Chat now with support
Chat with Support

Privilege Manager for Unix 7.0 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Lesson 4: Policy optimization with list variables

This lesson improves upon the design of Lesson 3, making the policy easier to read and faster to interpret with the introduction of list variables. List variables represent groups of data, in this case users and commands, which you can use in multiple places as values for test constraints.

adminusers = {"dan", "robyn"}; 
adminprogs = {"ls", "hostname", "kill"}; 

if (user in adminusers || user==PMLESSON_USER) 
   { if (command in adminprogs) 
      { runuser = "root"; 
         accept; 
      } 
   }

The "in" operator is used to test whether a variable matches a member of a list:

# su demo 
$ pmrun shutdown 
Request Rejected by pmmasterd on UPMhost 
$ pmrun ls /etc/opt/quest/qpm4u 
pm.settings policy

Refer to Lesson 4 Sample: Policy optimizations with list variables to see the sample policy used in this lesson.

Lesson 5: Keystroke logging

This lesson introduces two new and important elements of policy writing. You can enable keystroke logging (I/O logging) at any point, and you can configure it to be conditional on any required elements.

This example enables keystroke logging when the permitted user runs these two commands, the csh and ksh shells; the user can run all other commands as root but without logging keystrokes.

Setting the "iolog" variable to a filename creates a keystroke log with that filename:

iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");

You must choose the filename of the log file carefully. Its location and name are under the complete control of the policy script and in order to ensure that the file is unique, use the mktmp() function.

# LESSON=5; export LESSON 
# su demo 
$ pmrun csh

This request is logged in: /var/adm/pm.demo.csh.wXYeyn

In the example shown above, the log filename is displayed and the csh session is started. Now enter commands to create I/O logging and then exit back to the parent shell.

# date 
# cal 
# hostname 
# whoami 
# exit 
$ exit

The output from these commands has been omitted for clarity.

It is now possible to replay this keystroke log file to display the session as seen by the demo user. Run the following command as root.

# /opt/quest/sbin/pmreplay /var/adm/pm.demo.csh.wXYeyn

Experiment with the controls within pmreplay to move backwards and forwards within the log session, using these commands:

Table 16: Replay controls
Control Description
g Go to start
G Go to end
[Space] bar Go to next input
t Display time stamp
v Dump variables
Backspace Previous position
Ctrl Next position
Quit

Refer to Lesson 5 Sample: Keystroke logging to see the sample policy used in this lesson.

Lesson 6: Conditional keystroke logging

This lesson extends the logging example from the previous lesson, adding an exclusion to prevent privileged access outside of office hours, effectively combining the functionality you saw in lesson two, and displaying a message to the requesting user in such a situation:

adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};

adminusers=append(adminusers,PMLESSON_USER); #Add the lesson user to list

if (user in adminusers && command in adminprogs) 
   { runuser = "root";
      if (command in {"csh", "ksh"}) 
         { iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
           print("This command will be logged to:", iolog);
         }

      if (user in adminusers && (!timebetween(800,1700) || dayname in {"Sat", "Sun"})) 
         { print ("Sorry, you can't use that command outside office hours.");
           reject;
         }

      accept;
}

The above policy allows several admin programs to run, but only enables keystroke logging for the interactive shells.

# LESSON=6; export LESSON 
# date mmdd1000 
# su demo 
$ pmrun hostname 
UPMhost 
$ exit 
# date mmdd2200
# su demo 
$ pmrun hostname 
Sorry, you can't use that command outside office hours. 
Request Rejected by pmmasterd on UPMhost 
$ exit

where in the date commands, mm and dd refer to the two-digit representations of the month and day respectively.

In this example, you set the date as root before switching to demo, your test user. With the date initially set to a date/time combination which falls within office hours, Privilege Manager for Unix accepts the command.

Privilege Manager for Unix rejected the command and displayed a message when you exited back to the root shell, set the date/time to one outside of office hours, switched back to the test user, demo, and repeated the exercise.

Having reached this point you have established a good repertoire of policy constructs which form the basis of most policy file definitions. The use of list variables to hold constraint information used in combination with conditional tests using the if() construct represents the core function of most policy rules.

You use the print() and printf() functions to display messages and information throughout the policy. To control the keystroke logging, you use the value of the iolog system variable and the mktemp() function.

Remember to reset the correct time on your system by running the date command as the root user.

Refer to Lesson 6 Sample: Conditional keystroke logging to see the sample policy used in this lesson.

Lesson 7: Policy optimizations

In this final interactive lesson, you will look at methods you can use to optimize your policy using all of the constructions we have covered so far:

  • list variables
  • constraint tests
  • I/O logging
  • message display

Additionally, you are introduced to the concept of requesting a password as confirmation before a certain command can be run.

One Identity recommends that you examine the policy and make any necessary modifications to establish the password validation test performs as expected.

# LESSON=7; export LESSON 
# date mmdd2200 
# su dan 
$ pmrun hostname 
Sorry, you can't use that command outside office hours. 
Request Rejected by pmmasterd on UPMhost 
$ exit 
# su robyn 
$ pmrun hostname 
$ Password: <type in Robyn's password> 
UPMhost

Remember to reset the correct time on your system by running the date command as the root user.

This lesson expands on the example in lesson 6. First, you forbid dan from running admin commands outside normal office hours. Then, because you saved the boolean value "officehours" earlier, you can check it again, this time to request for Robyn's password if they attempt to run a command outside office hours.

officehours = timebetween(800, 1700) && dayname !in {"Sat", "Sun"}; 
adminusers = {"dan", "robyn"}; 
adminprogs = {"ls", "hostname", "kill", "csh", "ksh"}; 
if (user in adminusers && command in adminprogs) { 
runuser = "root"; 
if (user == "dan" && !officehours) { 
print("Sorry, you can't use that command outside office hours."); 
reject; 
} 
if (user == "robyn" && !officehours) { 
if (!getuserpasswd(user)) reject; 
} 
accept; 
}

Refer to Lesson 7 Sample: Policy optimizations to see the sample policy used in this lesson.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating