
Safeguard for Sudo 2.0 - Administrators Guide


Configuration File Examples

The topics that follow walk you through some detailed examples of configuration file policy.

To install the configuration file examples on your machine

  1. Check out the policy file:
    # pmpolicy checkout -d /tmp/example
  2. Copy an example to the checkout directory and rename it to pm.conf:
    cp /opt/quest/qpm4u/examples/exampleX.conf /tmp/example/policy_pmpolicy/pm.conf

    where X is 1, 2, 3,...10.

  3. Edit the configuration file and change the user name to a user name on your machine.
    # vi /tmp/example/policy_pmpolicy/pm.conf
  4. Commit the changes and enter a commit log message:
    # pmpolicy commit -d /tmp/example
    ** Validate options                                                       [ OK ]
    ** Commit copy in directory:/tmp/example/policy_pmpolicy                 
    
       ** Check directory                                                     [ OK ]
       ** Perform syntax check                                                [ OK ]
       ** Verify files to commit                                              [ OK ]
       Please enter the commit log message: Changed user name
       ** Commit change from working copy                                     [ OK ]
       ** Committed revision 4
  5. Log in as the user name you specified and run a command with pmrun. For example:
    $ pmrun ls -l /tmp

Example 1: Basics

When you use pmrun to run a command, pmmasterd starts up and looks in the Privilege Manager configuration file for the conditions under which it should accept or reject the request.

The following configuration file fragment allows the Dan user to run programs as root:

if(user=="dan") {
   runuser="root";
   accept;
}

NOTE: Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager distribution directory. Replace "dan" with your own user name in quotes.

The syntax of the configuration language is similar to the C programming language:

  • Each statement ends with a ; (semicolon)
  • = assigns values to variables (single equals)
  • == compares values for equality (double equals)
  • ( ) enclose the conditional expressions in an if statement (parentheses)
  • { } group statements together (braces)
  • " " enclose strings (double quotes)
  • White space, tabs, and indentation are ignored

In the example above, the braces { } group the two statements that execute if the conditions in the if statement are met. The accept statement causes pmmasterd to accept the request, and asks pmlocald to run whatever command Dan requests as root.

Use the pmcheck program to check the example for errors. pmcheck gives you a line number and brief description for each error found.

NOTE: pmcheck assumes that the configuration file exists in /etc/opt/quest/qpm4u/policy/pm.conf unless you specify otherwise on the command line with a -f filename argument.

For example, if pmcheck finds a syntax error on line 2 of the configuration file, it prints out a message similar to the following:

% pmcheck
Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012
Parse error in "/etc/opt/quest/qpm4u/policy/pm.conf", line 1: syntax error near ';'
File /etc/opt/quest/qpm4u/policy/pm.conf contains 1 error.

If pmcheck finds no errors, it displays a message similar to this:

% pmcheck
Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012

File /etc/opt/quest/qpm4u/policy/pm.conf contains 0 errors.

Try running a few more commands, such as date, hostname, and your favorite shell (such as csh, sh, or ksh), by preceding the command with pmrun. For example:

# pmrun date

Example 2: Accept or Reject Requests

By default, pmmasterd rejects all requests. It only accepts requests if it reaches an accept statement after the appropriate conditions are met in the configuration file. When pmmasterd rejects a request, it does not run the requested program and it sends the user an explanatory message.

pmmasterd can also reject commands explicitly. The following fragment rejects Dan’s request to run commands outside of regular office hours:

if(user=="dan") {
   # Explicitly disallow commands run outside of
   # regular office hours
   if(dayname=="Sat" || dayname=="Sun" ||
      !timebetween(800,1700))
      reject;
   runuser="root";
   accept;
}

Once it reaches a reject statement, pmmasterd reads no further statements; the request ends as soon as it is rejected. Note that no braces { } enclose the reject statement, since it is the only statement that occurs inside the inner if statement. Note also the use of the || ("or") and ! ("not") operators in the if statement which translates as "if the current day is Saturday or Sunday, or if the current time is not between 8:00 a.m. and 5:00 p.m., then reject the request."

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager distribution directory. Replace "dan" with your own user name in quotes. Check the configuration file for errors with pmcheck. Then try to run commands with pmrun. (For more information about using pmcheck, see Example 1: Basics.)

Try changing the times passed to timebetween so that requests are accepted or rejected.

Example 3: Command Constraints

This configuration file fragment restricts the Dan user to running only certain programs (ls, hostname or kill) as root.

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager distribution directory. Replace "dan" with your own user name in quotes.

if (user=="dan")
   if(command=="ls" || command=="hostname" ||
      command=="kill") {
      runuser="root";
      accept;
   }

Check the configuration file for errors with pmcheck. (For more information about using pmcheck, see Example 1: Basics.) Try to run one of the programs permitted, then try something that will be rejected, such as:

pmrun mail
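The following fragment is an added example, not one of the guide's numbered examples: it combines the office-hours rule of Example 2 with the command list of Example 3 into one policy for dan, using only the variables, functions and statements the examples above already introduce.

```conf
# Added example (not from the guide): combine the office-hours rule of
# Example 2 with the command list of Example 3 for the user dan.
if (user=="dan") {
   # Time window first: a reject ends evaluation immediately, so no
   # later accept can be reached outside Mon-Fri 08:00-17:00.
   if (dayname=="Sat" || dayname=="Sun" || !timebetween(800,1700))
      reject;

   # Only these three programs may run as root.
   if (command=="ls" || command=="hostname" || command=="kill") {
      runuser="root";
      accept;
   }

   # Any other command (for example "mail") reaches no accept statement,
   # so pmmasterd applies its default and rejects the request.
}
```

Save it as pm.conf in the working copy from the procedure above and run pmcheck -f on that file before committing it with pmpolicy commit.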