IBM Tivoli Access Manager for Operating Systems 5.1 SA



4 ! 353 E. ( ), IBM Tivoli Access Manager for Operating Systems 5, 1( 5698-PDO). Copyright International Business Machines Corporation 2000, All rights reserved.

5 vii ix ix x xi Tivoli Access Manager for Operating Systems xi xii xii xii xiii xiii xiii xiv UNIX ID Tivoli Access Manager ID policy Policy policy policy ACL(Access Control List) POP(Protected Object Policy) POP policy policy policy policy policy Sudo policy pdossudo pdosd pdosauditd pdoswdd pdostecd Tivoli Enterprise Console pdoslpmd policy.. 93 pdoslrd osseal-admin osseal osseal root osseal-auditors ossaudit osseal-unauth pdosd-hostname critical cred policy osseal-audit osseal-audit-exec osseal-credentials osseal-default osseal-default-file osseal-default-login osseal-default-net-incoming osseal-default-net-outgoing osseal-default-sudo osseal-default-surrogate osseal-exec-open osseal-exec-root osseal-hla osseal-kazndrv Copyright IBM Corp. 2000, 2003 iii

6 osseal-logs osseal-open osseal-privileged-user osseal-restricted osseal-restricted-read osseal-tcb osseal-umsg osseal-var-lpm Tivoli Access Manager policy 106 Tivoli Access Manager UNIX XML Server Router Channel Filters Filter Conditional Field LRD_FileOutput LRD_ Output LRD_NetOutput pdosrgyimp policy ACL policy Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems policy policy policy Trusted Computing Base pdosd Trusted Computing Base Trusted Computing Base policy policy policy NIS ID pdoswhoami pdoswhois look-aside Tivoli Access Manager for Operating Systems Tivoli wrunjob wruntask iv IBM Tivoli Access Manager for Operating Systems:

7 PDOS / / wrunjob wruntask PDOS wrunjob wruntask wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask PDOS policy wrunjob wruntask PDOS wrunjob wruntask PDOS TCB wrunjob wruntask PDOS wrunjob wruntask wrunjob wruntask UNIX TCB wrunjob wruntask UNIX wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask PDOS TCB wrunjob wruntask PDOS wrunjob wruntask wrunjob wruntask PDOS policy wrunjob wruntask PDOS wrunjob wruntask PDOS TCB wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask Setup TEC Event Server for PDOS wrunjob wruntask PDOS wrunjob wruntask PDOS / wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask PDOS TCB wrunjob wruntask PDOS TEC wrunjob wruntask PDOS TEC wrunjob wruntask PDOS wrunjob wruntask PDOS wrunjob wruntask , , concise keyvalue verbose v

8 pdosaudview pdosbkup pdoscfg pdoscollview pdosctl pdosdestroy pdosexempt pdoshla pdoslpadm pdoslradm pdosobjsig pdosrefresh pdosrevoke pdosrgyimp pdosrstr pdosshowuser pdossudo pdosteccfg pdostecucfg pdosucfg pdosuidprog pdosunauth pdosversion pdoswhoami pdoswhois policyview Tivoli Enterprise Console IBM Tivoli Risk Manager Tivoli Risk Manager IBM Tivoli Enterprise Data Warehouse 329 A. Policy B C. Tivoli Enterprise Console Tivoli Risk Manager Tivoli Enterprise Console Tivoli Risk Manager D E vi IBM Tivoli Access Manager for Operating Systems:

9 OSSEAL policy Tivoli Access Manager policy Tivoli Access Manager IBM Tivoli Access Manager for Operating Systems policy Immune-Programs policy policy Sudo Sudo Sudo Sudo Sudo Sudo Tivoli Access Manager for Operating Systems pdosd policy pdosd TCB pdosd pdosauditd pdoswdd pdostecd pdoslpmd pdoslrd osseal.conf pdoscfg pdosd.conf pdoscfg pdosauditd.conf pdoscfg pdoswdd.conf pdoscfg pdoslrd.conf pdoscfg pdoscfg IBM Tivoli Access Manager for Operating Systems ID IBM Tivoli Access Manager for Operating Systems [OSSEAL] Tivoli Access Manager for Operating Systems policy Tivoli Access Manager policy Tivoli Access Manager Tivoli Enterprise Console Tivoli Enterprise Console Tivoli Enterprise Console Sudo Tivoli Enterprise Console ( ) Tivoli Enterprise Console Copyright IBM Corp. 2000, 2003 vii

10 64. () Tivoli Enterprise Console TCB Tivoli Enterprise Console policy Tivoli Enterprise Console Tivoli Enterprise Console Tivoli Enterprise Console Tivoli Enterprise Console Tivoli Risk Manager Tivoli Risk Manager Tivoli Risk Manager Sudo Tivoli Risk Manager ( ) Tivoli Risk Manager () Tivoli Risk Manager TCB Tivoli Risk Manager policy Tivoli Risk Manager Tivoli Risk Manager Tivoli Risk Manager Tivoli Risk Manager 349 viii IBM Tivoli Access Manager for Operating Systems:

11 IBM Tivoli Access Manager for Operating Systems policy. : IBM Tivoli Access Manager for Operating Systems Tivoli SecureWay Policy Director for Operating Systems( 3.7) Tivoli Policy Director for Operating Systems( 3.8). Tivoli SecureWay Policy Director policy. IBM Tivoli Access Manager for Operating Systems IBM Tivoli Access Manager for Operating Systems.. v UNIX v (HTTP, TCP/IP, FTP, Telnet, SSL) v v v v IBM Tivoli Access Manager Base v LDAP(Lightweight Directory Access Protocol). v IBM Tivoli Management Environment framework v IBM Tivoli Enterprise Console v IBM Tivoli Directory Server(LDAP) v IBM Tivoli User Administration Copyright IBM Corp. 2000, 2003 ix

12 . v 1 1 Tivoli Access Manager for Operating Systems. v 7 2 Policy Tivoli Access Manager for Operating Systems. v 77 3 Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. v Tivoli Access Manager for Operating Systems. v Tivoli Access Manager for Operating Systems. v Tivoli Tivoli Tivoli Access Manager for Operating Systems. v v Tivoli Access Manager for Operating Systems.,. v Tivoli Enterprise Console Tivoli Access Manager for Operating Systems Tivoli Enterprise Console. v IBM Tivoli Risk Manager Tivoli Access Manager for Operating Systems Tivoli Risk Manager. v 331 A Policy policy. v 333 B x IBM Tivoli Access Manager for Operating Systems:

13 . v 335 C Tivoli Enterprise Console Tivoli Risk Manager Tivoli Enterprise Console. v 351 D IBM Tivoli Access Manager Base Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems,.. Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems. v IBM Tivoli Access Manager for Operating Systems, SA Tivoli Access Manager for Operating Systems. Tivoli IBM Tivoli Enterprise Console IBM Tivoli Risk Manager. v IBM Tivoli Access Manager for Operating Systems, SA Tivoli Access Manager for Operating Systems,,. v IBM Tivoli Access Manager for Operating Systems, SA ,,, Tivoli Access Manager for Operating Systems.. v IBM Tivoli Access Manager for Operating Systems, GA Tivoli Access Manager for Operating Systems. v IBM Tivoli Access Manager for Operating Systems Read This First Card, GA Tivoli Access Manager for Operating Systems. xi

14 . v IBM Tivoli Access Manager Base, SA v IBM Tivoli Access Manager Base Administration Guide, GC v IBM Tivoli Access Manager for e-business, GA Tivoli Access Manager for Operating Systems. v IBM Tivoli Access Manager for e-business Performance Tuning Guide, SC IBM Tivoli Access Manager. v IBM Tivoli Access Manager for e-business Problem Determination Guide, SC Tivoli Access Manager. v IBM Tivoli Access Manager Error Message Reference, SC IBM Tivoli Access Manager, Tivoli Access Manager for Operating Systems Tivoli Access Manager. v IBM Tivoli Access Manager for e-business Command Message Reference, SC Tivoli Access Manager. v Tivoli Software Library,,, Tivoli. Tivoli Software Library. v Tivoli Glossary Tivoli. Tivoli Glossary. IBM Tivoli Access Manager for Operating Systems IBM Tivoli Access Manager for Operating Systems. xii IBM Tivoli Access Manager for Operating Systems:

15 PDF(Portable Document Format), HTML(Hypertext Markup Language) Tivoli Software Library( software/tivoli/library). Product manuals., Tivoli Software Information Center.,,,,. : PDF, Adobe Acrobat ( ).... D. IBM Tivoli Software Tivoli Support IBM Tivoli Software. IBM Software. v v v IBM Tivoli Access Manager for Operating Systems. xiii

16 ,..,,..,,.,,,,.,, Java, HTML XML. xiv IBM Tivoli Access Manager for Operating Systems:

17 1 IBM Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems,. policy. Tivoli Access Manager for Operating Systems policy. policy. ID,,,., ID.. policy policy. IBM Tivoli Access Manager policy.., Tivoli Access Manager for Operating Systems ID,. 2 1 Tivoli Access Manager Tivoli Access Manager for Operating Systems. Copyright IBM Corp. 2000,

18 1. IBM Tivoli Access Manager for Operating Systems Tivoli Access Manager policy,.. Tivoli Access Manager for Operating Systems Tivoli Access Manager. IBM Tivoli Access Manager WebSEAL IBM Tivoli Access Manager for Business Integration. Tivoli Access Manager. policy. Tivoli Access Manager for Operating Systems. Tivoli Access Manager. Tivoli Access Manager Tivoli Access Manager. Tivoli Access Manager LDAP. Tivoli Policy policy. policy. 2 IBM Tivoli Access Manager for Operating Systems:

19 SSL(Secure Socket Layers) TCP. Tivoli Access Manager API. Tivoli Access Manager for Operating Systems Tivoli Access Manager, Tivoli Access Manager policy Tivoli Access Manager policy Tivoli Access Manager for Operating Systems UNIX. Tivoli Access Manager for Operating Systems. API, UNIX. Tivoli Access Manager for Operating Systems, ID. policy. (PDOSD). policy,.,. PDOSD UNIX ID Tivoli Access Manager Tivoli Access Manager., PDOSD Tivoli Access Manager API,, policy. UNIX ID Tivoli Access Manager ID, UNIX ID Tivoli Access Manager. UNIX ID. Tivoli Access Manager 1 3

20 Tivoli Access Manager. ID. Tivoli Access Manager,.. Tivoli Access Manager., Sally Smith A sally B ssmith. Tivoli Access Manager.., Sally Smith A UNIX sally. C Sally Doe UNIX sally. Sally Smith Sally Doe Tivoli Access Manager. policy. Tivoli Access Manager for Operating Systems Tivoli Access Manager Tivoli Access Manager for Operating Systems.. ID ( : setuid() su ). policy policy. policy. policy.. ACL(Access Control List),. POP(Protected Object Policy) ( :, )., ACL POP 4 IBM Tivoli Access Manager for Operating Systems:

21 policy. v v v v Tivoli Access Manager for Operating Systems 1 5

22 6 IBM Tivoli Access Manager for Operating Systems:

23 2 Policy IBM Tivoli Access Manager for Operating Systems Tivoli Access Manager policy.. v v v v v ID v Sudo v Tivoli Access Manager. Tivoli Access Manager. Tivoli Access Manager policy. Tivoli Access Manager for Operating Systems policy policy Tivoli Access Manager. policy Tivoli Access Manager IBM Tivoli Web Portal Manager pdadmin, policy. Tivoli Access Manager. (policy).. Tivoli Access Manager...,,., Copyright IBM Corp. 2000,

24 LDAP ID. Tivoli Access Manager ID.. policy. Tivoli Access Manager for Operating Systems policy.. policy policy. policy. server_domain server_branch, client_domain client_branch. policy.. policy ( : client_branch) policy client_domain.., osseal-admin root, osseal, liz anne, root, osseal, bill rusty.. :, policy. policy. policy,,, policy. IBM Tivoli Web Portal Manager Tivoli Access Manager for Operating Systems CD-ROM. IBM Tivoli Access Manager Base IBM Tivoli Access Manager Base Administration Guide. IBM pdadmin IBM Tivoli Access Manager. pdadmin IBM Tivoli Access Manager Command Reference. policy pdadmin. pdadmin. 8 IBM Tivoli Access Manager for Operating Systems:

25 Tivoli Access Manager.,.. v v policy v policy v. Tivoli Access Manager. Tivoli Access Manager for Operating Systems OSSEAL. OSSEAL. OSSEAL /OSSEAL. policy,. Tivoli Access Manager for Operating Systems policy policy. policy. policy policy. policy /OSSEAL. policy. policy /OSSEAL/policy-branch. (, ). policy. /OSSEAL/Servers /OSSEAL/Workstations /OSSEAL/Test policy. ( : ) ( : Sudo, ).., /OSSEAL/ policybranch/file. 2 Policy 9

26 , TCB(Trusted Computing Base). /OSSEAL/policy-branch/TCB/Secure-Files..,..,., ,.log www * ( (/) ).?. +. [set of characters]. POSIX., [a-z] a-z ASCII.. (\). (\\) a* a aa a quick brown fox ba qa over the dog 10 IBM Tivoli Access Manager for Operating Systems:

27 2. () a\* a* ab a? aa al /usr/local/*.log /usr/local/x.log /usr/local/app/x.log *.charity.org [[:alpha:]]+ ** ( ) ftp.charity.org abcd ABCD ab abcde ghijk lmnop a aaa /usr/local/x.log.1 /abcd tty0 abcd the empty string Tivoli Access Manager for Operating Systems.,. /usr/local/*.log /usr/local/user1/*.log /usr/local/user1/x.log... /usr/local/user1/x.log /usr/local/*.log /usr/local/user1/*.log., policy a, \*, \\ 2 [Aa], [[:digit:]] 3? 4 a+ 5 [Aa]+, [[:digit:]]+ 6?+ 7 * 2 Policy 11

,..., (*)
 1  log/0[0-9]/error
 2  log/0?/error
 3  log/0*/error
 4  log/[0-9]+/error.1      www-help.[a-z]+v.com
 5  log/*/error.1           www-help.*v.com
 6  log*/error.1            www-help.*.com
 7  log*/error
 8  log*/error*             *
 9  log*                    *.com
10  *                       *
,..,. Tivoli Access Manager. ACL(Access Control List) ACL(Access Control List) ID. POP(Protected Object Policy) POP(Protected Object Policy) ( : ) ( : ).
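The wildcard table above (`*`, `?`, `+`, `[set]` with POSIX classes, backslash escapes) and the 1-7 specificity ranks plus the ordered list of patterns are enough to model how the product picks one pattern when several match. The following is an added illustration written for this page, not IBM code; it generalizes the table to arbitrary patterns. Assumptions are marked in the comments: `*` also spans `/` (the page lists both `/usr/local/x.log` and `/usr/local/app/x.log` under `/usr/local/*.log`), the end of a pattern counts as more specific than `*` but less specific than any other element, and only a subset of POSIX bracket classes is mapped.

```python
"""Model of the OSSEAL object-name pattern syntax ('*', '?', '+', [set], '\\x'
escapes) and of the specificity ranking used to pick one pattern when several
match.  Added illustration, not IBM code.  ASSUMPTIONS are marked in comments."""
import re

# POSIX bracket classes accepted inside [...]  (ASSUMPTION: subset used here)
POSIX_CLASSES = {
    "[:alpha:]": "a-zA-Z", "[:digit:]": "0-9", "[:alnum:]": "a-zA-Z0-9",
    "[:upper:]": "A-Z", "[:lower:]": "a-z", "[:xdigit:]": "0-9A-Fa-f",
    "[:space:]": r"\s",
}

# Specificity ranks from the 1-7 table on this page: 1 literal (also \* and \\),
# 2 [set], 3 ?, 4 literal+, 5 [set]+, 6 ?+, 7 *.  Lower rank = more specific.
LITERAL, CLASS, ANY_ONE, STAR = 1, 2, 3, 7
END_RANK = 6.5   # ASSUMPTION: end of pattern beats '*' but nothing else


def tokenize(pattern):
    """Split a pattern into [rank, regex] atoms."""
    atoms, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:                 # \x is the literal x
            atoms.append([LITERAL, re.escape(pattern[i + 1])])
            i += 2
        elif ch == "[":                              # [set] or [[:class:]]
            j = i + 1
            while j < n and pattern[j] != "]":
                j = pattern.index(":]", j) + 2 if pattern.startswith("[:", j) else j + 1
            if j >= n:
                raise ValueError("unterminated '[' in %r" % pattern)
            body = pattern[i + 1:j]
            for name, rx in POSIX_CLASSES.items():
                body = body.replace(name, rx)
            atoms.append([CLASS, "[" + body + "]"])
            i = j + 1
        elif ch == "?":                              # exactly one character
            atoms.append([ANY_ONE, "."])
            i += 1
        elif ch == "*":                              # ASSUMPTION: also spans '/'
            atoms.append([STAR, ".*"])
            i += 1
        elif ch == "+" and atoms and atoms[-1][0] <= ANY_ONE:
            atoms[-1][0] += 3                        # one or more of the previous atom
            atoms[-1][1] += "+"
            i += 1
        else:
            atoms.append([LITERAL, re.escape(ch)])
            i += 1
    return atoms


def matches(pattern, name):
    """True if the whole of name matches pattern."""
    rx = "".join(regex for _, regex in tokenize(pattern)) + r"\Z"
    return re.match(rx, name, re.S) is not None


def specificity(pattern):
    """Sort key: ranks compared left to right; the smaller key is more specific."""
    return [rank for rank, _ in tokenize(pattern)] + [END_RANK]


def most_specific(patterns, name):
    """Of the patterns that match name, the most specific one (None if none match)."""
    hits = [p for p in patterns if matches(p, name)]
    return min(hits, key=specificity) if hits else None


if __name__ == "__main__":
    for p in sorted(["*", "log*", "log*/error", "log/0?/error", "log/0*/error"], key=specificity):
        print(specificity(p), p)
```

Sorting a list of candidate patterns with `specificity` reproduces the 1-10 order shown above; `most_specific` is the operation a policy author wants to check before relying on two overlapping object names.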

ACL POP. ( ). Tivoli Access Manager. policy. Tivoli Access Manager for Operating Systems. (ACL POP )., pdadmin

   pdadmin> object create /OSSEAL/Servers/File/etc/passwd "Password file" \
       3 ispolicyattachable yes

/etc/passwd, 3( policy ) Tivoli Access Manager for Operating Systems. pdadmin IBM Tivoli Access Manager. Tivoli Access Manager policy. policy, ACL POP. Tivoli Access Manager for Operating Systems ACL, Access-Restrictions. POP (audit_permit_actions audit_deny_actions). Holiday, Login Activity, Password Management Sudo. 50 policy 65 Sudo policy. Tivoli Access Manager for Operating Systems. ACL(Access Control List) Tivoli Access Manager ACL(Access Control List). ID. ACL ACL. ACL..

   accessor : permission-set

30 ACL., x. Tivoli Access Manager for Operating Systems ACL.. user ACL.. Tivoli Access Manager. ACL x. user root : x ACL. x ACL., y ACL ACL y. ACL ACL. group ACL.. Tivoli Access Manager. ACL y. group users : y ACL., kevin users sys-admin net-admin, ACL kevin a b c. group users : a group sys-admin : b group net-admin : c ACL ACL. any-other ACL ACL ACL.. q ACL. 14 IBM Tivoli Access Manager for Operating Systems:

   any-other : q

ACL any-other ACL. unauthenticated ACL. 3 UNIX ID Tivoli Access Manager ID IBM Tivoli Access Manager for Operating Systems. Tivoli Access Manager Tivoli Access Manager. p.

   unauthenticated : p

ACL ACL.. ACL ACL,. p ACL p. Tivoli Access Manager. ACL ACL. ACL. Tivoli Access Manager.,,.. Tivoli Access Manager for Operating Systems OSSEAL. OSSEAL IBM Tivoli Access Manager for Operating Systems. 5 Tivoli Access Manager for Operating Systems..

Table 5. OSSEAL action bits (action names as given in Table 9 and Table 13 of this document)
   C  Connect    NetIncoming, NetOutgoing
   D  Chdir      File
   G  Surrogate  Surrogate
   K  Kill       File
   L  Login      Login
   N  Create     File
   R  Rename     File
   U  Utime      File
   d  Delete     File
   l  List       File
   o  Chown      File
   p  Chmod      File
   r  Read       File
   w  Write      File
   x  Execute    File

Sudo Tivoli Access Manager policy. Tivoli Access Manager policy.. policy policy Tivoli Access Manager a ACL POP b c ACL d m v IBM Tivoli Access Manager Base Administration Guide. 7 Tivoli Access Manager. 7. policy Tivoli Access Manager B POP(Protected Object Policy) T R B POP policy.,. policy policy

33 . POP 26 POP(Protected Object Policy). T. 24. R. Tivoli Access Manager..,. IBM Tivoli Access Manager for Operating Systems ACL. user root: T[OSSEAL]rwx Tivoli Access Manager for Operating Systems,,. Tivoli Access Manager for Operating Systems., Tivoli Access Manager WebSEAL r WebSEAL.. Br[OSSEAL]wx ACL IBM Tivoli Access Manager for Operating Systems ACL. Tivoli Access Manager for Operating Systems ACL. Access-Restrictions. ID,,. ACL. ACL. Access-Restrictions ( : )., policy.,. 2 Policy 17

34 , policy..,.. File, NetIncoming, NetOutgoing, Login Surrogate ACL. pdossudo Sudo. Sudo policy pdossudo 65 Sudo policy. Access-Restrictions. rule : accessor : permission-set : program-set. permit deny.. permit.. ACL (,, ). ACL., Tivoli Access Manager [OSSEAL]...,, r w ( ). * OSSEAL.. ( ).,.. 18 IBM Tivoli Access Manager for Operating Systems:

. permit ACL. Trusted Computing Base. Trusted Computing Base 37 Trusted Computing Base. *. ( ).,.,. *. Trusted Computing Base.. Access-Restrictions ID,,. Access-Restrictions ACL.
v deny : accessor : permission-set : program-set
v permit : accessor : permission-set : program-set
  accessor : permission-set : program-set
v deny : accessor : * : program-set
v permit : accessor : * : program-set
  accessor : * : program-set
v deny : accessor : permission-set : *
v permit : accessor : permission-set : *
  accessor : permission-set : *
v deny : accessor : * : *
v permit : accessor : * : *
  accessor : * : *
ACL. ACL Access-Restrictions ACL. Access-Restrictions ( ).., ACL.,..,, r w ( ). *. v. *,. *,. *,.

37 v,. *,. *,. *,. v,. *,. *,. *,.,.. v *,. v *,. v *,. Access-Restrictions, ACL. 2 Policy 21

, Access-Restrictions. ACL ACL.

   permit : user root : r : *
   permit : group MgmtB : * : *
   permit : group ProjectB : rw : /opt/projectb/bin/applicationy
   deny : group RestrictAccess : * : *
   deny : any-other : * : *

.. root, root., root ( : ),., root r w. RestrictAccess ProjectB /opt/projectb/bin/applicationy /. RestrictAccess ProjectB. ProjectB RestrictAccess /opt/projectb/bin/applicationy /. ( : )., ProjectB r o. MgmtB RestrictAccess..., Access-Restrictions root., Access-Restrictions ACL ACL. root, ACL root

. ACL, root. AIX Tivoli Access Manager for Operating Systems policy-branch Servers.

Example 1: /etc/passwd, sys-admin, /usr/bin/passwd.
1. (any-other) rw ACL.
   pdadmin> acl create passwd
   pdadmin> acl modify passwd set any-other T[OSSEAL]rw
   pdadmin> acl modify passwd set unauthenticated T[OSSEAL]rw
2. ACL Access-Restrictions.
   a. sys-admin.
      pdadmin> acl modify passwd set attribute \
          Access-Restrictions "group sys-admin:rw:*"
   b. (any-other).
      pdadmin> acl modify passwd set attribute \
          Access-Restrictions "any-other :r:*"
      pdadmin> acl modify passwd set attribute \
          Access-Restrictions "unauthenticated :r:*"
   c. /usr/bin/passwd (any-other).
      pdadmin> acl modify passwd set attribute \
          Access-Restrictions "any-other : rw : /usr/bin/passwd"
      pdadmin> acl modify passwd set attribute \
          Access-Restrictions "unauthenticated : rw : /usr/bin/passwd"
3. /etc/passwd passwd ACL.
   pdadmin> object create /OSSEAL/Servers/File/etc/passwd "passwd file" 3 \
       ispolicyattachable yes
   pdadmin> acl attach /OSSEAL/Servers/File/etc/passwd passwd

Example 2:.
v top-admin.
v app-admin ftpd.
v telnetd.
v.
1. (any-other) (L) ACL.
   pdadmin> acl create remote-login
   pdadmin> acl modify remote-login set any-other T[OSSEAL]L
   pdadmin> acl modify remote-login set unauthenticated T[OSSEAL]
2. ACL Access-Restrictions.
   a. sys-admin.
      pdadmin> acl modify remote-login set attribute \
          Access-Restrictions "permit : group sys-admin :L:*"
   b. /usr/sbin/ftpd app-admin..
      pdadmin> acl modify remote-login set attribute \
          Access-Restrictions "deny : group app-admin : L:/usr/sbin/ftpd"
   c. /usr/sbin/telnetd (any-other).
      pdadmin> acl modify remote-login set attribute \
          Access-Restrictions "permit : any-other :L:/usr/sbin/telnetd"
3. ACL.
   pdadmin> object create /OSSEAL/Servers/Login/Terminal/Remote "remote login" 3 \
       ispolicyattachable yes
   pdadmin> acl attach /OSSEAL/Servers/Login/Terminal/Remote remote-login
Tivoli Access Manager ACL.
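The Access-Restrictions rule grammar (`[permit|deny :] accessor : permission-set : program-set`), the five-rule worked example and the two pdadmin examples above all describe the same decision: which rule, if any, applies to a given subject, program and requested permission set. The code below is an added illustration for this page, not IBM code and not the product's evaluation algorithm. Its assumptions are marked in the comments: rules are tried in the order written and the first rule whose accessor and program apply decides; a permit rule decides only when it covers every requested permission; a deny rule decides when it covers any of them; and when no rule decides, the result is `"acl"`, meaning the ordinary ACL entries are consulted instead. The `Subject` type with `user=None` for an unmapped UNIX identity is also an assumption used to model the `unauthenticated` accessor.

```python
"""Parser and first-match evaluator for the Access-Restrictions rule syntax
    [permit|deny :] accessor : permission-set : program-set
Added illustration for this page, not IBM code.  ASSUMPTIONS are marked."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    kind: str        # "user", "group", "any-other" or "unauthenticated"
    name: str        # user or group name; "" for any-other/unauthenticated
    perms: str       # permission letters such as "rw", or "*"
    program: str     # absolute path of the accessing program, or "*"


@dataclass(frozen=True)
class Subject:
    user: Optional[str]        # ASSUMPTION: None models an unauthenticated UNIX identity
    groups: FrozenSet[str]


def parse_rule(text):
    """Parse one rule; a missing action means permit (as the page states)."""
    parts = [p.strip() for p in text.split(":")]
    if len(parts) == 3:
        parts.insert(0, "permit")
    if len(parts) != 4:
        raise ValueError("expected [permit|deny :] accessor : perms : program, got %r" % text)
    action, accessor, perms, program = parts
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: %r" % action)
    words = accessor.split()
    if len(words) == 2 and words[0] in ("user", "group"):
        kind, name = words
    elif accessor in ("any-other", "unauthenticated"):
        kind, name = accessor, ""
    else:
        raise ValueError("bad accessor %r" % accessor)
    if perms != "*" and not re.fullmatch(r"[A-Za-z]+", perms):
        raise ValueError("bad permission-set %r" % perms)
    if program != "*" and not program.startswith("/"):
        raise ValueError("program-set must be * or an absolute path: %r" % program)
    return Rule(action, kind, name, perms, program)


def rule_applies(rule, subject, program):
    """Does the rule's accessor/program pair cover this subject and program?"""
    if rule.program != "*" and rule.program != program:
        return False
    if rule.kind == "user":
        return subject.user == rule.name
    if rule.kind == "group":
        return rule.name in subject.groups
    if rule.kind == "any-other":
        return subject.user is not None
    return subject.user is None                     # unauthenticated


def evaluate(rules, subject, program, wanted):
    """Return "permit", "deny" or "acl" (fall back to the ACL entries).
    ASSUMPTION: first applicable rule in written order decides."""
    wanted = set(wanted)
    for rule in rules:
        if not rule_applies(rule, subject, program):
            continue
        covered = wanted if rule.perms == "*" else wanted & set(rule.perms)
        if rule.action == "deny" and covered:
            return "deny"
        if rule.action == "permit" and covered == wanted:
            return "permit"
    return "acl"


# The five rules from the worked example on this page.
EXAMPLE_RULES = [parse_rule(r) for r in (
    "permit : user root :r:*",
    "permit : group MgmtB :*:*",
    "permit : group ProjectB : rw : /opt/projectb/bin/applicationy",
    "deny : group RestrictAccess :*:*",
    "deny : any-other :*:*",
)]

if __name__ == "__main__":
    anne = Subject("anne", frozenset({"ProjectB", "RestrictAccess"}))
    print(evaluate(EXAMPLE_RULES, anne, "/opt/projectb/bin/applicationy", "rw"))
    print(evaluate(EXAMPLE_RULES, anne, "/bin/vi", "r"))
```

Under these assumptions a member of both ProjectB and RestrictAccess gets `rw` through `/opt/projectb/bin/applicationy` because the ProjectB permit precedes the RestrictAccess deny, and is denied through any other program, which matches the outcome the worked example describes. A `parse_rule` pass over each string before it is handed to `pdadmin acl modify ... set attribute Access-Restrictions` catches malformed rules that would otherwise only show up as an unexpected decision.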

41 ., project01, /OSSEAL/default/ File/project01. ACL /project01 ACL project01 ACL. ACL policy.. ACL, Tivoli Access Manager for Operating Systems ACL.. v, Tivoli Access Manager for Operating Systems ACL(, ACL). Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems. v Tivoli Access Manager for Operating Systems ACL net_acl_limited policy /OSSEAL/branch/NetIncoming /OSSEAL/branch/NetOutgoing (133 policy ACL ). Tivoli Access Manager for Operating Systems ACL., /OSSEAL/default/NetIncoming/tcp/ telnet/ ACL, Tivoli Access Manager for Operating Systems /OSSEAL/default/NetIncoming/tcp/telnet ACL. ACL, Tivoli Access Manager for Operating Systems /OSSEAL/default/NetIncoming/tcp ACL. Tivoli Access Manager for Operating Systems policy ACL, ACL(/OSSEAL/branch/ NetIncoming), ACL. policy, Tivoli Access Manager for Operating Systems ACL. ACL ACL.,. 2 Policy 25

42 v /OSSEAL/servers/File/usr/games/solitaire. solitaire usr games. v ACL usr ACL solitaire. v, usr games, solitaire usr ACL ACL. ACL ACL Tivoli Access Manager Traverse (T)., ACL.., usr ACL solitaire ACL. ACL games ACL. POP(Protected Object Policy) Tivoli Access Manager POP(Protected Object Policy). POP ID. POP. ACL POP Tivoli Access Manager. POP ACL. POP ACL.. ACL POP. solitaire, POP. ACL solitaire games POP. POP. Tivoli Access Manager for Operating Systems,. IP. POP POP policy. 26 IBM Tivoli Access Manager for Operating Systems:

43 policy. yes POP. ACL,. ACL ACL policy. POP. 231,.,... permit deny admin error all none,.,. Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems...., POP. audit_permit_actions audit_deny_actions.. audit_permit_actions permission-set audit_deny_actions permission-set Permission-set ACL. Tivoli Access Manager for Operating Systems. [OSSEAL]. audit_permit_actions audit_deny_actions POP. 2 Policy 27

audit_permit_actions POP,.. audit_deny_actions POP, Tivoli Access Manager...

   day-range : time-range [:utc|local]

, day-range anyday, weekday sun, mon, tue, wed, thu, fri sat. anytime. weekday.. time-range anytime. anytime. start_hhmm-end_hhmm, start_hhmm end_hhmm. 24. utc local UTC(Universal Coordinated Time)...,,.
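The time-of-day syntax above has enough structure (`anyday`, `weekday` or a list of `sun`..`sat`; `anytime` or `start_hhmm-end_hhmm` in 24-hour form; optional `utc` or `local`) that a policy author benefits from a checker that rejects a bad specification before it reaches the POP and that answers "is this access inside the window?" for a given time. The code below is an added illustration for this page, not IBM code. Its assumptions are marked in the comments: the end of a time range is exclusive, a missing zone means `local`, a range may not wrap past midnight, and a naive `datetime` is taken to be already expressed in the specification's zone.

```python
"""Parser and checker for the POP time-of-day syntax
    day-range : time-range [: utc | local]
Added illustration for this page, not IBM code.  ASSUMPTIONS are marked."""
import re
from datetime import datetime, timedelta, timezone

DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # index == datetime.weekday()


def parse_tod(spec):
    """Return {"days": set of weekday indexes, "start": hhmm, "end": hhmm, "zone": str}."""
    parts = [p.strip().lower() for p in spec.split(":")]
    if len(parts) == 2:
        parts.append("local")                       # ASSUMPTION: default zone is local
    if len(parts) != 3:
        raise ValueError("expected day-range:time-range[:utc|local], got %r" % spec)
    days, times, zone = parts
    if zone not in ("utc", "local"):
        raise ValueError("zone must be utc or local: %r" % zone)
    if days == "anyday":
        dayset = set(range(7))
    elif days == "weekday":
        dayset = set(range(5))                      # mon..fri
    else:
        dayset = set()
        for d in days.split(","):
            d = d.strip()
            if d not in DAY_NAMES:
                raise ValueError("unknown day %r" % d)
            dayset.add(DAY_NAMES.index(d))
    if times == "anytime":
        start, end = 0, 2400
    else:
        m = re.fullmatch(r"(\d{4})-(\d{4})", times)
        if not m:
            raise ValueError("time-range must be anytime or hhmm-hhmm: %r" % times)
        start, end = int(m.group(1)), int(m.group(2))
        for hhmm in (start, end):
            if hhmm > 2400 or hhmm % 100 > 59:
                raise ValueError("bad 24-hour time %04d" % hhmm)
        if start >= end:
            raise ValueError("start must be earlier than end (ASSUMPTION: no wrap-around)")
    return {"days": dayset, "start": start, "end": end, "zone": zone}


def is_valid_tod(spec):
    """True if spec parses; use before writing the value into a POP."""
    try:
        parse_tod(spec)
        return True
    except ValueError:
        return False


def tod_allows(spec, when):
    """True if datetime `when` lies inside the window.  Aware datetimes are converted
    to the spec's zone; naive ones are ASSUMED to already be in that zone."""
    tod = parse_tod(spec)
    if when.tzinfo is not None:
        when = when.astimezone(timezone.utc) if tod["zone"] == "utc" else when.astimezone()
    hhmm = when.hour * 100 + when.minute
    return when.weekday() in tod["days"] and tod["start"] <= hhmm < tod["end"]   # ASSUMPTION: end exclusive


def tod_allows_at(spec, year, month, day, hour, minute, utc_offset_hours=None):
    """Convenience wrapper: builds the datetime, aware when a UTC offset is given."""
    tz = None if utc_offset_hours is None else timezone(timedelta(hours=utc_offset_hours))
    return tod_allows(spec, datetime(year, month, day, hour, minute, tzinfo=tz))


if __name__ == "__main__":
    print(parse_tod("weekday:0800-1700:local"))
    print(tod_allows_at("sat,sun:anytime:utc", 2024, 1, 7, 2, 0, 5))   # 02:00 +05:00 is Saturday 21:00 UTC
```

The last call in the demo is the case the `utc`/`local` suffix exists for: a Sunday morning in a UTC+5 zone is still Saturday evening in UTC, so a `utc` window and a `local` window can give different answers for the same wall-clock time.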

45 policy Tivoli Access Manager for Operating Systems., policy. TCB(Trusted Computing Base) TCB. Tivoli Access Manager for Operating Systems.. v v v v v policy.. v ID.. v TCB. TCB TCB.. Tivoli Access Manager. /OSSEAL/policy-branch/File/filespec filespec... UNIX. 2 Policy 29

46 /OSSEAL/Default/File/etc/passwd /OSSEAL/Default/File/usr/local/*/*.log /OSSEAL/Default/File/usr/sbin/httpd. v (/). Tivoli Access Manager for Operating Systems /OSSEAL/policy-branch/File. ACL (/) ACL. v ( : /*.log /*/tmp)... : Tivoli Access Manager for Operating Systems 9. Tivoli Access Manager ACL. Tivoli Access Manager ACL. (T). ACL ( : /OSSEAL/policybranch/File). Tivoli Access Manager for Operating Systems ( ) ACL. ACL., ACL (/). policy, /OSSEAL/policy-branch/ RootDir policy(acl POP) ACL. 9. Read(r) Write(w) Create(N) Execute(x) Chown(o) IBM Tivoli Access Manager for Operating Systems:

47 9. () Chmod(p) Chdir(D) Rename(R) Delete(d) Utime(U) Kill(K) List(l) UNIX. UNIX ACL. ( ). ( )..... UNIX.. v Kill(K) /OSSEAL/policy-branch/File/unix. v (R).,.,.,, log.1 log.bak, $ mv log.1 log.2 log.1 log.2., $ mv log.1 log.bak log.bak. v (p) UNIX ACL.. v (x). UNIX x. Tivoli Access Manager for Operating Systems (D) (T). : (/) /OSSEAL/policy-branch/RootDir. 2 Policy 31

(/) policy, /OSSEAL/policy-branch/ RootDir policy(ACL POP). RootDir ACL POP, policy. policy RootDir policy. policy. v RootDir policy. RootDir policy policy., policy ( : /tmp /home). v RootDir. /OSSEAL/policy-branch/RootDir object /var/pdos/log/msg pdosd.log. v, RootDir ACL POP. (/) policy. policy. (any-other) policy. policy admin., /tmp., system.

   pdadmin> object create /OSSEAL/system/RootDir "root dir" \
       ispolicyattachable yes
   pdadmin> acl create rootdir_acl
   pdadmin> acl modify rootdir_acl set unauthenticated T[OSSEAL]Dlr
   pdadmin> acl modify rootdir_acl set any-other T[OSSEAL]Dlr
   pdadmin> acl modify rootdir_acl set group admin T[OSSEAL]DKNRUdloprwx
   pdadmin> acl attach /OSSEAL/system/RootDir rootdir_acl
   pdadmin> object create /OSSEAL/system/File/tmp "tmp dir" 0 \
       ispolicyattachable yes
   pdadmin> acl create tmpdir_acl
   pdadmin> acl modify tmpdir_acl set unauthenticated T[OSSEAL]DNRUdloprwx
   pdadmin> acl modify tmpdir_acl set any-other T[OSSEAL]DNRUdloprwx
   pdadmin> acl attach /OSSEAL/system/File/tmp tmpdir_acl

:., Tivoli Access Manager for Operating Systems..

49 v v v policy Tivoli Access Manager for Operating Systems policy. Tivoli Access Manager for Operating Systems. v. v.. :, policy.. v.,, policy. policy. v.,, policy. v.,.. : policy. 1: ACL. /usr/bin/vi /usr/local/bin/vi. /usr/bin/vi 2 Policy 33

50 vi /usr/bin/vi ACL. ACL /usr/local/bin/vi vi. /usr/local/bin/vi. ACL /usr/bin/vi /usr/local/bin/vi /usr/bin/vi /usr/bin/vi ACL. /usr/local/bin/vi ACL. 2: /home/joe/data. /home/joe/data.link ACL. ACL /tmp/data/joe_data /home/joe/data.. v /home/joe/data, ACL. v, ACL. v ACL /home/joe/data, /home/joe/data ACL. v, ACL ACL. v, policy. 3:.,.,.. 34 IBM Tivoli Access Manager for Operating Systems:

51 /home/joe/data ACL, /tmp/data/joe_data /tmp/data ACL /home/joe/data. v, ACL. v /tmp/data/joe_data, ACL. 4: /home/joe/data /home ACL /tmp/data/joe_data ACL /tmp/data/joe_data /home/joe/data., ACL. policy.., Tivoli Access Manager for Operating Systems policy.. :...,.. v,. v,. v. : policy. 2 Policy 35

52 1: /home/joe/data ACL /home/data ACL /home/data/joe_data /home/joe/data. /home/joe/data /home/joe/data ACL. /home/data/joe_data /home/joe/data ACL. 2: ACL /home/joe/data ACL /home/data/joe_data.1 /home/data/joe_data.2 /home/joe/data. /home/joe/data ACL. /home/data/joe_data.1 /home/data/joe_data.2 ACL. UNIX, Tivoli Access Manager for Operating Systems.. N R r w,. : ( : ).... v,. v,. v,. 36 IBM Tivoli Access Manager for Operating Systems:

53 NFS : Tivoli Access Manager for Operating Systems policy NFS. NFS., NFS NFS /usr/tools/bin /usr/shared/hrtools/bin. payroll NFS /usr/tools/bin/payroll. policy NFS Tivoli Access Manager for Operating Systems., NFS., /usr/shared/hrtools/bin/payroll NFS NFS NFS. NFS NFS NFS., Tivoli Access Manager for Operating Systems policy NFS NFS, NFS., NFS. ( : ). Trusted Computing Base Tivoli Access Manager for Operating Systems Trusted Computing Base. Trusted Computing Base, UNIX,,,.. Tivoli Access Manager for Operating Systems TCB(Trusted Computing Base). Trusted Computing Base,. Tivoli Access Manager for Operating Systems., Tivoli Access Manager for Operating Systems dosobjsig. TCB. 2 Policy 37

v Secure-Files
v Secure-Programs
v Login-Programs
v Impersonator-Programs
v Immune-Programs
v Immune-Surrogate-Programs
Trusted Computing Base.. Tivoli Access Manager policy Trusted Computing Base. Tivoli Access Manager for Operating Systems /OSSEAL/policy-branch/TCB policy. Trusted Computing Base., /etc/hosts.equiv Secure-File, pdadmin.
1. hosts.equiv TCB.
   pdadmin> object create /OSSEAL/Workstations/TCB/Secure-Files/etc/hosts.equiv \
       "Host equivalents" 0 ispolicyattachable yes
2. hosts.equiv.
   pdadmin> acl create hosts-equiv
   pdadmin> acl modify hosts-equiv set user root T[OSSEAL]NRUdoprw
   pdadmin> object create /OSSEAL/Workstations/File/etc/hosts.equiv "hosts equiv file" 3 \
       ispolicyattachable yes
   pdadmin> acl attach /OSSEAL/Workstations/File/etc/hosts.equiv hosts-equiv
Access-Restrictions ACL. Trusted Computing Base Trusted Computing Base. Trusted Computing Base.,... v pdadmin object create Trusted Computing Base. v. v.

v ( : ). v Trusted Computing Base,. v Trusted Computing Base,. v. pdosobjsig. 286 pdosobjsig Trusted Computing Base. Login-Programs UNIX. Tivoli Access Manager for Operating Systems. Trusted Computing Base Login-Programs. Tivoli Access Manager for Operating Systems Login-Programs., (FTP, RLOGIN, TELNET, REXEC, RSH, SSH) UNIX. Login-Programs, 10 IBM Tivoli Access Manager for Operating Systems., Login-Programs Tivoli Access Manager for Operating Systems.,.

Table 10. IBM Tivoli Access Manager for Operating Systems Login-Programs
AIX:
  /usr/dt/bin/dtlogin /usr/sbin/ftpd /usr/sbin/getty /usr/sbin/login /usr/sbin/rexecd /usr/sbin/rlogind /usr/sbin/rshd /usr/sbin/sshd /usr/sbin/telnetd /usr/sbin/tsm
HP-UX:
  /usr/bin/login /usr/bin/tsm /usr/dt/bin/dtlogin /usr/lbin/ftpd /usr/lbin/remshd /usr/lbin/rexecd /usr/lbin/rlogind /opt/ssh/sbin/sshd /usr/lbin/telnetd /usr/sbin/getty /usr/sbin/tsm
Solaris:
  /usr/bin/login /usr/dt/bin/dtlogin /usr/lib/saf/ttymon /usr/sbin/in.ftpd /usr/sbin/in.rexecd /usr/sbin/in.rlogind /usr/sbin/in.rshd /usr/local/sbin/sshd (freeware) /usr/lib/ssh/sshd (Solaris) /usr/sbin/in.telnetd
Linux:
  /bin/login /sbin/getty /sbin/mingetty /usr/bin/gdm /usr/bin/gdmlogin /usr/bin/kdm /usr/sbin/in.ftpd /usr/sbin/in.rexecd /usr/sbin/in.rlogind /usr/sbin/in.rshd /usr/sbin/sshd /usr/sbin/in.telnetd /usr/sbin/in.tftpd /usr/sbin/in.wuftpd /usr/sbin/wu.ftpd /usr/x11r6/bin/xdm /usr/sbin/vsftpd /opt/gnome2/bin/gdm /opt/kde2/bin/kdm /opt/kde3/bin/kdm

sshd Tivoli Access Manager for Operating Systems sshd,.
v sshd pdosobjsig sshd.

   # ln -sf /expected_path/sshd /actual_path/sshd
   # pdosobjsig -u /expected_path/sshd -s trusted
v pdadmin sshd OSSEAL.
   # pdadmin -a sec_master -p passwd
   pdadmin> object create \
       /OSSEAL/policy_branch/TCB/Login-Programs/actual_path/sshd \
       "sshd-daemon" 2 ispolicyattachable yes
Linux, Solaris HP-UX PAM(Pluggable Authentication Modules) sshd PAM. sshd ldd libpam. sshd Tivoli Access Manager for Operating Systems policy. pdosd.conf. policy, pdoscfg.
   # cat /opt/pdos/etc/pdosd.conf | grep login
   login-policy = off
   # pdoscfg -login_policy on
Secure-Files.. IBM Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems Secure-Files. Secure-Files. Secure-Programs UNIX UNIX UNIX. ID ID su, mail telnet., UNIX ID, Tivoli Access Manager for Operating Systems., UID.. 62 policy. Trusted Computing Base Secure-Programs UNIX ID policy. UNIX ID, policy. UNIX ID

58 policy. Tivoli Access Manager for Operating Systems policy. Tivoli Access Manager for Operating Systems Secure-Program su. policy, TCB Secure-Programs ID GID. 311 pdosuidprog pdosuidprog UID GID. IBM Tivoli Access Manager for Operating Systems Secure-Programs. /opt/pdos/bin/pdosdestroy /opt/pdos/bin/pdoslpadm /opt/pdos/bin/pdosrefresh /opt/pdos/bin/pdossudo /opt/pdos/bin/pdosunauth /opt/pdos/bin/pdoswhoami /opt/pdos/bin/pdoswhois /opt/pdos/sbin/kosserrs /opt/pdos/bin/pdosshowuser /opt/pdos/bin/rc.lpm Immune-Surrogate-Programs Immune-Surrogate-Programs policy. ( UID GID ) (setuid()/setgid() ) policy. Tivoli Access Manager for Operating Systems policy. Immune-Surrogate-Programs Secure-Programs Secure-Programs., UID UNIX ID. Surrogate-to-root policy Surrogate-to-root policy. Secure-Programs UNIX ID policy. Immune-Surrogate-Programs. 42 IBM Tivoli Access Manager for Operating Systems:

59 Impersonator-Programs UNIX ( : cron)., ID. ID Tivoli Access Manager for Operating Systems ID Tivoli Access Manager for Operating Systems. TCB(Trusted Computing Base) Impersonator-Programs Tivoli Access Manager for Operating Systems UNIX ID ID. policy ( : cron),. cron Access-Restrictions. IBM Tivoli Access Manager for Operating Systems Impersonator-Program cron. Immune-Programs, Tivoli Access Manager for Operating Systems policy,. Trusted Computing Base Immune-Programs Tivoli Access Manager for Operating Systems policy. Tivoli Access Manager for Operating Systems policy.... Tivoli Access Manager for Operating Systems policy., ID. 2 Policy 43

60 11. policy Immune-Programs AIX HP-UX Solaris Linux /usr/bin/aixpowermgtdaemon /usr/ccs/bin/shlap /usr/ccs/bin/shlap64 /usr/lib/errdemon /usr/lpp/diagnostics/diagd /usr/sbin/automountd /usr/sbin/biod /usr/sbin/nfsd /usr/sbin/rpc.lockd /usr/sbin/rpc.statd /usr/sbin/syncd /usr/sbin/syslogd /usr/lib/netsvc/fs/autofs/automountd /usr/lib/netsvc/fs/automount/automount /usr/sbin/biod /usr/sbin/nfsd /usr/sbin/pwgrd /usr/sbin/rpc.lockd /usr/sbin/rpc.statd /usr/sbin/syncer /usr/lib/autofs/automountd /usr/lib/nfs/lockd /usr/lib/nfs/nfsd /usr/lib/nfs/statd /usr/sbin/rpcbind /usr/sbin/syslogd /sbin/klogd /sbin/portmap /sbin/rpc.lockd /sbin/rpc.statd /sbin/syslogd /usr/sbin/apmd /usr/sbin/automount /usr/sbin/rpc.quotad /usr/sbin/rpc.mountd /usr/sbin/rpc.nfsd 11 Tivoli Access Manager for Operating Systems Immune-Programs. /opt/pdos/bin/pdosauditd /opt/pdos/bin/pdosaudview /opt/pdos/bin/pdosbkup /opt/pdos/bin/pdoscfg /opt/pdos/bin/pdosctl /opt/pdos/bin/pdosd /opt/pdos/bin/pdosexempt 44 IBM Tivoli Access Manager for Operating Systems:

61 /opt/pdos/bin/pdoslpmd /opt/pdos/bin/pdosobjsig /opt/pdos/bin/pdosrevoke /opt/pdos/bin/pdosteccfg /opt/pdos/bin/pdostecd /opt/pdos/bin/pdostecucfg /opt/pdos/bin/pdoswdd /opt/pdos/bin/pdoslrd /opt/pdos/bin/pdoslrdadm Tivoli Access Manager for Operating Systems Immune-Programs. /opt/pdos/kernel/kossd /opt/pdos/sbin/ossdump.sh /opt/pdos/sbin/kazntrace /opt/pdos/sbin/kossdump.sh /opt/pdos/sbin/kosserrs /opt/pdos/sbin/kossinfo /opt/pdos/kernel/kossctl Immune-Programs, Secure-Programs Immune-Surrogate-Programs. v Immune-Programs, Tivoli Access Manager for Operating Systems policy. Tivoli Access Manager for Operating Systems policy. v Secure-Programs UNIX ID policy. Tivoli Access Manager for Operating Systems policy., policy. v Immune-Surrogate-Programs UNIX ID policy,. Tivoli Access Manager for Operating Systems policy..., Secure-Programs Immune-Surrogate-Programs, policy... 2 Policy 45

62 ., Immune-Surrogate- Programs Secure-Programs.. policy Tivoli Access Manager for Operating Systems. NetOutgoing NetIncoming. Tivoli Access Manager. /OSSEAL/policy-branch/NetIncoming/protocol[/service[/host]] /OSSEAL/policy-branch/NetOutgoing[/hostspec[/protocol[/service]]] /OSSEAL/policy-branch/NetIncoming /OSSEAL/policy-branch/ NetOutgoing. ACL,. -net_acl_limited pdoscfg ( IBM Tivoli Access Manager for Operating Systems 254 pdoscfg, pdoscfg ). (/OSSEAL/policy-branch/File, ),. 12 policy. 12. protocol. TCP/IP 4. tcp. service. NetIncoming,. NetOutgoing,... policy /etc/services. * * policy. 46 IBM Tivoli Access Manager for Operating Systems:

63 12. () host. NetIncoming,. v ip-address[:nbits]. NetOutgoing,. v hostname ip-address nbits hostname IP ( : ) ip-address ip-address[:nbits] nbits 32. IP legal. /OSSEAL/Default/NetIncoming/tcp/80 /OSSEAL/Default/NetIncoming/tcp/telnet/*.dev.company.com /OSSEAL/Default/NetOutgoing/ :24/tcp/23 /OSSEAL/Default/NetOutgoing/ NetIncoming NetOutgoing, ACL Connect(C). 13. Connect(C) Tivoli Access Manager for Operating Systems.., Telnet ( 23) 23,513 *. Tivoli Access Manager for Operating Systems policy. 2 Policy 47

64 . NetIncoming NetOutgoing,.,, NetOutgoing/ NetOutgoing/ http policy. NetIncoming, NetIncoming/tcp/*/server.ibm.net NetIncoming/tcp/ftp/* server.ibm.net ftp policy. NetIncoming NetOutgoing v. v,. v. policy PDOSD policy.. v telnet telnet v v 20-25, , , , IBM Tivoli Access Manager for Operating Systems:

65 v 1-10, ,2,3,4-9,10,telnet, v ip-address[:nbits]. v ip-address ip-address[:nbits] 32 nbits nbits, policy. policy pdosd policy. v (nbits ) ip-address[:nbits]. v v : :24. v IP :32 ip-address[:nbits] policy. v IP :16 ip-address[:nbits]. v Tivoli Access Manager for Operating Systems. ID. NetIncoming?. NetIncoming 2 Policy 49

66 ACL.., NetIncoming ACL. policy Tivoli Access Manager for Operating Systems.. v v Tivoli Access Manager for Operating Systems, policy. Tivoli Policy Director policy.,.. Tivoli Access Manager, policy policy. Tivoli Access Manager Tivoli Access Manager for Operating Systems, osseal-unauth policy policy.. day-range: time-range[:utc local], day-range anyday, weekday sun, mon, tue, wed, thu, fri sat. anyday. weekday.. 50 IBM Tivoli Access Manager for Operating Systems:

67 time-range anytime. anytime. start_hhmm-end_hhmm, start_hhmm end_hhmm. utc local UTC(Universal Coordinated Time)... Tivoli Access Manager pdadmin. policy. v 9:00 5:00. pdadmin> policy set tod-access weekday: :local pdadmin> policy set tod-access anyday:anytime -user root v. pdadmin> policy set tod-access mon: :local -user \ osseal-unauth v. pdadmin> policy set tod-access weekday: :utc pdadmin> policy set tod-access anyday:anytime -user root pdadmin> policy set tod-access mon: :utc -user \ osseal-unauth.. policy... ACL. Login(L). Holiday-Dates,.. YYYY-MM-DD[-hh[:mm[:ss]]][Z], 2 Policy 51

68 YYYY MM DD hh mm ss Z UTC. v 12. v 0(). v,,, 12. v, 0( ). v UTC UTC. : CEO (1 18 ) , pdadmin> object create /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time "Happy" \ 0 ispolicyattachable yes pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time \ set attribute Holiday-Dates " :00: :00:00", ACL. pdadmin> acl create ceo-birthday-time-acl pdadmin> acl modify ceo-birthday-time-acl set group sys-admins \ T[OSSEAL]L pdadmin> acl attach /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time \ ceo-birthday-time-acl policy Tivoli Access Manager : :00. Holiday-Dates. CEO policy IBM Tivoli Access Manager for Operating Systems:

69 pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday-Time \ set attribute \ Holiday-Dates " :00: :00:00"., policy. v,. v,. v. CEO 1 18, policy. pdadmin> object create /OSSEAL/Servers/Login/Holidays/CEO-Birthday \ "VeryHappy" 0 ispolicyattachable yes pdadmin> object modify /OSSEAL/Servers/Login/Holidays/CEO-Birthday \ set attribute \ Holiday-Dates " :00: :00:00" CEO-Birthday CEO-Birthday-Time policy :00, CEO-Birthday-Time :00. CEO-Birthday. Holiday-Dates, pdosd policy.. : Holidays. ACL. ACL, policy.,. /OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2001 /OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2002 /OSSEAL/policy-branch/Login/Holidays/CEO-Birthday/2003 Holiday-Dates., CEO ACL Policy 53

70 :.. TCP/IP... /OSSEAL/policy-branch/Login/Terminal/Local/termgroup/device /OSSEAL/policy-branch/Login/Terminal/Remote/termgroup/hostspec termgroup.. device hostspec ( : /dev/console /dev/tty/0), UNIX... v /etc/hosts, DNS. ( : *?).. v IP / (IP_address[nbits]). 32,.. /OSSEAL/policy-branch/Login/Terminal/Local/Modems/dev/tty063 /OSSEAL/policy-branch/Login/Terminal/Remote/Development/*.dev.company.com /OSSEAL/policy-branch/Login/Terminal/Remote/Xterms/ :24 : / Tivoli Access Manager., ACL POP /OSSEAL/policy-branch /Terminal/Remote policy. 54 IBM Tivoli Access Manager for Operating Systems:

71 Login(L) : policy., pdosd. policy.. policy Tivoli Access Manager for Operating Systems policy. policy /OSSEAL/policy-branch/Login. v v v... Tivoli Access Manager for Operating Systems policy policy. Tivoli Access Manager for Operating Systems policy policy policy. policy $HOME/.rhosts /etc/hosts.equiv.., AIX ( : rlogin rsh) Tivoli Access Manager for Operating Systems policy. policy( :, ). Tivoli Access Manager Tivoli Access Manager policy Tivoli Access Manager for Operating Systems policy. 2 Policy 55

72 16. policy Login-MinPasswordDays., 0(). Login-MaxPasswordDays Login-MaxGraceLogins Login-MaxConcurrent Login-MaxInactiveDays., 0( )., grace. Login-MaxGraceLogins 0() grace.., 0(). grace,... IP. policy., 0( )..., 0(). 56 IBM Tivoli Access Manager for Operating Systems:

73 16. policy () Login-MaxFailedLogins. Login-LockMinutes. Login-LoginMinutes. Login-MaxFailedLogins, 0(). Login-LockMinutes Login-LoginMinutes Login-PolicyDisabled Login-MaxFailedLogins. Login-LockMinutes, 0(). Login-MaxFailedLogins. Login-LoginMinutes, 0().. policy. policy. policy : policy. v 30 pdadmin. pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-MaxInactiveDays 30 v 30 pdadmin. 2 Policy 57

74 pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-MaxFailedLogins 3 pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-LockMinutes 30 pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-LoginMinutes 60 v policy.,., Login-MaxFailedLogins 5. pdadmin> object modify /OSSEAL/Servers/Login delete attribute Login-MaxFailedLogins pdadmin> object modify /OSSEAL/Servers/Login set attribute Login-MaxFailedLogins 5 pdoslpadm. 280 pdoslpadm. policy policy policy. policy policy. policy /OSSEAL/policy-branch/Login/UserExceptions/user-name.. 0( ).. policy Tivoli. pdadmin. policy policy-branch Default policy. 1. policy 30 bob policy policy 0(policy ) pdadmin. pdadmin> object modify /OSSEAL/Default/Login set attribute Login-MaxInactiveDays 30 pdadmin > object create /OSSEAL/Default/Login/UserExceptions/bob "" 2 i yes 2. bob 90 pdadmin. 58 IBM Tivoli Access Manager for Operating Systems:

75 pdadmin > object modify /OSSEAL/Default/Login/UserExceptions/bob set attribute Login-MaxInactiveDays 90 3. bob 70 pdadmin. pdadmin > object modify /OSSEAL/Default/Login/UserExceptions/bob delete attribute Login-MaxInactiveDays pdadmin > object modify /OSSEAL/Default/Login/UserExceptions/bob set attribute Login-MaxInactiveDays 70 policy Tivoli Access Manager for Operating Systems policy. ( : ). policy /OSSEAL/policy-branch/Password,. v v Tivoli Access Manager for Operating Systems policy policy. Tivoli Access Manager for Operating Systems policy policy policy. Tivoli Access Manager for Operating Systems., policy.,, policy. : Tivoli Access Manager for Operating Systems policy $HOME/.rhosts /etc/hosts.equiv. Tivoli Access Manager Tivoli Access Manager policy Tivoli Access Manager for Operating Systems policy. : MinPasswordDays.,, MinPasswordDays. 2 Policy 59

76 17. policy Password-MinPasswordLen., 0(). Password-MinPasswordAlpha Password- MinPasswordAlphaNum Password-MinPasswordNumeric Password-MinPasswordLower Password-MinPasswordUpper Password-MinPasswordSpecial Password-MinPasswordDays Password-MaxPasswordRepeat Password-PasswordNameCheck., 0().., 0().., 0().., 0( ).., 0( ).., 0().., 0().., 0(). ID ID., 0() ID IBM Tivoli Access Manager for Operating Systems:

77 17. policy () Password-PasswordHistory , 0(). Password- PasswordOldPwdCheck Password- PasswordMaxConsPrev Password- PasswordNonNumFirstLast.,., policy policy. v 7, pdadmin. pdadmin> object modify /OSSEAL/Servers/Password set attribute Password-MinPasswordLen 7 v, pdadmin. pdadmin> object modify /OSSEAL/Servers/Password set attribute Password-MaxPasswordRepeat 1 v policy.,., Password-PasswordHistory 5. pdadmin> object modify /OSSEAL/Servers/Password delete attribute Password-PasswordHistory pdadmin> object modify /OSSEAL/Servers/Login set attribute Password-PasswordHistory 5 pdoslpadm. 280 pdoslpadm. policy policy-branch Default policy. 2 Policy 61

78 1. policy 10, bob policy policy 0(policy ) pdadmin. pdadmin> object modify /OSSEAL/Default/Password set attribute Password-MinPasswordLen 10 pdadmin > object create /OSSEAL/Default/Password/UserExceptions/bob "" 2 i yes 2. bob 5 pdadmin. pdadmin > object modify /OSSEAL/Default/Password/UserExceptions/bob set attribute Password-MinPasswordLen 5 3. bob 8 pdadmin. pdadmin > object modify /OSSEAL/Default/Password/UserExceptions/bob delete attribute Password-MinPasswordLen pdadmin > object modify /OSSEAL/Default/Password/UserExceptions/bob set attribute Password-MinPasswordLen 8 policy Tivoli Access Manager for Operating Systems UNIX ID.. ID ID. policy... /OSSEAL/policy-branch/Surrogate/User/user-name /OSSEAL/policy-branch/Surrogate/Group/group-name user-name UNIX. ID. UNIX. ID. group-name UNIX. ID. UNIX. ID.. 62 IBM Tivoli Access Manager for Operating Systems:

79 /OSSEAL/Default/Surrogate/User/root /OSSEAL/Default/Surrogate/User/joe /OSSEAL/Default/Surrogate/Group/admin : /OSSEAL/ policy-branch/surrogate/user, /OSSEAL/ policy-branch/surrogate/group /OSSEAL/policy-branch/Surrogate policy. policy policy.. 19 Surrogate(G). 19. G Surrogate. policy. v ID. v ID ID UNIX ID.. ID ID.. /usr/bin/mail, /usr/bin/telnet /usr/bin/ps. setuid... Tivoli Access Manager for Operating Systems Trusted Computing Base. Trusted Computing Base Secure-Programs ID. 37 Trusted Computing Base., policy. 2 Policy 63

80 /usr/bin/su. ID. UNIX ID UNIX su setuid. su Tivoli Access Manager for Operating Systems Trusted Computing Base Secure-Program,. Secure-Program, Tivoli Access Manager for Operating Systems policy su policy., fred sysop ID. fred su. fred$ su sysop. su setuid. fred sysop su ID sysop. su Secure-Program fred Tivoli Access Manager for Operating Systems sysop. su Secure-Program UNIX. Tivoli Access Manager for Operating Systems policy, Secure-Programs setuid setgid pdosuidprog. 311 pdosuidprog. policy setuid setgid Trusted Computing Base Secure-Programs.. ID, Access-Restrictions. 17 policy. UNIX Tivoli Access Manager for Operating Systems ID. ID. Trusted Computing Base (Impersonator-Programs) UNIX ID IBM Tivoli Access Manager for Operating Systems ID. TCB Impersonator-Programs 37 Trusted Computing Base. 64 IBM Tivoli Access Manager for Operating Systems:

81 Sudo policy policy Tivoli Access Manager ACL., policy Tivoli Access Manager ACL ACL. ACL ( ACL ). Tivoli Access Manager (T) ACL. Sudo. Sudo. Sudo. Sudo UNIX. Sudo Tivoli Access Manager. /OSSEAL/policy-branch/Sudo/sudo-command[/sudo-argclass] Sudo Sudo sudo-command Sudo., UNIX ID.. Sudo sudo-argclass.. Sudo Sudo Sudo. Sudo Policy 65

82 21. Sudo Sudo-Command Sudo. Sudo Tivoli Access Manager for Operating Systems.. UNIX UNIX ( : /usr/bin/ mount), ( : /usr/bin/rm -i).. Sudo-Target-User Sudo-Invoker-Password Sudo-Target-Password Sudo-Command UNIX. UNIX Sudo.... Sudo... Sudo Sudo-Target-User... UNIX.. 22 Sudo (x). 22. Sudo x Execute Sudo Sudo sys-admin /usr/sbin/mount Sudo, pdadmin. pdadmin> object create /OSSEAL/Servers/Sudo/mount "mount" 2 \ ispolicyattachable yes pdadmin> object modify /OSSEAL/Servers/Sudo/mount set attribute \ Sudo-Command /usr/sbin/mount pdadmin> object modify /OSSEAL/Servers/Sudo/mount set attribute \ Sudo-Invoker-Password "required" 66 IBM Tivoli Access Manager for Operating Systems:

83 pdadmin> acl create sudo-mount pdadmin> acl modify sudo-mount set group sys-admin T[OSSEAL]x pdadmin> acl attach /OSSEAL/Servers/Sudo/mount sudo-mount Sudo Sudo. Sudo Sudo Sudo. Sudo Sudo Sudo-Arguments... net-admin NFS sys-admin pdadmin. pdadmin> object create /OSSEAL/Servers/Sudo/mount/remote \ "Remote mount argument patterns" 0 ispolicyattachable yes pdadmin> object modify /OSSEAL/Servers/Sudo/mount/remote set attribute \ Sudo-Arguments "[-]F nfs" pdadmin> acl create sudo-net-mount pdadmin> acl modify sudo-net-mount set group net-admin T[OSSEAL]x pdadmin> acl attach /OSSEAL/Servers/Sudo/mount/remote sudo-net-mount pdadmin> object create /OSSEAL/Servers/Sudo/mount/local \ "Local mount argument patterns" 0 ispolicyattachable yes pdadmin> object modify /OSSEAL/Servers/Sudo/mount/local set \ attribute Sudo-Arguments "[-]F *" pdadmin> acl create sudo-local-mount pdadmin> acl modify sudo-local-mount set group sys-admin T[OSSEAL]x pdadmin> acl attach /OSSEAL/Servers/Sudo/mount/local sudo-local-mount pdadmin> acl modify sudo-mount set group sys-admin "" :. v pdadmin,. [-] (-). v policy. [-]F nfs [-]F *. v /OSSEAL/Servers/Sudo/mount sudo-mount ACL sys-admin. -F mount Sudo. v., -F -t nfs NFS. 2 Policy 67

84 /OSSEAL/Servers/Sudo/mount/remote Sudo-Arguments [-][tf] [Nn][Ff][Ss]. v Sudo Sudo policy pdosd. policy. UNIX.. Sudo. Sudo Sudo-Arguments IBM Tivoli Access Manager for Operating Systems. Sudo-Arguments. v (*).., root. * root root,. v. (\),. v Sudo-Arguments Sudo. v,., * root : show root add root system pdossudo pdossudo Sudo Sudo. 66 Sudo Sudo. $ pdossudo mount -F nfs host:/shared/directory /local 68 IBM Tivoli Access Manager for Operating Systems:

85 Sudo. 1. Sudo, Sudo. 2., ( ). 3. UNIX ID. ID policy.( pdossudo Access-Restrictions.) policy. 4. Sudo. Sudo-Command Access-Restrictions pdossudo. pdadmin Access-Restrictions. pdadmin> object create /OSSEAL/Servers/Surrogate/User/root \ "surrogate root" 14 ispolicyattachable yes pdadmin> acl create root-user pdadmin> acl modify root-user set any-other T[OSSEAL]G pdadmin> acl modify root-user set unauthenticated T[OSSEAL]G pdadmin> acl modify root-user set attribute \ Access-Restrictions any-other:g:/opt/pdos/bin/pdossudo pdadmin> acl modify root-user set attribute \ Access-Restrictions unauthenticated:g:/opt/pdos/bin/pdossudo pdadmin> acl attach /OSSEAL/Servers/Surrogate/User/root root-user pdadmin> object create /OSSEAL/Servers/File/usr/bin/mount \ "mount command" 3 ispolicyattachable yes pdadmin> acl create mount-program pdadmin> acl modify mount-program set any-other T[OSSEAL]x pdadmin> acl modify mount-program set unauthenticated T[OSSEAL]x pdadmin> acl modify mount-program set attribute \ Access-Restrictions any-other:x:/opt/pdos/bin/pdossudo pdadmin> acl modify mount-program set attribute \ Access-Restrictions unauthenticated:x:/opt/pdos/bin/pdossudo pdadmin> acl attach /OSSEAL/Servers/File/usr/bin/mount mount-program policy pdossudo ID,. UNIX Sudo Sudo. PATH Sudo. 2 Policy 69

86 24. Sudo PATH LD_* LD_ _RLD_* _RLD_ SHLIB_PATH HP-UX, LIBPATH AIX, IFS ENV BASH_ENV bash KRB_CONF kerberos 4 KRB5_CONFIG kerberos 5 LOCALDOMAIN /etc/resolv.conf RES_OPTIONS (name resolution) HOSTALIASES pdossudo. /opt/pdos/etc/pdossudo.conf. [environment] ( )., pdossudo.conf. [environment] PATH=/usr/bin:/usr/sbin:/usr/application/bin LD_LIBRARY_PATH=/usr/lib:/usr/application/lib Sudo PATH LD_LIBRARY_PATH pdossudo.conf. pdossudo Sudo PDOS_SUDO_ACCESSOR_NAME PDOS_SUDO_ACCESSOR_ID PDOS_SUDO_INVOKER_NAME Sudo Tivoli Access Manager ID Sudo Tivoli Access Manager ID ID pdossudo UNIX. ID ( : su ). 70 IBM Tivoli Access Manager for Operating Systems:

87 25. Sudo () PDOS_SUDO_INVOKER_ID pdossudo UNIX ID. ID ( : su ). policy Tivoli Access Manager for Operating Systems. policy. Tivoli Access Manager for Operating Systems UNIX Tivoli Access Manager. Tivoli Access Manager UNIX policy. policy policy policy.. AuditAuth Tivoli Access Manager. ACL POP.. /OSSEAL/policy-branch/AuditAuth/Unauth/audit-level /OSSEAL/policy-branch/AuditAuth/User/user-name/audit-level /OSSEAL/policy-branch/AuditAuth/Group/group-name/audit-level 26. user-name UNIX UNIX group-name Tivoli Access Manager Tivoli Access Manager 2 Policy 71

88 26. () audit-level. permit:. deny:. loginpermit:. logindeny:. all: (permit, deny, loginpermit, logindeny). none: Unauth., , policy. 4.,. 72 IBM Tivoli Access Manager for Operating Systems:

89 /OSSEAL/Default/AuditAuth/User/root/all /OSSEAL/Default/AuditAuth/Unauth/all /OSSEAL/Default/AuditAuth/Group/osseal-admin/permit /OSSEAL/Default/AuditAuth/Group/osseal-admin/deny /OSSEAL/Default/AuditAuth/User/admin1/loginpermit osseal-admin policy-branch Servers policy pdadmin. pdadmin> object create /OSSEAL/Servers/AuditAuth/Group/osseal-admin/all "AuditAuth" 11 ispolicyattachable no policy pdadmin. pdadmin> object create /OSSEAL/Servers/AuditAuth/User/root/loginpermit "AuditAuth" 11 ispolicyattachable no pdadmin> object create /OSSEAL/Servers/AuditAuth/User/root/logindeny "AuditAuth" 11 ispolicyattachable no osseal-admin policy pdadmin. pdadmin> object create /OSSEAL/Servers/AuditAuth/Group/osseal-admin/all "AuditAuth" 11 ispolicyattachable no pdadmin> object create /OSSEAL/Servers/AuditAuth/User/root/none "AuditAuth" 11 ispolicyattachable no policy pdadmin. pdoscfg -audit_level permit pdadmin> object create /OSSEAL/Servers/AuditAuth/User/root/deny "AuditAuth" 11 ispolicyattachable no Tivoli Access Manager for Operating Systems UNIX. policy policy policy.. AuditTrace Tivoli Access Manager. ACL POP. /OSSEAL/policy-branch/AuditTrace/User/ user-name/trace-level. 2 Policy 73

90 27. user-name UNIX UNIX trace-level. exec: exec(), Tivoli Access Manager for Operating Systems. exec_l: ID ID ( ), exec(), Tivoli Access Manager for Operating Systems. file:. Tivoli Access Manager for Operating Systems. all: exec, exec_l file. none: AuditTrace. AuditTrace policy. /OSSEAL/Default/AuditTrace/User/root/exec_l /OSSEAL/Default/AuditTrace/User/admin1/exec /OSSEAL/Default/AuditTrace/User/admin2/exec policy-branch ID root exec policy pdadmin. pdadmin> object create /OSSEAL/Servers/AuditTrace/User/root/exec "AuditTrace" 11 ispolicyattachable no ID root ID exec policy pdadmin. pdadmin> object create /OSSEAL/Servers/AuditTrace/User/root/exec_l "AuditTrace" 11 ispolicyattachable no 74 IBM Tivoli Access Manager for Operating Systems:

91 ID root policy pdadmin. pdadmin> object create /OSSEAL/Servers/AuditTrace/User/root/file "AuditTrace" 11 ispolicyattachable no ID admin1, admin2 admin3 exec policy pdadmin. pdadmin> object create /OSSEAL/Servers/AuditTrace/User/admin1/exec "AuditTrace" 11 ispolicyattachable no pdadmin> object create /OSSEAL/Servers/AuditTrace/User/admin2/exec "AuditTrace" 11 ispolicyattachable no pdadmin> object create /OSSEAL/Servers/AuditTrace/User/admin3/exec "AuditTrace" 11 ispolicyattachable no 2 Policy 75


93 3 Tivoli Access Manager for Operating Systems.. v 78 pdosd v 87 pdosauditd v 89 pdoswdd v 91 pdostecd Tivoli Enterprise Console v 93 pdoslpmd policy v 93 pdoslrd. v 95 v 97 v 101 policy v 105 Tivoli Access Manager for Operating Systems. pdosd- Trusted Computing Base. pdosauditd- Tivoli Access Manager for Operating Systems. pdoswdd-.. pdostecd- Tivoli Enterprise Console Tivoli Access Manager for Operating Systems Tivoli Enterprise Console. pdoslpmd- policy. pdoslrd-. Copyright IBM Corp. 2000,

94 . UTC,,., Tivoli Access Manager for Operating Systems...,., msg pdosd.log, msg pdosd.log.1 msg pdosd.log. msg_pdosd.log, msg pdosd.log.2., 1., 2, msg pdosd.log msg pdosd.log.1.,,. 0 0,.,.,.. pdoscfg. pdoscfg. Tivoli Access Manager for Operating Systems. pdosctl Tivoli Access Manager for Operating Systems. pdosctl.. v 254 pdoscfg pdoscfg. v 131 pdoscfg. v 269 pdosctl pdosctl. pdosd pdosd. 78 IBM Tivoli Access Manager for Operating Systems:

95 v Tivoli Access Manager for Operating Systems policy v Tivoli Access Manager Tivoli Access Manager UNIX v Trusted Computing Base pdosd. 3 UNIX ID Tivoli Access Manager ID UNIX ID Tivoli Access Manager.. Tivoli Access Manager, LDAP, pdosd. pdosd..... Tivoli Access Manager for Operating Systems LDAP.., Tivoli Access Manager for Operating Systems LDAP. ( ). LDAP... pdosrefresh.,.., pdosd LDAP. 3 79

96 , pdosd. pdosd LDAP. :. v v v Tivoli Access Manager for Operating Systems osseal-admin Tivoli Policy Director osseal UNIX.. v. v. v, pdosd.,.. pdoscfg -critical_cred_group Tivoli Access Manager.. v. v. cred. UNIX. UNIX ID, /opt/pdos/etc/pdosd.conf IBM Tivoli Access Manager for Operating Systems. 80 IBM Tivoli Access Manager for Operating Systems:

97 28. Tivoli Access Manager for Operating Systems [credentials] user-cred-refresh admin-cred-refresh critical-cred-refresh cred-hold critical-cred-group cred-response-wait ( ).... admin..... ( )... cred-hold user-cred-refresh. Tivoli Access Manager.... (Tivoli Access Manager osseal-admin ). pdosd Tivoli Access Manager ( ) Tivoli Access Manager for Operating Systems Tivoli Access Manager,. Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems Tivoli Access Manager : Tivoli Access Manager for Operating Systems Tivoli Access Manager. Tivoli Access Manager for Operating Systems Tivoli Access Manager ( : ). Tivoli Access Manager IBM Tivoli Access Manager Base Administration Guide. Tivoli Access Manager for Operating Systems Tivoli Access Manager LDAP. 3 81

98 29 pdosd /opt/pdos/etc/pdosd.conf pdosd [ldap] ldap-server-config ssl-enabled bind-dn bind-pwd Tivoli Access Manager LDAP LDAP SSL. SSL. LDAP pdosd (DN) LDAP pdosd :.. LDAP SSL PDOSD LDAP. Tivoli Access Manager for Operating Systems, LDAP (CA) pdosd LDAP LDAP. pdosd LDAP Tivoli Access Manager,. pdosd LDAP. IBM Tivoli Access Manager for Operating Systems. DN, pdosd LDAP. pdosd, LDAP. : (bind-pwd) pdosd.conf. /opt/pdos/etc/pdosd.conf.obf pdosd.conf. [configuration-database] file = /opt/pdos/etc/pdosd.conf.obf, Tivoli Access Manager for Operating Systems policy Tivoli Access Manager for Operating Systems /opt/pdos/etc osseal-restricted ACL. ACL osseal-admin. 82 IBM Tivoli Access Manager for Operating Systems:

99 pdosd Tivoli Access Manager API. Tivoli Access Manager. pdosd Tivoli Access Manager policy,. policy. Tivoli Access Manager for Operating Systems policy. Tivoli Access Manager policy policy. Tivoli Access Manager policy, policy. policy. policy, Tivoli Access Manager policy.. Tivoli Access Manager policy policy.,. Tivoli Access Manager for Operating Systems. 30 refresh-interval ssl-listening-port pdosd policy Tivoli Access Manager policy. ssl-local-domain. pdosd Tivoli Access Manager. /opt/pdos/etc/pdosd.conf. 30. [policy] refresh-interval Tivoli Access Manager policy ( ). 0. [ssl] ssl-listening-port Tivoli Access Manager policy policy pdosd TCP/IP. 0 policy. ssl-local-domain. pdosd Tivoli Access Manager. Tivoli Access Manager policy, policy. 3 83

100 Tivoli Access Manager, pdosd... v ID. ID, ID UID. Tivoli Access Manager for Operating Systems ID ID. ID ID. v v v v pdosd policy policy. Tivoli Access Manager for Operating Systems. policy branch policy. policy branch Tivoli Access Manager for Operating Systems. 31 policy branch /opt/pdos/etc/osseal.conf.. Tivoli Access Manager for Operating Systems. pdosd policy,.,.,. 31. policy [policy] branch policy TCB Trusted Computing Base 37 Trusted Computing Base.. v Secure-Files v Secure-Programs v Login-Programs v Impersonator-Programs v Immune-Programs 84 IBM Tivoli Access Manager for Operating Systems:

101 v Immune-Surrogate-Programs, Access-Restrictions TCB.. Access-Restrictions TCB ( TCB ( : Secure-Programs) ).. v v v v v v ( :, ) v ( ) pdosd TCB.. TCB,., pdosd /var/pdos/log/msg pdosd.log. TCB pdosd., CRC. -tcb_nocrc_on_exec. pdosd TCB /opt/pdos/etc/pdosd.conf. 3 85

102 32. pdosd TCB [tcb] monitor-threads interval max-checksum-file-size ignore-ctime tcb_nocrc_on_exec Trusted Computing Base. TCB.. CPU. TCB ( ). TCB,.... TCB. TCB ctime. ctime TCB. TCB CRC. 2 CRC. TCB, Tivoli Access Manager policy.., pdosobjsig. pdosobjsig, Trusted Computing Base. pdosd pdosd /var/pdos/log/msg pdosd.log,.. v UTC(Universal Time Coordinated) v v v 86 IBM Tivoli Access Manager for Operating Systems:

103 pdosd [pdosd] log-entries logs pdosd pdosd. 0 pdosd. log-entries 0 logs 0, pdosd log-entries pdosd. log-entries 0 logs 0, pdosd log-entries pdosd. pdosd pdoswdd. pdosd 0 log-entries 0. pdosd log-entries pdosd. 0 pdosd. pdosauditd pdosauditd Tivoli Access Manager for Operating Systems. pdosobjsig, 2. /var/pdos/audit/audit.log. pdostecd pdoslrd audit.log., audit.log. pdosauditd, audit.log..,,,,.,. /opt/pdos/etc/osseal.conf pdosctl. 3 87

104 34. [audit] level permit_actions permit_actions deny_actions deny_actions pdosauditd /var/pdos/log/msg pdosauditd.log,.. v UTC(Universal Time Coordinated) v v v pdosauditd pdosauditd /opt/pdos/etc/pdosauditd.conf.. v audit-logflush pdosauditd ( )., 5. v audit-logsize. 0. 1,000,000., /var/pdos/audit audit.log audit.log.yyyy-mm-dd-hh-mm-ss. audit.log. pdosauditd. v log-entries. 0,. v logs. log-entries 0, audit.log msg pdosauditd.log pdosauditd. 254 pdoscfg pdoscfg. 88 IBM Tivoli Access Manager for Operating Systems:

105 35. pdosauditd [pdosauditd] audit-logflush audit-logsize log-entries logs pdosauditd ( ) pdosauditd ( ) pdosauditd pdosauditd. 0 pdosauditd. log-entries 0 logs 0, pdosauditd log-entries pdosauditd. log-entries 0 logs 0, pdosauditd log-entries pdosauditd. pdosauditd pdosauditd. pdosauditd 0 log-entries 0. pdosauditd log-entries pdosauditd. 0 pdosauditd. 138 policy pdoswdd pdoswdd pdosd, pdosauditd, pdoslpmd pdoslrd.... Tivoli Access Manager for Operating Systems. : 91 pdostecd Tivoli Enterprise Console pdostecd. Tivoli Access Manager for Operating Systems.,. pdoswdd /var/pdos/log/msg pdoswdd.log,.. v UTC(Universal Time Coordinated) 3 89

106 v v v pdoswdd pdoswdd pdoswdd /opt/pdos/etc/pdoswdd.conf. pdoswdd. v log-entries. 0,. v logs. log-entries 0,. 36 msg pdoswdd.log pdoswdd. 36. pdoswdd [pdoswdd] log-entries logs pdoswdd pdoswdd. 0 pdoswdd. log_entries 0 logs 0, pdoswdd log_entries pdoswdd. log_entries 0 logs 0, pdoswdd log_entries pdoswdd. pdoswdd pdoswdd. pdoswdd 0 log_entries 0. pdoswdd log_entries pdoswdd. 0 pdoswdd.,.. pdosd /var/pdos/log/msg pdosd.log 90 IBM Tivoli Access Manager for Operating Systems:

107 pdosauditd /var/pdos/log/msg pdosauditd.log pdoswdd /var/pdos/log/msg pdoswdd.log pdoslpmd /var/pdos/log/msg pdoslpmd.log pdoslrd /var/pdos/log/msg pdoslrd.log,. pdostecd Tivoli Enterprise Console pdostecd Tivoli Enterprise Console Tivoli Access Manager for Operating Systems. /var/pdos/audit/audit.log /var/pdos/tec/tec.log. Tivoli Enterprise Console. 335 C Tivoli Enterprise Console Tivoli Risk Manager. pdostecd /var/pdos/audit/audit.log,. audit.log. tec.log, /var. 92. pdostecd /var/pdos/pdostecd/msg pdostecd.log,.. v UTC(Universal Time Coordinated) v v v pdostecd pdostecd pdostecd /opt/pdos/etc/pdostecd.conf. 3 91

108 pdostecd. v log-entries. 0,. v logs. log-entries 0,. 37 /var/pdos/pdostecd/msg pdostecd.log pdostecd. 37. pdostecd [pdostecd] log-entries logs pdostecd log-entries 0,. /var/pdos/tec/tec.log. /var. Tivoli UNIX cron.. 1. pdostecd.. /opt/pdos/bin/rc.pdostecd stop 2. Tivoli Enterprise Console tec.log., 5. sleep pdostecd. tec.log. /opt/pdos/bin/rc.pdostecd start. pdostecd.,. pdostecd,. 92 IBM Tivoli Access Manager for Operating Systems:

109 pdoslpmd policy pdoslpmd Tivoli Access Manager for Operating Systems policy. pdoslpmd Tivoli Access Manager for Operating Systems policy. Tivoli Access Manager for Operating Systems, policy. policy, pdoslpmd. Tivoli Access Manager for Operating Systems policy, Tivoli Access Manager for Operating Systems pdoslpmd. 38 /opt/pdos/etc/pdosd.conf. 38. pdoslpmd [pdoscfg] login-policy on off policy. pdoslpmd pdosd. pdoslpmd pdosd, policy. pdoslpmd pdoslpmd. /opt/pdos/etc/lpm.conf Tivoli Access Manager for Operating Systems policy. Tivoli Access Manager for Operating Systems policy policy.. Tivoli Access Manager for Operating Systems policy. pdoslrd pdoslrd Tivoli Access Manager for Operating Systems,,., ( ),,,. pdoslrd audit.log. 3 93

110 , audit.log. pdosauditd, audit.log. pdoslrd pdoslrd.,., pdoslrd. 39. pdoslrd [pdoslrd] state log-entries logs lrd-local-domain lrd-admin-name. pdoslrd.,. pdoslrd pdoslrd. 0 pdoslrd. log_entries 0 logs 0, pdoslrd log_entries pdoslrd. log_entries 0, pdoslrd log_entries pdoslrd. pdoslrd pdoslrd. pdoslrd 0 log_entries 0. pdoslrd log_entries pdoslrd. 0 pdoslrd. pdoslrd Tivoli Access Manager for Operating Systems,. admin pdoslrd. pdoslrd Tivoli Access Manager for Operating Systems, Tivoli Access Manager admin. 94 IBM Tivoli Access Manager for Operating Systems:

111 Tivoli Access Manager for Operating Systems Tivoli Access Manager UNIX. Tivoli Access Manager Tivoli Access Manager for Operating Systems. UNIX Tivoli Access Manager for Operating Systems.. osseal-admin osseal-admin Tivoli Access Manager. UNIX osseal.. v.. v. ( Tivoli Access Manager ).. v, pdosd.,. 78 pdosd. Tivoli Access Manager for Operating Systems osseal-admin (root osseal). osseal ID. osseal osseal UNIX. Tivoli Access Manager osseal-admin. Tivoli Access Manager for Operating Systems setgid /var/pdos UNIX. osseal UNIX ID. osseal ID. osseal-admin osseal Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems. 3 95

112 osseal osseal Tivoli Access Manager UNIX. Tivoli Access Manager for Operating Systems UNIX. osseal Tivoli Access Manager for Operating Systems ID. root Tivoli Access Manager for Operating Systems root Tivoli Access Manager ID. UNIX, root. root osseal-admin. osseal-admin, root Tivoli Access Manager for Operating Systems. root Tivoli Access Manager Tivoli Access Manager for Operating Systems UNIX. osseal-auditors osseal-auditors Tivoli Access Manager. UNIX ossaudit. Tivoli Access Manager for Operating Systems osseal-auditors (root ossaudit). ossaudit ossaudit UNIX. Tivoli Access Manager osseal-auditors. osseal. osseal-auditors ossaudit Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems. osseal ID. osseal-unauth osseal-unauth Tivoli Access Manager. UNIX. Tivoli Access Manager. ACL. 96 IBM Tivoli Access Manager for Operating Systems:

113 pdosd-hostname Tivoli Access Manager policy policy. Tivoli Access Manager policy pdosd Tivoli Access Manager. Tivoli Access Manager for Operating Systems, DNS ( : pdosd-hostname ). DNS,. pdosd Tivoli Access Manager policy policy.. critical cred critical cred Tivoli Access Manager. pdoscfg critical_cred_group.. v. v. ( Tivoli Access Manager ). cred. UNIX. UNIX ID,. Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems policy. policy. Tivoli Access Manager for Operating Systems. /opt/pdos/bin 2. /opt/pdos/etc. policy, pdosbkup 3 97

114 pdosrstr,.. /opt/pdos/etc/trace Tivoli Access Manager for Operating Systems. osseal.conf pdosd.conf pdosd pdosauditd.conf pdosauditd pdoslrd.conf pdoslrd pdoslrd.xml pdoslrd pdoswdd.conf pdoswdd pdostecd.conf pdostecd pdossudo.conf pdossudo lpm.conf policy /opt/pdos/kernel Tivoli Access Manager for Operating Systems 2. /opt/pdos/lib. /opt/pdos/nls. /opt/pdos/sbin IBM Tivoli Access Manager for Operating Systems:

115 /var/pdos/audit Tivoli Access Manager for Operating Systems /var/pdos/audit/audit.log.
/var/pdos/azn authzn_replica.db Tivoli Policy Director policy.
/var/pdos/certs Tivoli Access Manager policy LDAP pdosd pdoslrd.
/var/pdos/cred Tivoli Access Manager.
/var/pdos/ffdc.
/var/pdos/hla IP look-aside.
/var/pdos/log (pdostecd ),,.
/var/pdos/login policy.
/var/pdos/lpm policy.
/var/pdos/pdosauditd pdosauditd.,.
/var/pdos/pdosbkup pdosbkup pdosrstr. pdosbkup.,.

116 /var/pdos/pdoscfg pdoscfg pdosucfg.,.
/var/pdos/pdosd pdosd.,.
/var/pdos/pdoslrd pdoslrd. (.lrp).
/var/pdos/pdosteccfg pdosteccfg pdostecufg.,.
/var/pdos/pdostecd pdostecd.,. pdostecd.
/var/pdos/pdoswdd pdoswdd.,.
/var/pdos/tcb Trusted Computing Base.
/var/pdos/tec Tivoli Enterprise Console.
/var/pdos/tracelogs Tivoli Access Manager for Operating Systems.
/var/pdos/uid UID GID ( )

117 /var/pdos/umsg Tivoli Access Manager for Operating Systems.
/var/pdos/watch pdosd, pdosauditd, pdoswdd, pdoslrd pdoslpmd.
policy Tivoli Access Manager for Operating Systems policy. once-only policy policy. policy Tivoli Access Manager for Operating Systems, ACL, /OSSEAL. per-machine policy. policy. per-policy policy policy. policy Trusted Computing Base, Tivoli Access Manager for Operating Systems ACL POP. Tivoli Access Manager for Operating Systems policy. policy. policy ACL ACL. policy policy Tivoli Access Manager for Operating Systems (Trusted Computing Base ). Trusted Computing Base 37 Trusted Computing Base.
osseal-audit ACL Tivoli Access Manager for Operating Systems /var/pdos/audit. /var/pdos/pdoslrd,

118 /var/pdos/pdostecd /var/pdos/tec. ACL osseal-auditors.
osseal-audit-exec ACL pdosaudview /opt/pdos/bin/pdosaudview. osseal-auditors..
osseal-credentials ACL Tivoli Access Manager for Operating Systems /var/pdos/cred /var/pdos/uuid. ACL, pdosrefresh pdosdestroy. Tivoli Access Manager for Operating Systems,. ACL osseal-admin.
osseal-default ACL. ACL Tivoli Access Manager for Operating Systems: /OSSEAL root. ACL Tivoli Access Manager.
osseal-default-file ACL, Tivoli Access Manager for Operating Systems ACL Tivoli Access Manager.
osseal-default-login ACL policy. ACL.
osseal-default-net-incoming ACL NetIncoming policy. ACL. (-net_acl_limited ), NetIncoming ACL osseal-default-file ACL ACL.

119 osseal-default-net-outgoing ACL NetOutgoing policy. ACL. (-net_acl_limited ), NetOutgoing ACL osseal-default-file ACL ACL.
osseal-default-sudo ACL Sudo policy. ACL Sudo.
osseal-default-surrogate ACL policy. ACL.
osseal-exec-open ACL /opt/pdos/lib /opt/pdos/nls, /opt/pdos/bin (pdosdestroy, pdosrefresh, pdossudo pdoswhoami). ACL Tivoli Access Manager for Operating Systems.
osseal-exec-root ACL /opt/pdos/bin/pdoslpmd, /opt/pdos/bin/pdostecd, /opt/pdos/bin/pdosshowmsg /opt/pdos/bin/rc.pdostecd. ACL root osseal-admin.
osseal-hla ACL Tivoli Access Manager for Operating Systems /var/pdos/hla IP. ACL pdoshla osseal-admin.
osseal-kazndrv ACL Tivoli Access Manager for Operating Systems /dev/kazndrv. Tivoli Access Manager for Operating Systems PAM. osseal-admin

120 osseal-logs ACL /var/pdos/log, /var/pdos/ffdc /var/pdos/tracelogs Tivoli Access Manager for Operating Systems. ACL osseal-admin, (o), (p) (U).
osseal-open ACL /opt/pdos/etc/lpm.conf /opt/pdos/etc/pdossudo.conf. ACL. osseal-admin ACL.
osseal-privileged-user ACL osseal UNIX. pdossudo osseal, osseal-admin. Sudo pdossudo osseal ACL. pdossudo osseal Sudo.
osseal-restricted ACL Tivoli Access Manager for Operating Systems. ACL osseal-admin,. ACL /opt/pdos/etc, /opt/pdos/etc/trace, /var/pdos/pdosbkup, /var/pdos/pdoscfg, /var/pdos/pdosteccfg /var/pdos/certs. : /opt/pdos/etc pdossudo.conf osseal-open ACL.
osseal-restricted-read ACL Tivoli Access Manager for Operating Systems. ACL osseal-admin (D), (r), (l), Kill(k) (x),. ACL /var/pdos /opt/pdos.

121 osseal-tcb ACL Tivoli Access Manager for Operating Systems /var/pdos/tcb TCB. ACL osseal-admin. osseal-admin pdosobjsig.
osseal-umsg ACL Tivoli Access Manager for Operating Systems /var/pdos/umsg. Tivoli Access Manager for Operating Systems.
osseal-var-lpm ACL /var/pdos/lpm /var/pdos/login. ACL /var/pdos/lpm. policy. osseal-admin ACL.
, Tivoli Access Manager for Operating Systems Tivoli Access Manager policy, Tivoli Access Manager (LDAP), UNIX ( : NIS), ( : DNS )., Tivoli Access Manager for Operating Systems...
v IBM Tivoli Access Manager for Operating Systems
v Tivoli Access Manager policy
v Tivoli Access Manager (LDAP)
v NIS
v DNS
Tivoli Access Manager for Operating Systems

122 Tivoli Access Manager policy Tivoli Access Manager for Operating Systems Tivoli Access Manager policy, pdosd policy. Tivoli Access Manager for Operating Systems Tivoli Access Manager policy policy policy Tivoli Access Manager for Operating Systems. pdosd Tivoli Access Manager policy 83. pdosd policy Trusted Computing Base policy. pdosd Tivoli Access Manager policy, policy policy. pdosd Tivoli Access Manager policy policy ( ). Tivoli Access Manager Tivoli Access Manager for Operating Systems Tivoli Access Manager (LDAP), PDOSD Tivoli Access Manager., pdosd,. pdosd 79. pdosd LDAP.. pdosd LDAP. pdosd LDAP,.. pdosd LDAP,. pdosd LDAP LDAP. Tivoli Access Manager LDAP. pdosd 106 IBM Tivoli Access Manager for Operating Systems:

123 . pdosd LDAP. UNIX UNIX ( : NIS).,. Tivoli Access Manager. UNIX ID UNIX NIS NIS+ UNIX UNIX. Tivoli Access Manager 3 UNIX ID Tivoli Access Manager ID. Tivoli Access Manager for Operating Systems,. Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems UNIX uid/gid /. UNIX uid/gid / pdosd UNIX, pdosd UNIX ID UNIX. UNIX pdosd Tivoli Access Manager (LDAP).., UNIX UNIX uid/gid UNIX /, UNIX uid/gid UNIX /. UNIX, Tivoli Access Manager for Operating Systems uid/gid. pdoscfg -uid on IBM Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems (DNS NIS)., IBM Tivoli Access Manager for Operating Systems Tivoli Access Manager policy, Tivoli Access Manager 3 107

124 , UNIX. Tivoli Access Manager for Operating Systems.. IP DNS Tivoli Access Manager for Operating Systems policy. policy pdosd IP DNS. Tivoli Access Manager for Operating Systems IP, pdosd., IP DNS. pdoshla IP DNS.. IP DNS,. pdoscfg -dns off /opt/pdos/etc/osseal.conf [cache] dns off. IBM Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems IP..,. Tivoli Access Manager for Operating Systems 6 IP,. IP, pdoshla. 108 IBM Tivoli Access Manager for Operating Systems:

125 4 pdoslrd.. v v v pdoslrd. /opt/pdos/etc/pdoslrd.xml.. pdoslradm. XML 1.0. : pdoslrd.xml UTF-8. UTF-8. UTF-8. en_us ASCII. pdoslrd... gerrywaix Tivoli Access Manager. LRD_ Output. file-admin.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Server SYSTEM "/opt/pdos/etc/pdoslrd.dtd">
<Server>
  <Router name="router 1" state="on">
    <Channel name="input" type="LRD_AuditInput" path="/var/pdos/audit/audit.log" state="on"/>
    <Channel name="file-admin" type="LRD_FileOutput" path="/var/pdos/pdoslrd/audit.out" format="keyvalue" state="off"/>
    <Channel name="mail-admin" type="LRD_ Output" server="devmail.dev.tivoli.com" port="25" address="admin@myhost.tivoli.com" filter="login-deny" state="on"/>
    <Channel name="netout-admin" type="LRD_NetOutput" server="gerrywaix.dev.tivoli.com" port="7136" compress="yes" state="on"/>
  </Router>
  <Filters>
    <Filter name="login-deny">
      <Conditional type="include">
        <Field name="resource_type" value="Login"/>
        <Field name="view" value="D"/>
      </Conditional>
    </Filter>
  </Filters>
</Server>

XML. v XML v v v v v v Conditional v Field XML XML..

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Server SYSTEM "/opt/pdos/etc/pdoslrd.dtd">

Server..

<Server> </Server>

127 completion_action.. rename,.lrd, delete. Router Router. Router. Router. <Router> </Router> name state hi_water batch_mode ( ).. ( )..., pdoslrd,. batch_mode pdoslradm,. pdoslradm..(.) 285 pdoslradm pdoslradm -b.

<Server>
  <Router name="router1" state="on" hi_water="500">
    <!-- Input channel definition -->
    <Channel name="audlog" type="LRD_AuditInput" path="/var/pdos/audit/audit.log" state="on" />
    <!-- Output channel -->
    <Channel name="file" type="LRD_FileOutput" path="/home/sysadmin/audit.out" format="concise" state="on"/>
  </Router>
</Server>

128 Channel Channel... Filter, Filter Conditional. Channel. Channel. <Channel.../> name type state path filter error format max_files rollover_size delimiter server port rebind ( ).. ( : LRD_FileOutput).. ( ).. ( )... ( ). [default=2] (LRD_FileOutput LRD_ Output ). concise, keyvalue verbose. [defaults: LRD_FileOutput=keyvalue; LRD_ Output=verbose] : pdosaudview... 0 (LRD_FileOutput ). [default=0] ( ).. 0 (LRD_FileOutput ). [default=0]. concise keyvalue ( ) (LRD_FileOutput LRD_ Output ). (LRD_ Output LRD_NetOutput ) (LRD_ Output LRD_NetOutput ). [defaults: LRD_ Output=25; LRD_NetOutput=7136]. (LRD_ Output LRD_NetOutput ). [defaults: LRD_ Output=60; LRD_NetOutput=300] 112 IBM Tivoli Access Manager for Operating Systems:

129 compress dn buffer flush_interval queue_size hi_water address ( ) (LRD_NetOutput ).. [default=no] (LRD_NetOutput ) ( ). (LRD_NetOutput ). [default=16384] (LRD_NetOutput ). [0=no limit; default=1000] (LRD_NetOutput ). [0=no limit; default=1000]. (LRD_NetOutput ). [default=2/3 x. 0, default =100] (LRD_ Output ) Filters.

<!-- This is an input channel that will read using the base file specified by the path -->
<Channel name="log_input" type="LRD_AuditInput" path="/var/pdos/audit/audit.log" state="on" />
<!-- This is an output channel that will write data records to the directory and file specified by the path. The format is the concise output of the pdosaudview command.-->
<Channel name="fileout1" type="LRD_FileOutput" path="/var/pdos/pdoslrd/audit.out" format="concise" state="on" />
<!-- This is an output channel that will write data records to . -->
<Channel name="mail1" type="LRD_ Output" server="mailserv.tivoli.com" port="25" address="bjxnes@us.ibm.com" state="on"/>
<!-- This is an output channel that will write data records to the server specified by server and port. The format is fixed for this destination and cannot be changed. -->
<Channel name="netout-admin" type="LRD_NetOutput" server="toasty.ibm.com" port="7136" state="on" />

Filter. Filter Filter.. <Filters> </Filters>

130 Filter Filter. Filter Conditional. Filter Filters. Filter. <Filter> </Filter> name

<Filters>
  <!-- This is a filter with an include type Conditional element. The record will be included if the value of the field "resource_type" is "Login" AND the value of the field "view" is "D" (for Deny) -->
  <Filter name="filter1">
    <Conditional type="include">
      <Field name="resource_type" value="Login" />
      <Field name="view" value="D" />
    </Conditional>
  </Filter>
  <!-- This is a filter with an exclude type Conditional element. The record will be excluded if the value of "view" is "Trace". -->
  <Filter name="filter2">
    <Conditional type="exclude">
      <Field name="view" value="Trace" />
    </Conditional>
  </Filter>
</Filters>

Conditional Conditional Filter. Filter Conditional. True Conditional. include Conditional true,. exclude Conditional true,. Conditional true., Field Field.

131 Filter Conditional true, Filter Conditional. include,. exclude,. <Conditional> </Conditional> type include exclude Field

<!-- include only records with resource_type=Login AND view=D OR records with outcome=F -->
<Filter name="filter1">
  <Conditional type="include">
    <Field name="resource_type" value="Login" />
    <Field name="view" value="D" />
  </Conditional>
  <Conditional type="include">
    <Field name="outcome" value="F" />
  </Conditional>
</Filter>

Field.. Field.. <Field.../> Field name value name2 value_list.. name. name name2. ( ). name

132 <!-- Field element used inside a Conditional element. -->
<!-- The value of a Field element is case-sensitive.-->
<!-- The record will be included if the value of field "view" is "D".-->
<Conditional type="include">
  <Field name="view" value="D"/>
</Conditional>
<!-- The record will be excluded if the value of the field "acc_name" is equal to the value of the field "acc_eff_name". -->
<Conditional type="exclude">
  <Field name="acc_name" name2="acc_eff_name" />
</Conditional>

. Field (value name2) Conditional (include exclude). /opt/pdos/etc/pdoslrd.xml.template. : Field value. value="abc*xyz" value="*xyz", value="xyz*" value="*xyz*". Conditional Field value="abc*" value="*xyz" abc*xyz. (?), (*)., value="a?b" "azb", "a1b", "aab". ( : value="a?c?e?"). Field name2. value.

<!--Include only login denies -->
<Filter name="login-deny">
  <Conditional type="include">
    <Field name="resource_type" value="Login"/>
    <Field name="view" value="D"/>
  </Conditional>
</Filter>
<!--Include only logins as root -->
<Filter name="root-login">
  <Conditional type="include">
    <Field name="resource_type" value="Login"/>
    <Field name="acc_name" value="root"/>
  </Conditional>
</Filter>
<!--Include only non-root logins -->
<Filter name="non-root-login">
  <Conditional type="exclude">
    <Field name="acc_name" value="root"/>
  </Conditional>
  <Conditional type="include">
    <Field name="resource_type" value="Login"/>
  </Conditional>
</Filter>
<!--Include only records where the accessor effective name is different from the accessor name. This indicates a user has changed to another user at some point in the past. This filter allows you to focus on all such activity. -->
<Filter name="su">
  <Conditional type="exclude">
    <Field name="acc_name" name2="acc_eff_name"/>
  </Conditional>
</Filter>
<!--Include only records where an account has been locked; either following the "three strikes and you're out" rule or using administrative action. -->
<Filter name="account-locked">
  <Conditional type="include">
    <Field name="event_id" value="2"/>
  </Conditional>
  <Conditional type="include">
    <Field name="event_id" value="3"/>
  </Conditional>
</Filter>
<!--Include only file access failures in the /etc directory. -->
<Filter name="etc-file-failures">
  <Conditional type="include">
    <Field name="resource_type" value="File"/>
    <Field name="view" value="D"/>
    <Field name="sys_res_name" value="/etc/*" />
  </Conditional>
</Filter>
<!--Include only records where a file has been marked untrusted. -->
<Filter name="file-untrust">
  <Conditional type="include">
    <Field name="event_id" value="22" />
  </Conditional>
</Filter>
<!--Include only records where AMOS has entered isolation mode. -->
<Filter name="isolation">
  <Conditional type="include">
    <Field name="event_id" value="12" />
  </Conditional>
</Filter>
<!--Include only records where a remote access attempt has failed due to Network Incoming Policy. -->
<Filter name="incoming">
  <Conditional type="include">
    <Field name="resource_type" value="NetIncoming" />
    <Field name="view" value="D" />
  </Conditional>
</Filter>

. LRD_AuditInput, LRD_FileOutput, LRD_ Output LRD_NetOutput

134 LRD_AuditInput Tivoli Access Manager for Operating Systems ( /var/pdos/audit/audit.log* ),. LRD_FileOutput,. LRD_ Output,. LRD_NetOutput, pdacld. (/opt/pdos/etc/pdoslrd.xml). LRD_AuditInput. LRD_AuditInput. Tivoli Access Manager for Operating Systems. /var/pdos/audit audit.log*. audit.log, audit.log. audit.log audit.log.yyyy-mm-dd-hh-mm-ss. pdoslrd /var/pdos/pdoslrd input_channel_name.lrp., input_channel_name. input.lrp. pdoslrd uniqifier. input_channel_name.lrp uniqifier /var/pdos/audit audit.log*.,. pdoslrd. input_channel_name.lrp audit.log*. 118 IBM Tivoli Access Manager for Operating Systems:

135 : uniqifier Tivoli Access Manager for Operating Systems.. ( ) 0 uniqifier., 0 uniqifier uniqifier.. LRD_FileOutput.. tail-f ( ). (gauge).. v v v pdoslrd.xml LRD_ Output..,.,,..,. LRD_NetOutput Tivoli Access Manager pdacld.. pdacld.. LRD_AuditInput LRD_NetOutput, Tivoli Access Manager API pdacld. pdacld pdacld 4 119

136 Tivoli Access Manager. /opt/policydirector/etc/ivalcd.conf aznapi.

[aznapi-configuration]
logcfg = remote.channel_name:file path=/var/policydirector/pdacld/amos_collection

, channel_name LRD_NetOutput ( : netout-admin)., pdacld.,. ivalcd.conf.

[aznapi-configuration]
logcfg = remote.channel_name.hostname1:file \
    path=/var/policydirector/pdacld/hostname1/amos_collection
logcfg = remote.channel_name.hostname2:file \
    path=/var/policydirector/pdacld/hostname2/amos_collection

hostname1 hostname2. pdacld, ivalcd.conf aznapi.

mode = remote

pdacld Tivoli Access Manager.. v v v Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems audit.log. keyvalue, concise verbose pdosaudview

137 v pdosaudview concise. keyvalue. (, ) v host_name.. v pdosaudview verbose concise keyvalue., audit_outcome verbose Success Failure, concise keyvalue S F. Concise keyvalue. event_id verbose v Concise (pdosaudview ) v Keyvalue (pdosaudview ) v Verbose (pdosaudview ) v. host_name concise. v. pdosaudview verbose.. v v. Field. v keyvalue. Field. v. C concise( keyvalue). E ( = LRD_ Output). N ( = LRD_NetOutput)

138 Keyvalue --- host_name --- E N local_domain LD E N time_stamp TS C E ID event_id E C E N V C N view_verb --- E R C N reason_verb --- E resource_type RT C E N acc_name AN C E N acc_eff_name AEN C E N A CEN P C N permissions_verb --- E Q CEN policy branch_name PBN C E N prot_obj_name PON C E N sys_res_name SRN C E N sname SN C E N ID net_rem_host_id NRH C E N net_protocol NP C E N net_service NS C E N ID login_location_id LL C E N ID accessor_pid APID C E N * run_prog_prot_name RPPN C E N * run_prog_sys_name RPSN C E N Sudo sudo_cmdargs SC C E N Sudo sudo_user SU C E N Sudo sudo_flags SF C E N param AP C E N TCB chg_attr_flags CDAF C E N Policy Epoch policy_epoch PE C E N Policy policy_version PVN C E N O C N outcome_verb --- E fail_status FS C E N uniqifier UQ C E N * prot_res_spec PRS C E N * acc_res_spec ARS C E N 122 IBM Tivoli Access Manager for Operating Systems:

139 Keyvalue *.. event_id view reason outcome resource_type P-permit D-deny A-admin I-info T-trace W-warning S- F-. Azn Process TCBCred Policy File Login Logout TraceExecTraceFilePassword NetIncoming NetOutgoing Surrogate Sudo 4 123

140 action qualifier Permissions. Check Access Add Delete Change Retrieve Apply Trust Untrust Start Stop Register TraceIsolated Not Isolated Login Logout Enable Disable ( : rwx). r-read w-write x-execute o-change ownership D-change directory p-change permission R-rename N-create d-delete U-utime K-kill L-login C-connect G-surrogate l-readdir T-traverse 124 IBM Tivoli Access Manager for Operating Systems:

141 . v : LRD FileOutput v : LRD Output v : LRD Output - LRD_FileOutput (Channel type= LRD_FileOutput) concise, keyvalue verbose. pdosaudview concise, keyvalue verbose. - LRD_ Output (Channel type=LRD_ Output) concise, keyvalue verbose...,..

Subject: audit record notification
The following audit record was sent by the log router daemon on host swing in local domain Default:
Timestamp                             Mon 29 Oct :35:45 PM CST
Audit Event                           An authorization decision was made.
Audit View                            Permit
Audit Reason                          Global Audit
Audit Resource Type                   File
Accessor Name                         root
Accessor Effective Name               root
Audit Action                          Check access
Audit Permissions                     read
Audit Qualifier                       All resource policy checks permitted access.
Policy Branch Name                    bvt
Protected Object Name                 File/opt/pdos
Systems Resource Name                 /usr/lib/liblpm.so
Accessor Process ID                   1233
Running Program System Resource Name  /usr/sbin/in.telnetd
Audit Outcome                         Success
Audit Uniqifier                       1

- LRD_NetOutput LRD_NetOutput. pdacld.. host_name, local_domain pdosaudview concise. (, pdosaudview concise(keyvalue

142 verbose).) UTF-8. pdacld..,.,.. pdacld. rollover_size. ( ). LRD_FileOutput. 0. audit.log.,,., auditout auditout max_files... max_files 0.. pdacld ivalcd.conf ( ). logcfg = remote.netout.aushat12:file path = /home/amos/collection,rollover_size= :... LRD_NetOutput. pdacld,.,. 126 IBM Tivoli Access Manager for Operating Systems:

143 5 Tivoli Access Manager for Operating Systems,.. v Tivoli Access Manager v, TCB(Trusted Computing Base), look-aside Tivoli Access Manager for Operating Systems v policy Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems Tivoli Tivoli. Tivoli Access Manager for Operating Systems. v 128 v 128 v 131 v 133 policy v 134 v 136 policy v 141 Trusted Computing Base v 145 policy v 148 v 150 ID v 152 look-aside v 153 Copyright IBM Corp. 2000,

144 Tivoli Access Manager for Operating Systems.. v Tivoli Access Manager osseal-admin v UNIX osseal Tivoli Access Manager for Operating Systems.. v Tivoli Access Manager osseal-auditors v UNIX ossaudit pdosaudview /var/pdos/audit /var/pdos/tec.. Tivoli Access Manager for Operating Systems Tivoli Access Manager. Tivoli Access Manager for Operating Systems, Tivoli Access Manager LDAP. Tivoli Access Manager for Operating Systems ID Tivoli Access Manager. ID. Tivoli Access Manager. Tivoli Access Manager. ID Tivoli Access Manager for Operating Systems. : Tivoli Access Manager for Operating Systems. Tivoli Access Manager,., Tivoli Access Manager. 3 UNIX ID Tivoli Access Manager ID 128 IBM Tivoli Access Manager for Operating Systems:

145 . pdosrgyimp Tivoli Access Manager..., ACL. policy. IBM Tivoli Access Manager for Operating Systems policy., Tivoli Access Manager UNIX. policy., policy., Tivoli Access Manager.. policy., ( ) Tivoli Access Manager.. 1. Tivoli Access Manager , A maggie Maggie Smith B maggie Maggie Smith. maggie, Tivoli Access Manager.., A riley Riley Smith B riley Riley Jones. riley, Tivoli Access Manager. 3 UNIX ID Tivoli Access Manager ID. UNIX. pdosrgyimp UNIX, UNIX pdosrgyimp. pdosrgyimp 5 129

146 293 pdosrgyimp. pdosrgyimp UNIX UNIX. UNIX.. pdosrgyimp -S o=tivoli -l login-id UNIX,., UNIX UNIX.. pdosrgyimp -S o=tivoli -l login-id -E excludefilename UNIX,., UNIX.. pdosrgyimp -S o=tivoli -l login_id -I includefilename UNIX -u -g..,.,.... pdosrgyimp -S o=tivoli -l login_id -I includefilename -E excludefilename pdosrgyimp. pdosrgyimp.import pdadmin. pdosrgyimp.conflict pdadmin. Tivoli Access Manager. pdosrgyimp.conflict. pdosrgyimp, pdosrgyimp.conflict., pdadmin. pdadmin -a login_id -p password < pdosrgyimp.conflict -n pdosrgyimp pdadmin.. -n pdosrgyimp. pdadmin pdosrgyimp.import. 130 IBM Tivoli Access Manager for Operating Systems:

147 Tivoli Access Manager for Operating Systems pdoscfg. pdoscfg Tivoli Access Manager for Operating Systems.,, ACL, (look-aside) ID. Trusted Computing Base. Tivoli Access Manager for Operating Systems.., LDAP. pdoscfg. policy. pdosucfg Tivoli Access Manager for Operating Systems. 254 pdoscfg pdoscfg. Tivoli Access Manager for Operating Systems. daemon_name.conf. osseal.conf. attribute=value. 40 pdoscfg.,, ACL, (look-aside) ID.,.

40. osseal.conf pdoscfg
[audit]
    level -audit_level
    permit_actions -audit_permit_actions
    deny_actions -audit_deny_actions
[authorization]
    warning -warning
[cache]
    dns -dns
    uid -uid
[policy]
    branch -branch
[ffdc]
    capture -ffdc_capture

41. pdosd.conf pdoscfg
[ldap]
    ssl-certificate -ldap_ssl_cacert
[pdoscfg]
    autostart -autostart
    login-policy -login_policy
    net-acl-limited -net_acl_limited
[pdosd]
    kmsg-handler-threads -kmsg_hnd_threads
    log-entries -pdosd_log_entries
    logs -pdosd_logs
    init-wait-minutes -pdosd_init_wait
[credentials]
    admin-cred-refresh -admin_cred_refresh
    cred-hold -cred_hold
    user-cred-refresh -user_cred_refresh
    critical-cred-refresh -critical_cred_refresh
    cred-response-wait -cred_response_wait
    critical-cred-group -critical_cred_group
[policy]
    refresh-interval -refresh_interval
[ssl]
    ssl-listening-port -ssl_listening_port
[tcb]
    interval -tcb_interval
    max-checksum-file-size -tcb_max_file_size
    monitor-threads -tcb_monitor_threads
    tcb_nocrc_on_exec -tcb_nocrc_on_exec
    tcb_ignore_ctime -tcb_ignore_ctime

42. pdosauditd.conf pdoscfg
[pdosauditd]
    log-entries -pdosauditd_log_entries
    audit-logflush -audit_logflush
    logs -pdosauditd_logs
    audit-logsize -audit_log_size

43. pdoswdd.conf pdoscfg
[pdoswdd]
    log-entries -pdoswdd_log_entries
    logs -pdoswdd_logs

44. pdoslrd.conf pdoscfg
[pdoslrd]
    log-entries -pdoslrd_log_entries
    logs -pdoslrd_logs

149 pdoscfg pdosctl. pdoscfg. Tivoli Access Manager for Operating Systems. pdosctl Tivoli Access Manager for Operating Systems.. pdoscfg pdosctl. policy ACL ACL. OSSEAL ACL., /OSSEAL/policy-branch/File ACL., ACL OSSEAL /OSSEAL/policy-branch/NetIncoming /OSSEAL/policy-branch/NetOutgoing ACL. pdoscfg -net_acl_limited. #pdoscfg -net_acl_limited on. #pdoscfg -net_acl_limited off Tivoli Access Manager for Operating Systems /OSSEAL/policy-branch/NetIncoming /OSSEAL/policy-branch/NetOutgoing ACL., policy /OSSEAL/policy-branch/NetIncoming /OSSEAL/policy-branch/NetOutgoing. policy Tivoli Access Manager for Operating Systems policy branch LDAP. policy policy LDAP

150 pdadmin Tivoli Web Portal Manager Tivoli Access Manager for Operating Systems. policy branch. pdadmin> group show-members pdosd-branch/policy-branch policy. pdadmin> user show-groups pdosd/hostname, pdosd-branch/policy-branch. Tivoli Access Manager for Operating Systems,,. Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems. policy Tivoli Access Manager for Operating Systems.. pdoscfg -autostart on Tivoli Access Manager for Operating Systems.. pdoscfg -autostart off Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. rc.osseal start : Tivoli Access Manager for Operating Systems,., Tivoli Access Manager for Operating Systems. -autostart off pdoscfg. 134 IBM Tivoli Access Manager for Operating Systems:

151 Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems.. rc.osseal stop pdosctl., pdosauditd. pdosctl -k., pdosauditd. pdosctl -k pdosauditd pdosauditd shutdown. rc.osseal start. pdosd, pdosauditd, pdoswdd, pdoslpmd, pdoslrd pdosctl. -s. -s. -s. -q -s. -q -s, q pdosctl.. pdosctl -s. pdosd ( ). pdoswdd ( ). pdosauditd ( ). pdoslpmd ( ). pdoslrd ( ). pdosd,. pdosd ( ). policy. pdoswdd ( ). pdosauditd ( ). pdoslpmd ( ). pdoslrd ( ). : pdosctl pdostecd. Tivoli Access Manager for Operating Systems. UTC

152 , Tivoli Access Manager for Operating Systems,.,,. /var/pdos/log msg pdos-daemon-name.log. ( Tivoli Access Manager for Operating Systems, 4.1..). IBM Tivoli Access Manager for Operating Systems. pdoscfg. (pdosd, pdosauditd, pdoswdd pdoslrd), pdoscfg msg pdosd.log msg pdoswdd.log msg pdosauditd.log msg pdoslpmd.log msg pdoslrd.log -pdosd_log_entries -pdosd_logs -pdoswdd_log_entries -pdoswdd_logs -pdosauditd_log_entries -pdosauditd_logs -pdoslrd_log_entries -pdoslrd_logs : pdostecd pdoscfg. policy policy, policy policy. policy. policy policy policy., policy. policy. policy. 136 IBM Tivoli Access Manager for Operating Systems:

153 :,.,.,. pdosctl -w on. pdosctl -w off Tivoli Access Manager for Operating Systems. pdoscfg -warning on. pdoscfg -warning off -w. pdosctl -w. The global warning mode setting is off,, POP(Protected Object Policy)., POP. POP.,., /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com.
pdadmin> pop create sample_pop
pdadmin> pop modify sample_pop set warning yes
pdadmin> pop attach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com sample_pop
*.company.com Telnet NetIncoming,.., no POP. POP,

154 pdadmin> pop modify sample_pop set warning no. POP POP, POP. pdadmin> pop detach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com sample_pop POP. pdadmin> pop show pop_name policy policy.. policy. policy permit, deny, loginpermit logindeny. policy permit deny., OSSEAL ( : ) permit deny pdosaudview. pdosaudview 248 pdosaudview. pdosaudview Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems. pdoscfg -audit_level level level. policy permit, deny, loginpermit logindeny. pdosctl. -A. -A,. -a. -a 138 IBM Tivoli Access Manager for Operating Systems:

155 . -a -A on off (:). on off, on. all, none, permit, deny, loginpermit, logindeny, admin, verbose, info, trace_exec trace_file.. pdosctl -A level:[on off]. pdosctl -a level:[on off]. pdosctl -A permit:on -A deny:on admin deny. pdosctl -a admin deny:on., -a -A pdosd, pdoslpmd, pdoslrd, pdosauditd pdoswdd.. pdosctl -a. pdosd.(permit, deny, admin) pdoswdd.(permit, deny, admin) pdoslpmd.(permit, deny, admin) pdoslrd.(permit, deny, admin) pdosauditd.(permit, deny, admin), POP POP.. policy. v permit v deny

156 , sample_pop POP /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com permit deny.
pdadmin> pop modify sample_pop set audit-level permit,deny
pdadmin> pop attach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com sample_pop
*.company.com Telnet NetIncoming.., none POP. POP, none.
pdadmin> pop modify sample_pop set audit-level none
POP POP, POP.
pdadmin> pop detach /OSSEAL/Default/NetIncoming/TCP/telnet/*.company.com
POP.
pdadmin> pop show pop_name
Tivoli Access Manager for Operating Systems, Tivoli Access Manager for Operating Systems policy. pdosunauth. pdosunauth 314 pdosunauth. policy.,. pdosunauth.
1.. pdoswhoami -a. 0 root
2. pdosunauth IBM Tivoli Access Manager for Operating Systems. pdosunauth
3. pdoswhoami. pdoswhoami -a

157 . Unauthenticated Tivoli Access Manager for Operating Systems. policy. : pdosunauth.. Trusted Computing Base TCB(Trusted Computing Base) policy. TCB, ACL. TCB. pdosd Trusted Computing Base. pdosd,. TCB.. TCB. pdosd Trusted Computing Base pdoscfg Trusted Computing Base. tcb_interval Trusted Computing Base ( ). Trusted Computing Base,. tcb_max_file_size. tcb_monitor_threads. tcb_ignore_ctime Trusted Computing Base ctime. ctime Trusted Computing Base

158 tcb_nocrc_on_exec TCB CRC. 2 CRC. Tivoli Access Manager for Operating Systems [tcb] /opt/pdos/etc/pdosd.conf. pdoscfg. IBM Tivoli Access Manager for Operating Systems. pdoscfg 254 pdoscfg. Trusted Computing Base pdosobjsig. -l.,. -n. -g. pdosobjsig Trusted Computing Base. -c -C.. -c. -C. -u -s -S. -u. -S., Trusted Computing Base /usr/local/app/bin/examplebinaryA.
1..
pdadmin> object create \
    /OSSEAL/<policy-branch>/TCB/Secure-Programs/usr/local/app/bin/examplebinaryA
2. TCB,. TCB,.
pdosobjsig -u /usr/local/app/bin/examplebinaryA -s trusted
example binarya, Tivoli Access Manager for Operating Systems Trusted Computing Base.,

159 ., examplebinaryA.
pdosobjsig -u /usr/local/app/bin/examplebinaryA -s trusted
Trusted Computing Base Trusted Computing Base., pdosd. pdosobjsig -C.,. pdosobjsig., pdosobjsig -l.,,. -n., pdosobjsig -S. pdosobjsig -u objname -s. 2 Trusted Computing Base
pdosobjsig -l untrusted > untrusted.output
,...
pdosobjsig -C
4..
pdosobjsig -n -l untrusted > after.upgrade.untrusted.output

160 . pdosobjsig -S trusted Tivoli Access Manager for Operating Systems. Trusted Computing Base policy pdosobjsig -l untrusted 2. Tivoli Access Manager for Operating Systems.. rc.osseal stop policy. PAM Tivoli Access Manager for Operating Systems. login policy. pdoscfg -login_policy off,. pdosd.. pdoscfg -autostart off , Trusted Computing Base. pdosobjsig -C IBM Tivoli Access Manager for Operating Systems:

161 5.. pdosobjsig -n -l untrusted > after.upgrade.untrusted.output pdosobjsig -S trusted 7. 2 policy. pdoscfg -autostart on -login_policy on 8. Tivoli Access Manager for Operating Systems.. policy Tivoli Access Manager for Operating Systems policy. pdoslpadm. policy, policy. pdoslpadm -r. -r. # pdoslpadm -r (uid) <: > gbland(1114) root(0) uduck(1118) -f. gbland uduck ID. # pdoslpadm -r -f gbland uduck id 1114, gbland : : : Sun 02 Dec :53:01 PM CST : 0 : Thu 08 Nov :00:00 AM CST 5 145

162 : (): 0(0) id 1118, uduck : : : Sun 02 Dec :09:25 PM CST : 0 : Thu 04 Oct :00:00 AM CDT : 1: TTY : /dev/pts/4 rhost : bigserv.mycomp.com ruser : pid: 657( ) : Sun 02 Dec :04:22 PM CST (): 0(10) policy. Tivoli Access Manager for Operating Systems pdoslpadm -l. bsmith ID. pdoslpadm -l bsmith policy -u. pdoslpadm -u bsmith policy. UNIX.. HP-UX ( : NIS, NIS+ DCE). Tivoli Access Manager for Operating Systems pdoslpadm -m. ( : (grace login) policy policy) policy. 146 IBM Tivoli Access Manager for Operating Systems:

163 policy policy.. Tivoli Access Manager for Operating Systems policy.,. 1. ( : AIX mkuser, Solaris useradd). 2. policy, pdoslpadm -m., policy MinPasswordDays. policy. policy NIS 146, NIS policy. pdoslpadm -m,. Tivoli Access Manager for Operating Systems NIS NIS. NIS NIS. ID NIS NIS. pdoslpadm -c on -n server NIS passwd. NIS cron passwd passwdchg. NIS NIS passwdchg NIS

164 pdoslpadm -c on -n client NIS NIS -c off. Tivoli Access Manager for Operating Systems, Tivoli Access Manager. pdosd. pdoscfg pdosd. user_cred_refresh ( )... admin_cred_refresh Tivoli Access Manager for Operating Systems.. cred_hold ( )... cred-hold user-cred-refresh. critical_cred_refresh... critical_cred_group Tivoli Access Manager IBM Tivoli Access Manager for Operating Systems:

165 . (Tivoli Access Manager osseal-admin ). cred_response_wait pdosd IBM Tivoli Access Manager ( ) Tivoli Access Manager for Operating Systems [credentials] /opt/pdos/etc/pdosd.conf.,. pdoscfg, Tivoli Access Manager for Operating Systems. pdoscfg 254 pdoscfg. Tivoli Access Manager for Operating Systems Tivoli Access Manager... pdosrefresh,. pdosrefresh. UID.,. -C. sally riley Tivoli Access Manager.. 1. sally riley. pdosrefresh -n sally -n riley 2. sally riley pdosrefresh. 3.. pdosrefresh -C 5 149

166 pdosdestroy. pdosdestroy. UID... pdosdestroy UID 300 sally riley. pdosdestroy -n sally -u 300 ID Tivoli Access Manager for Operating Systems ID. pdoswhoami Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. -n ID. -a ID. -l,,,. pdoswhois ID(PID) Tivoli Access Manager for Operating Systems. PID pdoswhois. PID, ID. -l,,,. pdoswhoami pdoswhois sally Tivoli Access Manager for Operating Systems. sally. pdoswhoami -l. 150 IBM Tivoli Access Manager for Operating Systems:

167 106 sally. osseal-testers osseal-developers Sat Nov 4 14:07: Sun Nov 5 02:07: Sat Nov 4 14:07: Sat Nov 11 14:07: root (, Tivoli Access Manager for Operating Systems ). pdoswhoami -l. 0 root. osseal-admin osseal-auditors Sat Nov 4 11:52: Sat Nov 4 14:12: ID pdoswhois PID. UID = 106, = sally PID. UID = 300, = riley. ID UNIX ID Tivoli Access Manager for Operating Systems ID UNIX ID., su UNIX ID Tivoli Access Manager for Operating Systems ID. setuid setgid UNIX ID Tivoli Access Manager for Operating Systems ID ID., user sally ID /bin/su., Tivoli Access Manager for Operating Systems ID sally UNIX ID. sally. id uid = 106(sally) 5 151

168 pdoswhoami -a 106 sally /bin/su /bin/su. id uid=0(root) pdoswhoami -a 106 sally look-aside IP Tivoli Access Manager for Operating Systems look-aside.. Tivoli Access Manager for Operating Systems. -dns off look-aside pdoscfg. pdoscfg look-aside Tivoli Access Manager for Operating Systems. look-aside. pdoscfg -dns on look-aside. pdoscfg -dns off pdoshla.,. pdoshla,,. -l. all, stale fresh. -a IP. 152 IBM Tivoli Access Manager for Operating Systems:

169 -H,. 6(21600 ). -T. -F. -f. -r. -u. pdoshla pdoshla. 1. IP pdoshla -a pdoshla -l all. # Internet Address Hostname test1.austin.lab.tivoli.com office1.tivoli.com test3.austin.lab.tivoli.com 3.. pdoshla -l stale. # Internet Address Hostname test3.austin.lab.tivoli.com 4.. pdoshla -f 5.. pdoshla -u pdosbkup pdosrstr IBM Tivoli Access Manager for Operating Systems

170 Tivoli Access Manager for Operating Systems. pdosbkup. pdosbkup /opt/pdos/etc/pdosbkuplist. -x /opt/pdos/etc/pdosbkuplistx.., (/var/pdos/pdosbkup/pdosbkupddmmmyyyy.hh_mm_ss.tar)., :34:56. /var/pdos/pdosbkup/pdosbkup19nov _34_56.tar -p. -f. Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems. 1.. pdosbkup 2.. pdosbkup -x Tivoli Access Manager for Operating Systems pdosrstr pdosbkup Tivoli Access Manager for Operating Systems. -f. Tivoli Access Manager for Operating Systems. 1. pdosbkup25oct _32_41.tar. pdosrstr -f /var/pdos/pdosbkup/pdosbkup25oct _32_41.tar 154 IBM Tivoli Access Manager for Operating Systems:

171 6 Tivoli IBM Tivoli Access Manager for Operating Systems. IBM Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems PDOS Task Tivoli. Tivoli Tivoli Access Manager for Operating Systems. PDOS Task Policy Director Region policy region. : Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. ID Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems,.., Tivoli Management Framework. ( : ).,, Stage.., Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems (PDOS) Copyright IBM Corp. 2000,

172 . Subscribe PDOS Endpoints Tivoli Access Manager for Operating Systems PDOS..., Tivoli Access Manager for Operating Systems., Tivoli Management Framework. Tivoli Access Manager for Operating Systems.. : PDOS Policy Director for Operating Systems Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. 46. IBM Tivoli Access Manager for Operating Systems PDOS / / admin PDOS admin user PDOS admin PDOS admin PDOS admin PDOS policy admin PDOS admin PDOS TCB admin PDOS admin user UNIX TCB admin UNIX admin PDOS admin PDOS admin PDOS TCB admin PDOS admin admin PDOS policy admin PDOS admin PDOS TCB admin PDOS admin 156 IBM Tivoli Access Manager for Operating Systems:

173 46. IBM Tivoli Access Manager for Operating Systems () PDOS admin PDOS admin Setup TEC Event Server for PDOS admin, senior, super PDOS admin PDOS / admin PDOS admin PDOS admin PDOS admin PDOS admin PDOS TCB admin TEC admin TEC admin PDOS admin PDOS admin wrunjob wruntask wrunjob wruntask IBM Tivoli Access Manager for Operating Systems, wschedjob. IBM Tivoli Access Manager for Operating Systems wruntask wrunjob.,. wruntask wrunjob, wschedjob Tivoli Management Framework Reference Manual. PDOS / / Tivoli Access Manager for Operating Systems. UNIX osseal Tivoli Access Manager osseal-admin. UNIX ossaudit Tivoli Access Manager osseal-auditors. osseal. ossaudit. osseal-auditors osseal-admin, Tivoli Access Manager for Operating Systems 6 Tivoli 157

174 . osseal-auditors osseal-admin Tivoli Access Manager. : Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. ID Tivoli Access Manager for Operating Systems., Tivoli Management Framework. PDOS / /. 2. PDOS / /. 1. osseal-auditors osseal-admin, , IBM Tivoli Access Manager for Operating Systems:

175 wrunjob wruntask wrunjob wruntask. wrunjob Add/Remove PDOS Auditors/Administrators -l PDOS Tasks -a pd_admin_id -a pd_admin_passwd -a account -a action -a ossaudit -a osseal_auditors -a osseal -a osseal_admin wruntask -t Add/Remove PDOS Auditors/Administrators -l PDOS Tasks -a pd_admin_id -a pd_admin_passwd -a account -a action -a ossaudit -a osseal_auditors -a osseal -a osseal_admin -h task_endpoint, pd_admin_id Tivoli Access Manager. osseal_auditors osseal_admin True. pd_admin_passwd. osseal_audits osseal_admin True. account.. action.. ossaudit TRUE UNIX ossaudit. TRUE FALSE. osseal_auditors TRUE Tivoli Access Manager osseal-auditors. TRUE FALSE. osseal TRUE UNIX osseal. TRUE FALSE. osseal_admin TRUE Tivoli Access Manager osseal-admin. TRUE FALSE. 6 Tivoli 159

176 task_endpoint,.,. PDOS Tivoli Access Manager for Operating Systems.., /var/pdos/pdosbkup. date.., /var/pdos/pdosbkup/pdosbkup%m%d%y.tar., Tivoli Access Manager. Tivoli Access Manager. PDOS. 3. PDOS. 1. Tivoli Access Manager for Operating Systems.., /var/pdos/backup. date.., /var/pdos/pdosbkup/pdosbkup%m%d%y.tar. 160 IBM Tivoli Access Manager for Operating Systems:

177 2.,. 3.. wrunjob wruntask wrunjob wruntask. wrunjob Backup PDOS Database -l PDOS Tasks -a file_name -a extended_backup wruntask -t Backup PDOS Database -l PDOS Tasks -a file_name -a extended_backup -h task_endpoint, file_name.,. extended_backup. TRUE FALSE. task_endpoint,.,. Tivoli Access Manager for Operating Systems Tivoli Access Manager Tivoli Access Manager for Operating Systems CA. Tivoli Access Manager for Operating Systems LDAP SSL LDAP SSL Tivoli Access Manager policy CA. Tivoli Access Manager CA policy, policy Tivoli 161

178 LDAP SSL. TMR(Tivoli Management Region).. 2. Policy. TMR(Tivoli Management Region) wrunjob wruntask wrunjob wruntask. wrunjob Certificate_Transfer -l PDOS Tasks -a ldap_certificate -a pd_certificate -a dest_directory -a dest_system [-a dest_system,...] wruntask -t Certificate_Transfer -l PDOS Tasks -a ldap_certificate -a pd_certificate -a dest_directory -a dest_system [-a dest_system,...] -h task_endpoint 162 IBM Tivoli Access Manager for Operating Systems:

179 : Tivoli Access Manager for Operating Systems,. ( : FTP) Tivoli Access Manager for Operating Systems,., ldap_certificate pd_certificate dest_directory dest_system task_endpoint LDAP SSL. Tivoli Access Manager... system (Endpoint) system(managednode)... PDOS Tivoli Access Manager for Operating Systems..,. Tivoli Access Manager for Operating Systems. PDOS. 6 Tivoli 163

180 5. PDOS Tivoli Access Manager for Operating Systems,., Tivoli Access Manager for Operating Systems. 3.. wrunjob wruntask wrunjob wruntask. wrunjob Configure PDOS Auditing -l PDOS Tasks -a apply_now -a size -a frequency wruntask -t Configure PDOS Auditing -l PDOS Tasks -a apply_now -a size -a frequency -h task_endpoint, apply_now size frequency Tivoli Access Manager for Operating Systems. TRUE FALSE. ( ).,. ( ).,. 164 IBM Tivoli Access Manager for Operating Systems:

181 task_endpoint,.,. PDOS Tivoli Access Manager for Operating Systems.,,,, LDAP,, 8.,. Tivoli Access Manager for Operating Systems. PDOS. 6. PDOS Tivoli 165

182 2. Tivoli Access Manager for Operating Systems IP, IP. 3. Tivoli Access Manager for Operating Systems / / ID, uid/gid. 4. Tivoli Access Manager for Operating Systems,., Tivoli Access Manager for Operating Systems. 5.. wrunjob wruntask wrunjob wruntask. wrunjob Configure PDOS Caching -l PDOS Tasks -a apply_now -a admin_refresh -a user_refresh -a user_cred_hold -a cache_hosts -a cache_users-a crit_cred_group -a crit_cred_refresh -a cred_response_wait wruntask -t Configure PDOS Caching -l PDOS Tasks -a apply_now -a admin_refresh -a user_refresh -a user_cred_hold -a cache_hosts -a cache_users -a crit_cred_group -a crit_cred_refresh-a cred_response_wait -h task endpoint, apply_now Tivoli Access Manager for Operating Systems. TRUE FALSE. admin_refresh ( ).,. user_refresh ( ).,. user_cred_hold ( )..,. cache_hosts. TRUE FALSE. 166 IBM Tivoli Access Manager for Operating Systems:

183 cache_users. TRUE FALSE. crit_cred_group Tivoli Access Manager for Operating Systems. crit_cred_refresh ( ). cred_response_wait LDAP ( ). task_endpoint,.,. PDOS Tivoli Access Manager for Operating Systems. 8. Tivoli Access Manager for Operating Systems daemons, pdosd, pdoswdd, pdosauditd pdoslrd.,. Tivoli Access Manager for Operating Systems. PDOS. 6 Tivoli 167

184 7. PDOS. 1..,. 2. Tivoli Access Manager for Operating Systems,., Tivoli Access Manager for Operating Systems. 3.. wrunjob wruntask wrunjob wruntask. 168 IBM Tivoli Access Manager for Operating Systems:

185 wrunjob Configure PDOS Logging -l PDOS Tasks -a apply_now -a pdosd_logs -a pdosd_entries -a pdoswdd_logs -a pdoswdd_entries -a pdosauditd_logs -a pdosauditd_entries -a pdoslrd_logs -a pdoslrd_entries wruntask -t Configure PDOS Logging -l PDOS Tasks -a apply_now -a pdosd_logs -a pdosd_entries -a pdoswdd_logs -a pdoswdd_entries -a pdosauditd_logs -a pdosauditd_entries -a pdoslrd_logs -a pdoslrd_entries -h task_endpoint, apply_now pdosd_logs pdosd_entries pdoswdd_logs Tivoli Access Manager for Operating Systems. TRUE FALSE. pdosd.,. pdosd.,. pdoswdd.,. pdoswdd_entries pdoswdd.,. pdosauditd_logs pdosauditd.,. pdosauditd_entries pdosauditd.,. pdoslrd_logs pdoslrd.,. pdoslrd_entries pdoslrd.,. task_endpoint,.,. 6 Tivoli 169

186 PDOS policy Tivoli Access Manager for Operating Systems policy. policy. v Tivoli Access Manager for Operating Systems policy.,. v,. PDOS policy. 8. PDOS policy. 1. Tivoli Access Manager for Operating Systems policy IBM Tivoli Access Manager for Operating Systems:

187 wrunjob wruntask wrunjob wruntask. wrunjob Configure PDOS Login and Password Policy -l PDOS Tasks -a enable_login -a account -a action wruntask -t Configure PDOS Login and Password Policy -l PDOS Tasks -a enable_login -a account -a action -h task_endpoint, enable_login Tivoli Access Manager for Operating Systems policy. TRUE FALSE.,. account,. action. DELETE, LOCK, UNLOCK CHANGEDATE. task_endpoint,.,. PDOS Tivoli Access Manager for Operating Systems. 8. v Tivoli Access Manager for Operating Systems policy v policy ( ) v v v LDAP v Tivoli Access Manager for Operating Systems 6 Tivoli 171

188 v Tivoli Access Manager for Operating Systems v Tivoli Access Manager for Operating Systems,. PDOS. 9. PDOS. 1. policy Tivoli Access Manager for Operating Systems. Policy 0 policy.,. Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Operating Systems:

189 , policy Tivoli Access Manager policy Tivoli Access Manager for Operating Systems. Policy, 0 policy.,. 3. Tivoli Access Manager for Operating Systems.,. 4...,. 5. LDAP SSL CA LDAP.,. 6. Tivoli Access Manager for Operating Systems. 7. Tivoli Access Manager for Operating Systems PDOS.,. 8.. Tivoli Access Manager. Tivoli Access Manager. pdosd. 9.. Tivoli Access Manager for Operating Systems. wrunjob wruntask wrunjob wruntask. wrunjob Configure PDOS Server -l PDOS Tasks -a notification_port -a password-a refresh_interval -a login_policy -a threads -a ldap_certificate -a autostart -a password -a first_failure -a lrd_config -a lrd_local_domain -a lrd_admin_name -a lrd_admin_pwd wruntask -t Configure PDOS Server -l PDOS Tasks -a notification_port -a password -a refresh_interval -a login_policy -a threads -a ldap_certificate -a autostart -a password -a first_failure -a lrd_config -a lrd_local_domain -a lrd_admin_name -a lrd_admin_pwd -h task_endpoint 6 Tivoli 173

190 , notification_port refresh_interval login_policy threads password ldap_certificate autostart first_failure lrd_config lrd_local_domain policy. 0 policy.,. password. Tivoli Access Manager policy policy ( ). 0 policy.,. Tivoli Access Manager for Operating Systems. TRUE, FALSE..,.. Tivoli Access Manager for Operating Systems, 4.1. LDAP..,. password. Tivoli Access Manager for Operating Systems. TRUE, FALSE. Tivoli Access Manager for Operating Systems. TRUE FALSE. Tivoli Access Manager for Operating Systems. TRUE, FALSE. Tivoli Access Manager 174 IBM Tivoli Access Manager for Operating Systems:

191 . pdosd. lrd_admin_name lrd_admin_pwd task_endpoint Tivoli Access Manager. Tivoli Access Manager.,.,. PDOS TCB TCB(Trusted Computing Base) Tivoli Access Manager for Operating Systems. 5. v v ( ) v (TCB ) (MB ) v TCB ctime v CRC(Cyclic Redundancy Check),. Tivoli Access Manager for Operating Systems. PDOS TCB. 6 Tivoli 175

192 10. PDOS TCB. 1..,. 2. Tivoli Access Manager for Operating Systems,., Tivoli Access Manager for Operating Systems. 3.. wrunjob wruntask wrunjob wruntask. wrunjob Configure PDOS TCB -l PDOS Tasks -a apply_now -a threads -a interval -a checksum_max_size -a ignore_ctime -a nocrc_on_exec wruntask -t Configure PDOS TCB -l PDOS Tasks -a apply_now -a threads -a interval -a checksum_max_size -a ignore_ctime -a nocrc_on_exec -h task_endpoint, apply_now Tivoli Access Manager for Operating Systems. TRUE FALSE. 176 IBM Tivoli Access Manager for Operating Systems:

193 threads interval TCB.,. TCB ( ).,. checksum_max_size (TCB ) (MB )..,. ignore_ctime nocrc_on_exec task_endpoint TRUE( ) ctime TCB. ctime TCB. TRUE FALSE. FALSE. TRUE( ) Tivoli Access Manager for Operating Systems TCB CRC. TRUE FALSE. FALSE.,.,. PDOS Tivoli Access Manager for Operating Systems IP /.,. PDOS. 6 Tivoli 177

194 11. PDOS. 1. (, ). 2.. wrunjob wruntask wrunjob wruntask. wrunjob Display PDOS Hostname Cache -l PDOS Tasks -a display_valid -a display_stale wruntask -t Display PDOS Hostname Cache -l PDOS Tasks -a display_valid -a display_stale -h task_endpoint, display_valid display_stale task_endpoint. TRUE FALSE.. TRUE FALSE.,.,. pdoslrd.xml Tivoli Access Manager for Operating Systems pdoslrd. XML 1.0. pdoslrd.xml IBM Tivoli Access Manager for Operating Systems:

195 pdoslrd.xml. TMR(Tivoli Management Region) wrunjob wruntask wrunjob wruntask. wrunjob Distribute_Log_Router_Daemon_Control _File -l PDOS Tasks -a lrd_cont_file -a dest_system [-a dest_system,...] wruntask Distribute_Log_Router_Daemon_Control _File -l PDOS Tasks -a lrd_cont_file -a dest_system [-a dest_system,...] -h task_endpoint, lrd_cont_file dest_system task_endpoint pdoslrd.xml.. system(endpoint) system(managednode)... 6 Tivoli 179

196 UNIX TCB UNIX setuid/setgid TCB(Trusted Computing Base). (Immune-Surrogate-Programs, Secure-Files, Impersonator-Programs Immune-Programs). Secure-Programs..,. policy., policy. TCB., TCB. UNIX TCB. 13. UNIX TCB ,. 180 IBM Tivoli Access Manager for Operating Systems:

197 3. TCB,.,. 4. TCB,.,. 5.. wrunjob wruntask wrunjob wruntask. wrunjob Import UNIX TCB -l PDOS Tasks -a class -a branch -a directories -a excludes -a duplicate_links -a generate_script wruntask -t Import UNIX TCB -l PDOS Tasks -a class -a branch -a directories -a excludes -a duplicate_links -a generate_script -h task_endpoint, class branch directories excludes duplicate_links TCB.. TCB policy., policy. ( ). ( ).. TRUE FALSE. generate_script TCB. TRUE FALSE. task_endpoint,.,. UNIX UNIX Tivoli Access Manager. 6 Tivoli 181

198 UNIX.. /. / /. *. UID/GID /. / LDAP. Tivoli Access Manager. LDAP /. / LDAP, LDAP UNIX.., ( ). ( )., Tivoli Access Manager,. Tivoli Access Manager. UNIX. 182 IBM Tivoli Access Manager for Operating Systems:

199 14. UNIX Tivoli Access Manager. pdosd.. 1. Access Manager wrunjob wruntask wrunjob wruntask. wrunjob Import UNIX Users and Groups -l PDOS Tasks -a admin_id -a admin_pwd -a suffix -a ldap_import -a report_only -a user_list -a user_list_type -a create_disabled -a default_group -a default_passwd -a group_list -a group_list_type -a group_refresh -a local_domain 6 Tivoli 183

200 wruntask -t Import UNIX Users and Groups -l PDOS Tasks -a admin_id -a admin_pwd -a suffix -a ldap_import -a report_only -a user_list -a user_list_type -a create_disabled -a default_group -a default_passwd -a group_list -a group_list_type -a group_refresh -a local_domain -h task_endpoint, admin_id admin_pwd suffix ldap_import report_only user_list user_list_type Tivoli Access Manager.... LDAP.. Tivoli Policy Director, LDAP. TRUE FALSE.. TRUE FALSE. ( ) ( )... create_disabled. TRUE FALSE. default_group, Tivoli Access Manager. default_passwd. group_list ( ). group_list_type.. group_refresh, UNIX. TRUE FALSE. 184 IBM Tivoli Access Manager for Operating Systems:

201 local_domain task_endpoint Tivoli Access Manager. pdosd.,.,. PDOS Tivoli Access Manager for Operating Systems.,.. UID. PDOS. 15. PDOS. 1. UID ( ).. (*). 2. UID ( ) Tivoli 185

202 wrunjob wruntask wrunjob wruntask. wrunjob Manage PDOS Credential Cache -l PDOS Tasks -a refresh_list -a destroy_list wruntask -t Manage PDOS Credential Cache -l PDOS Tasks -a refresh_list -a destroy_list -h task_endpoint, refresh_list destroy_list task_endpoint UID/.. UID/..,.,. PDOS Tivoli Access Manager for Operating Systems. pdosd, pdosauditd, pdoswdd, pdoslpmd pdoslrd,,.. Tivoli Access Manager for Operating Systems.. Tivoli Access Manager for Operating Systems. PDOS. 186 IBM Tivoli Access Manager for Operating Systems:

203 16. PDOS wrunjob wruntask wrunjob wruntask. wrunjob Manage PDOS Server State -l PDOS Tasks -a pdosd_state -a pdosauditd_state -a pdoswdd_state -a pdoslpmd -a pdoslrd_state wruntask -t Manage PDOS Server State -l PDOS Tasks -a pdosd_state -a pdosauditd_state -a pdoswdd_state -a pdoslpmd -a pdoslrd_state -h task_endpoint, 6 Tivoli 187

204 pdosd_state pdosd.,,. pdosauditd_state pdosauditd.,,. pdoswdd_state pdoswdd.,,. pdoslpmd_state pdoslpmd.,,. pdoslrd_state task_endpoint pdoslrd.,,.,.,. PDOS TCB Tivoli Access Manager for Operating Systems TCB(Trusted Computing Base). ( ).,..... * TCB. PDOS TCB. 188 IBM Tivoli Access Manager for Operating Systems:

205 17. PDOS TCB. 1. TCB ( ). * TCB wrunjob wruntask wrunjob wruntask. wrunjob Manage PDOS TCB -l PDOS Tasks -a operation -a objects wruntask -t Manage PDOS TCB -l PDOS Tasks -a operation -a objects -h task_endpoint, operation objects task_endpoint.,..,.,.,. 6 Tivoli 189

206 PDOS Tivoli Access Manager for Operating Systems IP /.,. IP. *.. PDOS. 18. PDOS. 1. IP / ( ). *. 2.,. 3.. wrunjob wruntask wrunjob wruntask. wrunjob Purge PDOS Hostname Cache -l PDOS Tasks -a remove_entries -a remove_stale wruntask -t Purge PDOS Hostname Cache -l PDOS Tasks -a remove_entries -a remove_stale -h task_endpoint 190 IBM Tivoli Access Manager for Operating Systems:

207 , remove_entries remove_stale task_endpoint.,.. TRUE FALSE.,.,. Tivoli Access Manager for Operating Systems Tivoli Access Manager. 2. Tivoli Access Manager. 3. policy. 4.. wrunjob wruntask wrunjob wruntask. 6 Tivoli 191

208 wrunjob Query Branch Membership -l PDOS Tasks -a pd_admin_id -a pd_admin_passwd -a policy_branch wruntask -t Query Branch Membership -l PDOS Tasks -a pd_admin_id -a pd_admin_passwd -a policy_branch -h task_endpoint, pd_admin_id Tivoli Access Manager for Operating Systems. pd_admin_passwd. policy_branch policy. task_endpoint,.,. PDOS policy Tivoli Access Manager for Operating Systems policy.. v Tivoli Access Manager for Operating Systems. v policy policy. PDOS policy. 192 IBM Tivoli Access Manager for Operating Systems:

209 20. PDOS policy ( ). 3., policy. 4. policy ( ). 5.. wrunjob wruntask wrunjob wruntask. wrunjob Query PDOS Login and Password Policy -l PDOS Tasks -a generate_report -a detailed -a enabled -a disabled -a report_users -a display_policy -a policy_users wruntask -t Query PDOS Login and Password Policy -l PDOS Tasks -a generate_report -a detailed -a enabled -a disabled -a report_users -a display_policy -a policy_users -h task_endpoint, 6 Tivoli 193

210 generate_report Tivoli Access Manager for Operating Systems. TRUE FALSE. detailed. TRUE FALSE. enabled TRUE (enabled). TRUE disabled TRUE. disabled TRUE (disabled). TRUE enabled TRUE. report_users ( ).. display_policy Tivoli Access Manager for Operating Systems policy. TRUE FALSE. policy_users ( ). Tivoli Access Manager for Operating Systems policy., Tivoli Access Manager for Operating Systems policy. task_endpoint,.,. PDOS Tivoli Access Manager for Operating Systems. PDOS. 194 IBM Tivoli Access Manager for Operating Systems:

211 21. PDOS wrunjob wruntask wrunjob wruntask. wrunjob Query PDOS Server State -l PDOS Tasks -a query_pdosd -a query_pdosauditd -a query_pdoswdd -a query_pdoslpmd -a query_pdoslrd wruntask -t Query PDOS Server State -l PDOS Tasks -a query_pdosd -a query_pdosauditd -a query_pdoswdd -a query_pdoslpmd -a query_pdoslrd -h task_endpoint, query_pdosd pdosd. TRUE FALSE. query_pdosauditd pdosauditd. TRUE FALSE. query_pdoswdd pdoswdd. TRUE FALSE. 6 Tivoli 195

212 query_pdoslpmd pdoslpmd. TRUE FALSE. query_pdoslrd pdoslrd. TRUE FALSE. task_endpoint,.,. PDOS TCB Tivoli Access Manager for Operating Systems TCB(Trusted Computing Base). ( )... * TCB, AnyTrusted TCB, AnyUntrusted TCB. PDOS TCB. 22. PDOS TCB. 1. / IBM Tivoli Access Manager for Operating Systems:

213 wrunjob wruntask wrunjob wruntask. wrunjob Query PDOS TCB -l PDOS Tasks -a query_objects wruntask -t Query PDOS TCB -l PDOS Tasks -a query_objects -h task_endpoint, query_objects task_endpoint.. * TCB, AnyTrusted TCB, AnyUntrusted TCB.,.,. PDOS Tivoli Access Manager for Operating Systems.., /var/pdos/pdosbkup. PDOS. 23. PDOS. 6 Tivoli 197

214 1..., /usr/pdos/pdosbkup 2.. wrunjob wruntask wrunjob wruntask. wrunjob Restore PDOS Database -l PDOS Tasks -a filename wruntask -t Restore PDOS Database -l PDOS Tasks -a filename -h task_endpoint, filename task_endpoint.,.,. PDOS Tivoli Access Manager for Operating Systems.,,,, Tivoli Access Manager for Operating Systems,,,.. Tivoli Access Manager for Operating Systems,..,..... Tivoli Access Manager for Operating Systems. C D 198 IBM Tivoli Access Manager for Operating Systems:

215 G K L N R U d l o p r w x Kill PDOS. 6 Tivoli 199

216 24. PDOS Tivoli Access Manager for Operating Systems policy policy,. 200 IBM Tivoli Access Manager for Operating Systems:

217 3.. Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. 4.. wrunjob wruntask wrunjob wruntask. wrunjob Set PDOS Server Audit Level -l PDOS Tasks -a audit_permit -a audit_permit_c -a audit_permit_d -a audit_permit_g -a audit_permit_k -a audit_permit_l -a audit_permit_n -a audit_permit_r -a audit_permit_u -a audit_permit_d -a audit_permit_l -a audit_permit_o -a audit_permit_p -a audit_permit_r -a audit_permit_w -a audit_permit_x -a audit_deny -a audit_deny_c -a audit_deny_d -a audit_deny_g -a audit_deny_k -a audit_deny_l -a audit_deny_n -a audit_deny_r -a audit_deny_u -a audit_deny_d -a audit_deny_l -a audit_deny_o -a audit_deny_p -a audit_deny_r -a audit_deny_w -a audit_deny_x -a audit_admin -a audit_info -a logpermit -a logdeny -a trace_exec -a trace_file -a warning_mode -a change_type wruntask -t Set PDOS Server Audit Level -l PDOS Tasks -a audit_permit -a audit_permit_c -a audit_permit_d -a audit_permit_g -a audit_permit_k -a audit_permit_l -a audit_permit_n -a audit_permit_r -a audit_permit_u -a audit_permit_d -a audit_permit_l -a audit_permit_o -a audit_permit_p -a audit_permit_r -a audit_permit_w -a audit_permit_x -a audit_deny -a audit_deny_c -a audit_deny_d -a audit_deny_g -a audit_deny_k -a audit_deny_l -a audit_deny_n -a audit_deny_r -a audit_deny_u -a audit_deny_d -a audit_deny_l -a audit_deny_o -a audit_deny_p -a audit_deny_r -a audit_deny_w -a audit_deny_x -a audit_admin -a audit_info -a logpermit -a logdeny -a trace_exec -a trace_file -a warning_mode -a change_type -h task_endpoint, audit_permit. TRUE FALSE. audit_[permit deny] -[C D G K L N R U d l o p r w x]. TRUE FALSE. 6 Tivoli 201

218 audit_deny audit_admin audit_info logpermit logdeny trace_exec trace_file. TRUE FALSE.. TRUE FALSE. Tivoli Access Manager for Operating Systems ( : policy ). TRUE FALSE.. TRUE FALSE.. TRUE FALSE.. TRUE FALSE.. TRUE FALSE. warning_mode Tivoli Access Manager for Operating Systems. TRUE FALSE. change_type task_endpoint.,.,.,. PDOS Tivoli Access Manager for Operating Systems, Tivoli.. PDOS. 202 IBM Tivoli Access Manager for Operating Systems:

219 25. PDOS wrunjob wruntask wrunjob wruntask. wrunjob Set PDOS Server Trace Level -l PDOS Tasks -a pdosd_trace -a pdosauditd_trace -a pdoswdd_trace -a pdoslpmd_trace -a pdoslrd_trace wruntask -t Set PDOS Server Trace Level -l PDOS Tasks -a pdosd_trace -a pdosauditd_trace -a pdoswdd_trace -a pdoslpmd_trace -a pdoslrd_trace -h task_endpoint, 6 Tivoli 203

220 pdosd_trace pdosd.,. pdosauditd_trace pdosauditd.,. pdoswdd_trace pdoswdd.,. pdoslpmd_trace pdoslpmd.,. pdoslrd_trace task_endpoint pdoslrd.,.,.,. Setup TEC Event Server for PDOS Setup TEC Event Server for PDOS Tivoli Access Manager for Operating Systems Tivoli Enterprise Console. Tivoli Access Manager for Operating Systems Enterprise Console Integration Tivoli Enterprise Console Server. Tivoli Access Manager for Operating Systems Tivoli Enterprise Console Tivoli Access Manager for Operating Systems Tivoli Enterprise Console. Tivoli Enterprise Console Tivoli Enterprise Console., Tivoli Enterprise Console ( Tivoli Enterprise Console ). Setup TEC Event Server for PDOS. 204 IBM Tivoli Access Manager for Operating Systems:

221 26. Setup TEC Event Server for PDOS Task. 1. Tivoli Access Manager for Operating Systems. Tivoli Enterprise Console Tivoli Risk Manager v,. :.,. PDOS. :. Default. Tivoli Risk Manager, Tivoli Risk Manager. Tivoli Risk Manager. : Tivoli Enterprise Console.. 6 Tivoli 205

222 v,. PDOS Tivoli Access Manager for Operating Systems ( Tivoli Access Manager for Operating Systems ). Tivoli Access Manager for Operating Systems. 4.. wrunjob wruntask wrunjob wruntask. wrunjob Setup TEC Event Server for PDOS -l PDOS Tasks -a IntegrateTEC -a IntegrateRM -a NeworExisting -a ExistingRuleBase -a NewRuleBase -a CloneRuleBase -a RuleBasePath -a EventConsole wruntask -t Setup TEC Event Server for PDOS -l PDOS Tasks -a IntegrateTEC -a IntegrateRM -a NeworExisting -a ExistingRuleBase -a NewRuleBase -a CloneRuleBase -a RuleBasePath -a EventConsole -h task_endpoint, IntegrateTEC IntegrateRM Tivoli Enterprise Console. on(tivoli Enterprise Console ) off( ). Tivoli Risk Manager. on(tivoli Risk Manager ) off( ). NeworExisting. new( ) exist( ). new, NewRuleBase. exist ExistingRuleBase. ExistingRuleBase. exist,. PDOS. NewRuleBase.,. new,. 206 IBM Tivoli Access Manager for Operating Systems:

223 CloneRuleBase. Default. RuleBasePath EventConsole task_endpoint Tivoli Enterprise Console...,.,. : 1. Tivoli Risk Manager, Tivoli Enterprise Console Microsoft Windows NT, pdosrm.baroc $RMADHOME/etc/riskmgr_baroc.lst. Tivoli Enterprise Console pdos.baroc. bash.

    cp $BINDIR/../generic_unix/TME/PDOSTASKS/pdosrm.baroc \
       $RMADHOME/etc/baroc/
    cp $BINDIR/../generic_unix/TME/PDOSTASKS/pdos.baroc \
       $RMADHOME/etc/baroc/
    $RMADHOME/bin/rmcorr_cfg -update

2. Tivoli Access Manager for Operating Systems Risk Manager IBM Tivoli Enterprise Data Warehouse. Data Warehouse IBM Tivoli Risk Manager. PDOS Tivoli Access Manager for Operating Systems.., ( ).. wrunjob wruntask wrunjob wruntask. 6 Tivoli 207

224 wrunjob Show PDOS Auditing Configuration -l PDOS Tasks wruntask -t Show PDOS Auditing Configuration -l PDOS Tasks -h task_endpoint, task_endpoint,.,. PDOS /. osseal-auditors Tivoli Access Manager ossaudit UNIX. osseal-admin Tivoli Access Manager osseal UNIX. UNIX Tivoli Access Manager. Tivoli Access Manager. PDOS /. 27. PDOS / Tivoli Access Manager for Operating Systems. 208 IBM Tivoli Access Manager for Operating Systems:

Show PDOS Auditors/Administrators

3. ... wrunjob ... wruntask ...

wrunjob Show PDOS Auditors/Administrators -l PDOS Tasks -a pd_admin_id -a pd_admin_passwd -a show_auditors -a show_admins

wruntask -t Show PDOS Auditors/Administrators -l PDOS Tasks -a pd_admin_id -a pd_admin_passwd -a show_auditors -a show_admins -h task_endpoint

pd_admin_id
    Tivoli Access Manager ...
pd_admin_passwd
    ...
show_auditors
    TRUE ... Tivoli Access Manager osseal-auditors ... UNIX osseal ... TRUE ... FALSE.
show_admins
    TRUE ... Tivoli Access Manager osseal-admin ... UNIX ossadmin ... TRUE ... FALSE.
task_endpoint
    ...

Show PDOS Caching Configuration

Tivoli Access Manager for Operating Systems ... ( ), ( ), ( ), ( ), LDAP ( ) ...

6 Tivoli 209

wrunjob ... wruntask ...

wrunjob Show PDOS Caching Configuration -l PDOS Tasks

wruntask -t Show PDOS Caching Configuration -l PDOS Tasks -h task_endpoint

task_endpoint
    ...

Show PDOS Logging Configuration

Tivoli Access Manager for Operating Systems, pdosd, pdoswdd, pdosauditd, pdoslrd ...

wrunjob ... wruntask ...

wrunjob Show PDOS Logging Configuration -l PDOS Tasks

wruntask -t Show PDOS Logging Configuration -l PDOS Tasks -h task_endpoint

task_endpoint
    ...

210 IBM Tivoli Access Manager for Operating Systems:

Show PDOS Server Audit Level

Tivoli Access Manager for Operating Systems ... (, ) Tivoli Access Manager for Operating Systems ... Tivoli Access Manager for Operating Systems ...

wrunjob ... wruntask ...

wrunjob Show PDOS Server Audit Level -l PDOS Tasks

wruntask -t Show PDOS Server Audit Level -l PDOS Tasks -h task_endpoint

task_endpoint
    ...

Show PDOS Server Configuration

Tivoli Access Manager for Operating Systems ...
- Tivoli Access Manager for Operating Systems policy ...
- policy ( ) ...
- ...
- ...
- Tivoli Access Manager for Operating Systems ...
- policy ...
- ...
- pdoslrd ...

wrunjob ... wruntask ...

wrunjob Show PDOS Server Configuration -l PDOS Tasks

wruntask -t Show PDOS Server Configuration -l PDOS Tasks -h task_endpoint

task_endpoint
    ...

Show PDOS TCB Configuration

Tivoli Access Manager for Operating Systems TCB ... TCB, TCB ( ) (TCB ) (MB ) ...

wrunjob ... wruntask ...

wrunjob Show PDOS TCB Configuration -l PDOS Tasks

wruntask -t Show PDOS TCB Configuration -l PDOS Tasks -h task_endpoint

task_endpoint
    ...

Start TEC Adapter

Tivoli Access Manager for Operating Systems Tivoli Enterprise Console ... Tivoli Enterprise Console ...

wrunjob ... wruntask ...

wrunjob Start TEC Adapter -l PDOS Tasks

wruntask -t Start TEC Adapter -l PDOS Tasks -h task_endpoint

task_endpoint
    ...

Stop TEC Adapter

Tivoli Access Manager for Operating Systems Tivoli Enterprise Console ... Tivoli Enterprise Console ...

wrunjob ... wruntask ...

wrunjob Stop TEC Adapter -l PDOS Tasks

wruntask -t Stop TEC Adapter -l PDOS Tasks -h task_endpoint

task_endpoint
    ...

Subscribe PDOS Endpoints

Tivoli Access Manager for Operating Systems ... PDOS ...

wrunjob ... wruntask ...

wrunjob Subscribe PDOS Endpoints -l PDOS Tasks

wruntask -t Subscribe PDOS Endpoints -l PDOS Tasks -h task_endpoint

task_endpoint
    ...

Update Hostname Cache

Tivoli Access Manager for Operating Systems ... IP ... / ... IP ... ( ) ...
... /IP ( ) ...
2. ( ) ...
3. ...
4. ...

wrunjob ... wruntask ...

wrunjob Update Hostname Cache -l PDOS Tasks -a add_entries -a entry_ttl -a refresh

wruntask -t Update Hostname Cache -l PDOS Tasks -a add_entries -a entry_ttl -a refresh -h task_endpoint

add_entries
    ...
entry_ttl
    ... ( ) ...


More information

PRIVACY POLICY KEY DEFINITIONS. Aquapark Wrocław Wrocławski Park Wodny S.A. with the registered office in Wrocław, ul. Borowska 99, Wrocław.

PRIVACY POLICY KEY DEFINITIONS. Aquapark Wrocław Wrocławski Park Wodny S.A. with the registered office in Wrocław, ul. Borowska 99, Wrocław. Shall enter into force on the 25th May 2018, PRIVACY POLICY Aquapark Wrocław shall endeavour to protect privacy of persons who use our services. This document has been implemented to comply with rules

More information

S-Series Hotel App User Guide

S-Series Hotel App User Guide S-Series Hotel App User Guide Version 1.2 Date: April 10, 2017 Yeastar Information Technology Co. Ltd. 1 Contents Introduction... 3 About This Guide... 3 Installing and Activating Hotel App... 4 Installing

More information

Affix recent Passport size Colored photograph (Self attested)

Affix recent Passport size Colored photograph (Self attested) For Office Use Only PI DATE/SLOT: Roll No.: Remarks: ELIGIBLE / NOT-ELIGIBLE Any other: FORMAT OF APPLICATION (Information to be filled in BLOCK Letters) Authorised signatory To, AIR INDIA EXPRESS LTD

More information