
Privilege Manager for Unix 6.1.1 - Administration Guide for Unix


Lesson 3: Specific commands

This lesson narrows the scope of which commands you can run with root privilege. The permitted list of commands is ls, hostname, and kill. Any other attempt to run a privileged command is rejected.

The "command" variable stores the command name issued by pmrun:

if (command == "ls" || command == "hostname" || command == "kill") { 
   runuser = "root"; 
   accept; 
}
# LESSON=3; export LESSON 
# su demo 
$ pmrun shutdown 
Request Rejected by pmmasterd on <UPMhost> 
$ pmrun hostname 
UPMhost 
$ exit

where <UPMhost> is the name of the host running pmmasterd.

Refer to Lesson 3 Sample: Specific commands to see the sample policy used in this lesson.

Lesson 4: Policy optimization with list variables

This lesson improves upon the design of Lesson 3, making the policy easier to read and faster to interpret with the introduction of list variables. List variables represent groups of data, in this case users and commands, which you can use in multiple places as values for test constraints.

adminusers = {"dan", "robyn"}; 
adminprogs = {"ls", "hostname", "kill"}; 

if (user in adminusers || user==PMLESSON_USER) 
   { if (command in adminprogs) 
      { runuser = "root"; 
         accept; 
      } 
   }

The "in" operator is used to test whether a variable matches a member of a list:

# su demo 
$ pmrun shutdown 
Request Rejected by pmmasterd on UPMhost 
$ pmrun ls /etc/opt/quest/qpm4u 
pm.settings policy

Refer to Lesson 4 Sample: Policy optimizations with list variables to see the sample policy used in this lesson.

Lesson 5: Keystroke logging

This lesson introduces two new and important elements of policy writing. You can enable keystroke logging (I/O logging) at any point in the policy, and you can make it conditional on any criteria you require.

This example enables keystroke logging when the permitted user runs these two commands, the csh and ksh shells; the user can run all other commands as root but without logging keystrokes.

Setting the "iolog" variable to a filename creates a keystroke log with that filename:

iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");

You must choose the filename of the log file carefully. Its location and name are under the complete control of the policy script, so use the mktemp() function to ensure that each session gets a unique file.

# LESSON=5; export LESSON 
# su demo 
$ pmrun csh

This request is logged in: /var/adm/pm.demo.csh.wXYeyn

In the example shown above, the log filename is displayed and the csh session is started. Now enter some commands so that there is keystroke activity to log, and then exit back to the parent shell.

# date 
# cal 
# hostname 
# whoami 
# exit 
$ exit

The output from these commands has been omitted for clarity.

It is now possible to replay this keystroke log file to display the session as seen by the demo user. Run the following command as root.

# /opt/quest/sbin/pmreplay /var/adm/pm.demo.csh.wXYeyn

Experiment with the controls within pmreplay to move backwards and forwards within the log session, using these commands:

Table 15: Replay controls

Control        Description
g              Go to start
G              Go to end
[Space] bar    Go to next input
t              Display time stamp
v              Dump variables
Backspace      Previous position
Ctrl           Next position
               Quit

Refer to Lesson 5 Sample: Keystroke logging to see the sample policy used in this lesson.

Lesson 6: Conditional keystroke logging

This lesson extends the logging example from the previous lesson by adding an exclusion that prevents privileged access outside of office hours (combining the logging with the time-based test you saw in lesson two) and by displaying a message to the requesting user in that situation:

adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};

adminusers=append(adminusers,PMLESSON_USER); #Add the lesson user to list

if (user in adminusers && command in adminprogs) 
   { runuser = "root";
      if (command in {"csh", "ksh"}) 
         { iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
           print("This command will be logged to:", iolog);
         }

      if (user in adminusers && (!timebetween(800,1700) || dayname in {"Sat", "Sun"})) 
         { print ("Sorry, you can't use that command outside office hours.");
           reject;
         }

      accept;
}

The above policy allows several admin programs to run, but only enables keystroke logging for the interactive shells.

# LESSON=6; export LESSON 
# date mmdd1000 
# su demo 
$ pmrun hostname 
UPMhost 
$ exit 
# date mmdd2200
# su demo 
$ pmrun hostname 
Sorry, you can't use that command outside office hours. 
Request Rejected by pmmasterd on UPMhost 
$ exit

where in the date commands, mm and dd refer to the two-digit representations of the month and day respectively.

In this example, you set the date as root before switching to demo, your test user. With the date initially set to a date/time combination which falls within office hours, Privilege Manager accepts the command.

When you exit back to the root shell, set the date/time to one outside of office hours, switch back to the test user, demo, and repeat the exercise, Privilege Manager rejects the command and displays the message.

Having reached this point, you have established a good repertoire of policy constructs which form the basis of most policy file definitions. List variables holding constraint information, combined with conditional tests using the if() construct, represent the core of most policy rules.

You use the print() and printf() functions to display messages and information throughout the policy. To control the keystroke logging, you use the value of the iolog system variable and the mktemp() function.
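To see how the list tests, the office-hours test and the iolog naming of Lessons 4 to 6 combine into a single decision, here is an added Python model of the Lesson 6 policy logic. It is not Privilege Manager code (the policy itself is interpreted by pmmasterd) and its names (Decision, evaluate, make_iolog) are the model's own; it assumes PMLESSON_USER is "demo" and treats the timebetween() window as half-open, which is an assumption about the real function. It lets you tabulate the expected accept/reject outcome for a user, command and time before you deploy a policy change.

```python
"""Added Python model of the Lesson 6 policy decision logic.

This is NOT Privilege Manager code: the real policy is interpreted by
pmmasterd.  The model reproduces the rules of the lesson (list membership,
the timebetween()/dayname office-hours test, mktemp()-style iolog names) so
that the expected decision for a user, command and time can be tabulated
before a policy change is deployed.  Function and class names are the
model's own.
"""
from dataclasses import dataclass
from datetime import datetime
import os
import tempfile
from typing import Optional

# Constructed list variables mirroring the lesson.  PMLESSON_USER is
# assumed to be "demo", the test user used throughout the lessons.
ADMIN_USERS = ["dan", "robyn", "demo"]
ADMIN_PROGS = ["ls", "hostname", "kill", "csh", "ksh", "pmreplay"]
LOGGED_SHELLS = ["csh", "ksh"]          # only interactive shells get an iolog
OFFICE_HOURS_MSG = "Sorry, you can't use that command outside office hours."


@dataclass
class Decision:
    accepted: bool
    runuser: Optional[str] = None   # set when the request is accepted
    iolog: Optional[str] = None     # keystroke log path, if one was assigned
    message: Optional[str] = None   # text the user would see via print()


def timebetween(now: datetime, start: int, end: int) -> bool:
    """Model of the policy's timebetween(HHMM, HHMM).

    The model treats the window as [start, end); the exact boundary
    behaviour of the real function is an assumption here.
    """
    hhmm = now.hour * 100 + now.minute
    return start <= hhmm < end


def dayname(now: datetime) -> str:
    """Return "Mon" .. "Sun", matching the values the lesson compares against."""
    return now.strftime("%a")


def make_iolog(log_dir: str, user: str, command: str) -> str:
    """Equivalent of mktemp("/var/adm/pm.<user>.<command>.XXXXXX").

    tempfile.mkstemp creates the file atomically with mode 0600, so two
    concurrent sessions can never be handed the same log name and nobody
    can pre-create the file under a predictable name.
    """
    fd, path = tempfile.mkstemp(prefix=f"pm.{user}.{command}.", dir=log_dir)
    os.close(fd)
    return path


def evaluate(user: str, command: str, when: str,
             log_dir: Optional[str] = None) -> Decision:
    """Apply the Lesson 6 rules in the same order as the policy file.

    `when` is an ISO timestamp such as "2024-03-12T10:00".  `log_dir`
    defaults to the system temp directory so the model runs unprivileged;
    the lesson's policy writes under /var/adm.
    """
    now = datetime.fromisoformat(when)
    log_dir = log_dir or tempfile.gettempdir()

    if not (user in ADMIN_USERS and command in ADMIN_PROGS):
        return Decision(accepted=False)   # no rule matched: implicit reject

    runuser = "root"
    iolog = make_iolog(log_dir, user, command) if command in LOGGED_SHELLS else None

    # The office-hours test comes after the iolog assignment in the policy,
    # so a rejected shell request has already had a log name allocated.
    if not timebetween(now, 800, 1700) or dayname(now) in ("Sat", "Sun"):
        return Decision(accepted=False, iolog=iolog, message=OFFICE_HOURS_MSG)

    return Decision(accepted=True, runuser=runuser, iolog=iolog)


if __name__ == "__main__":
    # Constructed scenarios: a Tuesday inside and outside office hours, a Saturday.
    for user, cmd, when in [("demo", "hostname", "2024-03-12T10:00"),
                            ("demo", "hostname", "2024-03-12T22:00"),
                            ("demo", "csh", "2024-03-12T10:00"),
                            ("demo", "shutdown", "2024-03-12T10:00"),
                            ("dan", "ls", "2024-03-16T10:00")]:
        d = evaluate(user, cmd, when)
        print(f"{user:6} {cmd:9} {when}  accepted={d.accepted!s:5} "
              f"runuser={d.runuser} iolog={d.iolog} msg={d.message}")
```

Running the model shows the same outcomes as the pmrun session above: hostname at 10:00 on a weekday is accepted as root without an iolog, the same request at 22:00 or on a Saturday is rejected with the office-hours message, a command outside adminprogs is rejected silently, and each csh request receives a distinct log name. Note the ordering point in the comments: because the policy assigns iolog before the office-hours test, a rejected shell request still allocates a log file name, which is something to keep in mind when you clean up /var/adm.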

Remember to reset the correct time on your system by running the date command as the root user.

Refer to Lesson 6 Sample: Conditional keystroke logging to see the sample policy used in this lesson.
