Privilege Manager for Unix 7.3 - Administration Guide


Lesson 3: Specific commands

This lesson narrows the scope of which commands you can run with root privilege. The permitted list of commands is ls, hostname, and kill. Any other attempt to run a privileged command is rejected.

The "command" variable stores the command name issued by pmrun:

if (command == "ls" || command == "hostname" || command == "kill") {
   runuser = "root";
   accept;
}

# LESSON=3; export LESSON
# su demo
$ pmrun shutdown
Request Rejected by pmmasterd on <UPMhost>
$ pmrun hostname
UPMhost
$ exit

where <UPMhost> is the host name

To see the sample policy used in this lesson, see Lesson 3 Sample: Specific commands.

Lesson 4: Policy optimization with list variables

This lesson improves upon the design of Lesson 3, making the policy easier to read and faster to interpret with the introduction of list variables. List variables represent groups of data, in this case users and commands, which you can use in multiple places as values for test constraints.

adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill"};

if (user in adminusers || user == PMLESSON_USER) {
   if (command in adminprogs) {
      runuser = "root";
      accept;
   }
}

The in operator is used to test whether a variable matches a member of a list:

# su demo 
$ pmrun shutdown 
Request Rejected by pmmasterd on UPMhost 
$ pmrun ls /etc/opt/quest/qpm4u 
pm.settings policy

To see the sample policy used in this lesson, see Lesson 4 Sample: Policy optimizations with list variables.

Lesson 5: Keystroke logging

This lesson introduces two new and important elements of policy writing. You can enable keystroke logging (I/O logging) at any point, and you can configure it to be conditional on any required elements.

This example enables keystroke logging when the permitted user runs either of two commands, the csh and ksh shells; the user can run all other commands as root, but without keystroke logging.

Setting the "iolog" variable to a filename creates a keystroke log with that filename:

iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");

You must choose the filename of the log file carefully. Its location and name are under the complete control of the policy script; to ensure that the file is unique, use the mktemp() function.

# LESSON=5; export LESSON 
# su demo 
$ pmrun csh

This request is logged in: /var/adm/pm.demo.csh.wXYeyn

In the example shown above, the log filename is displayed and the csh session is started. Now enter some commands so that there is I/O to log, then exit back to the parent shell.

# date 
# cal 
# hostname 
# whoami 
# exit 
$ exit

The output from these commands has been omitted for clarity.

It is now possible to replay this keystroke log file to display the session as seen by the demo user. Run the following command as root.

# /opt/quest/sbin/pmreplay /var/adm/pm.demo.csh.wXYeyn

Experiment with the controls within pmreplay to move backwards and forwards within the log session, using these commands:

Table 16: Replay controls

Control       Description
g             Go to start
G             Go to end
[Space] bar   Go to next input
t             Display time stamp
v             Dump variables
Backspace     Previous position
Ctrl          Next position
q             Quit

To see the sample policy used in this lesson, see Lesson 5 Sample: Keystroke logging.

Lesson 6: Conditional keystroke logging

This lesson extends the logging example from the previous lesson by adding an exclusion that prevents privileged access outside of office hours (combining it with the functionality you saw in Lesson 2) and displays a message to the requesting user in that situation:

adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};

adminusers = append(adminusers, PMLESSON_USER); # Add the lesson user to the list

if (user in adminusers && command in adminprogs) {
   runuser = "root";
   if (command in {"csh", "ksh"}) {
      iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
      print("This command will be logged to:", iolog);
   }

   if (user in adminusers && (!timebetween(800,1700) || dayname in {"Sat", "Sun"})) {
      print("Sorry, you can't use that command outside office hours.");
      reject;
   }

   accept;
}

The above policy allows several admin programs to run, but only enables keystroke logging for the interactive shells.

# LESSON=6; export LESSON 
# date mmdd1000 
# su demo 
$ pmrun hostname 
UPMhost 
$ exit 
# date mmdd2200
# su demo 
$ pmrun hostname 
Sorry, you can't use that command outside office hours. 
Request Rejected by pmmasterd on UPMhost 
$ exit

where in the date commands, mm and dd refer to the two-digit representations of the month and day respectively.

In this example, you set the date as root before switching to demo, your test user. With the date initially set to a date/time combination which falls within office hours, Privilege Manager for Unix accepts the command.

When you exited back to the root shell, set the date/time to one outside of office hours, switched back to the test user demo, and repeated the exercise, Privilege Manager for Unix rejected the command and displayed the message.

Having reached this point you have established a good repertoire of policy constructs which form the basis of most policy file definitions. The use of list variables to hold constraint information used in combination with conditional tests using the if() construct represents the core function of most policy rules.

You use the print() and printf() functions to display messages and information throughout the policy. To control the keystroke logging, you use the value of the iolog system variable and the mktemp() function.
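As an added illustration (not code from this guide or from Privilege Manager for Unix itself), the following Python models the Lesson 6 policy as a pure function so that the accept, reject and log outcome can be checked for a set of constructed requests, including the edges of the office-hours window and weekends, which the lesson transcript does not exercise. It assumes that timebetween(800,1700) treats the start as inclusive and the end as exclusive, and that a request matching no accept statement is rejected by pmmasterd by default (as Lesson 3 states). The Request and Decision types, the hhmm field and the sample users are constructs of this example.

```python
"""Pure-function model of the Lesson 6 policy (added example, not the product's code)."""
from dataclasses import dataclass
from typing import Optional

# Lists from the policy on this page.
ADMIN_USERS = {"dan", "robyn"}
ADMIN_PROGS = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"}
LOGGED_SHELLS = {"csh", "ksh"}      # only these get an iolog
WEEKEND = {"Sat", "Sun"}
PMLESSON_USER = "demo"              # the lesson's test user


@dataclass(frozen=True)
class Request:
    """Mirrors the policy variables used on this page (constructed type)."""
    user: str
    command: str
    hhmm: int       # clock time as an integer, e.g. 1000 for 10:00
    dayname: str    # three-letter day name, as the policy's dayname variable


@dataclass(frozen=True)
class Decision:
    accepted: bool
    runuser: Optional[str] = None
    iolog: Optional[str] = None     # keystroke-log path template when logging is on
    message: Optional[str] = None


def timebetween(hhmm: int, start: int, end: int) -> bool:
    """Assumed semantics of the policy's timebetween(): start inclusive, end exclusive."""
    return start <= hhmm < end


def evaluate(req: Request) -> Decision:
    """Walk the Lesson 6 policy top to bottom and return the outcome."""
    admin_users = ADMIN_USERS | {PMLESSON_USER}   # append(adminusers, PMLESSON_USER)

    # Outer if: wrong user or command never reaches accept, so pmmasterd rejects.
    if req.user not in admin_users or req.command not in ADMIN_PROGS:
        return Decision(accepted=False, message="Request Rejected")

    # iolog is set before the office-hours test, exactly as in the policy;
    # the real policy passes this template to mktemp() for a unique name.
    iolog = None
    if req.command in LOGGED_SHELLS:
        iolog = f"/var/adm/pm.{req.user}.{req.command}.XXXXXX"

    if not timebetween(req.hhmm, 800, 1700) or req.dayname in WEEKEND:
        return Decision(accepted=False,
                        message="Sorry, you can't use that command outside office hours.")

    return Decision(accepted=True, runuser="root", iolog=iolog)


if __name__ == "__main__":
    # Constructed requests that reproduce the lesson transcript plus the edges.
    for r in (Request("demo", "hostname", 1000, "Mon"),
              Request("demo", "hostname", 2200, "Mon"),
              Request("dan", "csh", 900, "Wed"),
              Request("robyn", "ls", 1200, "Sat"),
              Request("dan", "ls", 1700, "Tue")):
        print(r, "->", evaluate(r))
```

Because the decision is a pure function of (user, command, time, day), the same table can be regenerated whenever the lists change, which is a cheap way to confirm that widening adminprogs does not also widen what is logged or when it is allowed.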

Remember to reset the correct time on your system by running the date command as the root user.

To see the sample policy used in this lesson, see Lesson 6 Sample: Conditional keystroke logging.
