
Privilege Manager for Unix 6.1 Common Documents - Administration Guide


Forbidden commands

Use the pmshell_forbid list variable in the policy file to define a list of commands you want the shell to forbid without any further authorization by the policy server. The shell program interprets this list as a list of regular expressions. Privilege Manager checks each command a user enters against this list. If a match is found, it rejects the command without further authorization. These commands do not result in a reject entry in the event log, because they are forbidden by the shell. You can also configure the message that is displayed when a user issues one of these commands.

Allowed commands

Use the pmshell_allow list variable in the policy file to define a list of commands you want the shell to allow without any further authorization by the policy server. The shell program interprets this list as a list of regular expressions. Privilege Manager checks each command the user enters against this list. If a match is found, it allows the command without further authorization. These commands do not result in an accept entry in the event log as they are allowed by the shell.

Allowed piped commands

Use the pmshell_allowpipe variable in the policy file to configure a list of commands you want the shell to allow without further authorization by the policy server if the input to the command is a pipe. The shell program interprets this list as a list of regular expressions. Privilege Manager checks each command a user enters against this list if the input to the command is a pipe. If a match is found, it allows the command without further authorization. These commands do not result in an accept entry in the event log as they are allowed by the shell. This allows the shell to authorize commands only within a particular context.

For example, if the allowed pipe command list contains grep and you enter:

grep "root" /etc/shadow

the shell still sends the grep command to the policy server for authorization, because its input does not come from a pipe.

On the other hand, if you enter:

cat /etc/shadow | grep "root"

the shell only authorizes the cat command. The grep command is allowed without authorization.

Check shell built-in commands

Built-in shell commands are functions defined internally to the shell. You can apply a policy to shell built-in commands by setting pmshell_checkbuiltins=1. The shell does not create a new UNIX process to run a built-in command and does not access or run any program outside the shell to run a built-in command. The shell built-in commands usually include functions like echo and cd. The full list of shell built-in commands depends on the shell you are using; to see the command list for a particular shell, run the shell with the -? argument.

By default, shell built-in commands are not submitted to the policy server for authorization and are not checked against the allow and forbid lists.

You can set a flag to force the shell to treat all shell built-in commands as if they are normal, executable commands. If this flag is set, all built-in commands are compared with the forbid and allow lists, and if no match is found, they are presented to the policy server for authorization.
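The following Python model is an added example, not One Identity code: it walks a command line through the forbid, allow, allowpipe and built-in rules described above and reports which pipeline stages the shell decides locally, and therefore leave no accept or reject entry in the event log. The sample patterns, the built-in subset, the check order (forbid before allow), unanchored matching with re.search, and the naive split on "|" are all assumptions.

```python
import re

# Constructed sample lists; a real policy sets pmshell_forbid, pmshell_allow
# and pmshell_allowpipe in the policy file.
FORBID = [r"^rm\b", r"^passwd\b"]
ALLOW = [r"^ls\b", r"^pwd$"]
ALLOWPIPE = [r"^grep\b"]
BUILTINS = {"cd", "echo"}          # assumed subset of shell built-ins

# Decisions taken by the shell itself: no event-log entry on the policy server.
SHELL_LOCAL = {"forbid", "allow"}


def _matches(patterns, cmd):
    # Assumption: unanchored regex search, as re.search does.
    return any(re.search(p, cmd) for p in patterns)


def decide(cmd, stdin_is_pipe, check_builtins=False):
    """Return 'forbid', 'allow', 'builtin-unchecked' or 'policy-server'."""
    parts = cmd.split()
    name = parts[0] if parts else ""
    # Built-ins bypass every check unless pmshell_checkbuiltins is set.
    if name in BUILTINS and not check_builtins:
        return "builtin-unchecked"
    if _matches(FORBID, cmd):      # assumed to be checked before the allow list
        return "forbid"
    if _matches(ALLOW, cmd):
        return "allow"
    # The allowpipe list applies only when the command reads from a pipe.
    if stdin_is_pipe and _matches(ALLOWPIPE, cmd):
        return "allow"
    return "policy-server"


def decide_pipeline(line, check_builtins=False):
    """Decide each stage of a pipeline; naive split that ignores quoted '|'."""
    stages = [s.strip() for s in line.split("|")]
    return [(s, decide(s, i > 0, check_builtins)) for i, s in enumerate(stages)]


def event_log_gaps(line, check_builtins=False):
    """Stages allowed or forbidden by the shell, so absent from the event log."""
    return [s for s, d in decide_pipeline(line, check_builtins) if d in SHELL_LOCAL]


if __name__ == "__main__":
    for sample in ('grep "root" /etc/shadow', 'cat /etc/shadow | grep "root"'):
        print(sample, "->", decide_pipeline(sample))
```

Running a candidate allowpipe list through a model like this before deployment shows which commands would stop appearing in the event log once they sit behind a pipe.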
