How can I restrict editing of a text (.txt) file


Hi All,

I am new to NPUM and I need help. Please guide me on how I can
restrict a text (.txt) file from being edited.
And I have one more question to begin with: which operating system is
best for the agent?

Thanks in advance.
Any help would be appreciated.


--
Rizwan_ahmed
------------------------------------------------------------------------
Rizwan_ahmed's Profile: https://forums.netiq.com/member.php?userid=4224
View this thread: https://forums.netiq.com/showthread.php?t=46722

  • Bonus of being at BrainShare: I asked a developer to confirm my belief.

    Privileged User Manager (PUM) has a feature called (as I recall) EAC which
    lets you set up granular policies controlling PUM as a whole. The docs
    talk about this, but if you cannot use those to get it working, then let us
    know what you try with it and what happens and we can try to help with
    specifics.

    Good luck.

  • Hi Novell

    Thanks for your reply.
    Sorry, my question has changed a little bit: I also want to prevent the
    text file in a specific directory from being opened.
    I have created a rule to restrict the user from opening the directory in
    which I have the text file.

    My EAC rule looks like this:

    Begin Rule: EAC Rule
    If ((command IN cpcksh))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Run Script: Enhanced Access Control Policy(policyath default
    log:allpath /data/private/** !all:log=9)
    Stop if authorized
    End If
    End Rule: EAC Rule

    Let's say I don't want any user to see the private directory,
    but this rule didn't work for me.
    When I open the private folder, it can't stop the user from opening the
    private directory.
    Please help me out;
    it would be great for us.
    Thanks in advance


    --
    Rizwan_ahmed


  • Hi Novell

    Please, it's urgent.

    Thanks.


    --
    Rizwan_ahmed
    ------------------------------------------------------------------------
    Rizwan_ahmed's Profile: https://forums.netiq.com/member.php?userid=4224
    View this thread: https://forums.netiq.com/showthread.php?t=46722


  • I'd suggest if you are needing urgent help, to contact Technical
    Support. Remember, we're all volunteers here. :)

    With that being said, here is my answer:

    It looks like you have a syntax issue with your script argument.

    Edit the script argument and make the changes below:

    Name: policy
    Value: path default all:log
    path /data/private/** !all:log=9

    Here is what the proper pseudocode would look like:

    Begin Rule: cpcksh
    If ((command IN Cpcksh shell login))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Run Script: Enhanced Access Control Policy(policy:path default
    all:logpath /data/private/** !all:log=9)
    Stop if authorized
    End If
    End Rule: cpcksh

    Testing rule:

    I log in with 'jim' whose shell is '/usr/bin/cpcksh' in /etc/passwd

    ssh jim@sd200
    Password:
    Last login: Fri Feb 8 08:46:37 2013 from sd.site
    $ whoami
    jim
    $ pwd
    /home/jim
    $ cd /data
    $ pwd
    /data
    $ ls -hal
    ls: cannot access private: Permission denied
    total 92K
    drwxr-xr-x 21 root root 4.0K Feb 8 08:51 .
    drwxr-xr-x 28 root root 4.0K Jan 10 15:56 ..
    d????????? ? ? ? ? ? private
    drwxr-xr-x 2 jim users 4.0K Feb 8 08:51 public
    $ cd private
    pcksh: cd: /data/private - Permission denied


    Hope this helps.

    -deni


    --
    deni


  • Hi Brett

    Thanks for your precious time.
    I have tried the rule which you mentioned, like:
    Begin Rule: cpcksh
    If ((command IN Cpcksh shell login))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Run Script: Enhanced Access Control Policy(policy:path default
    all:logpath /data/private/** !all:log=9)
    Stop if authorized
    End If
    End Rule: cpcksh

    And I log in with riz, whose shell is '/usr/bin/cpcksh' in /etc/passwd:
    riz:x:504:504:rizwan:/home/riz:/usr/bin/cpcksh (I took this from the
    passwd file located at /etc/passwd).

    When I logged in with user riz, testing:
    [root@Prum Desktop]# su - riz
    $ whoami
    riz
    $ pwd
    /home/riz
    $ cd /data
    $ pwd
    /data
    $ ls -hal
    total 12K
    drwxr-xr-x 3 riz riz 4.0K Feb 7 19:05 .
    dr-xr-xr-x. 29 root root 4.0K Feb 11 14:19 ..
    drwxr-xr-x 2 root root 4.0K Feb 8 18:09 private
    $ ls
    private
    $

    But I am unable to restrict the private directory.
    Kindly help me out.
    Again, thanks for your help.

    Regards
    Rizwan


    --
    Rizwan_ahmed


  • Rizwan,

    What version of NPUM is installed and on what platform? I'd recommend
    using NPUM 2.3.2 (available here:
    http://download.novell.com/Download?buildid=_FbnqCDhPvs~ ). There were
    numerous updates to Enhanced Access Control in NPUM 2.3.2.

    Also, add the following, ${Options.policy}$, to the 'User Message' of the
    rule.

    After adding the above to the user message, each time the user logs in
    it should display the policy.

    For example:

    ssh jim@sd200
    Password:
    Last login: Mon Feb 11 08:53:26 2013 from sd.site
    path default all:log
    path /data/private/** !all:log=9


    Also, after logging in, do the following:

    env | grep ccpreload*

    In my environment, I see the following:

    $ env | grep ccpreload*
    LD_PRELOAD=ccpreload-elf64.so



    - deni


    --
    deni


  • Hello Brett

    I am using NPUM 2.3.2 on Linux 6.2 64-bit.
    I have two agents: one is installed on the same machine where I have the
    Framework Manager and the other is on a different machine.
    I am trying all these things with the agent which I have installed on the
    machine where I have the Framework Manager, and also on the other agent.

    I have checked the things you mentioned,
    like adding ${Options.policy}$ in the user message.
    I have added this, but when I logged in it didn't show me the policy.

    When I execute the command env | grep ccpreload* it shows me nothing.

    I have also noticed that when I log in with user riz, whose shell is
    '/usr/bin/cpcksh', using a terminal in Linux, I see the following lines
    in the log file unifid.log:
    [root@prum Desktop]su - riz
    Tue Feb 12 11:49:11 2013, 72, 2853697280, 13783, Info, auth renew
    client:localhost rc:0 status:0 (2ms)
    Tue Feb 12 11:49:14 2013, 146, 2861065984, 13783, Info, cmdctrl request
    accepted for '-cpcksh' from riz@prum as riz@prum
    Tue Feb 12 11:49:14 2013, 147, 2861065984, 13783, Info, cmdctrl
    checkAuth client:prum rc:0 status:0 (2ms)
    Tue Feb 12 11:49:14 2013, 156, 2866390784, 13783, Info, rexec
    executeCommand client:prum rc:0 status:0() (7ms)

    But when I log in from System-->Log Out root-->Switch user,
    I see these lines in the unifid.log file:
    Tue Feb 12 11:48:34 2013, 46, 2861065984, 13783, Info, cmdctrl request
    denied for 'cpcksh -c gnome-session' from riz@prum
    Tue Feb 12 11:48:34 2013, 58, 2861065984, 13783, Info, cmdctrl checkAuth
    client:prum rc:0 status:0 (14ms)

    I don't know what I am doing wrong.
    I have tried every possibility, according to my knowledge, to help
    myself out,
    but I am unable to resolve it.
    Brett, a bundle of thanks for your kind help.

    Regards
    Rizwan


    --
    Rizwan_ahmed

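Added example (not from the thread and not NPUM code): a small Python parser for unifid.log lines in the shape quoted above, which separates the cmdctrl request decisions (accepted vs denied) from the auth renew / checkAuth lines, so a reviewer can see at a glance which command was denied for which user. The sample lines are constructed from the ones quoted in the thread; the meaning of the three numeric fields after the timestamp is not given in the thread and is not interpreted here.

```python
import re
from collections import Counter

# Constructed sample, shaped like the unifid.log lines quoted in the thread.
SAMPLE_LOG = """\
Tue Feb 12 11:49:11 2013, 72, 2853697280, 13783, Info, auth renew client:localhost rc:0 status:0 (2ms)
Tue Feb 12 11:49:14 2013, 146, 2861065984, 13783, Info, cmdctrl request accepted for '-cpcksh' from riz@prum as riz@prum
Tue Feb 12 11:49:14 2013, 147, 2861065984, 13783, Info, cmdctrl checkAuth client:prum rc:0 status:0 (2ms)
Tue Feb 12 11:48:34 2013, 46, 2861065984, 13783, Info, cmdctrl request denied for 'cpcksh -c gnome-session' from riz@prum
"""

# One unifid.log line: timestamp, three numeric fields (meaning assumed opaque), level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}), (?P<n1>\d+), (?P<n2>\d+), (?P<n3>\d+), "
    r"(?P<level>\w+), (?P<msg>.*)$"
)
# The cmdctrl decision: accepted/denied, the command, the requesting user@host and,
# on accepted requests only (as seen in the thread), the "as user@host" it runs as.
REQ_RE = re.compile(
    r"cmdctrl request (?P<decision>accepted|denied) for '(?P<cmd>[^']*)' "
    r"from (?P<user>[^@\s]+)@(?P<host>\S+)(?: as (?P<run_as>\S+))?$"
)


def parse_requests(text):
    """Return one dict per cmdctrl request decision found in unifid.log text."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a unifid.log record
        r = REQ_RE.search(m.group("msg"))
        if not r:
            continue  # auth renew / checkAuth / rexec lines carry no decision
        rec = {"ts": m.group("ts"), "level": m.group("level")}
        rec.update(r.groupdict())
        out.append(rec)
    return out


def denied_commands(text):
    """Count denied commands per requesting user@host (e.g. the gnome-session denial)."""
    counts = Counter()
    for rec in parse_requests(text):
        if rec["decision"] == "denied":
            counts[(rec["user"] + "@" + rec["host"], rec["cmd"])] += 1
    return counts


if __name__ == "__main__":
    for rec in parse_requests(SAMPLE_LOG):
        print(rec["ts"], rec["decision"], repr(rec["cmd"]), rec["user"] + "@" + rec["host"])
    print(dict(denied_commands(SAMPLE_LOG)))
```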

  • Rizwan,

    I'm trying to duplicate your issue but can't. It appeared you were
    logged in as root, then 'su - <username>' which I did below.

    ssh root@sd200
    Password:
    Last login: Tue Feb 12 08:32:19 2013 from sd.site
    sd200:~ # su - jim
    path default all:log
    path /data/private/** !all:log=9

    Directory: /home/jim
    Tue Feb 12 08:34:11 MST 2013
    $


    <snippet of log files>
    Tue Feb 12 08:34:11 2013, 584, 1127331584, 8750, Info, cmdctrl request
    accepted for '-cpcksh' from jim@sd200 as jim@sd200
    Tue Feb 12 08:34:11 2013, 585, 1127331584, 8750, Info, cmdctrl checkAuth
    client:sd200 rc:0 status:0 (7ms)
    Tue Feb 12 08:34:11 2013, 590, 1127331584, 8750, Info, rexec
    executeCommand client:sd200 rc:0 status:0() (3ms)

    This may be a policy issue. Can you export your policy via Home |
    Command Control | Export Settings | Copy and paste the exported policy
    into a txt file and email it to me brett at novell dot com.

    Thanks,

    -deni


    --
    deni


  • Hello Brett

    I have mailed you the policy. The subject of the mail is "Policy Of
    Restrict The Directory Access".
    First I logged in as root, then su - riz, whose login shell is
    '/usr/bin/cpcksh'.
    I have made a rule for the cpcksh shell and it works fine. I don't know
    why I am unable to restrict the directory access.


    Thanks for your precious time

    Best Regards
    Rizwan


    --
    Rizwan_ahmed