
Safeguard for Sudo 2.0 - Administrators Guide


Policy Scripting Tutorial

This section introduces the basics of policy scripting through a series of seven semi-interactive lessons. Before you begin, note that Quest assumes that you:

  • have Privilege Manager for Unix installed successfully
  • are running Privilege Manager with the pmpolicy type

    (See Security Policy Types for more information about the pmpolicy type.)

The first seven lessons introduce you to some of the simpler constructs and capabilities of Privilege Manager's policies. Each lesson is designed to allow you to run the policy files on your own test system, with minimal changes, enabling you to learn the basics of policy scripting quickly.

Following the seven basic lessons are three advanced lessons designed to extend your knowledge and understanding of creating policies.

Getting Started

Before you start the lessons

  1. Install the example policy file
  2. Create test users
  3. Set the Lesson Number variable

Install the Example Policy File

Before you start the lessons, you must install the example policy file. This procedure has you create a temporary directory and then use the checkout sub-command of the pmpolicy command to check out the current policy into that directory.

To install the main example policy file

  1. Create a temporary directory:
    # mkdir /tmp/policy
  2. Checkout the current policy:
    # /opt/quest/sbin/pmpolicy checkout -d /tmp/policy
    ** Validate options                                [ OK ] 
    ** Checkout to /tmp/policy/policy_pmpolicy 
    ** Create directory                                [ OK ] 
    ** Check out working copy                          [ OK ] 
    ** Copy files                                      [ OK ] 
    ** Perform syntax check                            [ OK ]
  3. Change to the temporary directory:
    # cd /tmp/policy/policy_pmpolicy
  4. Run the pmpolicy masterstatus command and note the current revision number.
    # pmpolicy masterstatus 
    ** Validate options                                [ OK ] 
    ** Report details of production copy 
    ** Check out working copy (HEAD revision)          [ OK ] 
    ** Check if directory contains a working copy      [ OK ] 
       - Directory contains an svn working copy:/var/opt/quest/qpm4u/pmpolicy/.scratch/._29076 
    ** Check current status of working copy            [ OK ] 
    ** Report details of production copy               [ OK ] 
       - Production Policy File                  : /etc/opt/quest/qpm4u/policy/pm.conf 
       - Checked out at                          : 2012-11-30 16:23 
       - Current Revision                        : 1 
       - Latest Trunk Revision                   : 1 
       - Locally modified                        : NO 
  5. Copy the main example policy into place:

    # cp /opt/quest/qpm4u/examples/pm.conf pm.conf 
    cp: overwrite `pm.conf'? y

    NOTE: Privilege Manager uses this main policy file to drive the lessons.

    The other sample policy files for the lessons are also in the examples directory:

    /opt/quest/qpm4u/examples/example1.conf 
    /opt/quest/qpm4u/examples/example2.conf 
    /opt/quest/qpm4u/examples/example3.conf 
    /opt/quest/qpm4u/examples/example4.conf 
    /opt/quest/qpm4u/examples/example5.conf 
    /opt/quest/qpm4u/examples/example6.conf 
    /opt/quest/qpm4u/examples/example7.conf 
    /opt/quest/qpm4u/examples/example8.conf 
    /opt/quest/qpm4u/examples/example9.conf 
    /opt/quest/qpm4u/examples/example10.conf
  6. Use the commit sub-command to start using the policy:
    # pmpolicy commit -d /tmp/policy
    ** Validate options                                               [ OK ] 
    ** Commit copy in directory:/tmp/policy/policy_pmpolicy 
    ** Check directory                                                [ OK ] 
    ** Perform syntax check                                           [ OK ] 
    ** Verify files to commit                                         [ OK ] 
    Please enter the commit log message:                  example pm.conf 
    ** Commit change form working copy                                [ OK ] 
    ** Committed revision 2
  7. When you are finished with the examples, restore the original main policy file by reverting to the revision you noted in step 4:
    # pmpolicy revert -r 1 
    ** Validate options                                               [ OK ] 
    ** Revert to revision:1 
    ** Check out working copy (trunk revision)                        [ OK ] 
    ** Check out working copy (revision 1)                            [ OK ] 
    ** Check required revision                                        [ OK ] 
    ** Get file list for trunk                                        [ OK ] 
    ** Get file list for selected revision                            [ OK ] 
    ** Copy file:pm.conf                                              [ OK ] 
    ** Perform syntax check                                           [ OK ] 
    ** Verify files to commit                                         [ OK ] 
    Please enter the commit log message: revert to original 
    ** Commit change from working copy                                [ OK ] 
    ** Committed revision 3
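
The checkout, copy, commit and revert steps above, wrapped in a small POSIX shell script. This is an added example, not Quest's own tooling: it uses the paths shown on the page, keeps the revision to revert to in /tmp/policy/pre-lesson-revision (a location chosen here), and exercises its parsing of the masterstatus report against a constructed sample copied from step 4.

```shell
#!/bin/sh
# Added example (not Quest's code): automates steps 1-6 above and remembers
# the pre-change revision for the revert in step 7. Paths are from the page;
# PM_REV_FILE is an assumed location chosen here.
PMPOLICY=/opt/quest/sbin/pmpolicy
EXAMPLE_CONF=/opt/quest/qpm4u/examples/pm.conf
WORKDIR=/tmp/policy
PM_REV_FILE=/tmp/policy/pre-lesson-revision

# Constructed sample of `pmpolicy masterstatus` output (values as on the page),
# so the parsing helpers can be exercised without the tool installed.
SAMPLE_STATUS='** Report details of production copy               [ OK ]
   - Production Policy File                  : /etc/opt/quest/qpm4u/policy/pm.conf
   - Checked out at                          : 2012-11-30 16:23
   - Current Revision                        : 1
   - Latest Trunk Revision                   : 1
   - Locally modified                        : NO'

# status_field LABEL TEXT: print the value of the "- LABEL : value" line.
status_field() {
    printf '%s\n' "$2" | sed -n "s/^ *- $1 *: *\(.*\)$/\1/p" | sed 's/ *$//'
}

# pre_change_revision TEXT: print the current revision; fail if not numeric.
pre_change_revision() {
    rev=$(status_field 'Current Revision' "$1")
    case "$rev" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$rev"
}

# Steps 1-6, with two guards: refuse to commit over a working copy that
# already has local edits, and save the revision the revert must target.
install_example_policy() {
    mkdir -p "$WORKDIR"
    "$PMPOLICY" checkout -d "$WORKDIR"
    status=$(cd "$WORKDIR/policy_pmpolicy" && "$PMPOLICY" masterstatus)
    if [ "$(status_field 'Locally modified' "$status")" != "NO" ]; then
        echo "production working copy has local changes; aborting" >&2
        return 1
    fi
    pre_change_revision "$status" > "$PM_REV_FILE"
    cp "$EXAMPLE_CONF" "$WORKDIR/policy_pmpolicy/pm.conf"
    "$PMPOLICY" commit -d "$WORKDIR"
}

# Step 7: revert to the revision recorded before the example was committed.
revert_example_policy() {
    (cd "$WORKDIR/policy_pmpolicy" && "$PMPOLICY" revert -r "$(cat "$PM_REV_FILE")")
}
```

Source the script and call install_example_policy before the lessons and revert_example_policy afterwards; both run pmpolicy interactively, so you are still prompted for the commit log message.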

See Main Policy Configuration File to see the example policy file used in these lessons.

Create Test Users

For each lesson in this hands-on tutorial, you are required to log on as root and then switch to a test user. Then, at the conclusion of each lesson, switch back to root to get ready to start the next lesson.

To work through these lessons, you need to create users called demo, dan and robyn on your test system, as the policy file is based around these default users.

To create the test users

  1. Log in to your test system as the root user.
  2. Create the demo, dan and robyn test users to use during the lessons.

Set Lesson Number Variable

Lessons 1-10 are controlled by an environment variable called LESSON. Set this to a number in the range 1 through 6, using the following command:

LESSON=1; export LESSON

The main policy file, pm.conf, reads the LESSON and LESSON_USER environment variables and assigns their values to the PMLESSON and PMLESSON_USER policy variables, respectively.

The following example instructs you to execute a fictitious command, fred, under Lesson 1.

You use the pmrun command to submit commands to Privilege Manager. Try entering fred using pmrun.

To enter a fictitious command

  1. At the command line, run:
    # su demo 
    $ pmrun fred
    Lesson 1 is selected 
    -------------LESSON 1 DESCRIPTION--------------------------- 
    Policy file /opt/quest/pm4u/examples/linux-intel/example1.conf 
    ------------------------------------------------------------ 
    This basic lesson uses a policy allowing users dan and demo 
    the rights to run any command as root. 
    For example, to test this, enter the command pmrun whoami 
    which will return the value root as the logged in user. 
    ----------------------------------------------------------- 
    fred 
    3201.063 Exec of fred failed: Command not found

As you can see, the policy reports which lesson is selected and the path to the policy file that contains that lesson's fragment. Note that the request itself was accepted: the policy allowed demo to run the command, and the failure reported afterwards comes from the exec of a non-existent command, not from a policy denial.

The policy files are reproduced in Sample Policy Files for your reference, but you are encouraged to look at the digital copies of these files and experiment with the constructs that they contain once you have completed the lessons.
