Command Control has three types of groups:
User Groups: Contain users with similar responsibilities. This allows you to use the group as a condition for a rule that either allows or denies those users the right to run commands.
Host Groups: Contain hosts with similar content. This allows you to use the group as a condition for a rule that either allows or denies the right to run a command on those hosts.
Account Groups: Combine host groups and user groups so that they can be used together in rule conditions. Account groups can also contain other account groups. You can also use account groups as script entities.
For example, you could create a Web Account Group and add to it a user group that contains all the Web server managers and a host group that contains all the hosts that are Web servers. You could then use the Web Account Group as a condition when creating rules for Web server management.
The following sections explain how to manage these groups:
User groups contain users who are allowed, or not allowed, to submit or run commands controlled by your rules. You can add user groups to your rule conditions to control whether the rule is processed, depending on the user who is submitting a command or the user who is specified to run a command. You can also use user groups as script entities.
Command Control has two default user groups. Do not modify these groups.
Everyone: Use this group to match against any user who has a local account on the hosts where Privileged User Manager is installed.
Submit User: Use this group to match against the user that submitted the privileged request. This is useful if you want to ensure that a rule only authorizes access to the account that submitted the request. For example, when adding a crush login shell, you should add a clause to the rule that ensures that the run user is in the Submit User group. This ensures that a user cannot use the -u option in usrun to gain access to other accounts.
You can search for a specific user in a user group by using suitable regular expressions, strings, or wildcards in the command. For example, the wildcards that you can use in the command could be vi * or /usr/bin/vi *.
To add a regular expression term to the list, prefix the regular expression with =~. For example,
=~/^vi .*$/
=~/^user*/
The following sections explain how to manage user groups:
1. Click on the home page of the console.
2. Click , then expand the list.
3. Click .
4. To add a user group at the top level, click in the task pane. To add a user group to a category, select the category and click in the task pane.
5. Specify a name for the user group.
6. Click .
User groups are represented by the icon.
To configure the user group, continue with Modifying a User Group.
1. Click on the home page of the console.
2. Click , then click in the navigation pane.
3. Select the user group you want to modify.
4. Click in the task pane, then configure the following fields:
Name: Specify a name for the group.
Disabled: Select this check box to disable the group. A disabled user group is dimmed.
Description: Describe the purpose of this user group.
Manager Name, Manager Tel., Manager Email: Specify the name, telephone number, and e-mail address of the manager of this user group. The manager details can be used in the Compliance Auditor.
If these details have been entered in the manager’s Framework user account details (see Modify User: Account Details), they can be entered automatically by selecting the manager’s username from the drop-down list. This option is only available if you belong to a Framework user group with the read role defined for the auth module (see Section 4.2.4, Configuring Roles).
Users: Add or change the users you want to include in this group. You can type the user names, one on each line, or paste them from elsewhere. You can use the button to sort the list of users into alphabetical order.
User Groups: From the list of groups you have already defined, select the user groups you want to include as subgroups of this user group. You can also add subgroups to a user group by dragging the groups to the target user group in the navigation pane.
5. Click .
You can now use this user group in rule conditions or as a script entity.
1. Click on the home page of the console.
2. Click , then click in the navigation pane.
3. Select the required user group.
To select multiple user groups, press the Ctrl key and select the required user groups one at a time, or press the Shift key to select a consecutive list of user groups.
4. Click in the task pane. The selected user groups are listed.
5. Click .
The user groups are deleted, and are also removed from any account groups, rule conditions, and script entities where they have been defined.
Host groups contain hosts that are allowed, or not allowed, to submit or run commands controlled by your rules. You can add host groups to your rule conditions to control whether the rule is processed, depending on the host that is submitting a command or the host specified to run a command. You can also use host groups as script entities.
Command Control has two default host groups. Do not modify these groups.
All Hosts: Use this group to match against any host that has been registered with the Framework. Use the Hosts console to view the hosts that are included as matches for this group.
Submit Host: Use this group to match against the host from which the privileged request was made. This is useful if you want to ensure that a rule only authorizes access to the host from which the privileged request was made. This ensures that a user cannot use the -h option in usrun to gain access to other hosts.
You can search for a specific host in a host group by using suitable regular expressions, strings, or wildcards in the command. For example, the wildcards that you can use in the command could be vi * or /usr/bin/vi *.
To add a regular expression term to the list, prefix the regular expression with =~. For example,
=~/^vi .*$/
=~\w+\.novell\.com
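The user group and host group lists above accept three kinds of term: a literal string, a shell-style wildcard such as vi * or /usr/bin/vi *, and a regular expression prefixed with =~, written either with slash delimiters (=~/^vi .*$/) or bare (=~\w+\.novell\.com). The matcher below is an added example, not code from Privileged User Manager; treating a bare regular expression as an unanchored search, and everything without =~ as a wildcard, are assumptions.

```python
import re
from fnmatch import fnmatchcase

def _compile_term(term):
    """Return a predicate for one group-list term.
    An '=~' prefix marks a regular expression; the page shows both the
    delimited form =~/^vi .*$/ and the bare form =~\\w+\\.novell\\.com, so
    optional surrounding slashes are stripped before compiling. Any other
    term is treated as a shell-style wildcard (a plain string is just a
    wildcard with no metacharacters). Unanchored search is an assumption."""
    if term.startswith("=~"):
        body = term[2:]
        if len(body) >= 2 and body[0] == "/" and body[-1] == "/":
            body = body[1:-1]
        rx = re.compile(body)
        return lambda value: rx.search(value) is not None
    return lambda value: fnmatchcase(value, term)

def matching_terms(terms, value):
    """All terms of a group definition that match the candidate value."""
    return [t for t in terms if _compile_term(t)(value)]

# Constructed group lists mixing the page's example terms with literals
HOST_TERMS = ["=~\\w+\\.novell\\.com", "db01", "web*"]
CMD_TERMS = ["=~/^vi .*$/", "/usr/bin/vi *", "passwd"]
```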
The following sections explain how to manage host groups:
1. Click on the home page of the console.
2. Click , then click in the navigation pane.
3. To add a host group at the top level, click in the task pane. To add a host group to a category, select the category and click in the task pane.
4. Specify a name for the host group.
5. Click .
Host groups are represented by the icon.
To configure the host group, continue with Modifying a Host Group.
1. Click on the home page of the console.
2. Click , then click in the navigation pane.
3. Select the host group you want to modify.
4. Click in the task pane, then configure the following fields:
Name: Specify a name for the group.
Disabled: Select this check box to disable the group. A disabled host group is dimmed.
Description: Describe the purpose of this host group.
Hosts: Add or change the hosts you want to include in this group. You can type the host names, one on each line, or paste them from elsewhere. You can use the button to sort the list of hosts into alphabetical order.
Host Groups: From the list of groups you have already defined, select the host groups you want to include as subgroups of this host group. You can also add subgroups to a host group by dragging the groups to the host group in the navigation pane.
5. Click .
You can now use this host group in rule conditions or as a script entity.
1. Click on the home page of the console.
2. Click , then click in the navigation pane.
3. Select the host group you want to delete.
To select multiple host groups, press the Ctrl key and select the required host groups one at a time, or press the Shift key to select a consecutive list of host groups.
4. Click in the task pane. The selected host groups are listed.
5. Click .
The host groups are deleted, and are also removed from any account groups, rule conditions, and script entities in which they have been defined.
To add a new account group:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. To add an account group at the top level, click in the task pane. To add an account group to a category, select the category and click in the task pane. For information about categories, see Section 5.5.6, Adding a Category.
4. Specify a name for the account group.
5. Click .
Account groups are represented by the icon.
To configure the group, continue with Modifying an Account Group.
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the account group you want to modify.
4. Click in the task pane, then modify the following fields:
Name: Change the name of the group.
Disabled: To disable the account group, click . A disabled account group is dimmed.
Description: Add or change the description.
Manager Name, Manager Tel., Manager Email: Specify the name, phone number, and e-mail address of the manager of the users in this account group.
If these details have been entered in the manager’s Framework user account details (see Modify User: Account Details), they can be entered automatically by selecting the manager’s username from the drop-down list. This option is only available if you belong to a Framework user group with the read role defined for the auth module (see Section 4.2.4, Configuring Roles).
The manager details can be used in the Compliance Auditor.
User Groups, Host Groups, Account Groups: From the lists of groups you have already defined, select or remove the user groups, host groups, and account groups. You can also add groups to an account group by dragging the groups to the target account group in the navigation pane.
5. Click .
You can now use this account group in rule conditions or as a script entity.
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the account group you want to delete.
To select multiple account groups, display the groups in the right pane, press the Ctrl key and select the required account groups one at a time, or press the Shift key to select a consecutive list of account groups.
4. Click in the task pane. The selected account groups are listed.
5. Click .
The account groups are deleted, and are also removed from any other account groups, rule conditions, and script entities where they have been defined.
1. Click on the home page of the console.
2. Click the category of the group you are copying, such as User Groups, Host Groups, or Account Groups.
3. Select the group you want to copy.
To select multiple groups in the same category or group, make sure the groups are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required groups one at a time, or press the Shift key to select a consecutive list of groups.
4. To create the copy, press the Ctrl key and drag the selected group to the desired location.
5. If necessary, use the appropriate option to rename or modify the copy.
1. Click on the home page of the console.
2. Click the category of the group you are moving, such as User Groups, Host Groups, or Account Groups.
3. Select the group you want to move.
To select multiple groups in the same category or group, make sure the groups are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required groups one at a time, or press the Shift key to select a consecutive list of groups.
4. Drag the selected group to the desired location.
You can also drag account groups, user groups, and host groups into an account group. This does not delete the groups from their original location.
Command Control policies give you additional options to control the execution of commands. For example, you can use a policy to restrict the rights and roles of a command so that the command works only for one particular directory, file, network address, or system call.
A Command Control policy is defined by using policy script arguments. A policy script argument specifies the access rights of applications based on path, network, and capability.
1. Click on the home page of the console.
2. From the , add the script.
3. Drag the script from to .
4. Click the and access the .
5. Create a script argument with the name policy and add that policy to the field.
A Path policy is a type of command control policy that restricts an application from accessing a specific directory based on the path.
The syntax of a Path policy is as follows:
path [owner] <path><capability:capability:!capability>
owner specifies that the ownership of the file or directory must match the current user ID.
path specifies a particular directory based on its path. Replace path with any of the following options:
Table 5-5 Path Options
capability specifies the rights of the application. You can use the ! symbol in the syntax to denote a logical NOT. For example, all:!write grants all the rights except write.
Replace capability with any of the following options:
Table 5-6 Capability Options
You can use wildcards, regular expressions, and strings in the Path policy. For example, the word default in the following example specifies the default policy:
path default all:log
path /opt/oracle/private/** !all:log=9
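To make the syntax concrete, here is an added example (not code from Privileged User Manager) that parses Path policy lines of the form path [owner] <path> <capability:capability:!capability> and evaluates them for a given file path. Because Table 5-6 is not reproduced here, the set that all expands to is an assumption, as is the precedence rule that the longest matching pattern wins over the default policy.

```python
import re

# Constructed capability universe: Table 5-6 is not reproduced on the page, so
# "all" expands only to the capabilities the page names plus read/exec (assumed).
KNOWN_CAPS = {"read", "write", "exec", "log"}

def _glob_to_re(glob):
    # "**" spans directory separators; a single "*" stays inside one path component.
    body = re.escape(glob).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + body + "$")

def parse_rule(line):
    """Parse 'path [owner] <path> <cap:cap:!cap[=value]>' into
    (pattern, owner_only, {capability: True or value})."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "path":
        raise ValueError("not a path policy: " + line)
    owner_only = toks[1] == "owner"
    pattern, capspec = toks[2 if owner_only else 1], toks[-1]
    caps = {}
    for tok in capspec.split(":"):      # capability tokens apply left to right
        negated = tok.startswith("!")
        name, _, value = tok.lstrip("!").partition("=")
        for cap in (KNOWN_CAPS if name == "all" else {name}):
            if negated:
                caps.pop(cap, None)     # "!" denotes logical NOT: drop the capability
            else:
                caps[cap] = value or True
    return pattern, owner_only, caps

def resolve(rules, path, owned_by_user=False):
    """Capabilities in force for path. Assumption (the page does not say): the
    longest matching non-default pattern wins and 'default' is the fallback."""
    best = None
    for pattern, owner_only, caps in rules:
        if pattern == "default" or (owner_only and not owned_by_user):
            continue
        if _glob_to_re(pattern).match(path) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, caps)
    if best is None:
        best = next(((p, c) for p, o, c in rules if p == "default"), None)
    return dict(best[1]) if best else {}

def allowed(rules, path, cap, owned_by_user=False):
    return cap in resolve(rules, path, owned_by_user)

# Constructed policy: the page's two example lines plus one owner-scoped rule.
POLICY = [parse_rule(l) for l in ("path default all:log",
    "path /opt/oracle/private/** !all:log=9", "path owner /home/** all:!write")]
```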