6.4 CVR

The Critical Value Reset (CVR) channel allows you to flag an attribute in eDirectory with a reset policy. If the value of that attribute is changed, the CVR channel resets it according to the policy defined in the CVR Channel object.

The CVR channel can be used to maintain critical system settings or enforce organizational policies. For example, if your organization has a policy prohibiting security equivalence, you can create a CVR Channel object that automatically resets the Security Equals attribute to a null value.

It can also be used to provide an added measure of system security. In the event of a security breach, the CVR channel can be configured to maintain your critical system settings.

The CVR channel must be used in conjunction with a notification filter. To optimize event processing, the notification filter should be configured to filter only those events that the CVR channel can act on. For information on configuring Notification Filters, see Section 7.0, Configuring Filters and Event Notifications.

6.4.1 CVR Channel Driver

The CVR driver is lgdcvr.

When the CVR channel driver receives an event, it looks at the event’s Text2 field to determine if the logged attribute matches the attribute defined in the CVR object. If the CVR driver does not find a matching attribute in the event’s Text2 field, it then looks in the Text1 field.

If the contents of the Text2 or Text1 field match the attribute defined in the CVR object, the driver looks in the remaining Text field to find the object to which the attribute belongs. It then locates the object in eDirectory and applies the Reset Value defined in the CVR object.

NOTE: All eDirectory events store the event’s attribute in the Sub Target field and the object in the Target field.

The reset process is very fast. Typically, an attribute is reset the instant it is saved. In fact, in iManager, it simply appears that the change cannot be saved.
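The matching order described above, as an added illustration that is not Novell’s lgdcvr code: the driver checks Text2 for the policy attribute first, then Text1, takes the remaining text field as the object to reset, and applies each policy line on its own. The mapping of Sub Target to Text2 and Target to Text1 is inferred from the note above, and the sample policies and object names are constructed.

```python
# Added illustration (not Novell's lgdcvr code): a minimal model of how the
# CVR channel driver matches a logged eDirectory event against its reset
# policies. Assumption: Sub Target (the changed attribute) arrives in Text2
# and Target (the changed object) in Text1.
from dataclasses import dataclass


@dataclass(frozen=True)
class ResetPolicy:
    """One line of the CVR Channel object: Attribute, Type, Reset Value."""
    attribute: str
    value_type: str   # "String" or "Distinguished Name"
    reset_value: str  # "" models a reset to a null value


@dataclass(frozen=True)
class Event:
    """A logged event as the driver sees it; only the two text fields matter here."""
    text1: str  # Target: the object that was modified
    text2: str  # Sub Target: the attribute that was modified


@dataclass(frozen=True)
class ResetAction:
    object_dn: str
    attribute: str
    reset_value: str


def find_target(event: Event, attribute: str):
    """Lookup order from the page: check Text2 for the attribute first, then
    Text1; the remaining field names the object. Returns None on no match."""
    if event.text2 == attribute:
        return event.text1
    if event.text1 == attribute:
        return event.text2
    return None


def evaluate(event: Event, policies) -> list:
    """Apply every policy independently (they are not cumulative) and return
    the resets the driver would perform for this single event."""
    actions = []
    for policy in policies:
        obj = find_target(event, policy.attribute)
        if obj is not None:
            actions.append(ResetAction(obj, policy.attribute, policy.reset_value))
    return actions


# Constructed sample policies: force Security Equals back to null (the page's
# own example) and a DN-typed line for a hypothetical "Manager" attribute.
POLICIES = [
    ResetPolicy("Security Equals", "String", ""),
    ResetPolicy("Manager", "Distinguished Name", ".admin.sim.mycorp"),
]

if __name__ == "__main__":
    ev = Event(text1=".jsmith.sim.mycorp", text2="Security Equals")
    for a in evaluate(ev, POLICIES):
        print(f"reset {a.attribute} on {a.object_dn} -> {a.reset_value!r}")
```

An event whose attribute matches no policy line yields no action, which is why the notification filter should pass only the events the CVR channel can act on.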

6.4.2 CVR Channel Object

The CVR Channel object stores the policy and attribute information the CVR driver needs to reset a given value.

The following table provides a description of each Channel object attribute.

IMPORTANT: You must restart the logging server for any change to the Channel object configuration to take effect. For more information, see Section H.3, Secure Logging Server Startup Commands.

Table 6-2 CVR Channel Object Attributes

Configuration
    Configuration information for the CVR Channel object.

User
    The User object with rights to the CVR Channel object.

    IMPORTANT: The User object must have directory rights to the attribute that the CVR Channel object is configured to reset.

Password
    The user account password.

Type
    The type of data the CVR channel can expect as a Reset Value for the attribute designated in the Attribute field. The data type must match the Attribute Syntax defined in the directory schema.

    Currently, the only supported types are Distinguished Name and String. The Distinguished Name type supports only Distinguished Name syntax (.cn.ou.ou.o), for example .admin.sim.mycorp.

    The String type, on the other hand, supports multiple Attribute Syntax options:

      • String
      • Class Name
      • Case Exact String
      • Case Ignore String
      • Numeric String
      • Postal Address
      • Printable String
      • Telephone Number

    NOTE: The Attribute Syntax for a given attribute can be viewed in the eDirectory schema using a directory editing tool such as NDS® Snoop, ConsoleOne®, or iManager.

Attribute
    The name of the attribute the CVR driver resets. You must specify the attribute name exactly as it appears in the eDirectory schema.

    NOTE: You can view the eDirectory schema using a directory editing tool such as NDS Snoop, ConsoleOne, or iManager.

    The CVR driver scans events’ Target and Sub Target fields for matching attributes. When it finds a match, the CVR driver applies the reset policy. For more information on this process, see Section 6.4.1, CVR Channel Driver.

Reset Value
    The value the CVR Channel driver maintains for a given attribute.

    IMPORTANT: The CVR Channel driver does not validate the reset value syntax. Therefore, you must ensure the reset value follows the required attribute syntax. For example, if the Attribute Syntax is Telephone Number, the reset value must be a telephone number.

Operators (+ and -)
    Click the plus sign (+) to add a new line. Click the minus sign (-) to remove a line.

    Each line defines a separate reset policy. The policies are not cumulative; the CVR driver applies each policy independently.

    There is no programmed limit to the number of policies that can be added to a CVR object.

Status
    Allows you to enable or disable the Channel object. By default, all Channel objects are enabled, which means the logging server loads the Channel object’s configuration into memory at startup.

    IMPORTANT: The Channel object must be located in a supported Channel container for the logging server to use it. For more information on the logging server’s Channel Container property, see Logging Server Object Attributes.

    If you select the Disabled option, you must restart the Secure Logging Server for the setting to take effect. Thereafter, the logging server does not load the object’s configuration until you select Enabled.

For information on unloading the logging server, see Section H.3, Secure Logging Server Startup Commands.