SENTRY The Integrated Security System Release 4 User Guide Fitzgerald & Long 12341 E.
NOTICE The information contained in this guide is subject to change without notice. Fitzgerald & Long, Inc. shall not be liable for technical or editorial omissions made herein; nor for incidental or consequential damages resulting from the furnishing, performance, or use of this material. This guide contains information protected by copyright. No part of this guide may be photocopied or reproduced in any form without prior written consent from Fitzgerald & Long, Inc.
Table Of Contents
USING THIS GUIDE ------------------------------------------------ Intro - 1
USING THE SCREENS ----------------------------------------------- Intro - 3
INSTALLING SENTRY ----------------------------------------------- Intro - 5
GETTING STARTED ------------------------------------------------- Intro - 8
INTRODUCING THE MAIN MENU --------------
SENTRY User’s Guide Introduction - 1 USING THIS GUIDE The SENTRY User's Guide is comprehensive in its descriptions of all of SENTRY's menus, data entry screens and reports. The Guide follows the same structure as the SENTRY menu system. There are four major sections in SENTRY. These are: 1. Database Creation and Validation 2. Database Maintenance 3. Reports 4. Utilities Additionally, there is an introductory section and a number of appendices.
PI/open the command prompt is indicated by a colon “:” while for uniVerse the prompt is a greater-than sign “>”.
USING THE SCREENS SENTRY data entry screens feature some very helpful functions. These include "repaint", "backup", "escape" (exit without update), “execute” and "help". The following paragraphs describe each function. Repaint ^^ Enter a caret twice, followed by . The caret key is generally located on the same key as the "6" (SHIFT 6). This is a total of three keystrokes.
Data Entry Conventions Underscore/underline When awaiting data, the cursor is positioned at the beginning of the field. The field is delineated by underscores. A sentence describing the field is displayed at the bottom of the screen. No data appearing on the underscore is an indication that the field in the database is currently null. Field numbers Each data entry screen and menu uses sequential numbers which appear at the left of the field descriptions.
INSTALLING SENTRY Installing the SENTRY software is very simple! Just follow these easy steps. If you encounter problems at any point, please call us for additional assistance. Before you begin, check your system to see if there is a possible conflict with the accounts we will be loading. Do you have an account or user name called "sentry" or "sentry.practice"? If you have an account or user ID which uses either of these names, DO NOT INSTALL SENTRY.
6. Notice a file named "install". This is a script which will perform the steps necessary to install the SENTRY software. Execute the script by entering: ./install 7. Next type the command to enter your database environment (uv, udt, piopen). You should now see the TCL prompt ">" or “:”. If you see the UNIX message “… :not found” when you enter the command, it means that your PATH variable is not set up to contain the path to the command directory of your database.
SENTRY Main Menu 07 AUG 2000
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4. Utilities Menu
Please select one of the above:
Figure 1 - Main Menu
11. At this point you are ready to begin loading your data into the SENTRY database. This procedure is described in the following section “Getting Started”.
GETTING STARTED This section describes how to invoke the SENTRY Main Menu. It also describes the copyright and the validation screen which will be displayed as you enter SENTRY. Additionally, the first three steps for loading the SENTRY database are presented. < < S E N T R Y - Serial Number 00.08.70100 > > This version of SENTRY has been prepared expressly for Fitzgerald & Long, Inc.
Our recommendation is that you create a userid called sentry with the UID of 0 (zero). This user will have “sentry” as its “home” directory and will invoke the database on login. Suggestion: use SENTRY to create this user while “getting started” with SENTRY. At TCL, enter: SENTRY The SENTRY copyright screen (Figure 2) will be displayed.
This is a safety precaution. SENTRY is a very powerful tool and should only be used by the System Administrator or his designee. SENTRY is designed to be a single user utility. Therefore, only one user at a time is allowed into SENTRY. The third SENTRY screen (Figure 3) informs you that SENTRY is validating that your user ID has a UID of 0 (zero).
wish to send the report to a specific printer, form or destination use the SETPTR command to set your printer parameters before executing this selection. After performing these steps your SENTRY database reflects the actual state of your system. You may now use the Database Maintenance Menu to fix the inconsistencies reported by the validation program or to modify users, groups and file permissions. You may also begin to protect database commands.
INTRODUCING THE MAIN MENU SENTRY's Main Menu follows the copyright screen and the System Administrator validation screen. It is the entry point into the four submenus. The four submenus are presented as selections 1 through 4 (Figure 4).
SENTRY Main Menu 07 AUG 2000
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4.
The first selection, Database Creation and Validation Menu, offers access to programs which upload the information in the UNIX passwd and group files into SENTRY's database. Another program traverses the disks, reading the permissions, owner and group for each file and directory and loading cross reference information into SENTRY's database. Once the data are loaded, you should test the consistency of the data by executing the validation program.
1. INTRODUCING THE DATABASE CREATION AND VALIDATION MENU The first selection of SENTRY's Main Menu is Database Creation and Validation. This menu provides access to programs which will build SENTRY’s database from your existing user, group and file system data.
SENTRY Main Menu 07 AUG 2000
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4.
1.0 DATABASE CREATION AND VALIDATION MENU This is the first submenu accessible from SENTRY's Main Menu. It is also the first selection you will make after installing SENTRY. Through this menu, you will execute programs which load all the UNIX passwd and group information on your system into SENTRY's database.
SENTRY Database Creation and Validation Menu 07 AUG 2000
1. Upload User and Group Profiles from UNIX
2. Create Database from File System
3.
1.1 UPLOAD USER AND GROUP PROFILES FROM UNIX This program loads the data from the UNIX passwd and group files into the SENTRY database. Existing data in the SENTRY database is checked and compared to that in these two files. The SENTRY database is updated to reflect the same configuration as these files.
DB.LOAD SENTRY Data Base Load 08/08/00
Enter "OK" to start the loading process or "" to exit : OK
Loading user profiles.
Loading group information.
We recommend: Upload the passwd and group files into the SENTRY databases on a regular basis to ENSURE that SENTRY reflects an accurate view of your system. Because of the numerous file system changes which occur daily in the normal course of operations, we recommend that you execute the program which creates the file system view on a regular basis as well. These programs should be scheduled as “over night” jobs at least once a week on systems with “normal” activity.
1.2 CREATE DATABASE FROM FILE SYSTEM This section describes the program which creates the B-trees to index your file system directories, files, file owners and groups. On a system with a very large number of files, this process may take a number of hours. This is a “read only” process. It does NOT interfere with your normal processing. FILE.
1.3 VALIDATE THE USER PROFILE DATABASE This program is used to check the consistency of the users, groups and permissions which have been loaded into the SENTRY database via the first two programs described in this section. User IDs, groups, and their usage in the file system are analyzed and inconsistencies are reported. For example, the validation report might point out a file whose owner is not registered or a home pathname which does not exist on the system.
This program will generate a printed report, using whatever printer setup is in effect at the time the program is run. To modify the printer, destination or form, use the SETPTR command at TCL prior to running the program. Alternatively, the SENTRY XEQ function may be used to execute the SETPTR command. To execute this program, select 1. Database Creation and Validation Menu from the SENTRY Main Menu. Next, select 3.
3. “Password for User XXXXX is less than N characters.” - The user “XXXXX” has a password which is shorter than the minimum password length specified in the SENTRY System Profile screen, which is N. This user’s password should be updated to conform to the minimum length restrictions you have instituted. 4. “User XXXXX has no home directory.” - The user “XXXXX” has no home directory specified.
5. “Group (GID) XXXXX on /ZZZZZ does not exist.” - The group number “XXXXX” is the registered group for a disk object whose path is “/ZZZZZ”. However, the group does not exist in SENTRY. Possibly, the group once existed but has been deleted. The group for this disk object should be replaced with a valid group on the system. Alternatively, a new or existing group could be assigned the same group number (GID). 6. “Command /VVVVV does not have any groups or users assigned.
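The consistency checks the validation report describes (unregistered file owners and groups, missing home directories, groups whose members are not in passwd) can be reproduced outside SENTRY. The following is an added example, not SENTRY's own code: it parses constructed passwd and group lines plus a constructed owner/group listing, and uses the guide's own message wording where the guide gives one; the other message texts and the constructed data are assumptions.

```python
# Constructed passwd(4) lines: "bee" refers to GID 999, "sys" has an empty home field.
PASSWD_LINES = [
    "root:x:0:0:root:/:/bin/sh",
    "peggy:x:201:140:Peggy Long:/home/peggy:/bin/ksh",
    "bee:x:202:999:Bee:/home/bee:/bin/sh",
    "jaf:x:203:140:J Fitzgerald:/home/jaf:/bin/sh",
    "sys:x:3:0:sys::/bin/sh",
]

# Constructed group(4) lines: "ghost" is listed as a member but is not in passwd.
GROUP_LINES = [
    "root:x:0:",
    "mail:x:6:",
    "devel:x:140:peggy,jaf,ghost",
]

# Constructed result of the file system scan: (path, owner UID, group GID).
FILES = [
    ("/home/peggy", 201, 140),
    ("/home/jaf", 203, 140),
    ("/data/old", 250, 140),   # UID 250 is not registered in passwd
    ("/data/x", 0, 55),        # GID 55 is not registered in group
]

# Constructed set of directories that exist on disk (stands in for an os.path.isdir check).
EXISTING_DIRS = {"/", "/home/peggy", "/home/jaf"}


def parse_passwd(lines):
    """Map user name -> fields from passwd lines (name:pw:uid:gid:gecos:home:shell)."""
    users = {}
    for line in lines:
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(lines):
    """Map GID -> {name, members} from group lines (name:pw:gid:member,member,...)."""
    groups = {}
    for line in lines:
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = {"name": name, "members": [m for m in members.split(",") if m]}
    return groups


def validate(users, groups, files, existing_dirs):
    """Return the list of inconsistency messages.  "User XXXXX has no home directory."
    and "Group (GID) XXXXX on /ZZZZZ does not exist." follow the guide; the others
    are assumed wording for checks the guide describes in prose."""
    findings = []
    known_uids = {u["uid"] for u in users.values()}
    for name, u in users.items():
        if u["gid"] not in groups:
            findings.append(f"GID {u['gid']} for user {name} does not exist.")
        if not u["home"]:
            findings.append(f"User {name} has no home directory.")
        elif u["home"] not in existing_dirs:
            findings.append(f"Home directory {u['home']} for user {name} does not exist.")
    for gid, g in groups.items():
        for member in g["members"]:
            if member not in users:
                findings.append(f"User {member} in group {g['name']} is not registered.")
    for path, uid, gid in files:
        if uid not in known_uids:
            findings.append(f"User (UID) {uid} on {path} does not exist.")
        if gid not in groups:
            findings.append(f"Group (GID) {gid} on {path} does not exist.")
    return findings


def run_validation():
    """Parse the constructed data and validate it; returns the findings list."""
    return validate(parse_passwd(PASSWD_LINES), parse_group(GROUP_LINES), FILES, EXISTING_DIRS)


if __name__ == "__main__":
    for n, msg in enumerate(run_validation(), 1):
        print(f"{n}. {msg}")
```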
2. INTRODUCING THE DATABASE MAINTENANCE MENU The second selection on SENTRY's Main Menu is 2. Database Maintenance Menu. Through this selection you may access data entry screens to create, delete and modify the system profile, user profiles, groups, permissions, file ownership and Protection Command.
SENTRY Main Menu 07 AUG 2000
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4.
2.0 DATABASE MAINTENANCE This is the second sub-menu accessible from SENTRY’s Main Menu. It is the menu you will use to make changes to the SENTRY database. You may create or modify users, groups and permissions through this menu.
SENTRY Maintenance Menu 07 AUG 2000
1. System Profile
2. User Profiles
3. Groups
4. File System
5. Database Commands
6.
4. File System. This entry allows you to scroll through your UNIX tree structure much like you do in the Windows File Manager. From this selection you may request “file detail” information which is read from the UNIX I-node. Included in this information is the last time the file was accessed and/or modified. In this screen you may change the owner, the group and the permissions. 5. Database Commands.
2.1 SYSTEM PROFILE MAINTENANCE This data entry program is used to display and change the system profile parameters. A number of these parameters are system specific and must be set to reflect YOUR system’s limits. These parameters include maximums and minimums for password length, user ID length, and group name length. During installation, these parameters should be set appropriately for the limitations of your version of UNIX.
1. Null Passwords Allowed - The default of this field is “N”. When set to “N”o, each user must have a password. If this field is set to “Y”es, you may create a user with a null password. For good security, passwords should be mandatory. This field controls the data entry program for creating new users.
• Each password must contain at least two alphabetic characters and at least one numeric or special character. • Each password must differ from the user name and from any reverse or circular shift of that name. However, the System Administrator (UID is zero) may create or change any password and those passwords created by the superuser do not have to comply with password construction requirements. 6.
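The construction rules above (two alphabetic characters, one numeric or special character, no match against the user name or any reverse or circular shift of it, superuser exempt) are mechanical enough to check before a password is accepted. This added example is not SENTRY's code; the minimum length default and the setter_uid parameter are assumptions standing in for the System Profile value and the UID of the account making the change.

```python
import string


def circular_shifts(name):
    """Every rotation of name: 'peggy' -> {'peggy', 'eggyp', 'ggype', 'gypeg', 'ypegg'}."""
    return {name[i:] + name[:i] for i in range(len(name))}


def forbidden_forms(user_name):
    """The user name, each circular shift of it, and the reverse of each, case-folded."""
    shifts = circular_shifts(user_name.lower())
    return shifts | {s[::-1] for s in shifts}


def check_password(password, user_name, min_len=6, setter_uid=1):
    """Return a list of rule violations; an empty list means the password is acceptable.

    setter_uid is the UID of the account setting the password (assumed parameter).
    The guide notes that passwords set by the superuser (UID 0) are exempt from the
    construction rules, so the check is skipped in that case."""
    if setter_uid == 0:
        return []
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than the minimum length of {min_len}")
    if sum(c.isalpha() for c in password) < 2:
        problems.append("fewer than two alphabetic characters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no numeric or special character")
    if password.lower() in forbidden_forms(user_name):
        problems.append("matches the user name or a reverse/circular shift of it")
    return problems


if __name__ == "__main__":
    # "yggep" is "peggy" reversed; "ggype" is a circular shift of it.
    for pw in ("peggy", "yggep", "ggype", "p3ggy!x", "Ab3!xyz"):
        print(f"{pw:8} -> {check_password(pw, 'peggy') or 'OK'}")
```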
However, we recommend using UIDs smaller than 5 digits simply to make them easier to read. The default and recommended value for this field is 1000. 13. Maximum GID Number - This field defines the largest number which may be used as a GID. This maximum is a UNIX parameter. On some UNIX systems this number may be as large as 60,000. However, we recommend using GIDs smaller than 5 digits simply to make them easier to read.
Note that the indexing occurs at the time that the “Create Database from File System” program is run from the Database Creation and Validation Menu. If the punctuation characters used are changed, the program must be rerun to put the new indexing into effect. Enter field number to modify, “C”ustom, “F”ile record or ““ to exit: - This is the primary modifications prompt for this screen.
1. Minimum password change (days): Enter the number of days before a user is allowed to change his existing password. For example, if UNIX has just expired a user's password and the user enters a new one, you can use this parameter to prevent the user from resetting his password to the old one for the number of days you specify. The idea is that if the user is forced to keep the new password for several days, he will not change it back to the older one.
2.2 USER MAINTENANCE This data entry program is used to display, change, and delete user IDs, including documentation for the user, UID, GID, home directory, and initial startup command. Additionally, all supplementary groups are displayed in this screen. Supplementary groups may be added and deleted from the user’s profile. Cross referencing is available to list existing users and their UIDs, existing groups and their GIDs, and home directories in use. USER.
SENTRY database using the user’s name, enter “@” followed by the first or last name of the user. For example, if you wanted to search for user IDs for Peggy Long, you could enter “@long”. If there were more than one “long” or if Peggy had more than one ID, a list would be displayed from which you could choose the appropriate user.
configured (through the System Profile screen) to generate alphanumeric passwords, which will contain at least 1 numeric character. If the System Profile is set to allow null passwords to be optional, you may pass this prompt leaving it null. We do not recommend null passwords. Every user should have a unique user ID and passwords should be changed on a regular basis. 5. UID - This field defines the UID number for the user.
8. Command - This field normally defines the startup UNIX shell the user invokes. The System Profile provides a “default”. If you wish to use the default you need only press . Otherwise, enter the path to the UNIX shell you wish this user to invoke at startup. 9. Groups - This field is multi-valued and lists the user’s supplementary groups. The GID for each group is displayed along with the group name in parentheses.
new password for 90 days before he was forced by UNIX to enter a new password. This is 90 calendar days. 3. Password change warning (days): Enter the number of days before a new password is required that you would like UNIX to warn the user that his password is about to expire. We recommend 5 days. 4. Maximum inactive time (days): This field is used to protect inactive logins.
To exit you must save your changes by entering “F”. If you make no changes or wish to cancel your session without saving changes, enter ““. The User Maintenance screen will be redisplayed sans data. To delete a user enter “DEL” at this prompt. You will be prompted: Are you sure you want to delete the entire record(YES/NO)? Entering “YES” will cause the deletion to proceed. Entering “NO” will cause the program to return to the primary User Maintenance screen. USER.
/jaf
Enter "" to quit :
Figure 17 - This is an example of the list of files owned by the user being deleted - Selection A.
B) Continue to delete the user / leave files as they are. This option deletes the user from the passwd and group files but leaves the UID as the owner of the files. Enter “B” to select this option. C) Change ownership of these files to another user. This selection will prompt for a new owner.
D) Do not delete this user. This option allows the user to return to the main User Maintenance menu without altering the user ID or the file system. No changes are made. To select this option enter “D”. You will be returned to the User Maintenance screen. In summary, the User Maintenance screen allows you to create new users, modify existing users and delete users. Remember that file ownership is linked to users via the UID.
2.3 GROUP MAINTENANCE Through this data entry program you may add and delete groups from the system, add a descriptive text field to document a group and assign the group’s GID.
GROUP.MAINT Group Maintenance 08/07/00
Group : adm
1. Description : HP system group
2. GID : 4
Enter field number, "F"ile, "DIS"play users, "DEL"ete or "" to exit :
Figure 20 - This is an example of the “Group Maintenance” data entry screen.
2. GID - This is the number assigned to this group name. You may use “@” for a list of all groups and their associated GIDs. You may assign a number or enter “N” and SENTRY will assign the next available number. Enter field number, “F”ile, “DIS”play users, “DEL”ete or to exit. This is the standard modifications prompt for the Group Maintenance program. To access any selection on the screen, enter the number associated with that selection.
In UNIX every file has an owner and a group. The references to owners and groups are the UID and the GID for each. The actual names are NOT stored, only the number. The numbers are translated by various UNIX utilities through a “lookup” process in the passwd and group files. If a group is deleted which is the group for files, the GID will continue to be the file group.
GROUP.MAINT Group Maintenance 08/14/00
Files owned by group 140 (devel)
/jaf
Enter "" to quit :
Figure 23 - This is an example of the list of files owned by the group “devel”. Selection A displays this list.
B) Continue to delete the group/leave files as they are. This option deletes the group from the group file but leaves the GID as the file group. If there are users with this group as their GID in the passwd file, these references are not deleted.
D) Do not delete this group. This option allows the user to return to the main Group Maintenance menu without altering the group or the file system. No changes are made. To select this option enter “D”. You will be returned to the Group Maintenance screen.
2.4 FILE SYSTEM With this program you may change owners, groups and the permissions for any file or directory in your file system. With SENTRY’s extensive B-tree system of cross references, you may use this program to locate the path to any object on your system.
FILE.MANAGER General File Utility 12:02:32 08 AUG 2000
Path : / top... --> --> (32 entries.
FILE.MANAGER General File Utility 16:24:02 07 AUG 2000
CURSOR.MAIN
=========================================================================
HELP for "Cursor Control and Commands"
There are twenty commands which may be entered at any position on the screen. None of the commands require a carriage return -- simply type the keystrokes for the command.
UP DOWN PAGE.UP PAGE.
One of the most valuable functions of this program is the ability to find files and directories without knowing the full path or the full name in some cases. To use the cross reference enter “@”. You will be prompted: Enter name for cross reference: In our following example, we used “peggy” as input. Note that all of the files and directories contain the word “peggy” in the pathname. FILE.
FILE.MAINT Detailed File View 08/08/00
File Pathname : /.elm/last_read_mail
File Type : normal file
Inode : 11470
No of Links : 1
Size (Bytes) : 1129
Last Access : Wed Feb 1 10:11:35 2000
Last Modify : Wed Feb 1 10:11:35 2000
Last Change : Sat Aug 6 00:01:27 2000
1. Owner : 0 (peggy,root)
2. Group : 6 (mail)
3.
In the lower half of the screen the file owner, group and permissions are displayed. You may use this screen to modify any of these three fields. 1. Owner - SENTRY displays the UID of the file owner plus the user ID (may be more than one) for the displayed UID. To change the owner, enter “1” followed by . You will be prompted “Enter the user to be the file owner”. You may choose from a “pick” list by entering “@”. 2.
ACLs Maintenance Access Control Lists (ACLs) are an extension of the standard UNIX file permissions. If you have attempted to provide database protection through the use of UNIX file permissions you will have experienced the limitation that each file may have only one owner and one owning group with all other users receiving what is called the “other” category of access rights. UNIX provides three “permissions” with regard to a file.
This is an example of the “ACL Maintenance Screen”. Not all UNIX systems support ACLs. Additionally, you may elect not to use them. If your copy of SENTRY displays this screen you may create and change ACLs with this program. When this screen is displayed, the pathname of the selected file will appear in the first data field “File pathname”. In our example the pathname is “/usr/sentry/VOC”. You cannot modify this pathname in this screen.
The next field “3. Permissions” consists of three sets of three permissions. In our example they are “rwx rwx ---”. The first three, leftmost characters are the rights assigned to the Owner. The second set of characters are the rights assigned to the Owning Group and the third set “---” are the rights assigned to everyone else, generally called “other”. In our example, the three dashes indicate that “other” has no privileges to read, write or execute.
the user is not the owner and not a member of the group associated with a file, the permissions displayed for the user will be that of “other”. The benefit of this feature is that you may browse through your file system, viewing access rights without having to know if a user is in a particular group or not. This saves time!
FILE.MANAGER General File Utility
Path : / Access shown for user bee (201) top...
FILE.MANAGER General File Utility 14:39:56 18 AUG 2000
Path : / Access shown for group piadm (9) top... -->
drwx------ root mail
-r--r--r-- bin bin
-r--r--r-- bin bin
-rw------- root sys
-rw-rw-rw- root sys
-rw-rw-rw- root sys
-r--r--r-- root sys
-rw-rw---- root sys
-rw-rw---- root sys
drwx------ root mail
-rwxr-xr-x root root
drwxr-xr-x root other
drwxr-xr-x root other
drwxr-xr-x root other
drwxr-xr-x root other
-rwxr-xr-x root sys
-rwx-----x root adm
(32 entries.
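The "Access shown for user" and "Access shown for group" views select one rwx triplet per entry: owner bits if the UID matches, group bits if the file's group is the user's primary or a supplementary group, otherwise the "other" bits. This added example (not SENTRY's code) applies that selection to a constructed listing in the shape of the FILE.MANAGER screen; the GID numbers for the listed groups, the user "bee" (UID 201) and the writable_by helper are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """A user as the passwd/group upload would record it (constructed)."""
    name: str
    uid: int
    gid: int                                  # primary (GID) group
    groups: set = field(default_factory=set)  # supplementary GIDs


# Constructed entries in the shape of the FILE.MANAGER listing:
# (mode string, owner UID, group GID, entry name).
# Assumed GIDs: other=1, bin=2, sys=3, adm=4, mail=6, piadm=9.
LISTING = [
    ("drwx------", 0, 6, "Mail"),
    ("-r--r--r--", 2, 2, "unix"),
    ("-rw-rw----", 0, 3, "log"),
    ("-rwx-----x", 0, 4, "sbin"),
    ("drwxr-xr-x", 0, 1, "usr"),
    ("-rw-rw----", 0, 9, "piadm.cfg"),
]


def split_mode(mode):
    """'-rwxr-x--x' -> ('rwx', 'r-x', '--x'); the leading file-type character is dropped."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    return mode[1:4], mode[4:7], mode[7:10]


def access_for_user(mode, owner_uid, group_gid, user):
    """The triplet shown for 'Access shown for user'.  Ownership is matched on UID,
    not on name, because several user IDs may share one UID (see the Owner field)."""
    owner, group, other = split_mode(mode)
    if user.uid == owner_uid:
        return owner
    if group_gid == user.gid or group_gid in user.groups:
        return group
    return other


def access_for_group(mode, group_gid, gid):
    """The triplet shown for 'Access shown for group': group bits when the file
    belongs to that group, otherwise the 'other' bits."""
    _owner, group, other = split_mode(mode)
    return group if group_gid == gid else other


def access_view(listing, user):
    """[(entry name, effective triplet)] for every entry, as the screen lists them."""
    return [(name, access_for_user(mode, uid, gid, user)) for mode, uid, gid, name in listing]


def writable_by(listing, user):
    """Names of entries the user could modify: a review aid built on the same rule."""
    return [name for name, bits in access_view(listing, user) if "w" in bits]


if __name__ == "__main__":
    bee = User("bee", 201, 201, {9})   # constructed: primary GID 201, supplementary piadm (9)
    print("Access shown for user bee (201)")
    for name, bits in access_view(LISTING, bee):
        print(f"  {bits}  {name}")
    print("writable:", writable_by(LISTING, bee))
```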
2.5 COMMAND MAINTENANCE This program is used to update protection of VOC items in uniVerse, PI/open and UniData accounts. It is also a convenient means of reviewing the existing protection (created by SENTRY) which may be in effect.
COMMAND.MAINT Command Maintenance 08/08/00
Account Name : /usr/sentry.dev
VOC Command : PROC.TEST PROC
1. Description : Test program
2. Subroutine : *SENTRY.COMMAND.CONTROL
3.
To execute this program, select 2. Database Maintenance Menu from SENTRY's Main Menu; then, select 5. Database Commands from the Database Maintenance Menu. The Command Maintenance program will be invoked. A detailed description of the data entry screen (Figure 33) and prompts follows. On first entering this program, no data will be displayed on the screen. You will be prompted to enter the name of a database account then the name of the VOC item you wish to protect.
X - Execute from inside a program only
UX - Both use at database prompt and from within a program
ALL - Unlimited use
NONE - No use
The default protection is “NONE”. 4. Users - Enter the user ID for which you wish to define protection rights. The user ID must already exist on the SENTRY database. Type “@ name” for a listing of all user IDs having “name” in their user name. Type "@" for a listing of all user IDs on the system.
Enter Field Number, "F"ile, "DEL"ete or to Exit: - This is the main modifications prompt for this data entry screen. If you wish to change any of the information, enter the number associated with the entry field, 1 through 7. The cursor will move to the selected input field and allow you to modify the current information.
2.6 USER ITEM PROTECTION MAINTENANCE This is a special SENTRY feature which allows you to define SENTRY security objects. These objects may be accessed through subroutine calls to solve unique security problems which may not be met through permissions and VOC item security facilities. For example, you may have a personnel inquiry screen in which you would like to limit the display of the salary field to only a certain group.
To execute this program, select 2. Database Maintenance Menu from SENTRY's Main Menu; then, select 6. User Defined Items from the Database Maintenance Menu. The User Item Protection Maintenance program will be invoked. A detailed description of the data entry screen (Figure 34) and prompts follows. On first entering this program, no data will be displayed on the screen.
5. Groups - This is an input window used to enter the groups associated with this User Item. Enter the name of a group. The groups entered must already exist in the SENTRY database. A list of groups may be viewed by entering "@" at this input prompt. A group may be entered only once. An error message will be displayed should you enter a duplicate name into the list. To remove or replace a group currently in the list, enter the line number associated with that group.
To save changes you have made to the User Items, enter "F" to file. After filing or deleting a User Item, the screen will be repainted and you will be prompted for a User Item name. To enter another Account Name press . Enter at the Account Name prompt to exit this program.
Enter Line # of Groups (or Users) (1-N), "A"dd, "F"orward or "B"ack Page: - When using the Groups or Users windows, you will see the prompt "Enter line # of Groups (or Users) (1-n) or "A"dd. If there are more than five entries in a window, "F"orward page or "B"ack page will be appended to this prompt. These commands scroll the window to the next set of five entries or to the previous set.
3. INTRODUCING THE REPORTS MENU The third selection on SENTRY's Main Menu is 3. Reports Menu. Through this selection you may print reports documenting the system environment, user details, group details, and VOC item protection.
SENTRY Main Menu 07 AUG 2000
1. Database Creation and Validation Menu
2. Database Maintenance Menu
3. Reports Menu
4.
3.0 REPORTS MENU This is the third submenu accessible from SENTRY's Main Menu. All reports are printed from this menu. You may select any of six reports. Set your default printer parameters BEFORE entering SENTRY.
SENTRY Reports Menu 07 AUG 2000
1. System Profile
2. User Profiles
3. Groups
4. Account Protection
5. Command Protection
6.
Selection five, Command Protection, is the same information as selection four except the report is sorted by the name of the command which is protected. A list of accounts where that command is protected is displayed. Choosing selection six, Access Violations, prints the SENTRY Violations Log. Entries are printed in chronological order. Each record includes date, time, port number, USER ID, pathname and the protected command which was executed creating the violation.
3.1 SYSTEM PROFILE REPORT Selection one, System Profile, generates a report detailing the contents of SENTRY’s system limits record. These parameters are used by SENTRY to enforce password, user ID and group name lengths in keeping with the limitations of your version of UNIX and standards set by the System Administrator for your site.
SENTRY.SYSTEM.LIMITS.REPORT SENTRY System Profile as of 13:39:22 08-16-00
Null Passwords Allowed.............
Minimum Password Length - This is a UNIX defined parameter as well as one used by SENTRY when new users are created. Passwords may be 0 (zero) to “your maximum value” in length. However, most UNIX systems do not recognize more than 8 (eight) characters. More than 8 are ignored. The recommended and default value for this field is 6.
embedded numeric. The default and recommended value is ALPHA which will generate a string of alphabetic characters, the length defined by the Minimum Password Length field. If the minimum length field is 0 or null, a password of 6 characters will be used unless otherwise specified when the “G”enerate command is used in the password field of the User Profile data entry screen.
Maximum user ID Length - This field contains a number defining the maximum number of characters allowed for a user ID. Most UNIX systems allow up to 8 alphanumeric characters. This field is used by the User Profile data entry screen to limit the length of user IDs created through SENTRY’s data entry screen. The recommended and default value is 8. Maximum Group Name Length - This value is used by the program to limit the number of characters in group names.
Punct for File Indexing - SENTRY builds B-trees to provide rapid cross referencing into the file system. For example, let’s imagine that you are looking for a file called “payroll.something”. You can’t remember the “something”. In the File System screen you may enter “payroll” and SENTRY will search the B-trees for all references to “payroll”. A list of pathnames to all files and directories whose name contains the string “payroll” will be displayed.
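The "Punct for File Indexing" characters decide where a file name is split into the keys the cross reference searches on, which is why the System Profile section says the file system scan must be rerun after the set changes. This added example (not SENTRY's code) builds such an index over constructed pathnames with a plain dict standing in for the B-tree; the punctuation set "._-" and the splitting rule are assumptions.

```python
# Assumed value of the System Profile field "Punct for File Indexing".
PUNCT = "._-"

# Constructed pathnames standing in for the file system scan.
PATHS = [
    "/usr/acct/payroll.dat",
    "/home/peggy/old_payroll.txt",
    "/home/peggy/notes",
    "/data/pay-roll/report",
]


def name_tokens(name, punct):
    """Split one path component on the configured punctuation characters, case-folded.
    'old_payroll.txt' with punct '._-' -> ['old', 'payroll', 'txt']."""
    tokens, current = [], ""
    for ch in name:
        if ch in punct:
            if current:
                tokens.append(current.lower())
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current.lower())
    return tokens


def build_index(paths, punct=PUNCT):
    """Token -> set of pathnames having that token in any path component.
    The keys depend on punct, so changing the punctuation set without
    rebuilding leaves lookups running against stale keys."""
    index = {}
    for path in paths:
        for component in path.strip("/").split("/"):
            for tok in name_tokens(component, punct):
                index.setdefault(tok, set()).add(path)
    return index


def lookup(index, term):
    """Sorted pathnames for a cross-reference term, as typed at the '@' prompt."""
    return sorted(index.get(term.lower(), ()))


if __name__ == "__main__":
    idx = build_index(PATHS)
    print("payroll ->", lookup(idx, "payroll"))
    print("peggy   ->", lookup(idx, "peggy"))
    # Rebuilt with no punctuation characters, "payroll.dat" is a single key and
    # the same search no longer finds the file.
    print("payroll (no punct) ->", lookup(build_index(PATHS, ""), "payroll"))
```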
3.2 USER PROFILES

The SENTRY User Profile Report displays all parameters in effect for each user registered in your system. Additionally, such information as the user's name, department and telephone may be added to the system data.

SENTRY.USERS.

UID - UNIX maintains a relationship between users and files by assigning ownership via the UID, the user's number. To maintain the translation of UIDs to user IDs (used by the file system), the Administrator should take care when creating or changing this relationship.

GID Name - When a user login ID is created, UNIX allows the user to be assigned to a group. Here again, the name of the group is not held in the passwd file, only the group's number or GID.

3.3 GROUPS REPORT

The SENTRY Groups Report displays, in a very concise format, all data related to groups on your system. Along with the name and description of each group are all user IDs associated with the group. The user's relationship with each group (GID or supplementary) is also reported.

SENTRY.GROUPS.

GID for Users - The users listed in this field are assigned this group in the passwd file. It is commonly referred to as their GID group or primary group.

Description - This is a free-form text field to be used by the System Administrator to document the usage of groups on your UNIX system.

This report is produced by the database reporting language on your system. The paragraph can be found in VOCLIB/SENTRY.GROUPS.REPORT. The database file is SENTRY.GROUPS.
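Both the UID/GID discussion in 3.2 and the primary-versus-supplementary distinction in 3.3 come down to joining the passwd file (which carries only the GID number) with the group file (which carries the name and the supplementary members). The following added Python example, which is not part of the guide or of SENTRY, does that join over constructed passwd and group lines and produces the data the Groups Report prints, plus the check the UID paragraph asks the Administrator to keep in mind: users whose GID no longer resolves to a group name.

```python
# Constructed sample lines in /etc/passwd and /etc/group layout; not taken
# from any real system.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice Example,Payroll,x5551:/home/alice:/bin/sh
bob:x:1002:100:Bob Example,Accounting:/home/bob:/bin/sh
carol:x:1003:200:Carol Example:/home/carol:/bin/sh
"""

GROUP_TEXT = """\
root:x:0:
users:x:100:carol
payroll:x:200:alice
audit:x:300:bob,carol
"""


def parse_passwd(text):
    """Map user ID -> (uid, gid, gecos). The passwd file holds only the GID
    number, never the group name."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, _home, _shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), gecos)
    return users


def parse_group(text):
    """Map group name -> (gid, [supplementary members])."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def group_report(passwd_text, group_text):
    """Build the Groups Report data: for each group, the users whose passwd
    GID names it (primary) and the users listed in the group file entry
    (supplementary), each list sorted."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _m) in groups.items()}
    report = {name: {"gid": gid, "primary": [], "supplementary": []}
              for name, (gid, _m) in groups.items()}
    for user, (_uid, gid, _gecos) in users.items():
        name = gid_to_name.get(gid)
        if name is not None:
            report[name]["primary"].append(user)
    for name, (_gid, members) in groups.items():
        # A user already primary in this group is not counted twice.
        report[name]["supplementary"] = [m for m in members
                                         if m not in report[name]["primary"]]
    for entry in report.values():
        entry["primary"].sort()
        entry["supplementary"].sort()
    return report


def unresolved_gids(passwd_text, group_text):
    """Users whose passwd GID has no entry in the group file: the UID/GID
    translation the guide tells the Administrator to take care over."""
    users = parse_passwd(passwd_text)
    known = {gid for gid, _m in parse_group(group_text).values()}
    return sorted((user, gid) for user, (_uid, gid, _g) in users.items()
                  if gid not in known)
```

A non-empty result from unresolved_gids is worth acting on before running the report: such a user still owns files under that numeric GID, but no group name will appear for them, and a later group created with the same number silently inherits that access.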
3.4 ACCOUNT PROTECTION REPORT

This is a report of all protected commands on your system. It is sorted by account so that one page is printed per account. Note that the account pathname appears in the title of the report.

SENTRY.ACCOUNTS.

Description - The description field is used for documentation and may be entered through the Database Maintenance program for Database Commands.

Group Name & Rights - This field displays the names of groups (if any) used to define the access to this command and the rights given to these groups. The names of the groups MUST be registered UNIX group names. This field may be multi-valued.

3.5 COMMAND PROTECTION REPORT

The SENTRY Command Protection Report presents an alphabetical listing of all commands protected through SENTRY's Database Commands program.

SENTRY.COMMANDS.REPORT    Command Protection as of 12:16:37 08-08-00

Commands: Verbs, Sent, Menu, PA or PQ   Type   Description                          Pathname
======================================  ====   =================                    ==============
DELETE                                  V      Verb to DELETE records from a FILE   /usr/sentry.

Group Name & Rights - This field displays the names of groups (if any) used to define the access to this command and the rights given to these groups. The names of the groups MUST be registered UNIX group names. This field may be multi-valued.

User Name & Rights - Displayed in this field is a list of all users who have rights to this command. Their rights are listed to the right of the user ID. This may be a multi-valued field.
3.6 ACCESS VIOLATIONS REPORT

The SENTRY Access Violations Report is an audit report of violations logged by SENTRY for Database Commands and for User Defined Items. Each attempt to use a restricted command by an unauthorized user is reported here.

SENTRY.VIOLATION.

Pathname - This is the pathname to the account containing the protected VOC item which was used by an unauthorized user.

Violation Item - This field documents which Command was used. Messages beginning with "Command Executed" indicate that the command was used within a paragraph, sentence or program. Messages beginning with "PERFORM Command" indicate that use of the Protected Command occurred at the database prompt.
4. INTRODUCING THE UTILITIES MENU

The Utilities Menu is executed through selection four on the SENTRY Main Menu. The programs provided in this selection are ancillary to the job of providing sound, well-documented system security. These utility programs offer conveniences such as duplicating the protection from one account to another, purging the Violations Log, and generating new passwords.

SENTRY Main Menu    07 AUG 2000
1. Database Creation and Validation Menu
2.

4.0 UTILITIES MENU

This menu provides access to five utility programs designed to save the System Administrator data entry effort and time in performing global tasks such as generating and protecting an account "like" another account, purging the Violations Log on a selective basis, and changing passwords in SENTRY's database.

SENTRY Utilities Menu    16 AUG 2000
1. Protect a Database Account Like an Account Already Protected
2. Purge the Violation Log
3.

Selection four, Rebuild SENTRY Cross Reference Files. SENTRY maintains a number of traditional inverted lists which are used for cross referencing. When you use the "@" function you are accessing one of these lists. Should you encounter a list where an item appears as "NOT FOUND" or isn't shown when it should be, you should rebuild these lists through this program.

Selection five, Update Protected Commands to Account VOC Files.

4.1 VOC PROTECTION SETUP

This program provides the convenience of being able to copy the protection set on VOC items in one account to a second account. For a system with numerous accounts needing the same or similar protection, this program provides an automated process of creating VOC protection without the necessity of entering each item in a number of accounts.
4.2 PURGING THE VIOLATIONS LOG

This program provides a convenient method of selectively purging the SENTRY Violations Log. You may purge by record key, dates, ports, user ID, or account name. To invoke this program enter 4, Utilities Menu, from the SENTRY Main Menu; then select 3, Purge the Violations Log. On entering this program, you will be prompted for:

1. Violation Keys
2. Beginning Date
3. Ending Date
4. Computer Port
5. User IDs
6. Account Pathname

This program constructs a query sentence to SELECT the items to be purged. When entering your criteria, think of it as though you were completing the phrase "WITH field.name EQ (or LT, GT)" with the items you enter.
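The following added Python example (not part of the guide or of SENTRY) ties 3.6 and 4.2 together: it holds a constructed violations log, classifies each Violation Item message the way the Access Violations Report describes ("PERFORM Command" versus "Command Executed"), turns the six purge prompts into the WITH clauses the purge program builds, and applies them. The file name SENTRY.VIOLATION.LOG is a placeholder, because the guide's own name is truncated in this copy; the date bounds are treated as inclusive, an assumption of the example.

```python
from dataclasses import dataclass
from datetime import date

# Placeholder name for the violations file; the guide's own file name is
# truncated in this copy ("SENTRY.VIOLATION.").
VIOLATIONS_FILE = "SENTRY.VIOLATION.LOG"


@dataclass
class Violation:
    key: str
    logged: date
    port: str
    user_id: str
    account: str    # pathname of the account holding the protected VOC item
    item: str       # the Violation Item text as the report prints it


# Constructed sample log records; not real SENTRY data.
LOG = [
    Violation("1", date(2000, 7, 30), "tty03", "alice", "/usr/payroll", "PERFORM Command DELETE"),
    Violation("2", date(2000, 8, 5), "tty07", "bob", "/usr/payroll", "Command Executed CLEAR.FILE"),
    Violation("3", date(2000, 8, 9), "tty07", "bob", "/usr/accts", "PERFORM Command DELETE"),
    Violation("4", date(2000, 8, 14), "tty11", "carol", "/usr/accts", "Command Executed ED"),
    Violation("5", date(2000, 8, 20), "tty07", "bob", "/usr/payroll", "PERFORM Command CLEAR.FILE"),
]


def violation_origin(item):
    """Classify a Violation Item message the way the report describes it."""
    if item.startswith("PERFORM Command"):
        return "database prompt"
    if item.startswith("Command Executed"):
        return "paragraph, sentence or program"
    return "unknown"


def build_criteria(keys=None, begin=None, end=None, ports=None, user_ids=None, accounts=None):
    """Turn the six purge prompts into (field, operator, value) clauses.
    A prompt left empty adds no clause. Dates are treated as inclusive
    bounds here (GE/LE); the guide presents EQ, LT and GT as the forms."""
    clauses = []
    if keys:
        clauses.append(("KEY", "EQ", set(keys)))
    if begin:
        clauses.append(("DATE", "GE", begin))
    if end:
        clauses.append(("DATE", "LE", end))
    if ports:
        clauses.append(("PORT", "EQ", set(ports)))
    if user_ids:
        clauses.append(("USER.ID", "EQ", set(user_ids)))
    if accounts:
        clauses.append(("ACCOUNT", "EQ", set(accounts)))
    return clauses


_FIELD = {"KEY": "key", "DATE": "logged", "PORT": "port",
          "USER.ID": "user_id", "ACCOUNT": "account"}


def matches(record, clauses):
    """A record is selected only when every clause holds (clauses AND together)."""
    for field, op, value in clauses:
        actual = getattr(record, _FIELD[field])
        if op == "EQ" and actual not in value:
            return False
        if op == "GE" and actual < value:
            return False
        if op == "LE" and actual > value:
            return False
    return True


def query_sentence(clauses):
    """Render the clauses as the SELECT sentence the purge program builds."""
    parts = []
    for field, op, value in clauses:
        if isinstance(value, set):
            rendered = " ".join('"%s"' % v for v in sorted(value))
        else:
            rendered = '"%s"' % value.strftime("%m/%d/%y")   # the guide's MM/DD/YY form
        parts.append("WITH %s %s %s" % (field, op, rendered))
    return "SELECT %s %s" % (VIOLATIONS_FILE, " AND ".join(parts))


def purge(log, clauses):
    """Return (kept, purged); an empty criteria list purges nothing, which is
    the safe default for an interactive purge."""
    if not clauses:
        return list(log), []
    purged = [r for r in log if matches(r, clauses)]
    kept = [r for r in log if not matches(r, clauses)]
    return kept, purged
```

Printing query_sentence before purging is the check a practitioner wants here: the sentence shows exactly which records the prompts will select, and an empty criteria list is refused rather than treated as "everything".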
4.3 PASSWORD CREATION

This program provides a convenient utility to assist you in creating new passwords for a number of users. You may select the users to be changed based upon IDs, department, project, group, and user name. Through this utility you may change all passwords on a regular basis if needed. To invoke this program enter 4, Utilities Menu, from the SENTRY Main Menu; then select 3, Password Creation.

Password Generation
1. 2. 3. 4. 5. 6.

MM/DD/YY. SENTRY will select all users whose password update date is earlier than this date. If there is no date in this field, the record will not be selected.

4. Department - If you have entered data into the "department" field of the SENTRY.USERS file, you may use this field in your selection criteria for generating new passwords. Enter the department names separated by spaces. There is no validation on this field. Please check your entries against the SENTRY Users Report to ensure that your selection criteria are spelled correctly.

5. Groups - You may select users by their group membership for password change.
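The selection step of Password Creation, as an added Python example that is not part of the guide or of SENTRY: it applies the date, department and group criteria to constructed SENTRY.USERS-style records (the field names are this example's own) and reproduces the two behaviours the text states, that a record with no password update date is never selected by the date criterion, and that department names are not validated, so a misspelled or differently cased name silently matches nothing. The unmatched_departments function is the check the guide asks you to do by hand against the Users Report.

```python
from datetime import date

# Constructed SENTRY.USERS-style records; field names are this example's own.
USERS = [
    {"user_id": "alice", "department": "PAYROLL", "groups": ["users", "payroll"],
     "password_updated": date(2000, 3, 1)},
    {"user_id": "bob", "department": "ACCOUNTING", "groups": ["users", "audit"],
     "password_updated": date(2000, 7, 20)},
    {"user_id": "carol", "department": "PAYROLL", "groups": ["payroll"],
     "password_updated": None},                 # no update date recorded
    {"user_id": "dave", "department": "Payroll", "groups": ["users"],
     "password_updated": date(2000, 1, 15)},    # department spelled differently
]


def parse_name_list(text):
    """The prompts take names separated by spaces; nothing is validated."""
    return [t for t in text.split() if t]


def select_users(users, user_ids="", departments="", groups="", updated_before=None):
    """Return the user IDs matching every criterion given. A record with no
    password update date is never selected by the date criterion."""
    ids = set(parse_name_list(user_ids))
    depts = set(parse_name_list(departments))
    grps = set(parse_name_list(groups))
    selected = []
    for u in users:
        if ids and u["user_id"] not in ids:
            continue
        if depts and u["department"] not in depts:
            continue
        if grps and not grps.intersection(u["groups"]):
            continue
        if updated_before is not None:
            if u["password_updated"] is None or u["password_updated"] >= updated_before:
                continue
        selected.append(u["user_id"])
    return selected


def unmatched_departments(users, departments):
    """Department names that match no record: the spelling check the guide
    asks you to do by hand against the SENTRY Users Report."""
    present = {u["department"] for u in users}
    return [d for d in parse_name_list(departments) if d not in present]
```

Note what the date rule means operationally: users whose records never had an update date written are exactly the ones a date-driven rotation skips, so a periodic "change everyone older than" run should be paired with a listing of records whose date is empty.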
4.4 REBUILD CROSS REFERENCE FILES

SENTRY maintains a number of traditional inverted lists which are used for cross referencing. When you use the "@" function you are accessing one of these lists. Should you encounter a list where an item appears as "NOT FOUND" or an item doesn't appear which should, you should rebuild these lists through this program. The "NOT FOUND" message indicates that a reference to an item exists but the item itself is missing.
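The following added Python example, not part of the guide or of SENTRY, illustrates both the file-name cross reference described under "Punct for File Indexing" in 3.1 and the two failure modes this section names. A dictionary stands in for SENTRY's B-tree (the lookup behaviour is what matters here); the pathnames are constructed, and case-insensitive matching is an assumption of the example. check_index reports references whose item has gone (the "NOT FOUND" case) and items that exist but were never indexed, and rebuild_index is the remedy this program applies.

```python
import os

# Constructed list of pathnames standing in for a file system scan; not from
# any real system.
PATHNAMES = [
    "/usr/payroll",
    "/usr/payroll/PAYROLL.MASTER",
    "/usr/payroll/payroll.history",
    "/usr/accts/ledger",
    "/home/alice/payroll.notes",
]


def build_index(pathnames):
    """Inverted list: file or directory name -> sorted pathnames carrying it.
    A dict stands in for SENTRY's B-tree; the lookup behaviour is the same."""
    index = {}
    for path in pathnames:
        name = os.path.basename(path.rstrip("/"))
        index.setdefault(name, []).append(path)
    for paths in index.values():
        paths.sort()
    return index


def lookup(index, fragment):
    """All pathnames whose name contains the fragment, as the File System screen
    does for "payroll". Matching is case-insensitive here (an assumption)."""
    fragment = fragment.lower()
    hits = []
    for name, paths in index.items():
        if fragment in name.lower():
            hits.extend(paths)
    return sorted(hits)


def check_index(index, pathnames):
    """Compare the inverted list with the current file system.
    'dangling' are index entries whose item no longer exists (shown as
    NOT FOUND); 'missing' are items present on disk but not indexed."""
    existing = set(pathnames)
    indexed = {p for paths in index.values() for p in paths}
    return {"dangling": sorted(indexed - existing),
            "missing": sorted(existing - indexed)}


def rebuild_index(pathnames):
    """Rebuild from scratch, which is what the Rebuild Cross Reference Files
    program does for SENTRY's lists."""
    return build_index(pathnames)
```

Running check_index on a schedule, rather than waiting for a "NOT FOUND" to appear on a screen, is the practical use: a stale cross reference means the protection screens can be showing items that no longer exist while omitting ones that do.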
4.5 UPDATE PROTECTED COMMANDS

UPDATE.VOC                      Command Update                      09/18/00

Account Name : _____________________________________________________

Enter the pathname to an account or 'ALL' for all accounts.

Figure 46 - This is an example of the screen used to re-load the VOC protection for one or more accounts.

SENTRY command protection uses the database file SENTRY.COMMANDS to store data about protected commands.
APPENDIX 1    SENTRY INTERNAL SUBROUTINES

NOTICE
The subroutines documented in this appendix are provided as a convenience to the user on a "USE AT YOUR OWN RISK" basis. If you wish to use these programs and need assistance we are willing to help. However, because we cannot prevent misuse or "accidents" which might cause data corruption we must remind you that you are fully responsible! Be careful . . . . practice safe computing.

This is the result of the encryption. If the data string is already encrypted and the encryption key is the same as was used to encrypt the data, the result will be the decrypted data.

ENCRYPTION.KEY (Input)
This is a character string between 10 and 100 characters long that is to be used as the seed for the encryption routine. Do not use a variable key. Use only a constant, hard coded in your program.

    WRITE CRYPT.DATA ON FILE.VAR, REC.KEY

DISPLAY.DECRYPTED
    SENTRY.ENCRYPT = "*SENTRY.ENCRYPT"
    READ THE.RECORD FROM FILE.VAR, REC.KEY ELSE ...
    THE.KEY = "Fudge Tastes Good!"
    CALL @SENTRY.ENCRYPT(THE.RECORD, OUT.DATA, THE.KEY)
    PRINT OUT.DATA

It is critical that the encryption key be a constant. Without the key, decryption of encrypted data is not possible.
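The property the text relies on, that calling the routine a second time with the same key returns the plaintext, is shown below in an added Python example. This is not SENTRY.ENCRYPT and does not reproduce its internal method: the example derives a keystream from the key with SHA-256 in counter mode (an assumption of the example) and XORs it with the data, which gives the same symmetric behaviour and the same 10-to-100 character key check the guide specifies. Two caveats a practitioner should keep in view: a key hard coded in a program can be read by anyone able to read the program, so this kind of routine protects stored records from casual inspection rather than from someone with access to the source; and a fixed key reuses the same keystream for every record, which is why current practice is an authenticated cipher with a fresh nonce per record.

```python
import hashlib

MIN_KEY_LEN, MAX_KEY_LEN = 10, 100   # the key length range the guide specifies


def check_key(key):
    """Reject keys outside the 10..100 character range the subroutine expects."""
    if not isinstance(key, str) or not MIN_KEY_LEN <= len(key) <= MAX_KEY_LEN:
        raise ValueError("encryption key must be a string of %d to %d characters"
                         % (MIN_KEY_LEN, MAX_KEY_LEN))


def _keystream(key, length):
    """Derive a deterministic byte stream from the key (SHA-256 in counter mode).
    This is an assumption of the example, not SENTRY's internal method."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.encode("utf-8") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sentry_style_crypt(data, key):
    """Symmetric transform with the property the guide describes: running it on
    already-encrypted data with the same key returns the original data."""
    check_key(key)
    stream = _keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_record(text, key):
    """Encrypt a record and hex-encode it so it can be stored in a text field."""
    return sentry_style_crypt(text.encode("utf-8"), key).hex()


def decrypt_record(stored, key):
    """Decode and decrypt; with a wrong key the bytes will not decode cleanly."""
    return sentry_style_crypt(bytes.fromhex(stored), key).decode("utf-8", errors="replace")


def roundtrip_ok(text, key):
    """True when a record survives encrypt -> store -> decrypt under one key."""
    return decrypt_record(encrypt_record(text, key), key) == text
```

The hex wrapper is there because an XOR result contains arbitrary bytes, including the attribute and value marks a multivalue database uses as delimiters; storing the raw bytes in a record would corrupt its structure.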
    ERROR.TEXT = ""
    CALL @SENTRY.USER.ITEM.CONTROL(USER.ITEM, ITEM.FOUND, ACCESS.RIGHTS, ERROR.TEXT)

Parameters:

USER.ITEM (Input) This is the name of the item that was defined with the SENTRY User Item Maintenance screen.

ITEM.FOUND (Output) The item requested is searched for in two steps. STEP 1: The SENTRY.USER.ITEMS file is searched in the current account for the item. If the local SENTRY.USER.

If an error was encountered by the subroutine, an error message will be returned. If no error occurred, ERROR.TEXT will be null.

Subroutine: SENTRY.VIOLATION.STAMP

SENTRY.VIOLATION.STAMP is used to log access violations of user items.

Sample:
    SENTRY.VIOLATION.STAMP = "*SENTRY.VIOLATION.STAMP"
    CALL @SENTRY.VIOLATION.STAMP(USER.ITEM, COMMENT)

Parameters:

USER.ITEM (Input) The user-defined item for which the violation occurred. This reference was created through the SENTRY User Item Maintenance screen.

COMMENT (Input) Free format text description of the violation.
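The two subroutines are meant to be used together: check the caller's rights to a user item first, and stamp a violation when the check fails. The following added Python example, not part of the guide or of SENTRY, models that pattern. The per-account table stands in for the local SENTRY.USER.ITEMS file (step 1); the system-wide table for step 2 is an assumption, since the guide's description of step 2 is cut off in this copy; the rights letters R and X are this example's convention, not SENTRY's encoding; and the output tuple mirrors the subroutine's ITEM.FOUND, ACCESS.RIGHTS and ERROR.TEXT, with ERROR.TEXT empty when no error occurred.

```python
from datetime import datetime

# Constructed stand-ins for SENTRY.USER.ITEMS: one table per account (step 1 of
# the search) and a system-wide table assumed for step 2, whose description is
# cut off in this copy of the guide. Rights letters (R read, X execute) are
# this example's convention; SENTRY's own rights encoding is not shown here.
LOCAL_USER_ITEMS = {
    "/usr/payroll": {"PRINT.CHECKS": {"payroll": "RX", "alice": "R"}},
}
GLOBAL_USER_ITEMS = {
    "YEAR.END.CLOSE": {"audit": "X"},
}

VIOLATION_LOG = []   # what the violation stamp appends to


def user_item_control(user_item, account, user_id, user_groups):
    """Return (item_found, access_rights, error_text), mirroring the subroutine's
    output parameters: error_text is null ("") when no error occurred."""
    try:
        entry = LOCAL_USER_ITEMS.get(account, {}).get(user_item)   # step 1: current account
        if entry is None:
            entry = GLOBAL_USER_ITEMS.get(user_item)               # step 2: system-wide (assumed)
        if entry is None:
            return False, "", ""
        rights = set(entry.get(user_id, ""))
        for group in user_groups:
            rights.update(entry.get(group, ""))
        return True, "".join(sorted(rights)), ""
    except Exception as exc:     # any failure is reported, never silently ignored
        return False, "", "user_item_control: %s" % exc


def violation_stamp(user_item, comment, user_id, account, port, when=None):
    """Log an access violation of a user item with a free-format comment."""
    record = {
        "item": user_item, "comment": comment, "user_id": user_id,
        "account": account, "port": port,
        "when": (when or datetime.now()).strftime("%H:%M:%S %m-%d-%y"),
    }
    VIOLATION_LOG.append(record)
    return record


def guarded_run(user_item, account, user_id, user_groups, needed, action, port="tty00"):
    """The calling pattern the two subroutines support: check rights first,
    run the action only if allowed, otherwise stamp a violation and refuse."""
    found, rights, error = user_item_control(user_item, account, user_id, user_groups)
    if error:
        raise RuntimeError(error)
    if not found or needed not in rights:
        violation_stamp(user_item, "%s attempted %s without %s right" % (user_id, user_item, needed),
                        user_id, account, port)
        return None
    return action()
```

Two details matter for a program that calls these routines: a non-null ERROR.TEXT must stop the program rather than be treated as "not found", and an item that is not found must be treated as denied, which is what guarded_run does in both cases.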
APPENDIX 2    SENTRY KEY BINDINGS

A record called "KEY.BINDINGS" in the SENTRY.CONTROL file is used to control the keystrokes used to activate special functions within the SENTRY data entry screens. For example, the "normal" way to exit from a data entry screen is by entering the character followed by . This may create a conflict for sites using certain communications packages. By modifying the KEY.

environment and reenter SENTRY in order for the changes to take effect, because these variables are read into named COMMON. NOTE: DO NOT enter the quote marks.