How to set up a WZSysGuard operation account

When WZSysGuard is in use on a server, you need an account on that machine to run the scan and, when needed, update the registry files.

Because the scan and update need root privilege, you can use the root account for WZSysGuard operation. Normally, however, these tasks are performed by data/information security officers, and under the least privilege principle it is better not to use the root account when there is a way to minimize its use.

So, for better security, we recommend creating an account for each data/information security officer and putting these accounts into a common datasec group.

Then you can use CaclMgr to grant the datasec group permission to run wzsgreg, wzsgchk, wzsgaupd, wzsgcupd and wzsglogp with root privilege:

# cacl -a @datasec /usr/local/lib/wzsg/wzsgreg

# cacl -a @datasec /usr/local/lib/wzsg/wzsgchk

# cacl -a @datasec /usr/local/lib/wzsg/wzsgaupd

# cacl -a @datasec /usr/local/lib/wzsg/wzsgcupd

# cacl -a @datasec /usr/local/lib/wzsg/wzsglogp

After this, any account in the datasec group will be able to initiate a scan, generate a new registry file or update records in the registry files, provided the person knows the passphrase for WZSysGuard and the password or passphrase for the checksum protection of the registry files.
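A check worth running before the cacl grants above, shown here as an added example that is not part of WZSysGuard or CaclMgr: because the datasec group will run these five tools with root privilege, it confirms that each tool exists, is a regular file owned by root, and is not group- or world-writable. The function name check_wzsg_tools and the output labels are invented for this example; the directory and tool names are the ones used on this page.

```shell
#!/bin/sh
# Added example: audit the five WZSysGuard tools before delegating them.
# Assumption: the expected owner is root unless a second argument is given.

WZSG_TOOLS="wzsgreg wzsgchk wzsgaupd wzsgcupd wzsglogp"

# check_wzsg_tools DIR [OWNER]
# Prints one line per problem and returns the number of problems found.
check_wzsg_tools() {
    dir=$1
    owner=${2:-root}
    problems=0

    # A group/world-writable directory lets a tool be replaced even when
    # the tool file itself is locked down.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "WRITABLE-DIR $dir"
        problems=$((problems + 1))
    fi

    for tool in $WZSG_TOOLS; do
        f=$dir/$tool
        if [ -L "$f" ]; then
            echo "SYMLINK $f"        # target could be swapped later
        elif [ ! -f "$f" ]; then
            echo "MISSING $f"
        elif [ -z "$(find "$f" -prune -user "$owner")" ]; then
            echo "OWNER $f"          # not owned by the expected account
        elif [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $f"       # group or others can modify it
        else
            continue                 # this tool is fine
        fi
        problems=$((problems + 1))
    done
    return "$problems"
}

# Run against the install path used on this page, if it exists.
if [ -d /usr/local/lib/wzsg ]; then
    check_wzsg_tools /usr/local/lib/wzsg || echo "Fix the items above before granting access."
fi
```
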

To help keep a keylogger from stealing your password, avoid running any command that requires you to enter a password in an X-Window terminal, on the Linux/X86 console.