823 views

How can I restrict editing of a text (.txt) file?


Hi All,

I am new to NPUM and I need some help. Please guide me on how I can
restrict a text (.txt) file from being edited.
And I have one more question for the initial setup: which operating
system is best for the agent?

Thanks in advance.
Any help would be appreciated.


--
Rizwan_ahmed
------------------------------------------------------------------------
Rizwan_ahmed's Profile: https://forums.netiq.com/member.php?userid=4224
View this thread: https://forums.netiq.com/showthread.php?t=46722

11 Replies

Re: How can I restrict editing of a text (.txt) file?

Bonus of being at BrainShare: I asked a developer to confirm my belief.

Privileged User Manager (PUM) has a feature called (as I recall) EAC which
lets you set up granular policies controlling PUM as a whole. The docs
talk about this, but if you cannot use those to get it working then let us
know what you try with it and what happens and we can try to help with
specifics.

Good luck.

Re: How can I restrict editing of a text (.txt) file?


Hi Novell

Thanks for your reply.
Sorry, my question has changed a little bit: I also want users not to be
able to open the text file in a specific directory.
I have created a rule to restrict the user from opening the directory in
which I have the text file.

My EAC rule looks like this:

Begin Rule: EAC Rule
If ((command IN cpcksh))
Then
Set Authorize: yes
Set Session Capture: yes
Run Script: Enhanced Access Control Policy(policyath default
log:allpath /data/private/** !all:log=9)
Stop if authorized
End If
End Rule: EAC Rule

Let's say I don't want any user to see the private directory,
but this rule didn't work for me.
When I open the private folder, it can't stop the user from opening the
private directory.
Please help me out.
It would be great for us.
Thanks in advance


--
Rizwan_ahmed


Re: How can I restrict editing of a text (.txt) file?


Hi Novell

Please, it's urgent.

Thanks.


--
Rizwan_ahmed


Re: How can I restrict editing of a text (.txt) file?


I'd suggest, if you need urgent help, contacting Technical Support.
Remember, we're all volunteers here. 🙂

With that being said, here is my answer:

It looks like you have a syntax issue with your script argument.

Edit the script argument and make the changes below:

Name: policy
Value: path default all:log
path /data/private/** !all:log=9

Here is what the proper pseudocode would look like:

Begin Rule: cpcksh
If ((command IN Cpcksh shell login))
Then
Set Authorize: yes
Set Session Capture: yes
Run Script: Enhanced Access Control Policy(policy:path default
all:logpath /data/private/** !all:log=9)
Stop if authorized
End If
End Rule: cpcksh

Testing rule:

I log in as 'jim', whose shell is '/usr/bin/cpcksh' in /etc/passwd:

ssh jim@sd200
Password:
Last login: Fri Feb 8 08:46:37 2013 from sd.site
$ whoami
jim
$ pwd
/home/jim
$ cd /data
$ pwd
/data
$ ls -hal
ls: cannot access private: Permission denied
total 92K
drwxr-xr-x 21 root root 4.0K Feb 8 08:51 .
drwxr-xr-x 28 root root 4.0K Jan 10 15:56 ..
d????????? ? ? ? ? ? private
drwxr-xr-x 2 jim users 4.0K Feb 8 08:51 public
$ cd private
pcksh: cd: /data/private - Permission denied


Hope this helps.

-deni


--
deni
------------------------------------------------------------------------


Re: How can I restrict editing of a text (.txt) file?


Hi Brett

Thanks for your precious time.
I have tried the rule which you mentioned, like:
Begin Rule: cpcksh
If ((command IN Cpcksh shell login))
Then
Set Authorize: yes
Set Session Capture: yes
Run Script: Enhanced Access Control Policy(policy:path default
all:logpath /data/private/** !all:log=9)
Stop if authorized
End If
End Rule: cpcksh

And I log in as riz, whose shell is '/usr/bin/cpcksh' in /etc/passwd:
riz:x:504:504:rizwan:/home/riz:/usr/bin/cpcksh (I took this from the
passwd file located at /etc/passwd)

When I logged in with user riz,
testing:
[root@Prum Desktop]# su - riz
$ whoami
riz
$ pwd
/home/riz
$ cd /data
$ pwd
/data
$ ls -hal
total 12K
drwxr-xr-x 3 riz riz 4.0K Feb 7 19:05 .
dr-xr-xr-x. 29 root root 4.0K Feb 11 14:19 ..
drwxr-xr-x 2 root root 4.0K Feb 8 18:09 private
$ ls
private
$

But I am unable to restrict the private directory.
Kindly help me out.
Again, thanks for your help.

Regards
Rizwan


--
Rizwan_ahmed
------------------------------------------------------------------------


Re: How can I restrict editing of a text (.txt) file?


Rizwan,

What version of NPUM is installed and on what platform? I'd recommend
using NPUM 2.3.2 (available here:
http://download.novell.com/Download?buildid=_FbnqCDhPvs~ ). There were
numerous updates to Enhanced Access Control in NPUM 2.3.2.

Also, add ${Options.policy}$ to the 'User Message' of the rule.

After adding the above to the user message, each time the user logs in
it should display the policy.

For example:

ssh jim@sd200
Password:
Last login: Mon Feb 11 08:53:26 2013 from sd.site
path default all:log
path /data/private/** !all:log=9


Also, after logging in, do the following:

env | grep ccpreload*

In my environment, I see the following:

$ env | grep ccpreload*
LD_PRELOAD=ccpreload-elf64.so



- deni


--
deni
------------------------------------------------------------------------


Re: How can I restrict editing of a text (.txt) file?


Hello Brett

I am using NPUM 2.3.2 on Linux 6.2 64-bit.
I have two agents: one is installed on the same machine where I have the
Framework Manager and the other is on a different machine.
I am trying all these things with the agent installed on the machine
where I have the Framework Manager and also on the other agent.

I have checked the things you mentioned, like adding
${Options.policy}$ to the user message.
I added this, but when I logged in it didn't show me the policy.

When I execute the command env | grep ccpreload* it shows me nothing.

I have also noticed that when I log in with user riz, whose shell is
'/usr/bin/cpcksh', using a terminal in Linux, I see the following lines
in the log file unifid.log:
[root@prum Desktop]su - riz
Tue Feb 12 11:49:11 2013, 72, 2853697280, 13783, Info, auth renew
client:localhost rc:0 status:0 (2ms)
Tue Feb 12 11:49:14 2013, 146, 2861065984, 13783, Info, cmdctrl request
accepted for '-cpcksh' from riz@prum as riz@prum
Tue Feb 12 11:49:14 2013, 147, 2861065984, 13783, Info, cmdctrl
checkAuth client:prum rc:0 status:0 (2ms)
Tue Feb 12 11:49:14 2013, 156, 2866390784, 13783, Info, rexec
executeCommand client:prum rc:0 status:0() (7ms)

But when I log in from System --> Log Out root --> Switch user,
I see these lines in the unifid.log file:
Tue Feb 12 11:48:34 2013, 46, 2861065984, 13783, Info, cmdctrl request
denied for 'cpcksh -c gnome-session' from riz@prum
Tue Feb 12 11:48:34 2013, 58, 2861065984, 13783, Info, cmdctrl checkAuth
client:prum rc:0 status:0 (14ms)

I don't know what I am doing wrong.
I have tried every possibility according to my knowledge,
but I am unable to resolve it.
Brett, a bundle of thanks for your kind help.

Regards
Rizwan


--
Rizwan_ahmed
------------------------------------------------------------------------


Re: How can I restrict editing of a text (.txt) file?


Rizwan,

I'm trying to duplicate your issue but can't. It appears you were
logged in as root and then ran 'su - <username>', which I did below.

ssh root@sd200
Password:
Last login: Tue Feb 12 08:32:19 2013 from sd.site
sd200:~ # su - jim
path default all:log
path /data/private/** !all:log=9

Directory: /home/jim
Tue Feb 12 08:34:11 MST 2013
$


<snippet of log files>
Tue Feb 12 08:34:11 2013, 584, 1127331584, 8750, Info, cmdctrl request
accepted for '-cpcksh' from jim@sd200 as jim@sd200
Tue Feb 12 08:34:11 2013, 585, 1127331584, 8750, Info, cmdctrl checkAuth
client:sd200 rc:0 status:0 (7ms)
Tue Feb 12 08:34:11 2013, 590, 1127331584, 8750, Info, rexec
executeCommand client:sd200 rc:0 status:0() (3ms)

This may be a policy issue. Can you export your policy via Home |
Command Control | Export Settings, copy and paste the exported policy
into a txt file, and email it to me at brett at novell dot com?

Thanks,

-deni


--
deni
------------------------------------------------------------------------


Re: How can I restrict editing of a text (.txt) file?


Hello Brett

I have mailed you the policy. The subject of the mail is "Policy Of
Restrict The Directory Access".
First I logged in as root, then su - riz, whose login shell is
'/usr/bin/cpcksh'.
I have made a rule for the cpcksh shell and it works fine. I don't know
why I am unable to restrict the directory access.


Thanks for your precious time

Best Regards
Rizwan


--
Rizwan_ahmed
------------------------------------------------------------------------


Re: How can I restrict editing of a text (.txt) file?


Thank you for the policy. Long story short, the issue was in your
policy.

It appears you had added Run users group and attempted to remove it. It
was left with "Run users=undefined". (I'm not sure how it got into this
state, but I'd like to know.)

This caused the first problem.

Here is what I did to resolve this issue.

1. Modify Rule 'cpcksh' | Add 'Run User' of 'root' | Finish
2. Modify Rule 'cpcksh' | Remove 'Run User' of 'root' | Finish

This removed the 'Undefined' Run Users. After fixing this, I logged in
and saw this:

ssh jim@sd200
Password:
Last login: Wed Feb 13 09:27:21 2013 from sd.site
path default all:logpath /data/private/** !all:log=9

Syntax error in policy, line 1

3. Modify Rule 'cpcksh' | Script Arguments | change 'path default
all:logpath /data/private/** !all:log=9' to

path default all:log
path /data/private/** !all:log=9

(Note, each path should be on a separate line) | Finish.

After fixing this, I logged in and it worked:


ssh jim@sd200
Password:
Last login: Wed Feb 13 10:04:00 2013 from sd.site
path default all:log
path /data/private/** !all:log=9

$ whoami
jim
$ cd /data
$ ls -hal
ls: cannot access private: Permission denied
total 92K
drwxr-xr-x 21 root root 4.0K Feb 8 08:51 .
drwxr-xr-x 28 root root 4.0K Jan 10 15:56 ..
d????????? ? ? ? ? ? private
drwxr-xr-x 2 jim users 4.0K Feb 8 08:51 public

$ ls -hal /data/private
ls: cannot access /data/private: Permission denied


--
deni
------------------------------------------------------------------------

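The resolution above turns on one detail: the two policy statements must be on separate lines, and the agent rejects the glued form with "Syntax error in policy, line 1". The following is an added example (not NetIQ/Novell code and not the agent's real parser) that models the policy the way the thread's output implies it behaves: a default rule that allows and logs, and a /data/private/** rule that denies so that even stat() on the directory fails, which is why ls printed d????????? for it. The grammar "path <'default' | glob> <'all' | '!all'>[:log[=level]]", the rule that a later matching non-default rule overrides the default, and the reading of a trailing "/**" as covering the directory itself are all assumptions reconstructed from the two lines shown; the sample inputs are constructed. Note also that the enforcement deni checks for with "env | grep ccpreload" is an LD_PRELOAD shim (ccpreload-elf64.so); such a shim only interposes on dynamically linked programs that inherit the variable, so that environment check is the right first test when a path rule appears not to apply.

```python
#!/usr/bin/env python3
"""Toy evaluator for the two-line EAC path policy from the thread.

Added example, not NetIQ/Novell code.  The grammar is an ASSUMPTION
reconstructed from the two lines that worked once they were split:

    path default all:log
    path /data/private/** !all:log=9

read here as:  path <'default' | glob> <'all' | '!all'>[:log[=<level>]]
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One statement per line; anything else is a syntax error (assumed).
POLICY_LINE = re.compile(r"^path\s+(\S+)\s+(!?all)(?::log(?:=(\d+))?)?$")


@dataclass
class PathRule:
    pattern: str      # 'default' or a glob such as /data/private/**
    allow: bool       # 'all' permits access, '!all' denies it
    log_level: int    # 0 = no logging; a bare ':log' is assumed to mean 1


def parse_policy(text: str) -> List[PathRule]:
    """Parse policy text.  Raises ValueError shaped like the agent's own
    'Syntax error in policy, line N' message when a line does not parse."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = POLICY_LINE.match(line)
        if m is None:
            raise ValueError(f"Syntax error in policy, line {lineno}: {line!r}")
        pattern, perm, level = m.groups()
        if level is not None:
            log_level = int(level)
        elif line.endswith(":log"):
            log_level = 1
        else:
            log_level = 0
        rules.append(PathRule(pattern, perm == "all", log_level))
    return rules


def _matches(pattern: str, path: str) -> bool:
    """Glob match.  A pattern ending in '/**' is assumed to cover the
    directory itself as well as everything beneath it, because the thread
    shows stat() on /data/private itself being denied, not just its contents."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return fnmatch.fnmatchcase(path, pattern)


def evaluate(rules: List[PathRule], path: str) -> Tuple[bool, int]:
    """Return (allowed, log_level) for an absolute path.  The last matching
    non-default rule wins; 'default' applies when nothing else matches."""
    decision: Optional[PathRule] = None
    for rule in rules:
        if rule.pattern == "default":
            if decision is None:
                decision = rule
        elif _matches(rule.pattern, path):
            decision = rule
    if decision is None:
        return True, 0        # no policy at all: nothing is restricted
    return decision.allow, decision.log_level


def simulate_ls(rules: List[PathRule], directory: str, entries: List[str]) -> List[str]:
    """Mimic what 'ls -hal <directory>' printed in the thread: an entry whose
    stat() is denied shows up as 'd?????????' instead of its real mode."""
    allowed_dir, _ = evaluate(rules, directory)
    if not allowed_dir:
        return [f"ls: cannot access {directory}: Permission denied"]
    out = []
    for name in entries:
        allowed, _ = evaluate(rules, f"{directory.rstrip('/')}/{name}")
        out.append(name if allowed else f"d????????? {name}  (stat denied)")
    return out


# Constructed inputs: the working two-line policy and the glued variant.
WORKING_POLICY = "path default all:log\npath /data/private/** !all:log=9\n"
GLUED_POLICY = "path default all:logpath /data/private/** !all:log=9\n"

if __name__ == "__main__":
    rules = parse_policy(WORKING_POLICY)
    for p in ("/data", "/data/public", "/data/private", "/data/private/secret.txt"):
        print(p, evaluate(rules, p))
    print("\n".join(simulate_ls(rules, "/data", ["private", "public"])))
    try:
        parse_policy(GLUED_POLICY)
    except ValueError as err:
        print(err)
```

Running the script prints the deny decision for /data/private and everything under it, the allow-and-log decision for /data/public, a d????????? line for private in the simulated listing, and the "Syntax error in policy, line 1" error for the glued single-line policy, matching what the thread observed.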

Re: How can I restrict editing of a text (.txt) file?


Thank you Brett

I have solved my issue.
The issue was with my policy, as you said.

In the value field, I wrote these two path lines separately:
path default all:log
path /data/private/** !all:log=9

and logged in as the user whose login shell is cpcksh,
and it restricted access to the private directory.

Lots of thanks for your effort and your precious time.
Best regards
Rizwan


--
Rizwan_ahmed
------------------------------------------------------------------------
