Description
Type string READ/WRITE
If runcksum is defined, pmlocald verifies the value of this variable against the checksum of the runcommand and rejects the request if it does not match. Set this variable to the value produced by running the pmsum command on the agent with the full pathname of the runcommand.
You can use this method to detect a program that has been changed without authorization, and a program that a user is attempting to run from an unauthorized path.
Example
# Generate a checksum value for the program "/usr/bin/passwd" on the agent host1
# for use in the policy file on the policy server.
pmsum /usr/bin/passwd
# The pmsum command displays the output:
fbc9cf01 /usr/bin/passwd
# Update the security policy using this checksum:
if (( basename(runcommand) == "passwd" ) && (host == "host1"))
{
runcksum="fbc9cf01";
}
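The check described above, modelled as an added example (not Privilege Manager code). SHA-256 stands in for pmsum, whose algorithm the page does not state, and check_request, the policy dictionary and the temporary paths are hypothetical. It covers both cases the text names: a program that has been modified, and a same-named program run from another path.

```python
import hashlib
import os
import tempfile

def file_checksum(path):
    # Assumption: SHA-256 stands in for pmsum, whose algorithm is not given.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_request(runcommand, policy):
    # Hypothetical model of the agent-side decision. `policy` maps a command
    # basename to the expected checksum, mirroring basename(runcommand) above.
    expected = policy.get(os.path.basename(runcommand))
    if expected is None:
        return ("accept", "runcksum not defined")
    try:
        actual = file_checksum(runcommand)
    except OSError:
        return ("reject", "cannot read runcommand")
    if actual != expected:
        return ("reject", "checksum mismatch")
    return ("accept", "checksum matches")

def demo():
    # Constructed sample files in a temporary directory; nothing real is touched.
    results = {}
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "usr_bin", "passwd")
        rogue = os.path.join(root, "home_user", "passwd")
        for path, body in ((trusted, b"vendor build\n"), (rogue, b"user build\n")):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(body)
        policy = {"passwd": file_checksum(trusted)}  # recorded once, like pmsum
        results["trusted"] = check_request(trusted, policy)
        results["other_path"] = check_request(rogue, policy)
        with open(trusted, "ab") as f:  # simulate an unauthorized change
            f.write(b"patched\n")
        results["modified"] = check_request(trusted, policy)
        results["missing"] = check_request(os.path.join(root, "gone", "passwd"), policy)
        results["no_policy"] = check_request(os.path.join(root, "usr_bin", "ls"), policy)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```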
Description
Type string READ/WRITE
runclienthost is a modifiable copy of the clienthost input variable.
Example
# reject commands being issued from unknown workstations
workstations = {"sun34","sun35","sun36"};
if (!(clienthost in workstations))
reject;
Description
Type string READ/WRITE
runcommand is a modifiable copy of the command input variable. It specifies the pathname of the program that pmlocald will run.
Example
Setting runcommand can be a useful way of using a pseudonym for a command that an auditor wants to disguise:
if ( command == "passcmd")
{
runcommand="/usr/bin/passwd";
runargv[0]="passwd";
runargv=replace(runargv,1,length(runargv));
}
Description
Type string READ/WRITE
Set runconfirmuser to a user name to direct pmlocald to request the runuser to authenticate as this user before running the runcommand. If authentication fails, then pmlocald rejects the session.
Example
if ( (user in appl_users) && (command in appl_cmds) )
{
runconfirmuser=runuser;
}
Related Topics
runuser