Purpose
Adds objects to an Oracle ACFS security realm.
Syntax and Description
```
acfsutil sec realm add -h

acfsutil sec realm add realm -m mount_point
    {[-u user, ...] [-G os_group, ...]
     [-l commandrule:ruleset, commandrule:ruleset, ...]
     [-e [-a {AES}] [-k {128|192|256}]]
     [-f [-r] path ...]}
```
acfsutil sec realm add -h displays help text and exits.
Table 16-59 contains the options available with the acfsutil sec realm add command.
Table 16-59 Options for the acfsutil sec realm add command

| Option | Description |
|---|---|
| realm | Specifies the name of the realm to which objects are added. |
| -m mount_point | Specifies the directory where the file system is mounted. |
| -u user, ... | Specifies the user names to add. |
| -G os_group, ... | Specifies the operating system groups to add. |
| -l commandrule:ruleset, ... | Specifies the filters to add, each in the form commandrule:ruleset as shown in the syntax. For a list of command rules, refer to Table 16-60. |
| -e | Enables encryption on the realm. Turning encryption on for the realm causes all files contained in the realm to be encrypted. These files remain encrypted until they are no longer part of an encrypted realm. Files that are already encrypted are not re-encrypted to match newly specified encryption parameters. |
| -a {AES} | Specifies the encryption algorithm for the realm. AES is the only value the syntax accepts. |
| -k key_length | Specifies the encryption key length in bits: 128, 192, or 256. |
| -f [-r] path ... | Adds the files specified by path. If a specified file is not realm secured, the file is encrypted or decrypted to match the encryption status of the realm. |
The acfsutil sec realm add command adds objects to the specified realm. The objects to be added include users, groups, command rules, rule sets, and files. If the command encounters an error when adding an object, a message is displayed and the command continues processing the remaining objects.
Multiple entries can be added in a comma-delimited list when adding users, operating system groups, or command rules. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.
If the -e option is specified, then encryption must already have been initialized for the cluster and set on the file system. For more information, refer to "acfsutil encr init" and "acfsutil encr set".
If the entire mount point, which includes the .Security directory, is added to the realm, then the security administrator operating system group should also be added to the realm; otherwise security logging and backup operations on the .Security directory are blocked by the realm's rules.
The supported command rules are listed in Table 16-60. These command rules restrict or protect against file system operations on realm-secured files and directories.
| Rule | Description |
|---|---|
|  | Protects against all file system operations on files and directories. |
|  | Restricts against additions to the end of a file. Restrictions include writes that start within the current file size but proceed beyond the end of the file. |
|  | Protects from changing the group ownership of a file or directory. |
|  | Protects from changing the permissions on a file or directory. |
|  | Protects from changing the owner of a file or directory. |
|  | Protects from creation of a new file in a directory. |
|  | Protects from deletion of a file from a directory. |
|  | Restricts extending the size of a file. The file size may still be modifiable with other operations. |
|  | Denies any changes to the files and directories in the realm except changes to extended attributes resulting from commands such as Includes the following protection for a file or directory: Can be set to archive the files and directories in a security realm. |
|  | Restricts the creation of hard links to files. |
|  | Protects from the creation of a new directory in a directory. |
|  | Protects a file from being memory mapped for a read operation using |
|  | Protects a file from being memory mapped for a write operation. Setting |
|  | Protects from the opening of a file. |
|  | Prevents existing content in a file from being overwritten with a If the operations on a file are |
|  | Restricts directory listing, except for use by the security administrator group. |
|  | Protects from reading the contents of a file. |
|  | Protects against renaming a file or directory. |
|  | Protects against removing a directory. |
|  | Restricts the creation of symbolic links in the directories protected by a security realm. When creating symbolic links, it does not matter whether the source file is protected by a security realm. |
|  | Restricts the truncation of a file. |
|  | Protects a file against the A file may still be modifiable with other file operations. To protect the file from other modifications, also use the |
Only a security administrator can run this command.
Examples
Example 16-52 shows the use of the acfsutil sec realm add command. The first acfsutil sec command adds a user group to a security realm. The second and third commands add the LocalSystem or SYSTEM group to the SYSTEM_Antivirus realm in a Windows environment.
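The following shell script is an added example and is not Example 16-52 or any other code from the Oracle documentation. It assembles acfsutil sec realm add command lines from the syntax above, applies the checks this page calls for (no spaces in comma-delimited lists, a key length of 128, 192 or 256 with -e, and a warning when the whole mount point is added so that the security administrator group is not forgotten), and runs them through acfsutil only if that binary is on PATH, otherwise it prints the command line as a dry run. The realm name hr_realm, the mount point /acfsmounts/acfs1, the users, the group hr_admins, the ruleset hr_rs and the use of READFILE and ALL as command rule names are all assumptions for illustration, and -r is assumed to recurse into the directory given with -f (the option appears in the syntax but is not described on this page).

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation. Builds and runs
# "acfsutil sec realm add" command lines from the syntax on this page.
# Assumptions (illustrative only): realm "hr_realm", mount point
# "/acfsmounts/acfs1", the users and group, the ruleset "hr_rs", the
# command rule names READFILE/ALL, and "-r" meaning recurse under "-f".

# Strip whitespace from a comma-delimited list, so "alice, bob" becomes
# "alice,bob". The doc requires lists without spaces unless quoted.
normalize_list() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# Print the command line that adds users (-u), OS groups (-G) and
# commandrule:ruleset filters (-l) to REALM on MOUNT_POINT.
# Usage: realm_add_cmd REALM MOUNT_POINT USERS GROUPS FILTERS
# An empty USERS, GROUPS or FILTERS argument omits that option.
realm_add_cmd() {
    cmd="acfsutil sec realm add $1 -m $2"
    [ -n "$3" ] && cmd="$cmd -u $(normalize_list "$3")"
    [ -n "$4" ] && cmd="$cmd -G $(normalize_list "$4")"
    [ -n "$5" ] && cmd="$cmd -l $(normalize_list "$5")"
    printf '%s\n' "$cmd"
}

# Print the command line that turns on encryption for REALM with AES and
# a KEY_LEN-bit key. Only 128, 192 and 256 are accepted by the syntax.
# Caveat from the doc: "acfsutil encr init" (cluster) and
# "acfsutil encr set" (file system) must have been run beforehand.
realm_add_encr_cmd() {
    case "$3" in
        128|192|256) ;;
        *) echo "realm_add_encr_cmd: key length must be 128, 192 or 256" >&2
           return 1 ;;
    esac
    printf '%s\n' "acfsutil sec realm add $1 -m $2 -e -a AES -k $3"
}

# Print the command line that adds the directory tree PATH to REALM.
# Warn when PATH is the mount point itself: that pulls .Security into
# the realm, and the doc says the security administrator group must then
# be added too or security logging and backups stop working.
realm_add_files_cmd() {
    if [ "$3" = "$2" ]; then
        echo "warning: adding the whole mount point; add the security administrator group as well" >&2
    fi
    printf '%s\n' "acfsutil sec realm add $1 -m $2 -f -r $3"
}

# Execute a command line produced above. The string is split into words
# with "set --" (globbing disabled) instead of being passed to eval, so
# the shell never re-evaluates quotes or operators inside it.
run_cmd() {
    set -f
    # shellcheck disable=SC2086
    set -- $1
    set +f
    if command -v "$1" >/dev/null 2>&1; then
        "$@"
    else
        printf 'dry-run: %s\n' "$*"
    fi
}

# Realistic sequence; prints dry-run lines where acfsutil is absent.
main() {
    run_cmd "$(realm_add_cmd hr_realm /acfsmounts/acfs1 'alice, bob' hr_admins READFILE:hr_rs)"
    run_cmd "$(realm_add_encr_cmd hr_realm /acfsmounts/acfs1 256)"
    run_cmd "$(realm_add_files_cmd hr_realm /acfsmounts/acfs1 /acfsmounts/acfs1/hr)"
}

main "$@"
```

Because acfsutil continues past a failing object and only prints a message, run the generated lines one object class at a time and read the output; a typo in a user or group name is not reported by the script's exit status alone.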