SEOS_syscall
In the [SEOS_syscall] section, the SEOS_syscall kernel module uses the following tokens.
- bypass_NFS
  Determines whether to bypass NFS files from SEOS events.
  Valid values:
  - 0 - Do not bypass NFS files
  - 1 - Bypass NFS files
  Default: 0
- bypass_realpath
  Specifies whether to bypass the resolution of real file paths for authorization. If you enable this setting (1), Privileged Access Manager does not resolve file paths for authorization. This accelerates file event handling. However, generic rules are not enforced for file accesses that are made through links.
  Example: A deny access rule for /realpath/files/* is not considered if this setting is enabled and a user accesses a file in this directory through a link. Create a generic rule for the link too (/alternatepath/*).
  Default: 0 (disabled)
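The link scenario described above, as an added illustration that is not part of the original page or of the product's code: a toy Python rule check that matches a deny rule against the caller's path (bypass_realpath = 1) or against the resolved real path (bypass_realpath = 0). The directory layout, the fnmatch-style rule matching and the rule strings are constructed assumptions; the real rule grammar is not shown on the page.

```python
import fnmatch
import os
import shutil
import tempfile


def is_denied(path, deny_rules, bypass_realpath):
    """Return True if any generic deny rule matches the access.

    bypass_realpath = 0: resolve symlinks first, then match (the page's default).
    bypass_realpath = 1: match the caller-supplied path without resolving links.
    Matching is fnmatch-style here (assumption); the real grammar is not on the page.
    """
    candidate = path if bypass_realpath else os.path.realpath(path)
    return any(fnmatch.fnmatchcase(candidate, rule) for rule in deny_rules)


def demo():
    """Constructed tree mirroring the page's example, checked under both settings.

    <root>/realpath/files/secret.txt               the protected file
    <root>/alternatepath -> <root>/realpath/files   a symlink into the protected dir
    """
    root = os.path.realpath(tempfile.mkdtemp())  # the temp dir itself may be behind a link
    try:
        real_dir = os.path.join(root, "realpath", "files")
        os.makedirs(real_dir)
        target = os.path.join(real_dir, "secret.txt")
        with open(target, "w") as fh:
            fh.write("constructed sample content\n")
        link_dir = os.path.join(root, "alternatepath")
        os.symlink(real_dir, link_dir)

        deny_rules = [os.path.join(real_dir, "*")]   # the page's /realpath/files/* rule
        link_rule = [os.path.join(link_dir, "*")]    # the recommended /alternatepath/* rule
        via_link = os.path.join(link_dir, "secret.txt")

        return {
            "direct, resolved": is_denied(target, deny_rules, 0),
            "via link, resolved": is_denied(via_link, deny_rules, 0),
            "via link, bypass": is_denied(via_link, deny_rules, 1),
            "via link, bypass + link rule": is_denied(via_link, deny_rules + link_rule, 1),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, denied in demo().items():
        print(f"{case:30s} -> {'DENIED' if denied else 'allowed'}")
```

With bypass_realpath = 1 the access through the link is allowed until the second rule for the link path is added, which is the gap the token description warns about.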
- cache_enabled
  Determines whether to use caching for full path resolution when determining access permissions for files.
  Valid values:
  - 0 - No caching
  - 1 - Use caching
  Default: 0
- cache_rate
  Determines the cache rate that is used when the cache is enabled for full path resolution. Larger values mean better caching.
  Default: 10000
- cache_realpath
  Specifies whether to cache the resolved full path.
  Valid values:
  - 0 - No caching
  - 1 - Use caching
  Default: 0
- call_tripAccept_from_seload
  Determines whether to call tripAccept from the seload command after Privileged Access Manager starts. If tripAccept is called, this token defines a comma-separated list of TCP/IP ports that tripAccept connects to in order to wake up the listeners on those ports.
  Valid values:
  - 1 to 64000 - Any TCP/IP port number
  - 0 - Do not call tripAccept from seload
  Limits: 0-64000
  Default: 0
- cdserver_conn_res
  Determines whether to treat T_CONN_RES streams messages as high priority messages in the fiwput routine on UnixWare.
  Valid values:
  - 1 - Handle T_CONN_RES streams messages as high priority messages in the fiwput routine
  - 0 - Handle T_CONN_RES streams messages as low priority messages in the fiwput routine
  Default: 0 (1 on UnixWare)
- debug_protect
  Determines whether to allow debugging of any program while Privileged Access Manager is running.
  Valid values:
  - 0 - Debugging allowed
  - 1 - Debugging not allowed
  Default: 1
- DESCENDENT_dependent
  Determines whether only a descendant of a SEOS daemon can register a SEOS service.
  Valid values:
  - 0 - Anyone can register a SEOS service
  - 1 - Only a descendant can register a SEOS service
  Default: 0
- dtrace_coexistence
  Defines how Privileged Access Manager co-exists with dtrace. If dtrace is installed and set to monitor syscalls, it loads the systrace kernel module. This module interacts with Privileged Access Manager with undefined results and can cause a system panic or syscall interception problems.
  Default: 0 (dtrace is prevented from loading)
  Valid values:
  - 0 - Privileged Access Manager prevents dtrace from loading the systrace kernel module.
  - 1 - dtrace loads the systrace kernel module. In this case you must ensure that your system loads the modules and Privileged Access Manager in the following order:
    - Load and start Privileged Access Manager (seload)
    - Load systrace (modprobe systrace)
    - dtrace system calls
    - Unload systrace (rmmod systrace)
    - Stop Privileged Access Manager (secons -sk)
    - Unload Privileged Access Manager (SEOS_load -u)
  Loading systrace and Privileged Access Manager in a different order can result in a system panic or syscall interception problems.
- exec_read_enabled
  Specifies whether the Privileged Access Manager kernel identifies script execution.
  Valid values:
  - 0 - The Privileged Access Manager kernel does not identify script execution.
  - 1 - The Privileged Access Manager kernel identifies script execution.
  Default: 0
- file_bypass
  Indicates whether Privileged Access Manager checks file access for files that are not defined in the database. By default, Privileged Access Manager does not check files that are not defined in the database.
  Valid values:
  - -1 - Do not check all files
  - 0 - Check all files
  Default: -1
- file_rdevice_max
  Defines the maximum number of devices in the device protection table.
  Default: 0 - Privileged Access Manager does not protect system devices.
  Note: We recommend that you specify a minimum of 20 system devices.
- GAC_root
  Determines whether to use GAC caching for files when the user is root. By default, GAC is not used when the user is root.
  Valid values:
  - 0 - No caching for the root user
  - 1 - Use caching for root
  Default: 0
- HPUX11_SeOS_Syscall_number
  Determines the default syscall number used to communicate with SEOS_syscall on HP-UX. Valid values include any unused syscall entry number in sysent.
  Default: 254
- kill_signal_mask
  Defines which signals to protect. Valid values include a mask that ORs (includes) all the signals for which SEOS events are wanted.
  Default: SIGKILL, SIGSTOP, or SIGTERM events. The actual value varies by platform:
  - (HP-UX) 0x804100
  - (Sun Solaris) 0x404100
  - (IBM AIX and Digital DEC UNIX) 0x14100
  - (Linux) 0x44100
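Added worked example (Python, not from the page or the product) that decodes the four platform defaults above into signal names and rebuilds them. It assumes the encoding that fits all four documented values, bit (signal number - 1) set for each protected signal, and the standard signal numbers of each platform; both are assumptions, since the page gives only the hex values.

```python
# Constructed table of the standard numbers for the three default-protected signals.
# SIGKILL and SIGTERM are 9 and 15 on all of these platforms; SIGSTOP differs.
SIGNAL_NUMBERS = {
    "HP-UX":   {"SIGKILL": 9, "SIGTERM": 15, "SIGSTOP": 24},
    "Solaris": {"SIGKILL": 9, "SIGTERM": 15, "SIGSTOP": 23},
    "AIX":     {"SIGKILL": 9, "SIGTERM": 15, "SIGSTOP": 17},   # also Digital UNIX
    "Linux":   {"SIGKILL": 9, "SIGTERM": 15, "SIGSTOP": 19},
}

# The platform defaults quoted on the page for kill_signal_mask.
DOCUMENTED_DEFAULTS = {"HP-UX": 0x804100, "Solaris": 0x404100, "AIX": 0x14100, "Linux": 0x44100}


def mask_from_signals(platform, names):
    """Assumed encoding: set bit (signum - 1) for each signal to protect."""
    mask = 0
    for name in names:
        mask |= 1 << (SIGNAL_NUMBERS[platform][name] - 1)
    return mask


def signals_from_mask(platform, mask):
    """Decode a mask; bits with no table entry are reported as SIG<number>."""
    by_number = {num: name for name, num in SIGNAL_NUMBERS[platform].items()}
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(by_number.get(bit + 1, f"SIG{bit + 1}"))
        bit += 1
    return names


def check_documented_defaults():
    """Map each documented default back to names; all four decode to the same set."""
    return {p: signals_from_mask(p, m) for p, m in DOCUMENTED_DEFAULTS.items()}


if __name__ == "__main__":
    for platform, names in check_documented_defaults().items():
        print(f"{platform:8s} 0x{DOCUMENTED_DEFAULTS[platform]:06x} -> {', '.join(names)}")
```

Because the mask is keyed by the platform's own signal numbers, a value copied from one platform to another protects different signals, which is why the page lists a separate default for each.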
- LINUX_SeOS_Syscall_number
  Determines the default syscall number used to communicate with SEOS_syscall on Linux.
- max_generic_file_rules
  (Valid on AIX, HP, Linux, and Solaris only) Defines the maximum number of generic file rules allowed in the database.
  Note: A large number may cause strange behavior on different platforms. For assistance, contact CA Support at http://ca.com/support.
  Valid values include any number greater than 511.
  Default: 256
- max_regular_file_rules
  (Valid on AIX, HP, Linux, and Solaris only) Defines the maximum number of file rules allowed in the database.
  Note: A large number may cause strange behavior on different platforms. For assistance, contact CA Support at http://ca.com/support.
  Valid values include any number greater than 4095.
  Default: 4096
- mount_protect
  Determines whether to allow mounting and unmounting of directories used by Privileged Access Manager.
  Valid values:
  - 0 - Allow mounting
  - 1 - Do not allow mounting
  Default: 1
- proc_bypass
  Determines whether to check file access when a file belongs to the process file system (/proc).
  Valid values:
  - 0 - Token is ignored
  - 1 - Bypass file access checks
  Default: 1
- SEOS_network_intercept_type
  (Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11) Specifies the type of network interception to use. Configure SEOS_use_streams = yes. Do not modify the SEOS_network_intercept_type token yourself. For assistance, contact Broadcom Support at https://www.broadcom.com/support.
  Valid values:
  - 0 - TCP Hook
  - 1 - Streams
  - 2 - Network System Call
  Default: 2
- SEOS_request_timeout
  Specifies the time to keep a request in the authorization queue.
  Valid values:
  - 0 - Timeout is disabled
  - 2 to 1000 - The timeout interval in seconds
  Default: 0
  Note: If the timeout is set to less than 2 seconds or more than 1000 seconds, Privileged Access Manager reverts to the default value (0) and no timeout is applied.
- SEOS_streams_attach
  (Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11) Specifies whether Privileged Access Manager attaches the SEOS Streams to the open TCP streams during startup. If you change this setting, restart all daemons that already listen to the network so that Privileged Access Manager can protect them.
  Note: To use SEOS_streams_attach, configure SEOS Streams as the network interception method.
  Valid values are yes and no.
  Default: yes
- SEOS_unload_enabled
  Determines whether the SEOS_syscall kernel module can be unloaded.
  Valid values:
  - 0 - Do not allow the unload
  - 1 - Allow the unload
  Default: 1
- SEOS_use_ioctl
  Specifies the Privileged Access Manager kernel module communication method (ioctl or system call). You can use the ioctl communication method when all available system call numbers are in use by the operating system. Do not modify this token yourself. For assistance, contact Broadcom Support at https://www.broadcom.com/support.
  Valid values:
  - 0 - System call
  - 1 - ioctl
  Default: 0
- SEOS_use_streams
  (Valid on HP-UX 11.11, 11.23, 11.31, and Sun Solaris 8, 9, 10, 11) Specifies whether to use the streams subsystem for network interception.
  Valid values are yes and no.
  Default: no
- silent_admin
  Defines the user IDs of the maintenance users. The activity of these users is permitted when security is down and silent_deny is yes. To define a maintenance user, use the numeric UNIX UID of the user.
  Default: 0 (user ID of root)
- silent_deny
  Determines whether to deny any event when security is down.
  Valid values:
  - yes - Silent deny is enabled (maintenance mode)
  - no - Silent deny is disabled
  Default: no
- STAT_intercept
  Specifies whether to check file access when a STAT system call occurs.
  Valid values:
  - 0 - Do not check file access
  - 1 - Check file access
  If you specify 1 (check file access), Privileged Access Manager does not let users without read permissions perform operations that get information about a file. Such user attempts are recorded as "read" in the audit log. If you set this value to 0, any user without read access can get the file information.
  Default: 0
- STOP_enabled
  Determines whether to use the STOP feature, which protects against stack overflow attacks.
  Valid values:
  - 0 - Off
  - 1 - On
  Default: 0
- suid_cache_max
  Specifies the maximum number of entries in the setuid cache. The setuid cache is used for managing login applications that are not PAM-ready, such as sftp.
  - 0 - The cache is disabled.
  Default: 128
  Note: Do not change this value unless directed by Broadcom staff. For assistance, contact Broadcom Support at https://www.broadcom.com/support.
- synchronize_fork
  Determines how fork synchronization is managed.
  Valid values on HP-UX platforms:
  - 1 - Report forks from the parent
  - 2 - Report forks from the child
  Valid values on other platforms:
  - 1 - Parent reports without synchronization
  - 2 - Parent reports with synchronization (not supported on Linux)
  Limits: Any value lower than 1 is interpreted as 1. Any value greater than 1 is interpreted as 2.
  Default: 1
  Note: Do not modify this setting yourself because it may cause strange behavior on different platforms. For assistance, contact Broadcom Support at https://www.broadcom.com/support.
- syscall_monitor_enabled
  Specifies whether Privileged Access Manager monitors processes that are executing Privileged Access Manager code. If this is enabled (the default), you can use secons -sc or secons -scl to view these processes.
  Valid values:
  - 0 - Inactive
  - 1 - Active
  Default: 1
- threshold_time
  Defines how long, in seconds, an intercepted system call can be blocked before it is considered risky. If a process is blocked for longer than this time, Privileged Access Manager reports that the SEOS_syscall module unload can fail.
  Note: This value affects the unload readiness reports that Privileged Access Manager provides. For more information, see the Enterprise Administration Guide.
  Default: 60
- trace_enabled
  Determines whether to use the SEOS_syscall circular trace buffer.
  Valid values:
  - 0 - Do not use tracing
  - 1 - Use tracing
  Default: 0
- use_tripAccept
  Determines whether to use the tripAccept utility when unloading SEOS_syscall to wake up the blocked accept system calls. This avoids running SEOS_syscall code after the module is unloaded.
  Valid values are yes and no.
  Default: yes