Lesson 2 Sample: Conditional privilege
#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example2
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
print("--------------- LESSON 2 DESCRIPTION ------------------");
printf("Policy file %s/examples/example2.conf\n",PMINST);
print("--------------------------------------------------------");
printf("This policy rejects attempts to run commands outside of normal\n");
printf("office hours for users %s and dan.\n",PMLESSON_USER);
print("Otherwise all commands will be run as root.\n");
print("Try running a few different programs like date, hostname");
print("and even your favourite shell (csh, bash, ksh)");
print("Try these with the time/date set both in and outside office hours");
print("Remember to prefix them with pmrun");
print("--------------------------------------------------------");
i=0;
while (i<argc)
{ printf("%s ",argv[i]); # Redisplay the original command line for clarity
i=i+1;
}
printf("\n");
#=================================================================
if (user=="dan" || user==PMLESSON_USER) {
# Explicitly disallow commands run outside of regular office hours
if(dayname=="Sat" || dayname=="Sun" || !timebetween(800,1700))
reject;
runuser = "root";
accept;
}
#=================================================================
See Lesson 2: Conditional privilege for details on using this sample policy file.
Lesson 3 Sample: Specific commands
#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example3
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
print("------------------ LESSON 3 DESCRIPTION ------------------------");
printf("Policy file %s/examples/example3.conf\n",PMINST);
print("--------------------------------------------------------");
printf("This policy allows users %s and dan to run *some* programs as
root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("--------------------------------------------------------");
i=0;
while (i<argc)
{ printf("%s ",argv[i]); # Redisplay the original command line for clarity
i=i+1;
}
printf("\n");
#=================================================================
if (user=="dan" || user==PMLESSON_USER)
if (command == "ls" || command == "hostname" || command == "kill") {
runuser = "root";
accept;
}
#=================================================================
See Lesson 3: Specific commands for details on using this sample policy file.
Lesson 4 Sample: Policy optimizations with list variables
#===================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example4
#
# This file should have permissions of 600 (rw-------).
# It must be owned by root.
#=========================================================================
print("------------------- LESSON 4 DESCRIPTION
-------------------------");
printf("Policy file %s/examples/example4.conf\n",PMINST);
print("------------------------------------------------------------------"
);
print("This lesson is identical to Lesson 3, but uses a different policy");
print("construct known as a list variable, making the policy simpler");
print("shorter and clearer to understand.");
print("Look at the policy files for lessons 3 & 4 and note the
differences.\n");
printf("This policy allows users %s, robyn and dan to run *some* programs as
root.\n",PMLESSON_USER);
print("Otherwise all other commands will be rejected.\n");
print("The permitted commands are kill, ls and hostname.");
print("Try running a few different programs and see what happens.");
print("Again, remember to prefix them with pmrun.");
print("------------------------------------------------------------------"
);
i=0;
while (i<argc)
{ printf("%s ",argv[i]); # Redisplay the original command line for clarity
i=i+1;
}
printf("\n");
#=========================================================================
adminusers = {"dan", "robyn"};
adminprogs = {"ls", "hostname", "kill"};
if (user in adminusers || user==PMLESSON_USER)
{ if (command in adminprogs)
{ runuser = "root";
accept;
}
}
#=========================================================================
See Lesson 4: Policy optimization with list variables for details on using this sample policy file.
Lesson 5 Sample: Keystroke logging
#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example5
#
# This file should go in /etc/pm.conf with permissions of 600 (rw-------).
# It must be owned by root.
#=================================================================
print("---------------- LESSON 5 DESCRIPTION ------------------");
printf("Policy file %s/examples/example5.conf\n",PMINST);
print("--------------------------------------------------------");
print("This lesson introduces keystroke logging.");
printf("Users %s, robyn and dan are permitted to run everything as
root,\n",PMLESSON_USER);
print("but commands csh and ksh will be fully keystroke logged.");
print("This means that all I/O during these shell sessions will be logged.");
print("The log file is created with mktmp() and the name is displayed.");
print("The logfile will be something like pm.dan.ksh.a545456\n");
print("Look closely at Lesson 5 to see how logging is enabled.\n");
print("The log files can be replayed with the pmreplay utility.\n");
print("Don't forget to prefix commands with pmrun.");
print("--------------------------------------------------------");
i=0;
while (i<argc)
{ printf("%s ",argv[i]); # Redisplay the original command line for clarity
i=i+1;
}
printf("\n");
#=================================================================
adminusers = {"dan", "robyn"};
# Add the provided lesson user so they need not adjust the policy
adminusers = append(adminusers,PMLESSON_USER);
if (user in adminusers)
{ runuser = "root";
if (command in {"csh", "ksh"})
{ iolog = mktemp("/var/adm/pm." + user + "." + command + ".XXXXXX");
iolog_opmax=10000
print("This request will be logged in:", iolog);
}
accept;
}
=================================================================
See Lesson 5: Keystroke logging for details on using this sample policy file.
