This lesson improves upon the design of Lesson 3, making the policy easier to read and faster to interpret with the introduction of list variables. List variables represent groups of data, in this case users and commands, which you can use in multiple places as values for test constraints.
adminusers = {"dan", "robyn"}; adminprogs = {"ls", "hostname", "kill"}; if (user in adminusers || user==PMLESSON_USER) { if (command in adminprogs) { runuser = "root"; accept; } }
The "in" operator is used to test whether a variable matches a member of a list:
# su demo $ pmrun shutdown Request Rejected by pmmasterd on UPMhost $ pmrun ls /etc/opt/quest/qpm4u pm.settings policy
Refer to Lesson 4 Sample: Policy optimizations with list variables to see the sample policy used in this lesson.
This lesson introduces two new and important elements of policy writing. You can enable keystroke logging (I/O logging) at any point, and you can configure it to be conditional on any required elements.
This example enables keystroke logging when the permitted user runs these two commands, the csh and ksh shells; the user can run all other commands as root but without logging keystrokes.
Setting the "iolog" variable to a filename creates a keystroke log with that filename:
iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
You must choose the filename of the log file carefully. Its location and name are under the complete control of the policy script and in order to ensure that the file is unique, use the mktmp() function.
# LESSON=5; export LESSON # su demo $ pmrun csh
This request is logged in: /var/adm/pm.demo.csh.wXYeyn
In the example shown above, the log filename is displayed and the csh session is started. Now enter commands to create I/O logging and then exit back to the parent shell.
# date # cal # hostname # whoami # exit $ exit
The output from these commands has been omitted for clarity.
It is now possible to replay this keystroke log file to display the session as seen by the demo user. Run the following command as root.
# /opt/quest/sbin/pmreplay /var/adm/pm.demo.csh.wXYeyn
Experiment with the controls within pmreplay to move backwards and forwards within the log session, using these commands:
Control | Description |
---|---|
g | Go to start |
G | Go to end |
[Space] bar | Go to next input |
t | Display time stamp |
v | Dump variables |
Backspace | Previous position |
Ctrl | Next position |
Quit |
Refer to Lesson 5 Sample: Keystroke logging to see the sample policy used in this lesson.
This lesson extends the logging example from the previous lesson, adding an exclusion to prevent privileged access outside of office hours, effectively combining the functionality you saw in lesson two, and displaying a message to the requesting user in such a situation:
adminusers = {"dan", "robyn"}; adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"}; adminusers=append(adminusers,PMLESSON_USER); #Add the lesson user to list if (user in adminusers && command in adminprogs) { runuser = "root"; if (command in {"csh", "ksh"}) { iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX"); print("This command will be logged to:", iolog); } if (user in adminusers && (!timebetween(800,1700) || dayname in {"Sat", "Sun"})) { print ("Sorry, you can't use that command outside office hours."); reject; } accept; }
The above policy allows several admin programs to run, but only enables keystroke logging for the interactive shells.
# LESSON=6; export LESSON # date mmdd1000 # su demo $ pmrun hostname UPMhost $ exit # date mmdd2200 # su demo $ pmrun hostname Sorry, you can't use that command outside office hours. Request Rejected by pmmasterd on UPMhost $ exit
where in the date commands, mm and dd refer to the two-digit representations of the month and day respectively.
In this example, you set the date as root before switching to demo, your test user. With the date initially set to a date/time combination which falls within office hours, Privilege Manager for Unix accepts the command.
Privilege Manager for Unix rejected the command and displayed a message when you exited back to the root shell, set the date/time to one outside of office hours, switched back to the test user, demo, and repeated the exercise.
Having reached this point you have established a good repertoire of policy constructs which form the basis of most policy file definitions. The use of list variables to hold constraint information used in combination with conditional tests using the if() construct represents the core function of most policy rules.
You use the print() and printf() functions to display messages and information throughout the policy. To control the keystroke logging, you use the value of the iolog system variable and the mktemp() function.
Remember to reset the correct time on your system by running the date command as the root user.
Refer to Lesson 6 Sample: Conditional keystroke logging to see the sample policy used in this lesson.
In this final interactive lesson, you will look at methods you can use to optimize your policy using all of the constructions we have covered so far:
Additionally, you are introduced to the concept of requesting a password as confirmation before a certain command can be run.
One Identity recommends that you examine the policy and make any necessary modifications to establish the password validation test performs as expected.
# LESSON=7; export LESSON # date mmdd2200 # su dan $ pmrun hostname Sorry, you can't use that command outside office hours. Request Rejected by pmmasterd on UPMhost $ exit # su robyn $ pmrun hostname $ Password: <type in Robyn's password> UPMhost
Remember to reset the correct time on your system by running the date command as the root user.
This lesson expands on the example in lesson 6. First, you forbid dan from running admin commands outside normal office hours. Then, because you saved the boolean value "officehours" earlier, you can check it again, this time to request for Robyn's password if they attempt to run a command outside office hours.
officehours = timebetween(800, 1700) && dayname !in {"Sat", "Sun"}; adminusers = {"dan", "robyn"}; adminprogs = {"ls", "hostname", "kill", "csh", "ksh"}; if (user in adminusers && command in adminprogs) { runuser = "root"; if (user == "dan" && !officehours) { print("Sorry, you can't use that command outside office hours."); reject; } if (user == "robyn" && !officehours) { if (!getuserpasswd(user)) reject; } accept; }
Refer to Lesson 7 Sample: Policy optimizations to see the sample policy used in this lesson.
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center