Guarding non-system-sensitive sub-directories
This topic discusses guarding non-system-sensitive sub-directories inside /etc.
Guarding sub-directories under /etc
By default, CTE does not allow guarding the /etc directory, because it contains critical system configuration files. However, users may guard certain sub-directories under /etc, provided those sub-directories are not associated with system-specific configuration files.
CTE maintains a block list of directories that must never be guarded. If a user attempts to guard any of these directories, guarding fails. The current block list contains the following restricted directories:
/etc/sudoers.d
/etc/pam.d
/etc/security
/etc/ssh
/etc/ssl
/etc/systemd
/etc/init.d
/etc/rc.d
/etc/cron.d
/etc/network
/etc/methods
/etc/objrepos
/etc/default
/etc/vormetric
/etc/selinux
/etc/kernel
Users can guard any sub-directory under /etc other than those listed above.
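The rule above as a pre-flight check an administrator could run on a candidate path before attempting to guard it. This is an added example, not part of the CTE documentation or product code; the function name and result labels are hypothetical. It assumes, conservatively, that anything beneath a block-listed directory is also refused, which this page does not state.

```python
import posixpath

# Block list exactly as given on this page.
BLOCKED_DIRS = (
    "/etc/sudoers.d", "/etc/pam.d", "/etc/security", "/etc/ssh",
    "/etc/ssl", "/etc/systemd", "/etc/init.d", "/etc/rc.d",
    "/etc/cron.d", "/etc/network", "/etc/methods", "/etc/objrepos",
    "/etc/default", "/etc/vormetric", "/etc/selinux", "/etc/kernel",
)


def classify_guard_path(path):
    """Classify a candidate path (hypothetical helper, lexical check only).

    Returns 'etc-root', 'blocked', 'not-blocked' or 'outside-etc'.
    """
    if not path.startswith("/"):
        raise ValueError("candidate path must be absolute: %r" % path)
    # Collapse '.', '..', repeated and trailing slashes without touching disk.
    norm = posixpath.normpath(path)
    if norm.startswith("//"):  # normpath preserves exactly two leading slashes
        norm = "/" + norm.lstrip("/")
    if norm == "/etc":
        return "etc-root"  # /etc itself cannot be guarded
    if not norm.startswith("/etc/"):
        return "outside-etc"  # not covered by this rule
    for blocked in BLOCKED_DIRS:
        # Match the directory itself or (assumption) anything beneath it.
        # Appending '/' keeps /etc/ssh from matching /etc/ssh-backup.
        if norm == blocked or norm.startswith(blocked + "/"):
            return "blocked"
    return "not-blocked"


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real host.
    for candidate in ("/etc/ssh/", "/etc/myapp/../pam.d", "/etc/ssh-backup",
                      "/etc/myapp/conf", "/etc", "/var/lib/data"):
        print("%-22s %s" % (candidate, classify_guard_path(candidate)))
```

The check is lexical only, so a symbolic link that points into a block-listed directory is not detected. A "not-blocked" result still has to meet the condition above that the sub-directory is not associated with system-specific configuration files.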