Lesson 3: Specific commands
This lesson narrows the scope of which commands you can run with root privilege. The permitted list of commands is ls, hostname, and kill. Any other attempt to run a privileged command is rejected.
The "command" variable stores the command name issued by pmrun:
if (command == "ls" || command == "hostname" || command == "kill") {
runuser = "root";
accept;
}# LESSON=3; export LESSON
# su demo
$ pmrun shutdown
Request Rejected by pmmasterd on <UPMhost>
$ pmrun hostname
UPMhost
$ exit
where <UPMhost> is the host name
Refer to Lesson 3 Sample: Specific commands to see the sample policy used in this lesson.
Lesson 4: Policy optimization with list variables
This lesson improves upon the design of Lesson 3, making the policy easier to read and faster to interpret with the introduction of list variables. List variables represent groups of data, in this case users and commands, which you can use in multiple places as values for test constraints.
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill"};
if (user in adminusers || user==PMLESSON_USER)
{ if (command in adminprogs)
{ runuser = "root";
accept;
}
}
The "in" operator is used to test whether a variable matches a member of a list:
# su demo
$ pmrun shutdown
Request Rejected by pmmasterd on UPMhost
$ pmrun ls /etc/opt/quest/qpm4u
pm.settings policy
Refer to Lesson 4 Sample: Policy optimizations with list variables to see the sample policy used in this lesson.
Lesson 5: Keystroke logging
This lesson introduces two new and important elements of policy writing. You can enable keystroke logging (I/O logging) at any point, and you can configure it to be conditional on any required elements.
This example enables keystroke logging when the permitted user runs these two commands, the csh and ksh shells; the user can run all other commands as root but without logging keystrokes.
Setting the "iolog" variable to a filename creates a keystroke log with that filename:
iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
You must choose the filename of the log file carefully. Its location and name are under the complete control of the policy script and in order to ensure that the file is unique, use the mktmp() function.
# LESSON=5; export LESSON
# su demo
$ pmrun csh
This request is logged in: /var/adm/pm.demo.csh.wXYeyn
In the example shown above, the log filename is displayed and the csh session is started. Now enter commands to create I/O logging and then exit back to the parent shell.
# date
# cal
# hostname
# whoami
# exit
$ exit
The output from these commands has been omitted for clarity.
It is now possible to replay this keystroke log file to display the session as seen by the demo user. Run the following command as root.
# /opt/quest/sbin/pmreplay /var/adm/pm.demo.csh.wXYeyn
Experiment with the controls within pmreplay to move backwards and forwards within the log session, using these commands:
Table 16: Replay controls
| g |
Go to start |
| G |
Go to end |
| [Space] bar |
Go to next input |
| t |
Display time stamp |
| v |
Dump variables |
| Backspace |
Previous position |
| Ctrl |
Next position |
|
q |
Quit |
Refer to Lesson 5 Sample: Keystroke logging to see the sample policy used in this lesson.
Lesson 6: Conditional keystroke logging
This lesson extends the logging example from the previous lesson, adding an exclusion to prevent privileged access outside of office hours, effectively combining the functionality you saw in lesson two, and displaying a message to the requesting user in such a situation:
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};
adminusers=append(adminusers,PMLESSON_USER); #Add the lesson user to list
if (user in adminusers && command in adminprogs)
{ runuser = "root";
if (command in {"csh", "ksh"})
{ iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
print("This command will be logged to:", iolog);
}
if (user in adminusers && (!timebetween(800,1700) || dayname in {"Sat", "Sun"}))
{ print ("Sorry, you can't use that command outside office hours.");
reject;
}
accept;
}
The above policy allows several admin programs to run, but only enables keystroke logging for the interactive shells.
# LESSON=6; export LESSON
# date mmdd1000
# su demo
$ pmrun hostname
UPMhost
$ exit
# date mmdd2200
# su demo
$ pmrun hostname
Sorry, you can't use that command outside office hours.
Request Rejected by pmmasterd on UPMhost
$ exit
where in the date commands, mm and dd refer to the two-digit representations of the month and day respectively.
In this example, you set the date as root before switching to demo, your test user. With the date initially set to a date/time combination which falls within office hours, Privilege Manager for Unix accepts the command.
Privilege Manager for Unix rejected the command and displayed a message when you exited back to the root shell, set the date/time to one outside of office hours, switched back to the test user, demo, and repeated the exercise.
Having reached this point you have established a good repertoire of policy constructs which form the basis of most policy file definitions. The use of list variables to hold constraint information used in combination with conditional tests using the if() construct represents the core function of most policy rules.
You use the print() and printf() functions to display messages and information throughout the policy. To control the keystroke logging, you use the value of the iolog system variable and the mktemp() function.
Remember to reset the correct time on your system by running the date command as the root user.
Refer to Lesson 6 Sample: Conditional keystroke logging to see the sample policy used in this lesson.
