Lesson 3 Sample: Specific commands
#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example3
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
# Purpose: describe the lesson to the requesting user, echo the submitted
# command line, then accept "ls", "hostname" or "kill" as root for the two
# permitted users. Any other request falls through without an "accept".
print("------------------ LESSON 3 DESCRIPTION ------------------------");
printf("Policy file %s/examples/example3.conf\n",PMINST);
print("--------------------------------------------------------");
printf("This policy allows users %s and dan to run *some* programs as
root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("--------------------------------------------------------");
# Echo argv[0..argc-1] back to the user. This is display only: the
# arguments are never tested below, so the policy constrains the command
# name but not what it is invoked with.
i=0;
while (i<argc)
{ printf("%s ",argv[i]); # Redisplay the original command line for clarity
i=i+1;
}
printf("\n");
#=================================================================
# Authorisation. The outer "if" has no braces, so it presumably governs
# only the single inner "if" that follows it, as in C -- confirm against
# the policy grammar. Only the three named commands are granted, and they
# run as root. There is no explicit "reject": a request that fails either
# test reaches the end of the policy without an "accept" (the description
# printed above states that such requests are rejected).
if (user=="dan" || user==PMLESSON_USER)
if (command == "ls" || command == "hostname" || command == "kill") {
runuser = "root"; # the granted command executes with root privilege
accept;
}
#=================================================================
See Lesson 3: Specific commands for details on using this sample policy file.
Lesson 4 Sample: Policy optimizations with list variables
#===================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example4
#
# This file should have permissions of 600 (rw-------).
# It must be owned by root.
#=========================================================================
# Purpose: same decision as Lesson 3 (a fixed set of users may run a fixed
# set of commands as root), expressed with list variables and the "in"
# operator instead of chained "==" comparisons.
print("------------------- LESSON 4 DESCRIPTION
-------------------------");
printf("Policy file %s/examples/example4.conf\n",PMINST);
print("------------------------------------------------------------------"
);
print("This lesson is identical to Lesson 3, but uses a different policy");
print("construct known as a list variable, making the policy simpler");
print("shorter and clearer to understand.");
print("Look at the policy files for lessons 3 & 4 and note the
differences.\n");
printf("This policy allows users %s, robyn and dan to run *some* programs as
root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("------------------------------------------------------------------"
);
# Echo argv[0..argc-1] back to the user. Display only: the arguments are
# never tested below, so only the command name is constrained.
i=0;
while (i<argc)
{ printf("%s ",argv[i]); # Redisplay the original command line for clarity
i=i+1;
}
printf("\n");
#=========================================================================
# Who may be granted root, and which command names they may run. Keeping
# both in lists means a change of membership is a one-line edit rather
# than a change to the condition below.
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill"};
# The lesson user is granted alongside the list members. No explicit
# "reject" here: anything not matched falls off the end without an
# "accept" (the description above states such requests are rejected).
if (user in adminusers || user==PMLESSON_USER)
{ if (command in adminprogs)
{ runuser = "root"; # the granted command executes with root privilege
accept;
}
}
#=========================================================================
See Lesson 4: Policy optimization with list variables for details on using this sample policy file.
Lesson 5 Sample: Keystroke logging
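#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example5
#
# This file should go in /etc/pm.conf with permissions of 600 (rw-------).
# It must be owned by root.
#=================================================================
# Purpose: accept every command as root for the admin users, and turn on
# keystroke (I/O) logging for csh and ksh sessions only.
print("---------------- LESSON 5 DESCRIPTION ------------------");
printf("Policy file %s/examples/example5.conf\n",PMINST);
print("--------------------------------------------------------");
print("This lesson introduces keystroke logging.");
printf("Users %s, robyn and dan are permitted to run everything as
root,\n",PMLESSON_USER);
print("but commands csh and ksh will be fully keystroke logged.");
print("This means that all I/O during these shell sessions will be logged.");
print("The log file is created with mktmp() and the name is displayed.");
print("The logfile will be something like pm.dan.ksh.a545456\n");
print("Look closely at Lesson 5 to see how logging is enabled.\n");
print("The log files can be replayed with the pmreplay utility.\n");
print("Don't forget to prefix commands with pmrun.");
print("--------------------------------------------------------");
# Echo argv[0..argc-1] back to the user. Display only: the arguments are
# never tested below.
i=0;
while (i<argc)
{ printf("%s ",argv[i]); # Redisplay the original command line for clarity
i=i+1;
}
printf("\n");
#=================================================================
adminusers = {"dan", "robyn"};
# Add the provided lesson user so they need not adjust the policy
adminusers = append(adminusers,PMLESSON_USER);
# Every command submitted by an admin user is accepted and run as root --
# there is no command list in this lesson. Only csh and ksh get an I/O
# log; any other command, including any other shell, is accepted with no
# keystroke log at all.
if (user in adminusers)
{ runuser = "root";
if (command in {"csh", "ksh"})
{ iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX"); # log name embeds the requesting user and command
iolog_opmax=10000; # presumably caps the amount of output recorded -- confirm the unit in the product documentation
print("This request will be logged in:", iolog);
}
accept;
}
#=================================================================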
See Lesson 5: Keystroke logging for details on using this sample policy file.
Lesson 6 Sample: Conditional keystroke logging
#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example6
#
# This file should go in /etc/pm.conf with permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
# Purpose: as Lesson 5, but the admin users are limited to a command list
# and are refused outside office hours; csh and ksh sessions are I/O-logged.
print("-------------- LESSON 6 DESCRIPTION --------------------");
os=osname(); # used only to build the example path printed on the next line
printf("Policy file %s/examples/"+os+"/example6.conf\n",PMINST);
print("--------------------------------------------------------");
print("This lesson extends lesson 5 by adding some statements that cause");
printf("requests by %s, dan and robyn to be rejected if they arrive
outside\n",PMLESSON_USER);
print("of regular office hours (8AM until 5PM Monday to Friday).");
print("A message is printed to the user's screen if this happens.");
print("Once again examine the policy file, noting use of logical not
operator.");
print("Try altering the timebetween() and dayname tests and check the
results");
print("--------------------------------------------------------");
# Echo argv[0..argc-1] back to the user. Display only: the arguments are
# never tested below, so only the command name is constrained.
i=0;
while (i<argc)
{ printf("%s ",argv[i]); # Redisplay the original command line for clarity
i=i+1;
}
printf("\n");
#=================================================================
adminusers = {"dan", "robyn"};
# Note that this list grants two shells and pmreplay (which reads the
# keystroke logs) as root, not just the three commands of Lessons 3 and 4.
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};
adminusers=append(adminusers,PMLESSON_USER); #Add the lesson user to list
# Both the user and the command name must match; anything else falls off
# the end of the policy without an "accept".
if (user in adminusers && command in adminprogs)
{ runuser = "root";
if (command in {"csh", "ksh"})
{ iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX"); # log name embeds the requesting user and command
print("This command will be logged to:", iolog);
}
# Office-hours check. The "user in adminusers" test here is redundant:
# it is already required by the enclosing condition. The arguments to
# timebetween() presumably encode 08:00 and 17:00 as HHMM, matching the
# description printed above -- confirm against the product documentation.
# iolog has already been assigned by this point; presumably "reject" ends
# evaluation before any session is started or logged.
if (user in adminusers && (!timebetween(800,1700) || dayname in {"Sat",
"Sun"}))
{ print ("Sorry, you can't use that command outside office hours.");
reject;
}
accept;
}
#=================================================================
See Lesson 6: Conditional keystroke logging for details on using this sample policy file.