Installing and Configuring ACSLS

This section explains how to securely install ACSLS.

Perform a Standard ACSLS Installation

Performing a standard ACSLS installation ensures that you will have all necessary components.

If you are migrating to a later ACSLS release from a previous ACSLS release, review your settings for dynamic and static variables to see if you want to use more secure options, especially regarding the Firewall Secure Option.

Use Strong Passwords for the ACSLS User IDs

ACSLS requires the ACSLS user IDs: acsss, acssa, postgres and acsdb. Choose strong passwords for these IDs, and change the passwords on a regular basis.

Restrict Access to ACSLS Files

ACSLS generally restricts access to the ACSLS files to the acsls group only, which includes the acsss, acssa, acsdb, and root user IDs. Some database and diagnostic files are accessible only by a single acsls user ID. During database installation, the user ID postgres and group ID postgres are used. ACSLS runs with a umask setting of 027.

ACSLS files should not be made world readable or writable. However, restricting access beyond the installation defaults may cause ACSLS functions to fail.

Set ‘root’ as the Effective User ID for Three ACSLS Files

The installation script advises customers that the effective user ID of 'root' must be set (setuid) on three executable files in the /export/home/ACSSS file system:
  • acsss  (This binary must be run with 'root' privileges because it is used to start and stop system services required by the ACSLS application.)
  • db_command  (This binary starts and stops the PostgreSQL database engine that controls and maintains the ACSLS database.)
  • get_diags  (This binary is invoked by a customer to collect comprehensive system diagnostic information that may be needed in the context of a service support call.)

During the installation of ACSLS with pkgadd, customers are prompted:

Do you want to install these as setuid/setgid files?

By answering y to the prompt, you allow these three commands to be run by users in the acsls group, even though the utilities perform certain system operations that require root privileges.
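To check an installed tree against the two points above (no world-readable or world-writable files, and setuid limited to the three listed binaries), the following report-only audit is an added example, not part of the ACSLS product or its documentation. It assumes the tree lives under /export/home/ACSSS and matches the three binaries by file name, because the page does not give their full paths; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report-only permission audit for an ACSLS file tree.
# Assumption: ACSLS_HOME defaults to the /export/home/ACSSS file system
# named on the page; override it if your installation differs.
ACSLS_HOME="${ACSLS_HOME:-/export/home/ACSSS}"

# The three executables the page lists as setuid root.
EXPECTED_SETUID="acsss db_command get_diags"

# Print entries that grant read or write to "other". With the ACSLS
# umask of 027, no file should be created with these bits set.
world_accessible() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 \) -print 2>/dev/null
}

# Print setuid regular files whose name is not one of the expected three.
unexpected_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        case " $EXPECTED_SETUID " in
            *" $name "*) ;;                 # expected, stay silent
            *) printf '%s\n' "$path" ;;     # anything else is a finding
        esac
    done
}

# Run both checks; print findings and return 1 if there are any.
acsls_audit() {
    dir=${1:-$ACSLS_HOME}
    status=0
    world=$(world_accessible "$dir")
    suid=$(unexpected_setuid "$dir")
    if [ -n "$world" ]; then
        printf 'World readable or writable:\n%s\n' "$world"
        status=1
    fi
    if [ -n "$suid" ]; then
        printf 'Unexpected setuid files:\n%s\n' "$suid"
        status=1
    fi
    return "$status"
}

# Only report; tightening beyond the defaults can break ACSLS functions.
if [ -d "$ACSLS_HOME" ]; then
    acsls_audit "$ACSLS_HOME" || echo "Review the findings above."
fi
```

Run it as a user that can read the whole tree, since unreadable directories are silently skipped.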

Review Settings for ACSLS Static and Dynamic Variables

The ACSLS static and dynamic variables control the behavior of many ACSLS functions. Set these variables using the acsss_config utility. Secure settings for many of these variables are discussed in this document. When the options for a variable are presented by acsss_config, replying with a question mark (?) will cause a detailed explanation of the variable to be displayed. This information is also available in the “Setting Variables that Control ACSLS Behavior” chapter of the ACSLS Administrator’s Guide.