Setting Client Locks

Agent Lock and System Lock are used to protect the CTE Agent and certain system files. CTE Agent protection includes preventing:

  • Certain changes to the CTE Agent installation directory.

  • Unauthorized termination of the CTE Agent processes.

These locks can be applied to individual clients or client groups. By default, the Agent Lock and System Lock are disabled.

Uninstallation of the Agent software might fail when Agent Lock and System Lock are enabled. It is recommended to disable the:

  • Agent Lock before uninstalling the Agent software on the client system.

  • Agent Lock before deleting the client records from the CipherTrust Manager GUI.

  • System Lock before updating, deleting, or modifying the protected system files.

Agent Lock

Agent Lock locks the contents of the CTE Agent directories on the client. These directories are /<install root>/agent/secfs and /<install root>/agent/vmd.

Files in these directories cannot be modified or removed when Agent Lock is enabled; however, the CipherTrust Manager can still propagate updates to the client system.

The CTE Agent directories secfs/.sec/conf/ (on Linux) and secfs\sec\conf\ (on Windows) contain sensitive configuration files. It is highly recommended to enable the Agent Lock to avoid data exposure to unauthorized users.

When Agent Lock is Disabled

  • CTE Agent software on the client is not protected

Do not unregister or delete the CTE Agent while locks are applied. The locks stay in effect after the Agent is unregistered, and without Agent credentials, the CipherTrust Manager can neither administer that Agent nor disable the locks. You must boot the client into single-user mode and manually modify the Agent configuration to disable the locks.

When Agent Lock is Enabled

  • Certificates are exchanged and the client is bound to the CipherTrust Manager

  • CTE Agent installation directory cannot be deleted or overwritten

  • CTE Agent services cannot be stopped

  • CTE Agent GuardPoints cannot be forcefully unmounted

  • On Linux systems:

    • All operations are permitted on the following directory:

      /<install root>/agent/secfs/tmp
      
    • Following directories cannot be removed or renamed, and directory and file creation will fail.

      /<install root>/agent/secfs/bin
      /<install root>/agent/vmd
      
    • File creations and other operations will work for the following directory, but the directory cannot be removed or renamed.

      /<install root>/agent/secfs/
      
  • On AIX systems:

    • Contents of the following directories cannot be changed or moved.

      /<install root>/agent/vmd
      
    • Contents of the following files and directories can be modified, but not removed or renamed.

      /<install root>/agent/secfs/
      /<install root>/agent/secfs/tmp
      
  • On Windows systems:

    • Following folder cannot be moved and its contents cannot be modified.

      C:\Program Files\Vormetric\DataSecurityExpert\Agent\secfs\sec
      
    • CTE Agent entries in the registry cannot be modified or deleted.

System Lock

System Lock applies an internal policy to the client to lock client system directories, such as /var, /bin, and /etc.

System Lock must be disabled before upgrading or installing third-party software, adding new applications, opening SSH sessions remotely, or modifying system directories.

(Windows only) Verify that the volume letter and the path for the Windows system are correct before proceeding. When the CTE Agent is installed, the volume letter defaults to C:. The executables on the Client Settings tab may be on a different volume or in a different folder. If the volume or path information is incorrect, the CipherTrust Manager cannot sign the applications and apply Agent Lock and System Lock.

When System Lock is Disabled

  • The internal policy is disabled.

  • You can install or update system software.

When System Lock is Enabled

  • Agent Lock is automatically enabled.

  • Operating system directories on the client are protected.

  • On Windows systems, Microsoft Update cannot be run while the client is protected. Microsoft Update and other installation-related executables are specifically blocked; for example, wuauclt.exe and msiexec.exe cannot be run.

  • The CTE installation utility checks whether System Lock is enabled on the client system. If it is, the utility aborts the installation and displays a message telling you to unlock the system before running the install or update program. Third-party installation utilities do not perform this check and are not prevented from attempting to install software, although writes to the protected paths listed below still fail.

  • New file or directory creation inside a protected directory is not allowed.

The following files, directories, and subdirectories are, by default, automatically protected when System Lock is enabled. Asterisks (*) indicate pattern matching.

  • On Linux systems:

    • Following files and the contents of the following directories cannot be changed or moved.

      • /etc/pam.d

      • /etc/rc*

      • /etc/security

      • /usr/lib/security

    • Contents of the following files and directories can be modified, but not removed or renamed.

      • /etc

      • /etc/init.d/secfs

      • /usr

      • /usr/bin/vmd

      • /usr/bin/vmsec

      • /usr/bin/secfsd

      • /usr/bin/dataxform

      • /usr/lib

      • /usr/lib/pam

      • /usr/lib/security

      • /var/log/vormetric

  • On AIX systems:

    • Following files and the contents of the following directories cannot be changed or moved when System Lock is enabled.

      • /etc/rc.d

      • /etc/security

      • /usr/lib/security

      • /sbin/helpers/mount_secfs

    • Contents of the following files and directories can be modified, but not removed or renamed when System Lock is enabled.

      • /var/log/vormetric

  • On Windows systems:

    • Files with the following extensions in the Windows OS installation folder (for instance: \Windows, \WinNT, and so on) cannot be moved or modified:

      • .exe

      • .dll

      • .sys

      • .cmd

      • .com

When System Lock is applied, a protected file or path cannot be renamed or deleted; however, if it is a directory, other files may be added to it. For example, /etc cannot be deleted nor renamed, though you can add files to it. A file that cannot be modified cannot be opened and edited in any way.

Setting Locks on Individual Clients

To apply locks to an individual client:

  1. Make sure that no one is currently in or accessing the Agent installation directories; otherwise, the CipherTrust Manager might not lock the Agent software.

  2. Open the Transparent Encryption application.

  3. Under Client Name, click the desired client.

  4. On the lock bar, click Agent Lock. This protects the CTE Agent files from modification and deletion.

  5. Click System Lock. This protects a set of system files from modification and deletion.

    Agent Lock is automatically enabled when System Lock is enabled. You can manually enable or disable Agent Lock only when System Lock is disabled.

  6. Click Apply.

  7. Verify the locks. Refer to Verifying Locks on Clients.

Setting Locks on a Client Group

To apply locks to a client group:

  1. Make sure that no one is currently in or accessing the Agent installation directories; otherwise, the CipherTrust Manager might not lock the Agent software.

  2. Open the Transparent Encryption application.

  3. Click Clients > Client Groups.

  4. Under Client Group Name, click the desired client group.

  5. On the lock bar, click Agent Lock. This protects the CTE Agent files from modification and deletion.

  6. Click System Lock. This protects a set of system files from modification and deletion.

    Agent Lock is automatically enabled when System Lock is enabled. You can manually enable or disable Agent Lock only when System Lock is disabled.

  7. Click Apply.

  8. Verify the locks. Refer to Verifying Locks on Clients.

To disable the locks on a client group, select the client group, click Unlock, and click Apply.

Verifying Locks on Clients

A client administrator can verify that the locks are applied to the Agent on the client.

To verify the locks:

  1. Log on to the client system.

  2. Run the secfsd command with the lockstat argument:

    # secfsd -status lockstat
    FS Agent Lock: true
    System Lock: true
    

Sometimes, the CipherTrust Manager reports a CTE Agent configuration that differs from the actual configuration on the client. This can be caused by the delay between log uploads to the CipherTrust Manager, or by a GuardPoint being in use when the lock is applied. When the two disagree, the output of secfsd on the client is the authoritative state.

In some cases, when the locks are enabled, the CipherTrust Manager cannot administer the client. In such cases, after changing authentication credentials or removing the certificate fingerprint, the client administrator must unlock the client manually.
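The uninstall guidance earlier on this page and the verification step above can be combined into a pre-flight check that refuses to run the uninstaller while either lock is set. The following shell script is an added example and is not part of the CTE product or its documentation: it assumes the two-line output format that the documentation shows for `secfsd -status lockstat`, and `parse_lockstat`, `locks_clear` and `preflight_uninstall` are hypothetical helper names. The sample outputs are constructed so the script runs offline; on a real client, replace the argument with the captured output of the secfsd command.

```shell
#!/bin/sh
# Added example (not from the CTE product or its documentation): parse the
# output of `secfsd -status lockstat` and gate an uninstall on the result.
# Assumes the two-line output format shown in the documentation; the helper
# names below are hypothetical.

# Read lockstat output on stdin and print "agent=<bool> system=<bool>".
# Exits 2 when either line is missing, so garbled output is never
# mistaken for "unlocked".
parse_lockstat() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^FS Agent Lock:/ { agent = $NF }
        /^System Lock:/   { sys = $NF }
        END {
            if (agent == "" || sys == "") { print "unparsed"; exit 2 }
            print "agent=" agent " system=" sys
        }'
}

# Returns 0 when both locks are disabled, 1 when either lock is still set,
# 2 when the state could not be determined from the output.
locks_clear() {
    state=$(parse_lockstat) || return 2
    case "$state" in
        "agent=false system=false") return 0 ;;
        agent=*)                    return 1 ;;
        *)                          return 2 ;;
    esac
}

# Gate the uninstall on the lock state. On a real client pass
# "$(secfsd -status lockstat)" as the argument; here the caller supplies
# the captured output so the check can be exercised offline.
preflight_uninstall() {
    printf '%s\n' "$1" | locks_clear
    case $? in
        0) echo "locks clear: safe to uninstall"; return 0 ;;
        1) echo "refusing: Agent Lock or System Lock is enabled; unlock the client in CipherTrust Manager first" >&2; return 1 ;;
        *) echo "refusing: could not determine lock state from secfsd output" >&2; return 2 ;;
    esac
}

# Constructed sample outputs (the documentation's own example shows both true).
SAMPLE_LOCKED='FS Agent Lock: true
System Lock: true'
SAMPLE_UNLOCKED='FS Agent Lock: false
System Lock: false'

preflight_uninstall "$SAMPLE_LOCKED"     # refuses, returns 1
preflight_uninstall "$SAMPLE_UNLOCKED"   # proceeds, returns 0
```

Because the CipherTrust Manager view can lag behind the client (see the note on log-upload delay above), the check deliberately reads the state from the client itself rather than trusting the GUI, and treats anything it cannot parse as "still locked" rather than as a green light.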

Unlocking Clients Manually

Unlocking Linux Clients

To unlock the client manually:

  1. Boot the client into single-user mode.

  2. Edit the secfs/.sec/conf/configuration/secfs_config file.

  3. Set both coreguard_locked and system_locked to false.

  4. Save the file.

  5. Boot the system into multi-user mode.

You can now administer the client again.
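The edit in step 3 above can be scripted so that it fails loudly when a flag is not found instead of silently leaving the client locked. The following shell script is an added example, not part of the CTE product or its documentation. The file name and the two keys, coreguard_locked and system_locked, come from the procedure; the "key=value" line format of secfs_config is an assumption, and the sample file is constructed. Run it from single-user mode as the procedure requires, since in normal mode Agent Lock prevents changes under secfs/.sec/conf.

```shell
#!/bin/sh
# Added example (not from the CTE product): clear the two lock flags in the
# Agent configuration file named in the manual-unlock procedure. The key
# names are from the documentation; the "key=value" line format is assumed.

# Print the flags as currently stored: "coreguard_locked=<v> system_locked=<v>".
lock_flags() {
    awk -F= '
        /^[[:space:]]*coreguard_locked[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); cg = $2 }
        /^[[:space:]]*system_locked[[:space:]]*=/    { gsub(/[[:space:]]/, "", $2); sl = $2 }
        END { print "coreguard_locked=" cg " system_locked=" sl }' "$1"
}

# Set coreguard_locked and system_locked to false in the file given as $1,
# keeping a .bak copy. Returns 1 without touching the file if either key is
# missing, so a no-op edit is never mistaken for a successful unlock.
clear_lock_flags() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    for key in coreguard_locked system_locked; do
        grep -q "^[[:space:]]*$key[[:space:]]*=" "$cfg" || {
            echo "key $key not found in $cfg; unlock not applied" >&2
            return 1
        }
    done
    cp -p "$cfg" "$cfg.bak" || return 1
    # Rewrite only the value part of each flag line; other lines are untouched.
    # Writing back with cat keeps the original file's mode and ownership.
    sed -e 's/^\([[:space:]]*coreguard_locked[[:space:]]*=[[:space:]]*\).*/\1false/' \
        -e 's/^\([[:space:]]*system_locked[[:space:]]*=[[:space:]]*\).*/\1false/' \
        "$cfg" > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Demonstration on a constructed sample, not a real secfs_config. On a real
# client pass the path /<install root>/agent/secfs/.sec/conf/configuration/secfs_config.
demo=$(mktemp) || exit 1
cat > "$demo" <<'EOF'
# constructed sample configuration (assumed key=value format)
coreguard_locked=true
system_locked=true
some_other_setting=keep
EOF
clear_lock_flags "$demo" && lock_flags "$demo"   # coreguard_locked=false system_locked=false
rm -f "$demo" "$demo.bak"
```

After rebooting into multi-user mode, confirm the result with `secfsd -status lockstat` on the client before relying on the CipherTrust Manager view, which may not yet reflect the change.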

Unlocking Windows Clients

To unlock the client manually:

  1. Boot in safe mode.

  2. Rename C:\Windows\system32\drivers\vmmgmt.sys and .\drivers\vmfiltr.sys to something else.

  3. Boot in regular mode.

You can now administer the client again.

Disabling Locks

To disable the locks on a client or client group, select the client or client group, click Unlock, and click Apply. The lock bar then shows both Agent Lock and System Lock as disabled.

Administering Locking Issues

The client administrator must inform the Security Administrator of changes to the system hierarchy.

  • Example 1: The client system administrator can request to have the locks temporarily disabled to do administrative functions.

  • Example 2: The client system administrator can remove directories and files while the locks are disabled; when the lock is later reapplied, the CipherTrust Manager is then protecting paths that no longer exist.

  • Another common administrative issue pertains to mounted GuardPoints. The client system administrator can remove or unmount an unlocked, non-automounted GuardPoint. The CipherTrust Manager GUI is not aware of this change and does not issue a warning when you reapply the lock to the now non-existent mounted GuardPoint.

  • To recover an unmounted GuardPoint:

    1. Disable the GuardPoint for the file system on the CipherTrust Manager GUI.

    2. Mount the file system on the client.

    3. Enable the GuardPoint for the file system.