SENTRY User’s Guide

Fitzgerald & Long

 

1.3 VALIDATE THE USER PROFILE DATABASE

 
This program checks the consistency of the users, groups and permissions which have been loaded
into the SENTRY database by the first two programs described in this section. User IDs, groups, and their
usage in the file system are analyzed and inconsistencies are reported. For example, the validation report
might point out a file whose owner is not registered or a home pathname which does not exist on the
system.


VALIDATION                    SENTRY Database Validation               08/16/00

Enter "OK" to start the validation or "<ESC>" to exit : OK

Do you want to print missing password messages? (Y/N) or <ESC> to exit:  N

Validating user profiles
Validating groups
Validating file owners & groups
Validating COMMANDs

*** Problems found during validation ***

See Validation Report for Details

------------------------------ Database Invalid ------------------------------

Press <RETURN> to continue :

Figure 9 - This is an example of the messages displayed to the user during the execution of the validation program.

 
Validating the data you have loaded from your passwd and group files and from the file system is the third
step which should be performed when you are first building the SENTRY database. Using this program
you will be able to locate and correct any inconsistencies in your user profiles and groups. Use this
program any time you wish to test that user IDs, groups and file system protection are used consistently.
We encourage you to use it EVERY TIME you upload data from the passwd and group files and when you
rebuild the B-tree files (which should be done on a regular basis).
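As an added illustration (not SENTRY's own code), the following Python script performs consistency checks of the kind described above: it parses passwd and group data in the standard colon-separated formats, compares them with a file-ownership listing, and reports unregistered file owners and groups, missing home pathnames, duplicate UIDs, and optionally missing passwords. All user names, UIDs, paths and the helper names (parse_passwd, parse_group, validate, run_example) are constructed assumptions, as is treating an empty password field as a missing password.

```python
"""Consistency checks in the spirit of SENTRY's validation program.

Added example, not SENTRY's own code. The passwd/group text, file listing and
set of existing directories below are constructed for the demonstration.
"""


def parse_passwd(text):
    """Parse passwd lines (name:password:uid:gid:gecos:home:shell)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, _gecos, home, _shell = line.split(":", 6)
        # Assumption: an empty password field counts as "no password set".
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home,
                       "has_password": pw != ""}
    return users


def parse_group(text):
    """Parse group lines (name:password:gid:member1,member2,...)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def validate(users, groups, files, existing_dirs, report_missing_passwords=False):
    """Return a list of warning strings; an empty list means the data are consistent.

    files: iterable of (path, uid, gid) tuples collected from the file system.
    existing_dirs: set of directory paths that exist (stand-in for os.path.isdir,
    so the example runs offline against constructed data).
    """
    gids = {g["gid"]: name for name, g in groups.items()}
    uids = {}
    warnings = []

    # Each user must have a unique UID, an existing primary group and home path.
    for name, u in users.items():
        if u["uid"] in uids:
            warnings.append(f"User {name}: UID {u['uid']} is also assigned to {uids[u['uid']]}")
        else:
            uids[u["uid"]] = name
        if u["gid"] not in gids:
            warnings.append(f"User {name}: primary GID {u['gid']} does not exist")
        if u["home"] not in existing_dirs:
            warnings.append(f"User {name}: home pathname {u['home']} does not exist")
        if report_missing_passwords and not u["has_password"]:
            warnings.append(f"User {name}: no password set")

    # Group member lists may only name registered users.
    for gname, g in groups.items():
        for member in g["members"]:
            if member not in users:
                warnings.append(f"Group {gname}: member {member} is not a registered user")

    # Files owned by a UID or GID with no registered user/group are flagged.
    for path, uid, gid in files:
        if uid not in uids:
            warnings.append(f"File {path}: owner UID {uid} is not a registered user")
        if gid not in gids:
            warnings.append(f"File {path}: group GID {gid} is not a registered group")

    return warnings


# Constructed sample data: bob's group and home are missing, carol has no
# password, eve duplicates alice's UID, and "dave" is not a user at all.
PASSWD = """\
root:x:0:0:Super user:/:/bin/sh
alice:x:100:100:Alice:/users/alice:/bin/sh
bob:x:101:999:Bob:/users/bob:/bin/sh
carol::102:100:Carol:/users/carol:/bin/sh
eve:x:100:100:Eve:/users/eve:/bin/sh
"""
GROUP = """\
root:x:0:
users:x:100:alice,carol,dave
"""
EXISTING_DIRS = {"/", "/users/alice", "/users/carol", "/users/eve"}
FILES = [("/users/alice/report.txt", 100, 100),   # consistent
         ("/data/old.dat", 500, 100),              # owner UID 500 unregistered
         ("/data/shared.dat", 100, 777)]           # group GID 777 unregistered


def run_example(report_missing_passwords=False):
    """Validate the constructed sample data and return the warnings."""
    return validate(parse_passwd(PASSWD), parse_group(GROUP), FILES,
                    EXISTING_DIRS, report_missing_passwords)


if __name__ == "__main__":
    problems = run_example(report_missing_passwords=True)
    for w in problems:
        print("Warning:", w)
    print("Database Invalid" if problems else "Database Valid")
```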
 

Summary of Contents for Sentry

Page 1: ...SENTRY The Integrated Security System Release 4 User Guide Fitzgerald Long 12341 E Cornell Avenue 18 Aurora Colorado 80014 3323 USA Phone 303 755 1102 FAX 303 755 1703 ...

Page 2: ...opyright 2000 by Fitzgerald Long Inc 12341 E Cornell Avenue 18 Aurora Colorado 80014 3323 303 755 1102 All rights are reserved The software described in this document is furnished under a license agreement The software may be used or copied only in accordance with the terms of the agreement The software and this documentation are entirely the property of Fitzgerald Long Inc It is against the law t...

Page 3: ...ger Views 2 31 2 5 COMMAND MAINTENANCE 2 34 2 6 USER ITEM PROTECTION MAINTENANCE 2 38 3 INTRODUCING THE REPORTS MENU 3 1 3 0 REPORTS MENU 3 2 3 1 SYSTEM PROFILE REPORT 3 4 3 2 USER PROFILES 3 9 3 3 GROUPS REPORT 3 11 3 4 ACCOUNT PROTECTION REPORT 3 13 3 5 COMMAND PROTECTION REPORT 3 15 3 6 ACCESS VIOLATIONS REPORT 3 17 4 INTRODUCING THE UTILITIES MENU 4 1 4 0 UTILITIES MENU 4 2 4 1 VOC PROTECTION ...

Page 4: ......

Page 5: ...nces the second program User Maintenance in the second section Database Maintenance The Guide uses several notation conventions for the sake of easy reading and conciseness These include RETURN This figure indicates that the return key sometimes called NEW LINE or ENTER should be pressed This is one key stroke ESC This figure is used to indicate the escape key Most keyboards have a key labeled ESC...

Page 6: ...Introduction 2 SENTRY User s Guide Fitzgerald Long PI open the command prompt is indicated by a colon while for uniVerse the prompt is a greater than sign ...

Page 7: ...p one prompt in the data entry screen Escape ESC RETURN Press the escape key followed by the return key 2 key strokes This feature allows you to exit any data entry program at any prompt No data will be changed Use this key to exit data entry screens when you have made changes and wish to cancel your changes To save changes you must enter F to file those changes XEQ You may use TCL Terminal Contro...

Page 8: ...ss a particular field enter the number associated with that field Change a field Having addressed the desired field via the field number an underscore will appear to the right of the current data and the cursor will be positioned on the leftmost character of the data field Type over the existing data to change it DO NOT space over existing data to delete characters which your new entry does not co...

Page 9: ...p or start the system during installation and your users may continue to use the computer while you are installing SENTRY 1 Login to your system as the super user usually the user root Change directories cd to the directory where you wish to place the SENTRY account We suggest placing SENTRY in a top level directory for example the u1 or usr directory SENTRY may be placed on any local file system ...

Page 10: ... of these uniVerse uv bin implies that the actual path varies UniData udt bin according to where your database PI open isys bin account was installed The PATH variable may be set permanently by modifying the profile file in your home directory to include the appropriate path in the PATH assignment The problem may be resolved temporarily until you logout by entering these Bourne shell commands at t...

Page 11: ... Creation and Validation Menu 2 Database Maintenance Menu 3 Reports Menu 4 Utilities Menu Please select one of the above Figure 1 Main Menu 11 At this point you are ready to begin loading your data into the SENTRY database This procedure is described in the following section Getting Started ...

Page 12: ... an example of the SENTRY copyright screen Having restored SENTRY from tape and installed the software you are ready to proceed with this section SENTRY is installed as a directory named sentry this directory is also setup as a standard database account To access SENTRY you must be in the sentry account that is sentry must be your present working directory To reach sentry from the UNIX prompt use ...

Page 13: ... no circumstances may you use the SENTRY software for any other company and or computer system than the one for which this copy of SENTRY was prepared without the written permission of Fitzgerald Long Inc The copyright screen awaits a RETURN Validating System Administrator authority You must be super user to use SENTRY Press RETURN to continue Figure 3 This screen is displayed immediately after th...

Page 14: ...ou first entered 1 from the Main Menu and then entered 2 from the next menu In the User Guide you will find documentation about this selection in section 1 2 Read the appropriate section of the User Guide for each of the three selections in the Database Creation and Validation Menu and then execute each one in turn They perform the following tasks to setup your SENTRY database 1 Upload User and Gr...

Page 15: ...y now use the Database Maintenance Menu to fix the inconsistencies reported by the validation program or to modify users groups and file permissions You may also begin to protect database commands The Reports Menu will print a variety of useful reports which will allow you to view the data you have collected The Utilities Menu contains a number of tools which will occasionally be useful Complete d...

Page 16: ...e four logical divisions of SENTRY Each division is a collection of programs which perform related tasks The documentation mirrors this organization There are four major sections Each section is introduced via a figure of the Main Menu and a short description of the processes which may be performed from that particular menu selection Note that the section topic appears in bold print to amplify the...

Page 17: ...files groups the file system SENTRY s Command Protection and SENTRY s User Defined Item Protection The third selection on SENTRY s Main Menu invokes the Reports Menu This submenu provides access to reports These reports describe all aspects of the SENTRY database from the perspectives of system users groups permissions access violations and SENTRY protected database commands The fourth selection o...

Page 18: ......

Page 19: ...on is the first selection on the Main Menu These programs provide a quick and easy way to document your existing system Because all of the data are loaded into SENTRY s database comprehensive reports are available Additionally These programs simplify most of the data entry tasks usually associated with setting up a new security system Complimentary to the programs which build the SENTRY database i...

Page 20: ...he SENTRY database uploading file system information and validating the SENTRY database The first selection 1 Upload User and Group profiles from UNIX reads your existing UNIX passwd and group files and writes the information into SENTRY s database This is the first program you will execute after SENTRY is installed The second selection 2 Create Database from the File System transverses your local...

Page 21: ...SENTRY User s Guide Section 1 3 Fitzgerald Long ...

Page 22: ...onsistent with your UNIX files To invoke this program enter 1 Database Creation and Validation Menu on SENTRY s Main Menu Then enter 1 Upload User and Group Profiles from UNIX from the submenu This program will be invoked On first entering this program only the prompt Enter OK to start the loading process is displayed Enter OK to begin or ESC to exit the program The loading process is performed in...

Page 23: ...nce a week on systems with normal activity Because every site is unique please discuss your system requirements with us if you are undecided about the frequency with which you should be uploading recreating the SENTRY database The program that loads the UNIX passwd and group data into SENTRY can be run outside SENTRY s menu system in batch mode The program can be run at TCL either directly or usin...

Page 24: ...dices Through the use of B trees which are ordered cross reference files we are able to index your entire file system offering you a file manager style window to view your file structure permissions file owners and groups in a very efficient manner conserving not only CPU cycles but disk storage space as well On entering OK to start execution of this program the old B trees if any are cleared Two ...

Page 25: ...ing user profiles Validating groups Validating file owners groups Validating COMMANDs Problems found during validation See Validation Report for Details Database Invalid Press RETURN to continue Figure 9 This is an example of the messages displayed to the user during the execution of the validation program Validating the data you have loaded from your passwd and group files and from the file syste...

Page 26: ...ofile data entry screen which are encrypted by SENTRY can be decrypted by SENTRY Some system administrators choose to setup and track all user passwords through SENTRY Others choose to have users manage their own passwords and not to maintain them in SENTRY If you are not tracking user passwords the missing password messages will be of little use to you We suggest that you answer N o don t print t...

Page 27: ...ne of SENTRY s database files is damaged and should be rebuilt Errors beginning with the word Warning are informational not serious database issues but situations you should be aware of The following is a list of those warnings 1 User XXXXX will default to other protection on all objects and commands The user XXXXX is not specifically mentioned either by user ID or group membership in the permissi...

Page 28: ...ser who is assigned this user ID number Possibly there once was a user but he has been deleted The user in this command s protection should be replaced with a valid user on the system Alternatively a new or existing user could be assigned the same user ID number UID 8 Group GID XXXXX on command VVVVV does not exist The group number XXXXX is referenced in the protection for a database command whose...

Page 29: ...SENTRY User s Guide Section 1 11 Fitzgerald Long ...

Page 30: ......

Page 31: ...nce is the second selection from SENTRY s Main Menu Through using SENTRY to perform these tasks you will enjoy data entry programs which validate parameters such as home path and group names Cross reference lists for groups and users will assist you in creating just the users and groups you need without an inadvertent duplication These SENTRY maintenance programs assist you in cleaning up obsolete...

Page 32: ...se Command Protection and User Defined Item Protection Notice that we have used the word Database here Depending upon which database system you are using INFORMATION uniVerse or UniData your actual SENTRY menu will replace the word Database with the name of the database which is in use on your system 1 System Profile This selection provides a data entry screen with which you may review or modify t...

Page 33: ... still make it available should your application software need to execute it from within a program 6 User Defined Items This is a special SENTRY feature which allows you to define SENTRY security objects These objects may be accessed through subroutine calls to solve unique security problems which may not be met through permissions and VOC item security facilities For example a personnel report is...

Page 34: ...roup Name Length 8 12 Maximum UID Number 1000 13 Maximum GID Number 1000 14 Default Startup Command bin sh 15 Maximum Command Length 44 16 Maximum Startup Path Length 50 17 wtmp Valid Days Old 30 18 Punct for File Indexing _ Enter field number to modify C ustom F ile record or ESC to exit Figure 12 This is an example of the SENTRY Profile Maintenance Data Entry Screen The displayed data are consid...

Page 35: ...butes Because the various flavors of UNIX offer different options for controlling passwords and login ids Sentry manages these options via the Custom User Attributes interface When your version of Sentry was installed this parameter was set to Y if your system offered additional options which most every system does 5 Password Format Mask This field is used by the User Profile data entry screen if ...

Page 36: ...e case used when entering the name For example if a user name of TEST is entered in the User Profile screen the case will be changed to test if this field is set to LC This parameter is intended to assist System Administrators who wish to be consistent in their usage of case when creating users and groups If you do not want SENTRY to alter the case for users and groups set this field to LIT litera...

Page 37: ...owed in the pathname commonly referenced as the home directory It is the directory into which UNIX attaches the user at login The default value for this field is 50 characters The recommended value for this field is the maximum number allowed by your version of UNIX 17 wtmp Valid Days Old SENTRY determines users last login date and time by using a UNIX accounting file called wtmp which contains a ...

Page 38: ... change them on a per user basis To save time and provide consistency in setting parameters for users we recommend you set the defaults to those most commonly used If you have made changes to the data in this screen remember to enter F to file or your changes will be discarded To leave this screen without filing any changes enter ESC followed by RETURN Custom User Default Maintenance SUN The SUN o...

Page 39: ...For example if a user did not use his login id for a specified number of days such as 21 UNIX would automatically expire the password At that time the system administrator will have to re instate the password to allow logins for that user id Enter the number of days the login can remain active before it is expired We chose 21 because we expect vacations and sick leave to be less than three weeks A...

Page 40: ...ate delete and modify a user s profile It is also a very handy utility to use to review the supplementary groups in use by a particular user Additionally you may access this data by entering the user s ID or the user s name through the cross reference facility For large systems the user s name department and telephone number aids in monitoring computer usage For example if you observe that a user ...

Page 41: ...to a specific user such as payroll you may wish to enter a descriptive phrase such as Special ID for check runs This field provides cross referencing for the user ID field 2 Department Enter the department name or some meaningful descriptor such as floor or building location This is a free form optional text field used for reporting only Use some scheme which will be valuable in your environment 3...

Page 42: ...e next available number You may edit this record and start it at your preferred starting number The largest UID number is defined by the System Profile program and should be set no higher than your system s limit 6 GID This field defines the GID number for the user This number specifies the user s primary group membership Although the user may belong to supplementary groups this field defines the ...

Page 43: ...prompt SUN Custom User Data Maintenance 08 16 00 User peggy 1 Minimum password change days 5 2 Maximum password change days 90 3 Password change warning days 5 4 Maximum inactive time days 21 5 Expiration date MM DD YY 12 31 00 Enter field number F ile or ESC to exit Figure 15 This is an example of the Custom User Data Maintenance data entry screen To execute this program enter 2 User Maintenance ...

Page 44: ...ups are the UID and the GID for each The actual names are NOT stored only the number The numbers are translated to names by various UNIX utilities through a lookup process in the passwd and group files If a user is deleted who owns files his UID will continue to be the owner Because this relationship between user IDs UIDs and file ownership is only a logical link it is common to find files with UI...

Page 45: ...s in question B Continue to delete the user leave files as they are C Change ownership of these files to another user D Do not delete this user Please enter your choice of methods to resolve this conflict Figure 16 This is a sample of the FILE OWNERSHIP CONFLICT screen The user is offered four choices Enter the letter to the left of your choice to execute The four choices provided through this scr...

Page 46: ...nge some of the old owner s files to one user and some to another user you must make your changes through the File System maintenance screen To select this global change option enter C SENTRY will display the file pathname and it s progress through the list of files Here is a sample of the screen SENTRY displays when this choice is invoked Figure 19 USER MAINT User Maintenance 08 14 00 Changing fi...

Page 47: ... the file system No changes are made To select this option enter D You will be returned to the User Maintenance screen In summary the User Maintenance screen allows you to create new users modify existing users and delete users Remember that file ownership is linked to users via the UID SENTRY will advise you when deleting a user will cause a file to have an unregistered owner ...

Page 48: ...u This program will be invoked A detailed description of the Group Maintenance screen Figure 21 and prompts follow Examples of the Users using group screen and the FILE GROUP CONFLICT screens are also included in this chapter When first invoked no data will be displayed in this screen You will be prompted to enter the name of a group For a listing of all groups defined for the system enter You may...

Page 49: ...e SENTRY will display the following screen Users using group adm 2 Users user ID GID Groups adm Yes Yes root Yes F orward page B ackward page or RETURN Figure 21 This is a sample of the Users using group screen Note that the header contains the name of the group and the number of users who are members of this group The left most column is the alphabetized list of user IDs The next column labeled G...

Page 50: ... of four choices Here is an example of this screen GROUP MAINT Group Maintenance 08 14 00 FILE GROUP CONFLICT The group you are about to delete owns 1 file on the system If you delete the group without changing the ownership of the files there will be no registered group for these files on your system You have several choices A View the list of files in question B Continue to delete the group leav...

Page 51: ...ied new group If you wish to change some of the old group s files to one group and others to another group you must make your changes through the File System maintenance screen To select this global change option enter C SENTRY will display the file pathnames and its progress through the list of files Here is a sample of the screen SENTRY displays when this choice is invoked Figure 25 GROUP MAINT ...

Page 52: ... D Do not delete this group This option allows the user to return to the main Group Maintenance menu without altering the group or the file system No changes are made To select this option enter D You will be returned to the Group Maintenance screen ...

Page 53: ...wxr xr x root other etc drwxr xr x root other exl_usr rwxr xr x root sys 2691072 hp ux rw rw rw root sys 233 jaf Figure 26 This is an example of the General File Utility screen You may scroll through directories and files displaying their owner group permissions and size Although you may make few changes to the permissions on your system once they are set you will find that this screen offers you ...

Page 54: ...st set of 6 key strokes described in the Help screen are key strokes used to move around in the display of the file system These are very simple to remember U p and D own moves the cursor one line U p and D own scrolls the screen up one page or down one page just like Page UP and Page Down in a word processor Note that the caret before a letter means to hold down the control key when pressing the ...

Page 55: ...oss reference list SENTRY provides through the General File Utility screen To invoke the cross reference function enter From the cross reference display you may choose many of the standard commands For example to go to the directory containing one of the displayed files position to that line and enter I implode To view the contents of a displayed directory use EXP explode If your system uses ACLs ...

Page 56: ...pes are socket symbolic link normal block mode special directory character mode special and pipe If the file is not a standard UNIX type SENTRY will report it as Unknown File Type In the right top half of the screen SENTRY displays the I node number and the number of links plus three date time stamps The following paragraphs are quoted from UNIX documentation for these three dates Check YOUR syste...

Page 57: ...ons Enter the new set of characters you wish to assign to this owner For example to give the owner read and write permissions enter rw To deny all permissions enter If you do not want to change the owner s permissions simply enter RETURN SENTRY will position the cursor at the Group permissions field Make any changes you would like then RETURN SENTRY will position the cursor at the Other permission...

Page 58: ...rd UNIX file permissions by allowing more than one owner and more than one owning group With ACLs you can create a list of users and a list of groups in addition to the owner and the owning group i e UID and GID for each file and directory Each user and each group is assigned file permissions to allow or deny read write and execute privileges ACLs are unique to the file for which they were created...

Page 59: ...nce symbol A listing of all users will be displayed You may select the desired name by the associated number of simply ENTER to return to this screen and type the UID number or user name You may not enter a name or UID which does not exist To create a new user enter the Maintenance Menu User Profiles The next field is 2 Owning Group or GID All members of this group receive the same privileges indi...

Page 60: ...Section 2 30 SENTRY User s Guide Fitzgerald Long ...

Page 61: ...t If he were not added to the list he would fall into the other designation and would have no rights To add change or delete Additional Users select 4 at the Enter field number prompt To change or delete user fred enter the line number to the left of that line In our example the number is 1 To delete the user press SPACE and then ENTER The line and the associated permissions to the right will be r...

Page 62: ...e r r r bin bin r profile orig rw root sys rhosts rw rw rw root sys rw sh_history rw rw rw root sys rw ustk_root r r r root sys r uvhome rw rw root sys IDMERROR console rw rw root sys IDMERROR pty ttyp3 drwx root mail Mail rwxr xr x root root r x SYSBCKUP drwxr xr x root other r x bin drwxr xr x root other r x dev drwxr xr x root other r x etc drwxr xr x root other r x exl_usr rwxr xr x root sys r...

Page 63: ...onsole rw rw root sys IDMERROR pty ttyp3 drwx root mail Mail rwxr xr x root root r x SYSBCKUP drwxr xr x root other r x bin drwxr xr x root other r x dev drwxr xr x root other r x etc drwxr xr x root other r x exl_usr rwxr xr x root sys r x hp ux rwx x root adm x jaf Enter the group name or GID to view for X ref piadm Figure 31 This is an example of the permissions in force for group piadm To chec...

Page 64: ... on verbs paragraphs sentences PROCs and menus Selection 5 on the Database Maintenance Menu invokes this program Through the use of permissions protection for directories and files may be satisfactorily implemented However there are processes which also need to be protected It is usually appropriate for users to execute programs in their application software which updates files This type of update...

Page 65: ...ragraphs This field may not be deleted or changed through this program It is read from the first field of the VOC item To protect a VOC item enter the name of the item You will then be prompted for a description 1 Description This is a text field used for reporting and documentation You are encouraged to use a descriptive phrase appropriate for the item You may also use the SENTRY LIKE function at...

Page 66: ...e access rights for the user The possible choices are U Use at database prompt only X Execute from inside a program only UX Both use at database prompt and from within a program ALL Unlimited use NONE No use The default protection is ALL 6 Groups Enter the names of the groups who are allowed to use this VOC item The group s must already exist on the SENTRY database Enter for a list of all defined ...

Page 67: ... in its standard form To save changes you have made enter F to file You will then be asked if you wish to update the disk Answering Y es will cause the changes to become effective After filing or deleting the screen will be repainted and you will be prompted for another VOC item If you wish to make changes in another account a second RETURN will position you at the Account Name prompt A RETURN at ...

Page 68: ...rograms as well as in the database reporting language You may also call our violations logging subroutine to log program or report use USER ITEM MAINT User Item Protection Maintenance 08 07 00 Account Name usr sentry User Item Name PAYROLL 1 Description Protect the Payroll file from LIST 2 Other Rights NONE 3 Users 4 Rights 01 201 bee ALL 5 Groups 6 Rights 01 9 piadm ALL Enter field number F ile D...

Page 69: ...create a file in the desired account called SENTRY USER ITEMS SENTRY will search this file first if it exists for your User Item Please refer to appendices for documentation on the subroutine SENTRY USER ITEM CONTROL User Item Name This is the name you will use in your call to the SENTRY subroutine SENTRY USER ITEM CONTROL to check access rights for the group or user executing the program or repor...

Page 70: ...show all IDs associated with users by that name To search on a name enter name e g LONG To remove an ID from the list enter the line number associated with that ID SENTRY will position the cursor at that ID Enter a space to clear the value The rights will be removed automatically To replace the ID simply type over the existing entry 4 User Rights If you enter a new user ID which is not in the curr...

Page 71: ...s you have made to the User Items enter F to file After filing or deleting a User Item the screen will be repainted and you will be prompted for a User Item name To enter another Account Name press RETURN Enter RETURN at the Account Name prompt to exit this program ...

Page 72: ...the prompt Enter line of Groups or Users 1 n or A dd If there are more than five entries in a window F orward page or B ack page will be appended to this prompt These commands scroll the window to the next set of five entries or to the previous set You may exit this program and cancel all changes not filed by pressing the ESC key followed by RETURN at any prompt ...

Page 73: ...of the above 3 Figure 34 Using the third selection on the Main Menu you may invoke the Reports Menu Through this selection SENTRY provides extensive reporting capability integrating user and group details These reports also provide excellent system documentation of users groups and the objects protected through SENTRY Command and User Item protection Although system wide reports for users groups a...

Page 74: ...s report menu Through these selections you may print comprehensive reports describing your system s users groups and their relationships plus the SENTRY Command Protection reports selections 4 and 5 The first selection is System Profile This report displays the system parameters for SENTRY password attributes and SENTRY configuration parameters Selection two Users Profiles reports user name depart...

Page 75: ...tected A list of accounts where that command is protected is displayed Choosing selection six Access Violations prints the SENTRY Violations Log Entries are printed in chronological order Each record includes date time port number USER ID pathname and the protected command which was executed creating the violation In the following sections each report is described and an example is provided ...

Page 76: ...um Number for GID 1000 Default Startup Command bin sh Maximum Command Length 44 Maximum Path Length 50 wtmp Valid days old 30 days old Punct for File Indexing _ One record listed Figure 36 This is an example of the System Profile Report which displays various UNIX and SENTRY configuration parameters The following paragraphs describe each field on this report Null Passwords Allowed The default for ...

Page 77: ...lt This field is also used by the program through which you create new users if password aging is enabled through the previous field If your version on UNIX supports this functionality you may set a minimum and maximum number of weeks for the password life The minimum is the number of weeks before which the user CANNOT change his password and the maximum is the number of weeks until the user is FO...

Page 78: ...earrange existing users to be ordered group File Order This field is used much the same as the passwd File Order field above It is used by the program which creates and modifies groups If the value of this field is Y es the names of the groups are alphabetized in the UNIX group file If you wish to maintain the current order of the group file this field should be set to N o The default and recommen...

Page 79: ...rtup command field will assign this value The default value for this field is bin sh The recommended value for this field is the normal startup command for your average user Maximum Command Length This field is a UNIX parameter and is generally documented in the Administrator s Guide for adding a user ID The value of this field should be consistent with your version of UNIX On our system this maxi...

Page 80: ...payroll will be displayed The cross referencing on the word payroll is dependent upon the characters defined in this field Special characters such as and or _ are used in file or directory names to make a compound name more readable SENTRY s B trees will use the set of characters defined here to break out the components of a compound name such as payroll ledger This file would be indexed on the wo...

Page 81: ...iore bin 2 bin bin /bin/sh /bin; daemon 1 daemon daemon /bin/sh; lewis 203 users users /bin/sh users fl_data Lewis Eckhoff; lewis1 203 users /bin/sh users fast practice; lp 9 lp lp /bin/sh /usr/spool/lp; peggy 0 users users /bin/sh users peggy Peggy Long Office 123 1102; root 0 sys root /bin/sh other bin users sys adm daemon mail lp piadm; 9 records listed. Figure 37: This is an example of the User Profiles Report ...

Page 82: ...ality. Department: This is another text field used for documentation and display only. We recommend that you consider your reporting needs and use this field for whatever purpose seems of most benefit in your environment. Telephone: Here again is another text field used for documentation and display only. Telephone numbers may be of importance to the System Administrator. However, if there are other types...

Page 83: ...n 2 bin bin System group root; daemon 5 daemon daemon Phantom group root; lp 7 lp lp Printer group root; users 20 bee bee Application group lewis lewis peggy lewis1 root peggy; 5 records listed. Figure 38: This is an example of the Groups Report. The following paragraphs describe the fields displayed on the example report. Group Name: The leftmost column on this report displays the name of the group. These ...

Page 84: ...ly referred to as their GID group or primary group. Description: This is a free-form text field to be used by the System Administrator to document the usage of groups on your UNIX system. This report is produced by the database reporting language on your system. The paragraph can be found in VOCLIB SENTRY GROUPS REPORT. The database file is SENTRY GROUPS ...

Page 85: ...nvoke the users U peggy ALL NONE Pi open editor root ALL adm ALL lewis U lewis1 U piadm ALL MODIFY V Verb to invoke the piadm ALL peggy ALL NONE cursor control dependent data entry processor root ALL; 3 records listed. Figure 39: This is an example of the Account Protection Report. Each account is listed on a separate page. All protected commands for an account are presented in alphabetical order. The f...

Page 86: ...d in this field is a list of all users who have rights to this command. Their rights are listed to the right of the user ID. This may be a multi-valued field. Other Rights: Should a user NOT be mentioned by name and NOT be a member of one of the groups assigned rights to this command, the user's rights default to those displayed in this field. NONE is the system default, but may be changed by the System ...

Page 87: ...ke the /usr/sentry/practice piadm ALL peggy ALL NONE cursor control dependent data entry processor root ALL; 3 records listed. Figure 40: This is an example of the Command Protection Report, displaying protected commands. The following paragraphs describe the seven fields displayed on this report. Please refer to the sample report for an example of each field. Commands: This is the name of the command as i...

Page 88: ...d to the right of the user ID. This may be a multi-valued field. Other Rights: Should a user NOT be mentioned by name and NOT be a member of one of the groups assigned rights to this command, the user's rights default to those displayed in this field. NONE is the system default, but may be changed by the System Administrator in the data entry screen for Command Maintenance. This report is written in the ...

Page 89: ...e if desired. The report of security violations shows the date and time of occurrence, the port, the user ID, the specific account where the violation occurred, and the full command which was attempted. Applications using SENTRY's User Defined Items may also create violation records, which will contain the user item being protected and a user-specified comment in addition to the standard information. The S...

Page 90: ...nce or program. Messages beginning with PERFORM Command indicate that use of the Protected Command occurred at the database prompt. In addition to the standard SENTRY reports, we encourage you to use the database reporting language to create custom reports or to perform inquiries, e.g. LIST SENTRY VIOLATIONS WITH DATE AFTER 01/01/95 AND WITH COMMAND LIKE PAYROLL, to show all violations related to the PA...
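The inquiry above can be reproduced offline, and doing so shows what the violation records are good for beyond a listing. The following is an added example, written in Python rather than the manual's database reporting language and not part of the SENTRY product: it parses a constructed set of violation records carrying the fields the manual lists for the report (date, time, port, user ID, account, attempted command), applies the same two conditions as the LIST sentence (date after 01/01/95, command containing PAYROLL), and adds one check a security operator would want that the manual does not describe: flagging a user whose violations cluster within a few minutes, which is what repeated attempts to reach a protected command look like. The pipe-separated layout, the sample rows, the account paths and the command names are all constructed for the example.

```python
"""Added example: an offline equivalent of the manual's LIST inquiry over
violation records, plus a burst check. Constructed data and field layout;
this is not SENTRY's report format or code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: date, time, port, user ID, account, command.
SAMPLE_VIOLATIONS = """\
01/02/95|09:14:03|tty03|lewis1|/u/payroll|PERFORM Command PAYROLL.RUN
01/02/95|09:14:40|tty03|lewis1|/u/payroll|PERFORM Command PAYROLL.RUN
01/02/95|09:15:12|tty03|lewis1|/u/payroll|PERFORM Command PAYROLL.LEDGER
12/30/94|17:02:55|tty07|peggy|/u/office|PERFORM Command PAYROLL.RUN
01/05/95|11:41:09|tty01|lewis|/u/dev|ED VOC PIADM
"""

DATE_FMT = "%m/%d/%y"   # the manual's MM/DD/YY


def parse_violations(text, sep="|"):
    """Turn one record per line into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, port, user, account, command = line.split(sep, 5)
        records.append({
            "when": datetime.strptime(f"{day} {clock}", f"{DATE_FMT} %H:%M:%S"),
            "port": port, "user": user, "account": account, "command": command,
        })
    return records


def select(records, after=None, command_like=None):
    """WITH DATE AFTER <after> AND WITH COMMAND LIKE <command_like>.

    `after` is MM/DD/YY and the comparison is strict (AFTER, not on-or-after);
    `command_like` is a case-insensitive substring match.
    """
    cutoff = datetime.strptime(after, DATE_FMT).date() if after else None
    needle = command_like.upper() if command_like else None
    hits = []
    for r in records:
        if cutoff and r["when"].date() <= cutoff:
            continue
        if needle and needle not in r["command"].upper():
            continue
        hits.append(r)
    return hits


def burst_users(records, window_minutes=5, threshold=3):
    """Users with at least `threshold` violations inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    times_by_user = defaultdict(list)
    for r in records:
        times_by_user[r["user"]].append(r["when"])
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    recs = parse_violations(SAMPLE_VIOLATIONS)
    hits = select(recs, after="01/01/95", command_like="PAYROLL")
    for r in hits:
        print(r["when"], r["port"], r["user"], r["account"], r["command"])
    print("bursts:", burst_users(hits))
```

Two details matter in practice. The date test is done on parsed dates, not on the MM/DD/YY text: as text, 12/30/94 sorts after 01/01/95, so a string comparison would include the previous year's record. And the burst check is what turns a report into a detection: three rejected PAYROLL attempts from one port inside two minutes is a different event from one rejected attempt a month apart.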

Page 91: ... programs offered in the Utilities Menu, you may make a number of global changes with little effort. These programs are provided as a convenience for the System Administrator who frequently needs to perform certain tasks on a system-wide basis. One program provides you with the convenience of duplicating all of the Database Command security from one account to another, saving data entry time. You may u...

Page 92: ...s to five utility programs for performing global changes quickly. Each menu selection is described briefly in the following paragraphs for quick reference. Greater details are provided in the following sections for each program. Selection one, Protect a Database Account Like an Account Already Protected, is a time-saving utility if you wish to copy the Command Protection of one account to another. Frequ...

Page 93: ... a list where an item appears as NOT FOUND or isn't shown when it should be, you should rebuild these lists through this program. Selection five, Update Protected Commands to Account VOC Files: It is possible that through the use of the editor or upgrading to a new release, Sentry's Command Protection could be overwritten. To re-install the Command Protection into the VOC of an account, use this pro...

Page 94: ... of the account from which you wish to copy the VOC item protection. This account must be a valid account using SENTRY's VOC protection. ACCOUNT TO BE PROTECTED: This is the second prompt. Enter the absolute pathname of a valid database account which you want to have identical VOC protection to the first account. For convenience, a list of the protected verbs which will be copied may be reviewed by ente...

Page 95: ... DATE: This selection allows you to set a beginning date from which to select entries. This date must be earlier than the ending date. The format is MM/DD/YY. 3 ENDING DATE: This date is the last date for which records should be purged. Using BEGINNING DATE and ENDING DATE you may specify a range to purge from one date to another date. This date must be after the BEGINNING DATE. The format is MM/DD/YY. 4 C...

Page 96: ...This program is constructing a query sentence to SELECT the items to be purged. When entering your criteria, think of it as though you were completing the phrase WITH field name EQ (or LT, GT) to the items you enter ...

Page 97: ...ength. The generated passwords will be no less than the minimum number of characters specified in the System Profile and at least four characters. If the number specified here is larger than that in the system profile, it will be used instead. Each generated password will begin with a consonant and alternate in a consonant-vowel-consonant-vowel pattern to fill the required length. This technique produces prono...

Page 98: ...MM/DD/YY. Sentry will select all users whose password update date is earlier than this date. If there is no date in this field, the record will not be selected ...

Page 99: ...l departments, use spaces to separate the entries. No validation is performed on your selection criteria. The passwords will be encrypted and written to the SENTRY database. This program produces the same style passwords as the password generator in the User Profiles program. The value of this utility is that a number of passwords may be changed quickly. Do you wish to update passwords immediately? The p...
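The length rule on page 97 and the consonant/vowel alternation shared by the User Profiles generator and the mass-update utility on page 99 can be written down and measured. Below is an added Python example, not SENTRY's own generator (which is Pick BASIC and is not shown in the manual): it applies the manual's length rule (System Profile minimum, never under four, overridden by a larger request for the run), builds passwords in the consonant-first alternating pattern, produces a batch of them the way the mass-update utility does, and computes how many bits of guessing work the pattern actually buys. The consonant and vowel sets are assumptions, since the manual does not list them; the function names are the example's own.

```python
"""Added example: the pronounceable password scheme described in the manual.

Not SENTRY's generator. The consonant and vowel sets are assumptions; the
manual only says passwords start with a consonant and alternate
consonant/vowel to the required length.
"""
import math
import secrets
import string

VOWELS = "aeiou"                                                       # assumption
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)  # 21 letters, assumption


def required_length(profile_minimum, requested=None):
    """Manual's rule: at least the System Profile minimum, never under four;
    a larger number entered for this run overrides the profile value."""
    length = max(profile_minimum, 4)
    if requested is not None and requested > length:
        length = requested
    return length


def pool_for(position):
    """Consonant in even positions (0, 2, 4 ...), vowel in odd ones."""
    return CONSONANTS if position % 2 == 0 else VOWELS


def generate(length, choose=secrets.choice):
    """Build one password; `choose` must come from a cryptographic RNG."""
    return "".join(choose(pool_for(i)) for i in range(length))


def matches_pattern(password):
    """True if every position holds a letter from the pool the pattern allows."""
    return all(c in pool_for(i) for i, c in enumerate(password))


def pattern_bits(length):
    """Guessing entropy of the pattern, assuming uniform choice in each pool."""
    return sum(math.log2(len(pool_for(i))) for i in range(length))


def uniform_bits(length, alphabet_size=26):
    """For comparison: the same length drawn uniformly from one alphabet."""
    return length * math.log2(alphabet_size)


def generate_batch(user_ids, profile_minimum, requested=None):
    """The mass-update utility's job: one fresh password per selected user."""
    length = required_length(profile_minimum, requested)
    return {uid: generate(length) for uid in user_ids}


if __name__ == "__main__":
    for uid, pw in generate_batch(["lewis", "peggy"], 6, 8).items():
        print(uid, pw)
    print(f"pattern, length 8: {pattern_bits(8):.1f} bits")
    print(f"uniform lowercase, length 8: {uniform_bits(8):.1f} bits")
```

At eight characters the pattern yields about 27 bits, against roughly 38 bits for eight uniformly random lowercase letters, because an attacker who knows the scheme tries only 21 letters in the odd positions and 5 in the even ones. Pronounceable passwords are easy to hand out and remember, which is their point, but they should be treated as short-lived initial passwords that the user is forced to change at first login; and the generator must draw from a cryptographic source (secrets here), not an arithmetic PRNG seeded from the clock, or the effective space shrinks far below 27 bits.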

Page 100: ...essage indicates that a reference to an item exists but the item itself is missing. When a process is interrupted through a program error, machine failure, or killing the process, the result may be that the cross-reference files are not updated properly. Therefore we have provided this cleanup program just in case one of these events should occur. REBUILD INVERTS SENTRY Cross Reference Rebuild 09/18/00 ...

Page 101: ...f the editor or upgrading to a new release, the protected VOC records could be overwritten. This program will re-load the VOC protection from the SENTRY COMMAND file. To re-install the command protection into the VOC of an account, enter the account name at this prompt. You must use the fully qualified UNIX pathname here. To re-load all protected accounts, enter ALL. SENTRY will report the number of ...

Page 103: ...ully responsible. Be careful; practice safe computing. All subroutines are catalogued globally as SENTRY. We recommend the following example of BASIC syntax as the preferred technique for calling the SENTRY Subroutines: SENTRY USER ITEM CONTROL SENTRY USER ITEM CONTROL CALL SENTRY USER ITEM CONTROL. Subroutine SENTRY ENCRYPT: This subroutine is used to encrypt and decrypt data strings based on a user-def...

Page 104: ...tine is SENTRY ENCRYPT. The subroutine has three arguments: DATA STRING, RETURN STRING and ENCRYPTION KEY. The ENCRYPTION KEY may be any string between 10 and 100 characters long. The key is used to uniquely muddle up the bits in DATA STRING. The result is placed into RETURN STRING. As an example, suppose the key is OLDSMOBILE and the input data in DATA STRING is "SENTRY works great". The encrypted string in...

Page 105: ...SENTRY ENCRYPT(MUDDLED DATA, GARBLED DATA, KEYC). To decrypt GARBLED DATA we'd have to call SENTRY ENCRYPT three times, as follows: CALL SENTRY ENCRYPT(GARBLED DATA, TEMP DATA, KEYC); CALL SENTRY ENCRYPT(TEMP DATA, TEMP DATA2, KEYB); CALL SENTRY ENCRYPT(TEMP DATA2, ORIG DATA, KEYA). NOTICE: Be extremely careful when you use encryption. Test thoroughly and on a comprehensive set of data. Once data are encrypted using y...
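The call discipline on pages 104 and 105 (one routine for both directions, a 10 to 100 character key, and nested keys undone in reverse order) is easy to get wrong, so here is an added Python model of it. It is not SENTRY ENCRYPT and not the algorithm the manual calls "muddling up the bits", which the manual does not describe. The cipher below is a deliberately simple keyed byte substitution, constructed for this example, whose only purpose is to have the two properties the manual's usage relies on: applying it twice with the same key restores the input, and two different keys do not commute, so unwinding the layers in the wrong order silently produces garbage. OLDSMOBILE is the manual's sample key; the other two keys, the helper names and the plaintext are the example's own.

```python
"""Added example: the SENTRY ENCRYPT call pattern modelled in Python.

Not SENTRY's routine or algorithm (the manual does not describe it). The
substitution below is a constructed toy chosen for two properties the
manual relies on: it is its own inverse, and different keys do not commute.
"""
import hashlib
import random


def key_ok(key):
    """Key length rule from the manual: 10 to 100 characters."""
    return 10 <= len(key) <= 100


def _involution_table(key):
    """Derive a fixed-point-free, self-inverse byte permutation from the key.

    The key is hashed, the hash seeds a deterministic shuffle of 0..255, and
    consecutive entries of the shuffled order are paired so that each byte
    maps to its partner and back. (Constructed for this example; not a cipher
    anyone should deploy.)
    """
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest(), "big")
    order = list(range(256))
    random.Random(seed).shuffle(order)
    table = bytearray(256)
    for i in range(0, 256, 2):
        a, b = order[i], order[i + 1]
        table[a], table[b] = b, a
    return bytes(table)


def sentry_encrypt(data, key):
    """One call both encrypts and decrypts, as the manual describes."""
    if not key_ok(key):
        raise ValueError("ENCRYPTION KEY must be 10 to 100 characters")
    return data.translate(_involution_table(key))


def encrypt_layers(data, keys):
    """Apply the keys in the given order (KEYA, then KEYB, then KEYC)."""
    for key in keys:
        data = sentry_encrypt(data, key)
    return data


def decrypt_layers(data, keys):
    """Undo the layers in REVERSE order, as the manual's three-call example does."""
    for key in reversed(keys):
        data = sentry_encrypt(data, key)
    return data


# Constructed keys and data for the demonstration. OLDSMOBILE is the manual's
# sample key; the other two are made up and satisfy the length rule.
KEYA, KEYB, KEYC = "OLDSMOBILE", "CHEVROLET1", "PONTIAC-GTO"
ORIG_DATA = b"SENTRY works great"

if __name__ == "__main__":
    garbled = encrypt_layers(ORIG_DATA, [KEYA, KEYB, KEYC])
    print(garbled)
    print(decrypt_layers(garbled, [KEYA, KEYB, KEYC]))   # original text back
    print(encrypt_layers(garbled, [KEYA, KEYB, KEYC]))   # wrong order: garbage
```

Because each byte is substituted independently, this stand-in has no diffusion and no integrity check: repeated plaintext bytes produce repeated ciphertext bytes, and a ciphertext byte can be altered without detection. Treat it as a model of the interface only; for real data use an authenticated cipher from a maintained library. The manual's NOTICE still applies whatever the cipher is: the keys and their order are now part of the data, and losing either loses the data.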

Page 106: ...inue with step 2. STEP 2: The SENTRY USER ITEMS file in the SENTRY account is searched for the item. A file pointer in the local VOC should be called SENTRY GLOBAL USER ITEMS. It should look like this: F, sentry/SENTRY USER ITEMS, sentry/D_SENTRY USER ITEMS (an F-type VOC record: the type on the first line, the data file path on the second and the dictionary path on the third), where sentry is replaced by the absolute pathname to the sentry directory. On our machine the path is /usr/sentry/SENTRY USER ITEMS. If the item is foun...

Page 107: ...If an error was encountered by the subroutine, an error message will be returned. If no error occurred, ERROR TEXT will be null ...

Page 108: ...t. The user-defined item for which the violation occurred. This reference was created through the SENTRY User Item Maintenance screen. COMMENT (Input): Free-format text description of the violation. This is a routine similar to the one which logs violations to the SENTRY Violations Log when a user with insufficient rights attempts to use a SENTRY-protected command. It will create a new entry in the SENTRY...

Page 111: ...expected. Field two is the series of characters to be entered to activate the corresponding function; note that it is assumed that a RETURN will be entered, and the RETURN does not have to appear within the series of characters. Field three of the record contains the text which is used to describe the keystrokes, e.g. ESC for the escape key. The default KEY BINDINGS record is shown below: FUNCTION NAME KE...

Page 112: ...environment and reenter SENTRY in order for the changes to take effect, because these variables are read into named COMMON. NOTE: DO NOT enter the quote marks ...
