If there is no explicit access through an ACL but explicit access is defined through a PACL, the PACL access is the allowed access. If neither the ACL nor the PACL contains explicit access, defaccess is checked for access definitions. If ACCPACL is not active, the ACL is still checked first for explicit access. If the ACL contains no explicit access definitions for the resource being checked, the defaccess definitions are checked next. If no explicit access is defined in defaccess, the PACL access definitions are checked. When PAM Server Control is installed, the value of this property is set to yes. Use the accpacl or accpacl- parameter with the setoptions command to modify this property.
- ADMIN
  Each record in the ADMIN class defines what authorization privileges non-admin users have to administer specific classes. Each PAM Server Control class that is to be administered by specific non-admin users is represented by an ADMIN record. The record contains a list of accessors with the access authority of each. Example: to allow user John to view FILE class rules, specify "authorize ADMIN FILE uid(John) access(read)". If the ADMIN class is off, a non-admin user cannot obtain administrator privileges through ADMIN class records.
- APPL
  Indicates whether the APPL class is active.
- AUTHHOST
  Indicates whether the AUTHHOST class is active.
- CALENDAR
  Indicates whether the CALENDAR class is active.
- CATEGORY
  Indicates whether the CATEGORY class is active.
- CNG_ADMIN_PWD
  Indicates whether a user with the PWMANAGER attribute can change an ADMIN user's password using selang. The default is yes. Use the class+ or class- parameter and the cng_adminpwd option with the setoptions command to activate or inactivate this property.
- CNG_OWN_PWD
  Indicates whether users can change their own passwords using selang. Use the class+ or class- parameter and the cng_ownpwd option with the setoptions command to activate or inactivate this property.
- COMMENT
  Defines additional information that you want to include in the record. PAM Server Control does not use this information for authorization. Limit: 255 characters.
- CONNECT
  Indicates whether the CONNECT class is active. When the CONNECT class is active, records in the class protect outgoing connections. If the HOST class is active, the CONNECT class is not used as an active class, even when activated. If the TCP class is active, the CONNECT class is not used as an active class.
- CREATE_TIME
  (Informational) Displays the date and time when the record was created.
- DAYTIMERES
  (UNIX only) Indicates whether PAM Server Control checks the daytime restrictions on resources.
- DMS
  List of DMS servers to which this database should send notifications.
- DOMAIN
  (Windows only) Indicates whether the DOMAIN class is active.
- ENDTIME
  (Informational) The date and time the database files were last closed in an orderly manner.
- FILE
  Indicates whether the FILE class is active. When the FILE class is active, records in the class protect files and directories.
- ACCGRR
  The accumulative group rights option (ACCGRR) affects how PAM Server Control checks the ACL of a resource. If ACCGRR is enabled, PAM Server Control checks the ACL for the authorities that are granted by all the groups to which the user belongs. If ACCGRR is disabled, PAM Server Control checks the ACL to see if any of the applicable entries contain the value none. If so, access is denied. Otherwise PAM Server Control ignores all group entries except the first applicable one in the access control list. Use the setoptions command with the ACCGRR option to enable or disable this property.
- HOLIDAY
  Indicates whether the HOLIDAY class is active. When the HOLIDAY class is active, users need extra permission to log in during defined holiday periods.
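To make the two evaluation orders concrete, the following Python model (an added example, not part of this documentation or of the product's code) implements the ACCPACL scan order described above and the ACCGRR group-rights rule described here. The rule storage (dicts keyed by accessor and by calling program), the representation of an access as a set of authorities with an empty set standing for none, and the scan order of a user's groups are assumptions made for illustration.

```python
# Added example, not code from the PAM Server Control documentation: a model of
# the ACCPACL and ACCGRR evaluation orders. Rule storage and the "set of
# authorities" representation are assumptions made for illustration.
from typing import Dict, List, Optional, Set

Authorities = Set[str]   # e.g. {"read", "write"}; an empty set models "none"

def acl_access(acl: Dict[str, Authorities], user: str, groups: List[str],
               accgrr: bool) -> Optional[Authorities]:
    """Return the explicit ACL authorities for the accessor, or None when the
    ACL has no applicable entry. `groups` is in ACL scan order (assumed)."""
    entries = [acl[a] for a in [user, *groups] if a in acl]
    if not entries:
        return None
    if accgrr:
        # Accumulative group rights: union of every applicable entry.
        return set().union(*entries)
    # ACCGRR off: any applicable "none" entry denies; otherwise only the
    # first applicable entry counts.
    if any(len(e) == 0 for e in entries):
        return set()
    return entries[0]

def authorize(acl: Dict[str, Authorities], pacl: Dict[str, Authorities],
              defaccess: Optional[Authorities], user: str, groups: List[str],
              program: str, requested: str,
              accpacl: bool = True, accgrr: bool = True) -> bool:
    """Decide `requested` access using the ACL / PACL / defaccess order
    selected by ACCPACL. A None defaccess means no default was defined."""
    from_acl = acl_access(acl, user, groups, accgrr)
    from_pacl = pacl.get(program)          # PACL keyed by the calling program
    if accpacl:
        order = (from_acl, from_pacl, defaccess)   # ACL, then PACL, then UACC
    else:
        order = (from_acl, defaccess, from_pacl)   # ACL, then UACC, then PACL
    for granted in order:
        if granted is not None:            # first list with an explicit entry decides
            return requested in granted
    return False

if __name__ == "__main__":
    # Constructed rules: no ACL entry for "john", a PACL entry for /usr/bin/vi
    # and an explicit read-only default access.
    acl = {"auditors": {"read"}, "ops": set()}
    pacl = {"/usr/bin/vi": {"read", "write"}}
    print(authorize(acl, pacl, {"read"}, "john", [], "/usr/bin/vi", "write"))                 # True
    print(authorize(acl, pacl, {"read"}, "john", [], "/usr/bin/vi", "write", accpacl=False))  # False
    print(authorize(acl, pacl, {"read"}, "bob", ["auditors", "ops"], "/bin/cat", "read"))     # True
    print(authorize(acl, pacl, {"read"}, "bob", ["auditors", "ops"], "/bin/cat", "read", accgrr=False))  # False
```

With ACCPACL off, the explicit defaccess is consulted before the PACL, so the program-conditional grant never applies; with ACCGRR off, the "none" entry of the ops group denies bob even though the auditors group grants read.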
- HOST
  Indicates whether the HOST class is active. When the HOST class is active, PAM Server Control protects incoming TCP/IP service requests from remote hosts. If the HOST class is active, the TCP and CONNECT classes are not used as active classes, even when activated. The default for the HOST class is active.
- INACT
  Indicates the number of inactive days after which user login is suspended. An inactive day is a day on which the user does not log in. A value for the INACTIVE property in a USER record overrides a value in a GROUP record. Both override the INACT property in the SEOS class record. Use the inactive or inactive- parameter with the setoptions command to update this property.
- ISDMS
  True if the PMDB serves as a DMS.
- LOGINAPPL
  (UNIX only) Indicates whether the LOGINAPPL class is active.
- MAXLOGINS
  The maximum number of concurrent logins (terminal sessions) a user is allowed, after which the user is denied access. A zero value indicates no maximum, and the user can log in to any number of terminal sessions concurrently. The value must be either zero or greater than 1 if the user wants to log in and run selang or otherwise administer the database, because PAM Server Control considers each task (login, selang, GUI, and so forth) to be a terminal session. A value for the MAXLOGINS property in a USER record overrides a value in a GROUP record. Both override the MAXLOGINS property in the SEOS class record. The value in the SEOS record is the default used when there is no explicit value in the accessor record. Use the maxlogins parameter with the chres, editres, and newres commands to modify this property for the SEOS class.
- MFTERMINAL
  Indicates whether the MFTERMINAL class is active.
- PASSWDRULES
  Indicates the password rules. This property contains a number of fields that determine how PAM Server Control handles password protection. For a complete list of the rules, see the modifiable property PROFILE of the USER class. Use the password parameter and the rules or rules- option with the setoptions command to modify this property.
- PASSWORD
  Indicates whether password checking is active. Use the class+ or class- parameter and the PASSWORD option with the setoptions command to activate or inactivate this property.
- PROCESS
  Indicates whether the PROCESS class is active. When the PROCESS class is active, records in the class protect defined processes from kill attempts. The file must also be defined in the FILE class.
- PROGRAM
  Indicates whether the PROGRAM class is active. When the PROGRAM class is active, records in the class protect defined programs that were marked as Trusted.
- PWPOLICY
  Indicates whether the PWPOLICY class is active.
- REGKEY
  (Windows only) Indicates whether the REGKEY class is active.
- REGVAL
  (Windows only) Indicates whether the REGVAL class is active.
- RESOURCE_DESC
  Indicates whether the RESOURCE_DESC class is active.
- RESPONSE_TAB
  Indicates whether the RESPONSE_TAB class is active.
- SECLABEL
  Indicates whether the SECLABEL class is active.
- SECLEVEL
  Indicates whether the SECLEVEL class is active.
- STARTTIME
  (Informational) The date and time the database files were last opened.
- SUDO
  Indicates whether the SUDO class, used by sesudo, is active.
- SYSTEM_AAUDIT_MODE
  Specifies the default audit mode (systemwide audit mode) for users and enterprise users. Default: Failure, LoginSuccess, LoginFailure.
- SURROGATE
  Indicates whether the SURROGATE class is active. When the SURROGATE class is active, PAM Server Control protects surrogate requests.
- TCP
  Indicates whether the TCP class is active. When the TCP class is active, PAM Server Control protects incoming and outgoing TCP services such as mail, ftp, and http. If the HOST class is active, the TCP class is not used as an active class, even when activated. If the TCP class is active, the CONNECT class is not used as an active class.
- TERMINAL
  Indicates whether the TERMINAL class is active. When the TERMINAL class is active, PAM Server Control performs a terminal access check during sign-on and protects X-window sessions.
- USER_ATTR
  Indicates whether the USER_ATTR class is active.
- USER_DIR
  Indicates whether the USER_DIR class is active.
- UPDATE_TIME
  (Informational) Displays the date and time when the record was last modified.
- UPDATE_WHO
  (Informational) Displays the administrator who performed the update.