Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

Lesson 3 Sample: Specific Commands

#=================================================================
# Privilege Manager example configuration file
# Quest 2013
#
# Example File : example3
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
print("------------------ LESSON 3 DESCRIPTION ------------------------");
printf("Policy file %s/examples/example3.conf\n",PMINST);
print("--------------------------------------------------------");
printf("This policy allows users %s and dan to run *some* programs as
root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("--------------------------------------------------------");
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");
#=================================================================
if (user=="dan" || user==PMLESSON_USER)
   if (command == "ls" || command == "hostname" || command == "kill") {
      runuser = "root";
      accept;
   }
#=================================================================

See Lesson 3: Specific Commands for details on using this sample policy file.

Lesson 4 Sample: Policy Optimizations with List Variables

The Privilege Manager for Unix Security Policy > Policy Scripting Tutorial > Sample Policy Files > Lesson 4 Sample: Policy Optimizations with List Variables
#===================================================================
# Privilege Manager example configuration file
# Quest 2013
#
# Example File : example4
#
# This file should have permissions of 600 (rw-------).
# It must be owned by root.
#=========================================================================
print("------------------- LESSON 4 DESCRIPTION
-------------------------");
printf("Policy file %s/examples/example4.conf\n",PMINST);
print("------------------------------------------------------------------"
);
print("This lesson is identical to Lesson 3, but uses a different policy");
print("construct known as a list variable, making the policy simpler");
print("shorter and clearer to understand.");
print("Look at the policy files for lessons 3 & 4 and note the
differences.\n");
printf("This policy allows users %s, robyn and dan to run *some* programs as
root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("------------------------------------------------------------------"
);
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");

#=========================================================================
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill"};
if (user in adminusers || user==PMLESSON_USER)
   { if (command in adminprogs)
      { runuser = "root";
         accept;
      }
   }
#=========================================================================

See Lesson 4: Policy Optimization with List Variables for details on using this sample policy file.

Lesson 5 Sample: Keystroke Logging

#=================================================================
# Privilege Manager example configuration file
# Quest 2013
#
# Example File : example5
#
# This file should go in /etc/pm.conf with permissions of 600 (rw-------).
# It must be owned by root.
#=================================================================
print("---------------- LESSON 5 DESCRIPTION ------------------");
printf("Policy file %s/examples/example5.conf\n",PMINST);
print("--------------------------------------------------------");
print("This lesson introduces keystroke logging.");
printf("Users %s, robyn and dan are permitted to run everything as
root,\n",PMLESSON_USER);
print("but commands csh and ksh will be fully keystroke logged.");
print("This means that all I/O during these shell sessions will be logged.");
print("The log file is created with mktmp() and the name is displayed.");
print("The logfile will be something like pm.dan.ksh.a545456\n");
print("Look closely at Lesson 5 to see how logging is enabled.\n");
print("The log files can be replayed with the pmreplay utility.\n");
print("Don't forget to prefix commands with pmrun.");
print("--------------------------------------------------------");
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");
#=================================================================
adminusers = {"dan", "robyn"};
# Add the provided lesson user so they need not adjust the policy
adminusers = append(adminusers,PMLESSON_USER);
if (user in adminusers)
   { runuser = "root";
     if (command in {"csh", "ksh"})
         { iolog = mktemp("/usr/adm/pm." + user + "." + command + ".XXXXXX");
            iolog_opmax=10000
            print("This request will be logged in:", iolog);
         }
      accept;
   }
=================================================================

See Lesson 5: Keystroke Logging for details on using this sample policy file.

Lesson 6 Sample: Conditional Keystroke Logging

#=================================================================
# Privilege Manager example configuration file
# Quest 2013
#
# Example File : example6
#
# This file should go in /etc/pm.conf with permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
print("-------------- LESSON 6 DESCRIPTION --------------------");
os=osname();
printf("Policy file %s/examples/"+os+"/example6.conf\n",PMINST);
print("--------------------------------------------------------");
print("This lesson extends lesson 5 by adding some statements that cause");
printf("requests by %s, dan and robyn to be rejected if they arrive
outside\n",PMLESSON_USER);
print("of regular office hours (8AM until 5PM Monday to Friday).");
print("A message is printed to the user's screen if this happens.");
print("Once again examine the policy file, noting use of logical not
operator.");
print("Try altering the timebetween() and dayname tests and check the
results");
print("--------------------------------------------------------");
i=0;
while (i<argc)
   { printf("%s ",argv[i]); # Redisplay the original command line for clarity
      i=i+1;
   }
printf("\n");
#=================================================================
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"};
adminusers=append(adminusers,PMLESSON_USER); #Add the lesson user to list
if (user in adminusers && command in adminprogs)
   { runuser = "root";
      if (command in {"csh", "ksh"})
         { iolog = mktemp("/usr/adm/pm." + user + "." + command + ".XXXXXX");
            print("This command will be logged to:", iolog);
         }
      if (user in adminusers && (!timebetween(800,1700) || dayname in {"Sat",
"Sun"}))
         { print ("Sorry, you can't use that command outside office hours.");
            reject;
         }
         accept;
}
#=================================================================

See Lesson 6: Conditional Keystroke Logging for details on using this sample policy file.

Related Documents