Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

Sample Policy Files

Electronic copies of the policy file samples used in each lesson are located in the /opt/quest/qpm4u/examples directory and they are reproduced for you in this section.

Main Policy Configuration File

##########################################################################
# Privilege Manager example configuration file
# Quest 2013
# Example File : pm.conf
#
# Establish which Lesson has been selected and include the appropriate file
# accordingly
##########################################################################
PMINST=getenv("INSTBASE","/opt/quest/qpm4u");
PMLESSON=atoi(getenv("LESSON","1"));
EXAMPLEDIR=PMINST + "/examples";
if (PMLESSON<1 || PMLESSON>11)
   { printf("Invalid lesson %i selected, resetting to Lesson 1\n",PMLESSON);
      PMLESSON=1;
   }
system("clear");
printf("Lesson %i is selected\n",PMLESSON);
# The lessons take a user from the environment so that
# none of the scripts require modification before use
# this is taken from the environment variable LESSON_USER
# Make sure that you have set this a valid user which will
# be used for the purposes of this series of lessons.
PMLESSON_USER=getenv("LESSON_USER","demo");
if (PMLESSON_USER=="")
   { print("No user has been specified, user 'demo' will be assumed\n");
   }
if (user!=PMLESSON_USER)
   { print("------------------------ WARNING ---------------------------");
     printf("Your currently logged in as %s\n",user);
     printf("Your selected user for the lessons is %s\n",PMLESSON_USER);
     printf("This may not be what you intended, try 'su %s'\n",PMLESSON_USER);
     print("-----------------------------------------------------------\n");
   }
PML=sprintf("%i",PMLESSON);
switch (PML)
   {
      case "1":
         { include EXAMPLEDIR + "/example1.conf";
           break;
         }
      case "2":
         { include EXAMPLEDIR + "/example2.conf";
           break;
         }
      case "3":
         { include EXAMPLEDIR + "/example3.conf";
           break;
         }
      case "4":
         { include EXAMPLEDIR + "/example4.conf";
           break;
         }
      case "5":
         { include EXAMPLEDIR + "/example5.conf";
           break;
         }
      case "6":
         { include EXAMPLEDIR + "/example6.conf";
           break;
         }
      case "7":
         { include EXAMPLEDIR + "/example7.conf";
           break;
         }
      case "8":
         { include EXAMPLEDIR + "/example8.conf";
           break;
         }
      case "9":
         { include EXAMPLEDIR + "/example9.conf";
           break;
         }
      case "10":
         { include EXAMPLEDIR + "/example10.conf";
           break;
         }
}

reject;

See Install the Example Policy File for details on installing the example policy file.

Lesson 1 Sample: Basic Policy

#=================================================================
# Privilege Manager example configuration file
# Quest 2013
#
# Example File : example1
#
# This file to have permissions of 600 (rw-------), and be owned by
# root.
#=================================================================
#=================================================================
print("-------------LESSON 1 DESCRIPTION---------------------------");
printf("Policy file %s/examples/example1.conf\n",PMINST);
print("-----------------------------------------------------------");
printf("This basic lesson uses a policy allowing users %s and
dan\n",PMLESSON_USER);
print("the rights to run any command as root.\n");
print("For example, to test this enter the command pmrun whoami");
print("which will return the value root as the logged in user.");
print("-----------------------------------------------------------");
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");
if (user=="dan" || user==PMLESSON_USER) {
   runuser="root";
   accept;
}
#=================================================================

See Lesson 1: Basic Policy for details on using this sample policy file.

Lesson 2 Sample: Conditional Privilege

#=================================================================
# Privilege Manager example configuration file
# Quest 2013
#
# Example File : example2
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
print("--------------- LESSON 2 DESCRIPTION ------------------");
printf("Policy file %s/examples/example2.conf\n",PMINST);
print("--------------------------------------------------------");
printf("This policy rejects attempts to run commands outside of normal\n");
printf("office hours for users %s and dan.\n",PMLESSON_USER);
print("Otherwise all commands will be run as root.\n");
print("Try running a few different programs like date, hostname");
print("and even your favourite shell (csh, bash, ksh)");
print("Try these with the time/date set both in and outside office hours");
print("Remember to prefix them with pmrun");
print("--------------------------------------------------------");
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");
#=================================================================
if (user=="dan" || user==PMLESSON_USER) {
   # Explicitly disallow commands run outside of regular office hours
   if(dayname=="Sat" || dayname=="Sun" || !timebetween(800,1700))
      reject;
   runuser = "root";
   accept;
}
#=================================================================

See Lesson 2: Conditional Privilege for details on using this sample policy file.

Related Documents