ibm tivoli access manager for operating...

IBM Tivoli Access Manager for OperatingSystems

��

�� 5.1

SA30-1840-01

��

�!

� �� 353 �� E �� .

�� (2003� 11�)

� �� , IBM Tivoli Access Manager for Operating Systems �� 5, �� 1(��

�� 5698-PDO) � �� .

© Copyright International Business Machines Corporation 2000, 2003. All rights reserved.

��

� . . . . . . . . . . . . . . . . . vii

�� . . . . . . . . . . . . . . . . . ix

� �� . . . . . . . . . . . . . ix

� �� . . . . . . . . . . . . . . x

� . . . . . . . . . . . . . . . . . xi

Tivoli Access Manager for Operating Systems

�� . . . . . . . . . . . . . . xi

�� . . . . . . . . . . . . . . xii

�� . . . . . . . . . . . . . . xii

�� . . . . . . . . . . . xii

�� . . . . . . . . . . xiii

�� . . . . . . . . . . . . xiii

�� . . . . . . . . . . . xiii

� �� . . . . . . . . . . . xiv

� 1 � �� . . . . . . . . . . . . . . 1

�� . . . . . . . . . . . . . . . . . 1

�� . . . . . . . . . . . . . . . 3

UNIX ID � Tivoli Access Manager �� ID�

� �� . . . . . . . . . . . . . . . . 3

�� policy. . . . . . . . . . . . . . . 4

� 2 � Policy . . . . . . . . . . . . . 7

policy �� . . . . . . . . . . . . . . . 7

�� . . . . . . . . . . 9

�� . . . . . . . . . . . . 9

policy �� . . . . . . . . . . . . . 9

� �� . . . . . . . . . . . . . . 9

�� . . . . . . . . . . . . 10

� ��. . . . . . . . . . . . . . 10

�� . . . . . . . . . . . . . . 12

ACL(Access Control List) . . . . . . . . 13

�� . . . . . . . . . . . . 17

�� . . . . . . . . . . . . . 24

POP(Protected Object Policy) . . . . . . . . 26

�� POP �� . . . . . 26

�� . . . . . . . . . . . . 29

� policy . . . . . . . . . . . . . 29

�� policy . . . . . . . . . . . . 46

�� . . . . . . . . 49

�� policy . . . . . . . . . . . . 50

�� policy . . . . . . . . . . . 59

�� policy . . . . . . . . . . . . . 62

Sudo policy . . . . . . . . . . . . . 65

pdossudo �� . . . . . . . . . . . . 68

� � . . . . . . . . . . . . . . . 71

� �� . . . . . . . . . . . . 71

� � � . . . . . . . . . . . . 73

� 3 � �� . . . . . . . . . . . . . 77

�� . . . . . . . . . . . . . . . . . 77

pdosd �� . . . . . . . . . . . 78

pdosauditd � �� . . . . . . . . . . 87

pdoswdd �� . . . . . . . . . . 89

pdostecd Tivoli Enterprise Console �� . . . 91

�� . . . . . . . . . . 92

pdoslpmd �� policy � �� . . 93

pdoslrd �� . . . . . . . . 93

�� . . . . . . . . . . . . . 95

osseal-admin � . . . . . . . . . . . 95

osseal � . . . . . . . . . . . . . 95

osseal �� . . . . . . . . . . . . 96

root �� . . . . . . . . . . . . . 96

osseal-auditors � . . . . . . . . . . 96

ossaudit � . . . . . . . . . . . . 96

osseal-unauth �� . . . . . . . . . . 96

pdosd-hostname �� . . . . . . . . . 97

critical cred � . . . . . . . . . . . 97

� � �� . . . . . . . . . . . . 97

�� policy . . . . . . . . . . . . . . 101

osseal-audit . . . . . . . . . . . . . 101

osseal-audit-exec . . . . . . . . . . . 102

osseal-credentials . . . . . . . . . . . 102

osseal-default . . . . . . . . . . . . 102

osseal-default-file . . . . . . . . . . . 102

osseal-default-login . . . . . . . . . . 102

osseal-default-net-incoming . . . . . . . 102

osseal-default-net-outgoing . . . . . . . 103

osseal-default-sudo . . . . . . . . . . 103

osseal-default-surrogate . . . . . . . . . 103

osseal-exec-open . . . . . . . . . . . 103

osseal-exec-root . . . . . . . . . . . 103

osseal-hla . . . . . . . . . . . . . 103

osseal-kazndrv . . . . . . . . . . . . 103

© Copyright IBM Corp. 2000, 2003 iii

osseal-logs . . . . . . . . . . . . . 104

osseal-open . . . . . . . . . . . . . 104

osseal-privileged-user . . . . . . . . . 104

osseal-restricted . . . . . . . . . . . 104

osseal-restricted-read . . . . . . . . . 104

osseal-tcb . . . . . . . . . . . . . 105

osseal-umsg. . . . . . . . . . . . . 105

osseal-var-lpm . . . . . . . . . . . . 105

�� . . . . . . . . . . . . . . 105

Tivoli Access Manager policy �� 106

Tivoli Access Manager ��

�� . . . . . . . . . . . . . . . 106

�� UNIX �� . . 107

�� . . . . . . 107

� 4 � �� . . . . . . . . . 109

�� . . . . . . . . . . 109

�� . . . . . . . . 109

�� . . . . . . . . 110

XML � . . . . . . . . . . . . . 110

Server �� . . . . . . . . . . . . . 110

Router ��. . . . . . . . . . . . . 111

Channel �� . . . . . . . . . . . . 112

Filters �� . . . . . . . . . . . . . 113

Filter �� . . . . . . . . . . . . . 114

Conditional �� . . . . . . . . . . . 114

Field �� . . . . . . . . . . . . . 115

�� . . . . . . . . . . . . . 116

�� . . . . . . . . . . . . . . . . 117

�� . . . . . . . . . . . . . 118

�� . . . . . . . . . . . . 118

�� . . . . . . . . 120

�� . . . . . . . . . . . . 120

�� . . . . . . . . . . . 121

�� . . . . . . . . . . . . 121

�� . . . . . . . . . . . . . 121

�� . . . . . . . . . . . 123

�� . . . . . . . . . . 125

�� - LRD_FileOutput . . . . . 125

� � �� - LRD_EmailOutput . . . . 125

�� - LRD_NetOutput . . . . . 125

� �� . . . . . . . . . . . . . 126

�� . . . . . . . . . . . . . 126

� 5 � �� . . . . . . . . . . . 127

�� . . . . . . . . 128

�� . . . . . . . . 128

�� . . . . . . . . . . 129

�� . . . . . . . . . 129

pdosrgyimp �� . . . . . . . . . . . 129

�� . . . . . . . . . . . . . . 131

�� policy� �� ACL �� . . . . 133

policy �� . . . . . . 133

�� . . . . . . . . . . . . . 134

Tivoli Access Manager for Operating

Systems �� . . . . . . . . . . . . 134


Systems �� . . . . . . . . . . . . 135

�� . . . . . . . . . . . . 135

�� . . . . . . . . . . . . 135

policy � . . . . . . . . . . . . . . 136

�� policy � . . . . . 136

�� policy � . . . . . . . 138

Trusted Computing Base �� . . . . . . . 141

pdosd �� Trusted Computing Base ��

�� . . . . . . . . . . . . . . 141

�� . . . . . . 142

Trusted Computing Base� ��

� �� . . . . . . . . . . 143

� �� . . . . . . . . . 144

�� policy � �� . . . 145

�� . . . . . . . . . . . 145

�� . . . . . . . . . 146

�� . . . . . . . 146

�� policy� ��

�� . . . . . . . . . . . . . . . 147

�� policy� �� NIS �� . . . . 147

�� . . . . . . . . . . . . . . 148

�� . . . . . . . . . . . . 148

�� . . . . . . . . 149

�� . . . . . . . . . . 150

�� ID �� . . . . . . . . . . . . 150

pdoswhoami � pdoswhois � . . . . . 150

�� look-aside �� 152

�� . . . . . . . . . . . 152

�� . . . . . . . . . . . 152

�� . . . . 153

�� . . . . . . 154


Systems �� . . . . . . . . . . . . 154

� 6 � Tivoli �� 155

�� . . . . . . . . . . . . . . 155

wrunjob � wruntask �� . . . . . 157

iv IBM Tivoli Access Manager for Operating Systems: ��

PDOS ��/�� /�� . . . . . . . 157

wrunjob � wruntask� �� . . . . . . . . 159

PDOS �� . . . . . . . . . 160

wrunjob � wruntask� �� . . . . . . . 161

� �� . . . . . . . . . . . 161


PDOS � �� . . . . . . . . . . . . 163


PDOS �� . . . . . . . . . . . . 165


PDOS �� . . . . . . . . . . . . 167


PDOS �� policy �� . . . . . . 170


PDOS �� . . . . . . . . . . . . 171


PDOS TCB �� . . . . . . . . . . . . 175


PDOS �� . . . . . . . . 177


�� . . . . . 178


UNIX TCB �� . . . . . . . . . . . . 180


UNIX �� . . . . . . . . 181


PDOS �� . . . . . . . . . . 185


PDOS �� . . . . . . . . . . 186


PDOS TCB �� . . . . . . . . . . . . 188


PDOS �� . . . . . . . . 190


�� . . . . . . . . . . . 191


PDOS �� policy �� . . . . . . 192


PDOS �� . . . . . . . . . . 194


PDOS TCB �� . . . . . . . . . . . . 196


PDOS �� . . . . . . . . . 197


PDOS �� . . . . . . . . 198


PDOS �� . . . . . . . . 202


Setup TEC Event Server for PDOS . . . . . 204


PDOS � �� . . . . . . . . . . 207


PDOS ��/�� . . . . . . . . . 208


PDOS �� . . . . . . . . . . 209


PDOS �� . . . . . . . . . . 210


PDOS �� . . . . . . . . 211


PDOS �� . . . . . . . . . . 211


PDOS TCB �� . . . . . . . . . . 212


PDOS TEC �� . . . . . . . . . 213


PDOS TEC �� . . . . . . . . . 213


PDOS �� . . . . . . . . . . 214


PDOS �� . . . . . . . . 214


� 7 � �� . . . . . . . . . . . . . 217

�� . . . . . . . . . . . . . 217

�� . . . . . . . . . . . . . 219

� �� . . . . . . . . . . . . 220

� �� . . . . . . . . . . . . 222

�� . . . . . . . . . . . . . 222

� �� . . . . . . . . . . . . 225

�� . . . . . . . . . . . . 227

�� . . . . . . 228

�� . . . . . . . . . . . . . . 230

�� , ��

� �� . . . . . . . . . . . . . . 230

� �� , ��

�� . . . . . . . . . . . . . . . 231

� �� . . . . . . . . . . . . . 231

� �� . . . . . . . . . . . . . 232

� �� . . . . . . . . . . . . . 233

concise �� . . . . . . . . . . . . 233

keyvalue �� . . . . . . . . . . . . 233

verbose �� . . . . . . . . . . . . 234

�� v

� �� . . . . . . . . . . 237

� � �� . . . . . . . 237

� � �� . . . . . . . . 242

�� . . . . . . 244

� �� . . . . . . . 245

�� . . . . . . . . . . . . . 245

� 8 � �� . . . . . . . . . . . . . 247

pdosaudview . . . . . . . . . . . . . 248

pdosbkup . . . . . . . . . . . . . . 252

pdoscfg . . . . . . . . . . . . . . . 254

pdoscollview . . . . . . . . . . . . . 265

pdosctl . . . . . . . . . . . . . . . 269

pdosdestroy . . . . . . . . . . . . . . 273

pdosexempt . . . . . . . . . . . . . . 275

pdoshla . . . . . . . . . . . . . . . 277

pdoslpadm . . . . . . . . . . . . . . 280

pdoslradm . . . . . . . . . . . . . . 285

pdosobjsig . . . . . . . . . . . . . . 286

pdosrefresh . . . . . . . . . . . . . . 289

pdosrevoke . . . . . . . . . . . . . . 291

pdosrgyimp . . . . . . . . . . . . . . 293

pdosrstr . . . . . . . . . . . . . . . 298

pdosshowuser . . . . . . . . . . . . . 299

pdossudo . . . . . . . . . . . . . . 302

pdosteccfg . . . . . . . . . . . . . . 304

pdostecucfg . . . . . . . . . . . . . . 307

pdosucfg. . . . . . . . . . . . . . . 309

pdosuidprog . . . . . . . . . . . . . 311

pdosunauth . . . . . . . . . . . . . . 314

pdosversion . . . . . . . . . . . . . . 316

pdoswhoami . . . . . . . . . . . . . 317

pdoswhois . . . . . . . . . . . . . . 319

policyview . . . . . . . . . . . . . . 321

� 9 � Tivoli Enterprise Console� �� . . 323

�� . . . . . . . . . . . . . . . . 323

�� . . . . . . . 324

� 10 � IBM Tivoli Risk Manager� �� 327

�� . . . . . . . . . . . . . . . . 327

Tivoli Risk Manager� ��

� � �� . . . . . . . . . . . . . 328

IBM Tivoli Enterprise Data Warehouse� �� 329

�� A. Policy �� . . . . . . . . . 331

�� B. �� . . . . . 333

�� C. Tivoli Enterprise Console � Tivoli

Risk Manager �� . . . . . . . . . . 335

Tivoli Enterprise Console �� . . . . . . 336

Tivoli Risk Manager �� . . . . . . . . 342

�� D. �� . . . . . . . . . 351

�� E. �� . . . . . . . . . . . . 353

�� . . . . . . . . . . . . . . . . 355

�� . . . . . . . . . . . . . . . . 357

vi IBM Tivoli Access Manager for Operating Systems: ��

�

1. � �� . . . . . . . . . . . 10

2. � �� . . . . . . . . . 10

3. � �� . . . . . . . 11

4. � �� . . . . . . 12

5. OSSEAL �� . . . . 15

6. policy �� Tivoli Access

Manager �� . . . . . . . . . . 16


Manager �� . . . . . . . . . . 16

8. � �� . . . . . . . . . 29

9. � �� . . . . . . . . . . . . . 30

10. IBM Tivoli Access Manager for Operating

Systems� � �� . . . 39

11. �� policy� Immune-Programs� ��

�� . . . . . . . . . . . . 44

12. �� . . . . . . . . 46

13. ��

� �� . . . . . . . . . . . 47

14. � �� . . . . . . . . 54

15. �� . . . . . . . 55

16. �� policy �� . . . . . . . . 56

17. �� policy �� . . . . . . . . . 60

18. �� . . . . . . . . 62

19. �� . . . . . . . . . . . 63

20. Sudo �� . . . . . . . . . . . 65

21. Sudo �� . . . . . . . . . . . 66

22. Sudo� �� . . . . . . . . . 66

23. �� Sudo �� 67

24. Sudo� � �� . . . . . 70

25. Sudo� � �� . . . . . 70

26. �� . . . . . 71

27. �� . . . . . 74

28. Tivoli Access Manager for Operating

Systems �� . . . . . . . . 81

29. �� pdosd ��

�� . . . . . . . . . . . . . 82

30. �� . . . . . . . . . . . 83

31. �� policy �� . . . . . . 84

32. pdosd TCB � �� 86

33. pdosd �� . . . . . . . . . 87

34. �� . . . . . . . 88

35. pdosauditd �� . . . . . . . . . 89

36. pdoswdd �� . . . . . . . . . . 90

37. pdostecd �� . . . . . . . . . . 92

38. pdoslpmd �� . . . . . . . . . 93

39. pdoslrd �� . . . . . . . . . . 94

40. osseal.conf� pdoscfg �� 131

41. pdosd.conf� pdoscfg �� 131

42. pdosauditd.conf� pdoscfg ��

�� . . . . . . . . . . . . . . 132

43. pdoswdd.conf� pdoscfg ��

� . . . . . . . . . . . . . . . 132

44. pdoslrd.conf� pdoscfg ��

� . . . . . . . . . . . . . . . 132

45. �� pdoscfg �� 136

46. IBM Tivoli Access Manager for Operating

Systems �� . . . . . . 156

47. �� . . . . . . . . . . 222

48. � � �� . . . . . . 237

49. � �� ID� �� . . . . . . 240

50. � �� . . . . . . . . 241

51. � � �� . . . . . . 242

52. �� . . . . 244

53. �� IBM Tivoli Access

Manager for Operating Systems � �� . 331

54. [OSSEAL] �� Tivoli

Access Manager for Operating Systems �

� . . . . . . . . . . . . . . . 331


Manager �� . . . . . . . . . 332


Manager �� . . . . . . . . . 332

57. � �� . . . . 333

58. ��

�� . . . . . . . . . . . . 334

59. �� Tivoli Enterprise Console �

�� . . . . . . . . . . . . . . 336

60. � �� Tivoli Enterprise Console �� 337

61. �� Tivoli Enterprise Console �

�� . . . . . . . . . . . . . . 337

62. Sudo �� Tivoli Enterprise Console �� 338

63. ��(��) �� Tivoli Enterprise Console

�� . . . . . . . . . . . . . . 338

© Copyright IBM Corp. 2000, 2003 vii

64. ��(�) �� Tivoli Enterprise Console

�� . . . . . . . . . . . . . . 339

65. TCB �� Tivoli Enterprise Console �� 339

66. policy �� Tivoli Enterprise Console ��

� . . . . . . . . . . . . . . . 340

67. �� Tivoli Enterprise Console ��

� . . . . . . . . . . . . . . . 341

68. �� Tivoli Enterprise Console �� 341

69. �� Tivoli Enterprise Console

�� . . . . . . . . . . . . . . 342

70. �� Tivoli Risk Manager �� 342

71. � �� Tivoli Risk Manager �� 343


73. Sudo �� Tivoli Risk Manager �� 344

74. ��(��) �� Tivoli Risk Manager ��

� . . . . . . . . . . . . . . . 345

75. ��(�) �� Tivoli Risk Manager �� 345

76. TCB �� Tivoli Risk Manager �� 346

77. policy �� Tivoli Risk Manager �� 347




viii IBM Tivoli Access Manager for Operating Systems: ��

��

IBM® Tivoli® Access Manager for Operating Systems� ��

� �� policy �� .

�: IBM Tivoli Access Manager for Operating Systems� �� Tivoli SecureWay®

Policy Director for Operating Systems(�� 3.7) � Tivoli Policy Director for

Operating Systems(�� 3.8) �� . �� Tivoli SecureWay Policy

Director �� policy ��

��.

IBM Tivoli Access Manager for Operating Systems �� IBM Tivoli Access

Manager for Operating Systems� �� .

� ��

� ��

�� .

v UNIX® � ��

v �� (HTTP, TCP/IP, FTP, Telnet, SSL)

v ��

v �

v ��

v IBM Tivoli Access Manager Base

v LDAP(Lightweight Directory Access Protocol) � ��

�� .

v IBM Tivoli Management Environment® framework

v IBM Tivoli Enterprise Console®

v IBM Tivoli Directory Server(LDAP)

v IBM Tivoli User Administration

© Copyright IBM Corp. 2000, 2003 ix

� ��

� �� .

v 1 �� 1 � ��

Tivoli Access Manager for Operating Systems � � �� .

v 7 �� 2 � �Policy�

Tivoli Access Manager for Operating Systems� ��

�� .

v 77 �� 3 � ��

Tivoli Access Manager for Operating Systems ��

��. �� Tivoli Access Manager for Operating Systems ��

��.

v 109 �� 4 � ��


� �� .

v 127 �� 5 � ��


�� .

v 155 �� 6 � �Tivoli ��

Tivoli �� Tivoli Access Manager for Operating Systems� ��

�� .

v 217 �� 7 � ��

��

��.

v 247 �� 8 � ��

�� Tivoli Access Manager for Operating Systems ��

��. �� , �� .

v 323 �� 9 � �Tivoli Enterprise Console� ��

Tivoli Access Manager for Operating Systems� Tivoli Enterprise Console� �

�� .

v 327 �� 10 � �IBM Tivoli Risk Manager� ��

Tivoli Access Manager for Operating Systems� Tivoli Risk Manager� ��

�� .

v 331 �� A �Policy ��

policy � � �� .

v 333 �� B ��

x IBM Tivoli Access Manager for Operating Systems: ��

� �� .

v 335 �� C �Tivoli Enterprise Console � Tivoli Risk Manager ��

��

Tivoli Enterprise Console� �� .

v 351 �� D �� IBM Tivoli Access Manager Base

�� Tivoli Access Manager for Operating Systems� �

� � �� .

��

�� Tivoli Access Manager for Operating Systems

��, �� . ��

�� .


�� Tivoli Access Manager for Operating Systems �� .

v IBM Tivoli Access Manager for Operating Systems �� , SA30-1840


��. �� Tivoli ��

� �� IBM Tivoli Enterprise Console� IBM Tivoli Risk Manager�

�� .

v IBM Tivoli Access Manager for Operating Systems � ��, SA30-1841

Tivoli Access Manager for Operating Systems �, ��, ��

�� .

v IBM Tivoli Access Manager for Operating Systems �� , SA30-1842

�� , �� , � ��, �� Tivoli Access

Manager for Operating Systems� �� . ��

�� .

v IBM Tivoli Access Manager for Operating Systems �� , GA30-1843

Tivoli Access Manager for Operating Systems� �� .

v IBM Tivoli Access Manager for Operating Systems Read This First Card,

GA30-1844

Tivoli Access Manager for Operating Systems� � � ��

� ��.

�� xi

��

� ��

�� .

v IBM Tivoli Access Manager Base � ��, SA30-2207

v IBM Tivoli Access Manager Base Administration Guide, GC23-1360

v IBM Tivoli Access Manager for e-business �� , GA30-2206

��


� ��.

v IBM Tivoli Access Manager for e-business Performance Tuning Guide, SC32-1351

IBM �� Tivoli Access Manager� ��

� �� .

v IBM Tivoli Access Manager for e-business Problem Determination Guide,

SC32-1352

Tivoli Access Manager �� .

v IBM Tivoli Access Manager Error Message Reference, SC32-1353

IBM Tivoli Access Manager, Tivoli Access Manager for Operating Systems �


��.

v IBM Tivoli Access Manager for e-business Command Message Reference,

SC32-1354


v Tivoli Software Library�� , ��, ��, ��

�� Tivoli �� . �� Tivoli Software Library� �

��.

http://www.ibm.com/software/tivoli/library/.

v Tivoli Glossary�� Tivoli ��

�. Tivoli Glossary� �� .

http://www.ibm.com/software/tivoli/library/

��

�� IBM Tivoli Access Manager for Operating Systems

� �� IBM Tivoli Access Manager for Operating Systems ��

� ��.

xii IBM Tivoli Access Manager for Operating Systems: ��



��

� �� PDF(Portable Document Format), HTML(Hypertext Markup

Language) �� Tivoli Software Library(http://www.ibm.com/

software/tivoli/library)�� .

�� Product

manuals �� . �� , Tivoli Software Information Center ��

�� .

�� , � ��, �� , �� , ��

�� .

�: PDF �� , Adobe Acrobat ��(�� → ��

� ��)� �� .

��

��

� �� . � ��

�� . ��

�� .

�� D ″�� ″� ��.

��

�� IBM Tivoli Software ��

Tivoli Support �� IBM Tivoli Software ��

�.

http://www.ibm.com/software/support/

�� IBM Software ��

�� .

http://techsupport.services.ibm.com/guides/handbook.html

�� .

v � � ��

v ��

v ��

� �� IBM Tivoli Access Manager for Operating Systems

�� .

�� xiii



http://www.ibm.com/software/support/

http://techsupport.services.ibm.com/guides/handbook.html

� ��

� �� , � ��

�� .

� �� .

�� , �� , ��

�� .

� � ��

�� .

�� , �� , ��

��.

�� , �� , �� , ��,

�� .

�� , ��

�� , Java �� , HTML � XML ��

�� .

xiv IBM Tivoli Access Manager for Operating Systems: ��

� 1 � ��

IBM Tivoli Access Manager for Operating Systems �� . �

�� Tivoli Access Manager for Operating Systems� ��

�� , �� .

� �� policy� �

�� .


�� policy � �� . ��

� ��

policy� ��. �� ID, � ��, �� , ��

� �� . �� , ��

�� ID �� . ��

� ��

��. �� policy � �� policy � � ��

�� .

�� IBM Tivoli Access Manager �� policy

�� . ��

� �� . �� , Tivoli Access Manager for

Operating Systems� �� ID, ��

� ��

��.

��

2 �� 1� Tivoli Access Manager �� Tivoli Access Manager for

Operating Systems �� .

© Copyright IBM Corp. 2000, 2003 1

Tivoli Access Manager� �� policy� ��,

�� . ��

� ��. Tivoli Access Manager for Operating Systems� Tivoli Access

Manager� �� . ��

�� IBM Tivoli Access Manager WebSEAL � IBM Tivoli Access Manager

for Business Integration� ��. Tivoli Access Manager� ��

�� . ��

�� policy� �� . Tivoli Access Manager

for Operating Systems� �� .


� ��. �� Tivoli Access Manager ��

� � � �� Tivoli Access Manager ��

��. Tivoli Access Manager �� LDAP ��

�� . � �� Tivoli Policy ��

�� policy� ��. policy ��

�� . � ��

�� 1. IBM Tivoli Access Manager for Operating Systems� ��

2 IBM Tivoli Access Manager for Operating Systems: ��

SSL(Secure Socket Layers)� �� TCP �� . ��

�� Tivoli Access Manager� ��

�� API� ��.

Tivoli Access Manager for Operating Systems� �� Tivoli Access

Manager �� , ��

�� Tivoli Access Manager policy �� Tivoli Access

Manager �� policy� �

� � �� . �� 77 �� 3 � ��

�.

��


� �� UNIX � �� . Tivoli Access Manager for Operating

Systems � ��

�� . �� API� �

�� , �� UNIX ��

�.

Tivoli Access Manager for Operating Systems� �� , �

� �� ID� ��

�� .

� �� policy� ��

� ��. � �� (PDOSD)� ��

�� . policy� �� , ��

�� . �� , � ��

� ��.

PDOSD �� UNIX �� ID� Tivoli Access Manager ��

�� Tivoli Access Manager �� . �� , PDOSD

�� Tivoli Access Manager �� API� �� , �� , ��

� � � policy ��

��.

UNIX ID � Tivoli Access Manager �� ID��

�� , ��

UNIX ID� Tivoli Access Manager �� . �� UNIX

�� ID� �� .

� �� Tivoli Access Manager ��

� 1 � �� 3

� � �� Tivoli Access Manager �� . � ��

�� ID � �� . �� Tivoli Access

Manager �� , �� . �

� �� .

� � Tivoli Access Manager ��

�� . � ��, Sally

Smith� �� A� sally �� B� ssmith ��

�� . �� Tivoli Access

Manager �� . ��

�. ��, Sally Smith� �� A� UNIX �� sally� ��

��. �� C� �� Sally Doe� UNIX �� sally� ��

��. Sally Smith� Sally Doe �� Tivoli Access Manager ��

��. �� policy� �� .

�� Tivoli Access Manager for Operating Systems �� Tivoli Access

Manager� �� Tivoli Access Manager for

Operating Systems �� . ��

� ��

� ��. �� ID� �� (: setuid() ��

�� su �� )�� .

�� policy�� policy� ��

�� . �� policy�

�� .

��

�� policy� ��. ��

��.

ACL(Access Control List)

�� , ��

�� .

POP(Protected Object Policy)

�� (: �, �� )� ��

��.

��

��

�� , ACL �� POP� ��


�� policy� �� .

v ��

v ��

v ��

v � �� Tivoli Access Manager for Operating Systems �

� �

� 1 � �� 5

� 2 � Policy

IBM Tivoli Access Manager for Operating Systems� Tivoli Access Manager �

�� policy� �� . ��

� �� .

v � ��

v ��

v ��

v ��

v �� ID �

v Sudo ��

v ��

� �� Tivoli Access Manager �� . ��

Tivoli Access Manager �� . Tivoli Access

Manager �� policy�

�� .


�� policy�� policy� ��

� Tivoli Access Manager ��

��.

policy ��

Tivoli Access Manager �� IBM Tivoli Web Portal Manager � ��

�� pdadmin ��

, � � �� policy� �� .

Tivoli Access Manager� ��

��. �� (policy) �� . � ��

�� . �� Tivoli Access Manager ��

�� . ��

� �� . �� . ��

�� , � � �� , ��

�� . ��

� �� , ��


�� LDAP �� ID� �� . Tivoli

Access Manager �� ID� �� .

�� . ��

� policy �� . Tivoli Access Manager for Operating

Systems� policy ��

�� . � �� . �

�� policy� �� policy ��

� �� . �� policy ��

�� .

server_domain �� server_branch� ��, �� client_domain ��

�� client_branch� �� . � ��

�� policy �� . ��

�� . �� policy� �� (: client_branch)�

policy �� client_domain�� .

� �� .

� ��, osseal-admin �� root, osseal, liz � anne� �

�� , �� root, osseal, bill � rusty

� �� . � � ��

�� .

�: � �� , �� policy� �

�� .


��. �� policy �� , �� ,

�� , �� policy��.

IBM Tivoli Web Portal Manager� Tivoli Access Manager for Operating Systems

�� CD-ROM��

��. � � �� IBM Tivoli Access Manager Base � �� IBM

Tivoli Access Manager Base Administration Guide� ��.

IBM pdadmin �� IBM Tivoli Access Manager ��

� ��. pdadmin �� IBM Tivoli Access Manager

Command Reference� ��.

� �� policy �� pdadmin �� . � ��

�� pdadmin� ��.


��


� ��. �� , �� .

�� .

v ��

v policy ��

v � ��

v ��

�� .

��


�� . Tivoli Access Manager for Operating Systems� ��

OSSEAL��. �� OSSEAL� ��. OSSEAL �

� �� /OSSEAL��.

policy ��

�� policy� �� , ��

�� . Tivoli Access Manager for

Operating Systems� �� policy �� policy

� �� . �� policy �� . �

� policy �� policy� �� .

policy �� /OSSEAL �� . ��

� policy �� . � �� policy ��

/OSSEAL/policy-branch�� .

�� (��, ��

�� )� �� . � �� policy ��

� ��.

/OSSEAL/Servers/OSSEAL/Workstations/OSSEAL/Test

��

policy �� . � ��

� �(: � � ��) �� (: Sudo ��, ��

� � � �)� ��. � �� .

� ��, �� /OSSEAL/ policy-

branch/File� �� .

� 2 � Policy 9

��, �� TCB(Trusted Computing Base) ��

�� .

/OSSEAL/policy-branch/TCB/Secure-Files

��

� �� . � � ��

�� . � ��, � �� . �

�� .

� �� , �� . ��

�� , �� . � � ��

�� .

��

�. � �� . � ��

� �� . 29 ��

�� .

��

� �� .

� ��, .log� �� www� ��

� �� . � 1��

��.

� 1. � ��

��

* �� (��(/) � �)� ��.

? �� .

+ �� .

[set of characters] � �� . � �� POSIX �

�� . � ��, [a-z]� a - z ��

�� ASCII �� .

� �� .

��(\)� �� . � ��

�� (\\)� �� . � 2��

�� .

� 2. � ��

��

a* a

aa

a quick brown fox

ba

q a

over the dog


� 2. � �� (��)

��

a\* a* ab

a? aa

al

a

aaa

/usr/local/*.log /usr/local/x.log

/usr/local/app/x.log

/usr/local/x.log.1

*.charity.org www.charity.org

ftp.charity.org

www.charity.org.com

[[:alpha:]]+ abcd

ABCD

/abcd

tty0

* *

(��

��)

a b

abcde ghijk lmnop

abcd

the empty string

��

� �� Tivoli Access Manager for

Operating Systems� � � �� . � ��, ��

�� .

/usr/local/*.log

�

/usr/local/user1/*.log

/usr/local/user1/x.log �� .

� �� . ��

� � ��. � �� /usr/local/user1/x.log�

/usr/local/*.log �� /usr/local/user1/*.log ��

��. �� , � �� policy� ��

��.

� 3�� . ��

�� .

� 3. � ��

��

1 �� a, \*, \\

2 � �� [Aa], [[:digit:]]

3 �� ?

4 �� a+

5 �� [Aa]+, [[:digit:]]+

6 �� ?+

7 �� *

� 2 � Policy 11

�� , ��

�� . � �� . ��

� �� .

�� , �� (*)� �

� �� .

��

� 4��

� �� .

� 4. � ��

��

1 log/0[0-9]/error www.[a-z]tv.com

2 log/0?/error www.?tv.com

3 log/0*/error www.*tv.com

4 log/[0-9]+/error.1 www-help.[a-z]+v.com

5 log/*/error.1 www-help.*v.com

6 log*/error.1 www-help.*.com

7 log*/error www.*.com

8 log*/error* *www.*.com

9 log* *.com

10 * *

� �� , ��

�� . ��

� �� . � ��

�� , �� .

��

Tivoli Access Manager� �� .


ACL(Access Control List)� �� ID � ��

�� .

POP(Protected Object Policy)

POP(Protected Object Policy)� �� (: �� ) � ��

�(: �� )� ��

� ��.


ACL � POP� �� . ��

�(�� )� �� .


�� . � �� policy ��

� �� . Tivoli Access Manager

for Operating Systems� � �� . �� (ACL �

� POP� �� )� �� . � ��, �

� pdadmin ��

pdadmin> object create /OSSEAL/Servers/File/etc/passwd "Password file" \3 ispolicyattachable yes

� /etc/passwd � � ″�� ″, �� 3(� � � ��

policy� �� )� �� Tivoli Access Manager

for Operating Systems � �� . �� pdadmin

�� IBM Tivoli Access Manager ��

�.

Tivoli Access Manager� � �� policy ��

�� . ��

�� policy �� , ACL � POP� � � ��

��. Tivoli Access Manager for Operating Systems� ��

�� ACL � � ,

Access-Restrictions� ��. ��

�� POP ��

(audit_permit_actions � audit_deny_actions)� ��. �� Holiday, Login

Activity, Password Management � Sudo ��

��. 50 �� policy� � 65 �� Sudo policy��

�� . � ��


��.


Tivoli Access Manager �� ACL(Access Control List)� ��

� �� . �� ID� ��

�� .

ACL� ACL �� . � ACL ��

��. �� .

accessor : permission-set

� 2 � Policy 13

�� ACL� ��

��. � ��, x �� . Tivoli

Access Manager for Operating Systems� �� 15 ��

� 5� �� . �� ACL �� . ��

� �� .

user � �� ACL ��

��. �� . � �

� �� Tivoli Access Manager �� . ��

ACL �� x �� .

user root : x

�� ACL �� . ��

�� x �� ACL �� . �

��, �� y �� ACL ��

�� ACL� �� y �� . �

�� ACL� � �� ACL ��

�� .

group � �� ACL

�� . �� . � �

�� Tivoli Access Manager �� . �� ACL �

�� y �� .

group users : y

�� ACL ��

� �� . � ��, ��

kevin� users � sys-admin �� net-admin ��

�� , �� ACL �� kevin�� a � b �� c

�� .

group users : agroup sys-admin : bgroup net-admin : c

� �� ACL� � �� ACL ��

�� .

any-other

�� ACL �� ACL �� ACL �

� � ��

�� . � ��

�� . �� q �� ACL� ��

�� .


any-other : q

ACL� � �� any-other ACL �� .

unauthenticated

�� ACL �� . 3

�� UNIX ID � Tivoli Access Manager �� ID��

IBM Tivoli Access Manager for Operating Systems� ��


Manager �� Tivoli Access Manager ��

�� . �� p ��

��.

unauthenticated : p

ACL� � �� ACL �� . ��

��

�. �� ACL �� ACL ��

� �� , �� . �� p ��

�� ACL� �� p �

�� .


�. ACL �� ACL ��

� �� . ��

ACL� �� .

�� Tivoli Access Manager �� . ��

��, �� , ��

��. �� . �� Tivoli Access Manager for

Operating Systems �� OSSEAL �� . OSSEAL

�� IBM Tivoli Access Manager for Operating Systems� �

�� . � 5� Tivoli Access Manager for

Operating Systems� �� . � ��

� � ��.

� 5. OSSEAL ��

��

C �� NetIncoming � NetOutgoing

D �� File

G �� Surrogate

K Kill �� File

L �� Login

N �� File

� 2 � Policy 15

� 5. OSSEAL �� (��)

��

R �� File

U �� File

d �� File

l �� File

o �� File

p �� File

r �� File

w �� File

x �� File � Sudo

Tivoli Access Manager� policy ��

��. Tivoli Access Manager� � �� policy� ��

� ��. � �� . policy �� 6

� �� .

� 6. policy �� Tivoli Access Manager ��

��

a ACL �� POP ��

b ��

c ACL ��

d ��

m ��

v ��

� �� IBM Tivoli Access Manager Base Administration Guide

� �� .

� 7� �� Tivoli Access

Manager �� .


��

B POP(Protected Object Policy) ��

T ��

R ��

B �� POP policy� ��. � ��, ��

�� . policy ��



�� . �� POP �� 26

�� POP(Protected Object Policy)�� .

T ��

� ��. �� 24 �� .

R �� . ��

� �� Tivoli Access Manager �� .

�� . �

� �� , �� . IBM Tivoli Access Manager

for Operating Systems� �� ACL �� .

user root: T[OSSEAL]rwx

�� Tivoli Access Manager for Operating Systems ��, ��, �

� �� . �� Tivoli

Access Manager for Operating Systems� ��

�� . � ��, Tivoli Access Manager WebSEAL� r� ��

�� WebSEAL� �� . ��

�� .

Br[OSSEAL]wx �� ACL �� IBM Tivoli Access Manager

for Operating Systems �� ACL� ��

� �� .

��


� �� ACL� ��. ��

�� Access-Restrictions��. �� ID, ��

� ��, �� .

� �� ACL� �� . �

�� ACL ��

��.

Access-Restrictions �� (: �� )�

��.

��

�� , ��

�� policy� �� . ��

��

�� , �� .

� 2 � Policy 17

��

�� , ��

�� policy� �� . ��

�� . ��

� �� , ��

�� .

� � ��

��.

�� File, NetIncoming, NetOutgoing, Login �� Surrogate

�� ACL� � �� . �� pdossudo

�� Sudo �� .

Sudo policy � pdossudo �� 65 �� Sudo policy��

��.

�� Access-Restrictions �� .

rule : accessor : permission-set : program-set

� � �� . �� permit �� deny��. � �

�� . � �� permit ��

��.

�� . �� ACL �

�� (��, �, �� )� � ��.

�� ACL �� . �, ��

� �� Tivoli Access Manager �� [OSSEAL] ��

�� . �� . �

� ��

�� . � ��, �

� � �� , r � w ��(� �� )� ��

��. �� *� �� OSSEAL ��

� �� .

�� .

�� (� � �� )��

��

��. ��

�� , ��

�� . ��

� ��. ��


� �� . permit �� ACL�

�� . �� Trusted Computing Base�

��. Trusted Computing Base� �� 37 �� Trusted Computing

Base �� . �� *� ��

�� .

�� (� � ��)��

� �� . ��

� �� , ��

�� . ��

�� , ��

�� . �� *� ��

�� . ��

�� Trusted Computing Base� �� .

� � ��

��.

��

�� Access-Restrictions �� ID, ��

� �� , ��

� � ��. �� AccessRestrictions �� ACL� �

�� .

v ��

� �� .

deny : accessor : permission-set : program-set

v ��

�� .

permit : accessor : permission-set : program-setaccessor : permission-set : program-set

v ��

�� .

deny : accessor : * : program-set

v ��

�� .

permit : accessor : * : program-setaccessor : * : program-set

v ��

�.

� 2 � Policy 19

deny : accessor : permission-set : *

v �� .

permit : accessor : permission-set : *accessor : permission-set : *

v ��

��.

deny : accessor : * : *

v �� .

permit : accessor : * : *accessor : * : *

��

�� ACL �� . ��

�� ACL� �� Access-Restrictions �� ACL�

��

��. Access-Restrictions �� (��

�) �� . ″�� ″ ��

� �� . ��

�� , �� ACL� ��

�� .

�� , � � �� . �

� ��

�� . � ��, �

� � �� , r � w ��(� �� )� ��

��. *� ��

� ��.

v �� .

– ��

�� *� �� ,

�� .

– ��

�� *� ��

�, �� .

– ��

��

�� *� �� ,

�� .


v �� , � ��

� ��.

– ��

� �� *� ��

� �, �� .

– ��

� �� *� ��

� �, �� .

– ��

��

�� *� �� ,

�� .

v �� , ��

�� .

– �� *�

�� , �� .

– �� *�

�� , �� .

– ��

�� *� ��

�� , �� .

�� , �� . �

� ��

��

��.

v ��

� *� �� , �� .

v ��

� *� �� , �� .

v ��

� �� *� ��

�� , �� .

Access-Restrictions �� , �� ACL

� �� .

� 2 � Policy 21

� ��, �� Access-Restrictions �� . �� ACL

� �� ACL� � ��

�.

permit : user root : r : *permit : group MgmtB : * : *permit : group ProjectB : rw : /opt/projectB/bin/applicationYdeny : group RestrictAccess : * : *deny : any-other : * : *

�� .

��

�� .

root �� , root ��

� �� . ��, root ��

� �� (: �� )� �� , ��

� �� . � �, root ��

�� r� �� w� �� .

RestrictAccess �� ProjectB � ��

/opt/projectB/bin/applicationY �� /��

�� . �� RestrictAccess ��

�� ProjectB ��

��.

ProjectB �� RestrictAccess ��

/opt/projectB/bin/applicationY �� /��

�� . �� (: �� )� ��

��

��. � �, ProjectB � �� r� ��

� �� o� �� .

MgmtB �� RestrictAccess ��

�� .

��

�� . ��

�� . � ��, Access-Restrictions �� root ��

�� . ��

� �� , �� Access-Restrictions �� ACL� �� ACL

�� . root �� ,

� �� ACL �� root ��


�� . �� ACL ��

� �� , root ��

��.

��

�� AIX�� Tivoli Access Manager for Operating Systems�

policy-branch �� Servers� �� .

�� 1: � �� /etc/passwd � � �

� �� , sys-admin ��

/usr/bin/passwd �� .

1. �� (any-other) � �� rw ��

� �� ACL� ��.

pdadmin> acl create passwdpdadmin> acl modify passwd set any-other T[OSSEAL]rwpdadmin> acl modify passwd set unauthenticated T[OSSEAL]rw

2. �� ACL� �� Access-Restrictions

�� .

a. �� sys-admin ��

� �� .

pdadmin> acl modify passwd set attribute \Access-Restrictions "group sys-admin:rw:*"

b. ��

(any-other) � ��

� ��.

pdadmin> acl modify passwd set attribute \Access-Restrictions "any-other : r : *"

pdadmin> acl modify passwd set attribute \Access-Restrictions "unauthenticated : r : *"

c. /usr/bin/passwd ��

(any-other) � ��

� ��.

pdadmin> acl modify passwd set attribute \Access-Restrictions "any-other : rw : /usr/bin/passwd"

pdadmin> acl modify passwd set attribute \Access-Restrictions "unauthenticated : rw : /usr/bin/passwd"

3. /etc/passwd � � �� passwd ACL� ��

� �� .

pdadmin> object create /OSSEAL/Servers/File/etc/passwd "passwd file" 3 \ispolicyattachable yespdadmin> acl attach /OSSEAL/Servers/File/etc/passwd passwd

� 2 � Policy 23

�� 2: � ��

�� .

v top-admin ��

�� .

v app-admin� �� ftpd� ��

�� .

v �� telnetd� ��

��.

v �� .

1. �� (any-other) �� (L)� ��

�� ACL� ��.

pdadmin> acl create remote-loginpdadmin> acl modify remote-login set any-other T[OSSEAL]Lpdadmin> acl modify remote-login set unauthenticated T[OSSEAL]

2. � ��

�� ACL� �� Access-Restrictions ��

� �� .

a. �� sys-admin ��

�� .

pdadmin> acl modify remote-login set attribute \Access-Restrictions "permit : group sys-admin : L : *"

b. /usr/sbin/ftpd �� app-admin� ��

� �� . ��

��.

pdadmin> acl modify remote-login set attribute \Access-Restrictions "deny : group app-admin : L : /usr/sbin/ftpd"

c. /usr/sbin/telnetd �� (any-other)

� �� .

pdadmin> acl modify remote-login set attribute \Access-Restrictions "permit : any-other : L : /usr/sbin/telnetd"

3. �� ACL� ��

�� .

pdadmin> object create /OSSEAL/Servers/Login/Terminal/Remote "remote login" 3 \ispolicyattachable yespdadmin> acl attach /OSSEAL/Servers/Login/Terminal/Remote remote-login

��

Tivoli Access Manager �� ACL� ��

��.


� �� . � ��, �� project01

�� , � �� /OSSEAL/default/

File/project01 � ��. ACL� ��

/project01 �� ACL� ��

�� project01�� ACL� ��.

�� ACL� ��

policy� � � �� .

�� . �� ACL� ��, Tivoli Access Manager

for Operating Systems� ACL� ��

�. � �� .

v � �� , Tivoli Access Manager for Operating Systems�

� �� ACL(�, �� ACL)� ��

�� . �� Tivoli Access Manager for Operating Systems� �

� � �� Tivoli


��.

v Tivoli Access Manager for Operating Systems� �� ACL� net_ACL_limited

�� policy �� /OSSEAL/branch/NetIncoming �

/OSSEAL/branch/NetOutgoing ��

�(133 �� policy� �� ACL �� ). �� Tivoli

Access Manager for Operating Systems� ACL� ��

��

�� .

� ��, �� /OSSEAL/default/NetIncoming/tcp/

telnet/www.company.com� �� .

�� ACL� �� , Tivoli Access Manager for

Operating Systems� /OSSEAL/default/NetIncoming/tcp/telnet� �� ACL

� �� . �� ACL� �� , Tivoli Access Manager for

Operating Systems� /OSSEAL/default/NetIncoming/tcp� �� ACL� ��

��. Tivoli Access Manager for Operating Systems� policy ��

� �� ACL� �� , �� ACL(/OSSEAL/branch/

NetIncoming)� �� , �� ACL ��

�� .

policy �� , Tivoli Access Manager for Operating Systems� � �

�� ACL� ��. � � �� ACL� ��

ACL� ��. � ��, �� .

� 2 � Policy 25

v �� /OSSEAL/servers/File/usr/games/solitaire� �

�� . solitaire �� usr � games� ��

��.

v �� ACL� usr ��

� �� ACL� solitaire� ��.

v �� , usr�� games �� ,

solitaire� usr �� ACL� �� ACL ��

�� .

� �� ACL� �� ACL� ��

� Tivoli Access Manager Traverse ��(T)� ��. ��

��, �� ACL

� �� . ��

�� . �� , �� usr� �� ACL� ��

�� solitaire� �� ACL� �� . ACL� games�

�� ACL� �� .

POP(Protected Object Policy)Tivoli Access Manager� POP(Protected Object Policy)��

�� . POP� �� ID ��

� �� . �� POP� ��

� ��. ACL� �� POP� �� Tivoli

Access Manager �� . POP� ACL� � �

�� .

POP� ACL� �� . ��

�� . �� ACL��

� �� POP�� . ��

� solitaire �� , �� POP� ��

�� . �� ACL� �� solitaire� ��

�� games� �� POP� �� .

POP �� . Tivoli Access Manager for Operating

Systems� �� , � �� . �� IP ��

�� .

�� POP ��

POP� �� policy� �� .


��

�� policy� �� . ��

yes� �� POP� �� . �

� �� ACL� �� , ��

�� . ACL� ��

�� ACL� ��

�� policy� �� . � ��

� �� POP� � �� . ��

�� 231 �� , ��

�� .

��, �� .

��

� ��

��. � �� .

permit

�� , �� .

deny �� , �� .

admin

Tivoli Access Manager for Operating Systems �� .

error Tivoli Access Manager for Operating Systems �� .

all �� .

none �� . ��.

�� , ��

�� POP�� .

�� audit_permit_actions � audit_deny_actions��. ��

�� .

audit_permit_actions permission-setaudit_deny_actions permission-set

Permission-set� ACL �� . ��

Tivoli Access Manager for Operating Systems �� . [OSSEAL] �

�� .

audit_permit_actions � audit_deny_actions �� POP ��

� � �� .

� 2 � Policy 27

�� audit_permit_actions� POP

�� , ��

�� . ��

� � � �� .

�� audit_deny_actions� POP�

� �� , ��

�� . ��

� � � �� .

� � �� 225 ��

��. � �� Tivoli Access Manager ��

��.

��

�� . ��

� �� .

day-range : time-range [:utc | local]

��,

day-range

anyday, weekday� sun, mon, tue, wed, thu, fri �� sat� ��

� ��. anytime ��

��. weekday ��

�� . � ��

�� .

time-range

anytime �� . anytime ��

� �� .

start_hhmm-end_hhmm �� , start_hhmm� � �

�� end_hhmm� �� . �� 24�

� �� .

utc �� UTC(Universal Coordinated Time)� ��

� ��.

local ��

�� . ��.

��, �� , �� .


��

� �� Tivoli Access Manager for Operating Systems ��

�� . �� , policy ��

�� . ��

TCB(Trusted Computing Base)� �� TCB ��

� ��.

�� policy

Tivoli Access Manager for Operating Systems� � ��

� �� . � �� .

v �

v ��

v ��

v ��

v ��

� �� policy� � � � ��

��. � �� .

v �� ID� ��

�� . �� .

v TCB� ��

�� . TCB� �� TCB �� .

�� .

��

� ��

�� Tivoli Access Manager �� .

/OSSEAL/policy-branch/File/filespec

� 8� � �� .

� 8. � ��

��

filespec � ��

��. ��

� �� . ��

� � �� .

UNIX � ��

�

��

� � � �� .

� 2 � Policy 29

/OSSEAL/Default/File/etc/passwd/OSSEAL/Default/File/usr/local/*/*.log/OSSEAL/Default/File/usr/sbin/httpd

� �� .

v �� (/)� �� . Tivoli Access Manager for

Operating Systems� �� /OSSEAL/policy-branch/File�

�� . � ��

ACL� � �� (/)� �� ACL ��

��.

v � � � � �� (: /*.log �� /*/tmp)� ��

��. �� .

�� .

�� : � �� Tivoli Access Manager for

Operating Systems �� 9� �� .

Tivoli Access Manager ACL� ��

�� . � Tivoli Access Manager ACL ��

�� . �� (T) �� .

�� ACL �� (: /OSSEAL/policy-

branch/File)��. Tivoli Access Manager for Operating Systems� ��

� �� (� ��)� �� ACL� �� . �

�� ACL �� . �, �

�� ACL� � ��

�� (/)� �� .

�� policy� ��, /OSSEAL/policy-branch/

RootDir �� policy(ACL � POP)� ��. ��

�� 31 �� .

� 9� � �� ACL ��

��.

� 9. � ��

��

Read(r) �� .

Write(w) �� .

Create(N) �� .

Execute(x) � �� .

Chown(o) � �� .


� 9. � �� (��)

��

Chmod(p) � �� UNIX � �� .

�� UNIX ��

�� ACL� �� .

Chdir(D) �� (��

�).

Rename(R) � �� (�� )��.

Delete(d) � �� .

Utime(U) � �� .

Kill(K) � �� .

List(l) �� .

�� UNIX ��

��. � �� .

v Kill(K) ��

� /OSSEAL/policy-branch/File/unix� ��.

v �� (R) �� . � ��

� �, ��

�� . �� , ��

� �� . � ��, �� ,

log.1 log.bak

�� ,

$ mv log.1 log.2

log.1 � � �� log.2� �� . �

� �� ,

$ mv log.1 log.bak

�� log.bak � � � �� .

v �� (p) �� UNIX ACL� ��

�. �� .

v ��(x) �� . UNIX ‘x’ � ��

�� . Tivoli Access Manager for Operating Systems

�� (D) � �� (T) ��

�� .

�� : �� (/)� ��

/OSSEAL/policy-branch/RootDir �� .

� 2 � Policy 31

�� (/)� �� policy� ��, /OSSEAL/policy-branch/

RootDir �� policy(ACL � POP)� ��.

RootDir �� ACL � POP� �� , ��


��. � �� policy� RootDir �� policy��

�� . �� policy� ��

�� .

v RootDir �� policy� ��

��. RootDir� �� policy� � �� policy� ��

�� . � ��, ��


(: /tmp � /home)� �� .

v RootDir �� . ��

/OSSEAL/policy-branch/RootDir object��

/var/pdos/log/msg__pdosd.log� ��.

v � �� , RootDir �� ACL � POP

� �� .

�� (/)� �� policy� �� . ��

� � �� policy� ��

��. �� (any-other)��

��

��

� � �� policy� �� . policy�

admin ��

�� . ��, �� /tmp ��

�� . � ��, �� system��.

pdadmin> object create /OSSEAL/system/RootDir "root dir" \ispolicyattachable yespdadmin> acl create rootdir_aclpdadmin> acl modify rootdir_acl set unauthenticated T[OSSEAL]Dlrpdadmin> acl modify rootdir_acl set any-other T[OSSEAL]Dlrpdadmin> acl modify rootdir_acl set group admin T[OSSEAL]DKNRUdloprwxpdadmin> acl attach /OSSEAL/system/RootDir rootdir_aclpdadmin> object create /OSSEAL/system/File/tmp "tmp dir" 0 \ispolicyattachable yespdadmin> acl create tmpdir_aclpdadmin> acl modify tmpdir_acl set unauthenticated T[OSSEAL]DNRUdloprwxpdadmin> acl modify tmpdir_acl set any-other T[OSSEAL]DNRUdloprwxpdadmin> acl attach /OSSEAL/system/File/tmp tmpdir_acl

�� : � ��

��. �� , Tivoli Access Manager for Operating Systems

� �� . � �� .


v ��

v ��

v ��



policy� �� .


�� .

v �� .

v � ��

��.

�� .

�� : ��, �� policy� ��

� �� . �� .

v �� . �� , ��

� �� , � � ��

�� policy� � ��. ��


v �� . �� , ��

�� , � ��

�� policy� � ��.

v �� . ��

� �� , ��

�� . ��

� ��

�� .

�� : �� policy �� .

�� 1: ACL� �� .

/usr/bin/vi

/usr/local/bin/vi

� � �� .

/usr/bin/vi

� 2 � Policy 33

�� vi� �� /usr/bin/vi

� �� ACL� �� . �� ACL� /usr/local/bin/vi� ��

�� vi� �� . ��

/usr/local/bin/vi� ��.

ACL� /usr/bin/vi� /usr/local/bin/vi �� /usr/bin/vi ��

�� /usr/bin/vi� �� ACL� ��. /usr/local/bin/vi

�� ACL �� .

�� 2:

/home/joe/data

� �� .

/home/joe/data.link

� ACL� �� . ACL� ��

/tmp/data/joe_data

�

/home/joe/data

� �� .

�� .

v /home/joe/data �� , � �� ACL ��

�� .

v � �� , � �� ACL ��

��.

v ACL� �� /home/joe/data� �� , � � /home/joe/data� ��

�� ACL� ��.

v � �� , � ACL� � � ��

ACL� ��.

v �� , ��


�� .

�� 3: ��

�� . ��

�� , ��

�� . ��

�� , ��

�� . �� .


��

/home/joe/data

� ACL� �� ,

/tmp/data/joe_data

� /tmp/data� ACL� �� /home/joe/data� ��

�.

v � � �� , �� ACL� ��.

v � � /tmp/data/joe_data �� , � �� ACL ��

��.

�� 4: �� /home/joe/data� /home�� ACL� ��

/tmp/data/joe_data� �� ACL� �� /tmp/data/joe_data� /home/joe/data

� �� .

�� , � �� ACL ��

��.

�� policy� � ��

��. ��

�� . �� , �� Tivoli

Access Manager for Operating Systems ��


��

�� .

�� : ��

��. � �� . ��

��

��. �� , ��

� �� . �� .

v �� , ��

��.

v ��

�� , ��

� ��.

v ��

�� .

�� : �� policy �� .

� 2 � Policy 35

�� 1: /home/joe/data� ACL� �� /home/data� �� ACL

� �� /home/data/joe_data� /home/joe/data� ��

��.

/home/joe/data� �� /home/joe/data� �� ACL� ��

��.

/home/data/joe_data� �� /home/joe/data� �� ACL�

��.

�� 2: �� ACL� �� /home/joe/data� � �� ACL� ��

/home/data/joe_data.1� /home/data/joe_data.2� �� /home/joe/data� �

� �� .

/home/joe/data� �� ACL �� .

/home/data/joe_data.1 �� /home/data/joe_data.2� ��

� �� ACL� ��.

� � �� UNIX � �� , Tivoli

Access Manager for Operating Systems� � ��

��. �� .

N � ��

R � ��

r � ��

w � ��

�� , �� .

�� : �� (: ��

��)� ��. ��

� �� . � ��

�� . ��

��.

v �� , ��

��.

v ��

� �� , ��

�� .

v �� , ��

�� .


NFS �� : Tivoli Access Manager for Operating Systems

policy� NFS �� . �

�� NFS ��

��.

� ��, NFS �� NFS �� /usr/tools/bin� � � ��

�� /usr/shared/hrtools/bin�� .

payroll �� NFS ��

/usr/tools/bin/payroll � �� . � policy�

NFS � � �� Tivoli Access Manager for Operating

Systems �� . ��,

� �� NFS �� .

��, /usr/shared/hrtools/bin/payroll� NFS ��

�� NFS � �� NFS ��

�.

NFS� �� NFS ��

�� NFS ��

� �� . � ��, Tivoli Access Manager for Operating Systems policy�

NFS �� NFS �� , � � ��

�� NFS �� . ��

, NFS ��

�� . �

� � �� (: �� )� �� .

Trusted Computing Base ��

Tivoli Access Manager for Operating Systems� �� Trusted Computing

Base� �� . Trusted Computing Base� ��

�� , UNIX � ��, �� , ��

�� , � � �� . ��

�� .

Tivoli Access Manager for Operating Systems� TCB(Trusted Computing Base)

� �� . Trusted Computing Base

� �� , � ��


� �� . �� , Tivoli Access Manager

for Operating Systems� �� dosobjsig

��

�� .

�� TCB � �� .

� 2 � Policy 37

v Secure-Files

v Secure-Programs

v Login-Programs

v Impersonator-Programs

v Immune-Programs

v Immune-Surrogate-Programs

� � � �� Trusted Computing Base � �� . ��

� � �� .

� � �� Tivoli Access Manager policy �� Trusted

Computing Base� ��. Tivoli Access Manager for Operating Systems�

/OSSEAL/policy-branch/TCB � ��

� �� policy� ��. � � ��

� �� Trusted Computing Base� �� .

� ��, �� /etc/hosts.equiv � � Secure-File

� ��, �� pdadmin �� .

1. hosts.equiv TCB� ��.

pdadmin> object create /OSSEAL/Workstations/TCB/Secure-Files/etc/hosts.equiv \"Host equivalents" 0 ispolicyattachable yes

2. hosts.equiv �� .

pdadmin> acl create hosts-equivpdadmin> acl modify hosts-equiv set user root T[OSSEAL]NRUdoprwpdadmin> object create /OSSEAL/Workstations/File/etc/hosts.equiv

"hosts equiv file" 3 ispolicyattachable yespdadmin> acl attach /OSSEAL/Workstations/File/etc/hosts.equiv hosts-equiv

� �� Access-Restrictions ��

�� ACL� �� . ��

�� Trusted Computing Base ��

Trusted Computing Base� ��.

�� Trusted Computing Base� ��

� ��. �� , � � �� . � � ��

�� . � ��

� � �� .

v � � �� pdadmin� object create �� Trusted Computing

Base� �� .

v � � �� .

v �� .


v �� (: ��)� ��

� �� .

v � � Trusted Computing Base � � �� , �

� �� .

v � � Trusted Computing Base � � ��

�� , �� .

v ��

��. � � �� pdosobjsig �� . 286 ��

�pdosobjsig��

�� Trusted Computing Base �� .

Login-Programs

UNIX �� . Tivoli


� �� . �� Trusted

Computing Base � � �� Login-Programs ��

��. �� Tivoli Access Manager for Operating Systems ��

�� Login-Programs� �� . � ��

�� , �� (FTP,

RLOGIN, TELNET, REXEC, RSH, SSH)� UNIX ��

��.

�� Login-Programs ��

�, � �� 10� �� IBM Tivoli

Access Manager for Operating Systems� � � ��

� �� . ��, Login-Programs� ��

� Tivoli Access Manager for Operating Systems� ��

� � � �� . �� ,

�� .

� 10. IBM Tivoli Access Manager for Operating Systems� � ��

��

AIX /usr/dt/bin/dtlogin

/usr/sbin/ftpd

/usr/sbin/getty

/usr/sbin/login

/usr/sbin/rexecd

/usr/sbin/rlogind

/usr/sbin/rshd

/usr/sbin/sshd

/usr/sbin/telnetd

/usr/sbin/tsm

� 2 � Policy 39

� 10. IBM Tivoli Access Manager for Operating Systems� � �� (��)

��

HP-UX /usr/bin/login

/usr/bin/tsm

/usr/dt/bin/dtlogin

/usr/lbin/ftpd

/usr/lbin/remshd

/usr/lbin/rexecd

/usr/lbin/rlogind

/opt/ssh/sbin/sshd

/usr/lbin/telnetd

/usr/sbin/getty

/usr/sbin/tsm

Solaris /usr/bin/login

/usr/dt/bin/dtlogin

/usr/lib/saf/ttymon

/usr/sbin/in.ftpd

/usr/sbin/in.rexecd

/usr/sbin/in.rlogind

/usr/sbin/in.rshd

/usr/local/sbin/sshd (freeware)

/usr/lib/ssh/sshd (Solaris)

/usr/sbin/in.telnetd

Linux /bin/login

/sbin/getty

/sbin/mingetty

/usr/bin/gdm

/usr/bin/gdmlogin

/usr/bin/kdm

/usr/sbin/in.ftpd

/usr/sbin/in.rexecd

/usr/sbin/in.rlogind

/usr/sbin/in.rshd

/usr/sbin/sshd

/usr/sbin/in.telnetd

/usr/sbin/in.tftpd

/usr/sbin/in.wuftpd

/usr/sbin/wu.ftpd

/usr/X11R6/bin/xdm

/usr/sbin/vsftpd

/opt/gnome2/bin/gdm

/opt/kde2/bin/kdm

/opt/kde3/bin/kdm

�� sshd� ��

Tivoli Access Manager for Operating Systems �� sshd

� �� , �� .

v �� sshd� �� pdosobjsig

� �� sshd� �� .


# ln -sf /expected_path/sshd /actual_path/sshd# pdosobjsig -u /expected_path/sshd -s trusted

v pdadmin� �� sshd� ��

�� OSSEAL �� .

# pdadmin -a sec_master -p passwdpdadmin> object create \/OSSEAL/policy_branch/TCB/Login-Programs/actual_path/sshd \"sshd-daemon" 2 i yes

Linux, Solaris � HP-UX� �� PAM(Pluggable Authentication

Modules)� �� sshd �� PAM� ��

� �� . � �� sshd �� ldd ��

libpam �� .

�� sshd� �� Tivoli Access Manager for

Operating Systems �� policy� �� . pdosd.conf� ��

�� . �� policy ��

, pdoscfg� �� .

# cat /opt/pdos/etc/pdosd.conf | grep login login-policy = off# pdoscfg -login_policy on

Secure-Files

�� . ��

�� . IBM Tivoli Access Manager for Operating Systems

� �� Tivoli Access Manager for Operating Systems �

� Secure-Files� ��. Secure-Files� ��

��.

Secure-Programs

�� UNIX �� UNIX ��

�� UNIX �� . �� ID ��

�� ID �� su, mail �� telnet� ��

�� . �� , �� UNIX ID

� ��, ��


�� . � ��, � �� UID ��

�� . ��

�� . �� 62 �� policy�

� ��.

Trusted Computing Base � � Secure-Programs ��

�� UNIX ID� �� policy��

�. �� UNIX �� ID� � �

, �� policy� ��. �� UNIX ID � � ��

� 2 � Policy 41

�� policy� �� . Tivoli

Access Manager for Operating Systems policy� ��

�� .


Secure-Program�� su ��

�. �� policy� ��, ��

�� TCB � � Secure-Programs ��

� �� ID �� GID � � �� . 311 ��

�pdosuidprog�� pdosuidprog �� UID

� �� GID �� .

�� IBM Tivoli Access Manager for Operating Systems ��

Secure-Programs� ��.

/opt/pdos/bin/pdosdestroy/opt/pdos/bin/pdoslpadm/opt/pdos/bin/pdosrefresh/opt/pdos/bin/pdossudo/opt/pdos/bin/pdosunauth/opt/pdos/bin/pdoswhoami/opt/pdos/bin/pdoswhois/opt/pdos/sbin/kosserrs/opt/pdos/bin/pdosshowuser/opt/pdos/bin/rc.lpm

Immune-Surrogate-Programs

Immune-Surrogate-Programs �� policy� ��

�� . � ��

�� (�� UID �� GID ��

�� )� �� (setuid()/setgid() ��

��) �� policy� ��

�. Tivoli Access Manager for Operating Systems policy� ��

�� .

Immune-Surrogate-Programs �� Secure-Programs ��

�� Secure-Programs ��

� ��. � ��, � �� UID ��

�� UNIX ID � �� . ��

Surrogate-to-root policy� ��

Surrogate-to-root policy� ��

�� . Secure-Programs ��

�� UNIX ID�� policy ��

�� . �� Immune-Surrogate-Programs��

�� .


Impersonator-Programs

UNIX ��

�� (: cron)� ��.

�� , �

�� ID� ��. ID ��

� �� Tivoli Access Manager for

Operating Systems �� ID� ��


TCB(Trusted Computing Base)� Impersonator-Programs ��

�� Tivoli Access Manager for Operating Systems��

�� UNIX �� ID� � � ��

�� ID� �� . �� policy� ��

(: cron), ��

� ��. cron� ��

Access-Restrictions �� .

�� IBM Tivoli Access Manager for Operating Systems� �

�� Impersonator-Program� cron ��.

Immune-Programs

�� , ��


policy� �� , �� . ��

�� Trusted Computing Base� Immune-Programs� ��

� �� Tivoli Access Manager for Operating Systems policy��

�� . ��

� ��

Tivoli Access Manager for Operating Systems �� policy��

�. � �� . ��

�� .

��

��. Tivoli Access Manager for Operating Systems� 44 ��

11� �� policy� �� . ��

�� , �� ID ��

��.

� 2 � Policy 43

� 11. �� policy� Immune-Programs� ��

��

AIX /usr/bin/AIXPowerMgtDaemon

/usr/ccs/bin/shlap

/usr/ccs/bin/shlap64

/usr/lib/errdemon

/usr/lpp/diagnostics/diagd

/usr/sbin/automountd

/usr/sbin/biod

/usr/sbin/nfsd

/usr/sbin/rpc.lockd

/usr/sbin/rpc.statd

/usr/sbin/syncd

/usr/sbin/syslogd

HP-UX /usr/lib/netsvc/fs/autofs/automountd

/usr/lib/netsvc/fs/automount/automount

/usr/sbin/biod

/usr/sbin/nfsd

/usr/sbin/pwgrd

/usr/sbin/rpc.lockd

/usr/sbin/rpc.statd

/usr/sbin/syncer

Solaris /usr/lib/autofs/automountd

/usr/lib/nfs/lockd

/usr/lib/nfs/nfsd

/usr/lib/nfs/statd

/usr/sbin/rpcbind

/usr/sbin/syslogd

Linux /sbin/klogd

/sbin/portmap

/sbin/rpc.lockd

/sbin/rpc.statd

/sbin/syslogd

/usr/sbin/apmd

/usr/sbin/automount

/usr/sbin/rpc.quotad

/usr/sbin/rpc.mountd

/usr/sbin/rpc.nfsd

� 11� �� Tivoli Access Manager for

Operating Systems �� Immune-Programs� ��

�.

/opt/pdos/bin/pdosauditd/opt/pdos/bin/pdosaudview/opt/pdos/bin/pdosbkup/opt/pdos/bin/pdoscfg/opt/pdos/bin/pdosctl/opt/pdos/bin/pdosd/opt/pdos/bin/pdosexempt


/opt/pdos/bin/pdoslpmd/opt/pdos/bin/pdosobjsig/opt/pdos/bin/pdosrevoke/opt/pdos/bin/pdosteccfg/opt/pdos/bin/pdostecd/opt/pdos/bin/pdostecucfg/opt/pdos/bin/pdoswdd/opt/pdos/bin/pdoslrd/opt/pdos/bin/pdoslrdadm

�� Tivoli Access Manager for Operating Systems � � �

Immune-Programs� ��.

/opt/pdos/kernel/kossd/opt/pdos/sbin/ossdump.sh/opt/pdos/sbin/kazntrace/opt/pdos/sbin/kossdump.sh/opt/pdos/sbin/kosserrs/opt/pdos/sbin/kossinfo/opt/pdos/kernel/kossctl

Immune-Programs, Secure-Programs �� Immune-Surrogate-Programs ��

�� .

v Immune-Programs �� , �� Tivoli

Access Manager for Operating Systems policy ��

�. Tivoli Access Manager for Operating Systems policy� ��

� �� .

v Secure-Programs �� UNIX

ID �� policy �� . Tivoli

Access Manager for Operating Systems policy� ��

��. �� , � ��

policy� �� .

v Immune-Surrogate-Programs ��

�� UNIX ID �� policy �� , ��

�� . Tivoli Access Manager for Operating

Systems policy� �� .

� ��

�� . ��

��

� �� . � ��, Secure-Programs �� Immune-Surrogate-Programs

��

��, �� policy� � ��

��.

� �� . ��

� �� . ��

� 2 � Policy 45

� �� . � ��, � Immune-Surrogate-

Programs �� Secure-Programs ��

� �� . ��

�� .

�� policy


��

�� . � � �� NetOutgoing

� NetIncoming �� . ��


/OSSEAL/policy-branch/NetIncoming/protocol[/service[/host]]/OSSEAL/policy-branch/NetOutgoing[/hostspec[/protocol[/service]]]

�� /OSSEAL/policy-branch/NetIncoming � /OSSEAL/policy-branch/

NetOutgoing ��

��. �� ACL� ��

, ��

�� . �� -net_ACL_limited �� pdoscfg� �

�� (�� IBM Tivoli Access Manager for

Operating Systems � �� 254 �� pdoscfg�, pdoscfg ��). � �

��

(/OSSEAL/policy-branch/File, � �� ), ��

�� .

� 12� �� policy �� .

� 12. ��

��

protocol �� . ��

� � �� TCP/IP ��

4��. � �� tcp ��

��.

��

�

service � �� .

NetIncoming �� , � ��

��

�� . NetOutgoing

�� , � ��

��

��.

��

�. ��

�� . � ��

� policy� � ��

/etc/services � � ��

�� . ��

�� ‘*’� 1-65535 �� .

‘*’ � ‘1-65535’ � �� policy

� �� .


� 12. �� (��)

��

host � ��

�. NetIncoming �� , ��

��

� ��. NetOutgoing ��

, ��

� �� .

��

��.

v ip-address[:nbits]

v hostname

ip-address IP �� (:

192.168.1.42)

IP �� 4 ��

nbits ip-address�� . ��

� �� . 0� �

�� 32�

��

��. �� ip-address[:nbits] �

�� nbits ��

� �� 32�� .

0 - 32 ��

hostname � ��

��

� �� legal ��

��

��

�� .

/OSSEAL/Default/NetIncoming/tcp/80/OSSEAL/Default/NetIncoming/tcp/telnet/*.dev.company.com/OSSEAL/Default/NetOutgoing/10.0.151.0:24/tcp/23/OSSEAL/Default/NetOutgoing/10.1.34.12

NetIncoming � NetOutgoing �� , �� ACL��

�� Connect(C) ��.

� 13. ��

��

Connect(C) ��

��

�� Tivoli Access Manager for Operating Systems�

�� . ��

� �� . � ��, ��

www.ibm.tivoli.com� www.*.com� www.*.tivoli.com �� . ��

�� Telnet ��(� 23)� � �� ″23,513″� �� ″*″ �� . �

� �� Tivoli Access Manager for Operating Systems�


� 2 � Policy 47

�� . � NetIncoming �

NetOutgoing� �, � ��

�� . � ��, �� ,

NetOutgoing/www.ibm.tivoli.com/tcp/*NetOutgoing/www.*.com/tcp/http

��

www.ibm.tivoli.com�� http �� policy� �

��.

�� NetIncoming �,

NetIncoming/tcp/*/server.ibm.netNetIncoming/tcp/ftp/*

server.ibm.net�� ftp ��


�� NetIncoming� NetOutgoing ��

��. �� . 49 ��

�� .

��

�� .

v � ��

� �� .

v � �� , ��

�� .

v � ��

�� . � � �� policy��

� �� PDOSD �� policy� ��

� �� .

�� .

v ″telnet″� � �� ″20-25″� 6�� ″telnet″�

″20-25″�� .

v ″20-25″ �� ″21-26″ �� 6�� 20� 21��

�� ″20-25″ �� ″21-26″�� .

v ″20-25,50-60″ �� ″20-25,60-70″ �� 17�� 50� 60��

�� ″20-25,50-60″ �� ″20-25,60-70″��

�� .


v �� ″1-10,23-30″�

″1,2,3,4-9,10,telnet,24-30″� ��.

��

�� .

v �� ip-address[:nbits] ��

�� .

v � � ip-address �� ip-address[:nbits] ��

�� 32 nbits �� nbits ��

�� , policy� �� . �� policy��

� �� pdosd �� policy� ��

� �� .

v � �� (nbits� � �)� �� ip-address[:nbits] ��

� �� .

v ��

�� . � ��

�� 10 �� .

�� .

v � 10.1.2.3:32� � 10.1.2.3:24�� .

v www.ibm.tivoli.com� IP �� 10.1.2.3� � 10.1.2.3:32� �

www.ibm.tivoli.com�� . ip-address[:nbits] �


�� .

v www.ibm.tivoli.com� IP �� 10.1.2.3� � 10.1.0.0:16� �

www.ibm.tivoli.com�� . ip-address[:nbits] �

� �� .

v �� www.*.tivoli.com�

www.ibm.*.com�� .

��

��

�� ?�� .

��


� �� . ��

� �� ID� ��. NetIncoming ��

� ��

�� ?�� . NetIncoming ��

� 2 � Policy 49

ACL��

� ��

� ��.

��

�� . �� , NetIncoming �� ACL

� � �� .

�� policy


�� . ��

�� .

v ��

v ��

Tivoli Access Manager for Operating Systems� �� , � ��

��

�� policy� � � �� .

��

�� Tivoli Policy Director �� policy

�� . �� , ��

� � �� .

�� . Tivoli Access

Manager �� , �� policy�

�� policy� ��. Tivoli Access Manager ��


� �� , �� osseal-unauth ��

policy� �� policy� ��.

�� .

day-range: time-range[:utc|local]

��,

day-range

anyday, weekday� sun, mon, tue, wed, thu, fri �� sat� ��

� ��. anyday ��

��. weekday ��

�� . � ��

�� .


time-range

anytime �� . anytime ��

� �� . start_hhmm-end_hhmm

�� , start_hhmm� � � ��

�� end_hhmm� �� .

utc �� UTC(Universal Coordinated Time)� ��

� ��.

local ��

��. ��.

Tivoli Access Manager �� pdadmin� ��

�. �� policy �� .

v �� 9:00�� 5:00��

� �� .

pdadmin> policy set tod-access weekday:0900-1700:localpdadmin> policy set tod-access anyday:anytime -user root

v ��

��.

pdadmin> policy set tod-access mon:0900-1700:local -user \osseal-unauth

v ��

��.

pdadmin> policy set tod-access weekday:0900-1700:utcpdadmin> policy set tod-access anyday:anytime -user rootpdadmin> policy set tod-access mon:0900-1700:utc -user \

osseal-unauth

��

� �� . � ��

�� . policy

� �� .

�� . � ��

�� .

�� ACL� � ��

��. Login(L) �� .

Holiday-Dates �� , � ��

� ��. �� .

YYYY-MM-DD[-hh[:mm[:ss]]][Z]

��,

� 2 � Policy 51

YYYY

� � ��

MM 1 - 12� ��

DD 1 - 31� ��

hh 0 - 23� ��

mm 0 - 59� ��

ss 0 - 59� ��

Z �� UTC� ��

�� .

v �� 12��

�.

v �� 0(��)�� .

v �� , � � � �� , � ��

�, �� 12�� .

v � �� , �� 0(�

�)�� .

v �� UTC� �� UTC� ��.

�� : CEO� � (1�18 ) �� 3 � �� .

1� 17 , 18 � 19 �� . ��

�� .

pdadmin> object create /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time "Happy" \0 ispolicyattachble yes

pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time \set attribute Holiday-Dates"2001-01-17-09:00:00 2001-01-19-17:00:00"

�� , � �� ACL� ��.

pdadmin> acl create ceo-birthday-time-aclpdadmin> acl modify ceo-birthday-time-acl set group sys-admins \

T[OSSEAL]Lpdadmin> acl attach /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time \

ceo-birthday-time-acl

� policy� Tivoli Access Manager � �� 2001� 1� 17

�� 9:00� 2001� 1� 19 �� 5:00 �� .

��

�� Holiday-Dates ��

��. � � CEO � policy� 2002��

� � ��.


pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time \set attribute \

Holiday-Dates "2002-01-17-09:00:00 2002-01-19-17:00:00"

�� . �� , ��

policy� �� .

v �� , �� .

v � � �� , ��

��.

v �� .

�� CEO� �� 1� 18 � �� , �

� policy� �� .

pdadmin> object create/OSSEAL/Servers/Login/Holidays/CEO-Birthday \"VeryHappy" 0 ispolicyattachable yes

pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday \set attribute \Holiday-Dates "2001-01-18-09:00:00 2001-01-18-17:00:00"

CEO-Birthday � CEO-Birthday-Time � �� policy ��

�� 1� 17 �� 9:00� �� , ��

CEO-Birthday-Time �� .

�� 1� 18 �� 9:00 �� .

CEO-Birthday � �� .

� � Holiday-Dates �� , pdosd ��

�� policy � � ��. �� .

�� : Holidays � ��

� �� . �� ACL ��

��. ACL �� , ��

�� policy �� . � ��, ��

�� .

/OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2001/OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2002/OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2003

� �� Holiday-Dates ��

� �� . �� , CEO � � � ACL� �� .

��

�� . ��

��

��. � �� .

� 2 � Policy 53

�� : � �� . ��

�� . TCP/IP ��

�� . � ��

�� . � � �� .

/OSSEAL/policy-branch/Login/Terminal/Local/termgroup/device/OSSEAL/policy-branch/Login/Terminal/Remote/termgroup/hostspec

� � �� 14� ��.

� 14. � ��

��

termgroup ��

��

��

��. ��

� �� .

device ��

�(: /dev/console ��

/dev/tty/0)

��

UNIX � ��. � ��

�� .

hostspec ��, ��

� ��

�� .

v /etc/hosts, DNS ��

�� . ��

� � �� (: * ��

?)� � � ��

�� .

��

��.

v � �� IP ��/��

��(IP_address[nbits]). ��

�� 32��

��, � ��

� ��.

�� .

/OSSEAL/policy-branch/Login/Terminal/Local/Modems/dev/tty063/OSSEAL/policy-branch/Login/Terminal/Remote/Development/*.dev.company.com/OSSEAL/policy-branch/Login/Terminal/Remote/Xterms/10.1.34.2:24

�� : �� /� � ��

�� Tivoli Access Manager �� . � ��, ACL

�� POP� /OSSEAL/policy-branch /Terminal/Remote ��

� �� policy �� .


� 15�� .

� 15. ��

��

Login(L) ��

�� : �� policy ��

� �� . � �� , pdosd ��

�� . �� policy �� . � ��

� � ��.

�� policyTivoli Access Manager for Operating Systems� �� policy� �

�� . policy� /OSSEAL/policy-branch/Login

��

��.

v ��

v ��

v ��

� �� . ��

� �� . ��

��. Tivoli Access Manager for Operating Systems �� policy�

� �� policy� �� . Tivoli Access

Manager for Operating Systems policy� � �� policy � � �� policy

� ��.

�� policy� �� $HOME/.rhosts �

/etc/hosts.equiv� �� . ��

�� . � ��, AIX �� (: rlogin �

rsh)� �� Tivoli Access Manager for Operating

Systems� �� policy� �� . ��

policy(: � �, �� )� �� .

Tivoli Access Manager �� Tivoli Access Manager ��

� �� policy� �� Tivoli Access Manager for Operating Systems

� �� . 56 �� 16� �� policy

� �� .

� 2 � Policy 55

� 16. �� policy ��

��

Login-MinPasswordDays ��

��. �� , ��

0(��)� ��

��

� �� .

��

Login-MaxPasswordDays �� .

�� , �� 0(�

�)� ��

�� .

�� , grace

��

��

��. Login-MaxGraceLogins

�� 0(��)� ��

�� grace ��

��.

��

Login-MaxGraceLogins ��

� �� . ��

�� , �� 0(��)�

��

�� .

grace ��

�, �� .

��

Login-MaxConcurrent ��

�� . � � �

��

�� . � �

� �� IP ��

�� . ��

� � �� policy� ��

�� .

�� , �� 0(�

�)� ��

��

�� .

��

Login-MaxInactiveDays ��

�� . ��

��

�� . ��

� �, �� 0(��)� ��

� ��

��.

��


� 16. �� policy �� (��)

��

Login-MaxFailedLogins ��

�� . ��

� Login-LockMinutes ��

��

��. ��

�� Login-

LoginMunutes ��

�. Login-MaxFailedLogins ��

� �� , ��

0(��)� ��

��

��.

��

Login-LockMinutes Login-MaxFailedLogins ��

��

��

�� . Login-LockMinutes �

�� , ��

0(��)� ��

��

� �� .

��

Login-LoginMinutes Login-MaxFailedLogins ��

��

��

�� . Login-LoginMinutes

�� , ��

0(��)� ��

�� . �

��

��

��

�.

��

Login-PolicyDisabled �� policy� ��

�� .

� ��

��


�.

��

�� policy ��: �� policy �� .

v �� 30 �� pdadmin ��

� ��.

pdadmin> object modify /OSSEAL/Servers/Loginset attribute Login-MaxInactiveDays 30

v 30� ��

�� pdadmin �� .

� 2 � Policy 57

pdadmin> object modify /OSSEAL/Servers/Loginset attribute Login-MaxFailedLogins 3

pdadmin> object modify /OSSEAL/Servers/Loginset attribute Login-LockMinutes 30

pdadmin> object modify /OSSEAL/Servers/Loginset attribute Login-LoginMinutes 60

v �� policy �� . �� , ��

�� . � ��, Login-MaxFailedLogins �� 5�

�� .

pdadmin> object modify /OSSEAL/Servers/Logindelete attribute Login-MaxFailedLogins

pdadmin> object modify /OSSEAL/Servers/Loginset attribute Login-MaxFailedLogins 5

pdoslpadm �� . � ��

� �� 280 �� pdoslpadm�� .

�� policy�� policy� �� policy� ��

��. � �� policy� ��


�� policy� /OSSEAL/policy-branch/Login/UserExceptions/user-name �

�� . � ��

�� . �� 0(�

�) �� . ��

� �� .

�� policy� Tivoli �� . ��

pdadmin �� .

�� policy ��

�� policy-branch Default� �� policy� � ��

��.

1. �� policy� 30 ��

�� bob� �� policy� �� policy �� 0(policy

� �� )�� pdadmin �� .

pdadmin> object modify /OSSEAL/Default/Login set attribute Login-MaxInactiveDays30

pdadmin > object create /OSSEAL/Default/Login/UserExceptions/bob "" 2 iyes

2. �� bob� �� 90 ��

� �� pdadmin �� .


pdadmin > object modify /OSSEAL/Default/Login/UserExceptions/bob set attributeLogin-MaxInactiveDays 90

3. �� bob� ��

�� 70�� pdadmin �� .

pdadmin > object modify /OSSEAL/Default/Login/UserExceptions/bob deleteattribute Login-MaxInactiveDays

pdadmin > object modify /OSSEAL/Default/Login/UserExceptions/bob set attributeLogin-MaxInactiveDays 70

�� policy

Tivoli Access Manager for Operating Systems� �� policy� �

�� . ��

� �� (: �� )� �� . policy�

/OSSEAL/policy-branch/Password ��

��, �� .

v ��

v ��

Tivoli Access Manager for Operating Systems �� policy� � ��

�� policy� �� . Tivoli Access Manager

for Operating Systems policy � � �� policy � � �� policy� ��

��. Tivoli Access Manager for Operating Systems ��

� �� . �� ,

�� policy� �� . � ��, � ��

�� , �� policy� �� .

�: Tivoli Access Manager for Operating Systems� ��

�� 34�� .

� �� . ��

�� . �� policy� ��

� � $HOME/.rhosts� /etc/hosts.equiv� �� .

Tivoli Access Manager �� Tivoli Access Manager ��

� �� policy� �� Tivoli Access Manager for Operating Systems

� �� . 60 �� 17� �� policy

� �� .

�: �� MinPasswordDays ��

��. ��, �� , �� MinPasswordDays �

�� .

� 2 � Policy 59

� 17. �� policy ��

��

Password-MinPasswordLen �� . ��

� �� , �� 0(��)� �

��

��.

��

Password-MinPasswordAlpha ��

�. �� , ��

0(��)� ��

�� .

��

Password-

MinPasswordAlphaNum

��

�. �� , ��

0(��)� ��

�� .

��

Password-MinPasswordNumeric �� . �

�� , �� 0(��)

� ��

�� .

��

Password-MinPasswordLower �� .

�� , �� 0(�

�)� ��

� �� .

��

Password-MinPasswordUpper �� .

�� , �� 0(�

�)� ��

� �� .

��

Password-MinPasswordSpecial ��

�. �� , ��

0(��)� ��

�� .

��

Password-MinPasswordDays ��

��. �� , ��

0(��)� ��

��

� �� .

��

Password-MaxPasswordRepeat ��

�� . ��

, �� 0(��)� ��

� ��

�.

��

Password-PasswordNameCheck �� ID� ��

� �� ID� ��

�� . �

�� , �� 0(��)

� �� ID� �

��

��.

0 �� 1


� 17. �� policy �� (��)

��

Password-PasswordHistory �� .

� ��

�� . ��

�� . ��

�� 10��. ��

� �� , �� 0(��)� �

��

��.

��

Password-

PasswordOldPwdCheck

� ��

� ��

��

�� .

0 �� 1

Password-

PasswordMaxConsPrev

� �, � � � ��

��

� �� .

��

Password-

PasswordNonNumFirstLast

� �, � ��

��

� ��.

0 �� 1


�� policy �� .

v �� 7 � �, �� pdadmin ��

� � ��.

pdadmin> object modify /OSSEAL/Servers/Passwordset attribute Password-MinPasswordLen 7

v �� , �� pdadmin ��

��.

pdadmin> object modify /OSSEAL/Servers/Passwordset attribute Password-MaxPasswordRepeat 1

v �� policy �� . �� , ��

� �� . � ��, Password-PasswordHistory �� 5�

�� .

pdadmin> object modify /OSSEAL/Servers/Passworddelete attribute Password-PasswordHistory

pdadmin> object modify /OSSEAL/Servers/Loginset attribute Password-PasswordHistory 5

pdoslpadm �� . � ��

� �� 280 �� pdoslpadm�� .


�� policy-branch Default� �� policy� � ��

��.

� 2 � Policy 61

1. �� policy �� 10 ��

�, �� bob� �� policy� �� policy �� 0(policy

� �� )�� pdadmin �� .

pdadmin> object modify /OSSEAL/Default/Password set attributePassword-MinPasswordLen 10

pdadmin > object create /OSSEAL/Default/Password/UserExceptions/bob ""2 i yes

2. �� bob� �� 5 ��

� pdadmin �� .

pdadmin > object modify /OSSEAL/Default/Password/UserExceptions/bob setattribute Password-MinPasswordLen 5

3. �� bob� ��

� � �� 8� �� pdadmin �� .

pdadmin > object modify /OSSEAL/Default/Password/UserExceptions/bob deleteattribute Password-MinPasswordLen

pdadmin > object modify /OSSEAL/Default/Password/UserExceptions/bob setattribute Password-MinPasswordLen 8

�� policy

Tivoli Access Manager for Operating Systems� �� UNIX ID� � �

�� . ��

�� . �� ID �� ID�

� � ��. ��

�� policy� �� . ��

��

� � ��. �� .

/OSSEAL/policy-branch/Surrogate/User/user-name/OSSEAL/policy-branch/Surrogate/Group/group-name

� 18� �� .

� 18. ��

��

user-name UNIX �� . � ��

ID ��

� �� .

UNIX �� .

� �� ID� �� .

group-name UNIX � ��. � �� ID

��

�� .

UNIX � �� .

� � ID� �� .

��

�� .


/OSSEAL/Default/Surrogate/User/root/OSSEAL/Default/Surrogate/User/joe/OSSEAL/Default/Surrogate/Group/admin

�: �� /OSSEAL/ policy-branch/Surrogate/User,

/OSSEAL/ policy-branch/Surrogate/Group ��

/OSSEAL/policy-branch/Surrogate �� policy� �

� � ��. �� policy� ��


�� .

�� 19� �� Surrogate(G)

�� .

� 19. ��

��

G Surrogate �� .


�� .

v �� ID� � � ��.

v �� ID � �� ID UNIX � ��

� �� ID� ��.

� �� . �� ID � �� ID ��

��

�� . ��

�� .

�� /usr/bin/mail, /usr/bin/telnet � /usr/bin/ps� ��

�� .

�� setuid �� . � ��

�� . ��

� �� .


� �� Trusted Computing Base� ��

� �� .

Trusted Computing Base � �� Secure-Programs� ��

� �� ID� � � ��. 37 ��

�Trusted Computing Base �� . ��

�� , � �� policy� ��

�.

� 2 � Policy 63

/usr/bin/su �� . � ��

� �� ID� � � ��. UNIX ��

�� ID� � � �� UNIX �� su �� setuid �

� �� . su �� Tivoli Access Manager for Operating Systems

Trusted Computing Base�� Secure-Program�� , ��

��

� �� . �� Secure-Program

�� , �� Tivoli Access Manager for Operating

Systems �� policy� su� �� policy��.

� ��, �� fred�� sysop �� ID� � � ��

��. fred� su �� .

fred$ su sysop

� �� . �� su� setuid ��

�� . � �� fred� �� sysop �� su �

�� ID� sysop �� . su �� Secure-Program��

�� fred� �� Tivoli Access Manager for Operating

Systems �� sysop� �� .

su �� Secure-Program�� UNIX ��

�. Tivoli Access Manager for Operating Systems� �� policy� ��

�, Secure-Programs� �� setuid � setgid ��

�� pdosuidprog �� . � �� 311 ��

�� pdosuidprog�� .

�� policy� �� setuid � setgid �� Trusted Computing

Base� Secure-Programs� ��

� �� . ��

�� . �� ID

�� , Access-Restrictions� ��

� �� .

17 �� policy� �� .

UNIX �� Tivoli Access Manager for Operating Systems

�� ID� �� . ��

� �� ID� � � ��. Trusted Computing Base ��

��(Impersonator-Programs)� �� UNIX �� ID� ��

IBM Tivoli Access Manager for Operating Systems �� ID� � � ��

� ��. TCB �� Impersonator-Programs �� 37

�� Trusted Computing Base �� .


��

�� policy� �� Tivoli

Access Manager ACL� �� . ��, ��

� policy� �� Tivoli Access Manager ACL�

�� ACL �� . ��

ACL� �� (��

� �� ACL� �� ). Tivoli Access Manager �

�(T) �� . 63 �� 19� ��

�� ACL �� .

Sudo policy

Sudo ��

�� . Sudo ��

�� . ��

�� Sudo ��

��. Sudo� �� UNIX ��

�� .

Sudo �� Tivoli Access Manager ��

�.

/OSSEAL/policy-branch/Sudo/sudo-command[/sudo-argclass]

Sudo �� 20� �� .

� 20. Sudo ��

��

sudo-command Sudo �� . �� ,

UNIX �� ID � ��

��

��. � �� .

Sudo ��

sudo-argclass �� . ��

� �� .

Sudo ��

�

Sudo �� Sudo �� . ��

�� Sudo �� . 66 �� 21� ��

�� .

� 2 � Policy 65

� 21. Sudo ��

��

Sudo-Command Sudo ��

� � �� . Sudo �

��

Tivoli Access Manager for

Operating Systems� � � �

�� . � �

�� .

��

UNIX � ��

UNIX � ��(: /usr/bin/

mount)� � � ��, ��

� ��(: /usr/bin/rm -i)�

� � ��. ��

��

�� .

Sudo-Target-User Sudo-Command� ��

�� UNIX ��

�. � UNIX �� Sudo �

��

� �� . � ��

��. �� .

� �� .

UNIX ��

��

Sudo-Invoker-Password � ��

� Sudo ��

�� .

��

� �� . � ��

� ��.

� � ��

��.

Sudo-Target-Password � ��

�� S u d o ��

Sudo-Target-User ��

��

�� . ��

��

�� . � ��

� � ��.

� � ��

��.

� 22�� Sudo �� (x) �� .

� 22. Sudo� ��

��

x Execute Sudo ��

Sudo ��

sys-admin �� /usr/sbin/mount ��

�� Sudo �� , �� pdadmin

�� .

pdadmin> object create /OSSEAL/Servers/Sudo/mount "mount" 2 \ispolicyattachable yespdadmin> object modify /OSSEAL/Servers/Sudo/mount set attribute \

Sudo-Command /usr/sbin/mountpdadmin> object modify /OSSEAL/Servers/Sudo/mount set attribute \

Sudo-Invoker-Password "required"


pdadmin> acl create sudo-mountpdadmin> acl modify sudo-mount set group sys-admin T[OSSEAL]xpdadmin> acl attach /OSSEAL/Servers/Sudo/mount sudo-mount

Sudo �� Sudo ��

�� . Sudo �� Sudo ��

�� Sudo �� . Sudo ��

�� 23� �� .

� 23. �� Sudo ��

��

Sudo-Arguments ��

�� . � ��

��

��. �� .

��

��

�� net-admin� �� NFS � �� sys-admin

� ��

�� pdadmin �� .

pdadmin> object create /OSSEAL/Servers/Sudo/mount/remote \"Remote mount argument patterns" 0 ispolicyattachable yes

pdadmin> object modify /OSSEAL/Servers/Sudo/mount/remote set attribute \Sudo-Arguments "[-]F nfs"

pdadmin> acl create sudo-net-mountpdadmin> acl modify sudo-net-mount set group net-admin T[OSSEAL]xpdadmin> acl attach /OSSEAL/Servers/Sudo/mount/remote sudo-net-mountpdadmin> object create /OSSEAL/Servers/Sudo/mount/local \"Local mount argument patterns" 0 ispolicyattachable yes

pdadmin> object modify /OSSEAL/Servers/Sudo/mount/local set \attribute Sudo-Arguments "[-]F *"pdadmin> acl create sudo-local-mountpdadmin> acl modify sudo-local-mount set group sys-admin T[OSSEAL]xpdadmin> acl attach /OSSEAL/Servers/Sudo/mount/local sudo-local-mountpdadmin> acl modify sudo-mount set group sys-admin ""

� �� : �� .

v pdadmin� �� , � �� . ��

[-]� �� (-)� �� .

v �� policy� � �� . ‘[-]F nfs’ �� ‘[-]F *’

�� .

v /OSSEAL/Servers/Sudo/mount� �� sudo-mount ACL� �� sys-admin �

�� . �� -F ��

�� mount Sudo �� .

v ��

� �� . � ��, � ��

� -F �� -t �� nfs �� NFS� � � � ��.

� 2 � Policy 67

� �� /OSSEAL/Servers/Sudo/mount/remote ��

Sudo-Arguments� � [-][tF] [Nn][Ff][Ss]� � � ��.

v � � �� Sudo �� Sudo ��

�� policy� �� pdosd ��

� �� . �� policy� �� .

UNIX ��

�� . ��

�� . Sudo ��

�� .

Sudo ��

Sudo-Arguments �� IBM Tivoli Access Manager for Operating Systems �

�� . Sudo-Arguments � �

�� .

v � �� (*)� ��

��. �� . � ��, �

� ��

� root� ��.

* root

� �� root� � �, � �� .

v ��

��. �� (\)� �� ,

� �� .

v Sudo-Arguments �� ″″� �� Sudo ��

�� .

v �� , ��

�� . � ��,

* root

�� :

show rootadd root system

pdossudo �

pdossudo �� Sudo �� Sudo ��

��. 66 �� Sudo �� Sudo ��

��.

$ pdossudo mount -F nfs host:/shared/directory /local


Sudo �� .

1. �� Sudo ��

�, Sudo �� .

2. � �, �� (�� )� ��

� ��.

3. �� UNIX �� ID� ��

�� . � ID �� policy� ��

� �� .(� �

� �� pdossudo ��

Access-Restrictions �� .) �� policy�

�� .

4. Sudo �� .

�� Sudo-Command �� Access-Restrictions ��

�� pdossudo �� .

�� pdadmin �� Access-Restrictions� �� .

pdadmin> object create /OSSEAL/Servers/Surrogate/User/root \"surrogate root" 14 ispolicyattachable yes

pdadmin> acl create root-userpdadmin> acl modify root-user set any-other T[OSSEAL]Gpdadmin> acl modify root-user set unauthenticated T[OSSEAL]Gpdadmin> acl modify root-user set attribute \Access-Restrictions any-other:G:/opt/pdos/bin/pdossudopdadmin> acl modify root-user set attribute \Access-Restrictions unauthenticated:G:/opt/pdos/bin/pdossudopdadmin> acl attach /OSSEAL/Servers/Surrogate/User/root root-user

pdadmin> object create /OSSEAL/Servers/File/usr/bin/mount \"mount command" 3 ispolicyattachable yes

pdadmin> acl create mount-programpdadmin> acl modify mount-program set any-other T[OSSEAL]xpdadmin> acl modify mount-program set unauthenticated T[OSSEAL]xpdadmin> acl modify mount-program set attribute \Access-Restrictions any-other:x:/opt/pdos/bin/pdossudopdadmin> acl modify mount-program set attribute \Access-Restrictions unauthenticated:x:/opt/pdos/bin/pdossudopdadmin> acl attach /OSSEAL/Servers/File/usr/bin/mount mount-program

� policy� �� pdossudo �� ID� ��

�, � � �� .

�� UNIX �� Sudo ��

� �� Sudo ��

�. �� PATH

� �� . 70 �� 24�� Sudo ��

�� .

� 2 � Policy 69

� 24. Sudo� � ��

��

PATH ��

LD_* LD_� ��

_RLD_* _RLD_� ��

SHLIB_PATH HP-UX� ��, ��

LIBPATH AIX� ��, ��

IFS ��

ENV ��

BASH_ENV bash ��

KRB_CONF kerberos 4 ��

KRB5_CONFIG kerberos 5 ��

LOCALDOMAIN /etc/resolv.conf� ��

RES_OPTIONS �� (name resolution)� ��

HOSTALIASES ��

�� pdossudo ��

��. /opt/pdos/etc/pdossudo.conf. �� [environment] �

�(�� )� �� . � ��, ��

��

pdossudo.conf �� .

[environment]PATH=/usr/bin:/usr/sbin:/usr/application/binLD_LIBRARY_PATH=/usr/lib:/usr/application/lib

Sudo �� PATH � LD_LIBRARY_PATH �� pdossudo.conf

�� .

�� pdossudo ��

��. �� 25� �� .

� 25. Sudo� � ��

��

PDOS_SUDO_ACCESSOR_NAME Sudo �� Tivoli Access

Manager �� ID� ��

PDOS_SUDO_ACCESSOR_ID Sudo �� Tivoli Access

Manager �� ID� �� ID

PDOS_SUDO_INVOKER_NAME pdossudo �� UNIX ��

� ��. � � �� ID ��

(: �� su �� ) ��

� � ��.


� 25. Sudo� � �� (��)

��

PDOS_SUDO_INVOKER_ID pdossudo �� UNIX ��

ID. � � �� ID �� (

: �� su �� ) ��

��.

��

� �� policy �� Tivoli Access Manager for Operating

Systems �� . ��

� � policy� �� .

��

Tivoli Access Manager for Operating Systems�� UNIX �� Tivoli Access

Manager � ��

��. �� Tivoli Access Manager ��

UNIX �� policy� �� . �� policy� ��

� � �� policy �� policy

� ��. ��

�.

�� AuditAuth � ��

� Tivoli Access Manager �� . ACL �� POP� ��

�� . �� .

/OSSEAL/policy-branch/AuditAuth/Unauth/audit-level/OSSEAL/policy-branch/AuditAuth/User/user-name/audit-level/OSSEAL/policy-branch/AuditAuth/Group/group-name/audit-level

� 26. ��

��

user-name UNIX �� UNIX ��

group-name Tivoli Access Manager � �

�


� ��

� 2 � Policy 71

� 26. �� (��)

��

audit-level ��

� ��

�� .

permit: ��

� ��

��.

deny: ��

� ��

��.

loginpermit:

��

�� .

logindeny:

��

�� .

all: ��

�(permit, deny, loginpermit, �

logindeny).

none: ��

��. � � ��

� ��

�� . ��

��

� � ��.

�� . ��

��.

1. �� Unauth � ��

�� . ��

�, �� . ��

�� .

2. ��

��.

3. �� , �� policy

� � �� .

4. �� , ��

�� .


��

/OSSEAL/Default/AuditAuth/User/root/all/OSSEAL/Default/AuditAuth/Unauth/all/OSSEAL/Default/AuditAuth/Group/osseal-admin/permit/OSSEAL/Default/AuditAuth/Group/osseal-admin/deny/OSSEAL/Default/AuditAuth/User/admin1/loginpermit

��

osseal-admin �� policy-branch Servers

� � �� policy� �� pdadmin �� .

pdadmin> object create /OSSEAL/Servers/AuditAuth/Group/osseal-admin/all "AuditAuth"11 ispolicyattachable no


pdadmin �� .

pdadmin> object create /OSSEAL/Servers/AuditAuth/User/root/loginpermit "AuditAuth"11 ispolicyattachable no

pdadmin> object create /OSSEAL/Servers/AuditAuth/User/root/logindeny "AuditAuth"11 ispolicyattachable no

�� osseal-admin ��

�� policy� �� pdadmin �� .

pdadmin> object create /OSSEAL/Servers/AuditAuth/Group/osseal-admin/all "AuditAuth"11 ispolicyattachable no

pdadmin> object create /OSSEAL/Servers/AuditAuth/User/root/none"AuditAuth" 11ispolicyattachable no

��


� �� pdadmin �� .

pdoscfg -audit_level permitpdadmin> object create /OSSEAL/Servers/AuditAuth/User/root/deny "AuditAuth" 11

ispolicyattachable no

��

Tivoli Access Manager for Operating Systems�� UNIX ��

�� . �� policy� ��

� � �� policy �� policy� ��. ��

�� .

�� AuditTrace � ��

� Tivoli Access Manager �� . ACL �� POP� ��

�� . /OSSEAL/policy-branch/AuditTrace/User/

user-name/trace-level� �� .

� 2 � Policy 73

� 27. ��

��

user-name UNIX �� UNIX ��

trace-level ��

��

�� .

exec: exec()� ��

��, � ��

� ��

�� Tivoli Access Manager for

Operating Systems�� .

exec_l: �� ID� ��

� ID� �� (��

�� ), exec()� ��

� �� , � ��

��

� ��


Systems�� .

file: � ��

� ��. Tivoli Access Manager for

Operating Systems� ��

��

��.

all: � �� exec, exec_1 �

file� ��.

none: � ��

��. ��

�. ��

� � �� .

�� 1024 AuditTrace �� . AuditTrace policy� ��

�� .

/OSSEAL/Default/AuditTrace/User/root/exec_l/OSSEAL/Default/AuditTrace/User/admin1/exec/OSSEAL/Default/AuditTrace/User/admin2/exec

��

policybranch �� ID� root � � exec � ��


pdadmin> object create /OSSEAL/Servers/AuditTrace/User/root/exec "AuditTrace" 11ispolicyattachable no

�� ID� root�� ID� �� exec � ��


pdadmin> object create /OSSEAL/Servers/AuditTrace/User/root/exec_l "AuditTrace" 11ispolicyattachable no


�� ID� root � � � �� policy� ��

pdadmin �� .

pdadmin> object create /OSSEAL/Servers/AuditTrace/User/root/file "AuditTrace" 11ispolicyattachable no

�� ID� admin1, admin2 �� admin3 � � exec � ��


pdadmin> object create /OSSEAL/Servers/AuditTrace/User/admin1/exec "AuditTrace" 11ispolicyattachable no



� 2 � Policy 75

� 3 � ��

� �� Tivoli Access Manager for Operating Systems� ��

� �� . �� .

v 78 �� pdosd ��

v 87 �� pdosauditd � ��

v 89 �� pdoswdd ��

v 91 �� pdostecd Tivoli Enterprise Console ��

v 93 �� pdoslpmd �� policy � ��

v 93 �� pdoslrd ��

� �� .

v 95 ��

v 97 ��

v 101 �� policy�

v 105 ��

��


�� .

pdosd- ��

�� Trusted Computing Base� ��.

pdosauditd- ��


�� .

pdoswdd- ��

�� . �� .

pdostecd- Tivoli Enterprise Console ��

�� Tivoli Access Manager for Operating Systems � �� Tivoli

Enterprise Console�� .

pdoslpmd- �� policy � ��

�� .

pdoslrd- ��

� �� .


� �� . ��

� � �� UTC �� , �� , �

�� . ��, � ��


��.

� ��

��. ��

� �� .

�� , ��

� � �� . � ��,

msg__pdosd.log � � �� , msg__pdosd.log.1� ��

msg__pdosd.log � � ��. msg_pdosd.log � � ��

� �� , msg__pdosd.log.2� �� . ��

�� , ��

� � 1�� . � ��, �� 2� �, ��

msg__pdosd.log � � �� msg__pdosd.log.1� �� . ��,

�� , ��

�� . ��

� � �� 0�� 0� �� , ��

�� .

�� , �� . ��

�� , �� . ��

� �� .

pdoscfg �� .

pdoscfg �� . �� Tivoli Access

Manager for Operating Systems� �� . pdosctl


� �� . pdosctl ��

�� . ��

��.

v 254 �� pdoscfg�� pdoscfg �� .

v 131 �� pdoscfg ��

� �� .

v 269 �� pdosctl�� pdosctl �� .

pdosd ��

pdosd �� .


v � �� Tivoli Access Manager for Operating Systems�� policy� ��

��

v Tivoli Access Manager �� Tivoli Access

Manager �� UNIX ��

v �� Trusted Computing Base� ��

��

� ��

�� pdosd �� . 3 �

�� UNIX ID � Tivoli Access Manager �� ID�� UNIX �

�� ID� �� Tivoli Access Manager ��

�� . � ��

��. Tivoli Access Manager�� , LDAP ��

�� , �� pdosd

�� . pdosd ��

��. �� . ��

�� .

� �� . ��

� ��. �� Tivoli Access Manager for

Operating Systems� LDAP ��

��. � � ��

�� . � �� , Tivoli Access Manager

for Operating Systems� �� LDAP ��

�� .

� ��

� �� (� �� ).

�� LDAP �� . �

� �� . � �

�� .

pdosrefresh ��

�� . � �, � ��

��.

�� .

��

�� , pdosd �� LDAP ��

�� .

� 3 � �� 79

� �

�� , pdosd �� . ��

� pdosd �� LDAP ��

��.

� �� : Tivoli Access Manager for Operating Systems ��

� �� .

v � ��

v ��

v ��

�� osseal-admin Tivoli Policy Director � � osseal UNIX ��

�� . ��

�� .

v �� .

v ��

��.

v �� , pdosd �� .

� �� , �� .

�� . �

�� pdoscfg �� -critical_cred_group �� Tivoli Access


� �� .

v �� .

v ��

��.

�� cred �� . � �� UNIX �

� �� . �� UNIX ID� ��

�, �� .

81 �� 28� /opt/pdos/etc/pdosd.conf �� IBM Tivoli Access

Manager for Operating Systems ��

��.


� 28. Tivoli Access Manager for Operating Systems ��

��

[credentials]

user-cred-refresh ��

� �� (�). ��

�� . � � ��

��.

admin-cred-refresh �� . � ��

admin ��

� � �� . � ��

� � �� .

critical-cred-refresh �� . � ��

� ��

� ��

�. � �� .

cred-hold � ��

�� (�). � ��

�� . ��

� �� .

cred-hold �� user-cred-refresh ��

��.

critical-cred-group �� Tivoli

Access Manager �� . � ��

�� . � ��

� �� . ��

��

� � �� . �� (Tivoli

Access Manager osseal-admin �� )� � �

� �� .

cred-response-wait �� pdosd �� Tivoli Access

Manager ��

�� (�)

�� Tivoli Access Manager for Operating Systems�� Tivoli

Access Manager �� , ��

�� . � ��

� Tivoli Access Manager for Operating Systems�� .

Tivoli Access Manager for Operating Systems � Tivoli Access Manager

�� : Tivoli Access Manager for Operating Systems� Tivoli Access


Tivoli Access Manager for Operating Systems� Tivoli Access Manager� ��

��(: �� )� ��

��. Tivoli Access Manager �� IBM Tivoli

Access Manager Base Administration Guide� ��. Tivoli Access Manager

for Operating Systems� Tivoli Access Manager �� LDAP� �

��.

� 3 � �� 81

� 29�� pdosd ��

/opt/pdos/etc/pdosd.conf� �� . ��

�� .

� 29. �� pdosd ��

��

[ldap]

ldap-server-config Tivoli Access Manager �� LDAP ��

ssl-enabled LDAP�� SSL �� . �

� SSL �� .

bind-dn LDAP �� pdosd ��

�� (DN)

bind-pwd LDAP �� pdosd ��

��

�� : �� . ��

�� .

LDAP �� SSL� �� PDOSD �� LDAP ��

� ��. Tivoli Access Manager for Operating Systems� �� , LDAP

�� (CA)� �� pdosd �� LDAP ��

� LDAP �� . pdosd �� LDAP ��

�� Tivoli Access Manager ��

�� , � �� . pdosd �� LDAP

�� . IBM Tivoli Access Manager for

Operating Systems � �� .

�� DN � ��, pdosd �� LDAP ��

� �� . pdosd ��

��, LDAP �� .

�: ��(bind-pwd)� � �� pdosd.conf � � �� . ��

/opt/pdos/etc/pdosd.conf.obf � � �� pdosd.conf �

� �� .

[configuration-database]file = /opt/pdos/etc/pdosd.conf.obf

� �� , Tivoli Access Manager for Operating Systems��

� �� policy� Tivoli Access Manager for Operating Systems ��

�� /opt/pdos/etc �� osseal-restricted ACL� ��. � ACL�

osseal-admin �� .


��

pdosd �� Tivoli Access Manager �� API ��. Tivoli

Access Manager �� . pdosd �� Tivoli

Access Manager policy �� , � ��

�� . �� policy� ��

�� . Tivoli Access Manager for Operating Systems� ��

policy �� . Tivoli Access Manager policy ��

� �� policy �� . Tivoli Access Manager policy �

�� , �� policy ��

�� . policy� ��

�.

��

�� policy �� , Tivoli Access Manager policy ��

� � �� . ��

� �� .

�� Tivoli Access Manager policy ��

�� policy �� . �� ,

�� .


�� . � 30� �� refresh-interval � ssl-listening-port �

� �� pdosd �� policy � ��

�� Tivoli Access Manager policy �� .

ssl-local-domain �� . �� pdosd


/opt/pdos/etc/pdosd.conf �� .

� 30. ��

��

[policy] refresh-interval Tivoli Access Manager policy ��

� ��(�). 0� � �� .

[ssl] ssl-listening-port Tivoli Access Manager policy �� policy � ��

�� pdosd �� TCP/IP �. 0� �

policy �� .

ssl-local-domain �� . �� pdosd ��

�� Tivoli Access Manager �� . Tivoli

Access Manager policy ��

�� , � �� policy ��

��.

� 3 � �� 83

Tivoli Access Manager � ��

�, pdosd �� . ��

�� . � �� .

v �� ID. ��

�� ID� ��, � ID� �� UID� ��.

Tivoli Access Manager for Operating Systems �� ID� ��

�� ID��. �� ID� ��

ID��.

v ��

v ��

v ��

v ��

pdosd �� policy �� policy� �


�� . �� policy branch �� policy�

�� . policy branch� Tivoli Access Manager for Operating Systems

� �� . � 31� �� policy branch ��

�� /opt/pdos/etc/osseal.conf � � ��.

� ��

� �� . Tivoli Access Manager

for Operating Systems� ��

� �� . pdosd �� policy� ��

�� , �� . �

� �� , �� . ��

� �, �� .

� 31. �� policy ��

��

[policy] branch � �� policy ��

TCB ��

Trusted Computing Base� �� 37 �� Trusted Computing Base

�� . �� .

v Secure-Files

v Secure-Programs

v Login-Programs


v Immune-Programs



��, �� Access-Restrictions �� TCB�

��. ��

�� . �� Access-Restrictions ��

�� TCB� �� (�� TCB� ��

�(: Secure-Programs)� �� ).

�� .

v � ��

v � ��

v � ��

v � ��

v � ��

v � ��(: � � , �� )

v �� ( � � � �)

pdosd �� TCB � � �� . � ��

�� . TCB� �� , � ��

� �� . � �, pdosd

�� /var/pdos/log/msg__pdosd.log� �� .

TCB� �� pdosd ��

� � � �� . ��, �� CRC �

�� . �� -tcb_nocrc_on_exec ��

��.

pdosd �� TCB � ��

� �� . 86 �� 32� /opt/pdos/etc/

pdosd.conf �� .

� 3 � �� 85

� 32. pdosd TCB � ��

��

[tcb]

monitor-threads Trusted Computing Base ��

��. TCB ��

��. !��

��. CPU �� .

interval �� TCB� �� (�). � ��

� TCB �� , ��

�� .

max-checksum-file-size � � ��

��. � � ��

�� . ��

��

� ��

� �� . TCB ��

�� .

ignore-ctime TCB �� ctime� �� . � ��

� �� ctime� �� TCB �� .

tcb_nocrc_on_exec �� TCB� ��

� �� CRC �� . � �

�� 2� � � � CRC ��

� ��.

�� TCB � � ��

��, �� Tivoli Access Manager policy �� . � �

��

�� . � � �� ,

pdosobjsig ��

�. �� pdosobjsig ��

��, Trusted Computing Base ��

� �� .

pdosd ��

pdosd �� /var/pdos/log/msg__pdosd.log�� , �

� � �� . � � � ��

� �� .

v UTC(Universal Time Coordinated) ��

v ��

v ��

v ��


� 33�� .

� 33. pdosd ��

��

[pdosd]

log-entries pdosd �� pdosd �� .

�� 0� �� pdosd ��

� �� . log-entries� 0

� �� logs� 0� �� , pdosd ��

� �� log-entries� ��

� pdosd �� . log-entries

� 0� �� logs� 0� �, pdosd ��

�� log-entries� �� pdosd

�� .

logs pdosd �� pdoswdd �

� �� . pdosd �� 0� ��

�� log-entries� 0� ��

�. pdosd �� log-entries� �

�� pdosd ��

��. �� 0� pdosd ��

�� .

pdosauditd ��

pdosauditd � �� Tivoli Access Manager for Operating Systems � ��

� ��. � �� pdosobjsig ��, � �� 2� � ��

�� .

�� /var/pdos/audit/audit.log��.

pdostecd � pdoslrd �� audit.log � � ��. � � ��

�, �� audit.log � � ��

� �� . pdosauditd �� , �� audit.log

� � �� .

�� . �� ,

�� , �� , � � ��, � ��

� � �� . �� , ��

��.

�� /opt/pdos/etc/osseal.conf �� . �

� � �� 88 �� 34� �� . ��

�� . pdosctl ��

� �� .

� 3 � �� 87

� 34. ��

��

[audit] level ��

permit_actions �� permit_actions

deny_actions �� deny_actions

pdosauditd �� /var/pdos/log/msg__pdosauditd.log��

��, � � � ��

��. � � � �� .


v ��

v ��

v ��

pdosauditd ��

pdosauditd �� /opt/pdos/etc/pdosauditd.conf � � � ��

��.

� � � �� .

v audit-logflush �� pdosauditd ��

�� (�)� ��. ��, �� 5�� .

v audit-logsize ��

� � �� . 0� � � ��

� �� . �� 1,000,000��.

� �� , /var/pdos/audit ��

� � �� audit.log�� audit.log.YYYY-MM-DD-HH-MM-SS

� �� . �� audit.log � �� .

�� pdosauditd �� .

v log-entries ��

� �� . �� 0��, ��

�� .

v logs ��

�� . log-entries �� 0 �, � � ��.

89 �� 35� audit.log � � msg__pdosauditd.log � � ��

�� pdosauditd �� . �� 254 ��

� �pdoscfg�� pdoscfg �� .


� 35. pdosauditd ��

��

[pdosauditd]

audit-logflush pdosauditd �� (�)

audit-logsize pdosauditd� � ��

� �� (��)

log-entries pdosauditd �� pdosauditd �

� �� . �� 0� ��

pdosauditd �� .

log-entries� 0� �� logs� 0� �� , pdosauditd �

� � � � � � �� log-entries� ��

� �� pdosauditd ��

��. log-entries� 0� �� logs� 0� �, pdosauditd

�� log-entries� ��


�.

logs pdosaditd �� pdosauditd

�� . pdosauditd �� 0� �

� �� log-entries� 0� ��

��. pdosauditd �� log-entries


� � ��. �� 0� pdosauditd ��

�� .

� �� 138 �� policy ��

�. � �� 233 �� .

pdoswdd ��

pdoswdd �� pdosd, pdosauditd, pdoslpmd � pdoslrd ��

� ��. �� . ��

� �� . � ��

� ��. �� Tivoli Access Manager for


�: 91 �� pdostecd Tivoli Enterprise Console �� pdostecd �

�� .


�� . � �� , ��

� ��

��.

pdoswdd �� /var/pdos/log/msg__pdoswdd.log��

�, � � � �� . � �

� �� .


� 3 � �� 89

v ��

v ��

v ��

pdoswdd ��

pdoswdd �� pdoswdd �� /opt/pdos/etc/pdoswdd.conf� �

�� .

�� pdoswdd �� .


� �� . �� 0��, ��

�� .

v logs ��

�� . log-entries �� 0 �, � � ��.

� 36� msg__pdoswdd.log � � �� pdoswdd �� .

� 36. pdoswdd ��

��

[pdoswdd]

log-entries pdoswdd �� pdoswdd �

� �� . �� 0� ��

pdoswdd ��

��. log_entries� 0� �� logs� 0� �� ,

pdoswdd ��

log_entries� ��

pdoswdd �� .

log_entries� 0� �� logs� 0� �, pdoswdd �

� � � � � � �� log_entries� ��

� �� pdoswdd ��

��.

logs pdoswdd ��

pdoswdd �� . pdoswdd ��

� �� 0� �� log_entries� 0�

�� . pdoswdd ��

� � �� log_entries� ��

� �� pdoswdd �� .

�� 0� pdoswdd ��

�� .

�� , ��

�� . ��

�� .

pdosd /var/pdos/log/msg__pdosd.log


pdosauditd

/var/pdos/log/msg__pdosauditd.log

pdoswdd

/var/pdos/log/msg__pdoswdd.log

pdoslpmd

/var/pdos/log/msg__pdoslpmd.log

pdoslrd

/var/pdos/log/msg__pdoslrd.log

�� , � ��

�� .

pdostecd Tivoli Enterprise Console ��

pdostecd �� Tivoli Enterprise Console� �� Tivoli Access Manager

for Operating Systems� �� . � ��

�� /var/pdos/audit/audit.log� �� /var/pdos/tec/tec.log

� � �� . � � � Tivoli Enterprise Console ��

�� . �� 335 �� C

�Tivoli Enterprise Console � Tivoli Risk Manager �� .

pdostecd �� /var/pdos/audit/audit.log � � �� , �

�� . audit.log � � ��

� ��.

tec.log � � �� , �� /var � ��

�� . �� 92 ��

��.

pdostecd �� /var/pdos/pdostecd/msg__pdostecd.log��

��, � � � �� .

� � � �� .


v ��

v ��

v ��

pdostecd ��

pdostecd �� pdostecd �� /opt/pdos/etc/pdostecd.conf� �

�� .

� 3 � �� 91

�� pdostecd �� .


� �� . �� 0��, ��

�� .

v logs ��

�� . log-entries �� 0 �, � � ��.

� 37� /var/pdos/pdostecd/msg__pdostecd.log � � ��

pdostecd �� .

� 37. pdostecd ��

��

[pdostecd]

log-entries � � � �� pdostecd ��

� � �� . �� 0� ��

�� .

logs ��

� �. 0� � �� .

log-entries �� 0 �, � � ��.

��

/var/pdos/tec/tec.log� �� . /var � ��

�� . Tivoli �� UNIX

cron �� .

�� .

1. pdostecd �� . ��

��.

/opt/pdos/bin/rc.pdostecd stop

2. Tivoli Enterprise Console �� tec.log � � ��

�� . � ��, �� 5�

� ��.

sleep 300

3. pdostecd �� . �� tec.log � � ��

� ��.

/opt/pdos/bin/rc.pdostecd start

� �� . pdostecd ��

�� . ��

� �� , � �� . pdostecd ��

�� , �� .


pdoslpmd �� policy � ��

pdoslpmd �� Tivoli Access Manager for Operating Systems �� policy

� �� . �� pdoslpmd

� �� Tivoli Access Manager for Operating Systems policy ��

�� .

�� Tivoli Access Manager for Operating Systems� �� , ��

� �� policy �� . �� policy� ��

�� , pdoslpmd �� . �� Tivoli

Access Manager for Operating Systems �� policy� ��

�� , �� Tivoli Access Manager for Operating Systems� ��

pdoslpmd �� .

� 38�� /opt/pdos/etc/pdosd.conf ��

� �� .

� 38. pdoslpmd ��

��

[pdoscfg]login-policy on | off �� policy ��

��.

pdoslpmd �� pdosd �� . pdoslpmd� ��

�� pdosd� �� , �� policy ��

��.

pdoslpmd ��

pdoslpmd �� . /opt/pdos/etc/lpm.conf �

� Tivoli Access Manager for Operating Systems ��

�� policy� �� . Tivoli Access Manager for Operating Systems

�� policy� policy� �

�� . �� . Tivoli Access

Manager for Operating Systems �� policy� ��

� �� .

pdoslrd ��

pdoslrd �� Tivoli Access Manager for Operating Systems �

�� , �� , ��

��. � �� , �� (��

�� ), �� , ��

��, �� . pdoslrd �� audit.log � � ��.

� 3 � �� 93

� � �� , �� audit.log � � ��

�� . pdosauditd �� , ��

audit.log � � �� .

pdoslrd ��

pdoslrd �� . �� , �

� ��

� � ��. �� , �� 109 ��

4 � �� .

� 39� pdoslrd �� .

� 39. pdoslrd ��

��

[pdoslrd]

state � � �� . pdoslrd� ��

� �� . �� , ��

�.

log-entries pdoslrd �� pdoslrd �

� �� . �� 0� ��

pdoslrd ��

�. log_entries� 0� �� logs� 0� �� ,

pdoslrd �� log_entries�

�� pdoslrd ��

�� . log_entries� 0� �,

pdoslrd �� log_entries�


� ��.

logs pdoslrd �� pdoslrd

�� . pdoslrd �� 0

� �� log_entries� 0� ��

� �� . pdoslrd ��

�� log_entries� ��

pdoslrd �� . �� 0

� pdoslrd ��

��.

lrd-local-domain pdoslrd�� Tivoli Access Manager for Operating Systems

� �� , �

�� .

lrd-admin-name admin �� pdoslrd� �� . pdoslrd


�� , � ��

Tivoli Access Manager �� admin ��

��.


��

Tivoli Access Manager for Operating Systems� �� Tivoli Access Manager

� UNIX �� . �� Tivoli Access Manager ��

� �� Tivoli Access Manager for Operating Systems �� . UNIX


�� .

� �� .

osseal-admin ��

osseal-admin �� Tivoli Access

Manager ��. UNIX �� osseal��. ��

�� .

v �� . ��

�� .

v �� . �

��

��( �� Tivoli Access Manager �� ).

� ��

��.

v �� , pdosd ��

�� . � �� , �� . ��

�� 78 �� pdosd �� .

Tivoli Access Manager for Operating Systems� �� osseal-admin �

� �� (root � osseal)�� . � �� osseal �

� ID� �� .

osseal ��

osseal �� UNIX

��. � �� Tivoli Access Manager� osseal-admin �� .

� �� Tivoli Access Manager for Operating Systems�� setgid

�� /var/pdos �� UNIX ��

� �� . � �� osseal UNIX �� ID� ��

��. � �� osseal �� ID� �� .

osseal-admin �� osseal � �� Tivoli Access Manager

for Operating Systems �� Tivoli Access Manager for Operating

Systems �� .

� 3 � �� 95

osseal ��

osseal �� Tivoli Access Manager� UNIX �� . Tivoli Access

Manager for Operating Systems� UNIX ��

��. osseal �� Tivoli Access Manager for Operating Systems ��

�� ID��.

root ��

�� Tivoli Access Manager for Operating Systems� �� root� Tivoli Access

Manager �� ID� ��. � �� UNIX �� , root

� �� . root �� osseal-admin ��

�� . osseal-admin �� , root ��


� ��.

root �� Tivoli Access Manager ��

Tivoli Access Manager for Operating Systems �� UNIX ��

��.

osseal-auditors ��

osseal-auditors �� Tivoli Access Manager �

��. UNIX �� ossaudit��.

Tivoli Access Manager for Operating Systems� �� osseal-auditors

�� (root � ossaudit)�� .

ossaudit ��

ossaudit �� UNIX ��. � �� Tivoli

Access Manager� osseal-auditors �� . osseal ��

� ��.

osseal-auditors �� ossaudit � �� Tivoli Access

Manager for Operating Systems �� Tivoli Access Manager for

Operating Systems � � ��

��. � �� osseal �� ID� �� .

osseal-unauth ��

osseal-unauth �� Tivoli Access Manager �� . UNIX �

� ��. � �� Tivoli Access Manager� ��

� �� . �� ACL

�� .


pdosd-hostname ��

Tivoli Access Manager policy �� policy ��

� �� . Tivoli Access Manager policy ��

� �� pdosd �� Tivoli Access Manager ��

��. �� Tivoli Access Manager for Operating Systems

�� , �� DNS �� (

: pdosd-hostname ��). DNS �� , ��

� ��. pdosd �� Tivoli Access Manager policy ��

�� policy �� . � �� .

critical cred ��

critical cred �� Tivoli

Access Manager �� . pdoscfg �� critical_cred_group ��

� �� . ��

� �� .

v �� .

v ��

�. ��

�� ( �� Tivoli Access Manager ��

� ��).

�� cred �� . � �� UNIX �

� �� . �� UNIX ID� ��

�, �� .

��


� ��. ��

�� Tivoli Access Manager for Operating Systems policy�

�� . ��


� �� Tivoli Access Manager for Operating Systems��

� �� .

/opt/pdos/bin

�� 2� �� .

/opt/pdos/etc

�� . �

� � �� policy� �� , pdosbkup �

� 3 � �� 97

pdosrstr �� , ��

��

��. �� .

/opt/pdos/etc/trace


� �� .

osseal.conf

��

pdosd.conf

pdosd ��

pdosauditd.conf

pdosauditd ��

pdoslrd.conf

pdoslrd ��

pdoslrd.xml

pdoslrd ��

pdoswdd.conf

pdoswdd ��

pdostecd.conf

pdostecd ��

pdossudo.conf

pdossudo ��

lpm.conf

�� policy � ��

/opt/pdos/kernel

Tivoli Access Manager for Operating Systems � �� 2� �

� � ��.

/opt/pdos/lib

��

��.

/opt/pdos/nls

�� .

/opt/pdos/sbin

�� 2� � �� .


/var/pdos/audit

Tivoli Access Manager for Operating Systems � �

/var/pdos/audit/audit.log� ��.

/var/pdos/azn

authzn_replica.db� Tivoli Policy Director policy ��

� �� .

/var/pdos/certs

Tivoli Access Manager policy �� LDAP ��

�� pdosd � pdoslrd ��

� �� .

/var/pdos/cred


/var/pdos/ffdc

� ��

� ��.

/var/pdos/hla

� �� IP ��

�� look-aside �� .

/var/pdos/log

�� (pdostecd �� )� ��, �� , ��

�� .

/var/pdos/login


/var/pdos/lpm


�� .

/var/pdos/pdosauditd


� ��. �� , � ��

� ��.

/var/pdos/pdosbkup

� �� pdosbkup � pdosrstr ��

�� . pdosbkup ��

� �� . ��

�, � �� .

� 3 � �� 99

/var/pdos/pdoscfg

� �� pdoscfg � pdosucfg ��

� �� . �� , � ��

� �� .

/var/pdos/pdosd

� �� pdosd ��

��. �� , � ��

��.

/var/pdos/pdoslrd

� �� pdoslrd ��

��. �� (.lrp) � � ��

�� .

/var/pdos/pdosteccfg

� �� pdosteccfg � pdostecufg ��

� �� . �� , �

�� .

/var/pdos/pdostecd

� �� pdostecd ��

��. �� , � ��

� ��. �� pdostecd �� .

/var/pdos/pdoswdd

� �� pdoswdd ��

��. �� , � ��

� ��.

/var/pdos/tcb


� �� .

/var/pdos/tec

Tivoli Enterprise Console ��

� ��.

/var/pdos/tracelogs


� �� .

/var/pdos/uid

�� UID � GID� ��(� ��

)� ��. �� .


/var/pdos/umsg


�� .

/var/pdos/watch

�� pdosd, pdosauditd, pdoswdd, pdoslrd �� pdoslpmd

�� .

�� policyTivoli Access Manager for Operating Systems� �� policy� ��

�� .

once-only

� policy� �� policy �� . � plicy� Tivoli Access

Manager for Operating Systems �� , � �

�� ACL, ��

�� /OSSEAL �� .

per-machine

� policy� � �� . � policy� ��

�� .

per-policy

� policy� �� policy �� . �

policy� Trusted Computing Base� �� , Tivoli Access

Manager for Operating Systems� �� ACL

� POP� ��.

Tivoli Access Manager for Operating Systems�� policy� ��

�� . �� policy� ��

�.

� �� policy �� ACL� ACL��

��. �� policy� �� policy� � ��

Tivoli Access Manager for Operating Systems� �� (Trusted

Computing Base� �� ). Trusted Computing

Base� �� 37 �� Trusted Computing Base

�� .

osseal-audit

� ACL� Tivoli Access Manager for Operating Systems � ��

/var/pdos/audit �� . �� /var/pdos/pdoslrd,

� 3 � �� 101

/var/pdos/pdostecd � /var/pdos/tec� �� . ACL�

osseal-auditors ��

� ��.

osseal-audit-exec

� ACL� pdosaudview �� /opt/pdos/bin/pdosaudview� ��

��. osseal-auditors ��

��. �� .

osseal-credentials

� ACL� Tivoli Access Manager for Operating Systems ��

�� /var/pdos/cred� /var/pdos/uuid� �� . � ACL

� �� , pdosrefresh �

pdosdestroy �� . Tivoli Access Manager for Operating

Systems� ��

� �� , �� . � ACL�

�� osseal-admin ��

��.

osseal-default

�� ACL��. � ACL� Tivoli Access Manager for Operating Systems:

/OSSEAL� root �� . � ACL� � �� Tivoli Access

Manager �� .

osseal-default-file

�� ACL��, Tivoli Access Manager for Operating Systems � ��

�� ACL� �� Tivoli Access Manager ��

�� .

osseal-default-login

� ACL� �� policy� ��. � ACL� ��

�� .

osseal-default-net-incoming

� ACL� �� NetIncoming � policy� ��. � ACL� ��

� �� . ��

�� (-net_ACL_limited �� ), NetIncoming �� ACL� �

�� osseal-default-file ACL� �� ACL� ��

�� .


osseal-default-net-outgoing

� ACL� �� NetOutgoing � policy� ��. � ACL� ��

��

��. �� (-net_ACL_limited ��

�), NetOutgoing �� ACL� �� osseal-default-file

ACL� �� ACL� �� .

osseal-default-sudo

� ACL� �� Sudo � policy� ��. � ACL� �� Sudo

�� .

osseal-default-surrogate

� ACL� �� policy� ��. � ACL� ��

� �� .

osseal-exec-open

� ACL� /opt/pdos/lib � /opt/pdos/nls �� ,

/opt/pdos/bin �� (pdosdestroy, pdosrefresh, pdossudo �

pdoswhoami)� �� . � ACL� ��


�� .

osseal-exec-root

� ACL� /opt/pdos/bin/pdoslpmd,/opt/pdos/bin/pdostecd,

/opt/pdos/bin/pdosshowmsg � /opt/pdos/bin/rc.pdostecd ��

�� . � ACL� �� root � osseal-admin �

� �� .

osseal-hla

� ACL� Tivoli Access Manager for Operating Systems� /var/pdos/hla

�� IP �� . �

ACL� pdoshla �� osseal-admin ��

��.

osseal-kazndrv

� ACL� Tivoli Access Manager for Operating Systems �� /dev/kazndrv

� �� . Tivoli Access Manager for Operating Systems � ��

�� PAM ��

��. osseal-admin � �� .

� 3 � �� 103

osseal-logs

� ACL� /var/pdos/log, /var/pdos/ffdc � /var/pdos/tracelogs ��


� �� . � ACL� �� osseal-admin

�� , �� (o), �� (p) � �� (U) �

�� .

osseal-open

� ACL� /opt/pdos/etc/lpm.conf � /opt/pdos/etc/pdossudo.conf � � �

� �� . � ACL� ��

�� . �� osseal-admin �� ACL� ��

�� .

osseal-privileged-user

� ACL� osseal UNIX �� . ��

pdossudo �� osseal� �� , �� osseal-admin

�� . �� Sudo ��

�� pdossudo �� osseal ��

� � ACL� ��. pdossudo �� osseal ��

�� Sudo �� .

osseal-restricted

� ACL� Tivoli Access Manager for Operating Systems� ��

�� . � ACL� osseal-admin ��

��, �� . � ACL�

/opt/pdos/etc, /opt/pdos/etc/trace, /var/pdos/pdosbkup, /var/pdos/pdoscfg,

/var/pdos/pdosteccfg � /var/pdos/certs �� .

�: /opt/pdos/etc �� pdossudo.conf � � osseal-open ACL� ��

�� .

osseal-restricted-read

� �� ACL� Tivoli Access Manager for Operating Systems ��

�� . � ACL�

osseal-admin �� (D), ��(r), �� (l), Kill(k)

� ��(x) �� , �� . �

ACL� �� /var/pdos �

/opt/pdos �� .


osseal-tcb

� ACL� Tivoli Access Manager for Operating Systems� /var/pdos/tcb��

�� TCB �� . � ACL

� �� osseal-admin �� .

osseal-admin �� pdosobjsig ��

�� .

osseal-umsg

� ACL� �� Tivoli Access Manager for Operating Systems ��

�� /var/pdos/umsg �� . � ��


�� .

osseal-var-lpm

� ACL� /var/pdos/lpm � /var/pdos/login �� .

� ACL� /var/pdos/lpm ��

��. �� policy � �� .

osseal-admin �� ACL� ��

� �� .

��

� �� , Tivoli Access Manager for Operating Systems� ��

� Tivoli Access Manager policy ��, Tivoli Access Manager ��

(LDAP), � �� UNIX �� (: NIS), ��

��(: DNS ��)� ��. �� , ��


� �� . �� . � ��

� �� .

v IBM Tivoli Access Manager for Operating Systems� ��

��

v Tivoli Access Manager policy ��

v Tivoli Access Manager �� (LDAP)� ��

v NIS ��

v DNS ��


� �� .

� 3 � �� 105

Tivoli Access Manager policy ��

Tivoli Access Manager for Operating Systems� Tivoli Access Manager policy

�� , pdosd �� policy ��

��. Tivoli Access Manager for Operating Systems� Tivoli Access Manager policy

�� policy �� policy ��

Tivoli Access Manager for Operating Systems� �� . pdosd ��

Tivoli Access Manager policy �� 83 ��

�� . pdosd �� policy �� Trusted

Computing Base� policy �� . pdosd

�� Tivoli Access Manager policy �� , �� policy ��

policy �� . pdosd �� Tivoli Access Manager

policy �� policy ��

�� (�� )� � ��.


Tivoli Access Manager for Operating Systems� Tivoli Access Manager ��

��(LDAP)� �� , PDOSD �� Tivoli Access Manager ��

� �� . �, pdosd ��

�� , �� . �

�� pdosd �� 79 ��

�� .

pdosd �� LDAP ��

�� . ��

��

��.

pdosd �� LDAP ��

�� . pdosd

�� LDAP ��

�� , �� .

�� . pdosd �� LDAP

�� ,

�� .

pdosd �� LDAP �� LDAP

�� .

�� Tivoli Access Manager� �� LDAP ��

�� . �� pdosd ��


�� . pdosd �� LDAP ��

� �� .

�� UNIX ��

�� UNIX �� (: NIS)� ��

�� . � �, ��

�. �� Tivoli Access Manager ��

�� .

�� UNIX ID� �� UNIX �� NIS �� NIS+ ��

�� UNIX � �� UNIX �� .

Tivoli Access Manager �� 3 �� UNIX ID �

Tivoli Access Manager �� ID�� .


� �, � �� . Tivoli Access Manager for Operating Systems��

Tivoli Access Manager for Operating Systems �� UNIX uid/gid

� �� /� �� . UNIX uid/gid � �� /� �

� �� pdosd �� UNIX �� , pdosd

�� UNIX ID� UNIX �� . UNIX ��

�� pdosd �� Tivoli Access Manager �� (LDAP) ��

�� .

� ��

�� .

��, �� UNIX �� UNIX uid/gid � UNIX �� /

� �� , UNIX uid/gid � UNIX

�� /� �� . �� UNIX ��

�� , �� Tivoli Access

Manager for Operating Systems uid/gid �� .

pdoscfg -uid on


� �� .

��

Tivoli Access Manager for Operating Systems� �� (DNS

�� NIS)� �� . � �, IBM Tivoli Access Manager for Operating

Systems� Tivoli Access Manager policy ��, Tivoli Access Manager ��

� 3 � �� 107

��, �� UNIX �� . ��


��.

�� . IP ��

DNS �� Tivoli Access Manager for Operating Systems ��

�� policy� �� . ��

policy �� pdosd �� IP �� DNS ��

��. Tivoli Access Manager for Operating Systems�� IP �

�� , �� pdosd �

�� .

��, IP �� DNS �� . pdoshla ��

�� IP �� DNS �� . � ��

� �� . � �� IP �� DNS ��

� �� , � �� . � ��

� ��

pdoscfg -dns off

� �� /opt/pdos/etc/osseal.conf �� [cache] �� dns

�� off� ��. �� IBM Tivoli Access Manager

for Operating Systems � �� .


Operating Systems IP �� . ��

�� . � �� , ��

�� . Tivoli Access Manager for Operating Systems� 6�

� �� IP �� , � ��

�� . �� IP ��

�, pdoshla �� .


� 4 � ��

� �� pdoslrd ��

�� . �� .

v ��

v ��

v ��

��


�. � � � �� /opt/pdos/etc/pdoslrd.xml��. � � � ��

�� . pdoslradm ��

�� . � �� XML 1.0 � � ��

��.

�: �� pdoslrd.xml� UTF-8� ��. ��

�� UTF-8� �� . �� UTF-8�

�� . �� en_US� ASCII�

�� .

�� pdoslrd� �� . ��

�� .

��

��

��. �� gerrywaix�� Tivoli Access Manager ��

��. �� LRD_EmailOutput �� . file-admin ��

��.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE Server SYSTEM "opt/pdos/etc/pdoslrd.dtd"><Server>

<Router name="router 1" state="on"<Channel name="input" type="LRD_AuditInput"

path="var/pdos/audit/audit.log" state="on"/><Channel name="file-admin" type="LRD_FileOutput"

path="var/pdos/pdoslrd/audit.out" format="keyvalue" state="off"/><Channel name="mail-admin" type="LRD_EmailOutput"

server="devmail.dev.tivoli.com" port="25"address="[email protected]" port="7136" filter="login-deny"state="on"/>


<Channel name="netout-admin" type="LRD_NetOtput"server="gerrywaix.dev.tivoli.com" port="7136"compress="yes" state="on"

</Router>

<Filters><Filter name="login-deny"><Conditional type="include"><Field name="resource_type" value="Login"/><Field name="view" value="D"/>

</Conditional></Filter>

</Filters>

</Server>

��

�� .

v XML �

v ��

v ��

v ��

v ��

v ��

v Conditional ��

v Field ��

XML �

XML �� XML � � ��

��. � �� .

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE Server SYSTEM "opt/pdos/etc/pdoslrd.dtd">

Server �

�� . ��

�� .

��

<Server> ��

</Server> ��

��


completion_action � �� . �� ″

��″��. �� ″rename″��, �� .lrd� �

�� , ″delete″� � � ��

� � ��.

Router �

�� Router �� . � Router �

�� .

�� Router �� .

��

��

<Router> ��

</Router> ��

��

name �� (�� ). �� .

state �� (� �� ). �� .

hi_ water �� . ��

�� , ��

��

��. �� 50��. 0� �� pdoslrd ��

�� , ��

��.

batch_mode batch_mode� �� pdoslradm��

��, ��

� �� . �� pdoslradm

�� . � ��

��

�� .(�� .) � �

�� 285 �� pdoslradm�� pdoslradm �

�� -b �� .

��

<Server><Router name="router1" state="on" hi_water="500"

<Channel name="audlog" type="LRD_AuditInput"path="/var/pdos/audit/audit.log" state="on" />

<Channel name="file" type="LRD_FileOutput" path="/home/sysadmin/audit.out"format="concise" state="on"/>

</Router></Server>

� 4 � �� 111

Channel �

Channel ��

� �� . ��

�� . ��

�� . ��

� Filter �� , Filter ��

� �� Conditional �� . Channel� ��

� �� . Channel ��

�� .

��

��

<Channel.../> ��

��

name �� (�� ). �� .

type �� (: LRD_FileOutput). �� .

state �� (� �� ). �� .

path ��

filter �� (�� ). ��

� � ��.

error �� . �� (��

� ��). [default=2]

format � �� (LRD_FileOutput � LRD_EmailOutput ��

��). � concise, keyvalue �� verbose� � � ��. [defaults:

LRD_FileOutput=keyvalue; LRD_EmailOutput=verbose]

�: �� pdosaudview �� .

max_files �� . � ��

��. 0� � ��

(LRD_FileOutput �� ). [default=0]

rollover_size �� (��). ��

� ��. 0� � � � ��

(LRD_FileOutput �� ). [default=0]

delimiter �� . � � concise �� keyvalue ��(� �� )�

��

��(LRD_FileOutput � LRD_EmailOutput �� ).

server �� (LRD_EmailOutput � LRD_NetOutput �

� ��)

port �� (LRD_EmailOutput � LRD_NetOutput �� ).

[defaults: LRD_EmailOutput=25; LRD_NetOutput=7136]

rebind �� . ��

(LRD_EmailOutput � LRD_NetOutput �� ). [defaults:

LRD_EmailOutput=60; LRD_NetOutput=300]


compress �� ( �� ) (LRD_NetOutput �� ). ��

�� . [default=no]

dn �� (LRD_NetOutput �� )

buffer � �� (��).

� �� (LRD_NetOutput �� ).

[default=16384]

flush_interval � �� (LRD_NetOutput

�� ). [0=no limit; default=1000]

queue_size ��

(LRD_NetOutput �� ). [0=no limit; default=1000]

hi_water �� . ��

�� (LRD_NetOutput ��

�). [default=2/3 x � ��. � �� 0� �, default =100]

address � � ��(LRD_EmailOutput �� )

��

�� .



<Channel name="log_input" type="LRD_AuditInput" path="/var/pdos/audit/audit.log"state="on" />



<Channel name="fileout1" type="LRD_FileOutput" path="/var/pdos/pdoslrd/audit.out"format="concise" state="on" />

<Channel name="mail1" type=LRD_EmailOutput" server="mailserv.tivoli.com"

port="25" [email protected] state="on"/>



<Channel name="netout-admin" type=LRD_NetOutput" server="toasty.ibm.com"port="7136" state="on" />

Filters �

�� Filter �� . �� Filter �

�� Filter �� . �� .

��

��

<Filters> ��

</Filters> ��

��

��

� 4 � �� 113

Filter �

Filter �� . Filter

�� Conditional �� . �� Filter ��

Filters �� . �� Filter ��

��.

��

��

<Filter> ��

</Filter> ��

��

name ��

��

<Filters>

<Filter name="filter1"><Conditional type="include">

<Field name="resource_type" value="Login" /><Field name="view" value="D" />




<Filter name="filter2"><Conditional type="exclude">

Field name="view" value="Trace" /></Conditional>

</Filter></Filters>

Conditional �

Conditional �� Filter �� . Filter

�� Conditional �� . True� ��

Conditional �� . include ��

Conditional �� true� ��, �� . exclude ��

Conditional �� true� ��, �� .

Conditional �� true� ��

��. �, Field �� Field ��

� � ��.

Filter �� Conditional �� true�� , ��

� �� Filter �� Conditional �� .

�� include�, �� . �� exclude�, �� .

��

��

<Conditional> ��

</Conditional> ��

��

type ″include″ �� ″exclude″

��



<Filter name="filter1><Conditional type="include">

<Field name="resource_type" value="Login" /><Field name= "view" value="D" />

</Conditional><Conditional type="include"><Field name="outcome" value="F" />


Field �

Field �� . ��

��

��. Field �� . � ��

�� .

��

��

<Field.../> Field ��

��

name �� . �� .

value �� name ��

name2 � �� . name �� name2 ��

� �� .

value_list �� (� �� ). name� ��

��

�. � �� .

� 4 � �� 115

��





<Conditional type="include"><Field name="view" value="D"/>

</Conditional>



<Conditional type="exclude"><Field name="acc_name" name2="acc_eff_name" />

</Conditional>

��

�� . �� Field �� (value

� name2)�� Conditional �� (include � exclude)� ��

��. �� /opt/pdos/etc/pdoslrd.xml.template � � ��

� �� .

�: � �� Field �� value ��

�� . value="abc*xyz"� �� value="*xyz", value="xyz*" ��

value="*xyz*"� �� . Conditional �� Field �

�

value="abc*" � value="*xyz"� �� abc*xyz� ��

� ��. ��(?)� �� , �� (*)�

�� . ��, � �� value="a?b"� "azb", "a1b", "aab"

� ��. �� (:

value="a?c?e?"). � �� Field �� name2 ��

��. �� value �� .

<Filter name="login-deny"><Conditional type="include"><Field name="resource_type" value="Login"/><Field name="view" value="D"/></Conditional></Filter>

<Filter name="root-login><Conditional type="include"><Field name="resource_type" value="Login"/><Field name="acc_name" value="root"/>


<Filter name="non-root-login"><Conditional type="exclude"><Field name="acc_name" value="root"/></Conditional

<Conditional type="include"><Field name="resource_type" value="Login"/></Conditional>

</Filter>

<Filter name="su"><Conditional type="exclude"><Field name="acc_name" name2="acc_eff_name"/></Conditional></Filter>

<Filter name="account-locked"><Conditional type="include"><Field name="event_id" value="2"/></Conditional><Conditional type="include"><Field name="event_id" value="3"/></Conditional>

</Filter>

<Filter name="etc-file-failures"><Conditional type="include"><Field name="resource_type" value="File"/><Field name="view" value="D"/><Field name="sys_res_name" value="/etc/*" /></Conditional>

</Filter>

<Filter name="file-untrust"

<Conditional type="include"><Field name="event_id" value="22" /></Conditional>

</Filter>

<Filter name="isolation"

<Conditional type="include"><Field name="event_id" value="12" /></Conditional>

</Filter>

<Filter name="incoming"

<Conditional type="include"><Field name="resource_type" value="NetIncoming" /><Field name="view" value="D" /></Conditional>

</Filter>

��

�� . � ��

� �� LRD_AuditInput� ��, � �� LRD_FileOutput,

LRD_EmailOutput � LRD_NetOutput� ��.

� 4 � �� 117

��

LRD_AuditInput

Tivoli Access Manager for Operating Systems � ��(��

/var/pdos/audit/audit.log*�)� ��, ��

�� .

LRD_FileOutput

�� , ��

�� .

LRD_EmailOutput

�� , ��

� �� .

LRD_NetOutput

�� , ��

� pdacld �� .

��

�� (/opt/pdos/etc/pdoslrd.xml)� ��

��.

LRD_AuditInput�� . ��

� � � �� LRD_AuditInput��. � �� Tivoli Access Manager

for Operating Systems � �� . � ��

/var/pdos/audit �� audit.log* �� .

audit.log � � �� , audit.log� ��

� � � �� . audit.log � � ��

�� audit.log.YYYY-MM-DD-hh-mm-ss �� .

pdoslrd �� /var/pdos/pdoslrd ��

input_channel_name.lrp �� . ��, input_channel_name�

�� . � �� input.lrp��. � �

� �� pdoslrd� ��

uniqifier� �� . �� input_channel_name.lrp � �

�� uniqifier� ��

/var/pdos/audit�� audit.log* � � ��. �� , ��

� �� . � �� pdoslrd ��

� �� . ��

input_channel_name.lrp � � �� audit.log* ��

� �� .


�: uniqifier� Tivoli Access Manager for Operating Systems � ��

��. � � �� . � �

�� (�) �� 0� �� uniqifier

� ��. ��, 0� �� uniqifier� �� uniqifier��

� ��. � ��

�� .

LRD_FileOutput� �� . � ��

�� . ��

� �� tail-f ��

� �� (�� ). ��

� �� (gauge)�� . ��

��.

v �� !

v � ��

v pdoslrd.xml � ��

LRD_EmailOutput� �� . � ��

��

�� . � �� , �

�� . ��

� �, � � �� , ��

�� . ��

��. ��

� �� , ��

� � ��.

LRD_NetOutput� �� Tivoli Access Manager �� pdacld� �

�� . � ��

� �� . � ��

�� pdacld �� . � �

�� . � ��

LRD_AuditInput �� LRD_NetOutput ��

�� , �� Tivoli Access Manager �� API� �

�� pdacld �� . pdacld �� pdacld� � �

� 4 � �� 119

� �� Tivoli Access Manager �� . � ��

�� /opt/PolicyDirector/etc/ivalcd.conf � � �� aznapi ��

� �� .

[aznapi-configuration]logcfg = remote.channel_name:file path=/var/PolicyDirector/pdacld/amos_collection

��, channel_name� �� LRD_NetOutput �� (:

netout-admin)��.

��, pdacld ��

� � � � ��. ��, ��

� � � � �� . � ��

�� ivalcd.conf � � �� .

[aznapi-configuration]logcfg = remote.channel_name.hostname1:file \path=/var/PolicyDirector/pdacld/hostname1/amos_collectionlogcfg = remote.channel_name.hostname2:file \path=/var/PolicyDirector/pdacld/hostname2/amos_collection

� �� hostname1��

hostname2�� .

pdacld� � �� , �� ivalcd.conf

� � aznapi �� .

mode = remote

� �� pdacld� Tivoli Access Manager ��

� �� .

��

�� .

v ��

v � � � ��

v ��

��

�� Tivoli Access Manager for Operating Systems � ��

� ��. �� Tivoli Access Manager for Operating Systems audit.log �

�� . �� keyvalue, concise � verbose �� pdosaudview

�� .

�� .


v pdosaudview �� concise �� . �� keyvalue ��

��. �� ( �, � � ��)�

� ��. �� 217 �� 7 � ��

��.

v host_name ��. �� .

v ��

��

�� pdosaudview �� verbose � concise

�� keyvalue� ��. � ��, audit_outcome �� verbose �

Success � Failure��, �� concise �� keyvalue� S � F��.

Concise � keyvalue �� . � �� event_id �

�� verbose � ��. ��

� 217 �� 7 � �� .

��

�� .

v Concise ��(pdosaudview ��)

v Keyvalue ��(pdosaudview ��)

v Verbose ��(pdosaudview ��)

v �� . �� host_name �� concise ��

�� .

v � � �� . �� pdosaudview verbose �� .

��

�� .

v �� 217 �� 7 � �� .

v � �� . ��

Field �� .

v � �� keyvalue �� . �� Field

�� .

v � �� .

– C� �� concise(� keyvalue)� � �� .

– E� �� (�� = LRD_EmailOutput)� � ��

� �� .

– N� �� (�� = LRD_NetOutput)� � ��

�� .

� 4 � �� 121

�� Keyvalue

� ��

��

--- host_name --- E N

�� local_domain LD E N

�� time_stamp TS C E

� �� ID event_id E C E N

� �� V C N

� �� view_verb --- E

� �� R C N

� �� reason_verb --- E

� � �� resource_type RT C E N

�� acc_name AN C E N

�� acc_eff_name AEN C E N

� �� A C E N

� �� P C N

� �� permissions_verb --- E

� �� Q C E N

policy �� branch_name PBN C E N

�� prot_obj_name PON C E N

�� sys_res_name SRN C E N

�� sname SN C E N

�� ID net_rem_host_id NRH C E N

�� net_protocol NP C E N

�� net_service NS C E N

�� ID login_location_id LL C E N

�� ID accessor_pid APID C E N

*�� run_prog_prot_name RPPN C E N

*�� run_prog_sys_name RPSN C E N

Sudo �� sudo_cmdargs SC C E N

Sudo �� sudo_user SU C E N

Sudo �� sudo_flags SF C E N

�� param AP C E N

TCB �� chg_attr_flags CDAF C E N

Policy Epoch policy_epoch PE C E N

Policy �� policy_version PVN C E N

� �� O C N

� �� outcome_verb --- E

� �� fail_status FS C E N

� �� uniqifier UQ C E N

*�� prot_res_spec PRS C E N

*�� acc_res_spec ARS C E N


�� Keyvalue

� ��

��

*″�� ″ � ″�� ″ � ��

�� . ″�� ″ � ″�� ″� � � ��

�� .

��

� ��

event_id �� 10��. �� 237 �� 48� ��

��.

view �� .

P-permit

D-deny

A-admin

I-info

T-trace

W-warning

reason �� 1 - 5� 10��.

1-��

2-� �

3-��

4-� ��

5-��

outcome �� .

S-��

F-��

resource_type �� .

Azn

Process

TCBCred

Policy

File

Login

Logout

TraceExecTraceFilePassword

NetIncoming

NetOutgoing

Surrogate

Sudo

� 4 � �� 123

� ��

action �� .

Check Access

Add

Delete

Change

Retrieve

Apply

Trust

Untrust

Start

Stop

Register

TraceIsolated

Not Isolated

Login

Logout

Enable

Disable

qualifier �� 10��. �� 240 �� 49� ��

��.

Permissions �� (: rwx).

r-read

w-write

x-execute

o-change ownership

D-change directory

p-change permission

R-rename

N-create

d-delete

U-utime

K-kill

L-login

C-connect

G-surrogate

l-readdir

T-traverse


��

�� .

v �� : LRD__FileOutput

v � � ��: LRD__EmailOutput

v �� : LRD__Output

�� - LRD_FileOutput

�� (Channel type= LRD_FileOutput)� ��

�� concise, keyvalue �� verbose� �� . �� pdosaudview �

�� concise, keyvalue � verbose �� .

�� - LRD_EmailOutput

�� (Channel type=LRD_EmailOutput)��

� �� concise, keyvalue �� verbose� �� . � � ��

� � �� . ��

� � �� . � ��, ��

� �� . �� .

Subject: audit record notification

The following audit record was sent by the log router daemon on host swingin local domain Default:

Timestamp Mon 29 Oct 2001 04:35:45 PM CSTAudit Event An authorization decision was made.Audit View PermitAudit Reason Global AuditAudit Resource Type FileAccessor Name rootAccessor Effective Name rootAudit Action Check accessAudit Permissions readAudit Qualifier All resource policy checks permitted access.Policy Branch Name bvtProtected Object Name File/opt/pdosSystems Resource Name /usr/lib/liblpm.soAccessor Process ID 1233Running Program System Resource Name /usr/sbin/in.telnetdAudit Outcome SuccessAudit Uniqifier 1

�� - LRD_NetOutput

�� LRD_NetOutput��. �

� �� pdacld ��

� ��. ��

��. � � �� host_name ��, local_domain ��

�� pdosaudview concise �� . (� �

�� , �� pdosaudview concise(keyvalue

� 4 � �� 125

� verbose)� �� .) ��

�� UTF-8� ��.

� pdacld ��

�. �� . �� , ��

� �� . � ��

�� , ��

��. �� . ��

� �� pdacld ��

� �� .

��

�� rollover_size �� . �� (��)� ��

�� . �� LRD_FileOutput �� . 0� � � � �

�� . � �� audit.log� ��

� �� . �, � � �� , � ��

�� . � ��, auditout �� auditout.2002-02-28-16-02-33

� �� .

�� max_files �� . � ��

� ��. � ��

��. max_files �� 0� �� .

� � � �� . �� pdacld ��

ivalcd.conf � � (�� ) ��.

logcfg = remote.netout.aushat12:File path = /home/amos/collection,rollover_size=50000000

�: � �� .

��

�� . �� . �

� LRD_NetOutput �� . �� pdacld �

�� , � � � ��. ��

�� , � � � �� .


� 5 � ��


�� , �� . �

� �� .

v �� Tivoli Access Manager ��

� ��

v ��, TCB(Trusted Computing Base), �� look-aside


��

v �� policy� �� Tivoli Access Manager for Operating

Systems ��

� �� . � �� 247 �

�� 8 � �� . Tivoli Access Manager for Operating Systems

�� Tivoli �� . �� 155 ��

� � 6 � �Tivoli �� .


��.

v 128 ��

v 128 ��

v 131 ��

v 133 �� policy ��

v 134 ��

v 136 �� policy ��

v 141 �� Trusted Computing Base ��

v 145 �� policy � ��

v 148 ��

v 150 �� ID ��

v 152 �� look-aside ��

v 153 ��


��


�� . ��

� �� .

v Tivoli Access Manager �� osseal-admin �

v UNIX� osseal �


�� . �� .

v Tivoli Access Manager �� osseal-auditors �

v UNIX� ossaudit �

�� pdosaudview �� /var/pdos/audit � /var/pdos/tec

�� .

�� .

��



��. Tivoli Access Manager for Operating Systems� �, Tivoli Access Manager

�� LDAP �� .

�� Tivoli Access Manager for Operating

Systems� �� ID� Tivoli Access Manager �� . ��

� �� ID� ��


� �� . Tivoli Access Manager ��

�� . � ID� Tivoli Access Manager for Operating Systems ��

�� .

�: �� Tivoli Access Manager for Operating Systems

�� .

�� Tivoli Access Manager �� ,

�� . �� , �


� � �� . 3 ��

� �UNIX ID � Tivoli Access Manager �� ID��


�� . pdosrgyimp �� Tivoli Access Manager ��

�� . � �� .

��

�� . �� , ��

� �� ACL� �� . �

�� policy �� . �� IBM Tivoli

Access Manager for Operating Systems� �� policy �� .

��, Tivoli Access Manager �� UNIX ��

�� . � �� policy �� .

� ��, ��

� ��

policy� � � ��. �� , �� Tivoli Access Manager

�� . ��

�.

�� policy� � � �

��. � �, �� (�� )� Tivoli Access

Manager �� .

��

�� .

1. Tivoli Access Manager �� .

2. �� .

3. �� . �� .

� ��, �� A� �� maggie� Maggie Smith��

� B� �� maggie� Maggie Smith�� . ��

maggie� � � �� , � Tivoli Access Manager ��

�. �� . � ��, �� A

� �� riley� Riley Smith�� B� riley� Riley

Jones�� . �� riley� � ��

��, � �� Tivoli Access Manager �� . 3 �� UNIX ID

� Tivoli Access Manager �� ID��

�. � �� UNIX �� .

pdosrgyimp ��

�� UNIX �� , �� UNIX ��

� �� pdosrgyimp �� . pdosrgyimp ��

� 5 � �� 129

�� 293 �� pdosrgyimp�� . pdosrgyimp �� UNIX �

�� UNIX �� . ��

�� UNIX �� . ��

�� .

pdosrgyimp -S o=tivoli -l login-id

�� UNIX �� , ��

� � �� . � �, ��

�� UNIX �� UNIX �� . ��

��.

pdosrgyimp -S o=tivoli -l login-id -E excludefilename

� �� UNIX �� , � ��

�� . � �, �� UNIX ��

� �� . �� .

pdosrgyimp -S o=tivoli -l login_id -I includefilename

UNIX �� -u �� -g �� . ��

�� . �� , ��

� �� . � �, ��

�� . �� . ��

�� . �� .

pdosrgyimp -S o=tivoli -l login_id -I includefilename -E excludefilename

pdosrgyimp �� . pdosrgyimp.import � ��

� pdadmin �� . pdosrgyimp.conflict � ��

pdadmin �� .


� ��. pdosrgyimp.conflict � � � ��

��. pdosrgyimp �� , pdosrgyimp.conflict � � �

�� . �� , pdadmin �� .

pdadmin -a login_id -p password < pdosrgyimp.conflict

-n �� pdosrgyimp� pdadmin ��

��. �� .

-n �� pdosrgyimp �� . pdadmin �

�� pdosrgyimp.import � � ��.


��


�� pdoscfg� ��. pdoscfg� ��


��. � ��, �� , �� ACL �� , ��

(look-aside) � ID � ��

�. �� Trusted Computing Base� �� . �


� �� . �� . �� ,

LDAP �� .

�� pdoscfg ��

� �� . �� policy ��

� � ��. �� pdosucfg �� Tivoli

Access Manager for Operating Systems� �� . 254

�� pdoscfg�� pdoscfg �� .


�� . � � �� daemon_name.conf��. ��

�� osseal.conf��. ��

attribute=value �� . � 40 � ��

�� pdoscfg ��

��. � ��, �� , �� ACL �� , �� (look-aside)

� ID � �� . ��

�� , �� .

� 40. osseal.conf� pdoscfg ��

��

[audit] level -audit_level

permit_actions -audit_permit_actions

deny_actions -audit_deny_actions

[authorization] warning -warning

[cache] dns -dns

uid -uid

[policy] branch -branch

[ffdc] capture -ffdc_capture

� 41. pdosd.conf� pdoscfg ��

��

[ldap] ssl-certificate -ldap_ssl_cacert

� 5 � �� 131

� 41. pdosd.conf� pdoscfg �� (��)

��

[pdoscfg] autostart -autostart

login-policy -login_policy

net-ACL-limited -net_ACL_limited

[pdosd] kmsg-handler-threads -kmsg_hnd_threads

log-entries -pdosd_log_entries

logs -pdosd_logs

init-wait-minutes -pdosd_init_wait

[credentials] admin-cred-refresh -admin_cred_refresh

cred-hold -cred_hold

user-cred-refresh -user_cred_refresh

critical-cred-refresh -critical_cred_refresh

cred-response-wait -cred_response_wait

critical-cred-group -critical_cred_group

[policy] refresh-interval -refresh_interval

[ssl] ssl-listening-port -ssl_listening_port

[tcb] interval -tcb_interval

max-checksum-file-size -tcb_max_file_size

monitor-threads -tcb_monitor_threads

tcb_nocrc_on_exec -tcb_nocrc_on_exec

tcb_ignore_ctime -tcb_ignore_ctime

� 42. pdosauditd.conf� pdoscfg ��

��

[pdosauditd] log-entries -pdosauditd_log_entries

audit-logflush -audit_logflush

logs -pdosauditd_logs

audit-logsize -audit_log_size

� 43. pdoswdd.conf� pdoscfg ��

��

[pdoswdd] log-entries -pdoswdd_log_entries

logs -pdoswdd_logs

� 44. pdoslrd.conf� pdoscfg ��

��

[pdoslrd] log-entries -pdoslrd_log_entries

logs -pdoslrd_logs


� �� pdoscfg � pdosctl �� . pdoscfg �


Manager for Operating Systems� �� .

pdosctl �� Tivoli Access Manager for Operating Systems� ��

��. �� . ��

�� pdoscfg �� pdosctl �� .

�� policy� �� ACL ��

�� ACL

�� . � ��

�� OSSEAL �� ACL� ��

� ��. � �� , �� /OSSEAL/policy-branch/File� ��

� �� ACL� ��. �� , �� ACL

�� OSSEAL �� /OSSEAL/policy-branch/NetIncoming

� /OSSEAL/policy-branch/NetOutgoing �� ACL� ��

��.

� �� pdoscfg �� -net_ACL_limited ��

� ��.

#pdoscfg -net_ACL_limited on

�� .

#pdoscfg -net_ACL_limited off


/OSSEAL/policy-branch/NetIncoming � /OSSEAL/policy-branch/NetOutgoing

�� ACL� � ��

��. ��, � �� policy� ��

/OSSEAL/policy-branch/NetIncoming � /OSSEAL/policy-branch/NetOutgoing

��

�� .

policy ��

Tivoli Access Manager for Operating Systems �� policy branch

� �� LDAP � �� . policy ��

�� policy �� LDAP �� .

� 5 � �� 133

pdadmin �� Tivoli Web Portal Manager� �� Tivoli Access


��.

�� policy branch� �� .

pdadmin> group show-members pdosd-branch/policy-branch


pdadmin> user show-groups pdosd/hostname

�� , pdosd-branch/policy-branch �� .

��

� �� Tivoli Access Manager for Operating Systems �� , �

��, �� .



�� . �� policy ��

� � Tivoli Access Manager for Operating Systems� �� .

�� .

pdoscfg -autostart on

� �� Tivoli Access Manager for Operating

Systems� �� .

�� .

pdoscfg -autostart off


Systems� �� .


��.

rc.osseal start

�: �� Tivoli Access Manager for Operating Systems

� �� , � �� .

��, Tivoli Access Manager for Operating Systems� ��

�� . �� -autostart

off� �� pdoscfg �� .



�� Tivoli Access Manager for Operating Systems� �� .

�� .

rc.osseal stop

�� pdosctl �� . � ��,

pdosauditid ��

��. pdosctl� �� -k �� .

� ��, pdosauditid �� .

pdosctl -k pdosauditd

�� pdosauditd shutdown��. �� rc.osseal start ��

� ��.

��

pdosd, pdosauditid, pdoswdd, pdoslpmd, � pdoslrd ��

�� pdosctl �� . �� -s ��

�� . -s ��

�. � �� -s �� .

-q �� -s �� . -q �� -s ��

�� , �� 0��

1� ��. -q �� pdosctl �� .

�� .

pdosctl -s

�� .

pdosd�(�) �� .pdoswdd�(�) �� .pdosauditd�(�) �� . pdoslpmd�(�) �� .pdoslrd�(�) �� .

pdosd �� , �� .

pdosd�(�) �� .�� policy �� .

pdoswdd�(�) �� .pdosauditd�(�) �� . pdoslpmd�(�) �� .pdoslrd�(�) �� .

�: pdosctl �� pdostecd �� .

��


�� . �� UTC �

� 5 � �� 135

� ��, �� Tivoli Access Manager for Operating Systems ��, �

�� . ��

��, ��, �� . �� /var/pdos/log ��

�� msg__pdos-daemon-name.log��. (� ��

Tivoli Access Manager for Operating Systems, �� 4.1�� . ��

� � �� .) �� . ��

�� IBM Tivoli Access Manager for Operating

Systems �� .

�� pdoscfg �� . ��

� ��(pdosd, pdosauditd, pdoswdd �� pdoslrd)� �, ��

�� . ��

� � �� . ��

�� .

� 45. �� pdoscfg ��

��

msg__pdosd.log -pdosd_log_entries

-pdosd_logs

msg__pdoswdd.log -pdoswdd_log_entries

-pdoswdd_logs

msg__pdosauditd.log -pdosauditd_log_entries

-pdosauditd_logs

msg__pdoslpmd.log ��

msg__pdoslrd.log -pdoslrd_log_entries

-pdoslrd_logs

�: pdostecd �� pdoscfg ��

� �� .

policy �

�� policy� �� , policy� � �� policy� �

��. �� policy� � � ��.


�� policy �� policy

� �� . �� , �� policy ��

�� . ��

policy� �� . �

� policy �� .


�: �� , �� . �� , ��

� �� .

�� , ��

�� .

pdosctl -w on

�� .

pdosctl -w off


� �� .

pdoscfg -warning on

��

��.

pdoscfg -warning off

�� -w� ��.

pdosctl -w

�� .

The global warning mode setting is off

�� , ��

�� , �� POP(Protected

Object Policy)� �� . ��, ��

�� POP� ��

� �� . � �� POP� � ��

�� . ��, �� .

� ��, �� /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

� �� .

pdadmin> pop create sample_poppdadmin> pop modify sample_pop set warning yespdadmin> pop attach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

�� *.company.com �� Telnet� ��

NetIncoming ��, �� . � ��

�� . ��

�� , �� no� �� POP� ��

��. POP��

��, �� .

� 5 � �� 137

pdadmin> pop modify sample_pop set warning no

�� .

�� POP� ��

� �� POP� �� , �� POP� ��

�� .

pdadmin> pop detach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com sample_pop

POP� �� .

pdadmin> pop show pop_name



�� .


� �� . policy� ��

� �� permit, deny, loginpermit � logindeny��. policy� ��

�� permit � deny��. ��

�, �� OSSEAL ��(: ��)�� permit � deny ��

�� . �� 217 �� 7 � ��

� ��.

� �� pdosaudview �� . pdosaudview ��

�� 248 �� pdosaudview�� . pdosaudview ��

Tivoli Access Manager for Operating Systems �� . �

� �� 128 �� .

��


� �� .

pdoscfg -audit_level level

�� level� �� . policy� ��

� �� permit, deny, loginpermit � logindeny��.

pdosctl ��

��.

-A �� . � �� -A

�� , �� . -a ��

� �� . � �� -a


�� . �� -a

� -A �� on �� off� �� (:)��

��. �� on �� off �� , on �� . �

�� all, none, permit, deny, loginpermit, logindeny, admin, verbose,

info, trace_exec � trace_file��. ��

� �� .

pdosctl -A level:[on | off]

�� .

pdosctl -a level:[on | off]

�� .

pdosctl -A permit:on -A deny:on

�� admin deny � �� .

pdosctl -a admin deny:on

�� . �� , -a � -A

�� pdosd, pdoslpmd, pdoslrd, pdosauditd � pdoswdd ��

� �� .

�� .

pdosctl -a

�� .

pdosd�� .(permit, deny, admin)pdoswdd �� .(permit, deny, admin)pdoslpmd �� .(permit, deny, admin)pdoslrd �� .(permit, deny, admin)pdosauditd �� .(permit, deny, admin)

��

�� , �� POP� ��

�� POP� ��. ��

� �� . policy� ��

� �� .

v permit

v deny

�� .

� 5 � �� 139

� ��, sample_pop POP� �� /OSSEAL/Default/

NetIncoming/TCP/telnet/*.company.com� �� permit �

deny� �� .

pdadmin> pop modify sample_pop set audit-level permit,denypdadmin> pop attach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com sample_pop

�� *.company.com �� Telnet� ��

NetIncoming �� . � ��

�� . � �� , � ��

�� none�� POP� ��. POP��

�� , ��

� �� none�� .

pdadmin> pop modify sample_pop set audit-level none

� �� POP� ��

�� POP� �� , �� POP� ��

�� .

pdadmin> pop detach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

POP� � �� .


��


�, Tivoli Access Manager for Operating Systems ��

�� policy� �� . pdosunauth ��

� �� . pdosunauth �� 314 ��

�pdosunauth�� . � ��

�� policy� � � ��. �� , ��

� �� . �� pdosunauth �� .

1. �� .

psdoswhoami -a

�� .

0 root

2. pdosunauth �� IBM Tivoli Access Manager for Operating Systems

� �� .

pdosunauth

3. pdoswhoami �� .

psdoswhoami -a


�� .

Unauthenticated


� �� . �� policy��

��

��.

�: pdosunauth �� . ��

�� .

Trusted Computing Base ��

�� TCB(Trusted Computing Base)� ��

policy �� . � �� TCB ��

�, ACL� �� . TCB � � �

� �� . pdosd

�� Trusted Computing Base� � �� . pdosd

�� , � � ��

�� . �� TCB � � ��

��.

� � ��

�� . �

� �� TCB � � �� .

pdosd �� Trusted Computing Base ��

pdoscfg �� Trusted Computing Base �� .

tcb_interval �� Trusted Computing Base� ��

� ��(�)��. � �� Trusted Computing Base ��

� �� , �� .

tcb_max_file_size ��

� ��.

tcb_monitor_threads �� .

tcb_ignore_ctime �� Trusted Computing Base ��

�� ctime� �� . � �� ctime� ��

Trusted Computing Base �� .

� 5 � �� 141

tcb_nocrc_on_exec �� TCB� ��

�� CRC �� . � ��

� 2� � � � CRC �� .


� � [tcb] �� /opt/pdos/etc/pdosd.conf � � ��. pdoscfg �

�� . �� IBM Tivoli Access

Manager for Operating Systems� ��

��. pdoscfg �� 254 �� pdoscfg��

��.

��

�� Trusted Computing Base � � ��

�� pdosobjsig �� . -l ��

� �� . ��, � ��

�� . �� -n ��

��.

�� -g �� .

�� pdosobjsig �� Trusted Computing Base� ��

��. �� -c �� -C

�� . �� . -c

�� . -C ��

�� . �� -u� -s� �� -S ��

��. -u ��

��. -S ��

��. � ��, Trusted Computing Base� ��

/usr/local/app/bin/examplebinaryA� � � ��.

1. �� .

pdadmin> object create \/OSSEAL/<policy-branch>/TCB/Secure-Programs/usr/local/app/bin/examplebinaryA

2. �� TCB�� , � � �� . TCB�

� � � �� , ��

�� .

pdosobjsig -u /usr/local/app/bin/examplebinaryA -s trusted

�� example binaryA� ��

, Tivoli Access Manager for Operating Systems Trusted Computing Base ��

�� . �� , �


�� . �� , ��

� �� examplebinaryA� �� .

pdosobjsig -u /usr/local/app/bin/examplebinaryA -s trusted


��

Trusted Computing Base� �� . �� , ��

�� pdosd ��

� �� . pdosobjsig -C ��

�� . ��

��, � �� . pdosobjsig��

�� . �� , pdosobjsig -l

��

��. ��, � �� , �

�� . �� -n ��

��. ��

�� , pdosobjsig -S ��

�� . �� pdosobjsig -u objname -s ��

�� .

�� 2�� Trusted Computing Base� ��

�� .

1. ��

�. � � ��

��

�. ��

��.

pdosobjsig -l untrusted> untrusted.output

2. �� .

3. �� , �� . �

��

�. ��

�� .

pdosobjsig -C

4. ��

��.

pdosobjsig -n -l untrusted > after.upgrade.untrusted.output

5. ��

� �� . � �� 1�� .

� 5 � �� 143

��

�� .

pdosobjsig -S trusted

��


�� . ��

� � Trusted Computing Base� �� policy ��

�� . ��

�� .

1. � ��

�� . � � ��

��

� � �� . ��

�� .

pdosobjsig -l untrusted

2. �� Tivoli Access Manager for Operating Systems� �

�� . �� .

rc.osseal stop

�� policy �� . �

�� PAM ��


��. login policy� �� .

pdoscfg -login_policy off

�� , ��

� �� . �� pdosd ��

� �� .

� �� .

pdoscfg -autostart off

3. � �� .

4. �� , Trusted Computing Base� ��

��

�. ��

pdosobjsig -C �� . � ��

� � �� .


5. ��

��.

pdosobjsig -n -l untrusted > after.upgrade.untrusted.output

6. ��

�� . � �� 1�� .

��

�� .


7. 2�� policy � � ��

�� .

pdoscfg -autostart on -login_policy on

8. �� Tivoli Access Manager for Operating Systems� ��

��. ��

��.


Tivoli Access Manager for Operating Systems �� policy�

�� . pdoslpadm ��

�� .

� ��

�� policy� ��, �� policy� ��

�� . �� pdoslpadm

�� -r �� . ��

�� -r �� .

# pdoslpadm -r

�� (uid) ��<: �� >----------------------------- ---------------------gbland(1114) �� root(0) �� uduck(1118) ��

�� -f �� . gbland � uduck

�� ID� �� .

# pdoslpadm -r -f gbland uduck--------------------------------------------------id 1114, gbland� �� :

�� : �� : Sun 02 Dec 2001 05:53:01 PM CST�� : 0�� : Thu 08 Nov 2001 12:00:00 AM CST

� 5 � �� 145

�� :�� (��): 0(0)

----------------------------------------------------------------------------------------------------id 1118, uduck� �� :

�� : �� : Sun 02 Dec 2001 03:09:25 PM CST�� : 0�� : Thu 04 Oct 2001 12:00:00 AM CDT�� :�� 1:

TTY ��: /dev/pts/4rhost ��: bigserv.mycomp.comruser ��:�� pid: 657(��)�� : Sun 02 Dec 2001 03:04:22 PM CST

�� (��): 0(10)--------------------------------------------------

� ��

�� policy �� . �

� Tivoli Access Manager for Operating Systems �� pdoslpadm �� -l

�� . bsmith �� ID� ��

�� .

pdoslpadm -l bsmith


� �� -u ��

�.

pdoslpadm -u bsmith

��


�. � �� UNIX ��

�� . ��

��. �� HP-UX �� (: NIS, NIS+

� DCE)� �� .


Operating Systems �� pdoslpadm �� -m ��

� � �� . �� (: � ��

�(grace login) policy �� policy)� �� policy

� �� .



�� policy � � ��

� � �� .

� �� . � ��


� policy� �� .

�� , ��

� �� .

1. �� (: AIX�� mkuser, Solaris�� useradd)� ��

�� .

2. �� policy� ��

�� , pdoslpadm -m ��

� ��. � �� , ��

�� policy� MinPasswordDays �� .


� � �� .

�� policy� �� NIS ��

146 �� , ��

�� NIS �� policy� ��

� �� . pdoslpadm -m ��

� �� , ��

� ��.


�� NIS ��

� � �� NIS �� . �� NIS ��

� �� NIS �� .

�� ID� � �� NIS ��

�� NIS �� .

pdoslpadm -c on -n server

� � �� NIS �� passwd �� . NIS

�� cron �� passwd ��

passwdchg �� .

NIS �� NIS �� passwdchg �� NIS

�� .

� 5 � �� 147

pdoslpadm -c on -n client

NIS �� NIS �� -c off ��

� �� .

��

Tivoli Access Manager for Operating Systems�� ,


��.

pdosd �� .

� ��

pdoscfg �� pdosd �� .

user_cred_refresh

��

�(�). �� . � � ��

� �� .

admin_cred_refresh


� � � ��. � ��

�� .

cred_hold

� ��

�� (�). � ��

��. ��

�� . cred-hold �� user-cred-refresh ��

��.

critical_cred_refresh

�� . � ��

� ��

� � ��. � �� .

critical_cred_group

�� Tivoli Access Manager

�� . � �� . � ��

�� . ��

� ��


�� . �� (Tivoli Access Manager osseal-admin

�� )� � �� .

cred_response_wait

�� pdosd �� IBM Tivoli Access Manager �

� �� (�)


� � [credentials] �� /opt/pdos/etc/pdosd.conf � � ��. ��

�� , �� . pdoscfg �� , �


�� . pdoscfg �� 254 �� pdoscfg�

� ��.

��


�� Tivoli Access


�� .

� ��

�� . pdosrefresh ��

��, �� .

�� pdosrefresh �� .

�� UID ��

��. �� , �� . -C ��

�� .

�� sally � riley� �� Tivoli Access Manager ��

�� . � ��

�� .

1. sally � riley �� .

pdosrefresh -n sally -n riley

2. sally � riley �� pdosrefresh� ��

��.

3. �� .

pdosrefresh -C

� 5 � �� 149

��

pdosdestroy �� . ��

� �� pdosdestroy �� . UID ��

�� . ��

� � �� .

�� .

pdosdestroy

UID� 300� sally � riley �� .

pdosdestroy -n sally -u 300

�� ID ��


Operating Systems �� ID� �� .

pdoswhoami �� Tivoli Access Manager for Operating

Systems �� . �� Tivoli Access

Manager for Operating Systems �� .

-n �� ID� ��. -a �� ID

�� .

-l �� , �� , ��

�, �� .

pdoswhois �� ID(PID)� �� Tivoli Access

Manager for Operating Systems �� . PID �� pdoswhois

�� . �� PID� �, �� ID � ��

�� . -l �� , ��

�, �� , ��

� ��.

pdoswhoami � pdoswhois ��

�� sally� Tivoli Access Manager for Operating Systems� ��

� ��. �� sally� ��

� ��.

pdoswhoami -l

�� .


106 sally�� .osseal-testersosseal-developers�� Sat Nov 4 14:07:21 2000� �� .�� Sun Nov 5 02:07:21 2000� ��.�� Sat Nov 4 14:07:29 2000��.�� Sat Nov 11 14:07:29 2000� ��.

root ��(��, Tivoli Access Manager for Operating Systems ��)�

�� .

pdoswhoami -l

�� .

0 root�� .osseal-adminosseal-auditors�� Sat Nov 4 11:52:56 2000� �� .�� .�� Sat Nov 4 14:12:56 2000��.�� .

�� ID� 1756 � 1806� ��

�� .

pdoswhois 1756 1806

�� .

1756 PID� �� . UID = 106, �� = sally.1806 PID� �� . UID = 300, �� = riley.

�� ID� UNIX ID� ��


�� ID� UNIX ID� �� . � ��, su ��

�� UNIX ID� � � �� Tivoli Access Manager for

Operating Systems �� ID� �� . setuid �� setgid ��

�� UNIX ID� � � �� Tivoli Access

Manager for Operating Systems �� ID� �� ID� ��

��. � ��, �� user sally� �� ID � ��

�� /bin/su �� . � �, � �� Tivoli

Access Manager for Operating Systems �� ID� �� sally�� UNIX ID

� �� .

�� sally� �� .

iduid = 106(sally)

� 5 � �� 151

pdoswhoami -a106 sally/bin/su

/bin/su� �� .

iduid=0(root)

pdoswhoami -a106 sally

�� look-aside ��

�� IP ��


�� look-aside �� . � ��

� � �� . �� Tivoli Access Manager for Operating

Systems� �� .

��

-dns off� �� look-aside ��

pdoscfg �� . pdoscfg �� look-aside ��

��


��.


��.

pdoscfg -dns on


�� .

pdoscfg -dns off

��

�� pdoshla �� . ��

�� , �� . pdoshla

�� , ��, � � � ��.

-l �� . �� all, stale �� fresh

� �� . -a �� IP ��

�� .


-H �� , ��

�� .

�� 6��(21600�)��. �� -T ��

�� .

-F �� . -f ��

� �� . -r �� .

��

� �� -u �� .

pdoshla ��

�� pdoshla �� .

1. IP �� 146.84.107.11� ��

��.

pdoshla -a 146.84.107.11

2. �� .

pdoshla -l all

�� .

# Internet Address Hostname9.41.3.101 test1.austin.lab.tivoli.com146.84.107.11 office1.tivoli.com9.41.3.123 test3.austin.lab.tivoli.com

3. �� .

pdoshla -l stale

�� .

# Internet Address Hostname9.41.3.123 test3.austin.lab.tivoli.com

4. �� .

pdoshla -f

5. �� .

pdoshla -u

��

pdosbkup � pdosrstr �� IBM Tivoli Access Manager for Operating Systems

�� .

� 5 � �� 153

��


��. �� pdosbkup ��

�� .

pdosbkup �� /opt/pdos/etc/pdosbkuplist � � ��

��. -x� �� /opt/pdos/etc/pdosbkuplistx � � ��

�� . �� .

��, ��

(/var/pdos/pdosbkup/pdosbkupDDMMMYYYY.HH_MM_SS.tar)� � � ��.

� ��, 2001� 11� 19 12:34:56� �� .

/var/pdos/pdosbkup/pdosbkup19Nov2001.12_34_56.tar

�� -p �� . ��

� �� -f �� .



1. �� .

pdosbkup

2. �� .

pdosbkup -x


pdosrstr �� pdosbkup �� Tivoli Access Manager

for Operating Systems � � ��. � � -f ��

��.


�� .

1. pdosbkup25Oct2001.14_32_41.tar � � ��

��.

pdosrstr -f /var/pdos/pdosbkup/pdosbkup25Oct2001.14_32_41.tar


� 6 � Tivoli ��

� �� IBM Tivoli Access Manager for Operating

Systems �� . � ��

� �� IBM Tivoli Access Manager for Operating Systems � ��

��. Tivoli Access Manager for Operating Systems ��

� �� . ��


� 127 �� 5 � �� .


PDOS Task �� Tivoli �� . Tivoli ��

�� Tivoli Access Manager for Operating Systems � ��

� ��. PDOS Task �� Policy Director Region policy

region� ��.

�: �� Tivoli Access Manager for Operating Systems ��

�� . �� Tivoli Access Manager for Operating Systems

�� . �� ID� Tivoli Access


� �� .

Tivoli Access Manager for Operating Systems� �� , ��

�� . ��

�� . �� , �� Tivoli

Management Framework �� .

�� (: ��

�)� �� . �� , ��

� �� , �� Stage � �� .

��

�� . ��, �



Manager for Operating Systems �� (PDOS)� ��


�� . Subscribe PDOS Endpoints �� Tivoli Access

Manager for Operating Systems �� PDOS ��

�� .

� �� . ��

�� . � ��, �� Tivoli Access


� ��. �� , ��

�� Tivoli Management Framework �� .


�� . � ��

��.

�: PDOS �� Policy Director for Operating Systems� �� Tivoli

Access Manager for Operating Systems� �� . � ��


�� .

� 46. IBM Tivoli Access Manager for Operating Systems ��

��

PDOS ��/�� /�� admin

PDOS �� admin

� �� user

PDOS � �� admin

PDOS �� admin

PDOS �� admin

PDOS �� policy �� admin

PDOS �� admin

PDOS TCB �� admin

PDOS �� admin

�� user

UNIX TCB �� admin

UNIX �� admin

PDOS �� admin

PDOS �� admin


PDOS �� admin

�� admin

PDOS �� policy �� admin

PDOS �� admin


PDOS �� admin


� 46. IBM Tivoli Access Manager for Operating Systems �� (��)

��

PDOS �� admin

PDOS �� admin

Setup TEC Event Server for PDOS admin, senior, super

PDOS � �� admin

PDOS ��/�� admin

PDOS �� admin

PDOS �� admin

PDOS �� admin

PDOS �� admin


TEC �� admin

TEC �� admin

PDOS �� admin

PDOS �� admin

wrunjob � wruntask ��

wrunjob � wruntask �� IBM Tivoli Access Manager

for Operating Systems �� , wschedjob ��

� ��. �� IBM Tivoli Access Manager for Operating Systems

�� wruntask � wrunjob� �� . ��

� �� , �� . wruntask � wrunjob

��, �� wschedjob �� Tivoli Management

Framework Reference Manual� ��.

PDOS ��/�� /��


�� . ��

�� UNIX � osseal� �� Tivoli Access Manager �

osseal-admin� �� . ��

� �� UNIX � ossaudit� �� Tivoli Access Manager �

osseal-auditors� �� .

�� osseal �� . �

�� ossaudit �� .

osseal-auditors �� osseal-admin�� , �� Tivoli Access


� 6 � Tivoli �� 157

�� . osseal-auditors � osseal-admin� ��


�: �� Tivoli Access Manager for Operating Systems ��

�� . �� Tivoli Access Manager for Operating Systems

�� . �� ID� Tivoli Access


� �� . �� , ��

� �� Tivoli Management Framework �� .

�� PDOS ��/�� /�� .

� �� .

1. osseal-auditors �� osseal-admin ��

�, � �� .

2. �� .

3. �� , �� .

4. �� .

�� 2. PDOS ��/�� /��


wrunjob � wruntask� ��

wrunjob �� wruntask� ��

� �� .

wrunjob ″Add/Remove PDOS Auditors/Administrators″ -l ″PDOS Tasks″ -a

pd_admin_id -a pd_admin_passwd -a account -a action -a ossaudit -a

osseal_auditors -a osseal -a osseal_admin

wruntask -t ″Add/Remove PDOS Auditors/Administrators″ -l ″PDOS Tasks″

-a pd_admin_id -a pd_admin_passwd -a account -a action -a ossaudit -a

osseal_auditors -a osseal -a osseal_admin -h task_endpoint

��,

pd_admin_id


�� . � �� osseal_auditors �� osseal_admin �

�� True� �� .

pd_admin_passwd

�� . � �� osseal_audits �� osseal_admin

�� True� �� .

account

�� . � ��

��.

action �� . � �

�� .

ossaudit

� �� TRUE� �� UNIX � ossaudit� �

�� . � � TRUE �� FALSE� ��.

osseal_auditors

� �� TRUE� �� Tivoli Access Manager �

osseal-auditors� �� . � � TRUE ��

FALSE� ��.

osseal � �� TRUE� �� UNIX � osseal� ��

�� . � � TRUE �� FALSE� ��.

osseal_admin

� �� TRUE� �� Tivoli Access Manager �

osseal-admin� �� . � � TRUE ��

FALSE� ��.

� 6 � Tivoli �� 159

task_endpoint

�� , ��

��. �� , ��

��.

PDOS ��

� �� Tivoli Access


� �� . �� ,

/var/pdos/pdosbkup �� . � �� date ��

� �� . �� . �

�� , �� /var/pdos/pdosbkup/pdosbkup%m%d%y.tar

��.

��, �� Tivoli Access Manager ��

� � ��. Tivoli Access Manager ��

�� .

�� PDOS �� .

� �� .

1. Tivoli Access Manager for Operating Systems ��

� ��. � �� . ��

�, /var/pdos/backup� �� . � �� date

�� . ��

��. �� , /var/pdos/pdosbkup/pdosbkup%m%d%y.tar � �

�� .

�� 3. PDOS ��


2. �� , �� .

3. �� .



� �� .

wrunjob ″Backup PDOS Database″ -l ″PDOS Tasks″ -a file_name -a

extended_backup

wruntask -t ″Backup PDOS Database″ -l ″PDOS Tasks″ -a file_name -a

extended_backup -h task_endpoint

��,

file_name �� . � � � �

� �, �� .

extended_backup

�� . � TRUE �� FALSE��.

task_endpoint �� , ��

�� . �� , ��

�� .

� � ��


� �� Tivoli Access Manager �� Tivoli Access Manager

for Operating Systems� �� CA �� .

Tivoli Access Manager for Operating Systems� LDAP �� SSL ��

�� LDAP SSL �� Tivoli Access Manager policy �� CA ��

��. Tivoli Access Manager �� CA ��

�� policy �� , policy ��

��. � ��

�. �� . � ��

�� . � ��

� �� .

�� .

� 6 � Tivoli �� 161

� �� .

1. LDAP SSL �� . � �� TMR(Tivoli

Management Region) �� . ��

� �� .

2. Policy �� . � �� TMR(Tivoli

Management Region) �� . ��

� �� .

3. �� . ��

�� .

4. �� .

5. �� .



� �� .

wrunjob ″Certificate_Transfer″ -l ″PDOS Tasks″ -a ldap_certificate -a

pd_certificate -a dest_directory -a dest_system [-a dest_system,...]

wruntask -t ″Certificate_Transfer″ -l ″PDOS Tasks ″ -a ldap_certificate -a

pd_certificate -a dest_directory -a dest_system [-a dest_system,...] -h task_endpoint

�� 4. � ��


�: Tivoli Access Manager for Operating Systems � �� , ��

��

��. �� (: FTP)� �� Tivoli Access Manager for Operating

Systems �� , � ��

�.

��,

ldap_certificate LDAP SSL �� .

pd_certificate Tivoli Access Manager ��

��.

dest_directory �� .

dest_system �� . �� ″system

(Endpoint)″ �� ″system(ManagedNode)″��

��.

task_endpoint ��

�. � ��

� �� .

PDOS ��


Systems �� .

� �� .

� �� , �� . ��


��.

�� PDOS �� .

� 6 � Tivoli �� 163

� �� .

1. �� . � ��

� ��.


�� , �� . �� , ��


�.

3. �� .



� �� .

wrunjob ″Configure PDOS Auditing″ -l ″PDOS Tasks″ -a apply_now -a size

-a frequency

wruntask -t ″Configure PDOS Auditing″ -l ″PDOS Tasks″ -a apply_now -a

size -a frequency -h task_endpoint

��,

apply_now �� Tivoli Access Manager for Operating Systems�

�� . � � TRUE �� FALSE� ��

�.

size � �� (�� )� ��. � � � ��

�, �� .

frequency � �� (� ��)� ��. � � � ��

�, �� .

�� 5. PDOS � ��



�� . �� , ��

�� .

PDOS ��


Systems �� .

�� , �� , ��

�, �� , ��

LDAP �� , �� , ��

�� 8��

��. � �� , �� . ��


�� .

�� PDOS �� .

� �� .

1. �� . � ��

�� . � � �� .

�� 6. PDOS ��

� 6 � Tivoli �� 165

2. Tivoli Access Manager for Operating Systems� �� IP ��

� �� , �� IP �� .

3. Tivoli Access Manager for Operating Systems�� /� �� /

� ID� �� , �� uid/gid� ��

��.


�� , �� . �� , ��


�.

5. �� .



� �� .

wrunjob ″Configure PDOS Caching″ -l ″PDOS Tasks″ -a apply_now -a

admin_refresh -a user_refresh -a user_cred_hold -a cache_hosts -a cache_users-a

crit_cred_group -a crit_cred_refresh -a cred_response_wait

wruntask -t ″Configure PDOS Caching″ -l ″PDOS Tasks″ -a apply_now -a

admin_refresh -a user_refresh -a user_cred_hold -a cache_hosts -a cache_users

-a crit_cred_group -a crit_cred_refresh-a cred_response_wait -h task endpoint

��,


�� . � � TRUE �� FALSE� ��

�.

admin_refresh �� (� ��)� ��. �

� � �� , �� .

user_refresh �� (� ��)� ��. �

� � �� , �� .

user_cred_hold

�� (� ��)� ��.

� � ��

�� . � � � �� , ��

�.

cache_hosts �� . � �

TRUE �� FALSE� ��.


cache_users �� . � �


crit_cred_group



crit_cred_refresh

�� (� ��)� ��.

cred_response_wait

�� LDAP �� (� ��)�

��.


�� . �� , ��

�� .

PDOS ��


Systems �� .

�� 8�� . ��

� �� Tivoli Access Manager for Operating Systems daemons, pdosd, pdoswdd,

pdosauditd � pdoslrd��

�. � �� , �� . ��


� � ��.

�� PDOS �� .

� 6 � Tivoli �� 167

� �� .

1. �� . � �� , ��

�� .


�� , �� . �� , ��


�.

3. �� .



� �� .

�� 7. PDOS ��


wrunjob ″Configure PDOS Logging″ -l ″PDOS Tasks″ -a apply_now -a

pdosd_logs -a pdosd_entries -a pdoswdd_logs -a pdoswdd_entries -a pdosauditd_logs

-a pdosauditd_entries -a pdoslrd_logs -a pdoslrd_entries

wruntask -t ″Configure PDOS Logging″ -l ″PDOS Tasks″ -a apply_now -a

pdosd_logs -a pdosd_entries -a pdoswdd_logs -a pdoswdd_entries -a pdosauditd_logs

-a pdosauditd_entries -a pdoslrd_logs -a pdoslrd_entries -h task_endpoint

��,


�� . � � TRUE �� FALSE� ��

�.

pdosd_logs pdosd �� . � � �

�� , �� .

pdosd_entries pdosd �� . �

� � �� , �� .

pdoswdd_logs pdoswdd �� . � �

� �� , �� .

pdoswdd_entries

pdoswdd �� .

� � � �� , �� .

pdosauditd_logs

pdosauditd �� . �

� � �� , �� .

pdosauditd_entries

pdosauditd �� .

� � � �� , �� .

pdoslrd_logs pdoslrd �� . � �

� �� , �� .

pdoslrd_entries

pdoslrd �� . � �

� �� , �� .


�� . �� , ��

�� .

� 6 � Tivoli �� 169

PDOS �� policy ��


�� policy� �� . �� policy� ��

� ��.

v Tivoli Access Manager for Operating Systems �� policy� ��

� �� . ��, ��

�� .

v �� , ��

�� .

�� PDOS �� policy �� .

� �� .

1. �� Tivoli Access Manager for Operating Systems ��

policy� �� .

2. �� .

3. �� .

4. �� .

5. �� .

�� 8. PDOS �� policy ��




� �� .

wrunjob ″Configure PDOS Login and Password Policy″ -l ″PDOS Tasks″ -a

enable_login -a account -a action

wruntask -t ″Configure PDOS Login and Password Policy″ -l ″PDOS Tasks″

-a enable_login -a account -a action -h task_endpoint

��,

enable_login

Tivoli Access Manager for Operating Systems �� policy ��

�� . � � TRUE �� FALSE� ��. � �

� �� , �� .

account

� �� , ��

�� .

action �� . �� DELETE, LOCK,

UNLOCK � CHANGEDATE��.

task_endpoint

�� , ��

��. �� , ��

��.

PDOS ��

� �� Tivoli Access Manager for Operating Systems

�� .

8�� .

v Tivoli Access Manager for Operating Systems�� policy ��

��

v policy� � �� (�)

v ��

v ��

v LDAP ��

v �� Tivoli Access Manager for Operating Systems� ��

��

� 6 � Tivoli �� 171

v Tivoli Access Manager for Operating Systems ��

� ��

v Tivoli Access Manager for Operating Systems ��

�

� �� , �� .

�� PDOS �� .

� �� .

1. �� policy � �� Tivoli Access Manager for

Operating Systems� �� . Policy �� 0��

policy �� . � �� , ��

�� . Tivoli Access Manager for Operating Systems, �� 4.1

�� 9. PDOS ��


� �� , �� . �

� �� 5.1�� .

2. policy �� Tivoli Access Manager policy �� Tivoli

Access Manager for Operating Systems� �� . Policy ��

� � � �� , 0� � policy � ��

��. � �� , �� .

3. �� Tivoli Access Manager for

Operating Systems� �� .

� �� , �� .

4. �� . � � ��

��. � �� , �� .

5. LDAP SSL CA �� LDAP ��

�� . � �� , �� .

6. �� Tivoli Access Manager for Operating Systems

� �� .

7. Tivoli Access Manager for Operating Systems� �� PDOS

�� . � �� , ��

�� .

8. ��

��. �� Tivoli Access Manager ��


�� . �� pdosd� ��

�� .

9. �� . Tivoli Access Manager for Operating

Systems �� .



� �� .

wrunjob ″Configure PDOS Server″ -l ″PDOS Tasks″ -a notification_port -a

password-a refresh_interval -a login_policy -a threads -a ldap_certificate -a autostart

-a password -a first_failure -a lrd_config -a lrd_local_domain -a lrd_admin_name

-a lrd_admin_pwd

wruntask -t ″Configure PDOS Server″ -l ″PDOS Tasks″ -a notification_port

-a password -a refresh_interval -a login_policy -a threads -a ldap_certificate -a

autostart -a password -a first_failure -a lrd_config -a lrd_local_domain -a

lrd_admin_name -a lrd_admin_pwd -h task_endpoint

� 6 � Tivoli �� 173

��,

notification_port policy � ��

�. 0� � policy � ��

��. � � � �� , ��

��. � �� password� ��

��.

refresh_interval Tivoli Access Manager policy �� policy �

� � �� (� ��)� ��. 0�

� policy �� . � � �

�� , �� .

login_policy Tivoli Access Manager for Operating Systems��

��

��. � � TRUE, FALSE ��

� � ��.

threads ��

��. � � � �� , ��

��.

password �� . Tivoli Access

Manager for Operating Systems, �� 4.1 � ��

��

�� .

ldap_certificate LDAP �� . �

� ��

�. � � � �� , ��

��. � �� password� ��

��.

autostart �� Tivoli Access Manager for Operating

Systems� �� . � �

TRUE, FALSE �� .

first_failure Tivoli Access Manager for Operating Systems �

� ��

� ��. � � TRUE �� FALSE� ��.

lrd_config Tivoli Access Manager for Operating Systems �

� �� . �

� TRUE, FALSE ��

�.

lrd_local_domain �� Tivoli Access Manager


�� . � � ��

� �� pdosd� ��

�� .

lrd_admin_name Tivoli Access Manager �� .

lrd_admin_pwd Tivoli Access Manager �� .


�� . ��

� ��, ��

�.

PDOS TCB ��

� �� TCB(Trusted Computing Base)� �� Tivoli Access

Manager for Operating Systems �� . ��

5�� .

v ��

v �� (�)

v ��(TCB ��) �� (MB �)

v TCB �� ctime� ��

v �� CRC(Cyclic Redundancy Check) � � � ��

� �� , ��

��. �� Tivoli Access Manager for Operating

Systems �� .

�� PDOS TCB �� .

� 6 � Tivoli �� 175

� �� .

1. �� . � �� , ��

�� .


�� , �� . �� , ��


�.

3. �� .



� �� .

wrunjob ″Configure PDOS TCB″ -l ″PDOS Tasks″ -a apply_now -a threads

-a interval -a checksum_max_size -a ignore_ctime -a nocrc_on_exec

wruntask -t ″Configure PDOS TCB″ -l ″PDOS Tasks″ -a apply_now -a threads

-a interval -a checksum_max_size -a ignore_ctime -a nocrc_on_exec -h task_endpoint

��,


�� . � � TRUE �� FALSE� ��

�.

�� 10. PDOS TCB ��


threads TCB �� . �

� � �� , �� .

interval TCB �� (�)� ��. � � � ��

�, �� .

checksum_max_size

��(TCB ��) � � �� (MB �)� ��

��. �� . �

� � �� , �� .

ignore_ctime � �� TRUE(�� )� �� ctime� �� TCB �

� �� . �� ctime� �� TCB ��

�� . � � TRUE �� FALSE� ��. ��

� FALSE��.

nocrc_on_exec

� �� TRUE(�� )� �� Tivoli Access Manager

for Operating Systems �� TCB �� CRC

�� . � � TRUE ��

FALSE� ��. �� FALSE��.


�� . �� , ��

�� .

PDOS ��


�� IP ��/�� .

�� , �� .

�� PDOS �� .

� 6 � Tivoli �� 177

� �� .

1. �� (, � �� )� ��.

2. �� .



� �� .

wrunjob ″Display PDOS Hostname Cache″ -l ″PDOS Tasks″ -a display_valid

-a display_stale

wruntask -t ″Display PDOS Hostname Cache″ -l ″PDOS Tasks″ -a display_valid

-a display_stale -h task_endpoint

��,

display_valid �� . � � TRUE ��

FALSE� ��.

display_stale �� . � � TRUE

�� FALSE� ��.


�� . �� , ��

�� .

��

pdoslrd.xml � � Tivoli Access Manager for Operating Systems ��

�� pdoslrd� �� . � �

� �� XML 1.0 � � �� . � �� pdoslrd.xml

� �� . � � �� .

� �� .

�� 11. PDOS ��


�� .

� �� .

1. pdoslrd.xml � � �� . � �� TMR(Tivoli

Management Region) �� .

2. �� .

3. �� .



�� .

wrunjob ″Distribute_Log_Router_Daemon_Control _File″ -l ″PDOS Tasks″ -a

lrd_cont_file -a dest_system [-a dest_system,...]

wruntask ″Distribute_Log_Router_Daemon_Control _File″ -l ″PDOS Tasks″ -a

lrd_cont_file -a dest_system [-a dest_system,...] -h task_endpoint

��,

lrd_cont_file pdoslrd.xml� �� .

dest_system �� . �� ″system(Endpoint)″ ��

″system(ManagedNode)″�� .

task_endpoint �� . � ��

�� .

�� 12. ��

� 6 � Tivoli �� 179

UNIX TCB ��

� �� UNIX �� setuid/setgid ��

� �� TCB(Trusted Computing Base)� �� .

�� (Immune-Surrogate-Programs, Secure-Files,

Impersonator-Programs �� Immune-Programs)� �� . ��

Secure-Programs��. ��

� �� . � �, ��

� �� . �� policy �� . �

� �, �� policy �� . �� TCB

� ��

�� .

��, � � �� TCB� ��

� ��.

�� UNIX TCB �� .

� �� .

1. �� .

2. � ��, �� .

�� 13. UNIX TCB ��


3. � �� TCB� � �� ,

�� . �� , ��

��.

4. � � �� TCB��

, �� . �� , � � ��

� �� .

5. �� .



� �� .

wrunjob ″Import UNIX TCB″ -l ″PDOS Tasks″ -a class -a branch -a directories

-a excludes -a duplicate_links -a generate_script

wruntask -t ″Import UNIX TCB″ -l ″PDOS Tasks″ -a class -a branch -a

directories -a excludes -a duplicate_links -a generate_script -h task_endpoint

��,

class �� TCB �� . � � ��

� � �� .

branch TCB �� policy �� . �� , �

� �� policy �� .

directories �� (�� )� ��.

excludes �� (�� )� ��.

duplicate_links

�� . �

� TRUE �� FALSE� ��.

generate_script

TCB� ��

�. � � TRUE �� FALSE� ��.


�� . �� , ��

�� .

UNIX ��

� �� UNIX �� Tivoli Access Manager

�� .

� 6 � Tivoli �� 181

�� UNIX��

��. � �� . �� /

�� . � �� /��

�/�� . *� �� . �

� �� UID/GID� �� /� �� . ��/��

� �� LDAP � �� . �� Tivoli Access

Manager� �� . LDAP� � �� /��

�� . �� /�� LDAP�

�� , �� LDAP �� UNIX ��

�� .

�� . ��

� �, �� (��) ��

� � ��. ��

��(�� )� �� . �� , �

� Tivoli Access Manager� � �� , ��

�. �� Tivoli Access Manager� � ��

�� .

�� UNIX �� .



�� pdosd� �� .

� �� .

1. Access Manager �� . ��

� ��.

2. �� .



� �� .

wrunjob ″Import UNIX Users and Groups″ -l ″PDOS Tasks″ -a admin_id -a

admin_pwd -a suffix -a ldap_import -a report_only -a user_list -a user_list_type

-a create_disabled -a default_group -a default_passwd -a group_list -a

group_list_type -a group_refresh -a local_domain

�� 14. UNIX ��

� 6 � Tivoli �� 183

wruntask -t ″Import UNIX Users and Groups″ -l ″PDOS Tasks″ -a admin_id

-a admin_pwd -a suffix -a ldap_import -a report_only -a user_list -a user_list_type

-a create_disabled -a default_group -a default_passwd -a group_list -a

group_list_type -a group_refresh -a local_domain -h task_endpoint

��,

admin_id �� Tivoli Access Manager ��

�� . � �� .

admin_pwd �� . � �� .

suffix �� LDAP � �� . � �

�� .

ldap_import �� Tivoli Policy Director ��

� � �, LDAP��

�. � � TRUE �� FALSE� ��.

report_only ��

� �� . � � TRUE �� FALSE�

��.

user_list �� (�� ) �� (�� )� �

��.

user_list_type �� .

� � �� .

create_disabled

�� . � � TRUE �

� FALSE� ��.

default_group � �� , �� Tivoli

Access Manager �� .

default_passwd

�� .

group_list �� (�� )� ��

��.

group_list_type

� �� . � � ��

� �� .

group_refresh �� , UNIX ��

� �� . � � TRUE �� FALSE�

��.


local_domain �� Tivoli Access Manager �� . �

� �� pdosd� ��

�� .


�� . �� , ��

�� .

PDOS ��


�� .

�� , ��

� �� . � �� . ��

�� UID �� .

�� PDOS �� .

� �� .

1. � � �� UID� ��(�� )� ��

��. � �� . ��(*)� ��

� �� .

2. �� UID� ��(�� )� ��.

� �� .

3. �� .

�� 15. PDOS ��

� 6 � Tivoli �� 185



� �� .

wrunjob ″Manage PDOS Credential Cache″ -l ″PDOS Tasks″ -a refresh_list

-a destroy_list

wruntask -t ″Manage PDOS Credential Cache″ -l ″PDOS Tasks″ -a refresh_list

-a destroy_list -h task_endpoint

��,

refresh_list � � �� UID/�� . ��

�� .

destroy_list �� UID/�� . ��

� �� .


�� . �� , ��

�� .

PDOS ��


Systems �� .

pdosd, pdosauditd, pdoswdd, pdoslpmd � pdoslrd �� , � ,

� �� . ��

�� . � � Tivoli Access Manager for Operating Systems ��

�� . ��

�� . �� Tivoli Access Manager for Operating Systems �

�� .

�� PDOS �� .


� �� .

1. � �� .

2. �� .



� �� .

wrunjob ″Manage PDOS Server State″ -l ″PDOS Tasks″ -a pdosd_state -a

pdosauditd_state -a pdoswdd_state -a pdoslpmd -a pdoslrd_state

wruntask -t ″Manage PDOS Server State″ -l ″PDOS Tasks″ -a pdosd_state -a

pdosauditd_state -a pdoswdd_state -a pdoslpmd -a pdoslrd_state -h task_endpoint

��,

�� 16. PDOS ��

� 6 � Tivoli �� 187

pdosd_state pdosd �� . � , � ��

�� , �� .

pdosauditd_state

pdosauditd �� . � , � ��

� �� , �� .

pdoswdd_state pdoswdd �� . � , � ��

� �� , �� .

pdoslpmd_state

pdoslpmd �� . � , � ��

� �� , �� .

pdoslrd_state pdoslrd �� . � , � ��

� �� , �� .


�� . �� , ��

�� .

PDOS TCB ��


TCB(Trusted Computing Base)� ��

� � ��.

�� (�� ) � �� . ��

� �� , �� . ��

�� . ��

��. ��

� �� . �� . *� ��

� TCB� �� .



� �� .

1. �� TCB� �� (�� )� ��. *�

� TCB� �� .

2. �� . �� . �

�� . ��

�� .

3. �� .



� �� .

wrunjob ″Manage PDOS TCB″ -l ″PDOS Tasks″ -a operation -a objects

wruntask -t ″Manage PDOS TCB″ -l ″PDOS Tasks″ -a operation -a objects

-h task_endpoint

��,

operation � �� . � � �� , ��

�� .

objects �� . � � � �� , �

�� .


�� . �� , ��

�� .

�� 17. PDOS TCB ��

� 6 � Tivoli �� 189

PDOS ��


�� IP ��/�� .

�� , � ��

� ��. �� IP ��

��. � �� *� �� . ��

�� .

�� PDOS �� .

� �� .

1. �� IP �� /�� (�� )� ��.

*� � �� .

2. �� , ��

� � �� .

3. �� .



� �� .

wrunjob ″Purge PDOS Hostname Cache″ -l ″PDOS Tasks″ -a remove_entries

-a remove_stale

wruntask -t ″Purge PDOS Hostname Cache″ -l ″PDOS Tasks″ -a remove_entries

-a remove_stale -h task_endpoint

�� 18. PDOS ��


��,

remove_entries

�� . � � � �� , ��

� �� .

remove_stale �� . � � TRUE ��

FALSE� ��.


�� . �� , ��

�� .

��


�� .

�� .

� �� .



3. �� policy �� .

4. �� .



� �� .

�� 19. ��

� 6 � Tivoli �� 191

wrunjob ″Query Branch Membership″ -l ″PDOS Tasks″ -a pd_admin_id -a

pd_admin_passwd -a policy_branch

wruntask -t ″Query Branch Membership″ -l ″PDOS Tasks″ -a pd_admin_id

-a pd_admin_passwd -a policy_branch -h task_endpoint

��,

pd_admin_id


�� .

pd_admin_passwd

�� .

policy_branch


task_endpoint

�� , ��

��. �� , ��

��.

PDOS �� policy ��


�� policy� �� . ��

�� .

v �� Tivoli Access Manager for Operating Systems

��

�� .

v �� policy �� policy� ��

�� .

�� PDOS �� policy �� .


� �� .

1. ��

�� .

2. �� (�� )� �� .

3. �� , �� policy �� .

4. �� policy� �� (�� )� ��

��.

5. �� .



� �� .

wrunjob ″Query PDOS Login and Password Policy″ -l ″PDOS Tasks″ -a

generate_report -a detailed -a enabled -a disabled -a report_users -a display_policy

-a policy_users

wruntask -t ″Query PDOS Login and Password Policy″ -l ″PDOS Tasks″ -a

generate_report -a detailed -a enabled -a disabled -a report_users -a display_policy

-a policy_users -h task_endpoint

��,

�� 20. PDOS �� policy ��

� 6 � Tivoli �� 193

generate_report


�� . � � TRUE

�� FALSE� ��.

detailed

��

�� . � � TRUE �� FALSE� ��.

enabled

� �� TRUE� �� (enabled) ��

��. � �� TRUE� �� disabled� TRUE� � � �

��.

disabled

� �� TRUE� �� (disabled) �� . �

�� TRUE� �� enabled� TRUE� � � ��.

report_users

�� (�� )� �� . ��

�� .

display_policy

Tivoli Access Manager for Operating Systems �� policy� �

�� . � � TRUE �� FALSE

� ��.

policy_users

�� (�� )� �� . �� Tivoli

Access Manager for Operating Systems �� policy� ��

�. � �� , �� Tivoli Access Manager for Operating

Systems �� policy� ��.

task_endpoint

�� , ��

��. �� , ��

��.

PDOS ��


Systems �� .

�� PDOS �� .


� �� .

1. �� .

2. �� .



� �� .

wrunjob ″Query PDOS Server State″ -l ″PDOS Tasks″ -a query_pdosd -a

query_pdosauditd -a query_pdoswdd -a query_pdoslpmd -a query_pdoslrd

wruntask -t ″Query PDOS Server State″ -l ″PDOS Tasks″ -a query_pdosd -a

query_pdosauditd -a query_pdoswdd -a query_pdoslpmd -a query_pdoslrd -h

task_endpoint

��,

query_pdosd pdosd �� . � � TRUE �


query_pdosauditd

pdosauditd �� . � �


query_pdoswdd

pdoswdd �� . � � TRUE

�� FALSE� ��.

�� 21. PDOS ��

� 6 � Tivoli �� 195

query_pdoslpmd

pdoslpmd �� . � � TRUE

�� FALSE� ��.

query_pdoslrd pdoslrd �� . � � TRUE

�� FALSE� ��.


�� . �� , ��

�� .

PDOS TCB ��


TCB(Trusted Computing Base)� �� .

�� (�� )� �� . ��

�� . ��

��. *� TCB� �� , AnyTrusted� TCB� ��

� �� , AnyUntrusted� TCB� ��

��.


� �� .

1. �� / ��

� �� .

2. �� .

3. �� .

�� 22. PDOS TCB ��




� �� .

wrunjob ″Query PDOS TCB″ -l ″PDOS Tasks″ -a query_objects

wruntask -t ″Query PDOS TCB″ -l ″PDOS Tasks″ -a query_objects -h

task_endpoint

��,

query_objects �� . ��

� �� . *� TCB� ��

��, AnyTrusted� TCB� ��

��, AnyUntrusted� TCB� ��

��.


�� . �� , ��

�� .

PDOS ��


�� . ��

��. �� , /var/pdos/pdosbkup� �� .

�� PDOS �� .

� �� .

�� 23. PDOS ��

� 6 � Tivoli �� 197

1. �� . � ��

��. �� , /usr/pdos/pdosbkup� ��

2. �� .



� �� .

wrunjob ″Restore PDOS Database″ -l ″PDOS Tasks″ -a filename

wruntask -t ″Restore PDOS Database″ -l ″PDOS Tasks″ -a filename -h

task_endpoint

��,

filename �� .


�� . �� , ��

�� .

PDOS ��


�� .

� �� , �� , ��

�, �� , Tivoli Access Manager for Operating Systems �, ��

�, �� , �� .

�� . �� Tivoli Access Manager for Operating

Systems� �� , ��

�� . ��

�� . �� , ��

�. ��

�. ��

��. ��

��.

��

� �� . Tivoli Access Manager for Operating

Systems� �� .

C ��

D ��


G ��

K Kill ��

L ��

N ��

R ��

U ��

d ��

l ��

o ��

p ��

r ��

w ��

x ��

�� PDOS �� .

� 6 � Tivoli �� 199

� �� .

1. �� . ��

��. �� .

��

� ��.

2. Tivoli Access Manager for Operating Systems� �� policy� ��

policy� �� , �� .

�� 24. PDOS ��


3. � �� . ��


��. �� Tivoli Access Manager for Operating

Systems� �� . �� Tivoli


�.

4. �� .



� �� .

wrunjob ″Set PDOS Server Audit Level″ -l ″PDOS Tasks″ -a audit_permit -a

audit_permit_C -a audit_permit_D -a audit_permit_G -a audit_permit_K -a

audit_permit_L -a audit_permit_N -a audit_permit_R -a audit_permit_U -a

audit_permit_d -a audit_permit_l -a audit_permit_o -a audit_permit_p -a

audit_permit_r -a audit_permit_w -a audit_permit_x -a audit_deny -a audit_deny_C

-a audit_deny_D -a audit_deny_G -a audit_deny_K -a audit_deny_L -a audit_deny_N

-a audit_deny_R -a audit_deny_U -a audit_deny_d -a audit_deny_l -a audit_deny_o

-a audit_deny_p -a audit_deny_r -a audit_deny_w -a audit_deny_x -a audit_admin

-a audit_info -a logpermit -a logdeny -a trace_exec -a trace_file -a warning_mode

-a change_type

wruntask -t ″Set PDOS Server Audit Level″ -l ″PDOS Tasks″ -a audit_permit

-a audit_permit_C -a audit_permit_D -a audit_permit_G -a audit_permit_K -a

audit_permit_L -a audit_permit_N -a audit_permit_R -a audit_permit_U -a

audit_permit_d -a audit_permit_l -a audit_permit_o -a audit_permit_p -a

audit_permit_r -a audit_permit_w -a audit_permit_x -a audit_deny -a audit_deny_C

-a audit_deny_D -a audit_deny_G -a audit_deny_K -a audit_deny_L -a audit_deny_N

-a audit_deny_R -a audit_deny_U -a audit_deny_d -a audit_deny_l -a audit_deny_o

-a audit_deny_p -a audit_deny_r -a audit_deny_w -a audit_deny_x -a audit_admin

-a audit_info -a logpermit -a logdeny -a trace_exec -a trace_file -a warning_mode

-a change_type -h task_endpoint

��,

audit_permit �� . � � TRUE �


audit_[permit | deny] -[C | D | G | K | L | N | R | U | d | l | o | p | r | w

| x] ��

�. � � TRUE �� FALSE� ��.

� 6 � Tivoli �� 201

audit_deny �� . � � TRUE �


audit_admin �� . � � TRUE ��

FALSE� ��.

audit_info �� Tivoli Access Manager for Operating Systems ��

�� (: �� policy �� )� ��

��. � � TRUE �� FALSE� ��.

logpermit �� .

� � TRUE �� FALSE� ��.

logdeny �� .

� � TRUE �� FALSE� ��.

trace_exec �� . � � TRUE

�� FALSE� ��.

trace_file ��

�. � � TRUE �� FALSE� ��.

warning_mode �� Tivoli Access Manager for Operating

Systems� ��. � � TRUE �� FALSE� ��.

change_type � �� . � � ��, ��

��.


�� . �� , ��

�� .

PDOS ��


�� , Tivoli ��

� �� . � ��

��.

�� PDOS �� .


� �� .

1. �� .

2. �� .



� �� .

wrunjob ″Set PDOS Server Trace Level″ -l ″PDOS Tasks″ -a pdosd_trace -a

pdosauditd_trace -a pdoswdd_trace -a pdoslpmd_trace -a pdoslrd_trace

wruntask -t ″Set PDOS Server Trace Level″ -l ″PDOS Tasks″ -a pdosd_trace

-a pdosauditd_trace -a pdoswdd_trace -a pdoslpmd_trace -a pdoslrd_trace -h

task_endpoint

��,

�� 25. PDOS ��

� 6 � Tivoli �� 203

pdosd_trace pdosd �� . � ��

, �� .

pdosauditd_trace

pdosauditd �� . � ��

� �, �� .

pdoswdd_trace

pdoswdd �� . � ��

, �� .

pdoslpmd_trace

pdoslpmd �� . � ��

�, �� .

pdoslrd_trace pdoslrd �� . � ��

, �� .


�� . �� , ��

�� .

Setup TEC Event Server for PDOSSetup TEC Event Server for PDOS �� Tivoli Access Manager for Operating

Systems �� Tivoli Enterprise Console ��

��. Tivoli Access Manager for Operating Systems Enterprise Console

Integration� Tivoli Enterprise Console Server� ��

�� . Tivoli Access Manager for Operating Systems ��

Tivoli Enterprise Console �� Tivoli Access Manager for

Operating Systems �� 323 ��

9 � �Tivoli Enterprise Console� �� . Tivoli Enterprise Console

� �� Tivoli Enterprise Console �� .

��, � �� Tivoli Enterprise Console �� (� �

�� Tivoli Enterprise Console �� ). �� Setup

TEC Event Server for PDOS �� .


� �� .


��. �� Tivoli Enterprise Console� �� Tivoli

Risk Manager� ��. �� .

2. � ��

��.

v � � �� , �� .

– � �� : � � �� . ��

�� , �� . �� PDOS��

�.

– �� : ��

�. �� Default��. Tivoli Risk Manager� �� ,

Tivoli Risk Manager�� .

�� Tivoli Risk Manager �� .

– � �� : � � �� Tivoli Enterprise

Console �� . � �� .

�� 26. Setup TEC Event Server for PDOS Task �

� 6 � Tivoli �� 205

v �� , ��

�. �� PDOS��. ��

��.

3. �� . �� Tivoli Access

Manager for Operating Systems �� (� �� Tivoli Access

Manager for Operating Systems �� )� � ��

��. �� Tivoli Access Manager for


4. �� .



� �� .

wrunjob ″Setup TEC Event Server for PDOS″ -l ″PDOS Tasks″ -a IntegrateTEC

-a IntegrateRM -a NeworExisting -a ExistingRuleBase -a NewRuleBase -a

CloneRuleBase -a RuleBasePath -a EventConsole

wruntask -t ″Setup TEC Event Server for PDOS″ -l ″PDOS Tasks″ -a

IntegrateTEC -a IntegrateRM -a NeworExisting -a ExistingRuleBase -a NewRuleBase

-a CloneRuleBase -a RuleBasePath -a EventConsole -h task_endpoint

��,

IntegrateTEC Tivoli Enterprise Console� �� . ��

on(Tivoli Enterprise Console� ��) � off(�� )��.

IntegrateRM Tivoli Risk Manager� �� . ��

on(Tivoli Risk Manager� ��) � off(�� )��.

NeworExisting � � ��

�. �� new(� �� ) � exist(��

��)��. new� �� , NewRuleBase� ��

��. exist� �� ExistingRuleBase� ��

��.

ExistingRuleBase

�� . exist ��

, �� . �� PDOS

��.

NewRuleBase � � �� . ��

� �, �� . new �� , � ��

�� .


CloneRuleBase

�� . ��

Default��.

RuleBasePath � � �� Tivoli Enterprise Console ��

� �� . � ��

��.

EventConsole � � �� .


�� . �� , ��

�� .

�:

1. Tivoli Risk Manager� �� , �� Tivoli Enterprise Console

�� Microsoft Windows NT �� , pdosrm.baroc

� � �� $RMADHOME/etc/riskmgr_baroc.lst � � ��

��. �� Tivoli Enterprise Console� ��

�� pdos.baroc � � ��. � �� bash �

� �� .

cp $BINDIR/../generic_unix/TME/PDOSTASKS/pdosrm.baroc \$RMADHOME/etc/baroc/

cp $BINDIR/../generic_unix/TME/PDOSTASKS/pdos.baroc \$RMADHOME/etc/baroc/$RMADHOME/bin/rmcorr_cfg -update

2. Tivoli Access Manager for Operating Systems Risk Manager �� IBM

Tivoli Enterprise Data Warehouse� �� . �� Data

Warehouse �� .

�� 327 �� 10 � �IBM Tivoli Risk Manager� ��

��.

PDOS ��


� �� . ��

� �� . �� , � ��

� �� (� ��)� ��. ��

� �� .



� �� .

� 6 � Tivoli �� 207

wrunjob ″Show PDOS Auditing Configuration″ -l ″PDOS Tasks″

wruntask -t ″Show PDOS Auditing Configuration″ -l ″PDOS Tasks″ -h

task_endpoint

��,


�� . �� , ��

�� .

PDOS ��/��

��

�. �� osseal-auditors Tivoli Access Manager ��

ossaudit UNIX �� . �� osseal-admin

Tivoli Access Manager �� osseal UNIX �� .

�� UNIX � Tivoli Access Manager �

� �� . � �� Tivoli Access Manager ��

�� .

�� PDOS ��/�� .

� �� .

1. � �� .


��.

�� 27. PDOS ��/��


3. �� .



� �� .

wrunjob ″Show PDOS Auditors/Administrators″ -l ″PDOS Tasks″ -a

pd_admin_id -a pd_admin_passwd -a show_auditors -a show_admins

wruntask -t ″Show PDOS Auditors/Administrators″ -l″PDOS Tasks″ -a

pd_admin_id -a pd_admin_passwd -a show_auditors -a show_admins -h

task_endpoint

��,

pd_admin_id


��. � �� .

pd_admin_passwd

�� . � �� .

show_auditors

� �� TRUE� �� Tivoli Access Manager osseal-auditors

� � UNIX osseal �� . � � TRUE ��

FALSE� ��.

show_admins

� �� TRUE� �� Tivoli Access Manager osseal-admin �

� UNIX ossadmin �� . � � TRUE ��

FALSE� ��.

task_endpoint

�� , ��

��. �� , ��

��.

PDOS ��


� �� . ��

�� . �� (�

��), �� (� ��), ��

�� (� ��), �� , ��

� ��(� ��), �� LDAP �� (� ��),

� 6 � Tivoli �� 209

�� . ��

�� .



� �� .

wrunjob ″Show PDOS Caching Configuration″ -l ″PDOS Tasks″

wruntask -t ″Show PDOS Caching Configuration″ -l ″PDOS Tasks″ -h

task_endpoint

��,


�� . �� , ��

�� .

PDOS ��

� �� Tivoli Access Manager for Operating Systems ��, pdosd,

pdoswdd, pdosauditd � pdoslrd� ��

��. �� . ��

�� . ��

�� .



� �� .

wrunjob ″Show PDOS Logging Configuration″ -l ″PDOS Tasks″

wruntask -t ″Show PDOS Logging Configuration″ -l ″PDOS Tasks″ -h

task_endpoint

��,


�� . �� , ��

�� .


PDOS ��


� �� . ��

�� . �� (�� ,

�� )� Tivoli Access Manager for Operating Systems�

�� . ��

�� . ��

��. �� Tivoli Access Manager for Operating Systems

� �� . ��

�� .



� �� .

wrunjob ″Show PDOS Server Audit Level″ -l ″PDOS Tasks″

wruntask -t ″Show PDOS Server Audit Level″ -l ″PDOS Tasks″ -h task_endpoint

��,


�� . �� , ��

�� .

PDOS ��


�� . ��

�� . ��

�� . �� .

v Tivoli Access Manager for Operating Systems�� policy ��

��

v policy �� (� ��)

v ��

v ��

v �� Tivoli Access Manager for Operating Systems� ��

��

v policy ��

v ��

� 6 � Tivoli �� 211

v �� pdoslrd� ��



� �� .

wrunjob ″Show PDOS Server Configuration″ -l ″PDOS Tasks″

wruntask -t ″Show PDOS Server Configuration″ -l ″PDOS Tasks″ -h

task_endpoint

��,


�� . �� , ��

�� .

PDOS TCB ��

� �� Tivoli Access Manager for Operating Systems TCB

� �� . ��

�� . �� TCB ��

�� , TCB �� (� ��) � ��(TCB ��)� ��

� � � �� (MB ��)� ��. ��

�� .



� �� .

wrunjob ″Show PDOS TCB Configuration″ -l ″PDOS Tasks″

wruntask -t ″Show PDOS TCB Configuration″ -l ″PDOS Tasks″ -h task_endpoint

��,


�� . �� , ��

�� .


PDOS TEC ��

� �� Tivoli Access Manager for Operating Systems Tivoli

Enterprise Console �� Tivoli Enterprise Console ��

� ��. ��

��.



� �� .

wrunjob ″Start TEC Adapter″ -l ″PDOS Tasks″

wruntask -t ″Start TEC Adapter″ -l ″PDOS Tasks″ -h task_endpoint

��,


�� . �� , ��

�� .

PDOS TEC ��

� �� Tivoli Access Manager for Operating Systems Tivoli

Enterprise Console �� Tivoli Enterprise Console ��

� ��.



� �� .

wrunjob ″Stop TEC Adapter″ -l ″PDOS Tasks″

wruntask -t ″Stop TEC Adapter″ -l ″PDOS Tasks″ -h task_endpoint

��,


�� . �� , ��

�� .

� 6 � Tivoli �� 213

PDOS ��


�� . �� PDOS

�� .



� �� .

wrunjob ″Subscribe PDOS Endpoints″ -l ″PDOS Tasks″

wruntask -t ″Subscribe PDOS Endpoints″ -l ″PDOS Tasks″ -h task_endpoint

��,


�� . �� , ��

�� .

PDOS ��


�� IP ��/�� , ��

�� .

��

��. �� IP ��

��. � �� . ��

�� (�)� �� . ��

� �, �� .

�� .


� �� .

1. �� /IP �� (�� )� ��

�. �� .

2. �� (�)� ��

��.

3. �� , ��

� �� .

4. �� .



� �� .

wrunjob ″Update Hostname Cache″ -l ″PDOS Tasks″ -a add_entries -a entry_ttl

-a refresh

wruntask -t ″Update Hostname Cache″ -l ″PDOS Tasks″ -a add_entries -a

entry_ttl -a refresh -h task_endpoint

��,

add_entries �� . � � � �� , ��

�� .

entry_ttl �� (�)� ��. � � � �

� �, �� .

�� 28. ��

� 6 � Tivoli �� 215

refresh �� . � �



�� . �� , ��

�� .


� 7 � ��


�� ! � �� (: �� )

� �� . � ��

��, �� .

��

��

��.

� �� .

POP(Protected Object Policy) �� , ��

�� . POP � ��

�� POP� ��

�� . POP � �� POP�

��

��. policy�� POP ��

� � �� Tivoli Access Manager for Operating Systems �

�� policy� ��.

��

�� . ��

�� . ��

� ��

� ��. �� .

�� . � ��, ��

� �� POP� �� , ��

�� .

��

� � ��. ��

�� . � ��

�. � ��, � �� , � �� (: OSSEAL

�� kill ��(K), ��(N), �� (R), ��(d), �� (o), ��

(p) � ��(w))� �� . ��

� �� , �� , ��


�� , ��

��. �� . � ��, ��

�� POP� ��, � �� , ��

� �� , �� . �

��, POP� �� , ��

� �� .

�� loginpermit � logindeny � ��

�� . loginpermit ��

�� . logindeny ��

� ��

�� . ��

�� . loginpermit � logindeny � ��

� �� .

AuditAuth � �� policy� ��

�� . �� policy� ��

, � �� . ��

� policy� �� permit, deny, loginpermit, logindeny, all �

none��. permit � ��

� �� . deny � ��

��

�� . loginpermit � ��

�� . logindeny � ��

� ��

��. all� �� . none ��

��

�� . �� policy� ��

�� , � � �� Tivoli


� policy� ��. ��

�� . ��

� �� . none

� �� all � �� .

� ��, /var/testd/data ��

� �� . �� POP� �

�� /OSSEAL/policy-branch/File/var/testd/data ��

�. testd �� ID� �� /var/testd/data ��

�� testdm �� . � �� testd �

� ID� � ��


/OSSEAL/policy-branch/AuditAuth/User/testd/none �� testd

�� none�� . � �, testd ��

� �� .


�� .

�� /OSSEAL/policy-branch/AuditAuth/Group/osseal-admin/permit ��

�� . �� osseal-admin ��

�� . �� , ��

osseal-admin �� . ��, ��

�� . � �� /OSSEAL/policy-branch/

AuditAuth/User/root/deny �� . ��, ��

� � �� policy� ��, � policy�� osseal-admin

� policy� � �� . ��

� ��(�� , �� )� ��, ��

/OSSEAL/policy-branch/AuditAuth/User/root/all �� .

�� , ��

� �� . POP ��

�� . ��

�� .

��

�� admin �� Tivoli Access Manager

for Operating Systems �� . admin � ��

Tivoli Access Manager for Operating Systems �� (: ��

��, Tivoli Access Manager �� )� � ��,

Trusted-Computing-Base �� (: Trusted Computing Base ��

�� ) � �� policy �� .

admin � �� policy� ��

�� . ��

� �� info �� policy ��

��(: pdosd ��)� � �� . info ��

� �� . � ��

��.

� 7 � � 219

��

Tivoli Access Manager for Operating Systems� TraceExec � TraceFile � �

�� . trace-style � �� user-level � policy ��

�� trace_exec, trace_exec_l, trace_exec_root �� trace_file ��

� �� .

trace_exec �� Tivoli Access Manager for Operating Systems

� �� exec() ��


Systems�� . � �� exec() ��

TraceExec � �� . � �� Tivoli Access

Manager for Operating Systems policy� �� . ��

� �� trace_exec ��

� �� . trace_exec_l � trace_exec_root ��

� � �� traceExec �� .

trace_exec_l �� trace_exec � ��

� ��, �� ID� �� UNIX ID� �� (��

� �� ) TraceExec � �� exec() ��

��. trace_exec� �� trace_exec_l ��

�� ID� �� UNIX ID� � � TraceExec � ��

��.

trace_exec_root �� trace_exec � ��

�� , �� ID� �� TraceExec � �

�� exec() �� . �� ID� ��

�� Tivoli Access Manager for Operating Systems� �� ID��

�� UNIX ID� �� .

Trace_exec� �� trace_exec_root � trace_exec_l � ��

�� ID� �� ID��, �� UNIX ID�

�� , exec() �� TraceExec

� �� , � ��


��.

trace_file �� exec() ��

�� Tivoli Access

Manager for Operating Systems�� .



��. �� exec, exec_l, file, all � none��

�. exec � �� Tivoli Access Manager for Operating Systems


�� exec() ��

��. � �� exec() �� TraceExec � �

�� . � �� Tivoli Access Manager for

Operating Systems policy� � �� . exec_l

� �� ID� �� UNIX ID� � ��

(�� ) � ��

�� exec()� �� TraceExec � ��

�. � � ��

� � TraceFile � �� . all� �� exec � �� file

� �� . none ��

�� . �


�� , � � �� Tivoli Access Manager for Operating

Systems �� policy� ��. ��

� �� . ��

��

��. none � �� all � ��

�.

� ��, �� exec� �� . � � policy

��

/OSSEAL/policy-branch/AuditTrace/User/root/exec �� .

� �� trace_exec_root ��

� � �� .

TraceExec � TraceFile � �� Tivoli Access Manager for Operating Systems

� �� . TraceExec �

� TraceFile � �� .

v �� UNIX init ��

v Tivoli Access Manager for Operating Systems � ��

� ��

v TCB(Trusted Computing Base)� ��

��

��, TraceExec � TraceFile � ��

� �� . � ��, �� (: �� )��

� 7 � � 221

�� , Tivoli Access Manager for Operating Systems� ��

�� .

��

�� . ��

�� . ��

� �� , �� OSSEAL ��(: ��)�� permit �

deny �� .

��


� �� .

� 47. ��

��

none �� . ��.

permit �� !��.

deny �� !��.

loginpermit �� !��.

logindeny �� !��.

admin �� !��. � ��, �� admin

�� Tivoli Access Manager for Operating Systems �

� � �� .

trace_exec Tivoli Access Manager for Operating Systems� ��

�� exec()� �� !�

��.

trace_exec_l �� ID� �� UNIX ID� �� (��

�� ) Tivoli Access Manager for

Operating Systems� ��

�� exec()� �� !��.

trace_exec_root �� ID� �� Tivoli Access Manager

for Operating Systems� ��

�� exec()� �� !��.

trace_file �� !��. ��

��.

v � � ��

v ��


�� .


� 47. �� (��)

��

all �� .

permit

deny

loginpermit

logindeny

admin

info �� (: �� policy � ��)� �!��.

verbose �� .

permit

deny

loginpermit

logindeny

admin

info

��


� �� .

pdoscfg -audit_level level

�� level� 222 ��

��.

pdosctl ��

��.

-A �� . � �� -A

�� . -a ��

� �� . � �� -a

�� . �� -a �

-A �� (:)�� on �� off� ��.

�� on �� off �� , on �� . � ��

� �� 222 �� . �� all, none,

permit, deny, loginpermit, logindeny, admin, verbose, info, trace_exec, trace_exec_l,

trace_exec_root, � trace_file��.

�� .

pdosctl -A level:[on | off]

�� .

pdosctl -a level:[on | off]

� 7 � � 223

�� .


�� .

pdosctl -a admin:on

�� . �� -a � -A �

�� pdosd, pdoswdd, pdoslpmd, pdoslrd � pdosauditd ��

� �� .

�� .

pdosctl -a

�� .

pdosd�� .(permit, deny, admin)pdoswdd�� .(permit, deny, admin)pdoslpmd�� .(permit, deny, admin)pdoslrd�� .(permit, deny, admin)pdosauditd�� .(permit, deny, admin)

��

��

�� . � ��

�� . ��

�� . � ��, � ��

, � �� (: OSSEAL �� kill ��(K), ��(N),

�� (R), ��(d), �� (o), �� (p) � ��(w))� ��

�� . ��

� � �� .


� �� .

pdoscfg -audit_permit_actions permission-setpdoscfg -audit_deny_actions permission-set

�� permission-set� � �� OSSEAL ��

��. [OSSEAL] �� permission-set� �� . � �

�, ��

��

� �� pdoscfg ��

�� .

pdoscfg -audit_level permit,deny -audti_permit_actions [OSSEAL]NdwpoUR


pdosctl ��

��. � �� .

pdosctl -p audit [OSSEAL]permission-set

�� .

pdosctl -d audit [OSSEAL]permission-set

�� permission-set� � �� OSSEAL ��

��. [OSSEAL] �� permission-set� �� .

� ��, ��

��

� �� pdosctl �� .

pdosctl -a deny -a permit -p [OSSEAL]NdwpoUR

�: � �� . ��

�� . � ��,

� �� .

� ��

�.

��


��. admin � info �� .

POP(Protected Object Policy) ��

� �� . policy�� POP ��

� �� Tivoli Access

Manager for Operating Systems �� policy� ��

��.

��

�� POP� ��

�� POP� ��. ��

� �� . � ��

��.

permit

�� , POP� ��

�� .

deny �� , POP� ��

�� .

� 7 � � 225

all permit� deny �� .

none �� . ��.

pdadmin �� POP � �� . ��

�.

pdadmin> pop modify pop_name set audit-level level

�� level� �� .

� ��, sample_pop POP� �� /OSSEAL/Default/

NetIncoming/TCP/telnet/*.company.com� �� permit�

deny� �� .

pdadmin> pop create sample_poppdadmin> pop modify sample_pop set audit-level permit,denypdadmin> pop attach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com sample_pop

�� *.company.com �� telnet ��

NetIncoming �� . � ��

�� .

� �� none��

�� POP� ��. POP��

�� , �� , �� none��

��.

pdadmin> pop modify sample_pop set audit-level none

� �� POP� ��

�� POP� �� , �� POP� ��

�� .

pdadmin> pop detach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

POP� � �� .


��

POP � ��

� �� . � ��

��

�� , ��

�� . ��


�� . ��

�� POP��

�� .

�� audit_permit_actions � audit_deny_actions��. ��

� �� .

audit_permit_actions permission-setaudit_deny_actions permission-set

permission-set� ACL �� . ��

Tivoli Access Manager for Operating Systems �� . [OSSEAL] �

�� .

audit_permit_actions � audit_deny_actions �� POP ��

�� .

�� audit_permit_actions� POP

�� , ��

�� . ��

� � � �� .

�� audit_deny_actions� POP

�� , ��

�� . ��

� � � �� .

� ��, /etc/passwd � � ��

��

�� .

pdadmin> pop create passwdpop pop modify passwdpop set audit-level permit,denypdadmin> pop modify passwdpop set attribute audit_permit_actions [OSSEAL]NdwpoURpdadmin> pop attach /OSSEAL/policy_branch/File/etc/passwd passwdpop

��


� �� . Admin � info ��

� ��. �� Tivoli Access Manager policy ��

��. �� . �� policy� ��

��

�� (permit, deny, loginpermit, logindeny, trace_exec, trace_exec_l �

trace_file)� � � �� . �� 71 ��

��.

� 7 � � 227

��

��

� � ��. �� AuditAuth � ��

�� . �� AuditTrace � ��

�� .


� � policy� ��. ��

�� . ��

� �� . � ��, �� permit � deny� ��

�� none �� , ��

�� .

AuditAuth �� Unauth �� Tivoli Access Manager

�� . AuditAuth

�� Group �� Tivoli Access Manager ��

�� . AuditAuth ��

� �� User �� UNIX ��

�. User �� Unauth � Group �� .

AuditAuth � policy� permit, deny, loginpermit, logindeny, all � none� �

�� .

permit � ��

� �� . deny � ��

� �� .

loginpermit � ��

�� . logindeny � ��

� ��

�� . all� �� . none ��

� ��

�� .

AuditAuth �� .

/OSSEAL/policy-branch/AuditAuth/Unauth/audit-level/OSSEAL/policy-branch/AuditAuth/Group/group-name/audit-level/OSSEAL/policy-branch/AuditAuth/User/user-name/audit-level

��, � �� permit, deny, loginpermit, logindeny, all � none� ��

� �� .

�� osseal-admin Tivoli Access Manager ��



pdadmin> object create /OSSEAL/Default/AuditAuth/Group/osseal-admin/permit \"Audit all permit access decisions" 11 ispolicyattachable no

osseal-admin Tivoli Access Manager ��


pdadmin> object create /OSSEAL/Default/AuditAuth/Group/osseal-admin/loginpermit \"Audit all loginpermit access decisions" 11 ispolicyattachable nopdadmin> object create /OSSEAL/Default/AuditAuth/Group/osseal-admin/logindeny \"Audit all logindeny access decisions" 11 ispolicyattachable no


�� .

pdadmin> object create /OSSEAL/Default/AuditAuth/User/root/none "Audit no \access decisions" 11 ispolicyattachable no


�� .

pdadmin> object create /OSSEAL/Default/AuditAuth/Unauth/all "Audit all \access decisions" 11 ispolicyattachable no

AuditTrace �� User �� UNIX ��

�� . �� exec, exec_l, file,

all � none��. exec � �� Tivoli Access Manager for Operating

Systems � �� Tivoli Access Manager for Operating Systems��

�� exec() ��

�� . � �� exec() �� TraceExec

� �� . � �� Tivoli Access Manager

for Operating Systems policy� �� . exec_l � �

�� ID� �� UNIX ID� � �� (��

�� ) � ��

exec()� �� TraceExec � �� . �

� ��

TraceFile � �� . all� �� exec � �� file � ��

� �� . none ��

� � �� . ��

�� . none � �

�� all � �� .

AuditTrace �� .

/OSSEAL/policy-branch/AuditTrace/User/user-name/trace-level

��, trace-level� exec, exec_l, file, all � none� ��

��.

� 7 � � 229

�� exec� �� policy� ��

��.

pdadmin> object create /OSSEAL/Default/AuditTrace/User/root/exec "Trace all execs" \11 ispolicyattachable no

pdosshowuser ��

� ��. � ��, Tivoli Access Manager for Operating Systems ��


� ��.

$ pdosshowuser -a -n root

pdosshowuser �� OSSEAL �� .

��

Tivoli Access Manager for Operating Systems� �� . �

� �� policy ��

� �� policy� �� . �� , �� policy

�� .


��. �� policy ��

��.

�: �� , �� . �� , ��

� �� .

�� , ��

�� .

pdosctl -w on

�� .

pdosctl -w off


� �� .

pdoscfg -warning on

��

��.

pdoscfg -warning off

�� -w� ��.


pdosctl -w

�� .

The global warning mode setting is off

�� , ��

�� POP(Protected

Object Policy)� �� . ��

� �� POP� ��

�� . � �� POP� � ��

�� . ��, �� .

� ��, �� /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

� �� .

pdadmin> pop create sample_poppdadmin> pop modify sample_pop set warning yespdadmin> pop attach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com

�� *.company.com �� telnet� ��

NetIncoming ��, �� . � ��

�� . ��

�� no� �� POP� ��

�. POP��

� �� , �� off� ��.

pdadmin> pop modify sample_pop set warning no

�� .

�� POP� ��

� �� POP� �� , �� POP� ��

�� .

pdadmin> pop detach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com sample_pop

POP� �� .


��

pdosauditd �� Tivoli Access Manager for Operating Systems � ��

� ��. �� 87 �� pdosauditd

� �� .

� 7 � � 231

�� /var/pdos/audit/audit.log��. � �� 2� �

�� . pdosauditd �� , � ��

�� audit.log � � �� ,

� �� . �� (

:audit.log.YYYY-MM-DD-HH-MM-SS), �� .

audit.log � � pdostecd Tivoli Enterprise Console �� pdoslrd ��

� �� . ��

� �� . audit.log � � ��

�� , �� . �� 91 �� pdostecd Tivoli

Enterprise Console �� 93 �� pdoslrd ��

�.

��

Tivoli Access Manager for Operating Systems� �� (��

� , � � ��, �� (Tivoli Access Manager �� , pdacld)

�� )�� . ��

�� .

� �� pdoslrd �� . �� Tivoli

Access Manager for Operating Systems � �� (� ��)��

��, �� , �� (�� , � � ��

�� )�� . ��

��. � � � �� /opt/pdos/etc/pdoslrd.xml��. pdoslrd �

�� .

pdoslradm �� pdoslrd ��

� �� .


� � � �� Tivoli Access Manager pdacld ��

�� . �� pdoscollview� ��

� � �� .

�: Tivoli Access Manager for Operating Systems� Tivoli Access Manager pdacld

�� pdoscollview ��

� �� . ��, �� .

pdoslrd �� 109 �� 4 �

�� . pdoslradm �� 285 ��

�pdoslradm�� . pdoscollview �� 265 ��


�pdoscollview�� . pdacld �� IBM Tivoli Access

Manager Base � �� .

��

� �� 2� ��

�(pdosaudview)� �� . �� 248 �� pdosaudview�

� �� . ��, � �� /var/pdos/audit ��

� �� text.log �� .

� �� (concise, keyvalue

� verbose) � �� . � � ��

�� (237 �� ).

concise ��

concise �� , ��

� �� . ��

�� , �� . �� .

Concise �� . ��

�� .

Mon 29 Oct 2001 04:35:27 PM CST,28,P,1,TraceFile,ossyes,ossyes,Trace,wr,,/export/home/ossyes,.sh_history,1235,/usr/bin/ksh,6Mon 29 Oct 2001 04:35:27 PM CST,7,P,1,File,ossyes,ossyes,Check Access,wr,34,bvt,File/export/home/ossyes,.sh_history,,,,,,1235,,/usr/bin/ksh,,,,,,,,S,,7Mon 29 Oct 2001 04:35:38 PM CST,7,P,1,NetOutgoing,ossyes,ossyes,Check Access,C,34,bvt,NetOutgoing/*/tcp/telnet,,,dfstest08.austin.lab.tivoli.com,tcp,23,,1239,,/usr/bin/telnet,,,,,,,,S,,0Mon 29 Oct 2001 04:35:44 PM CST,17,A,1,Policy,root,root,Apply,,,,,,,,,,,831,,,,,,,,,14711,S,,0Mon 29 Oct 2001 04:35:44 PM CST,17,A,1,Policy,root,root,Apply,,,,,,,,,,,831,/opt/pdos/bin/pdosd,/opt/pdos/bin/pdosd,,,,,,,14711,S,,1Mon 29 Oct 2001 04:35:45 PM CST,6,P,1,Logout,ossyes,,Logout,1235,goblue.tivoli.com,0Mon 29 Oct 2001 04:35:45 PM CST,7,P,1,File,root,root,Check Access,r,34,bvt,File/opt/pdos,/usr/lib/liblpm.so,,,,,,1233,,/usr/sbin/in.telnetd,,,,,,,,S,,1

� ��

�� .

keyvalue ��

keyvalue �� , �� concise ��

� �� . �� (1[]4)

� �(=)� ��. �, �� = �� . ��

�� , �� . keyvalue ��

�. �� .

� 7 � � 233

TS=Mon 29 Oct 2001 04:35:27 PM CST,E=28,V=P,R=1,RT=TraceFile,AN=ossyes,AEN=ossyes,A=Trace,P=wr,PRS=/export/home/ossyes,ARS=.sh_history,APID=1235,RPSN=/usr/bin/ksh,UQ=6TS=Mon 29 Oct 2001 04:35:27 PM CST,E=7,V=P,R=1,RT=File,AN=ossyes,AEN=ossyes,A=Check Access,P=wr,Q=34,PBN=bvt,PON=File/export/home/ossyes,SRN=.sh_history,APID=1235,RPSN=/usr/bin/ksh,O=S,UQ=7TS=Mon 29 Oct 2001 04:35:38 PM CST,E=7,V=P,R=1,RT=NetOutgoing,AN=ossyes,AEN=ossyes,A=Check Access,P=C,Q=34,PBN=bvt,PON=NetOutgoing/*/tcp/telnet,NRH=dfstest08.austin.lab.tivoli.com,NP=tcp,NS=23,APID=1239,RPSN=/usr/bin/telnet,O=S,UQ=0TS=Mon 29 Oct 2001 04:35:44 PM CST,E=17,V=A,R=1,RT=Policy,AN=root,AEN=root,A=Apply,APID=831,PVN=14711,O=S,UQ=0TS=Mon 29 Oct 2001 04:35:44 PM CST,E=17,V=A,R=1,RT=Policy,AN=root,AEN=root,A=Apply,APID=831,RPPN=/opt/pdos/bin/pdosd,RPSN=/opt/pdos/bin/pdosd,PVN=14711,O=S,UQ=1TS=Mon 29 Oct 2001 04:35:45 PM CST,E=6,V=P,R=1,RT=Logout,AN=ossyes,A=Logout,APID=1235,LL=goblue.tivoli.com,UQ=0TS=Mon 29 Oct 2001 04:35:45 PM CST,E=7,V=P,R=1,RT=File,AN=root,AEN=root,A=Check Access,P=r,Q=34,PBN=bvt,PON=File/opt/pdos,SRN=/usr/lib/liblpm.so,APID=1233,RPSN=/usr/sbin/in.telnetd,O=S,UQ=1

� ��

� ��.

�� -l �� stdout� �� pdosaudview ��

� ��.

verbose ��

verbose �� , ��

� �� , �� . � �

�, � �� . �

�� .

***START OF NEW RECORD***

�� . ��

�� , �� .

�� .

*** START OF NEW RECORD ***

�� Mon 29 Oct 2001 04:35:27 PM CST�� TRACE �� TraceFile�� ossyes�� ossyes�� Trace�� /export/home/ossyes�� .sh_history�� ID 1235�� /usr/bin/ksh�� 6



�� Mon 29 Oct 2001 04:35:27 PM CST�� .�� File�� ossyes�� ossyes�� Check Access�� policy� ��

��.Policy Branch �� bvt�� File/export/home/ossyes�� .sh_history�� ID 1235�� /usr/bin/ksh�� Success�� 7


�� Mon 29 Oct 2001 04:35:38 PM CST�� .�� NetOutgoing�� ossyes�� ossyes�� Check Access�� connect�� policy� ��

��.Policy Branch �� bvt�� NetOutgoing/*/tcp/telnet�� ID dfstest08.austin.lab.tivoli.com�� tcp�� 23�� ID 1239�� /usr/bin/telnet�� Success�� 0


�� Mon 29 Oct 2001 04:35:44 PM CST�� Policy �� Kernel Policy Cache�

��.�� Admin�� Policy�� root�� root�� Apply�� ID 831Policy �� 14711�� Success�� 0

� 7 � � 235


�� Mon 29 Oct 2001 04:35:44 PM CST�� Policy �� Kernel Policy Cache�

��.�� Admin�� Policy�� root�� root�� Apply�� ID 831�� /opt/pdos/bin/pdosd�� /opt/pdos/bin/pdosdPolicy �� 14711�� Success�� 1


�� Mon 29 Oct 2001 04:35:45 PM CST�� .�� Logout�� ossyes�� Logout�� ID 1235�� ID goblue.tivoli.com�� 0


�� Mon 29 Oct 2001 04:35:45 PM CST�� .�� File�� root�� root�� Check Access�� read�� policy� ��

��.Policy Branch �� bvt�� File/opt/pdos�� /usr/lib/liblpm.so�� ID 1233�� /usr/sbin/in.telnetd�� Success�� 1

-l �� pdosaudview �� .


��

� �� (��, �� )

�� . ��

� �� .

� ��

�.

��

�� . ��

�.

v ��

v ��

v ��

v ��

� � �� 48� �� .

� 48. � � ��

��

1 TS ��

2 E � �� ID �� . � �� ID� 240 �

�� 49� �� .

3 V � ��

D Deny

P Permit

A Admin

I Info

T Trace

W Warning

4 R � ��

1 ��

2 � �

3 ��

4 � ��

5 ��

5 RT � � �� . Process, TCB, Cred, Policy, Login,

Logout, Password, File, NetIncoming,

NetOutgoing, Surrogate �� Sudo � ��

6 AN ��

7 AEN ��

� 7 � � 237

� 48. � � �� (��)

��

8 A � �� . Check Access, Add,

Delete, Change, Retrieve, Apply, Trust, Untrust,

Start, Stop, Register, Trace, Isolated, Not Isolated,

Login, Logout, Enable �� Disable � ��

9 P � �� Check Access �, � �

��

�.

C connect

D chdir

G surrogate

K kill

L login

N create

R rename

U utime

d delete

l readdir

o chown

p chmod

r read

w write

x execute

10 Q � �� . �� 241

�� 50� ��.

11 PBN policy �� Policy �� . ��

� �� .

12 PON ��

�� Check Access� �� :

��

��

�� Policy�� Apply

� �� :

policy� ��


� 48. � � �� (��)

��

13 SRN �� File� ��:

��

�� TCB�� Trust �

� Untrust� ��:

��

� TCB ��

�� Login��, �� Admin

�� Disable �� Enable� ��:

��

��

14 SN �� Surrogate �, ��

� �� ID��, ��

�� ID

15 NRH �� ID�� NetIncoming� ��

��

�� NetOutgoing� ��

��

� ��

�, �� IP ��.

16 NP �� NetIncoming �� NetOutgoing

�, �� .

17 NS �� NetIncoming� ��

��

� � ��

�� NetOutgoing� ��

��

� ��

18 LL �� ID � � �� Login��

�� . ��

� �� , ��

�� IP ��.

19 APID �� ID �� ID

20 RPPN ��

��

�� TCB(Trusted Computingn

Base)� �� , ��

�� .

21 RPSN ��

� � ��

��

22 SC Sudo �� Sudo �, Sudo policy� �

�� .

� 7 � � 239

� 48. � � �� (��)

��

23 SU Sudo �� Sudo �, Sudo policy� �

�� Sudo ��

��.

24 SF Sudo �� Sudo �, � ��

Sudo policy� ��

� ��, ��

� �� . �� , � ��

� � ��.

25 AP ��

26 CDAF TCB ��

��

TCB(Trusted Computing Base) ��

� ��

27 PE Policy Epoch Policy ��

28 PVN Policy �� Policy ��

29 O � ��

�� , � �� Failure(F)� �

��. �� , �� Success(S)

� ��.

30 FS � �� Failure �, � ��

�� .

31 UQ � �� (�) ��

�� . � 0(� ��

��)�� , ��(�)� ��

�� .

� 49. � �� ID� ��

��

ID(E) ��

1 �� .

2 �� (��) �� .

3 �� ( ��) �� .

4 �� .

5 �� .

6 �� .(� �� 244 ��

�� .)

7 �� .

8 �� API �� .

9 TCB �� .

10 Tivoli Access Manager for Operating Systems �� pdosd� ��

�. �� .

11 Tivoli Access Manager for Operating Systems �� pdosd� ��

��. �� policy� ��.

12 Tivoli Access Manager �� (�� ).

13 Tivoli Access Manager �� .


� 49. � �� ID� �� (��)

��

ID(E) ��

14 �� .

15 �� policy� �� .

16 �� Policy� ��.

17 � policy �� policy �� .

18 � policy �� epoch� ��.

19 TCB �� .

20 TCB �� .

21 � � �� .

22 � � �� .

23 Tivoli Access Manager for Operating Systems �� .

24 Tivoli Access Manager for Operating Systems �� .

25 �� .

26 �� kosseal_register �� .

27 TRACE Exec ��(� �� 242 ��

�� .)

28 TRACE File ��(� �� 242 ��

� �� .)

29 �� .

30 �� .

� 50. � ��

��

(Q) ��

��

1 �� .

2 �� .

3 �� .

4 �� .

5 �� .

6 �� .

7 �� .

8 �� .

9 �� .

10 �� policy� �� .

11 �� policy� �� .

12 �� policy� �� .

13 �� policy� �� .

14 �� policy� �� .

15 � �� .

16 �� .

� 7 � � 241

� 50. � �� (��)

��

(Q) ��

17 �� .

18 �� policy� �� .

��

30 � �� policy� �� .

31 � �� policy� �� .

32 TCB �� .

33 �� .

34 �� policy� �� .

��

50 �� .

51 �� .

51 �� .

53 �� .

54 �� .

55 �� .

56 �� .

57 �� .

58 �� .

59 �� .

60 �� .

61 �� .

62 �� .

�� .

��

� � �� exec()� ��

��.

� � �� 51� ��.

� 51. � � ��

��

1 TS ��

2 E � �� ID ��

27 TRACE Exec ��

28 TRACE File ��


� 51. � � �� (��)

��

3 V � ��

D Deny

P Permit

T Trace

4 R � ��

1 ��

2 ��

5 RT � � ��

v TraceExec

v TraceFile

6 AN ��

7 AEN ��

8 A � �� Trace

9 P � ��

��.

D chdir

K kill

N create

R rename

U utime

d delete

l readdir

o chown

p chmod

r read

w write

x execute

10 Q � �� . �� 241 �

�� 50� ��.

11 PRS ��

� 7 � � 243

� 51. � � �� (��)

��

12 ARS �� TraceFile� ��:

��

�� TraceExec� ��:

exec() ��

� � setuid �� [SU]

�� . � � setgid ��

�� [SG] �� . �

� setuid �� setgid ��

� �� [SUG] �� .

�� exec() �� argv

��( ��

�)� � �� . � �, ��

� ��.

/usr/bin/ps [SG] (ps -elf |grep pdos)


14 RPSN ��

� � ��

��

15 UQ � �� (�) ��

� �� . � 0(� ��

��)�� , ��(�)� ��

�� .

��

�� . � 52� ��

�� .

� 52. ��

��

1 TS ��

2 E � �� ID ��

6 ��

3 V � ��

P Permit

4 R � ��

1 ��

2 ��

5 RT � � �� . Logout

6 AN ��


� 52. �� (��)

��

7 AEN ��

8 A � �� . Logout


10 LL �� ID ��

� �� . ��

�� (: /dev/tty0)��

� IP ��.

11 UQ � �� (�) ��

�� . � 0(� ��

��)�� , ��(�)� ��

�� .

��

� ��

�� . �� (: � ��, �

� ��, �� )� �� . � ��

� �� , �� 2� ��

�� . ��, � � � �� text.log��

audit.log � � �� .

�� , text.log � � �� . �

� pdosaudview� -l ��

��.

� �� . � ��

248 �� pdosaudview�� . ��

�� .

��

�� .

v ��

��.

pdosaudview -w deny

v �� ID maggie� � ��

��.

pdosaudview -s today -e today -g login -w deny -n maggie

v �� 30�� .

pdosaudview -s now-30

� 7 � � 245

v 2002� 10� 25 � 10� 31 �� ID bjones� ��

�� /tmp/audout/bjones�� concise ��

� �� .

pdosaudview -F concise -s 2002-10-25-00:00 \-e 2002-10-31-23:59 -g file \-w deny -n bjones -f /tmp/audout/bjones

v �� (�)� �� .

pdosaudview -s now


� 8 � �


�� .

�� Tivoli Access Manager for Operating

Systems �� . ��

��.

v Tivoli Access Manager �� osseal-admin �

v UNIX� osseal �

pdosaudview �� Tivoli Access Manager ��

��. �� .

v Tivoli Access Manager �� osseal-auditors �

v UNIX� ossaudit �

�� policy� ��. � ��


�� . �� policy� �� 7 �� 2 � �Policy�

� ��.

�: �� -t trace-string �� Tivoli ��

� �� . trace-string� ��

��. �� IBM Tivoli Access Manager for Operating Systems ��

� �� .


pdosaudview

��

Tivoli Access Manager for Operating Systems� �� 2� � ��

�� .

��

pdosaudview [-h] [-?] [-V]

[ -l ] [ prints output to screen ]

[-g resource type]

[-z azn decision type]

[-p pid]

[-w audit view]

[-a action]

[-r reason]

[-o outcome]

[-n accessor name | accessor uid]

[-c accessor effective name | accessor effective uid]

[-s [YYYY-MM-DD{-hh:mm:ss}] | today [-n] | now [-n] ]

[-e [YYYY-MM-DD{-hh:mm:ss}] | today [-n] | now [-n] ]

[-R YYYY-MM-DD-hh:mm:ss n]

[-f filename]

[-i audit log filename]

[-F concise | keyvalue | verbose]

[O] output domain name

[N ] output hostname

[-L filter filename]

[-I filter name]

[-M keyword | event | view | permission | qualifier | outcome |

all]

��

pdosaudview �� Tivoli Access Manager for Operating Systems� �� 2�

� � � �� . ��

� ��, �� .

pdosaudview �� concise, keyvalue � verbose � ��

��. �� 233 ��

�.

�� (-g, -z,

-p, -w, -a, -o, -u, -c, -s, -e, -R � -I). � �� , �� ,

�� .


��, �� /var/pdos/audit �� .

�� -i �� .

�� 217 �� 7 � �� .


��.

�

-V �� .

-h �� .

-? �� .

-l �(stdout)�� . -F ��

� �, �� verbose �� .

-g � ��(azn, daemon, tcb, cred, password, policy, login, logout, trace_exec,

trace_file)

�� , -z �� .

-z azn_decision ��(file, netincoming, netoutgoing, login, surrogate, sudo)

-p � �� . �� KERNEL,

PDOSD, WATCHDOG, AUDITD, LPM, � GENERAL��. � ��

� �� pdosaudview �� . ��

��

��.

-w � ��(permit, deny, admin, info, trace, warning)

-a ��(check_access, add, delete, change, retrieve, apply, trust, untrust, start,

stop, register, trace, isolated, not-isolated, unknown, login, logout, enable,

disable)

-r ��(global_audit, resource_audit, global_warning, resource_warning,

user_audit)

-o ��(success, failure)

-n �� | �� uid

-c �� | �� uid

-s �� . YYYY-MM-DD{-hh:mm:ss} ��

� �� today � now� ��

� 8 � �� 249

� ��. �� , �� (n)� ��

� n �� n�� . ��

� �� .

-e �� . YYYY-MM-DD{-hh:mm:ss} ��

� �� today � now� ��

� ��. �� , �� (n)� ��

� n �� n�� . ��

�� .

-R �� (YYYY-MM-DD-hh:mm:ss) � � ��(n)� ��

� ��.

-f � ��-ASCII ��

-i �� . � �� , ��

/var/pdos/audit �� .

-F � �� . -l �� keyvalue �

��. -F �� -l �� verbose ��

��.

-O �� . �� . �

�� concise, keyvalue � verbose �� . � ��

� �� .

-N �� . � �� concise, keyvalue

� verbose �� . � ��

�� .

-L �� , �, -I ��

� . ��, �� /opt/pdos/etc/pdoslrd.xml��. ��

��, �� -I �� -L �� .

-I �� . �� -L ��

��. -L �� , /opt/pdos/etc/pdoslrd.xml �

� ��. �� pdoslrd� ��

��. � �� pdosaudview ��

� ��. ��

�(: -g, -z, -p, -w, -a).

-M � �� .

��

0 �� .

1 �� .


��

v �� .

pdosaudview -g login

v �� .

pdosaudview -s today-1 -e today-1 -g surrogate -w permit

v �� (�) �� stdout� ��

��.

pdosaudview -l -s now-1 -e now-1

245 �� .

� 8 � �� 251

pdosbkup

��


��.

��

pdosbkup [-Vh?]

[-x]

[-f filename]

[-p directory-path]

��

pdosbkup �� /opt/pdos/etc/pdosbkuplist � � ��

�� -x �� , /opt/pdos/etc/pdosbkuplistx � � ��

� � � �� .

��, �� tar � � /var/pdos/pdosbkup ��

pdosbkupDDMMMYYYY.hh_mm_ss.tar �� .

-p �� . -f ��

�� .

Tivoli Access Manager for Operating Systems �� pdosbkup

�� .


� ��.

�

-V �� .

-h �� .

-? �� .

-x �� .

-f filename

�� .

-p directory-path

�� .


��

0 �� .

1 �� .

��

�� pdosbkup �� .

v �� Tivoli Access Manager for Operating Systems ��

�� .

pdosbkup

�� 2002� 12� 7 , 04:30:00� ��

��.

/var/pdos/pdosbkup/pdosbkup07Dec2002.04_30_00.tar

v �� Tivoli Access Manager for Operating Systems ��

/var/disaster_rcvy/December2002.tar� ��

�.

pdosbkup -x -p /var/disaster_rcvy -f December2001.tar

� 8 � �� 253

pdoscfg

��

Tivoli Access Manager for Operating Systems� ��.


��

pdoscfg [-admin_cred_refresh number_of_minutes]

[-admin_name admin_user_name]

[-admin_pwd admin_user_password]

[-audit_deny_actions (osseal action_groupl | [OSSEAL} osseal action bits)]

[-audit_level (all | none | permit | deny | loginpermit | logindeny |

admin | verbose | info | trace_exec | trace_file | trace_exec_l |

trace_exec_root)]

[-audit_logflush number_of_seconds]

[-audit_log_size number_of_bytes]

[-audit_permit_actions (osseal action_group | [OSSEAL] osseal action bits)]

[-autostart (on | off)]

-branch policy_branch_name

[-cred_hold number_of_minutes]

[-cred_response_wait number_of_minutes]

[-critical_cred_group critical_cred_group_name]

[-critical_cred_refresh number_of_minutes]

[-delete (comma_delimited_list_of_options)]

[-dns (on | off)]

[-ffdc_capture (on | off)]

[-help]

[-hostname hostname]

[-kmsg_hnd_threads number_of_threads]

-ldap_ssl_cacert ldap_certificate_file_name

[-local_domain domain_name]

[-login_policy (on | off)]

[-lrd_admin_name user_admin_name]

[-lrd_admin_pwd user_admin_password]

[-lrd_config (on | off)]

[-lrd_local_domain domain_name]

[-net_ACL_limited (on | off)]

[-operations]

[-pdosauditd_log_entries number_of_log_entries]

[-pdosauditd_logs number_of_logs]

[-pdosd_init_wait number_of_minutes]

[-pdosd_log_entries number_of_log_entries]

[-pdosd_logs number_of_logs]

[-pdoslrd_log_entries number_of_log_entries]

[-pdoslrd_logs number_of_logs]

[-pdoswdd_log_entries number_of_log_entries]

[-pdoswdd_logs number_of_logs]

[-refresh_interval number_of_minutes]

[-rspfile file_name]

[-ssl_listening_port port_to_listen_for_notification]

-suffix policy_director_suffix

[-tcb_ignore_ctime (on | off)]

[-tcb_interval number_of_seconds]

[-tcb_max_file_size number_of_megabytes]

[-tcb_monitor_threads number_of_threads]

[-tcb_nocrc_on_exec (on | off)]

[-uid (on | off)]

[-usage]

[-user_cred_refresh number_of_minutes]

[-version]

[-warning (on | off)]

[-?]

� 8 � �� 255

��

pdoscfg �� Tivoli Access Manager for Operating Systems� ��

��. �� pdoscfg� �� . pdoscfg


�� .

�� pdoscfg �� . �� Tivoli


��.

policy �� . pdosucfg ��


pdoscfg �� policy �� .

pdoscfg �� SSL �� LDAP SSL CA ��

� Tivoli Access Manager for Operating Systems� ��.

�

�� . � ��

��(� �� ).

-admin_cred_refresh

�� (� ��)� � ��.

��: 360

-admin_name


��: sec_master

-admin_pwd

Tivoli Access Manager �� . -admin_name� ��

-sec_master_pwd �� .

-audit_deny_actions

� osseal �� osseal �� [OSSEAL]. �

� osseal �� DKNRUdloprwxCGL��.

��: none

-audit_level

�� . �� all, none, permit, deny, loginpermit,

logindeny, admin, verbose, info, trace_exec, trace_exec_l, trace_exec_root,

�� trace_file��.


��: none

-audit_logflush

pdosauditd �� (� �

�)

��: 5

-audit_log_size

pdosauditd� � ��

� �� (�� )

��: 1000000

-audit_permit_actions

�� osseal �� osseal �� [OSSEAL]. �

� osseal �� DKNRUdloprwxCGL��.

��: none

-autostart


� ��.

��: on

-branch

� �� policy ��

-cred_hold

�� (� ��). � �

-admin_cred_refresh � -user_cred_refresh �� .

��: 10080

-cred_response_wait

�� (� �

�)

��: 2

-critical_cred_group

��


-critical_cred_refresh

-critical_cred_group �� (� ��)

��: 720

� 8 � �� 257

-delete

�� . ��

��.

v admin_cred_refresh

v audit_level

v audit_log_entries

v audit_logflush

v audit_logs

v audit_log_size

v audit_deny_actions

v audit_permit_actions

v cred_hold

v cred_response_wait

v critical_cred_refresh

v critical_cred_group

v dns

v ffdc_capture

v kmsg_hnd_threads

v pdosd_log_entries

v pdosd_logs

v pdoswdd_log_entries

v pdoswdd_logs

v refresh_interval

v tcb_ignore_ctime

v tcb_interval

v tcb_max_file_size

v tcb_monitor_threads

v tcb_nocrc_on_exec

v uid

v user_cred_refresh

v warning

-dns Tivoli Access Manager for Operating Systems� IP ��

� �� .

��: on


-ffdc_capture


�� .

��: on

-help �� . ��

� -help -option� ��.

-hostname


�� , ��

��.

-kmsg_hnd_threads

�� . �� .

9� �� !��

� �� . ��

�� 8�� . ��

�� 24��.

��: 8

-ldap_ssl_cacert

Tivoli Access Manager �� LDAP� CA �. �

�� Tivoli Access Manager for Operating Systems � LDAP ��

�� .

install_ldaps �� LDAP �� Tivoli

Access Manager �� /etc/gsk/pd_ldapcert.arm � � ��


��.

-local_domain

pdosd �� Tivoli Access Manager �� . � ��


�� . (Tivoli Access Manager ��

� �� (��) ��

��.)

Tivoli Access Manager �� -admin_name �

-admin_pwd ��

� ��.

-login_policy

�� .

� 8 � �� 259

�� policy� �� , ��

�� policy� �� (:

dtlogin)� �� . ��


��: on

-lrd_admin_name

pdoslrd �� Tivoli Access Manager policy ��


-lrd_admin_pwd



-lrd_config

pdoslrd �� .

��: off

-lrd_local_domain

pdoslrd �� Tivoli Access Manager �� .

pdoslrd �� Tivoli Access Manager ��

(pdacld)� � �� , pdoslrd �� pdacld �

�� . Tivoli

Access Manager policy ��

pdoslrd �� pdosd ��

� ��. � �� , �� pdosd ��

�� .

� Tivoli Access Manager �� -lrd_admin_name

� -lrd_admin_pwd ��

� �� .

-net_ACL_limited

�� policy �� /OSSEAL/branch/NetIncoming

� /OSSEAL/branch/NetOutgoing �� ACL

� �� . policy �� policy

� �� ACL ��

�� .

��: off

-operations

�� .


-pdosauditd_log_entries

pdosauditd �� pdosauditd �� .

�� 0� �� pdosauditd ��

�� . -pdosauditd_log_entries� 0� ��

-pdosauditd_logs� 0� �� , pdosauditd ��

� �� -pdosauditd_log_entries� ��

pdosauditd �� . -pdosauditd_log_entries

� 0� �� -pdosauditd_logs� 0� �, pdosauditd ��

� �� -pdosauditd_log_entries� ��

� pdosauditd �� .

��: 0

-pdosauditd_logs

pdosaditd �� pdosauditd ��

� �. pdosauditd �� 0� ��

-pdosauditd_log_entries� 0� �� . pdosauditd

�� -pdosauditd_log_entries� ��

� �� pdosauditd �� . ��

0� pdosauditd �� .

��: 0

-pdosd_init_wait

�� policy �� pdosd ��

� ��

��: 5

-pdosd_log_entries

pdosd �� pdosd �� . �� 0�

�� pdosd ��

�� . -pdosd_log_entries� 0� �� -pdosd_logs� 0� ��

�, pdosd ��

-pdosd_log_entries� �� pdosd ��

�� . -pdosd_log_entries� 0� ��

-pdosd_logs� 0� �, pdosd ��

-pdosd_log_entries� �� pdosd ��

�� .

��: 0

-pdosd_logs

pdosd �� pdoswdd ��

�. pdosd �� 0� ��

� 8 � �� 261

-pdosd_log_entries� 0� �� . pdosd ��

� � � � �� -pdosd_log_entries� ��

�� pdosd �� . �� 0� pdosd ��

� � �� .

��: 0

-pdoslrd_log_entries

pdoslrd �� pdoslrd �� . ��

0� �� pdoslrd ��

�� . -pdoslrd_log_entries� 0� �� -pdoslrd_logs

� 0� �� , pdoslrd ��

-pdoslrd_log_entries� �� pdoslrd ��

� �� . -pdoslrd_log_entries� 0� ��

-pdoslrd_logs� 0� �, pdoslrd ��

-pdoslrd_log_entries� �� pdoslrd ��

� �� .

��: 0

-pdoslrd_logs

pdoslrd �� pdoslrd ��

�. pdoslrd �� 0� ��

-pdoslrd_log_entries� 0� �� . pdoslrd ��

� � � � �� -pdoslrd_log_entries� ��

� �� pdoslrd �� . �� 0� pdoslrd

�� .

��: 0

-pdoswdd_log_entries

pdoswdd �� pdoswdd �� . ��

0� �� pdoswdd ��

� �� . -pdoswdd_log_entries� 0� ��

-pdoswdd_logs� 0� �� , pdoswdd ��

� -pdoswdd_log_entries� �� pdoswdd �

�� . -pdoswdd_log_entries� 0� ��

-pdoswdd_logs� 0� �, pdoswdd ��

-pdoswdd_log_entries� �� pdoswdd ��

�� .

��: 0

-pdoswdd_logs

pdoswdd �� pdoswdd ��


�. pdoswdd �� 0� ��

-pdoswdd_log_entries� 0� �� . pdoswdd �

� � � � � � �� -pdoswdd_log_entries� ��

� � �� pdoswdd �� . �� 0�

pdoswdd �� .

��: 0

-refresh_interval

Tivoli Access Manager policy ��

�� , policy �� (� ��). 0 � policy

�� .

-ssl_listening_port� ��.

��: 0

-rspfile

��

-ssl_listening_port

policy �� . 0 � policy ��

�� . -refresh_interval

� ��.

��: 7134

-suffix �� Tivoli Access Manager for Operating Systems� �� Tivoli

Access Manager �� LDAP � �. � �,

� �� ou=austin,o=ibm,c=us��. � �� (″″)

� ��.

-tcb_ignore_ctime

TCB(Trusted Computing Base) �� ctime� ��.

� �� ctime� �� TCB �� .

��: off

-tcb_interval

�� TCB � � �� (� ��). ��

� �� (��) ��.

��: 1800

-tcb_max_file_size

�� MB �. ��

�� .

��: 10

� 8 � �� 263

-tcb_monitor_threads

�� TCB � � �� . � � 1

�� !�� . ��

��.

��: 1

-tcb_nocrc_on_exec

�� TCB� ��

�� CRC �� . � �� 2� � �

� CRC �� .

��: off

-uid UID/GID� ��/� �� .

��: off

-usage �� .

-user_cred_refresh

�� (� ��)� � ��.

��: 720

-version

pdoscfg �� .

-warning

�� .

��: off

-? �� .


pdoscollview

��

pdsolrd �� .

��

pdoscollview [-h] [-?] [-V]

[ -l ] [ prints output to screen ]

[-g resource_ type]

[-z azn-decision-type]

[-w audit_type]

[-a action]

[-r reason]

[-o outcome]

[-n accessor_name]

[-c accessor_effective_name]

[-s [YYYY-MM-DD{-hh:mm:ss}] | today [-n] | now [-n] ]

[-e [YYYY-MM-DD{-hh:mm:ss}] | today [-n] | now [-n] ]

[-f output_filename]

[-i audit log filename]

[-F concise | keyvalue | verbose]

[-M keyboard | event | view | permission | qualifier | outcome | all]

[-R YYYY-MM-DD-hh:mm:ss n]

[-D local domain-name]

[-H hostname]

[-b base_collectiion_file_pathname]

[-d delimiter]

[N ] output hostname]

[-O ] output local domain name

[-L filter filename]

[-I filter name]

��

pdoscollview �� pdacld �� .

�� , �� .

�

-V �� .

-h �� .

-? �� .

-l �(stdout)�� .

� 8 � �� 265

-g resource_type

� ��(azn, daemon, tcb, cred, password, policy, login, logout, trace_exec,

trace_file). �� , -z �� .

-z azn_decision_type

azn_decision ��(file, netincoming, netoutgoing, login, surrogate, sudo)

-w audit_view

� ��(permit, deny, admin, info, trace, warning)� ��.

-a action

��(check_access, add, delete, change, retrieve, apply, trust, stop, register,

trace, isolated, not_isolated, unknown, login, logout, enable, disable)� �

��.

-r reason

��(global_audit, resource_audit, global_warning, resource_warning,

user_audit)

-o outcome

��(success, failure)

-n accessor_name

�� | �� uid

-c accessor_effective _name

�� | �� uid

-s [YYYY-MMDD{hh:mm:ss} today[-n] | now{-n}]

�� . YYYY-MM-DD{-hh:mm:ss} ��

�� today � now� ��

�� . �� , ��

(n)� �� n �� n�� . ��

�� .

-e [YYYY-MMDD{hh:mm:ss} today[-n] | now{-n}]

�� . YYYY-MM-DD{-hh:mm:ss} ��

�� today � now� ��

�� . �� , �� (n)

� �� n �� n�� . ��

� �� .

-f output_filename

�� ASCII �� .

-i input_collection_file_pathname

�� .


-F concise | keyvalue | verbose

� �� . -F �� -l ��

� �� keyvalue ��, �� verbose �� .

-M � �� .

-R YYYY-MM-DD-hh:mm:ss n

�� (YYYY-MM-DD-hh:mm:ss) � � ��(n)� ��

� ��.

-H hostname

��

�.

-D �� . �� .

-b base_collection_file_pathname

�� . �� . � ��

� ��

� � ��. � ��, �� /x/y/audit_collect��

/x/y �� audit_collect.2002-10-13-09:34:55,

audit_collect.2002-10-14-10:55:03 � audit.collect � � � �

� �� , �� . ��

��(�� )� ��

�, �� .

-d delimiter

��. concise � keyvalue �� . �

� �� , �� . � � ��

� �� . � ��, ��

� ��(l)� �� -d ″|″� ��.

-N �� . � �� concise, keyvalue

� verbose �� . � ��

�� .

� � � ��

�� -H �� .

-O �� . �� . �

�� concise, keyvalue � verbose �� . � ��

� �� . � �

� �� -D �

�� .

-L �� , �, -I ��

� 8 � �� 267

� . ��, �� /opt/pdos/etc/pdoslrd.xml��. ��

��, �� -I �� -L �� .

-I �� . �� -L ��

��. -L �� , /opt/pdos/etc/pdoslrd.xml �

� ��. �� pdoslrd� ��

��. � �� pdoscollview ��

� ��. ��

�(: -g, -z, -p, -w, -a).


pdosctl

��


��.

��

pdosctl -k [daemon [-k daemon ...]]

-s [daemon [-s daemon ...]] [-q]

-w [on|off]

-a [audit-level[:{on|off}] [-a audit-level[:{on|off}] ...]]

-A [audit-level[:{on|off}] [-A audit-level[:{on|off}] ...]]

-t [daemon[:trace-string] [-t daemon[:trace-string] ...]]

[-Vvh?]

[-t trace-string]

[-p [OSSEAL]osseal actions

[-d [OSSEAL]osseal actions

��

pdosctl �� . pdosctl ��

��, � �� , �� , ��

��. �� pdosd, pdosauditd, pdoswdd, pdoslpmd � pdoslrd

��.

�� -k �� 5�� Tivoli Access Manager for Operating

Systems �� . �� -k ��

�� . -k ��

��.

�� -s �� 5�� . �� -s ��

� ��

��. -s �� .

-q �� -s �� . -q �� -s ��

�� , �� 0�� , ��

�� 1� ��.

�� -w �� Tivoli Access Manager for Operating Systems� �

� �� . �� -w �� on �� off�

�� .

� 8 � �� 269

�� -a � -A �� . �

� -a � -A �� .

v -A� �� . � ��

-A �� , �� .

v -a� �� . � ��

�� -a �� .

�� -a � -A �� (:)��

� �� on �� off� ��. �� on �� off ��

�� , on �� . � �� all, none, permit, deny,

loginpermit, logindeny, admin, verbose, info, trace_exec, trace_exec_l, trace_exec_root

� trace_file��.

�� -t �� . -t ��

�� . �� -t ��

�� . ��

�� , -t �� , �(:)� ��

��. -t �� Tivoli Access Manager for Operating Systems ��

�� . -t �� . �


�� .


� ��.

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-k [daemon]

�� .

-s [daemon]

�� .

-w �� .


-a [audit level]

�� .

-A [audit level]

�� .

-d �� , ��

�.

-p �� , ��

�.

-t [daemon]

�� .

��

0 �� .

>=1 �� .

��

�� pdosctl �� .

v pdosd, pdosauditd, pdoslpmd, pdoswdd � pdoslrd ��

��.

pdosctl -k

�� .

pdosd ��pdoswdd ��pdoslpmd ��pdoslrd ��pdosauditd ��

v pdoswdd �� .

pdosctl -k pdoswdd

�� .

pdoswdd ��

v Tivoli Access Manager for Operating Systems� ��

��.

pdosctl -s

�� .

� 8 � �� 271

pdosd�(�) �� .pdoswdd�(�) �� .pdoslpmd�(�) �� .pdoslrd�(�) �� .pdosauditd�(�) �� .

v �� .

pdosctl -w on

v �� .

pdosctl -w

�� .

�� on��.

v �� .


v �� .

pdosctl -a admin:on

v �� .

pdosctl -a

�� .

pdosd�� .(permit, deny, admin)pdoswdd�� .(permit, deny, admin)pdoslrd�� .(permit, deny, admin)pdoslpmd�� .(permit, deny, admin)pdosauditd�� .(permit, deny, admin)

v �� .

pdosctl -d [OSSEAL] rw


pdosdestroy

��


��

pdosdestroy [-Vvh?]

[-t trace-string]

[-u uid] [-u uid ...]

[-n name] [-n name ...]

��

pdosdestroy �� Tivoli Access Manager for Operating Systems ��

�� . -u �� -n �� , �

�� . -u �� , UID� ��

� �� . -n �� , ��

��.

-u �� -n �� Tivoli Access Manager for Operating Systems ��

�� .-u � -n ��

�� .

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-u uid

�� UID� ��.

-n name

�� UNIX �� .

��

0 �� .

1 �� .

� 8 � �� 273

��

�� pdosdestroy �� .

1. �� .

pdosdestroy

2. �� anne � UID� 300� �� riley� ��

��.

pdosdestroy -n anne -u 300


pdosexempt

��


��: � �� Tivoli Access Manager for Operating Systems ��

�� . pdosrevoke �� .

��

pdosexempt [-Vvh?]

[-t trace-string]

[-i]

[pid [pid ...]]

��

pdosexempt �� Tivoli Access Manager for Operating Systems ��

� �� . �� pdosexempt �� OSSEAL ��

(osseal) �� policy�� . ��, OSSEAL

�� (osseal)� �� policy�� .

osseal �� pdosexempt ��

�� .

v ��

v ��

v pdosexempt� �� ACL

pdosexempt �� pid �� pid �� pid� ��

� �� policy�� . pid �� pdosexempt ��

�� .

pid �� -i �� . -i �� , �� pid� �


pdosrevoke �� pdosexempt �� Tivoli Access Manager

for Operating Systems �� .


� ��.

�

-V �� .

� 8 � �� 275

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-i �� pid� � �� policy �� .

��

0 �� .

1 �� .

��

�� pdosexempt �� .

1. OSSEAL �� Tivoli Access Manager


pdosexempt

�� .

�� osseal(uid 1444)�(�) � �� PDOS policy�� .

2. �� Tivoli Access Manager for Operating

Systems �� .

pdosexempt -i 9688

�� .

�� 9688�(�) � �� PDOS policy�� .


pdoshla

��

Host Name Lookaside Database� �� IP �� .

��

pdoshla [-Vvh?]

[-t trace-string]

[-D DB-path] -F

[-D DB-path] -f

[-D DB-path] -r IP-addr

[-D DB-path] -a IP-addr [-T TTL-secs -H hostname]

[-D DB-path] -l {all | stale | fresh }

[-D DB-path] -u

��

pdoshla �� Host Name Lookaside Database� �� IP �� , �

�, � � � �� .

-D �� . ��

/var/pdos/hla �� . �� IP �� -a ��

�� .

-T �� -a �� , �� 21600�(6��)�

��.

-H �� , �� IP ��

DNS �� .

�� .

v -F ��

v -f ��

v -r ��

-u �� . � ��

�� DNS �� .

all, stale �� fresh �� -l ��

� � ��.


� ��.

� 8 � �� 277

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-D database_path

�� .

-F �� .

-f �� .

-r IP_address

�� .

-a IP_address

�� .

-T TTL_seconds

� �� (� ��)� ��.

-H Hostname

�� .

-l �� .

-u �� .

��

0 �� .

1 �� .

��

�� pdoshla �� .

1. IP �� 146.84.107.11� ��

��.

pdoshla -a 146.84.107.11

2. �� .

pdoshla -l all

�� .


# Internet Address Hostname9.41.3.101 carlb.austin.lab.tivoli.com146.84.107.11 riley.tivoli.com9.41.3.123 dfstest13.austin.lab.tivoli.com

3. �� .

pdoshla -l stale

�� .

# Internet Address Hostname9.41.3.123 dfstest13.austin.lab.tivoli.com

4. �� .

pdoshla -f

5. �� .

pdoshla -u

� 8 � �� 279

pdoslpadm

��


�� .

��

pdoslpadm [-hvq?]

-r [-f] [-e | -d] [user [user ...]]

-m user [MMDDhhmm[[CC]YY]]

-c [on | off] [-n {client | server} ]

-p [user [user ...]]

-P [user [user...]]

-x user [user ...]

-l user [user ...]

-u [-z] user [user ...]

��

pdoslpadm �� UNIX �� policy� ��

�� . Tivoli Access Manager for Operating Systems� �� policy� �

�� , � �� policy �� . � ��

� �� .

-r �� UNIX ��

�� . -r ��

�� , �� . -r ��

�� , �� .

-e �� -r �� (�� ) ��

�� . -d �� -r �� (� ) ��

�� . -f �� -r ��

�� .

�: -r � -f �� rhost name ��

�. ��

policy �� .

-m ��

� �� . �� , ��

� �� policy� MinPasswordDays� �� . � �

�, �� 5 �, -m� � �� 5 ��. ��

� �� , �� MMDDhhmm[[CC]YY]� ��. ��,


MM �(00-12)

DD (01-31)

hh �(00-23)

mm �(00-59)

CC ��, 20 �� 21. , �� .

YY ��(00-99). , �� .

-m ��

� � ��(grace �� )� �� policy� ��

�� . �� POSIX API� ��

� �� (: NIS)� �� . ��

�� HP-UX �� .

-m �� , ��

� ��

�� . �� (passwd ��), ��

� �� UNIX ��

� ��.

pdoslpadm �� , �� .

��

�. Tivoli Access Manager for Operating Systems ��

� �� , ��

�� .

-c �� UNIX �� policy� ��

� �� . -n �� NIS ��

�� NIS �� .

-c �� -n �� -m ��

� � �� Tivoli Access Manager for Operating Systems �

�� NIS �� . �� , NIS �

� � Tivoli Access Manager for Operating Systems� �� NIS ��

� �� policy� �� .

-p �� policy� ��. �� , �� policy

� ��. � � �� , � �� policy� ��

��. �� policy� �� , ��


� 8 � �� 281

-P �� policy� ��. �� , �� policy

� ��. � � �� , � �� policy� ��

��. �� policy� �� , ��


-x ��

�� .

-l �� UNIX �� .(��

�� .) �� .

-u �� UNIX �� . �

� � �� . � ��

�� . -u �� -z ��

��

0�� .

pdoslpadm �� 145 �� policy

� �� .

�

-v �� .

-h �� .

-? �� .

-q �� .

-r �� .

-f �� .

-e �� (�� ) �� .

-d � (�� ) �� .

-m �� . �� , ��

�� policy� MinPasswordDays� ��

��. � � MMDDhhssCCYY �� .

-c �� policy� ��

��.

-n -c �� NIS �� NIS

�� .

-p �� policy� ��.

-P �� policy� ��.


-x �� .

-l �� .

-u �� .

-z �� . (0

�� .)

��

<0 �� .

>=0 �� .

��

�� pdoslpadm �� .

1. Tivoli Access Manager for Operating Systems ��

� �� .

pdoslpadm -r

�� (uid), �� .

��(uid) ��<:�� >-------------------------------root(0) �� anne(202) �� riley(204) ��

2. anne� �� .

pdoslpadm -l anne

3. ��

�� .

pdoslpadm -r -d

�� (uid), �� .

��(uid) ��<:�� >-------------------------------anne(202) ��(��): Tue Mar 27 14:38:58 CST 2001

4. anne� �� .

pdoslpadm -u anne

5. �� policy� �� .

pdoslpadm -p root

�� .

� 8 � �� 283

Policy for root is:MinPasswordDays = 0MaxPasswordDays = 0MaxInactiveDays = 0MaxFailedLogins = 5MaxGraceLogins = 3LoginMinutes = 0LockMinutes = 0MaxConcurrent = 5PolicyDisabled = 0

6. �� policy� �� .

pdoslpadm -P root

�� .

Policy for root is:MinPasswordLen = 6MaxPasswordAlpha = 0MaxPasswordAlphaNum = 0MaxPasswordNumeric = 1MinPasswordLower = 0MinPasswordUpper = 0MinPasswordSpecial = 0MaxPasswordRepeat = 0PasswordNameCheck = 0PasswordHistory = 5PasswordOldPwdCheck = 1PasswordMaxConsPrev = 0PasswordNonNumFirstLast = 0MinPasswordDays = 0

7. �� anne ��

��.

pdoslpadm -x anne


pdoslradm

��

�� .

��

pdoslradm [-h] [-?] [-V]

[-c channel_name [-S option=value][-D options] [-d]]

[-d]

[-R]

[-b]

�

-V �� .

-h �� .

-? �� .

-c channel_name

�� , �� .

v -S option=value. �� . ��

�.

v -D option. �� .

-d pdoslrd.xml � � �� .

-R pdoslrd� �� (: �

� � �� ; �� ).

-b �� batch_mode �� pdoslrd� ��

� ��. pdoslrd �� pdoslradm ��

� �� . ��

�� pdoslradm �� -b ��

��. pdoslradm �� cron ��

��. Cron ��

��.

� 8 � �� 285

pdosobjsig

��


��.

��

pdosobjsig [-Vvh?]

[-t trace-string]

[-D DB-path] -g objname

[-D DB-path] -c objname

[-D DB-path] -u objname -s {trusted | untrusted}

[-D DB-path] -S {trusted | untrusted}

[-D DB-path] [-n] -l {all | trusted | untrusted}

[-D DB-path] -C

��

pdosobjsig �� Tivoli Access Manager for Operating Systems ��

�� , �� .

-D �� , �� . ��

/var/pdos/tcb �� . �� -g �� -l �

�� .

-g �� .

-l �� all, trusted �� untrusted ��

�� . ��, �� . -n ��

�� .

-c �� -C ��

�� . �� , ��

�� . -c ��

� ��. -C ��

� � ��.

-u� -s �� -S ��

� ��. -u ��

�� . -S ��

�� .

pdosobjsig �� .



� ��.

�� Trusted Computing Base� �

�� 84 �� TCB �� .

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-g objname

�� .

-C �� .

-c objname

�� .

-u objname -s { trusted | untrusted }

�� .

-S �� .

-l �� .

-n -l �� .

��

0 �� .

1 �� .

��

�� pdosobjsig �� .

1. �� /anne/usertest ��

��.

pdosobjsig -u /anne/usertest -s untrusted

2. ��

�� .

pdosobjsig -l untrusted

� 8 � �� 287

�� .

�� : /anne/usertestCRC � : 27920484410/5 �� 289 Inode�� : rwxr-xr-x� : 0 : root�� : 0 :�� : 6446�� : Fri Sep 15 11:04:12 2000�� : Fri Sep 15 11:04:12 2000�� : �� : �� .�� : Wed Oct 25 16:07:28 2000

3. �� /anne/usertest ��

� ��.

pdosobjsig -u /anne/usertest -s trusted

4. ��

�� .


5. /anne/usertest �� .

pdosobjsig -g /anne/usertest

�� .

�� : /anne/usertest�� : �� : �� .�� : Wed Oct 25 16:16:45 2000


pdosrefresh

��

�� , �� Tivoli Access Manager


��

pdosrefresh [-Vvh?]

[-t trace-string]

[-u uid] [-u uid ...]

[-n name] [-n name ...]

[-C]

��

pdosrefresh �� , �� Tivoli Access


-u, -n, �� -C �� , ��

�. -u �� , uid� �� . -n ��

� �� , �� . -u � -n ��

� � �� . -C ��

� ��.

-C �� , �� .

pdosrefresh �� -u, -n �� -C �� Tivoli Access Manager for


�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-u uid

� � �� UID� ��.

� 8 � �� 289

-n name

� � �� UNIX �� .

-C �� .

��

0 �� .

1 �� .

��

�� pdosrefresh �� .

1. �� .

pdosrefresh

2. UID� 300� anne � riley ��

��.

pdosrefresh -n anne -u 300

3. �� .

pdosrefresh -C


pdosrevoke

��


��

pdosrevoke [-Vvh?]

[-t trace-string]

[pid [pid ...]]

��

pdosrevoke �� pdosexempt �� Tivoli Access


�� pdosrevoke �� OSSEAL �� (osseal) ��

�� policy� �� . �� pid ��

� pdosexempt� �� .

pdosrevoke �� pid �� pid �� pid� ��

�� policy� �� . pid �� pdosrevoke ��

� �� .

pdosexempt -i �� . ��

�� .


� ��.

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

��

0 �� .

1 �� .

� 8 � �� 291

��

�� pdosrevoke �� .

1. pdosexempt �� OSSEAL ��

� ��.

pdosrevoke

�� .

�� osseal(uid 1444)�(�) �� PDOS policy�� .

�� uid� �� .

2. pdosexempt �� pid 9688� ��

�.

pdosrevoke 9688

�� .

�� 9688�(�) �� PDOS policy�� .


pdosrgyimp

��

UNIX �� Tivoli Access Manager �� .

��

pdosrgyimp [-u |-g |-a]

[-dinrVvh?]

[-G default-group]

[-S suffix ]

[-P password]

[-L log-directory]

[-E exclude-file]

[-I include-file]

[-l PD-login-id ]

[-p PD-password]

[-D domain]

��

pdosrgyimp �� UNIX �� UNIX �� Tivoli Access

Manager �� . �� Tivoli Access Manager ��

�� ‘��’�� . �� -d ��

�� . � Tivoli Access Manager ��

�� ‘�� ’�� .

�� UNIX �� . -u, -g � -a �

�� , ��

�� . �� .

-I �� UNIX ��

�.

-E �� UNIX �� .


�� , �� . � ��

�� . � ��

Tivoli Access Manager �� , ��

� UNIX � �� . -r ��

� � �� .

� 8 � �� 293

UNIX �� Tivoli Access Manager ��

Tivoli Access Manager �� UNIX ��


�� .

�� -S �� . � ��

�(dn)� �� Tivoli Access Manager ��

��. Tivoli Access Manager �� .

user name

UNIX ��

user cn

UNIX ��

user sn

UNIX ��

user dn

cn=pdos �� UNIX-user-name, suffix

group name

UNIX � ��

group cn

UNIX � ��

group dn

cn=pdos � UNIX-user-name, suffix

pdosrgyimp �� pdosrgyimp.import �

pdosrgyimp.conflict� � �� . Tivoli Access Manager ��

�� pdosrgyimp.import � � ��

��. � Tivoli Access Manager ��

�� , �� pdosrgyimp.conflict

� � ��.

�� pdadmin ��

�� . pdosrgyimp.conflict � � ��

�� pdadmin �� . � �, ��

� ��.

### create user failed#user create "test1" "cn=pdos user test1,ou=tivoli,o=ibm" "test1" "test1" "s12t"

pdosrgyimp.import � �� .


### create user#user create "riley" "cn=pdos user riley,ou=tivoli,o=ibm" "riley" "riley""3AD4l00u"user modify "riley" password-valid nouser modify "riley" account-valid yes### create user#user create "maggie" "cn=pdos user maggie,ou=tivoli,o=ibm" "maggie" "maggie""34pkjTaU"user modify "maggie" password-valid nouser modify "maggie" account-valid yes### create group#group create "canine" "cn=pdos group canine,ou=tivoli,o=ibm" "canine"group modify "canine" add "riley"group modify "canine" add "maggie"

-n �� noaction �� -n �� pdadmin ��

�� .

�

-V �� .

-v �� .

-h �� .

-? �� .

-u UNIX �� .

-g UNIX �� .

-a UNIX �� .

-i UNIX �� , �� LDAP ��


LDAP�� .

-n �� . pdadmin �� .

-r �� . ��

� � Tivoli Access Manager� �� , UNIX ��

� �� Tivoli Access Manager �� .

-d �� Tivoli Access Manager ��

��.

� 8 � �� 295

-G default-group


�� . � �� .

-S suffix-string


�� Tivoli Access Manager � �� . � � �� Tivoli

Access Manager �� .

-L log-directory

pdosrgyimp.import � pdosrgyimp.conflict ��

��.

-E exclude-file

�� UNIX ��

�. � � �� .

# Comment charactersUSER UNIX_user_nameUSER UNIX_user_nameGROUP UNIX_group_nameGROUP UNIX_group_name...

-I include-file

�� UNIX �� .

� � �� .

# Comment charactersUSER UNIX_user_nameUSER UNIX_user_nameGROUP UNIX_group_nameGROUP UNIX_group_name...

-P password


� �� .

-l PD-login-id

�� Tivoli Access Manager �� ID� ��. � ��

� iv-admin �� .

-p PD-password

Tivoli Access Manager �� ID� �� . ��

�� , �� .

-D domain


�. � �� , Tivoli Access Manager for Operating Systems


� �� . Tivoli Access Manager for Operating

Systems� �� , Tivoli Access Manager� ��

��.

��

0 �� .

1 �� .

��

�� pdosrgyimp �� .

1. UNIX �� .

pdosrgyimp -S o=ibm -l sec_master

2. UNIX �� Tivoli Access

Manager �� UNIX ��

� �� .

pdosrgyimp -S o=ibm -l sec_master -r

3. �� exclude.1� �� UNIX

�� .

pdosrgyimp -S o=ibm -l sec_master -E exclude.1

4. �� include.1� �� UNIX �

�� .

pdosrgyimp -S o=ibm -l sec_master -I include.1

5. �� include.2� �� UNIX ��

�� default-group �� .

pdosrgyimp -S o=ibm -l sec_master -u -I include.2 -G default-group

6. �� include.2�� UNIX ��

�� exclude.2� ��

�� .

pdosrgyimp -S o=ibm -l sec_master -g -I include.2 -E exclude.2

� 8 � �� 297

pdosrstr

��


� � � ��.

��

pdosrstr [-Vh?] -f filename

��

pdosrstr �� pdosbkup �� Tivoli Access Manager

for Operating Systems � � ��. � � -f ��

��.


� ��.

�

-V �� .

-h �� .

-? �� .

-f filename

�� .

��

0 �� .

1 �� .

��

�� pdosrstr �� .

1. �� pdosbkup25Oct2001.14_32_41.tar � � ��

� � �� .

pdosrstr -f /var/pdos/pdosbkup/pdosbkup25Oct2001.14_32_41.tar


pdosshowuser

��

�� .

��

pdosshowuser [-Vvh?cgalp] -u uid | -n name]

[-t trace_string]

��

pdosshowuser �� . ��

�� , -c, -g, -l, -a � -p ��

�� .

�

-V �� .

-v �� .

-h �� .

-? �� .

-u uid

�� UID� ��.

-n name

�� UNIX� ��.

-c �� .

-a �� .

-l �� policy �� .

-g �� Tivoli Access Manager � ��

�.

-p �� policy �� .

-t trace-string

� �� .

��

pdosshowuser �� .

� 8 � �� 299

v �� , root� �� (Tivoli Access Manager �, �

�� , �� , �� policy � �� policy) ��

��.

pdosshowuser

�� .�� root (uid 0)��

root�(�) �� Access Manager �� .osseal-adminosseal-auditors��

root�(�) ��.�� Mon Aug 11 12:14:12 CDT 2003� �� .

�� .�� Mon Aug 11 12:23:44 CDT 2003� �� .

�� . �� AuditAuth policy� root� �� .

none root� �� AuditTrace policy� ��.�� policy �� MaxInactiveDays = 0

MaxFailedLogins = 0MaxGraceLogins = 0

LoginMinutes = 0LockMinutes = 0

MaxConcurrent = 0PolicyDisabled = 1

MinPasswordDays = 0MaxPasswordDays = 0

�� policy ��MinPasswordLen = 8MinPasswordAlpha = 4MinPasswordAlphaNum = 0MinPasswordNumeric = 2MinPasswordLower = 0MinPasswordUpper = 0MinPasswordSpecial = 0MaxPasswordRepeat = 0PasswordNameCheck = 0PasswordHistory = 0PasswordOldPwdCheck = 0PasswordMaxConsPrev = 0PasswordNonNumFirstLast = 0

MinPasswordDays = 0

v riley �� .

pdosshowuser -c -n riley

riley� �� , �� .

�� riley (uid 204)��

riley�(�) ��.riley� �� .

riley� �� , �� .


riley�(�) ��.�� Mon Aug 11 12:30:06 CDT 2003� �� .


�� Mon Aug 11 12:45:06 CDT 2003� ��.�� Mon Aug 11 12:30:06 CDT 2003� �� .�� Mon Aug 11 12:50:06 CDT 2003� ��.

v riley �� .

pdosshowuser -a -n riley

�� .


�� AuditAuth policy� riley� �� .deny �� AuditTrace policy� riley� �� .

exec_l

� 8 � �� 301

pdossudo

��

�� UNIX �� .

��

pdossudo [-Vvh?]

[-t trace-string]

command-alias [arg [arg ...]]

��

pdossudo �� UNIX �� UNIX ��

� �� . ��

�� .

v �� Tivoli Access Manager for Operating Systems �� Sudo ��

��

� �� .

v �� Tivoli Access Manager for Operating Systems �� sudo �

�(�� ACL� �� )� ��

�� .

v �� .

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

��

0 �� .

1 �� .


��

pdossudo �� 66 �� Sudo ��

��.

� 8 � �� 303

pdosteccfg

��

Tivoli Enterprise Console �� pdostecd� ��.

��

pdosteccfg [-vh?]

[-admin_name user_admin_name]

[-admin_pwd user_admin_password]

[-autostart ( on | off) ]

[-burst number-of-events]

[-delay number-of-seconds]

[-delete option [, option ...]]

[-help]

[-interval number-of-seconds]

[-log_entries number-of-entries]

[-logs number-of-logs]

[-operations]

[-rspfile response-file-name]

[-sec_master_pwd Policy_Director_password]

[-usage]

[-version]

��

pdosteccfg �� pdostecd �� .

pdostecd �� /var/pdos/audit/audit.log � � ��

�. � � � �� pdostecd �� . ��

�, �� . �� audit.log � � �� ,

pdostecd �� .


� ��.

�

-v �� .

-h � �� .

-? �� .

-admin_name

Tivoli Access Manager �� . -admin_pwd� ��

-sec_master_password� ��.


-admin_pwd



-autostart

pdostecd �� .

-burst ��

-delay �� (�)

-delete

�� . ��

� �� .

v burst

v delay

v interval

v log_entries

v logs

.

-help � �� .

-interval

�� (�)

-log_entries

� �� msg__pdostecd.log �� . 0(��

)� � �� .

-logs �� msg__pdostecd.log � �. 0� �

�� . � �� log_entries � 0� �

�� .

-operations

�� .

-rspfile

�� . ��

� �� .

-sec_master_pwd


-usage �� .

-version

�� .

� 8 � �� 305

��

0 �� .

1 �� .

��

pdostecd �� .

pdosteccfg -autostart on


pdostecucfg

��

Tivoli Enterprise Console �� pdostecd� �� .

��

pdostecucfg [-admin_name user_admin_name]


[-help]

[-operations]

[-remove_per_policy (on | off)]


[-sec_master_pwd Policy_Director_password]

[-usage]

[-version]

[-?]

��

pdostecucfg �� pdostecd �� . pdosucfg �


� pdostecd �� .


� ��.

�

-admin_name



-admin_pwd



-help �� . ��

� �� .

pdostecucfg -help option

-operations

�� .

-remove_per_policy

� �� policy �� Tivoli Access Manager

� 8 � �� 307

for Operating Systems �� . �� Tivoli Access Manager

for Operating Systems �� policy ��

�� . �� , �� . policy

�� policy� �� , ��

��.

��: off

-rspfile

��

-sec_master_pwd


-usage �� .

-version

�� .

-? �� .

��

0 �� .

1 �� .


pdosucfg

��


��

pdosucfg [-admin_name user_admin_name]


[-help]

[-lrd_admin_name user_admin_name]

[-lrd_admin_pwd user_admin_password]

[-operations]

[-remove_once_only (on | off)]

[-remove_per_policy (on | off)]


[-usage]

[-version]

[-?]

��

pdosucfg �� pdosd �� . Tivoli Access

Manager for Operating Systems� �� pdostecucfg ��

�� pdostecd �� . 307 �� pdostecucfg��

��


� ��.

�

-admin_name



-admin_pwd



-help �� . ��

� -help -option� ��.

-lrd_admin_name



� 8 � �� 309

-lrd_admin_pwd



-operations

�� .

-remove_once_only

Tivoli Access Manager for Operating Systems �� policy� � ��

��. �� IBM Tivoli Access Manager for Operating Systems ��

� Tivoli Access Manager �� , �� . ��

�� . �� policy� �� , ��

�� .

��: off

-remove_per_policy

� �� policy �� Tivoli Access Manager

for Operating Systems �� . �� Tivoli Access Manager

for Operating Systems �� policy ��

�� . �� , � �� .

policy �� policy� �� , ��

� ��.

��: off

-rspfile

��

-usage �� .

-version

�� .

-? �� .

��

0 �� .

1 �� .


pdosuidprog

��

�� setuid �� setgid �� TCB(Trusted

Computing Base)� � � �� .

��

pdosuidprog

pdosuidprog -l [-H] [-s] [-x directory [-x directory ...]] [directories [directories ...]]

-g [-c { Secure-files | Secure Programs | Impersonator Programs

| Immune-Programs | Immune-Surrogate Programs}] [-H] {-s}

[-p policy-branch]

[-x directory [ -x directory...]] [ directories

[directories ...]]

[-Vvh?] [-t trace-string]

��

pdosuidprog �� setuid � setgid �� . �

�� , ��

�� . � �� /dev ��

�� Solaris �� Linux �� /proc ��

�.

�� . ��

�, �� . �� -x �

�� .

pdosuidprog ��

��. �� . �

� �� -x �� .

pdosuidprog �� -l �� -g ��

� �� . -l �� , pdosuidprog ��

� �� setuid � setgid �� . �� , setuid

�� uid, �� setgid �� gid� ��.

-H �� -l �� , ��

�.

-l �� -g �� -l �� -g� �� . -g ��

�� , pdosuidprog �� setuid � setgid �� TCB(Trusted Computing

Base)� �� pdadmin �� .

� 8 � �� 311

-H �� -g �� , ��

� ��.

Tivoli Access Manager TCB ��

Secure-Programs��. �� -c �� .

class-name� �� .

v Secure-Files

v Secure-Programs


v Immune-Programs


Trusted Computing Base �� policy �

�� osseal.conf � �� . -p �� policy ��

� � ��.


� ��.

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-l � �� .

-g pdadmin �� .

-H �� .

-s �� .

-c class-name

pdadmin �� .

-p policy-name

pdadmin �� policy �� .

-x dir

�� . ��

�� .


��

0 �� .

1 �� .

��

�� pdosuidprog �� .

1. �� setuid � setgid ��

�� .

pdosuidprog -l

�� .

/opt/pdos/bin/pdosunauth : 1444 : 228/opt/pdos/bin/pdosrefresh : 1444 : 228/opt/pdos/bin/pdosdestroy : 1444 : 228/opt/pdos/bin/pdoswhoami : : 228/opt/pdos/bin/pdoswhois : 1444 : 228/opt/pdos/bin/pdossudo : 0 : 228/opt/pdos/bin/pdosexempt : 1444 : 228/opt/pdos/bin/pdosrevoke : 1444 : 228/opt/pdos/bin/pdosctl : : 228 /opt/pdos/bin/pdosd : 0 : 228/opt/pdos/bin/pdoswdd : 0 : 228/opt/pdos/bin/pdosauditd : 0 : 228

2. /opt �� /opt/pdos/bin�� setuid � setgid ��

� �� policy branch testbranch� �� pdadmin ��

�� .

pdosuidprog -g -x /opt/pdos/bin -p testbranch /opt

��(�� )� �� .

object create \/OSSEAL/testbranch/TCB/Secure-Programs /opt/local/bin/ansuprog \"" 2 ispolicyattachable yes

� 8 � �� 313

pdosunauth

��

�� .

��

pdosunauth [-Vvh?]

[-t trace-string]

[command]

��

pdosunauth �� Tivoli Access Manager for Operating Systems ��

�� . � ��

�� . command� �� , ��

�� .

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

command

��

��

0 �� .

1 �� .

��

1. ��

� ��.

pdosunauth

2. �� /var/pdos/cred ��

��.


pdosunauth ls /var/pdos/cred

�� .

ls: /var/pdos/cred:The file access permissions do not allow the specified action.

� 8 � �� 315

pdosversion

��


��

pdosversion

��

pdosversion �� Tivoli Access Manager for

Operating Systems� �� .

��

0 �� .

1 �� .

��


��.

pdosversion

�� .

IBM Tivoli Access Manager for Operating Systems 5.1.0pdosversion 5.1.0.0 (030725)libosseald 5.1.0.0 (030725)libosseal 5.1.0.0 (030725)libkosseal 5.1.0.0 (030725)liblpm 5.1.0.0 (030725)


pdoswhoami

��

Tivoli Access Manager for Operating Systems �� ID �� .

��

pdoswhoami [-Vvh?]

[-t trace-string]

[-{n | a | l}]

��

pdoswhoami �� Tivoli Access Manager for Operating

Systems �� .

�� , pdoswhoami �� Tivoli Access Manager


-n �� ID� ��.

-a �� ID � �� .

-l �� ID, Tivoli Access Manager for Operating Systems

�� .


v ��

v ��

v ��

v ��

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-n �� UID� ��.

-a �� UID � �� .

� 8 � �� 317

-l �� UID, �� Tivoli Access Manager for Operating Systems �

�� .

��

0 �� .

1 �� .

��

�� pdoswhoami �� .


� �� .

pdoswhoami

�� riley��.


� UID� �� .

pdoswhoami -a

�� 204 riley��.

3. �� Tivoli Access Manager for Operating Systems �� ,

UID � �� .

pdoswhoami -l

�� .

204 riley�� . staff�� Wed Oct 25 08:21:40 2001� �� .�� Wed Oct 25 08:41:40 2001� ��.�� Wed Oct 25 08:31:20 2001��.�� Wed Oct 25 08:56:20 2001� ��.


pdoswhois

��

�� ID� �� Tivoli Access Manager for Operating Systems ��

� ID �� .

��

pdoswhois [-Vvh?]

[-t trace-string]

[-l] pid [pid [pid ...]]

��

pdoswhois �� ID �� Tivoli Access Manager for

Operating Systems �� ID �� . pid �� pdoswhois ��

�� . �� Tivoli Access Manager for

Operating Systems �� ID � �� ID� ��.

-l �� , pdoswhois ��

��.


v ��

v ��

v ��

v ��

�

-V �� .

-v �� .

-h �� .

-? �� .

-t trace-string

� �� .

-l �� Tivoli Access Manager for Operating Systems

�� UID, �� .

� 8 � �� 319

��

0 �� .

1 �� .

��

1. � �� Tivoli Access Manager for Operating Systems �� ID �

�� .

pdoswhois 170358

�� .

170358 PID� �� . UID = 204, �� = riley.

2. �� Tivoli Access Manager for Operating Systems �� ID �

�� .

pdoswhois 170358 53804 219134

�� .

170358 PID� �� . UID = 204, �� = riley.PID� 53804� �� .219134 PID� �� . UID = 0, �� = root.

3. �� Tivoli Access Manager for Operating Systems �� ID �

�� .

pdoswhois -l 170358 219134

��(�� )� �� .

170358 PID� �� . UID = 204, �� = riley.�� : staff�� Wed Oct 25 08:56:39 2000� �� .�� Wed Oct 25 09:16:39 2000� ��.�� Wed Oct 25 08:40:12 2000��.�� Wed Oct 25 09:05:12 2000� ��.-------------------------------------------------------219134 PID� �� . UID = 0, �� = root.�� .osseal-admin osseal-auditors�� Wed Oct 25 08:59:05 2000� �� .�� .�� Wed Oct 25 09:00:51 2000��.�� .


policyview

��

Tivoli Access Manager �� policy� ��.

��

policyview [-h] [-?] [-V] [-v] [-u]

[-a admin_name]

[-p admin_password]

[-d domain]

[-r resource]

[-o out file]

[-c low | medium | high ]

[-t trace-string]

��

policyview �� Tivoli Access Manager policy ��

� �� policy� �� . �� pdadmin

�� .

�

-V �� .

-v �� .

-h �� .

-? �� .

-u �� (upward)� ��.

-a -admin_name� ��. �� Tivoli Access Manager for Operating

Systems �� , �� -sec_master� ��

� ��.

-p admin_name �� . �� , ��

�� .

-d �� . Tivoli Access Manager for Operating Systems� �

�� , �� Tivoli Access

Manager �� .

-r � �� . Tivoli Access Manager for Operating Systems

� ��, �� /OSSEAL �� /OSSEAL/branch��.

-o �� . �� ./objectview��.

� 8 � �� 321

-c �� . �� .

-t trace-string

� �� .

��

0 �� .

1 �� .

��

��

v �: �� , ACL ��(�� ), POP ��(��

)� ��.

v ��: � �� , Tivoli Access Manager for Operating

Systems� POP ��, POP � ACL� �� ACL �� .

�� .

v ��: �� . ��, ��, ACL � POP

� �� ACL �� .

��

1. Trusted Computing Base�� .

policyview -a sec_master -p dever -r /OSSEAL/branch/TCB

2. Tivoli Access Manager �� research�� policy �� dev� TCB

�� .

policyview -a research_admin -p mysecret -d research -r /OSSEAL/dev/TCB

3. /opt/pdos� � ��

��.

policyview -p dever -r /OSSEAL/branch/File/opt/pdos -c medium


� 9 � Tivoli Enterprise Console� ��

IBM Tivoli Access Manager for Operating Systems�� Tivoli Enterprise Console

�� . � �� IBM Tivoli Access Manager for

Operating Systems� Tivoli Enterprise Console �� Tivoli Enterprise

Console �� . Tivoli Access Manager for Operating

Systems, �� 5.1� Tivoli Enterprise Console, �� 3.8 �� 3.9� ��. Tivoli

Enterprise Console� �� Tivoli

Enterprise Console �� .

�

Tivoli Access Manager for Operating Systems� � �� Tivoli

Enterprise Console �� . Tivoli Access Manager for Operating

Systems� Tivoli Enterprise Console� �� Tivoli Access

Manager for Operating Systems Enterprise Console Integration ��

��.

v TMR(Tivoli Management Region)

v Tivoli Enterprise Console ��


� ��

�� Tivoli Access Manager for Operating Systems� �� Tivoli

Access Manager for Operating Systems� �� Tivoli Enterprise Console ��

�� . Tivoli Access Manager for Operating Systems

Enterprise Console Integration �� IBM Tivoli Access Manager for

Operating Systems � �� . Tivoli Enterprise Console ��

�� .

�: Tivoli Enterprise Console �� Tivoli

Enterprise Console� ��


Integration �� Tivoli Enterprise Console ��

� � ��

Tivoli Access Manager for Operating Systems Enterprise Console Integration

� �, �� PDOSTECD �� . Tivoli Access

Manager for Operating Systems� Tivoli Enterprise Console ��


� �� . � �� , Tivoli

Access Manager for Operating Systems� �� .

�:

1. �� , ��

� �� .

2. Tivoli Access Manager for Operating Systems �� Tivoli Risk Manager

�� Tivoli Enterprise Console � ��

Tivoli Enterprise Console �� . �� Tivoli

Access Manager for Operating Systems �� Tivoli Enterprise Console


3. /var/pdos/audit/audit.log � � pdostecd �� . � � � �

�� , pdostecd ��

�� . � � �� pdostecd ��

�� .

��

Tivoli Access Manager for Operating Systems �� Tivoli

Enterprise Console ��

��.

�:

1. Tivoli Access Manager for Operating Systems� ��

�� . ��

�� .

2. Tivoli Enterprise Console �� Tivoli




� � ��.

3. �� PDOS-ACPROF �� Tivoli Access Manager



� �� PDOS �� (PDOS-ACPROF)�

�� tecad_logfile_pdos �� . ��

�� Tivoli Enterprise Console �� .

�� .


1. Tivoli Enterprise Console �� Tivoli Access Manager for

Operating Systems �� PDOS-ACPROF� ��.

� �� Tivoli Access Manager for Operating Systems� Tivoli

Enterprise Console �� .

2. Setup TEC Event Server for PDOS �� , �� Tivoli

Access Manager for Operating Systems� Tivoli Enterprise Console ��

�� .

�� 204 �� Setup TEC Event Server for PDOS��

��.

3. PDOSTECD �� . �� 91 �� pdostecd

Tivoli Enterprise Console �� .

Setup TEC Event Server for PDOS �� Tivoli Enterprise Console


��. �� Tivoli Access Manager for Operating Systems � ��

LOGFILE �� .

Tivoli Access Manager for Operating Systems� Tivoli Enterprise Console ��

� �� , �� /etc/Tivoli/tecad/pdos/bin ��

� �� stop_tecad_pdos� ��. �� Stop TEC Adapter ��

� �� . �� , � � ��

�� start_tecad_config_pdos� ��. �� Start TEC Adapter ��

� �� . �� Tivoli Enterprise Console ��

�� .

�� 213 �� PDOS TEC �� 213 �� PDOS TEC

�� .

� 9 � Tivoli Enterprise Console� �� 325

� 10 � IBM Tivoli Risk Manager� ��

IBM Tivoli Access Manager for Operating Systems�� IBM Tivoli Risk Manager

�� . � �� IBM Tivoli Access Manager for

Operating Systems� Tivoli Risk Manager �� Tivoli ��

�� . Tivoli Access Manager for Operating Systems,

�� 5.1� �� Tivoli Risk Manager �� .

v Tivoli Risk Manager, �� 4.1(Tivoli Enterprise Console, �� 3.8 �)

v Tivoli Risk Manager, �� 4.2(Tivoli Enterprise Console, �� 3.9 �)

Tivoli Risk Manager� �� IBM Tivoli Risk Manager ��

�� .

�

IBM Tivoli Access Manager for Operating Systems� � �� Tivoli

Risk Manager �� . Tivoli Access Manager for Operating Systems�

Tivoli Risk Manager� �� Tivoli Access Manager for

Operating Systems Enterprise Console Integration� � ��.

v TMR(Tivoli Management Region)

v Tivoli Enterprise Console ��


��

�� Tivoli Access Manager for Operating Systems� �� Tivoli

Access Manager for Operating Systems� �� Tivoli ��

� �� . Tivoli Access Manager for Operating Systems Enterprise Console

Integration �� IBM Tivoli Access Manager for Operating Systems

� �� . Tivoli ��

�� .


� �, Tivoli Access Manager for Operating Systems� Tivoli Risk Manager �

�� . � ��

� ��, Tivoli Access Manager for Operating Systems� ��

��.


�:

1. �� , ��

� �� .

2. Tivoli Access Manager for Operating Systems �� Tivoli Risk Manager

�� Tivoli Enterprise Console � ��

Tivoli Enterprise Console �� . �� Tivoli

Access Manager for Operating Systems �� Tivoli Enterprise Console


3. /var/pdos/audit/audit.log � � pdostecd �� . � � � �

�� , pdostecd ��

�� . � � �� pdostecd ��

�� .

Tivoli Risk Manager� ��

Tivoli Access Manager for Operating Systems �� Tivoli �

� � �� .

�:

1. Tivoli Access Manager for Operating Systems� �� Tivoli ��

� �� . ��

�� .

2. Tivoli Enterprise Console �� Tivoli




� � ��.

3. �� PDOS-RISKMGR-ACPROF �� Tivoli Access


��.


� �� PDOS �� (PDOS-RISKMGR-

ACPROF)� �� tecad_logfile_pdos_riskmgr ��

��. �� Tivoli Enterprise Console ��

�� .

�� .

1. Tivoli Risk Manager �� Tivoli Access Manager for

Operating Systems �� PDOS-RISKMGR-ACPROF� ��.


� �� Tivoli Access Manager for Operating Systems� Tivoli

�� .

2. Setup TEC Event Server for PDOS �� , �� Tivoli

Access Manager for Operating Systems� Tivoli Risk Manager ��

�� .

�� 204 �� Setup TEC Event Server for PDOS��

��.

3. �� Tivoli Enterprise Console �� Microsoft Windows

NT �� , pdosrm.baroc � � ��

$RMADHOME/etc/riskmgr_baroc.lst � � �� . ��

�� Tivoli Enterprise Console� �� pdos.baroc

� � ��. � �� bash ��

�� .

cp $BINDIR/../generic_unix/TME/PDOSTASKS/pdosm.baroc $RMADHOME/etc/baroc/cp $BINDIR/../generic_unix/TME/PDOSTASKS/pdos.baroc $RMADHOME/etc/baroc/$RMADHOME/bin/rmcorr_cfg -update

4. pdostecd �� . �� 91 �� pdostecd


Setup TEC Event Server for PDOS �� Tivoli Enterprise Console


��. �� IBM Tivoli Access Manager for Operating Systems � ��

� LOGFILE �� .

Tivoli Access Manager for Operating Systems� �� Tivoli ��

��, /etc/Tivoli/tecad/pdos/bin �� stop_tecad_pdos

� �� Stop TEC Adapter �� . ��

�� , � � �� start_tecad_config_pdos� ��

�� Start TEC Adapter �� . Tivoli Access

Manager for Operating Systems� �� Tivoli ��

�� .

�� 213 �� PDOS TEC �� 213 �� PDOS TEC

�� .

IBM Tivoli Enterprise Data Warehouse� ��

Tivoli Access Manager for Operating Systems Risk Manager �� IBM Tivoli

Enterprise Data Warehouse� �� . �� IBM Tivoli Enterprise

Data Warehouse� �� .

� 10 � IBM Tivoli Risk Manager� �� 329

1. IBM Tivoli Risk Manager, �� 4.1� ��

��.

2. Tivoli Risk Manager �� .

. /etc/Tivoli/setup_env.sh

�

. /etc/Tivoli/rma_eif_env.sh

3. Tivoli Risk Manager �� , �� .

$RMADHOME/bin/wrmadmin --k

4. �� .

cp $BINDIR/../generic_unix/TME/PDOSTASKS/pdosrm.baroc $RMADHOME/etc/baroc

5. �� .

cp $BINDIR/../generic_unix/TME/PDOSTASKS/pdos.baroc $RMADHOME/etc/baroc

6. $RMADHOME/etc �� riskmgr_baroc.lst � � �� pdosrm.baroc

� � baroc � �� . �� Tivoli Enterprise

Console� �� pdos.baroc � � ��.

7. ��:

$RMADHOME/bin/rmcorr_cfg --update

8. �� Tivoli Risk Manager �� .

$RMADHOME/bin/wrmadmin --r

�: $RMADHOME� Tivoli Risk Manager� ��

��.



A. Policy � ��

� 53. �� IBM Tivoli Access Manager for Operating Systems � ��

� � � � ��

� �� File

RootDir

�� NetIncoming

NetOutgoing

�� Login

Login/Terminal/Local

Login/Terminal/Remote

Login/Holidays

�� Surrogate

Sudo � Sudo

Trusted Computing Base � TCB/Login-Programs

TCB/Secure-Files

TCB/Secure-Programs

TCB/Impersonator-Programs

TCB/Immune-Programs

TCB/Immune-Surrogate-Programs

�� Password

� � AuditAuth

AuditTrace

� 54. [OSSEAL] �� Tivoli Access Manager for Operating Systems ��

�� IBM Tivol i Access Manager for

Operating Systems � �

C �� NetIncoming � NetOutgoing

D �� File

G �� Surrogate

K Kill �� File

L �� Login

N �� File

R �� File

U �� File

d �� File

l �� File

o �� File

p �� File

r �� File

w �� File

x �� File � Sudo



��

a ACL �� POP ��

b ��

c ACL ��

d ��

m ��

v ��


��

B ��

T ��


B. ��

� �� POSIX RE(Regular Expression) ��

� ��. � 57� � �� .

� 57. � ��

��

^( � ��) � ��

�� . �

��

�� . � �

��

� � ��

� ��. ��

� ��

� ��.

[^a-z]

� �� ASCII ��

�� .

[ab^]

� �� ‘a’, ‘b’ �� ‘^’�

��.

](�� ) ��

�� . � ��

��

��

��.

[]]

� �� ‘]’ ��

�.

[a]]

�� .

[.collating-symbol.] [..] ��

� ��

��. � �, [.ch.]��

�. [..] ��

� � �� , ��

��

��.

[[.ch.]]+c

� �� ″chchc″� ��

″hc″ �� ″cc″ ��

� ��.

[[.qx.]]

�� .

[=equivalence-class=] [= =] ��

� � � ��. ��

�� , ��,

��

�� .

[[=a=]]

� �� ‘a’, ‘A’, ‘A’ � �

� A �� .


� 57. � �� (��)

��

[:character-class:] [::] ��

� � ��. ��


� LC_CTYPE ��

� ��. ��

�� 58� �

� ��. PDOSD� ��

��

��.

[[:digit:]]

� ��

��.

[[:lower:]]

� �� C �� [a-z]�

� �� (: ��

� ��(q))� ��.

� 58. ��

��

[:alnum:] �� 10�� ‘a’, ‘A’, ‘6’

[:alpha:] �� ‘a’, ‘A’, ‘Z’

[:blank:] �� space, tab, newline

[:cntrl:] ASCII �� ‘^A’, ‘^C’

[:digit:] 10�� ‘0’, ‘1’, ‘2’, ‘3’

[:graph:] ��

[:lower:] �� ‘a’, ‘b’, ‘c’

[:print:] �� [:alnum:], [:graph:], [:punct:]�

��

� [:cntrl:]� ��

[:punct:] �� ‘,’, ‘″’

[:space:] �� : space � tab �� , � �

[:upper:] �� ‘A’, ‘B’, ‘C’

[:xdigit:] 16� � ‘0’, ‘3’, ‘A’, ‘f’


C. Tivoli Enterprise Console � Tivoli Risk Manager �

��

IBM Tivoli Access Manager for Operating Systems� Tivoli Enterprise Console

�� UNIX ��

� �� . �� Tivoli Enterprise Console� �

��. �� . � ��

�� Tivoli Enterprise Console� ��

�� .


v ��(��/��/��)

v ��

– ��

– ��

– ��

v ��

v �� (��/��/��)

v ��

v ��

v �� (��/��)

v �� (��/��)

v �� (��/��)

v ��

v ��

v �(��/��)

v LDAP ��(��/�� )

v � �(��/��)

v Trusted Computing Base ��(��/��)

v Trusted Computing Base ��(��/��)

v policy(��/�� )

v policy ��(��/��)

v �� (��/��)


v �� (��/��)

v �� (��/��)

v � ��(��/��)

v ��

v su ��(��/��/��)

v �� (��/��)

Tivoli Enterprise Console �� , Tivoli Access Manager for

Operating Systems �� 323

�� 9 � �Tivoli Enterprise Console� �� . Tivoli Enterprise

Console� �� Tivoli Enterprise Console ��

��.

Tivoli Enterprise Console ��

� 59. �� Tivoli Enterprise Console ��

��

AMOS Process Started

Successfully. Process:

AMOS_run_srn

Tivoli Access Manager

for Operating Systems

�� .

AMOS_ProcessStartSuccess �

AMOS Process Start

Failed. Process:

AMOS_run_srn



��

�.

AMOS_ProcessStartFail ��

AMOS Process Stopped


AMOS_run_srn



�� .

AMOS_ProcessStopSuccess �

AMOS Process Stop

Failed. Process:

AMOS_run_srn



��

��.

AMOS_ProcessStopFail ��

AMOS Process

Adopted Successfully.

Process: AMOS_run_srn



��

�� .

AMOS_ProcessAdoptSuccess �

AMOS Process Adopt

Failed. Process:

AMOS_run_srn

��


for Operating Systems �

��

��.

AMOS_ProcessAdoptFail ��

AMOS Authorization

Decision API Failed.

�� API��

��.

AMOS_AznApiFailure ��


� 59. �� Tivoli Enterprise Console �� (��)

��

Kernel lost contact with

pdosd

AMOS �� pdosd �

� � ��

�. ��

��.

AMOS_LostContact ��

Kernel has regained

contact with pdosd.


� � ��

�.

AMOS_ContactRestored ��

A kosseal_register call

was made to acquire

privileged access.



��

��.

AMOS_RegisterSuccess �


failed to acquire

privileged access.



��

� �� .

AMOS_RegisterFail ��

Policy Director user

registry is available.


��

��. policy �

��

��.

AMOS_LdapServerUp �


register is unavailable

(isolation mode).


��

��. policy� ��

� � ��.

AMOS_LdapServerDown ��

� 60. � �� Tivoli Enterprise Console ��

��

Failed File Access. File

AMOS_acc_name

Program:

AMOS_run_srn Action:

AMOS_permission

� � ��

��.

AMOS_FileAccessDeny ��

Warning File Access.

File AMOS_acc_name

Program:

AMOS_run_srn Action:

AMOS_permission

policy� ��

� ��, �

� ��

��.

AMOS_FileAccessWarning ��


��

Failed Incoming

Network Connection.

From Host:

AMOS_ipaddress

Services: AMOS_port

��

��

��.

AMOS_IncomingNetConn

Deny

��

�� C. Tivoli Enterprise Console � Tivoli Risk Manager �� 337


��

Warning Incoming

Network Connection.

From Host:

AMOS_ipaddress

Services: AMOS_port

policy� ��

� ��, ��

��

� �� .

AMOS_IncomingNetConn

��

��

Failed Outgoing Network

Connection. To Host:

AMOS_ipaddress User:

AMOS_acc_name

Program: AMOS_run_srn

��

� ��

�.

AMOS_OutgoingNetConn

Deny

��

Warning Outgoing

Network Connection. To

Host: AMOS_ipaddress

User: AMOS_acc_name

Program: AMOS_run_srn

policy� ��

��, ��

��

��.

AMOS_OutgoingNetConn

��

��

� 62. Sudo �� Tivoli Enterprise Console ��

��

Successful Sudo

operation. User:

AMOS_acc_name

Program: AMOS_exe

Sudo ��

�.

AMOS_SudoPermit �

Failed Sudo operation.

User: AMOS_acc_name

Program: AMOS_exe

Sudo ��

�.

AMOS_SudoDeny ��

Warning Sudo operation.

User: AMOS_acc_name

Program: AMOS_exe

policy� ��

��, Sudo ��

� ��.

AMOS_SudoWarning ��

� 63. ��(��) �� Tivoli Enterprise Console ��

��

Failed Substitution to

User. To User:

AMOS_sname From

User: AMOS_acc_name

Program:

AMOS_run_srn

��

�.

AMOS_SetUserDeny �

Warning Substitution to

User. To User:

AMOS_sname From

User: AMOS_acc_name

Program:

AMOS_run_srn

policy� ��

� ��, ��

�� .

AMOS_SetUserWarning ��


� 64. ��(�) �� Tivoli Enterprise Console ��

��


Group. To Group:

AMOS_sname From

User: AMOS_acc_name

Program:

AMOS_run_srn

� ��

�.

AMOS_SetGroupDeny �


Group. To Group:

AMOS_sname From

User: AMOS_acc_name

Program:

AMOS_run_srn

policy� ��

� ��, �

�� .

AMOS_SetGroupWarning ��

� 65. TCB �� Tivoli Enterprise Console ��

��

Access allowed to

untrusted file. File:

AMOS_srn User:

AMOS_acc_name

Program:

AMOS_run_srn

��

�� .

AMOS_AccessUntrust ��

Access allowed to a

TCB file in an

unknown state. File:

AMOS_srn User:

AMOS_acc_name

Program:

AMOS_run_srn

� ��

TCB(Trusted Computing

Base) � � ��

�� .

AMOS_AccessUnknownTrust

��

��

A file has been marked

trusted. File: AMOS_srn

User: AMOS_acc_name

� � ��

��.

AMOS_TrustSuccess �

AMOS failed to mark a

file trusted. File:

AMOS_srn User:

AMOS_acc_name

Fail_Status:

AMOS_fail_status


for Operating Systems�

� � � ��

�� .

AMOS_TrustFail ��


untrusted. File:

AMOS_srn User:

AMOS_acc_name Reason:

AMOS_cdata



� � � ��

��.

AMOS_UntrustSuccess ��


� 65. TCB �� Tivoli Enterprise Console �� (��)

��

AMOS failed to mark a

file untrusted. File:

AMOS_srn User:

AMOS_acc_name Reason:

AMOS_cdata Fail_Status:

AMOS_fail_status



� � � ��

�� .

AMOS_UntrustFail ��

New file added to TCB

database. File: AMOS_srn

User: AMOS_acc_name


Base) ��

� ��.

AMOS_TcbAddSuccess �

AMOS failed to add new

file to TCB database.

File: AMOS_srn User:

AMOS_acc_name

Fail_Status:

AMOS_fail_status



� TCB(Trusted

Computing Base) ��

��

��.

AMOS_TcbAddFail ��

File removed from TCB


User: AMOS_acc_name

� � TCB(Trusted


��

�.

AMOS_TcbRemoveSuccess ��

AMOS failed to remove

a file from TCB


User: AMOS_acc_name

Fail_Status:

AMOS_fail_status



� TCB(Trusted


��

�� .

AMOS_TcbRemoveFail ��

� 66. policy �� Tivoli Enterprise Console ��

��

Policy applied for a

protected object name.

Name: AMOS_pon

��

policy� ��.

AMOS_PolicyValid �

Policy not applied for an

invalid protected object

name. Name: AMOS_pon

policy ��

�� policy�

��.

AMOS_PolicyInvalid ��

Policy version set in

Kernel Policy Cache.

policy ��

��.

AMOS_PolicySetSuccess ��

Failed to set policy

version in Kernel Policy

Cache..

policy ��

��.

AMOS_PolicySetFail ��



��

Login successful. User:

AMOS_acc_name From

Host:

AMOS_login_location

Program: AMOS_exe

��

��.

AMOS_LoginPermit �

Login Failed. User:

AMOS_acc_name From

Host:

AMOS_login_location

Program:

AMOS_run_srn Reason:

AMOS_qualifier

��

��.

AMOS_LoginDeny ��

Login Warning. User:

AMOS_acc_name From

Host:

AMOS_login_location

Program:

AMOS_run_srn Reason:

AMOS_qualifier

policy� ��

��, ��

�� .

AMOS_LoginWarning ��

User Account AMOS_srn

enabled for login.

��

�� .

AMOS_LoginEnabled ��


disabled for login.

��

�� .

AMOS_LoginDisabled ��


locked for login.

��

�� .

AMOS_LoginLocked ��


suspended for login.

��

��

��.

AMOS_LoginSuspended ��

Password change time

was modified by

administrator. User:

AMOS_acc_name

��

��

��.

AMOS_LoginAdm ��

Password successfully

changed. User:

AMOS_srn

��

�� .

AMOS_LoginPwdChange ��

Logout occurred. User:

AMOS_acc_name

Location:

AMOS_login_location

��

��.

AMOS_Logout �


��

Obtained credential.

User: AMOS_acc_name

�� . AMOS_GetCredSuccess �



��

Failed to obtain

credential. User:

AMOS_acc_name



� ��

��.

AMOS_GetCredFail ��


��

Password-change-related

authorization decision

was made. User:

AMOS_acc_name

��

��.

AMOS_PasswordChgPermit �



was denied. User:

AMOS_acc_name

��

� ��.

AMOS_PasswordChgDeny ��


authorization was

made.AMOS_acc_name

policy� ��

��, ��

� ��.

AMOS_PasswordChgWarning ��

Tivoli Risk Manager ��

� 70. �� Tivoli Risk Manager ��

��

PDOS Process Started


RMAMOS_run_srn



�� .

RMAMOS_ProcessStart

Success

�

PDOS Process Start

Failed. Process:

RMAMOS_run_srn



��

�.

RMAMOS_ProcessStartFail ��

PDOS Process Stopped


RMAMOS_run_srn



�� .

RMAMOS_ProcessStop

Success

�

PDOS Process Stop

Failed. Process:

RMAMOS_run_srn



��

��.

RMAMOS_ProcessStopFail ��

PDOS Process Adopted


RMAMOS_run_srn



��

�� .

RMAMOS_ProcessAdopt

Success

�


� 70. �� Tivoli Risk Manager �� (��)

��

PDOS Process Adopt

Failed. Process:

RMAMOS_run_srn

� � � ��



��

��.

RMAMOS_ProcessAdoptFail ��

PDOS Authorization

Decision API Failed.

�� API��

��.

RMAMOS_AznApiFailure ��

Kernel lost contact with

pdosd


� � ��

�. ��

��.

RMAMOS_LostContact ��

Kernel has regained

contact with pdosd.


� � ��

�.

RMAMOS_ContactRestored ��


was made to acquire

privileged access.



��

��.

RMAMOS_RegisterSuccess �


failed to acquire

privileged access.



��

� �� .

RMAMOS_RegisterFail ��


registry is available.


��

��. policy �

��

��.

RMAMOS_LdapServerUp �


register is unavailable

(isolation mode).


��

��. policy� ��

� � ��.

RMAMOS_LdapServerDown ��

� 71. � �� Tivoli Risk Manager ��

��

Failed File Access. File

RMAMOS_srn User:

RMAMOS_acc_name

Program:

RMAMOS_run_srn

Action:

RMAMOS_permissions

� � ��

��.

RMAMOS_FileAccessDeny ��


� 71. � �� Tivoli Risk Manager �� (��)

��

Warning File Access.

File RMAMOS_srn

User:

RMAMOS_acc_name

Program:

RMAMOS_run_srn

Action:

RMAMOS_permissions

policy� ��

� ��, �

� ��

��.

RMAMOS_FileAccess

��

��


��

Failed Incoming

Network Connection.

From Host:

RMAMOS_ipaddress

Services:

RMAMOS_port

��

��

��.

RMAMOS_IncomingNetConn

Deny

��

Warning Incoming

Network Connection.

From Host:

RMAMOS_ipaddress

Services: AMOS_port

policy� ��

� ��, ��

��

� �� .

RMAMOS_IncomingNetConn

��

��

Failed Outgoing Network

Connection. To Host:

RMAMOS_ipaddress

User:

RMAMOS_acc_name

Program:

RMAMOS_run_srn

��

� ��

�.

RMAMOS_OutgoingNetConn

Deny

��

Warning Outgoing

Network Connection. To

Host:

RMAMOS_ipaddress

User:

RMAMOS_acc_name

Program:

RMAMOS_run_srn

policy� ��

��, ��

��

��.

RMAMOS_OutgoingNetConn

��

��

� 73. Sudo �� Tivoli Risk Manager ��

��

Successful Sudo

operation. User:

RMAMOS_acc_name

Program: RMAMOS_exe

Sudo ��

�.

RMAMOS_SudoPermit �


� 73. Sudo �� Tivoli Risk Manager �� (��)

��

Failed Sudo operation.

User:

RMAMOS_acc_name

Program: RMAMOS_exe

Sudo ��

�.

RMAMOS_SudoDeny ��

Warning Sudo operation.

User:

RMAMOS_acc_name

Program: RMAMOS_exe

policy� ��

��, Sudo ��

� ��.

RMAMOS_SudoWarning ��

� 74. ��(��) �� Tivoli Risk Manager ��

��


User. To User:

RMAMOS_sname From

User:

RMAMOS_acc_name

Program: RMAMOS_exe

��

�.

RMAMOS_SetUserDeny �


User. To User:

RMAMOS_sname From

User:

RMAMOS_acc_name

Program: RMAMOS_exe

policy� ��

� ��, ��

�� .

RMAMOS_SetUserWarning ��

� 75. ��(�) �� Tivoli Risk Manager ��

��


Group. To Group:

RMAMOS_sname From

User:

RMAMOS_acc_name

Program: RMAMOS_exe

� ��

�.

RMAMOS_SetGroupDeny �


Group. To Group:

RMAMOS_sname From

User:

RMAMOS_acc_name

Program: RMAMOS_exe

policy� ��

� ��, �

�� .

RMAMOS_SetGroupWarning ��


� 76. TCB �� Tivoli Risk Manager ��

��

Access allowed to

untrusted file. File:

RMAMOS_srn User:

RMAMOS_acc_name

Program: RMAMOS_exe

��

�� .

RMAMOS_AccessUntrust ��

Access allowed to a

TCB file in an

unknown state. File:

RMAMOS_srn User:

RMAMOS_acc_name

Program: RMAMOS_exe

� ��


Base) � � ��

�� .

RMAMOS_AccessUnknown

TrustState

��


trusted. File:

RMAMOS_srn User:

RMAMOS_acc_name

Program: RMAMOS_exe

� � ��

��.

RMAMOS_TrustSuccess �

PDOS failed to mark a

file trusted. File:

RMAMOS_srn User:

RMAMOS_acc_name

Program: RMAMOS_exe

Fail_Status:

RMAMOS_fail_status



� � � ��

�� .

RMAMOS_TrustFail ��


untrusted. File:

RMAMOS_srn User:

RMAMOS_acc_name

Program: RMAMOS_exe



� � � ��

��.

RMAMOS_UntrustSuccess ��

PDOS failed to mark a

file untrusted. File:

RMAMOS_srn User:

RMAMOS_acc_name

Program: RMAMOS_exe

Fail_Status:

RMAMOS_fail_status



� � � ��

�� .

RMAMOS_UntrustFail ��

New file added to TCB

database. File:

RMAMOS_srn User:

RMAMOS_acc_name


Base) ��

� ��.

RMAMOS_TcbAddSuccess �

AMOS failed to add new

file to TCB database.

File: RMAMOS_srn User:

RMAMOS_acc_name

Fail_Status:

RMAMOS_fail_status



� TCB(Trusted


��

��.

RMAMOS_TcbAddFail ��


� 76. TCB �� Tivoli Risk Manager �� (��)

��

File removed from TCB

database. File:

RMAMOS_srn User:

RMAMOS_acc_name

� � TCB(Trusted


��

�.

RMAMOS_TcbRemove

Success

��

PDOS failed to remove a

file from TCB database.

File: RMAMOS_srn User:

RMAMOS_acc_name

Fail_Status:

RMAMOS_fail_status



� TCB(Trusted


��

�� .

RMAMOS_TcbRemoveFail ��

� 77. policy �� Tivoli Risk Manager ��

��

Policy applied for a

protected object name.

Name: RMAMOS_pon

��

policy� ��.

RMAMOS_PolicyValid �

Policy not applied for an

invalid protected object

name. Name:

RMAMOS_pon

policy ��

�� policy�

��.

RMAMOS_PolicyInvalid ��

Policy kernel version set

in Kernel Policy Cache.

policy ��

��.

RMAMOS_PolicySetSuccess ��

Failed to set policy

version in Kernel Policy

Cache.

policy ��

��.

RMAMOS_PolicySetFail ��


��

Login successful. User:

RMAMOS_acc_name

From Host:

RMAMOS_

login_location

P r o g r a m :

RMAMOS_run_srn

��

��.

RMAMOS_LoginPermit �

Login Failed. User:

RMAMOS_acc_name

From Host:

RMAMOS_

login_location

Program: RMAMOS_exe

R e a s o n :

RMAMOS_qualifier

��

��.

RMAMOS_LoginDeny ��


� 78. �� Tivoli Risk Manager �� (��)

��

Login Warning. User:

RMAMOS_acc_name

From Host:

RMAMOS_

login_location

P r o g r a m :

R M A M O S _ r u n _ s r n

R e a s o n :

RMAMOS_qualifier

policy� ��

��, ��

�� .

RMAMOS_LoginWarning ��

User Account

RMAMOS_srn enabled

for login.

��

�� .

RMAMOS_LoginEnabled ��

User Account

RMAMOS_srn disabled

for login.

��

�� .

RMAMOS_LoginDisabled ��

User Account

RMAMOS_srn locked for

login.

��

�� .

RMAMOS_LoginLocked ��

User Account

RMAMOS_srn suspended

for login.

��

��

��.

RMAMOS_LoginSuspended ��

Password change time

was modified by

adminis t ra tor . User :

RMAMOS_srn

��

��

��.

RMAMOS_LoginAdm ��

Password successfully

changed. User:

RMAMOS_acc_name

��

�� .

RMAMOS_LoginPwdChange ��

Logout occurred. User:

RMAMOS_acc_name

��

��.

RMAMOS_Logout �


��

Obtained credential.

User:

RMAMOS_acc_name

�� . RMAMOS_GetCredSuccess �

Failed to obtain

credential. User:

RMAMOS_acc_name



� ��

��.

RMAMOS_GetCredFail ��



��



was made. User:

RMAMOS_acc_name

��

��.

RMAMOS_PasswordChg

��

�



was denied. User:

RMAMOS_acc_name

��

� ��.

RMAMOS_PasswordChg

Deny

��


authorization was made.

RMAMOS_acc_name

policy� ��

��, ��

� ��.

RMAMOS_PasswordChg

��

��


D. ��


�� . Tivoli


�� Tivoli ��

��.(Tivoli �� IBM Tivoli Management

Framework �� .) � ��

�� InstallShield Multiplatform � ��. ��

� �� .

Tivoli Access Manager for Operating Systems �� PDF(Portable Document

Format)� HTML �� . ��

��.




E. ��

� �� . IBM� ��

�� , �� . �

� �� IBM ��

�. � �� IBM ��, �� IBM ��, �

�� . IBM� � �

�� , �� , ��

��. �� IBM ��, ��

�� .

IBM� � ��

�� . � ��

�� . �� .

135-270

�� 467-12, ��

� ��.�.� ��

��

��: 080-023-8080

2��(DBCS) �� IBM ��

�� .

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106, Japan

�� .

IBM� �� , ��

��(�,�� ) ��

�� .

� ��

��, � �� .

� �� . � �

�� , � �� . IBM� � ��

�� (��) �� (��) � � ��

��.


� �� IBM� � �� , ��

�� . � ��

IBM ��

� � ��.

IBM� ��

� �� .

(1) �� (� �� )��

(2) ��

�� .

135-270

�� 467-12, ��

� ��.�.� ��

��

�� (� ��, �� ) � ��

��.

� ��

�� IBM� IBM �� , IBM �� (IPLA) ��

� �� .

� �� . ��

� �� . � ��

��

�� . ��, � ��

�� . � ��

� �� .

�IBM �� , ��

�� . IBM�� IBM �� , ��

�� , �� .

�IBM �� .

IBM� ��

�.

� �� . � ��

�� .

� ��

��. �� , ��, ��


�� . ��

� �� .

��:

� ��

�� . ��

�� (API)� �� , ��, �

� �� ,

�� . ��

� �� . �� IBM� �� , ��

�� . �� IBM� ��

��(API)� �� , ��, ��

�� , ��

�.

� ��

� ��.

��

�� IBM Corporation� ��.

AIX

DB2

IBM

IBM(��)

OS/390

SecureWay

Tivoli

Tivoli(��)

TME(Tivoli Management Environment)

Tivoli Enterprise Console

zSeries

Lotus� �� IBM Corporation � Lotus Development

Corporation� ��.

Microsoft, Windows, Windows NT, � Windows ��

�� Microsoft Corporation� ��.

Java � �� Java �� Sun Microsystems,

Inc.� �� .

�� E. �� 355

UNIX� �� Open Group� ��.

�� , �� .


��

��

�� 219

�� 217

�� 222

�� 222

�� 227

� �� 225

� �� 220

� ��

� 73

� �� 71

� 73

� �� 87

� ��

�� 237

�� 233

�� 232

� 231

� �� 237

� �� 233

� �� 245

� �� 222

� ��

� 237

� � 71

� � � 73

� 74

�� policy � 138

�� 96, 247

�� 230

�� 137, 230

� 231

�� 137

policy 136

�� 145

�� 146

�� 127

�� 131

��

153

�� policy� �� ACL ��

133

�� (��)

�� 128

�� policy

� 145

�� 148

�� 128

�� 134


� �� 152

policy �� 133

�� 219

�� 247

��

�� 256

�� 131

�� 256

��

�� 154

�� 154

�� 153

�� 153

�� 217

�� 83

�� 78

�� 3

��

�� 156

�� policy 4

� � �� 95

�� 222

��

� � �� 138, 223

�� 138, 223

��

�� , �� , � �� 230

��

�� 224

�� 33

�� 47

�� 49

�� policy 46

�� policy (��)

ACL �� 133

�� policy� �� ACL �� 133

�� 55

��

�� 65

� 62

�� policy 62

�� policy �� 63

��

�� 77

�� 135

pdosauditd 87

pdosd 78

pdoslpmd 93

pdoslrd 93

pdostecd 91

pdoswdd 89

�� 135

�� 135

�� 2

�� 154

�� 154

�� look-aside 152

�� 7

�� 36

�� 77

�� 95

��

� �� 120

�� 117

�� 125

�� 109

�� 109

� 109

�� 110

��

�� 135


�� 78

�� 244

��

�� 51

�� 53

�� 54

��

�� 50

��

policy 55

�� policy 55

� 57, 61

NIS �� 147

�� policy �

�� 145

�� policy� �� NIS �� 147

�� policy 50

�� 54

��

�� 31

�� 96

��

pdosaudview 248

pdosbkup 252

pdoscfg 254

pdoscollview 265

pdosctl 269

pdosdestroy 273

pdosexempt 275

pdoshla 277

pdoslpadm 280

pdoslradm 285

pdosobjsig 286

pdosrefresh 289

pdosrevoke 291

pdosrgyimp 293

pdosrstr 298

pdosshowuser 299

pdossudo 68, 302

pdosteccfg 304

pdostecucfg 307

pdosucfg 309

pdosuidprog 311

pdosunauth 314

pdosversion 316

�� (��)

pdoswhoami 317

pdoswhois 319

policyview 321

wrunjob 157

wruntask 157

wschedjob 157

�� 52

��

�� 83

�� 82

�� 29

�� 9

��

�� UNIX �� 107

�� 107

policy �� 106


� 106

�� 105

�� UNIX �� 107

��

�� 146

�� 147

�� 146

�� 227

� � �� 228

�� 228

�� 81

�� 106

�� 95

�� policy 58

� 58, 61

�� ID 3

�� 24

�� 48

� xi

�� xii

�� xiii

�� xii

�� xiii

�� xiii

��

�� 50

��

� policy 29

��

�� 148

�� 149

�� 150

�� 148

�� 149

�� 150

��

�� 148

�� 79

�� 80

� �

� 33

�� policy 59

�� policy �

�� 145

�� ID

�� 150

�� ID �� 150

�� ID� UNIX ID� �� 151

�� 12

�� 49

�� 65

�� 54

�� 31

� �� 30

�� 13

��

�� 20

�� 17

� 23

�

�� 47

�� 54

�� 4

�� 129

PDOS �� 154

PDOS �� 154

pdoshla �� 153

traverse �� 25

�� 10


��

�� 9

�� 10

�� 9

� �� 9

policy �� 9

��

�� 142

�� 142

�� xiii

��

�� 256

� �� 10

� �� 333

� � 10, 11

�� 11

� �� 12

�� 12

Sudo �� 68

� ��

�� 144

� �� 144

�� 9

��

Tivoli Enterprise Console 336

Tivoli Risk Manager 342

�� 140

��

� �� 71

� � 73

� � ��

� � �� 139, 225

� � �� 139

� ��

�� , �� 231

� �� 1

� �� 225

�� 226

� �� 9

�� 19

��

�� 131

�� 148

Trusted Computing Base �� 141

�� policy 101

osseal-audit 101

osseal-audit-exec 102

osseal-credentials 102

osseal-default 102

osseal-default-file 102

osseal-default-login 102

osseal-default-net-incoming 102

osseal-default-net-outgoing 103

osseal-default-sudo 103

osseal-default-surrogate 103

osseal-hla 103

osseal-kazndrv 103

osseal-logs 104

osseal-open 104

osseal-privileged-user 104

osseal-restricted 104

osseal-restricted-read 104

osseal-tcb 105

osseal-umsg 105

osseal-var-lpm 105


147

� � �� 242

� �� 220

��

�� 125

��

�� 156

�� 24

�� xiii, 351

��

�� 143

� �� 30

� � �� 97

� �� 32

� ��

�� 30

� policy 29

� policy 29

� � �� 143

�� 134

�� 134

�� 135

�� xii

�� 35

��

� 35

�� 107


�� 152

�� 152

�� 152


152


152

�� 49

�� 1

�� 52

�� 51

�� 53

AACL 13

ACL� �� 24

Cconcise �� 233

critical cred � 97

IIBM Tivoli Enterprise Data

Warehouse 329

IBM Tivoli Enterprise Data Warehouse�

�� 329

ID

�� 3

UNIX 3

Immune-Programs 43

Immune-Surrogate-Programs 42

Impersonator-Programs 43

�� 359

Kkeyvalue �� 233

Llogfile �� 324

Login-Programs 39

NNFS �� 37

Oossaudit � 96

osseal � 95

osseal �� 96

osseal-admin � 95

osseal-audit 101

osseal-auditors � 96

osseal-audit-exec 102

osseal-credentials 102

osseal-default 102

osseal-default-file 102

osseal-default-login 102

osseal-default-net-incoming 102

osseal-default-net-outgoing 103

osseal-default-sudo 103

osseal-default-surrogate 103

osseal-hla 103

osseal-kazndrv 103

osseal-logs 104

osseal-open 104

osseal-privileged-user 104

osseal-restricted 104

osseal-restricted-read 104

osseal-tcb 105

osseal-umsg 105

osseal-unauth �� 96

osseal-var-lpm 105

Ppdadmin 7, 38

PDOS Task 155

�� 155

PDOS ��

��

178

�� 191

� �� 161

PDOS TCB �� 188

PDOS TCB �� 175

PDOS TCB �� 196

PDOS TEC �� 213

PDOS TEC �� 213

PDOS � �� 163

PDOS � �� 207, 212

PDOS ��/�� /�� 157

PDOS ��/�� 208

PDOS �� 160

PDOS �� 197

PDOS �� policy �� 170

PDOS �� policy �� 192

PDOS �� 167

PDOS �� 210

PDOS �� 198

PDOS �� 211

PDOS �� 171

PDOS �� 211

PDOS �� 186

PDOS �� 194

PDOS �� 202

PDOS �� 185

PDOS �� 214

PDOS �� 165

PDOS �� 209

PDOS �� 214

PDOS �� 190

PDOS �� 177

Setup TEC Event Server for

PDOS 204

UNIX TCB �� 180

UNIX �� 181

pdosauditd 87

pdosauditd �� 88

pdosaudview 102, 245, 247, 248

� 245

pdosbkup 252

pdoscfg 254

pdoscollview 265

pdosctl 269

pdosd 78

pdosd �� 86

pdosdestroy 273

pdosd-hostname �� 97

pdosexempt 275

pdoshla 277

pdoslpadm 280

pdoslpmd 93

pdoslpmd �� 93

pdoslpmd �� 93

pdoslradm 285

pdoslrd 93, 109

pdoslrd �� 94

pdoslrdlog �� 93

pdosobjsig 37, 286

pdosrefresh 289

pdosrevoke 291

pdosrgyimp 293

pdosrstr 298

pdosshowuser 299

pdossudo 68, 302

pdosteccfg 304

pdostecd 91, 324

�� 92

pdostecd �� 91

pdostecd �� 91

pdostecucfg 307

pdosucfg 309

pdosuidprog 311

pdosunauth 314

pdosversion 316

pdoswdd 89

pdoswdd �� 89

pdoswdd �� 90

pdoswhoami 317

� 150

pdoswhois 319

� 150

policy

�� 136

� 7

�� 4

�� 83

�� 33

�� 46

�� 62

�� 50

�� 55

�� 82

�� 58


policy (��)

�� 59

�� 101

�� 35

sudo 65

policy � 136

� �� 138

policy �� 136

policy � 7

policy �� 7

policy �� 9

policy �� 133

policy �� 331

policy �� 106

policyview 321

POP(Protected Object Policy) 26

� �� 27

�� 27

�� 28

�� 26

SSecure-Files 41

Secure-Programs 41

Sudo

� �� 68

sudo policy 65

sudo ��

� 66

TTCB

�� 141

�� 141

TCB �� 84

TCB � 37

Immune-Programs 43

Immune-Surrogate-Programs 42

Impersonator-Programs 43

Login-Programs 39

Secure-Files 41

Secure-Programs 41

TEC ��

� � �� 324

Tivoli Risk Manager�� 328

TEC �� 328


Systems �� xi

Tivoli Enterprise Console

Risk Manager�� 327

Tivoli Security Management��

323

Tivoli Risk Manager

Tivoli Enterprise Console�� 327

Tivoli Security Management

Tivoli Enterprise Console�� 323

Trusted Computing Base

�� 141

�� 141

Trusted Computing Base �� 141

Trusted Computing Base � 37

UUNIX

ID 3

Vverbose �� 234

Wwrunjob �� 157

wruntask �� 157

wschedjob �� 157

�� 361

��

Printed in Denmark by IBM Danmark A/S

SA30-1840-01

ibm tivoli access manager for operating...

Documents