HP Sentry User Manual

SENTRY
The Integrated Security System
Release 4
User Guide
Fitzgerald & Long
12341 E. Cornell Avenue, #18
Aurora, Colorado 80014-3323 USA
Phone: (303) 755-1102
FAX: (303) 755-1703
NOTICE
The information contained in this guide is subject to change without notice.
Fitzgerald & Long, Inc. shall not be liable for technical or editorial omissions made herein; nor for incidental or consequential damages resulting from the furnishing, performance, or use of this material.
This guide contains information protected by copyright. No part of this guide may be photocopied or reproduced in any form without prior written consent from Fitzgerald & Long, Inc.
Copyright 2000 by
Fitzgerald & Long, Inc.
12341 E. Cornell Avenue, #18
Aurora, Colorado 80014-3323
(303) 755-1102
All rights are reserved.
The software described in this document is furnished under a license agreement. The software may be used or copied only in accordance with the terms of the agreement. The software and this documentation are entirely the property of Fitzgerald & Long, Inc. It is against the law to copy the software onto tape, disk, diskette, or any other medium for any purpose other than for back-up or archival purposes.
UNIX is a registered trademark of Unix System Laboratories. uniVerse, PI/open, and UniData are registered trademarks of Informix Software, Inc.
Table Of Contents
USING THIS GUIDE---------------------------------------------------------------------------------------- Intro - 1
USING THE SCREENS ------------------------------------------------------------------------------------ Intro - 3
INSTALLING SENTRY------------------------------------------------------------------------------------ Intro - 5
GETTING STARTED--------------------------------------------------------------------------------------- Intro - 8
INTRODUCING THE MAIN MENU ------------------------------------------------------------------Intro - 12
1. INTRODUCING THE DATABASE CREATION AND VALIDATION MENU----------- 1 - 1
1.0 DATABASE CREATION AND VALIDATION MENU------------------------------------------- 1 - 2
1.1 UPLOAD USER AND GROUP PROFILES FROM UNIX----------------------------------------- 1 - 4
1.2 CREATE DATABASE FROM FILE SYSTEM ------------------------------------------------------ 1 - 6
1.3 VALIDATE THE USER PROFILE DATABASE ---------------------------------------------------- 1 - 7
2. INTRODUCING THE DATABASE MAINTENANCE MENU-------------------------------- 2 - 1
2.0 DATABASE MAINTENANCE -------------------------------------------------------------------------- 2 - 2
2.1 SYSTEM PROFILE MAINTENANCE ---------------------------------------------------------------- 2 - 4
2.2 USER MAINTENANCE---------------------------------------------------------------------------------2 - 10
2.3 GROUP MAINTENANCE-------------------------------------------------------------------------------2 - 18
2.4 FILE SYSTEM---------------------------------------------------------------------------------------------2 - 23
ACLs Maintenance-------------------------------------------------------------------------------------------2 - 28
More File Manager Views ----------------------------------------------------------------------------------2 - 31
2.5 COMMAND MAINTENANCE-------------------------------------------------------------------------2 - 34
2.6 USER ITEM PROTECTION MAINTENANCE -----------------------------------------------------2 - 38
3. INTRODUCING THE REPORTS MENU -------------------------------------------------------------- 3 - 1
3.0 REPORTS MENU------------------------------------------------------------------------------------------ 3 - 2
3.1 SYSTEM PROFILE REPORT--------------------------------------------------------------------------- 3 - 4
3.2 USER PROFILES ------------------------------------------------------------------------------------------ 3 - 9
3.3 GROUPS REPORT ---------------------------------------------------------------------------------------3 - 11
3.4 ACCOUNT PROTECTION REPORT-----------------------------------------------------------------3 - 13
3.5 COMMAND PROTECTION REPORT---------------------------------------------------------------3 - 15
3.6 ACCESS VIOLATIONS REPORT---------------------------------------------------------------------3 - 17
4. INTRODUCING THE UTILITIES MENU------------------------------------------------------------- 4 - 1
4.0 UTILITIES MENU----------------------------------------------------------------------------------------- 4 - 2
4.1 VOC PROTECTION SETUP ---------------------------------------------------------------------------- 4 - 4
4.2 PURGING THE VIOLATIONS LOG ------------------------------------------------------------------- 4 - 5
4.3 PASSWORD CREATION-------------------------------------------------------------------------------- 4 - 7
4.4 REBUILD CROSS REFERENCE FILES-------------------------------------------------------------4 - 10
4.5 UPDATE PROTECTED COMMANDS---------------------------------------------------------------4 - 11
APPENDIX 1 ---------------------------------------------------------------------------------------------Appendix - 1
SENTRY INTERNAL SUBROUTINES----------------------------------------------------------- Appendix - 1
Subroutine: SENTRY.ENCRYPT------------------------------------------------------------------ Appendix - 1
DATA ENCRYPTION------------------------------------------------------------------------------- Appendix - 2
Subroutine: SENTRY.USER.ITEM.CONTROL------------------------------------------------- Appendix - 3
Subroutine: SENTRY.VIOLATION.STAMP----------------------------------------------------- Appendix - 6
APPENDIX 2 ------------------------------------------------------------------------------------------ Appendix 2 - 1
SENTRY KEY BINDINGS ------------------------------------------------------------------------Appendix 2 - 1
SENTRY User’s Guide Introduction - 1
USING THIS GUIDE
The SENTRY User's Guide is comprehensive in its descriptions of all of SENTRY's menus, data entry screens and reports. The Guide follows the same structure as the SENTRY menu system.
There are four major sections in SENTRY. These are:
1. Database Creation and Validation
2. Database Maintenance
3. Reports
4. Utilities
Additionally, there is an introductory section and a number of appendices. The introduction includes an overview of the User’s Guide, a description of conventions used throughout the SENTRY screens, installation instructions and suggestions on getting started.
Note that each menu selection has a number to its left indicating the selection number from the Main Menu. For example, the Database Maintenance Menu is preceded by the number "2", indicating that it is the second selection from the Main Menu. The User Maintenance program documentation has the section number 2.2 in its title. This references the second program, User Maintenance, in the second section, Database Maintenance.
The Guide uses several notation conventions for the sake of easy reading and conciseness. These include:
<RETURN> This figure indicates that the return key, sometimes called NEW LINE or ENTER, should be pressed. This is one key stroke.
<ESC> This figure is used to indicate the escape key. Most keyboards have a key labeled "ESC". The use of the escape key is ALWAYS followed by <RETURN>. SENTRY uses this key to allow an abort or escape from any program. All data remains as it was prior to the aborted session. Please note that this function may be assigned to another key if desired. See Appendix 2 for details on creating new key bindings.
" " (quotes) The SENTRY User's Guide frequently uses double quotation marks to set off the characters you should enter. NEVER type the quotes!
TCL Terminal Control Language. SENTRY will function equally well on any of the UNIX-based database environments, including uniVerse, UniData and PI/open. Since each environment uses its own naming conventions we have used the generic term “TCL” to indicate the command prompt for whichever environment you are using. For UniData and PI/open the command prompt is indicated by a colon “:” while for uniVerse the prompt is a greater-than sign “>”.
Fitzgerald & Long
USING THE SCREENS
SENTRY data entry screens feature some very helpful functions. These include "repaint", "backup", "escape" (exit without update), “execute” and "help". The following paragraphs describe each function.
Repaint ^^ <RETURN> Enter a caret twice, followed by <RETURN>. The caret key is generally located on the same key as the "6" (SHIFT 6). This is a total of three key strokes. The screen will be repainted and the cursor will be repositioned to its original position. This is very convenient when a system message causes a data entry screen to scroll.
Backup ^ <RETURN> Press the caret key followed by return (2 key strokes). This will cause the cursor to back up one prompt in the data entry screen.
Escape <ESC> <RETURN> Press the escape key followed by the return key (2 key strokes). This feature allows you to exit any data entry program at any prompt. No data will be changed. Use this key to exit data entry screens when you have made changes and wish to cancel your changes. To save changes you must enter "F" to file those changes.
XEQ You may use TCL (Terminal Control Language) commands at any input prompt. Enter "XEQ" followed by your command. For example:
XEQ LIST SENTRY.USERS WITH < DEPARTMENT = “MIS” USER.NAME
HELP Enter the word HELP at any input prompt in SENTRY. A HELP screen will be displayed containing a brief explanation of the expected input and syntax where appropriate. Press <RETURN> to exit the HELP screen.
Please note that these functions may be assigned to alternate keys if desired. See Appendix 2 for details regarding creation of new key bindings.
Data Entry Conventions
Underscore/underline When awaiting data, the cursor is positioned at the beginning of the field. The field is delineated by underscores. A sentence describing the field is displayed at the bottom of the screen. No data appearing on the underscore is an indication that the field in the database is currently null.
Field numbers Each data entry screen and menu uses sequential numbers which appear at the left of the field descriptions. To address a particular field, enter the number associated with that field.
Change a field Having addressed the desired field via the field number, an underscore will appear to the right of the current data and the cursor will be positioned on the leftmost character of the data field. Type over the existing data to change it. DO NOT space over existing data to delete characters which your new entry does not cover. Simply <RETURN> when you have entered the new data. The field will be repainted to display your entry.
Deleting a field When you wish to delete the data in a field and make the field null, address the field using the appropriate line number, then enter a space followed by <RETURN>. A blank (null) field will be displayed.
INSTALLING SENTRY
Installing the SENTRY software is very simple! Just follow these easy steps. If you encounter problems at any point, please call us for additional assistance.
Before you begin, check your system to see if there is a possible conflict with the accounts we will be loading. Do you have an account or user name called "sentry" or "sentry.practice"? If you have an account or user ID which uses either of these names, DO NOT INSTALL SENTRY. Please call us for alternate installation instructions. If you are in doubt as to the naming conventions on your computer, DO NOT INSTALL SENTRY. Be safe, call us for assistance and instruction on installation. We want to help.
SENTRY will require approximately 5 to 10 MB of disk space in one filesystem on your computer. This is an estimate. The actual size will vary depending on the number of files on your system and the cross referencing for those files. Please discuss your disk space concerns with us. Check to see that this space is available before beginning installation. You will NOT need to stop or start the system during installation and your users may continue to use the computer while you are installing SENTRY.
1. Login to your system as the super-user (usually the user "root"). Change directories ("cd") to the directory where you wish to place the SENTRY account. We suggest placing SENTRY in a top-level directory (for example, the "/u1" or “/usr” directory). SENTRY may be placed on any local file system.
2. List the contents of the directory using "ls" or "ls -C". Make sure that this is the directory where you wish to place SENTRY. Use "pwd" to verify your directory.
3. If SENTRY has been previously installed on your system, there may be an existing directory named "sentry". Change the name of this existing directory to "sentry.old" by entering the command:
mv sentry sentry.old
Enter "ls -C" to verify that the name is changed.
4. Restore the contents of the tape using cpio. You will need to know the device file used to interface with your tape drive. Ours, for example, is "/dev/rmt/0m". Enter this command:
cpio -icvBdum < /dev/xxx (replace xxx with your device file name)
The tape contains two accounts: sentry and sentry.practice. You must restore sentry; sentry.practice is optional. It contains several demonstration items and files.
5. When the restore is complete, cd to the sentry directory and list the contents ("ls" or "ls -C").
6. Notice a file named "install". This is a script which will perform the steps necessary to install the SENTRY software. Execute the script by entering:
./install
7. Next type the command to enter your database environment (uv, udt, piopen). You should now see the TCL prompt ">" or “:”.
If you see the UNIX message “…:not found” when you enter the command, it means that your PATH variable is not set up to contain the path to the command directory of your database. Each database environment has a directory named “bin” which contains its executable programs. The UNIX PATH variable must contain the path to this directory in order for you to use the environment’s commands. Depending upon the database system you have and where it is installed the path will look like one of these:
uniVerse /…/uv/bin
UniData /…/udt/bin
PI/open /…/isys/bin
“…” implies that the actual path varies according to where your database account was installed.
The PATH variable may be set permanently by modifying the “.profile” file in your home directory to include the appropriate path in the PATH assignment. The problem may be resolved temporarily (until you logout) by entering these Bourne shell commands at the UNIX prompt:
PATH=$PATH:/…/…/bin
export PATH
Note that “/…/…/bin” must be replaced with the actual appropriate pathname!
8. Set the proper terminal type for the terminal you are using with the SET.TERM.TYPE command (e.g. SET.TERM.TYPE tvi925).
9. Now enter the command "SENTRY". You will see a copyright screen which identifies your company and computer system. If there are discrepancies in the data on this screen, please contact us. SENTRY is licensed only for use at the company and on the system described on the copyright screen.
10. Enter a carriage return. You will now see the SENTRY Menu on your screen (Figure 1).
SENTRY Main Menu 07 AUG 2000
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4. Utilities Menu
Please select one of the above:
Figure 1 - Main Menu
11. At this point you are ready to begin loading your data into the SENTRY database. This procedure is described in the following section “Getting Started”.
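The cautions in the installation steps above (do not install if a login named "sentry" or "sentry.practice" already exists, rename a leftover "sentry" directory to "sentry.old", and make sure the database environment's "bin" directory is on PATH) can be checked before the tape is restored. The script below is an added example for this edition of the guide, not SENTRY's own "install" script; the function names and the sample passwd entries are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the SENTRY manual or its "install" script: a
# pre-installation check covering the manual's cautions (no existing
# "sentry"/"sentry.practice" login, no leftover "sentry" directory, and the
# database "bin" directory present in PATH). Names are this example's own.

# Constructed passwd text for demonstration; not from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
sentry:x:0:0:SENTRY admin:/u1/sentry:/bin/sh
alice:x:201:100:Alice:/home/alice:/bin/sh'

# name_conflict PASSWD_TEXT
#   Succeeds (exit 0) when a login named "sentry" or "sentry.practice" already
#   exists in the supplied passwd text; the manual says not to install then.
name_conflict() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sentry" || $1 == "sentry.practice" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# add_bin_to_path CURRENT_PATH BIN_DIR
#   Prints CURRENT_PATH with BIN_DIR appended unless it is already an entry,
#   mirroring the manual's "PATH=$PATH:/.../bin; export PATH" step.
add_bin_to_path() {
    case ":$1:" in
        *":$2:"*) printf '%s\n' "$1" ;;
        *)        printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# preinstall_check PARENT_DIR
#   Verifies the directory chosen for the sentry account exists and reports a
#   leftover "sentry" directory, which the manual says to rename to sentry.old.
#   Exit status: 0 ready, 1 no such directory, 2 leftover directory present.
preinstall_check() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    if [ -d "$1/sentry" ]; then
        echo "existing $1/sentry found; first run: mv $1/sentry $1/sentry.old" >&2
        return 2
    fi
    return 0
}

# Typical use on the real system (uncomment to run):
#   name_conflict "$(cat /etc/passwd)" && echo "conflict: do not install" >&2
#   PATH=$(add_bin_to_path "$PATH" /usr/uv/bin); export PATH
#   preinstall_check /u1
```

The PATH helper only appends when the entry is missing, so running it from .profile repeatedly does not grow PATH; the check functions return status codes rather than exiting so they can be combined in a larger script.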
GETTING STARTED
This section describes how to invoke the SENTRY Main Menu. It also describes the copyright and the validation screen which will be displayed as you enter SENTRY. Additionally, the first three steps for loading the SENTRY database are presented.
< < S E N T R Y - Serial Number 00.08.70100 > >
This version of SENTRY has been prepared expressly for
Fitzgerald & Long, Inc.
12341 East Cornell Avenue
Aurora, Colorado
and may be used there only on the following computer system:
Hewlett-Packard 9000-E25, PI/Open Serial # 999999
Any other use is in violation of the license and is forbidden.
< < < < Release 4.1 - Copyright 1988 - 2000 > > > >
Fitzgerald & Long, Inc.
12341 East Cornell, # 18
Aurora, Colorado 80014 USA
Telephone: (303) 755-1102
Figure 2 - This is an example of the SENTRY copyright screen.
Having restored SENTRY from tape and installed the software, you are ready to proceed with this section. SENTRY is installed as a directory named sentry; this directory is also set up as a standard database account. To access SENTRY you must be “in” the sentry account – that is, sentry must be your present working directory. To reach sentry from the UNIX prompt, use the UNIX “cd” command followed by the command to invoke your database environment (e.g. “uv”, “udt” or “piopen”). To reach sentry from TCL in another account use the TCL “LOGTO” command.
Since SENTRY is a security product, it won’t allow just any user to use it to modify your system! Only users whose UNIX UID is 0 (zero) will be permitted to enter SENTRY. Users with the UID of 0 are referred to as “super users” because they have the power to do nearly anything on the system. The standard user root is an example of a “super user”. The passwords to super user logins should be carefully protected!
Our recommendation is that you create a userid called sentry with the UID of 0 (zero). This user will have “sentry” as its “home” directory and will invoke the database on login. Suggestion: use SENTRY to create this user while “getting started” with SENTRY.
At TCL, enter:
SENTRY
The SENTRY copyright screen (Figure 2) will be displayed. This screen reminds you that SENTRY is protected by copyright law and is licensed for use to the company and computer system named on the screen. Under no circumstances may you use the SENTRY software for any other company and/or computer system than the one for which this copy of SENTRY was prepared, without the written permission of Fitzgerald & Long, Inc.
The copyright screen awaits a <RETURN>.
Validating System Administrator authority.....
You must be super-user to use SENTRY!
Press <RETURN> to continue :
Figure 3 - This screen is displayed immediately after the copyright screen in the previous figure. You will see the second line “You must be super user to use SENTRY” only if your user ID has a UID other than 0 (zero).
NOTE: If another user is logged in as the System Administrator and attempts to use SENTRY, the following message will be displayed.
SENTRY is currently being run by user n.
This is a safety precaution. SENTRY is a very powerful tool and should only be used by the System Administrator or his designee. SENTRY is designed to be a single user utility. Therefore, only one user at a time is allowed into SENTRY.
The third SENTRY screen (Figure 3) informs you that SENTRY is validating that your user ID has a UID of 0 (zero). If it does NOT, you will see the message:
“You must be a super-user to use SENTRY!”
The validation screen may flash by so quickly that you cannot read it because the test for UID = 0 is so quick. Unless the validation fails, SENTRY will display the Main Menu.
The SENTRY Main Menu
There are four selections on the SENTRY Main Menu. These are:
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4. Utilities Menu
Choose selection one, Database Creation and Validation Menu. This selection presents another menu which has three more choices. Each selection in each menu is documented thoroughly in the User Guide. Simply look for the User Guide section that corresponds to the number of the menu selection. For example, to get to the second selection of the Database Creation and Validation Menu you first entered “1” from the Main Menu and then entered “2” from the next menu. In the User Guide you will find documentation about this selection in section 1.2.
Read the appropriate section of the User Guide for each of the three selections in the Database Creation and Validation Menu and then execute each one in turn. They perform the following tasks to setup your SENTRY database:
1. Upload User and Group Profiles from UNIX - this program will read your UNIX passwd and group files and create database records in SENTRY for all the users and groups which have been set up on your system. The process will take just a few seconds.
2. Create Database from File System - this program scans the local disks on your system and builds cross reference information in SENTRY about the directories and files it finds. The cross reference uses a sophisticated database structure known as a “balanced B-tree” - this will allow SENTRY to locate objects on your disk nearly instantaneously! Because this is a complex task it will take longer, perhaps as long as an hour or more. The appropriate section of the User Guide describes a technique for running this program as a “phantom” or “background” task to avoid tying up your terminal.
3. Validate the User Profile Database - this program validates the logical integrity of the data you have uploaded into SENTRY. It will print a report of any problems and inconsistencies it finds. If you wish to send the report to a specific printer, form or destination use the SETPTR command to set your printer parameters before executing this selection.
After performing these steps your SENTRY database reflects the actual state of your system. You may now use the Database Maintenance Menu to fix the inconsistencies reported by the validation program or to modify users, groups and file permissions. You may also begin to protect database commands. The Reports Menu will print a variety of useful reports which will allow you to view the data you have collected. The Utilities Menu contains a number of tools which will occasionally be useful.
Complete documentation for each menu and selection in SENTRY is contained in the next sections of this User Guide.
INTRODUCING THE MAIN MENU
SENTRY'S Main Menu follows the copyright screen and the System Administrator validation screen. It is the entry point into the four submenus. The four submenus are presented as selections 1 through 4 (Figure 4).
SENTRY Main Menu 07 AUG 2000
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4. Utilities Menu
Please select one of the above: 1
Figure 4 - This is an example of SENTRY’s Main Menu which provides access to the four submenus and divides SENTRY into four logical sections.
These four selections outline the four logical divisions of SENTRY. Each division is a collection of programs which perform related tasks.
The documentation mirrors this organization: There are four major sections. Each section is introduced via a figure of the Main Menu and a short description of the processes which may be performed from that particular menu selection. Note that the section topic appears in bold print to amplify the Main Menu selection used to invoke the submenu for that topic.
Each submenu is introduced in the same manner. Each selection on each submenu is documented through a sample screen. A description of each field and its use is presented.
In using the menus please note that "on-line" help is available. At the menu selection prompt, enter
HELP <RETURN>
Then enter the number of the menu item for which you would like to receive help.
The first selection, Database Creation and Validation Menu, offers access to programs which upload the information in the UNIX passwd and group files into SENTRY's database. Another program traverses the disks, reading the permissions, owner and group for each file and directory and loading cross reference information into SENTRY's database. Once the data are loaded, you should test the consistency of the data by executing the validation program.
The second selection, Database Maintenance Menu, is the menu for all data entry programs. You may create, delete, and modify users, groups and file permissions. You may also protect commands, peruse files and directories and modify SENTRY system parameters.
This second submenu displays six selections. These are programs to maintain the system profile, user profiles, groups, the file system, SENTRY's Command Protection and SENTRY's User Defined Item Protection.
The third selection on SENTRY's Main Menu invokes the Reports Menu. This submenu provides access to reports. These reports describe all aspects of the SENTRY database from the perspectives of system, users, groups, permissions, access violations and SENTRY protected database commands.
The fourth selection on SENTRY's Main Menu is the Utilities Menu. This submenu provides a collection of programs to perform such tasks as duplicating Command Protection in one account like that in another account, purging the Violations Log, and rebuilding the cross reference files. You may also use a tool which will generate new passwords for all or selected users. Yet another utility will update the VOC of a protected account with the command protection setup through SENTRY, insuring consistency.
The following sections will describe each menu in detail. Each selection of each submenu is described with examples of the screens and prompts available through these programs.
1. INTRODUCING THE DATABASE CREATION AND VALIDATION MENU
The first selection of SENTRY's Main Menu is Database Creation and Validation. This menu provides access to programs which will build SENTRY’s database from your existing user, group and file system data.
SENTRY Main Menu 07 AUG 2000
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4. Utilities Menu
Please select one of the above: 1
Figure 5 - Database Creation and Validation is the first selection on the Main Menu.
These programs provide a quick and easy way to document your existing system. Because all of the data are loaded into SENTRY's database, comprehensive reports are available. Additionally, these programs simplify most of the data entry tasks usually associated with setting up a new security system.
Complementary to the programs which build the SENTRY database is a program to evaluate the consistency of usage in groups, users, and permissions.
The three selections in the Database Creation and Validation Menu are the first three steps you should take after installing SENTRY. The following sections provide detailed descriptions on how, when and why these programs are used.
1.0 DATABASE CREATION AND VALIDATION MENU
This is the first submenu accessible from SENTRY's Main Menu. It is also the first selection you will make after installing SENTRY. Through this menu, you will execute programs which load all the UNIX passwd and group information on your system into SENTRY's database.
SENTRY Database Creation and Validation Menu 07 AUG 2000
1. Upload User and Group Profiles from UNIX
2. Create Database from File System
3. Validate the User Profile Database
"<RETURN>" to return to previous menu
Please select one of the above:
Figure 6 - The Database Creation and Validation Menu provides access to three programs through which you may create and validate the SENTRY database.
Three processes are available in this menu. These provide the capability of uploading the passwd and group files into the SENTRY database, uploading file system information and validating the SENTRY database.
The first selection, 1. Upload User and Group profiles from UNIX reads your existing UNIX passwd and group files and writes the information into SENTRY's database. This is the first program you will execute after SENTRY is installed.
The second selection, 2. Create Database from the File System traverses your local file systems reading all information and creating B-trees to index this information. Note that no remote (NFS) disks are read.
After SENTRY's database has been loaded with the passwd, group and file system data, selection 3. Validate the User Profile Database is used to test the consistency of the data in SENTRY's database. Tests include checks to insure that permissions do not reference users who do not exist in the passwd file or groups which have no registered users. Following extensive validation, a report is produced which documents the inconsistencies found.
The following sections present a detailed description of each program, the screens and the prompts.
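The two validation checks named above (permissions or memberships that reference users who do not exist in the passwd file, and groups which have no registered users) can be illustrated over passwd and group text. The script below is an added example, not SENTRY's own validation program; the function names and the sample passwd and group entries are constructed for illustration, and the group file is read in the same colon-separated form as the UNIX group file.

```sh
#!/bin/sh
# Added example, not SENTRY's own validation program: two of the consistency
# checks the manual describes, written over passwd/group text so they can be
# run against constructed data. Names are this example's own.

# Constructed sample files; not from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
sentry:x:0:0:SENTRY admin:/u1/sentry:/bin/sh
alice:x:201:100:Alice:/home/alice:/bin/sh
bob:x:202:101:Bob:/home/bob:/bin/sh'

SAMPLE_GROUP='root:x:0:
users:x:100:alice,bob
mis:x:101:
stale:x:300:
audit:x:400:carol'

# groups_without_users PASSWD_TEXT GROUP_TEXT
#   Prints groups that have no registered users: no existing login has the
#   group as its primary group and no member named in the group file exists.
groups_without_users() {
    awk -v passwd="$1" -v group="$2" '
    BEGIN {
        n = split(passwd, pl, "\n")
        for (i = 1; i <= n; i++) {
            split(pl[i], f, ":")
            if (f[1] != "") { login[f[1]] = 1; primary[f[4]] = 1 }
        }
        m = split(group, gl, "\n")
        for (i = 1; i <= m; i++) {
            split(gl[i], g, ":")
            if (g[1] == "") continue
            used = (g[3] in primary)
            k = split(g[4], mem, ",")
            for (j = 1; j <= k; j++) if (mem[j] in login) used = 1
            if (!used) print g[1]
        }
    }'
}

# unknown_members PASSWD_TEXT GROUP_TEXT
#   Prints "group:member" for members named in the group file that do not
#   exist in the passwd text: the dangling references validation reports.
unknown_members() {
    awk -v passwd="$1" -v group="$2" '
    BEGIN {
        n = split(passwd, pl, "\n")
        for (i = 1; i <= n; i++) { split(pl[i], f, ":"); if (f[1] != "") login[f[1]] = 1 }
        m = split(group, gl, "\n")
        for (i = 1; i <= m; i++) {
            split(gl[i], g, ":")
            k = split(g[4], mem, ",")
            for (j = 1; j <= k; j++)
                if (mem[j] != "" && !(mem[j] in login)) print g[1] ":" mem[j]
        }
    }'
}

# Against the constructed data: "stale" and "audit" have no registered users
# (audit's only member, carol, is not in passwd), and "audit:carol" is the
# dangling reference.
groups_without_users "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
unknown_members "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

A group counts as used if any login's primary group ID matches it or any listed member exists, so the first check does not flag primary groups such as "mis" that have no members listed in the group file; that is the same distinction a reviewer of the validation report must make before deleting a group.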
1.1 UPLOAD USER AND GROUP PROFILES FROM UNIX
This program loads the data from the UNIX passwd and group files into the SENTRY database. Existing data in the SENTRY database is checked and compared to that in these two files. The SENTRY database is updated to reflect the same configuration as these files.
DB.LOAD SENTRY Data Base Load 08/08/00
Enter "OK" to start the loading process or "<ESC>" to exit : OK
Loading user profiles.
Loading group information.
User and group information loaded.
Figure 7 - This is an example of the “SENTRY Database Load” screen. Enter “OK” to execute the program.
This is the first program you will execute after SENTRY is installed. After the initial upload you will use this program on a regular basis to insure that SENTRY is consistent with your UNIX files.
To invoke this program, enter 1. Database Creation and Validation Menu on SENTRY's Main Menu. Then, enter 1. Upload User and Group Profiles from UNIX from the submenu. This program will be invoked.
On first entering this program, only the prompt Enter 'OK' to start the loading process: is displayed. Enter “OK” to begin or <ESC> to exit the program.
The loading process is performed in two steps. First, the information in the passwd file is read. Second, the group file information is loaded into the SENTRY database. The screen will report the progress of the program as it begins each step. Figure 7 is an example of this screen after the two steps have been completed.
After loading your system information into SENTRY, you should use the SENTRY maintenance screens to update, add or delete users and groups. You may still continue to use the UNIX utilities to manage users and groups, but changes made will not be reflected in the SENTRY database until you perform the upload again.
We recommend: Upload the passwd and group files into the SENTRY databases on a regular basis to INSURE that SENTRY reflects an accurate view of your system. Because of the numerous file system changes which occur daily in the normal course of operations, we recommend that you execute the program which creates the file system view on a regular basis as well. These programs should be scheduled as “over night” jobs at least once a week on systems with “normal” activity.
Because every site is unique, please discuss your system requirements with us if you are undecided about the frequency with which you should be uploading (recreating) the SENTRY database.
The program that loads the UNIX passwd and group data into SENTRY can be run outside SENTRY’s menu system, in “batch” mode. The program can be run at TCL, either directly or using the “PHANTOM” command. This allows you to schedule the process via cron, BENTON or some other utility. The command line to invoke the program is:
SENTRY.DB.LOAD (BATCH)
There is no difference in the actions performed whether the program is run from the menu or in “batch” mode.
1.2 CREATE DATABASE FROM FILE SYSTEM
This section describes the program which creates the B-trees to index your file system directories, files, file owners and groups. On a system with a very large number of files, this process may take a number of hours. This is a “read only” process; it does NOT interfere with your normal processing.
FILE.LOAD Load SENTRY Filesystem Data Base 10/19/00
Enter "OK" to begin processing or "<ESC>" to exit : OK
Starting phantom to build sentry.output file...
Phantom task being performed by User 4097. Output file is "SENT978972046C".
Reading sentry.output file and building BTREE records...
Path - /usr/bin/mediainit
Count - 185
Figure 8 - This is an example of the messages displayed by the program which creates the B-tree indices of your file system.
We are very proud of SENTRY’s balanced B-tree system of indices. Through the use of B-trees, which are ordered cross reference files, we are able to index your entire file system offering you a “file manager” style window to view your file structure, permissions, file owners and groups in a very efficient manner conserving not only CPU cycles but disk storage space as well.
On entering “OK” to start execution of this program, the old B-trees (if any) are cleared. Two processes are started. One process reads the UNIX I-node tables and writes the information into a text file. A second process reads in the text file and creates the B-tree entries.
Because this can be a very time consuming process and should be repeated on a regular basis, SENTRY offers a “batch” processing option which may be scheduled through cron or executed through a phantom process. This command is:
SENTRY.FILE.LOAD (BATCH)
To execute as a background job enter:
PHANTOM SENTRY.FILE.LOAD (BATCH)
You must be in the “sentry” directory to execute this job. Therefore, if you plan to use cron, the cron job must “cd” into the “sentry” directory BEFORE executing the command (cron jobs do not start in that directory).
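The following wrapper script schedules both batch loads described above (SENTRY.DB.LOAD from section 1.1 and SENTRY.FILE.LOAD from this section) from cron, changing into the sentry directory first as this section requires. It is an added example, not part of SENTRY or of this manual. Three things are assumptions rather than facts from the manual: the sentry directory path (SENTRY_DIR), the name of the database shell command that accepts TCL command lines on standard input when run non-interactively (DB_SHELL, assumed to be “uv”), and the log file location (LOGFILE). All three are placeholders to set for your site.

```shell
#!/bin/sh
# sentry_batch.sh: run the SENTRY batch loads from cron.
# Added example; this is not part of SENTRY. Assumed, not taken from the
# manual: the sentry account directory path in SENTRY_DIR, and that the
# database shell named in DB_SHELL (e.g. "uv" for uniVerse) accepts TCL
# command lines on standard input when run non-interactively.
#
# Example crontab line (Sunday, 02:00), matching the manual's advice to run
# the loads as a weekly overnight job:
#   0 2 * * 0 SENTRY_BATCH_RUN=1 /usr/local/sbin/sentry_batch.sh

SENTRY_DIR="${SENTRY_DIR:-/usr/sentry}"          # assumed location of the sentry directory
DB_SHELL="${DB_SHELL:-uv}"                       # assumed database shell command
LOGFILE="${LOGFILE:-/var/tmp/sentry_batch.log}"  # assumed log location

# Build the TCL command line for one SENTRY program with the (BATCH) option.
sentry_batch_command() {
    printf '%s (BATCH)\n' "$1"
}

# run_sentry_batch PROGRAM...
# Changes into the sentry directory first (the manual requires this for
# SENTRY.FILE.LOAD, and cron does not start there), then feeds each program's
# command line to the database shell in the order given.
# Returns 1 if the directory is missing, otherwise the shell's exit status.
run_sentry_batch() {
    if [ ! -d "$SENTRY_DIR" ]; then
        echo "run_sentry_batch: sentry directory $SENTRY_DIR not found" >&2
        return 1
    fi
    (
        cd "$SENTRY_DIR" || exit 1
        for prog in "$@"; do
            sentry_batch_command "$prog"
        done | "$DB_SHELL"
    )
}

# Entry point for cron. Guarded by an environment variable so the file can
# also be sourced for its functions without starting a load.
if [ "${SENTRY_BATCH_RUN:-0}" = 1 ]; then
    # Users and groups first, then the file system view, following the
    # menu order; the validation program would be run after these.
    {
        echo "=== $(date) SENTRY batch load start"
        run_sentry_batch SENTRY.DB.LOAD SENTRY.FILE.LOAD
        rc=$?
        echo "=== $(date) SENTRY batch load finished, status $rc"
    } >>"$LOGFILE" 2>&1
fi
```

The loads run in the order the menu lists them, so the user and group profiles are current before the file system view is rebuilt; the log captures start and end times, which is how you will notice a multi-hour SENTRY.FILE.LOAD overrunning into the working day.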
1.3 VALIDATE THE USER PROFILE DATABASE
This program is used to check the consistency of the users, groups and permissions which have been loaded into the SENTRY database via the first two programs described in this section. User IDs, groups, and their usage in the file system are analyzed and inconsistencies are reported. For example, the validation report might point out a file whose owner is not registered or a home pathname which does not exist on the system.
VALIDATION SENTRY Database Validation 08/16/00
Enter "OK" to start the validation or "<ESC>" to exit : OK
Do you want to print missing password messages? (Y/N) or <ESC> to exit: N
Validating user profiles
Validating groups
Validating file owners & groups
Validating COMMANDs
*** Problems found during validation ***
See Validation Report for Details
------------------------------ Database Invalid ------------------------------
Press <RETURN> to continue :
Figure 9 - This is an example of the messages displayed to the user during the execution of the validation program.
Validating the data you have loaded from your passwd and group files and from the file system is the third step which should be performed when you are first building the SENTRY database. Using this program you will be able to locate and correct any inconsistencies in your user profiles and groups. Use this program any time you wish to test for consistency of usage of user IDs, groups and file system protection. We encourage you to use it EVERY TIME you upload data from the passwd and group files and when you rebuild the B-tree files (which should be done on a regular basis).
This program will generate a printed report, using whatever printer setup is in effect at the time the program is run. To modify the printer, destination or form, use the SETPTR command at the TCL prior to running the program. Alternatively, the SENTRY XEQ function may be used to execute the SETPTR command.
To execute this program, select 1. Database Creation and Validation Menu from the SENTRY Main Menu. Next, select 3. Validate the User Profile Database from the Database Creation and Validation Menu.
Enter “OK” to start the validation or “<ESC>” to exit: - This is the first of two input prompts in this program. If you enter “OK”, the program will continue. To exit at either prompt press <ESC> then enter <RETURN>.
Do you want to print missing password messages?(Y/N) or <ESC> to exit:
Your answer to this prompt controls whether or not the validation program tells you about users who have no passwords in the SENTRY database. If “Y” is entered the message
FATAL! User “USER.ID” does not have a password in the SENTRY database.
will print on the validation report.
When SENTRY retrieves the data from the passwd file, the password field is loaded into the SENTRY database as is. SENTRY cannot read or decrypt that password. Only passwords created from the User Profile data entry screen, which are encrypted by SENTRY, can be decrypted by SENTRY; because those passwords are recoverable, the SENTRY database files that hold them should be protected at least as carefully as the passwd file itself. Some system administrators choose to set up and track all user passwords through SENTRY. Others choose to have users manage their own passwords and not to maintain them in SENTRY. If you are not tracking user passwords, the “missing password” messages will be of little use to you.
We suggest that you answer “N” (do not print these messages) unless you have created all passwords through the User Profile data entry screen or through one of SENTRY’s password utilities.
Two types of errors are reported. These are called “FATAL” and “Warning”. “FATAL” errors are those which we believe could possibly create a serious security issue or those which would lead to an operational problem. The following is a list of errors which we have labeled as FATAL.
1. “User XXXXX not on the SENTRY.USERS file.” - The user name “XXXXX” was found in the list of SENTRY users in the SENTRY.CONTROL file, but no record was found for this user in the SENTRY.USERS file. This indicates an inconsistency in the SENTRY database; we suggest that the User Profiles be uploaded from UNIX again (selection 1 in the Database Creation and Validation Menu.)
2. “User XXXXX does not have a password in the SENTRY database.” - The user “XXXXX” has no password in SENTRY. This message will ONLY appear if you answered “Y” to the prompt, “Do you want to print missing password messages?”. If you are tracking passwords within SENTRY, this user should be assigned a password.
3. “Password for User XXXXX is less than N characters.” - The user “XXXXX” has a password which is shorter than the minimum password length specified in the SENTRY System Profile screen, which is N. This user’s password should be updated to conform to the minimum length restrictions you have instituted.
4. “User XXXXX has no home directory.” - The user “XXXXX” has no home directory specified. This would prevent the user from logging in, as UNIX would not know where to attach the user upon login. The user should be updated and assigned a home directory.
5. “User XXXXX has an invalid home directory - /ZZZZZ.” - The user “XXXXX” has a home directory in the SENTRY database of “/ZZZZZ”, but SENTRY cannot locate this directory on your file system. Perhaps the directory was removed after it was assigned as the user’s home directory. The user should be updated and assigned a valid home directory.
6. “Group XXXXX is not on the SENTRY.GROUPS file.” - A Group name was found in SENTRY’s control list which does not exist in the SENTRY.GROUPS file. This indicates that one of SENTRY’s database files is damaged and should be rebuilt. Upload the passwd and group files to fix this problem.
7. “Command XXXXX not on the SENTRY.COMMANDS file.” - A VOC protection item was found in SENTRY’s control list which does not exist in the SENTRY.COMMANDS file. This indicates that one of SENTRY’s database files is damaged and should be rebuilt.
Errors beginning with the word “Warning” are informational - not serious database issues but situations you should be aware of. The following is a list of those warnings.
1. “User XXXXX will default to “other” protection on all objects and commands.” - The user “XXXXX” is not specifically mentioned, either by user ID or group membership, in the permissions for any file system object or any VOC command protected by SENTRY. He will fall into the “other” category for all protection on the system. This is NOT a problem, but could serve as an indication of a user ID which is obsolete and no longer used.
2. “Group XXXXX is not used by any user.” - The group “XXXXX” is not being used by any user on the system. Therefore, no users will receive their access permissions via this group. This may be a group which is obsolete and should be removed or renamed.
3. “Group XXXXX is not used to protect any object or command.” - The group “XXXXX” is not referenced in the permissions for any disk object or any VOC command. It may be assigned to users, but is not used to protect anything. This might be an obsolete group which should be removed or renamed.
4. “Owner (UID) XXXXX on /ZZZZZ does not exist.” - The user ID number “XXXXX” is the owner of a disk object whose path is “/ZZZZZ”. However, there is no user who is assigned this user ID number. Possibly, there once was a user but he has been deleted. The owner for this disk object should be replaced with a valid user on the system. Alternatively, a new or existing user could be assigned the same user ID number (UID).
5. “Group (GID) XXXXX on /ZZZZZ does not exist.” - The group number “XXXXX” is the registered group for a disk object whose path is “/ZZZZZ”. However, the group does not exist in SENTRY. Possibly, the group once existed but has been deleted. The group for this disk object should be replaced with a valid group on the system. Alternatively, a new or existing group could be assigned the same group number (GID).
6. “Command /VVVVV does not have any groups or users assigned.” - The database command whose path is “/VVVVV” has only “other” access rights assigned. No users or groups are referenced in the command’s protection. This may be because only “other” access rights are needed; everyone may have the same rights to the command. However, you should review the command protection to be sure it is what you intend.
7. “User (UID) XXXXX on command /VVVVV does not exist.” - The user ID number “XXXXX” is referenced in the protection for a database command whose path is “/VVVVV”. However, there is no user who is assigned this user ID number. Possibly, there once was a user but he has been deleted. The user in this command’s protection should be replaced with a valid user on the system. Alternatively, a new or existing user could be assigned the same user ID number (UID).
8. “Group (GID) XXXXX on command /VVVVV does not exist.” - The group number “XXXXX” is referenced in the protection for a database command whose path is “/VVVVV”. However, the group does not exist in SENTRY. Possibly, the group once existed but has been deleted. The group in this command’s protection should be replaced with a valid group on the system. Alternatively, a new or existing group could be assigned the same group number (GID).
As the validation program progresses four messages will appear. These are:
Validating user profiles
Validating groups
Validating file owners & groups
Validating COMMANDs
When these four sections of the validation program are completed, SENTRY will display “Problems found during validation - See Validation Report for Details.” The message “Database Invalid” will appear at the bottom of the screen if FATAL errors are encountered. If only Warnings are found, the message displayed is “Questionable data found during validation.”
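To make the FATAL and Warning classification above concrete, the following script re-implements the subset of the validation checks that can be carried out from passwd and group data plus a file system view: FATAL errors 4 and 5 (missing or invalid home directory) and Warnings 2 through 5 (group unused by any user, group protecting nothing, owner UID or GID on a disk object that no longer exists). It is an added example, not SENTRY's validation program, and it does not read SENTRY's database; the checks that need SENTRY's own files (SENTRY.CONTROL, SENTRY.USERS, SENTRY.COMMANDS, password length, VOC command protection) are therefore not included. Two assumptions: the file system view is supplied as a plain “path uid gid” listing standing in for SENTRY's B-tree index, and the sample passwd, group and file data are constructed for the example rather than taken from any real system. Message wording follows the manual, and the exit status mirrors its final screen messages: 1 for “Database Invalid”, 2 for “Questionable data found during validation”, 0 when clean.

```shell
#!/bin/sh
# sentry_validate.sh: added example re-implementing the consistency checks
# the SENTRY validation program documents. Not SENTRY's code; it does not
# read SENTRY's database. Assumption: the third input is a "path uid gid"
# listing that stands in for SENTRY's indexed file system view.

# sentry_validate PASSWD_TEXT GROUP_TEXT FILE_LISTING_TEXT
# Prints FATAL!/Warning: lines in the manual's wording, then the closing
# message. Exit status: 1 if any FATAL, 2 if only Warnings, 0 if clean.
sentry_validate() {
    printf '@passwd\n%s\n@group\n%s\n@files\n%s\n' "$1" "$2" "$3" |
    awk -F: '
    function fatal(m) { print "FATAL! " m; nfatal++ }
    function warn(m)  { print "Warning: " m; nwarn++ }
    /^@/ { sec = substr($0, 2); next }          # section marker
    sec == "passwd" && NF >= 6 {
        user_home[$1] = $6                      # home directory field
        uid_exists[$3] = 1                      # UID assigned to some user
        gid_used[$4] = 1                        # primary group is in use
        next
    }
    sec == "group" && NF >= 3 {
        group_gid[$1] = $3
        gid_exists[$3] = 1
        n = split($4, m, ",")                   # supplementary members also use the group
        for (i = 1; i <= n; i++) if (m[i] != "") gid_used[$3] = 1
        next
    }
    sec == "files" && split($0, f, " ") == 3 {
        path_exists[f[1]] = 1
        file_uid[f[1]] = f[2]
        file_gid[f[1]] = f[3]
        gid_protects[f[3]] = 1                  # group appears in some object permission
        next
    }
    END {
        for (u in user_home) {
            if (user_home[u] == "")
                fatal("User " u " has no home directory.")
            else if (!(user_home[u] in path_exists))
                fatal("User " u " has an invalid home directory - " user_home[u] ".")
        }
        for (g in group_gid) {
            if (!(group_gid[g] in gid_used))
                warn("Group " g " is not used by any user.")
            if (!(group_gid[g] in gid_protects))
                warn("Group " g " is not used to protect any object or command.")
        }
        for (p in path_exists) {
            if (!(file_uid[p] in uid_exists))
                warn("Owner (UID) " file_uid[p] " on " p " does not exist.")
            if (!(file_gid[p] in gid_exists))
                warn("Group (GID) " file_gid[p] " on " p " does not exist.")
        }
        if (nfatal) { print "------ Database Invalid ------"; exit 1 }
        if (nwarn)  { print "Questionable data found during validation"; exit 2 }
        print "Database Valid"
    }'
}

# Constructed sample data (not from any real system) to run the checks against.
SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/missing:/bin/sh
carol:x:1003:200:Carol::/bin/sh'

SAMPLE_GROUP='root:x:0:
users:x:100:alice,bob
staff:x:200:
obsolete:x:300:'

SAMPLE_FILES='/ 0 0
/home/alice 1001 100
/home/bob 1002 100
/var/tmp/old.dat 5001 100
/usr/local/app 1001 999'

# Run against the sample data when invoked as a demo (guarded so the file can
# also be sourced for its function).
if [ "${SENTRY_VALIDATE_DEMO:-0}" = 1 ]; then
    sentry_validate "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_FILES"
fi
```

On the sample data this reports two FATAL errors (bob's home directory is not in the file system view, carol has none) and five Warnings (group obsolete is neither used by a user nor protects anything, staff protects nothing, /var/tmp/old.dat is owned by a UID with no user, /usr/local/app carries a GID with no group), and exits 1, the same outcome the manual describes as “Database Invalid”. To run it against live data, pass "$(cat /etc/passwd)" and "$(cat /etc/group)" for the first two arguments and a listing produced from your file system view for the third.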