SEOS_syscall

In the [SEOS_syscall] section, the SEOS_syscall kernel module uses the following tokens.
  • bypass_NFS
    Determines whether to bypass NFS files from SEOS events.
    Valid values:
    0 - Do not bypass NFS files
    1 - Bypass NFS files
    Default: 0
  • bypass_realpath
    Specifies whether to bypass real file path resolution for authorization.
    If you enable this setting (1), Privileged Access Manager does not resolve file paths for authorization. This accelerates file event handling. However, generic rules are not enforced for file accesses that are made through links.
    Example: A deny access rule for /realpath/files/* is not considered if this setting is enabled and a user accesses a file in this directory through a link. Create a generic rule for the link path too (/alternatepath/*).
    Default: 0 (disabled)
  • cache_enabled
    Determines whether to use caching for full path resolution when determining access permissions for files.
    Valid values:
    0 - No caching
    1 - Use caching
    Default: 0
  • cache_rate
    Determines the cache rate used when caching is enabled for full path resolution. Larger values mean better caching.
    Default: 10000
  • cache_realpath
    Specifies whether to cache the resolved full path.
    Valid values:
    0 - No caching
    1 - Use caching
    Default: 0
  • call_tripAccept_from_seload
    Determines whether to call tripAccept from the seload command after Privileged Access Manager starts. If tripAccept is called, this token defines a comma-separated list of TCP/IP ports that tripAccept connects to in order to wake up the listeners on those ports.
    Valid values:
    1 to 64000 - Any TCP/IP port number
    0 - Do not call tripAccept from seload
    Limits: 0-64000
    Default: 0
  • cdserver_conn_res
    Determines whether to treat T_CONN_RES streams messages as high priority messages in the fiwput routine on UnixWare.
    Valid values:
    1 - Handle T_CONN_RES streams messages as high priority messages in the fiwput routine
    0 - Handle T_CONN_RES streams messages as low priority messages in the fiwput routine
    Default: 0 (1 on UnixWare)
  • debug_protect
    Determines whether to allow debugging of any program while Privileged Access Manager is running.
    Valid values:
    0 - Debugging allowed
    1 - Debugging not allowed
    Default: 1
  • DESCENDENT_dependent
    Determines whether only a descendant of a SEOS daemon can register a SEOS service.
    Valid values:
    0 - Anyone can register a SEOS service
    1 - Only a descendant can register a SEOS service
    Default: 0
  • dtrace_coexistence
    Defines how Privileged Access Manager coexists with dtrace. If dtrace is installed and set to monitor syscalls, it loads the systrace kernel module. This module interacts with Privileged Access Manager with undefined results and can cause a system panic or syscall interception problems.
    Valid values:
    0 - Privileged Access Manager prevents dtrace from loading the systrace kernel module
    1 - Dtrace loads the systrace kernel module. In this case you must ensure that your system loads the modules and Privileged Access Manager in the following order:
    1. Load and start Privileged Access Manager (seload)
    2. Load systrace (modprobe systrace)
    3. dtrace system calls
    4. Unload systrace (rmmod systrace)
    5. Stop Privileged Access Manager (secons -sk)
    6. Unload Privileged Access Manager (SEOS_load -u)
    Loading systrace and Privileged Access Manager in a different order can result in a system panic or syscall interception problems.
    Default: 0 (dtrace is prevented from loading)
  • exec_read_enabled
    Specifies whether the Privileged Access Manager kernel identifies script execution.
    Valid values:
    0 - Privileged Access Manager kernel does not identify script execution
    1 - Privileged Access Manager kernel identifies script execution
    Default: 0
  • file_bypass
    Indicates whether Privileged Access Manager checks file access for files that are not defined in the database. By default, Privileged Access Manager does not check files that are not defined in the database.
    Valid values:
    -1 - Do not check all files
    0 - Check all files
    Default: -1
  • file_rdevice_max
    Defines the maximum number of devices in the device protection table.
    Default: 0 (Privileged Access Manager does not protect system devices)
    Note: We recommend that you specify a minimum of 20 system devices.
  • GAC_root
    Determines whether to use GAC caching for files when the user is root. By default, GAC is not used when the user is root.
    Valid values:
    0 - No caching for the root user
    1 - Use caching for root
    Default: 0
  • HPUX11_SeOS_Syscall_number
    Determines the default syscall number used to communicate with SEOS_syscall on HP-UX.
    Valid values include any unused syscall entry number in sysent.
    Default: 254
  • kill_signal_mask
    Defines which signals to protect.
    Valid values include a mask that ORs (includes) all the signals for which SEOS events are wanted.
    Default: events for SIGKILL, SIGSTOP, and SIGTERM. The actual value varies by platform:
    • (HP-UX) 0x804100
    • (Sun Solaris) 0x404100
    • (IBM AIX and Digital DEC UNIX) 0x14100
    • (Linux) 0x44100
  • LINUX_SeOS_Syscall_number
    Determines the default syscall number used to communicate with SEOS_syscall on Linux.
  • max_generic_file_rules
    (Valid on AIX, HP, Linux, and Solaris only) Defines the maximum number of generic file rules allowed in the database.
    Note: A large number may cause strange behaviors on different platforms. For assistance, contact CA Support at http://ca.com/support.
    Valid values include any number greater than 511.
    Default: 256
  • max_regular_file_rules
    (Valid on AIX, HP, Linux, and Solaris only) Defines the maximum number of file rules allowed in the database.
    Note: A large number may cause strange behaviors on different platforms. For assistance, contact CA Support at http://ca.com/support.
    Valid values include any number greater than 4095.
    Default: 4096
  • mount_protect
    Determines whether to allow mounting and unmounting of directories used by Privileged Access Manager.
    Valid values:
    0 - Allow mounting
    1 - Do not allow mounting
    Default: 1
  • proc_bypass
    Determines whether to check file access when a file belongs to a process file system (/proc).
    Valid values:
    0 - Token is ignored
    1 - Bypass file access checks
    Default: 1
  • SEOS_network_intercept_type
    (Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)
    Specifies the type of network interception to use.
    Configure SEOS_use_streams = yes. Do not modify the SEOS_network_intercept_type token yourself. For assistance, contact Broadcom Support at https://www.broadcom.com/support.
    Valid values:
    0 - TCP Hook
    1 - Streams
    2 - Network System Call
    Default: 2
  • SEOS_request_timeout
    Specifies how long a request is kept in the authorization queue.
    Valid values:
    0 - Timeout is disabled
    2 to 1000 - The timeout interval in seconds
    Default: 0
    Note: If the timeout is set to less than 2 seconds or more than 1000 seconds, Privileged Access Manager reverts to the default value (0) and no timeout is applied.
  • SEOS_streams_attach
    (Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)
    Specifies whether Privileged Access Manager attaches the SEOS Streams to the open TCP streams during startup. If you change this setting, restart all daemons that already listen to the network so that Privileged Access Manager can protect them.
    Note: To use SEOS_streams_attach, configure SEOS Streams as the network interception method.
    Valid values are yes and no.
    Default: yes
  • SEOS_unload_enabled
    Determines whether the SEOS_syscall kernel module can be unloaded.
    Valid values:
    0 - Do not allow the unload
    1 - Allow the unload
    Default: 1
  • SEOS_use_ioctl
    Specifies the Privileged Access Manager kernel module communication method (ioctl or system call). You can use the ioctl communication method when all available system call numbers are in use by the operating system.
    Do not modify this token yourself. For assistance, contact Broadcom Support at https://www.broadcom.com/support.
    Valid values:
    0 - System call
    1 - ioctl
    Default: 0
  • SEOS_use_streams
    (Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11)
    Specifies whether to use the streams subsystem for network interception.
    Valid values are yes and no.
    Default: no
  • silent_admin
    Defines the user ID of the maintenance user. The activity of this user is permitted when security is down and silent_deny is yes. To define the maintenance user, specify the numeric UNIX UID of the user.
    Default: 0 (user ID of root)
  • silent_deny
    Determines whether to deny any event when security is down.
    Valid values:
    yes - Silent deny is enabled (maintenance mode)
    no - Silent deny is disabled
    Default: no
  • STAT_intercept
    Specifies whether to check file access when a STAT system call occurs.
    Valid values:
    0 - Do not check file access
    1 - Check file access
    If you specify 1 (check file access), Privileged Access Manager does not let users without read permission perform operations that get information about a file. Such attempts are recorded as "read" in the audit log. If you set this value to 0, any user without read access can get the file information.
    Default: 0
  • STOP_enabled
    Determines whether to use the STOP feature, which protects against stack overflow attacks.
    Valid values:
    0 - Off
    1 - On
    Default: 0
  • suid_cache_max
    Specifies the maximum number of entries in the setuid cache. The setuid cache is used for managing login applications that are not PAM-ready, such as sftp.
    0 - The cache is disabled
    Default: 128
    Note: Do not change this value unless directed by Broadcom staff. For assistance, contact Broadcom Support at https://www.broadcom.com/support.
  • synchronize_fork
    Determines how fork synchronization is managed.
    Valid values on HP-UX platforms:
    1 - Report forks from the parent
    2 - Report forks from the child
    Valid values on other platforms:
    1 - Parent reports without synchronization
    2 - Parent reports with synchronization (not supported on Linux)
    Limits: Any value lower than 1 is interpreted as 1. Any value greater than 1 is interpreted as 2.
    Default: 1
    Note: Do not modify this setting yourself because it may cause strange behaviors on different platforms. For assistance, contact Broadcom Support at https://www.broadcom.com/support.
  • syscall_monitor_enabled
    Specifies whether Privileged Access Manager monitors processes that are executing Privileged Access Manager code. If this is enabled (the default), you can use secons -sc or secons -scl to view these processes.
    Valid values:
    0 - Inactive
    1 - Active
    Default: 1
  • threshold_time
    Defines how long, in seconds, an intercepted system call can be blocked before it is considered risky. If a process is blocked for longer than this time, Privileged Access Manager reports that the SEOS_syscall module unload can fail.
    Note: This value affects the unload readiness reports that Privileged Access Manager provides. For more information, see the Enterprise Administration Guide.
    Default: 60
  • trace_enabled
    Determines whether to use the SEOS_syscall circular trace buffer.
    Valid values:
    0 - Do not use tracing
    1 - Use tracing
    Default: 0
  • use_tripAccept
    Determines whether to use the tripAccept utility when unloading SEOS_syscall to wake up blocked accept system calls. This avoids running SEOS_syscall code after the module is unloaded.
    Valid values are yes and no.
    Default: yes