20.2 Configuring the Security Equivalence Vector Update Frequency

The Security Equivalence Vector (SEV) is used to validate the user against the trustee rights of the directory and file the user is attempting to access. You can use commands in the NSS Console utility (nsscon) on Linux to enable or disable the background update, to set the update interval from 5 minutes to 90 days (specified in seconds), and to force an immediate update of security equivalence vectors.

20.2.1 Understanding the SEV

The Security Equivalence Vector (SEV) is calculated for each NSS user based on information in the user’s profile in Novell eDirectory. It is a list of eDirectory GUIDs, for example:

  • the user’s own GUID

  • GUIDs of groups that include the user

  • GUIDs of parent containers for the user and his or her groups

  • security equivalent GUIDs

After you boot the Linux server, when a user first attempts to connect to the NSS file system, NSS contacts Novell eDirectory to retrieve the user’s Security Equivalence Vector (SEV). eDirectory calculates the user’s effective rights for the NSS volume, creates the SEV, and passes it to NSS. NSS compares the user’s SEV with file system trustees and trustee rights for the specified file or directory to determine if the user can access the resource.

For NetWare, whenever a user connects to the NSS file system, NetWare retrieves the user’s SEV from eDirectory and maintains it as part of the connection structure for the user’s session. NSS automatically retrieves the user’s SEV from the NetWare connection structure, then deletes it when the session ends.

On Linux, the SEV behavior differs from the NetWare behavior because NSS does not have the same integrated relationship to the connection infrastructure as it does on NetWare. NSS caches the SEV locally in the server memory, where it remains until the server is rebooted or the user is deleted from eDirectory. NSS polls eDirectory at a specified interval for updates to the SEVs that are in cache.

20.2.2 Enabling or Disabling the Background SEV Update

By default, the SEV is updated in the background at a fixed interval and whenever the server is rebooted. You can optionally disable the background updating. If it is disabled, the cached SEVs drift out of sync with eDirectory over time, so users might have more or less access than you have configured: a user removed from a group, for example, keeps that group's trustee rights on this server until the next update. We recommend that you leave the SEV updating feature enabled, then modify the polling frequency to best meet the security needs of your production environment.

To enable or disable the setting:

  1. Open a terminal console, then log in as the root user.

  2. At the terminal console prompt, start the NSS Console by entering

    nsscon
    
  3. At the nsscon prompt, do one of the following:

    • Enable: This is the default. To enable the background updating of the SEV in addition to the default update at server reboot, enter

      nss /SecurityEquivalenceUpdating
      
    • Disable: To disable the background updating, enter

      nss /NoSecurityEquivalenceUpdating
      

SEV updating is enabled again whenever you reboot the server; the nss /NoSecurityEquivalenceUpdating setting entered in nsscon lasts only until the next reboot. If you disable SEV updates and want the setting to persist across server reboots, include the /NoSecurityEquivalenceUpdating option in the /etc/opt/novell/nss/nssstart.cfg file.

20.2.3 Configuring the Background SEV Update Interval

You might want to modify the background SEV update interval so that NSS polls eDirectory more or less frequently. Polling too frequently can impact performance. Polling too infrequently delays granting or restricting access for users whose rights have changed. To avoid possible security violations, you can also force an update at any time by using the /ForceSecurityEquivalenceUpdate command. For information, see Section 20.2.4, Forcing a Background SEV Update.

The interval for the background updating of the SEV is the elapsed time between the last update and the next one. When the interval expires, NSS requests updated SEVs from eDirectory for the users in its cache. The default interval is 7200 seconds (2 hours). The valid range is 300 (5 minutes) to 7776000 (90 days); the value is always specified in seconds.

To set the interval to use until the next server reboot:

  1. Open a terminal console, then log in as the root user.

  2. At the terminal console prompt, start the NSS Console by entering

    nsscon
    
  3. At the nsscon prompt, enter

    nss /UpdateSecurityEquivalenceInterval=value
    

    Replace value with the desired interval.

To make the interval setting persistent across server reboots, include the /UpdateSecurityEquivalenceInterval=value option in the /etc/opt/novell/nss/nssstart.cfg file.

20.2.4 Forcing a Background SEV Update

If you modify a user’s access control settings or remove a user from eDirectory between scheduled SEV updates, the SEV cached on this server still reflects the old settings, so you can force the SEV to be updated immediately to avoid possible security violations. Use the /ForceSecurityEquivalenceUpdate option to force an immediate update for all users in the NSS file system so that your changes are reflected immediately in the users’ active SEVs for this server.

To force an immediate update:

  1. Open a terminal console, then log in as the root user.

  2. At the terminal console prompt, start the NSS Console by entering

    nsscon
    
  3. At the nsscon prompt, enter

    nss /ForceSecurityEquivalenceUpdate
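As an added example (not part of the NSS documentation or of the product's own tooling), the following POSIX shell script persists the settings from Section 20.2.2 and Section 20.2.3 in nssstart.cfg and pushes the forced refresh from Section 20.2.4. It assumes that nssstart.cfg holds one /Option per line, that option names are matched case-insensitively, and that nsscon accepts commands on standard input followed by exit; none of these assumptions is confirmed by the documentation above. Every function takes the file path explicitly so that the logic can be exercised on a copy before touching the real /etc/opt/novell/nss/nssstart.cfg.

```shell
#!/bin/sh
# Added example, not from the OES/NSS documentation.
# Assumptions (not confirmed by the documentation): nssstart.cfg holds one
# "/Option" per line, option names are case-insensitive, and nsscon reads
# commands from standard input and leaves on "exit".

NSSSTART_CFG=/etc/opt/novell/nss/nssstart.cfg   # real path from the docs
SEV_MIN=300        # 5 minutes: documented lower bound
SEV_MAX=7776000    # 90 days: documented upper bound
SEV_DEFAULT=7200   # 2 hours: documented default

# Return 0 if $1 is a whole number of seconds inside the documented range.
validate_sev_interval() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$SEV_MIN" ] && [ "$1" -le "$SEV_MAX" ]
}

# Remove every line of FILE matching the extended regex in $2 (case-insensitive).
# Creates FILE if it does not exist yet.
remove_option() {
    file=$1; regex=$2
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        grep -v -i -E -e "$regex" "$file" > "$tmp" || true   # grep -v exits 1 when nothing is left
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Persist "on" or "off" for background SEV updating (Section 20.2.2).
# Drops both the enable and the disable option first so only one survives.
persist_sev_updating() {
    file=$1; mode=$2
    case $mode in
        on)  line='/SecurityEquivalenceUpdating' ;;
        off) line='/NoSecurityEquivalenceUpdating' ;;
        *)   echo "mode must be on or off, got '$mode'" >&2; return 1 ;;
    esac
    remove_option "$file" '^/(No)?SecurityEquivalenceUpdating$' || return 1
    printf '%s\n' "$line" >> "$file"
}

# Persist the polling interval in seconds (Section 20.2.3), replacing any
# earlier interval line. Warns when the file also disables updating, because
# the interval has no effect in that case.
persist_sev_interval() {
    file=$1; secs=$2
    validate_sev_interval "$secs" || {
        echo "interval must be $SEV_MIN..$SEV_MAX seconds, got '$secs'" >&2
        return 1
    }
    remove_option "$file" '^/UpdateSecurityEquivalenceInterval=' || return 1
    printf '/UpdateSecurityEquivalenceInterval=%s\n' "$secs" >> "$file"
    if grep -qiE '^/NoSecurityEquivalenceUpdating$' "$file"; then
        echo "warning: $file disables SEV updating; the interval is ignored" >&2
    fi
}

# Print what FILE will make NSS do after the next reboot: "disabled", the
# configured interval, "invalid:<value>" for an out-of-range value, or the
# documented default when no interval line is present.
effective_sev_interval() {
    file=$1
    [ -f "$file" ] || { echo "$SEV_DEFAULT"; return 0; }
    if grep -qiE '^/NoSecurityEquivalenceUpdating$' "$file"; then
        echo disabled; return 0
    fi
    v=$(grep -iE '^/UpdateSecurityEquivalenceInterval=' "$file" | tail -n 1 | cut -d= -f2)
    if [ -z "$v" ]; then echo "$SEV_DEFAULT"
    elif validate_sev_interval "$v"; then echo "$v"
    else echo "invalid:$v"
    fi
}

# Push an immediate refresh of every cached SEV (Section 20.2.4). Run this
# right after deleting a user or changing group membership in eDirectory.
# Assumption: nsscon accepts the commands on stdin.
force_sev_update() {
    printf 'nss /ForceSecurityEquivalenceUpdate\nexit\n' | nsscon
}

# Typical use on the live file (requires root):
#   persist_sev_updating "$NSSSTART_CFG" on
#   persist_sev_interval "$NSSSTART_CFG" 900
#   effective_sev_interval "$NSSSTART_CFG"
#   force_sev_update
```

The settings written by these functions take effect at the next NSS start; until then the running values are whatever was last entered at the nsscon prompt, so pair a file change with the corresponding nsscon command (or with force_sev_update for an immediate refresh of the cache) when the change must apply now.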