Rather than entering individual commands as in Example 3, you can use list variables as shown below. Note the use of the && ("and") operator in the if statement.
This simple fragment allows users Dan and Robyn to run certain commands as root. Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" and "robyn" with users from your own site.
adminusers={"dan", "robyn"};
adminprogs={"ls", "hostname", "kill"};
if(user in adminusers && command in adminprogs) {
runuser="root";
accept;
}
Check the configuration file for errors with pmcheck. Run different commands with pmrun to see which ones are accepted, and which are rejected. Try logging in as one of the users who is not listed in adminusers. Then, try running a command as that user to see if Privilege Manager for Unix rejects the request. List variables are useful in tidying up policy fragments, especially if the information in a list is used more than once.
The configuration file fragment below permits admin users Dan and Robyn to run certain commands as root. If the user requests csh or ksh, the input and output from these commands is logged. Privilege Manager for Unix also logs events, whether a request was accepted or rejected, and when a job finishes.
In this example, the input/output is logged to a file in /var/adm with a filename such as pm.dan.ksh.a05998, which you can examine later using pmreplay. The name of the I/O log is a unique temporary filename generated by the mktemp function.
Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" and "robyn" with users from your site.
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};
if (user in adminusers){
runuser="root";
if (command in {"csh", "ksh"})
{ iolog=mktemp("/var/adm/pm." + user + "."
+ command + ".XXXXXX");
iolog_opmax=10000;
print("This request will be logged in:", iolog);
}
accept;
}
Check the configuration file for errors with pmcheck. For more information about using pmcheck, see Example 1: Basics.
Try running csh or ksh with pmrun, and typing a few commands in the shell. Exit from the shell, find the I/O log file in /var/adm, and replay the session with pmreplay.
Privilege Manager for Unix sets the permissions on the I/O log file so that only root can read the file. That way, no other user can examine the contents of the log files. You must be logged in as root to use pmreplay on these files. Of course, you can use pmrun to run a csh or ksh as root, and then run pmreplay. Or you can add pmreplay to the list of adminprogs, and then use pmrun to run it directly.
Note that pmreplay can detect whether a log file has changed. See pmreplay for more information on running pmreplay interactively and non-interactively.
As root, run pmreplay, giving the name of the log file printed to the screen as an argument. For example, if the log filename is /var/adm/pm.dan.ksh.a05998, enter:
pmreplay /var/adm/pm.dan.ksh.a05998
You will see something similar to this:
================================================================
Log File : ./pm.dan.ksh.a05998
Date : 2008/02/25
Time : 12:00:00
Client : dan@sala.companyname.com
Agent : dan@sala.companyname.com
Command : ksh
Type '?' or 'h' for help
=================================================================
Use these commands to navigate through the log file:
Table 17: Log navigation commands
| g |
Go to start |
| G |
Go to end |
| p |
Pause/resume replay in slide-show mode |
| q |
Quit |
| r |
Redraw from start |
| s |
skip to next time marker |
| t |
Display time stamp |
| u |
undo |
| v |
Dump variables |
| [Space] bar |
Go to next input (usually a single character) |
| [Enter] |
Next new line |
| [Backspace] |
Backup to last position |
| /<re>[Enter] |
Search for a regular expression |
| Repeat last search |
Make your way through the log file by pressing the [Space] bar (next input character), the [Enter] or [Newline] key, or the s character which shows you what happened each time interval. You can backup through the log file by pressing the [Backspace] key. You can quickly go the start or end of the log file with g or G, respectively.
Display the time of an action at any point in the log file with t, redraw the log file with r, and undo your last action with u. You can also display all the Privilege Manager for Unix variables which were in use at the time the log file was created with v. Use q or Q to quit pmreplay.
You must run the pmreplay command as root because the log files created are readable only by root; however, pmreplay is itself a good candidate for a program to run through Privilege Manager for Unix. Note, in the following example, pmreplay is listed as one of the commands that Privilege Manager for Unix accepts.
Event logging is controlled by eventlog, which specifies the name of the file in which events ("accept", "reject", "finish") are logged. The default is /var/opt/quest/qpm4u/pmevents.db. If you do not want to use the default, see Local logging for details.
You can encrypt the contents of the event log. See Event logging for details.
To view the event log, use the pmlog command. Although pmlog prints all entries in the file by default, you can restrict it to print only certain entries. For example, to print only those events which occurred after Feb 5, 2012, enter:
pmlog -c'date=="2012/2/5"'
To print out all the variables stored with each entry, enter:
pmlog -v | more
The above command line pipes the voluminous output using more for easier viewing. You can also specify the output format and set the output for all event types.
The fragment below extends the previous example by rejecting requests from Dan if they are made outside regular office hours, defined as 8:00 a.m. to 5:00 p.m., Monday through Friday. A message explaining the rejection is printed to Dan’s screen if this occurs.
Type the following code fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" and "robyn" with users from your site (in quotes). Check the configuration file for errors using pmcheck. For more information about using pmcheck, see Example 1: Basics.
adminusers={"dan", "robyn"};
adminprogs={"ls", "hostname", "kill", "csh", "ksh",
"pmreplay"};
if(user in adminusers && command in adminprogs)
{ runuser="root";
if(command in {"csh", "ksh"}) {
{ iolog=mktemp("/var/adm/pm." + user + "."+ command
+".XXXXXX");
print("This command will be logged to:", iolog);
}
if(user=="dan" &&
(!timebetween(800,1700) || dayname in {"Sat", "Sun"}))
{
print("Sorry, you can't use that command outside office hours.");
reject;
}
accept;
}
Try running a few commands with pmrun. Change the parameters for timebetween to exclude the current time, and run one of the permitted commands. Privilege Manager for Unix should reject the request and print the message to your screen. You should only be able to run the permitted commands during the specified time period. Try running pmreplay to replay some of the logged csh or ksh sessions.
Similar to Example 6, the fragment below defines a variable to store a set of constraints (in this case, office hours) which may be used more than once in the configuration file. This saves you from typing the constraints each time you need to refer to them.
In the following example, there are two policies which depend on office hours. The first policy rejects Dan’s requests if they are made outside office hours. The second policy requires Robyn to type in her password if she makes a request outside regular office hours. Note that officehours is set to "true" if the time of the request falls between 8:00 a.m. and 5:00 p.m., Monday to Friday. It is "false" if it is not in that time frame.
officehours = timebetween(800, 1700) &&
dayname !in {"Sat", "Sun"};
adminusers={"dan", "robyn"};
adminprogs={"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};
if(user in adminusers && command in adminprogs)
{ runuser="root";
if(command in {"csh", "ksh"})
{ iolog=mktemp("/var/adm/pm." + user + "."
+ command + ".XXXXXX");
print("The command will be logged in:", iolog);
}
# Note how compact the following fragments are compared to
# example6.conf, referring to the "officehours" variable.
if(user=="dan" && !officehours)
{ print ("Sorry, you can't do that outside office hours.");
reject;
}
if(user=="robyn" && !officehours)
if(!getuserpasswd(user))
reject;
accept;
}
Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" and "robyn" with users from your site. Check the configuration file for errors with pmcheck. Then try to run commands with pmrun. For more information about using pmcheck, see Example 1: Basics.
