You can use Perl scripts to provide additional, customized functionality to your rules. You can also use scripts in rule conditions. Privileged User Manager contains the embedded Perl interpreter version 5.8.9. You can use any of the core Perl modules for your script. Installing CPAN Perl modules into the embedded Perl interpreter is not recommended. If you create a script, be aware that any time-consuming tasks within the script affect response times.
You can add your own custom attributes for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in your scripts. See Defining Custom Attributes for details.
To add a new script:
Click on the home page of the console.
Click in the navigation pane.
To add a script at the top level, click in the task pane. To add a script to a category, select the category and click in the task pane.
Specify a name for the script.
Click .
To configure the script, continue with Section 5.9.2, Modifying a Script.
Click on the home page of the console.
Click in the navigation pane.
Select the script you want to modify.
Click in the task pane.
Configure the following fields:
Name: Specify a different name for the script.
Conditional script: Select the check box to set the script to be conditional. Scripts defined as conditional can be used in rule conditions. The return codes are limited to 1 for true and 0 for false.
Disabled: Select the check box to disable the script. A disabled script is dimmed.
Description: Describe the purpose of the script.
Script: Specify the text of your script in the text box by typing it or by pasting it from elsewhere. The possible return codes you can use in your script for processing by the Command Control software are shown below this field.
For some sample scripts, see Section 5.9.6, Sample Scripts.
Click .
You can now assign your script to a rule, or you can specify it in rule conditions if you have set the script to be conditional.
Click on the home page of the console.
Click in the navigation pane.
Select the script you want to copy.
To select multiple scripts in the same category, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.
To create the copy, press the Ctrl key and drag the selected script to the desired location.
If necessary, use the option to rename or modify the copy. For details, see Modifying a Script.
Click on the home page of the console.
Click in the navigation pane.
Select the script you want to move.
To select multiple scripts in the same category, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.
Drag the selected script to the desired location.
Click on the home page of the console.
Click in the navigation pane.
Select the script you want to delete.
To select multiple scripts in the same category, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.
Click in the task pane. The selected scripts are listed.
Click .
Privileged User Manager ships with the following sample scripts that you can import and use:
Display message scripts
Password validation scripts
Alternate validation scripts
Email scripts
Modify environment script
Emulate su script
Secure vi script
Before creating your own Perl script, check out the sample scripts to see if one is available that meets your needs or one that can be modified to meet your needs. To understand what is available, see the sample scripts in the following sections.
To import a sample script, click Command Control > Import Samples > Sample Perl Script.
This script is used to process environment variables. It has a number of script arguments that can add, delete, clear, and keep environment variables.
| Argument | Description |
|---|---|
| clearenv=1 | Clears all environment variables (unless specifically kept using keepenv) |
| keepenv=VAR | Specifically keeps environment variables. As soon as this is set, all other environment variables are deleted. |
| setenv=VAR=val | Sets up a specific environment variable. |
| unsetenv=VAR | Deletes a specific environment variable. |
| defaultenv=# | Sets the default environment. 0: Sets up no default environment variables. 1: Sets up all default environment variables. 2: Sets up default environment variables that do not already exist in the environment. |
```perl
# Load the submitted environment ("VAR=value" entries) into a hash.
my $e=$meta->child("Environment");
return(1) if(! $e);
my $n=$e->node_args();
my %env=();
while($n) {
    # Split at the first "=" so a value that itself contains "=" keeps its variable name.
    $env{$1}=$2 if($n->key() ne "items" && $n->value() =~ /^(.*?)=(.*)$/);
    $n=$n->next();
}

# First pass over the script arguments: clearenv, keepenv and defaultenv.
my %keepenv=();
my $clearenv=0;
for(my $a=$args->node_args();$a;$a=$a->next()) {
    if($a->key() eq "clearenv" && $a->value() > 0) {
        $clearenv=1;
    } elsif($a->key() eq "keepenv" && $a->value() ne "") {
        $keepenv{$a->value()}=1;
    } elsif($a->key() eq "defaultenv" && $a->value() >= 0) {
        $meta->child("Job")->arg_int("job_default_env",$a->value());
    }
}

# If anything is kept or cleared, drop every variable that is not explicitly kept.
if(scalar %keepenv || $clearenv) {
    while(my ($key,$val) = each %env) {
        delete $env{$key} if(! $keepenv{$key});
    }
}

# Second pass: unsetenv and setenv act on what is left.
for(my $a=$args->node_args();$a;$a=$a->next()) {
    if($a->key() eq "unsetenv" && $a->value() ne "") {
        delete $env{$a->value()};
    } elsif($a->key() eq "setenv" && $a->value() =~ /^(.*?)\s*=\s*(.*)$/) {
        $env{$1}=$2;
    }
}

# Replace the Environment node with the filtered set.
$meta->del($e);
$e=$meta->add_node("Environment");
my $items=0;
while(my ($key,$val) = each(%env)) {
    $e->arg("arg-$items","$key=$val");
    $items++;
}
$e->arg_int("items","$items");
return(1);
```
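To preview what a set of script arguments does to a submitted environment before assigning the script to a rule, the same processing order can be run offline. This is an added example, not the shipped sample script: filter_env() and the sample data are constructed, plain Perl lists stand in for the product's $meta and $args objects, and defaultenv is left out because the product applies it.

```perl
# Added example: offline dry run of the environment script's argument handling.
# filter_env() and the sample data below are constructed for illustration;
# plain lists replace the product's $meta/$args objects.
use strict;
use warnings;

sub filter_env {
    my ($env_list, $arg_list) = @_;
    my (%env, %keep);
    my $clear = 0;

    # Split each entry at the first '=' so values containing '=' keep their name.
    for my $entry (@$env_list) {
        $env{$1} = $2 if $entry =~ /^([^=]+)=(.*)$/s;
    }

    # Pass 1: clearenv/keepenv decide which variables survive.
    for my $arg (@$arg_list) {
        my ($k, $v) = @$arg;
        $clear = 1    if $k eq 'clearenv' && $v > 0;
        $keep{$v} = 1 if $k eq 'keepenv'  && $v ne '';
    }
    if (%keep || $clear) {
        delete @env{ grep { !$keep{$_} } keys %env };
    }

    # Pass 2: unsetenv/setenv apply to whatever is left, in argument order.
    for my $arg (@$arg_list) {
        my ($k, $v) = @$arg;
        if ($k eq 'unsetenv' && $v ne '') {
            delete $env{$v};
        } elsif ($k eq 'setenv' && $v =~ /^([^=\s]+)\s*=\s*(.*)$/s) {
            $env{$1} = $2;
        }
    }
    return map { join('=', $_, $env{$_}) } sort keys %env;
}

# Constructed submit-time environment and rule arguments.
my @submitted = ('PATH=/tmp/bin:/usr/bin', 'LD_PRELOAD=/tmp/x.so',
                 'TERM=xterm', 'LESS=-P file=%f');
my @rule_args = ([keepenv => 'TERM'], [keepenv => 'LESS'],
                 [setenv  => 'PATH=/usr/bin:/bin']);

print "$_\n" for filter_env(\@submitted, \@rule_args);
```

With keepenv used as an allowlist, variables that were not anticipated (here LD_PRELOAD and the submitted PATH) never reach the privileged command, whereas unsetenv removes only the names you list.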
When using the pcksh shell, Command Control has the ability to restrict the commands being run (even as root). This sample script is named illegalcmd, and it restricts the use of the passwd command.
This script does not restrict a user who initiates another shell from within a session. When a user does this, Command Control cannot continue a full audit or control the illegal commands, although the session is still captured.
```perl
#to set script argument - name=illegalcmd value= kill *

# Find or create the Ticket parameter, then its IllegalCmds list.
my $t=$meta->get_params('Ticket');
if(! $t) {
    $t=$meta->add_param('Ticket');
}
my $i=$t->get_params('IllegalCmds');
if(! $i) {
    $i=$t->add_param('IllegalCmds');
}

# Each illegalcmd script argument becomes one restricted command.
my @illegal = $args->arg_values('illegalcmd');
#my @illegal=("echo","ls -l","passwd","/usr/bin/ls -l","ksh","echo date");
foreach my $b (@illegal) {
    my $c=$i->add_param('Command');
    $c->arg("cmd",$b);
}
return 1;
```