UNIX_SOCKET Class
Each record in the UNIX_SOCKET class defines the access that is allowed to a specific Unix domain socket (a named socket). You can define a rule before the socket file exists.

Note: The UNIX_SOCKET class is not enabled by default. Enable it with the setoptions class+ command (so class+(UNIX_SOCKET) in selang); rules in the class are not enforced until you do.
The key of a UNIX_SOCKET record is the pathname of the socket that the record protects. Specify the full (absolute) path.
On Linux, Unix domain sockets in the abstract namespace (which have a name rather than a pathname) are also supported. In that case the key is the abstract name without the leading null byte. For example, the key for a socket whose abstract name is "\0hidden" is just "hidden".
The following definitions describe the properties that are contained in this class record. Most properties are modifiable and can be manipulated using Selang or the administration interfaces. Non-modifiable properties are marked informational:
 
  • ACL
    Defines a list of accessors (users and groups) permitted to access the resource, and the accessor access types. Each element in the access control list (ACL) contains the following information:
    • Accessor
      Defines the user or group that is attempting to access the resource under protection.
    • Access
      Defines the access authority that the Accessor has to the resource. Use the Access Parameter with the Authorize or Authorize- command to modify the ACL.
  • CALACL
    Defines a list of the accessors (users and groups) that are permitted to access the resource, and their access types according to the CA Unicenter NSM calendar status. Each element in the Calendar Access Control List (CALACL) contains the following information:
    • Accessor
      Defines the user or group that is attempting to access the resource under protection.
    • Calendar
       Defines a reference to a calendar in Unicenter TNG. Use the Calendar parameter with the Authorize command to permit user or group access to the resource according to the access defined in the calendar ACL.
    • Access
       Defines the access authority that the accessor has to the resource. Access is permitted only when the calendar is ON. Access is denied in all other cases.
  • CALENDAR
    Represents a Unicenter TNG calendar object for user, group, and resource restrictions in PAM Server Control. PAM Server Control fetches Unicenter TNG active calendars at specified time intervals.
  • CATEGORY
    Defines one or more security categories that are assigned to a user or resource.
  • COMMENT
    Defines additional information that you can include in the record. PAM Server Control does not use this information for authorization. Limit: 255 characters.
  • CREATE_TIME
    Displays the date and time when the record was created.
  • DAYTIME
    Defines the day and time restrictions that govern when an accessor can access a resource. Use the Restrictions parameter with the chres, ch[x]usr, or ch[x]grp commands to modify this property. The resolution of daytime restrictions is one minute.
  • GROUPS
    The list of GFILE or CONTAINER records that the resource record belongs to. DB property: GROUPS
    You cannot change this property directly in the UNIX_SOCKET record. Instead, change the MEMBERS property of the appropriate CONTAINER or GFILE record, using the mem+ or mem- parameter with the chres, editres, or newres command.
  • NACL
     The NACL property of a resource is an access control list. The list defines the accessors that are denied authorization to a resource, along with the type of access that they are denied (for example, write). See also ACL, CALACL, PACL. Each entry in the NACL contains the following information:
    • Accessor
      Defines the user or group that is attempting to access the resource under protection.
    • Access
       Defines the type of access that is denied to the accessor. Use the Authorize Deniedaccess command, or the Authorize- Deniedaccess- command, to modify this property.
  • NOTIFY
     Defines the user to be notified when a resource or user generates an audit event. CA Privileged Identity Manager can email the audit record to the specified user. Limit: 30 characters.
  • Owner
    Defines the user or group that owns that record.
  • PACL
    Defines a list of accessors that can access the resource when the access request is made by a specific program (or by a program that matches a name pattern), together with their access types. Each element in the program access control list (PACL) contains the following information:
    • Accessor
      Defines the user or group that is attempting to access the resource under protection.
    • Program
      Defines a reference to a record in the PROGRAM class, either specifically or by wild card program matching.
    • Access
      Defines the access authority that the accessor has to the resource.
      Use the via(pgm) parameter with the Selang Authorize command to add programs, accessors, and their access types to a PACL. You can use the Authorize- command to remove accessors from a PACL.
  • RAUDIT
    Defines the types of access events that PAM Server Control records in the audit log. RAUDIT derives its name from Resource AUDIT. Valid values are the following:
    • all
      All access requests.
    • success
      Granted access requests.
    • failure
      Denied access requests.
    • none
      No access requests.
    PAM Server Control records events on each attempted access to a resource, and does not record whether the access rules were applied directly to the resource, or were applied to a group or class that had the resource as a member. Use the audit parameter of the chres and chfile commands to modify the audit mode.
  • SECLABEL
    Defines the security label of a user or resource.
    The SECLABEL property corresponds to the label[-] parameter of the chres and ch[x]usr commands.
  • SECLEVEL
    Defines the security level of an accessor or resource. This property corresponds to the level[-] parameter of the ch[x]usr and chres commands.
  • UUAC
    Defines the default access authority for the resource. This access authority is the access that is granted to accessors who are not defined to PAM Server Control, or who do not appear in the ACL of the resource. Use the Defaccess parameter with the chres, editres, or newres command to modify this property.
  • UNTRUST
    Defines whether the resource is untrusted or trusted. If the UNTRUST property is set, accessors cannot use the resource. If the UNTRUST property is not set, the other properties that are listed in the database for the resource are used to determine accessor access authority. If a trusted resource is changed in any way, PAM Server Control sets the UNTRUST property automatically.
    Use the trust[-] parameter with the chres, editres, or newres command to modify this property.
  • UPDATE_TIME
    (Informational) Displays the date and time when the record was last modified.
  • UPDATE_WHO
    (Informational) Displays the administrator who performed the update.
  • WARNING
    Specifies whether Warning mode is enabled. If you enable Warning mode on a resource, all access requests to the resource are granted; if a request violates an access rule, a record is written to the audit log instead of the request being denied.
Example:
This example shows how to enable the class, then restrict access so that only user1 can connect to the Unix domain socket /run/docker.sock, with all access attempts audited. (so, nr, and auth are the selang abbreviations of setoptions, newres, and authorize.)
AC> so class+(UNIX_SOCKET)
AC> nr UNIX_SOCKET /run/docker.sock owner(nobody) defaccess(none) audit(all)
AC> auth UNIX_SOCKET /run/docker.sock uid(user1) access(connect)
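The following shell script is an added example, not part of the product documentation or the product's own tooling. It shows how to derive the UNIX_SOCKET record key from a socket name as it appears in `ss -xl` or /proc/net/unix (which print abstract-namespace sockets with a leading "@" in place of the null byte; that convention is an assumption of this example, not something the page states) and then emit the selang commands from the example above for every listening socket. The sample `ss` output is constructed, and user1 and the access type are placeholders taken from the example.

```shell
#!/bin/sh
# Added example (not from the CA/Broadcom documentation): derive UNIX_SOCKET
# record keys and generate selang rules for listening Unix domain sockets.
# Assumption: `ss -xl` / /proc/net/unix show abstract sockets as "@name".

# unix_socket_key NAME -> prints the UNIX_SOCKET key, or fails.
#   /run/foo.sock -> /run/foo.sock   (pathname socket: full path required)
#   @hidden       -> hidden          (abstract socket: drop the null marker)
unix_socket_key() {
    case "$1" in
        @?*) printf '%s\n' "${1#@}" ;;
        /*)  printf '%s\n' "$1" ;;
        *)   printf 'not an absolute path or abstract name: %s\n' "$1" >&2
             return 1 ;;
    esac
}

# selang_rules NAME USER -> prints the selang commands that allow only USER
# to connect to socket NAME, with every access attempt audited.
selang_rules() {
    key=$(unix_socket_key "$1") || return 1
    printf 'nr UNIX_SOCKET %s owner(nobody) defaccess(none) audit(all)\n' "$key"
    printf 'auth UNIX_SOCKET %s uid(%s) access(connect)\n' "$key" "$2"
}

# Constructed sample of `ss -xl` output (not a real capture).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port
u_str LISTEN 0      128    /run/docker.sock 12345
u_str LISTEN 0      4096   @hidden 12346
u_str LISTEN 0      10     /run/systemd/journal/stdout 12347'

# rules_from_ss USER -> selang rule set for every LISTEN socket in SAMPLE_SS:
# one "so class+" line, then a newres and an authorize line per socket.
rules_from_ss() {
    printf 'so class+(UNIX_SOCKET)\n'
    printf '%s\n' "$SAMPLE_SS" | awk 'NR > 1 && $2 == "LISTEN" { print $5 }' |
    while read -r name; do
        selang_rules "$name" "$1"
    done
}

rules_from_ss user1
```

To use it against a live host, replace SAMPLE_SS with the output of `ss -xl` and review the generated lines before feeding them to selang; the script deliberately rejects relative names, because a UNIX_SOCKET key must be either a full path or an abstract name.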