Setting Client Locks
Agent Lock and System Lock are used to protect the CTE Agent and certain system files. CTE Agent protection includes preventing:
Certain changes to the CTE Agent installation directory.
Unauthorized termination of the CTE Agent processes.
These locks can be applied to individual clients or client groups. By default, the Agent Lock and System Lock are disabled.
Note
Uninstallation of the Agent software might fail when the Agent Lock and System Lock are enabled. It is recommended to disable the:
• Agent Lock before uninstalling the Agent software on the client system.
• Agent Lock before deleting the client records from the CipherTrust Manager GUI.
• System Lock before updating, deleting, or modifying the protected system files.
Agent Lock
Agent Lock locks the contents of the CTE Agent directories on the client. These directories are /<install root>/agent/secfs
and /<install root>/agent/vmd
.
Files in these directories cannot be modified or removed when Agent Lock is enabled; however, the CipherTrust Manager can still propagate updates to the client system.
Note
The CTE Agent directories secfs/.sec/conf/
(on Linux) and secfs\sec\conf\
(on Windows) contain sensitive configuration files. It is highly recommended to enable the Agent Lock to avoid data exposure to unauthorized users.
When Agent Lock is Disabled
CTE Agent software on the client is not protected
Note
Do not unregister or delete the CTE Agent while locks are applied. The locks stay in effect after the Agent is unregistered, and without Agent credentials, the CipherTrust Manager can neither administer that Agent nor disable the locks. You must boot the client into single-user mode and manually modify the Agent configuration to disable the locks.
When Agent Lock is Enabled
Certificates are exchanged and the client is bound to the CipherTrust Manager
CTE Agent installation directory cannot be deleted or overwritten
CTE Agent services cannot be stopped
CTE Agent GuardPoints cannot be forcefully unmounted
On Linux systems:
All operations are permitted on the following directory:
/<install root>/agent/secfs/tmp
Following directories cannot be removed or renamed, and directory and file creation will fail.
/<install root>/agent/secfs/bin /<install root>/agent/vmd
File creations and other operations will work for the following directory, but the directory cannot be removed or renamed.
/<install root>/agent/secfs/
On AIX systems:
Contents of the following directories cannot be changed or moved.
/<install root>/agent/vmd
Contents of the following files and directories can be modified, but not removed or renamed.
/<install root>/agent/secfs/ /<install root>/agent/secfs/tmp
On Windows systems:
Following folder cannot be moved and its contents cannot be modified.
C:\Program Files\Vormetric\DataSecurityExpert\Agent\secfs\sec
CTE Agent entries in the registry cannot be modified or deleted.
System Lock
System Lock applies an internal policy to the client to lock client system directories, such as /var
, /bin
, and /etc
.
Note
System Lock must be disabled before upgrading or installing third-party software, adding new applications, opening SSH sessions remotely, or modifying system directories.
Note
(Windows only) Verify that the volume letter and the path for the Windows system are correct before proceeding. When the CTE Agent is installed, the volume letter defaults to “C:” The executables on the Client Settings tab may be on a different volume or in a different folder. If the volume or path information is incorrect, the CipherTrust Manager cannot sign the applications and apply Agent Lock and System Lock.
When System Lock is Disabled
The internal policy is disabled.
You can install or update system software.
When System Lock is Enabled
Agent Lock is automatically enabled.
Operating system directories on the client are protected.
Microsoft Update cannot be run on Windows systems to protect the client. Microsoft update and other installation-related executables are specifically blocked. Executables like
wuacuclt.exe
andmsiexec.exe
cannot be run.The installation utility checks if System Lock is enabled on the client system. If it is, the utility aborts installation and displays a message informing you to
unlock system before running install/update program
. Other third-party installation utilities do not check whether System Lock is enabled, and are not prevented from installing software.New file or directory creation inside a protected directory is not allowed.
The following files, directories, and subdirectories are, by default, automatically protected when System Lock is enabled. Asterisks (*
) indicate pattern matching.
On Linux systems:
Following files and the contents of the following directories cannot be changed or moved.
/etc/pam.d
/etc/rc*
/etc/security
/usr/lib/security
Contents of the following files and directories can be modified, but not removed or renamed.
/etc
/etc/init.d/secfs
/usr
/usr/bin/vmd
/usr/bin/vmsec
/usr/bin/secfsd
/usr/bin/dataxform
/usr/lib
/usr/lib/pam
/usr/lib/security
/var/log/vormetric
On AIX systems:
Following files and the contents of the following directories cannot be changed or moved when System Lock is enabled.
/etc/rc.d
/etc/security
/usr/lib/security
/sbin/helpers/mount_secfs
Contents of the following files and directories can be modified, but not removed or renamed when System Lock is enabled.
- /var/log/vormetric
On Windows systems:
Files with the following extensions in the Windows OS installation folder (for instance:
\Windows
,\WinNT
, and so on) cannot be moved or modified:.exe
.dll
.sys
.cmd
.com
When System Lock is applied, a protected file or path cannot be renamed or deleted; however, if it is a directory, other files may be added to it. For example, /etc
cannot be deleted nor renamed, though you can add files to it. A file that cannot be modified cannot be opened and edited in any way.
Setting Locks on Individual Clients
To apply locks to an individual client:
Make sure that no one is currently in or accessing the Agent installation directories; otherwise, the CipherTrust Manager might not lock the Agent software.
Open the CTE application.
Under Client Name, click the desired client.
On the lock bar, click Agent Lock. This protects the CTE Agent files from modification and deletion.
Click System Lock. This protects a set of system files from modification and deletion.
Agent Lock is automatically enabled when System Lock is enabled. You can manually enable or disable Agent Lock only when System Lock is disabled.
Click Apply.
Verify the locks. Refer to Verifying Locks on Clients.
Setting Locks on a Client Group
To apply locks to a client group:
Make sure that no one is currently in or accessing the Agent installation directories; otherwise, the CipherTrust Manager might not lock the Agent software.
Open the CTE application.
Click Clients > Client Groups.
Under Client Group Name, click the desired client group.
On the lock bar, click Agent Lock. This protects the CTE Agent files from modification and deletion.
Click System Lock. This protects a set of system files from modification and deletion.
Agent Lock is automatically enabled when System Lock is enabled. You can manually enable or disable Agent Lock only when System Lock is disabled.
Click Apply.
Verify the locks. Refer to Verifying Locks on Clients.
Note
To disable the locks on a client group, select the client, click Unlock, and click Apply.
Verifying Locks on Clients
A client administrator can verify that the locks are applied to the Agent on the client.
To verify the locks:
Log on to the client system.
Run the
secfsd
command with thelockstat
argument:# secfsd -status lockstat FS Agent Lock: true System Lock: true
Note
Sometimes, the CipherTrust Manager reports the CTE Agent configuration different than the actual configuration. This can be because of the delay between log uploads to the CipherTrust Manager, or because a GuardPoint is in use when the lock is applied.
In some cases, when the locks are enabled, the CipherTrust Manager cannot administer the client. In such cases, after changing authentication credentials or removing the certificate fingerprint, the client administrator must unlock the client manually.
Unlocking Clients Manually
Unlocking Linux Clients
To unlock the client manually:
Boot the client into single-user mode.
Edit the
secfs/.sec/conf/configuration/secfs_config
file.Set both
coreguard_locked
andsystem_locked
tofalse
.Save the file.
Boot the system into multi-user mode.
You can now administer the client again.
Unlocking Windows Clients
To unlock the client manually:
Boot in safe mode.
Rename
C:\Windows\system32\drivers\vmmgmt.sys
and.\drivers\vmfiltr.sys
to something else.Boot in regular mode.
You can now administer the client again.
Disabling Locks
To disable the locks on a client or client group, select the client or client group, click Unlock, and click Apply. The lock bar should look like the following:
Administering Locking Issues
The client administrator must inform the Security Administrator of changes to the system hierarchy.
Example 1: The client system administrator can request to have the locks temporarily disabled to do administrative functions.
Example 2: The client system administrator can remove directories and files, then, later when the lock is reapplied, the CipherTrust Manager protects non-existent data.
Another common administrative issue pertains to mounted GuardPoints. The client system administrator can remove or unmount an unlocked, non-automounted GuardPoint. The CipherTrust Manager GUI is not aware of this change and does not issue a warning when you reapply the lock to the now non-existent mounted GuardPoint.
To recover an unmounted GuardPoint:
Disable the GuardPoint for the file system on the CipherTrust Manager GUI.
Mount the file system on the client.
Enable the GuardPoint for the file system.