Automatic and Manual GuardPoints
The following table lists the GuardPoint types and the kind of policy each is used with:

| Type | Description |
|---|---|
| Auto Directory | Select for file system directories that the agent should guard as soon as the configuration reaches the client. |
| Manual Directory | Select for file system directories that an administrator guards manually on the client. |
| Auto Raw or Block Device | Select for standard policies on raw (block) devices that the agent guards automatically. |
| Manual Raw or Block Device | Select for standard policies on raw (block) devices that an administrator guards manually on the client. |
| Auto Cloud Storage | Select for Cloud Storage policies that the agent guards automatically. |
| Manual Cloud Storage | Select for Cloud Storage policies that an administrator guards manually on the client. |
A GuardPoint is usually applied immediately after it is configured in the CipherTrust Manager GUI; a manual GuardPoint is configured in the same place but applied later on the client system.
When an auto GuardPoint is applied, whether it is a file system directory or a raw device, the configuration is pushed to the client system and the GuardPoint is mounted immediately.
Use the `df` command to display the secfs mounts (that is, the GuardPoints that are currently applied), or `secfsd -status guard` to display the configured GuardPoints themselves. In the `secfsd` output, a directory configured as Auto Directory (Directory (Auto Guard)) shows a guard type of local.
When a manual GuardPoint is applied, whether it is a file system directory or a raw device, the configuration is only pushed to the client system. The client is aware of the GuardPoint but does not mount it, so until an administrator guards it on the client the policy is not enforced on that path. This is indicated in the Type column of the `secfsd -status guard` command output.

For example, if the GuardPoint /opt/apps/apps2/bin has been configured as Manual Directory, `secfsd -status guard` reports its guard type as manual.

Note the Type value: manual indicates a manual GuardPoint, and local indicates an automatic GuardPoint.
A manual GuardPoint is shown as Inactive on CipherTrust Manager until it is guarded on the client. After the GuardPoint is guarded on the client and the client reports the change to the server, the status changes to Active. It returns to Inactive when the GuardPoint is manually unguarded.
Use the `secfsd` command to guard and unguard manual GuardPoints. The `secfsd` command syntax is:
To guard, run:
To unguard, run:
Example

To manually guard and unguard a file system directory:

1. As CipherTrust Manager administrator, configure a GuardPoint with the type Manual Directory.
2. Log on to the client as an administrator with root permissions.
3. Wait until the configuration change is downloaded to the agent system.
4. Run `secfsd -status guard` repeatedly until the manual GuardPoint is displayed with a Type of manual.
5. Enable the GuardPoint by running the `secfsd` guard command on its path. The manual GuardPoint is now active and the policy is enforced; `secfsd -status guard` reflects the change and CipherTrust Manager shows the GuardPoint as Active once the client reports it.
6. Disable the GuardPoint by running the `secfsd` unguard command on its path. The policy is no longer enforced on the directory and the GuardPoint returns to Inactive.
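The following POSIX shell helper is an added example, not code from the page or from the CipherTrust Transparent Encryption product, that scripts the status check and the manual guard/unguard procedure above. It assumes (the page does not state this) that the agent CLI is `secfsd -guard <path>` and `secfsd -unguard <path>`, and that `secfsd -status guard` prints a header row of GuardPoint, Policy, Type, ConfigState, Status and Reason followed by one whitespace-separated row per GuardPoint. The sample listing, the function names and the SECFSD variable are constructed for the example; the only path it uses is the page's /opt/apps/apps2/bin. The important check it adds is refusing to guard or unguard anything whose Type is local, since automatic GuardPoints are mounted by the agent itself.

```shell
#!/bin/sh
# Added helper for scripting manual GuardPoints from the CTE client. Assumed,
# not taken from the page: the agent CLI is `secfsd -guard <path>` and
# `secfsd -unguard <path>`, and `secfsd -status guard` prints a header row
#   GuardPoint  Policy  Type  ConfigState  Status  Reason
# followed by one whitespace-separated row per GuardPoint. SECFSD can be
# pointed at another binary, or at a stub function, for testing.

SECFSD="${SECFSD:-secfsd}"

# Constructed sample of a status listing in the assumed layout: one auto
# (local) GuardPoint and one manual GuardPoint that has been pushed to the
# client but not yet guarded.
SAMPLE_LISTING='GuardPoint           Policy          Type    ConfigState  Status     Reason
----------           ------          ----    -----------  ------     ------
/opt/apps/etc        allowAllOps_fs  local   guarded      guarded    N/A
/opt/apps/apps2/bin  allowAllOps_fs  manual  unguarded    unguarded  Inactive'

# Print the Type column (local or manual) for GuardPoint $1, reading a status
# listing from stdin. Header and separator rows never match a path. Exits 1
# if the path is not listed, i.e. the configuration has not reached the client.
guard_type() {
    awk -v p="$1" '$1 == p { print $3; found = 1 } END { exit !found }'
}

# List every GuardPoint whose Type is manual, one path per line, from stdin.
manual_guardpoints() {
    awk '$3 == "manual" { print $1 }'
}

# Poll the agent until GuardPoint $1 is listed; the push from CipherTrust
# Manager is asynchronous. $2 = attempts (default 30), $3 = seconds between.
wait_for_guardpoint() {
    attempts="${2:-30}"; interval="${3:-2}"; i=0
    while [ "$i" -lt "$attempts" ]; do
        if "$SECFSD" -status guard | guard_type "$1" >/dev/null; then
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    echo "GuardPoint $1 not pushed to this client after $attempts attempts" >&2
    return 1
}

# Run $1 (-guard or -unguard) on GuardPoint $2, but only when the agent reports
# Type manual: auto (local) GuardPoints are mounted by the agent itself, and
# toggling them by hand is almost certainly a mistake.
toggle_manual() {
    action="$1"; path="$2"
    gtype="$("$SECFSD" -status guard | guard_type "$path")" || {
        echo "$path is not a configured GuardPoint on this client" >&2
        return 1
    }
    if [ "$gtype" != "manual" ]; then
        echo "$path is an automatic GuardPoint (Type $gtype); refusing $action" >&2
        return 2
    fi
    "$SECFSD" "$action" "$path"
}

guard_manual()   { toggle_manual -guard "$1"; }
unguard_manual() { toggle_manual -unguard "$1"; }

# Usage as root on the client, after the Manual Directory GuardPoint has been
# configured on CipherTrust Manager:
#   printf '%s\n' "$SAMPLE_LISTING" | manual_guardpoints   # offline demo of the parser
#   wait_for_guardpoint /opt/apps/apps2/bin && guard_manual /opt/apps/apps2/bin
#   secfsd -status guard    # the GuardPoint should now be guarded, and Active on CM
#   unguard_manual /opt/apps/apps2/bin
```

Because `guard_type` keys on the first column only, header and separator rows are ignored without any line counting, and a path that is absent from the listing is reported as a failure rather than silently treated as unguarded; `wait_for_guardpoint` turns step 4 of the procedure into a bounded poll instead of an open-ended retry.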