|SENTRY for UNIX|
|Summary||Features||Performance||Maintenance||Reports||Utilities||Ask ??||User's Guide|
SENTRY is a security management utility for the UNIX-based uniVerse, PI/open, and UniData database management systems. With a design emphasis on "management", SENTRY provides a user-friendly interface to UNIX security which makes administration simple. SENTRY provides extensive reporting and data entry screens for creating and changing users, groups, files and permissions (ACLs, too). SENTRY then extends the logic of using permissions, group membership and ownership to protect database commands, allowing the system administrator to control the use of verbs, menus, paragraphs, sentences, programs and PROCs. User-defined constructs (we call them "User Items") can be used to protect data fields and files from being accessed by the query language when something more than an "all or nothing" approach is needed. Attempts to use prohibited database commands and objects are recorded in a protected violations log.
UniVerse, PI/Open and UniData are noted for flexibility, ease of use, and powerful database management capabilities. However, very little protection against accidental or deliberate "snooping", data manipulation and misuse of commands is provided. What little security is available comes from UNIX and offers none of the user-friendliness, flexibility or power we would like to have.
When applications are not adequately protected by permissions, you need more than UNIX permissions to protect the sensitive data. SENTRY allows you to restrict access to dangerous verbs such as ED, DELETE, CLEAR.FILE, and DELETE.FILE without removing these items from the VOC. If you strip these items from the VOC, they wonít be there when YOU need them plus your software application may need to execute one of these commands. If you remove them, your application may not work.
UNIX security assumes that a file has permissions for an owner, a group and "other" (i.e. everyone else). UNIX allows users and groups to be deleted from the system even though they "own" files. Because only the UID and GID are preserved in the I-NODE of each file, the relationship between files, owners and groups can easily become inconsistent. There is no database reporting capability provided through UNIX for users, groups and permissions. UNIX utilities can be cleverly used to print sorted lists from the group and password files but these are not the sort of easy-to-use, easy-to-read reports we expect and receive from our database query language.
SENTRY provides the reporting capabilities you expect from a good database system. Our standard reports bring together users, groups, permissions and other descriptive elements for an integrated view of your system. Additionally, the standard query language may be used to provide ad hoc queries and custom reports which may save you numerous hours during an MIS/security audit.
The uniVerse, PI/Open and UniData COMMANDS are provided on an "all or none" basis. If the verb ED is present in the VOC file of an account, anyone who can access the account can use the editor. If the verb is removed from the VOC, no one can use it. Certain verbs, such as ED, are needed for maintenance tasks. This "all or none" situation leads to an unmanageable system with the administrator continually creating and deleting sensitive verbs (or renaming them and trying to remember the names!).
SENTRY protects selected verbs (you choose which ones) so that you can allow or deny access via permissions either given or withheld from users and groups. Only users and groups who are authorized may use the verb. SENTRY will allow use of restricted verbs from within your application software, if you desire, while still prohibiting use from the database prompt (TCL). When restricted users attempt to use the verb, their attempt is logged in SENTRY for audit by the system administrator. This protection may be applied to any sentence, verb, paragraph, menu, PROC or program defined in the VOC file of any account on your system.
The three main components of SENTRY are the password and group files interface, the permissions interface and the command protection.
Database Creation and Validation
offers a program which uploads the information in the UNIX password and
group files into SENTRY's database.
Another program transverses the disks, reading the permissions, owner
and group for each file and directory and loads cross reference information
into SENTRY's database.
is the menu for all data entry programs.
You may create, delete, and modify users, groups and file
permissions. SENTRY supports
Access Control Lists, too. You may also
protect commands, peruse files and directories and modify SENTRY
system parameters. These are
programs to maintain the system profile, user profiles, groups, the file
system, SENTRY's Command Protection and SENTRY's
User Defined Item Protection.
includes a variety which describe all aspects of the SENTRY
database from the perspectives of system, users, groups, permissions, access
violations and SENTRY protected database commands.
Utilities is a collection of programs which perform such tasks as duplicating Command Protection in one account similar to that in another account, purging the Violations Log, and rebuilding the cross reference files. There is a tool which will generate new passwords for all or selected users. Yet another utility will update the VOC of a protected account with the command protection setup through SENTRY, insuring consistency.
SENTRY creates B-trees (which are ordered cross reference files) to index your file system, files, file owners and groups. Through the use of B-trees we are able to index your entire file system offering you a "file manager" style window to view your file structure, permissions, file owners and groups in a very efficient manner conserving not only CPU cycles but disk storage space as well.
SENTRY checks the consistency of the users, groups and permissions which have been loaded into the SENTRY database. User IDs, groups, and their usage in the file system are analyzed and inconsistencies are reported.
There are six data entry programs used to update the SENTRY database, file system permissions, the UNIX password and group files as well as SENTRYís Database Command Protection and User Defined Item Protection.
- allows you to review or modify the system parameters.
These parameters include password requirements, minimum and maximum
lengths for user IDs, group names, pathnames and commands.
(user Ids) - may be created, deleted and modified.
User profiles include the userís name, department, telephone,
password life, UID, GID, home directory, supplementary groups and login
offer you the ability to display the group GID, and the users associated
with the group plus you may add a description to the record to document your
File System -
allows you to scroll through your UNIX tree structure much like you do in
Windowís File Manager. From
this selection you may request "file detail" information which is
read from the UNIX I-node. Included
in this information is the last time the file was accessed and/or modified.
You may change the owner, the group and the permissions. Do you
use Access Control Lists (ACLs)? SENTRY's ACL Maintenance data
entry screen can be used to create, delete, and change ACLs. No more
struggles with the UNIX commands.
You may create, delete, modify
and review the special permission-like protection SENTRY
offers for verbs, paragraphs, sentences, menus, and PROCs. Users and groups may be given rights to execute an item only
from within a program and/or from the database prompt. For example, this selection gives you the facility to
restrict the use of "DELETE" at the database prompt, but still
make it available should your application software need to execute it from
within a program.
User Defined Items - is a special SENTRY feature which allows you to define SENTRY security objects. These objects may be accessed through subroutine calls to solve unique security problems which may not be met through permissions and VOC item protection. For example, a personnel report is needed by a secretary who is completing a group insurance report. This report also displays salary information. A User Defined Item could be created so that the salary field displayed only asterisks (*). The User Defined Item could discriminate by user ID or by group to determine when to print the salary field. This would eliminate the need for ANOTHER report (which would increase the software support burden for the MIS staff).
Comprehensive reports describing your system's users, groups, and their relationships, plus the SENTRY Command Protection reports are easily available through the Reports Menu.
Five utility programs are provided which are designed to save the System Administrator data entry effort and time in performing global tasks such as generating and protecting an account "like" another account, purging the Violations Log on a selective basis, and changing passwords in SENTRY's database.
Protect a Database Account Like an Account
Already Protected, is a time saving
utility if you wish to copy the Command Protection from one account to
another. Frequently this is the case.
A great deal of data entry may be skipped through the use of this
Purge the Violations Log,
allows you to delete entries from the Violations Log on a selective basis,
by user ID, date, port, etc.
Generate New Passwords for Users,
will generate and change all passwords on the system if you would like.
For the System Administrator who wishes to change all passwords
frequently, this is a real time saver.
A report is also generated which may be used to notify each user of
their new password.
Rebuild SENTRY Cross Reference Files.
SENTRY maintains a number of traditional inverted
lists which are used for cross referencing.
When you use the "@" function you are accessing one of
these lists. Should you
encounter a list where an item appears as "NOT FOUND" or isnít
shown when it should be, you should rebuild these lists through this
Update Protected Commands to Account VOC Files. It is possible that through the use of the editor or upgrading to a new database release that SENTRYís Command Protection could be overwritten. To re-install the Command Protection into the VOC of an account, use this program.
Download a Complete Technical Overview
Would you like more detailed information about SENTRY in a format that you can review at your leisure? We suggest that you download our Technical Overview. It is a 26 page Adobe Acrobat document which describes SENTRY in detail, showing pictures of the various screens and describing each of the processes and reports. This overview covers SENTRY's functionality in uniVerse on UNIX, PI/open on UNIX, UniData on UNIX, and Prime INFORMATION.
& Long, Inc.
Copyright © 2001. All rights reserved.
Information in this document is subject to change without notice.
Other products and companies referred to herein are trademarks or registered trademarks
of their respective companies or mark holders.