
Manage Internal command on Linux\Unix environment via PUM


Greetings for the Day!!

We have configured PUM with the /usr/bin/cpcksh shell for login on the server.
We are able to do every possible configuration, but for some commands PUM
is not able to authorize or deny. After some research on this, we
figured out that these commands are internal commands of the shell, such
as pwd, cd and echo.

How could we restrict these commands from the cpcksh shell or via PUM?

Regards,
RK


--
rajeshemailto
------------------------------------------------------------------------
rajeshemailto's Profile: https://forums.netiq.com/member.php?userid=196
View this thread: https://forums.netiq.com/showthread.php?t=42626


Re: Manage Internal command on Linux\Unix environment via PUM


Hello -

The commands you mentioned (cd, ls) are built-in commands and are never
sent to the framework manager for authorization, meaning with cpcksh or
pcksh you can NOT limit these commands.

With PUM there are two ways of granting someone rights to do things.
The first is to give someone a full shell (cpcksh, pcksh, etc.). The other
is to only grant them rights to the exact privileged command. So
instead of giving them a shell and then restricting things, have them
log in with their normal shell and then create rules to allow them to run
privileged commands via usrun.

Why do you want to block them from using cd?

If you have to give them a PUM shell, one option is to set up Enhanced
Access Control (EAC) to further limit rights to specific filesystem
directories, regardless of the user logged in (even root).

You can take a look at EAC in the documentation here:
http://tinyurl.com/8jwkvym


- Brett






--
deni

Re: Manage Internal command on Linux\Unix environment via PUM


Brett,

> Why do you want to block them from using cd?


We got a use case from a client stating that they have a few servers where
information is available in the form of files. These files are stored in
a specific location on the server. Now they want that when a user logs in,
he/she should not be able to move anywhere except a few locations on the
server, say, /usr/shareddoc.

As you mentioned, we configured EAC but are still facing an issue. EAC works
fine for commands like 'ls' or 'mkdir' but is not behaving for the 'cd'
command. Also, I tried to use the PUM shell "/usr/bin/rpcksh" but session
capture is not happening. I tried to look into the logs but found no event
for session start or end.

Regards,
RK


--
rajeshemailto

Re: Manage Internal command on Linux\Unix environment via PUM


You should be able to use the Enhanced Access Control Policy Script to
accomplish what you want to do.

Let's assume I have a directory called /data/private that I don't want
users to have access to. I can setup a PUM rule to allow them to have a
privileged pcksh shell as root, but block them from accessing
/data/private, even though they are root.

The sample rule would look something like this.

Begin Rule: EAC block directory
If ((command IN pcksh) AND (user IN linux admins))
Then
Set Authorize: yes
Set Session Capture: yes
Run Script: Enhanced Access Control Policy(policy:path default all:log path /data/private/** !all:log=9)
End If
End Rule: EAC block directory




brett@sd200:~> usrun -u root pcksh
# whoami
root
# cd /data
# ls -al
/bin/ls: cannot access private: Permission denied
total 80
drwxr-xr-x 18 bergerbr users 4096 May 24 15:11 .
drwxr-xr-x 27 root root 4096 Oct 3 14:42 ..
drwx------ 2 root root 16384 May 13 2009 lost+found
d????????? ? ? ? ? ? private
drwxr-xr-x 13 root root 4096 Sep 5 12:10 shared
drwxr-xr-x 6 bergerbr users 4096 Apr 28 2009 tools
drwx------ 5 bergerbr users 4096 Dec 2 2010 .Trash-1000
# cd private
pcksh: cd: /data/private - Permission denied


Notice that I can see the private directory, but no information
regarding it, nor can I 'cd' into the directory. The Enhanced Access
Control (EAC) policy is what stopped me from accessing this, even though
I am root.

Add the 'Enhanced Access Control Policy' script to the rule, and then
add a Script Argument of
Name:policy
Value: path default all:log
path /data/private/** !all:log=9


That should do it. Good luck

-Brett


--
deni
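To make the path policy in Brett's rule concrete, here is an added evaluator for that policy format, written for this page; it is not NetIQ PUM code, and everything about the semantics is inferred from the thread and should be treated as an assumption: `path default all:log` allows (and logs) everything, `path /data/private/** !all:log=9` denies the directory and everything beneath it at log level 9, the most specific matching entry wins regardless of the user, a bare `:log` is taken as level 1, and a path that no entry covers is denied. The `resolve` step mirrors what the transcript shows: the check applies to the directory `cd` would land in, so it does not matter that `cd` is a shell built-in that never reaches the command-authorization path.

```python
"""Illustrative evaluator for the EAC-style path policy quoted in this thread.

Added example for this page, not NetIQ PUM code. Assumed semantics (inferred
from the thread):
  - each entry is "path <pattern> <permission>";
  - <pattern> is "default" (matches every path) or an absolute path, optionally
    ending in "/**" to cover the directory and everything below it;
  - <permission> is "all" (allow) or "!all" (deny), optionally followed by
    ":log" (taken as level 1 here) or ":log=<level>";
  - the most specific matching entry wins; a path no entry covers is denied.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional

# The policy Brett posts in the thread.
POLICY = """\
path default all:log
path /data/private/** !all:log=9
"""


@dataclass(frozen=True)
class PathRule:
    pattern: str   # "default", "/abs/path" or "/abs/path/**"
    allow: bool    # True for "all", False for "!all"
    log: int       # 0 = no logging, otherwise the log level


@dataclass(frozen=True)
class Decision:
    allow: bool
    log: int
    rule: Optional[str]   # pattern that decided, None if nothing matched


def parse_policy(text: str) -> List[PathRule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "path":
            raise ValueError(f"unrecognised policy entry: {raw!r}")
        pattern, perm = parts[1], parts[2]
        name, _, logspec = perm.partition(":")
        if name not in ("all", "!all"):
            raise ValueError(f"unknown permission {name!r} in {raw!r}")
        if logspec == "":
            log = 0
        elif logspec == "log":
            log = 1          # assumption: bare ":log" means level 1
        elif logspec.startswith("log="):
            log = int(logspec[len("log="):])
        else:
            raise ValueError(f"unknown log spec {logspec!r} in {raw!r}")
        if pattern != "default" and not pattern.startswith("/"):
            raise ValueError(f"path pattern must be absolute: {raw!r}")
        rules.append(PathRule(pattern, name == "all", log))
    return rules


def resolve(cwd: str, target: str) -> str:
    """Absolute, normalised directory that `cd target` would reach from cwd."""
    return posixpath.normpath(posixpath.join(cwd, target))


def _match(pattern: str, path: str) -> Optional[int]:
    """Return a specificity score if pattern covers path, else None."""
    if pattern == "default":
        return -1
    if pattern.endswith("/**"):
        base = pattern[:-3] or "/"
        # Boundary check: /data/private/** must not cover /data/privateer.
        if path == base or path.startswith(base.rstrip("/") + "/"):
            return len(base)
        return None
    return len(pattern) if path == pattern else None


def decide(rules: List[PathRule], path: str) -> Decision:
    path = posixpath.normpath(path)
    best_key, best_rule = None, None
    for idx, rule in enumerate(rules):
        score = _match(rule.pattern, path)
        if score is None:
            continue
        key = (score, idx)   # most specific wins; a later entry breaks ties
        if best_key is None or key > best_key:
            best_key, best_rule = key, rule
    if best_rule is None:
        return Decision(False, 0, None)   # nothing covers it: fail closed
    return Decision(best_rule.allow, best_rule.log, best_rule.pattern)


def trace_session(rules: List[PathRule], cwd: str, targets: List[str]) -> List[str]:
    """Replay a series of `cd` commands the way the thread's transcript does."""
    out = []
    for target in targets:
        dest = resolve(cwd, target)
        d = decide(rules, dest)
        if d.allow:
            cwd = dest
            out.append(f"cd {target}: ok, now in {cwd} (log={d.log})")
        else:
            out.append(f"cd {target}: {dest} - Permission denied (log={d.log})")
    return out


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    # Constructed session matching the one in Brett's post.
    for line in trace_session(rules, "/", ["/data", "private", "/data/private", "shared"]):
        print(line)
```

The specificity check is the part worth getting right: a prefix test without the trailing slash would make `/data/private/**` also deny `/data/privateer`, and skipping `normpath` would let `cd /data/private/../shared` be judged against the wrong directory. Real EAC enforcement may resolve symlinks and evaluate other operations than `cd`; this example only models the path-matching rule itself.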

Re: Manage Internal command on Linux\Unix environment via PUM


Hi Brett,

Operating System: Linux 6.2 64-bit
I have the same problem blocking access to a specific directory, like the
private directory in your sample rule.
I have created a rule for the private directory in the data directory,
/data/private.

My rule looks like:

Begin Rule: EAC rule
If ((user IN linux admins) AND (command IN pcksh))
Then
Set Authorize: yes
Set Session Capture: yes
Run Script: Enhanced Access Control Policy(policy:path default all:log path /data/private/** !all:log=9)
End If
End Rule: EAC rule

In the linux admins group I have a user named rizwan, and the login shell of
this user is pcksh.
And (command IN pcksh): is pcksh the correct command?

But this rule does not solve my problem.
For example:
[root@Prum Desktop]# su - rizwan
$ usrun -u root pcksh
# whoami
root
# cd /data
# ls -al
total 12
drwxr-xr-x 3 root root 4096 Feb 7 19:05 .
dr-xr-xr-x. 28 root root 4096 Feb 7 19:05 ..
drwxr-xr-x 2 root root 4096 Feb 7 19:05 private
# cd private
# cd /data/private
# ls
a b

The user is not restricted from the private directory.
Please help me.

Regards
Rizwan Ahmed


--
Rizwan_ahmed

Re: Manage Internal command on Linux\Unix environment via PUM


Rizwan, I answered this on the new thread you started.


Name: policy
Value: path default all:log
path /data/private/** !all:log=9

Here is what the proper pseudocode would look like:

Begin Rule: cpcksh
If ((command IN Cpcksh shell login))
Then
Set Authorize: yes
Set Session Capture: yes
Run Script: Enhanced Access Control Policy(policy:path default all:log path /data/private/** !all:log=9)
Stop if authorized
End If
End Rule: cpcksh

-deni


--
deni