Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Managing GuardPoints

Automatic and Manual GuardPoints

search

Automatic and Manual GuardPoints

The following table lists the type of GuardPoints and policies they should be used for:

TypeDescription
Auto DirectorySelect for file system directories.
Manual DirectorySelect for file system directories to be guarded manually.
Auto Raw or Block DeviceSelect for standard policies for raw (block) devices.
Manual Raw or Block DeviceSelect for standard policies for raw (block) devices to be guarded manually.
Auto Cloud StorageSelect for Cloud Storage policies.
Manual Cloud StorageSelect for Cloud Storage policies to be guarded manually.

A GuardPoint is usually applied immediately after it is configured on the CipherTrust Data Security Platform Service GUI; however, it can be applied later on the client system.

When an auto GuardPoint is applied, regardless of whether it is a file system directory or a raw device, the change is pushed to the client system, and the GuardPoint is applied immediately.

Use the df command to display secfs mounts (for example, GuardPoints) or secfsd to display the GuardPoints themselves. The secfsd output shows a guard type of local for directories configured with Directory (Auto Guard).

Run:

df

Output:

Filesystem  1K-blocks   Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
40123784    11352236    26733380    30% /
/dev/sda1   101086  14590   81277   16% /boot
none    254492  0   254492  0% /dev/shm
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec
40123784    11352236    26733380    30%
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec
/opt/apps/apps1/tmp 40123784    11352236    26733380    30% /opt/apps/apps1/tmp
/opt/apps/apps1/lib 40123784    11352236    26733380    30% /opt/apps/apps1/lib
/opt/apps/apps1/doc 40123784    11352236    26733380    30% /opt/apps/apps1/doc

Run:

secfsd -status guard

Output:

GuardPoint  Policy  Type    ConfigState Status Reason
----------  ------  ----    --------    ------  ---
/opt/apps/apps1/tmp allowAllOps_fs  local   guarded guarded N/A
/opt/apps/apps1/lib allowAllRootUsers_fs    local   guarded guarded N/A
/opt/apps/apps1/doc allowAllOps-winusers1_fs local  guarded guarded N/A

When a manual GuardPoint is applied, regardless if it is a file system directory or a raw device, the change is pushed to the client system only. The client is aware of the GuardPoint but the client does not mount it. This is indicated in the Type column of the secfsd -status guard command output.

For example, the GuardPoint /opt/apps/apps2/bin has been configured with Manual Directory, so the guard type is set to manual.

secfsd -status guard

Output:

GuardPoint  Policy  Type    ConfigState Status Reason
----------  ------  ----    --------    ------  ---
/opt/apps/apps1/tmp allowAllOps_fs  local   guarded guarded N/A
/opt/apps/apps1/lib allowAllRootUsers_fs    local   guarded guarded N/A
/opt/apps/apps1/doc allowAllOps-winusers1_fs local  guarded guarded N/A
/opt/apps/apps2/bin HR_policy01 manual  unguarded   not guarded Inactive

Note the Type value. A Type of manual indicates a manual GuardPoint. A Type of local indicates an automatic GuardPoint.

A manually applied GuardPoint remains Inactive until the GuardPoint is applied on the client. After the GuardPoint is applied on the client, and the client communicates the change to the server, the status changes to Active. It returns to the Inactive state when the GuardPoint is manually unguarded.

Use the secfsd command to guard and unguard Manual GuardPoints. The secfsd command syntax is:

To guard, run:

secfsd -guard path

To unguard, run:

secfsd -unguard path

Example

To manually guard and unguard a file system directory:

  1. As CipherTrust Data Security Platform Service administrator, configure a GuardPoint with the type Manual Directory.

  2. Log on to the client as an administrator with root permissions.

  3. Wait until the configuration change is downloaded to the Agent system.

  4. Run the status command until the manual GuardPoint is displayed.

    Run:

    secfsd -status guard

    Output:

    GuardPoint  Policy  Type    ConfigState Status  Reason
----------  ------  ----    ----------- ------  ------
/opt/apps/etc   allowAllOps_fs  manual unguarded    not guarded N/A
/opt/apps/lib/dx3 allowAllOps_fs    local   guarded guarded N/A

  5. Enable the GuardPoint.

    Run:

    secfsd -guard /opt/apps/apps2/bin

    Output:

    secfsd: Guard initiated

    The manual GuardPoint is active and the policy is enforced.

  6. Disable the GuardPoint.

    Run:

    secfsd -unguard /opt/apps/apps2/bin

    Output:

    secfsd: Unguard initiated

On this page