secfsd Examples
Display GuardPoint Information
To display the GuardPoint paths, applied policies, policy type, and guard status, use the secfsd -status guard command. For example:
| Column | Description |
|---|---|
| GuardPoint | Full path of the GuardPoint. |
| Policy | Name of the policy applied to the GuardPoint. |
| Type | Can be local, automount, manual, raw device, or manual raw device. Configured in the GuardPoints tab. |
| ConfigState | Guard status of the GuardPoint, as recognized by the key manager. It can be guarded or unguarded. |
| Status | Current guard status, as recognized by CTE. State can vary. |
| Reason | Additional information about the status, if any. |
Note
• ConfigState and Status can vary. As an example, if you apply a GuardPoint and someone is currently working in the GuardPoint, the policy cannot be applied at that time. In this case, the ConfigState is guarded and the Status is not guarded.
• When the user removes an auto-mounted GuardPoint from CipherTrust Manager, the CTE Agent is only deleted after the configured autofs timeout expires. This timeout does not start until the GuardPoint is free. The timeout can be changed in the auto.master file on the host.
Display GuardPoint Information in a Different Format
To display the same information in a block format, use the secfsd -status guard -v command. For example:
Display Host Settings
To display the SHA2 hash signature for each protected host setting, use the secfsd -status auth command. For example:
Display Key Status
To display the status of CTE keys, use the secfsd -status keys command. For example:
Display Lock Status
To display the status of CTE locks, use the secfsd -status lockstat command. For example:
The value is true if the lock is applied. The value is false if the lock is not applied. System Lock corresponds to System Locked in the Host window. FS Agent Lock corresponds to FS Agent Locked in the Host window.
Note
Before you upgrade, remove CTE software, or change operating system files, the status of FS Agent Lock and System Lock must be false.
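The pre-upgrade requirement above lends itself to a scripted preflight check. The following POSIX shell snippet is an added example, not part of the Thales documentation; it assumes that secfsd -status lockstat prints each lock as a "Name: value" line (the sample output below is constructed under that assumption) and refuses to continue unless both FS Agent Lock and System Lock report false.

```shell
#!/bin/sh
# Preflight for CTE upgrade/removal: both locks must be false before proceeding.

# Constructed sample outputs, assuming a "Name: value" layout for `secfsd -status lockstat`.
SAMPLE_LOCKED='FS Agent Lock: true
System Lock: false'
SAMPLE_CLEAR='FS Agent Lock: false
System Lock: false'

# lock_value NAME OUTPUT
# Prints the lowercase value of lock NAME found in OUTPUT; exits non-zero if absent.
lock_value() {
    printf '%s\n' "$2" | awk -F': *' -v n="$1" '
        $1 == n { gsub(/[ \t\r]+$/, "", $2); print tolower($2); found = 1 }
        END { exit !found }'
}

# locks_clear OUTPUT
# Returns 0 only when both FS Agent Lock and System Lock are false;
# 1 if a lock is still applied, 2 if a lock line is missing from the output.
locks_clear() {
    out=$1
    for lock in "FS Agent Lock" "System Lock"; do
        v=$(lock_value "$lock" "$out") || {
            echo "preflight: '$lock' not found in lockstat output" >&2; return 2; }
        [ "$v" = "false" ] || {
            echo "preflight: $lock is still applied ($v); clear it in the Host window first" >&2
            return 1; }
    done
    echo "preflight: both CTE locks are clear"
    return 0
}

# Live use on a CTE host (not run here):
#   locks_clear "$(secfsd -status lockstat)" && ./run_upgrade.sh
```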
Agent Security Configuration Protection
The Agent lock directory, /opt/vormetric/DataSecurityExpert/agent/secfs/.sec, contains secfs secret files, configuration files, host setting signatures, etc. Thales recommends protecting the directory whenever secfs is online.
Applying improved directory protection ensures that only CTE applications (vmd, secfsd, voradmin, etc.) can modify the .sec directory and the files in it. All users, including root, are denied read/write access to the files, and they also cannot use other tools to modify the conf and bin directories.
A new command has been created to protect the directory: voradmin secfs config
Syntax
Example
Previously, you would have had to use the following command to achieve the same results as the example above:
Note
When CTE is upgraded to v7.2.0 from the previous release, it may display ‘Permission Denied’ warnings when files are removed from subdirectories of the .sec directory. You can ignore these warnings; they are harmless.
Display CTE Log Status
To display the status of the CTE log service, use the secfsd -status logger command. For example:
```
Upload URL: https://vmSSA06:8444/upload/logupload,https://vmSSA07:8444/upload/logupload, \
https://vmSSA05:8444/upload/logupload
Logger Certificate directory: /opt/vormetric/DataSecurityExpert/agent/vmd/pem
```
This command sequence returns the URL to which the log service sends log data. It also returns the directory that contains the CTE certificate. CTE uses the certificate to authenticate CTE when it uploads the log data to the CipherTrust Manager.
Display Applied Policies
To display the policies that are applied to CTE, use the secfsd -status policy command. For example:
Display CTE Process Information
To display CTE processes, use the secfsd -status pslist command. This command shows the process number associated with each CTE process. To show the details about a specific CTE process, use the ps -fp <process #> command, where <process #> is the process number from the secfsd -status pslist command. For example:
Display CTE Version Information
To display CTE version information, use the secfsd -version command. For example:
Display CTE Crypto Information
To display CTE support information for encryption modes, use the voradmin secfs crypto command. For example:
Manually Enable a GuardPoint in CipherTrust Manager
To manually enable a GuardPoint on an AIX host:
- Click CTE > Clients > <clientName> GuardPoints.
- Click Create GuardPoint.
- In the Policy field, select a policy.
- Set Type to Manual Directory.
- Click Browse and enter the GuardPoint path.
- Click Create.
- Log onto the system hosting CTE as the root user.
- To manually enable the GuardPoint, use the secfsd -guard <path> command. For example:
- To verify the change, use the secfsd -status guard command. For example: