Can access to our virtual switches be controlled by VM:Secure?

Document ID : KB000011840
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

Can access to our virtual switches be controlled by VM:Secure?

 

 

Environment:
A new COUPLE rule to control access to network LAN and VSWITCH devices was added to VM:Secure r2.9.A related thought...?A "couple rule" will stop a privileged cp user (class B, I believe) from dynamically creating/coupling to a virtual switch viacommands like the following:? ?cp define nic 800 type qdio devices 3 ? ?? ?cp set vswitch vsw1 grant linux1 vlan 99 ? ?? ?cp couple 800 to system vsw1?The above makes sense; now consider the following:?A user's directory statement contains:? ? NICDEF 0900 TYPE QDIO DEVICES 3 LAN SYSTEM VSW1?AUTOLOG2's PROFILE EXEC contains:? ?cp define vswitch vsw1 rdev 9160 vlan 499 ??? ?cp set vswitch vsw1 grant TCPIP vlan 389Given the above, no "couple rule" is required for TCPIP to "couple / use" the virtual switch.This may be the intent of CA's implementation. If the intent was to force an ID to have a "couple rule" to use a virtual?switch, consider the above.
Answer:

VM:Secure intercepts the COUPLE ACIEVENT when CP sends it through the ACI system. So, like LINKs, even if they are in your directory entry, the ESM is asked about them when they occur. So, we would assume that CP would pass the COUPLE through to the ESM to check on, regardless of how the COUPLE is done. However, these new rules will adhere to the NORULE setting so if you have NORULE ACCEPT, that would get you around this. If you are set up with NORULE REJECT, then yes, you would need to put a rule in for the TCPIP COUPLE to be covered. You could also put an ACCEPT in the VMXRPI CONFIG for TCPIP so that it could do COUPLE, whether VM:Secure is available or not.