How to restrict the kill command in NPUM?


Hi All

I am using Framework Manager 2.3.2 on Linux 6.2, and the Framework Agent is
also on Linux.
I have made a rule to restrict the kill command, but it didn't work
for me.

Pseudo code:

Begin Rule: Restrict Kill Command
If ((command IN pcksh) AND (user IN Admins))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Run Script: Rush Illegal
Commands(illegalcmd:^(|/usr/bin/|/bin/)kill(\s |$))
Stop
End If
End Rule: Restrict Kill Command

And the command in pcksh is (pcksh). Is this the right command for
pcksh?
The user in Admins is the user whose login shell is pcksh; I also
tried with a user whose login shell was cpcksh, but neither worked.

I am unable to restrict the kill command.
Thanks in advance


Best Regards
Rizwan


--
Rizwan_ahmed
------------------------------------------------------------------------
Rizwan_ahmed's Profile: https://forums.netiq.com/member.php?userid=4224
View this thread: https://forums.netiq.com/showthread.php?t=47125


  • I didn't take too much time to look at yours; I am using the updated
    'Pcksh Illegal Commands' script, but here's what works for me (very
    simplified):


    Here is my pseudocode.

    Begin Rule: pcksh
    If ((command IN pcksh))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Set runUser = "root"
    Run Script: Pcksh Illegal
    Commands(illegalcmd:^(|/usr/bin/|/bin/)kill(\s |$))
    Stop
    End If
    End Rule: pcksh

    If you want to download an export of my rules, I've put them here:
    ftp://ftp.novell.com/outgoing/illegal_cmd_pcksh_rexec.txt
    They will not stay there too long, but the pseudocode is above.

    Here is an example of me using the rules above. Note: I put an optional
    'User Message' in to print out the Illegal Commands when I started my pcksh
    session.

    deni@sd200:~> usrun -u root pcksh
    <IllegalCmds>
    <Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s |$)"/>
    </IllegalCmds>

    # whoami
    root
    # ps -ef | grep firefox
    bergerbr 7643 1 0 Mar13 ? 00:00:00 /bin/sh
    /usr/bin/firefox
    bergerbr 7658 7643 0 Mar13 ? 01:19:03
    /usr/lib64/firefox/firefox-bin
    root 18911 18809 0 11:18 pts/2 00:00:00 grep firefox
    bergerbr 19167 7658 0 Mar13 ? 00:41:45
    /usr/lib64/firefox/plugin-container
    /home/bergerbr/.mozilla/plugins/libflashplayer.so -greomni
    /usr/lib64/firefox/omni.ja 7658 plugin
    # kill -9 7643
    pcksh: kill: Permission denied
    # /bin/kill -9 7643
    pcksh: Permission denied
    # whoami
    root
    #

    Hope this helps.

    -deni






    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
    View this thread: https://forums.netiq.com/showthread.php?t=47125


  • Hi Brett

    Thanks for your reply.
    As you mentioned, I have tried this rule, but the problem persists.
    I didn't get the export of your rule settings because that link had
    expired.
    I wrote the same rule as in your pseudocode; I don't know what
    I am doing wrong.
    I have emailed you my exported rule at your Novell ID; kindly take a look
    at my rule.
    It would be a great help to me.


    Thanks in advance.

    Best Regards
    Rizwan Ahmed




  • Problem #1. You had multiple rules with the same matching criteria (if
    command is pcksh). Your 'Restrict Kill Command' rule was at the bottom
    of your rules, therefore you were never getting down to that rule. Move
    it to the top or change the matching criteria (if command is pcksh and
    user is X, or something like that). With rules we start at the top and
    go down the list. If we match and the rule says 'Stop if Authorized', we
    do not continue down the rule structure.

    Problem #2. You manually edited the script and it had a typo. Please
    delete or rename your script, then import the latest from Home |
    Command Control | click on Command Control | in the left nav, Import
    Samples, then import the 'Pcksh Illegal Commands' script from 'Sample
    Perl Script'.

    # your script (there are three lowercase L's)
    my $i=$t->child('lllegalCmds');

    # sample script (capital I, then two lowercase L's)
    my $i=$t->child('IllegalCmds');

    Problem #3. Your 'Restrict Kill Command' rule was misconfigured. You had
    'Authorized' = Yes, but nothing telling it to stop, i.e. no 'Stop if
    Authorized'.

    Problem #4. The User Message was typo'ed. It should be
    "$<Ticket.IllegalCmds>$"

    After fixing the four issues above with your rules, the following
    happens:

    deni@sd:~> usrun pcksh
    <IllegalCmds>
    <Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s |$)"/>
    </IllegalCmds>


    # exit
    deni@sd:~> usrun pcksh
    <IllegalCmds>
    <Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s |$)"/>
    </IllegalCmds>


    # whoami
    root
    # ps -ef | grep firefox
    deni 7593 1 0 Mar21 ? 00:00:00 /bin/sh /usr/bin/firefox
    deni 7598 7593 0 Mar21 ? 00:05:25
    /usr/lib64/firefox/firefox-bin
    deni 8223 7598 0 Mar21 ? 00:05:35
    /usr/lib64/firefox/plugin-container
    /home/deni/.mozilla/plugins/libflashplayer.so -greomni
    /usr/lib64/firefox/omni.ja 7598 plugin
    root 27667 27576 0 09:50 pts/4 00:00:00 grep firefox
    # kill -9 7593
    pcksh: kill: Permission denied


    I reposted my working rules, zipped it up this time:
    ftp://ftp.novell.com/outgoing/edited_rule.zip

    - deni







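    Added example (not NetIQ's code and not from any post in this thread): a
    small Python model of the two points deni's answers turn on, the coverage of
    the illegal-command regex quoted above and the top-down, stop-on-match rule
    walk described under Problem #1. The rule names, users and command lines are
    constructed for the example; one assumption is mine and is marked in the
    code: the `(\s |$)` shown on the page is taken to be `(\s|$)` (one whitespace
    character or end of string) with a stray space from the forum rendering.
    Nothing here is the product's real rule engine; it only makes the stated
    behaviour checkable.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# The pattern quoted in the thread. Assumption: "(\s |$)" on the page is
# "(\s|$)" rendered with an extra space.
KILL_PATTERN = r"^(|/usr/bin/|/bin/)kill(\s|$)"


def is_illegal(cmdline, patterns=(KILL_PATTERN,)):
    """True if the command line matches any illegal-command regex.

    The pattern is anchored at the start of the string, so only the three
    spellings it lists ("kill", "/bin/kill", "/usr/bin/kill") match; any
    other path or any other command name falls through.
    """
    return any(re.search(p, cmdline) for p in patterns)


def coverage(cmdlines, patterns=(KILL_PATTERN,)):
    """Map each (constructed) command line to whether the pattern catches it."""
    return {c: is_illegal(c, patterns) for c in cmdlines}


@dataclass
class Rule:
    """Minimal model of a Command Control rule as the thread describes it."""
    name: str
    command: str                        # the "command IN <set>" condition
    users: Optional[FrozenSet[str]]     # None: any user; else "user IN <group>"
    stop: bool                          # "Stop if Authorized"
    illegal_cmds: Tuple[str, ...] = ()  # patterns handed to the Illegal Commands script


def first_matching_rule(rules, command, user):
    """Walk the list top-down and return the first matching rule that stops
    the walk, as Problem #1 describes; None if no rule stops it."""
    for rule in rules:
        if rule.command != command:
            continue
        if rule.users is not None and user not in rule.users:
            continue
        if rule.stop:
            return rule
    return None


def is_blocked(rules, command, user, cmdline):
    """Only the winning rule's illegal-command patterns are ever applied."""
    rule = first_matching_rule(rules, command, user)
    if rule is None:
        return False
    return is_illegal(cmdline, rule.illegal_cmds)


# Constructed rule sets mirroring Problem #1: a catch-all pcksh rule above the
# kill rule swallows every pcksh request, so the kill rule never runs.
GENERIC = Rule("pcksh", "pcksh", None, stop=True)
RESTRICT = Rule("Restrict Kill Command", "pcksh", frozenset({"rizwan"}),
                stop=True, illegal_cmds=(KILL_PATTERN,))
BROKEN_ORDER = [GENERIC, RESTRICT]
FIXED_ORDER = [RESTRICT, GENERIC]


if __name__ == "__main__":
    samples = ["kill -9 7643", "/bin/kill -9 7643", "/usr/bin/kill -9 7643",
               "killall firefox", "pkill firefox", "/usr/local/bin/kill 1"]
    for cmd, hit in coverage(samples).items():
        print(f"{'BLOCK' if hit else 'allow':5} {cmd}")
    print("broken order ->", first_matching_rule(BROKEN_ORDER, "pcksh", "rizwan").name)
    print("fixed order  ->", first_matching_rule(FIXED_ORDER, "pcksh", "rizwan").name)
```

    Running it prints which constructed command lines the regex blocks and which
    rule wins under each ordering; the point worth keeping is that the pattern
    is a literal match on the command string, so it does exactly what deni's
    session shows for kill and nothing more, and that a rule below a stopping
    rule with the same criteria is dead.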


  • Hi Brett

    Thanks for your help. It helped me a lot.
    Yes, I did these things wrong, and I also verified it against my rules.
    Those were typing mistakes, and my rule was misconfigured.

    Best Regards
    Rizwan




  • Glad I could help. Good luck,

    -deni

