UNIX_SOCKET Class
Each record in the UNIX_SOCKET class defines the access that is allowed to a specific Unix named socket. You can define a rule even if the named socket file has not been created yet.
Note: The UNIX_SOCKET class is not enabled by default.
The key of a UNIX_SOCKET class record is the pathname of the socket that the record protects. The full path must be specified.
Unix domain sockets in the abstract namespace (which have no pathname) are also supported on Linux. In this case the key of the UNIX_SOCKET record is the abstract name without the leading null character. For example, the key for a Unix socket with the abstract name "\0hidden" is just "hidden".
The following definitions describe the properties that are contained in this class record. Most properties are modifiable and can be manipulated using Selang or the administration interfaces. Non-modifiable properties are marked informational:
- ACL: Defines a list of accessors (users and groups) permitted to access the resource, and their access types. Each element in the access control list (ACL) contains the following information:
  - Accessor: Defines the user or group that is attempting to access the resource under protection.
  - Access: Defines the access authority that the Accessor has to the resource. Use the Access parameter with the Authorize or Authorize- command to modify the ACL.
- CALACL: Defines a list of the accessors (users and groups) that are permitted to access the resource, and their access types according to the CA Unicenter NSM calendar status. Each element in the Calendar Access Control List (CALACL) contains the following information:
  - Accessor: Defines the user or group that is attempting to access the resource under protection.
  - Calendar: Defines a reference to a calendar in Unicenter TNG. Use the Calendar parameter with the Authorize command to permit user or group access to the resource according to the access defined in the calendar ACL.
  - Access: Defines the access authority that the accessor has to the resource. Access is permitted only when the calendar is ON. Access is denied in all other cases.
- CALENDAR: Represents a Unicenter TNG calendar object for user, group, and resource restrictions in PAM Server Control. PAM Server Control fetches Unicenter TNG active calendars at specified time intervals.
- CATEGORY: Defines one or more security categories that are assigned to a user or resource.
- COMMENT: Defines additional information that you can include in the record. PAM Server Control does not use this information for authorization. Limit: 255 characters.
- CREATE_TIME: Displays the date and time when the record was created.
- DAYTIME: Defines the day and time restrictions that govern when an accessor can access a resource. Use the Restrictions parameter with the chres, ch[x]usr, or ch[x]grp commands to modify this property. The resolution of daytime restrictions is one minute.
- GROUPS: The list of GFILE or CONTAINER records that a resource record belongs to. DB property: GROUPS. To modify this property in a FILE class record, change the MEMBERS property in the appropriate CONTAINER or GFILE record. Use the mem+ or mem- parameter with the chres, editres, or newres command to modify this property.
- NACL: The NACL property of a resource is an access control list. The list defines the accessors that are denied authorization to a resource, along with the type of access that they are denied (for example, write). See also ACL, CALACL, PACL. Each entry in the NACL contains the following information:
  - Accessor: Defines the user or group that is attempting to access the resource under protection.
  - Access: Defines the type of access that is denied to the accessor. Use the Authorize Deniedaccess command, or the Authorize- Deniedaccess- command, to modify this property.
- NOTIFY: Defines the user to be notified when a resource or user generates an audit event. CA Privileged Identity Manager can email the audit record to the specified user. Limit: 30 characters.
- Owner: Defines the user or group that owns the record.
- PACL: Defines a list of accessors that can access the resource when the access request is made by a specific program, or by a program that matches a name pattern, together with their access types. Each element in the program access control list (PACL) contains the following information:
  - Accessor: Defines the user or group that is attempting to access the resource under protection.
  - Program: Defines a reference to a record in the PROGRAM class, either specifically or by wildcard program matching.
  - Access: Defines the access authority that the accessor has to the resource. Use the via(pgm) parameter with the Selang Authorize command to add programs, accessors, and their access types to a PACL. Use the Authorize- command to remove accessors from a PACL.
- RAUDIT: Defines the types of access events that PAM Server Control records in the audit log. RAUDIT derives its name from Resource AUDIT. Valid values are the following:
  - all: All access requests.
  - success: Granted access requests.
  - failure: Denied access requests.
  - none: No access requests.
  PAM Server Control records events on each attempted access to a resource, and does not record whether the access rules were applied directly to the resource or to a group or class that had the resource as a member. Use the audit parameter of the chres and chfile commands to modify the audit mode.
- SECLABEL: Defines the security label of a user or resource. The SECLABEL property corresponds to the label[-] parameter of the chres and ch[x]usr commands.
- SECLEVEL: Defines the security level of an accessor or resource. This property corresponds to the level[-] parameter of the ch[x]usr and chres commands.
- UUAC: Defines the default access authority for the resource. This access authority is granted to accessors who are not defined to PAM Server Control or who do not appear in the ACL of the resource. Use the Defaccess parameter with the chres, editres, or newres command to modify this property.
- UNTRUST: Defines whether the resource is untrusted or trusted. If the UNTRUST property is set, accessors cannot use the resource. If the UNTRUST property is not set, the other properties listed in the database for the resource are used to determine accessor access authority. If a trusted resource is changed in any way, PAM Server Control sets the UNTRUST property automatically. Use the trust[-] parameter with the chres, editres, or newres command to modify this property.
- UPDATE_TIME (Informational): Displays the date and time when the record was last modified.
- UPDATE_WHO (Informational): Displays the administrator who performed the update.
- WARNING: Specifies whether Warning mode is enabled. If you enable Warning mode on a resource, all access requests to the resource are granted; if an access request violates an access rule, a record is written to the audit log.
Example:
This example shows how to restrict access so that only user1 can connect to the Unix socket /run/docker.sock, and how to audit all access attempts:

```
AC> so class+(UNIX_SOCKET)
AC> nr UNIX_SOCKET /run/docker.sock owner(nobody) defaccess(none) audit(all)
AC> auth UNIX_SOCKET /run/docker.sock uid(user1) access(connect)
```
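The following Selang script is an added example that extends the one above; it is not part of the product documentation. It walks through the property list of this page on two sockets: the pathname socket /run/docker.sock and the abstract-namespace socket "\0hidden" (whose record key is "hidden", as described above). The user names user1 and guest, the group deploy, and the program /usr/bin/docker are placeholders that must exist on the host; the parameters used (defaccess, audit, via(pgm), deniedaccess, warning, warning-) are the ones named in the property descriptions, and the script assumes that selang run from a file accepts lines beginning with # as comments.

```selang
# Added example: enable the class, then define the pathname socket with
# default access none and auditing of every attempt.
so class+(UNIX_SOCKET)
nr UNIX_SOCKET /run/docker.sock owner(nobody) defaccess(none) audit(all)

# ACL: user1 (placeholder) may connect directly.
auth UNIX_SOCKET /run/docker.sock uid(user1) access(connect)

# PACL: members of group deploy (placeholder) may connect only when the
# request comes from /usr/bin/docker (placeholder PROGRAM record).
nr PROGRAM /usr/bin/docker
auth UNIX_SOCKET /run/docker.sock gid(deploy) access(connect) via(pgm(/usr/bin/docker))

# NACL: user guest (placeholder) is denied connect even if a group grant
# would otherwise apply.
auth UNIX_SOCKET /run/docker.sock uid(guest) deniedaccess(connect)

# Abstract-namespace socket "\0hidden": the key drops the leading null
# character. Audit only denied requests here.
nr UNIX_SOCKET hidden owner(nobody) defaccess(none) audit(failure)
auth UNIX_SOCKET hidden uid(user1) access(connect)

# Roll the pathname rule out in Warning mode first: violations are logged
# but not blocked. After reviewing the audit log, turn enforcement on.
chres UNIX_SOCKET /run/docker.sock warning
chres UNIX_SOCKET /run/docker.sock warning-

# Show the resulting ACL, PACL, NACL, RAUDIT and WARNING properties.
sr UNIX_SOCKET /run/docker.sock
sr UNIX_SOCKET hidden
```

Running the script with Warning mode on for a few days and reviewing the audit records written for rule violations tells you which processes actually connect to the socket before the `warning-` line starts denying them.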