[ CA ControlMinder operation tip ]
1. AC daemon start / stop / status
- Start : INSTALL_PATH/bin/seload (root)
- Stop : INSTALL_PATH/bin/secons -s (a user with security admin privileges)
- Status : INSTALL_PATH/bin/issec or ps -ef | grep seos
2. AC DB backup and recovery (DB Management)
- Cold backup : back up the INSTALL_PATH/seosdb directory itself (root)
- Hot backup : back up the DB as a script-format text file (a user with security admin privileges)
. AC daemon up : INSTALL_PATH/bin/dbmgr -e -r > /tmp/db_backup
. AC daemon down : cd INSTALL_PATH/seosdb ; INSTALL_PATH/bin/dbmgr -e -l > /tmp/db_backup
- DB recovery from a backup of the seosdb directory itself
. AC daemon down
. copy the backup into INSTALL_PATH/seosdb
- Recovery from a script backup
. AC daemon up : INSTALL_PATH/bin/selang < /tmp/db_backup or INSTALL_PATH/bin/selang -f /tmp/db_backup
. AC daemon down : INSTALL_PATH/bin/selang -l < /tmp/db_backup or INSTALL_PATH/bin/selang -l -f /tmp/db_backup
3. AC DB integrity check (DB Integrity Check)
- AC daemon down
- cd INSTALL_PATH/seosdb ; INSTALL_PATH/bin/sepurgdb dbchk
- dbchk.err and dbchk.log files are created in INSTALL_PATH/seosdb
- Integrity check with a backup taken at the same time
- INSTALL_PATH/lbin/sedbpchk.sh (root)
- Integrity check result (normal) : the message " === Database is OK! === " is displayed
: the DB files are copied to the INSTALL_PATH/backup directory
- Integrity check result (problem) : the message " Database may be corrupted === " is displayed
- Procedure required when the integrity check reports a problem
① Rebuild the indexes of the existing DB and keep using it
- AC daemon down
- cd INSTALL_PATH/seosdb ; INSTALL_PATH/bin/dbmgr -u -close
- INSTALL_PATH/bin/dbmgr -u -build all
- INSTALL_PATH/bin/dbmgr -u -check (DB check); an "OK" message means the DB is healthy
② If ① does not recover the DB : recreate an empty DB -> restore from the backup DB
- AC daemon down
- cd INSTALL_PATH/seosdb ; INSTALL_PATH/bin/dbmgr -c -c
- INSTALL_PATH/bin/UxImport -at | INSTALL_PATH/bin/selang -l
- INSTALL_PATH/bin/selang -l -f FileName (FileName : the existing DB script backup)
* UxImport : imports User/Group/Host/Terminal/TCP information into the AC DB
* options - u:user, g:group, h:host, c:"connect user to group", t:terminal, T:tcp, a:ughc
*** Database corruption Verification & Rebuild ***
- AC daemon down
- INSTALL_PATH/bin/dbmgr -u -close
- INSTALL_PATH/bin/dbmgr -u -check (-fast plus consistency check for all index files)
- INSTALL_PATH/bin/dbmgr -u -build all # AC databases should be rebuilt
*** dbmgr for NT
- AC daemon down
- \EMS\SeOS\bin\dbmgr -u -index filename (seos_cdf.dat | seos_odf.dat | seos_pdf.dat | seos_pvf.dat)
- \EMS\SeOS\bin\dbmgr -u -free filename (seos_cdf.dat | seos_odf.dat | seos_pdf.dat | seos_pvf.dat)
- \EMS\SeOS\bin\dbmgr -u -all filename (seos_cdf.dat | seos_odf.dat | seos_pdf.dat | seos_pvf.dat) (# index+free #)
- \EMS\SeOS\bin\dbmgr -u -build filename (seos_cdf.dat | seos_odf.dat | seos_pdf.dat | seos_pvf.dat)
*** dbmgr -c -c -u JPJUNG\Administrator for seosdb creation of NT
4. Procedure required before patching the O/S or installing other software : ① is recommended
(To do task before patching O/S and installing software)
① With the AC daemon down (recommended)
- cd INSTALL_PATH/seosdb
- INSTALL_PATH/bin/seretrust -l -a / > INSTALL_PATH/work/program-rules.txt
- INSTALL_PATH/bin/selang -l -f INSTALL_PATH/work/program-rules.txt
* seretrust : retrusts the registered SUID/SGID programs and SECFILEs
* options - a:all(PROGRAM+SECFILE), -p:PROGRAM, -s:SECFILE
② With the AC daemon up
- AC> so class-(FILE PROGRAM PROCESS)
- Finish patching the O/S and installing the other software
- INSTALL_PATH/bin/seretrust -a / | INSTALL_PATH/bin/selang (a user with security admin privileges)
: retrusts the SUID programs and SECFILEs
- AC> so class+(FILE PROGRAM PROCESS)
5. Procedure required after adding/deleting users or changing the /etc/hosts and /etc/services files
(To do task after adding user/group on O/S and modifying /etc/hosts file)
- INSTALL_PATH/bin/sebuildla -a (as root) : updates all four ladb files
- INSTALL_PATH/bin/sebuildla -u (as root) : updates the user ladb
- INSTALL_PATH/bin/sebuildla -g (as root) : updates the group ladb
- INSTALL_PATH/bin/sebuildla -h (as root) : updates the host ladb
- INSTALL_PATH/bin/sebuildla -s (as root) : updates the service ladb
* for each option, lowercase (u,g,h,s) updates the ladb, while uppercase (U,G,H,S) displays the ladb contents
6. Procedure required when changing the system hostname (HostA -> HostB)
- AC daemon down
- change the hostname
- INSTALL_PATH/bin/sebuildla -a
- INSTALL_PATH/bin/selang -l
- AC> ren host HostA HostB
- AC> ren connect HostA HostB
- AC> ren terminal HostA HostB
or
- cd INSTALL_PATH/seosdb ; INSTALL_PATH/bin/sedb2scr -l | grep HOST | grep 'HostA'|sed s/'HostA'/'HostB'/g > /tmp/tmphost
- cd INSTALL_PATH/seosdb ; INSTALL_PATH/bin/sedb2scr -l | grep CONNECT | grep 'HostA'|sed s/'HostA'/'HostB'/g >> /tmp/tmphost
- cd INSTALL_PATH/seosdb ; INSTALL_PATH/bin/sedb2scr -l | grep TERMINAL | grep 'HostA'|sed s/'HostA'/'HostB'/g >> /tmp/tmphost
- INSTALL_PATH/bin/selang -l -f /tmp/tmphost
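The grep/sed pipeline above matches 'HostA' as a substring, so a host named HostAB, or any rule whose text merely contains HostA, would be rewritten as well. The helper below is an added example, not code from the page or from the product: it only touches HOST, CONNECT and TERMINAL rules and only renames exact tokens, and it assumes a selang-style "nr CLASS name ..." rule layout for the sedb2scr export (the sample rules are constructed, not real sedb2scr output).

```shell
# Added example (not from the original page): whole-token hostname rewrite
# for rules exported by sedb2scr, producing input for: selang -l -f /tmp/tmphost
# Assumed rule layout: "nr CLASS name ..." (selang style).
rename_host_rules() {
    awk -v old="$1" -v new="$2" '
    # Replace old with new only where it is bounded by non-name characters,
    # so HostAB or /etc/HostA-like fragments are left alone.
    function rename_token(line, old, new,    out, pos, before, after) {
        out = ""
        while ((pos = index(line, old)) > 0) {
            before = (pos > 1) ? substr(line, pos - 1, 1) : ""
            after  = substr(line, pos + length(old), 1)
            if (before !~ /[A-Za-z0-9_.-]/ && after !~ /[A-Za-z0-9_.-]/)
                out = out substr(line, 1, pos - 1) new
            else
                out = out substr(line, 1, pos + length(old) - 1)
            line = substr(line, pos + length(old))
        }
        return out line
    }
    # Only the three resource classes the procedure renames are considered
    $2 == "HOST" || $2 == "CONNECT" || $2 == "TERMINAL" {
        renamed = rename_token($0, old, new)
        if (renamed != $0) print renamed   # emit only rules that changed
    }'
}

# Constructed sample of exported rules (not real sedb2scr output)
SAMPLE_RULES='nr HOST HostA owner(root)
nr HOST HostAB owner(root)
nr TERMINAL HostA defaccess(read)
nr CONNECT HostA
nr FILE /etc/HostA defaccess(none)'

# Rules to write to /tmp/tmphost for HostA -> HostB
demo_rename() {
    printf '%s\n' "$SAMPLE_RULES" | rename_host_rules HostA HostB
}
demo_rename
```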
7. PMDB management
- INSTALL_PATH/bin/sepmd -S <pmd> # start the pmd daemon, or
- INSTALL_PATH/lbin/sepmdd <pmd> # start the pmd daemon
- INSTALL_PATH/bin/sepmd -L <pmd> # list the subscribers and their status
- INSTALL_PATH/bin/sepmd -C <pmd> # show the pmd update commands
- INSTALL_PATH/bin/sepmd -k <pmd> # stop the pmd daemon
- INSTALL_PATH/bin/sepmd -e <pmd> # view the pmd error log
- INSTALL_PATH/bin/sepmd -c <pmd> # delete the pmd error log
- INSTALL_PATH/bin/sepmd -cl <pmd> # delete the pmd log
- INSTALL_PATH/bin/sepmd -t <pmd> auto # delete the pmd update commands
- INSTALL_PATH/bin/sepmd -p # list the pmds and their status
- INSTALL_PATH/bin/sepmd -s <pmd> <subscriber> # Subscribe a subscriber to a policy model.
- INSTALL_PATH/bin/sepmd -n <pmd> <subscriber> # Subscribe a new subscriber, with all the previous updates.
- INSTALL_PATH/bin/sepmd -u <pmd> <subscriber> # Unsubscribe a subscriber from a policy model.
8. Dual Control (the PMDB name must be maker)
: set is_maker_checker to yes in seos.ini & pmd.ini (pmd section) : seini -s pmd.is_maker_checker yes
- Creating a transaction : maker with admin
(makers can list, retrieve and edit, or delete unprocessed transactions)
(before deletion, a locked transaction must be unlocked)
- Authorizing the transaction for execution : checker with admin
(checkers can lock transactions in order to authorize or reject them,
and they can unlock transactions for processing at a later time or by a different checker)
① Creating transactions as a maker
- AC> hosts maker@
- AC> start_transaction [transactionName] [transactionId]
- AC> newusr mary owner(bob) audit(failure,loginfailure)
- AC> chres TERMINAL tty30 defaccess(read) restrictions(days(weekdays)time(0800:1800))
- AC> end_transaction
② Checking and Processing transactions as a checker
- To view all the transactions that are waiting to be processed before execution
: sepmd -m la or lo
- you must lock the transactions before processing them
: sepmd -m r transactionId
- After a transaction is locked, then you can process it
: sepmd -m p transactionId code
: Code
■ 0 - The transaction is rejected. In this case, all the commands in the transaction are deleted and no changes are implemented in the PMDB.
■ 1 - The transaction is authorized. The commands in the transaction are immediately implemented in the PMDB.
■ 2 - The transaction is unlocked. The transaction returns to the queue of waiting transactions and can be processed later, perhaps by a different checker.
③ sepmd utility
Parameter                   Description
-------------------------------------------------------------------------------------------
sepmd -m l                  Lists the unprocessed transactions of the user who invoked the parameter.
sepmd -m la                 Lists all the transactions of all the makers that are waiting to be processed.
sepmd -m lo                 Lists the transactions of all the makers except those of the user who invoked the parameter.
-------------------------------------------------------------------------------------------
sepmd -m r transactionId    Retrieves a specific transaction to the standard output.
sepmd -m d transactionId    Deletes a specific transaction.
(*) Each transaction in the list includes the name of the maker, the ID number of the transaction,
and a description of the transaction.
9. File and directory access permissions
- READ (R)
- WRITE (W)
- EXEC (X)
- DELETE (D)
- RENAME (V)
- CHMOD (M)
- CHOWN (O)
- UTIME (T)
- SEC (S)
- UPDATE (U = R + W + X)
- CONTROL (C = U + M + O + T + S)
- ALL (A = C + D + V)
10. Checking the ACL list for a user
- AC> su root useprops(REVACL)
11. Installation tips (useful for large-scale deployments)
- First installation (interactive setup)
. [create a config file] : # install_base -savecfg <config file name>
- Subsequent installations (non-interactive setup)
. [use the config file] : # install_base -d <seos_path> -autocfg <config file name>
12. User session logging (session logging)
12.1 Configuration (to configure)
a. sh> INSTALL_PATH/bin/seini -s kblaudit.kbl_enabled yes
b. AC> eu user1 audit(loginf logins failure interactive)
12.2 Session replay (replay)
a. Find the session ID (first, to verify session id)
sh> seaudit -kbl -sd today -logout
26 Mar 2014 13:39:51 P LOGIN test01 57082342 12 testsvr cmdlog
(the eighth field, 57082342, is the session ID)
b. Replay the session (second, session replay)
sh> seaudit -kbl -sid 57082342 -rp
13. Configuration for changing the root password (configure to be able to change root password)
1) AC> cu secadm admin
2) AC> so cng_adminpwd
3) AC> so cng_ownpwd
4) sh> INSTALL_PATH/bin/seini -s passwd.AllowedUidRange -1,60000
5) sh> INSTALL_PATH/bin/seini -s passwd.RootPwAsOwn yes