acfsutil sec realm add

Purpose

Adds objects to an Oracle ACFS security realm.

Syntax and Description

acfsutil sec realm add -h
acfsutil sec realm add realm -m mount_point 
     {[-u user, ...] [-G os_group,...]
     [-l commandrule:ruleset,commandrule:ruleset, ...]
     [-e [-a {AES}] [-k {128|192|256}]]
   [-f [ -r] path ...]}

acfsutil sec realm add -h displays help text and exits.

Table 16-59 contains the options available with the acfsutil sec realm add command.

Table 16-59 Options for the acfsutil sec realm add command

Option	Description
`realm`	Specifies the realm name to add.
`-m` `mount_point`	Specifies the directory where the file system is mounted.
`-u` `user`	Specifies user names to add.
`-G` `os_group`	Specifies the operating system groups to add.
`-l` `commandrule`:`ruleset`	Specifies the filters to add. The `commandrule` switch is used to add one or more command rules to the realm with a rule set. `ruleset` specifies the rule set associated with the command rule for this realm. Only one rule set can be included with each command rule. For a list of command rules, refer to Table 16-60. To display a list of the command rules, use `acfsutil` `sec` `info` with the `-c` option. Refer to "acfsutil sec info".
`-e`	Enables encryption on the realm. Turning encryption on for the realm causes all files contained in the realm to be encrypted. These files remain encrypted until they are no longer part of an encrypted realm. Files that are encrypted are not re-encrypted to match the new specified encryption parameters.
`-a` {`AES`}	Specifies the encryption algorithm for the realm.
`-k` { `128`\|`192`\|`256`}	Specifies the encryption key length.
`-f` [`-r`] `path` `...`	Adds files specified by `path` to the realm. `-r` specifies a recursive operation. File paths must be separated by spaces and must be placed at the end of the command. If a specified file is not realm secured, the file is encrypted or decrypted to match the encryption status for the realm.

The acfsutil sec realm add command adds objects to the specified realm. The objects to be added include users, groups, command rules, rule sets, and files. If the command encounters an error when adding an object, a message is displayed and the command continues processing the remaining objects.

Multiple entries can be added in a comma-delimited list when adding users, operating system groups, or command rules. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.

If the -e option is specified, then encryption must have been initialized for the cluster and set on the file system. For more information, refer to "acfsutil encr init" and "acfsutil encr set".

If the entire mount point, which includes the .Security directory, is added to the realm then the security administrator operating system group should be added to the realm to maintain security logging and backing up operations.

The supported command rules are listed in Table 16-60. These command rules restrict or protect against file system operations on realm-secured files and directories.

Table 16-60 Command Rules

Rule	Description
`ALL`	Protects against all file system operations on files and directories.
`APPENDFILE`	Restricts against additions to the end of a file. Restrictions include writes that start within the current file size, but proceed beyond the end of the file.
`CHGRP`	Protects from changing the group ownership on a file or directory.
`CHMOD`	Protects from changing the permissions on a file or directory.
`CHOWN`	Protects from changing the owner information of a file or directory.
`CREATEFILE`	Protects from creation of new file in a directory.
`DELETEFILE`	Protects from deletion of a file from a directory.
`EXTEND`	Restricts the extension operation of a file size. A file size may still be modifiable with other operations. `EXTEND` does not protect against a `truncate` followed by an `append` operation.
`IMMUTABLE`	Denies any changes to the files and directories in the realm except changes to extended attributes resulting from commands such as `acfsutil` `tag` and `acfsutil` `encr`. Includes the following protection for a file or directory: `APPENDFILE`, `CHGRP`, `CHMOD`, `CHOWN`, `DELETEFILE`, `EXTEND`, `OVERWRITE`, `RENAME`, `RMDIR`, `TRUNCATE`, and `WRITE`. `IMMUTABLE` does not deny any changes to the `atime` attribute. The `atime` attribute changes when a user accesses the file. Can be set to archive the files and directories in a security realm.
`LINKFILE`	Restricts the creation of hard links to files.
`MKDIR`	Protects from the creation of new directory in a directory.
`MMAPREAD`	Protects a file from being memory mapped for a read operation using `mmap()` on Linux or using `CreateFileMapping` followed by `MapViewOfFile()` on Windows.
`MMAPWRITE`	Protects a file from being memory mapped for a write operation. Setting `MMAPWRITE` also protects a file from mapping for read as the operating system maps a file for both read and write.
`OPENFILE`	Protects from the opening of a file.
`OVERWRITE`	Prevents existing content in a file from being overwritten with a `write` operation whose start and end offsets are within the current file size. If the operations on a file are `truncate` followed by `append`, `OVERWRITE` does not protect the file. To provide additional protection from both `append` and `overwrite` operations, use the `WRITE` command rule.
`READDIR`	Restricts for a directory listing, except for use by the security administrator group.
`READ`	Protects from reading the contents of a file. `READ` also protects against `read` operations using `mmap(2)`.
`RENAME`	Protects against renaming a file or directory.
`RMDIR`	Protects against removing a directory.
`SYMLINK`	Restricts the creation of symbolic links in the directories protected by a security realm. When creating symbolic links, it does not matter whether the source file is protected by a security realm.
`TRUNCATE`	Restricts the truncation of a file.
`WRITE`	Protects a file against the `write` system call. `WRITE` also protects against `append` and `overwrite` operations, plus `write` operations using `mmap(2)`. A file may still be modifiable with other file operations. To protect the file from other modifications, also use the `TRUNCATE` and `DELETEFILE` command rules.

Only a security administrator can run this command.

Examples

Example 16-52 shows the use of the acfsutil sec realm add command. The first acfsutil sec command adds a user group to a security realm. The second and third commands add the LocalSystem or SYSTEM group to the SYSTEM_Antivirus realm in a Windows environment.

Example 16-52 Using the acfsutil sec realm add command

$ /sbin/acfsutil sec realm add my_security_realm -m /acfsmounts/acfs1 
     -G my_os_group

C:\> acfsutil sec realm add SYSTEM_Antivirus /m e: /G "NT AUTHORITY\\SYSTEM"

C:\> acfsutil sec realm add SYSTEM_Antivirus /m e: /G "SYSTEM"