secfsd Examples
Display GuardPoint Information
To display the GuardPoint paths, applied policies, policy type, and guard status, use the secfsd -status guard command. For example:
secfsd -status guard
GuardPoint     Policy          Type             ConfigState  Status       Reason
----------     ------          ----             -----------  ------       ------
/opt/apl/lib   allowAllOps_fs  local            guarded      guarded      N/A
/dev/sdb       watchaccess_rd  rawdevice        guarded      guarded      N/A
/dev/sdc       watchaccess_rd  manualrawdevice  guarded      guarded      N/A
/dev/sdd       watchaccess_rd  manualrawdevice  unguarded    not guarded  Inactive
/opt/apl/tmp   MSSQL00123      manual           unguarded    not guarded  Inactive
| Column | Description |
|---|---|
| GuardPoint | Full path of the GuardPoint. |
| Policy | Name of the policy applied to the GuardPoint. |
| Type | One of local, automount, manual, rawdevice (raw device), or manualrawdevice (manual raw device). Configured in the GuardPoints tab. |
| ConfigState | Guard state of the GuardPoint as recorded by the key manager (CipherTrust Manager). It is either guarded or unguarded. |
| Status | Guard state as currently observed by CTE on the host. It can differ from ConfigState (see the Note below). |
| Reason | Additional information about the Status, if any. |
Note
• ConfigState and Status can differ. For example, if you apply a GuardPoint while someone is working inside the GuardPoint directory, the policy cannot be applied at that time: ConfigState is guarded, but Status remains not guarded until the directory is free.
• When you remove an auto-mounted GuardPoint from CipherTrust Manager, the CTE Agent only deletes the GuardPoint after the configured autofs timeout expires, and that timeout does not start until the GuardPoint is free. The timeout can be changed in the auto.master file on the host.
Display GuardPoint Information in a Different Format
To display the same information in a block format, use the secfsd -status guard -v command. For example:
secfsd -status guard -v
GuardPoint: 1
Policy: allowAllOps_fs
Directory: /opt/apps/apps1/tmp
Type: local
ConfigState: guarded
Status: guarded
Reason: N/A
GuardPoint: 2
Policy: allowAllRootUsers_fs
Directory: /opt/apps/apps1/lib
Type: local
ConfigState: guarded
Status: guarded
Reason: N/A
Display Host Settings
To display the SHA2 (SHA-256) hash signature recorded for each protected host setting (the authenticator binaries), use the secfsd -status auth command. For example:
secfsd -status auth
|authenticator|/bin/su 3E765375897E04C39AB17D4C755F50A35195535B6747DBA28DF9BD4AA672DFF9
|authenticator|/usr/sbin/sshd 98FC599D459EDEA52A60AB394B394803B5DAB96B53148DC608732DDA6777FA1A
|authenticator|/usr/sbin/in.rlogind 5C9A0EDD8BF54AE513F039476D21B3032507CF957AA0CB28C368EB8AB6E684FB
|authenticator|/bin/login 0D2EE0B995A30AE382B4B1CA5104715FC8902F457D283BDABAAD857B09259956
|authenticator|/usr/bin/gdm-binary 363780522E3CCF9ABF559F059E437743F9F97BBBB0EE85769007A464AD696BD1
|authenticator|/usr/bin/kdm BAD41BBCDD2787C7A33B5144F12ACF7ABC8AAA15DA9FDC09ECF9353BFCE614B5
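Added example (not part of the CTE documentation or the Thales tooling): a shell check that reads the secfsd -status auth output shown above and compares each recorded signature with the SHA-256 digest of the binary currently on disk, so that drift (for example after an sshd or login package update) is caught before it turns into denied logins. It assumes the displayed value is the SHA-256 of the file contents; the function names, message format, and the sample data used in the test are this example's own.

```sh
#!/bin/sh
# Added example, not CTE's own code. Compares the authenticator signatures
# reported by "secfsd -status auth" with the SHA-256 digest of each binary
# as it is on disk right now.
# ASSUMPTION: the reported value is the SHA-256 of the file contents. If CTE
# signs something else, a mismatch is a prompt to re-check with the vendor
# tooling, not proof of tampering.
#
# Live usage on a CTE host:   secfsd -status auth | check_authenticators
# Exit status is 0 when every listed binary matches, 1 otherwise.

PREFIX='|authenticator|'

# Portable SHA-256 of one file, printed as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Reads "|authenticator|/path HEXDIGEST" lines on stdin (paths without spaces,
# as in the documented output) and prints OK / MISMATCH / MISSING per entry.
check_authenticators() {
    rc=0
    while IFS= read -r line; do
        entry=${line#"$PREFIX"}
        [ "$entry" != "$line" ] || continue        # not an authenticator line
        path=${entry%% *}
        recorded=$(printf '%s' "${entry#* }" | tr -d ' ' | tr 'A-F' 'a-f')
        if [ ! -f "$path" ]; then
            printf 'MISSING %s (recorded %s)\n' "$path" "$recorded"
            rc=1
            continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" = "$recorded" ]; then
            printf 'OK %s\n' "$path"
        else
            printf 'MISMATCH %s (recorded %s, on disk %s)\n' "$path" "$recorded" "$actual"
            rc=1
        fi
    done
    return $rc
}

# Run for real when invoked with --live (requires secfsd on PATH).
if [ "${1-}" = "--live" ]; then
    secfsd -status auth | check_authenticators
fi
```

Run it after any package update that touches su, sshd, login or the display managers, and before assuming a login failure is a CTE policy problem; a MISMATCH line tells you the recorded signature no longer matches the binary that is actually executing.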
Display Key Status
To display the status of CTE keys, use the secfsd -status keys command. For example:
secfsd -status keys
Encryption keys are available
Display Lock Status
To display the status of CTE locks, use the secfsd -status lockstat command. For example:
secfsd -status lockstat
FS Agent Lock: false
System Lock: false
The value is true if the lock is applied. The value is false if the lock is not applied. System Lock corresponds to System Locked in the Host window. FS Agent Lock corresponds to FS Agent Locked in the Host window.
Note
Before you upgrade, remove CTE software, or change operating system files, the status of FS Agent Lock and System Lock must be false.
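Added example (not from the CTE documentation): a preflight script for the requirement above and for the ConfigState/Status caveat in the GuardPoint Note earlier on this page. It parses captured secfsd -status lockstat and secfsd -status guard output and refuses to proceed while either lock is true or while any GuardPoint has not settled (ConfigState and Status disagree). The sample outputs embedded in the block are constructed in the documented format, not captured from a host; the function names and messages are this example's own.

```sh
#!/bin/sh
# Added example, not CTE's own code. Pre-change preflight for a CTE host:
# fails when "secfsd -status lockstat" reports a lock, or when
# "secfsd -status guard" shows a GuardPoint whose key-manager view
# (ConfigState) and host view (Status) still disagree.

# Input: text of "secfsd -status lockstat" on stdin.
# Prints the name of every lock that is set; returns 1 if any is true.
locks_set() {
    awk -F': *' '
        /Lock:/ && tolower($2) == "true" { print $1; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Input: text of "secfsd -status guard" (table format) on stdin.
# Prints "<path> <ConfigState> <Status>" for every row whose Status is not the
# settled counterpart of its ConfigState (guarded -> guarded,
# unguarded -> "not guarded"); returns 1 if any such row exists.
# Status may be two words, so it is everything between ConfigState and Reason.
inconsistent_guardpoints() {
    awk '
        NR <= 2 { next }                                  # header and dashes
        NF < 5 { next }                                   # not a GuardPoint row
        {
            status = $5
            for (i = 6; i < NF; i++) status = status " " $i   # Reason is last
            cfg = ($4 == "guarded") ? "guarded" : "not guarded"
            if (cfg != status) { print $1, $4, status; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Takes the two command outputs as strings, so it works on a saved support
# bundle as well as live. Returns 0 only when both checks are clean.
cte_preflight() {
    lock_out=$1; guard_out=$2; ok=0
    if ! printf '%s\n' "$lock_out" | locks_set; then
        echo "preflight: a lock is set; clear it in CipherTrust Manager before continuing" >&2
        ok=1
    fi
    if ! printf '%s\n' "$guard_out" | inconsistent_guardpoints; then
        echo "preflight: GuardPoints still settling; wait until ConfigState and Status agree" >&2
        ok=1
    fi
    return $ok
}

# Constructed sample outputs (documented format, not captured from a host).
sample_lockstat() {
cat <<'EOF'
FS Agent Lock: false
System Lock: true
EOF
}
sample_guard() {
cat <<'EOF'
GuardPoint     Policy          Type             ConfigState  Status       Reason
----------     ------          ----             -----------  ------       ------
/opt/apl/lib   allowAllOps_fs  local            guarded      guarded      N/A
/opt/apl/tmp   allowAllOps_fs  manual           guarded      not guarded  N/A
/dev/sdd       watchaccess_rd  manualrawdevice  unguarded    not guarded  Inactive
EOF
}

# Live usage on a CTE host (requires secfsd on PATH):
#   cte_preflight "$(secfsd -status lockstat)" "$(secfsd -status guard)" && echo "safe to proceed"
# Offline demonstration with the constructed samples (fails on both checks):
#   cte_preflight "$(sample_lockstat)" "$(sample_guard)"
```

The unguarded/"not guarded" pairing is treated as settled on purpose: a GuardPoint that is disabled on both sides is not a reason to block maintenance, whereas a guarded/"not guarded" row means CTE has not yet been able to apply the policy and the directory is still in use.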
Agent Security Configuration Protection
The Agent lock directory, /opt/vormetric/DataSecurityExpert/agent/secfs/.sec, contains secfs secret files, configuration files, host setting signatures, and so on. Thales recommends protecting this directory whenever secfs is online.
Applying the improved directory protection ensures that only CTE applications (vmd, secfsd, voradmin, etc.) can modify the .sec directory and the files in it. All other users, including root, are denied read and write access to the files, and cannot modify the conf and bin subdirectories with other tools.
Because direct edits to the directory are no longer permitted, a new command is provided for changing secfs configuration parameters: voradmin secfs config
Syntax
voradmin secfs config <configuration_parameter> <value>
Example
voradmin secfs config pagecache_writeback 1
Previously, the same result required writing to the configuration file directly:
echo 1 > /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/conf/pagecache_writeback
Note
When CTE is upgraded to v7.2.0 from the previous release, 'Permission Denied' warnings may be displayed when files are removed from subdirectories of the .sec directory. These warnings are harmless and can be ignored.
Display CTE Log Status
To display the status of the CTE log service, use the secfsd -status logger command. For example:
secfsd -status logger
Upload URL: https://vmSSA06:8444/upload/logupload,https://vmSSA07:8444/upload/logupload,https://vmSSA05:8444/upload/logupload
Logger Certificate directory: /opt/vormetric/DataSecurityExpert/agent/vmd/pem
This command returns the URLs to which the log service sends log data, and the directory that contains the CTE client certificate. CTE uses this certificate to authenticate itself to CipherTrust Manager when it uploads log data.
Display Applied Policies
To display the policies that are applied to CTE, use the secfsd -status policy command. For example:
secfsd -status policy
Policy: enc-audit
Type: ONLINE
Display CTE Process Information
To display CTE processes, use the secfsd -status pslist command. This command shows the process number of each CTE process. To show the details of a specific CTE process, use the ps -fp <process #> command, where <process #> is a process number from the secfsd -status pslist output.
For example:
secfsd -status pslist
Protected pid list: 739 731
ps -fp 739
UID PID PPID C STIME TTY TIME CMD
root 739 1 0 11:04:56 - 0:00 /opt/vormetric/ \
DataSecurityExpert/agent/vmd/bin/vmd
Display CTE Version Information
To display CTE version information, use the secfsd -version command. For example:
secfsd -version
version: <Release.build-number>
Display CTE Crypto Information
To display CTE support information for encryption modes, use the voradmin secfs crypto command. For example:
voradmin secfs crypto
AES CBC, CBC_CS1, XTS modes are supported
Encryption key protection is supported
Manually Enable a GuardPoint in CipherTrust Manager
To manually enable a GuardPoint on an AIX host:
1. Click CTE > Clients > <clientName> > GuardPoints.
2. Click Create GuardPoint.
3. In the Policy field, select a policy.
4. Set Type to Manual Directory.
5. Click Browse and enter the GuardPoint path.
6. Click Create.
7. Log on to the system hosting CTE as the root user.
8. To manually enable the GuardPoint, use the secfsd -guard <path> command. For example:
secfsd -guard /opt/apps/etc
secfsd: Path is Guarded
9. To verify the change, use the secfsd -status guard command. For example:
secfsd -status guard
GuardPoint     Policy          Type    ConfigState  Status   Reason
----------     ------          ----    -----------  ------   ------
/opt/apps/etc  allowAllOps_fs  manual  guarded      guarded  N/A