User Guides
CTE-U Quick Start Guide
- Terminology and Components
- Install and Configure CTE-U with CipherTrust Manager
  - Installation Prerequisites
  - Installation and Registration
  - Verifying Package Signatures
  - Setting the SE Linux state
- Guarding with CTE-U and CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Guarding CTE files with CTE-U
- Exporting GuardPoints over NFS
- Migrating CTE Agents to CTE-U
- Multifactor Authentication for CTE-U
  - Introduction to Multifactor Authentication
  - Using CTE-U with Multi-factor Authentication
  - Use Cases for MFA on CTE
  - Exempting some users from authentication with a Whitelist
  - Setting up Multifactor Authentication with a One-Time-Password
  - Setting up Multifactor Authentication with an Inactivity Time Out
  - Administrator Tasks for Multifactor Authentication
  - Troubleshooting Multifactor Authentication
- Phased migration from CTE-U 9.x to CTE-U 10.x
CTE-U Health Manager Utility
- Performing Health Check
- Using the Monitor
- Service Commands
- Viewing the Service Status
- Gathering the Technical Dump Information
- Troubleshooting/ Debugging CTE-U
CTE-U Advanced Configuration Guide for Linux
- Getting Started with CTE for Linux
  - Silent Installation for CTE or CTE-U on Linux
  - Using external certificates for communication between CTE Agent and CipherTrust Manager
  - Configuring CTE-U with CipherTrust Manager
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- CTE-U Overview
- Special Cases for CTE-U Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Enhanced Encryption Mode
  - Disk Space
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - File Systems Compatibility
- CTE with systemd
  - CTE Agent Control Changes on systemd
  - CTE Agent Control Changes on systemd
  - Adding Applications to the secfs-fuse.service File
  - Adding Dependencies to systemd Unit Configuration Files
- Utilities
  - CTE-U Linux Authentication and Client Settings
  - Individual GuardPoint Tuning
  - Agent Health Utility
  - Secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - agentinfo Utility (Java version)
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Voradmin Utility
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - vmd utility
  - vmsec Utility
- Upgrading CTE-U on Linux
- Uninstalling CTE-U from Linux
Using FreeBSD with CTE-U
- FreeBSD Jail
- Install CTE-U Dependencies
- FreeBSD Services
- Upgrade CTE-U Packages
- Remove CTE-U Packages
- Unsupported Features for CTE-U with FreeBSD

Exporting GuardPoints over NFS

Warning

CTE-U cannot guard a sub-directory of an exported NFS share directory. The guarded path must be the same as the NFS exported path.
Use of process sets or signature sets is not supported

Note

For CTE-U v10.3.0 and subsequent versions, user sets are supported. See Creating User Sets for more information.

Prerequisites

CTE-U does not support process-based access checks with the export scenario. To protect the operation of the necessary files for the NFS client, you must either disable the authenticator check or add the NFS process as an authenticator.

To disable the authenticator check, type:
```
voradmin secfs config uid_search 0
```
To add the NFS process as an authenticator, add the following in the CipherTrust Manager > Client Settings field:
```
|authenticator|/usr/sbin/rpc.mountd 
|authenticator|/usr/sbin/rpc.nfsd 
|authenticator|/usr/sbin/exportfs
```

Setup and Configuration

To setup and configure your NFS server so that you can export GuardPoints:

Make sure that CTE-U is started before the NFS server is started:

vi /usr/lib/systemd/system/nfs-server.service

Response

network-online.target local-fs.target secfs-fuse.service

Create your GuardPoints on your NFS server.

Verify that the /etc/exports file contains the following:

/guardpoint/path <nfs_server_IP>(rw,sync,fsid=3,no_root_squash)

Verify that secfs_fuse was started before NFSD:
```
ps -ef |grep secfs; ps -ef |grep nfsd nfsd pid
```
Note

The GuardPoint PID is valid as long as the NFS daemon is not restarted.
If secfs_fuse was not started before NFSD, or if you are unable to verify it, restart the NFS server:
```
service nfs-server restart
```
Mount the client:
```
mount -t nfs -o lookupcache=none <ip address>:/mount/share   /local/mountpoint
```
Note
1. Use the mount -o nocache option for an NFS (Network File System) client to disable client-side caching for file data. This ensures that all of the I/O requests are received on the CTE-U server so that CTE-U can provide valid access checks.
2. When mounting as a non-root user with NFS mount (guarded in NFS server):
  - Specify only the GID for the non-root user in the user set configuration in the policy.
  - Alternatively, include the root user as part of the user set configuration in the policy, but limit root user permissions. The following allows the root user to mount NFS, but they cannot read the actual data.
    - Action = d_rd-att
    - Effect = permit,audit

Suggest A Change

Exporting GuardPoints over NFS

Prerequisites

Setup and Configuration

On this page