Changing permissions on the xcom.log and xcomd.it files for XCOM for Linux and UNIX

Article ID: 197883

Products

CA XCOM Data Transport CA XCOM Data Transport - Linux PC XCOM - SUPPORT

Issue/Introduction

Reducing CA XCOM for Unix/Linux xcom.log and /tmp/xcomd.it file permissions from 666 (rw-rw-rw-) to 664 (rw-rw-r--)

Based on required AIX OS hardening, there should be no files with permissions 666 (rw-rw-rw-), i.e. no files with write access for Other.


A CA XCOM for AIX installation has 2 files with 666 permissions set:
/tmp/xcomd.it
/opt/CA/XCOM/xcom.log
If write permission for Other is revoked, i.e. the files are changed to 664 (rw-rw-r--), will that have any negative impact on CA XCOM?

Environment

Release : 11.6
Component : CA XCOM Data Transport for Linux, UNIX

Resolution

1. File /tmp/xcomd.it:
Changing the permissions of file /tmp/xcomd.it from 666 (rw-rw-rw-) to 664 (rw-rw-r--) should have no negative impact.
That file is only created if xcomd is started with a "-dtracelevel*" option, and the file does not get updated again after the startup.
That information is included in the KB article "What are the .it files created by CA XCOM? What are they for and when should they be deleted?"

2. File /opt/CA/XCOM/xcom.log*:
Changing the permissions of file /opt/CA/XCOM/xcom.log from 666 (rw-rw-rw-) to 664 (rw-rw-r--) is possible.
By default, that file is owned by user root and group xcomadm.

If the write permission for Other is removed, i.e. the file is changed to 664, it will impact the logging of xcom transfer messages to the file unless the user is root or is in the xcomadm group. For a locally initiated transfer it will not log those "local" messages, but it will log messages for the "remote" side of the transfer. NOTE: the change won't prevent a successful transfer; it will only impact the logging of all messages.

So after making the change, to ensure all transfer messages are logged in the xcom.log file, all non-root users executing transfers should either be in the xcomadm group or, alternatively, an Access Control List (ACL) should be set up for /opt/CA/XCOM/xcom.log covering the users/groups who execute transfers and need the write permission.
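
The following script is an added example, not part of the original article or of CA XCOM. It removes write access for Other from both files and then reports which transfer users would stop logging local messages. The XCOM_USERS variable is an assumed, site-supplied list of accounts that run transfers, and the setfacl hint applies to Linux only (AIX has its own ACL commands).

```shell
#!/bin/sh
# Added example: tighten 666 -> 664 on the two XCOM files, then flag transfer
# users who would stop logging local messages to xcom.log.
LOG=/opt/CA/XCOM/xcom.log
TRACE=/tmp/xcomd.it
GROUP=xcomadm

# True if "other" has write access. POSIX find, so it works on AIX and Linux.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Remove only the other-write bit; owner and group bits are left alone.
revoke_other_write() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "skip:  $target (not present)"
    elif is_world_writable "$target"; then
        chmod o-w "$target" && echo "fixed: $target"
    else
        echo "ok:    $target"
    fi
}

# True if the user can still write to a 664 root:xcomadm log:
# root, or a member of the given group.
can_log() {
    [ "$1" = root ] && return 0
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

for path in "$TRACE" "$LOG"; do
    revoke_other_write "$path"
done

# XCOM_USERS is an assumed, site-supplied list, e.g. XCOM_USERS="alice batch1"
for user in ${XCOM_USERS:-}; do
    can_log "$user" "$GROUP" && continue
    echo "warn:  $user is not root or in $GROUP; local transfer messages will not be logged"
    echo "       add to $GROUP, or on Linux: setfacl -m u:$user:rw- $LOG"
done
```

Run it as root (or as the file owner) so that chmod succeeds; it is safe to re-run because files already at 664 are reported as ok and left unchanged.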