Restrict Root user to Shutdown or kill a process


I need to restrict the root user from shutting down their operating system. I have
made a rule:

Begin Rule: Shutdown Rule
If ((user IN shutdown and kill group) AND (command IN shutdown command
with any argument))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Stop if authorized
End If
End Rule: Shutdown Rule

and added the root user to the group, but it is not working.

Any help would be appreciated.

Regards,
Asim


--
asimkhalid
------------------------------------------------------------------------
asimkhalid's Profile: https://forums.netiq.com/member.php?userid=3169
View this thread: https://forums.netiq.com/showthread.php?t=46239


Re: Restrict Root user to Shutdown or kill a process


I have created new rules and new scripts. I know a little about Perl
scripts; this is what I made.

Begin Rule: Passwd Rule
If (user IN Password Group AND command IN Password cmd)
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Stop if authorized
Begin Rule: remove restrict
If ((user IN Submit User))
Then
Set Authorize: no
Set Session Capture: yes
Run Script: passwd script()
Stop if unauthorized
End If
End Rule: remove restrict

End If
End Rule: Passwd Rule

and the script

# to set script argument - name=illegalcmd value= kill *
# to set script argument using regular expression - name=illegalcmd value= ^(|/usr/bin/|/bin/)passwd(\s+|$)
#   (note the trailing slash after /bin; without it the pattern would only match "/binpasswd")
# Find the Ticket node in the rule metadata, creating it if it is missing
my $t=$meta->child('Ticket');
$t=$meta->add_param('Ticket') if(! $t);

# Find (or create) the IllegalCmds node under the Ticket
my $i=$t->child('IllegalCmds');
$i=$t->add_param('IllegalCmds') if(! $i);

# Collect every value given for the 'illegalcmd' script argument
my @illegal = $args->arg_values('illegalcmd');

I have tried changing the command in

value= ^(|/usr/bin/|/bin)passwd(\s+|$)
to
value= ^(|/usr/bin/|/bin)rm(\s+|$)
or
value= ^(|/usr/bin/|/bin)kill(\s+|$)

But the required task is not completed.

I want to restrict the user from killing a process, shutting down their system or
deleting a file on their system.

Can this be achieved?
Please help me achieve this.

Regards,
Asim Khalid



Re: Restrict Root user to Shutdown or kill a process


Asim,

Sorry for the delay.

First of all, we don't control the root user by default, nor do we
recommend changing the root user's shell to any NPUM shell. The idea
behind NPUM is that no one logs in as the root user (change the root
password and don't let anyone log in as root), but rather they log in as
themselves (non-privileged users) and then rules are created to allow
them to do specific things.

One thing you could do is allow a non-privileged user to log in as
themselves. Then create a rule that allows them to "become" root by starting
a pcksh shell and running it as root (usrun -u root pcksh), then use the
Illegal command script to limit certain commands based on the rule that
matches the 'usrun -u root pcksh' command.

Pseudo code:

Begin Rule: pcksh
If ((command IN pcksh) AND (user IN Admins))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Run Script: Rush Illegal Commands(illegalcmd:^(|/usr/bin/|/bin/)kill(\s+|$))
Stop
End If
End Rule: pcksh

Example:
usrun -u root pcksh
# whoami
root
# ps -ef |grep firefox
brett 24290 1 0 Nov15 ? 00:16:31 /usr/lib64/firefox/firefox-bin
root 32661 32253 0 13:15 pts/6 00:00:00 grep firefox
# kill -9 24290
pcksh: kill: Permission denied


One other thing that I'll note to help troubleshoot this issue. Within
the rule, you can add the following to the User Message and it will
print out the commands that are illegal when the usrun command is run.

$<Ticket.IllegalCmds>$



With the above in the User message of the rule, when I run the usrun
command, it shows me what my illegal commands are.

brett@sd200:~> usrun -u root pcksh
<IllegalCmds>
<Command regex="1" cmd="^(|/usr/bin/|/bin/)kill(\\s+|$)"/>
</IllegalCmds>

#


--
deni
------------------------------------------------------------------------
deni's Profile: https://forums.netiq.com/member.php?userid=1793
View this thread: https://forums.netiq.com/showthread.php?t=46239


Re: Restrict Root user to Shutdown or kill a process


deni;222794 Wrote:

Thank you deni for the reply.
I'm still having trouble using the kill command. The rules are created
according to the pseudo code given, but I guess the problem is with the
scripting, as I know little of Perl scripting.

The command runs according to the example given above and the custom user
message is shown, but Firefox closes anyway. Moreover, the command does
not show any custom message without using usrun with the kill command
given in the example.
Please help me with the script; if you can give the settings for the
solution above, maybe it would help.
I have tried using the EAC script but I am having a problem adding the
argument to the script.
Looking forward to your reply.
Regards,



Re: Restrict Root user to Shutdown or kill a process


Export your rules by doing the following:

Home | Command Control | Export Settings (in the left Nav) | Copy and
paste the text into a text document. Then email the export to brett at
novell dot com and I'll review that there isn't a syntax issue.

- Brett



Re: Restrict Root user to Shutdown or kill a process


Had another quick idea.

Copy and paste the single line below this into the User Message of the
rule that you think you are matching and it should print out the illegal
commands when you start your shell.

$<Ticket.IllegalCmds>$


Then when you login, you will see something like this:

brett@sd200:~> usrun pcksh
<IllegalCmds>
<Command cmd="/bin/kill*"/>
<Command cmd="kill*"/>
</IllegalCmds>

(this will show that 1. you have the script arguments set up correctly
and 2. that we are matching and applying illegalcmd script to your
session.)

# ps -ef | grep firefox
bergerbr 18958 1 0 Dec04 ? 00:00:00 /bin/sh /usr/bin/firefox
bergerbr 18963 18958 1 Dec04 ? 02:59:59 /usr/lib64/firefox/firefox-bin
root 26792 26689 0 09:06 pts/3 00:00:00 grep firefox
# kill -9 18958
pcksh: kill: Permission denied


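To see how the two IllegalCmds forms shown in deni's replies behave, here is an added Python check (not NPUM code and not from this thread) that runs the thread's kill patterns, plus the original poster's variant with the missing slash after /bin, over constructed command lines. It assumes NPUM tests the pattern against the full command line as typed, which is an assumption, not something the thread confirms.

```python
import re
from fnmatch import fnmatchcase

# Patterns as they appear in the thread: the regex form (regex="1") from the
# pcksh rule, and the glob form from the later IllegalCmds listing.
DENI_REGEX = r"^(|/usr/bin/|/bin/)kill(\s+|$)"
# The original poster's variant lacks the trailing slash after /bin, so the
# third alternative can only ever match a command spelled "/binkill".
ASIM_REGEX = r"^(|/usr/bin/|/bin)kill(\s+|$)"
GLOBS = ["/bin/kill*", "kill*"]


def regex_blocks(pattern, cmdline):
    """True if a regex IllegalCmds entry would match this command line."""
    return re.search(pattern, cmdline) is not None


def glob_blocks(globs, cmdline):
    """True if any non-regex IllegalCmds entry (shell-style glob) matches."""
    return any(fnmatchcase(cmdline, g) for g in globs)


# Constructed sample command lines a root pcksh session might issue.
SAMPLES = [
    "kill -9 24290",
    "/bin/kill -9 24290",
    "/usr/bin/kill 1",
    "killall firefox",
    "pkill -f firefox",
    "ps -ef",
]


def compare(cmdlines=SAMPLES):
    """Map each command line to (deni_regex, asim_regex, glob) verdicts."""
    return {
        c: (regex_blocks(DENI_REGEX, c), regex_blocks(ASIM_REGEX, c), glob_blocks(GLOBS, c))
        for c in cmdlines
    }


if __name__ == "__main__":
    for cmd, verdict in compare().items():
        print(f"{cmd!r:25} deni={verdict[0]!s:5} asim={verdict[1]!s:5} glob={verdict[2]}")
```

The comparison shows the missing slash leaves "/bin/kill" unblocked, and that the "kill*" glob is broader than the regex because it also catches "killall".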

Re: Restrict Root user to Shutdown or kill a process


Thank you, Sir, for the precious time and effort you gave to correct the
errors in my script.

Sir, I want to implement the EAC rule without using the command prompt. I have
tried giving the user the pcksh shell and then tried to restrict the user from
deleting or using "rm", or from using "mv" or the move-to-trash command,
but I am able to restrict only via the command line. Can I stop the user from deleting
files via the GUI (right click, move to trash) etc.?



Re: Restrict Root user to Shutdown or kill a process


Please, if anybody would help:

I want to implement EAC such that the folder defined in the script
argument is not accessed by anyone. Basically the scenario is to
implement the product in such a way that the admins should not be able
to bring a change in the operating system files. They can be allowed to
read the files but not write or delete the OS files.
The EAC rule that has been implemented restricts the user to open the
files in a folder via command terminal but when the user opens the
folder by clicking on that folder, the files are shown. The root user
can even change the files. There should be restriction that no one could
change or delete the OS files.
Any help would be appreciated.

Best Regards,
Asim



Re: Restrict Root user to Shutdown or kill a process


Asim,

It's best to start a new thread when asking a new question, as your new
question on this thread has nothing to do with 'Restrict Root user to
Shutdown or kill a process', which was solved for you on 14-Dec-2012.

-deni



Re: Restrict Root user to Shutdown or kill a process

asimkhalid,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.netiq.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.netiq.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.netiq.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your NetIQ Forums Team
http://forums.netiq.com
