Restrict Root user to Shutdown or kill a process


I need to restrict root user to shutdown their operating system. i have
made a rule

Begin Rule: Shutdown Rule
If ((user IN shutdown and kill group) AND (command IN shutdown command
with any argument))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Stop if authorized
End If
End Rule: Shutdown Rule

and added root user to the group but it is not accomplished.

Any help would be appreciated.

Regards,
Asim


--
asimkhalid
------------------------------------------------------------------------
asimkhalid's Profile: https://forums.netiq.com/member.php?userid=3169
View this thread: https://forums.netiq.com/showthread.php?t=46239


  • I have created new rules and new scripts. I know a little about perl
    scrips this is what i made.

    Begin Rule: Passwd Rule
    If (user IN Password Group AND command IN Password cmd)
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Set runUser = "root"
    Stop if authorized
    Begin Rule: remove restrict
    If ((user IN Submit User))
    Then
    Set Authorize: no
    Set Session Capture: yes
    Run Script: passwd script()
    Stop if unauthorized
    End If
    End Rule: remove restrict

    End If
    End Rule: Passwd Rule

    and the script

    #to set script argument - name=illegalcmd value= kill *
    #to set script argument using regular expression - name=illegalcmd
    value= ^(|/usr/bin/|/bin)passwd(\s |$)
    my $t=$meta->child('Ticket');
    $t=$meta->add_param('Ticket') if(! $t);

    my $i=$t->child('IllegalCmds');
    $i=$t->add_param('IllegalCmds') if(! $i);

    my @illegal = $args->arg_values('illegalcmd');

    I have tried changing the command in

    value= ^(|/usr/bin/|/bin)passwd(\s |$)
    to
    value= ^(|/usr/bin/|/bin)rm(\s |$)
    or
    value= ^(|/usr/bin/|/bin)kill(\s |$)

    But the required Taks is not completed.

    I want to restrict user to kill a process , shutdown their system or
    delete a file on their system.

    Can this be acheived.
    Please help me acheive this...

    Regards,
    Asim Khalid


    --
    asimkhalid
    ------------------------------------------------------------------------
    asimkhalid's Profile: https://forums.netiq.com/member.php?userid=3169
    View this thread: https://forums.netiq.com/showthread.php?t=46239

  • asimkhalid,

    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    Has your issue been resolved? If not, you might try one of the following options:

    - Visit http://www.netiq.com/support and search the knowledgebase and/or check all
    the other support options available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.netiq.com)

    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.netiq.com/faq.php

    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.

    Good luck!

    Your NetIQ Forums Team
    http://forums.netiq.com



  • Asim,

    Sorry for the delay.

    First of all, we don't control the root user by default, nor do we
    recommend to change the root users shell to any NPUM shell. The idea
    behind NPUM is that no one logins as the root user (change the root
    password and don't let anyone login as root), but rather they login as
    themselves (non-privileged users) and then rules are created to allow
    them to do specific things.

    One thing you could do is allow a non-privileged user to login as them
    self. Then create a rule that allows them to "become" root by starting
    a pcksh shell and run it as root (usrun -u root pcksh), then use the
    Illegal command script to limit certain commands based on the rule that
    matches the 'usrun -u root pcksh' command)

    Pseudo code:

    Begin Rule: pcksh
    If ((command IN pcksh) AND (user IN Admins))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Set runUser = "root"
    Run Script: Rush Illegal
    Commands(illegalcmd:^(|/usr/bin/|/bin/)kill(\s |$))
    Stop
    End If
    End Rule: pcksh

    Example:
    usrun -u root pcksh
    # whoami
    root
    # ps -ef |grep firefox
    brett 24290 1 0 Nov15 ? 00:16:31
    /usr/lib64/firefox/firefox-bin
    root 32661 32253 0 13:15 pts/6 00:00:00 grep firefox
    # kill -9 24290
    pcksh: kill: Permission denied


    One other thing that I'll note to help troubleshoot this issue. Within
    the rule, you can add the following to the User Message and it will
    print out the commands that are illegal when the usrun command is run.

    $<Ticket.IllegalCmds>$



    With the above in the User message of the rule, when I run the usrun
    command, it shows me what my illegal commands are.

    brett@sd200:~> usrun -u root pcksh
    <IllegalCmds>
    <Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s |$)"/>
    </IllegalCmds>

    #


    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
    View this thread: https://forums.netiq.com/showthread.php?t=46239


  • deni;222794 Wrote:
    > Asim,
    >
    > Sorry for the delay.
    >
    > First of all, we don't control the root user by default, nor do we
    > recommend to change the root users shell to any NPUM shell. The idea
    > behind NPUM is that no one logins as the root user (change the root
    > password and don't let anyone login as root), but rather they login as
    > themselves (non-privileged users) and then rules are created to allow
    > them to do specific things.
    >
    > One thing you could do is allow a non-privileged user to login as them
    > self. Then create a rule that allows them to "become" root by starting
    > a pcksh shell and run it as root (usrun -u root pcksh), then use the
    > Illegal command script to limit certain commands based on the rule that
    > matches the 'usrun -u root pcksh' command)
    >
    > Pseudo code:
    >
    > Begin Rule: pcksh
    > If ((command IN pcksh) AND (user IN Admins))
    > Then
    > Set Authorize: yes
    > Set Session Capture: yes
    > Set runUser = "root"
    > Run Script: Rush Illegal
    > Commands(illegalcmd:^(|/usr/bin/|/bin/)kill(\s |$))
    > Stop
    > End If
    > End Rule: pcksh
    >
    > Example:
    > usrun -u root pcksh
    > # whoami
    > root
    > # ps -ef |grep firefox
    > brett 24290 1 0 Nov15 ? 00:16:31
    > /usr/lib64/firefox/firefox-bin
    > root 32661 32253 0 13:15 pts/6 00:00:00 grep firefox
    > # kill -9 24290
    > pcksh: kill: Permission denied
    >
    >
    > One other thing that I'll note to help troubleshoot this issue. Within
    > the rule, you can add the following to the User Message and it will
    > print out the commands that are illegal when the usrun command is run.
    >
    > $<Ticket.IllegalCmds>$
    >
    >
    >
    > With the above in the User message of the rule, when I run the usrun
    > command, it shows me what my illegal commands are.
    >
    > brett@sd200:~> usrun -u root pcksh
    > <IllegalCmds>
    > <Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s |$)"/>
    > </IllegalCmds>
    >
    > #



    Thankyou deni for the reply,
    im still having trouble using the kill command the rules are created
    according to the pseudo code given but i guess the problem with the
    scripting as i know less of perl scripting.

    the command runs according to the example given above and custom user
    message is shown but firefox closes anyway.. more over the command does
    not show any custom message without using usrun with the kill command
    given in the example.
    please help me with the script if you can give the settings to the
    solution above maybe it would help.
    i have tried using EAC script but i am having problem adding the
    argument to the script.
    looking forward for your reply.
    Regards


    --
    asimkhalid
    ------------------------------------------------------------------------
    asimkhalid's Profile: https://forums.netiq.com/member.php?userid=3169
    View this thread: https://forums.netiq.com/showthread.php?t=46239


  • Export your rules by doing the following:

    Home | Command Control | Export Settings (in the left Nav) | Copy and
    paste the text into a text document. Then email the export to brett at
    novell dot com and I'll review that there isn't a syntax issue.

    - Brett


    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
    View this thread: https://forums.netiq.com/showthread.php?t=46239


  • Had another quick idea.

    Copy and paste the single line below this into the User Message of the
    rule that you think you are matching and it should print out the illegal
    commands when you start your shell.

    $<Ticket.IllegalCmds>$


    Then when you login, you will see something like this:

    brett@sd200:~> usrun pcksh
    <IllegalCmds>
    <Command cmd="/bin/kill*"/>
    <Command cmd="kill*"/>
    </IllegalCmds>

    (this will show that 1. you have the script arguments set up correctly
    and 2. that we are matching and applying illegalcmd script to your
    session.)

    # ps -ef | grep firefox
    bergerbr 18958 1 0 Dec04 ? 00:00:00 /bin/sh
    /usr/bin/firefox
    bergerbr 18963 18958 1 Dec04 ? 02:59:59
    /usr/lib64/firefox/firefox-bin
    root 26792 26689 0 09:06 pts/3 00:00:00 grep firefox
    # kill -9 18958
    pcksh: kill: Permission denied


    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
    View this thread: https://forums.netiq.com/showthread.php?t=46239


  • Thankyou Sir for your precious time and effort you gave to correct the
    errors in my script.

    Sir i want to implement EAC rule without using command prompt. i have
    tried giving the user pcksh shell and then tried to restrict user to
    stop deleting or using "rm" or the use of "mv or move to trash command "
    but i am able to restrict only via cmd. Can i stop user to stop deleting
    files via gui (right click move to trash) etc.


    --
    asimkhalid
    ------------------------------------------------------------------------
    asimkhalid's Profile: https://forums.netiq.com/member.php?userid=3169
    View this thread: https://forums.netiq.com/showthread.php?t=46239


  • Please if anybody would help,

    I want to implement EAC such that the folder defined in the script
    argument is not accessed by anyone. Basically the scenario is to
    implement the product in such a way that the admins should not be able
    to bring a change in the operating system files. They can be allowed to
    read the files but not write or delete the OS files.
    The EAC rule that has been implemented restricts the user to open the
    files in a folder via command terminal but when the user opens the
    folder by clicking on that folder, the files are shown. The root user
    can even change the files. There should be restriction that no one could
    change or delete the OS files.
    Any help would be appreciated.

    Best Regards,
    Asim


    --
    asimkhalid
    ------------------------------------------------------------------------
    asimkhalid's Profile: https://forums.netiq.com/member.php?userid=3169
    View this thread: https://forums.netiq.com/showthread.php?t=46239


  • Asim,

    It's best to start a new thread when asking a new question. As your new
    question on this thread has nothing to do with 'Restrict Root user to
    Shutdown or kill a process' which was solved for you on 14-Dec-2012.

    -deni


    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
    View this thread: https://forums.netiq.com/showthread.php?t=46239