#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example3
#
# This file should have permissions of 600 (rw-------).
# It must be owned by root.
#=================================================================
# Lesson 3: two named users may run a fixed set of commands as root.
# Any request that does not match the final if-block falls through to
# the policy's default reject.
print("------------------ LESSON 3 DESCRIPTION ------------------------");
printf("Policy file %s/examples/example3.conf\n",PMINST);
print("--------------------------------------------------------");
printf("This policy allows users %s and dan to run *some* programs as root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("--------------------------------------------------------");
# Echo the original command line so the user can see what was submitted.
# This is display only; nothing in this policy inspects argv.
argno = 0;
while (argno < argc) {
    printf("%s ", argv[argno]);
    argno = argno + 1;
}
printf("\n");
#=================================================================
# Build the two membership sets up front so the decision reads as a
# single test.  PMLESSON_USER is supplied by the lesson environment.
adminusers = {"dan"};
adminusers = append(adminusers, PMLESSON_USER);
adminprogs = {"ls", "hostname", "kill"};
if (user in adminusers && command in adminprogs) {
    # Elevate to root.  Arguments are not constrained, so e.g. kill may
    # target any process; that is the deliberate scope of this lesson.
    runuser = "root";
    accept;
}
#=================================================================
See Lesson 3: Specific commands for details on using this sample policy file.
#===================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example4
#
# This file should have permissions of 600 (rw-------).
# It must be owned by root.
#=========================================================================
# Lesson 4: same authorization as lesson 3, expressed with list
# variables.  Requests that do not match the final if-block fall through
# to the policy's default reject.
print("------------------- LESSON 4 DESCRIPTION -------------------------");
printf("Policy file %s/examples/example4.conf\n",PMINST);
print("------------------------------------------------------------------");
print("This lesson is identical to Lesson 3, but uses a different policy");
print("construct known as a list variable, making the policy simpler");
print("shorter and clearer to understand.");
print("Look at the policy files for lessons 3 & 4 and note the differences.\n");
printf("This policy allows users %s, robyn and dan to run *some* programs as root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("------------------------------------------------------------------");
# Echo the original command line for the user's benefit (display only;
# argv is not used in the decision below).
argno = 0;
while (argno < argc) {
    printf("%s ", argv[argno]);
    argno = argno + 1;
}
printf("\n");
#=========================================================================
# Authorized users: the two fixed names plus the lesson user, folded into
# one list so the decision is a single membership test on each side.
adminusers = {"dan", "robyn"};
adminusers = append(adminusers, PMLESSON_USER);
adminprogs = {"ls", "hostname", "kill"};
if (user in adminusers && command in adminprogs) {
    # Elevate to root.  Arguments are not constrained here, so e.g. kill
    # may target any process; that is the deliberate scope of this lesson.
    runuser = "root";
    accept;
}
#=========================================================================
See Lesson 4: Policy optimization with list variables for details on using this sample policy file.
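#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example5
#
# This file should go in /etc/pm.conf with permissions of 600 (rw-------).
# It must be owned by root.
#=================================================================
# Lesson 5: the listed users may run *any* command as root; csh and ksh
# sessions are additionally keystroke-logged to a file created with
# mktemp().  Requests from other users fall through to the default reject.
#
# Fixes relative to the shipped example: the iolog_opmax assignment was
# missing its statement terminator, and the closing separator line was
# missing its leading '#', leaving a bare run of '=' in the policy.
print("---------------- LESSON 5 DESCRIPTION ------------------");
printf("Policy file %s/examples/example5.conf\n",PMINST);
print("--------------------------------------------------------");
print("This lesson introduces keystroke logging.");
printf("Users %s, robyn and dan are permitted to run everything as root,\n",PMLESSON_USER);
print("but commands csh and ksh will be fully keystroke logged.");
print("This means that all I/O during these shell sessions will be logged.");
print("The log file is created with mktmp() and the name is displayed.");
print("The logfile will be something like pm.dan.ksh.a545456\n");
print("Look closely at Lesson 5 to see how logging is enabled.\n");
print("The log files can be replayed with the pmreplay utility.\n");
print("Don't forget to prefix commands with pmrun.");
print("--------------------------------------------------------");
# Echo the original command line (display only; argv is not inspected).
i = 0;
while (i < argc) {
    printf("%s ", argv[i]);
    i = i + 1;
}
printf("\n");
#=================================================================
adminusers = {"dan", "robyn"};
# Add the provided lesson user so they need not adjust the policy.
adminusers = append(adminusers, PMLESSON_USER);
if (user in adminusers) {
    # No command restriction: every command these users submit runs as
    # root.  Only csh and ksh are logged below, so any other program
    # (including other shells) runs as root without an I/O log.
    runuser = "root";
    if (command in {"csh", "ksh"}) {
        # mktemp() creates the log file; the requesting user and command
        # name are embedded so logs are easy to attribute and replay.
        iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
        # Cap on logged output; was missing its ';' in the original.
        iolog_opmax = 10000;
        print("This request will be logged in:", iolog);
    }
    accept;
}
#=================================================================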
See Lesson 5: Keystroke logging for details on using this sample policy file.
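#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example6
#
# This file should go in /etc/pm.conf with permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
# Lesson 6: lesson 5's keystroke logging, restricted to a command list
# and to office hours (08:00-17:00, Monday-Friday).  Requests that match
# no accept/reject below fall through to the policy's default reject.
#
# Changes relative to the shipped example: the office-hours check now
# runs before the iolog is set up, so a rejected request no longer
# creates an empty log file via mktemp(); and the redundant repeat of
# "user in adminusers" inside the already-guarded block is dropped.
print("-------------- LESSON 6 DESCRIPTION --------------------");
os=osname();
printf("Policy file %s/examples/"+os+"/example6.conf\n",PMINST);
print("--------------------------------------------------------");
print("This lesson extends lesson 5 by adding some statements that cause");
printf("requests by %s, dan and robyn to be rejected if they arrive outside\n",PMLESSON_USER);
print("of regular office hours (8AM until 5PM Monday to Friday).");
print("A message is printed to the user's screen if this happens.");
print("Once again examine the policy file, noting use of logical not operator.");
print("Try altering the timebetween() and dayname tests and check the results");
print("--------------------------------------------------------");
# Echo the original command line (display only; argv is not inspected).
i = 0;
while (i < argc) {
    printf("%s ", argv[i]);
    i = i + 1;
}
printf("\n");
#=================================================================
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};
adminusers = append(adminusers, PMLESSON_USER);   # Add the lesson user to list
if (user in adminusers && command in adminprogs) {
    # Time window first: rejecting here avoids creating a log file for a
    # request that will never run.  timebetween() uses HHMM on the
    # policy server's clock; dayname is the three-letter weekday.
    if (!timebetween(800,1700) || dayname in {"Sat", "Sun"}) {
        print ("Sorry, you can't use that command outside office hours.");
        reject;
    }
    runuser = "root";
    if (command in {"csh", "ksh"}) {
        # Shell sessions are fully I/O logged; the other listed commands
        # run as root without a keystroke log.
        iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
        print("This command will be logged to:", iolog);
    }
    accept;
}
#=================================================================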
See Lesson 6: Conditional keystroke logging for details on using this sample policy file.