yogesh09021983;12420 Wrote:
> Hi,
>
> I have created a rule in the Command Control. The pseudocode for the
> same is:
>
>     Begin Rule: Passwd Rule
>       If ((user IN Password Group) AND (command IN Password cmd))
>       Then
>         Set Authorize: yes
>         Set Session Capture: yes
>         Set runUser = "root"
>         Stop
>       End If
>     End Rule: Passwd Rule
>
> In my Password Group I have the following users:
>     netiq
>     net
>
> Now when I log in to my Linux machine and switch to the user "netiq"
> using the following command:
>
>     su netiq;
>
> Then I execute my command passwd as follows:
>
>     >usrun passwd;
>
> I am getting the following error:
>
>     /usr/bin/usrun:Permission denied
>
> Also, I have created many rules, and when executing any of them, I am
> getting the same "Permission denied" error.
>
> Please help.
>
> I am using the following Linux version:
>
>     CentOS release 5.7 (Final)
Can you create any rule and have it work? Does this rule work in other environments? I do not have an NPUM system nearby for testing but I would start by narrowing down the rule to make it simple and functional, then add bits until it breaks.
Good luck.
ab;12503 Wrote:
> Can you create any rule and have it work? Does this rule work in other
> environments? I do not have an NPUM system nearby for testing but I
> would start by narrowing down the rule to make it simple and functional,
> then add bits until it breaks.
>
> Good luck.
I have created many rules, but none of them is working. I have one Linux machine (running CentOS) on which I have installed the PUM agent, and I am executing my commands on the same machine.
Also, in the reports, the commands for the user are showing as not authorised.
With Command Control rules, we start at the top of the ruleset and run down through them until we match and/or are told what to do. For example, the options given when creating a rule are 'authorize, return, stop if authorized, stop if unauthorized'. In your example you said to "stop". Meaning if this is the first rule in your ruleset, nothing will EVER continue past this rule, as you've told Command Control to never continue past this rule. We start at the top and head down the 'rule tree' until we are told what to do.
    Begin Rule: Passwd Rule
      If ((user IN Password Group) AND (command IN Password cmd))
      Then
        Set Authorize: yes
        Set Session Capture: yes
        Set runUser = "root"
        STOP
      End If
    End Rule: Passwd Rule
Typically I'd choose the option of "stop if authorized" (instead of Stop). That way if we match on this rule, we authorize the rule, allow the command to run and stop searching through the rules for a match. If we don't match, then it allows the submitted command to run down through the rest of the rules you have created in an attempt to match.
Looking over your passwd rule I'm not sure it's going to do what you think it will.
If you typed 'usrun passwd' it's going to match on your rule, run the command as root and attempt to change root's password (which would be the same as logging in as root and then typing passwd).
With that being said, with a few changes I think you can have it do what you are wanting to do.
I created a rule that allows you to run 'usrun passwd <user>'
    #without npum
    yogesh@host1:~> passwd jim
    You cannot change the shadow data for `jim'.

    #with pum - using the rules below
    yogesh@host1:~> usrun passwd jim
    Changing password for jim.
    New Password:
    Reenter New Password:
    Password changed.
I've created a very simple rule set that you can import and play with. Please do the following: Framework GUI | Command Control | from the left nav, select Backup and Restore. Type in a name for your backup and then click 'Backup' (this will back up your existing rules).
Next from the Command Control console, from the left nav, select 'Import Settings', then copy and paste the below export. The export includes a single rule that allows the user 'yogesh' that is part of the "Password Group" to run the passwd command as root.
I've also created a test suite that can be used to validate your rules. In this case I created 3 test cases. See the documentation for more info on the test suite.
However, here is how you access and use it: Home | Command Control | from the left nav, Test Suites.
There is one Test Suite called 'Passwd' which contains 3 test cases. These test cases are run against the current rules to see if they match. All three should run; however, the 3rd test case should not authorize, because the submit user 'Deni' is not part of the "Password Group". The test will say it succeeded, but that is because I said I expected the 'Deni' test case to fail. The Test Suite is a great way to validate the rules you are creating: it allows you to test them and confirm they are matching the rule you think they should be.
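The post above describes how Command Control walks the ruleset top-down and how the stop options change what happens when a rule does or does not match, and it warns that a rule authorizing a bare `passwd` run as root would change root's password. The following is an added toy model of that walk, written for this page and not NPUM's own engine or code from any of the posters. Its rule conditions, the extra "Read-only tools" rule, the user names and the exact behaviour of a plain STOP on a rule whose condition did not match are all assumptions of the model, chosen to mirror the three test cases the poster describes.

```python
"""Toy model of top-down Command Control rule evaluation.

Constructed illustration, not NPUM's engine: rules are walked from the
top; a rule whose condition matches sets the result and then decides,
via its stop mode, whether evaluation continues to later rules.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Stop modes named in the thread. ASSUMPTION of this model: a rule with
# plain STOP halts the walk as soon as it is reached, matched or not,
# which is the reading the poster gives for a STOP rule at the top.
STOP, STOP_IF_AUTHORIZED, STOP_IF_UNAUTHORIZED, CONTINUE = (
    "stop", "stop if authorized", "stop if unauthorized", "continue")


@dataclass
class Request:
    user: str
    argv: List[str]          # e.g. ["passwd", "jim"]


@dataclass
class Decision:
    authorized: bool = False
    run_user: Optional[str] = None
    capture: bool = False
    matched: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    authorize: bool
    stop: str
    run_user: Optional[str] = None
    capture: bool = False


def evaluate(rules: List[Rule], req: Request) -> Decision:
    """Walk the rules top-down; the default outcome is 'not authorized'."""
    d = Decision()
    for r in rules:
        hit = r.condition(req)
        if hit:
            d.matched.append(r.name)
            d.authorized = r.authorize
            d.run_user = r.run_user
            d.capture = r.capture
        if r.stop == STOP:                       # unconditional: nothing below is seen
            break
        if hit and r.stop == STOP_IF_AUTHORIZED and d.authorized:
            break
        if hit and r.stop == STOP_IF_UNAUTHORIZED and not d.authorized:
            break
    return d


# Constructed sample data: the group members named in the thread.
PASSWORD_GROUP = {"netiq", "net", "yogesh"}


def passwd_for_other_user(req: Request) -> bool:
    """Match 'passwd <user>' only (hypothetical tightening of 'Password cmd').

    Requiring an explicit target means a bare 'passwd', which once run as
    root would change root's own password, does not match this rule.
    """
    return (req.user in PASSWORD_GROUP
            and len(req.argv) == 2
            and req.argv[0] == "passwd"
            and req.argv[1] != "root")


PASSWD_RULE = Rule("Passwd Rule", passwd_for_other_user,
                   authorize=True, stop=STOP_IF_AUTHORIZED,
                   run_user="root", capture=True)

# Hypothetical later rule: the walk should still reach it whenever
# Passwd Rule does not match, which plain STOP on Passwd Rule would prevent.
LS_RULE = Rule("Read-only tools", lambda r: r.argv[:1] == ["ls"],
               authorize=True, stop=STOP_IF_AUTHORIZED)

RULESET = [PASSWD_RULE, LS_RULE]

if __name__ == "__main__":
    for req in (Request("yogesh", ["passwd", "jim"]),   # authorized, as root
                Request("yogesh", ["passwd"]),          # falls through, denied
                Request("Deni", ["passwd", "jim"]),     # not in group, denied
                Request("Deni", ["ls"])):               # reaches rule 2
        d = evaluate(RULESET, req)
        print(req.user, req.argv, "->",
              "authorized" if d.authorized else "denied",
              "as", d.run_user, "via", d.matched)
```

Swapping `STOP_IF_AUTHORIZED` for `STOP` on `PASSWD_RULE` in the model shows the difference the poster describes: `Deni ls` is then denied without `Read-only tools` ever being evaluated, because the walk halts at the first rule whether or not it matched.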
yogesh09021983;12561 Wrote:
> Hi,
>
> I have created many rules, but none of them is working. I have one Linux
> machine (running CentOS) on which I have installed the PUM agent, and I
> am executing my commands on the same machine.
>
> Also, in the reports, the commands for the user are showing as not
> authorised.
>
> Regards,