Linux System and IDT-Capable GuardPoint Administration
Note: For details about how to create a GuardPoint in CM, see the chapter “Managing GuardPoints” in the CTE Administration Guide.
Voradmin IDT Commands on Linux
The voradmin command is a command line utility for managing CTE-specific configuration and for status reporting. The voradmin command also supports configuration management for IDT-Capable GuardPoints (IDT).
For details about the Linux voradmin idt command options, see the man page for the voradmin command.
File System Mount Points on Linux
You can create and mount a file system on an IDT-Capable GuardPoint. CTE imposes one restriction on the mount point pathname selected for a device. Once you mount the device on a pathname, you cannot change the mount point to a different pathname. This restriction is enforced to allow the file system mount point to be guarded using a separate policy to enforce access control rules on the mounted file system namespace.
The following example shows the mount point of the IDT-Capable GuardPoint as the /xfs directory. The example also shows a failed attempt to mount the file system on a different directory pathname.

```
# voradmin idt status /dev/sdc1
IDT Header on /dev/secvm/dev/sdc1
Version: 1
Change: 0
Private Region Size: 129024 sectors
Exported Device Size: 9627648 sectors
Key UUID: 9cc3c8e4-7ea7-310f-85c7-6f911de1ab52
Mount Path: /xfs
# umount /xfs
# mkdir /other-xfs
# mount -t xfs /dev/secvm/dev/sdc1 /other-xfs
mount: permission denied
# mount -t xfs /dev/secvm/dev/sdc1 /xfs
```
Auto Mount Options for File System Devices on Linux
IDT-Capable GuardPoints containing file systems can also be added to the /etc/fstab configuration file for automatic mounting at startup and unmounting at shutdown. An entry can be for a GuardPoint configured for either Auto Guard or Manual Guard. For more information about the Auto Guard and Manual Guard options, see Guard the Linux Device with an IDT-Capable GuardPoint.
Use the device path corresponding to an IDT-Capable GuardPoint device, such as /dev/secvm/dev/sdh, when specifying fstab entries. Do not use the native device pathname, such as /dev/sdh, or a device mapper device name. You must also include several settings in the fstab entry for each IDT-Capable GuardPoint, as shown in the following table:
Option | Description |
---|---|
x-systemd.requires=secvm-barrier.service | Ensures that the IDT-Capable GuardPoint is enabled before the device is mounted at startup and disabled after the device is unmounted at shutdown. The secvm-barrier.service service is a proxy for all the services that make up CTE. |
nofail | The system boot proceeds without waiting for the IDT-Capable device if it cannot be mounted successfully. |
x-systemd.wanted-by=<idt device>.device | Required for Linux distributions running systemd 242 or later. Instructs systemd to add a Wants= dependency on the IDT-Capable device so that, when the device becomes available, this mount operation is executed. <idt device>.device is the name of the device specified in fstab with the leading '/' dropped and each remaining '/' replaced with '-'. For example, /dev/secvm/dev/sdb becomes dev-secvm-dev-sdb.device. |
This is an example of an entry in /etc/fstab for an IDT-Capable GuardPoint with an xfs file system that is mounted on /xfs. The entry must be a single line with no spaces between the comma-separated mount options:

```
/dev/secvm/dev/sdh /xfs xfs x-systemd.requires=secvm-barrier.service,x-systemd.wanted-by=dev-secvm-dev-sdh.device,nofail 0 0
```
For information about configuring systemd for CTE, see [CTE and systemd].
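As an added example (not from the CTE guide or the voradmin tool), the following POSIX shell helpers apply the fstab rules above: they derive the .device unit name the way the table describes, build a complete entry from a /dev/secvm device path and mount point (rejecting native device paths), and audit an existing fstab line for the required options. The function names and the sample lines are my own.

```sh
#!/bin/sh
# Added example, not from the CTE guide: helpers that apply this page's
# fstab rules for IDT-Capable GuardPoint devices. Function names are mine.

# systemd .device unit name as the page describes it: drop the leading '/'
# and replace every remaining '/' with '-' (/dev/secvm/dev/sdb -> dev-secvm-dev-sdb.device).
idt_device_unit() {
    printf '%s.device\n' "$(printf '%s' "$1" | sed -e 's|^/||' -e 's|/|-|g')"
}

# Print one complete fstab line for a GuardPoint device. Only /dev/secvm/...
# paths are accepted; a native device path such as /dev/sdh is rejected,
# because the page says entries must not use native or device-mapper names.
idt_fstab_entry() {
    dev=$1; mnt=$2; fstype=${3:-xfs}
    case $dev in
        /dev/secvm/dev/*) ;;
        *) echo "error: $dev is not an IDT-Capable GuardPoint device path" >&2; return 1 ;;
    esac
    printf '%s %s %s x-systemd.requires=secvm-barrier.service,x-systemd.wanted-by=%s,nofail 0 0\n' \
        "$dev" "$mnt" "$fstype" "$(idt_device_unit "$dev")"
}

# Audit an existing fstab line for a secvm device: print each required
# option that is absent. Returns 0 if the entry is complete, 1 otherwise.
idt_check_fstab_line() {
    set -- $1                      # split the line into its fstab fields
    dev=$1; opts=$4
    rc=0
    for want in x-systemd.requires=secvm-barrier.service \
                "x-systemd.wanted-by=$(idt_device_unit "$dev")" nofail; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "missing: $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: generate a complete entry, then audit one that only
# carries "defaults" and therefore lacks all three required options.
idt_fstab_entry /dev/secvm/dev/sdh /xfs
idt_check_fstab_line "/dev/secvm/dev/sdh /xfs xfs defaults 0 0" || echo "entry is incomplete"
```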
Linux System Utilities for Signing
The following table lists recommended system and file-system-specific utilities to include in the signature set, and whether root execution of each should be allowed or denied.
EXT Utilities | Deny/Allow | XFS Utilities | Deny/Allow | Generic Utilities | Deny/Allow |
---|---|---|---|---|---|
badblock | Allow | fsck.xfs | Allow | mount | Allow |
debugfs | Deny | mkfs.xfs | Allow | umount | Allow |
e2freefrag | Allow | xfs_repair | Allow | dmsetup | Allow |
e2fsck | Allow | xfs_admin | Allow | | |
e2image | Allow | xfs_bmap | Allow | | |
e2label | Allow | xfs_check | Allow | | |
e2undo | Allow | xfs_copy | Deny | | |
filefrag | Allow | xfs_db | Deny | | |
fsck.ext2 | Allow | xfs_estimate | Allow | | |
fsck.ext3 | Allow | xfs_freeze | Allow | | |
fsck.ext4 | Allow | xfs_fsr | Allow | | |
logsave | Allow | xfs_growfs | Allow | | |
mke2fs | Allow | xfs_info | Allow | | |
mkfs.ext2 | Allow | xfs_logprint | Allow | | |
mkfs.ext3 | Allow | xfs_mdrestore | Allow | | |
mkfs.ext4 | Allow | xfs_metadump | Allow | | |
resize2fs | Allow | xfs_mkfile | Deny | | |
tune2fs | Allow | xfs_ncheck | Allow | | |