seosd

In the [seosd] section, the tokens determine the behavior of the authorization daemon and the cache utility for performance improvement.
  • allow_exec_login
    Recognizes the exec login shell script command as a login event.
    Values: 0, 1
    Default: 0
  • autobypass_level
    Specifies the level of automatic program bypass.
    Values:
    • disabled: auto-bypass is disabled
    • info: save information in the run-time table
    • bypass: info + enable auto-bypass until the next restart
    Default: bypass
  • bypass_filenames
    Specifies a file that contains a list of file names to be exempted from seos events.
    For example: bypass_filenames = /opt/CA/PAMSC/bin/bypass_filenames
    Default: Token not set
  • bypass_nfs_port
    Specifies whether the port used by NFS (port 2049) is bypassed for CONNECT. The bypass exists to let NFS function correctly.
    If you change the value of this token to no, there is no bypass for this port. Make sure that you then provide the required Privileged Access Manager rules to replace this bypass. The following is an example of such rules (you cannot use them as is):
    nr hostnet all mask (0.0.0.0) match(0.0.0.0)
    nr TCP 2049 owner(nobody) defaccess(none)
    authorize TCP 2049 hostnet(all) access(w) uid(root)
    nr TCP nfsd owner(nobody) defaccess(none)
    authorize TCP nfsd hostnet(all) access(w) uid(root)
    If you set the value of this token to no but do not provide the correct Privileged Access Manager rules, NFS stops working.
    Default: yes
  • bypass_outgoing_TCPIP
    Defines a comma-separated list of ports for which seos_syscall does not pass outgoing connection events to seosd.
    Default: Token not set
  • bypass_suid_for_login
    Specifies the path of the login program for which the dummy SUID system calls should be ignored.
    This is used for login programs, such as Samba, that generate a large number of dummy SUID system calls. These system calls may interfere with the correct recognition of the user who is logging in.
    Default: none
  • bypass_suid_program
    Allows multiple su commands. On some platforms, the system's su binary works in a nonstandard way: when an su to a non-root user is requested, it executes su to root before executing su to the requested user.
    If Privileged Access Manager surrogate protection is set for the root user, it may also prevent the successful execution of an su to non-root users.
    To use surrogate protection for the root user on such platforms and still be able to su to non-root users without interruption, set the bypass_suid_program token to the real path of the system's su binary.
    Default: none
  • bypass_system_files
    Determines whether the Privileged Access Manager authorization engine should bypass read access for the /etc/passwd and /etc/group system files.
    Valid values are:
    yes - bypasses read access to system files.
    no - does not bypass read access to system files.
    Default: yes
  • bypass_TCPIP
    Allows you to add one or more ports, separated by commas, for which seos_syscall does not pass events to seosd.
    The syntax is bypass_TCPIP=port1[,port2,portx]
    Default: Token not set
  • bypass_whois
    Defines utilities that Privileged Access Manager bypasses.
    Values: Utilities in ACInstallDir/PAMSC/bin
    Default: none
  • bypass_xdm_ports
    Specifies whether the ports used by xdm (ports 6000-6010) are bypassed for CONNECT. The bypass exists to let xdm function correctly.
    If you change the value of this token to no, there is no bypass for these ports. Make sure that you then provide the required Privileged Access Manager rules to replace this bypass. The following is an example of such rules (you cannot use them as is):
    nr hostnet all mask (0.0.0.0) match(0.0.0.0)
    nr TCP X-Win owner(nobody) defaccess(none)
    authorize TCP X_Win hostnet(all) access(r)
    authorize TCP X_Win hostnet(all) access(w) uid(root)
    authorize TCP X_Win hostnet(all) access(w) gid(mygroup)
    nr TCP 6000 owner(nobody) defaccess(none)
    authorize TCP 6000 hostnet(all) access(r)
    authorize TCP 6000 hostnet(all) access(w) uid(root)
    authorize TCP 6000 hostnet(all) access(w) gid(mygroup)
    If you set the value of this token to no but do not provide the correct Privileged Access Manager rules, xdm stops working. If the value of this token is yes and an outgoing connection is made via ports 6000-6010, the class name in the corresponding audit record is TERMINAL.
    Default: yes
  • cron_program
    Improves the check for cron login in seosd.
    Set the cron_program token to the real path of the system's cron binary.
    Default: none
  • core_if_watchdog_signal
    Specifies whether to create a core file when the watchdog process sends a signal.
    Values: yes, no
    Default: no
  • dbdir
    Specifies the location of the Privileged Access Manager database.
    Default: ACInstallDir/seosdb
  • debug_backup_dir
    Specifies the location of the backup debug files.
    Default: Privileged Access Manager product log directory
  • debug_backup_num
    Defines the number of backup debug files to save.
    Values: A positive number
    Default: 2
  • debug_file
    Specifies the location of the seagent debug messages file.
    Default: ACInstallDir/log/seagent_debug
  • debug_level
    Defines the lowest level of debug messages to save. The level that you set and all levels above it are saved.
    Values: Disabled (no messages are saved), Critical, Very High, High, Normal, Low
    Default: Critical
  • debug_size
    Defines the maximum size, in MB, of the debug messages file.
    Values: A positive number
    Default: 256
  • debug_zone
    Defines which seosd submodules (zones) produce debug messages.
    Values: -1 (All zones), 1 (SKI), 2 (QP), 4 (RESOLV), 8 (SEOSD), 10 (AUXFALLBACK), 20 (AUTH)
    Default: -1
  • device_file
    Specifies whether to scan all devices in /dev.
    When the value of this token is set to yes and the tty is not found in the standard list, Privileged Access Manager scans all the devices located in /dev. (qplib resolves the tty name from the standard devices.)
    You can add devices to the list of tty names.
    Default: no
  • dns_server
    Specifies the DNS server name used to change host resolving from the default server to another server.
    This token is usually used when the DNS caching option is enabled.
    Default: none
  • domain_names
    Specifies a list of domain names that seosd appends to the short host names it receives for authorization purposes, in order to create a fully qualified name that can be authorized in the relevant HOST, CONNECT, or TERMINAL classes.
    To identify a full name, seosd tries to append domain names from the domain_names list to the short name for authorization purposes.
    seosd first looks for a relevant rule in its database using the short name only. If it does not find a record that matches the short name, it appends each domain name specified in the domain_names token, one by one, until it finds a match.
    For example, suppose you assign domain_names the following list:
    domain_names = market.com, journey.com, total.com
    Here is how seosd handles the matching process when a request comes in from a subscriber called acme, which was not defined as a rule in the database:
    acme (not found in database)
    acme.market.com (not found)
    acme.journey.com (not found)
    acme.total.com (found)
    seosd uses the first record that matches (acme.total.com in this example) for authorization purposes.
    Default: As defined in /etc/resolv.conf
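The lookup order described for domain_names, as an added example that is not part of the product documentation: the domain list is the one from the example above, the record names are a constructed sample, and the functions are hypothetical helpers rather than anything seosd exposes.

```python
# Added example (not part of the product documentation): a simulation of the
# seosd domain_names lookup order. Record names and the domain list are
# constructed sample data; nothing here reads a real seosd database.


def parse_domain_names(token_value):
    """Split the comma-separated value of the domain_names token into a list."""
    return [d.strip() for d in token_value.split(",") if d.strip()]


def candidate_names(short_name, domain_names):
    """Names seosd tries, in order: the short name first, then each domain appended."""
    yield short_name
    for domain in domain_names:
        yield f"{short_name}.{domain}"


def resolve_host_record(short_name, domain_names, records):
    """Return (matched_name, trace).

    trace lists every candidate tried as (name, found). The search stops at the
    first existing record, which is the record seosd uses for authorization.
    """
    trace = []
    for name in candidate_names(short_name, domain_names):
        found = name in records
        trace.append((name, found))
        if found:
            return name, trace
    return None, trace


# Constructed sample: the domain list from the documentation example and a
# hypothetical set of record names (only acme.total.com is defined for acme).
DOMAIN_NAMES = parse_domain_names("market.com, journey.com, total.com")
HOST_RECORDS = {"acme.total.com", "builder.market.com"}

if __name__ == "__main__":
    matched, trace = resolve_host_record("acme", DOMAIN_NAMES, HOST_RECORDS)
    for name, found in trace:
        print(f"{name} ({'found' if found else 'not found'})")
    print("seosd uses:", matched)
```

Because the first match wins, the position of each domain in the list decides which rule applies: if a record acme.market.com also existed, it would be chosen before acme.total.com, so keep the list ordered from the most to the least trusted domain.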
  • EnablePolicyCache
    Determines whether a run-time table should be used to store the database values required for authorization. The run-time table is loaded into memory when seosd starts. This avoids connecting to the database and thus reduces the authorization time.
    Valid values are yes and no.
    Default: no
  • FileCache_auths
    If caching is enabled, specifies the number of records in the authorization pool. The maximum number of authorization records that can be cached is 800.
    Default: 80
  • FileCache_CleanInt
    Specifies how often to erase the file cache (in minutes).
    Default: 60
  • FileCache_files
    If caching is enabled, specifies the number of records in the file pool. The maximum number of file records that can be cached is 200.
    Default: 20
  • FileCache_InitPrio
    Specifies the initial priority value of new records in the cache table.
    Default: 10
  • FileCache_PriorInt
    If caching is enabled, specifies how often priorities in the cache table are recalculated. Each time a new record is saved counts as one.
    Default: 1
  • FileCache_users
    If caching is enabled, specifies the number of records in the user pool. The maximum number of user records that can be cached is 500.
    Default: 50
  • ftp_data_port
    Specifies the port number that the ftp service uses to transfer data.
    Note: Verify that the ftp_data_port number is identical in both the seos.ini and /etc/services files.
    Default: 20
  • ftp_port
    Specifies the port number that the ftp service uses to communicate.
    Note: Verify that the ftp_port number is identical in both the seos.ini and /etc/services files.
    Default: 21
  • get_login_terminal
    Determines whether seosd attempts to find the peer address of the login program in an alternative way. This is useful for connections such as ssh.
    Valid values include yes and no.
    Default: yes
  • grace_admin
    Determines the number of grace logins that are set when an administrator changes users' passwords.
    Default: Token not set (1)
  • GroupidResolution
    Determines how Privileged Access Manager resolves GID numbers to group names.
    Valid values include the following:
    system - Privileged Access Manager uses a system call to translate GID numbers. This value can be used for stand-alone, DNS client, and DNS server stations. (See also the resolve_timeout token in this table.)
    cache - GID numbers and group names are cached in seosd. This is the fastest and easiest way to do translations, but the cache cannot be updated during runtime.
    ladb - Privileged Access Manager uses a lookaside database to translate GID numbers. The sebuildla utility must be run to recreate the lookaside database each time the relevant transaction table is updated.
    For NIS and NIS+ servers, you can use either cache or ladb.
    For Sun Solaris 2.5 and above and HP-UX 11.x, you can use either cache or ladb.
    For all stations, the value ladb is preferred.
    Default: Token not set (system)
  • HostResolution
    Determines how Privileged Access Manager resolves IP addresses to host names.
    Valid values include the following:
    system - Privileged Access Manager uses a system call to translate IP addresses. This value can be used for stand-alone, NIS/NIS+ client, and DNS client stations. (See also the resolve_timeout token in this table.)
    cache - Host names and their IP addresses are cached in seosd. This is the fastest and easiest way to do translations, but the cache cannot be updated during runtime.
    ladb - Privileged Access Manager uses a lookaside database to translate IP addresses. The sebuildla utility must be run to recreate the lookaside database each time the relevant transaction table is updated.
    For NIS, NIS+, and DNS servers, you can use either cache or ladb; the value ladb is preferred.
    Default: Token not set (system)
  • IsolatedDaemon
    Determines whether seosd closes the stdin, stdout, and stderr file descriptors when it becomes a daemon.
    Valid values include the following:
    yes - seosd closes these file descriptors when it becomes a daemon.
    no - seosd does not close these file descriptors when it becomes a daemon.
    Default: no
  • kill_ignore
    Specifies whether seosd ignores (denies) a kill -9 command directed at any one of the three main Privileged Access Manager daemons.
    Valid values include the following:
    yes - Ignores the kill command. This is the default value.
    no - The kill command terminates seosd.
    Default: yes
  • login_parent_check
    Specifies whether the parent process should continue with the login sequence once a child process has logged in, or abandon the sequence and inherit the login from the child.
    Valid values are 0 and 1.
    If it is 0, the parent continues with the login sequence.
    If it is 1, the parent abandons the login sequence and inherits the login from the child.
    Default: Token not set (0)
  • lookaside_allowdupuid
    Determines whether sebuildla registers duplicate UIDs.
    Valid values:
    yes - register duplicate UIDs
    no - in case of duplicate UIDs, register only one UID
    Duplicate UIDs may cause inconsistency on UNIX operating systems.
    Default: no
  • lookaside_path
    Specifies the directory where the lookaside database is located. Create this directory before running the sebuildla utility.
    Note: The lookaside database files are built and updated using the sebuildla utility.
    Default: ACInstallDir/ladb
  • max_loggedin_users
    Defines the maximum number of logged-in users.
    Note: This value determines the size of one of the internal memory tables. The larger the table, the more memory it consumes.
    Limits: 4096-20480
    Default: 8192
  • MultiLoginPgm
    Defines the name and full path of a program that performs multiple logins. It is used to detect the correct login sequence for these special login applications.
    MultiLoginPgm is the login application name with the full path.
    Default: none
  • network_cache_timeout
    Specifies the time interval, in minutes, between network cache-table cleanings, if the network cache is used. Use this token to set time limits for the stored accepted incoming TCP requests.
    For more information about using the network cache, see the Endpoint Administration Guide for UNIX.
    Default: 10
  • nfs_devices
    Specifies the name and path of the file that contains the NFS major device numbers. Specify the full file path.
    Privileged Access Manager uses this file if it fails to identify the program by device and inode number and also fails to identify it by name. The file contains the NFS defaults for major device numbers for every platform. These may vary from system to system. To find the numbers for your system, use a small program with the UNIX getmajor() function. Then edit the nfsdevs.init file (or the file you named with this token) to contain the numbers you find.
    Whenever you mount and remount the NFS file system, update your nfsdevs.init file. You can also use only the first four digits of the device number; these remain unchanged even when you unmount and remount the file system.
    Default: ACInstallDir/etc/nfsdevs.init
  • protect_bin
    Specifies whether seosd protects the Privileged Access Manager binary files. Specify one of the following values:
    yes - seosd protects the Privileged Access Manager binary files unless rules that allow such access are defined.
    Do not specify yes when the _default access for your FILE records is none because, unless all /opt/CA/PAMSC/bin files have FILE records, inaccessibility of files could make Privileged Access Manager unusable.
    no - seosd does not protect the Privileged Access Manager binary files.
    Default: no
  • resolve_rebind
    Specifies whether seosd re-establishes the connection to the NIS server after a time-out failure.
    We strongly recommend that you do not change the default value.
    Default: yes
  • resolve_timeout
    Specifies the maximum number of seconds seosd tries to resolve an IP address to a host name, a user ID to a user name, a group ID to a group name, or a service port number to a service name.
    The value takes effect in two cases:
    • When seosd is using system resolution. (See the HostResolution, ServiceResolution, UseridResolution, and GroupidResolution tokens.)
    • When the under_NIS_server token is set to no.
    If the specified time expires without a resolution, seosd assumes that no resolution exists for the specified IP address, ID, or port.
    If the value is set to 0, there is no time-out.
    Default: 5
  • rt_priority
    Determines whether seosd has real-time priority.
    Valid values are yes and no.
    When this token is set to yes, seosd has real-time priority.
    Default: yes
  • ServiceResolution
    Determines how Privileged Access Manager translates TCP port numbers to service names.
    Valid values include the following:
    system - Privileged Access Manager uses a system call to translate TCP port numbers. This value can be used for stand-alone, NIS/NIS+ client, DNS client, and DNS server stations. (See also the resolve_timeout token in this table.)
    cache - Service names and their TCP port numbers are cached in seosd. This is the fastest and easiest way to do translations, but the cache cannot be updated during runtime.
    ladb - Privileged Access Manager uses a lookaside database to translate TCP port numbers. The sebuildla utility must be run to recreate the lookaside database each time the relevant transaction table is updated.
    For NIS and NIS+ servers, use either cache or ladb.
    Default: system
  • sim_login_timeout
    Defines the timeout (in minutes) before Privileged Access Manager removes unused simulated login user entries from the Accessor Element Entry table (ACEE).
    Privileged Access Manager performs a simulated login to create ACEE entries when it needs access to information that can be found in the ACEE.
    Default: 60
  • special_check
    Specifies whether to enable file path checking on kernel module loading. When enabled, Privileged Access Manager checks that the kernel module to be loaded matches the filepath property of the KMODULE record (for non-Linux systems), or matches the signature of the KMODULE record (for Linux systems).
    Default: no
  • terminal_default_ignore
    Determines whether the defaccess value of the _default TERMINAL record and of the specific TERMINAL records is considered when authorizing administrative access.
    Valid values are yes and no.
    yes - Administrative access ignores the defaccess value of the _default and of any specific TERMINAL records. In this case, administrative access requires an explicit authorization rule for a relevant specific TERMINAL record.
    no - Administrative access considers the defaccess value of all relevant TERMINAL records, whether _default or specific.
    Default: yes
  • terminal_search_order
    Specifies whether seosd tries to check a TERMINAL defined by name before trying it by its IP address.
    Valid values are:
    name - TERMINALs are checked by name before IP address.
    ip - TERMINALs are checked by IP address before name.
    The TERMINAL class supports generic rules defined by wildcards (IP address or host name pattern match). Generic rules are always checked after specific (full-name) rules. For example, if you set this token to ip, seosd looks for a TERMINAL resource in the following order: complete IP address match, complete host name match, IP address pattern match, host name pattern match.
    Default: name
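A model of the TERMINAL lookup order that terminal_search_order controls, as an added example that is not part of the product documentation. The records are a constructed sample and the helper functions are hypothetical. The order for ip is the one documented above; for name the example assumes the mirror image (exact name, exact IP, name pattern, IP pattern), which the text does not spell out, and the tie-break among several overlapping generic rules is also an assumption of the model.

```python
# Added example (not part of the product documentation): which TERMINAL record
# seosd would pick under each terminal_search_order value. Records are constructed.
import fnmatch

IP_CHARS = set("0123456789.*?")


def is_generic(key):
    """A TERMINAL record whose name contains a wildcard is a generic rule."""
    return "*" in key or "?" in key


def is_ip_key(key):
    """Assumption: a key made only of digits, dots and wildcards is an IP-address form."""
    return bool(key) and set(key) <= IP_CHARS


def search_tiers(ip, host, search_order):
    """The four tiers seosd walks, most specific first."""
    ip_exact, name_exact = ("ip-exact", ip, False), ("name-exact", host, False)
    ip_pat, name_pat = ("ip-pattern", ip, True), ("name-pattern", host, True)
    if search_order == "ip":
        return [ip_exact, name_exact, ip_pat, name_pat]  # documented order
    if search_order == "name":
        return [name_exact, ip_exact, name_pat, ip_pat]  # assumed mirror of the ip order
    raise ValueError(f"unknown terminal_search_order value: {search_order!r}")


def lookup_terminal(ip, host, records, search_order="name"):
    """Return (record_key, tier) of the first TERMINAL record that applies, or (None, None)."""
    for tier, subject, generic in search_tiers(ip, host, search_order):
        if not generic:
            if subject in records and not is_generic(subject):
                return subject, tier
            continue
        want_ip = tier.startswith("ip")
        # Several generic rules may match; sorted() only makes this model deterministic.
        # The product's own tie-break among overlapping patterns is not documented here.
        for key in sorted(records):
            if is_generic(key) and is_ip_key(key) == want_ip and fnmatch.fnmatchcase(subject, key):
                return key, tier
    return None, None


# Constructed sample TERMINAL records: key -> defaccess (values are illustrative only).
TERMINAL_RECORDS = {
    "10.0.0.5": "none",
    "bastion.example.com": "read",
    "10.0.0.*": "read",
    "*.example.com": "none",
}

if __name__ == "__main__":
    for order in ("name", "ip"):
        print(order, lookup_terminal("10.0.0.9", "db1.example.com", TERMINAL_RECORDS, order))
```

The sample shows why the token matters when both an IP pattern and a host-name pattern cover the same terminal: for 10.0.0.9 / db1.example.com, ip selects the 10.0.0.* record while name selects *.example.com, and the two records can carry different defaccess values. A specific record (complete IP or full host name) still wins over any generic rule under either setting.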
  • trace_backup
    Specifies whether to back up the trace messages file when it reaches the configured file size limit.
    Values: yes, no
    When set to yes, the trace_backup token saves a backup of the trace file and creates a new trace file.
    Default: yes
  • trace_file_backup
    Specifies the location of the trace messages backup file.
    Default: ACInstallDir/log/seosd.trace.bak
  • trace_file
    Specifies the name of the file to which the trace messages are sent, if trace messages are requested.
    Default: ACInstallDir/log/seosd.trace
  • trace_file_size
    Defines the maximum size of the trace messages file.
    Default: 512 MB
  • trace_file_type
    Determines whether the trace file is written in binary or text format.
    Valid values include the following:
    binary - The trace file is written in binary format. This option reduces the space occupied by the file.
    text - The trace file is written in text format.
    The seosd daemon checks the value of this token and compares it to the contents of the trace file. If the token value does not match the format of the trace file, seosd saves the trace file under its name with the extension .backup added.
    Default: text
  • trace_filter
    Specifies the name and path of the file that contains the filter data used to filter the trace messages.
    Default: ACInstallDir/data/language/etc/trcfilter.init
  • trace_space_saver
    Specifies the amount of free space, in MB, to be left in the file system. When the amount of free space is less than this number, Privileged Access Manager disables the trace.
    Trace is never automatically re-enabled, even if more space becomes available later.
    Default: 512
  • trace_to
    Specifies the destination of trace messages.
    Valid values include the following:
    file - Privileged Access Manager sends the trace messages to the file specified by the trace_file token. To disable tracing, use the secons -t- command. For more information, see the trace_file token in this table.
    file,stop - Privileged Access Manager generates trace messages during daemon initialization. Once the daemon is initialized, trace message generation stops.
    none - Privileged Access Manager does not issue trace messages. This is the normal setting after you install and implement Privileged Access Manager.
    If the token is set to file or file,stop, the Privileged Access Manager trace can be toggled with the secons command with the -t option.
    Default: file, stop
  • update_dev_trusted_pgm
    Specifies whether seosd updates the trusted program device number when the trusted program starts.
    Values: yes, no
    Default: yes
  • UpdSurrogLogin
    Specifies whether Privileged Access Manager updates the user's last access time on a surrogate login.
    Valid values are:
    1 - Privileged Access Manager updates the user's last access time on a surrogate login.
    0 - Privileged Access Manager does not update the user's last access time on a surrogate login.
  • Undef_ForPacl
    Determines whether seosd checks an undefined user when there is an asterisk (*) in the accessor's name in a PACL.
    Valid values include the following:
    1 - seosd does not include undefined users with an asterisk in their PACL.
    0 - seosd includes undefined users with an asterisk in their PACL.
    Default: 0
  • under_NIS_server
    Determines whether seosd uses internal name resolution instead of system name resolution.
    Valid values include the following:
    yes - seosd stores in memory or in a lookaside database (see the use_lookaside token) all user, group, host, and port information during startup.
    This is required for NIS, NIS+, and DNS server machines, and for the following operating systems: Sun Solaris 2.5 and above, HP-UX 11.x, IBM AIX 4.3.x, and IRIX 6.5.
    Turning this token off could hang the machine if it is an NIS server or runs one of the previously mentioned operating systems.
    no - seosd uses system name resolution, and the resolve_timeout token takes effect.
    This token is automatically assigned a value during installation.
    This token remains for backward compatibility only. If you have a new Privileged Access Manager installation or an installation of version 2 or higher, use the HostResolution, ServiceResolution, UseridResolution, and GroupidResolution tokens instead.
    Default: Assigned during installation
  • use_lookaside
    Determines whether seosd stores the user, group, host, and port information in a lookaside database or in memory.
    This token is used in conjunction with the under_NIS_server token and has no relevance unless the under_NIS_server token is set to yes.
    Valid values include the following:
    yes - seosd uses the lookaside database for user, group, host, and service details. The lookaside database is built by the sebuildla utility and can be refreshed by it at any time. The location of the lookaside database is set by the lookaside_path token.
    no - seosd caches all user, group, host, and service information during startup so that all translations can be done in memory. We recommend that seosd be restarted daily to refresh the cache.
    This token remains for backward compatibility only. If you have a new Privileged Access Manager installation or an installation of version 2 or higher, use the HostResolution, ServiceResolution, UseridResolution, and GroupidResolution tokens instead.
    Default: no
  • use_mapped_user_name
    (Valid if both Privileged Access Manager and UNAB are installed) Specifies whether seosd uses the user's enterprise name in audit records.
    Values: yes, no
    Default: no
  • use_nfs_devices
    Determines whether to use NFS devices. Valid values are yes and no.
    Default: yes
  • use_standard_functions
    Determines whether sebuildla in an NIS environment retrieves users by calling the standard system function getpwent or by parsing the output of the ypcat passwd and cat /etc/passwd commands.
    Valid values are:
    yes - use the standard system function getpwent
    no - parse the output of the ypcat passwd and cat /etc/passwd commands
    Default: yes
  • use_trusted_script
    Specifies whether seosd uses the trusted script mechanism.
    When the trusted script mechanism is used, programs called from within a shell script retain the name of the shell script in the internal Privileged Access Manager tables.
    This means that if a script is used in a PACL, these programs inherit that privilege. It also means that you cannot protect these programs via Privileged Access Manager.
    A trusted script begins with #! on the first line.
    When the trusted script mechanism is not used, these programs are registered in the internal Privileged Access Manager tables under their own names.
    Default: yes
  • use_unab_db
    (Valid if both Privileged Access Manager and UNAB are installed) Specifies whether seosd uses the UNAB database to resolve user and group names if the current method is unable to do so. This token works together with the use_lookaside, UseridResolution, and GroupidResolution tokens.
    Values: yes, no
    Default: no
  • UseFileCache
    Specifies whether to use the cache tool for file records to improve performance.
    Default: yes
  • UseNetworkCache
    Determines whether Privileged Access Manager caches accepted incoming TCP requests.
    For more information about using the network cache, see the Endpoint Administration Guide for UNIX.
    Valid values are yes and no.
    Default: no
  • UseridResolution
    Specifies how Privileged Access Manager translates UID numbers to user names.
    Valid values include the following:
    system - Privileged Access Manager uses a system call to translate UID numbers. This value can be used for stand-alone, NIS/NIS+ client, DNS client, and DNS server stations.
    cache - User names and their UID numbers are cached in seosd. This is the fastest and easiest way to do translations, but the cache cannot be updated during runtime.
    ladb - Privileged Access Manager uses a lookaside database to translate UID numbers. The sebuildla utility must be run to recreate the lookaside database each time the relevant transaction table is updated.
    For NIS and NIS+ servers, and for Sun Solaris 2.5 and above or HP-UX 11.x operating systems, you must use either cache or ladb.
    Default: system
  • watchdog_refresh
    Determines whether seosd refreshes the Watchdog to scan the privileged programs and secured files for each file handle.
    Valid values include the following:
    yes - seosd refreshes the Watchdog.
    no - seosd does not refresh the Watchdog.
    Default: no
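A read-only audit of a [seosd] section against the bypass, protection and limit tokens described in this reference, as an added example that is not part of the product documentation. The seos.ini fragment is constructed, the audit function and its finding format are hypothetical, and every finding only restates a documented default, limit or consequence (bypass_TCPIP syntax, the NFS and xdm bypasses, kill_ignore, protect_bin, trace_to, max_loggedin_users).

```python
# Added example (not part of the product documentation): a read-only check of a
# [seosd] section against the defaults and limits listed in this reference.
# SAMPLE_SEOS_INI is constructed; the findings only restate documented behaviour.
import configparser

# Documented defaults for the tokens this audit inspects.
DEFAULTS = {
    "bypass_nfs_port": "yes",
    "bypass_xdm_ports": "yes",
    "kill_ignore": "yes",
    "protect_bin": "no",
    "trace_to": "file, stop",
    "max_loggedin_users": "8192",
}
MAX_USERS_LIMITS = (4096, 20480)  # documented limits for max_loggedin_users


def parse_port_list(value):
    """Split a bypass_TCPIP-style comma list into (valid_ports, invalid_items)."""
    valid, invalid = [], []
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        if item.isdigit() and 1 <= int(item) <= 65535:
            valid.append(int(item))
        else:
            invalid.append(item)
    return valid, invalid


def audit_seosd(ini_text):
    """Return a list of (severity, token, message) findings for the [seosd] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("seosd"):
        return [("ERROR", "seosd", "no [seosd] section found")]
    sec = cp["seosd"]  # configparser matches option names case-insensitively

    def val(token):
        return sec.get(token, DEFAULTS.get(token, "")).strip().lower()

    findings = []

    # Ports listed here never reach seosd, so no CONNECT rule can apply to them.
    for token in ("bypass_TCPIP", "bypass_outgoing_TCPIP"):
        if token in sec:
            ports, bad = parse_port_list(sec[token])
            if bad:
                findings.append(("ERROR", token, f"invalid port entries: {bad}"))
            if ports:
                findings.append(("WARN", token, f"seos_syscall passes no events for ports {ports} to seosd"))

    # Disabling a built-in bypass is only safe with the replacement rules in place.
    for token, service in (("bypass_nfs_port", "NFS"), ("bypass_xdm_ports", "xdm")):
        if val(token) == "no":
            findings.append(("INFO", token, f"bypass disabled: replacement CONNECT rules required or {service} stops working"))

    if val("kill_ignore") == "no":
        findings.append(("WARN", "kill_ignore", "kill -9 terminates seosd instead of being denied"))
    if val("protect_bin") == "yes":
        findings.append(("INFO", "protect_bin", "every /opt/CA/PAMSC/bin file needs a FILE record if _default FILE access is none"))
    if val("trace_to").replace(" ", "") == "none":
        findings.append(("INFO", "trace_to", "seosd issues no trace messages"))

    raw = val("max_loggedin_users")
    lo, hi = MAX_USERS_LIMITS
    if not (raw.isdigit() and lo <= int(raw) <= hi):
        findings.append(("ERROR", "max_loggedin_users", f"{raw!r} is outside the documented limits {lo}-{hi}"))
    return findings


# Constructed seos.ini fragment with several deliberately questionable settings.
SAMPLE_SEOS_INI = """
[seosd]
bypass_TCPIP = 8080, 70000, abc
bypass_outgoing_TCPIP = 443
bypass_nfs_port = no
kill_ignore = no
protect_bin = yes
max_loggedin_users = 2048
trace_to = none
"""

if __name__ == "__main__":
    for severity, token, message in audit_seosd(SAMPLE_SEOS_INI):
        print(f"{severity:5} {token}: {message}")
```

Tokens absent from the file are evaluated at their documented default, so a file containing only [seosd] produces no findings; the audit cannot tell whether the replacement rules for a disabled NFS or xdm bypass actually exist in the database, which is why those findings are informational rather than errors.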