Security considerations for UNIX and Linux systems

The Client daemon defines the access permissions to the client trace and log files. These files are created in the /var/cicscli directory.

Client daemon administration

To restrict Client daemon administration to the root user, modify the permissions on the <install_path>/bin/cicscli executable. Use a command such as:
chmod 700 /opt/ibm/cicstg/bin/cicscli
After restricting access to the cicscli command, users will still be able to start the Client daemon with ECI v1 and EPI programs or when they start a terminal.

Log and trace files

The /var/cicscli directory is created by the installer with permissions 777, which gives all users write access to the directory. A user with write access to the /var/cicscli directory can delete files from that directory regardless of the permissions on the files. If you do not want users to be able to delete trace and log files, remove their write access to the /var/cicscli directory. For example, a command such as:
chmod 755 /var/cicscli
allows users to see files in the /var/cicscli directory but not to create, delete, or move them. After restricting access to /var/cicscli, users will only be able to start the Client daemon if the Client daemon log and trace files already exist.
To stop users from having read access to the files in /var/cicscli, use a command such as:
chmod 711 /var/cicscli

The Client daemon defines the access permissions to the client trace file; the permissions vary with the type of trace being processed. When processing memory mapped trace, the Client daemon defines trace file permissions as 666, so all users have read and write access. Memory mapped trace is started with the -b option. (See Starting client tracing). When processing basic trace, the Client daemon defines trace file permissions as 622, so all users have write access and only the owner can read the file for formatting.

The Client daemon prevents you from starting tracing if an unauthorized user has deleted and recreated the Client daemon trace file.
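
The following script is an added example, not part of the original IBM documentation. It audits the directory and executable permissions discussed above; the function names are hypothetical, and the paths are passed as arguments so the checks can be run against a test directory first.

```sh
#!/bin/sh
# Added example (not IBM code): audit the permissions described on this page.

# Octal mode of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Audit the log and trace directory. Returns 1 if any user can create,
# delete, or move files in it, 0 if not, 2 if the path is missing.
audit_log_dir() {
    dir=$1
    m=$(mode_of "$dir") || { echo "MISSING $dir"; return 2; }
    o=${m#"${m%?}"}          # last octal digit = permissions for "other"
    rc=0
    case $o in
        2|3|6|7) echo "FAIL $dir ($m): all users can create, delete, or move files"; rc=1 ;;
        *)       echo "OK   $dir ($m): not writable by other users" ;;
    esac
    case $o in
        4|5|6|7) echo "NOTE $dir ($m): other users can list the files" ;;
    esac
    # Report the modes the Client daemon set on each file (666 or 622 for trace).
    for f in "$dir"/*; do
        if [ -f "$f" ]; then echo "FILE $f mode $(mode_of "$f")"; fi
    done
    return $rc
}

# Audit the cicscli executable. Returns 0 only when group and other have
# no access (for example 700), 1 otherwise, 2 if the path is missing.
audit_admin_cmd() {
    m=$(mode_of "$1") || { echo "MISSING $1"; return 2; }
    case $m in
        [0-7]00) echo "OK   $1 ($m): owner only"; return 0 ;;
        *)       echo "FAIL $1 ($m): group or other users can access it"; return 1 ;;
    esac
}

# Usage with the paths shown on this page:
#   audit_log_dir /var/cicscli
#   audit_admin_cmd /opt/ibm/cicstg/bin/cicscli
```

The mode check on the executable confirms owner-only access; it assumes the file is owned by root, which the script does not verify.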



Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tg_latest/help/topic/com.ibm.cics.tg.doc//ctgunx/secontrace.html