publib.boulder.ibm.com/tividd/td/security/pol_admin37/ja_ja/pdf/...

Tivoli® SecureWay® Policy Director for Operating Systems Administration Guide Version 3 Release 7

Upload: trinhanh

Post on 01-Jul-2018


Page 1: publib.boulder.ibm.com/tividd/td/security/pol_admin37/ja_JA/PDF/...

Tivoli® SecureWay®

Policy Director for Operating Systems Administration Guide Version 3 Release 7


Attention! Before using this book and the product it supports, be sure to read the general information under "Notices".

Please send your comments and suggestions about this manual via the following URL. We will use them as reference for future editions.

http://www.ibm.com/jp/manuals/main/mail.html

Manuals published by IBM Japan are also available in Internet editions. For details, see:

http://www.ibm.com/jp/manuals/ NV4m8KD$FWr4w/@5$#

(The URL is subject to change.)

Tivoli® SecureWay®

Policy Director for Operating Systems

Administration Guide

Version 3 Release 7

Publisher: IBM Japan, Ltd.

Responsible department: National Language Support

First printing, April 2001

This document uses the typefaces Heisei Mincho™W3, Heisei Mincho™W9, Heisei Kaku Gothic™W3, Heisei Kaku Gothic™W5, and Heisei Kaku Gothic™W7. These typefaces (*) are used under a usage agreement concluded with the Japanese Standards Association. Unauthorized reproduction of them as fonts is prohibited.

* Heisei Mincho™W3, Heisei Mincho™W9, Heisei Kaku Gothic™W3, Heisei Kaku Gothic™W5, Heisei Kaku Gothic™W7

Translation: © Copyright IBM Japan 2001


Copyright Notice

© Copyright IBM Corporation 2000. All rights reserved. This document may be used only in accordance with the terms of the Tivoli Systems Software License Agreement, the IBM Program License Agreement or IBM program usage terms, or any comparable Tivoli product license information or similar terms. No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means (electronic, mechanical, magnetic, optical, chemical, manual, or otherwise) without the prior written permission of IBM. IBM grants you limited permission to make hardcopy or machine-readable reproductions of this documentation for your own use, provided that each such reproduction carries the IBM copyright notice. No other rights under copyright are granted without the prior written permission of IBM. This document is not intended for production use and is furnished "as is" without warranty of any kind. All warranties on this document are hereby disclaimed, including, without limitation, the warranties of merchantability and fitness for a particular purpose.

Trademarks

IBM, Tivoli, and the Tivoli logo are trademarks or registered trademarks of IBM Corporation or Tivoli Systems Inc. in the United States and other countries.

UNIX is a registered trademark in the United States and other countries, licensed through The Open Group.

Other company, product, and service names may be trademarks or registered trademarks of their respective owners.

Notices

References in this book to Tivoli Systems or IBM products, programs, or services do not imply that they will be made available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to the valid intellectual property or other legally protectable rights of Tivoli Systems or IBM, any functionally equivalent product, program, or service may be used instead. However, the evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may hold patents or pending patent applications, trademarks, or copyrights covering subject matter described in this book. The furnishing of this book does not give you any license to these patents. Send license inquiries, in writing, to the following address:

IBM World Trade Asia Corporation, Intellectual Property Law & Licensing, AP Office, 3-2-31 Roppongi, Minato-ku, Tokyo 106-0032, Japan

iii Policy Director for Operating Systems Administration Guide


iv Version 3 Release 7


Contents

Tables . . . . . ix

Preface . . . . . xi

Who Should Read This Book . . . . . xi

Prerequisites and Related Documents . . . . . xi

How This Book Is Organized . . . . . xi

Conventions Used in This Book . . . . . xii

Platform-Specific Information . . . . . xii

Contacting Customer Support . . . . . xiii

Chapter 1. Overview . . . . . 1

Understanding PDOS . . . . . 1

PDOS Environment . . . . . 2

PDOS Databases . . . . . 2

PDOS Authorization Model . . . . . 3

UNIX Identity and PDOS User Identity . . . . . 3

PDOS Authorization Policy . . . . . 4

Chapter 2. PDOS Policy . . . . . 7

]n*V8'/H>=$ . . . . . 7

Namespace Root . . . . . 7

Policy Branch . . . . . 8

Resource Types . . . . . 8

Object Names . . . . . 8

Using Wildcards . . . . . 8

Access Control . . . . . 11

Access Control Lists . . . . . 11

Q5*hS#G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Protected Object Policy . . . . . 16

POP Attributes Used in Access Control . . . . . 16

Access Restrictions . . . . . 17

Examples of Access Restrictions . . . . . 18

Evaluating Access Restrictions . . . . . 18

Protected System Resources . . . . . 20

File Policy . . . . . 20

Network Policy . . . . . 31

Access Control for Network Resources . . . . . 34



Login Policy . . . . . 35

Surrogate Policy . . . . . 43

Sudo Policy . . . . . 45

pdossudo Command . . . . . 49

Chapter 3. PDOS Runtime . . . . . 53

PDOS Daemons . . . . . 53

PDOSD Authorization Daemon . . . . . 54

PDOSAUDITD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

PDOSWDD Watchdog Daemon . . . . . 61

PDOS Users and PDOS Groups . . . . . 61

osseal-admin Group . . . . . 62

osseal User . . . . . 62

Root User . . . . . 62

osseal Group . . . . . 63

osseal-auditors Group . . . . . 63

osseal-unauth User . . . . . 63

pdosd-hostname User . . . . . 63

PDOS Files and Directories . . . . . 63

PDOS Initial Policy . . . . . 65

osseal-audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

osseal-credentials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

osseal-default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

osseal-default-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

osseal-default-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

osseal-default-net-incoming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

osseal-default-net-outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

osseal-default-sudo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

osseal-default-surrogate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

osseal-hla . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

osseal-logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

osseal-open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

osseal-privileged-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

osseal-restricted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

osseal-restricted-read . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

osseal-runtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

osseal-tcb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

osseal-umsg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Isolated Operation . . . . . 68



Isolation from the Policy Director Management Server . . . . . 68

Isolation from the Policy Director User Registry . . . . . 69

Isolation from a Non-Local UNIX User Registry . . . . . 69

Isolation from the Host Name Resolution Server . . . . . 70

Chapter 4. PDOS Administrative Tasks . . . . . 73

Overview of Tasks . . . . . 73

Establishing a Consistent User Name Space . . . . . 73

Adjusting the PDOS Configuration . . . . . 76

Managing PDOS Processes . . . . . 77

Checking Policy . . . . . 79

Managing the Trusted Computing Base . . . . . 83

Managing Credentials . . . . . 84

"/;5< ID N=L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Host Name Lookup Database . . . . . 87

Backing Up and Restoring PDOS Configuration Files and Databases . . . . . 88

Chapter 5. PDOS Auditing . . . . . 91

Auditing Authorization Decisions . . . . . 91

Auditing Administrative Activity . . . . . 92

Audit Log Files . . . . . 92

Audit Log Record Format . . . . . 93

Displaying Audit Logs . . . . . 99

Using the PDOS Audit View Tool . . . . . 99

Sample Searches . . . . . 100

Appendix A. PDOS Commands . . . . . 101

pdosaudview . . . . . 102

pdosbkup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

pdoscfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

pdosctl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

pdosdestroy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

pdosexempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

pdoshla . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

pdoslpadm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

pdosobjsig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

pdosrefresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

pdosrevoke . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126



pdosrgyimp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

pdosrstr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

pdossudo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

pdosucfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

pdosuidprog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

pdosunauth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

pdosversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

pdoswhoami . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

pdoswhois . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Appendix B. PDOS Policy Quick Reference . . . . . 147

Appendix C. Expressions for Specifying Wildcard Characters . . . . . 149

Index . . . . . 151



1. Platforms and Versions That Support PDOS . . . . . xii
2. PDOS Wildcard Elements . . . . . 9
3. o$kI+<INM-go;Nc . . . . . 9
4. o$kI+<IN(lasHN%hgLNk<k . . . . . 10
5. o$kI+<I&Q?<sN%hgLNc . . . . . 10
6. PDOS Permissions Defined in the OSSEAL Action Group . . . . . 13
7. Policy Director Primary Actions Used for Policy Administration . . . . . 14
8. Policy Director Primary Actions Used for Policy Decisions . . . . . 14
9. File System Objects . . . . . 21
10. PDOS File Permissions . . . . . 21
11. Login Programs That PDOS Can Detect . . . . . 29
12. WiCHU)<`4HNH|Wm0i` . . . . . 30
13. MCHo</&j=<9N?> . . . . . 31
14. Permissions Required for Incoming or Outgoing Connections to Network Resources . . . . . 32
15. <vKX9kQlNjA . . . . . 39
16. Permissions Required to Log In . . . . . 39
17. Login Activity Policy Attributes . . . . . 40
18. Surrogate Object Names . . . . . 43
19. Permissions for Surrogate Operations . . . . . 43
20. PDOS Sudo Objects . . . . . 46
21. Sudo Command Attributes . . . . . 46
22. Permissions Required for Sudo . . . . . 47
23. Extended Sudo Attributes for Detailed Control . . . . . 47
24. Environment Variables Stripped by Sudo . . . . . 50
25. Environment Variables Set by Sudo . . . . . 51
26. PDOS Credential Configuration Attributes . . . . . 55
27. Configuration Attributes Controlling Communication Between PDOSD and the User Registry . . . . . 56
28. Authorization Configuration Attributes . . . . . 57
29. Authorization Policy Branch Configuration Attributes . . . . . 58
30. PDOSD TCB File Monitor Resource Configuration Attributes . . . . . 58
31. PDOSD Log Configuration Attributes . . . . . 59
32. PDOS Global Audit Level Configuration Attributes . . . . . 60
33. PDOSAUDITD Configuration Attributes . . . . . 60
34. PDOSWDD Configuration Attributes . . . . . 61
35. Equivalent pdoscfg Options for Attributes in osseal.conf . . . . . 76
36. Equivalent pdoscfg Options for Attributes in pdosd.conf . . . . . 76
37. Equivalent pdoscfg Options for Attributes in pdosauditd.conf . . . . . 77
38. Equivalent pdoscfg Options for Attributes in pdoswdd.conf . . . . . 77
39. pdoscfg Options Controlling PDOS Daemon Log Files . . . . . 79
40. System Resources and Corresponding PDOS Resource Types . . . . . 147
41. PDOS Permissions Defined in the [OSSEAL] Action Group . . . . . 147
42. ]j7<I}KHQ9k Policy Director Np\"/7gs . . . . . 147
43. ]j7<=LKHQ9k Policy Director Np\"/7gs . . . . . 148
44. Special Elements of Wildcard Character Sets . . . . . 149
45. Wildcard Character Set Character Classes Required for All Locales . . . . . 150





Preface

This Tivoli SecureWay Policy Director for Operating Systems Administration Guide describes how to use Policy Director for Operating Systems (PDOS) and provides a reference for the PDOS commands.

Who Should Read This Book

This book is intended for system administrators who have knowledge of the following topics:

¶ UNIX® operating systems

¶ Internet protocols (HTTP, TCP/IP, FTP, TELNET, SSL, and so on)

¶ Security administration

¶ Directory services

¶ Authentication

¶ Authorization

¶ Tivoli SecureWay Policy Director

It is also helpful for system administrators to have supplementary knowledge of the following:

¶ Tivoli Management Environment framework

¶ Tivoli Distributed Monitoring

¶ Tivoli Enterprise Console®

¶ Tivoli SecureWay Security Manager

¶ Tivoli User Administration

Prerequisites and Related Documents

The following documents contain useful related information:

¶ Tivoli SecureWay Policy Director for Operating Systems Installation Guide Version 3.7

¶ Tivoli SecureWay Policy Director Administration Guide Version 3.7

¶ Tivoli SecureWay Policy Director Base for AIX® Installation Guide Version 3.7

¶ Tivoli SecureWay Policy Director Base for HP-UX Installation Guide Version 3.7

¶ Tivoli SecureWay Policy Director Base for Solaris Installation Guide Version 3.7

¶ Tivoli SecureWay Policy Director Release Notes Version 3.7

How This Book Is Organized

The Policy Director for Operating Systems Administration Guide is organized into the following sections:

¶ "Overview" on page 1

Introduces PDOS and its functions.



¶ "PDOS Policy" on page 7

Describes the resources that PDOS protects and helps you plan your protection strategy.

¶ "PDOS Runtime" on page 53

Describes the PDOS runtime components and their environment. This chapter covers the PDOS daemons.

¶ "PDOS Administrative Tasks" on page 73

Describes the administrative tasks required to administer PDOS.

¶ "PDOS Auditing" on page 91

Describes how to use the PDOS audit facility to track protection operations and access to monitored activity.

¶ "PDOS Commands" on page 101

A reference for the PDOS commands. Describes each command together with its syntax, options, and usage.

¶ "PDOS Policy Quick Reference" on page 147

A quick reference for PDOS policy resources and permissions.

¶ "Expressions for Specifying Wildcard Characters" on page 149

Enumerates and defines the expressions for wildcard character sets.

Conventions Used in This Book

This book uses a variety of typeface conventions for special terms and actions. These conventions have the following meanings:

Bold: Commands, keywords, file names, v'DNrd, URLs, and similar information appear in bold, like this. Window names, dialogs, and other controls also appear in bold, like this.

Italic: Variables or values that you must specify appear in italic, like this. Emphasized text also appears in italic, like this.

Bold italic: New terms, where they are defined in the text, appear in bold italic, like this.

Monospace: Code examples, output, and system messages appear in monospace, like this.

Platform-Specific Information

The following table shows the supported platform versions known at the time this document was published. For details and the latest information, see the release guide.

Table 1. Platforms and Versions That Support PDOS

Platform    Supported versions
AIX 4.x     IBM® RS/6000® series running AIX Version 4.3.1, 4.3.2, or 4.3.3 (with patch PTF u470050 applied)
HP-UX       HP9000/700 and 800 series running HP-UX Version 11.00.47
Solaris     Sun SPARC series running Solaris Version 2.6 (with patch 105181-23 applied), 2.7, or 2.8

Contacting Customer Support

For documentation and customer support, contact your sales representative.





Chapter 1. Overview

Welcome to the Policy Director for Operating Systems (PDOS) Administration Guide. This book contains detailed information about PDOS, including the PDOS environment, the authorization model, and the PDOS commands. The book is divided into two parts. Part 1 explains the concepts behind PDOS. Part 2, "PDOS Commands" on page 101, is a reference section for the PDOS commands.

This chapter explains how Policy Director for Operating Systems (PDOS) works, so that you can plan and enforce authorization policy effectively on your system. It gives an overview of PDOS and the PDOS environment.

Understanding PDOS

PDOS provides authorization policy controls in addition to those provided by the native operating system. Administrators define their own authorization policy by applying fine-grained access controls that restrict or permit access to key system resources. The controls are based on the user, group membership, the type of operation, the time of day or day of week, and the accessing application. Administrators can control access to specific file resources, login and network services, and changes of identity. These controls can also be used to manage administrative procedures and to restrict administrative functions on a per-user basis. In addition to enforcing authorization policy, PDOS also provides the ability to verify the defined policy and to audit authorization decisions.

Access controls are stored in a policy database that is centrally managed in the Policy Director environment. Accessing-user definitions are stored in a user registry that is likewise centrally managed in that environment. When a protected resource is accessed, PDOS performs an authorization check based on the identity of the accessing user, the action, and the access controls on the resource, and decides whether to permit or deny the access.





PDOS Environment

As shown in Figure 1, PDOS operates within the Tivoli SecureWay Policy Director environment.

Policy Director is a network-based authorization framework that provides the backbone for defining, managing, and enforcing authorization policy. The framework can be used by multiple resource managers. PDOS is one of the resource managers that use the authorization services provided by Policy Director. Other resource managers include WebSEAL and NetSEAL (for details, see the Policy Director documentation). Policy Director is administered through a central server that all resource managers can access. This allows administrators to control policy for a large number of machines from a single central location. PDOS is installed on each machine that requires protection.

Figure 1. PDOS Overview

PDOS Databases

The Policy Director environment contains two main databases that are used by the resource managers. The first, the Policy Director user registry, stores user and group definitions and is used to manage and identify users in the Policy Director environment. For PDOS, the Policy Director environment must be set up to use an LDAP user registry. The second database, the policy database, stores all of the policy defined for each resource manager and enforces security. The policy database is where access controls are stored. Resource managers access these two databases over the network using TCP protected by Secure Socket Layers (SSL). In addition to these databases, Policy Director provides a standardized authorization API that performs all authorization decisions.

Although PDOS relies on information stored in the centrally managed Policy Director databases, the information needed to make authorization decisions is replicated and cached, so that authorization policy remains continuously available even if the Policy Director server or the Policy Director user registry server becomes inaccessible. For a discussion of these topics, see "PDOS Runtime" on page 53.

PDOS Authorization Model

PDOS components operate in user-level application space and in the UNIX kernel. The PDOS kernel extensions and the user-level components interact in a tightly integrated, secure manner to provide extended authorization enforcement. Applications access system resources through the system interfaces provided by the API, which in turn reach the UNIX kernel through various functions.

On a system that is not protected by PDOS, the native system security checks whether the identity of the accessing user has permission to perform the requested action, and whether to carry out or refuse the operation.

The primary function of the PDOS kernel extensions is to mediate access to res--- that are subject to PDOS authorization policy. The kernel extensions use the authorization daemon process, PDOSD, to make the authorization decision and then enforce that decision. If PDOS policy permits access to the resource, the operation continues and is then subject to the native system's security. Otherwise, the resource access is denied.

PDOSD O"Policy Director N&+if<6<*hS0k<W&asP<7CWrb@9k Policy Director Z@qK" UNIX f<6<1Lr^CW7^9# =l+i"PDOSD O"3N Policy Director vD API rxQ7F"]j7<&G<?Y<9KjA5lF$kZ@q"BT9k`n""/;99kj=<9"*hSX"9k"/;9&3sHm<kKpE$?vDhjrh@7^9#

UNIX ������ PDOS ������ ���

vDhjr9kNK,WJZ@qrM@9kKO""/;97F$kf<6<NG-

tM UNIX ID , Policy Director f<6<K^CW5lF$J1lPJj^;s#f<6<N UNIX f<6<>O"tM ID rHQ7F79F`NM$F#V&f<6<&l89Hj<+iM@G-^9# 3Nf<6<>O"18>0N PolicyDirector f<6<K 1 P 1 G^CW5l" Policy Director f<6<&l89Hj<+iZ@qr!w7^9# 3liNZ@qO"f<6<N PDOS 1L*hS0k<W&asP<7CWrjA7^9#f<6<NM$F#V&f<6<>KP~9kPolicy Directory f<6<,J$lg"vDhjrBT9k]KO"3Nf<6<O5vDf<6<H7F7ol^9#"+&sH,HQTDKJCF$kf<6<b"5vDf<6<H7F7ol^9#

18 Policy Director D-r&Q9k79F`O9YF"D-bNB]Nf<6<=l>lKD$F"lS-,"j@NJG-Nf<6<>rHQ7J1lPJj^;s#



?H(P"Sally Smith Nf<6<>,"^7s A GO sally"^7s B GOssmith @C?H7^9#3Nlg"IAiN^7sKm0$s9k+KhCF"[Jk 2 DN Policy Director f<6<K^CW5lkkLKJj^9#3lO""/;9G-kj=<9KFAr?(k3HKJj^9#

UK"Sally Smith N^7s A GN UNIX f<6<>, sally H7^9#f<6<Sally Doe N^7s C GN UNIX f<6<>N sally G9#3Nlg"Sally SmithH Sally Doe N>},"18 Policy Director f<6<K^CW5lkkLKJj^9# 3liNuVN$:lb"4HQN;-ejF#<&]j7<N.QrnH9kLKJj^9#

f<6<,"PDOS ,BT7F$kVK PDOS 5]<H*hSjAm0$s&Wm0i`rHQ7F" UNIX 79F`Km0$s9k]K"Z@qOGiK PolicyDirector f<6<&l89Hj<+i!w^?OG7=(5l^9# 3Ne"3Nf<6<,BT9kWm;9KhjBT5lk`nGN PDOS vDhjO9YF"3liNZ@qrHQ7Fhj5l^9# 3lO"-zJf<6< ID rQ99kWm;9"?H(P"setuid() FSP7rBT9kWm0i`d" su 3^sIr5o

KBT7?eGBT9kWm0i`NlgKbvFO^j^9#

PDOS ������

PDOS vDN_jKO"]nN,WJ79F`&j=<9H,WJ]nNYg$r1L9k3H,X87^9# ;-ejF#<&]j7<O",ZJ"/;9&3sHm<k,]nN,WJj=<9K,Q5lklgK"5oK$sWjasH5l^9#

"/;9&3sHm<kH$&QlO"\qGOlS7F"79F`&j=<9r]

n9k?aKHQG-kFoNvD]j7<rX9NKHQ5l^9# "/;9&3sHm<kKO"J<NbN,^^l^9#

"/;9&3sHm<k&j9H (ACL)CjNf<6<"f<6<N0k<W"*hS"/;9r!$P]HJkf<6<N?$Wr1L7"j=<9GvD5lF$k`nrXj7^9#

]n*V8'/H&]j7< (POP)F:"Ypb<I"*hS~o"/;9JIN"]n*V8'/HXN"/;9NrorXj7^9#

H%0-

*V8'/H"ACL"^?O POP KO"ICNM,~lil"j=<9K"/;99kNKHQG-kWm0i`r)B7?j7F""/;9r5iK)B7^9#

\qGO" Policy Director pdadmin 3^sIrHQ7F]j7<r_j9kc,(5l^9# 3liNcGO"oKh,KWmsWH pdadmin> ,U-^9# PolicyDirector *hS pdadmin 3^sIG]j7<r_j9k3HKD$FN\YO"Policy Director Base Administration Guide r2H7F/@5$#

zL*KvD]j7<r_j9kKO"J<N3HrBT7J1lPJj^;s#

¶ 79F`&j=<9N}r

¶ ]nN,WJ-<&j=<9N1L

¶ 3liNj=<9XN"/;9r,WH9kf<6<N?$WN1L



¶ j=<9N]nKHQG-k PDOS *W7gsN}r





PDOS ����

PDOS O"Policy Director "/;9&3sHm<kGjA5lkvD]j7<r/)9k3HKhj"79F`&j=<9r]n7^9# PDOS O"J<N?$WN79F`&j=<9XN"/;9r)f7^9#

¶ U!$k&79F`&j=<9

¶ jb<H&MCHo</&5<S9

¶ m<+k&MCHo</&5<S9

¶ m0$s&5<S9

¶ f<6<*hS0k<WN1LNQ9

¶ Sudo 3^sI

3liNj=<9O"Policy Director *V8'/H>Khj1L5l^9# 3liO"Policy Director "/;9&3sHm<kK*V8'/H>rX"U1k3HKhj]n5l^9#

J<N;/7gsGO" PDOS ,]n9k79F`&j=<9GvD]j7<rj

A9k?aK Policy Director *V8'/H>*hS"/;9&3sHm<k,INh&KHQ5lk+rb@7^9#

�����������

9YFNj=<9KO"Policy Director Kj=<9r1L5;k?aN]n*V8'/H>,"j^9# Policy Director K*V8'/H>,jA5l?eO"3lK"/;9&3sHm<krdjvFk3H,G-^9# ]n*V8'/H>O"gKJ<NQ<DG=.5lF$^9#

¶ M<`&9Z<9&k<H

¶ ]j7<&VisA

¶ j=<9&?$W

¶ *V8'/H>

]n*V8'/H>N=l>lNQ<DKD$F"J<Kb@7^9#

�����������Policy Director N<Nj=<9&^M<8c<KO9YF"9YFNj=<9jA,k<H5lkM<`&9Z<9,"j^9# PDOS NM<`&9Z<9O"OSSEALG9# PDOS Khj]n5lk9YFN^7s^?ON<IO"OSSEAL rHQ7^9# OSSEAL M<`&9Z<9O /OSSEAL G9#



���������4HQND-GO"18"k$O`w7?\*GHQ9k?aK"18"k$O`w

7?vD]j7<r,WH9k^7s,#t"kG7g&# PDOS rHQ9kH"f<6<jAN]j7<&VisAN<N`w7?^7sN]j7<r0k<W=9k3H,G-^9# ^7sO"CjN]j7<&VisAKC~9kh&K=.5l^9# 18]j7<&VisAKC~7F$k^7sO9YF"18vD]j7<K>&3HKJj^9# ]j7<&VisAO"/OSSEAL k<HN90eN*V8'/H>N(lasHKhjXj5l^9# ]j7<&VisAN>0O""I_K9Hl<?<,hj7^9# \qNDjNt,GO"]j7<&VisAr/OSSEAL/policy-branch H7^9#

>K"3 DN/i9N79F`"5<P<"o</9F<7gs"*hSF9H&^7s,"j"=l>lK[Jk;-ejF#<Wo,"kH7^9# ]j7<&VisAO"=l>lN/i9KD$FjAG-^9#

/OSSEAL/Servers
/OSSEAL/Workstations
/OSSEAL/Test

� ������]j7<&VisAN<KO"]n,D=J9YFNj=<9&?$W,"j^9#j=<9&?$WKO"U!$k*hSG#l/Hj<JIN79F`&j=<9""k$O"Sudo 3^sI"Surrogate "/7gs"*hS Network j=<9JIN=N>Nj=<9,^^l^9#j=<9&?$WO"]n5lF$kj=<9No`rXj7^9# ?H(P"9YFN]nU!$k&79F`&j=<9N]n*V8'/H>O"!Nh&K+OG-^9# /OSSEAL/policy-branch/File

1MK"9YFN Trusted Computing Base ;-e"&U!$kN]n*V8'/H>O"J<Nh&K+OG-^9#

/OSSEAL/policy-branch/TCB/Secure-Files

�������j=<9&?$WN<KO"B]Nj=<9=NbN,"j^9# =l>lNj=<9&?$WKO"]n,D=JCjN*V8'/H,"j^9# ?H(P"Filej=<9O"U!$k*hSG#l/Hj<r]n7^9# 3lO"1lNj=<9rjA9k?a"G<LN]n*V8'/H>G9#

U!$k&79F`&j=<9Nlg"*V8'/H>O"U!$k^?OG#l/Hj<>G9#MCHo</&j=<9Nlg"*V8'/H>O"Xj5lk[9H*hS5<S9psG9#=l>lNj=<9&?$WO"*V8'/H>N3Nt,Gj=<9NCjN$s9?s9r1L9kpsrXj7^9#

PDOS *V8'/H>N?/O"o$kI+<I&Q?<sKM-go;k>0rH

Q7F79F`&j=<9r(93H,G-^9# o$kI+<I&Q?<sNp\*J(lasHKD$FO" Xo$kI+<INHQYGb@5lF$^9# o$kI+<I&Q?<srxQ9k=l>lNj=<9O"5^6^J}!G3lrT$^9# 20Z<8NX]n79F`&j=<9YGO"=ll>lNCjNj=<9Go$kI+<IrINh&KxQG-k+KD$Fb@7^9#

!���"�����
Wildcards can be used to protect, as a group, resources that are not contained in the hierarchy: for example, all files whose names end in .log, or all host names that begin with www. Table 2 on page 8 describes the basic elements that make up a wildcard pattern.

Table 2. PDOS wildcard elements

Wildcard element | Description
* | Matches a string of any length, including slash (/) characters
? | Matches any single character
+ | Matches one or more occurrences of the preceding element
[character-set] | Matches a single character from the set. The set is specified following the POSIX wildcard expansion rules; for example, [a-z] matches any ASCII character in the range a to z
character | Matches only the specified character

The escape character (¥) removes the special meaning of the characters above. To match a single escape character, use two of them (¥¥). Table 3 shows wildcard patterns that match and patterns that do not match.

Table 3. Wildcard matching examples

Pattern | Matching strings | Non-matching strings
a* | a, aa, a quick brown fox | ba, q a, over the dog
a¥* | a* | ab
a? | aa, al | a, aaa
/usr/local/*.log | /usr/local/x.log, /usr/local/app/x.log | /usr/local/x.log.1
*.charity.org | www.charity.org, ftp.charity.org | www.charity.org.com
[[:alpha:]]+ | abcd, ABCD | /abcd, tty0
* | " *" (a space before the asterisk), a b, abcde ghijk lmnop, abcd | the empty string

!���"�������
For each type of resource that uses wildcard patterns, PDOS must determine which wildcard pattern to apply. For example, suppose the following two patterns exist:

/usr/local/*.log

and

/usr/local/user1/*.log

The string /usr/local/user1/x.log matches both of them.

To resolve this ambiguity, PDOS applies precedence rules. The more specific a pattern is, the higher its precedence. Under this principle, /usr/local/user1/x.log is matched against the /usr/local/user1/*.log pattern rather than the /usr/local/*.log pattern. Once the match is found, any policy that applies to the object matched by that pattern is applied.

Table 4 shows the precedence of wildcard elements. The table lists the elements from the highest precedence down.

Table 4. Precedence rules for wildcard elements

Precedence | Element | Example
1 | The character itself | a, ¥*, ¥¥
2 | A character range | [Aa], [[:digit:]]
3 | Any character | ?
4 | A repeated character | a+
5 | A repeated character range | [Aa]+, [[:digit:]]+
6 | Any repeated character | ?+
7 | Any string | *

Depending on the resource type, precedence is decided by comparing the patterns element by element, either from the beginning toward the end or in the opposite direction. Patterns that match file names are compared from the beginning toward the end. Patterns that match host names are compared from the end toward the beginning.

When two patterns are compared on length, the longer pattern is considered more specific than the shorter one, except where a string is shortened because it contains an asterisk (*).

!���"���������
Table 5 shows wildcard patterns for file names and host names arranged from highest precedence to lowest.

Table 5. Examples of wildcard pattern precedence

Precedence | File-name pattern | Host-name pattern
1 | log/0[0-9]/error | www.[a-z]tv.com
2 | log/0?/error | www.?tv.com
3 | log/0*/error | www.*tv.com
4 | log/[0-9]+/error.1 | www-help.[a-z]+v.com
5 | log/*/error.1 | www-help.*v.com
6 | log*/error.1 | www-help.*.com
7 | log*/error | www.*.com
8 | log*/error* | *www.*.com
9 | log* | *.com
10 | * | *

When the only difference between two patterns is the characters given in a character set, precedence is decided by comparing the two strings that contain the patterns in dictionary order. This is needed only when the character sets being matched have some character in common; if the two sets share no character, any given string matches only one of the patterns.
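The wildcard elements of Table 2 and the precedence rules of Tables 4 and 5, as an added example in Python that is not part of the manual or the product: one tokenizer shared by a matcher (checked against the rows of Table 3) and a precedence comparison (checked against the order of Table 5). The backslash stands in for the ¥ escape character of the page, and the tie-break used when one pattern ends before the other is an assumption noted in the code.

```python
import re
from functools import cmp_to_key

# POSIX classes accepted inside a bracket expression ([[:alpha:]], [[:digit:]] on the page).
_POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9", "upper": "A-Z",
                  "lower": "a-z", "xdigit": "0-9A-Fa-f", "space": r"\s"}


def tokenize(pattern):
    """Split a pattern into elements [kind, text, rank, repeated].

    rank follows Table 4: 1 for a character, 2 for a set, 3 for '?', each
    raised by 3 when the element carries a '+', and 7 for '*'.  A backslash
    plays the role of the escape character printed as ¥ on the page.
    """
    tokens, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):            # escaped character
            tokens.append(["literal", pattern[i + 1], 1, False])
            i += 2
        elif c == "*":
            tokens.append(["star", "*", 7, False])
            i += 1
        elif c == "?":
            tokens.append(["any", "?", 3, False])
            i += 1
        elif c == "[":
            j = i + 1
            while j < len(pattern) and pattern[j] != "]":
                if pattern.startswith("[:", j):           # a [:class:] inside the set
                    end = pattern.find(":]", j + 2)
                    j = len(pattern) if end == -1 else end + 2
                else:
                    j += 1
            if j < len(pattern):
                tokens.append(["set", pattern[i:j + 1], 2, False])
                i = j + 1
            else:                                         # unterminated '[' is literal
                tokens.append(["literal", c, 1, False])
                i += 1
        elif c == "+" and tokens and tokens[-1][0] != "star" and not tokens[-1][3]:
            tokens[-1][2] += 3                            # repeat the preceding element
            tokens[-1][3] = True
            i += 1
        else:
            tokens.append(["literal", c, 1, False])
            i += 1
    return tokens


def to_regex(pattern):
    """Translate a wildcard pattern into a Python regular expression."""
    out = []
    for kind, text, _rank, repeated in tokenize(pattern):
        if kind == "star":
            out.append(".*")
            continue
        if kind == "any":
            atom = "."
        elif kind == "set":
            body = text[1:-1]
            for name, cls in _POSIX_CLASSES.items():
                body = body.replace("[:%s:]" % name, cls)
            atom = "[" + body + "]"
        else:
            atom = re.escape(text)
        out.append(atom + "+" if repeated else atom)
    return "".join(out)


def matches(pattern, string):
    """Whole-string match; Table 3 lists the empty string as matching nothing, not even '*'."""
    return string != "" and re.fullmatch(to_regex(pattern), string, re.DOTALL) is not None


def more_specific(p1, p2, resource="file"):
    """Return the pattern that takes precedence for a file-name or host-name resource.

    File-name patterns are compared element by element from the left, host-name
    patterns from the right; at the first position where the ranks differ the
    lower rank wins, and two sets with different contents fall back to dictionary
    order.  When one pattern ends first, the longer one wins unless its extra
    elements are only '*' (assumed reading of the "shortened by an asterisk" rule).
    """
    t1, t2 = tokenize(p1), tokenize(p2)
    if resource == "host":
        t1, t2 = t1[::-1], t2[::-1]
    for a, b in zip(t1, t2):
        if a[2] != b[2]:
            return p1 if a[2] < b[2] else p2
        if a[0] == "set" and a[1] != b[1]:
            return min(p1, p2)
    if len(t1) == len(t2):
        return p1
    if len(t1) > len(t2):
        return p2 if all(tok[0] == "star" for tok in t1[len(t2):]) else p1
    return p1 if all(tok[0] == "star" for tok in t2[len(t1):]) else p2


def order_by_precedence(patterns, resource="file"):
    """Sort patterns from highest to lowest precedence."""
    def cmp(a, b):
        return 0 if a == b else (-1 if more_specific(a, b, resource) == a else 1)
    return sorted(patterns, key=cmp_to_key(cmp))
```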



#�$��%��&��

Policy Director O"2 DNp\*J"/;9&3sHm<krs!7^9#

"/;9&3sHm<k&j9H"/;9&3sHm<k&j9H (ACL) O"f<6<1L"*hSBT"k$OnT5lk"/7gsKpE$F"/;9&3sHm<krjA7^9#

]n*V8'/H&]j7<]n*V8'/H&]j7< (POP) O">Nps ("/;9,BT7F$k~VJI) KpE$F"/;9&3sHm<krjA7"hjrF:7Fbh$+I&+JIN"vDhjNILr)f7^9#

"/;9&3sHm<kO"ACL *hS POP rjA7"=Ne3lir*V8'/HKIC9k3HKhj,Q5l^9# *V8'/HN>0 (]n*V8'/H>)O"]n5lF$kj=<9r=7^9#

Policy Director O"]nG-k*V8'/HN;CHrjA9k?aK 2 DN}!

rs!7^9# 1 DO"j=<9&G#9+Pj<!=Khk0*jAG"j"b& 1 DO"]j7<&G<?Y<9G@(*K*V8'/Hrn.9kE*jAG9# PDOS O"E*b<IrHQ7^9# ]n5lk9YFN*V8'/H"D^j" ACL ^?O POP ,UC5lk*V8'/HO9YF"@(*Kn.5lF$J1lPJj^;s# ?H(P"!N pdadmin 3^sI"

pdadmin> object create /OSSEAL/Servers/File/etc/passwd "Password file" 3 ispolicyattachable yes

O" ″Password file″"?$W 3 (U!$krU#) H$&b@rU1? /etc/passwd U!$kr(7"3N*V8'/HKvD]j7<rUC9kh&KXj7F" PDOSFile j=<9rn.7^9# *V8'/HNn.3^sI*hS pdadmin 3^sIKD$FN\YO" Policy Director NI-easF<7gsr2H7F/@5$#

Policy Director O""Wj1<7gsG-N}!G]j7<&G<?Y<9K^^lkpsrH%9k!=rj=<9&^M<8c<Ks!7^9#"Wj1<7gsG

-NH%0-O"]j7<&G<?Y<9GjA5lk*V8'/H"ACL"*hSPOP NU#rH%9kNKHQ5l^9# PDOS O""/7gsrBT9kNKH

Q5lkWm0i`KpE$F"/;9&3sHm<kr$sWjasH9k?aNH% ACL 0-rjA7^9# PDOS b"H%*V8'/H0-rjA7F"Holidays *hS Sudo j=<9r$sWjasH7^9# 35Z<8NXm0$s&]j7<Y *hS 45Z<8NXSudo ]j7<Y GO"3liNH%0-KD$Fb@7^9# 3N;/7gsNDjNt,GO""/;9&3sHm<kN=l>lN?$W"*hS PDOS ,3lrINh&KHQ9k+rb@7^9#

#�$��%��&������Policy Director D-GN"/;9&3sHm<k&j9H (ACL) O"$U"/;9&3sHm<kbGkK>$^9# j=<9XN"/;9O"f<6<N1L*hS3liNf<6<,BT7F$k"/7gsKpE$F)f5l^9#

An ACL is made up of a list of ACL entries. Each ACL entry has an accessor and a permission set. These components are written in the form shown in the following example:

accessor : permission-set

A permission is represented by a single character that denotes an action which can be performed on the object to which the ACL is attached. For example, the x permission denotes permission to execute a program.



PDOS KhjHQ5lk04JvD;CHO" 13Z<8N=6 Kb@5llF$^9# "/;5<O" ACL (sHj<N,QP]HJkf<6<rb@7^9# "/;5<N?$WO"J<NH*jG9#

user 3N"/;5<&?$WO"CjNf<6<Nj=<9XN"/;9r)f9k ACL (sHj<rjA7^9# 3N?$WN"/;5<KO"f<6<N>0bXjG-^9# 3Nf<6<>O"{8N Policy Director f<6<r1L9kbNGJ1lPJj^;s#J<N ACL (sHj<O"k<H&f<6<K x vDr'D7^9#

user root : x

3NoN ACL (sHj<O"G%h5lkbNG9# f<6<&k<H,"x vDr]'5lF$k0k<WNasP<G"klg"3N ACL (sHj<,3lreq-7^9# UK"f<6<&k<H, y vDr?(il?0k<WNasP<G"klg"3N ACL (sHj<,%h5l"3NACL Khj]n5lF$kj=<9GNk<H y vDr]'7^9# ACL(sHj<GO"=l>lNf<6<Kf<6<&(sHj<, 1 D@1"kh&K9k?aK"f<6<&"/;5<Nf<6<>3s]<MsHOG

-GJ1lPJj^;s#

group3N"/;5<&?$WO"0k<W&asP<7CWKpE$Fj=<9XN"/;9r)f9k ACL (sHj<rjA7^9# 3N?$WN"/;5<KO"0k<WN>0bXjG-^9# 3N0k<W>O"{8NPolicy Director 0k<Wr1L9kbNGJ1lPJj^;s#J<N ACL(sHj<O"f<6<&0k<WK y vDr'D7^9#

group users : y

f<6<O"0k<W&asP<7CWKpE$FvDr?(il"asP<HJCF$k0k<WN0k<W ACL (sHj<K"k9YFNvDru1^9# ?H(P"f<6< kevin O"0k<W users *hS sys-admin NasP<G"kbNN" net-admin NasP<GOJ$lg"J<N ACL(sHj<O"kevin K a *hS b vDr?(kbNN"c vDO?(^;s#

group users : a
group sys-admin : b
group net-admin : c

ACL (sHj<GO"=l>lN0k<WK0k<W&(sHj<, 1 D@1"kh&K9k?aK"0k<W&"/;5<N0k<W>3s]<MsHOG-GJ1lPJj^;s#

any-otherany-other ACL (sHj<O"ACL Nf<6<&(sHj<G@(*Kj9H5lF*i:" ACL N0k<W&(sHj<Kj9H5lF$k0k<WNasP<GbJ$"$UNvDf<6<KvDr?(^9# 3N?$WN(sHj<rHQ9kH"vDf<6<KP9kGU)kHvDNjA,D=

KJj^9# J<N(sHj<O" ACL Nf<6<^?O0k<W&(sHj<K~iJ$$UNvDf<6<K q vDr'D7^9#

any-other : q

ACL G=(G-k any-other ACL (sHj<O"1 D@1G9#



unauthenticatedunauthenticated ACL (sHj<O"5vDNf<6<KvDr'D7^9#3Z<8NXUNIX 1L"*hS PDOS f<6<1LHNX8Y GO"PDOS GN5vDf<6<NU#,b@5lF$^9# 5vDf<6<O"Policy Director f<6<>r}?:" Policy Director 0k<WNasP<GbJ$f<6<HjA5l^9# J<N(sHj<O"5vDNf<6<Kp vDr'D7^9#

unauthenticated : p

ACL G=(G-k unauthenticated ACL (sHj<O"1 D@1G9# 5v

Df<6<,"vDf<6<K?(ilF$J$vDru1k3HOG-^;s# D^j"unauthenticated ACL (sHj<G'D5lF$F" any-otherACL (sHj<GO'D5lF$J$vDO9YF5k5l^9# eNcGO"ACL N any-user (sHj<K p vD,U?5lF$klg"unauthenticated f<6<KU?G-kNO p vD@1KJj^9#

vDO"Policy Director Khj]n5lF$kj=<9eGBTG-k"/7gsrb@7^9# ACL (sHj<GXj5lkvDN;CHO" ACL (sHj<N"/;9KM-go;kf<6<KU?5l?vDN04;CHG9# f<6<,"vD;CHKJ$"/7gsrBT7h&H7Fb" ACL ,]n7F$kj=<9XN"/;9Oq]5l^9#

vDO"Policy Director "/7gsKhjjA5l^9# "/7gsO"vDr(918zNJ,-f"vDN>0",Q9kj=<9No`"*hS3N"/7gs&0k<WrjA7^9# "/7gs&0k<WO"X""/7gsN3l/7gsG9# 9YFN PDOS "/7gsO" OSSEAL "/7gs&0k<WNasP<H7FjA5l^9# OSSEAL "/7gs&0k<WN"/7gsO" PDOS,]n9kj=<9GBTG-k`nr(7^9# =6 GO"PDOS KhjHQ5lk9YFN"/7gsrjA7^9# =l>lNvDKD$FO"\qGo~b@5lF$^9#

Table 6. PDOS permissions defined in the OSSEAL action group

Action | Description | PDOS resource type
C | Connect | NetIncoming and NetOutgoing
D | Change directory | File
G | Surrogate | Surrogate
K | Kill a program | File
L | Login | Login
N | Create | File
R | Rename | File
U | Set time stamp | File
d | Delete | File
l | List directory | File
o | Change ownership | File
p | Change permissions | File
r | Read | File
w | Write | File
x | Execute | File and Sudo



Policy Director O"]j7<I}!=XN"/;9r)f9k"/7gsrjA7^9# PDOS O"3liN"/7gsrHQ7F"PDOS ]j7<r@l,Q9G-k+r)f7^9#3liN"/7gsO9YF" 1 !"/7gs&0k<WNasP<G9# PDOS ]j7<I}O"=7 G 1 !"/7gsrHQ7^9#

Table 7. Policy Director primary actions used for policy management

Action | Description
a | Attach an ACL or POP
b | Browse the object space and view object names
c | Control or modify ACLs
d | Delete objects
m | Modify object attributes
v | Display object attributes

The complete meaning of these permissions is described in the Policy Director documentation.

Table 8 lists the two other Policy Director primary actions that affect how authorization decisions are made.

Table 8. Policy Director primary actions used in policy decisions

Action | Description
B | Bypass time restrictions
T | Traverse

If a user has the B permission, no time restrictions that would otherwise apply are applied to that user. A policy administrator needs this permission to manage policy on objects that are subject to time-of-day access restrictions. For details on time restrictions, see "Protected object policies" on page 16.

The T, or Traverse, permission gives effective control over access to the branch of the hierarchy that holds a resource. For details, see "Inheritance and Traverse".

vD;CHKH_~^lk]KO"9YFN"/7gsKD$F""/7gs&0k<W>,\,tKU-^9# 1 !"/7gsN"/7gsGO"3lO"*W7gsG9# PDOS N ACL (sHj<O"Lo"J<Nh&KJj^9#

user root : T[OSSEAL]rwx

3lO"f<6<&k<HK PDOS NI_hj"q-~_"*hSBTvD"=7F#GvD,"k3Hr(7^9# >Nj=<9&^M<8c<b"PDOS KhjHQ5lkbNK`w7?J,>rHQ7F"/7gsrjA9klg,"j^9#?H(P"Policy Director WebSEAL O" ’r’ rHQ7F"WebSEAL Khj]n5lk Web Z<8rI_hkvDr?(^9# 3liNvDO"J,-f,18G"kKb++oi:"4/LDNbNG"j".17FOJj^;s# vD;CHBr[OSSEAL]wx N ACL (sHj<O" PDOS f<6<K"3N(sHj<N ACL,]n7F$kU!$kXNI_hj"/;9rU?7^;s#

�������Policy Director D-O">Nj=<9+i ACL rQ59k3H,G-^9#



Q5NcH7F"U!$k&j=<9N]nr4Y^9#?H(P"4HQN79F`KG#l/Hj< project01 ,"klg"3NG#l/Hj<N]n*V8'/H>O /OSSEAL/default/File/project01 KJj^9# Wm8'/HNU!$k9YFr^`G#l/Hj< /project01 N]n*V8'/H>K ACL rV/3HKhj"3NG#l/Hj<K"k9YFN5VG#l/Hj<*hSU!$kO"3N ACLr project01 +iQ57^9#

ACL r"]n*V8'/H>,XNeLKV/H"Q5KhCF"?/Nj=<9K]j7<rJ1K,Q9k3H,G-^9#

Q5O"9YFNj=<9K,Q5l^9# j=<9K ACL ,UC5lF$J$lgKO" PDOS O"ACL r+D1k^G]n*V8'/H>r\07^9# ?H(P"

1. >K"]n*V8'/H>

/OSSEAL/default/NetIncoming/tcp/telnet/www.company.com NMCHo</&j=<9XN"/;9rn_F$kH7^9#

2. 3N]n*V8'/H>K ACL ,djvFilF$J$lg" PDOS O"/OSSEAL/default/NetIncoming/tcp/telnet K ACL ,djvFilF$J$+r4Y^9#

3. 90eNlYkK ACL ,UC5lF$J$lgKO" PDOS O"/OSSEAL/default/NetIncoming/tcp K ACL ,djvFilF$k+r4Y^9#

4. 3Nh&K7F"PDOS O"]j7<hjKHQG-k ACL r+D1k^G",Xre2FQ37^9#

3Nk<kKO"c0, 1 D"j^9# PDOS ,U!$k&79F`&j=<9r]n9k]KO"oK"9YFN"/;9rU?9k ACL G"kvF ACL O"U!$k&79F`Nk<HKUC5lkbNH7^9# 3lKhCF" PDOS ,3lr]n9k]b79F`OQ37F`nD=KJj"U!$k&79F`&j=<9K"/;95lk]KO PODS ,zL*JvDhjr9k3H,G-kh&K7^9#

]j7<hjr9k]KO" PDOS O",XGGcLN ACL rHQ7^9#3N<LlYk ACL O"$UNbLlYk ACL req-7^9# ?H(P"J<Nu7r[j7^9#

1. ]n*V8'/H> /OSSEAL/servers/File/usr/games/solitaire NU!$k&j=<9r}CF$kbNH7^9# solitaire (=jF#") 2<`OU!$kG"j"usr*hS games OG#l/Hj<G9#

2. G#l/Hj< usr KO9YFNMK04"/;9rs!9k ACL ,"j"solitaire KO""I_K9Hl<?<KN_04"/;9rs!9k ACL ,"kH7^9#

3. Q5KhlP"usr N<N games G#l/Hj<O"9YFNM,"/;9G-kbNN" usr G#l/Hj<N ACL KINh&J ACL (sHj<,"kK7Fb" solitaire O""I_K9Hl<?<7+"/;9G-^;s#

3Nk<kN#lNc0G",XG<LK"k ACL ,eLN ACL req-9kbNO" 1 ! Policy Director #GvD (’T’) N0nG9# f<6<,j=<9K"/;9G-kh&K9kKO"3Nf<6<O""/;97h&H7F$k*V8'/Hhjb,X,eLN9YFN ACL K#GvD,U?5lF$J1lPJj^;s# *V8'/H+NK"/;99kKO"#GvDO,WGO"j^;s# eNcGO""I_K9Hl<?<O"usr KUC5lF$k ACL KO#GvD,,W



G"kbNN" solitire KUC5lF$k ACL KO,WGO"j^;s# ACL ,games KV+l?lgKb""I_K9Hl<?<KO"3N ACL Khj#GvD,?(ilk,W,"j^9#

�������������

Policy Director O"]n*V8'/H&]j7< (POP) H$&lA0N"/;9&3sHm<krs!7^9# POP O""/;9&3sHm<krjA9kH-Kf<6< ID df<6<,BT9k"/7gsKpE+:"3N"/;9&3sHm<krHQ7F"vDhj,Tolk}!KD$FN=N>N\Yb)f7^9# POPO ACL H1M"I}TKhCFjA5l"]n5lF$kj=<9r=9 PolicyDirector G<?Y<9bN*V8'/HKUC5l^9# POP b ACL H18Q5

k<kK>$^9#

POP H ACL O=l>lDLKQ55lk?a"=lir*V8'/H,XbN18ljKUC9k,WO"j^;s#"k 1 DNljK[V5lF$k ACL +i"/;9&3sHm<krQ59k*V8'/Hb"lP"LNljK[V5lF$kPOP +i"/;9&3sHm<krQ59k*V8'/Hb"j^9#e-N=jF#"NcGO" games G#l/Hj<GN~o"/;9r)B9k POP Oq]5lk3HKJCF$^9#=jF#"XN"/;9O">\UC5l? ACL H"games KUC5l?"Q5Khk POP KhCF)f5l^9#

POP bNM9J0-O"jAD=G9# PDOS ,HQ9kNO"Ypb<I"F:

lYk"*hS~oN0-G9#]nNA"^?O IP (sI]$sH'ZN0-OHQ7^;s#

#�$��%��&�������� POP ��POP KO$/D+N0-,w(ilF*j"3lrHQ7FCjN]j7<r$sWjasH9k3H,G-^9#

�������3N"/;9&3sHm<kO"nT]j7<N$sWjasHrvD7^9# POPK]n5l?]n*V8'/HNYpr yes K_j9kH"Ypb<I,HQD=

KJj^9#Ypb<I,HQD=NuVG ACL ,*V8'/HXN"/;9rq

]9kH""/;9,q]5lkeojK"/;9",U?5l"F:l3<I,8.5l^9#]j7<rn9KO",jG ACL r,Q7"F:ZWr4:7F"q

]5lkY-"/;9,q]5l"U?5lkY-"/;9,U?5lk3Hr!:

7F/@5$#F:l3<IO" POP bNF:lYkN_jKX8J/8.5l^9#Ypb<I0-NcKD$FO"80Z<8NXj=<9Ypb<INHQD=

="HQTD"*hSHqYr2H7F/@5$#

GU)kHGO"Ypb<IOHQTDKJCF$^9#

��'����F:lYkKhk"/;9&3sHm<kO"*V8'/HXN"/;9KhjF:

l3<I,8.5lkD-rXj7^9#F:lYkO"J<N 1 DJeNlYkK_j5l^9#

permit3l,HQD=Jlg"F:$YsHO"j=<9XN"/;9,U?5lkH-K8.5l^9#

deny 3l,HQD=Jlg"F:$YsHO"j=<9XN"/;9,q]5lkH-K8.5l^9#



adminPDOS j=<9KO,Q5l^;s#

error PDOS j=<9KO,Q5l^;s#

all q]5l?9YFNF:lYk,HQD=KJj^9#

noneq]5l?INF:lYkbHQD=KJj^;s#

GU)kHNF:lYkO"none G9#

j=<9NF:lYkN_jcKD$FO" 81Z<8NXj=<9F:lYkN_j*hSHqYr2H7F/@5$#F:lYkKD$FN\YO"Policy DirectorqAr2H7F/@5$#

����~oKhk"/;9&3sHm<kO"j=<9K"/;9G-kK|H~orXj

7^9#~oKhk"/;9&3sHm<kNXjA0O"!NH*jG9#

day-range: time-range : [fixed | zone]

=l>lNU#O"J<NH*jG9#

day-rangeanyday" weekday"^?O sun"mon" tue"wed" thu"fri" sat r3s^GhZC?j9HG9# anyday *W7gsO"f<6<,5N9YFNK|Km0$srvD5lk3Hr(7^9# weekday (?|) *W7gsO"f<6<,ZK|H|K|r|/9YFNK|Km0$srvD5lk3Hr(7^9#K|Nj9HO"f<6<,=3GXj5l?K|N_"j=<9K"/;9G-k3Hr(7^9#

time-rangeanytime"^?O+O~oH*;~orXj7^9# anytime *W7gsO"f<6<," day-range GXj7?K|NIN~VKbj=<9K"/;9G-k3Hr(7^9# start_hhmm-end_hhmm NA0G~orXj9kl

g" start_hhmm KO~VH,r" end_hhmm KO*;~orXj7^9#~VO 24 ~VA0GXj7^9#

fixed ~o)Br Universal Coordinated Time (UTC) KpE$F,Q9k+I&+rXj7^9#

zone f<6<,m0$s9k"^?OHQ9k^7sN=O~VrXj7^9#GU)kHO zone G9#

GU)kHGO"o~"/;9,vD5lF$^9#

#�$���

PDOS defines an extended attribute for ACLs. It controls the programs that a user can use to perform a particular action. The restriction is enforced by the ACL in addition to its access control: the access restriction is applied only after the ACL entries have first granted the user access. The attribute name is Access-Restrictions, and its format is as follows:

accessor : permission-set : program-set



accessor is an accessor defined in the same way as the accessor component of an ACL entry. The permission set is likewise defined as in an ACL entry; the one difference is that, because this extended attribute applies only to PDOS actions, the [OSSEAL] action-group qualifier is optional.

The program set is a space-separated list of programs. Using those programs, the accessor can perform the actions given in the permission set on the resources protected by the ACL that the access restriction extends. The programs listed in the program set must be trusted to access the resources protected by the ACL; for that reason they are included in the Trusted Computing Base. For details on the Trusted Computing Base, see "Trusted Computing Base resources" on page 27.

A program set consisting of just * means that every program can be used to perform the actions.

#�$�����
For example, to give every user access to the /etc/passwd file while restricting non-administrators to writing that file only through the /usr/bin/passwd command, you can use an ACL defined with the following commands:

pdadmin> acl create passwd
pdadmin> acl modify passwd set any-other [OSSEAL]rw
pdadmin> acl modify passwd set unauthenticated [OSSEAL]rw
pdadmin> acl modify passwd set attribute ¥
Access-Restrictions "group sys-admin:w:*"
pdadmin> acl modify passwd set attribute ¥
Access-Restrictions "any-other:w:/usr/bin/passwd"
pdadmin> acl modify passwd set attribute ¥
Access-Restrictions "unauthenticated:w:/usr/bin/passwd"
pdadmin> object create /OSSEAL/Servers/File/etc/passwd "passwd file" 3 ¥
ispolicyattachable yes
pdadmin> acl attach /OSSEAL/Servers/File/etc/passwd passwd

Access restrictions can be applied to all PDOS resources (File, NetIncoming, NetOutgoing, Login, or Surrogate). Defining an Access-Restriction for a Sudo resource has no meaning, because the access program is always the pdossudo command. For details on Sudo policy and the pdossudo command, see "Sudo policy" on page 45.

#�$������
When access is attempted to a resource protected by an ACL that carries Access-Restrictions, the following rules determine which access restriction applies.

1. Find every entry whose permission set contains each of the requested permissions. For example, when read/write access is requested, only entries that hold both the 'r' and 'w' permissions (possibly among others) are considered.

2. If the user is unauthenticated and no unauthenticated accessor entry exists, grant access.

3. If the user is unauthenticated and unauthenticated accessor entries exist (there may be several) whose program sets list the user's program, grant access; otherwise deny access.

4. If the user is authenticated, find the entries whose user accessor matches the user requesting access. If any of them includes the user's program in its program set, grant access; otherwise deny access.

5. If no matching user accessor was found, find the group accessor entries of every group in which the requesting user has membership. If any of them includes the user's program in its program set, grant access; otherwise deny access.

6. If neither a matching user accessor entry nor a matching group accessor entry was found, and other accessor entries exist none of which lists the user's program, deny access.

7. Otherwise, grant access (either no other accessor entries exist, or one of them lists the user's program in its program set).
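The seven rules above, run over the Access-Restrictions values of this chapter's two examples (the root/sys-admin/net-admin values and the values set on the passwd ACL), as an added example in Python that is not part of the manual or the product. Assumptions: the "other accessor entries" of rules 6 and 7 are the any-other entries, the sample user names and group memberships are constructed, and the entries are kept as written rather than split per permission.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Restriction:
    """One Access-Restrictions value: accessor : permission-set : program-set."""
    kind: str            # "user", "group", "any-other" or "unauthenticated"
    name: str            # user or group name; empty for the other two kinds
    perms: frozenset     # PDOS permission letters the entry covers
    programs: frozenset  # program set; {"*"} stands for every program


def parse_restriction(text):
    """Parse an attribute value such as 'group sys-admin:r:/usr/bin/more'."""
    accessor, perms, programs = (part.strip() for part in text.split(":", 2))
    words = accessor.split()
    kind, name = (words[0], words[1]) if len(words) == 2 else (words[0], "")
    if perms.startswith("[OSSEAL]"):      # the action-group qualifier is optional here
        perms = perms[len("[OSSEAL]"):]
    return Restriction(kind, name, frozenset(perms), frozenset(programs.split()))


def _lists(entry, program):
    return "*" in entry.programs or program in entry.programs


def evaluate(restrictions, user, groups, authenticated, requested, program):
    """Return True when access through `program` is granted, False when denied.

    Assumed here: the "other accessor entries" of rules 6 and 7 are the
    any-other entries.
    """
    # Rule 1: only entries holding every requested permission take part.
    candidates = [r for r in restrictions if set(requested) <= r.perms]
    if not authenticated:
        unauth = [r for r in candidates if r.kind == "unauthenticated"]
        if not unauth:                                      # rule 2
            return True
        return any(_lists(r, program) for r in unauth)      # rule 3
    mine = [r for r in candidates if r.kind == "user" and r.name == user]
    if mine:                                                # rule 4
        return any(_lists(r, program) for r in mine)
    ours = [r for r in candidates if r.kind == "group" and r.name in groups]
    if ours:                                                # rule 5
        return any(_lists(r, program) for r in ours)
    others = [r for r in candidates if r.kind == "any-other"]
    if others and not any(_lists(r, program) for r in others):
        return False                                        # rule 6
    return True                                             # rule 7


# The attribute values of the page's worked example (constructed input for this demo).
EXAMPLE = [parse_restriction(s) for s in (
    "user root:rw:/usr/bin/vi",
    "group sys-admin:r:/usr/bin/more",
    "group net-admin:r:/usr/bin/cat",
)]

# The values set on the passwd ACL by the page's pdadmin example.
PASSWD = [parse_restriction(s) for s in (
    "group sys-admin:w:*",
    "any-other:w:/usr/bin/passwd",
    "unauthenticated:w:/usr/bin/passwd",
)]

if __name__ == "__main__":
    # root may read only through vi; a sys-admin member only through more.
    print(evaluate(EXAMPLE, "root", ["sys-admin"], True, "r", "/usr/bin/vi"))    # True
    print(evaluate(EXAMPLE, "root", ["sys-admin"], True, "r", "/usr/bin/more"))  # False
    print(evaluate(PASSWD, "bob", ["users"], True, "w", "/usr/bin/vi"))          # False
```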

#�$�������
Assume the following Access-Restrictions attribute values:

user root:rw:/usr/bin/vi
group sys-admin:r:/usr/bin/more
group net-admin:r:/usr/bin/cat

In this case, user root can use only /usr/bin/vi when reading, writing, or doing both. The root user cannot read the file with either the /usr/bin/more or the /usr/bin/cat program, because root always matches the first entry and group membership is then not considered.

Only members of the sys-admin group can read the file with the /usr/bin/more command.

Members of the net-admin group must use /usr/bin/cat to read the file.

A user who is a member of both groups (other than root) can read the file with either /usr/bin/more or /usr/bin/cat.

Because these Access-Restrictions values do not further restrict write access for members of the sys-admin and net-admin groups (root excepted), write access for those members is controlled only by the ACL entries of the ACL to which the Access-Restriction is applied. To keep members of these groups from writing to the file, the ACL entries must deny write access. If the ACL entries grant write access, members of these groups (root excepted) can use any program to write to the file.

When an access restriction is defined, its actions are grouped: the restriction user root:rw:/usr/bin/vi in the example above is split into the following two restrictions:

user root:r:/usr/bin/vi

and

user root:w:/usr/bin/vi

If root opens a file protected by both of these read and write restrictions, the access restriction is not applied, because a restriction applies only when it contains every requested permission.

����(�� ��

3N;/7gsO"PDOS D-GjA5lk]n79F`&j=<9KD$Fb@7^9#33GO"PDOS ,]nG-kj=<9"j=<9,]j7<&M<`&9Z<9GjA5lk}!"*hSj=<9KjAG-k"/7gsrXj7^9#^?"j=<9, PDOS Trusted Computing Base (TCB) GjA5lk}!"*hSTCB j=<9,7olk}!bb@5l^9#

�)�������PDOS KO"U!$k&79F`&j=<9XN"/;9r)f9k!=,woCF$^9#U!$k&79F`&j=<9O"J<G=.5l^9#

¶ U!$k

¶ G#l/Hj<

¶ =UH&js/

¶ O<I&js/

¶ uVU!$k

3N;/7gsGO"PDOS vD]j7<,3liNj=<9K,Q5lkH-K"Fj=<9N"/;9,u1kFAKD$Fb@7^9# PDOS O"J<N 2 DN}!G"U!$k&79F`&j=<9r]n7^9#

¶ "/;9&3sHm<kO""/;9rn_kf<6<N ID H"BT9k"/7gsKpE$F"U!$k&79F`&j=<9r]n7^9#=liO"File?$WN PDOS j=<9K,Q5l^9#

¶ TCB NasP<7CWO"asP<NbFH0-NQ9rbK?<9k3HKhj"U!$k&79F`&j=<9r]n7^9# TCB NasP<7CWO"TCB ?$WN PDOS j=<9Khjq]5l^9#

3li 2 DN]n!=KD$FO"J<N;/7gsGb@7^9#

�)���� ��U!$k&79F`&j=<9O"j=<9&?$W File r}D*V8'/H>rjA9k3HKhCF"^?]n9kU!$k&79F`&j=<9N>0rXj9k3HKhCF" Policy Director M<`&9Z<9K=5l^9#

/OSSEAL/policy-branch/File/filespec

21Z<8N=9 KO"U!$k&79F`&*V8'/HKD$FN\Y,-\5lF$^9#



Table 9. File-system objects

Object name | Description | Type
filespec | Object name that represents a file-system resource. The string specifies the absolute path name of the file resource being protected; the path name may contain wildcards. | String conforming to UNIX file-naming rules

Examples of file-system resources

The following are examples of file-system resource specifications:

/OSSEAL/Default/File/etc/passwd
/OSSEAL/Default/File/usr/local/*/*.log
/OSSEAL/Default/File/usr/sbin/httpd

J<N)BO"File j=<9r?>9kH-K,Q5l^9#

¶ "/;9&3sHm<kO root G#l/Hj< / KUCG-J$# PDOS Oo

K"vD"/;9&3sHm<k, /OSSEAL/policy-branch/File KUC5lk3Hr0sH7^9#

¶ U!$kXjNGiN(lasHK"o$kI+<Ir^ak3HOG-^;s(?H(P"/*.log"/*/tmp JI) root G#l/Hj<NCjNj=<9O""/;9&3sHm<kr}D3H,G-^9#

3liN)BKhj"PDOS Nz(*NI$vDhj,]Z5l^9#

�)���� ����#�$��%��&��File j=<9K,Q9k PDOS "/7gs,"=10 GjA5lF$^9#

Policy Director ACL O"M<`&9Z<9N"U!$k&79F`&j=<9bNI3KGb[VG-^9#5,N Policy Director ACL Q5k<kO"U!$k&79F`&j=<9Ks!5l^9#3lKO"namespace traversal (T) vD,^^l^9#

5, ACL Q5bGkN#lNc0O"U!$k&79F`&M<`&9Z<9Nroot (?H(P" /OSSEAL/policy-branch/File) G9# PDOS O""/;9 (*hS#G) r4f<6<KvD9k ACL ,"o~=NljK"k3Hr0sH7^9#3&7F"ACL rQ59k\*G"M<`&9Z<9N root ,z(I/K3NljK[V5l^9#D^j"File *V8'/H^?O=lJeKUC5lk@(* ACLO"U!$k&79F`N root G#l/Hj< ( / ) Gb"^?Q5N\*K*$Fb5k5lk"H$&3HG9#

=10 KO"U!$k&79F`&j=<9KX"7?-zJ ACL vD,b@5lF^9#

Table 10. PDOS file permissions

Permission name | Permission granted
Read (r) | Access a file-system resource for reading.
Write (w) | Access a file-system resource for writing.
Create (N) | Create the given file-system resource.
Execute (x) | Execute a file-system resource.
Chown (o) | Change the ownership of a file-system resource.
Chmod (p) | Change the native UNIX file-system permissions associated with a file-system resource. This applies both to operations that change the UNIX mode bits and, on platforms where it is applicable, to operations that set the native ACL of the resource.
Chdir (D) | Change directory to a file-system directory resource (directories only).
Rename (R) | Move (or rename) a file-system resource.
Delete (d) | Remove a file-system resource.
Utime (U) | Change the file access and modification times associated with a file-system resource.
Kill (K) | Terminate a process that was executed from a file-system resource.
List (l) | List the contents of a directory.

ClJ6kq$r}DvDb?/"j"1yN UNIX vD,8_9klgO"/7cC?6kq$r}A^9#J<O"=Nh&J6kq$G9#

¶ 79F`r7cCH@&s^?OjV<H9k!=r)f9k?aK" Kill (K)vDrCl File j=<9 /OSSEAL/policy-branch/unix K,QG-^9#

¶ Rename (R) vDO"Create *hS Delete vDHPC7^9#U!$kr>0Q

99kH-"f<6<O=<9&U!$k@1GJ/"?<2CHKbvDrn

.7F*/,W,"j^9#?<2CH,8_9klg"f<6<O5iK=lro|9kvDr}D,Wb"j^9#?H(P"G#l/Hj<K"

log.1 log.bak

H$&bF,8_9klg"

$ mv log.1 log.2

H$&3^sIrG#l/Hj<G/T9k?aK"f<6<O"U!$k log.1KP7F Rename vDr" log.2 KP7F Create vDr}CF$J1lPJj^;s#^?"

$ mv log.1 log.bak

H$&3^sIr/T9klg"f<6<O"U!$k log.bak KP9k CreatevDH Delete vDN>},,WKJj^9#

¶ Change permission (p) vDb"U!$kvDKC(F UNIX ACL rQ99k!

=r)f7^9#3lO"3N!=r5]<H9k79F`GN_,Q5l^9#

¶ Execute (x) vDO"U!$kKN_,Q5l^9#^?"UNIX ’x’ U!$kv

Db"G#l/Hj<,XrJS2<H9k!=r)f7^9# PDOS Changedirectory permission (D) *hS PDOS primary Traverse (T) vDr;Q7F"U!$k&79F`&G#l/Hj<rJS2<H9kf<6<N!=r)f9k3H,G-^9#



�)�����(��U!$k&79F`KO"j=<9NL>rjA9k!=,woCF$^9#j=<9,L>KhCF"/;9ru1kH" PDOS Op\j=<9,^@]n5lF$k3HrN'7^9#U!$k&79F`L>OJ<NLjG9#

¶ 7s\jC/&js/

¶ O<I&js/

¶ uVU!$k

J<N;/7gsGO"]nj=<9,LoNL>KhCF"/;9ru1klg"*hSvD]j7<,B]Nj=<9GOJ/L>KX"U1ilklgK" PDOS,vD]j7<r\T9k}!rb@7^9#

J<O"PDOS ,L>HX"7F"/;9&3sHm<kN7$}rjA9kgWJ6'G9#

¶ L>K,Q5lk"/;9&3sHm<kO"L>KC(FB]Nj=<9b]

n9k,W,"j^9#

¶ 7,L>Nn.9k3HG"{KB]Nj=<9KP7F,Q5lF$k"/;9&3sHm<kr&s9kY-GO"j^;s#

J<N;/7gsrI`H-K"3N 2 DN6'rP(F*$F/@5$#

��*�������^:GiK""/;9&3sHm<k,Q55lJ$lgN"7s\jC/&js/,]j7<N>ANE}K?(kFArM87^9#J<N 3 DN3H,M(il^9#

¶ ?<2CHK">\"/;9&3sHm<k,,Q5lF$^9#3Nh&Jl

g"D^j7s\jC/&js/N?<2CHO"/;9&3sHm<kr,Q

9kNK7s\jC/&js/,,Q7J$lg"$:l+N>0Khkj=<9XN"/;9O"?<2CHKUC5l?]j7<KhCF)f5l^9#7s\jC/&js/rHQ7F"vD]j7<rsr9k3HOG-^;s#

¶ 7s\jC/&js/K"/;9&3sHm<k,,Q5lF$^9#3Nh&Jlg"D^j7s\jC/&js/O"/;9&3sHm<kr,Q9kNK?<2CH,,Q7J$lg"$:l+N>0Khkj=<9XN"/;9b1

MK"7s\jC/&js/KUC5l?18]j7<KhCF)f5l^9#

¶ ?<2CH*hS7s\jC/&js/N>},"/;9&3sHm<kr,Q

7F$^9#"/;9&3sHm<k,7s\jC/&js/H=N?<2CHN>}K,Q5lklg"?<2CHXN>\N"/;9O">\,Q5l?"/;9&3sHm<kKhCFN_)f5l^9#7s\jC/&js/rP3

7?"/;9O">;CHN"/;9&3sHm<kKhCF)f5l""/;5<,>;CHN"/;9&3sHm<kKhCFvD5lklgKN_""/;9,j=<9KU?5l^9#

���� ��� ����

J<O"7s\jC/&js/N]j7<,?(kFANcG9#

� 1ACL ,UC5l?J<NU!$k,"kH7^9#

/usr/bin/vi

/usr/local/bin/vi



H$&U!$kO"J<N7s\jC/&js/G9#

/usr/bin/vi

=Ne"f<6<,$:l+N>0Khk vi NBTrn_kH-" /usr/bin/vi KUC5l? ACL rHQ7FvDhj,Tol^9# ACL , /usr/local/bin/viKUC5lkJi""/;9KIN>0,HolkH7Fb vi rz-3-]n9kG7g&# /usr/local/bin/vi O]n*V8'/HKJj^9#

ACL , /usr/bin/vi H /usr/local/bin/vi N>}KUC5lklg">0

/usr/bin/vi rP39k"/;9O" /usr/bin/vi KUC5l? ACL KhCF]n5l^9# /usr/local/bin/vi rP39k"/;9O">}N ACL KhCF]n5l^9#

� 2>K"

/home/joe/data

,""/;9&3sHm<kr,Q7J$U!$kG"kH7^9#

/home/joe/data.link

O"ACL ,UC5l?G<?XN7s\jC/&js/G9#

/tmp/data/joe_data

O"

/home/joe/data

XN7s\jC/&js/G"ACL ,UC5lF$^9#

J<NroO"3Nj=<9XN"/;9KFAr?(^9#

¶ U!$k,">0 /home/joe/data rP37F"/;9ru1klg""/;9"

,U?5lk0K>}N ACL ,O5lJ1lPJj^;s#

¶ U!$k,"7s\jC/&js/N$:l+rP37F"/;9ru1kl

g">}N ACL ,,Q5l^9#

¶ U!$k, /home/joe/data G<?H7F>\"/;9ru1kH-K ACL ,>

\ /home/joe/data KUC5lklg"3N ACL @1,,Q5l^9#

¶ 7s\jC/&js/N$:l+KhCF"/;9ru1klg"=N ACL H2 DN7s\jC/&js/eN ACL ,,Q5l^9#

¶ 7s\jC/&js/,"U!$k>GOJ/G#l/Hj<>KJklg#0

Kb@7?U!$kKX9kk<kH18k<k,3NlgKb,Q5l"kLH7F"]j7<,?<2CH&G#l/Hj<NbFKhCFQ55l^9#

� 3!KM89kNO"?<2CH&j=<9^?O7s\jC/&js/N$:l+,""/;9&3sHm<kr>\,Q9kNGOJ/"Q55l?"/;9&3sHm<kKhCF]n5lklgG9#7s\jC/&js/K>\"/;9&3sHm<k,,Q5lJ$lg"7s\jC/&js/N?<2CHO"7s\jC/&js/P3G?<2CHK"/;97?H-K7s\jC/&js/,Q57?"/;9&3sHm<kKhCFN_]n5l^9#7s\jC/&js/N?<2CHK>\"/;9&3sHm<k,,Q5lJ$lg"?<2CHKhCFQ55



l?"/;9&3sHm<kO"?<2CHK>\"/;99k+"^?O7s\jC/&js/P3Khj"oK,Q5l^9#J<Ncr+F/@5$#

>K"

/home/joe/data

O"ACL ,>\UC5l?U!$kG"kH7^9#

/tmp/data/joe_data

O"/tmp/data K ACL rUC7? /home/joe/data XN7s\jC/&js/G9#

¶ U!$k,>\"/;9ru1klg">\UC5l? ACL @1,,Q5l^9#

¶ U!$k,>0 /tmp/data/joe_data rP37F"/;9ru1kH">}N ACL,,Q5l^9#

� 4ACL , /home K7+UC5lF$J$ /home/joe/data U!$k,"kH7^9#

/tmp/data/joe_data O"/home/joe/data XN7s\jC/&js/G"3NlgO/tmp/data/joe_data K>\ ACL ,UC5lF$^9#

3Nlg"U!$kO$:l+N>0Khk"/;9ru1kH">}N ACL ,,

Q5l^9#

"/;9&3sHm<kr7s\jC/&js/rp7FAB5;kH"WiCHU)<`H+N]j7<rhjFWKN)9k3H,G-^9#CK"U!$k_WNc$,"B]NU!$kNj=<9>+"=lHb7s\jC/&js/Nj=<9>+N@@1Nlg"=N3H,D=G9#?H(=Nh&JlgGb"79F`KP9k PDOS vDN,Q,?(kFAr}r7"NBK"jA9k]j7<,U^9kH*jK\T5lkh&K9kY-G9#

7s\jC/&js/,n.5lk+^?Oo|5lkH",Q5lk"/;9&3sHm<k@1,"7s\jC/&js/K>\,Q5lk"^?O7s\jC/&js/,Q59k"/;9&3sHm<kKJj^9#

Hard links

Creating hard links produces multiple directory entries for one file; all of them must be in the same file system. Access control for a file system resource with more than one hard link is similar to that for a resource with symbolic links, except that once a hard link is created there is no longer any hard link that can be distinguished from the target or actual resource. The following rules describe the behavior:

- When a hard link that has access control applied directly to it is accessed, only that access control applies.
- When a resource that has no access control applied to it, but that has other hard links with access control applied directly to them, is accessed, all of those access controls must be satisfied before access to the resource is granted.
- Only when none of a resource's hard links has access control applied directly is the access control inherited by the resource that was accessed applied.

Hard link examples

The following examples illustrate how policy on hard links is applied.

Example 1. /home/joe/data is a file with no ACL attached directly to it. /home/data/joe_data is a hard link to /home/joe/data, and /home/data has no ACL attached. Access to /home/joe/data depends only on the ACL that applies to /home/joe/data itself, and access to /home/data/joe_data also depends only on that ACL.

Example 2. /home/joe/data is a file with no ACL attached. /home/data/joe_data.1 and /home/data/joe_data.2 are both hard links to /home/joe/data, each with its own ACL attached. Access to /home/joe/data depends on both ACLs. Access to either /home/data/joe_data.1 or /home/data/joe_data.2 depends only on the ACL attached directly to that link.

Because hard links to a file differ in name while sharing the file's UNIX permissions, PDOS handles the creation of a new hard link specially. To create a new hard link, a user needs the following permissions:

N    Create permission on the name of the new hard link.
R    Rename permission on the target of the new hard link.
r    Read permission on the target of the new hard link.
w    Write permission on the target of the new hard link.

When a hard link is removed, only the access control that applies to the hard link is enforced.

Device files

Device files represent the physical resources of the system, such as printers and disk devices. It is possible to create a device file that represents the same device as an existing device file, and creating a new special file must not become a way to bypass the access control applied to the device. The same rules that apply to hard links therefore apply to device files as well:

- When a device file that has access control applied directly to it is accessed, only that access control applies.
- When a device file with no access control applied to it is accessed, but other device files representing the same device have access control applied directly, all of those access controls must be satisfied before access to the resource is granted.
- Only when none of the device files representing the device has access control applied directly is the access control inherited by the device file that was accessed applied.

Trusted computing base resources

PDOS can define files on the system as a trusted computing base (TCB). A file that is a member of the trusted computing base is monitored with respect to its owner, path, UNIX file permissions, creation and modification time stamps, whether it exists on the system, its contents and the device it resides on. Taken together, this information is called the file's signature.

With PDOS, defining a program as part of the trusted computing base gives the program special PDOS attributes. If the integrity of a program defined in the TCB is compromised, the program is no longer trusted and is not given the special attributes. PDOS looks for changes to protected programs that indicate a loss of integrity; when such a change is detected, PDOS records that the program is no longer trusted. PDOS does not permit an untrusted program to run until an administrator explicitly returns it to the trusted state with the pdosobjsig command.

Special attributes are given to a program by defining it in one of the following classes of TCB resource:

- Secure-Files
- Secure-Programs
- Login-Programs
- Impersonator-Programs
- Immune-Programs

One file can be classified as more than one type of TCB resource. The special attributes conferred by each class are described below.

A file is made part of the TCB by explicitly creating a Policy Director policy object with the appropriate name. The permission policy PDOS enforces is not based on access control applied at or below the /OSSEAL/policy-branch/TCB resource tree; access control is applied to a file that belongs to the TCB by attaching access control to the corresponding object in the File resource tree. For example, to add the file /etc/hosts.equiv to Secure-Files and permit only root to access it, use the pdadmin command as follows.

1. To add hosts.equiv to the TCB:

pdadmin> object create /OSSEAL/Workstations/TCB/Secure-Files/etc/hosts.equiv "Host equivalents" 0 ispolicyattachable yes

2. To allow only root to access hosts.equiv:

pdadmin> acl create hosts-equiv
pdadmin> acl modify hosts-equiv set user root T[OSSEAL]NRUdoprw
pdadmin> object create /OSSEAL/Workstations/File/etc/hosts.equiv "hosts equiv file" 3 ispolicyattachable yes
pdadmin> acl attach /OSSEAL/Workstations/File/etc/hosts.equiv hosts-equiv

Programs listed in the Access-Restrictions attribute of any ACL are trusted and may access the resources that ACL protects. They are therefore part of the TCB whether or not they were explicitly defined as TCB resources.

Every file in the TCB, whatever class it belongs to, is also monitored for change. When a change is detected, the file is no longer trusted. A file's trust state is recorded on each system. Beyond that, access to an untrusted file, and the access control applied to it as a File resource, are handled as follows:

- When a file is first added to the TCB by issuing the appropriate object create command in pdadmin, it is marked trusted and its initial signature is recorded.
- If the file's signature is found to have changed, an administrative audit event is generated.
- An untrusted file can no longer be executed, regardless of access control.
- Any other access to an untrusted file that access control permits (reading it, for example) generates an administrative audit event.
- A file recorded as a TCB file but not present on the system is treated as untrusted.
- A file recorded as a TCB file that is deleted is marked untrusted, and it remains untrusted even if it is created again.
- Once a file has become untrusted, it can be returned to the trusted state only by an explicit administrator action. Use the pdosobjsig command to make a file trusted again; see "pdosobjsig" on page 122.
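The trust transitions listed above, as an added example that is not PDOS code: a file is fingerprinted when it joins the TCB, re-checked later, marked untrusted when its signature changes or the file is deleted (and kept untrusted if it reappears), and returned to the trusted state only by an explicit administrator action, the role pdosobjsig plays in PDOS. The signature fields, the state names and the sample file content are assumptions made for this illustration.

```python
"""Added example, not PDOS code: a minimal model of the TCB file trust state
described above. The signature fields, the state names and the sample
content are assumptions made for this illustration.
"""
import hashlib
import os
import shutil
import tempfile


def file_signature(path):
    """Fingerprint a file: owner, group, mode, size, mtime and content hash.
    Returns None when the file does not exist."""
    if not os.path.exists(path):
        return None
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return (st.st_uid, st.st_gid, st.st_mode, st.st_size, int(st.st_mtime), digest)


class TcbRegistry:
    """Per-system record of TCB members, their signatures and trust state."""

    def __init__(self):
        self.entries = {}   # path -> {"sig": signature, "trusted": bool}
        self.audit = []     # administrative audit events (constructed)

    def add(self, path):
        """Counterpart of 'object create .../TCB/...': record the initial
        signature and mark the file trusted."""
        self.entries[path] = {"sig": file_signature(path), "trusted": True}

    def check(self, path):
        """Re-verify one member: returns "trusted", "untrusted" or "missing"."""
        entry = self.entries[path]
        current = file_signature(path)
        if current is None:
            if entry["trusted"]:
                self.audit.append(("deleted", path))
            # A deleted TCB file stays untrusted even if it reappears later.
            entry["trusted"] = False
            return "missing"
        if entry["trusted"] and current != entry["sig"]:
            entry["trusted"] = False
            self.audit.append(("signature-changed", path))
        return "trusted" if entry["trusted"] else "untrusted"

    def execution_allowed(self, path):
        """An untrusted file may not be executed, whatever its ACL grants."""
        return self.check(path) == "trusted"

    def retrust(self, path):
        """Explicit administrator action (pdosobjsig in PDOS): take a fresh
        signature of the current file and mark it trusted again."""
        self.entries[path] = {"sig": file_signature(path), "trusted": True}


def demo():
    """Walk one file through the trust transitions in a scratch directory and
    return the observed states."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "hosts.equiv")
    try:
        with open(path, "w") as fh:
            fh.write("trusted-host\n")               # constructed sample content
        tcb = TcbRegistry()
        tcb.add(path)
        states = [tcb.check(path)]                   # trusted
        with open(path, "a") as fh:
            fh.write("attacker-host\n")              # tampering changes the signature
        states.append(tcb.check(path))               # untrusted
        states.append(tcb.execution_allowed(path))   # False
        tcb.retrust(path)
        states.append(tcb.check(path))               # trusted again
        os.remove(path)
        states.append(tcb.check(path))               # missing
        with open(path, "w") as fh:
            fh.write("trusted-host\n")               # recreated with the original content
        states.append(tcb.check(path))               # still untrusted
        return states
    finally:
        shutil.rmtree(workdir)
```

Note that recreating the file with byte-identical content does not restore trust: the registry remembers the deletion, and only retrust() (the administrator's explicit action) clears it.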

The types of TCB resource are defined below.

Login-Programs

A UNIX system has no single action that can be classified as a login. PDOS detects a user's login from the execution of various surrogate operations by particular programs. Those programs are defined as members of the Login-Programs class of TCB files. By default, PDOS initially permits only known programs to act as Login-Programs: the programs that perform UNIX logins from locally attached terminals, from graphical desktops, and from the standard network protocols (FTP, RLOGIN, TELNET, REXEC, RSH).

Other programs can be added to the Login-Programs class and used, but as shipped by the operating system vendor only the programs listed below are permitted to perform a login in a way PDOS can detect. Never remove a program that is defined as a Login-Program by default from the definition set unless the corresponding file has been removed from the PDOS-protected system; otherwise system security may be compromised.

Table 11. Login programs detectable by PDOS

AIX:
  /usr/dt/bin/dtlogin
  /usr/sbin/ftpd
  /usr/sbin/getty
  /usr/sbin/login
  /usr/sbin/rexecd
  /usr/sbin/rlogind
  /usr/sbin/telnetd
  /usr/sbin/tsm

HP-UX:
  /usr/dt/bin/dtlogin
  /usr/bin/login
  /usr/bin/tsm
  /usr/lbin/ftpd
  /usr/lbin/rexecd
  /usr/lbin/rlogind
  /usr/lbin/telnetd
  /usr/sbin/getty

Solaris:
  /usr/dt/bin/dtlogin
  /usr/bin/login
  /usr/lib/saf/ttymon
  /usr/sbin/in.ftpd
  /usr/sbin/in.rexecd
  /usr/sbin/in.rlogind
  /usr/sbin/in.rshd
  /usr/sbin/in.telnetd

Secure-Files

Secure files are given no special attributes; they are simply monitored for changes to their signature. PDOS defines certain of its own files as Secure-Files during initial configuration. No system files are initially defined as Secure-Files.

Secure-Programs

Many UNIX programs require UNIX attributes different from the UNIX permissions that restrict who may run the program. Such programs carry the set user ID or set group ID attribute and include commands such as su, mail and telnet. Unless special action is taken, running such a program changes the UNIX ID, so the user who invokes it needs surrogate PDOS authority for the target user and target group indicated by the program's ownership attributes. For example, on a system where the mail program is set UID root, all users can normally run the mail program, but not all users are given the authority to act as a surrogate for root. See "Surrogate policy" on page 43 for details.

A program defined in the Secure-Programs class of TCB files is exempt from Surrogate policy when its initial UNIX ID is changed as the program starts. If the UNIX user ID or group ID is changed again while the program runs, that change is subject to Surrogate policy.

The only Secure-Program that PDOS defines at initial configuration is su. If you want to set a more restrictive Surrogate policy, you must decide which set UID and set GID files to add to the Secure-Programs class of TCB files, so that ordinary users can continue to use those files without being prevented from performing the surrogate operations they require. The pdosuidprog command, described under "pdosuidprog" on page 137, finds the set UID and set GID programs on a system.

Impersonator-Programs

A normal UNIX system has mechanisms that let a user schedule work to run as a batch operation while the user is not logged in (cron, for example). Such a program usually runs as the root user and, when the task is run, changes to the ID of the user who scheduled it. This ID change is treated as a surrogate operation and, unless special action is taken, the task runs with the PDOS credentials of root rather than those of the user, because a surrogate operation does not change the PDOS accessor ID of the process.

If a program is a member of the Impersonator-Programs class of the TCB, PDOS changes the accessor ID of the process when the effective UNIX user ID of the process running the program changes. If you set a restrictive Surrogate policy, you may need to allow root to act as a surrogate for restricted users when, for example, cron is used. To do so, set an Access-Restrictions attribute that permits the surrogate operation only while cron is in use.

The only Impersonator-Program that PDOS defines at initial configuration is cron.

Immune-Programs

Some programs are so closely tied to the system that, if the processes running them were subject to the permission policy PDOS enforces, the system could stop functioning. Such a program can be marked immune from all PDOS policy by making it a member of the Immune-Programs class of the TCB. Execution of an immune program is restricted by the same permissions as any other program, but once it is running the program is immune from all PDOS permission policy. This immunity includes auditing: operations performed by a running immune program are not audited.

A process's immunity is not inherited by the child programs it creates. PDOS defines the following system programs as immune. They are associated with system processes such as file system operations, user ID mapping and error logging.

Table 12. Immune programs by platform

AIX:
  /usr/lib/errdemon
  /usr/sbin/automountd
  /usr/sbin/biod
  /usr/sbin/nfsd
  /usr/sbin/rpc.lockd
  /usr/sbin/rpc.statd
  /usr/sbin/syncd
  /usr/sbin/syslogd

HP-UX:
  /usr/lib/netsvc/fs/automount/automount
  /usr/sbin/biod
  /usr/sbin/nfsd
  /usr/sbin/pwgrd
  /usr/sbin/rpc.lockd
  /usr/sbin/rpc.statd
  /usr/sbin/syncer

Solaris:
  /usr/lib/autofs/automountd
  /usr/lib/nfs/lockd
  /usr/lib/nfs/nfsd
  /usr/lib/nfs/statd
  /usr/sbin/syslogd

Network policy

PDOS can control access from the local machine to remote network services, and access from remote locations to local network services. These two kinds of network access are controlled separately through protected resources of the NetOutgoing and NetIncoming types, which are represented in the Policy Director name space as follows:

/OSSEAL/policy-branch/NetIncoming/protocol[/service[/host]]
/OSSEAL/policy-branch/NetOutgoing[/hostspec[/protocol[/service]]]

Table 13 describes the elements of a network policy object name in detail.

Table 13. Components of network resource names

protocol
  Meaning: The name of the network protocol. The only protocol supported is TCP/IP version 4, represented by the string tcp.
  Type: String (case-sensitive).

service
  Meaning: A description of the service for the connection this resource represents. For a NetIncoming resource, the service on the local machine that is the destination of the incoming connection. For a NetOutgoing resource, the service on the remote machine that is the destination of the outgoing connection.
  Type: A comma-separated list of ports and port ranges. A port may be given explicitly by number or by name; a port name is mapped to a port number according to the /etc/services file on the machine where the network policy is enforced. The special port range "*" is equivalent to the range 1-65535, and a policy may specify only one of "*" and "1-65535".

host
  Meaning: A description of the host for the connection this resource represents. For a NetIncoming resource, the remote host from which the incoming connection originates. For a NetOutgoing resource, the remote host that is the destination of the outgoing connection. A host is specified in one of the following forms:
  - ip-address[:nbits]
  - hostname

ip-address
  Meaning: An IP address in dotted notation (for example 10.0.0.5).
  Type: String representing an IP version 4 address.

nbits
  Meaning: The number of bits of ip-address that are considered significant. Bits are counted from the left: 0 means no bit is significant and 32 means all bits are significant. When a host is given in the form ip-address[:nbits] and nbits is omitted, 32 is assumed.
  Type: Number in the range 0 to 32.

hostname
  Meaning: A wildcard string matched against the name of the host for the connection this resource represents.
  Type: String of wildcard characters and valid host name characters (case-insensitive).

Network resource examples

Some examples of network resource specifications:

/OSSEAL/Default/NetIncoming/tcp/80
/OSSEAL/Default/NetIncoming/tcp/telnet/*.dev.company.com
/OSSEAL/Default/NetOutgoing/10.0.151.0:24/tcp/23
/OSSEAL/Default/NetOutgoing/10.1.34.12

For both NetIncoming and NetOutgoing, the only permission used in an ACL for access control is the Connect (C) permission.

Table 14. Permission valid for incoming or outgoing connections on network resources

Connect (C)
  Permission to establish an incoming or outgoing connection on the network resource.

Network resource matching

When network access is requested, PDOS must determine which protected object name the access refers to. One access may match several defined object names. For example, the host name www.good.times.com matches both www.*.com and www.*.times.com; likewise the Telnet service (port 23) matches both the port range "23,513" and "*". Because PDOS matches the most specifically stated pattern first, you can define a general policy first and then define exceptions within it.

The composition of the object name also matters when deciding its precedence. For both NetIncoming and NetOutgoing, components that come earlier in the object name have higher precedence. For example, given the two objects

NetOutgoing/www.good.times.com/tcp/*
NetOutgoing/www.*.com/tcp/http

the host component of the object name has the highest precedence, so an outgoing http connection to www.good.times.com is protected by the policy associated with the first object.

Given a NetIncoming consisting of the two objects

NetIncoming/tcp/*/server.cracker.net
NetIncoming/tcp/ftp/*

ftp arriving from server.cracker.net at the protected system is authorized according to the policy applied to the second object, not the first.

The precedence rules for choosing a service pattern are the same for NetIncoming and NetOutgoing, as are the rules for choosing a host pattern. "Host pattern precedence" on page 34 describes those rules in detail.

Service pattern precedence

The precedence of service patterns is decided by the following rules:

- A pattern that represents fewer individual ports has higher precedence than one that represents more.
- If two service patterns represent the same number of ports, the one that includes the lower port number takes precedence.
- If two service patterns represent exactly the same ports but their spellings in the object space differ, they are considered to conflict. One of the two is chosen arbitrarily for the policy, and PDOSD records a warning in its error log together with an administrative audit event reporting that a conflicting policy was detected.

Consider the following examples.

1. The pattern "telnet" represents one port and the pattern "20-25" represents six, so "telnet" has higher precedence than "20-25".
2. The patterns "20-25" and "21-26" both represent six ports; because 20 is lower than 21, "20-25" has higher precedence.
3. The patterns "20-25,50-60" and "20-25,60-70" both represent 17 ports; because 50 is lower than 60, "20-25,50-60" has higher precedence.
4. The patterns "1-10,23-30" and "1,2,3,4-9,10,telnet,24-30" represent exactly the same ports, so the two are considered to conflict.
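The service-pattern rules above, as an added example that is not PDOS code: it expands a pattern into the ports it denotes, ranks patterns by the three rules, and selects the pattern that governs a given port, flagging the conflict case that PDOSD would log. Assumed here: a constructed SERVICE_NAMES table stands in for /etc/services, and when two patterns denote the same number of ports the one whose sorted port list is lower at the first differing position wins (a generalization of the manual's "lower port number" rule that also covers the multi-range examples).

```python
"""Added example, not PDOS code: rank service patterns by the precedence
rules above and pick the pattern that governs a given port. SERVICE_NAMES
is a constructed stand-in for /etc/services.
"""
SERVICE_NAMES = {"ftp": 21, "telnet": 23, "http": 80}   # constructed stand-in


def port_number(token):
    """Resolve a numeric port or an /etc/services name to a port number."""
    token = token.strip()
    if token.isdigit():
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %s" % token)
        return port
    if token in SERVICE_NAMES:
        return SERVICE_NAMES[token]
    raise ValueError("unknown service name: %s" % token)


def port_set(pattern):
    """Expand "telnet", "20-25,50-60" or "*" into the set of ports it denotes."""
    ports = set()
    for item in pattern.split(","):
        item = item.strip()
        if item == "*":
            ports.update(range(1, 65536))
        elif "-" in item:
            low, high = item.split("-", 1)
            ports.update(range(port_number(low), port_number(high) + 1))
        else:
            ports.add(port_number(item))
    return ports


def precedence_key(pattern):
    """Sort key: fewer ports first, then the lower sorted port list. Two
    patterns with equal keys denote exactly the same ports: a conflict."""
    ports = sorted(port_set(pattern))
    return (len(ports), tuple(ports))


def higher_precedence(a, b):
    """The pattern that takes precedence, or None when the two conflict."""
    key_a, key_b = precedence_key(a), precedence_key(b)
    if key_a == key_b:
        return None
    return a if key_a < key_b else b


def governing_pattern(patterns, port):
    """Among the patterns covering `port`, the most specific one (None when
    nothing matches). Raises ValueError when the two best candidates denote
    identical port sets, the case PDOSD reports as a conflicting policy."""
    candidates = sorted((p for p in patterns if port in port_set(p)),
                        key=precedence_key)
    if not candidates:
        return None
    if len(candidates) > 1 and precedence_key(candidates[0]) == precedence_key(candidates[1]):
        raise ValueError("conflicting service patterns: %s and %s"
                         % (candidates[0], candidates[1]))
    return candidates[0]
```

governing_pattern(["*", "20-25", "23,513"], 23) returns "23,513": all three cover port 23, and the two-port pattern is the most specific.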

Host pattern precedence

The precedence of host patterns is decided by the following rules:

- A pattern in the form ip-address[:nbits] always has higher precedence than a pattern in host name form.
- If two patterns in the form ip-address[:nbits] have the same ip-address component, and one specifies 32 as nbits while the other specifies no nbits at all, the policy is considered conflicting. One of the two objects is chosen arbitrarily, and PDOSD records a warning in its error log together with an administrative audit event indicating that a conflicting policy was detected.
- A pattern in the form ip-address[:nbits] with more significant bits (that is, a larger nbits) has higher precedence than one with fewer significant bits.
- Host patterns that may be specified with wildcard host names are ranked according to the precedence of the wildcard elements, evaluated from right to left. "Using wildcards" on page 8 describes the precedence of wildcard patterns.

Consider the following examples.

1. The pattern 10.1.2.3:32 has higher precedence than the pattern 10.1.2.3:24.
2. If the IP address of www.good.times.com is 10.1.2.3, the pattern 10.1.2.3:32 has higher precedence than the pattern www.good.times.com. Because a pattern in the form ip-address[:nbits] always has higher precedence, this policy is not considered conflicting.
3. If the IP address of www.good.times.com is 10.1.2.3, the pattern 10.1.0.0:16 has higher precedence than the pattern www.good.times.com, again because the ip-address[:nbits] form always outranks the host name form.
4. Host name patterns are evaluated from right to left, so the pattern www.*.times.com has higher precedence than www.good.*.com.
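The host-pattern rules above, as an added example that is not PDOS code: it classifies a pattern as ip-address[:nbits] or host name, ranks patterns so that every address form outranks every name form and more significant bits win, detects the same-address conflict, and selects the pattern governing a peer given its address and name. Assumed here: wildcard host names are compared component by component from the right with a literal component outranking a wildcard one (the page-8 wildcard rules are not reproduced on this page, so that ordering is my own reading), names are matched case-insensitively, and only IPv4 is handled.

```python
"""Added example, not PDOS code: rank host patterns by the rules above and
select the pattern that governs a connection to or from a given peer.
"""
import fnmatch
import ipaddress


def parse_host_pattern(pattern):
    """("ip", IPv4Address, nbits) for ip-address[:nbits] (nbits defaults to
    32), or ("name", pattern) for a wildcard host name."""
    head, sep, tail = pattern.partition(":")
    octets = head.split(".")
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        nbits = int(tail) if sep else 32
        if not 0 <= nbits <= 32:
            raise ValueError("nbits out of range: %s" % pattern)
        return ("ip", ipaddress.IPv4Address(head), nbits)
    return ("name", pattern)


def precedence_key(pattern):
    """Lower key = higher precedence. Every ip form outranks every name form;
    among ip forms more significant bits win and an equal address plus nbits
    is a conflict; name forms are ranked from the rightmost component, a
    wildcard component ranking below a literal one (assumption)."""
    parsed = parse_host_pattern(pattern)
    if parsed[0] == "ip":
        _, address, nbits = parsed
        return (0, -nbits, int(address))
    ranks = tuple(1 if ("*" in part or "?" in part) else 0
                  for part in reversed(pattern.lower().split(".")))
    return (1, ranks, pattern.lower())


def higher_precedence(a, b):
    """The pattern that wins, or None when the two conflict."""
    key_a, key_b = precedence_key(a), precedence_key(b)
    if key_a == key_b:
        return None
    return a if key_a < key_b else b


def matches(pattern, ip, hostname):
    """Does the pattern cover a peer with this IP address and host name?"""
    parsed = parse_host_pattern(pattern)
    if parsed[0] == "ip":
        _, address, nbits = parsed
        network = ipaddress.IPv4Network((str(address), nbits), strict=False)
        return ipaddress.IPv4Address(ip) in network
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def governing_pattern(patterns, ip, hostname):
    """Most specific matching pattern, or None when nothing matches. Raises
    ValueError when the two best candidates conflict, the case PDOSD reports
    in its error log."""
    candidates = sorted((p for p in patterns if matches(p, ip, hostname)),
                        key=precedence_key)
    if not candidates:
        return None
    if len(candidates) > 1 and precedence_key(candidates[0]) == precedence_key(candidates[1]):
        raise ValueError("conflicting host patterns: %s and %s"
                         % (candidates[0], candidates[1]))
    return candidates[0]
```

With the patterns www.*.com, www.*.times.com and 10.1.0.0:16 all defined, a peer at 10.1.2.3 named www.good.times.com is governed by 10.1.0.0:16, exactly as example 3 states; drop the address pattern and www.*.times.com wins, as in example 4.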

Network access authorization

When an outgoing network connection is made, the question asked in deciding whether to permit it is: is the requesting user permitted to connect to the requested service on the specified remote host? When a network connection arrives at a host, a different question is asked. PDOS has no information about the remote user requesting the incoming connection; the accessor (the party attempting access) is taken to be the accessor ID of the process that accepts the incoming connection. For a NetIncoming resource the question is therefore: is this user permitted to accept a connection for the requested service from the specified remote machine? Consequently, the user who must be granted access by the ACL on a NetIncoming resource is usually root, because on the machine that accepts incoming connections to system services the accepting process normally runs as root.

Application services reachable over the network often run as a user other than root. For such a service, it is that user who must be authorized by the ACL protecting the NetIncoming resource.

Login policy

With PDOS you can control when and from where users can log in to the system. The basic mechanisms for controlling user access are:

- Time-of-day login restrictions, which apply regardless of where the user logs in from.
- Access control on local and remote terminals.

PDOS can also enforce policy related to login activity (for example, password expiration, automatically disabling an account after repeated failed login attempts, and automatically disabling accounts that are not used).

Time-of-day login restrictions

Time-of-day login restrictions are defined through special policy attributes in the Policy Director user registry. These attributes can be specified globally, per user, or for the population of unauthenticated users.

A time-of-day restriction defines the days and times at which a user is permitted to log in. For a user defined in the Policy Director registry, a policy specified for that user overrides the global policy. For a user not defined in the Policy Director registry (and therefore regarded by PDOS as unauthenticated), the policy for the unauthenticated user population overrides all global policy.

A time-of-day restriction is defined with a string in the following form:

day-range:time-range[:fixed|zone]

where:

day-range
  anyday, weekday, or a comma-separated list of sun, mon, tue, wed, thu, fri, sat. The anyday option means the user may log in on every day of the week. The weekday option means the user may log in on every day except Saturday and Sunday. A list of days means the user may log in only on the days listed.

time-range
  anytime, or a start time and an end time. The anytime option means the user may log in at any time on a day on which login is permitted. When the time is given as start_hhmm-end_hhmm, start_hhmm is the start time (hours and minutes) and end_hhmm is the end time.

fixed
  Apply the time restriction in Universal Coordinated Time (UTC).

zone
  Use the local time of the machine the user logs in to. The default is zone.

Use the Policy Director administration command pdadmin to set time restrictions. Examples of login policy based on time restrictions:

1. To permit all users to log in on weekdays between 9:00 a.m. and 5:00 p.m. (local time), while letting the root user log in at any time:

pdadmin> policy set tod-access weekday:0900-1700:zone
pdadmin> policy set tod-access anyday:anytime -user root

2. In addition, to restrict logins by unauthenticated users to Mondays only:

pdadmin> policy set tod-access mon:0900-1700:zone -user osseal-unauth

3. To restrict login times independently of the local time at the login destination:

pdadmin> policy set tod-access weekday:0900-1700:fixed
pdadmin> policy set tod-access anyday:anytime -user root
pdadmin> policy set tod-access mon:0900-1700:fixed -user osseal-unauth
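The time-of-day string format and the override order described above, as an added example that is not PDOS code: it parses day-range:time-range[:fixed|zone], evaluates a login moment against it, and resolves which policy applies (per-user over global; osseal-unauth over global for users not in the registry). Assumed here: the time range is inclusive at both ends, the caller supplies the login machine's local time together with the matching UTC time, and the registry is modelled as a plain dictionary rather than queried through pdadmin.

```python
"""Added example, not PDOS code: parse and evaluate time-of-day login
restrictions of the form day-range:time-range[:fixed|zone].
"""
from datetime import datetime

DAY_NAMES = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def _hhmm(text):
    """'0900' -> minutes since midnight, rejecting malformed values."""
    if len(text) != 4 or not text.isdigit():
        raise ValueError("bad hhmm: %s" % text)
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 23 or minutes > 59:
        raise ValueError("bad hhmm: %s" % text)
    return hours * 60 + minutes


def parse_tod_policy(text):
    """day-range:time-range[:fixed|zone] -> {"days", "start", "end", "clock"}."""
    parts = text.split(":")
    if len(parts) not in (2, 3):
        raise ValueError("bad policy: %s" % text)
    day_range, time_range = parts[0], parts[1]
    clock = parts[2] if len(parts) == 3 else "zone"   # zone is the default
    if clock not in ("fixed", "zone"):
        raise ValueError("bad clock: %s" % clock)
    if day_range == "anyday":
        days = set(range(7))
    elif day_range == "weekday":
        days = set(range(5))                            # Monday to Friday
    else:
        days = {DAY_NAMES[d.strip()] for d in day_range.split(",")}
    if time_range == "anytime":
        start, end = 0, 24 * 60 - 1
    else:
        first, last = time_range.split("-", 1)
        start, end = _hhmm(first), _hhmm(last)
        if start > end:
            raise ValueError("start after end: %s" % time_range)
    return {"days": days, "start": start, "end": end, "clock": clock}


def login_allowed(policy, local_time, utc_time):
    """Evaluate a parsed policy: 'zone' uses the login machine's local time,
    'fixed' uses UTC. The window is inclusive at both ends (assumption)."""
    moment = utc_time if policy["clock"] == "fixed" else local_time
    minutes = moment.hour * 60 + moment.minute
    return moment.weekday() in policy["days"] and policy["start"] <= minutes <= policy["end"]


def effective_policy(registry, user, authenticated):
    """registry: {"global": str, "user:<name>": str, "osseal-unauth": str}.
    Unauthenticated users get the osseal-unauth policy, registry users their
    own policy if one is set; otherwise the global policy applies."""
    if not authenticated:
        text = registry.get("osseal-unauth", registry["global"])
    else:
        text = registry.get("user:" + user, registry["global"])
    return parse_tod_policy(text)


def check_login(registry, user, authenticated, local_time, utc_time):
    """True when the effective policy permits a login at that moment."""
    return login_allowed(effective_policy(registry, user, authenticated), local_time, utc_time)


# Registry contents produced by the pdadmin commands in examples 1 and 2
# above (constructed; pdadmin itself is not invoked).
EXAMPLE_REGISTRY = {
    "global": "weekday:0900-1700:zone",
    "user:root": "anyday:anytime",
    "osseal-unauth": "mon:0900-1700:zone",
}

# Constructed sample moments (2001-04-02 is a Monday).
MONDAY_10AM = datetime(2001, 4, 2, 10, 0)
MONDAY_1AM = datetime(2001, 4, 2, 1, 0)
TUESDAY_10AM = datetime(2001, 4, 3, 10, 0)
SATURDAY_10AM = datetime(2001, 4, 7, 10, 0)
```

The fixed/zone distinction is where mistakes usually happen: with weekday:0900-1700:fixed, a user whose machine shows Monday 10:00 local time is refused when the corresponding UTC time is 01:00, while the zone form admits them.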

Holidays

As a further time restriction, you can define holidays. A holiday is a protected resource that defines an exception to the normal time restrictions defined in the user registry. Holiday policy is applied at the moment a user logs in.

To define a holiday, create an object and set the appropriate attributes on it. Give the object a name that represents the holiday.

Whether a user may log in on the holiday is controlled by the ACL associated with the same resource: a user who is to be permitted to log in must be given the Login (L) permission. The value of the Holiday-Dates extended attribute is a start time followed by an end time (optionally separated by a space). Each time has the form

YYYY-MM-DD[-hh[:mm[:ss]]][Z]

where:

YYYY  Year (four digits).
MM    Month (a number from 1 to 12).
DD    Day (a number from 1 to 31).
hh    Hour (0 to 23).
mm    Minute (0 to 59).
ss    Second (0 to 59).
Z     Use UTC rather than local time.

When the start and end times are only partially specified, the following rules complete them:

1. If no end time is specified, the holiday period ends at the end of the day on which it started.
2. Any component missing from the start time defaults to zero.
3. If the end time specifies the year, month and day but no hour, minute or second, the holiday period ends at the end of the specified day.
4. If the end time specifies the hour, or the hour and minute, all unspecified components default to zero.
5. If either the start time or the end time is given in UTC, both time stamps are interpreted as UTC.

Holiday example

Take the CEO's birthday, January 18, together with the days before and after it, as a three-day holiday. On January 17, 18 and 19 only system administrators are permitted to work. This holiday restriction can be coded with the following commands:

pdadmin> object create /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time "Happy" 0 ispolicyattachable yes
pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time set attribute Holiday-Dates "2001-01-17-09:00:00 2001-01-19-17:00:00"

Next, create the ACL for the holiday:

pdadmin> acl create ceo-birthday-time-acl
pdadmin> acl modify ceo-birthday-time-acl set group sys-admins T[OSSEAL]L
pdadmin> acl attach /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time ceo-birthday-time-acl

This policy permits only members of the Policy Director group sys-admins to log in between 9:00 a.m. on January 17, 2001 and 5:00 p.m. on January 19, 2001.

Multiple holidays

By giving the Holiday-Dates extended attribute more than one value you can set up recurring holidays. To define the same CEO birthday holiday for 2002 as well, add the following command:

pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time set attribute Holiday-Dates "2002-01-17-09:00:00 2002-01-19-17:00:00"

You can also specify several holidays whose periods overlap. The policy that applies at any given moment is then decided by the following rules:

1. If a holiday with a shorter period is specified, it applies.
2. If several holidays of the same length exist, the holiday period with the latest start time applies.
3. Overlapping periods specified by multiple values are never merged into one longer period.

Continuing the example above, to prevent even system administrators from logging in on the CEO's birthday, January 18, you can define the following holiday policy:

pdadmin> object create /OSSEAL/Servers/Login/Holidays/CEO-Birthday "VeryHappy" 0 ispolicyattachable yes
pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday set attribute Holiday-Dates "2001-01-18-09:00:00 2001-01-18-17:00:00"

With both the CEO-Birthday and the CEO-Birthday-Time holiday policies in place, a system administrator who attempts to log in at 9:00 a.m. on January 17 succeeds, because the time matches the CEO-Birthday-Time holiday period. If the system administrator attempts to log in shortly after 9:00 a.m. on January 18, the request is denied: the CEO-Birthday holiday has the shorter period, so it takes precedence and the login fails.

If you try to define several holidays with identical Holiday-Dates attributes, a warning in the PDOSD log file reports a conflicting policy specification. Such requests are not permitted.
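The Holiday-Dates completion rules and the overlap rules above, carried through on the CEO-Birthday example, as an added example that is not PDOS code: it parses a Holiday-Dates value, fills in omitted components per rules 1 to 5, selects the holiday in force at a login moment (shortest period first, then latest start, identical periods being the conflict PDOSD warns about), and applies the holiday's ACL. Assumed here: the two time stamps of a value are separated by whitespace, "end of day" means 23:59:59, the ACLs are modelled as a dictionary of groups holding L, and callers pass times in the same clock (local or UTC) the holiday uses.

```python
"""Added example, not PDOS code: Holiday-Dates parsing and holiday selection
for a login at a given moment.
"""
import re
from datetime import datetime

_STAMP = re.compile(r"^(\d{4})-(\d{1,2})-(\d{1,2})"
                    r"(?:-(\d{1,2})(?::(\d{1,2})(?::(\d{1,2}))?)?)?(Z?)$")


def at(year, month, day, hour=0, minute=0, second=0):
    """Shorthand for building time stamps."""
    return datetime(year, month, day, hour, minute, second)


def _parse_stamp(text):
    """YYYY-MM-DD[-hh[:mm[:ss]]][Z] -> ([y, mo, d, hh|None, mm|None, ss|None], utc)."""
    match = _STAMP.match(text)
    if not match:
        raise ValueError("bad Holiday-Dates stamp: %s" % text)
    year, month, day, hh, mm, ss, zulu = match.groups()
    fields = [int(year), int(month), int(day)]
    fields += [int(x) if x is not None else None for x in (hh, mm, ss)]
    return fields, zulu == "Z"


def parse_holiday_dates(value):
    """'start [end]' -> (start, end, is_utc) with omitted parts completed."""
    tokens = value.split()
    if len(tokens) not in (1, 2):
        raise ValueError("bad Holiday-Dates value: %r" % value)
    start_fields, start_utc = _parse_stamp(tokens[0])
    # Rule 2: unspecified start components default to zero.
    start = datetime(*[f or 0 for f in start_fields])
    if len(tokens) == 1:
        # Rule 1: no end given, the holiday ends at the end of the start day.
        end, end_utc = start.replace(hour=23, minute=59, second=59), start_utc
    else:
        end_fields, end_utc = _parse_stamp(tokens[1])
        if end_fields[3] is None:
            # Rule 3: date only, the holiday ends at the end of that day.
            end = datetime(end_fields[0], end_fields[1], end_fields[2], 23, 59, 59)
        else:
            # Rule 4: hour (and maybe minute) given, the rest defaults to zero.
            end = datetime(*[f or 0 for f in end_fields])
    if end < start:
        raise ValueError("holiday ends before it starts: %r" % value)
    # Rule 5: a Z on either stamp makes both UTC.
    return start, end, start_utc or end_utc


def governing_holiday(holidays, when):
    """holidays: {name: [(start, end, is_utc), ...]}. Name of the holiday in
    force at `when`, or None. Raises ValueError when two holidays with
    identical periods cover `when`, the conflict PDOSD logs a warning for."""
    active = []
    for name, periods in holidays.items():
        for start, end, _utc in periods:
            if start <= when <= end:
                active.append((end - start, start, name))
    if not active:
        return None
    active.sort(key=lambda item: item[1], reverse=True)   # latest start first
    active.sort(key=lambda item: item[0])                 # then shortest period (stable)
    if len(active) > 1 and active[0][:2] == active[1][:2]:
        raise ValueError("conflicting holidays: %s and %s" % (active[0][2], active[1][2]))
    return active[0][2]


def holiday_login_allowed(holidays, acls, groups, when):
    """acls: {holiday name: set of groups granted Login (L)}. Returns None when
    no holiday is in force (normal time-of-day policy applies), else whether
    one of the user's groups holds L on the governing holiday."""
    name = governing_holiday(holidays, when)
    if name is None:
        return None
    return bool(acls.get(name, set()) & set(groups))


# The objects created by the pdadmin commands above (constructed; pdadmin
# itself is not invoked). CEO-Birthday has no ACL, so nobody holds L on it.
EXAMPLE_HOLIDAYS = {
    "CEO-Birthday-Time": [parse_holiday_dates("2001-01-17-09:00:00 2001-01-19-17:00:00")],
    "CEO-Birthday": [parse_holiday_dates("2001-01-18-09:00:00 2001-01-18-17:00:00")],
}
EXAMPLE_ACLS = {"CEO-Birthday-Time": {"sys-admins"}}
```

A member of sys-admins logging in at 9:00 on January 17 is admitted through CEO-Birthday-Time; at 9:30 on January 18 the shorter CEO-Birthday period governs, its ACL grants L to nobody, and the login is refused, which is the behaviour the narrative above describes.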

The composition of holiday object names below the Holidays resource type is free-form, so holiday definitions can be organized to make use of ACL inheritance. When holidays are defined with inherited ACLs, note that the precedence rules apply to all holidays defined by the policy at the same time, independently of the user definitions. For example, you can define holidays named

/OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2001
/OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2002
/OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2003

and attach a separate Holiday-Dates attribute to each leaf node to specify a different date range for each year, while attaching a single ACL to CEO-Birthday.

Login location

You can specify the locations from which a user logs in. To do so, define protected resources under the Terminal branch of the Login resource type. In this document login locations are referred to as terminals.

Terminal types

Terminal devices are either local or remote. When a user logs in to the system from a serially attached device or from the graphical console, the terminal used is local. A terminal used over a TCP/IP network is remote. Both kinds of terminal can be grouped logically, and access control can be defined for them through inheritance. Terminal object names have the following forms:

/OSSEAL/policy-branch/Login/Terminal/Local/termgroup/device
/OSSEAL/policy-branch/Login/Terminal/Remote/termgroup/hostspec

See Table 15 for the definition of terminal objects.

Table 15. Definition of terminal name components

termgroup
  Meaning: A logical group of terminals defined by the administrator. Access control can be applied to it and inherited by its members.
  Type: String. This component is required in the object name.

device
  Meaning: The name of a terminal device on the system, for example /dev/console or /dev/tty/0.
  Type: The fully qualified UNIX file name of the device file. Wildcard names cannot be used.

hostspec
  Meaning: A specification of a host, a group of hosts, or a network, in one of the following forms:
  - A fully qualified host name, as given by /etc/hosts or DNS. The name may contain wildcard characters such as * and ?, but it must represent a fully qualified name; short names cannot be used.
  - An IP address in dotted notation combined with a network mask (IP_address[:nbits]). If no mask is given, a 32-bit mask (that is, a single host address) is implied.

Some examples of login resource specifications:

/OSSEAL/policy-branch/Login/Terminal/Local/Modems/dev/tty063
/OSSEAL/policy-branch/Login/Terminal/Remote/Development/*.dev.company.com
/OSSEAL/policy-branch/Login/Terminal/Remote/Xterms/10.1.34.2:24

Login access control

To control these resources, attach Policy Director access control at the appropriate point in the Login/Terminal object tree. For example, to set a default policy controlling system access from remote locations, attach an ACL or a POP to the /OSSEAL/policy-branch/Login/Terminal/Remote object.

Table 16 shows the permission required.

Table 16. Permission required to log in

Login (L)
  Permission to log in from the associated terminal.

Terminal groups

Within any one policy branch a terminal may belong to only one terminal group. If a terminal belongs to more than one group, a warning is recorded in the PDOSD error log, and because there is no definition of which policy's permissions take precedence, the result may not be what you expect.

Login activity policy

PDOS can define and enforce policy related to login activity. This policy is configured through extended attributes on the /OSSEAL/policy-branch/Login object and controls the following aspects of login activity:

- Password expiration
- Disabling an account after failed login attempts
- Locking an account that has been inactive

The state of each user account is recorded per machine. An account becomes locked or disabled only on the machine where it was active or where the failed login attempts occurred, and password expiration times are kept per machine. PDOS login activity policy is applied in addition to any policy of these kinds that the system already provides, and enforcement of PDOS policy and of system policy is not synchronized. In particular, the password policy specified for Policy Director users in the Policy Director User Registry is not integrated with the password expiration that PDOS applies to existing system accounts. Table 17 describes the extended attributes that control login activity policy.

Table 17. Login activity policy attributes

Login-MinPasswordDays
  Meaning: The minimum time before a password may be changed. If not specified, the default value zero is used, which means the user may change the password whenever desired.
  Type: Non-negative integer.

Login-MaxPasswordDays
  Meaning: The maximum time before a password must be changed. If not specified, the default value zero is assumed, which means the password is never considered expired. When a user's password has expired and grace logins are not enabled, the password must be changed at the next login. To enable grace logins, set the Login-MaxGraceLogins attribute to a non-zero value.
  Type: Non-negative integer.

Login-MaxGraceLogins
  Meaning: The number of times a user may log in after the password has expired. If not specified, the default value zero is assumed, which means the user is not permitted to log in without changing the password. Exceeding the maximum number of grace logins leaves the account permanently locked.
  Type: Non-negative integer.

Login-MaxInactiveDays
  Meaning: The number of days after which an inactive account is permanently locked. An account is considered inactive when no successful login to it has taken place. If not specified, the default value zero is assumed, which means inactive accounts are never locked.
  Type: Non-negative integer.

Login-MaxFailedLogins
  Meaning: The number of failed login attempts on an account before the account is disabled. The account stays disabled for the time given by the Login-LockMinutes attribute, and the period over which failed attempts are counted is given by the Login-LoginMinutes attribute. If Login-MaxFailedLogins is not specified, the default value zero is assumed, which means failed login attempts never disable the account.
  Type: Non-negative integer.

Login-LockMinutes
  Meaning: The time, in minutes, for which an account stays disabled once the maximum number of failed logins given by Login-MaxFailedLogins has been reached. If Login-LockMinutes is not specified, the default value zero is assumed, which means the account stays disabled indefinitely.
  Type: Non-negative integer.

Login-LoginMinutes
  Meaning: The period, in minutes, within which failed login attempts are counted toward the Login-MaxFailedLogins limit. If Login-LoginMinutes is not specified, the default value zero is assumed, which means there is no time limit: every failed login attempt on an account that is not locked or disabled counts toward the maximum number of failures.
  Type: Non-negative integer.

Login-PolicyDisabled
  Meaning: Used to disable all login activity policy. If this attribute is set to a non-empty string, none of the login activity policy that has been defined is enforced.
  Type: Non-empty string.

Login activity policy examples

Some examples of setting login activity policy:

1. To have an account locked once it has been inactive for 30 days, use pdadmin as follows:

pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-MaxInactiveDays 30

2. To allow up to three login attempts in any one-hour period, and to disable the account for 30 minutes after the third failure, use pdadmin as follows:

pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-MaxFailedLogins 3
pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-LockMinutes 30
pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-LoginMinutes 60

3. All login activity policy attributes are single-valued. To update a single-valued attribute you must first delete the existing value. For example, to change Login-MaxFailedLogins to 5:

pdadmin> object modify /OSSEAL/Servers/Login delete attribute Login-MaxFailedLogins
pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-MaxFailedLogins 5

To query the state of an account, or to unlock it, use the pdoslpadm command. See "pdoslpadm" on page 120 for details of this task.
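The interaction of Login-MaxFailedLogins, Login-LockMinutes and Login-LoginMinutes from example 2 above, as an added example that is not PDOS code: it replays a sequence of login attempts against that policy and against the zero values from Table 17 (no lock expiry, failures that never age out). Assumed here: a successful login clears the failure count, attempts made while the account is disabled are rejected without being counted, unlock() stands in for the administrator's pdoslpadm action, and the attempt times are constructed.

```python
"""Added example, not PDOS code: a model of failed-login lockout under the
three login activity attributes set in example 2 above.
"""
from datetime import datetime, timedelta


class LoginActivityPolicy:
    """The three attributes, with the Table 17 meaning of zero."""

    def __init__(self, max_failed_logins=0, lock_minutes=0, login_minutes=0):
        self.max_failed_logins = max_failed_logins   # 0: failures never disable
        self.lock_minutes = lock_minutes             # 0: disabled until unlocked
        self.login_minutes = login_minutes           # 0: failures never age out


class AccountState:
    """Per-machine login state of one account."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = []          # times of the failed attempts still counted
        self.disabled_until = None  # None, a datetime, or datetime.max (until unlock)

    def _disabled(self, now):
        if self.disabled_until is None:
            return False
        if now < self.disabled_until:
            return True
        self.disabled_until = None  # lock period elapsed: clean slate
        self.failures = []
        return False

    def attempt(self, now, password_ok):
        """Record one login attempt; returns "ok", "failed" or "disabled"."""
        if self._disabled(now):
            return "disabled"
        if password_ok:
            self.failures = []
            return "ok"
        if self.policy.login_minutes:
            window = timedelta(minutes=self.policy.login_minutes)
            self.failures = [t for t in self.failures if now - t < window]
        self.failures.append(now)
        limit = self.policy.max_failed_logins
        if limit and len(self.failures) >= limit:
            if self.policy.lock_minutes:
                self.disabled_until = now + timedelta(minutes=self.policy.lock_minutes)
            else:
                self.disabled_until = datetime.max
            return "disabled"
        return "failed"

    def unlock(self):
        """Administrator action (pdoslpadm in PDOS)."""
        self.disabled_until = None
        self.failures = []


def demo():
    """Replay attempts against the example-2 policy; returns the outcomes."""
    acct = AccountState(LoginActivityPolicy(max_failed_logins=3, lock_minutes=30, login_minutes=60))
    t0 = datetime(2001, 4, 2, 9, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    return [
        acct.attempt(at(0), False),     # failed, 1 of 3
        acct.attempt(at(10), False),    # failed, 2 of 3
        acct.attempt(at(20), False),    # disabled: third failure within 60 minutes
        acct.attempt(at(25), True),     # disabled: the right password does not help
        acct.attempt(at(51), True),     # ok: the 30-minute lock has expired
        acct.attempt(at(60), False),    # failed, 1 of 3 (counter was reset)
        acct.attempt(at(130), False),   # failed: the failure at +60 aged out of the window
        acct.attempt(at(140), False),   # failed, 2 of 3
        acct.attempt(at(150), False),   # disabled again
    ]


def demo_permanent_lock():
    """Login-LockMinutes 0 and Login-LoginMinutes 0: old failures still count
    and the account stays disabled until an administrator unlocks it."""
    acct = AccountState(LoginActivityPolicy(max_failed_logins=2, lock_minutes=0, login_minutes=0))
    t0 = datetime(2001, 4, 2, 9, 0)
    outcomes = [acct.attempt(t0, False),                        # failed
                acct.attempt(t0 + timedelta(days=30), False),   # disabled: the old failure counts
                acct.attempt(t0 + timedelta(days=60), True)]    # disabled: no expiry
    acct.unlock()
    outcomes.append(acct.attempt(t0 + timedelta(days=60), True))  # ok after unlock
    return outcomes
```

The second function is the case to watch when tuning the attributes: with Login-LockMinutes left at its default of zero, a handful of guessed passwords locks the account out until an administrator intervenes, which is a denial-of-service lever as much as a brute-force defence.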

Surrogate policy

PDOS can control the operations that change the UNIX identity of a process. Such an operation is called a surrogate operation and is controlled by resources of the Surrogate type. A surrogate operation changes the user identity or group identity of a process. To control access to user and group surrogate operations, apply permission policy to the User and Group subtypes of the Surrogate resource type. The object name identifies the target of the surrogate operation and so controls the capability (for example, becoming the root user or the system group). Surrogate resource names have the following forms:

/OSSEAL/policy-branch/Surrogate/User/user-name
/OSSEAL/policy-branch/Surrogate/Group/group-name

Table 18 describes the components of these surrogate object names.

Table 18. Surrogate object names

user-name
  Meaning: A UNIX user name. The access control applied to this object protects against attempts to change identity to this user.
  Type: String representing a UNIX user name. Numeric user IDs are not accepted.

group-name
  Meaning: A UNIX group name. The access control applied to this object protects against attempts to change identity to this group.
  Type: String representing a UNIX group name. Numeric group IDs are not accepted.

Surrogate resource examples

Some examples of surrogate resource specifications:

/OSSEAL/Default/Surrogate/User/root
/OSSEAL/Default/Surrogate/User/joe
/OSSEAL/Default/Surrogate/Group/admin

Note: Applying access control to the /OSSEAL/policy-branch/Surrogate/User object, the /OSSEAL/policy-branch/Surrogate/Group object, or the /OSSEAL/policy-branch/Surrogate object that contains them defines a default surrogate policy. For the precautions to take when setting a restrictive surrogate policy, see "Considerations when setting surrogate policy".

Wildcards cannot be used in surrogate resources.

The only permission used to control access to surrogate resources is the Surrogate (G) permission shown in Table 19.

Table 19. Surrogate operation permission

G    Surrogate    Permission to perform a surrogate operation to the user or group.

Surrogate operations

Surrogate operations take place in basically two ways:

- The user or group identity of a running program may be changed part way through its execution.
- The identity is changed when a program that has the set user ID or set group ID UNIX file permission (or both) is executed.

>TNc$OEWG9# lL*KO"f<6< ID _j^?O0k<W ID _jv

DN8g,"kWm0i`rf<6<,BT9k]KO"Lof<6<,}CF$J$C",l~*K,WJ?9/rBT9k,W,"kH[j5l^9# 3NbLNC"GBT7F$kV"3NoNWm0i`O",j5l?`nrBT9k3H@15'5l^9# e=*JcH7FO"/usr/bin/mail"/usr/bin/telnet"*hS /usr/bin/psJINWiCHU)<`K~8?H_~_Wm0i`,"j^9#

3liNWm0i`O9YF setuid k<HG"kH[j7F/@5$# lLf<6<,G-k3Hr"k<HKP9ke}@1K)B9kH"lLf<6<,3liNWm0i`rBT9k3HOG-J/Jj^9# 3NbLNC"GBT7F$kV"3liNWm0i`OBj5l?`nN8grBT9k3H@15'5l^9#PDOS GO3liN`nr5'3sTe<F#s0&Y<9NltH7FjAG-kNG"Wm0i`NBT~Ke}`nrBT9k]K"vDr=L9k,WO"j^;s#

TCB j=<9&?$WN<G Secure-Programs H7FjA5lF$kWm0i`O"e}vD]j7<KX87J$BT~N"f<6<^?O0k<W1LNQ9rvD5l^9# 27Z<8NXHi9FCI&3sTe<F#s0&Y<9&j=<9Yr2H7F/@5$# 3NoNWm0i`NBTeKe}`n,BT5lklg"e}vD]j7<KX87?e}`n,BT5l^9#

/usr/bin/su 3^sIrM87F/@5$# LNf<6<NQ9o<IrNCF$kf<6<,3N3^sIrHQ9kH"=NLNf<6<N1LK@(*KQ9G-^9# UNIX N;-ejF#<GO" root f<6<@1,f<6<1LrQ9G-kh&KJCF$k,W,"kNG"9YFN UNIX 79F`eG setuid k<H&Wm0i`H7F su 3^sIr;CH"CW7^9# PDOS TCB fG su 3^sIr Secure-Programs K7J+C?lgO">Nsk<H&f<6<KP9ke}rv

D5lF$kf<6<O"B]Ke}KJj?$f<6<KC(Fk<HKP9ke

}KbJlk,W,"j^9# Secure-Programs H7F=.5lF$k3^sIrH

Q9kH" su N?<2CH&f<6<rWmF/H9k PDOS e}vD]j7<@1,/)BT5l^9#

?H(P"f<6< fred , sysop f<6<KP9k1LNQ9rvD5lF$kH7^9# fred OJ<N su 3^sIrBT7^9#

fred$ su sysop

9kH"e}`n,Tol^9# su , setuid k<H&Wm0i`G"klgO"^:"k<HKP9ke}`n,Tol^9# !K"fred , sysop "+&sHNQ9o<Ir57/~O9kH" su 3^sIKhj sysop f<6<KP9k1L,@(*KQ95l^9# fred , Secure-Programs H7F=.5lF$k su 3^sIrHQ9kKO"k<HKP9ke}KP9k PDOS "BO,WJ/" sysop KP9k"B@1,WG9#

GU)kHG Secure-Programs H7F=.5lF$k8` UNIX 3^sIO" su 3^sI@1G9# PDOS KO pdosuidprog 3^sI,w(ilF*j"3lO)BU-Ne}]j7<rN)9klgK" Secure-Programs H7FIC7?$>N

44 ����� 3 ���� 7

Page 59: publib.boulder.ibm.compublib.boulder.ibm.com/tividd/td/security/pol_admin37/ja_JA/PDF/... · m0$s&]j7< ....................................................... 35 e}]j7

setuid Wm0i`d setgid Wm0i`r+D1kNKr)A^9# 3N3^sINBTD$F\7/O"137Z<8NXpdosuidprogYr2H7F/@5$#

)BU-Ne}]j7<rN)7":v9k setuid Wm0i`d setgid Wm0i`r Secure-Programs H7F TCB fKIC9klgKO"3liNWm0i`rBT

7F$kf<6<,M3H7F"=|;Lf<6<d0k<WKP9ke}"Br,

WH7F$k3H,,+k3H,"j^9# Wm0i`NBTeKe}`n,BT

5lk3Hb"j^9# 3Nh&JlgK"3liN)BU-f<6<1L*hS0k<W1LKP9k*<Ws&"/;9r_1?/J$lgO"Access-Restrictions rHQ7F"CjWm0i`NBT~@13liNe}`nrBT9k3Hrf<6<KvDG-^9# 17Z<8NX"/;9)BYKO"3NoN]j7<rjA9k}!,b@5lF$^9#

UNIX f<6<,e}`nr5oKBT7Fb" PDOS vDr=L9kNK,Q5lk"/;5<1LOQ95l^;s# f<6<,e}`nrHQ7F"PDOS +i+F>MKJk3HOG-^;s# TCB Wm0i`N 2 D\N/i9G"kImpersonator-Programs rHQ9kH"e}`nKhj"Wm;9N UNIX f<6<1L@1GJ/" PDOS "/;5<1LbQ9G-^9# TCB j=<9NImpersonator-Programs /i9KD$FN\YO" 27Z<8NXHi9FCI&3sTe<F#s0&Y<9&j=<9Yr2H7F/@5$#

e}j=<9N"/;9&3sHm<k

e}j=<9KX"7?vD]j7<O" Policy Director ACL rf<6<>^?O0k<W>*V8'/HKUC7F=7^9# ^?"Policy Director ACL r User^?O Group 3sFJ<&*V8'/HKUC7F" ACL Q5rHQ9kH"f<6<d0k<WNGU)kHNe}]j7<rjAG-^9# 5iK"ACL rSurrogate 3sFJ<&*V8'/HKUC9kH"9YFNf<6<H0k<WKX9kGU)kHNe}vD,]5l^9 (f<6<d0k<WN3sFJ<K ACL,@(*KUC5lF$J$3H,0sG9)# "/;9&3sHm<k=LNltH7F" Policy Director N#G (T) vDbHQ5l^9# 43Z<8N=19 KO"e}j=<9KX"7?-zJ ACL vD,\R5lF$^9#

Sudo ����

Sudo j=<9KO"CjWm0i`rBTG-k+I&+H$&!5hj\YJ"/;9&3sHm<k,,WJ3^sI,-R5lF$^9# Sudo 3^sIrHQ9kH"3^sI@1GJ/"3^sIKO5lkQia<?<KbpE$F"/;9&3sHm<krT(^9# Sudo 3^sIrHQ9kH"f<6<,I}Q?9/rBT9k]K79F`eNk<HKJk,W,J/Jj^9#3N?9/N?aK"Sudo KO"/0&J0N UNIX f<6<H7F3^sIrBT9k!=,w(ilF$^9#

J<N}!G"Policy Director M<`&9Z<9fG Sudo j=<9,1L5l^9#

/OSSEAL/policy-branch/Sudo/sudo-command[/sudo-argclass]


Sudo 3^sIN0-,"=20 Kj9H5lF$^9#

= 20. PDOS Sudo *V8'/H

*V8'/H> | b@ | ?$W

sudo-command | Sudo 3^sIN>0# 3N*V8'/HKO"B]NWm0i`"UNIX f<6<1L"*hSQ9o<Ir-R7?Qia<?<,X"7F$^9# IT,3N>0rXj7^9# | Sudo 3^sIr=99Hjs0#

sudo-argclass | 3^sIz-tN/i9N>0# "I_K9Hl<?<,3N>0r*r7^9# | Sudo z-t/i9r=99Hjs0#

Sudo 3^sIN0-rjA9kKO" Sudo 3^sIr1L9k*V8'/Hrn.7^9# *V8'/HeN Sudo 3^sIH%0-r":v9kMK_j7^9# =21 KO"3N3^sIN0-,j9H5lF$^9#

= 21. Sudo 3^sIN0-

H%0- | b@ | ?$W

Sudo-Command | Sudo 3^sIXN"/;9'D5l?]KBT5lkWm0i`# PDOS G Sudo *V8'/H,-zH+J5lkKO"3NQia<?<rXj7J1lPJj^;s# 3N0-O1lNMG9# | Wm0i`rXj9k04$~ UNIX U!$k>#

Sudo-Target-User | 3N UNIX f<6<>N<G"Sudo-Command KhCFXj5l?Wm0i`,BT5l^9# 3N UNIX f<6<O" Sudo 3^sIrBT9k,WN"k9YFN79F`eKJ1lPJj^;s# 3N0-O*W7gsG9# GU)kHMOk<HG9# 3N0-O1lNMG9# | UNIX f<6<N>0r=99Hjs0#

Sudo-Invoker-Password | 3N0-O"Sudo 3^sIrBT9kKO"=N0K=N3^sIN/0&,Q9o<Ir~O7J1lPJiJ$3Hr(7^9# GU)kHGO"/0&NQ9o<IO,W"j^;s# 3N0-O1lNMG9# | 3NMOuGJ$9Hjs0GJ1lPJj^;s#

Sudo-Target-Password | 3N0-O"Sudo 3^sIrBT9kKO"=N0K=N3^sIN/0&," Sudo-Target-User 0-GXj5l??<2CH&f<6<NQ9o<Ir~O7J1lPJiJ$3Hr(7^9# GU)kHGO"/0&,?<2CH&f<6<NQ9o<Ir~O9k,WO"j^;s# 3N0-O1lNMG9# | 3NMOuGJ$9Hjs0GJ1lPJj^;s#

=22 K(5lF$kh&K" Sudo 3^sIrBT9kKOBT (x) vD,,WG9#

= 22. Sudo K,WJvD

vD3<I vD> U?5lkvD

x BT Sudo 3^sINBT

Sudo ����

sys-admin 0k<WNasP<@1, /usr/sbin/mount 79F`&Wm0i`rHQG-kh&K7"/0&,3^sIrBT9k]KOH+NQ9o<Ir~O9k,W,"kh&K Sudo 3^sIrjA9kKO"J<N pdadmin 3^sIrHQG-^9#

pdadmin> object create /OSSEAL/Servers/Sudo/mount "mount" 2 ¥
ispolicyattachable yes
pdadmin> object modify /OSSEAL/Servers/Sudo/mount set attribute ¥
Sudo-Command /usr/sbin/mount
pdadmin> object modify /OSSEAL/Servers/Sudo/mount set attribute ¥
Sudo-Invoker-Password "required"
pdadmin> acl create sudo-mount
pdadmin> acl modify sudo-mount set group sys-admin T[OSSEAL]x
pdadmin> acl attach /OSSEAL/Servers/Sudo/mount sudo-mount

Sudo 3^sI&*V8'/HKP9k Sudo z-t/i9&*V8'/H>0rjA9kH"XjG-kz-tKD$F\YK3sHm<kG-^9# Sudo z-t/i9&*V8'/HO"=N*V8'/HNH%0-rjA9kH$&" Sudo 3^sI&*V8'/HH1MN}!GjA7^9# Sudo z-t/i9NjAKHQ5lkH%0-," =23 KjA5lF$^9#

= 23. \Y3sHm<kN?aNH% Sudo 0-

H%0- | b@ | ?$W

Sudo-Arguments | 3^sITz-trM-go;kNKH&o$kI+<I&9Hjs0#3N0-O#tMrhkNG"1lNz-t/i9r-R9kNK#tNQ?<srHQG-^9# GU)kHMO"j^;s# | 3^sITz-trM-go;kNKH&o$kI+<I&9Hjs0#


cN3-G"net-admin 0k<WNasP<@1, NFS U!$k&79F`r^&sHG-" sys-admin 0k<WNasP<@1,m<+k&U!$k&79F`r^&sHG-kh&K9kKO"e-N3^sIKC(FJ<N pdadmin 3^sIrHQ7F/@5$#

pdadmin> object create /OSSEAL/Servers/Sudo/mount/remote ¥
"Remote mount argument patterns" 0 ispolicyattachable yes
pdadmin> object modify /OSSEAL/Servers/Sudo/mount/remote set attribute ¥
Sudo-Arguments "[-]F nfs"
pdadmin> acl create sudo-net-mount
pdadmin> acl modify sudo-net-mount set group net-admin T[OSSEAL]x
pdadmin> acl attach /OSSEAL/Servers/Sudo/mount/remote sudo-net-mount
pdadmin> object create /OSSEAL/Servers/Sudo/mount/local ¥
"Local mount argument patterns" 0 ispolicyattachable yes
pdadmin> object modify /OSSEAL/Servers/Sudo/mount/local set ¥
attribute Sudo-Arguments "[-]F *"
pdadmin> acl create sudo-local-mount
pdadmin> acl modify sudo-local-mount set group sys-admin T[OSSEAL]x
pdadmin> acl attach /OSSEAL/Servers/Sudo/mount/local sudo-local-mount
pdadmin> acl modify sudo-mount set group sys-admin ""

������

J<Nm-O"3NcNb@rdu9kbNG9#

1. pdadmin K0-Mr_j9k]KO"MNh,r@C7e8zK9k3HOG-^;s# @C7eOO$Us (-) @1r^`8zOO [-] H7F=5l^9#

2. 0RN]j7<Oo$kI+<I&Q?<sN%hgLKM87F$^9#V[-]F nfsWQ?<sN},V[-]F *WQ?<shjbCj=5l^9#

3. /OSSEAL/Servers/Sudo/mount KUC5l? Sudo ^&sH ACL N sys-admin 0k<W&(sHj<OCn5l^7?# 3N(sHj<,"kH"h,N*W7gsH7F -F Qia<?<rXj7J$Bj" Sudo ^&sH&3^sIK"/;9G-^;s#

4. o$kI+<I0r5iK#(K7F"WiCHU)<`Nc$Khk^&sH&3^sINo:+Jc$r4d9k3H,G-^9#?H(P"^&sHN]KU!$k&79F`N?$WrXj9kNK -F *W7gsNeojK -t *W7gs,=|5l?j" nfs NeojK NFS ,u1~lil?j9k3H,"j^9# 3li 2 DNvcN4dr^kKO"/OSSEAL/Servers/Sudo/mount/remote *V8'/HN Sudo-Arguments 0-NMr" -[tF] [Nn][Ff][Ss] KV-9(k3H,G-^9#

5. 1lN Sudo 3^sIN 2 o`N Sudo z-t/i9K18Q?<s,"klgO"YpaC;<8,P5lF" PDOSD m0&U!$kfK>AKhlk]j7<,8.5lF*jI}F:,8.5lk3Hr(7^9#3Nlg"IAiN]j7<,,Q5lk+$jAKJCF$^9#

3N UNIX 3^sI=8OsoK#(KJk3H,"j"3^sIT*W7gsdQia<?<O$UNgx*hSH_go;GXjG-^9# 7?,CF"9YFND=-rVe7?z-tQ?<srjA9k3H,q7/JkD=-,"j^9#Sudo 3^sIKP9k"/;9rq]9kGU)kHN0nrjA9kH"3^sIT*W7gsNH_go;dgxr"I}D=JOOK)BG-^9#

Sudo �����!���"�����

>Nj=<9&?$WH1MN}!G" Sudo-Arguments 0-K PDOS o$kI+<IrHQG-^9# Sudo-Arguments o$kI+<I&9Hjs0Np\(lasHO>N PDOS o$kI+<IH18G9,"J<Nc0,"j^9#


¶ o$kI+<I&"9?j9/ (*) O"$UN8zN7<1s9GOJ/"urGJ$8zN7<1s9rM-go;^9# ^?"3^sIT4NGOJ/"3^sITz-t4NrM-go;^9# ?H(P"J<NQ?<sO"h,Nz-tH7F$UN9Hjs0rM-go;" 2 V\Nz-tH7F9Hjs0root rM-go;^9#

* root

2 V\Nz-t, root GJ$lgO"3NQ?<sOlW7^;s#

¶ Q?<sfN7s0k&9Z<9O"M-go;P]N9Hjs0fNur8zN7<1s9HM-go;il^9# 9Z<98zKClJU#,"klgO_-f (¥) G(91<WG-"3NlgO 1 DN9Z<9@1HM-go;il^9#

¶ Sudo-Arguments 0-KM ″″ ,"klgOu9Hjs0HM-go;ilkNG"z-t, Sudo 3^sIKO5lJ$lgKM-go;kQ?<srjAG-^9#

¶ 0K"kz-t,Q?<s4NHlW7F$lP"eK3/z-t,Q?<sKlW7J/Fb"Q?<sO9Hjs0HlW7^9# ?H(P"

* root

3NQ?<sOJ<N>}N9Hjs0HlW7^9#

show root
add root system

pdossudo %3��

Sudo 3^sIrFSP9KO"pdossudo 3^sIr~O7F" Sudo 3^sI>H$UNz-trXj7^9# 47Z<8NXSudo NHQcYGO"J<Nh&KSudo ^&sH&3^sIrFSP7^9#

$ pdossudo mount -F nfs host:/shared/directory /local

Sudo 3^sINvDWm;9O"J<NgxGJT7^9#

1. FSP7rT&f<6<,"Wa5l? Sudo 3^sIKP9kBTvDr}CF$k+I&+"^?O3^sITKXj5l?z-tHlW9kz-t,"klgO Sudo z-t/i9KP9kBTvDr}CF$k+I&+,=G5l^9#

2. lW7?lgO"FSP7rT&f<6<O,\Q9o<I ("klg) N~Oraail^9#

3. 9YFN,\Q9o<Ir57/~O7?i"Wm;9NBz UNIX f<6<ID ,?<2CH&f<6<Nf<6< ID KQ95l^9# 3N1LQ9Oe}]j7<KX9kbNJNG"FSP7rT&f<6<KO?<2CH&f<6<Ne}KJk"B,J1lPJj^;s (Access-Restrictions 0-rHQ7F3Ne}"Br)B7" pdossudo 3^sIrFSP9H-@1f<6<Ke}rvD9k3H,G-^9)#

4. Xj5l?z-tGe-N`n,9YF5oK0;7?eKBj" Sudo 3^sI,BT5l^9#

Sudo-Command 0-fKXj5l?Wm0i`KP9k Access-Restrictions 0-rN)7F"3NWm0i`NBTr pdossudo 3^sI@1K)B9k3HbG-^9#


J<N pdadmin 3^sIO"3NoN Access-Restrictions rN)9k}!r(7F$^9#

pdadmin> object create /OSSEAL/Servers/Surrogate/User/root "surrogate root" 14 ispolicyattachable yes
pdadmin> acl create root-user
pdadmin> acl modify root-user set any-other T[OSSEAL]G
pdadmin> acl modify root-user set unauthenticated T[OSSEAL]G
pdadmin> acl modify root-user set attribute ¥
Access-Restrictions any-other:G:/opt/pdos/bin/pdossudo
pdadmin> acl modify root-user set attribute ¥
Access-Restrictions unauthenticated:G:/opt/pdos/bin/pdossudo
pdadmin> acl attach /OSSEAL/Servers/Surrogate/User/root root-user

pdadmin> object create /OSSEAL/Servers/File/usr/bin/mount "mount command" 3 ispolicyattachable yes
pdadmin> acl create mount-program
pdadmin> acl modify mount-program set any-other T[OSSEAL]x
pdadmin> acl modify mount-program set unauthenticated T[OSSEAL]x
pdadmin> acl modify mount-program set attribute ¥
Access-Restrictions any-other:x:/opt/pdos/bin/pdossudo
pdadmin> acl modify mount-program set attribute ¥
Access-Restrictions unauthenticated:x:/opt/pdos/bin/pdossudo
pdadmin> acl attach /OSSEAL/Servers/File/usr/bin/mount mount-program

3N]j7<KhCF1Lr root f<6<KQ99k}!O" pdossudo 3^sI7+"j^;s#

LN UNIX f<6<C"r}Df<6<_jD-QtKhCF" Sudo 3^sI,@^5lJ$h&KWmF/H9kKO"BT5lk Sudo Wm0i`KP9kD-Qtr7EK3sHm<k7^9# 3NoNvcH7FO"T,ZJWm0i`rBTG-kMK PATH rQ99k3H,"j^9# =24 O" Sudo 3^sIrBT9k0Kf<6<ND-+i9HjCW5lkD-Qtr(7F$^9#

= 24. Sudo KhCF9HjCW5lkD-Qt

D-Qt | m-

PATH | 3^sINljrX9Q9

LD_* | h,, LD_ N&Qi$Vij<!wQ9D-Qt9YF

_RLD_* | h,, _RLD_ NBT~js+<D-Qt9YF

SHLIB_PATH | HP-UX lQN&Qi$Vij<!wQ9

LIBPATH | AIX lQN&Qi$Vij<!wQ9

IFS | ~OU#<kIhZj8z

ENV | D-U!$kNlj

BASH_ENV | bash D-U!$kNlj

KRB_CONF | kerberos 4 =.U!$kNlj

KRB5_CONFIG | kerberos 5 =.U!$kNlj

LOCALDOMAIN | /etc/resolv.conf fNIa$s>NXjQ9

RES_OPTIONS | [9H>rhN*W7gs

HOSTALIASES | [9HL>EMU!$kNljNXjQ9

e-ND-Qtd=N>ND-QtNMrXj9kKO" pdossudo =.U!$k/opt/pdos/etc/pdossudo.conf fGjA7^9# 3NU!$kN [environment] 9?s6(3NU!$kN9?s6O3l@1G9) fK3liND-QtrjA7FXj7^9# ?H(P":v9k!wQ9fK"Wj1<7gsN3^sIH&Qi$Vij<rH_~s@",ZJ pdossudo.conf =.MOJ<NH*jG9#

[environment]
PATH=/usr/bin:/usr/sbin:/usr/application/bin
LD_LIBRARY_PATH=/usr/lib:/usr/application/lib

Sudo 3^sI, PATH *hS LD_LIBRARY_PATH NlgO"D-QtOpdossudo.conf =.U!$kfKXj5l?MK>CF_j5l^9#

pdossudo 3^sIG"9/jWHKhCF3^sIN/0&r1LG-kD-Qtb_jG-^9# =25 K3liNQt,jA5lF$^9#

= 25. Sudo KhCF_j5lkD-Qt

D-Qt | b@

PDOS_SUDO_ACCESSOR_NAME | Sudo 3^sIrFSP9f<6<N PDOS "/;5< ID KP~7?f<6<>

PDOS_SUDO_ACCESSOR_ID | Sudo 3^sIrFSP9f<6<N PDOS "/;5< ID KP~7?tM ID

PDOS_SUDO_INVOKER_NAME | pdossudo rFSP9 UNIX f<6<KP~7?f<6<># m0$seK1LNQ9,Tol?lg (?H(P"f<6<, su 3^sIrBT7?lg)"3NMH"/;5<>,c&3H,"j^9#

PDOS_SUDO_INVOKER_ID | pdossudo rFSP9 UNIX f<6<KP~7?tM ID# m0$seK1LNQ9,Tol?lg (?H(P"f<6<, su 3^sIrBT7?lg)"3NMH"/;5<>,c&3H,"j^9#


PDOS ����

3NOGO"LoN PDOS is?$`!=rBT9k Policy Director for Operating Systems N3s]<MsHH"=N3s]<MsH,!=9kD-KD$Fb@7^9#J<N3s]<MsH,b@5l^9#

¶ XPDOS G<bsY

¶ 61Z<8NXPDOS f<6<*hS PDOS 0k<WY

¶ 63Z<8NXPDOS U!$kHG#l/Hj<Y

¶ 65Z<8NXPDOS i|]j7<Y

¶ 68Z<8NXV%`nY

PDOS ���

J<O"PDOS NgW!=r.9G<bsG9#

PDOSDvDrhj7"Trusted Computing Base (TCB) rbK?<7^9#

PDOSAUDITDLN PDOS 3s]<MsH+iF:$YsHru1hj"F:ZWrI}7^9#

PDOSWDD>NG<bsrQ37FHQG-kh&K7^9#>NG<bsb_$rbK?<7^9#

=l>lN PDOS G<bsO"EWJ$YsH*hS(i<ror-?9km0&U!$kr]}7^9#m0&U!$kKq-~^lkl3<IKO" UTC ?$`&9?sW"aC;<8r-?9k PDOS 3s]<MsHr1L9kps"aC;<8NoL"aC;<8&F-9HJI,^^l^9# PDOS rFO07Fbm0&U!$kOQ37FHQ5l^9#m0&U!$kKq-~`3H,G-km0`\NDtr=.7F+i"U!$kNPC/"CWrhCF77$m0r+O9k3H,G-^9#^?"U!$kNFxQr+O9k^GKm0&U!$kr]}G-kDtr"G<bs4HK=.9k3HbG-^9#GU)kHGO"m0&U!$kO+0*Km<k*<P<5l^;s#

3N*W7gsd^?LNis?$`N*W7gsO" pdoscfg 3^sIrHQ7F_jG-^9# 106Z<8NXpdoscfgYKO"pdoscfg N*W7gs,j9H5lF$^9# 76Z<8NXPDOS =.N40YKO" pdoscfg *W7gsH3NOGb@5lk PDOS =.U!$k0-HNVN^CTs0,(5lF$^9#


PDOSD �� ���

vDG<bsN PDOSD KO"J<Nh&J/-,"j^9#

¶ PDOS +<MkH%!=, PDOS ]j7<K>&`nreTu.9kH-K8.5lkvDWarh}7^9#

¶ Policy Director Nk@+if<6<*hS=NasP<7CWrb@9k Policy Director Z@qK UNIX f<6< ID r^CW7^9#

¶ TCB Ks?9kU!$krbK?<7F".j-rc<5;kh&JQ9r9YF!P7^9#

������

Credential Acquisition Service O"PDOSD NvDhjWm;9KHCFTDgG9#7Z<8NXPDOS ]j7<YKO"UNIX f<6<N ID rHQ7F"vDhjrT&?aK,WJ Policy Director Z@qr~j9k}!KD$FNO$lYkJb@,-\5lF$^9#3N;/7gsGO"=NWm;9N"=lhjbc$lYkN&Lrb@7^9# PDOS ,z(*KvDhjrT&?a"^? LDAP f<6<&l89Hj<+iV%5lF$FbNBK!=9k?aK"Z@q,HQ5lkH"=lO PDOSD KhCF-cC7eK~lil^9# PDOSD Oabj<N-cC7eHG#9/N-cC7erHQ7^9#Z@qO9YFG#9/N-cC7eK~lil^9#"/F#V&f<6<@1,abj<&-cC7eNZ@qrxQG-^9#

-cC7eK~lil?Z@q, 1 D=l>lNf<6<4HK"j^9#Z@qO"f<6<,79F`Km0$s9kH-K-cC7eK~lil^9#f<6<,79F`Km0$s9kYK" PDOS O LDAP f<6<&l89Hj<+i7,NZ@qr!w7"=lrZ@q-cC7eK]I7^9#18f<6<Khk7,Nm0$s`n,!P5lk^G"=Nf<6<O-cC7eNZ@qrH$31^9#7,Nm0$s`n,!P5lkH" PDOS OFS LDAP f<6<&l89Hj<+i7,NZ@qr!w7"-cC7eNZ@qr77$Z@qKV-9(^9#

77$Z@q,-cC7eK~lil?i"=Nf<6<,m0$s&7'k+iT&9YFN`nG"7?K-cC7eK~lil?=NZ@qrHQ7^9#3lO=NZ@q,V-9(ilk+"-cC7e+i|n5lk^G3-^9#

Z@qrG7=(9kH"f<6<N0k<W&asP<7CWGTol?9YFNQ9,?G5l^9#f<6<N0k<W&asP<7CWO"0k<WKIC5l?j0k<W+i|n5l?j9kHQ95lk3H,"j^9#0k<W&asP<7CWNQ9O"f<6<NZ@q,G7=(5lF+i?G5l^9#

pdosrefresh 3^sIrHQ9kH"f<6<NFm0$srT?:KZ@qNG7=(r/)9k3H,G-^9#3lKhj"0k<W&asP<7CWNQ9O9YF(~K?G5l^9#

-cC7eNZ@qKO=l>l"G7=(~oH]}~V,"j^9#

G7=(~o

Z@qNG7=(~oK#9kH" PDOSD O LDAP f<6<&l89Hj<+i7,NZ@qr!w7"-cC7eNZ@qr77$Z@qKV-9(^9#


]}~V

Z@qN]}~VK#9kH" PDOSD O-cC7e+iZ@qr|n7^9#Z@q, PDOSD G,WKJkH" LDAP f<6<&l89Hj<+i77$Z@q,!w5l^9#

������ ��������

PDOS f<6<O"J<N$:l+K,`5l^9#

¶ lLf<6<

¶ I}f<6<

I}f<6<O"osseal-admin Policy Director 0k<WK09k4f<6<H7FjA5l^9#I}f<6<KO"lLf<6<N0-KC(F!N0-,"j^9#

¶ I}f<6<NZ@qOG#9/&9Z<9+iCn5l^;s#

¶ I}f<6<NZ@qO (m0*s7?3H,J/Fb) 79F`K]}5l^9#

¶ (i<roN< PDOSD ,T&GU)kHNhjO""/;9U?G9#sI}f<6<Nlg"GU)kHNhjO"q]G9#

=26O" /opt/pdos/etc/pdosd.conf =.U!$kN PDOS Credential Acquisition ServiceKX9k=.0-rj9H7F$^9#

= 26. PDOS Z@qN=.0-

9?s6 | 0- | b@

[credentials] | user-cred-refresh | G7=(,,WKJk^GN"f<6<Z@q,Z@q-cC7eKV+lk~V (,)#Z@q,-cC7eK~lil?H-+i$s?<PkO+O7^9#G7=($s?<Pkr6(kH"Z@qNG7=(,Tol^9#

| admin-cred-refresh | I}f<6<NZ@qNG7=(,TolkQY#3lKhj"I}f<6<NZ@qNG7=(|Vr"lLf<6<NG7=(|VNFAru1:KI}9k3H,G-^9#3N0-b",1LGXj7^9#

| cred-hold | G*"/;9~oJ_"sI}f<6<NZ@qrZ@q-cC7eKV/3HNG-k~V (,)#33GXj7?~Vr6(kH"-cC7eKDCF$ksI}f<6<NZ@qO-cC7e+iCn5l^9#I}f<6<NZ@q,-cC7e+iCn5lk3HO"j^;s# cred-hold $s?<PkO"user-cred-refresh $s?<Pkhj9/J1lPJj^;s#

Z@qNG7=(,,WJH-K PDOS , Policy Director User Registry HL.G-J$lg" Registry HNL.,FSN)5lk^G=NZ@qO-cC7eKDj^9#=NV"-cC7eK"k=NZ@qr PDOS OH$31^9#

PDOS Policy Director User Registry

User Registry r[V7FL.rN)9k?aK" PDOS O Policy Director Runtime Environment =.rHQ7^9# PDOS O3lrHQ7F"f<6<&l89Hj<=. (User Registry NlWj+NljJI) r" Policy Director NLN3s]<MsHH&Q9k3H,G-^9# Policy Director Runtime Environment N=.KD$FN\YO" Policy Director Administration Guide r2H7F/@5$# Policy Director User Registry H7F PDOS ,5]<H9kNO LDAP @1G9#

=27 O"PDOSD =.U!$k /opt/pdos/etc/pdosd.conf N=.0-r(7F$^9#3NU!$kO"PDOSD H User Registry HNL.r)f7^9#3N0-OPDOS N=.fKN)5l"Q9OG-^;s#

= 27. PDOSD H User Registry NL.r)f9k=.0-

9?s6 | 0- | b@

[ldap] | ldap-server-config | Policy Director Runtime LDAP =.U!$kNlj#

| ssl-enabled | LDAP rHC? SSL L.NHQN-5r(9V<k&Ui0# SSL L.rHQ9kKO"3lr_j9k,W,"j^9#

| bind-dn | PDOSD , LDAP f<6<&l89Hj<K"/;99kH-K"'ZGHQ9k1L> (DN)#

| bind-pwd | PDOSD , LDAP f<6<&l89Hj<K"/;99kH-K"'ZGHQ9kQ9o<I#

$4-�(.���������_j9k0-O"79F`N;-ejF#<KFArZ\7^9#_jMr_j7?jQ97?j9kH-O4mU/@5$#

LDAP 5<P<HNL.G SSL rHQ9kH" PDOSD H LDAP 5<P<VNj_'Z,D=KJj^9# LDAP 5<P<NZ@qKp>9k'ZI (CA) NZ@q (PDOS N=.~Ks!5lk) KhCF" PDOSD O"=N LDAP 5<P<,\*+I&+r!:G-kh&KJj^9# PDOSD O Policy Director Runtime rp7F LDAP 5<P<+i?(ilkpsrHQ9k?a"vDhjGHQ9kf<6<[email protected]=Nps,.jG-kbNGJ1lPJj^;s#PDOSD Khk LDAP 5<P<N'ZGO"3NlYkN.j,]Z5l^9#Policy Director for Operating Systems Installation Guide r2H7F/@5$#

33GO"PDOSD , LDAP f<6<&l89Hj<KP7F+Jr'Z9kH-KHQ9k DN *hSQ9o<IKX9k!)psb-\5lF$^9#[email protected]?aK PDOSD ,=Nps;r.j7J1lPJiJ$h&K" LDAP 5<P<O=NpsXN"/;9r)B7J1lPJj^;s#

3Npsr]n9kKO"PDOS ,N)7?GU)kHN]j7<O" PDOS =.U!$k,^^lk /opt/pdos/etc G#l/Hj<K osseal-restricted ACL rC(^9#3N ACL O"I}f<6<"D^j" osseal-admin 0k<WNasP<Khk"/;9N_vD7^9#

�����&$�

PDOSD O"m<+k&b<IN Policy Director Authorization API "Wj1<7gsG9# Policy Director NqAKO3lKX9k\Y,b@5lF$^9# PDOSDO^9?< Policy Director ]j7<&G<?Y<9r#=7"3Nm<+k&lWj+K]I5l?psKpE$FvDhjrT$^9#D^j"]j7<NlWj+r~j9k3H,vDhjrT&GiN9FCWKJj^9# PDOS NGiN=.GiaF]j7<&G<?Y<9O#=5l^9#^9?<&]j7<&G<?Y<9O"Policy Director Management Server KhCF]i5l^9#J<N!=Khj"]j7<,975lkHlWj+b975l^9#


"/F#VLN

^9?<&]j7<&G<?Y<9,975lkH" Policy Director Management Server OLNrP?7?lWj+&5<P<K"97,Tol?3HrNi;^9#9kH"lWj+&5<P<O975l?G<?Y<9r@&sm<I7^9#

]<js0lWj+&5<P<Oj|*K Policy Director Management Server r]<js07F"^9?<&]j7<&G<?Y<9KP7F97,TolF$J$+N'7^9#97,TolkH"lWj+&5<P<O975l?G<?Y<9r@&sm<I7^9#

PDOS O"e-N&AN$:l+"^?O>}Na+K:`rHQ7^9# =28 Kj9H7?=.0-O" PDOSD Khk]j7<97LNN"/F#VJ listen"^?OljN$s?<PkGN Policy Director Management Server N]<js0r)f

7^9#3N=.0-O"/opt/pdos/etc/pdosd.conf =.U!$kK"j^9#

= 28. vDN=.0-

9?s6 | 0- | b@

[policy] | refresh-interval | Policy Director Management Server r]<js07F97rN'9k$s?<Pk (,)#M,<mNlg"]<js0OTol^;s#

[ssl] | ssl-listening-port | PDOSD , Policy Director Management Server +iN]j7<97LNr listen 9k?aKdjvFilk TCP/IP ]<H#M,<mNlg"]j7<97O listen 5l^;s#

vDhjr,WH9k79F``nr PDOS +<MkH%!=,eTu.9kH"PDOSD +iNhjrWa7^9#vDhjrT&?aK"+<Mk,s!9kBT5lk`nKD$FNps,HQ5l^9#3NpsO"!NbN+i.j^9#

¶ `nrn_kf<6<NtM*J"/;5< ID#3N ID O`nrBT9kWm;9N UID H[Jklg,"j^9#3lO"e}`n,BT5lkWm;9,e}f<6< ID GBT5lk?aG9# PDOS Nk@+iN"/;5< IDO"Wm;9N*j8JkN ID N^^G9#"/;5< ID OlLK"m0$sNH-K_j5l"m0$sKP~9k ID KJj^9#

¶ `nK,Q5lkj=<9#

¶ nT5l?`n#

¶ `n,/87?~o#

¶ `nrBT9k?aKHQ7?Wm0i`#

PDOSD O3Npsr"]j7<&G<?Y<9Nm<+k&lWj+K]I5lF$k]j7<HfS7^9#3NfSKpE$F"PDOS O`nrvD9k+I&+rhj7^9#fSGHQ5lkNO"^7s,5V9/jW7gs7?]j7<&VisANfK^^lk]j7<@1G9#3N]j7<&VisAO"PDOS Nis=.~KXj5l^9# 58Z<8N=29 Kj9H5lF$k=.0-O"]j7<&VisAN>0rXj7^9#3lO"/opt/pdos/etc/osseal.conf U!$kK"j^9#

^7seGO<I&'"c2,/-klg"^?O79F`GHQD=J>[abj<,T-7F$klgK"Wm;9fK`n(i<,/89klg,"j^9#PDOS O"vDWm;9KWbr?(k=NoN$YsH,/89kD=-rG.BK^(kh&K=.5lF$^9#vD]j7<KpE$FhjrT&3H,G-J$lg" PDOSD Of<6<,I}f<6<G"k+I&+KpE/GU)kHNhjr,Q7^9#I}f<6<Nlg"(i<roGNGU)kHNhjO""/;9U?G9#sI}f<6<Nlg"(i<roK"kH"/;9Oq]5l^9#

= 29. vD]j7<&VisAN=.0-

9?s6 | 0- | b@

[policy] | branch | =N^7s,5V9/jW7gsrT&]j7<&VisAN>0#

TCB �5��

PDOSD Oj|*K TCB NFU!$kr!:7"Q9,C(ilF$J$+I&+r4Y^9#bK?<5lkU!$kN0-;CHr"U!$kN70KAc< H$$^9#3liN0-N 1 DGbQ99kH"U!$kN70KAc<bQ95l^9#70KAc<NQ9,!P5lkH"PDOSD O=NU!$kr"sHi9FCIH7FuU1^9#"sHi9FCIN TCB U!$kO"BT9k3H,G-^;s#BTJ0N`nG"sHi9FCI TCB U!$kK"/;95lkH"I}F:$YsH,8.5l^9#

U!$kN70KAc<r=.9kNO"J<N0-G9#

¶ U!$k&5$:

¶ U!$kNn.~o

¶ U!$kNQ9~o

¶ U!$kNvD

¶ U!$kNj-"

¶ U!$k&?$W (5,U!$k"G#l/Hj<"=UH&js/JI)

¶ bFNA'C/5` (5,U!$kNlg)

PDOSD ,9YFN TCB U!$kr!:9k$s?<PkO=.D=G9#3N$s?<PkNVf"QyKU!$kN!:,Tol^9# TCB K?LNU!$k,^^lF$kH"$s?<Pk,;9.F=N~;0K9YFNU!$kr!:G-J$+b7l^;s#3Nh&Jlg"PDOSD Om0&U!$k/var/pdos/log/pdosd.log KYpr8.7^9#

PDOSD , TCB U!$kNbK?<K<Fkj=<9Lr)f9k?aKHQG-k=.0-O 3 D"j^9# 59Z<8N=30 KO" /opt/pdos/etc/pdosd.conf =.U!$kGXj5lF$k0-,b@5lF$^9#


= 30. PDOSD TCB U!$k&bK?<&j=<9N=.0-

9?s6 | 0- | b@

[tcb] | monitor-threads | TCB bK?<GHQ5lk9lCINtr)f7^9# TCB bK?<Nm<IO"QyK9lCIVK,67^9#^kAWm;C5<&79F`GN_3NMrg-/9kHz(*G9# CPU hj?/NbK?<&9lCIO,W"j^;s#

| interval | TCB 4Nr9-cs7FQ9r!:9k$s?<Pk (,)#3N$s?<Pkrg-/9kH"TCB bK?<&79F`Nm<IO:j^9,"Q9r!P9kNKhj?/N~V,++k3HKJj^9#

| max-checksum-file-size | U!$kNA'C/5`NW;GEWHWolkP$Htr)f7^9#3lKhj"gLN3sTe<F#s0&j=<9r3_CH;:K"pgU!$kNA'C/5`&bK?<NYg$,,+j^9#A'C/5`NW;GHQ5lkP$Htr"U!$kNh,^?OvxGOJ/U!$k4NK,65lF$klj+i*r9k3HKhj"Q9rGgB!PG-kh&K7^9# TCB bK?<GBT5lk`nN&AGbqQN++kN,"A'C/5`NW;G9#

.juVH TCB U!$kN70KAc<O^7s4HK]}5l"f{ Policy Director I}5<P<KFS[[5lk3HO"j^;s#3N3HO"18U!$kGbLN^7sGO[Jk70KAc<r}D3H,"k3H"^?"^7sKhCFHi9FCIKJk3Hb"sHi9FCIKJk3Hb"k3Hr(7F$^9#U!$k,"sHi9FCIKJkH" pdosobjsig 3^sIrHQ7F=NU!$kN.jrFSs|9k^G"sHi9FCIN^^G9#^?"pdosobjsig 3^sIrHQ7F"Hi9FCI^?O"sHi9FCINj9Hr8.7?j"^? TCB NuVN]i*hS4:KX9kLN?9/Nj9Hr8.9k3HbG-^9#

PDOSD ���

^@b@7F$J$ PDOSD N=.0-, PDOSD Nm0&U!$k/var/pdos/log/pdosd.log rI}7^9# =31 O" /opt/pdos/etc/pdosd.conf =.U!$kKXj5lkLN0-rj9H7F$^9#

= 31. PDOSD m0N=.0-

9?s6 | 0- | b@

[pdosd] | log-entries | +0*Km0&U!$k,7,U!$kKm<k*<P<5lk0K" PDOSD m0&U!$kKq-~`3H,G-k`\NDt#M,<mNlg"m0&U!$kOm<k*<P<5l^;s#

| logs | GiNm0&U!$k,FSHQ5lk^GKq-~_rT&3HNG-km0&U!$kNt#M,<mNlg"m0&U!$kOFxQ5l^;s# log-entries K<m,_j5lklg"3NMO5k5l^9#

PDOSAUDITD

PDOSAUDITD F:G<bsO"PDOS F:ZWrI}7^9#F:G<bsOPDOS G<bs"+<MkH%!="*hS pdosobjsig 3^sI+iF:l3<Iru1hj"vDr?(J$H$&hjNlg"PDOS 3s]<MsHOCjN$YsHN/8~K"=TN0m<PkF:lYkKpE$F=N$YsHNF:l3<Ir8.7^9#vDr?(kH$&hjNlg"0m<PkYplYkH"j=<9F:*hSj=<9YplYkbM85l^9#0m<PkF:lYkr)f9k=.0-O"=32 GXj5l^9#3N0-O /opt/pdos/etc/osseal.conf U!$kNfK"j"F PDOS G<bsOO0~K3NU!$krI_hj^9# pdosctl 3^sIrHQ9kH"BT~K0m<PkF:lYkrQ99k3H,G-^9#PDOSAUDITD O"F:m0Kl3<Irq-~_^9#"/F#VF:m0/var/pdos/audit/audit.log O"P$Jj<A0G9#

= 32. PDOS 0m<PkF:lYkN=.0-

9?s6 0- b@

[audit] level G<bsNO0~K-zJ0m<PkF:lYk

PDOSAUDITD ���

PDOSAUDITD KhkF:m0NI}}!r)f9k=.U!$k0-, 2 D"j^9# 1 DO"PDOSAUDITD ,m0Nl3<IrCn9kQYr)f7^9#b& 1 DO"PDOSAUDITD ,m<k*<P<7F7,Nm0&U!$krHQ9k^GK"m0&U!$k,}gD=JGg5$: (P$H) r)f7^9#m0&U!$k,Gg5$:K#9kHF:G<bsOm0&U!$kr"<+$V7^9,"3NH-"/F#VN audit.log KO77$U!$k>,U1il"7,Naudit.log U!$kr+O7^9#"<+$V5l?m0&U!$kKOU!$k>K?$`&9?sWrUC7F"=l>lrhLG-kh&K7^9#"<+$V&m0&U!$k>NA0O" audit.log.YYYY-MM-DD-HH-MM-SS G9#"<+$V&m0&U!$kO /var/pdos/audit Kb]I5l^9#

PDOSD G<bsH1M PDOSAUDITD Kb"H+Nm0&U!$k/var/pdos/log/pdosauditd.log NI}}!r)f9k 2 DN=.*W7gs,"j^9#GiN*W7gsO"U!$kNPC/"CWrhCF77$m0r+O9k0K"m0&U!$kKq-~`3H,G-km0`\NDtr)f7^9# 2 V\N*W7gsO"PDOSAUDITD ,U!$kNFxQr+O9k^GK]}G-km0&U!$kNDtr)f7^9#GU)kHGO"m0&U!$kO+0*Km<k*<P<5l^;s# =33 O" audit.log U!$k*hS pdosauditd.log U!$krI}9k" PDOSAUDITD N=.U!$k0-rb@7F$^9#3N0-O"/opt/pdos/etc/pdosauditd.conf U!$kK"j^9#

= 33. PDOSAUDITD N=.0-

9?s6 | 0- | b@

[pdosauditd] | log-entries | +0*Km0&U!$k,7,U!$kKm<k*<P<5lk0K" PDOSAUDITD m0&U!$kKq-~`3H,G-k`\NDt#M,<mNlg"m0&U!$kOm<k*<P<5l^;s#

| logs | GiNm0&U!$k,FSHQ5lk^GKq-~_rT&3HNG-km0&U!$kNt#M,<mNlg"m0&U!$kOFxQ5l^;s# log-entries K<m,_j5lklg"3NMO5k5l^9#

| audit-logflush | PDOSAUDITD G<bs, audit.log U!$kNF:l3<INCnrT&$s?<Pk (C)#

| audit-logsize | PDOSAUDITD ,m<k*<P<7F7,Nm0&U!$krHQ9k^GK" audit.log U!$k,}gG-kGg5$: (P$H)#


F:NHQD==KD$FN\YO" 80Z<8NXF:rHQ7?]j7<N!:Yr2H7F/@5$#F:m0N=(KD$FN\YO" 99Z<8NXF:m0N=(Yr2H7F/@5$#

PDOSWDD 6����/� ���

PDOSWDD &)CAIC0&G<bsO">NG<bsNDQ-rbK?<7^9# 3 DNG<bs9YF,18}!G_$rbK?<9k3N!=O"&)CAIC0@1N!=G9#=l>lNG<bsKhj$sWjasH5lk+JbK?<!=O"&)CAIC0& 79F`G9#&)CAIC0&79F`O"^7seN PDOS 5<S9NbDQ-r]Z7^9#

PDOS ,[V5lkH"PDOS ,]n9k"79F`N3"HJk3s]<MsHr=[7^9# PDOS rNBKHQG-kh&K7F*/3HO"79F`N]4-r]i9k?aKbTDgG"j"^? PDOS G<bsN[o*;rz-/37+MJ$6b+i]n9kNKbr)A^9#

PDOSWDD ���

PDOSAUDITD Khkm0&U!$k /var/pdos/log/pdoswdd.log NI}}!r)f9k=.0-, 2 D"j^9# log-entries 0-O"U!$kNPC/"CWrhCF77$m0r+O9k0K"m0&U!$kKq-~`3HNG-km0`\NDtr)f7^9# logs 0-O"PDOSWDD ,U!$kNFxQr+O9k^GK]}G-km0&U!$kNDtr)f7^9#GU)kHGO"m0&U!$kO+0*Km<k*<P<5l^;s# =34 O" pdoswdd.file rI}9k PDOSWDD N=.U!$k0-rb@7F$^9#

= 34. PDOSWDD N=.0-

9?s6 | 0- | b@

[pdoswdd] | log-entries | +0*Km0&U!$k,7,U!$kKm<k*<P<5lk0K"&)CAIC0&G<bs&m0&U!$kKq-~`3H,G-k`\NDt#M,<mNlg"m0&U!$kOm<k*<P<5l^;s#

| logs | GiNm0&U!$k,FSHQ5lk^GKq-~_rT&3HNG-km0&U!$kNt#M,<mNlg"m0&U!$kOFxQ5l^;s# log-entries K<m,_j5lklg"3NMO5k5l^9#

PDOS G<bsN$:l+,[o*;7?lg"&)CAIC0,3lr!P7?e"[o*;r!P7?G<bsN(i<&m0fKm0&aC;<8r8.7^9#&)CAIC0Nm0&aC;<8O"PDOS G<bsNm0&U!$k(/var/pdos/log/pdosd.log" /var/pdos/log/pdosauditd.log"*hS /var/pdos/log/pdoswdd.log)N$:l+K=l^9#I}F:$YsHrhj~s@lg"[o*;r-?9kF:$YsHb8.5l^9#

PDOS ������� PDOS /���

PDOS O"o9N Policy Director f<6< / 0k<W"*hS UNIX f<6< /0k<WrHQ7^9# PDOS ,HQ9k Policy Director f<6< / 0k<W,Policy Director bKn.5lkNO" PDOS N=.NH-G9#^?"UNIX f<6< / 0k<W,F PDOS ^7sKn.5lkNO"$s9H<kNH-G9#3N;/7gsGO"=l>lNrdKD$Fb@7^9#


osseal-admin /���

osseal-admin 0k<WO"I}f<6<H+J5lkf<6<r1L7^9#J<Nk<kKhkH"I}f<6<N7ol}OlLf<6<H/7[Jj^9#

¶ I}f<6<NZ@qOG#9/&9Z<9+iCn5l^;s#sI}f<6<NZ@qO"=NZ@qN]}~V,~;7?eK"G#9/&9Z<9+iCn5l^9#

¶ I}f<6<NZ@qO (m0*s7?3H,J/Fb) 79F`K]}5l^9#3lO"J0Km0$s7?3H,J$79F`K" (Policy Director User Registry +iV%5l?H7Fb) I}T,"/;9G-kh&K9k?aKEWG9#sI}f<6<O^:^7sKm0$s7F+i"=N^7sN-cC7eKZ@qr~l^9#

¶ (i<roN< PDOSD ,T&GU)kHNhjO"I}f<6<KP9k"/;9U?G9#sI}f<6<Nlg"GU)kHNhjO"q]G9# 54Z<8NXPDOSD vDG<bsYKO"(i<roKD$FN\Y,-\5lF$^9#

osseal-admin 0k<WO"Policy Director @1K"j"3lKP~9k UNIX 0k<WO"j^;s#isK PDOS ,=.5lkH-" osseal-admin 0k<WNasP<7CWO" root *hS osseal NsDNf<6<+i.j^9#

osseal ����

osseal f<6<O"Policy Director H UNIX N>}KP=7^9# UNIX 79F`K*$F"PDOS O3Nf<6<rCLJ}!G7$^9#

osseal f<6<O"PDOS G<bs,BT~KNQ9k ID G9# PDOSD OBT~

K"-zJ root ID rHCF"=N TCB bK?<!=rBT7^9#3N ID N]j7<O"H|9k3HbG-^9# pdosexempt 3^sIKhj" osseal f<6<N PDOS ]j7<rH|G-^9# pdosrevoke 3^sIO=NH|rhjC7^9#

m: 3N!=O"PDOSD ,m0n9kJIN[^vVGN_HQ7F/@5$#osseal "+&sH"*hS=N"/;9vDJIN pdosexempt 3^sIN>}r"/OK]n9k,W,"j^9#3lO"!N}!KhCFN_T(^9#

¶ jb<HKJ$<v

¶ Q9o<I&Y<9N1cJ'Zhjb/OJ'Z!=

¶ )BYNb$ pdosexempt N ACL

osseal-admin 0k<WNasP<@1," pdosexempt 3^sIrBTG-^9#

Root ����

PDOS NisN=.G" root H$& Policy Director f<6<,n.5l^9#3Nf<6<O root UNIX f<6<HlW7" root ,s'Zf<6<H7F7olJ$h&K7^9# root f<6<OGi"osseal-admin 0k<WNasP<K~lil^9# root NZ@q,oK9YFN PDOS ^7sGHQG-kh&K9k?aK"root f<6<r osseal-admin 0k<W+i|n7J$G/@5$#

root f<6<O"18 Policy Director User Registry r&Q9k" PDOS ^7s4N

N UNIX root f<6<r=7^9#


osseal /���

3lO UNIX 0k<WG" Policy Director KO3lKjv9kbNO"j^;s#3N0k<WO"o9N setgid PDOS 3^sIrH&3HKhCF" UNIX ;-ejF#<,]n9k /var/pdos G#l/Hj<bNj=<9XN"/;9rvD9k?a@1KHQ5l^9#3N0k<WO" osseal UNIX f<6<NfGbgWJ0k<WG9#3N0k<WK>N UNIX f<6<rIC9k,WO"j^;s#

osseal-auditors /���

osseal-auditors 0k<WO"Policy Director @1NbNG9# UNIX G3lKjv9kbNO"j^;s#3lO PDOS F:ZWXN"/;9r)f7^9#>Nf<6<^?O0k<WN=.KpE$F"H+N]j7<rN)9k3H,G-^9#3N0k<WO"rK)DGU)kHN=.H7F!=7^9#3N0k<WXN2HO osseal-audit ACL @1K"j"3lO"/OSSEAL/policy-branch/File/var/pdos/audit KUC5l^9#

osseal-unauth ����

osseal-unauth f<6<O"Policy Director @1NbNG9# UNIX G3lKjv9kbNO"j^;s#3Nf<6<O"'Zf<6<HOLK" (Policy Director Nk@+i+?) s'Zf<6<N~om0$s)Br)f7^9#3lO"ACL `\Ns'Z`\NrdH`w7F$^9#

pdosd-hostname ����

Policy Director Management Server O"]j7<&G<?Y<9N#=r9YFNf<6<KvD9ko1GO"j^;s# Policy Director f<6<O" PDOSD G<bs (3lO"Policy Director Management Server KhCFI}5lk;-e"&Ia$sGBT9k) N"F$s9?s9 (^7s) 4HK"=.fKn.5l^9#3Nf<6<O"F PDOS ^7s4HKn.5lk?a"=N>0KO04$~ DNS [9H>,^^l^9#?H(P"pdosd-hostname Nh&KJj^9# DNS>,HQG-J$lgO"[9HN>0,HQ5l^9# PDOSD O3Nf<6<GPolicy Director Management Server K'ZrT$"]j7<N97ru1hj^9#3Nf<6<H=N0k<W&asP<7CWrQ99k3HOG-^;s#

PDOS �)�� .'����

PDOS O"4WiCHU)<`N&LNljK$s9H<k5l^9#3N3H,E

WJNO"PDOS No9N3s]<MsHO"79F`N;-ejF#<HN)\JX8,"j"=liN3s]<MsHXN"/;9O PDOS ]j7<rHQ7F)f5lk?aG9#&Lj=<9Nlj,9YFN^7sGlS7F$lP" PDOS]j7<NkLOhj1c=5l^9#

3N;/7gsO"G#l/Hj<bNo9N PDOS U!$k,}D" PDOS r`

n9keGNrdrWs7F$^9#

/opt/pdos/bin
PDOS f<6<&lYkNis?$`r=.9kP$Jj<NBTD=$a<89YF,"j^9#

/opt/pdos/etc
=.U!$krHQ9kM9J PDOS 3s]<MsHN=.U!$k,"j^9#J<O=Ne=cG9#

osseal.conf
9YFN PDOS 3s]<MsHK&L9k=.r^`FQ=.U!$k#


pdosd.conf
PDOSD N=.U!$k#

pdoswdd.conf
PDOSWDD N=.U!$k#

pdosauditd.conf
PDOSAUDITD N=.U!$k#

pdossudo.conf
PDOSSUDO N=.U!$k#

3NG#l/Hj<KO"=N>NI}psb^^lF$^9#?H(P"=.N]KN)5l?i| PDOS ]j7<Nb@" pdosbkup *hSpdosrstr 3^sIKhCFPC/"CW,hil"^?|55lkU!$kHG#l/Hj<"*hSM9J PDOS =.0-Np\*Jb@,"kFsWl<H=.U!$kNpsJIG9#

/opt/pdos/kernel
PDOS +<Mk!=KX87?P$Jj<*hSU!$k,"j^9#

/opt/pdos/lib
M9J PDOS 3^sIKhCF&Q5lkBTD=3<Ir^a?&Qi$Vij<,"j^9#

/var/pdos/audit
PDOS F:ZWU!$k /var/pdos/audit/audit.log ,"j^9#

/var/pdos/azn
Policy Director ]j7<&G<?Y<9Nm<+k&lWj+(authzn_replica.db) ,"j^9#

/var/pdos/certs
Policy Director Management Server *hS LDAP f<6<&l89Hj<&5<P<N>}rj_'Z9kH-K" PDOSD ,HQ9kZ@qr^`U!$k,"j^9#

/var/pdos/cred
-cC7eK~l? Policy Director Z@q,"j^9#

/var/pdos/hla
IP address to hostname ^CTs0r-cC7eK~lk?aKHQ9k[9H!wG<?Y<9,"j^9 (3N!=,HQD=Jlg)#

/var/pdos/log
G<bs4HNm0&U!$k"*hS configuration 3^sI"unconfiguration 3^sI" backup 3^sI"restore 3^sINm0&U!$k,"j^9#

/var/pdos/lpm
m0$s&"+&sH&"/F#SF#<*hSQ9o<I&]j7<r/=9k?aK,WJm<+k&^7sNps,"j^9#

/var/pdos/pdosauditd
3NG#l/Hj<O" PDOSAUDITD BT~N=TnHG#l/Hj<H7FHQ5l^9#m0nKhCF3"&U!$k,8.5lklg"3"&U!$k,[V5lkG#l/Hj<,"3NG#l/Hj<KJj^9#


/var/pdos/pdosbkup
3NG#l/Hj<O" pdosbkup *hS pdosrstr 3^sIBT~N=TnHG#l/Hj<H7FHQ5l^9#m0nKhCF3"&U!$k,8.5lklg"3"&U!$k,[V5lkG#l/Hj<,"3NG#l/Hj<KJj^9#

/var/pdos/pdoscfg
3NG#l/Hj<O" pdoscfg *hS pdosucfg 3^sIBT~N=TnHG#l/Hj<H7FHQ5l^9#m0nKhCF3"&U!$k,8.5lklg"3"&U!$k,[V5lkG#l/Hj<,"3NG#l/Hj<KJj^9#

/var/pdos/pdosd
3NG#l/Hj<O" PDOSD BT~N=TnHG#l/Hj<H7FHQ5l^9#m0nKhCF3"&U!$k,8.5lklg"3"&U!$k,[V5lkG#l/Hj<,"3NG#l/Hj<KJj^9#

/var/pdos/pdoswdd
3NG#l/Hj<O" PDOSWDD BT~N=TnHG#l/Hj<H7FHQ5l^9#m0nKhCF3"&U!$k,8.5lklg"3"&U!$k,[V5lkG#l/Hj<,"3NG#l/Hj<KJj^9#

/var/pdos/tcb
TCB r=.9kU!$kKQ9,C(il?]K"=NQ9r!P9k?aKHQ9kps,^^lF$^9#

/var/pdos/uid
f<6<>*hS0k<W>KP9k UID *hS GID N-cC7e,"j^9 (3N!=,HQD=Jlg)#-cC7eK~lil?3NpsNI}OTWG9#

/var/pdos/umsg
Wm;9VL.*hS PDOS is?$`N3s]<MsHVN1|GHQ5lkU!$k,"j^9#

/var/pdos/uuid
Policy Director 0k<W>*hS UUID KX9kpsr-cC7eK~l^9#-cC7eK~lil?3NpsNI}OTWG9#

/var/pdos/watch
&)CAIC0&79F`,G<bsN[o*;N!PGHQ9kU!$k,"j^9#

PDOS ������

J<N]j7<N3s]<MsHO"PDOS Nis=.~KN)5l^9#

once-only
3N]j7<O"9YFN]j7<&VisAG&Q5l^9#3lO"PDOS `nr==9k?aKHQ9k"/7gs" PDOS j=<9r]n9k?aKHQ9k ACL"hK(l?f<6<*hS0k<W"*hS9YFN PDOS ]n*V8'/H,8_9k /OSSEAL N*V8'/H&9Z<9G=.5l^9#

per-policy
3N]j7<O"HQ9kF]j7<&VisA4HKN)5l^9#3lO"TCB NbFrb@7"=O,c<7J$h&K+Jr]n9k\*GPDOS ,HQ9k ACL *hS PDOS rUC7^9#

33+iO"PDOS ]j7<rn.9kH-KN)5lk ACL H"=l,]n9kj=<9KD$Fb@7^9#3N ACL rQ99klgOmU,,WG9#79F`eK"k>Nj=<9KvD]j7<rIC7J/Fb" PDOS NGU)kH&]j7<@1G=, PDOS r]nG-^9#?@7"TCB Ni|asP<H7FjA5l?79F`&Wm0i`Oc0G9# TCB Ni|asP<KD$FN\YO" 27Z<8NXHi9FCI&3sTe<F#s0&Y<9&j=<9Yr2H7F/@5$#

osseal-audit3N ACL O"PDOS Z@q-cC7er=.9kG#l/Hj< (/var/pdos/cred *hS /var/pdos/uuid) XN"/;9r)f7^9#3N]j7<O"9YFNf<6<," pdosrefresh *hS pdosdestroy rH&3HKhCFN_"Z@qrG7=(*hSK~G-kh&K7^9#"/;9&3sHm<kKhCFZ@q-cC7e&G#l/Hj<XN"/;9,?(ilJ$lgK" PDOS O"f<6<,NBKH+NZ@q@1rG7=(*hSK~G-kh&K7^9#3N ACL O"f<6<NZ@qrG7=(^?OK~9k=Or" osseal-admin 0k<WNasP<@1K)B7^9#

osseal-credentials3N ACL O"PDOS F:ZW,8_9k /var/pdos/audit G#l/Hj<XN"/;9r)f7^9# ACL O osseal-auditors 0k<WNasP<@1K"G#l/Hj<^?O (Q5Khk) =NbFXN"/;9rvD7^9#U!$kr>0Q9"q-~_"n."^?Oo|9klgO" osseal-auditors NasP<NfGb5iK)B,C(il^9# pdosaudview rHQ7J1lPJj^;s#

osseal-default3lO"04vD ACL G9#3lO"PDOS NM<`&9Z<9Nk<H/OSSEAL G,Q5l^9#3l,"k3HKhCF"vDhjro6o6 PolicyDirectory *V8'/H&M<`&9Z<9Nk<HKA(:K9_^9#

osseal-default-file3lO04vD ACL G"j"Dj<N3N]$sHhjeKV+l? ACL rQ57J$3HG" PDOS U!$k&j=<9, Policy Director NQ5"k4j:`rc?7F$k3Hr$U+;krd,"j^9#

osseal-default-login3N ACL O"GU)kHN Login j=<9&]j7<rjA7^9#3lO4f<6<Km0$srvD7^9#

osseal-default-net-incoming3N ACL O"GU)kHN NetIncoming j=<9&]j7<rjA7^9#[9H+ie.\3rvD7"INf<6<b9YFN5<S9ru1~lilkh&K7^9#

osseal-default-net-outgoing3N ACL O"GU)kHN NetOutgoing j=<9&]j7<rjA7^9#[9HXN/.\3NN)r9YFNf<6<KvD7"INjb<H&5<S9Kb"/;9G-kh&K7^9#

osseal-default-sudo3N ACL O"GU)kHN Sudo j=<9&]j7<rjA7^9#3lO"9YFNf<6<K Sudo 3^sINBTrvD7^9#

osseal-default-surrogate3N ACL O"GU)kHN Surrogate j=<9&]j7<rjA7^9#3lO4f<6<K""ifkf<6<^?O0k<WNeTrvD7^9#

osseal-hla3N ACL O"PDOS KhCF /var/pdos/hla K]}5lk[9H>-cC7eXN"IP "Il9Khk"/;9r)f7^9#3lO"osseal-admin 0k<WNasP<K" pdoshla 3^sIrHQ7?-cC7eNI}rvD7^9#

osseal-logs3N ACL O"PDOS G<bs*hS3^sIKhCF /var/pdos/log G#l/Hj<K8.5lkm0&U!$kXN"/;9r)f7^9#3lO"=NG#l/Hj<XN"/;9r osseal-admin 0k<WNasP<@1K)B7^9#5iK"Change Ownership (o)"Change Permission (p)"*hS Update Timestamp (U) "/7gsrX_7"3N"/7gsO"osseal-admin 0k<WNasP<bBTG-^;s#

osseal-open3N ACL O"/opt/pdos G#l/Hj<bK"k9YFNbNH"/opt/pdos/etc/pdossudo.conf U!$kXN"/;9r)f7^9#3NG#l/Hj<NfK"kCjNj=<9O"LN ACL KhCF]n5lF$^9#3lO"G#l/Hj<XNJS2<H"U!$kNI_hj"*hSWm0i`NBTrvD7^9#?@7"=liNQ9OvD5lF$^;s# osseal-admin 0k<WNasP<KO"3N ACL KhCF]n5lkj=<9XN04"/;9,?(il^9#

osseal-privileged-user3N ACL O"osseal UNIX f<6<reT9k!=r)f7^9#"/;9Oosseal-admin 0k<WNasP<@1K)B5l^9," pdossudo 3^sIrH&H"INf<6<b osseal reT9k3H,G-^9#f<6<, Sudo 3^sINBTrn_kH-K5NJvDhjrT&KO" pdossudo O osseal f<6<KP7FeT!=rBT9k,W,"k?a"3lOJ/FOJiJ$3^sIG9# osseal f<6<reT9k pdossudo N!=rHQTDK9kH" Sudo 3^sIN!=bHQT=KJj^9#

osseal-restricted3N ACL O"/opt/pdos G#l/Hj<K"khj!)-Nb$psr]n7^9#osseal-admin 0k<WNasP<K04"/;9rU?7"sasP<KO4"/;9rq]7^9#3lO"/opt/pdos/etc *hS /opt/pdos/kernel KIC5l^9#

m: /opt/pdos/etc K"k pdossudo.conf U!$kO osseal-open ACL r>\C(^9#=NGU)kHN)BYO3lhjbc$G9#

osseal-restricted-read3lO"soK)BYNb$ ACL G9#3N]j7<O"osseal-admin 0k<WNasP<@1K" Change Directory (D)"Read (r)"List Directory (l)"*hSExecute (x) vDrU?7F"sasP<Khk9YFN"/;9rq]7^9#/var/pdos bN PDOS is?$`uV (I}"/7gsr,WH7J$) r]i9kG#l/Hj<r]n7^9#^?"3N]j7<O" pdosexempt *hSpdosrevoke 3^sIN"/;9b)f7^9#

osseal-runtime3N ACL O"PDOS G<bsr+O*hSd_9k!=r)f7^9#osseal-admin 0k<WNasP<K" Read (r)"Execute (x)"*hS Kill (K) vDrU?7F"sasP<Khk9YFN"/;9rq]7^9#3N]j7<O"/opt/pdos/bin/pdosauditd"/opt/pdos/bin/pdosd"*hS /opt/pdos/bin/pdoswdd NFG<bsK,Q5l^9#

osseal-tcb3N ACL O"PDOS KhCF /var/pdos/tcb K]}5lk Trusted Computing Base*V8'/H&70KAc<&G<?Y<9XN"/;9r)f7^9#3N ACLO"osseal-admin 0k<WNasP<@1K"=NG#l/Hj<XN"/;9r)B7^9#3NasP<O"pdosobjsig 3^sIrHQ9k3HKhj"3NG#l/Hj<K"kj=<9KN_"/;9G-^9#

osseal-umsg3N ACL O"M9J PDOS 3s]<MsHVGNL.KX89k /var/pdos/umsgG#l/Hj<XN"/;9r)B7^9#=NG#l/Hj<XN"/;9rWa9k PDOS 3^sINHQKhCFN_""/;9,D=G9#

����

Lo`nNV"PDOS OMCHo</r.j7F" Policy Director ManagementServer"Policy Director User Registry (LDAP)"^?"klgKO"NIS JINm<+kKJ$ UNIX User Registry d" DNS 5<P<JINm<+kKJ$[9H>G<?Y<9HNL.rT$^9#=liN5<P<"l89Hj<"^?OMCHo</=NbN+iV%5l?D-KV+lFb" PDOS O!=731k3H,G-^9#V%O"L.,T=KJk3HrU#7^9#3NL.T=,/-k}3O"M9G9#

¶ MCHo</+N,@&s7F PDOS ,9YFNbN+iV%5l?

¶ Policy Director Management Server ,@&s7?

¶ Policy Director User Registry (LDAP) ,@&s7?

¶ NIS 5<P<,@&s7?

¶ DNS 5<P<,@&s7?

J<N;/7gsGO"FoV%H"=l, PDOS K?(kFAKD$Fb@7^9#

Policy Director Management Server �����Policy Director Management Server +iV%5lkH" PDOS O]j7<&G<?Y<9KP9k97ru.T=K7^9# PDOS H Policy Director Management ServerNVNL.,FSN)5lk^G"^9?<&]j7<&G<?Y<9eN]j7<KP7FC(ilk97O PDOS KA(il^;s# PDOSD H Policy DirectorManagement Server HNPCKD$FN\YO" 56Z<8NXvDhjWm;9Yr2H7F/@5$# PDOSD NLo`nNV"]j7<hjO9YF"]j7<&G<?Y<9Nm<+k&lWj+H TCB HNH_go;KhCFTol^9#PDOSD , Policy Director Management Server +iV%5lF$kV"]j7<&G<?Y<9Nm<+k&lWj+rHQ9k3HKhCF"9YFN]j7<hj,Q35l^9# PDOSD , Policy Director Management Server HNL.rFSN)9kH"]1KJCF$?]j7<&G<?Y<9KP9k97O9YF"Xj5l?jJ ("/F#VLN^?O]<js0) KhCFu.5l^9#

Policy Director User Registry �����PDOS , Policy Director User Registry (LDAP) +iV%5lkH" PDOSD G<bsO"7,N Policy Director Z@qr~jT=KJj^9#3lO"f<6<,79F`Km0$s9kH-N77$Z@qr PDOSD ,~jG-J$3H"^?PDOSD ,-cC7eNZ@qrG7=(G-J$3HrU#7^9#Lo`nGNPDOSD KhkZ@qNI}}!KD$FN\YO" 54Z<8NXZ@qNh@Yr2H7F/@5$#

LDAP f<6<&l89Hj<+iV%5l?3Hr6N7?i" PDOSD O-cC7eK"kINZ@qb|n7J/Jj^9#=NZ@qrG7=(9k|B,a.F$?j"]}$s?<Pk,a.F7^C?H7Fb|nrT$^;s#3lKhj"=_79F`Km0$s7F$k9YFNf<6<O"=N-cC7eNZ@qrHQ7F"LoI*j!=731k3H,D=G9#

-cC7eKZ@qr}DINf<6<b" PDOSD , LDAP f<6<&l89Hj<+iV%5lF$kV"79F`Km0$s9k3H,G-^9#=Nf<6<O"-cC7eK"kZ@qrHQ7^9#-cC7eKZ@qr}?J$f<6<," LDAP f<6<&l89Hj<+i PDOSD ,V%5lF$kH-Km0$s9kH"=Nf<6<O"s'Zf<6<H7FBT7^9#

I}f<6<OoK-cC7eKZ@q,"j^9#I}f<6<,"LDAP f<6<&l89Hj<+i PDOSD ,V%5lF$kH-Km0$s9kH"=NI}TOoK-cC7eNZ@qrHQG-^9#

LDAP f<6<&l89Hj<HNL.,FSD=KJkH" PDOSD O LDAP f<6<&l89Hj<+iV%5lF$?H-KTolkY-O:NG7=(r"9YFNZ@qKP7FT$^9#

f<6<4HN Policy Director N Time of Day Login Restrictions b" LDAP f<6<&l89Hj<K]I5l^9# Time of Day Login Restrictions O"f<6<,m0$s7?H-K PDOSD KhCF!w5l"Z@qH&K-cC7eK~lil^9# LDAP f<6<&l89Hj<+iV%5lkH" PDOSD O-cC7eK~lil? Time of Day Login Restrictions rHQ7^9#

&�"��� UNIX User Registry �����NIS JINm<+kKJ$ UNIX User Registry rHQ9k79F`O"=Nf<6<&l89Hj<+iV%5lklg,"j^9#3Nh&Jlg"f<6<O79F`Km0$sG-J$+b7l^;s#m0$s9kf<6<O"7,N PolicyDirector Z@qr!w9k+""k$O-cC7eK"k{8N Policy Director Z@qrHQG-J1lPJj^;s#

f<6<G-NtM UNIX ID O"f<6<N UNIX >KQ95l^9,"=N]"m<+kKJ$ UNIX f<6<N NIS ^?O NIS+ l89Hj<KL.9k"UNIX *Zl<F#s0&79F`N8`!=,HQ5l^9# 3Z<8NXUNIX1L"*hS PDOS f<6<1LHNX8YGO" Policy Director Z@qr~j9k}!,b@5lF$^9#

PDOS 79F`,=Nf<6<&l89Hj<+iV%5lkH"3NQ9O:T7^9# PDOS O"PDOS N=.~KHQD=KJk UNIX uid/gid tousername/groupname Cache rH_~_^9# UNIX uid/gid to username/groupnameCache ,HQD=KJj" PDOSD ,=N UNIX User Registry +iV%5lkH"PDOSD O3N-cC7erHQ7F UNIX ID r UNIX >K^CW7^9# UNIX>,'15l?e" PDOSD O Policy Director User Registry (LDAP) ^?OZ@q-cC7e+iZ@qr!wG-^9#

3N-cC7eOPC/"CWH7FN_HQ5l"^?f<6<,m0$s9k+"k$Oe}`nrBT9klgKN_HQ5l^9#

GU)kHGO"UNIX uid/gid to UNIX username/groupname Cache OHQD=KJCF$^;s#jb<H UNIX l89Hj<&5<S9O"=Npsr-cC7eK~lkH+N!=r}Dlg,"k+iG9#HQ7F$kjb<H UNIX l89Hj<&5<S9,=Nh&J-cC7e!=r}?J$lg"J<r~O7FPDOS uid/gid rHQD=K9k3H,G-^9#

pdoscfg -uid on

PDOS N=.KD$FN\YO" Policy Director for Operating Systems InstallationGuide r2H7F/@5$#

Host Name Resolution Server �����PDOS O"DNS ^?O NIS JIN Host Name Resolution Server +iV%5lklg,"j^9#3Nh&Jlg"PDOS O" Policy Director ManagementServer"Policy Director User Registry"^?"klgKOm<+kKJ$ UNIX UserRegistry +iV%5lF$kD=-,"j^9#0N;/7gsG"=l>lNlgN PDOS N6kq$,b@5lF$^9#

Host Name Resolution Server +iV%5lkH" PDOS KLNdj,88klg,"j^9# PDOS Network ]j7<O"IP "Il9+^?O DNS [9H>N$:l+rHQ7FXjG-^9#[9H>KhCF1L5lkMCHo</&j=<9N]j7<hjrT&lgKO" PDOSD O IP "Il9r DNS [9H>KQ9G-J1lPJj^;s# PDOS O"IP Address to Hostname Cache rH_~sG"PDOSD ,jb<H Host Name Resolution Server +iV%5l?lgGb3NQ9,Q37FT(kh&K7^9#

GU)kHG"IP Address to DNS Hostname Cache OHQD=G9# IP Address toDNS Hostname Cache rI}9kKO" pdoshla 3^sIrHQ7^9#3N3^sIrHQ9kH"v0K`\r-cC7eKhj~`3H,G-^9#*Zl<F#s0&79F`,m<+kN IP Address to DNS Hostname Cache rs!9klg"3N!=rHQTDK9k3HbG-^9#3N!=rHQTDK9kKO"

pdoscfg -dns off

H~O9k+"^?O /opt/pdos/etc/osseal.conf =.U!$kK"k [cache] 9?s6N dns 0-r off K_j7^9# PDOS N=.KD$FN\YO" PolicyDirector for Operating Systems Installation Guide r2H7F/@5$#

jb<H&[9H>rh5<S9rHq9k0K^:" PDOS N IP Address toHostname Cache ,2H5l^9#3l,Tolk3HKhj"z(*JMCHo</&"/;9vDNBT,]Z5l^9# IP Address to Hostname Cache ,GiKHq5lk?a":z7?ps,HQ5lkD=-,"j^9# PDOS O IPaddress to host name ^CTs0r 6 ~VNV-cC7eK~lF*-"=Ne"!s!w,Tol?H-K-cC7eN`\,G7=(5l^9#[9HN IP "Il9NQ9r(~K?G7J1lPJiJ$lg" pdoshla 3^sIrHQ9kH"(~K-cC7e+i:z7?psr|nG-^9#

PDOS ������

3NOGO"PDOS rI}9k?aK,WJI}Q?9/rrb7^9#!N?9/KD$Frb7^9#

¶ G-Nf<6<>9Z<9H Policy Director User Registry HNVK,ZJ^CTs0,8_9kh&K"lS-N"kf<6<>9Z<9rN)9k

¶ PDOS Wm;9"Trusted Computing Base"Z@q-cC7e"*hS[9H>!wG<?Y<9NI}H$C?"PDOS NJTfNI}rTJ&

¶ 79F`eNvD]j7<NzLrbK?<7" PDOS =.U!$kHG<?Y<9&U!$kNPC/"CW*hS|5rTJ&

3NOO"PDOS NI}KX87?I}Q?9/r5b7^9#F PDOS 3^sIKD$FN\YO" 101Z<8NXPDOS 3^sIY r2H7F/@5$#

������

PDOS NI}O"!N?9/+i.CF$^9#

¶ XlS-N"kf<6<>9Z<9NN)Y

¶ 76Z<8NXPDOS =.N40Y

¶ 77Z<8NXPDOS Wm;9NI}Y

¶ 79Z<8NX]j7<N!:Y

¶ 83Z<8NXTrusted Computing Base NI}Y

¶ 84Z<8NXZ@qNI}Y

¶ 85Z<8NX"/;5< ID N=LY

¶ 87Z<8NX[9H>!wG<?Y<9Y

¶ 88Z<8NXPDOS =.U!$kHG<?Y<9NPC/"CW*hS|5Y

������������������PDOS D-r;CH"CW9kH-KO"79F`NG-f<6<&l89Hj<HPolicy Director User Registry HNVNX8r}r9k,W,"j^9# PDOS Nlg" Policy Director User Registry O LDAP rpK7?f<6<&l89Hj<GJ1lPJj^;s#

vDhjrTJ&NK,WJZ@qrM@9kH-KO" PDOS OG-f<6< IDr Policy Director f<6<K^CW7^9#3NtM ID rHQ7F"f<6<NG-f<6<>,"79F`NG- User Registry +ih@5l^9#G-f<6<>O>\"18>0N Policy Director f<6<K^CW5l^9# Policy Directorf<6<O"1 !f<6<psH0k<W&asP<7CWrjA7^9#3NlWO PDOS vDhjGHQ5l^9#

m: G-f<6<jAN0k<W&asP<7CWO" PDOS hjGOHQ5l^;s#

f<6<NG-f<6<>KP~9k Policy Director f<6<,J$lgKO"vDhjrTJ&]"=Nf<6<,s'ZH7F7ol^9#3NX8N?a"18Policy Director User Registry r&Q9k9YFN79F`O"D-bN=l>lNf<6<4HK"lS-N"kLDNG-Jf<6<>rHQ7^9# 3Z<8NXUNIX 1L"*hS PDOS f<6<1LHNX8YO"3NX8Ncr(7F$^9# pdosrgyimp 3^sIO" Policy Director User Registry N\"?9/rgu7^9#3N?9/KO"mU<$Wh,,WH5l^9#

�������/������0k<WrjA9kE}rM(F_^7g&#0k<Wr8gV!="Wm8'/H"^?OrdKhCF^HalP"D9Nf<6<&(sHj<GOJ/"0k<W&(sHj<rHQ7F ACL r_j9kNKr)A^9#3Nh&K9lP"]j7<NjA*hSI},J1G9#^?"PDOS Khk]j7<rz(*K>A9kNKbr)A^9#

^:GiK"IN UNIX f<6<*hS0k<Wr Policy Director User Registry KH_~`+r1L7^9#3N9FCWO"CjND-KP7FTJ&]j7<hjKhCF[Jj^9#?H(P"t/J$CjNf<6<Z@qH>Ng>Nf<6<Ns'ZZ@qKpE$F""/;9r)B^?OvD5lk"/;9&3sHm<kKhCF*V8'/H,]n5lk"H$&h&K"]j7<r;CH"CW9k3H,G-^9#3NlgKO"X89kCjNf<6<@1, Policy Director(sHj<r}D,W,"j^9#>N9YFNf<6<O"s'ZZ@qKhCFBT9k3H,G-^9#

^?O"CjNf<6<*hS0k<WXN"/;9r)B9k"5iK*r*J]j7<r;CH"CW9k3H,G-^9#3NlgKO"4wGJ/Fb"[HsINf<6<, Policy Director (sHj<r}D,W,"j^9#

0k<WrjA9kE}rM(F_^7g&#0k<Wr8gV!="Wm8'/H"^?OrdKhCF^HalP"D9Nf<6<&(sHj<GOJ/"0k<W&(sHj<rHQ7F ACL rjA9kNKr)D3H,"j^9#3Nh&K9lP"]j7<NjA*hSI},J1KJk3H,"j^9#^?"PDOS Khk]j7<rz(*K>A9kNKbr)D3H,"j^9#

������������!N9FCWrTJCF"l89Hj<r;CH"CW7^9#

1. Policy Director Ia$sKj09k9YFN^7sr2H7^9#

2. #tN^7sK^?,C?"E#7?f<6<^?O0k<W&(sHj<r1L7^9#

3. E#7?(sHj<rrh7^9#E#O"18M^?O0k<Wr=7F$k3H,"j^9#

?H(P"^7s A eNf<6< maggie , Maggie Smith H$&Mr=7"^7s B eN maggie b Maggie Smith H$&Mr=93H,"j^9#f<6< maggie O18Mr=9NG" 1 DN Policy Director (sHj<,>}N maggie r+P<9k3H,G-^9#LN1<9H7F"E#>,"LNf<6<^?O0k<Wr=9lgb"j^9#?H(P"^7s A eNf<6< riley , Riley SmithH$&Mr=7"^7s B eN riley , Riley Jones H$&Mr=9lgG9#f<6< riley OL9N 2 MNMr=7F$kNG" 2 DN Policy Director (sHj<,,WG9# 3Z<8NXUNIX 1L"*hS PDOS f<6<1LHNX8YO"E#>N5iKLNcr(7F$^9#3NE#>rrh9kKO"f<6<N&AIAi+N UNIX >rQ97J1lPJj^;s#

pdosrgyimp ���$s]<H9k UNIX f<6<*hS0k<Wr1L7?JiP"$s]<H9kUNIX l89Hj<&f<6<*hS0k<WN"k=l>lN^7seG"pdosrgyimp 3^sIrHQ7^9# pdosrgyimp 3^sINb@O" 128Z<8NXpdosrgyimpY r2H7F/@5$# pdosrgyimp 3^sIO" UNIX l89Hj<K"k9YFN UNIX f<6<*hS0k<WKP7F"f<6<&(sHj<rn.7^9#^?"7,Kn.5l?0k<W,"lP" UNIX 0k<WNasP<KP~9kf<6<&(sHj<r\"7^9#=8O!NH*jG9#

pdosrgyimp -S o=tivoli -l sec_master

[HsI9YFN UNIX f<6<^?O0k<W,$s]<H5lklg"|09kf<6<*hS0k<WNj9Hr(7?|0U!$krn.9k3H,G-^9#3Nlg"|0U!$kKj9H5l?bNJ0N" UNIX l89Hj<bN9YFN UNIX f<6<*hS0k<W,$s]<H5l^9#=8O!NH*jG9#

pdosrgyimp -S o=tivoli -l sec_master -E excludefilename

t/J$ UNIX f<6<^?O0k<W@1,$s]<H5lklgKO"H_~`f<6<*hS0k<WNj9Hr(7?H_~_U!$krn.9k3H,G-^9#3NlgKO"H_~_U!$kKj9H5l? UNIX f<6<*hS0k<W@1,$s]<H5l^9#=8O!NH*jG9#

pdosrgyimp -S o=tivoli -l sec_master -I includefilename

-u ^?O -g *W7gsrHQ7F" UNIX f<6<*hS0k<WrD9K$s]<H7^9#0k<Wr"f<6<HOLDK$s]<H9kH-KO"mU7F/@5$#0k<W,\"5lkH"s|0f<6<9YFr0k<WKIC9knT,TJol^9#3NlgKO"H_~_U!$kH|0U!$kN>}rXj9k3H,G-^9#H_~_U!$kK0k<Wrj9H7"0k<WK^aJ$f<6<r"|0U!$kKj9H7^9#=8O!NH*jG9#

pdosrgyimp -S o=tivoli -l sec_master -I includefilename -E excludefilename

pdosrgyimp 3^sIO"2 DNU!$krn.7^9#U!$kpdosrgyimp.import KO".y7? pdadmin 3^sINj9H,^^lF$^9#U!$k pdosrgyimp.conflict KO":T7? pdadmin 3^sINj9H,^^lF$^9#

:TN6xO[HsI"9GK(sHj<,8_7F$??a+"^?O PolicyDirector 5<P<,@&s7F$??aG9# pdosrgyimp.conflict U!$krHQ9lP"%grrh9kNKr)A^9# pdosrgyimp 3^sIrb&lYBT9keojK" pdosrgyimp.conflict U!$kNF-9HrQ97^9#=l+i"=lr>\ pdadmin 3^sIKQ$Ts07^9#

pdadmin -a sec_master -p password < pdosrgyimp.conflict

-n *W7gsO" pdosrgyimp , pdadmin 3^sINj9Hr"B]K=lirBT;:K8.9k3HrXj7^9#3N*W7gsrHQ7F"IN"/7gs,88k+r"$s]<HrBT9k0KF9H7^9# -n *W7gsO"e-NIN pdosrgyimp cGbHQ9k3H,G-^9# pdadmin 3^sINj9HO" pdosrgyimp.import U!$kK]I5l^9#

PDOS �����i|=.rTJC?e"CjN PDOS =.Qia<?<rF=.9klgO"=.3^sI pdoscfg rHQ7^9# pdoscfg rHQ7FTJC?Q9O"!sPDOS rd_7FFO07?H-K"-zKJj^9#+0O0"0m<PkYp"[9H>!wNHQ"*hS^CTs0r?>9k ID rHQD=^?OHQTDK9k3H,G-^9#Z@q-cC7eNI}r407" Trusted Computing BaserbK?<9k3H,G-^9#^?"PDOS G<bs,m0&U!$krh}9k}!rQ99k3HbG-^9#0m<PkF:lYkr_j9k3H,G-^9#,WG"lP"LDAP 5<P<N Certification Authority rG7=(9k3H,G-^9#

^?"pdoscfg 3^sIrHQ7F"=.U!$k+iQia<?<ro|7"!NFO0~KG<bs,GU)kHMrHQ9kh&K9k3HbG-^9#]j7<&VisA>H\xtO"Q99k3H,G-^;s#3liNQia<?<rQ99kKO"^:GiK pdosucfg 3^sIrHQ7F PDOS N=.rhjC7?e" PDOS r=.7>7^9# 106Z<8NXpdoscfgY O"9YFN pdoscfg *W7gsrj9H7F$^9#

PDOS =.ps,"=l>lNG<bsKD- 1 D:D"=.U!$k&;CHK]}5l^9#U!$k>O daemon_name.conf G9#&L=.G<?r^`b& 1DNU!$kO"osseal.conf H$&>0G9#=.U!$kKO"0- = MNHN;CHr^`9?s6,"j^9# =35 *hS!N=O"INU!$kKIN9?s6,^^l"9?s60-,INh&K pdoscfg 3^sIT*W7gsK^CW9k+r(7F$^9#

= 35. osseal.conf bN pdoscfg *W7gsNyA0-

9?s6 0- *W7gs

[audit] level -audit_level

[authorization] warning -warning

[cache] dns -dns

uid -uid

[policy] branch -branch

= 36. pdosd.conf bN pdoscfg *W7gsNyA0-

9?s6 0- *W7gs

[ldap] ssl-certificate -ldap_ssl_cacert

[pdosd] kmsg-handler-threads -kmsg_hnd_threads

log-entries -pdosd_log_entries

logs -pdosd_logs

[credentials] admin-cred-refresh -admin_cred_refresh

cred-hold -cred_hold

user-cred-refresh -user_cred_refresh

[policy] refresh-interval -refresh_interval

[ssl] ssl-listening-port -ssl_listening_port

[tcb] interval -tcb_interval

max-checksum-file-size -tcb_max_file_size

monitor-threads -tcb_monitor_threads

= 37. pdosauditd.conf bN pdoscfg *W7gsNyA0-

9?s6 0- *W7gs

[pdosauditd] log-entries -audit_log_entries

audit-logflush -audit_logflush

logs -audit_logs

audit-logsize -audit_log_size

= 38. pdoswdd.conf bN pdoscfg *W7gsNyA0-

9?s6 0- *W7gs

[pdoswdd] log-entries -pdoswdd_log_entries

logs -pdoswdd_logs

$/D+N=."/7gsKP7FO" pdoscfg *hS pdosctl 3^sIN>}rHQ9k3H,G-^9# pdoscfg 3^sIrHQ7F"=.U!$krQ97^9#3liNQ9O"!s PDOS ,d_7FFO09k^GO"-zKOJj^;s#

pdosctl 3^sIO"BTfK PDOS r0*K rQ97^9#Q9O(~K-zKJj"FO0~KO}37^;s #!NaGO":v9kJiP" pdoscfg *W7gs*hS pdosctl *W7gsN>}r(7F$^9#

PDOS �&$����3NaGO"PDOS Wm;9N+O"d_"*hSbK?<N}!rb@7F$^9#

PDOS ���

PDOS O"3^sIT+ij0G"^?O79F`&V<H~K+0*K+O9k3H,G-^9#vD]j7<N,5J)s,NBKTJolkh&K9kKO"PDOS r79F`NV<H~K+0*K+O9k,W,"j^9#V<H~K PDOSr+0*K+O5;kKO"!Nh&K~O7^9#

pdoscfg -autostart on

79F`NjV<H~KO"PDOS ,+0*K+O7^9#

V<H~N PDOS N+0O0rHQTDK9kKO"!Nh&K~O7^9#

pdoscfg -autostart off

79F`NjV<H~KO"PDOS ,+0*K+O7^;s#

3^sIT+i PDOS r+O9kKO"!Nh&K~O7^9#

rc.osseal start

GU)kHGO"79F`eG PDOS ,GiK=.5lkH-" PDOS ,79F`&V<H~K+0*K+O9kh&K;CH"CW5l^9#i|=.fK-autostart off rXj9k3HKhCF" pdoscfg 3^sITG+0O0rXjQ99k3H,G-^9#

PDOS ���3^sIT+i PDOS rd_9k3H,G-^9#9YFN PDOS Wm;9rd_7"PDOS +<MkH%rsh0=9kKO"!Nh&K~O7^9#

rc.osseal stop

^?"pdosctl 3^sIrHQ7F"CjN PDOS G<bsrd_9k3HbG-^9#?H(P"pdosauditd G<bsrd_7F"=lrLNm.s0&Qia<?<rXj7FFO09k3H,G-^9# PDOS G<bsr pdosctl KhCFd_9kKO" -k *W7gsrHQ7"G<bs>rXj7^9#?H(P"pdosauditd G<bsrd_9kKO"!Nh&K~O7^9#

pdosctl -k pdosauditd

POO pdosauditd shutdown HJj^9#3^sI rc.osseal start rHQ7F"G<bsrFO07^9#

��������pdosctl 3^sIrHQ9lP" PDOS G<bs,BTfG"k+r!:G-^9#z-tJ7G -s *W7gsrXj9lP"=l>lN PDOS G<bsNu7r=(G-^9# -s *W7gsK31FG<bs>rXj9lP"1lG<bsNu7r=(G-^9# -s *W7gsO1lN3^sITG#tsHQ9k3H,G-^9#

-q *W7gsO" -s *W7gsHHbKHQ9k3H,G-^9# -q *W7gsO" -s *W7gsKhCF8.5lkaC;<8r^)7"j?<s&3<Ir".y7?lgKO 0"Hq5l?G<bsN$:l+,,@&s7F$klgKO 0K_j7^9# -q *W7gsO"7'k&9/jWHbGN pdosctl NHQrJ1K7^9#

!Nh&K~O7^9#

pdosctl -s

POO!NH*jG9#

pdosd is running normally
pdoswdd is running normally
pdosauditd is running normally

PDOSD G<bs,,%b<IGBTfNlgKO"POO!Nh&KJj^9#

pdosd is running under abnormal conditions
    isolated from the user registry
pdoswdd is running normally
pdosauditd is running normally

PDOS &/��)��=l>lN PDOS G<bsO"-zJ$YsHH(i<ror-?9km0&U!$kr]i7^9#m0&U!$kKq-~^l?l3<IKO"UTC ?$`&9?sW"aC;<8r-?9k PDOS 3<Ir1L9kps"aC;<8oL"*hSaC;<8&F-9H,^^l^9#aC;<8oLOaC;<8NEgYr(9bNG" NOTIFY"WARNING"ERROR"^?O FATAL ,"j^9#3liNm0&U!$kO"G#l/Hj< /var/pdos/log KV+l" pdos_daemon_name.logH$&>0,U-^9#m0&U!$kOGGN]Kr)D3H,"j^9#

pdoscfg 3^sIrHQ9lP"G<bs,m0&U!$krINh&Kh}9k+r40G-^9#=l>lNG<bs4HK"m0&U!$k,77$U!$kK+0*K\T9k0Km0&U!$kKq-~ak(sHj<trXj9k3H,G-^9#^?"GiNU!$krj5$/k9k0Kq-~`m0&U!$kNtrXj9k3HbG-^9#GU)kH=.GO"#tNm0&U!$kKo?CFq-~`3HO7^;s#

= 39. PDOS G<bs&m0&U!$kr)f9k pdoscfg *W7gs

m0&U!$k m0&U!$kr)f9k*W7gs

pdosd -pdosd_log_entries

-pdosd_logs

pdoswdd -pdoswdd_log_entries

-pdoswdd_logs

pdosauditd -audit_log_entries

-audit_logs

�������_j9k]j7<,-zG"k+r!:9k,W,"j^9#^?"]j7<rQ97?H-KO,:]j7<r!:7J1lPJj^;s#Ypb<I^?OF:b<IN$:l+rHQ7F"]j7<r!:9k3H,G-^9#

�����������������Ypb<IrHQD=K9lP"]j7<N)srHQD==K;:K"79F`eNvD]j7<NzLr!:9k3H,G-^9#Ypb<I,HQD=NlgKO"]j7<N?aKLoOq]5lk,"Ypb<IG"k?aK'D5lkj=<9XN"/;9KX9kF:l3<I,8.5l^9#F:m0r=(7F"=TNvD]j7<,u>I*jNzLr/x7F$k+r=G7^9#Ypb<Ir9YFN]j7<KP7F0m<PkKHQD=K9k3HbG-^97"CjN]nj=<9KP7FHQD=K9k3HbG-^9#

EW: 0m<PkYprHQD=K9kH")sOzL,J/Jj^9#,WG"lP")srb&lYHQD=K7F/@5$#

/&�7����������������������0m<PkYpb<Ir(~KHQD=K9kKO"!Nh&K~O7^9#

pdosctl -w on

0m<PkYpb<Ir(~KHQTDK9kKO"!Nh&K~O7^9#

pdosctl -w off

!s PDOS ,FO09kH-K"0m<PkYpb<IrHQD=K9kKO"!Nh&K~O7^9#

pdoscfg -warning on

!s PDOS ,FO09kH-K"0m<PkYpb<IrHQTDK9kKO"!Nh&K~O7^9#

pdoscfg -warning off

_j5lF$k=TN0m<PkYpb<IrHq9kKO"z-tJ7G -w rXj7^9#

pdosctl -w

POO!NH*jG9#

The global warning mode setting is off

� �����������������������CjNj=<9KP7FYpb<IrHQD=K9kKO"Ypb<IrHQD=K7F POP r;CH"CW7"=lr]nj=<9KUC7^9#"/;9&3sHm<kKhCFLoOq]5lk]n*V8'/HXN"/;9O" POP ,UC5lF$k+"^?OYpb<IrHQD=K7FQ55lF$klgK"'D5l^9# POP G_j5lF$kF:lYk^?O0m<PkF:lYkKX8J/"F:l3<I,8.5l^9#GU)kHGO"Ypb<I,HQTDKJj^9#

?H(P"/OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com H$&>0N]n*V8'/HXN"/;9KD$F"Ypb<IrHQD=K9kKO"!Nh&K~O7^9#

pdadmin> pop create sample_pop
pdadmin> pop modify sample_pop set warning yes
pdadmin> pop attach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

*.company.com H$&Q?<sHlW9k[9H>r}D79F`+iN" TelnetrHQ7?MCHo</e."/;9O"LoOq]5l^9,"=l,33GOvD5l^9#j=<9Ypb<IN?a"/;9,vD5l?3Hr(9F:l3<I,8.5l^9#Ypb<IrHQTDK9kKO"Yp0-r no K_j9k+"^?O]n*V8'/H>+i POP rZj%7^9#*V8'/HKD$FPOP bG>N0-rHQ7F*j"Ypb<I@1rHQTDK7F>N0-O=N^^K7F*-?$lgKO"!Nh&K7F"Ypb<Ir*UK_j7^9#

pdadmin> pop modify sample_pop set warning no

3lG"Ypb<I,HQTDKJj^9#

3N POP rYpb<IKP7FN_HQ7F$k+"^?O"z-3-Ypb<IrHQD=K7F*-?$>N]n*V8'/Hrb POP ,)f7F$klgKO" POP r]n*V8'/H+iZj%7F"=N*V8'/HKP7F@1Ypb<IrHQTDK7^9#

pdadmin> pop detach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

POP K_j5l?Ypb<IrHq9kKO"!Nh&K~O7^9#

pdadmin> pop show pop_name

��������������F:D<krHQ7F"79F`eNvD]j7<NzLrbK?<9k3H,G-^9#F:O"0m<PkK"^?OCjN]nj=<9KP7F_j9k3H,G-^9#5]<H5lkF:lYkO all"none"permit"deny"admin"verbose"*hS info G9#F:KD$FN\YO"91Z<8NXPDOS F:Y r2H7F/@5$#

pdosaudview 3^sIrHQ9lP"F:NkLr2HG-^9# pdosaudviewKD$FNb@O" 102Z<8NXpdosaudviewY r2H7F/@5$#

/&�7���'���������!s PDOS ,FO09kH-K-zKJk0m<PkF:lYkr_j9kKO"!Nh&K~O7^9#

pdoscfg -audit_level level

pdosctl 3^sIrHQ9lP"BT~K"0m<PkF:lYkr_j^?Oj;CH9k3H,G-^9#

-A *W7gsrXj9lP"=TN0m<PkF:lYkrXjMKj;CHG-^9#1lN3^sITK#tN -A *W7gs,Xj5lF$klgKO"0m<PkF:lYk,XjM9YFK_j5l^9# -a *W7gsrXj9lP"Xj5l?F:lYkKj;CH9k3HKhCF"0m<PkF:lYkrQ9G-^9#1lN3^sITG"#tN -a *W7gsrXj9k3H,G-^9#0m<PkF:lYkrj;CH^?OQ99kKO" -a *hS -A *W7gsNeK"F:lYkH-<o<I on ^?O off r"3msGhZCFXj9k,W,"j^9#F:lYkN-zJMO all"none"permit"deny"admin"verbose"*hSinfo G9#=TN0m<PkF:rCjNlYkK(~Kj;CH9kKO"!Nh&K~O7^9#

pdosctl -A level:[on | off]

ICN0m<PkF:lYkr*sK9kKO"!Nh&K~O7^9#

pdosctl -a level:[on | off]

0m<PkF:lYkr permit *hS deny K_j9kKO"!Nh&K~O7^9#

pdosctl -A permit:on -A deny:on

admin F:lYkr0m<PkF:lYkKIC9kKO"!Nh&K~O7^9#

pdosctl -a admin:on

=_HQD=JF:lYk,"z-3-HQD=G9# -a *hS -A *W7gsr"z-tJ7GXj9lP"PDOS G<bsN=TN0m<PkF:lYkr=(G-^9#

0m<PkF:lYkrHq9kKO"!Nh&K~O7^9#

pdosctl -a

POO!NH*jG9#

pdosd has the following audit levels on: permit, deny, admin
pdoswdd has the following audit levels on: permit, deny, admin
pdosauditd has the following audit levels on: permit, deny, admin

� ����'���������CjNj=<9KP7FF:lYkr_j9kKO"F:lYkru>NlYkK_j7F POP r;CH"CW7"=lr]n*V8'/H>KUC7^9#Xj5l?F:lYkO"IND-<G*V8'/HXN"/;9,F:l3<Ir8.9k+r)f7^9#F:lYkO"!NMN&AN 1 DK_j9k3H,G-^9#

¶ permit (vD)

¶ deny (q])

¶ admin (I})

¶ all (9YF)

¶ none (J7)

GU)kHGO"F:lYk,_j5l^;s#?H(P" POP sample_pop rHQ7?]n*V8'/H> /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com XN"/;9KP7F"F:lYk permit *hS deny r_j9kKO"!Nh&K~O7^9#

pdadmin> pop modify sample_pop set audit-level permit,deny
pdadmin> pop attach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

*.company.com H$&Q?<sHlW9k[9H>r}D79F`+iN" TelnetrHQ7?MCHo</e."/;99YFKP7F"F:l3<I,8.5l^9#F:l3<IO""/;9,vD5lq]5lk+rX(7^9#F:l3<IN8.r^_9kKO"F:lYk0-r none K_j9k+"^?O POP r]n*V8'/H>+iZj%7^9#*V8'/HKD$F POP G>N0-rHQ7F*j"F:lYk@1r*UK7F">N0-O=N^^K7F*-?$lgKO"F:lYkr none K_j7^9#

pdadmin> pop modify sample_pop set audit-level none

3N POP rj=<9F:KP7FN_HQ7F$k+"^?O"z-3-F:7?$>N]n*V8'/Hrb POP ,)f7F$klgKO" POP r]n*V8'/H+iZj%7F"=N*V8'/HKP7F@1Ypb<IrHQTDK7^9#

pdadmin> pop detach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

POP K_j5l?F:lYkrHq9kKO"!Nh&K~O7^9#

pdadmin> pop show pop_name

��������&/��(��I}f<6<OLo"PDOS Z@qr}CF$kNG" PDOS Z@qr}?J$f<6<*hSD-KFAr?(k]j7<rF9H9kNO$qG9# pdosunauth3^sIO"s'ZH7F7olk7'krn.7^9# pdosunauth 3^sIKD$FO" 140Z<8NXpdosunauthY r2H7F/@5$#3N7'krHQ7F"s'Zf<6<*hSD-KFAr?(k]j7<r!:9k3H,G-^9#ICN3^sIrXj7?lgO"n.5l?7'kO"Xj5l?3^sI@1rBT7^9#!N7<1s9O" pdosunauth NHQcG9#

1. !N3^sIrk<HH7FBT7^9#

pdoswhoami -a

POO!NH*jG9#

0 root

2. pdosunauth 3^sIrBT7F" PDOS 'ZhjGs'ZH7F7olk7'krn.7^9#

pdosunauth

3. pdoswhoami 3^sIrb&lYBT7^9#

pdoswhoami -a

POO!NH*jG9#

Unauthenticated

3N7'kGBT5lk>N3^sIO" PDOS vDhjN?aKs'ZH7F7ol^9#3lKhjk<H&f<6<O"]j7<,s'Zf<6<N"/;9r"|TI*jKvD7?jq]7?j9k+r!:7^9#

EW: pdosunauth 3^sIO5(aKHQ7F/@5$#=lXN"/;9r?tNf<6<K?(J$G/@5$#

Trusted Computing Base ���U!$kN Trusted Computing Base (TCB) r=.9kU!$k&;CHO"79F`NC~hG"k]j7<&VisAN<GjA5l^9# TCB U!$kN5'uV*hSp>O"*V8'/Hp>G<?Y<9bG"^7s4HK]i5l^9#PDOSD OU!$kNp>KP9kQ9KD$F"TCB bNU!$krbK?<7^9# PDOSD Op>,Q95l?3Hr!P9kH"*V8'/Hp>G<?Y<9bG=NU!$kK"sHi9FCIN^</,U-^9#"sHi9FCI TCBU!$kNBTvDWa,q]5l^9#

*V8'/Hp>G<?Y<9bGU!$kNuV,"sHi9FCIK_j5lkH"@(*JI}"/7gs,BT5lF=NU!$k,FY5'5lk^G"=lO"sHi9FCIN^^G9#U!$kN97Q_P<8gs,79F`K$s9H<k5l?e" TCB U!$krb&lY5'9k,W,"j^9#

PDOSD � TCB �5�����pdoscfg 3^sIKO" TCB bK?<r409k*W7gs,"j^9#tcb_interval Qia<?<O" TCB 4N,Q9r9-cs5lkVV (,) G9#3NVVrg-/9kH"79F`rbK?<9k TCB NiY,:j^9,"Q9,!P5lk^GN~V,9/Jj^9#

tcb_max_file_size Qia<?<O"U!$kNA'C/5`W;K*$F-zH+J5lkGgP$HtG9#

tcb_monitor_threads Qia<?<O"U!$kNbK?<Kj-5lk9lCItG9#3liNQia<?<NMO"PDOS ,GiK=.5lkH-" [tcb] 9?s6bN /opt/pdos/etc/pdosd.conf U!$kK]I5l^9# pdoscfg 3^sIrHQ7F"Qia<?<rQ99k3H,G-^9#Q9O"!s PDOS ,79F`eGd_7FFO09kH-K-zKJj^9# pdoscfg 3^sI&Qia<?<KD$FN\YO" 106Z<8NXpdoscfgYr2H7F/@5$#

�������� ��������*V8'/Hp>G<?Y<9bN TCB U!$kN=_N5'uVr!:7?jQ97?j9kKO" pdosobjsig 3^sIrHQ7^9# pdosobjsig 3^sIO"G<?Y<9bN9YFNU!$k"9YFNHi9FCI&U!$k"^?O9YFN"sHi9FCI&U!$krj9H9k3H,G-^9# -l Qia<?<O"INU!$kr!:^?OQ99k+rXj7^9#

-g *W7gsrHQ7F"CjNU!$kNuVr=(7^9#

pdosobjsig 3^sIO^?" TCB U!$kN=_N5'uVrQ99k3HbG-^9# -u *hS -s N>}r1~KHQ9k+"^?O -S *W7gs@1rHQ7F"uVrQ97^9# -u Qia<?<O"CjNU!$kNuVr"Hi9FCI^?O"sHi9FCIK_j7^9# -S Qia<?<O"9YFNU!$kNuVr"Hi9FCI^?O"sHi9FCINIAi+K_j7^9#?H(P"7,"Wj1<7gs /usr/local/app/bin/applicationA r$s9H<k7"applicationA r TCB NQ<DK7?$H7^9#

1. =Nlg"!Nh&K~O7^9#

pdadmin> object create \
    /OSSEAL/<policy-branch>/TCB/Secure-Program/usr/local/app/bin/applicationA

2. uVrHi9FCIK_j7^9#

pdosobjsig -u /usr/local/app/bin/applicationA -s trusted

3. -h"applicationA N97Q_P<8gsr$s9H<k7^9#"/7gsr?bTJoJ1lP " PDOS TCB bK?<O"p>,Q95l?3Hr!P7F"uVr"sHi9FCIK_j7^9#=&9kH"@lb3N"Wj1<7gsrBTG-J/Jj^9#3lrr1kKO"97Q_ applicationA r@(*KFY5'7^9#

pdosobjsig -u /usr/local/app/bin/applicationA -s trusted

������Z@qO-cC7eK~lilF" PDOS ,vDhjrz(*KTJ(kh&K"^? Policy Director User Registry +iH)7F!=G-kh&K5l^9#

PDOSD Oabj<bN-cC7e*hSG#9/&-cC7erHQ7^9#

���48��-���pdoscfg 3^sIKO" PDOSD NZ@q-cC7er409k?aN*W7gs,"j^9#

user-cred-refreshG7=(N~oKJk0K"f<6<NZ@q,Z@q-cC7ebK8_G-k,t#=NVVO"Z@q,-cC7eK~lil?H-+i+O7^9#G7=(VVr6a9kH"Z@q,G7=(5l^9#

admin-cred-refreshPDOS I}f<6<KX"7?Z@qNG7=(NQY#3lKhCF"lLf<6<HOLDN"I}f<6<N?aNZ@qNG7=(|VrI}7^9#

cred-holdsI}f<6<,GeK"/;97?~oJe"sI}f<6<KX"7?Z@qrZ@q-cC7ebK]}9k3HNG-k,t#sI}f<6<KX"7?Z@qO"3NVVe"-cC7e+iUiC7e5l^9#I}f<6<KX"7?Z@qO"-cC7e+iUiC7e5lk3HO"j^;s# cred-hold VVO"GcGb user-cred-refresh VVH18@1N95,,WG9#

3liNQia<?<NMO"PDOS ,iaF=.5lkH-K [credentials] 9?s6bN /opt/pdos/etc/pdosd.conf U!$kK]I5l^9#[HsIND-GO"*=i/GU)kHMG=,G9# pdoscfg 3^sIKhCFMrQ99k3H,G-^9,"=NQ9,-zKJkNO"!s PDOS r79F`eGd_7FFO07?H-G9# pdoscfg 3^sIKD$FN\YO" 106Z<8NXpdoscfgYr2H7F/@5$#

������������PDOS NBTfK"PDOS N5]<HHjA9km0$s&Wm0i`rHQ7F"f<6<,79F`Km0$s9kH-K"Z@q, Policy Director User Registry+iGiK!w^?O975l^9#3Nf<6<KhCF=NeBT5lkWm;9GBT5lk`nKD$FJ5lk9YFNvDhjO"3liNZ@qrHQ7FTJol^9#9GK79F`Km0$s7F$kf<6<NZ@qr@(*KG7=(9k3HbG-^97"=Nf<6<,+,G+,NZ@qrG7=(9k3HbG-^9# pdosrefresh 3^sIO"Xjf<6<N"-cC7eK~lilF$kZ@qrG7=(7^9#

*W7gsrU1:K pdosrefresh 3^sIrFSP;P"=TNZ@qrG7=(9k3H,G-^9#I}f<6<O"UID ^?O>0rXj7F"LNf<6<NZ@qrG7=(9k3H,G-^9#3^sINlsNFSP7G"#tNf<6<rXj9k3H,G-^9#

f<6< Hanako H Taro N Policy Director User l89Hj<bN0k<W&asP<7CWrQ99kH7^9#3NQ9r(~K-zK9kKO"3liNf<6<KX"7?Z@qr979k,W,"j^9#

1. f<6< Hanako H Taro NZ@qrG7=(9kKO"!Nh&K~O7^9#

pdosrefresh -n Hanako -n Taro

2. Hanako H Taro O=l>l pdosrefresh H~O7F"+,NZ@qrG7=(9k3H,G-^9#

����������pdosdestroy 3^sIO"Xjf<6<N"-cC7eK~lil?Z@qr|n7^9#=TNZ@qO"*W7gsrU1:K pdosdestroy 3^sIrFSP;P"K~9k3H,G-^9# UID ^?O>0rXj9lP"LNf<6<NZ@qr|n9k3H,G-^9#3^sITK#tNf<6<rXj9k3H,G-^9#

FSP7&f<6<NZ@qrK~9kKO"!Nh&K~O7^9#

pdosdestroy

f<6< Hanako H"UID , 300 G"k Taro NZ@qrK~9kKO"!Nh&K~O7^9#

pdosdestroy -n sally -u 300

#�$�� ID ���f<6<ND-^?OBTWm;9ND-KX"7? PDOS "/;5< ID O"@(*KA'C/9k,W,"j^9#

pdoswhoami 3^sIO"FSP7f<6<KX"7? PDOS "/;5<psr=(7^9#3N3^sIO"*W7gsrU1J1lP"PDOS f<6<>r=(7^9#

-n *W7gsO"FSP7f<6<N"/;5< ID r=(7^9# -a *W7gsO"f<6<>H ID N>}r=(7^9#

-l *W7gsOf<6<N0k<W&asP<7CW"Z@q,GeKG7=(5l?~o"Z@q97~|"Z@q,GeK"/;95l?~o"*hSZ@qN]}~V~|r=(7^9#

pdoswhoami ��� pdoswhois ��f<6< Hanako O"PDOS rBT9k79F`Km0$s7^9# Hanako O!N3^sIr~O9k3HKhCF"+,NZ@qr=(9k3H,G-^9#

pdoswhoami -l

POO!NH*jG9#

106 sally
The credential is associated with the following groups:
    osseal-testers
    osseal-developers
The credential was last refreshed at Sat Nov 4 14:07:21 2000
The credential refresh time expires at Sun Nov 5 02:07:21 2000
The credential was last accessed at Sat Nov 4 14:07:29 2000
The credential hold time expires at Sat Nov 11 14:07:29 2000

PDOS I}f<6<Gb"kk<H&f<6<O"!N3^sIr~O7^9#

pdoswhoami -l

POO!NH*jG9#

0 root
The credential is associated with the following groups:
    osseal-admin
    osseal-auditors
The credential was last refreshed at Sat Nov 4 11:52:56 2000
The credential refresh time never expires.
The credential was last accessed at Sat Nov 4 14:12:56 2000
The credential hold time never expires.

The pdoswhois command displays the PDOS accessor information associated with running processes, identified by process ID (pid). The list of pids must be given on the pdoswhois command line. For each pid the accessor ID and user name are displayed. If -l is specified, the group memberships, the time the credential was last refreshed, the credential refresh expiry, the time the credential was last accessed, and the credential hold expiry are displayed as well.

An administrator can determine which credentials are associated with running processes (here, process IDs 1756 and 1806) by entering:

pdoswhois 1756 1806

The output is:

Pid, 1756, is running under the uid = 106, user name = Hanako
Pid, 1806, is running under the uid = 300, user name = Taro

PDOS accessor ID versus UNIX ID

The PDOS accessor ID in effect for a user or a running process can differ from the UNIX ID. Running the su command, for example, may change the user's UNIX ID, but the user's PDOS accessor ID does not change. Likewise, running a setuid or setgid program may change the UNIX ID of the process, but the PDOS accessor ID associated with the process remains that of the invoker. Suppose, for example, that user sally is permitted to run a program that changes identity to root, and runs /bin/su to become root. The PDOS accessor ID associated with this user is still sally, but the UNIX ID is now root.

First, user sally runs:

id
uid = 106(sally)

pdoswhoami -a
106 sally

/bin/su

After running /bin/su:

id
uid=0(root)

pdoswhoami -a
106 sally

Host name resolution database

To avoid going to the name service every time an IP address or host name has to be resolved, PDOS maintains a host name resolution database. The database is consulted whenever a resolution is needed at run time. Use of the database is enabled by default when PDOS is configured on a system.

Enabling and disabling the database

Specifying -dns off on the pdoscfg command disables the host name resolution database. The database can be enabled or disabled at any time with pdoscfg, but the change does not take effect until PDOS is next stopped and restarted.

To enable the host name resolution database at the next PDOS restart, enter pdoscfg -dns on.

To disable the host name resolution database at the next PDOS restart, enter pdoscfg -dns off.

Managing the database with pdoshla

The pdoshla command manages the database. This is needed when information cached from name-service lookups has become stale. pdoshla adds, deletes, refreshes and displays database entries.

The -l option lists the existing database entries; the list can be limited by specifying all, stale or fresh. The -a option adds an entry for the specified IP address.

Unless the associated host name is supplied with the -H option, the name service is used to look up the host name.

The default lifetime of an entry is 6 hours (21600 seconds). The -T option specifies the lifetime explicitly and overrides the default.

The -F option flushes the entire database. The -f option flushes the stale entries from the database. The -r option flushes the specified entries.

The -u option refreshes all database entries: a name-service lookup is performed for every entry in the database.


pdoshla examples

The following are examples of the pdoshla command.

1. To add an entry for IP address 146.84.107.11 to the default database, enter:

pdoshla -a 146.84.107.11

2. To display all entries in the default database, enter:

pdoshla -l all

The output is:

# Internet Address  Hostname
9.41.3.101          test1.austin.lab.tivoli.com
146.84.107.11       office1.tivoli.com
9.41.3.123          test3.austin.lab.tivoli.com

3. To display the stale entries in the default database, enter:

pdoshla -l stale

The output is:

# Internet Address  Hostname
9.41.3.123          test3.austin.lab.tivoli.com

4. To flush the stale entries from the default database, enter pdoshla -f.

5. To refresh all entries in the default database, enter:

pdoshla -u

Backing up and restoring PDOS

The pdosbkup and pdosrstr commands back up and restore the PDOS configuration files and databases.

Backing up PDOS

Stop PDOS before backing it up. If pdosbkup is run while the PDOS daemons are running, the state of some files may change while the backup is in progress.

The pdosbkup command backs up every file and directory listed in the file /opt/pdos/etc/pdosbkuplist. If -x is specified, the files and directories listed in /opt/pdos/etc/pdosbkuplistx are backed up instead. When a directory appears in the backup list, only the files directly under that directory are backed up; subdirectories are not included. By default the tar file created as the backup is placed in /var/pdos/pdosbkup/pdosbkupdate.tar, where date is a timestamp (for example pdosbkup25Oct2000.14:32:41.tar).

Use the -p option to change the directory in which the backup file is placed, and the -f option to change the name of the backup file.

PDOS backup examples

The following are examples of backing up PDOS.


1. To back up the critical PDOS configuration files, enter:

pdosbkup

2. To perform an extended PDOS backup, enter:

pdosbkup -x

Restoring PDOS

The pdosrstr command restores PDOS files previously saved with the pdosbkup command. The files are restored from the backup file named with the -f option.

PDOS restore example

The following restores PDOS from a backup file.

1. To restore the files saved in pdosbkup25Oct2000.14:32:41.tar, enter:

pdosrstr -f /var/pdos/pdosbkup/pdosbkup25Oct2000.14:32:41.tar


PDOS auditing

PDOS auditing can be used to track authorization decisions for protected resources. It can also monitor administrative activities such as starting and stopping the PDOS daemons.

PDOS supports the following audit levels:

none
    Turns auditing off. By default, PDOS auditing is disabled.

permit
    Tracks all authorization decisions that permit access to a protected resource.

deny
    Tracks all authorization decisions that deny access to a protected resource.

admin
    Tracks administrative activity. For example, when the global audit level is set to admin, a log entry is created for actions such as the shutdown and startup of the PDOS daemons.

all
    Enables the permit, deny and admin levels.

info
    Tracks actions that PDOS performs automatically, such as receiving a new effective policy.

verbose
    Enables the permit, deny, admin and info levels.

This chapter describes the events that PDOS can audit, the format of audit log entries, and how to display the PDOS audit log.

Resource-based auditing

Enabling resource-based auditing audits the authorization decisions for one specific resource. Resource-based auditing is enabled through POP (protected object policy) access controls. To enable it, carry out the following steps.

1. Create a POP.

2. Set the POP's audit level attribute to permit, deny, or both.

3. Attach the POP to the resource to be audited.

When the global audit level is set to permit or deny, audit records for authorization decisions are generated as well. The global audit level and the resource audit level are combined. For example, if the global audit level is set to deny and a POP whose audit level is permit is attached to a resource, every authorization decision for access to that resource is audited.

When warning mode is enabled, an audit record is generated for every authorization decision that warning mode changes from deny to permit, regardless of the current audit level. Resource-based warning mode is enabled through POP access controls. Global warning mode can also be turned on, with or without auditing. For how to enable global auditing and warning mode with the pdoscfg and pdosctl commands, and how to set POP access controls with pdadmin to enable resource-based auditing and warning mode, see the section on policies that use auditing on page 80 and the section on policies that use warning mode on page 79.

Auditing administrative activity

Setting the admin audit level in the global audit level audits administrative activity. At the admin level, PDOS generates audit records for events such as the startup and shutdown of the PDOS daemons, loss of the connection to the Policy Director User Registry, TCB-related activity such as the TCB monitor marking a file untrusted, and significant policy changes.

Audit log file

The PDOSAUDITD daemon manages the PDOS audit log file. It receives audit events from the PDOS daemons, the kernel extension and the pdosobjsig command, and PDOS writes the events to the audit log. The active audit log is the file /var/pdos/audit/audit.log. Audit logs are written to disk in binary format. When the audit log file reaches its configured size, PDOSAUDITD archives the log and writes the archive to the file system. The archived log file name carries a timestamp so that it can be distinguished from other files: archived logs are named audit.log.YYYY-MM-DD-HH-MM-SS and are kept in the same directory as the active log, /var/pdos/audit. For information about PDOSAUDITD, see "PDOSAUDITD" on page 59. For how to set, with pdoscfg, the conditions under which PDOSAUDITD archives the audit log, see the section on changing the PDOS configuration on page 76.


Audit record format

All audit log records have the same format, but the information a record contains depends on the type of resource audited. The following list describes the main entries of an audit record.

Common Audit Event Section

Product ID
    100 for OSSEAL.

Record version
    The Policy Director audit record version.

Record length
    The length of this audit record.

Product record version
    The PDOS audit record version.

Timestamp
    The time at which the event occurred, in UTC format.

Audit event ID
    A message identifying the audited event.

Originating process ID
    The software component or subsystem that generated the event. One of:
    KERNEL, PDOSD, PDOSWDD, PDOSAUDITD, GENERAL

Audit view
    The audit view level to which this event belongs. One of:
    deny: an event that an authorization decision denied.
    permit: an event that an authorization decision permitted.
    admin: an administrative event, typically the startup or shutdown of a daemon.
    info: an event of informational interest.

Audit action
    A short description of the audited action. The main values are:
    check_access, add, delete, change, retrieve, apply, trust, untrust, start, stop, register, trace, isolated, not_isolated, unknown

Audit reason
    Why the audit record was generated. The main values are:
    global audit: the global audit view setting triggered the event.
    resource audit: the audit view setting of a resource or user triggered the event.
    global warning: the global warning view setting triggered the event.
    resource warning: the resource warning view setting triggered the event.

Audit outcome
    The outcome of the audited event. One of:
    success: the audited operation succeeded.
    failure: the audited operation failed; an error occurred in the processing that generated the audit event.

Audit fail status
    When the audit outcome is failure, additional detail about the cause of the failure. This is a text message. Under normal, non-failure conditions the message is "The operation completed successfully."

Audit resource type
    A short classification of the target event, operation or object that the audit event describes. One of:
    AZN: an event describing an authorization decision.
    DAEMON: an event about the operational state of a daemon.
    TCB: an event reporting a change in the state of the trusted computing base (TCB).
    CRED: an event describing a credential-management operation.
    POLICY: an event reporting a change to the authorization policy.


    GENERAL: an event describing a general operation or processing step; it carries additional information about an action or a program flow.

Audit parameter count
    The number of additional-data parameters carried in the audit parameters. Default 0.

Audit parameters length
    The length of the audit parameters. Default 0.

Common Audit Data Section

Accessor flags
    Indicates which accessor ID fields the record contains. One or more of:
    ACCESSOR ID, ACCESSOR REAL ID, ACCESSOR EFFECTIVE ID, ACCESSOR PROCESS ID

Accessor ID
    The UNIX UID of the accessor. Present when the accessor flags include ACCESSOR ID.

Accessor real ID
    The real UNIX UID of the accessor. Present when the accessor flags include ACCESSOR REAL ID.

Accessor effective ID
    The effective UNIX UID of the accessor. Present when the accessor flags include ACCESSOR EFFECTIVE ID.

Accessor PID
    The process ID of the accessor. Present when the accessor flags include ACCESSOR PROCESS ID.

Originating location name length
    The length of the host name of the machine that generated the record, plus 1. A length of zero means the originating location name is absent.

Accessor name length
    The length of the accessor name plus 1. Zero means the accessor name is absent.

Accessor effective name length
    The length of the accessor effective name plus 1. Zero means the accessor effective name is absent.

Running Protected Obj (object) name length
    The length of the Protected Object Name of the running program, plus 1. Zero means the running program has no Protected Object Name.

Running System Resr (resource) name length
    The length of the System Resource Name of the running program, plus 1. Zero means the running program has no System Resource Name.


Target and Resources Related Data

Protected Object name length
    The length of the Protected Object Name plus 1. Zero means the Protected Object Name is absent.

System Resource name length
    The length of the System Resource Name plus 1. Zero means the System Resource Name is absent.

Terminal Data Section

Holiday Protected Object name length
    The length of the Holiday Protected Object Name plus 1. Zero means the Holiday Protected Object Name is absent.

Variable Length Common Section

Accessor credential
    The accessor's credential, when the accessor credential length is set above. Not present for OSSEAL.

Originating location name
    The name of the OSSEAL machine that generated the audit record.

Accessor name
    The name of the accessor's UNIX ID. Depending on the system's ability to resolve the accessor name, this may be absent from the record.

Accessor effective name
    The name of the accessor's effective UNIX ID. Depending on the system's ability to resolve the name, this may be absent from the record.

Running program Protected Object Name
    The Protected Object Name of the accessing program, when the corresponding length above is set.

Running program System Resource Name
    The System Resource Name of the accessing program, when the corresponding length above is set.

Protected Object Name
    The Protected Object Name of the resource, when the corresponding length above is set.

System Resource Name
    The System Resource Name of the resource, when the corresponding length above is set.

Holiday Protected Object Name
    The Holiday Protected Object Name of the resource, when the corresponding length above is set.

Audit Parameters
    Additional data attached to the audit event. The parameter count gives the number of parameters present. Each parameter consists of a data type, a length, and the data itself. For a string, the length is the number of characters including the trailing null.


Azn Decision Extension

Azn permission
    The action attempted. The main values are listed in Table 41 on page 147.

Azn resource type
    The resource type to which the authorization decision applies. One of:
    File, Netincoming, Netoutgoing, Login, Surrogate, Sudo

Azn result
    The authorization decision that was reached. One of:
    permit: PDOS granted access to the resource on the basis of normal policy evaluation.
    deny: PDOS denied access to the resource on the basis of normal policy evaluation.
    permit warn: the accessor was not authorized to perform the action on the resource, but PDOS granted access because warning mode is in effect.
    permit error: PDOS could not evaluate the policy because of an error condition; access to the resource was granted.
    deny error: PDOS could not evaluate the policy because of an error condition; access to the resource was denied.

Azn result qualifier
    Additional information about the Azn result, either a text string or the value 0. The value 0 indicates that the Azn result rests on normal policy evaluation, that is, permit or deny.

Network Data Extension

Network flags
    A text string indicating which of the following local and remote fields are present:
    local port, local IP address, remote port, remote IP address


Local IP version
    4 or 6.

Local IP address
    The IP address of the local machine.

Local IP protocol
    The IP protocol used by the local machine.

Local IP port
    The IP port used by the local machine.

Remote IP version
    4 or 6.

Remote IP address
    The IP address of the remote machine.

Remote IP protocol
    The IP protocol used by the remote machine.

Remote IP port
    The IP port used by the remote machine.

Sudo Data Extensions

Sudo Flags
    A text string indicating whether a target-user password or an invoker password applies. A value of zero (0) means neither is present. Possible flags:
    target user pw, invoker pw

Executable Length
    The length of the executable name plus 1. Zero means there is no executable.

Target User Length
    The length of the target user name plus 1. Zero means there is no target user.

Cmd Args Length
    The length of the command arguments plus 1. Zero means there are no command arguments.

Executable
    A string naming the executable actually invoked when the sudo request is permitted. May be absent.

Target User
    A string naming the user as whom the executable runs. Absent when the Target User Length field is zero.

Cmd Args
    The command-line pattern that policy matches against when the sudo request is granted.

TCB Data Extensions


Changed Data Attr flags
    A text string indicating what changed in a TCB file at the point it became untrusted. One or more of:
    signature fail, explicit admin, explicit access

Policy Data Extensions

Policy flags
    A text string indicating which of the following fields are set:
    epoch, version number, applied

Policy epoch
    The number of policies retrieved since the first policy was set.

Policy version number
    The version number of the policy currently applied.

Displaying audit logs

The audit log is written to disk in binary format. To display the log records, this binary format must be converted to text. The conversion is performed by the PDOS audit view tool, whose use is described in detail under "pdosaudview" on page 102. When the audit view tool converts binary audit records, it writes them to a text file named text.log in /var/pdos/audit/.

Each audit record in text.log is a comma-separated line of the form key = value, key = value, ... key = value. The format is designed so that other extraction tools can read it.

Searching the PDOS audit log

The view tool searches the audit log file and converts what it finds to readable text. Log records can be filtered by a number of parameters, such as resource type, authorization decision, timestamp and accessor. When a search is specified, the tool converts the binary audit data and writes every matching record to a text file, by default text.log in the same directory as audit.log.

Each search replaces text.log with the records matching that search. Invoking pdosaudview with the -l option also displays the filtered records on the screen.


The audit view tool runs from the command line. Its command and filter options are described under "pdosaudview" on page 102. An example command line follows.

Example: suppose you want to examine every authorization decision recorded in a given period, and in particular to learn which resources were denied access during September and October. The audit records matched by this search contain the user who attempted the access, the resource, and the reason access was denied. The command line for such a search is:

pdosaudview -l -w deny -s 2000-09-01-00-00-00 -e 2000-10-31-23-59-59

Note that the syntax summary for pdosaudview writes the time portion of -s and -e with colons (YYYY-MM-DD-hh:mm:ss), whereas this example separates every field with a hyphen.
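The following, added here as an example and not part of pdosaudview or of this guide, performs the same kind of filtering over records in the text.log form described above (comma-separated key = value pairs). The key names follow the field labels shown in the pdosaudview example record in the appendix; their exact spelling in text.log, and the sample records themselves, are constructed for this example, and values are assumed to contain no commas.

```python
"""Parse text.log-style PDOS audit records and filter them the way
``pdosaudview -w deny -s ... -e ...`` does.

Added example, not the pdosaudview tool. The key names follow the labels of
the pdosaudview example record; their spelling in text.log and the records
below are constructed for this example. Values are assumed to contain no
commas.
"""
from datetime import datetime

# Constructed sample records (not real log data). Timestamps use the
# YYYY-MM-DD-hh:mm:ss form shown in the pdosaudview example record.
SAMPLE_TEXT_LOG = """\
Timestamp = 2000-09-14-08:15:02, Audit View = Deny, Audit Action = Check Access, Audit Reason = Global Audit, Audit Outcome = Success, Audit Resource Type = Azn, Accessor Name = sally, System Resource Name = /etc/shadow, Azn Result = Deny
Timestamp = 2000-09-20-17:40:11, Audit View = Permit, Audit Action = Check Access, Audit Reason = Global Audit, Audit Outcome = Success, Audit Resource Type = Azn, Accessor Name = root, System Resource Name = /etc/passwd, Azn Result = Permit
Timestamp = 2000-10-03-23:59:59, Audit View = Deny, Audit Action = Check Access, Audit Reason = Resource Audit, Audit Outcome = Success, Audit Resource Type = Azn, Accessor Name = riley, System Resource Name = /usr/local/bin/sudo, Azn Result = Deny
Timestamp = 2000-11-01-00:00:00, Audit View = Deny, Audit Action = Check Access, Audit Reason = Global Audit, Audit Outcome = Success, Audit Resource Type = Azn, Accessor Name = sally, System Resource Name = /etc/shadow, Azn Result = Deny
Timestamp = 2000-10-22-22:33:09, Audit View = Admin, Audit Action = Stop, Audit Reason = Global Audit, Audit Outcome = Success, Audit Resource Type = Daemon, Accessor Name = root, System Resource Name = pdoswdd
"""


def parse_record(line):
    """Split one 'key = value, key = value' line into a dict."""
    record = {}
    for pair in line.split(","):
        key, sep, value = pair.partition("=")
        if sep:
            record[key.strip()] = value.strip()
    return record


def parse_stamp(text):
    """Accept YYYY-MM-DD, YYYY-MM-DD-hh:mm:ss (the syntax summary form) or the
    all-hyphen YYYY-MM-DD-hh-mm-ss form used in the search example above."""
    parts = text.split("-")
    if len(parts) == 3:
        return datetime.strptime(text, "%Y-%m-%d")
    if len(parts) == 4:
        return datetime.strptime(text, "%Y-%m-%d-%H:%M:%S")
    if len(parts) == 6:
        return datetime.strptime(text, "%Y-%m-%d-%H-%M-%S")
    raise ValueError(f"unrecognised timestamp: {text}")


def filter_records(text_log, view=None, start=None, end=None):
    """Return the records whose Audit View matches ``view`` (case-insensitive)
    and whose Timestamp lies within [start, end] inclusive."""
    lo = parse_stamp(start) if start else None
    hi = parse_stamp(end) if end else None
    selected = []
    for line in text_log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if view and rec.get("Audit View", "").lower() != view.lower():
            continue
        stamp = parse_stamp(rec["Timestamp"])
        if lo and stamp < lo:
            continue
        if hi and stamp > hi:
            continue
        selected.append(rec)
    return selected


def denied_resources(text_log, start, end):
    """Map each resource denied in the window to the accessors refused."""
    summary = {}
    for rec in filter_records(text_log, view="deny", start=start, end=end):
        summary.setdefault(rec["System Resource Name"], set()).add(rec["Accessor Name"])
    return summary
```

Run against the constructed records with the same window as the pdosaudview example, the filter keeps the two deny records dated in September and October and drops the permit, the admin event, and the deny from 1 November.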


PDOS commands

This appendix describes the PDOS commands and their operands.

Some of these commands require root authority. A default PDOS policy is defined so that they can be run correctly and securely. Changing the default policy that governs these commands may weaken the security of the system or make the commands inoperable. See "PDOS policy" on page 7.

The -t trace-string option accepted by many PDOS commands is intended for use by customer support personnel, not by administrators, so valid trace strings are not documented.


pdosaudview

Purpose

Converts the binary audit log into a readable format.

Syntax

pdosaudview [-h] [-?] [-V]
            [-l]
            [-g resource type]
            [-z azn decision type]
            [-p pid]
            [-w audit view]
            [-a action]
            [-r reason]
            [-o outcome]
            [-n accessor name | accessor uid]
            [-c accessor effective name | accessor effective uid]
            [-s YYYY-MM-DD{-hh:mm:ss}]
            [-e YYYY-MM-DD{-hh:mm:ss}]
            [-f filename]
            [-i audit log filename]

Options

-V      Displays version information.
-h      Displays the usage message.
-?      Displays the usage message.
-l      Prints the output to the screen.
-g      Resource type (azn, daemon, tcb, cred, policy).
-z      azn_decision type (file, netincoming, netoutgoing, login, surrogate, sudo).
-p      Originating PID (KERNEL, PDOSD, WATCHDOG, AUDITD, GENERAL).
-w      Audit view (permit, deny, admin, info).
-a      Action (check_access, add, delete, change, retrieve, apply, trust, untrust, start, stop, register, trace, isolated, non-isolated, unknown).
-r      Reason (global_audit, resource_audit, global_warning, resource_warning).
-o      Outcome (success, failure).
-n      Accessor name | accessor UID.
-c      Accessor effective name | accessor effective UID.
-s      Start date (YYYY-MM-DD{-hh:mm:ss}).
-e      End date (YYYY-MM-DD{-hh:mm:ss}).
-f      File name in which to create the ASCII output.
-i      Audit log file name: the specific audit file to filter.


Return codes

0       The command completed successfully.
1       An error occurred.

Example

The following record is an example of a permit record. Its format matches the output of the audit view tool (pdosaudview with the -l option); line breaks have been adjusted to fit the printed page. The length fields illustrate the length-plus-one rule described in Chapter 5: dfswitch (8 characters) gives an Originating Location Length of 9, and root (4 characters) gives name lengths of 5.

*** START OF NEW RECORD ***
COMMON AUDIT EVENT EXTENSION ===================
Product ID: 100
Record Version: 1
Record Length: 201
Timestamp: 2000-10-22-22:33:09
Audit Event: An authorization decision was made.
Originating Process: Pdosd
Audit View: Permit
Audit Action: Check Access
Audit Reason: Global Audit
Audit Outcome: Success
Audit Fail Status: The operation completed successfully.
Audit Resource Type: Azn
Audit Parameter Count: 0
Audit Parameter Length: 0

COMMON AUDIT DATA EXTENSION ==========================
Accessor Flag: ACCESSOR ID ACCESSOR REAL ID ACCESSOR EFFECTIVE ID ACCESSOR PROCESS ID
Accessor ID: 0
Accessor Real ID: 0
Accessor Effective ID: 0
Accessor Process ID: 0
Originating Location Length: 9
Accessor Name Length: 5
Accessor Effective Name Length: 5
Running Protected Object Name Length: 0
Running System Resource Name Length: 9

TARGET RESOURCE SECTION ==========================
Running Protected Object Name Length: 0
System Resource Name Length: 17

TERMINAL DATA SECTION ==========================
Holiday Protected Object Name Length: 0

VARIABLE LENGTH COMMON SECTION ================================
Originating Location Name: dfswitch
Accessor Name: root
Accessor Effective Name: root


pdosbkup

Purpose

Backs up the PDOS databases and configuration files.

Syntax

pdosbkup [-Vh?]
         [-x]
         [-f filename]
         [-p directory-path]

Description

The pdosbkup command backs up all files and directories listed in the file /opt/pdos/etc/pdosbkuplist or, when the -x option is specified, in the file /opt/pdos/etc/pdosbkuplistx.

When a directory is named in the backup list, only the files directly within that directory are backed up; subdirectories are not backed up. By default the tar file created as the backup is placed in /var/pdos/pdosbkup/pdosbkupdate.tar, where date is a timestamp.

Use the -p option to change the directory in which the backup file is placed. Use the -f option to change the name of the backup file.

If pdosbkup is run while the PDOS daemons are running, the state of some files may change while the backup is in progress.

Root authority is required to use the pdosbkup command.

Options

-V      Displays version information.
-h      Displays the usage message.
-?      Displays the usage message.
-x      Performs an extended backup.
-f filename
        Specifies the name of the backup file.
-p directory-path
        Specifies the directory in which the backup file is placed.

Return codes

0       The command completed successfully.
1       An error occurred.

Examples

The following are examples of pdosbkup usage.


1. To back up the critical PDOS configuration files, enter:

pdosbkup

2. To perform an extended PDOS backup, enter:

pdosbkup -x


pdoscfg

Purpose

Configures PDOS.

Syntax

pdoscfg [-admin_cred_refresh number_of_minutes]
        [-audit_level (all | none | permit | deny | admin | verbose | info)]
        [-audit_log_entries number_of_log_entries]
        [-audit_logflush number_of_seconds]
        [-audit_logs number_of_logs]
        [-audit_log_size number_of_bytes]
        [-autostart (on | off)]
        [-cred_hold number_of_minutes]
        [-delete (comma_delimited_list_of_options)]
        [-dns (on | off)]
        [-help]
        [-kmsg_hnd_threads number_of_threads]
        -ldap_ssl_cacert ldap_certificate_file_name
        [-login_policy (on | off)]
        -branch policy_branch_name
        [-operations]
        [-pdosd_log_entries number_of_log_entries]
        [-pdosd_logs number_of_logs]
        [-pdoswdd_log_entries number_of_log_entries]
        [-pdoswdd_logs number_of_logs]
        [-refresh_interval number_of_minutes]
        [-rspfile file_name]
        [-sec_master_pwd security_master_password]
        [-ssl_listening_port port_to_listen_for_notification]
        -suffix policy_director_suffix
        [-tcb_interval number_of_minutes]
        [-tcb_max_file_size number_of_megabytes]
        [-tcb_monitor_threads number_of_threads]
        [-uid (on | off)]
        [-usage]
        [-user_cred_refresh number_of_minutes]
        [-version]
        [-warning (on | off)]
        [-?]

Description

Use the pdoscfg command to configure PDOS initially. After the initial configuration, use pdoscfg to change configuration attributes. Changes made with pdoscfg take effect the next time PDOS is stopped and restarted.

pdoscfg can also remove attributes from the PDOS configuration file. The daemons then use the default values for those attributes the next time PDOS is started.


The policy branch name and the suffix cannot be changed after the initial configuration. To change either, unconfigure PDOS with the pdosucfg command and then reconfigure it with pdoscfg, giving the new policy branch name or suffix.

Stop PDOS before running pdoscfg to change the SSL listening port or the LDAP SSL CA certificate.

Options

This section describes the options of the configuration command. Each option's description is followed by its default, where one exists.

-admin_cred_refresh
        Interval, in minutes, at which administrators' credentials are refreshed.
        Default: 360

-audit_level
        Comma-delimited list of audit levels. The levels are all, none, permit, deny, admin, verbose and info.
        Default: none

-audit_log_entries
        Number of pdosauditd log entries written before rolling over to the next log. The default of 0 means the log never rolls over.
        Default: 0

-audit_logflush
        Interval, in seconds, at which the audit log buffer is flushed.
        Default: 5

-audit_logs
        Number of pdosauditd log files used before the log files are recycled. A value of 0 means the log files are not recycled. A non-zero value has an effect only when audit_log_entries is also non-zero.
        Default: 0

-audit_log_size
        Maximum size, in bytes, of a log file before it rolls over to the next log.
        Default: 1000000

-autostart
        Starts PDOS automatically when the system is rebooted.
        Default: on

-cred_hold
        Time, in minutes, that a non-administrator's credential stays in the cache without being accessed. This value must be greater than both the admin_cred_refresh value and the user_cred_refresh value.
        Default: 10080


-delete
        Comma-delimited list of options to remove from the configuration file. The supported options are admin_cred_refresh, audit_level, audit_log_entries, audit_logflush, audit_logs, audit_log_size, cred_hold, dns, kmsg_hnd_threads, pdosd_log_entries, pdosd_logs, pdoswdd_log_entries, pdoswdd_logs, refresh_interval, tcb_interval, tcb_max_file_size, tcb_monitor_threads, uid, user_cred_refresh and warning.

-dns
        Allows PDOS to store IP address to host name mapping information.
        Default: on

-help
        Displays help for all options. To display help for a single option, enter -help -<option>.

-kmsg_hnd_threads
        Number of threads used to handle authorization requests. Must be a positive integer.
        Default: 4

-ldap_ssl_cacert
        The LDAP SSL CA certificate.

-login_policy
        Enables system login and password policy.
        Default: on

-name
        The name of the policy branch to which this machine subscribes. (The syntax summary above lists this option as -branch.)

-operations
        Lists the supported options.

-pdosd_log_entries
        Number of pdosd log entries written before rolling over to the next log. The default of 0 means the log never rolls over.
        Default: 0

-pdosd_logs
        Number of pdosd log files used before the log files are recycled. A value of 0 means the log files are not recycled. A non-zero value has an effect only when pdosd_log_entries is also non-zero.
        Default: 0

-pdoswdd_log_entries
        Number of pdoswdd log entries written before rolling over to the next log. The default of 0 means the log never rolls over.
        Default: 0

-pdoswdd_logs
        Number of pdoswdd log files used before the log files are recycled. A value of 0 means the log files are not recycled. A non-zero value has an effect only when pdoswdd_log_entries is also non-zero.

        Default: 0

-refresh_interval
        Interval, in minutes, at which the Policy Director management server is polled for policy updates (polling applies when no policy update has been received from the management server within the interval). A value of zero means that policy database updates are not obtained by polling. See also -ssl_listening_port.
        Default: 10 minutes

-rspfile
        Name of a file containing configuration option values.

-sec_master_pwd
        The Policy Director security master password.

-ssl_listening_port
        Port on which to listen for policy database update notifications. A value of zero means that policy database updates are not received by notification. See also -refresh_interval.
        Default: 0

-suffix
        The LDAP suffix.

-tcb_interval
        Interval, in seconds, at which all TCB files are checked for signature changes. The workload is spread evenly across the interval. (The syntax summary above shows this operand as number_of_minutes; the description and the default here are in seconds.)
        Default: 1800

-tcb_max_file_size
        Maximum number of megabytes of a file that are read to compute its checksum. The bytes checked are distributed across the whole file.
        Default: 10

-tcb_monitor_threads
        Number of threads used to monitor TCB files for changes. A value greater than 1 is useful only on multiprocessor machines. Must be a positive integer.
        Default: 1

-uid
        Enables caching of the mapping between uid/gid and user/group names.
        Default: off

-usage
        Displays help on command usage.

-user_cred_refresh
        Interval, in minutes, at which users' credentials are refreshed.
        Default: 720

-version
        Displays the version of the pdoscfg utility.


-warning
        Enables global authorization warning mode.
        Default: off

-?      Displays help on command usage.
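As an added example, not part of PDOS or of this guide, the following checks a proposed set of pdoscfg values against the constraints stated in the option descriptions above before they are applied: cred_hold must exceed both credential refresh intervals, the thread counts must be positive integers, the audit levels must be valid, audit_logs only matters when audit_log_entries is non-zero, and, taking the two zero-value descriptions together, no policy updates arrive at all when refresh_interval and ssl_listening_port are both 0. The defaults are those listed above; the option names are used as dictionary keys without the leading hyphen.

```python
"""Sanity-check pdoscfg option values against the constraints the pdoscfg
reference states.

Added example, not part of PDOS. Defaults are the documented ones. Errors are
settings the reference says are invalid; warnings are settings that are
legal but have no effect or leave policy updates unreachable.
"""

DEFAULTS = {
    "admin_cred_refresh": 360,
    "audit_level": "none",
    "audit_log_entries": 0,
    "audit_logflush": 5,
    "audit_logs": 0,
    "audit_log_size": 1000000,
    "autostart": "on",
    "cred_hold": 10080,
    "dns": "on",
    "kmsg_hnd_threads": 4,
    "login_policy": "on",
    "refresh_interval": 10,
    "ssl_listening_port": 0,
    "tcb_interval": 1800,
    "tcb_max_file_size": 10,
    "tcb_monitor_threads": 1,
    "uid": "off",
    "user_cred_refresh": 720,
    "warning": "off",
}

AUDIT_LEVELS = {"all", "none", "permit", "deny", "admin", "verbose", "info"}
ON_OFF_OPTIONS = ("autostart", "dns", "login_policy", "uid", "warning")
THREAD_OPTIONS = ("kmsg_hnd_threads", "tcb_monitor_threads")


def validate_pdoscfg(options):
    """Return (errors, warnings) for a dict of option -> value, applying the
    documented defaults to anything not supplied."""
    cfg = dict(DEFAULTS)
    cfg.update(options)
    errors, warnings = [], []

    for name in ON_OFF_OPTIONS:
        if cfg[name] not in ("on", "off"):
            errors.append(f"{name} must be on or off, got {cfg[name]!r}")

    # Both thread counts must be positive integers.
    for name in THREAD_OPTIONS:
        value = cfg[name]
        if not isinstance(value, int) or value < 1:
            errors.append(f"{name} must be a positive integer, got {value!r}")

    # cred_hold must exceed both refresh intervals.
    if (cfg["cred_hold"] <= cfg["admin_cred_refresh"]
            or cfg["cred_hold"] <= cfg["user_cred_refresh"]):
        errors.append("cred_hold must be greater than admin_cred_refresh "
                      "and user_cred_refresh")

    # audit_level is a comma-delimited list of known level names.
    levels = {item.strip() for item in str(cfg["audit_level"]).split(",")}
    bad = levels - AUDIT_LEVELS
    if bad:
        errors.append(f"unknown audit_level value(s): {sorted(bad)}")

    # Recycling is only meaningful when the log rolls over.
    if cfg["audit_logs"] and not cfg["audit_log_entries"]:
        warnings.append("audit_logs has no effect while audit_log_entries is 0")

    # Zero disables polling; zero disables notification; both zero means neither.
    if cfg["refresh_interval"] == 0 and cfg["ssl_listening_port"] == 0:
        warnings.append("refresh_interval and ssl_listening_port are both 0: "
                        "policy updates will be received neither by polling "
                        "nor by notification")

    threads = cfg["tcb_monitor_threads"]
    if isinstance(threads, int) and threads > 1:
        warnings.append("tcb_monitor_threads > 1 only helps on multiprocessor machines")

    return errors, warnings
```

The documented defaults pass without errors or warnings; a cred_hold shorter than a refresh interval, a misspelt audit level or a zero thread count each produce an error.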


pdosctl

Purpose

Sends control messages to the PDOS daemons.

Syntax

pdosctl -k [daemon [-k daemon ...]]
        -s [daemon [-s daemon ...]] [-q]
        -w [on|off]
        -a [audit-level[:{on|off}] [-a audit-level[:{on|off}] ...]]
        -A [audit-level[:{on|off}] [-A audit-level[:{on|off}] ...]]
        -t [daemon[:trace-string] [-t daemon[:trace-string] ...]]
        [-Vvh?]
        [-t trace-string]

Description

The pdosctl command sends control messages to the specified PDOS daemons. It can shut down all or selected daemons, control the audit view, control warning mode, set debug trace levels, and display the status of the daemons. The PDOS daemons are pdosd, pdosauditd and pdoswdd.

Specifying -k without an argument shuts down all PDOS daemons. -k followed by a daemon name shuts down that one daemon. -k may be specified more than once on a command line.

Specifying -s without an argument displays the status of each PDOS daemon. -s followed by a daemon name displays the status of that daemon. -s may be specified more than once on a command line.

The -q option may be given together with -s. It suppresses the messages that -s would print and sets the return code to 0 (success) or 1 (one or more of the daemons queried is down).

Specifying -w without an argument displays the PDOS global warning mode setting. -w followed by the keyword on or off sets global warning mode.

Specifying -a or -A without an argument displays the current global audit level of the PDOS daemons. -a and -A can also be used to change the current global audit level.

• -A resets the current global level to the specified value. When several -A options are given on one command line, the global audit level is set to all of the specified values.

• -a modifies the global audit level by setting or resetting only the specified level. Several -a options may be given on one command line.


To set or reset an audit level, follow -a or -A with the audit level and the keyword on or off joined by a colon (:). The valid audit levels are all, none, permit, deny, admin, verbose, error and info.

Specifying -t without an argument displays the current trace level of each PDOS daemon. -t followed by a daemon name displays that daemon's trace level. -t can also set the trace level of a daemon: follow -t with the daemon name, a colon (:) and the trace string. The -t option is for debugging by PDOS support only, and the format of the trace string is not documented. -t may be specified more than once on a command line.

Root authority is required to use the pdosctl command.

Options

-V      Displays version information.
-v      Displays verbose messages.
-h      Displays the usage message.
-?      Displays the usage message.
-t trace-string
        Sets the trace string so that trace messages are displayed.
-k [daemon]
        Sends a control message to shut down the specified daemon.
-s [daemon]
        Sends a control message to query the status of the specified daemon.
-w      Sends a control message to turn global warning mode on or off.
-a [audit level]
        Sends a control message to change the global audit level, setting or resetting only the level given.
-A [audit level]
        Sends a control message to reset the global audit level to the level or levels given.
-t [daemon]
        Sends a control message to set or display the trace level of the specified daemon.

Return codes

0       The command completed successfully.
1       An error occurred.

Examples

The following are examples of pdosctl usage.

1. To shut down all PDOS daemons, enter:


pdosctl -k

The output is:

pdosd shutdown
pdoswdd shutdown
pdosauditd shutdown

2. To shut down only the pdoswdd daemon, enter:

pdosctl -k pdoswdd

The output is:

pdoswdd shutdown

3. To check the status of PDOS, enter:

pdosctl -s

The output is:

pdosd is running normally
pdoswdd is running normally
pdosauditd is running normally

4. To turn global warning mode on, enter:

pdosctl -w on

Remember that while warning mode is on, access that policy would deny is granted and only recorded in the audit log (see the description of warning mode in Chapter 5).

5. To query global warning mode, enter:

pdosctl -w

The output is:

The global warning mode setting is on

6. To set the global audit level to permit and deny, enter:

pdosctl -A permit:on -A deny:on

7. To add the admin level to the global audit level, enter:

pdosctl -a admin:on

8. To query the global audit level, enter:

pdosctl -a

The output is:

pdosd has the following audit levels on: permit, deny, admin
pdoswdd has the following audit levels on: permit, deny, admin
pdosauditd has the following audit levels on: permit, deny, admin


pdosdestroy

Purpose: Destroys the PDOS credentials of the specified user.

Syntax:

pdosdestroy [-Vvh?]
    [-t trace-string]
    [-u uid] [-u uid ...]
    [-n name] [-n name ...]

Description: The pdosdestroy command removes the cached PDOS credentials of the specified user from the PDOS credential cache. If neither the -u nor the -n option is specified, the credentials of the current user are destroyed. If the -u option is specified, the credentials of the user identified by UID are destroyed. If the -n option is specified, the credentials of the user identified by name are destroyed.

The -u and -n options can each be specified more than once on a single command line, and both can be used together. Privilege is required to use the pdosdestroy command when the -u or -n option is specified.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
-u uid Specifies the UID of the user whose credentials are to be destroyed.
-n name Specifies the UNIX name of the user whose credentials are to be destroyed.

Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdosdestroy usage follow.

1. To destroy the credentials of the current user, enter:

pdosdestroy

2. To destroy the credentials of the users anne and riley (UID 300), enter:

pdosdestroy -n anne -u 300


pdosexempt

Purpose: Disables PDOS authorization decisions.

Important: This command disables PDOS authorization decisions. Be sure to use the pdosrevoke command to revoke the exemption from authorization decisions.

Syntax:

pdosexempt [-Vvh?]
    [-t trace-string]
    [-i]
    [pid [pid ...]]

Description: The pdosexempt command disables PDOS authorization decisions. When pdosexempt is run with no arguments, all processes running under the OSSEAL privileged user (osseal) are exempted from policy. In addition, all child processes running as the OSSEAL privileged user (osseal) are exempted from policy.

If a PID or a list of PIDs is specified on the pdosexempt command line, the processes identified by those PIDs are permanently exempted from policy. The list of PIDs must come last on the pdosexempt command line.

The -i option can be specified together with a list of PIDs. When -i is specified, all future children of the processes identified by the specified PIDs inherit the policy exemption.

The pdosrevoke command is used to revoke a PDOS authorization exemption granted by the pdosexempt command.

Privilege is required to use the pdosexempt command.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
-i Causes the child processes of the specified PIDs to inherit the policy exemption as well.

Return codes:

0 The command completed successfully.
1 An error occurred.


Examples of pdosexempt usage follow.

1. To exempt all processes running under the OSSEAL privileged user from PDOS authorization decisions, enter:

pdosexempt

The output is as follows:

User osseal (uid 1444) is now exempt from PDOS policy.

2. To exempt a specific process and its children from PDOS authorization decisions, enter:

pdosexempt -i 9688

The output is as follows:

Process 9688 and any future children are now exempt from PDOS policy.


pdoshla

Purpose: Manages the IP-address-to-host-name lookaside database.

Syntax:

pdoshla [-Vvh?]
    [-t trace-string]
    [-D DB-path] -F
    [-D DB-path] -f
    [-D DB-path] -r IP-addr
    [-D DB-path] -a IP-addr [-T TTL-secs -H hostname]
    [-D DB-path] -l {all | stale | fresh }
    [-D DB-path] -u

Description: The pdoshla command adds, deletes, refreshes, and displays entries in the IP-address-to-host-name lookaside database.

If the -D option is not specified, the default database is used. The default database is in the /var/pdos/hla directory. An entry for a specific IP address can be added to the database with the -a option.

If the -T option is not specified together with the -a option, the lifetime of the entry is set to the default of 21600 seconds (6 hours).

If the -H option is not specified, a DNS lookup is performed to obtain the host name for the specified IP address.

To remove entries from the database, use the following options:

¶ The -F option flushes the entire database.

¶ The -f option flushes only stale entries.

¶ The -r option removes a single entry.

To refresh all database entries, specify the -u option. This causes a DNS host name lookup to be performed for every entry found in the database.

Entries in the database can be displayed with the -l option together with the all, stale, or fresh qualifier.

Privilege is required to use the pdoshla command.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
-D database_path Specifies the path name of the database.
-F Specifies that all entries are to be flushed from the database.
-f Specifies that stale entries are to be flushed from the database.
-r IP_address Removes the entry from the database.
-a IP_address Adds or updates an entry in the database.
-T TTL_seconds Specifies the lifetime (in seconds) of a new database entry at the time it is created.
-H Hostname Specifies the host name.
-l Lists the database entries.
-u Refreshes all entries in the database.

Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdoshla usage follow.

1. To add an entry for IP address 146.84.107.11 to the default database, enter:

pdoshla -a 146.84.107.11

2. To display all entries in the default database, enter:

pdoshla -l all

The output is as follows:

# Internet Address     Hostname
9.41.3.101             carlb.austin.lab.tivoli.com
146.84.107.11          riley.tivoli.com
9.41.3.123             dfstest13.austin.lab.tivoli.com

3. To display the stale entries found in the default database, enter:

pdoshla -l stale

The output is as follows:

# Internet Address     Hostname
9.41.3.123             dfstest13.austin.lab.tivoli.com

4. To flush stale entries from the default database, enter:

pdoshla -f

5. To refresh all entries found in the default database, enter:

pdoshla -u
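The entry lifetime and the stale/fresh distinction described above can be illustrated with a small model of the lookaside database. The following Python code is an added example and is not part of PDOS: the DNS lookup is a constructed table, the clock is injectable so that entry aging can be exercised offline, and the class and method names are assumptions. It uses the 21600-second default lifetime stated above.

```python
"""Added example: a model of an IP-address-to-host-name lookaside database with
per-entry lifetimes, in the style pdoshla describes. Not PDOS code."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_TTL_SECS = 21600  # default entry lifetime (6 hours) stated on the page

# Constructed stand-in for a DNS lookup; a real tool would query the resolver.
FAKE_DNS = {
    "9.41.3.101": "carlb.austin.lab.tivoli.com",
    "146.84.107.11": "riley.tivoli.com",
    "9.41.3.123": "dfstest13.austin.lab.tivoli.com",
}


def fake_dns_lookup(ip: str) -> Optional[str]:
    return FAKE_DNS.get(ip)


@dataclass
class Entry:
    hostname: str
    created: float   # clock value when the entry was added or last refreshed
    ttl: int         # lifetime in seconds


class LookasideDB:
    """Assumed API; the option letters in comments map to the pdoshla options."""

    def __init__(self, lookup: Callable[[str], Optional[str]] = fake_dns_lookup,
                 clock: Callable[[], float] = time.time) -> None:
        self._lookup = lookup
        self._clock = clock
        self._entries: Dict[str, Entry] = {}

    def add(self, ip: str, hostname: Optional[str] = None,
            ttl: int = DEFAULT_TTL_SECS) -> str:
        # -a: add or update; -H supplies the name, otherwise resolve it; -T sets the lifetime
        if hostname is None:
            hostname = self._lookup(ip)
            if hostname is None:
                raise LookupError(f"no host name found for {ip}")
        self._entries[ip] = Entry(hostname, self._clock(), ttl)
        return hostname

    def is_stale(self, ip: str) -> bool:
        e = self._entries[ip]
        return self._clock() - e.created >= e.ttl

    def list_entries(self, which: str = "all") -> List[Tuple[str, str]]:
        # -l {all | stale | fresh}
        if which not in ("all", "stale", "fresh"):
            raise ValueError(f"unknown qualifier {which!r}")
        out = []
        for ip, e in self._entries.items():
            if which == "all" or (which == "stale") == self.is_stale(ip):
                out.append((ip, e.hostname))
        return out

    def remove(self, ip: str) -> None:
        # -r: remove a single entry
        self._entries.pop(ip, None)

    def flush(self, stale_only: bool = False) -> int:
        # -F flushes everything; -f flushes only stale entries
        victims = [ip for ip in self._entries if not stale_only or self.is_stale(ip)]
        for ip in victims:
            del self._entries[ip]
        return len(victims)

    def refresh(self) -> int:
        # -u: re-resolve every entry, restarting its lifetime
        refreshed = 0
        for ip, e in list(self._entries.items()):
            name = self._lookup(ip)
            if name is not None:
                self._entries[ip] = Entry(name, self._clock(), e.ttl)
                refreshed += 1
        return refreshed
```

An entry becomes stale once its age reaches its lifetime; `-f` removes only those entries, while `-u` re-resolves every entry and restarts its lifetime, which is why a refreshed database lists nothing as stale.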


pdoslpadm

Purpose: Queries the state of UNIX user accounts and queries and sets the login and password policy on the PDOS node.

Syntax:

pdoslpadm [-hvq?]
    -r [-e | -d] [uid | user] ...
    -l [uid | user]
    -u [uid | user]
    -p

Description: Use the pdoslpadm command to query the login and password policy of the PDOS node. It can also query and set the state of individual UNIX user accounts.

The -r, -l, -u, and -p options are mutually exclusive.

Use the -r option to produce a report of the state of valid UNIX user accounts. With -e, the report is filtered to accounts in the locked state; with -d, it is filtered to accounts in the unlocked state. If a list of users is specified, only the state of the users in the list who meet the specified filter criteria is displayed.

The -l option locks or disables user accounts, and the -u option enables user accounts.

Specify -p to list the current policy settings of the node.

Options:

-h Displays the usage message.
-? Displays the usage message.
-v Displays the version number.
-q Runs quietly, displaying nothing and returning only the return status.
-r Reports the state of user accounts.
-e Filters the report to user accounts in the locked state.
-d Filters the report to user accounts in the unlocked state.
-l Locks the specified user accounts.
-u Unlocks the specified user accounts.
-p Displays the current policy settings of the PDOS node.


Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdoslpadm usage follow.

1. To display version information, enter:

#pdoslpadm -v

2. To query all users in the locked state, enter:

#pdoslpadm -r -d

The output is as follows:

User     State    Time                           Reason
ajones   locked   The Aug 17 09:26:00 CDT 2000   Expired on
kevin    locked   The Jan 18 09:43:00 CDT 2000   Inactive

3. To display the current policy for the PDOS node, enter:

#pdoslpadm -p

The output is as follows:

MaxPasswordDays 90
MinPasswordDays 30
MaxInactiveDays 180
MaxFailedLogins 5
MaxGraceLogins 3
LoginMinutes 5
LockMinutes 5
LoginPolicyDisabled False


pdosobjsig

Purpose: Manages the PDOS object signature database.

Syntax:

pdosobjsig [-Vvh?]
    [-t trace-string]
    [-D DB-path] -g objname
    [-D DB-path] -c objname
    [-D DB-path] -u objname -s {trusted | untrusted}
    [-D DB-path] -S {trusted | untrusted}
    [-D DB-path] -l {all | trusted | untrusted}

Description: The pdosobjsig command displays, changes, and checks the state of objects in the PDOS object signature database.

If the -D option is not specified, the default database is used. The default database is in the /var/pdos/tcb directory. Objects in the database can be displayed with the -g or -l option.

The -l option lists all objects found in the database, according to the all, trusted, or untrusted qualifier.

The -g option displays the state information of a single object.

Using -u together with the -s option, or using the -S option, changes the state of objects found in the database. The -u option sets the state of a single object to trusted or untrusted. The -S option sets the state of all objects to trusted or untrusted.

Privilege is required to use the pdosobjsig command. The state of the pdosobjsig command itself cannot be set to untrusted.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
-g objname Displays the state information of the specified object.
-c objname Checks the state of the specified object.
-u objname Updates the state of the specified object in the database.
-S Updates the state of all objects in the database.
-l Lists the objects in the database.

Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdosobjsig usage follow.

1. To change the state of the /anne/usertest object in the default database, enter:

pdosobjsig -u /anne/usertest -s untrusted

2. To display all objects in the untrusted state found in the default database, enter:

pdosobjsig -l untrusted

The output is as follows:

Object Name : /anne/usertest
CRC sum : 279204844
Inode 289 on device 10/5
Permissions : rwxr-xr-x
Owner : 0 : root
Group : 0 :system
Size : 6446
Last status update time : Fri Sep 15 11:04:12 2000
Last modification time : Fri Sep 15 11:04:12 2000
State : Untrusted
Reason : The Administrator changed the state explicitly.
Last state transition time: Wed Oct 25 16:07:28 2000

3. To reset the state of the /anne/usertest object in the default database, enter:

pdosobjsig -u /anne/usertest -s trusted

4. To set the state of all objects in the default database to trusted, enter:

pdosobjsig -S trusted

5. To display the object /anne/usertest, enter:

pdosobjsig -g /anne/usertest

The output is as follows:

Object Name : /anne/usertest
State : Trusted
Reason : The Administrator changed the state explicitly.
Last state transition time: Wed Oct 25 16:16:45 2000
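The object signature database described above (a checksum and size recorded per object, a trusted or untrusted state, and a reason for the last transition) can be modelled in a few dozen lines. The following Python code is an added example, not PDOS code: it uses zlib.crc32 as the checksum (an assumption; the page does not say which CRC PDOS computes), the class and method names are constructed, and the object it signs is a constructed file in a temporary directory. It goes slightly beyond the page by showing what a check does when the object has changed since it was signed.

```python
"""Added example: a model of an object signature database of the kind pdosobjsig
manages (register, check, set state, list). Not PDOS code; the checksum is
zlib.crc32, an assumption, since the page does not say which CRC PDOS uses."""
import os
import tempfile
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ObjectRecord:
    crc: int
    size: int
    state: str    # "Trusted" or "Untrusted", as in the pdosobjsig output
    reason: str


def sign_file(path: str) -> Tuple[int, int]:
    """Return (crc, size) for the file; both are compared on check."""
    with open(path, "rb") as f:
        data = f.read()
    return zlib.crc32(data) & 0xFFFFFFFF, len(data)


class SignatureDB:
    def __init__(self) -> None:
        self._db: Dict[str, ObjectRecord] = {}

    def register(self, path: str) -> ObjectRecord:
        crc, size = sign_file(path)
        self._db[path] = ObjectRecord(crc, size, "Trusted",
                                      "Registered by the administrator.")
        return self._db[path]

    def set_state(self, path: str, state: str) -> ObjectRecord:
        # -u objname -s {trusted | untrusted}
        if state not in ("trusted", "untrusted"):
            raise ValueError(f"state must be trusted or untrusted, not {state!r}")
        rec = self._db[path]
        rec.state = state.capitalize()
        rec.reason = "The Administrator changed the state explicitly."
        return rec

    def set_all(self, state: str) -> None:
        # -S {trusted | untrusted}
        for path in self._db:
            self.set_state(path, state)

    def check(self, path: str) -> bool:
        # -c objname: recompute the signature; a mismatch demotes the object
        rec = self._db[path]
        if sign_file(path) != (rec.crc, rec.size):
            rec.state = "Untrusted"
            rec.reason = "The object changed since it was signed."
            return False
        return rec.state == "Trusted"

    def list_objects(self, which: str = "all") -> List[str]:
        # -l {all | trusted | untrusted}
        return [p for p, r in self._db.items()
                if which == "all" or r.state.lower() == which]


def demo() -> Dict[str, object]:
    """Exercise the database on a constructed file in a temporary directory."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "usertest")          # constructed object
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\necho original\n")
    db = SignatureDB()
    db.register(path)
    results = {"fresh_check": db.check(path)}       # True: untouched and Trusted
    db.set_state(path, "untrusted")
    results["untrusted_list"] = db.list_objects("untrusted") == [path]
    db.set_all("trusted")
    results["after_reset"] = db.check(path)        # True again
    with open(path, "ab") as f:                    # modify the object
        f.write(b"echo tampered\n")
    results["tampered_check"] = db.check(path)     # False: signature mismatch
    results["tampered_state"] = db.list_objects("untrusted") == [path]
    os.remove(path)
    os.rmdir(tmp)
    return results
```

A modified object fails its check and is recorded as untrusted with a reason, which is the property an administrator relies on when using the trusted/untrusted listing to review the TCB.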


pdosrefresh

Purpose: Refreshes the PDOS credentials of the specified user.

Syntax:

pdosrefresh [-Vvh?]
    [-t trace-string]
    [-u uid] [-u uid ...]
    [-n name] [-n name ...]

Description: The pdosrefresh command refreshes the cached PDOS credentials of the specified user.

If neither the -u nor the -n option is specified, the credentials of the current user are refreshed. If the -u option is specified, the credentials of the user identified by UID are refreshed.

If the -n option is specified, the credentials of the user identified by name are refreshed. The -u and -n options can each be specified more than once on a single command line, and both can be used together.

Privilege is required to use the pdosrefresh command when the -u or -n option is specified.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
-u uid Specifies the UID of the user whose credentials are to be refreshed.
-n name Specifies the UNIX name of the user whose credentials are to be refreshed.

Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdosrefresh usage follow.

1. To refresh the credentials of the current user, enter:

pdosrefresh

2. To refresh the credentials of the users anne and riley (UID 300), enter:

pdosrefresh -n anne -u 300


pdosrevoke

Purpose: Revokes the exemption from PDOS authorization decisions.

Syntax:

pdosrevoke [-Vvh?]
    [-t trace-string]
    [pid [pid ...]]

Description: The pdosrevoke command revokes an exemption from PDOS authorization decisions that was previously granted by the pdosexempt command.

When pdosrevoke is run with no arguments, the exemption from policy is revoked for all processes running under the OSSEAL privileged user (osseal). This does not affect processes that were explicitly exempted by a pdosexempt command run with PID parameters.

If a PID or a list of PIDs is specified on the pdosrevoke command line, the exemption from policy is permanently revoked for the processes identified by those PIDs. The list of PIDs must come last on the pdosrevoke command line.

There is no inverse of the pdosexempt -i command-line flag. The privilege of every exempted process must be revoked explicitly.

Privilege is required to use the pdosrevoke command.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.

Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdosrevoke usage follow.

1. To revoke the exemption granted to the OSSEAL privileged user by the pdosexempt command, enter:

pdosrevoke

The output is as follows:

User osseal (uid 1444) is no longer exempt from PDOS policy.

The UID may differ on your system.

2. To revoke the exemption granted to PID 9688 by pdosexempt, enter:

pdosrevoke 9688

The output is as follows:

Process 9688 is no longer exempt from PDOS policy.


pdosrgyimp

Purpose: Imports UNIX users and groups into the Policy Director user registry.

Syntax:

pdosrgyimp [-u |-g |-a]
    [-dinrVvh?]
    [-G default-group]
    -S suffix
    [-P password]
    [-L log-directory]
    [-E exclude-file]
    [-I include-file]
    -l PD-login-id
    [-p PD-password]

Description: The pdosrgyimp command imports UNIX users and groups from the UNIX registry into the Policy Director user registry. All Policy Director user accounts are set to valid by default; the -d option, however, disables (invalidates) the accounts. The password of each Policy Director user account is set to invalid at creation time.

Command-line options select the parts of the UNIX registry that are imported. The -u, -g, and -a options determine whether users, groups, or both users and groups are imported. By default, both users and groups are imported.

The -I option limits the import to a specific set of the users and groups found in the UNIX registry.

The -E option excludes a specific set of the users and groups found in the UNIX registry. If an attempt is made to create a Policy Director user registry entry for a user that already exists, that user is excluded from the rest of the import. Excluded users are never added during the creation of group memberships. If an attempt is made to create a Policy Director user registry entry for a group that already exists, the entries corresponding to the UNIX group membership are not added to the existing group. Use the -r flag to change this behavior.

As part of importing UNIX groups into the Policy Director user registry, the Policy Director users that were excluded neither by command-line options nor by conflicts are added to the Policy Director group. Take care when importing groups separately from users.

The -S parameter is required for every import. It specifies the suffix of the existing Policy Director user registry that is used in the distinguished name (dn) of each user and group. Policy Director users and groups are created with the following mapping:

User name     UNIX-user-name
User cn       UNIX-user-name
User sn       UNIX-user-name
User dn       cn=pdos user UNIX-user-name, suffix
Group name    UNIX-group-name
Group cn      UNIX-group-name
Group dn      cn=pdos group UNIX-user-name, suffix

The pdosrgyimp command creates two files, pdosrgyimp.import and pdosrgyimp.conflict, in the current working directory. Records of what is created in the Policy Director user registry are written to the pdosrgyimp.import file. When an attempt is made to create a user or group that already exists in the Policy Director user registry, a record of the conflict is written to the pdosrgyimp.conflict file.

Both files are written as commands that can be submitted to the pdadmin tool, together with comments describing the action. The pdosrgyimp.conflict file contains a comment line describing the failure, followed by the pdadmin command that produced the conflict. For example:

### create user failed
#user create "test1" "cn=pdos user test1,ou=tivoli,o=ibm" "test1" "test1" "s12t"

An example taken from a pdosrgyimp.import file follows:

### create user
#user create "riley" "cn=pdos user riley,ou=tivoli,o=ibm" "riley" "riley" "3AD4l00u"
user modify "riley" password-valid no
user modify "riley" account-valid yes
### create user
#user create "maggie" "cn=pdos user maggie,ou=tivoli,o=ibm" "maggie" "maggie" "34pkjTaU"
user modify "maggie" password-valid no
user modify "maggie" account-valid yes
### create group
#group create "canine" "cn=pdos group canine,ou=tivoli,o=ibm" "canine"
group modify "canine" add "riley"
group modify "canine" add "maggie"


The -n (noaction) option generates the list of pdadmin-style commands that would be executed if the -n option had not been specified.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-u Specifies that only UNIX users are imported.
-g Specifies that only UNIX groups are imported.
-a Specifies that UNIX users and groups are imported.
-i When importing UNIX users and groups, if a matching LDAP entry exists and that entry is not yet a Policy Director user or group, the entry must be imported from LDAP.
-n Specifies that no action is taken. A list of pdadmin commands is generated.
-r Specifies that the group membership of existing groups is refreshed. If a group requested for import already exists in Policy Director, all users of the UNIX group that were not excluded are added to the existing Policy Director group.
-d Disables all newly created Policy Director user accounts.
-G default-group Specifies the name of the Policy Director group of which all newly imported users become members. If the group does not exist, it is created.
-S suffix-string Specifies the Policy Director suffix that is appended to the common name when distinguished names are created in the Policy Director user registry. The suffix must already exist in the Policy Director user registry.
-L log-directory Specifies the directory in which the pdosrgyimp.import and pdosrgyimp.conflict logs are created.
-E exclude-file Specifies the name of a file containing the list of UNIX users and groups to exclude from the import. Entries in the file have the following form:

# Comment characters
USER UNIX_user_name
USER UNIX_user_name
GROUP UNIX_group_name
GROUP UNIX_group_name
...

-I include-file Specifies the name of a file containing the list of UNIX users and groups to include in the import. Entries in the file have the following form:

# Comment characters
USER UNIX_user_name
USER UNIX_user_name
GROUP UNIX_group_name
GROUP UNIX_group_name
...

-P password Specifies the default password used for all Policy Director user accounts created by this import.
-l PD-login-id Specifies the login ID of the Policy Director administrator performing the import. This user must be a member of the iv-admin group.
-p PD-password Specifies the password for the Policy Director administrator login ID. If the password is not specified on the command line, you are prompted for it.
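The selection rules above (include and exclude files, conflicts with existing users and groups, and the effect of -r on group membership) are easiest to follow in code. The following Python is an added example, not the pdosrgyimp implementation: it parses the USER/GROUP file format shown above, applies the selection to a constructed UNIX registry extract, and emits commands in the layout of the pdosrgyimp.import and pdosrgyimp.conflict files on this page using the dn mapping given in the description. The function names, the placeholder password, and the reading that -r lets pre-existing users be added to an existing group are assumptions.

```python
"""Added example: a model of how pdosrgyimp selects UNIX users and groups with
include/exclude files and emits pdadmin-style commands using the dn mapping
shown on this page. Not PDOS code; function names and the UNIX registry input
are constructed."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

Selection = Tuple[Set[str], Set[str]]   # (user names, group names)

# Constructed UNIX registry extract and include file (not from a real system).
SAMPLE_USERS = ["riley", "maggie", "test1"]
SAMPLE_GROUPS = {"canine": ["riley", "maggie", "test1"]}
SAMPLE_INCLUDE = "# constructed include file\nUSER riley\nUSER maggie\nGROUP canine\n"


def parse_selection_file(text: str) -> Selection:
    """Parse the USER/GROUP list format of the -E and -I files; '#' starts a comment."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, name = line.partition(" ")
        name = name.strip()
        if kind == "USER" and name:
            users.add(name)
        elif kind == "GROUP" and name:
            groups.add(name)
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return users, groups


def plan_import(unix_users: Iterable[str], unix_groups: Dict[str, List[str]],
                suffix: str, include: Optional[Selection] = None,
                exclude: Optional[Selection] = None,
                existing_users: Iterable[str] = (), existing_groups: Iterable[str] = (),
                refresh: bool = False,
                password: str = "<placeholder-password>") -> Tuple[List[str], List[str]]:
    """Return (import commands, conflict records) in the layout the page shows."""
    unix_users = list(unix_users)
    inc_u, inc_g = include if include is not None else (set(unix_users), set(unix_groups))
    exc_u, exc_g = exclude if exclude is not None else (set(), set())
    existing_users, existing_groups = set(existing_users), set(existing_groups)
    cmds: List[str] = []
    conflicts: List[str] = []
    imported: Set[str] = set()
    for u in unix_users:
        if u not in inc_u or u in exc_u:
            continue
        create = f'#user create "{u}" "cn=pdos user {u},{suffix}" "{u}" "{u}" "{password}"'
        if u in existing_users:          # conflict: the user drops out of the import
            conflicts += ["### create user failed", create]
            continue
        imported.add(u)
        cmds += ["### create user", create,
                 f'user modify "{u}" password-valid no',
                 f'user modify "{u}" account-valid yes']
    for g, members in unix_groups.items():
        if g not in inc_g or g in exc_g:
            continue
        create = f'#group create "{g}" "cn=pdos group {g},{suffix}" "{g}"'
        if g in existing_groups and not refresh:
            conflicts += ["### create group failed", create]
            continue
        if g not in existing_groups:
            cmds += ["### create group", create]
        for m in members:
            # A member is added only if it was not excluded and is now a Policy
            # Director user: imported in this run, or pre-existing when -r refreshes
            # an existing group (assumed reading of the -r description).
            if m in exc_u or not (m in imported or (refresh and m in existing_users)):
                continue
            cmds.append(f'group modify "{g}" add "{m}"')
    return cmds, conflicts
```

Running `plan_import(SAMPLE_USERS, SAMPLE_GROUPS, "ou=tivoli,o=ibm", include=parse_selection_file(SAMPLE_INCLUDE))` reproduces the shape of the import file shown above for riley, maggie, and canine; passing `existing_users=["test1"]` instead moves test1 into the conflict list and keeps it out of the group.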

Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdosrgyimp usage follow.

1. To import all users and groups from the UNIX registry, enter:

pdosrgyimp -S o=ibm -l sec_master

2. To import all users and groups from the UNIX registry and refresh the group membership of UNIX groups that already existed in the Policy Director user registry, enter:

pdosrgyimp -S o=ibm -l sec_master -r

3. To import all users and groups from the UNIX registry except those found in the exclude file named exclude.1, enter:

pdosrgyimp -S o=ibm -l sec_master -E exclude.1

4. To import from the UNIX registry only the users and groups listed in the include file named include.1, enter:

pdosrgyimp -S o=ibm -l sec_master -I include.1

5. To import from the UNIX registry only the users listed in the include file named include.2 and add them as members of the group default-group, enter:

pdosrgyimp -S o=ibm -l sec_master -u -I include.2 -G default-group

6. To import from the UNIX registry only the groups listed in the include file named include.2, excluding from the group membership the users listed in the exclude file named exclude.2, enter:

pdosrgyimp -S o=ibm -l sec_master -g -I include.2 -E exclude.2


pdosrstr

Purpose: Restores the PDOS databases and configuration files.

Syntax: pdosrstr [-Vh?] -f filename

Description: The pdosrstr command restores PDOS files that were previously saved with the pdosbkup command. The files are restored from the backup file specified with the -f option.

Privilege is required to use the pdosrstr command.

Options:

-V Displays version information.
-h Displays the usage message.
-? Displays the usage message.
-f filename Specifies the name of the backup file.

Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdosrstr usage follow.

1. To restore the files saved in the file pdosbkup25Oct2000.14:32:41.tar, enter:

pdosrstr -f /var/pdos/pdosbkup/pdosbkup25Oct2000.14:32:41.tar


pdossudo

Purpose: Runs a command as the root UNIX user.

Syntax:

pdossudo [-Vvh?]
    [-t trace-string]
    command-alias [arg [arg ...]]

Description: The pdossudo command lets an authorized user run a command that requires UNIX privileges the current UNIX user does not otherwise hold. The invoker must pass the following authorization checks before the command is run:

¶ The effective PDOS user must have permission to act as the target user, as specified in the policy branch of the Sudo protected object.

¶ The effective PDOS user must have permission to execute the specified sudo command (or the corresponding named class, if an ACL exists).

¶ The arguments must satisfy all the conditions specified in the corresponding argument class.

Privilege is required to use the pdossudo command.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.

Return codes:

0 The command completed successfully.
1 An error occurred.

For information about setting up commands for use with pdossudo, see "Sudo usage" on page 47.


pdosucfg

Purpose: Unconfigures PDOS.

Syntax:

pdosucfg [-help]
    [-operations]
    [-remove_once_only (on | off)]
    [-remove_per_policy (on | off)]
    [-rspfile file_name]
    [-sec_master_pwd Policy_Director_password]
    [-usage] [-version] [-?]

Options:

-help Displays help for all options. To display help for a single option, enter -help -option.
-operations Lists the supported options.
-remove_once_only Removes the PDOS policy that is created only once and shared by all PDOS machines. Do not specify this option if other PDOS machines are configured to this Policy Director server, because those machines could become inoperable. If you have added additional policy, you may also have to remove it manually. Default: off
-remove_per_policy Removes the PDOS information for the policy branch that this machine is configured to use. Do not specify this option if other PDOS machines are configured under this policy branch; doing so could make those machines inoperable. If you have added additional policy under this policy branch, you may also have to remove it manually. Default: off
-rspfile The file that contains the unconfiguration options.
-sec_master_pwd The Policy Director security master password.
-usage Displays help on command usage.
-version Displays the version.
-? Displays help on command usage.

Return codes:

0 The command completed successfully.
1 An error occurred.


pdosuidprog

Purpose: Scans for setuid and setgid programs on the system so that the administrator can decide whether to include them in the PDOS trusted computing base (TCB).

Syntax:

pdosuidprog

pdosuidprog [-Vvh?]
    [-t trace-string]
    -l [-H] [-s] [-x dir [-x dir ...]] [directories [directories ...]]
    -g [-c class-name][-H][-s] [-p policy-name] [-x dir [ -x dir...]] [directories ...]

Description: The pdosuidprog command searches the specified directories for setuid and setgid programs. If no directory is specified on the command line, the search starts in the current directory and descends recursively into all directories below it.

More than one directory can be searched by specifying several directories on the command line. Directories must come last on the command line. Directories that are not to be descended into must be specified with the -x option.

The form of the output produced by pdosuidprog depends on whether the -l or -g option is specified. With -l, pdosuidprog generates a list of all setuid and setgid programs found. The list contains the file name, the UID of a setuid program, and the GID of a setgid program.

If -H is specified together with -l, additional hard links that are found are not listed.

The -l option cannot be used together with -g; one of -l or -g must be specified. With -g, pdosuidprog generates the list of pdadmin commands needed to add the setuid and setgid programs to the PDOS TCB.

If -H is specified together with -g, the commands generated for additional hard links are written as comments.

The default class used to generate PDOS TCB entry commands is Secure-Programs. The default class can be changed with the -c option followed by a class name. The valid class-name values are:

¶ Login-Programs

¶ Secure-Files

¶ Secure-Programs

¶ Impersonator-Programs, and

¶ Immune-Programs

The default policy branch name used to generate PDOS TCB object create commands is taken from the osseal.conf file. The policy branch name can be changed with the -p option.

Privilege is required to use the pdosuidprog command.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
-l Generates a list of file names.
-g Generates pdadmin object create commands.
-H Does not generate entries for hard links.
-s Does not follow symbolic links to other file systems.
-c class-name Specifies the class name used in the pdadmin object create commands.
-p policy-name Specifies the policy branch name used in the pdadmin object create commands.
-x dir Specifies a directory that is not to be searched. The directory name must be a fully qualified path name.

Return codes:

0 The command completed successfully.
1 An error occurred.

Examples of pdosuidprog usage follow.

1. To search the current directory for setuid and setgid programs and generate a list of files, enter:

pdosuidprog -l

The output is as follows:

/opt/pdos/bin/pdosunauth : 1444 : 228
/opt/pdos/bin/pdosrefresh : 1444 : 228
/opt/pdos/bin/pdosdestroy : 1444 : 228
/opt/pdos/bin/pdoswhoami : : 228
/opt/pdos/bin/pdoswhois : 1444 : 228
/opt/pdos/bin/pdossudo : 0 : 228
/opt/pdos/bin/pdosexempt : 1444 : 228
/opt/pdos/bin/pdosrevoke : 1444 : 228
/opt/pdos/bin/pdosctl : : 228
/opt/pdos/bin/pdosd : 0 : 228
/opt/pdos/bin/pdoswdd : 0 : 228
/opt/pdos/bin/pdosauditd : 0 : 228
/opt/pdos/etc/lpm.conf : : 228

2. To search the /opt directory for setuid and setgid programs without descending into /opt/pdos/bin, and generate the list of pdadmin commands for the policy branch testbranch, enter:

pdosuidprog -g -x /opt/pdos/bin -p testbranch /opt

The output (formatted to fit the printed page) is as follows:

object create \
/OSSEAL/testbranch/TCB/Secure-Programs /opt/pdos/etc/lpm.conf \
"" 2 ispolicyattachable yes
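The -l output above is a simple three-field record (file name, setuid UID, setgid GID, with an empty field when the bit is not set), and the -g output is the same inventory rendered as pdadmin commands. The following Python code is an added example, not part of pdosuidprog: it parses records in that shape from a constructed sample, picks out the programs that run with uid 0 (the ones a reviewer examines first before adding anything to the TCB), and builds pdadmin lines in the layout shown above. The function names and the sample list are constructed.

```python
"""Added example: parse the "path : uid : gid" lines printed by pdosuidprog -l,
pick out the programs a reviewer wants to see first, and build pdadmin object
create lines in the form shown on this page. Not PDOS code; names are constructed."""
from typing import List, NamedTuple, Optional


class UidProgram(NamedTuple):
    path: str
    setuid: Optional[int]   # None when the file is not setuid
    setgid: Optional[int]   # None when the file is not setgid


# Constructed sample in the shape of the -l output above.
SAMPLE_LIST = """\
/opt/pdos/bin/pdosunauth : 1444 : 228
/opt/pdos/bin/pdoswhoami : : 228
/opt/pdos/bin/pdossudo : 0 : 228
/opt/pdos/bin/pdosd : 0 : 228
/opt/pdos/etc/lpm.conf : : 228
"""


def parse_uidprog_list(text: str) -> List[UidProgram]:
    progs: List[UidProgram] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split from the right so a ':' inside the path cannot break the fields.
        parts = [p.strip() for p in line.rsplit(":", 2)]
        if len(parts) != 3:
            raise ValueError(f"unexpected line: {line!r}")
        path, uid, gid = parts
        progs.append(UidProgram(path, int(uid) if uid else None,
                                int(gid) if gid else None))
    return progs


def root_setuid(progs: List[UidProgram]) -> List[str]:
    """Programs that run with uid 0: the ones to review before adding to the TCB."""
    return [p.path for p in progs if p.setuid == 0]


def object_create_commands(progs: List[UidProgram], branch: str,
                           class_name: str = "Secure-Programs") -> List[str]:
    """pdadmin lines in the layout of the -g output above (class and path separated
    by a space, description "", type 2, ispolicyattachable yes)."""
    return [f'object create /OSSEAL/{branch}/TCB/{class_name} {p.path} "" 2 '
            f'ispolicyattachable yes' for p in progs]
```

Reviewing `root_setuid(parse_uidprog_list(SAMPLE_LIST))` before generating the commands mirrors the purpose stated for this command: the administrator decides which programs belong in the TCB rather than registering every hit.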


pdosunauth

Purpose: Creates a shell that runs commands in an unauthenticated state.

Syntax:

pdosunauth [-Vvh?]
    [-t trace-string]
    [command]

Description: The pdosunauth command creates a shell that is treated as unauthenticated for the purpose of PDOS authentication decisions. The command lets a user test programs while not authenticated. If the command option is specified, the shell is created to run only the specified command.

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
command The name of the command to run.

Return codes:

0 The command completed successfully.
1 An error occurred.

1. To run a shell that can be used to run commands as an unauthenticated user, enter:

pdosunauth

2. To list the /var/pdos/cred directory as an unauthenticated user, enter:

pdosunauth ls /var/pdos/cred

The output is as follows:

ls: /var/pdos/cred:The file access permissions do not allow the specified action.


pdosversion

Purpose: Displays PDOS version information.

Syntax: pdosversion

Description: The pdosversion command displays PDOS version information, including the versions of the PDOS libraries.

Return codes:

0 The command completed successfully.
1 An error occurred.

To display PDOS version information, enter:

pdosversion

The output is as follows:

Policy Director for Operating Systems 3.7.0
pdosversion 3.7.0.0 (001019b)
libosseald 3.7.0.0 (001019b)
libosseal 3.7.0.0 (001019b)
libkosseal 3.7.0.0 (001019b)


pdoswhoami

Purpose: Displays PDOS accessor ID information.

Syntax:

pdoswhoami [-Vvh?]
    [-t trace-string]
    [-{n | a | l}]

Description: The pdoswhoami command displays PDOS accessor information about the current user.

If no option is specified, pdoswhoami displays the PDOS user name of the current user.

The -n option displays the accessor ID of the current user.

The -a option displays both the accessor ID and the name of the current user.

The -l option displays the accessor ID, the PDOS name, and the following credential information for the current user:

¶ PDOS group membership information

¶ The time the credential was refreshed

¶ The expiry time of the credential refresh

¶ The time the credential was last accessed

¶ The expiry time of the credential hold

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
-n Displays the accessor UID.
-a Displays the accessor UID and name.
-l Displays the accessor UID, name, and PDOS credential information.

Return codes:

0 The command completed successfully.
1 An error occurred.


Examples of pdoswhoami usage follow.

1. To display the PDOS accessor name of the current user, enter:

pdoswhoami

The output is as follows:

riley

2. To display the PDOS accessor name and UID of the current user, enter:

pdoswhoami -a

The output is as follows:

204 riley

3. To display the PDOS accessor name, UID, and credential information of the current user, enter:

pdoswhoami -l

The output is as follows:

204 riley
The credential is associated with the following groups: staff
The credential was last refreshed at Wed Oct 25 08:21:40 2000
The credential refresh time expires at Wed Oct 25 08:41:40 2000
The credential was last accessed at Wed Oct 25 08:31:20 2000
The credential hold time expires at Wed Oct 25 08:56:20 2000


pdoswhois

Purpose: Displays PDOS accessor ID information for the specified process IDs.

Syntax:

pdoswhois [-Vvh?]
    [-t trace-string]
    [-l] pid [pid [pid ...]]

Description: The pdoswhois command displays PDOS accessor ID information for the specified list of process IDs. The list of PIDs must come last on the pdoswhois command line. The PDOS accessor ID and PDOS accessor user ID of each specified process are displayed.

If the -l option is specified, pdoswhois also displays the following PDOS credential information for each specified process:

¶ PDOS group membership information

¶ The time the credential was refreshed

¶ The expiry time of the credential refresh

¶ The time the credential was last accessed

¶ The expiry time of the credential hold

Options:

-V Displays version information.
-v Displays verbose messages.
-h Displays the usage message.
-? Displays the usage message.
-t trace-string Sets the trace string so that trace messages are displayed.
-l Displays the PDOS accessor UID, PDOS accessor name, and PDOS credential information of each specified process.

Return codes:

0 The command completed successfully.
1 An error occurred.

1. To display the PDOS accessor ID information of a single process, enter:

pdoswhois 170358

The output is as follows:

Pid, 170358, is running under the uid = 204, user name = riley

2. To display the PDOS accessor ID information of several processes, enter:

pdoswhois 170358 53804 219134

The output is as follows:

Pid, 170358, is running under the uid = 204, user name = riley.
The process with pid, 53804, is running as unauthenticated.
Pid, 219134, is running under the uid = 0, user name = root.

3. To display the PDOS accessor ID information of several processes together with their credential information, enter:

pdoswhois -l 170358 219134

The output (formatted to fit the printed page) is as follows:

Pid, 170358, is running under the uid = 204, user name = riley.
The credential is associated with the following groups: staff
The credential was last refreshed at Wed Oct 25 08:56:39 2000
The credential refresh time expires at Wed Oct 25 09:16:39 2000
The credential was last accessed at Wed Oct 25 08:40:12 2000
The credential hold time expires at Wed Oct 25 09:05:12 2000
-------------------------------------------------------
Pid, 219134, is running under the uid = 0, user name = root.
The credential is associated with the following groups:
osseal-admin osseal-auditors
The credential was last refreshed at Wed Oct 25 08:59:05 2000
The credential refresh time never expires.
The credential was last accessed at Wed Oct 25 09:00:51 2000
The credential hold time never expires.


PDOS ��������

Table 40. System resources and the corresponding PDOS resource types

Resource type               Resource type name
File system resource        File
Network resource            NetIncoming
                            NetOutgoing
Login resource              Login/Terminal/Local
                            Login/Terminal/Remote
                            Login/Holidays
Surrogate resource          Surrogate
Sudo resource               Sudo
Trusted computing base      TCB/Login-Programs
                            TCB/Secure-Files
                            TCB/Secure-Programs
                            TCB/Impersonator-Programs
                            TCB/Immune-Programs

Table 41. PDOS permissions defined in the [OSSEAL] action group

Action  Description            PDOS resource type
C       Connect                NetIncoming and NetOutgoing
D       Change directory       File
G       Surrogate              Surrogate
K       Kill a program         File
L       Login                  Login
N       Create                 File
R       Rename                 File
U       Update timestamp       File
d       Delete                 File
l       List directory         File
o       Change owner           File
p       Change permissions     File
r       Read                   File
w       Write                  File
x       Execute                File and Sudo

Table 42. Standard Policy Director actions used for policy administration

Action  Description
a       Attach an ACL or POP
b       Browse the object space and view object names
c       Control or modify the ACL
d       Delete an object
m       Modify object attributes
v       View object attributes

Table 43. Standard Policy Director actions used in policy decisions

Action  Description
B       Bypass time-of-day constraints
T       Traverse


!���"����������

Wildcard character set expressions follow the POSIX regular expression (RE) definition of bracket expressions. Table 44 summarizes that definition.

Table 44. Special elements of wildcard character sets

^ (caret)
    A caret denotes the set of characters to be excluded from the character set: the characters that follow it do not match. The caret has this special meaning only when it is the first character of the set; anywhere else it simply denotes the caret character itself.
    [^a-z]        Matches every character except the lowercase ASCII letters.
    [ab^]         Matches "a", "b", or "^".

] (right bracket)
    A right bracket normally ends the character set. When it is the first character of the set, it denotes the right bracket character.
    []]           Matches the "]" character.
    [a]]          This expression is invalid.

[.collating-symbol.]
    [..] brackets let you specify a collating symbol that is not a single character, for example [.ch.]. If the string enclosed in [..] is not a valid collating symbol, the expression is treated as invalid.
    [[.ch.]]+c    Matches the string "chchc", but does not match "hc" or "cc".
    [[.qx.]]      This expression is invalid.

[=equivalence-class=]
    [= =] brackets let you specify an equivalence class of characters. An equivalence class consists of all the characters that match when case, umlauts, accents, and similar distinctions are ignored.
    [[=a=]]       Matches "a", "A", and the other forms of the letter A (accented variants).

[:character-class:]
    [::] brackets let you specify a class of characters. The valid character classes are those defined in the LC_CTYPE category of the locale in which the policy is enforced. Table 45 lists the character classes that are valid in every locale; character classes specific to the locale in which PDOSD is running are also supported.
    [[:digit:]]   Matches every digit.
    [[:lower:]]   Equivalent to [a-z] in the C locale, but in the French locale, for example, it also includes characters such as c-cedilla (ç).

Table 45. Character classes of wildcard character sets that are valid in all locales

Class       Description                  Examples
[:alnum:]   Letters and decimal digits   "a", "A", "6"
[:alpha:]   Letters                      "a", "A", "Z"
[:blank:]   Blank characters             space, tab, newline
[:cntrl:]   ASCII control characters     "^A", "^C"
[:digit:]   Decimal digits               "0", "1", "2", "3"
[:graph:]   Graphic characters
[:lower:]   Lowercase letters            "a", "b", "c"
[:print:]   Printable characters         Every character that matches [:alnum:], [:graph:], [:punct:], or the space character and does not match [:cntrl:]
[:punct:]   Punctuation characters       ',', '"'
[:space:]   White space characters: space and tab   space, tab
[:upper:]   Uppercase letters            "A", "B", "C"
[:xdigit:]  Hexadecimal digits           "0", "3", "A", "f"
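The rules in Table 44 and the classes in Table 45 can be checked mechanically before a pattern is put into a policy. The following is an added example, not from the manual or the product: it parses one wildcard character set by the Table 44 rules, rejecting the invalid forms the table shows ("[a]]", "[[.qx.]]"), and tests a single character against it. The set of multi-character collating symbols (here only "ch") and the C-locale semantics of the class predicates are assumptions.

```python
import string
import unicodedata

CLASSES = {  # the Table 45 classes as one-character predicates (C-locale semantics assumed)
    "alnum": str.isalnum, "alpha": str.isalpha, "blank": " \t".__contains__,
    "cntrl": lambda c: unicodedata.category(c) == "Cc", "digit": string.digits.__contains__,
    "graph": lambda c: c.isprintable() and not c.isspace(), "lower": str.islower,
    "print": str.isprintable, "punct": lambda c: unicodedata.category(c)[0] in "PS",
    "space": str.isspace, "upper": str.isupper, "xdigit": string.hexdigits.__contains__,
}
COLLATING = {"ch"}  # assumed multi-character collating symbols; in reality locale-dependent

def base(c):  # letter with case and accents stripped, used for [=x=] equivalence classes
    return unicodedata.normalize("NFD", c)[0].casefold()

def parse_set(pattern):
    """Parse one bracket expression by the Table 44 rules into (negated, elements).
    Raises ValueError for invalid sets such as "[a]]" or "[[.qx.]]"."""
    if len(pattern) < 3 or pattern[0] != "[":
        raise ValueError(f"not a bracket expression: {pattern!r}")
    negate = pattern[1] == "^"
    i, elems = 1 + negate, []
    if pattern[i] == "]":  # a ] in first position stands for itself
        elems.append(("char", "]")); i += 1
    while i < len(pattern) and pattern[i] != "]":
        c = pattern[i]
        if c == "[" and pattern[i + 1:i + 2] in (".", "=", ":"):  # [.x.] [=x=] [:x:]
            kind, end = pattern[i + 1], pattern.find(pattern[i + 1] + "]", i + 2)
            name = pattern[i + 2:end] if end > 0 else ""
            if (kind == "." and len(name) != 1 and name not in COLLATING) or \
               (kind == "=" and len(name) != 1) or (kind == ":" and name not in CLASSES):
                raise ValueError(f"invalid element [{kind}{name}{kind}] in {pattern!r}")
            elems.append(({".": "coll", "=": "equiv", ":": "class"}[kind], name)); i = end + 2
        elif pattern[i + 1:i + 2] == "-" and pattern[i + 2:i + 3] not in ("", "]"):
            elems.append(("range", c, pattern[i + 2])); i += 3
        else:
            elems.append(("char", c)); i += 1
    if pattern[i:] != "]":  # unterminated, or text after the closing ] as in "[a]]"
        raise ValueError(f"malformed set: {pattern!r}")
    return negate, elems

def matches(pattern, ch):
    """True if the single character ch is in the set; a multi-character collating
    symbol can only match a longer string, so it never matches one character."""
    negate, elems = parse_set(pattern)
    hit = any((k == "char" and ch == v[0]) or (k == "range" and v[0] <= ch <= v[1])
              or (k == "class" and CLASSES[v[0]](ch)) or (k == "equiv" and base(ch) == base(v[0]))
              or (k == "coll" and ch == v[0]) for k, *v in elems)
    return hit != negate
```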


Entries are arranged in the order Japanese, digits, letters, and special characters. Voiced and semi-voiced kana are treated the same as unvoiced kana.

N"TO"/;5< ID"=L 85"/;9)B 17"/;9)BN>A 18"/;9&3sHm<k 11

e}j=<9 45m0$s&j=<9 39

"/;9&3sHm<k&j9H 11#G 14~zU!$k"=.N

3^sIT*W7gsN0-XN^CTs0 760- 76

*V8'/Hp>G<?Y<9 83*V8'/H> 8*V8'/H>=$

*V8'/H> 8M<`&9Z<9&k<H 7]n 7]j7<&VisA 8j=<9&?$W 8

*W7gs

=. 107

N+TO+O"PDOS 775W 1D-"PDOS NRp 2F:=( 99V%

Non-local UNIX User Registry 69
Host Name Resolution Server 70
Policy Director Management Server 68
Policy Director User Registry 69

I}

40 76PDOS Wm;9NI} 77

I}"*V8'/Hp>G<?Y<9 83I}"Z@q 84I}"[9H>!wG<?Y<9 87I}"PDOS Wm;9N 77I}"Trusted Computing Base 83V%5l?]j7< 68I}Q?9/ 736>Wm0i` 30

Y|Nm0$s)B 36vD

PDOS bGk 3vDhjWm;9 56vD]j7< 40k<W*hSf<6< 61Wh"]j7<N 7Ypb<I0m<Pk 790m<Pk"CjNj=<9KP7F 80]j7< 79

Q5"ACL N 14!:"]j7< 79!:"PDOS G<bsu7 78=.

*W7gs 107=."[9H>!wG<?Y<9 87=.*W7gs"PDOS 107=.U!$k

PC/"CW 88|5 89

3^sI

pdosaudview 102
pdosbkup 104
pdoscfg 106
pdosctl 111
pdosdestroy 114
pdosexempt 115
pdoshla 117
pdoslpadm 120
pdosobjsig 122
pdosrefresh 124
pdosrevoke 126
pdosrgyimp 128
pdosrstr 133
pdossudo 134
pdossudo, usage 49
pdosucfg 135
pdosuidprog 137
pdosunauth 140
pdosversion 141
pdoswhoami 142
pdoswhois 144

N5TO1L

UNIX 3~o

m0$s)B 3579F`&j=<9 20U!$k&]j7< 20


Z@q

@(*JG7=( 84@(*JK~ 85

Z@q"I} 84Z@q-cC7e"40 84i|]j7< 65

osseal-audit 66
osseal-credentials 66
osseal-default 66
osseal-default-file 66
osseal-default-login 66
osseal-default-net-incoming 66
osseal-default-net-outgoing 66
osseal-default-sudo 67
osseal-default-surrogate 67
osseal-hla 67
osseal-logs 67
osseal-open 67
osseal-privileged-user 67
osseal-restricted 67
osseal-restricted-read 67
osseal-runtime 68
osseal-tcb 68
osseal-umsg 68

7s\jC/&js/ 237s\jC/&js/Nc 23)f""/;9N 11;-ejF#<

vDhjWm;9 56;-ejF#<KX9kM8v` 560-

=.N~zU!$k 76

N?TOe}]j7< 43e}j=<9"/;9&3sHm<k 45

?9/N5W"I} 7340

Z@q-cC7e 84TCB bK?< 83

40"PDOS =.N 76G<?Y<9PC/"CW 88|5 89[9H>!w 87

G<?Y<9"PDOS 2G<bs

!= 53u7N!: 78PDOSAUDITD 59PDOSD 54PDOSWDD 61

d_ 78d_"PDOS 78Hi9FCI&3sTe<F#s0&Y<9&j=<9

27

NJTOM<`&9Z<9&k<H 7MCHo</&]j7< 31

NOTOO<I&js/ 25O<I&js/L>Nc 26ljKhkm0$s)B 38PC/"CW"PDOS 88U!$k*hSG#l/Hj< 63U!$k&79F`L> 23U!$k&79F`&j=<9"/;9&3sHm<k 21U!$k&]j7< 20

U!$k&79F`&j=<9eN"/;9&3sHm<k 21U!$k&]j7< 20|5"PDOS 88]n*V8'/H>=$ 7]n*V8'/H&]j7< 16

F:lYk 16Ypb<I 16~o 17

]n79F`&j=<9 20]nU!$k 29]nWm0i` 29[9H>!wG<?Y<9 87

I} 87=. 87

]j7<vDhjWm;9 56Wh 7Ypb<I 79i|=. 657s\jC/&js/ 23;-ejF#<KX9kM8v` 56e} 43MCHo</ 31O<I&js/ 25m0$s 35m0$s&"/F#SF#< 40PDOS vD 4Sudo 45

]j7<Ypb<I 79]j7<&VisA 8

N^TO^CTs0"3^sIT*W7gsN0-XN

=.N~zU!$k 76@(*JG7=("Z@qN 84@(*JK~"Z@qN 85H|Wm0i` 30


NdTOf<6<*hS0k<W 61f<6<1L 3

NiTOis?$` 53j=<9&?$W 8j=<9&^M<8c< 2c

"/;9)B 18"/;9)BN>A 19#GvD 15Y|)B 37Y|)B (3-) 38Q5 14~o)B 367s\jC/&js/ 23e}j=<9 43E#7?f<6<> 74MCHo</&j=<9 32O<I&js/L> 26PC/"CW"PDOS 88U!$k&79F`&j=<9Xj 21|5"PDOS 89f<6<>X8 3m0$s~ohk)B 36m0$sNY|)B 37m0$sNY|)B (3-) 38m0$s&"/F#SF#<&]j7< 42m0$s&j=<9Xj 39o$kI+<INM-go; 9o$kI+<I&U!$k>N%hgL 10o$kI+<I&[9H>N%hgL 10pdosaudview 100pdoshla NHQ 88pdoswhoami 85pdoswhois 85Sudo NHQ 47

m<+k<vHjb<H<v 38m<+kKJ$ UNIX User Registry NV% 69m0$s

Y|)B 36m0$s)B 35m0$sljN)B 38m0$s&"/F#SF#<&]j7< 40m0$s&Wm0i` 28m0$s&]j7< 35m0&U!$k 78

NoTOo$kI+<INHQ 8

Sudo z-t 48o$kI+<IN%hgL 9

A
ACL 11

H
Host Name Resolution Server NV% 70

O
osseal group 63
osseal user 62
osseal-admin group 62
osseal-audit 66
osseal-auditors group 63
osseal-credentials 66
osseal-default 66
osseal-default-file 66
osseal-default-login 66
osseal-default-net-incoming 66
osseal-default-net-outgoing 66
osseal-default-sudo 67
osseal-default-surrogate 67
osseal-hla 67
osseal-logs 67
osseal-open 67
osseal-privileged-user 67
osseal-restricted 67
osseal-restricted-read 67
osseal-runtime 68
osseal-tcb 68
osseal-umsg 68
osseal-unauth user 63

P
PDOS
configuration options 107
identification 3
database 2
Understanding PDOS 1
PDOSAUDITD daemon 59
PDOSAUDITD configuration 60
pdosaudview command 102
pdosbkup command 104
pdoscfg command 106
pdosctl command 111
PDOSD authorization daemon 54
PDOSD log configuration attributes 59
pdosdestroy command 114
pdosd-hostname user 63
pdosexempt command 115
pdoshla command 117
pdoslpadm command 120
pdosobjsig command 122


pdosrefresh command 124
pdosrevoke command 126
pdosrgyimp command 128
pdosrstr command 133
pdossudo command 49, 134
pdosucfg command 135
pdosuidprog command 137
pdosunauth command 140
pdosversion command 141
PDOSWDD daemon 61
PDOSWDD configuration 61
pdoswhoami command 142
pdoswhois command 144
Policy Director Management Server NV% 68
Policy Director User Registry NV% 69

R
root user 62

S
Sudo

z-tGNo$kI+<INHQ 48

Sudo ]j7< 45

T
TCB

I} 83bK?<N40 83

TCB bK?< 58TCB j=<9 27

6>Wm0i` 30]nU!$k 29]nWm0i` 29H|Wm0i` 30m0$s&Wm0i` 28

U
UNIX

1L 3
