This article lists all system files replaced, modified or updated by BoKS 7.2 on different platforms. For most files that are modified by BoKS, there is also a more detailed description of the nature of the changes made.
The OS versions covered in this article are only those for which there is a generally released BoKS Manager MRC (Master, Replica, Server Agent) package or BoKS Client (Server Agent) port.
Most changes to system files take place during the various installation/configuration steps:
When the install program is executed

When the setup program is executed

When sysreplace is used to activate or deactivate BoKS

On some platforms, SELinux also has an impact

Once the BoKS system is installed and running, the only system files touched by BoKS are the passwd, shadow and group file(s), root crontabs and login record(s) in utmp/wtmp.
The following tables list the changes made by each of the programs install, setup, and sysreplace, as well as files updated by a running BoKS system. Only files and directories outside of the install directories are listed. The install directories default to /opt/boksm (or $BOKS_DIR) for program files, /etc/opt/boksm (or $BOKS_etc) for configuration files and /var/opt/boksm (or $BOKS_var) for files that vary, including the database, the log and errlog files. If alternative directories are specified during installation, a symbolic link /etc/boksmconfig is created on all platforms to the file ${BOKS_etc}/ENV.
Note that the setup script is normally started by the install script as the second phase of the installation, but may also be postponed and executed separately. The ${BOKS_etc}/sysreplace.conf file allows some services to be configured for activation or deactivation on demand. The system service changes caused by sysreplace described in this section refer to sysreplace with default settings in sysreplace.conf. For further information, see the man page for sysreplace.conf and Advanced BoKS Protection Configuration.
Exceptions
As mentioned above, the link /etc/boksmconfig is created on all platforms when non-default installation directories are used.
The directory for BoKS Unix domain sockets, ${BOKS_var}/unipc, may be created in its default location /var/opt/boksm/unipc instead of under $BOKS_var if the $BOKS_var path is more than 70 characters long. This is because a Unix domain IPC socket path has a maximum length of about 100 characters.
This article covers the base installation of BoKS Manager. If additional add-on modules are installed, more system files may be modified.

Root files - Files added/modified/removed outside of BoKS install directories




AIX 7

Install
/usr/lib/security/pam_boks.so.1 A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/rc.boks A  
/etc/inittab M  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.conf..ssm A Created from template
/etc/pam.conf M Original file renamed pam.conf..org and link /etc/pam.conf -> /etc/pam.conf..ssm added
/etc/security/login.cfg M Set auth_type to PAM_AUTH
/etc/security/user M For each stanza in the file, remove any 'auth1', 'auth2', 'rlogin', 'login' and 'ttys' attributes. Then modify the 'default' stanza by setting attributes in the following way: auth1=SYSTEM auth2=NONE rlogin=true login=true ttys=ALL
/etc/security/ouser M Old user file saved as ouser
/etc/inetd.conf M Modified if sysreplace activate/deactivate services function is used, see sysreplace(1)
/etc/inetd.conf:ssm-inst A Backup of inetd.conf
/etc/inetd.conf:ssm-un A Backup of inetd.conf
/etc/security/.ids M  
/etc/security/.ids..org A  
Operation
/etc/passwd M  
/etc/group M  
/etc/security/passwd M  
/etc/security/user M  
/etc/security/group M  
/etc/security/limits M  
/etc/security/lastlog M  
/etc/utmp M  
/var/adm/wtmp M  
/var/spool/cron/crontabs/root M  
/etc/krb5/krb5.conf M  
/etc/krb5/krb5.keytab M  
/etc/krb5/krb5.conf.adj_org A  

Debian 8 & 9

Install
/etc/init.d/boksm A  
/etc/pam.d/boks_sshd A  
/etc/pam.d/suexec A  
/lib/x86_64-linux-gnu/security/pam_boks.so.1 A  
/lib/x86_64-linux-gnu/security/pam_boks_select.so A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/gshadow R Removed by grpunconv if it exists.
/etc/rc0.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc1.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc2.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc3.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc4.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc5.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc6.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.d M Directory renamed pam.d..org and link /etc/pam.d -> $BOKS_etc/pam.d added
/etc/inetd.conf M Modified if sysreplace activate/deactivate services function is used, see sysreplace(1)
/etc/inetd.conf:ssm-inst A Backup of inetd.conf
/etc/inetd.conf:ssm-un A Backup of inetd.conf
/etc/rc1.d/K01vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used, see sysreplace(1)
/etc/rc2.d/S17vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
/etc/rc3.d/S17vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
/etc/rc4.d/S17vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
/etc/rc5.d/S17vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
Operation
/etc/passwd M  
/etc/shadow M  
/etc/group M  
/var/spool/cron/crontabs/root M  
/run/utmp M  
/var/log/wtmp M  
/var/log/lastlog M  
/etc/krb5.conf M  
/etc/krb5.keytab M  
/etc/krb5.conf.adj_org A  

HP-UX 11v3

Install
/sbin/init.d/boksm A  
/sbin/rc0.d/K99boksm -> ../init.d/boksm A  
/sbin/rc2.d/S99boksm -> ../init.d/boksm A  
/usr/lib/security/pam_boks.so.1 A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.conf..ssm A Created from template
/etc/pam.conf M Original file renamed pam.conf..org and link /etc/pam.conf -> /etc/pam.conf..ssm added
/etc/inetd.conf M  
/etc/inetd.conf:ssm-inst A Backup of inetd.conf
/etc/inetd.conf:ssm-un A Backup of inetd.conf
Operation
/etc/passwd M  
/etc/shadow M If "shadow password" mode
/etc/group M  
/var/spool/cron/crontabs/root M  
/tcb/files/auth/* M If "trusted" mode
/etc/utmp M  
/etc/utmpx M  
/var/adm/wtmp M  
/var/adm/wtmps M  
/var/adm/sulog M  
/etc/krb5.conf M  
/etc/krb5.keytab M  
/etc/krb5.conf.adj_org A  

RedHat-EL 6

Install
/etc/pam.d/boks_sshd A  
/etc/pam.d/suexec A  
/etc/rc.d/init.d/boksm A  
/etc/rc.d/rc0.d/K99boksm -> ../init.d/boksm A  
/etc/rc.d/rc1.d/K99boksm -> ../init.d/boksm A  
/etc/rc.d/rc2.d/S99boksm -> ../init.d/boksm A  
/etc/rc.d/rc3.d/S99boksm -> ../init.d/boksm A  
/etc/rc.d/rc5.d/S99boksm -> ../init.d/boksm A  
/etc/rc.d/rc6.d/K99boksm -> ../init.d/boksm A  
/lib64/security/pam_boks_select.so A  
/lib64/security/pam_boks.so.1 A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/gshadow R Removed by grpunconv if it exists.
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.d M Directory renamed pam.d..org and link /etc/pam.d -> $BOKS_etc/pam.d added
/etc/xinetd.d/rexec M Modified to use BoKS in.rexecd
/etc/xinetd.d/(ftp,rsh,rlogin,telnet) M If sysreplace activate/deactivate services is used
Operation
/etc/passwd M  
/etc/shadow M  
/etc/group M  
/var/spool/cron/crontabs/root M  
/run/utmp M  
/var/log/wtmp M  
/var/log/lastlog M  
/etc/krb5.conf M  
/etc/krb5.keytab M  
/etc/krb5.conf.adj_org A  
BoKS SELinux module
/etc/selinux/targeted/modules/active/file_contexts M  
/etc/selinux/targeted/modules/active/file_contexts.template M  
/etc/selinux/targeted/modules/active/policy.kern M  
/etc/selinux/targeted/modules/active/commit_num M  
/etc/selinux/targeted/modules/active/modules/boks.pp A  
/etc/selinux/targeted/modules/active/modules/boks_clntd.pp A  
/etc/selinux/targeted/modules/active/modules/boks_kslog.pp A  
/etc/selinux/targeted/modules/active/modules/boks_suexec.pp A  
/etc/selinux/targeted/policy/policy.(num) A  

RedHat-EL 7

Install
/etc/pam.d/boks_sshd A  
/etc/pam.d/suexec A  
/etc/rc.d/init.d/boksm A  
/etc/rc.d/rc0.d/K99boksm -> ../init.d/boksm A  
/etc/rc.d/rc1.d/K99boksm -> ../init.d/boksm A  
/etc/rc.d/rc2.d/S99boksm -> ../init.d/boksm A  
/etc/rc.d/rc3.d/S99boksm -> ../init.d/boksm A  
/etc/rc.d/rc5.d/S99boksm -> ../init.d/boksm A  
/etc/rc.d/rc6.d/K99boksm -> ../init.d/boksm A  
/lib64/security/pam_boks_select.so A  
/lib64/security/pam_boks.so.1 A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/gshadow R Removed by grpunconv if it exists.
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.d M Directory renamed pam.d..org and link /etc/pam.d -> $BOKS_etc/pam.d added
/etc/inetd.conf M Modified if sysreplace activate/deactivate services function is used, see sysreplace(1)
Operation
/etc/passwd M  
/etc/shadow M  
/etc/group M  
/var/spool/cron/crontabs/root M  
/run/utmp M  
/var/log/wtmp M  
/var/log/lastlog M  
/etc/krb5.conf M  
/etc/krb5.keytab M  
/etc/krb5.conf.adj_org A  
BoKS SELinux module
/etc/selinux/targeted/modules/active/file_contexts M  
/etc/selinux/targeted/modules/active/file_contexts.bin M  
/etc/selinux/targeted/modules/active/policy.kern M  
/etc/selinux/targeted/modules/active/commit_num M  
/etc/selinux/targeted/modules/active/modules/boks.pp A  
/etc/selinux/targeted/modules/active/modules/boks_clntd.pp A  
/etc/selinux/targeted/modules/active/modules/boks_kslog.pp A  
/etc/selinux/targeted/modules/active/modules/boks_suexec.pp A  
/etc/selinux/targeted/policy/policy.(num) A  

Solaris 10 & 11

Install
/etc/init.d/boksm A  
/etc/rc0.d/K99boksm -> ../init.d/boksm A  
/etc/rc2.d/S99boksm -> ../init.d/boksm A  
/usr/kernel/drv/{sparcv9|amd64}/tlock A  
/usr/kernel/drv/tlock.conf A  
/usr/kernel/strmod/{sparcv9|amd64}/tlock A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.conf..ssm A Created from template
/etc/pam.conf M Original file renamed pam.conf..org and link /etc/pam.conf -> /etc/pam.conf..ssm added
/etc/svc/repository.db M If sysreplace activate/deactivate services function is used
Operation
/etc/passwd M  
/etc/shadow M  
/etc/group M  
/var/adm/utmpx M  
/var/adm/wtmpx M  
/etc/krb5/krb5.conf M  
/etc/krb5/krb5.keytab M  
/etc/krb5/krb5.conf.adj_org A  

SuSE 11 & 12

Install
/etc/init.d/boksm A  
/etc/pam.d/boks_sshd A  
/etc/pam.d/suexec A  
/lib64/security/pam_boks_select.so A  
/lib64/security/pam_boks.so.1 A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/gshadow R Removed by grpunconv if it exists.
/etc/init.d/rc2.d/Kboksm -> ../boksm A Added by insserv
/etc/init.d/rc2.d/Sboksm -> ../boksm A Added by insserv
/etc/init.d/rc3.d/Kboksm -> ../boksm A Added by insserv
/etc/init.d/rc3.d/Sboksm -> ../boksm A Added by insserv
/etc/init.d/rc5.d/Kboksm -> ../boksm A Added by insserv
/etc/init.d/rc5.d/Sboksm -> ../boksm A Added by insserv
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.d M Directory renamed pam.d..org and link /etc/pam.d -> $BOKS_etc/pam.d added
/etc/xinetd.d/rexec M Modified to use BoKS in.rexecd
/etc/xinetd.d/(ftp,rsh,rlogin,telnet) M If sysreplace activate/deactivate services is used
Operation
/etc/passwd M  
/etc/shadow M  
/etc/group M  
/var/spool/cron/crontabs/root M  
/var/run/utmp M SuSE 11
/run/utmp M SuSE 12
/var/log/wtmp M  
/var/log/lastlog M  
/etc/krb5.conf M  
/etc/krb5.keytab M  
/etc/krb5.conf.adj_org A  

Ubuntu 14

Install
/etc/init.d/boksm A  
/etc/pam.d/boks_sshd A  
/etc/pam.d/suexec A  
/lib/x86_64-linux-gnu/security/pam_boks.so.1 A  
/lib/x86_64-linux-gnu/security/pam_boks_select.so A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/gshadow R Removed by grpunconv if it exists.
/etc/rc0.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc1.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc2.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc3.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc4.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc5.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc6.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.d M Directory renamed pam.d..org and link /etc/pam.d -> $BOKS_etc/pam.d added
/etc/inetd.conf M Modified if sysreplace activate/deactivate services function is used, see sysreplace(1)
/etc/inetd.conf:ssm-inst A Backup of inetd.conf
/etc/inetd.conf:ssm-un A Backup of inetd.conf
Operation
/etc/passwd M  
/etc/shadow M  
/etc/group M  
/var/spool/cron/crontabs/root M  
/run/utmp M  
/var/log/wtmp M  
/var/log/lastlog M  
/etc/krb5.conf M  
/etc/krb5.keytab M  
/etc/krb5.conf.adj_org A  

Ubuntu 16

Install
/etc/init.d/boksm A  
/etc/pam.d/boks_sshd A  
/etc/pam.d/suexec A  
/lib/x86_64-linux-gnu/security/pam_boks.so.1 A  
/lib/x86_64-linux-gnu/security/pam_boks_select.so A  
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi A If not installed in default location
Setup
/var/empty A Directory created if it does not exist. Used by boks_sshd
/etc/gshadow R Removed by grpunconv if it exists.
/etc/rc0.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc1.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc2.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc3.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc4.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc5.d/S(n)boksm -> ../init.d/boksm A Added by insserv
/etc/rc6.d/K(n)boksm -> ../init.d/boksm A Added by insserv
/etc/boksmconfig.poi -> $BOKS_etc/ENV.poi R If not installed in default location
/etc/boksmconfig -> $BOKS_etc/ENV A If not installed in default location
Sysreplace
/etc/pam.d M Directory renamed pam.d..org and link /etc/pam.d -> $BOKS_etc/pam.d added
/etc/inetd.conf M Modified if sysreplace activate/deactivate services function is used, see sysreplace(1)
/etc/inetd.conf:ssm-inst A Backup of inetd.conf
/etc/inetd.conf:ssm-un A Backup of inetd.conf
/etc/rc0.d/K01vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used, see sysreplace(1)
/etc/rc1.d/K01vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
/etc/rc2.d/S17vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
/etc/rc3.d/S17vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
/etc/rc4.d/S17vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
/etc/rc5.d/S17vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
/etc/rc6.d/K01vsftpd -> ../init.d/vsftpd A/R If sysreplace activate/deactivate services function is used
Operation
/etc/passwd M  
/etc/shadow M  
/etc/group M  
/var/spool/cron/crontabs/root M  
/run/utmp M  
/var/log/wtmp M  
/var/log/lastlog M  
/etc/krb5.conf M  
/etc/krb5.keytab M  
/etc/krb5.conf.adj_org A  

A = Added, M = Modified, R = Removed
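
The PAM entries in the Sysreplace rows above (/etc/pam.d or /etc/pam.conf replaced by a link, with the original kept as ..org) can be used to tell whether BoKS is activated on a host or on a mounted image. The shell function below is an added example, not vendor code; the name boks_pam_state, its ROOT argument and the treatment of a leftover ..org copy next to an unlinked original as "inconsistent" are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Classifies the PAM side of sysreplace from
# the markers listed in the Sysreplace tables.
# Assumption: a deactivated host has the original pam.d / pam.conf back in
# place with no ..org copy left beside it; anything else is "inconsistent".

# boks_pam_state [ROOT] [BOKS_ETC]
#   ROOT     prefix of the tree to inspect ("" = live system, or a mounted image)
#   BOKS_ETC BoKS configuration directory (default /etc/opt/boksm)
# Prints: active | inactive | inconsistent | unknown
boks_pam_state() {
    root=${1%/}
    boks_etc=${2:-/etc/opt/boksm}
    pamd="$root/etc/pam.d"
    pamconf="$root/etc/pam.conf"

    if [ -L "$pamd" ]; then
        # Linux layout: /etc/pam.d -> $BOKS_etc/pam.d, original kept as pam.d..org
        if [ "$(readlink "$pamd")" = "$boks_etc/pam.d" ] && [ -d "$pamd..org" ]; then
            echo active
        else
            echo inconsistent   # link points elsewhere, or original directory is gone
        fi
    elif [ -L "$pamconf" ]; then
        # AIX / HP-UX / Solaris layout: /etc/pam.conf -> /etc/pam.conf..ssm
        if [ "$(readlink "$pamconf")" = "/etc/pam.conf..ssm" ] \
            && [ -f "$pamconf..ssm" ] && [ -f "$pamconf..org" ]; then
            echo active
        else
            echo inconsistent   # link points elsewhere, or template/original missing
        fi
    elif [ -e "$pamd..org" ] || [ -e "$pamconf..org" ]; then
        echo inconsistent       # no link in place but a ..org copy is left behind
    elif [ -d "$pamd" ] || [ -f "$pamconf" ]; then
        echo inactive           # plain OS PAM configuration
    else
        echo unknown            # no PAM configuration found under ROOT
    fi
}

# Usage on a live system: boks_pam_state "" "$BOKS_etc"
```

An "inconsistent" result is the case worth a file-integrity alert: the PAM link points somewhere other than the documented target, or the saved original is missing.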



Last Modified On: August 28, 2019