whitelist.conf reference

The whitelist.conf file enables you to control access to log files and directories in the cluster.

Location

The whitelist.conf file (with parameters commented out) is installed with IBM® Spectrum Conductor at $EGO_CONFDIR. Without an allowlist configuration, users can retrieve all files and directories on the host; access to files through soft links is also allowed.
Note: The whitelist.conf file must be available on management and compute hosts in your cluster. After you update this file on the primary host, run the rsdeploy command to deploy the file to all hosts in your cluster. See Restricting log retrieval.

Parameters

EGO_RFA_ALLOW_SOFTLINK
Optional. Whether to allow access to files that are referenced by soft links. Valid values are y or Y to allow access and n or N to deny access. If the parameter is not defined or its value is not valid, access through soft links is allowed.
Note: If EGO_RFA_ALLOW_SOFTLINK=n and a soft link is added to the allowlist in the WHITELIST parameter, the contents of the file referenced by the soft link cannot be retrieved.
Default: Access through soft links is allowed.
WHITELIST
Optional. Specifies an allowlist of directories, separated by semi-colons, from which log files can be retrieved. Valid values are absolute paths to one or more directories, each of which is specified as a regular expression, up to a maximum of 1014 characters. Do not specify relative paths. Take care also to define any user-specified directories. If the directory is not listed, users cannot retrieve files from that directory. You can also include system environment variables in your expression.
The following regular expressions are supported:
Regular expression    Description

Character classes
\s                    Blank space
\S                    Not blank space
\d                    Digit
\D                    Not digit
\w                    Word
\W                    Not word
\x                    Hexadecimal digit
\O                    Octal digit

Special characters
\n                    New line
\r                    Carriage return
\t                    Tab
.                     Any character except line break

Anchors
^                     Start of string, or start of line in multi-line pattern
$                     End of string, or end of line in multi-line pattern

Quantifiers
+                     One or more
*                     Zero or more times
{n}                   Exactly n times
?                     Once or none

Group and Ranges
(a|b)                 a or b
(….)                  Group
[abc]                 Range (a or b or c)
[^abc]                Not (a or b or c)

Here are some examples of how you can use a regular expression in the WHITELIST parameter:
  • To allow access to all files and subdirectories under $EGO_TOP, use:
    (${EGO_TOP}/.*)

    When you specify multiple directories, use a semi-colon (;) to separate the directories and enclose each entry in parentheses (()), for example, (${EGO_TOP}/kernel/log/.*);(${EGO_TOP}/ascd/logs/.+).

  • To deny access to subdirectories relative to the top-level installation directory (such as $EGO_TOP/../forbidden), use:
    (${EGO_TOP}/(?!.*\.\./).*)
  • To allow access to any file under a directory named log or logs under $EGO_TOP, use:
    (${EGO_TOP}/.*/(log|logs)/.+)
  • To allow access to files under $EGO_LOGDIR with .log as the file extension or in the file name, use:
    (${EGO_TOP}/kernel/log/.+\.log.*)
  • To allow access to files with .log. in the file name followed by a string (such as the host name) which might end with one or two digits, use:
    (${EGO_TOP}/kernel/log/.+\.log\..+[0-9]??)

Take care to ensure that your expression is valid and matches the directories you want to allow access to. If the WHITELIST parameter is not defined, users can retrieve all files and directories on the host.

Default: Access to all files and directories on the host is allowed.
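
One way to check a WHITELIST value before running rsdeploy, shown as an added example that is not IBM's code: it splits the entries, expands ${EGO_TOP}, and reports which entry, if any, admits each sample path. It assumes whole-path matching and uses Python's re module as a stand-in for the product's regular expression engine, which it does not replicate (\x and \O from the table above are not supported); the function names, /opt/ego and the sample paths are constructed for illustration.

```python
import re

def compile_whitelist(value, env):
    """Split a WHITELIST value on ';', expand ${VAR} from env, compile entries."""
    compiled = []
    for entry in (e.strip() for e in value.split(";") if e.strip()):
        # Expand ${VAR}; the value is escaped so it is matched literally.
        expanded = re.sub(r"\$\{(\w+)\}",
                          lambda m: re.escape(env[m.group(1)]), entry)
        # The page requires absolute paths, so reject relative entries.
        if not expanded.lstrip("(").startswith("/"):
            raise ValueError(f"not an absolute path: {entry}")
        try:
            compiled.append((entry, re.compile(expanded)))
        except re.error as exc:
            raise ValueError(f"invalid expression {entry}: {exc}") from exc
    return compiled

def matching_entry(path, compiled):
    """Return the first entry that matches the whole path, or None."""
    for entry, pattern in compiled:
        if pattern.fullmatch(path):   # assumption: whole-path matching
            return entry
    return None

def audit(paths, whitelist, env):
    """Map each path to the allowlist entry that admits it (None = denied)."""
    compiled = compile_whitelist(whitelist, env)
    return {p: matching_entry(p, compiled) for p in paths}

# Constructed sample values; /opt/ego is a placeholder for $EGO_TOP.
ENV = {"EGO_TOP": "/opt/ego"}
TWO_DIRS = r"(${EGO_TOP}/kernel/log/.*);(${EGO_TOP}/ascd/logs/.+)"
NO_DOTDOT = r"(${EGO_TOP}/(?!.*\.\./).*)"
SAMPLE_PATHS = [
    "/opt/ego/kernel/log/vemkd.log",
    "/opt/ego/ascd/logs/",              # '.+' needs at least one character
    "/opt/ego/kernel/conf/ego.conf",
    "/opt/ego/../forbidden/app.log",
]

if __name__ == "__main__":
    for name, value in (("TWO_DIRS", TWO_DIRS), ("NO_DOTDOT", NO_DOTDOT)):
        for path, entry in audit(SAMPLE_PATHS, value, ENV).items():
            print(f"{name:9} {path:34} -> {entry or 'DENIED'}")
```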

Example

EGO_RFA_ALLOW_SOFTLINK=n
WHITELIST=(${EGO_TOP}/kernel/log/.+\.log\..+[1-9]??);(${EGO_TOP}/kernel/log/*);(${EGO_TOP}/kernel/log/vemkd\.log*)