189 lines
11 KiB
HTML
189 lines
11 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Scan file system control" />
|
|
<meta name="abstract" content="The scan file systems control system value controls the integrated file system scanning that is enabled when exit programs are registered with any of the integrated file system scan-related exit points." />
|
|
<meta name="description" content="The scan file systems control system value controls the integrated file system scanning that is enabled when exit programs are registered with any of the integrated file system scan-related exit points." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvgensecsysval.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="qscanfsctl" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Scan file system control</title>
|
|
</head>
|
|
<body id="qscanfsctl"><a name="qscanfsctl"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Scan file system control</h1>
|
|
<div><p>The scan file systems control system value controls the integrated
|
|
file system scanning that is enabled when exit programs are registered with
|
|
any of the integrated file system scan-related exit points.</p>
|
|
<div class="p">This system value works with the scan file systems system value to provide
|
|
granular controls on how and what is scanned in the integrated file system.
|
|
You can choose the different scanning options and you can select to use default
|
|
scan options which provide the following scan controls:<ul><li>Perform write access upgrades </li>
|
|
<li>Fail close request if scan fails during close </li>
|
|
<li>Scan on next access after object has been restored</li>
|
|
</ul>
|
|
</div>
|
|
<p>See <a href="#qscanfsctl__quickref">Table 2</a> for details
|
|
on this system value.</p>
|
|
<p>Optionally you can select several scan options which control how and what
|
|
the registered exit programs will scan. These options are described in following
|
|
table:</p>
|
|
<div class="p">
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Possible values for the scan file system control
|
|
system value</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e38">iSeries™ Navigator </th>
|
|
<th valign="bottom" id="d0e42">Character-based interface</th>
|
|
<th valign="bottom" id="d0e44">Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td valign="top" headers="d0e38 ">No selections</td>
|
|
<td valign="top" headers="d0e42 ">*NONE</td>
|
|
<td valign="top" headers="d0e44 ">No controls are being specified for the integrated file
|
|
system scan-related exit points.</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e38 ">Scan accesses through file servers only</td>
|
|
<td valign="top" headers="d0e42 ">*FSVRONLY</td>
|
|
<td valign="top" headers="d0e44 ">Only accesses through the file servers to the system
|
|
will be scanned. However, native or direct connections to the system are not
|
|
scanned. If this option is not selected, all accesses will be scanned no matter
|
|
if you connect directly to the system or through a file server.</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e38 ">Fail request if exit program fails</td>
|
|
<td valign="top" headers="d0e42 ">*ERRFAIL</td>
|
|
<td valign="top" headers="d0e44 ">This option specifies the request or operation that
|
|
started the exit program will fail if there are errors when the exit program
|
|
is called. If this happens, the requested operation receives an indication
|
|
that the scan fail on that object. If you do not select this option, the system
|
|
will skip the failing exit program and treat the object as if it was not scanned
|
|
by this exit program.</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e38 ">Perform write access upgrades (selected) <sup>1</sup></td>
|
|
<td valign="top" headers="d0e42 ">NA </td>
|
|
<td valign="top" headers="d0e44 ">This option allows the system to upgrade the access
|
|
for the scan descriptor passed to the exit program to include write access,
|
|
if possible. Use this option if you want the exit program to be able to fix
|
|
or modify objects even though they were originally opened with read-only access. </td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e38 ">Perform write access upgrades (deselected)</td>
|
|
<td valign="top" headers="d0e42 ">*NOWRTUPG</td>
|
|
<td valign="top" headers="d0e44 ">This option specifies that the system will not upgrade
|
|
the access to include write access.</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e38 ">Use <span class="uicontrol">only when objects have changed</span> attribute
|
|
to control scan</td>
|
|
<td valign="top" headers="d0e42 ">*USEOCOATR</td>
|
|
<td valign="top" headers="d0e44 ">With this option, the system specifies the 'object change
|
|
only' attribute to scan the object if it has been changed. </td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e38 ">Fail close request if scan fails during close</td>
|
|
<td valign="top" headers="d0e42 ">*NOFAILCLO</td>
|
|
<td valign="top" headers="d0e44 ">This option specifies that the system will fail the
|
|
close request if an object failed a scan during close processing. This option
|
|
only applies to close requests. If the <span class="uicontrol">Fail request if exit program
|
|
fails</span> option is selected and this option is not selected, the
|
|
system will not send a failure indication even though an object failed a scan
|
|
during close processing. But, the object will be marked as failing a scan.</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e38 ">Scan on next access after object has been restored</td>
|
|
<td valign="top" headers="d0e42 ">*NOPOSTRST</td>
|
|
<td valign="top" headers="d0e44 ">This option indicates that regardless of how an object
|
|
is defined with its scan attribute, the object will be scanned after it is
|
|
restored. If the object scan attribute indicates that the object will not
|
|
be scanned, this option forces a scan after the object is restored. If the
|
|
object scan attribute indicates that the object will be scanned if it has
|
|
been changed since the last scan, then the object will be scanned after a
|
|
restore since the restore operation is considered a change to the object.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<p><strong>Relationship to security policy</strong></p>
|
|
<p>Scanning control options provide granular control to using scan-related
|
|
exit programs for the integrated file system. For security purposes, you can
|
|
use these options to enhance detection of computer viruses and suspicious
|
|
programs that may be in your integrated file system when the exit programs
|
|
are designed to detect viruses.</p>
|
|
<div class="p">
|
|
<div class="tablenoborder"><a name="qscanfsctl__quickref"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="qscanfsctl__quickref" frame="border" border="1" rules="all"><caption>Table 2. Quick reference. Provides details
|
|
for the scan file system control system value.</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e127">iSeries Navigator name</th>
|
|
<th valign="bottom" id="d0e131">Scan control</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td valign="top" headers="d0e127 ">Character-based interface name</td>
|
|
<td valign="top" headers="d0e131 ">QSCANFSCTL</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e127 ">Authority</td>
|
|
<td valign="top" headers="d0e131 "><p>*ALLOBJ<br />
|
|
*SECADM</p>
|
|
<div class="note"><span class="notetitle">Note:</span> The QSECOFR user profile is shipped with these authorities. </div>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e127 ">How to access</td>
|
|
<td valign="top" headers="d0e131 "><div class="p"><strong>iSeries Navigator</strong><ol><li>Expand <span class="menucascade"><span class="uicontrol">Security</span> > <span class="uicontrol">Policies</span></span>.</li>
|
|
<li>Right click <span class="uicontrol">Security Policy</span> and select <strong>Properties</strong>.</li>
|
|
<li>On the <span class="uicontrol">Scan</span> page, you will find the options for
|
|
scan control.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="p"><span class="uicontrol">Character-based interface</span><ol><li>In the character-based interface, type <samp class="codeph">WRKSYSVAL QSCANFSCTL</samp>.</li>
|
|
</ol>
|
|
</div>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e127 ">Changes take effect</td>
|
|
<td valign="top" headers="d0e131 ">Immediately</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e127 ">Default value</td>
|
|
<td valign="top" headers="d0e131 ">Use default scan control options</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e127 ">Recommended values</td>
|
|
<td valign="top" headers="d0e131 "><dl><dt class="dlterm">For strict security environments</dt>
|
|
<dd>Select the <span class="uicontrol">Fail request if exit program fails</span> option
|
|
and ensure that the <span class="uicontrol">Perform write access upgrades</span> is
|
|
deselected. These options provide that any failures from the scan exit programs
|
|
will prevent associated operations or the scan exit program from gaining additional
|
|
access levels. </dd>
|
|
<dt class="dlterm">For less strict security environments</dt>
|
|
<dd>For most environments, you can choose not to select these options or simply
|
|
use the default options.</dd>
|
|
</dl>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e127 "><a href="rzamvlockdown.htm">Lockable</a></td>
|
|
<td valign="top" headers="d0e131 ">Yes</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e127 ">Special considerations </td>
|
|
<td valign="top" headers="d0e131 "> When installing code that is shipped from a trusted
|
|
source, it is recommended that you specify <span class="uicontrol">Scan on next access
|
|
after object has been restored</span> during the installation.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<p>For more detailed information about this security value, see Chapter 3,
|
|
"Security System Values" in <a href="../books/sc415302.pdf" target="_blank">Security Reference</a>.</p>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvgensecsysval.htm" title="General security system values provide the cornerstone for your security policy.">General security system values</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |