Setting Client Locks
Agent Lock and System Lock are used to protect the CTE Agent and certain system files. CTE Agent protection includes preventing:
- Certain changes to the CTE Agent installation directory.
- Unauthorized termination of the CTE Agent processes.
These locks can be applied to individual clients or client groups. By default, the Agent Lock and System Lock are disabled.
Note
Uninstallation of the Agent software might fail when the Agent Lock and System Lock are enabled. It is recommended to disable the:
- Agent Lock before uninstalling the Agent software on the client system.
- Agent Lock before deleting the client records from the CipherTrust Data Security Platform Service GUI.
- System Lock before updating, deleting, or modifying the protected system files.
Agent Lock
Agent Lock locks the contents of the CTE Agent directories on the client. These directories are /<install root>/agent/secfs and /<install root>/agent/vmd.
Files in these directories cannot be modified or removed when Agent Lock is enabled; however, the CipherTrust Data Security Platform Service can still propagate updates to the client system.
Note
The CTE Agent directories secfs/.sec/conf/ (on Linux) and secfs\sec\conf\ (on Windows) contain sensitive configuration files. It is highly recommended to enable the Agent Lock to avoid exposing them to unauthorized users.
When Agent Lock is Disabled
- CTE Agent software on the client is not protected.
Note
Do not unregister or delete the CTE Agent while locks are applied. The locks stay in effect after the Agent is unregistered, and without Agent credentials, the CipherTrust Data Security Platform Service can neither administer that Agent nor disable the locks. You must boot the client into single-user mode and manually modify the Agent configuration to disable the locks.
When Agent Lock is Enabled
- Certificates are exchanged and the client is bound to the CipherTrust Data Security Platform Service.
- CTE Agent installation directory cannot be deleted or overwritten.
- CTE Agent services cannot be stopped.
- CTE Agent GuardPoints cannot be forcefully unmounted.
- On Linux systems:
  - All operations are permitted on the following directory:
    /<install root>/agent/secfs/tmp
  - The following directories cannot be removed or renamed, and directory and file creation inside them will fail:
    /<install root>/agent/secfs/bin
    /<install root>/agent/vmd
  - File creation and other operations will work for the following directory, but the directory itself cannot be removed or renamed:
    /<install root>/agent/secfs/
- On AIX systems:
  - Contents of the following directory cannot be changed or moved:
    /<install root>/agent/vmd
  - Contents of the following directories can be modified, but not removed or renamed:
    /<install root>/agent/secfs/
    /<install root>/agent/secfs/tmp
- On Windows systems:
  - The following folder cannot be moved and its contents cannot be modified:
    C:\Program Files\Vormetric\DataSecurityExpert\Agent\secfs\sec
  - CTE Agent entries in the registry cannot be modified or deleted.
System Lock
System Lock applies an internal policy to the client to lock client system directories, such as /var, /bin, and /etc.
Note
System Lock must be disabled before upgrading or installing third-party software, adding new applications, opening SSH sessions remotely, or modifying system directories.
Note
(Windows only) Verify that the volume letter and the path for the Windows system are correct before proceeding. When the CTE Agent is installed, the volume letter defaults to C:. The executables on the Client Settings tab may be on a different volume or in a different folder. If the volume or path information is incorrect, the CipherTrust Data Security Platform Service cannot sign the applications and apply Agent Lock and System Lock.
When System Lock is Disabled
- The internal policy is disabled.
- You can install or update system software.
When System Lock is Enabled
- Agent Lock is automatically enabled.
- Operating system directories on the client are protected.
- Microsoft Update cannot be run on Windows systems, to protect the client. Microsoft Update and other installation-related executables are specifically blocked: executables such as wuauclt.exe and msiexec.exe cannot be run.
- The CTE Agent installation utility checks whether System Lock is enabled on the client system. If it is, the utility aborts the installation and displays the message "unlock system before running install/update program". Other third-party installation utilities do not check whether System Lock is enabled and are not prevented from installing software.
- New file or directory creation inside a protected directory is not allowed.
The following files, directories, and subdirectories are, by default, automatically protected when System Lock is enabled. Asterisks (*) indicate pattern matching.
- On Linux systems:
  - The following files and the contents of the following directories cannot be changed or moved:
    /etc/pam.d
    /etc/rc*
    /etc/security
    /usr/lib/security
  - Contents of the following files and directories can be modified, but not removed or renamed:
    /etc
    /etc/init.d/secfs
    /usr
    /usr/bin/vmd
    /usr/bin/vmsec
    /usr/bin/secfsd
    /usr/bin/dataxform
    /usr/lib
    /usr/lib/pam
    /usr/lib/security
    /var/log/vormetric
- On AIX systems:
  - The following files and the contents of the following directories cannot be changed or moved when System Lock is enabled:
    /etc/rc.d
    /etc/security
    /usr/lib/security
    /sbin/helpers/mount_secfs
  - Contents of the following files and directories can be modified, but not removed or renamed, when System Lock is enabled:
    /var/log/vormetric
- On Windows systems:
  - Files with the following extensions in the Windows OS installation folder (for instance \Windows, \WinNT, and so on) cannot be moved or modified:
    .exe
    .dll
    .sys
    .cmd
    .com
When System Lock is applied, a protected file or path cannot be renamed or deleted; however, if it is a directory, other files may be added to it. For example, /etc cannot be deleted or renamed, though you can add files to it. A file that cannot be modified cannot be opened and edited in any way.
Setting Locks
You can apply locks to individual clients or to client groups. To apply the locks:
- Make sure that no one is currently in or accessing the Agent installation directories; otherwise, the CipherTrust Data Security Platform Service might not lock the Agent software.
- Open the Transparent Encryption application.
- Select the target:
  - For a client: under Client Name, click the desired client.
  - For a client group: click Clients > Client Groups, then under Client Group Name, click the desired client group.
- On the lock bar, click Agent Lock. This protects the CTE Agent files from modification and deletion.
- Click System Lock. This protects a set of system files from modification and deletion.
  Agent Lock is automatically enabled when System Lock is enabled. You can manually enable or disable Agent Lock only when System Lock is disabled.
- Click Apply.
- Verify the locks. Refer to Verifying Locks on Clients.
Note
To disable the locks on a client or client group, select the client or client group, click Unlock, and click Apply.
Verifying Locks on Clients
A client administrator can verify that the locks are applied to the Agent on the client.
To verify the locks:
- Log on to the client system.
- Run the secfsd command with the lockstat argument:
  # secfsd -status lockstat
  FS Agent Lock: true
  System Lock: true
Note
Sometimes, the CipherTrust Data Security Platform Service reports a CTE Agent configuration that differs from the actual configuration. This can be because of the delay between log uploads to the CipherTrust Data Security Platform Service, or because a GuardPoint is in use when the lock is applied.
In some cases, when the locks are enabled, the CipherTrust Data Security Platform Service cannot administer the client. In such cases, after changing authentication credentials or removing the certificate fingerprint, the client administrator must unlock the client manually.
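The lockstat check reads only what secfsd reports, and the note above warns that the reported state can differ from the real one. The following script is an added example, not part of the CTE documentation or the product: it turns the lockstat output into a pass/fail gate for scripted uninstall or upgrade steps, and probes a directory to see which operations it actually permits, so the result can be compared with the protected-path lists earlier on this page. It assumes the lockstat output carries exactly the two labels shown above ("FS Agent Lock:" and "System Lock:"); the probe needs write permission in the directory it tests and removes its own probe file.

```shell
#!/bin/sh
# Added example, not from the CTE documentation: gate scripted maintenance
# on the lock state that secfsd reports, and probe what a directory really
# allows so the two can be compared (the note above warns they can differ).
# Assumption: "secfsd -status lockstat" prints the labels "FS Agent Lock:"
# and "System Lock:" followed by true/false, as shown on this page.

# Read lockstat output on stdin and print "agent=<v> system=<v>".
# Works whether the two labels are on separate lines or on one line.
parse_lockstat() {
    out=$(cat)
    agent=$(printf '%s\n' "$out" | sed -n 's/.*FS Agent Lock: *\([a-z]*\).*/\1/p' | head -n 1)
    system=$(printf '%s\n' "$out" | sed -n 's/.*System Lock: *\([a-z]*\).*/\1/p' | head -n 1)
    printf 'agent=%s system=%s\n' "${agent:-unknown}" "${system:-unknown}"
}

# Succeed only when both locks read back as false. Anything else, including
# missing or unparseable output, refuses: the safe default before an
# uninstall, an upgrade, or edits to protected system files.
locks_clear() {
    state=$(parse_lockstat)
    case "$state" in
        "agent=false system=false") return 0 ;;
        *) echo "locks not clear: $state" >&2; return 1 ;;
    esac
}

# Try to create, rename and delete a probe file inside DIR and report which
# steps succeeded. Compare the result with the per-directory rules above
# (a directory listed as "cannot be changed" should refuse the create).
probe_dir() {
    dir=$1
    f="$dir/.cte_lock_probe.$$"
    create=no; rename=no; delete=no
    if touch "$f" 2>/dev/null; then
        create=yes
        if mv "$f" "$f.renamed" 2>/dev/null; then
            rename=yes
            f="$f.renamed"
        fi
        if rm -f "$f" 2>/dev/null && [ ! -e "$f" ]; then
            delete=yes
        fi
    fi
    printf 'create=%s rename=%s delete=%s\n' "$create" "$rename" "$delete"
}

# Usage on a client (uncomment to run):
#   secfsd -status lockstat | locks_clear && echo "safe to proceed"
#   probe_dir /etc/pam.d
```

On an unlocked client every probe step succeeds for a writable directory; on a System Locked client, a directory from the "cannot be changed or moved" list should report create=no, and one from the "can be modified, but not removed or renamed" list should still refuse the rename of the directory itself (the probe only exercises files inside it).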
Unlocking Clients Manually
Unlocking Linux Clients
To unlock the client manually:
- Boot the client into single-user mode.
- Edit the secfs/.sec/conf/configuration/secfs_config file.
- Set both coreguard_locked and system_locked to false.
- Save the file.
- Boot the system into multi-user mode.
You can now administer the client again.
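The edit in the procedure above can be scripted so that both keys are changed through a temporary copy and read back before rebooting. The following script is an added example, not part of the CTE documentation: it backs up secfs_config, sets coreguard_locked and system_locked to false, and succeeds only if both keys read back as false. The page does not show the syntax of secfs_config, so the script assumes one key=value pair per line; check the real file before relying on it, and pass the full path of secfs_config under /<install root>/agent/ as the argument.

```shell
#!/bin/sh
# Added example, not from the CTE documentation: clear the two lock keys in
# secfs_config from single-user mode. Assumption: the file holds one
# "key=value" pair per line (the page does not show its syntax); verify
# this against the real file before running.

# Set KEY to VALUE in FILE: replace an existing line (any spacing around
# '=') or append one. Writes through a temp copy so an interrupted write
# cannot leave the config truncated, and keeps the original file mode.
set_key() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    cp -p "$file" "$tmp"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key=$value|" "$file" > "$tmp"
    else
        # make sure the appended pair starts on its own line
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            echo >> "$tmp"
        fi
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Print the value of KEY from FILE (empty if absent).
get_key() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# Back up FILE, clear both locks, and succeed only if both read back false.
unlock_config() {
    file=$1
    cp -p "$file" "$file.bak.$$" || return 1
    set_key "$file" coreguard_locked false
    set_key "$file" system_locked false
    [ "$(get_key "$file" coreguard_locked)" = false ] &&
        [ "$(get_key "$file" system_locked)" = false ]
}

# Usage from single-user mode, with the real install root substituted
# (the page gives the path relative to the agent's secfs directory):
#   unlock_config "/<install root>/agent/secfs/.sec/conf/configuration/secfs_config"
```

The backup copy is left beside the original so the pre-edit state can be restored if the Agent does not come up cleanly after the reboot into multi-user mode.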
Unlocking Windows Clients
To unlock the client manually:
- Boot in safe mode.
- Rename C:\Windows\system32\drivers\vmmgmt.sys and .\drivers\vmfiltr.sys to something else.
- Boot in regular mode.
You can now administer the client again.
Disabling Locks
To disable the locks on a client or client group, select the client or client group, click Unlock, and click Apply. The lock bar should look like the following:
Administering Locking Issues
The client administrator must inform the Security Administrator of changes to the system hierarchy.
- Example 1: The client system administrator can request to have the locks temporarily disabled to perform administrative functions.
- Example 2: The client system administrator can remove directories and files; when the lock is later reapplied, the CipherTrust Data Security Platform Service is then protecting paths that no longer exist.
- Another common administrative issue pertains to mounted GuardPoints. The client system administrator can remove or unmount an unlocked, non-automounted GuardPoint. The CipherTrust Data Security Platform Service GUI is not aware of this change and does not issue a warning when you reapply the lock to the now non-existent mounted GuardPoint.
- To recover an unmounted GuardPoint:
  - Disable the GuardPoint for the file system on the CipherTrust Data Security Platform Service GUI.
  - Mount the file system on the client.
  - Enable the GuardPoint for the file system.