Re-Enabling Automatic Signing for Host Settings
Starting with VTE for Linux release 6.0.2, VTE blocks automatic re-signing of the host settings. Some users may have established procedures for updating system software that are based on the assumption that restarting the vmd will generate new signatures when signed software is updated. This is no longer true. However, you can re-enable automatic re-signing if your environment requires it.
Caution
Re-enabling the automatic regeneration of signatures exposes a potential security vulnerability for CTE Agents. When enabled, host setting binaries are re-signed when CTE receives a push from the associated key manager. If an attacker were to replace a binary with a Trojan, and then force a push from the key manager by, for example, restarting the CTE Agent, CTE could generate a signature for the malicious binary and pass it.
To re-enable automatic re-signing for host settings:
- Change to the directory where the agent.conf file resides. For example, type:
    cd /opt/vormetric/DataSecurityExpert/agent/vmd/etc/
- Edit the agent.conf file.
- Change or add the following line:
    AUTO_RESIGN_HOST_SETTINGS=TRUE
  Note
  Previously this setting was known as RE_SIGN_HOST_SETTINGS. Starting with VTE for Linux 6.1.3, the attribute name is AUTO_RESIGN_HOST_SETTINGS, as shown above.
- Save your changes and exit the file.
- Restart the vmd to apply the changes. Type:
    /etc/vormetric/secfs restart
- Type the following to verify that the host setting is set to true:
    vmsec vmdconfig
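
Because enabling this setting carries the risk described in the Caution above, it is worth knowing which hosts have it switched on. The following script is an added example, not part of the vendor documentation: it reads an agent.conf and reports whether automatic re-signing is enabled, matching both the current attribute name and the earlier one. The function name resign_state and the parsing rules (comment syntax, whitespace handling, case-insensitive value, last matching line wins) are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Reports whether automatic host-settings
# re-signing is switched on in an agent.conf.
# Assumptions: '#' starts a comment, whitespace around key/value is ignored,
# values are case-insensitive, and the last matching line wins.

# Print "enabled", "disabled", "unset" or "unreadable" for the file in $1.
resign_state() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk -F= '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            key = $1; val = $2
            sub(/#.*/, "", val)                  # drop a trailing comment
            gsub(/[ \t\r]/, "", key)             # strip blanks and CR
            gsub(/[ \t\r]/, "", val)
            # Match the current name and the earlier name the page mentions.
            if (key == "AUTO_RESIGN_HOST_SETTINGS" || key == "RE_SIGN_HOST_SETTINGS")
                state = (toupper(val) == "TRUE") ? "enabled" : "disabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

if [ "$#" -gt 0 ]; then
    # Audit the files named on the command line.
    for conf in "$@"; do
        printf '%s: %s\n' "$conf" "$(resign_state "$conf")"
    done
else
    # Constructed sample input: earlier attribute name, mixed case, CRLF ending.
    sample=$(mktemp)
    printf '# constructed sample\nRE_SIGN_HOST_SETTINGS = true\r\n' > "$sample"
    printf 'sample: %s\n' "$(resign_state "$sample")"
    rm -f "$sample"
fi
```

Run it with the path to agent.conf as an argument. A result of "enabled" on a host where re-signing was not deliberately turned on is a finding to investigate.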