acfsutil sec realm add

Purpose

Adds objects to an Oracle ACFS security realm.

Syntax and Description

acfsutil sec realm add -h
acfsutil sec realm add realm -m mount_point
     {[-u user,...] [-G os_group,...]
      [-l commandrule:ruleset,commandrule:ruleset,...]
      [-e [-a {AES}] [-k {128|192|256}]]
      [-f [-r] path ...]}

acfsutil sec realm add -h displays help text and exits.

Table 16-59 contains the options available with the acfsutil sec realm add command.


Table 16-59 Options for the acfsutil sec realm add command

Option Description

realm

Specifies the realm name to add.

-m mount_point

Specifies the directory where the file system is mounted.

-u user

Specifies user names to add.

-G os_group

Specifies the operating system groups to add.

-l commandrule:ruleset

Specifies the filters to add. The commandrule switch is used to add one or more command rules to the realm with a rule set.

ruleset specifies the rule set associated with the command rule for this realm. Only one rule set can be included with each command rule.

For a list of command rules, refer to Table 16-60. To display a list of the command rules, use acfsutil sec info with the -c option. Refer to "acfsutil sec info".

-e

Enables encryption on the realm. Turning encryption on for the realm causes all files contained in the realm to be encrypted. These files remain encrypted until they are no longer part of an encrypted realm.

Files that are encrypted are not re-encrypted to match the new specified encryption parameters.

-a {AES}

Specifies the encryption algorithm for the realm.

-k {128|192|256}

Specifies the encryption key length.

-f [-r] path ...

Adds files specified by path to the realm. -r specifies a recursive operation. File paths must be separated by spaces and must be placed at the end of the command.

If a specified file is not realm secured, the file is encrypted or decrypted to match the encryption status for the realm.


The acfsutil sec realm add command adds objects to the specified realm. The objects to be added include users, groups, command rules, rule sets, and files. If the command encounters an error when adding an object, a message is displayed and the command continues processing the remaining objects.

Multiple entries can be added in a comma-delimited list when adding users, operating system groups, or command rules. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.

If the -e option is specified, then encryption must have been initialized for the cluster and set on the file system. For more information, refer to "acfsutil encr init" and "acfsutil encr set".

If the entire mount point, which includes the .Security directory, is added to the realm, then the security administrator operating system group should also be added to the realm so that security logging and backup operations continue to work.

The supported command rules are listed in Table 16-60. These command rules restrict or protect against file system operations on realm-secured files and directories.


Table 16-60 Command Rules

Rule Description

ALL

Protects against all file system operations on files and directories.

APPENDFILE

Restricts additions to the end of a file. Restrictions include writes that start within the current file size but proceed beyond the end of the file.

CHGRP

Protects from changing the group ownership on a file or directory.

CHMOD

Protects from changing the permissions on a file or directory.

CHOWN

Protects from changing the owner information of a file or directory.

CREATEFILE

Protects against the creation of a new file in a directory.

DELETEFILE

Protects from deletion of a file from a directory.

EXTEND

Restricts the extension operation of a file size. A file size may still be modifiable with other operations. EXTEND does not protect against a truncate followed by an append operation.

IMMUTABLE

Denies any changes to the files and directories in the realm except changes to extended attributes resulting from commands such as acfsutil tag and acfsutil encr.

Includes the following protection for a file or directory: APPENDFILE, CHGRP, CHMOD, CHOWN, DELETEFILE, EXTEND, OVERWRITE, RENAME, RMDIR, TRUNCATE, and WRITE.

IMMUTABLE does not deny any changes to the atime attribute. The atime attribute changes when a user accesses the file.

Can be set to archive the files and directories in a security realm.

LINKFILE

Restricts the creation of hard links to files.

MKDIR

Protects against the creation of a new directory in a directory.

MMAPREAD

Protects a file from being memory mapped for a read operation using mmap() on Linux or using CreateFileMapping followed by MapViewOfFile() on Windows.

MMAPWRITE

Protects a file from being memory mapped for a write operation. Setting MMAPWRITE also protects a file from mapping for read as the operating system maps a file for both read and write.

OPENFILE

Protects from the opening of a file.

OVERWRITE

Prevents existing content in a file from being overwritten with a write operation whose start and end offsets are within the current file size.

If the operations on a file are truncate followed by append, OVERWRITE does not protect the file. To provide additional protection from both append and overwrite operations, use the WRITE command rule.

READDIR

Restricts directory listing, except for use by the security administrator group.

READ

Protects from reading the contents of a file. READ also protects against read operations using mmap(2).

RENAME

Protects against renaming a file or directory.

RMDIR

Protects against removing a directory.

SYMLINK

Restricts the creation of symbolic links in the directories protected by a security realm. When creating symbolic links, it does not matter whether the source file is protected by a security realm.

TRUNCATE

Restricts the truncation of a file.

WRITE

Protects a file against the write system call. WRITE also protects against append and overwrite operations, plus write operations using mmap(2).

A file may still be modifiable with other file operations. To protect the file from other modifications, also use the TRUNCATE and DELETEFILE command rules.
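The filter list passed with -l has a strict shape (comma-delimited, no spaces, exactly one rule set per command rule), and several rules in Table 16-60 leave a modification path open unless paired with another rule. The following added example (not Oracle's code, and not part of acfsutil) validates a -l value against those constraints and reports the gaps the table calls out; rule-set names such as rs_protect are placeholders, real ones come from your own rule-set definitions.

```python
# Added example (not Oracle's code): validate the -l commandrule:ruleset list for
# acfsutil sec realm add and flag the bypasses the command-rule table describes.
COMMAND_RULES = {
    "ALL", "APPENDFILE", "CHGRP", "CHMOD", "CHOWN", "CREATEFILE", "DELETEFILE",
    "EXTEND", "IMMUTABLE", "LINKFILE", "MKDIR", "MMAPREAD", "MMAPWRITE", "OPENFILE",
    "OVERWRITE", "READDIR", "READ", "RENAME", "RMDIR", "SYMLINK", "TRUNCATE", "WRITE",
}
# Protections that IMMUTABLE bundles, per Table 16-60.
IMMUTABLE_IMPLIES = {"APPENDFILE", "CHGRP", "CHMOD", "CHOWN", "DELETEFILE", "EXTEND",
                     "OVERWRITE", "RENAME", "RMDIR", "TRUNCATE", "WRITE"}

def parse_filter_list(spec):
    """Parse 'rule:ruleset,rule:ruleset' into (rule, ruleset) pairs; reject spaces,
    unknown rules, duplicates and more than one rule set per command rule."""
    if " " in spec:
        raise ValueError("no spaces in the comma-delimited list (quote it otherwise)")
    pairs, seen = [], set()
    for item in spec.split(","):
        parts = item.split(":")
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"expected commandrule:ruleset, got {item!r}")
        rule, ruleset = parts
        if rule not in COMMAND_RULES:
            raise ValueError(f"unknown command rule {rule!r}")
        if rule in seen:
            raise ValueError(f"command rule {rule!r} listed twice")
        seen.add(rule)
        pairs.append((rule, ruleset))
    return pairs

def effective_rules(pairs):
    """Rules actually enforced once ALL and IMMUTABLE are expanded."""
    rules = {rule for rule, _ in pairs}
    if "ALL" in rules:
        return set(COMMAND_RULES)
    if "IMMUTABLE" in rules:
        rules |= IMMUTABLE_IMPLIES
    return rules

def coverage_gaps(pairs):
    """Warn about the modification paths the table says each rule leaves open."""
    rules, gaps = effective_rules(pairs), []
    if "OVERWRITE" in rules and "WRITE" not in rules:
        gaps.append("OVERWRITE: truncate-then-append still succeeds; add WRITE")
    if "EXTEND" in rules and "TRUNCATE" not in rules:
        gaps.append("EXTEND: truncate-then-append still succeeds; add TRUNCATE")
    if "WRITE" in rules and not {"TRUNCATE", "DELETEFILE"} <= rules:
        gaps.append("WRITE: file can still be truncated or deleted; add TRUNCATE and DELETEFILE")
    return gaps
```

Run coverage_gaps(parse_filter_list("WRITE:rs_protect")) before issuing the command to see which companion rules the realm still needs.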


Only a security administrator can run this command.

Examples

Example 16-52 shows the use of the acfsutil sec realm add command. The first acfsutil sec command adds a user group to a security realm. The second and third commands add the LocalSystem or SYSTEM group to the SYSTEM_Antivirus realm in a Windows environment.

Example 16-52 Using the acfsutil sec realm add command

$ /sbin/acfsutil sec realm add my_security_realm -m /acfsmounts/acfs1 
     -G my_os_group

C:\> acfsutil sec realm add SYSTEM_Antivirus /m e: /G "NT AUTHORITY\\SYSTEM"

C:\> acfsutil sec realm add SYSTEM_Antivirus /m e: /G "SYSTEM"