Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run, by setting rule conditions based on different criteria:
The command being submitted
The user and host submitting the command
The user and host assigned to run the command
The time the command is submitted
The contents of Perl scripts you have defined.
See Setting Conditions for a Rule for details.
If a rule’s conditions are met, there are a number of options you can set to determine how the rule processes the command. You can configure a rule to:
Display a message to the user submitting the command
Capture the user session for reporting and auditing purposes
Authorize or not authorize the command to be run
Specify what further rule processing to do. The rule can end the processing of additional rules by using one of the stop conditions (Stop, Stop if authorized, or Stop if unauthorized; see Modifying a Rule).
When the Framework Manager receives a command request, evaluation starts at the top of the rule tree. Even when a request matches a rule, evaluation continues until a rule with a stop condition is processed or the whole rule tree has been processed. The position of each rule in the tree therefore affects the outcome.
You can also:
Specify the user and host to run the command
Set a risk level for use with keystroke reports
Assign an audit group to the rule for use with the Compliance Auditor.
See Modifying a Rule for details.
You can also create and assign Perl scripts to the rule to provide additional functionality. See Adding a Script and Assigning a Script to a Rule for details.
NOTE: If the user who runs an authorized command (the run user) differs from the user who submitted it (the submit user), by default the submit user's environment variables are used for the run user. Because the environment controls details such as how an executable name is resolved through PATH, consider whether a command should instead run with the run user's own environment. To use the environment variables associated with the run user, add a script to your rule containing the following text:
$meta->get_params("Job")->arg("job_default_env",0); return 1;
To add a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. To add a rule at the top level, click in the task pane. To add a rule as a child of another rule, select the parent rule, then click in the task pane.
4. Specify a name for the rule.
5. Click . The new rule is added.
6. To configure the rule, select the rule, then click in the task pane. For configuration information, see Section 5.6.2, Modifying a Rule.
7. Move the rule to the position that matches the order in which you want your rules processed.
When a user issues a command under Command Control, the following rule processing takes place:
The conditions set for the first rule in the hierarchy are checked.
If there is a match, the rule is processed. Depending on how the rule is configured, processing of additional rules takes place or stops. If rule processing is not stopped, the next rule for which conditions are checked is the child of this rule. Rule checking and processing continues until it is stopped by a rule, or until all appropriate rules have been processed.
If there is no match, the conditions for the next rule at the same hierarchical level as the first rule are checked, and this continues until a match is found. Rule processing then takes place as described above.
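The traversal described in the three steps above, modelled as an added example (illustration code written for this page, not NetIQ product code). Each Rule carries the settings from Modifying a Rule that affect processing (a condition, the Authorize setting, the next-action drop-down, Run User), and evaluate() walks a constructed tree for a constructed request: a matching rule is processed and its children are checked next, a non-matching rule is skipped in favour of its next sibling, Return leaves the current level, and the Stop variants end evaluation. The request dictionary keys, the DBA_GROUP user group, the rule names and commands, and the assumption that nothing is authorized until a processed rule authorizes it are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Model of Command Control rule-tree processing (added illustration, not product code).
Condition = Callable[[dict], bool]


@dataclass
class Rule:
    """One node of the rule tree with the settings that affect processing."""
    name: str
    condition: Condition = lambda req: True     # no condition: the rule always matches
    authorize: bool = False                     # Authorize: yes/no for the protected command
    next_action: str = ""                       # "", "Stop", "Return", "Stop if authorized", "Stop if unauthorized"
    run_user: Optional[str] = None              # Run User override, if set
    disabled: bool = False                      # assumption: disabled rules are skipped
    children: List["Rule"] = field(default_factory=list)


@dataclass
class Outcome:
    authorized: bool = False                    # assumption: nothing is authorized until a rule says so
    run_user: Optional[str] = None              # defaults to the submit user
    trace: List[str] = field(default_factory=list)   # names of the rules processed, in order


def _walk(rules: List[Rule], req: dict, out: Outcome) -> bool:
    """Process one level of sibling rules. Returns True once a stop condition has fired."""
    for rule in rules:
        if rule.disabled or not rule.condition(req):
            continue                            # no match: check the next rule at this level
        out.trace.append(rule.name)             # match: process the rule
        out.authorized = rule.authorize         # the most recently processed rule sets the result
        if rule.run_user:
            out.run_user = rule.run_user
        act = rule.next_action
        if act == "Stop":
            return True
        if act == "Stop if authorized" and out.authorized:
            return True
        if act == "Stop if unauthorized" and not out.authorized:
            return True
        if act == "Return":
            return False                        # leave this level; the parent continues with its next sibling
        if _walk(rule.children, req, out):      # Blank (or a stop that did not fire): children are next
            return True
    return False                                # level exhausted: back to the parent's next sibling


def evaluate(rules: List[Rule], req: dict) -> Outcome:
    """Evaluate a submitted command request against the whole rule tree."""
    out = Outcome(run_user=req["submit_user"])
    _walk(rules, req, out)
    return out


# Constructed sample data: a user group and a three-rule tree with one child level.
DBA_GROUP = {"alice", "dave"}

RULES = [
    Rule("Block interactive shells",
         condition=lambda r: r["command"] in ("/bin/bash", "/bin/sh"),
         authorize=False, next_action="Stop"),
    Rule("Database admins",
         condition=lambda r: r["submit_user"] in DBA_GROUP,
         children=[
             Rule("Allow oracle restart as oracle",
                  condition=lambda r: r["command"].startswith("systemctl restart oracle"),
                  authorize=True, run_user="oracle", next_action="Stop if authorized"),
             Rule("Anything else: leave the DBA subtree", next_action="Return"),
         ]),
    Rule("Default deny", authorize=False, next_action="Stop"),
]


def describe(user: str, command: str, rules: List[Rule] = RULES) -> str:
    """One-line summary of how a request is processed; handy for checking rule order."""
    out = evaluate(rules, {"submit_user": user, "submit_host": "db01", "command": command})
    verdict = "ALLOW" if out.authorized else "DENY"
    return f"{user} {command!r}: {verdict} as {out.run_user} via {' > '.join(out.trace)}"


if __name__ == "__main__":
    for user, cmd in [("alice", "systemctl restart oracle"), ("alice", "/bin/bash"),
                      ("alice", "cat /etc/shadow"), ("bob", "systemctl restart oracle")]:
        print(describe(user, cmd))
    # Same request with "Default deny" moved to the top: order decides the outcome.
    print(describe("alice", "systemctl restart oracle", [RULES[2], RULES[0], RULES[1]]))
```

The last line of the main block shows why the procedure for adding a rule ends with moving it into position: with "Default deny" first, alice's restart is denied before the DBA subtree is ever reached. In this model evaluation continues past matching rules, so the last processed rule's Authorize setting is what remains unless a stop condition ends evaluation earlier.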
You can change the default order of rule processing in the console, or by using scripts (see Modifying a Script).
To modify a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the rule you want to modify.
4. Click in the task pane.
5. Make the changes you want:
Name: Change the name of the rule.
Disabled: To disable the rule, select this box. A disabled rule is dimmed.
Description: Specify a description of the rule.
User Message: Specify a message to display to the submitting user when this rule is processed, before any commands are run.
Session Capture: Turn session capture on or off. When it is on, the Audit Manager performs keystroke logging for the rule. To view a captured session from a Command Control report, an Audit Manager and the Reporting Console must be installed.
Authorize: Select whether the command protected by the rule is authorized or not authorized when the rule conditions are met. Then define what happens next by using the drop-down list:
Blank: The next rule in the hierarchy is checked.
Stop: No more rules are checked for the command.
Return: The next rule to be checked is up one level in the hierarchy from the current rule.
Stop if authorized: If this rule authorizes the command, no more rules are checked for the command.
Stop if unauthorized: If this rule does not authorize the command, no more rules are checked for the command.
Run User: Select the name of the user you want to run this command (this overrides any username defined through a set command).
Run Host: Select the name of the host on which you want to run this command (this overrides any hostname defined through a set command).
Risk Level: Set a value of 0 to 99 representing the relative risk of the rule, for use with the rush or crush clients with the session auditing option (see Section 5.2, Integrating Command Control into User Environments). When viewing a Command Control Keystroke Report, commands controlled by rules with different risk values are shown in different colors.
Audit Group: Define an audit group. This setting is for use in Compliance Auditor reports.
6. Click . The settings you have defined for the rule are displayed in the console.
You can set a number of conditions for a rule to determine whether the rule is processed. For example, you can set a particular command as a condition, so that the rule is processed only when a user enters that command.
There are two ways of setting conditions for a rule:
Dragging an entity onto the rule.
Using the option in the task pane, as described in the steps below.
NOTE: When you drag an entity onto a rule, you might need to edit the condition to ensure that the condition logic is what you want. If you want to use a script in rule conditions, you must set it to Conditional first (see Modifying a Script).
To set conditions by using the task pane option:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the rule for which you want to set conditions.
4. Select the currently defined condition in the right pane. If you have not yet defined a condition, this is the rule's initial condition.
5. Select in the task pane.
6. In the drop-down list, select the type of condition you want. The condition is displayed on the screen.
7. Set the condition to the value and logic you want. For example, to match the run user to a user group:
   a. Change the user type from submit user to run user.
   b. Leave the logic setting unchanged.
   c. Select the user group you require from the user group drop-down list.
8. Repeat Step 6 and Step 7 for any other conditions you want. Set the condition logic as necessary.
9. To group conditions according to the logic you need, use parentheses:
   a. Select the parentheses ( ) entry from the drop-down list. The opening and closing parentheses are displayed.
   b. Select the opening parenthesis.
   c. Select the condition type you want to place inside the parentheses and set it as necessary.
   d. Select the opening parenthesis again.
   e. Select another condition type to place inside the parentheses and set it as necessary.
   f. If necessary, change OR to AND.
   g. Repeat Step 9.d through Step 9.f for any other conditions you require inside this set of parentheses. You can also place parentheses within parentheses.
10. Click .
You can remove all the conditions for a rule, or you can remove individual conditions.
To remove conditions:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Use the arrow to display the rules, then select the rule for which you want to remove conditions.
4. Select the currently defined condition in the right pane.
5. To remove all conditions, click in the task pane, then click . The rule condition returns to its initial state.
   To remove individual conditions, click in the task pane, select the condition to remove, then click .
You can configure script arguments and entities for the scripts assigned to a rule before or after assigning the scripts. Only one set of arguments and entities can be defined, and it applies to all scripts assigned to the rule.
To configure script arguments and entities:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the rule for which you want to add script arguments.
4. Click in the task pane.
5. Click .
6. In the field, specify a name for the argument.
7. In the field, specify a value for the argument.
8. When you finish adding arguments, click , or continue with Step 9 to add script entities.
9. Click the arrow under to display the list of available entities, then select the type of entity you want. A drop-down list of entities is displayed in the table.
10. Select the entity you want from the drop-down list.
11. Click .
You can use Perl scripts to provide additional, customized functionality to your rules (see Adding a Script). To assign a script to a rule, use drag and drop as described in the following procedure.
NOTE: If you drag a script that has been set to Conditional, the script is added to the rule conditions.
To assign a script to a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Click the arrow to display the list of rules.
4. Click in the navigation pane.
5. Select the script you want to assign to the rule. To select multiple scripts in the same category, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive range of scripts.
6. Drag the selected scripts to your rule.
7. Configure script arguments and entities for the scripts if necessary. For more information, see Configuring Script Arguments and Entities for a Rule.
To remove a script argument, select the argument, then click .
To remove a script entity, select the icon next to the name of the entity, then click .
To remove a script from a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Use the arrow to display the list of rules, then select the rule from which you want to remove a script.
4. Select the script you want to remove in the right pane. To select multiple scripts, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive range of scripts.
5. Click in the task pane.
6. Click to confirm the removal. The scripts are removed from the rule.
Command Control policies give you additional options to control the execution of commands. For example, you can use a policy to restrict the rights and roles of a command so that it works only for one particular directory, file, network address, or system call.
A Command Control policy is defined by using policy script arguments. A policy script argument specifies the access rights of the application based on path, network, and capability.
To define a policy:
1. Click on the home page of the console.
2. Add the script.
3. Drag the script onto the rule.
4. Open the script arguments for the rule (see Configuring Script Arguments and Entities for a Rule).
5. Create a script argument named policy and add the policy text as its value.
A Path policy is a type of Command Control policy that restricts an application's access to files and directories based on their path.
The syntax of a Path policy is as follows:
path [owner] <path> <capability:capability:!capability>
owner is optional and restricts the entry to files or directories whose ownership matches the current user ID.
path specifies a particular directory based on the path. Replace path with any of the following options:
Table 5-3 Path Options
capability specifies the rights of the application. Capabilities are separated by colons, and the ! symbol denotes a logical not. For example, all:!write grants all the rights except write.
Replace capability with any of the following options:
Table 5-4 Capability Options
You can use wildcards, regular expressions, and strings in the Path policy. The keyword default specifies the default policy. In the following example, the first entry is the default policy, granting all rights with logging, and the second entry applies to everything under /opt/oracle/private/, withdrawing all rights (!all) and setting log=9:
path default all:log
path /opt/oracle/private/** !all:log=9
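A parser and resolver for the Path policy syntax above, added here as illustration (not the product's own implementation). It reads path [owner] <path> <capabilities> lines, treats **, * and ? as wildcards, applies ! as negation, and reports which capabilities a given file path ends up with. Two points the page leaves open are assumptions made for this example and labelled in the code: wildcard scope (** spans directories, * and ? stay within one path component) and precedence (entries apply in file order, so a later, more specific line overrides the default). The third policy line, the read capability name used in the checks (only all, write and log appear on the page; the real names are those in Table 5-4), and the current-user and path-owner arguments are likewise constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy text. The first two lines are the page's own example; the
# third is added here to exercise the optional "owner" keyword.
SAMPLE_POLICY = """
path default all:log
path /opt/oracle/private/** !all:log=9
path owner /home/*/.ssh/** all:!write
"""

Capability = Tuple[str, Optional[str], bool]   # (name, value such as "9", negated by "!")


@dataclass
class PathPolicy:
    pattern: str                  # "default" or a path pattern
    owner_only: bool              # "owner" keyword present
    caps: List[Capability]        # capabilities in the order written
    regex: Optional[re.Pattern]   # compiled pattern; None for "default"


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Assumed wildcard meaning: ** spans directories, * and ? stay within one path component."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
            continue
        ch = pattern[i]
        out += {"*": "[^/]*", "?": "[^/]"}.get(ch, re.escape(ch))
        i += 1
    return re.compile("^" + out + "$")


def parse_policy_line(line: str) -> PathPolicy:
    """Parse one 'path [owner] <path> <capability:capability:!capability>' entry."""
    tokens = line.split()
    if not tokens or tokens[0] != "path":
        raise ValueError(f"not a path policy: {line!r}")
    tokens = tokens[1:]
    owner_only = bool(tokens) and tokens[0] == "owner"
    if owner_only:
        tokens = tokens[1:]
    if len(tokens) != 2:
        raise ValueError(f"expected '<path> <capabilities>': {line!r}")
    pattern, capspec = tokens
    caps: List[Capability] = []
    for item in capspec.split(":"):
        negated = item.startswith("!")
        name, _, value = item.lstrip("!").partition("=")
        if not name:
            raise ValueError(f"empty capability in {line!r}")
        caps.append((name, value or None, negated))
    regex = None if pattern == "default" else _glob_to_regex(pattern)
    return PathPolicy(pattern, owner_only, caps, regex)


def load_policies(text: str) -> List[PathPolicy]:
    return [parse_policy_line(l) for l in text.splitlines() if l.strip()]


@dataclass
class Effective:
    """Capabilities in force for one path after every matching entry has been applied."""
    granted: Set[str] = field(default_factory=set)
    denied: Set[str] = field(default_factory=set)
    values: Dict[str, str] = field(default_factory=dict)   # e.g. {"log": "9"}
    matched: List[str] = field(default_factory=list)        # patterns that applied, in order

    def has(self, cap: str) -> bool:
        if cap in self.denied:
            return False
        return cap in self.granted or "all" in self.granted


def resolve(policies: List[PathPolicy], path: str,
            current_user: Optional[str] = None, path_owner: Optional[str] = None) -> Effective:
    """Assumed precedence: entries apply in file order, so a later, more specific line
    overrides an earlier one. 'owner' entries apply only when the path's owner is the current user."""
    eff = Effective()
    for pol in policies:
        if pol.owner_only and (current_user is None or current_user != path_owner):
            continue
        if pol.regex is not None and not pol.regex.match(path):
            continue
        eff.matched.append(pol.pattern)
        for name, value, negated in pol.caps:
            if negated:
                eff.denied.add(name)
                eff.granted.discard(name)
                if name == "all":              # !all withdraws everything granted so far
                    eff.granted.clear()
            else:
                eff.granted.add(name)
                eff.denied.discard(name)
                if name == "all":              # all re-grants anything previously denied
                    eff.denied.clear()
                if value is not None:
                    eff.values[name] = value
    return eff


if __name__ == "__main__":
    policies = load_policies(SAMPLE_POLICY)
    for p in ("/etc/hosts", "/opt/oracle/private/system01.dbf", "/home/alice/.ssh/id_ed25519"):
        e = resolve(policies, p, current_user="alice", path_owner="alice")
        print(f"{p}: read={e.has('read')} write={e.has('write')} log={e.values.get('log', e.has('log'))} via {e.matched}")
```

Running the block shows the effect of the page's example: /etc/hosts keeps every right with logging, while a file under /opt/oracle/private/ has no rights left but is still logged with log=9. Under the assumed ordering, swapping the two example lines would let the default entry re-grant all rights to the private directory, which is the kind of mistake a check like this is meant to catch before a policy goes live.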
To find a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. To find a rule in the entire list of rules, click in the task pane. To find a rule within a set of rules, select the parent rule, then click .
4. In the field, specify the name of the rule you are looking for, then select . You can use the wildcard characters * and ?. For example, rul* finds the first rule whose name begins with "rul". This field is case sensitive.
5. If the rule you are looking for is displayed, double-click it to return to the navigation pane with the rule selected, or click to return to the navigation pane without a rule selected.
To move a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the rule you want to move. To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive range of rules.
4. Drag the selected rules to the location you want.
You can create a copy of an existing rule in your rule hierarchy, so you can use the same rule in more than one place in the hierarchy, or so you can create a new rule based on your existing rule.
NOTE:If you want to use the same rule in more than one place and you want any changes you make to the rule to be reflected in the other copy or copies, you should link the rule instead. See Linking a Rule for details.
To copy a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the rule you want to copy. To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive range of rules.
4. To create the copy, press the Ctrl key and drag the selected rules to the desired location.
5. (Optional) Use the option to rename or modify the copy.
6. Move the copy to the position that matches the order in which you want your rules processed. See Adding a Rule for details.
If you want a specific rule to be used in different places in your rules hierarchy, you can create a linked rule. Any changes you make to the linked rule are reflected in all the instances of the rule in your hierarchy. If you simply copy the rule, any changes made to the original rule or to one of its copies are not reflected in the other copies.
Changes to sub-rules of a linked rule are not linked. For example if you add or modify a rule under a linked rule, the change is not reflected in other instances of the linked rule.
To link a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the rule you want to link. To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive range of rules.
4. To create the links, press the Ctrl key and the Shift key at the same time, then drag the selected rules to the location you want.
A linked rule is displayed with an arrow.
To delete a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the rule you want to delete. To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive range of rules.
4. Click in the task pane.
5. Click to delete the rule and all of its child rules.
The pseudocode for a rule provides a simplified representation of the actual code that is processed when the rule is activated. For complex rules, this can help you understand what happens in different situations.
To view the pseudocode for a rule:
1. Click on the home page of the console.
2. Click in the navigation pane.
3. Select the rule for which you want to view the pseudocode.
4. Click in the task pane. You can copy the pseudocode by pressing Ctrl+A and then Ctrl+C, and paste it into a document for printing.
5. Click .