
How to restrict the kill command in an NPUM?


Hi All

I am using Framework Manager 2.3.2 on Linux 6.2 and the Framework Agent is
also on Linux.
I have made a rule to restrict the kill command but it didn't work
for me.

Pseudo code:

Begin Rule: Restrict Kill Command
If ((command IN pcksh) AND (user IN Admins))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Run Script: Rush Illegal Commands(illegalcmd:^(|/usr/bin/|/bin/)kill(\s+|$))
Stop
End If
End Rule: Restrict Kill Command

And the command in pcksh is (pcksh). Is this the right command for
pcksh?
And the user in Admins is the user whose login shell is pcksh; I also
tried with a user whose login shell was cpcksh, but neither worked.

I am unable to restrict the kill command.
Thanks in advance


Best Regards
Rizwan


--
Rizwan_ahmed
------------------------------------------------------------------------
Rizwan_ahmed's Profile: https://forums.netiq.com/member.php?userid=4224
View this thread: https://forums.netiq.com/showthread.php?t=47125


Re: How to restrict the kill command in an NPUM?


I didn't take too much time to look at yours; I am using the updated
'Pcksh Illegal Commands' script, but here's what works for me (very
simplified):


Here is my pseudocode.

Begin Rule: pcksh
If ((command IN pcksh))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Run Script: Pcksh Illegal Commands(illegalcmd:^(|/usr/bin/|/bin/)kill(\s+|$))
Stop
End If
End Rule: pcksh

If you want to download an export of my rules - I've put them here:
ftp://ftp.novell.com/outgoing/illegal_cmd_pcksh_rexec.txt
They will not stay there too long, but the pseudocode is above.

Here is an example of me using the rules above. Note: I put an optional
'User Message' to print out the Illegal Commands when I started my pcksh
session.

deni@sd200:~> usrun -u root pcksh
<IllegalCmds>
<Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s+|$)"/>
</IllegalCmds>

# whoami
root
# ps -ef | grep firefox
bergerbr 7643 1 0 Mar13 ? 00:00:00 /bin/sh /usr/bin/firefox
bergerbr 7658 7643 0 Mar13 ? 01:19:03 /usr/lib64/firefox/firefox-bin
root 18911 18809 0 11:18 pts/2 00:00:00 grep firefox
bergerbr 19167 7658 0 Mar13 ? 00:41:45 /usr/lib64/firefox/plugin-container /home/bergerbr/.mozilla/plugins/libflashplayer.so -greomni /usr/lib64/firefox/omni.ja 7658 plugin
# kill -9 7643
pcksh: kill: Permission denied
# /bin/kill -9 7643
pcksh: Permission denied
# whoami
root
#

Hope this helps.

-deni



Rizwan_ahmed;226772 Wrote:
> Hi All
>
> I am using Framework Manager 2.3.2 on Linux 6.2 and the Framework Agent is
> also on Linux.
> I have made a rule to restrict the kill command but it didn't work
> for me.
>
> Pseudo code:
>
> Begin Rule: Restrict Kill Command
> If ((command IN pcksh) AND (user IN Admins))
> Then
> Set Authorize: yes
> Set Session Capture: yes
> Set runUser = "root"
> Run Script: Rush Illegal
> Commands(illegalcmd:^(|/usr/bin/|/bin/)kill(\s+|$))
> Stop
> End If
> End Rule: Restrict Kill Command
>
> And the command in pcksh is (pcksh). Is this the right command for
> pcksh?
> And the user in Admins is the user whose login shell is pcksh; I also
> tried with a user whose login shell was cpcksh, but neither worked.
>
> I am unable to restrict the kill command.
> Thanks in advance
>
>
> Best Regards
> Rizwan



--
deni
------------------------------------------------------------------------
deni's Profile: https://forums.netiq.com/member.php?userid=1793
View this thread: https://forums.netiq.com/showthread.php?t=47125


Re: How to restrict the kill command in an NPUM?


Hi Brett

Thanks for your reply.
As you mentioned, I have tried this rule but the problem persists.
I didn't get the export settings of your rule because that link had
expired.
I wrote the same rule as you mentioned in your pseudocode; I don't know what
I am doing wrong.
I have emailed you my exported rule at your Novell ID; kindly take a look
at my rule.
It would be great for me.


Thanks in advance.

Best Regards
Rizwan Ahmed



Re: How to restrict the kill command in an NPUM?


Problem #1. You had multiple rules with the same matching criteria (if
command is pcksh). Your 'Restrict Kill Command' rule was at the bottom
of your rules, therefore you were never getting down to that rule. Move
it to the top or change the matching criteria (if command is pcksh and
user is X, or something like that). With rules we start at the top and
go down the list. If we match and the rule says 'Stop if Authorized', we
do not continue down the rule structure.

Problem #2. You manually edited the script and it had a typo. Please
delete or rename your script, then import the latest from Home |
Command Control | click on Command Control | in the left nav, Import
Samples, then import the "Pcksh Illegal Commands" script from 'Sample
Perl Script'.

#your script ( there are three lowercase L's)
my $i=$t->child('lllegalCmds');

#sample script ( Capital i, then two lowercase L's)
my $i=$t->child('IllegalCmds');

Problem #3. Your 'Restrict Kill Command' rule was misconfigured. You had
'Authorized' = Yes, but nothing telling it to stop, or 'Stop if
Authorized'.

Problem #4. The User Message had a typo. It should be
"$<Ticket.IllegalCmds>$"

After fixing the four issues above with your rules, the following
happens:

deni@sd:~> usrun pcksh
<IllegalCmds>
<Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s+|$)"/>
</IllegalCmds>


# exit
deni@sd:~> usrun pcksh
<IllegalCmds>
<Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s+|$)"/>
</IllegalCmds>


# whoami
root
# ps -ef | grep firefox
deni 7593 1 0 Mar21 ? 00:00:00 /bin/sh /usr/bin/firefox
deni 7598 7593 0 Mar21 ? 00:05:25 /usr/lib64/firefox/firefox-bin
deni 8223 7598 0 Mar21 ? 00:05:35 /usr/lib64/firefox/plugin-container /home/deni/.mozilla/plugins/libflashplayer.so -greomni /usr/lib64/firefox/omni.ja 7598 plugin
root 27667 27576 0 09:50 pts/4 00:00:00 grep firefox
# kill -9 7593
pcksh: kill: Permission denied


I reposted my working rules, zipped it up this time:
ftp://ftp.novell.com/outgoing/edited_rule.zip

- deni





Rizwan_ahmed;227657 Wrote:
>
>
> Thanks for your reply.
> As you mentioned, I have tried this rule but the problem persists.
> I didn't get the export settings of your rule because that link had
> expired.
> I wrote the same rule as you mentioned in your pseudocode; I don't know what
> I am doing wrong.
> I have emailed you my exported rule at your Novell ID; kindly take a look
> at my rule.
> It would be great for me.
>
>
> Thanks in advance.
>
> Best Regards
> Rizwan Ahmed



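Deni's Problem #1 and Problem #3 in one runnable picture, as an added example that is not from the thread or from NetIQ: a constructed Python model of top-down rule matching with 'Stop if Authorized', applying the thread's illegalcmd regex to a command typed in the session. The rule names, the Admins group, the dict layout and the continue-on-no-stop behaviour are assumptions made for the model.

```python
import re

# Constructed model of the rule evaluation described in the thread (not
# NetIQ/NPUM's own engine): rules are walked top-down, the first rule whose
# criteria match is applied, and "Stop if Authorized" ends the walk there.
KILL_PATTERN = r"^(|/usr/bin/|/bin/)kill(\s+|$)"   # illegalcmd from the thread


def build_rules(restrict_first):
    """The two rules from the thread; only their order differs."""
    generic = {"name": "pcksh", "command": "pcksh", "user": None,
               "authorize": True, "stop": True, "illegal": []}
    restrict = {"name": "Restrict Kill Command", "command": "pcksh",
                "user": "Admins", "authorize": True, "stop": True,
                "illegal": [KILL_PATTERN]}
    return [restrict, generic] if restrict_first else [generic, restrict]


def match_rule(rules, command, user_groups):
    """Walk the rules top-down; return the rule that ended the walk."""
    applied = None
    for rule in rules:
        if rule["command"] != command:
            continue
        if rule["user"] is not None and rule["user"] not in user_groups:
            continue
        applied = rule
        if rule["authorize"] and rule["stop"]:
            break          # 'Stop if Authorized': later rules never run
    return applied


def session_allows(rule, cmdline):
    """Apply the applied rule's illegal-command regexes to a typed command."""
    return not any(re.search(pat, cmdline) for pat in rule["illegal"])


def check(restrict_first, cmdline, user_groups=("Admins",)):
    """Name of the rule that won, plus whether cmdline would be permitted."""
    rule = match_rule(build_rules(restrict_first), "pcksh", user_groups)
    return rule["name"], session_allows(rule, cmdline)


if __name__ == "__main__":
    for order in (False, True):
        for cmd in ("kill -9 7593", "/bin/kill -9 7593", "whoami"):
            print("restrict rule first:", order, cmd, check(order, cmd))
```

With the restrict rule at the bottom the generic pcksh rule wins and kill is permitted, which is the symptom in the thread; moving it to the top makes both kill and /bin/kill hit the regex while whoami still passes.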

Re: How to restrict the kill command in an NPUM?


Hi Brett

Thanks for your help. It helped me a lot.
Yes, I did these things wrong, and I also verified with my rules.
Those were typing mistakes and my rule was misconfigured.

Best Regards
Rizwan



Re: How to restrict the kill command in an NPUM?


Glad I could help. Good luck,

-deni

