5.7 Command Control Groups

Command Control has three types of groups:

User Groups: Contain users with similar responsibilities. This allows you to use the group as a condition for a rule that either allows or denies those users the right to run commands.

Host Groups: Contain hosts with a similar role (for example, all Web servers). This allows you to use the group as a condition for a rule that either allows or denies the right to run a command on those hosts.

Account Groups: Combine host groups and user groups so that they can be used together in rule conditions. Account groups can also contain other account groups. You can also use account groups as script entities.

For example, you could create a Web Account Group and add to it a user group that contains all the Web server managers and a host group that contains all the hosts that are Web servers. You could then use the Web Account Group as a condition when creating rules for Web server management.

The following sections explain how to manage these groups:

5.7.1 User Groups

User groups contain users who are allowed, or not allowed, to submit or run commands controlled by your rules. You can add user groups to your rule conditions to control whether the rule is processed, depending on the user who is submitting a command or the user who is specified to run a command. You can also use user groups as script entities.

Command Control has two default user groups. Do not modify these groups.

Everyone: Use this group to match against any user who has a local account on the hosts where Privileged User Manager is installed.

Submit User: Use this group to match against the user that submitted the privileged request. This is useful if you want to ensure that a rule only authorizes access to the account that submitted the request. For example, when adding a cpcksh login shell, you should add a clause to the rule that ensures that the run user is in the Submit User group. This ensures that a user cannot use the -u option of usrun to gain access to other accounts.

Entries in the Users list can be literal user names, strings containing wildcards (for example, web* matches every user name that begins with web), or regular expressions. To add a regular expression term to the list, prefix it with =~. For example,

=~/^user*/

Note that in a regular expression * repeats the preceding character, so this example matches use, user, and userr alike; to match any name that begins with user, write =~/^user.*/ instead.

The following sections explain how to manage user groups:

Adding a User Group

  1. Click Command Control on the home page of the console.

  2. Click Account Groups, then expand the list.

  3. Click User Groups.

  4. To add a user group at the top level, click Add User Group in the task pane. To add a user group to a category, select the category and click Add User Group in the task pane.

  5. Specify a name for the user group.

  6. Click Finish.

    User groups are marked with their own icon in the navigation pane.

  7. To configure the user group, continue with Modifying a User Group.

Modifying a User Group

  1. Click Command Control on the home page of the console.

  2. Click Account Groups, then click User Groups in the navigation pane.

  3. Select the user group you want to modify.

  4. Click Modify User Group in the task pane, then configure the following fields:

    Name: Specify a name for the group.

    Disabled: Select this check box to disable the group. A disabled user group is dimmed.

    Description: Describe the purpose of this user group.

    Manager Name, Manager Tel., Manager Email: Specify the name, telephone number, and e-mail address of the manager of this user group. The manager details can be used in the Compliance Auditor.

    If these details have been entered in the manager’s Framework user account details (see Modify User: Account Details), they can be entered automatically by selecting the manager’s username from the drop-down list. This option is only available if you belong to a Framework user group with the read role defined for the auth module (see Section 4.2.4, Configuring Roles).

    Users: Add or change the users you want to include in this group. You can type the user names, one on each line, or paste them from elsewhere. You can use the Sort button to sort the list of users into alphabetical order.

    User Groups: From the list of groups you have already defined, select the user groups you want to include as subgroups of this user group. You can also add subgroups to a user group by dragging the groups to the target user group in the navigation pane.

  5. Click Finish.

    You can now use this user group in rule conditions or as a script entity.

Deleting a User Group

  1. Click Command Control on the home page of the console.

  2. Click Account Groups, then click User Groups in the navigation pane.

  3. Select the required user group.

    To select multiple user groups, press the Ctrl key and select the required user groups one at a time, or press the Shift key to select a consecutive list of user groups.

  4. Click Delete User Group in the task pane. The selected user groups are listed.

  5. Click Finish.

    The user groups are deleted, and are also removed from any account group, rule conditions, and script entities where they have been defined.

5.7.2 Host Groups

Host groups contain hosts that are allowed, or not allowed, to submit or run commands controlled by your rules. You can add host groups to your rule conditions to control whether the rule is processed, depending on the host that is submitting a command or the host specified to run a command. You can also use host groups as script entities.

Command Control has two default host groups. Do not modify these groups.

All Hosts: Use this group to match against any host that has been registered with the Framework. Use the Hosts console to view the hosts that are included as matches for this group.

Submit Host: Use this group to match against the host from which the privileged request was made. This is useful if you want to ensure that a rule only authorizes access on the host from which the request was made. This ensures that a user cannot use the -h option of usrun to gain access to other hosts.

Entries in the Hosts list can be literal host names, strings containing wildcards (for example, www* matches every host name that begins with www), or regular expressions. To add a regular expression term to the list, prefix it with =~. For example,

=~\w+\.novell\.com

This expression is not anchored, so it also matches a name that merely contains a novell.com component, such as www1.novell.com.example.net. If you want to match only hosts directly in that domain, anchor it: =~/^\w+\.novell\.com$/
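The following example, added here and not part of the original documentation or the product's own code, models how the user and host group entries described above (literal names, wildcards, and =~ regular expressions) are matched, and how the Submit User and Submit Host default groups pin a login-shell rule to the requesting account and host. The matching semantics, the group and rule structures, and the usrun request fields are assumptions chosen to mirror the text, not the product's implementation.

```python
import fnmatch
import re

# Constructed sample groups (illustrative, not exported from a real console).
# Each entry is a literal name, a shell-style wildcard, or a regex prefixed "=~".
USER_GROUPS = {
    "Web Managers": ["alice", "bob", "web*"],
    "DBAs": ["=~/^ora.*$/"],
}
HOST_GROUPS = {
    "Web Servers": ["www1", "www2", "=~\\w+\\.novell\\.com"],
}


def term_matches(term, value):
    """Match one group entry against a user or host name.

    Assumption, modelled on the doc's examples rather than verified against
    the product: an entry starting with "=~" is a regular expression
    (optionally wrapped in /.../) and is searched, not anchored; any other
    entry is a shell-style wildcard, so a plain name matches exactly.
    """
    if term.startswith("=~"):
        pattern = term[2:]
        if len(pattern) >= 2 and pattern[0] == "/" and pattern[-1] == "/":
            pattern = pattern[1:-1]
        return re.search(pattern, value) is not None
    return fnmatch.fnmatchcase(value, term)


def in_group(groups, group_name, value):
    """True if value matches any entry of the named group."""
    return any(term_matches(t, value) for t in groups[group_name])


def evaluate_rule(rule, req):
    """Apply a rule's conditions to a privileged request.

    req carries submit_user / run_user / submit_host / run_host, the four
    values the Submit User and Submit Host default groups are built from.
    Conditions (every one that is present must hold):
      submit_user_group        submitting user must be in this user group
      run_host_group           target host must be in this host group
      run_user_in_submit_user  run user must be the submitting user
      run_host_in_submit_host  run host must be the submitting host
    Returns (authorized, reason).
    """
    g = rule.get("submit_user_group")
    if g and not in_group(USER_GROUPS, g, req["submit_user"]):
        return False, f"submit user {req['submit_user']!r} is not in {g!r}"
    g = rule.get("run_host_group")
    if g and not in_group(HOST_GROUPS, g, req["run_host"]):
        return False, f"run host {req['run_host']!r} is not in {g!r}"
    if rule.get("run_user_in_submit_user") and req["run_user"] != req["submit_user"]:
        return False, "run user is not in Submit User (usrun -u to another account)"
    if rule.get("run_host_in_submit_host") and req["run_host"] != req["submit_host"]:
        return False, "run host is not in Submit Host (usrun -h to another host)"
    return True, "authorized"


# A login-shell rule for the Web Account Group scenario in the text: Web
# Managers may open a shell on Web Servers, but only as themselves and only
# on the host they submitted the request from.
LOGIN_SHELL_RULE = {
    "submit_user_group": "Web Managers",
    "run_host_group": "Web Servers",
    "run_user_in_submit_user": True,
    "run_host_in_submit_host": True,
}


def demo():
    """Three requests: a normal one, a usrun -u root attempt, a usrun -h hop."""
    base = {"submit_user": "alice", "run_user": "alice",
            "submit_host": "www1", "run_host": "www1"}
    return [
        evaluate_rule(LOGIN_SHELL_RULE, base),
        evaluate_rule(LOGIN_SHELL_RULE, {**base, "run_user": "root"}),
        evaluate_rule(LOGIN_SHELL_RULE, {**base, "run_host": "www2"}),
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

The second and third requests are denied even though root and www2 would pass the group conditions on their own: the Submit User and Submit Host clauses are what stop a Web Manager from turning a shell on their own host into a shell as root or on another server. The unanchored host regex from the text is also visible here: term_matches("=~\\w+\\.novell\\.com", "www1.novell.com.example.net") is true, which is why the anchored form is preferable in a host group.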

The following sections explain how to manage host groups:

Adding a Host Group

  1. Click Command Control on the home page of the console.

  2. Click Account Groups, then click Host Groups in the navigation pane.

  3. To add a host group at the top level, click Add Host Group in the task pane. To add a host group to a category, select the category and click Add Host Group in the task pane.

  4. Specify a name for the host group.

  5. Click Finish.

    Host groups are marked with their own icon in the navigation pane.

  6. To configure the host group, continue with Modifying a Host Group.

Modifying a Host Group

  1. Click Command Control on the home page of the console.

  2. Click Account Groups, then click Host Groups in the navigation pane.

  3. Select the host group you want to modify.

  4. Click Modify Host Group in the task pane, then configure the following fields:

    Name: Specify a name for the group.

    Disabled: Select this check box to disable the group. A disabled host group is dimmed.

    Description: Describe the purpose of this host group.

    Hosts: Add or change the hosts you want to include in this group. You can type the host names, one on each line, or paste them from elsewhere. You can use the Sort button to sort the list of hosts into alphabetical order.

    Host Groups: From the list of groups you have already defined, select the host groups you want to include as subgroups of this host group. You can also add subgroups to a host group by dragging the groups to the host group in the navigation pane.

  5. Click Finish. You can now use this host group in rule conditions or as a script entity.

Deleting a Host Group

  1. Click Command Control on the home page of the console.

  2. Click Account Groups, then click Host Groups in the navigation pane.

  3. Select the host group you want to delete.

    To select multiple host groups, press the Ctrl key and select the required host groups one at a time, or press the Shift key to select a consecutive list of host groups.

  4. Click Delete Host Group in the task pane. The selected host groups are listed.

  5. Click Finish.

    The host groups are deleted, and are also removed from any account group, rule conditions, and script entities in which they have been defined.

5.7.3 Adding an Account Group

To add a new account group:

  1. Click Command Control on the home page of the console.

  2. Click Account Groups in the navigation pane.

  3. To add an account group at the top level, click Add Account Group in the task pane. To add an account group to a category, select the category and click Add Account Group in the task pane.

    For information about categories, see Section 5.5.6, Adding a Category.

  4. Specify a name for the account group.

  5. Click Finish.

    Account groups are marked with their own icon in the navigation pane.

  6. To configure the group, continue with Modifying an Account Group.

5.7.4 Modifying an Account Group

  1. Click Command Control on the home page of the console.

  2. Click Account Groups in the navigation pane.

  3. Select the account group you want to modify.

  4. Click Modify Account Group in the task pane, then modify the following fields:

    Name: Change the name of the group.

    Disabled: To disable the account group, click Disabled. A disabled account group is dimmed.

    Description: Add or change the description.

    Manager Name, Manager Tel., Manager Email: Specify the name, phone number, and e-mail address of the manager of the users in this account group.

    If these details have been entered in the manager’s Framework user account details (see Modify User: Account Details), they can be entered automatically by selecting the manager’s username from the drop-down list. This option is only available if you belong to a Framework user group with the read role defined for the auth module (see Section 4.2.4, Configuring Roles).

    The manager details can be used in the Compliance Auditor.

    User Groups, Host Groups, Account Groups: From the lists of groups you have already defined, select or remove the user groups, host groups, and account groups. You can also add groups to an account group by dragging the groups to the target account group in the navigation pane.

  5. Click Finish. You can now use this account group in rule conditions or as a script entity.

5.7.5 Deleting an Account Group

  1. Click Command Control on the home page of the console.

  2. Click Account Groups in the navigation pane.

  3. Select the account group you want to delete.

    To select multiple account groups, display the groups in the right pane, press the Ctrl key and select the required account groups one at a time, or press the Shift key to select a consecutive list of account groups.

  4. Click Delete Account Group in the task pane. The selected account groups are listed.

  5. Click Finish.

    The account groups are deleted, and are also removed from any other account groups, rule conditions, and script entities where they have been defined.

5.7.6 Copying a Group

  1. Click Command Control on the home page of the console.

  2. Click the category of the group you are copying, such as Account Groups, Host Groups, or User Groups.

  3. Select the group you want to copy.

    To select multiple groups in the same category or group, make sure the groups are displayed in the right pane of the console, then press the Ctrl key and select the required groups one at a time, or press the Shift key to select a consecutive list of groups.

  4. To create the copy, press the Ctrl key and drag the selected group to the desired location.

  5. If necessary, use the appropriate Modify Group option to rename or modify the copy.

5.7.7 Moving a Group

  1. Click Command Control on the home page of the console.

  2. Click the category of the group you are moving, such as Account Groups, Host Groups, or User Groups.

  3. Select the group you want to move.

    To select multiple groups in the same category or group, make sure the groups are displayed in the right pane of the console, then press the Ctrl key and select the required groups one at a time, or press the Shift key to select a consecutive list of groups.

  4. Drag the selected group to the desired location.

You can also drag account groups, user groups, and host groups into an account group. This does not delete the groups from their original location.

5.7.8 Enhanced Access Control

Command Control policies give you additional options to control the execution of commands. For example, you can use a policy to restrict the rights and roles of a command so that the command works only for one particular directory, file, network address, or system call.

Configuring a Command Control Policy

A command control policy is defined through the policy script argument of the Enhanced Access Control Policy script. The argument's value specifies the access rights of the application based on path, network, and capability.

  1. Click Command Control on the home page of the console.

  2. From the Command Control Sample Scripts, add the Enhanced Access Control Policy script.

  3. Drag the Enhanced Access Control Policy script from Scripts to Authorizing Rule.

  4. Click the Authorizing Rule and access the Script Arguments.

  5. Create a script argument named policy and enter the policy definition in its Value field.

Configuring a Path Policy

A Path policy is a type of command control policy that restricts an application from accessing a specific directory based on the path.

The syntax of a Path policy is as follows:

path [owner] <path> <capability[:capability][:!capability]>

The optional owner keyword restricts the entry to files or directories whose ownership matches the current user ID.

path specifies a particular file or directory. Replace path with any of the following options:

Table 5-5 Path Options

  Option       Description

  /dir/file    The file named file in the /dir/ directory.
  /dir/        The /dir/ directory itself.
  /dir/f*      Files in the /dir/ directory whose names begin with f.
  /dir/*       All files in the /dir/ directory (not its subdirectories).
  /dir/**      All files and subdirectories under /dir/, recursively.
  /dir/**/     All subdirectories under /dir/, recursively (directories only).
  /dir/**/*    All files in any subdirectory under /dir/, recursively.

capability specifies the rights of the application. Separate several capabilities with a colon, and prefix a capability with ! to denote a logical not. For example, all:!write grants every right except write.

Replace capability with any of the following options:

Table 5-6 Capability Options

  Option        Description

  privperms     Read, write, and ownership permissions on the specified directory or file.
  perms         Change the permissions of the specified directory or file.
  read          Read the specified directory or file.
  write         Create and write the specified directory or file.
  unlink        Delete the specified directory or file.
  mknod         Create special (device) files in the specified directory.
  exec          Execute shared objects and files for which the application does not have read and write permission.
  unsafe        Execute any file that does not inherit the policy.
  link          Create a symbolic link or hard link to another file.
  log[=<0-9>]   Audit the application's system calls, with an optional risk value from 0 to 9.
  all           All of the above permissions.

You can use wildcards, regular expressions, and strings in the path of a Path policy. The keyword default in place of a path defines the default policy, which applies to any path that no other entry matches. In the following example, every access is allowed and logged by default, while everything under /opt/oracle/private/ is denied outright and logged at risk value 9:

path default all:log
path /opt/oracle/private/** !all:log=9
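The following example, added here and not part of the original documentation or the product's own code, parses Path policy lines in the syntax described above and answers access questions against them, covering the path forms in Table 5-5, the capability list with ! negation and log[=N] from Table 5-6, the owner keyword, and the default entry. The precedence between entries (last matching non-default entry wins, default only as a fallback), the treatment of log as a level rather than an access right, and the sample policy are assumptions chosen to illustrate the syntax, not a description of how the product evaluates it.

```python
import re
from fnmatch import fnmatchcase

# Every access capability from Table 5-6; "log" is an audit level, tracked separately.
CAPABILITIES = {"privperms", "perms", "read", "write", "unlink",
                "mknod", "exec", "unsafe", "link"}


def parse_caps(spec):
    """Turn 'all:!write:log=9' into ({granted...}, log_level_or_None).

    Terms apply left to right: a bare name grants, '!name' revokes, 'all'
    expands to every capability in CAPABILITIES, and log[=N] sets the audit
    risk level (N defaults to 0). Assumption: '!all' leaves the log level
    alone, so the doc's '!all:log=9' denies everything yet audits at risk 9.
    """
    granted, log = set(), None
    for term in spec.split(":"):
        negate = term.startswith("!")
        name = term[1:] if negate else term
        m = re.fullmatch(r"log(?:=(\d))?", name)
        if m:
            log = None if negate else int(m.group(1) or 0)
            continue
        names = CAPABILITIES if name == "all" else {name}
        if not names <= CAPABILITIES:
            raise ValueError(f"unknown capability {name!r}")
        granted = granted - names if negate else granted | names
    return granted, log


def parse_policy(text):
    """Parse 'path [owner] <path> <caps>' lines into a list of entries."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] != "path":
            raise ValueError(f"unsupported policy line: {raw.strip()!r}")
        owner = len(parts) > 1 and parts[1] == "owner"
        rest = parts[2:] if owner else parts[1:]
        if len(rest) != 2:
            raise ValueError(f"expected '<path> <caps>': {raw.strip()!r}")
        caps, log = parse_caps(rest[1])
        entries.append({"owner": owner, "pattern": rest[0], "caps": caps, "log": log})
    return entries


def pattern_matches(pattern, path, is_dir):
    """Path forms as described in Table 5-5. Directories are passed without
    a trailing slash (e.g. '/etc/ssh' with is_dir=True)."""
    if pattern.endswith("/**/*"):            # files in subdirectories, recursively
        prefix = pattern[:-4]
        return not is_dir and path.startswith(prefix) and "/" in path[len(prefix):]
    if pattern.endswith("/**/"):             # subdirectories only, recursively
        prefix = pattern[:-3]
        return is_dir and path.startswith(prefix) and len(path) > len(prefix)
    if pattern.endswith("/**"):              # every file and subdirectory below
        prefix = pattern[:-2]
        return path.startswith(prefix) and len(path) > len(prefix)
    if pattern.endswith("/"):                # the directory itself
        return is_dir and path == pattern.rstrip("/")
    pdir, _, pbase = pattern.rpartition("/")  # /dir/file or /dir/f*
    fdir, _, fbase = path.rpartition("/")
    return not is_dir and pdir == fdir and fnmatchcase(fbase, pbase)


def check_access(entries, path, capability, is_dir=False, owned_by_user=False):
    """Return (allowed, log_level) for one access.

    Assumed precedence: the last matching non-default entry wins, and the
    'default' entry is used only when nothing else matches. An 'owner'
    entry is skipped unless the object belongs to the current user.
    """
    chosen = default = None
    for e in entries:
        if e["pattern"] == "default":
            default = e
        elif (not e["owner"] or owned_by_user) and pattern_matches(e["pattern"], path, is_dir):
            chosen = e
    e = chosen or default
    if e is None:
        return False, None
    return capability in e["caps"], e["log"]


# Constructed sample policy: the doc's two lines plus three illustrative entries.
SAMPLE_POLICY = """
path default all:log
path /opt/oracle/private/** !all:log=9
path /etc/ssh/ read
path /etc/ssh/* read
path /var/log/**/* all:!write:!unlink:log=3
"""
POLICY = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    for p, cap in [("/opt/oracle/private/wallet.p12", "read"),
                   ("/etc/ssh/sshd_config", "write"),
                   ("/var/log/nginx/access.log", "unlink"),
                   ("/var/log/syslog", "unlink")]:
        print(p, cap, check_access(POLICY, p, cap))
```

Two points worth checking in your own policies fall out of this model. First, under the Table 5-5 wording /dir/**/* covers files in subdirectories only, so /var/log/syslog is not matched by the /var/log/**/* entry and falls through to the permissive default; use /dir/** when files directly in the directory must be covered too. Second, a default of all:log means anything you forget to list is allowed, so high-value paths need an explicit deny entry such as the Oracle line rather than reliance on the default.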