Restricting Access Overrides with Client Settings
CipherTrust Transparent Encryption host/client settings are the means by which an administrator configures user authorization. Users with root privileges, on Linux or AIX systems, have the unfettered ability to override all file access and execution permissions imposed by the system.
CipherTrust Transparent Encryption access control allows you to restrict privileges of users, groups, application processes and binaries, including root users and setuid programs. By default, CipherTrust Transparent Encryption agent DOES NOT trust any process as authenticated. Any attempt to access a resource, by any process, will therefore be flagged with a “User Not Authenticated” notification. The CipherTrust Transparent Encryption agent must be instructed to trust the authenticator process progeny. For example, /usr/sbin/sshd
is a process that can be trusted to authenticate the user to the system and to CipherTrust Transparent Encryption.
In some setups, when editing a host, system administrators can use the host settings > |authenticator
| feature with su
to change identities and gain access to restricted data. You can instruct CipherTrust Transparent Encryption to not trust any authentication attempt performed by certain identities by assigning restricted users to a user shell that CipherTrust Transparent Encryption can block from authenticating other processes.
Any executable path that is marked with a |path_no_trust
| host setting marks the process, and all child processes, as not trusted. Non-trusted processes are treated as "User Not Authenticated" to prevent access on user-based policies.
CipherTrust Transparent Encryption prevents overrides from other host settings authenticators, using the |path_no_trust
| status. If a user runs the su
command from a non-trusted shell, that new shell is still marked as |path_no_trust
|, even if |authenticator|/usr/bin/su
is specified in the host-settings. The |path_no_trust
| feature overrides any and all authenticators under host settings.
Using |trust|*
before a |path_no_trust|
host setting no longer disables the |path_no_trust|
host setting.
For example, the following host setting denies authentication for users accessing through sshd:
|trust|*
|path_no_trust|/usr/sbin/sshd
To restrict access overrides:
-
In the CipherTrust Manager products page, click Transparent Encryption > Clients.
-
Click on an existing Client name to edit the host.
-
Click Client Settings tab.
-
Add the following to the settings:
|path_no_trust|<path of the binary>
Example:
|path_no_trust|/bin/ksh
The above example indicates that no process under the kshell executable will be authenticated.
-
Click Apply.