One Identity Management Console for Unix 2.5.2 - Administration Guide


Authorized Commands

To authorize commands or shell commands

  1. To enter paths on hosts where members can run all commands, select the override box and click the Edit button.

    The Edit Entries dialog opens, which allows you to add one or more paths separated by commas. For example:

    /usr/bin, /etc/
    • You can leave this box empty if you do not want to restrict the path from which a command is run.
    • If you specify one or more paths, the host will reject commands not run from one of these paths.

    Note: For more information about the Edit Entries dialog, click the help link.

  2. To enter commands permitted by this role, select the override box and click the Edit button.

    The Edit Entries dialog opens, which allows you to add one or more commands separated by commas. For example:

    whoami, /usr/bin/id
    • If you specify a fully qualified path for the command, the user must specify that fully qualified path when running the command.

      For example, if you enter /usr/bin/id in this text box, the user cannot simply run id at the command line.

    • Take care when using wildcards in the path. Because the policy server uses glob pattern matching, a wildcard also matches "/", so a pattern can match deeper into the directory tree than intended.

      For example, /one/*/id matches both /one/a/id and /one/a/b/c/d/id.

    • You can precede a command with an optional NOEXEC flag enclosed in square brackets to ensure that the command, once run, cannot use exec to create a new Unix process. For example:

        [NOEXEC] /bin/vi *

      permits you to vi a single file but blocks vi from performing any shell escapes.

        [] /bin/vi *

      permits you to vi a single file and allows shell escapes.

    • To indicate any command with any argument, enter ALL.

    Note: For more information about the Edit Entries dialog, click the help link.

  3. Optionally, select the override box and select the Allow commands to be run from authorized submit hosts on authorized run hosts option.
  4. Click OK to save Authorized Commands settings.

Authorized Commands syntax examples

The Authorized Commands role parameter identifies the list of commands permitted by a role. The following table shows the acceptable command syntax, using the id command as a simple example:

Table 65: Authorized Commands syntax

Authorized Command Syntax / Description

"/usr/bin/id"
    Allows you to run /usr/bin/id with no arguments. For example:
        /usr/bin/id

"id"
    Allows you to run the id command from any path with no arguments. For example:
        id
        /bin/id
        /usr/bin/id

"/usr/bin/id **"
    Allows you to run /usr/bin/id with zero or more arguments. For example:
        /usr/bin/id
        /usr/bin/id -n
        /usr/bin/id -n -g
        /usr/bin/id -n -g -r

"/usr/bin/id *"
    Allows you to run /usr/bin/id with exactly one argument. For example:
        /usr/bin/id -n

"/usr/bin/id -n *"
    Allows you to run /usr/bin/id -n with exactly one further argument. For example:
        /usr/bin/id -n -g

"/usr/bin/id -n **"
    Allows you to run /usr/bin/id -n with zero or more further arguments. For example:
        /usr/bin/id -n
        /usr/bin/id -n -g
        /usr/bin/id -n -g -r

    NOTE: -n must immediately follow the id command. /usr/bin/id -g -n is not acceptable.

"/usr/bin/**"
    Allows you to run any command in the /usr/bin directory or a subdirectory with zero or more arguments. For example:
        /usr/bin/id
        /usr/bin/id -n
        /usr/bin/id -n -g

"/usr/bin/*"
    Allows you to run any command in the /usr/bin directory with no arguments. For example:
        /usr/bin/id

"/usr/bin/* *"
    Allows you to run any command in the /usr/bin directory with exactly one argument. For example:
        /usr/bin/id -n

"/usr/bin/script.sh -f /etc/*.conf -n *"
    Allows you to run /usr/bin/script.sh with the specified arguments. For example:
        /usr/bin/script.sh -f /etc/one.conf -n fred
        /usr/bin/script.sh -f /etc/two.conf -n fred
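To make the rules in Table 65 and the wildcard caveat above concrete, the following is an added example, not code from One Identity or from the Management Console for Unix / Privilege Manager policy server. It re-implements the documented matching semantics in Python so that a candidate command line can be checked against a list of Authorized Commands entries before the policy is deployed: an unqualified command name matches the basename from any path, a qualified one must be typed as given, "*" consumes exactly one argument, "**" consumes zero or more, other argument tokens are globs, ALL permits everything, and a leading [NOEXEC] flag is reported with the decision. The functions (parse_entries, pattern_allows, evaluate), the assumption that the first whitespace-separated token is the command pattern, and the use of fnmatch as the glob engine are this example's own; fnmatch is chosen deliberately because its "*" crosses "/", which reproduces the behaviour the guide warns about.

```python
"""Illustrative evaluator for Authorized Commands entries (added example).

Not the product's own matching code: it models the semantics described in
the guide so that policy entries can be reasoned about offline.
"""
import fnmatch
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Optional leading flag block such as "[NOEXEC]" or "[]" (assumed format).
_FLAG_RE = re.compile(r"^\[(?P<flags>[^\]]*)\]\s*(?P<rest>.*)$")


@dataclass
class Decision:
    allowed: bool
    matched_entry: Optional[str] = None
    noexec: bool = False


def parse_entries(text: str) -> List[str]:
    """Split the comma-separated text typed into the Edit Entries dialog."""
    return [e.strip() for e in text.split(",") if e.strip()]


def _split_flags(entry: str) -> Tuple[Set[str], str]:
    """Return (flags, pattern body) for an entry like '[NOEXEC] /bin/vi *'."""
    m = _FLAG_RE.match(entry.strip())
    if not m:
        return set(), entry.strip()
    flags = {f.strip().upper() for f in m.group("flags").split(",") if f.strip()}
    return flags, m.group("rest").strip()


def _glob(pattern: str, value: str) -> bool:
    # fnmatchcase's '*' also matches '/', so /one/*/id matches /one/a/b/c/d/id,
    # exactly the glob behaviour the guide cautions about.
    return fnmatch.fnmatchcase(value, pattern)


def _command_matches(cmd_pattern: str, argv0: str) -> bool:
    # No '/' in the pattern: the command name is accepted from any path
    # ("id" permits id, /bin/id, /usr/bin/id). Otherwise the user must type
    # a path that the qualified pattern matches.
    if "/" in cmd_pattern:
        return _glob(cmd_pattern, argv0)
    return _glob(cmd_pattern, os.path.basename(argv0))


def _args_match(patterns: List[str], args: List[str]) -> bool:
    # '*' consumes exactly one argument, '**' zero or more, and any other
    # token is a glob that must match exactly one argument (e.g. /etc/*.conf).
    if not patterns:
        return not args
    head, tail = patterns[0], patterns[1:]
    if head == "**":
        return any(_args_match(tail, args[i:]) for i in range(len(args) + 1))
    if not args:
        return False
    if head == "*" or _glob(head, args[0]):
        return _args_match(tail, args[1:])
    return False


def pattern_allows(entry: str, argv: List[str]) -> bool:
    """True if a single Authorized Commands entry permits the argv vector."""
    _, body = _split_flags(entry)
    if body == "ALL":
        return True
    tokens = body.split()
    if not tokens or not argv:
        return False
    cmd_pattern, arg_patterns = tokens[0], tokens[1:]
    if cmd_pattern.endswith("**"):
        # "/usr/bin/**": any command under /usr/bin (or a subdirectory),
        # and zero or more arguments unless argument patterns are given.
        cmd_pattern = cmd_pattern[:-1]
        if not arg_patterns:
            arg_patterns = ["**"]
    return _command_matches(cmd_pattern, argv[0]) and _args_match(arg_patterns, argv[1:])


def evaluate(entries: List[str], argv: List[str]) -> Decision:
    """First matching entry wins; the decision carries its NOEXEC flag."""
    for entry in entries:
        if pattern_allows(entry, argv):
            flags, _ = _split_flags(entry)
            return Decision(True, entry, "NOEXEC" in flags)
    return Decision(False)


if __name__ == "__main__":
    # Constructed policy text, in the comma-separated form the dialog accepts.
    policy = parse_entries("whoami, /usr/bin/id -n **, [NOEXEC] /bin/vi *")
    for cmd in (["/usr/bin/id", "-n", "-g"], ["/usr/bin/id", "-g", "-n"], ["/bin/vi", "/etc/hosts"]):
        print(" ".join(cmd), "->", evaluate(policy, cmd))
```

Running the module prints one decision per constructed command line; the second (id -g -n) is rejected because -n must immediately follow the command, and the vi line is permitted with noexec=True. The example does not model the separate path restriction from step 1 (hosts rejecting commands not run from the listed paths).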

Authorize run hosts

You can control the list of hosts on which users can run authorized commands.

To authorize run hosts

  1. Select the Hosts where members can run authorized commands option and click Edit.

    The Edit Entries dialog opens, which allows you to add one or more host names permitted by this role, separated by commas. For example:

    buildhost, devhosts, *.one.two

    Users can only run commands on a host in this list.

    To allow users to run commands on all hosts, enter ALL.

    Note: For more information about the Edit Entries dialog, click the help link.

  2. Click OK to save the Run Hosts settings.

Authorize submit hosts

To authorize submit hosts

  1. Select the Hosts where members can submit commands to run on authorized run hosts option and click Edit.

    The Edit Entries dialog opens, which allows you to add one or more host names separated by commas. For example:

    buildhost, devhosts, *.one.two

    Note: Users can only submit commands from a host in this list; the commands then run on the authorized run hosts.

    To allow users to submit commands from all hosts, enter ALL.

    Note: For more information about the Edit Entries dialog, click the help link.

  2. Click OK to save Submit Hosts settings.