System Resource File

Overview:

The System Resource file (.fsys) maps CDS Framework objects to physical files on the system. Some resource definitions for shared resources must be associated with actual files. For example, when creating an entrypoint, the entrypoint must be associated with an executable file.

The System Resource file also specifies local networking information for network resources. For Labeled Networking (ipsec), information about the local network is specified. For IPTables (secmark), information used to match incoming packets is specified.

File Structure:

Each line in the System Resource file contains the location information for a single resource definition. Every resource definition from the CDS Framework's graphical policy that has one or more paths or networking information associated with it is listed here. The examples below illustrate how these locations are defined within the System Resource file.

Path Example:

      high.r1 { dirFiles { "/etc/high/r1" } }

In this example, high.r1 is the name of the policy item defined in the Framework's graphical editor and dirFiles is the resource definition (rdef) of that item. dirFiles stands for directories/files, meaning that the policy item represents directories and/or files on the system. Last comes the location of the directory or file. The example above has only one path associated with it; if there are multiple paths, each path is enclosed in quotes and the paths are separated by spaces. Note that the entire resource definition and its paths are enclosed in curly braces, with the paths nested inside a second pair of curly braces. To sum up the example: the policy resource high.r1 represents files and/or directories (dirFiles) located at /etc/high/r1.

Network Examples:

      in { secmark { { eth0 } { 192.168.1.5/255.255.255.0 } { 1937 } { eth2 } { 192.168.5.2/255.255.255.0 } { 1937 } { tcp } } }

In the above example, the network resource named in uses the secmark rdef. The remaining data follows the secmark rdef. First comes the local information: network device, IP number with network mask, and finally the port(s). Next comes the remote network information in the same order: network device, IP number with network mask, followed by the port(s). Last is the protocol: tcp, udp or all. Almost all entries are optional - only the local IP number or the local network device must be specified. However, empty curly brackets must be included as placeholders for any omitted options so that the remaining fields keep their positions.

      guardcom { ipsec { { 192.168.1.2 } { 7623 } } }

In the above example, the network resource guardcom uses the ipsec rdef. Following the rdef are the local IP number (dns) and the port for incoming data. The port is optional.
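The following Python parser is added here as an example and is not part of the CDS Framework. It reads the three entry forms described above (dirFiles, secmark and ipsec), treats empty { } groups as omitted placeholders, and rejects a secmark entry that names neither a local device nor a local IP number; the sample file contents are constructed.

```python
import re

# Constructed sample of a System Resource (.fsys) file, one entry per line.
SAMPLE_FSYS = """\
high.r1 { dirFiles { "/etc/high/r1" "/var/high r1" } }
in { secmark { { eth0 } { 192.168.1.5/255.255.255.0 } { 1937 } { eth2 } { 192.168.5.2/255.255.255.0 } { 1937 } { tcp } } }
guardcom { ipsec { { 192.168.1.2 } { 7623 } } }
lo_only { secmark { { eth1 } { } { } { } { } { } { } } }
"""

# A token is a quoted string (paths may contain spaces), a brace, or a bare word.
TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}"]+')
SECMARK_FIELDS = ("local_dev", "local_ip", "local_ports",
                  "remote_dev", "remote_ip", "remote_ports", "proto")

def _tokens(line):
    return [t[1:-1] if t.startswith('"') else t for t in TOKEN.findall(line)]

def _group(tokens, pos):
    """Parse one '{ ... }' group starting at tokens[pos]; return (items, index after it)."""
    if pos >= len(tokens) or tokens[pos] != "{":
        raise ValueError("expected '{'")
    items, pos = [], pos + 1
    while pos < len(tokens) and tokens[pos] != "}":
        if tokens[pos] == "{":
            sub, pos = _group(tokens, pos)   # nested group, e.g. a secmark field
            items.append(sub)
        else:
            items.append(tokens[pos])
            pos += 1
    if pos >= len(tokens):
        raise ValueError("unbalanced braces")
    return items, pos + 1

def parse_entry(line):
    """Return (name, rdef, fields) for one .fsys line; empty groups become None."""
    tokens = _tokens(line)
    if len(tokens) < 2:
        raise ValueError("malformed entry: " + line)
    name = tokens[0]
    body, end = _group(tokens, 1)
    if end != len(tokens) or len(body) != 2:
        raise ValueError("malformed entry: " + line)
    rdef, args = body
    if rdef == "dirFiles":
        fields = {"paths": args}
    elif rdef == "secmark":
        if len(args) != 7:
            raise ValueError("secmark needs 7 groups; use '{ }' as placeholders")
        fields = {k: (v or None) for k, v in zip(SECMARK_FIELDS, args)}
        if not (fields["local_dev"] or fields["local_ip"]):
            raise ValueError("secmark: local device or local ip number required")
    elif rdef == "ipsec":
        port = args[1] if len(args) > 1 else []
        fields = {"local_ip": args[0] or None, "port": port or None}
    else:
        raise ValueError("unknown rdef: " + rdef)
    return name, rdef, fields

def parse_fsys(text):
    """Map each resource name to (rdef, fields) for every non-blank line."""
    return {n: (r, f) for n, r, f in (parse_entry(l) for l in text.splitlines() if l.strip())}
```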