Additional Considerations
The following sections describe some of the things to keep in mind when configuring CTE.
Tracking and Preventing Local User Creation
CTE audits any attempts to change user authentication files. It also allows you to prevent any change to user authentication files using the host settings protect
. This includes, but is not limited to user creation, modification, and deletion, or to deny users.
- The
audit
setting is set to on by default. It logs access to the system credential files but does not prevent account modifications. - The
protect
setting both audits and prevents local user account modifications. You must manually enable theprotect
setting for tracking and prevention of local user account creation.
The protect
tag will prevent changes to the files mentioned below. In the absence of the protect
tag in host/client settings, operations on these files are permitted. When a log entry is generated, it is tagged with an [audit]
tag.
-
/etc/passwd
-
/etc/group
-
/etc/shadow
-
/etc/gshadow
-
/etc/ssh/sshd_config
-
/etc/ssh/sshrc
• You do not have to restart CTE after applying or removing these host settings.
Restricted Directories
Linux does not allow you to guard the following directories:
-
<secfs install root>/agent/secfs/
-
/etc
-
/tmp
-
/usr
-
/usr/lib
-
/usr/lib/pam
-
/var/log/vormetric
Linux does not allow you to guard the following directories and all of their subdirectories:
-
<install root>/agent/secfs/bin
-
<secfs install root>/agent/vmd
-
/etc/vormetric
-
/etc/pam.d
-
/etc/security
-
/usr/lib/security
-
/etc/rc*
Restricted Mode
If you install or upgrade in restricted mode, you cannot revert to unrestricted mode without uninstalling CTE.
You can install CTE in restricted mode. This mode prevents any user other than root
from accessing the following directories:
-
/var/log/vormetric
-
/opt/vormetric/DataSecurityExpert
Restricted Mode also prevents non-root
users from running the following utilities:
-
agenthealth
-
agentinfo
-
check_host
-
register_host
-
secfsd
-
vmd
-
vmsec
-
voradmin
Key Agents and Restricted Mode
-
On systems where CTE is installed in restricted mode, you cannot install a key agent (pkcs11) or CipherTrust TDE Key Management.
-
On systems where a key agent (pkcs11) or CipherTrust TDE are already installed, you cannot install CTE in restricted mode.
Restricted Mode Installation
To install in restricted mode, use the -r option.
./vee-fs-<release>-<build>-<system>.bin -r
For example:
./vee-fs-7.3.0-135-rh8-x86_64.bin -r
RPM Installation
If installing from an RPM directly, prior to installation, type:
export VOR_RESTRICTED_INSTALL_MODE=yes
Upgrade in Restricted Mode
The upgrade mode is the same as the installation mode.