Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

secfsd Utility

secfsd Examples

search

Please Note:

secfsd Examples

Display GuardPoint Information

To display the GuardPoint paths, applied policies, policy type, and guard status, use the secfsd -status guard command. For example:

secfsd -status guard

GuardPoint   Policy           Type             ConfigState   Status       Reason
----------   ----------       -----            -----------   ------       -----
/opt/apl/lib allow AllOps_fs  local            guarded       guarded      N/A
/dev/sdb     watchaccess_rd   rawdevice        guarded       guarded      N/A
/dev/sdc     watchaccess_rd   manualrawdevice  guarded       guarded      N/A
/dev/sdd     watchaccess_rd   manualrawdevice  unguarded     not guarded  Inactive
/opt/apl/tmp MSSQL00123       manual           unguarded     not guarded  Inactive
Column Description
GuardPoint Full path of the GuardPoint.
Policy Name of the policy applied to the GuardPoint.
Type Can be local, automount, manual, raw device, or manual raw device. Configured in the GuardPoints tab.
ConfigState Guard status of the GuardPoint, as recognized by the key manager. It can be guarded or unguarded.
Status Current guard status, as recognized by CTE. State can vary.
Reason Additional information about the status, if any.

Note

  • Config State and Status can vary. As an example, if you apply a GuardPoint and someone is currently working in the GuardPoint, the policy cannot be applied at that time. In this case, the ConfigState is guarded and the Status is not guarded.

  • When the user removes an auto-mounted GuardPoint from CipherTrust Manager, the CTE Agent is only deleted after the configured autofs timeout expires. This timeout does not start until the GuardPoint is free.

Display GuardPoint Information in a Different Format

To display the same information in a block format, use the secfsd -status guard -v command. For example:

secfsd -status guard -v

GuardPoint: 1
        Policy:          allowAllOps_fs
        Directory:       /opt/apps/apps1/tmp
        Type:            local
        ConfigState:     guarded
        Status:          guarded
        Reason:          N/A
GuardPoint: 2
        Policy:          allowAllRootUsers_fs
        Directory:       /opt/apps/apps1/lib
        Type:            local
        ConfigState:     guarded
        Status:          guarded
        Reason:          N/A

Display Host Settings

To display the SHA2 hash signature for each protected host setting, use the secfsd -status auth command. For example:

secfsd -status auth

|authenticator|/bin/su 3E765375897E04C39AB17D4C755F50A35195535B6747DBA28DF9BD4AA672DFF9
|authenticator|/usr/sbin/sshd 98FC599D459EDEA52A60AB394B394803B5DAB96B53148DC608732DDA6777FA1A
|authenticator|/usr/sbin/in.rlogind 5C9A0EDD8BF54AE513F039476D21B3032507CF957AA0CB28C368EB8AB6E684FB
|authenticator|/bin/login 0D2EE0B995A30AE382B4B1CA5104715FC8902F457D283BDABAAD857B09259956
|authenticator|/usr/bin/gdm-binary 363780522E3CCF9ABF559F059E437743F9F97BBBB0EE85769007A464AD696BD1
|authenticator|/usr/bin/kdm BAD41BBCDD2787C7A33B5144F12ACF7ABC8AAA15DA9FDC09ECF9353BFCE614B5

Display Key Status

To display the status of CTE keys, use the secfsd -status keys command. For example:

secfsd -status keys
Encryption keys are available

Display Lock Status

To display the status of CTE locks, use the secfsd -status lockstat command. For example:

secfsd -status lockstat
FS Agent Lock: false
System Lock: false

The value is true if the lock is applied. The value is false if the lock is not applied. System Lock corresponds to System Locked in the Host window. FS Agent Lock corresponds to FS Agent Locked in the Host window.

Note

Before you upgrade, remove CTE software, or change operating system files, the status of FS Agent Lock and System Lock must be false.

Agent Security Configuration Protection

The Agent lock directory, /opt/vormetric/DataSecurityExpert/agent/secfs/.sec contains secfs secret files, configuration files, host setting signatures, etc. Thales recommends protecting the directory whenever secfs is online.

Applying improved directory protection ensures that only CTE applications (vmd, secfsd, voradmin, etc.) can modify the .sec directory and the files in it. All users, including root, are denied read/write access to the files. They also do not have permissions to modify conf and bin directories, using other tools.

A new command has been created to protect the directory: voradmin secfs config

Syntax

voradmin secfs config <configuration_parameter> <value>

Example

voradmin secfs config pagecache_writeback 1

Previously, you would have had to use the following command to achieve the same results as the example above:

echo 1 > /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/conf/pagecache_writeback

Note

When CTE is upgraded to v7.2.0 from the previous release, it may display ‘Permission Denied’ warnings which display when files are removed from subdirectories of the .sec directory. You can ignore these warnings. They are harmless.

Display CTE Log Status

To display the status of CTE log service, use the secfsd -status logger command. For example:

secfsd -status logger

Upload URL: https://vmSSA06:8444/upload/logupload,https://vmSSA07:8444/upload/logupload, \
https://vmSSA05:8444/upload/logupload
Logger Certificate directory: /opt/vormetric/DataSecurityExpert/agent/vmd/pem

This command sequence returns the URL to which the log service sends log data. It also returns the directory that contains the CTE certificate. CTE uses the certificate to authenticate CTE when it uploads the log data to the CipherTrust Manager.

Display Applied Policies

To display the policies that are applied to CTE, use the secfsd -status policy command. For example:

secfsd -status policy

Policy: enc-audit
Type: ONLINE

Display CTE Process Information

To display CTE processes, use the secfsd -status pslist command. This command shows the process number associated with each CTE process. To show the details about a specific CTE process, use the ps -fp <process #> command, where <process #> is the process number from the secfsd -status pslist command.

For example:

secfsd -status pslist
Protected pid list:     739   731

ps -fp 739
UID     PID   PPID  C   STIME      TTY  TIME   CMD
root    739   1     0   11:04:56    -   0:00 /opt/vormetric/   \
    DataSecurityExpert/agent/vmd/bin/vmd

Display CTE Version Information

To display CTE version information, use the secfsd -version command. For example:

secfsd -version
version: <Release.build-number>

Manually Enable a GuardPoint in CipherTrust Manager

To manually enable a GuardPoint on an AIX host:

  1. Click CTE > Clients> <clientName> GuardPoints

  2. Click Create GuardPoint.

  3. In the Policy field, select a policy.

  4. Set Type to Manual Directory.

  5. Click Browse and enter the GuardPoint path.

  6. Click Create.

  7. Log onto the system hosting CTE as the root user.

  8. To manually enable the GuardPoint, use the secfsd -guard <path> command. For example:

    secfsd -guard /opt/apps/etcsecfsd: Path is Guarded

  9. To verify the change, use the secfsd -status guard command. For example:

    secfsd -status guard

GuardPoint      Policy          Type    ConfigState  Status    Reason
----------      ------          ----    -----------  ------    ------
/opt/apps/etc   allowAllOps_fs  manual  guarded      guarded   N/A

On this page