8.6 Miscellaneous EVM Topics


8.6.1 EVM Security

The /etc/evm.auth file defines which users and/or groups are authorized to post, subscribe (monitor), or retrieve particular events. The evm.auth file contains two types of entries:

  • event_rights

    This entry type defines the rights for a particular event class. Each event_rights entry contains three fields:

     event_rights {
         class   event_class
         post    rights_list
         access  rights_list
     }

    The class field contains the event class (e.g. @SYS_VP@.evm.msg.admin). The event must have a base template. See section 8.4 for more information.

    The post field contains the list of who has permission to post this event class.

    The access field contains the list of who has permission to retrieve or subscribe to this class of event.

    The rights_list is defined in Table 8-6.

    Table 8-6: Event Authorization Rights

    + | [user | group=groupname]

    Attribute    Value
    ---------    -----
    user         any login username
    groupname    any group
    +            grant access
                 deny access

    The rights_list must be enclosed in double-quotes ("") if it contains spaces. Multiple users and/or groups in the rights_list must be separated by a comma (,). The root user has implicit rights to all events and services unless explicitly denied.

    For example:

     event_rights {
         class   @SYS_VP@.binlog     # binary error log events
         post    root
         access  "root, group=adm"
     }

    The root user can post events of type "sys.unix.binlog", and the root user and users in the adm group can retrieve the events. If you are concerned about future portability, you should use the @SYS_VP@ macro to refer to system (sys.unix) events.

  • service_rights

    This entry type defines the rights for a particular service to be performed by the daemon for a requesting client. Each service_rights entry contains two fields:

     service_rights {
         service service_name
         execute rights_list
     }

    The service field contains the particular service. Services must be defined in /etc/evmdaemon.conf. User-defined services are not supported as of this writing.

    The execute field contains the users and/or groups that are authorized to execute this service.

    For example:

     service_rights {
         service event_get   # event_get service - handles evmget requests
         execute +
     }

    All users can execute the event_get service. The event_get service is used by the evmget program.

For additional information, see the Tru64 UNIX System Administration Guide, chapter 13, and the evm.auth(4) reference page.
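An audit of the entry types described above, as an added example (not code from the book or from Tru64 UNIX): it parses evm.auth text and reports every post, access, or execute field whose rights_list is +, which the event_get example shows means all users. The function names are hypothetical, the sample file is constructed, and the parser assumes one field per line with # comments running to end of line.

```python
import re
# Constructed sample in the evm.auth layout shown above (not a real system's file).
SAMPLE = '''
event_rights {
    class   @SYS_VP@.binlog     # binary error log events
    post    root
    access  "root, group=adm"
}
event_rights {
    class   @SYS_VP@.evm.msg.admin
    post    +
    access  "root, group=adm"
}
service_rights {
    service event_get           # handles evmget requests
    execute +
}
'''

ENTRY = re.compile(r'(event_rights|service_rights)\s*\{([^}]*)\}')
RIGHTS_FIELDS = ('post', 'access', 'execute')

def parse_evm_auth(text):
    """Return [(entry_type, {field: value})]; rights fields become lists."""
    text = re.sub(r'#[^\n]*', '', text)           # drop comments to end of line
    entries = []
    for kind, body in ENTRY.findall(text):
        fields = {}
        for key, value in re.findall(r'^\s*(\w+)[ \t]+(.+?)\s*$', body, re.M):
            value = value.strip('"')              # quoted lists may hold spaces
            if key in RIGHTS_FIELDS:
                value = [r.strip() for r in value.split(',') if r.strip()]
            fields[key] = value
        entries.append((kind, fields))
    return entries

def open_to_all(entries):
    """List (name, field) pairs whose rights_list contains '+' (every user)."""
    findings = []
    for kind, fields in entries:
        name = fields.get('class') or fields.get('service') or '<unnamed>'
        for field in RIGHTS_FIELDS:
            if '+' in fields.get(field, []):
                findings.append((name, field))
    return findings

if __name__ == '__main__':
    for name, field in open_to_all(parse_evm_auth(SAMPLE)):
        print(f'{name}: {field} is granted to all users')
```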

8.6.2 EVM Remote Access

Remote access is disabled by default. To enable remote access, set the remote_connection attribute to "true" in /etc/evmdaemon.conf.

As of this writing, there is no authentication for remote users. Remote users are granted the lowest level of access or posting privileges. For additional information, see the Tru64 UNIX System Administration Guide, chapter 13.

8.6.3 EVM API

Writing applications that use EVM falls beyond the scope of this book. However, we would be remiss if we did not mention that there is a full API for EVM that enables you to write programs that can post events or subscribe to events. For additional information, see the Tru64 UNIX Programmer's Guide, chapter 14, as well as the reference pages in section 3 for the EVM API. To find all the "Evm*" calls, try the following command:

 # man -k evm | grep -E '^(Evm)(.*)\(3\)' 

Alternatively, you can use our sman script (see Appendix B for the URL), which is a section-based "man -k" script with formatted output.

 # sman 3 Evm 

There are also program examples in the /usr/examples/evm directory.




TruCluster Server Handbook (HP Technologies)
ISBN: 1555582591
EAN: 2147483647
Year: 2005
Pages: 273
