Chat now with support
Chat with Support

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Lesson 2 Sample: Conditional privilege

#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example2
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
print("--------------- LESSON 2 DESCRIPTION ------------------");
printf("Policy file %s/examples/example2.conf\n",PMINST);
print("--------------------------------------------------------");
printf("This policy rejects attempts to run commands outside of normal\n");
printf("office hours for users %s and dan.\n",PMLESSON_USER);
print("Otherwise all commands will be run as root.\n");
print("Try running a few different programs like date, hostname");
print("and even your favourite shell (csh, bash, ksh)");
print("Try these with the time/date set both in and outside office hours");
print("Remember to prefix them with pmrun");
print("--------------------------------------------------------");
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");
#=================================================================
if (user=="dan" || user==PMLESSON_USER) {
   # Explicitly disallow commands run outside of regular office hours
   if(dayname=="Sat" || dayname=="Sun" || !timebetween(800,1700))
      reject;
   runuser = "root";
   accept;
}
#=================================================================

For details on using this sample policy file, see Lesson 2: Conditional privilege.

Lesson 3 Sample: Specific commands

#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example3
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
print("------------------ LESSON 3 DESCRIPTION ------------------------");
printf("Policy file %s/examples/example3.conf\n",PMINST);
print("--------------------------------------------------------");
printf("This policy allows users %s and dan to run *some* programs as
root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("--------------------------------------------------------");
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");
#=================================================================
if (user=="dan" || user==PMLESSON_USER)
   if (command == "ls" || command == "hostname" || command == "kill") {
      runuser = "root";
      accept;
   }
#=================================================================

For details on using this sample policy file, see Lesson 3: Specific commands.

Lesson 4 Sample: Policy optimizations with list variables

#===================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example4
#
# This file should have permissions of 600 (rw-------).
# It must be owned by root.
#=========================================================================
print("------------------- LESSON 4 DESCRIPTION
-------------------------");
printf("Policy file %s/examples/example4.conf\n",PMINST);
print("------------------------------------------------------------------"
);
print("This lesson is identical to Lesson 3, but uses a different policy");
print("construct known as a list variable, making the policy simpler");
print("shorter and clearer to understand.");
print("Look at the policy files for lessons 3 & 4 and note the
differences.\n");
printf("This policy allows users %s, robyn and dan to run *some* programs as
root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("------------------------------------------------------------------"
);
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");

#=========================================================================
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill"};
if (user in adminusers || user==PMLESSON_USER)
   { if (command in adminprogs)
      { runuser = "root";
         accept;
      }
   }
#=========================================================================

For details on using this sample policy file, see Lesson 4: Policy optimization with list variables.

Lesson 5 Sample: Keystroke logging

#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example5
#
# This file should go in /etc/pm.conf with permissions of 600 (rw-------).
# It must be owned by root.
#=================================================================
print("---------------- LESSON 5 DESCRIPTION ------------------");
printf("Policy file %s/examples/example5.conf\n",PMINST);
print("--------------------------------------------------------");
print("This lesson introduces keystroke logging.");
printf("Users %s, robyn and dan are permitted to run everything as
root,\n",PMLESSON_USER);
print("but commands csh and ksh will be fully keystroke logged.");
print("This means that all I/O during these shell sessions will be logged.");
print("The log file is created with mktmp() and the name is displayed.");
print("The logfile will be something like pm.dan.ksh.a545456\n");
print("Look closely at Lesson 5 to see how logging is enabled.\n");
print("The log files can be replayed with the pmreplay utility.\n");
print("Don't forget to prefix commands with pmrun.");
print("--------------------------------------------------------");
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");
#=================================================================
adminusers = {"dan", "robyn"};
# Add the provided lesson user so they need not adjust the policy
adminusers = append(adminusers,PMLESSON_USER);
if (user in adminusers)
   { runuser = "root";
     if (command in {"csh", "ksh"})
         { iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
            iolog_opmax=10000
            print("This request will be logged in:", iolog);
         }
      accept;
   }
=================================================================

For details on using this sample policy file, see Lesson 5: Keystroke logging.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating