Command Control policies give you additional options to control the execution of commands. For example, you can use a policy to restrict the rights and roles of a command so that the command works only for one particular directory, file, network address, or system call.
Prerequisite

To use Enhanced Access Control, you must install the 32-bit glibc library on 64-bit RHEL agents and managers.
A command control policy is defined by using the policy script arguments. A policy script argument specifies the access rights of the applications based on the path, network, and capability.
1. On the home page of the console, click Command Control.
2. From the Command Control Sample Scripts, add the Enhanced Access Control Policy script.
3. Drag and drop the Enhanced Access Control Policy script from Scripts to Authorizing Rule.
4. Click the Authorizing Rule and open the Script Arguments.
5. Create a script argument named policy and enter the policy in the Value field.
A Path policy is a type of command control policy that restricts an application from accessing a specific directory based on the path.
The syntax of a Path policy is as follows:
```
path [owner] <path> <capability:capability:!capability>
```
owner specifies the file or directory ownership that should match with the current user ID.
path specifies a particular directory based on the path. Replace path with any of the following options:
Table 15-1 Path Options

| Option | Description |
|---|---|
| /dir/file | Specifies the file that the application can access in the /dir/ directory. |
| /dir/ | Specifies the directory that the application can access. |
| /dir/f* | Specifies a file that begins with f in the /dir/ directory that the application can access. |
| /dir/* | Specifies that the application can access all the files in the /dir/ directory. |
| /dir/** | Specifies that the application can access all the files and the subdirectories within the /dir/ directory. |
| /dir/**/ | Specifies that the application can access all subdirectories that are recursively searched for in the /dir/ directory. |
| /dir/**/* | Specifies that the application can access all the files that are recursively searched for in any subdirectory within the /dir/ directory. |
capability specifies the rights of the application. You can use the ! symbol in the syntax to denote a logical not. For example, all:!write grants all the rights except the write role.
Replace capability with any of the following options:
Table 15-2 Capability Options

| Option | Description |
|---|---|
| privperms | Enables the application with the read, write, and ownership permissions for the specified directory or file. The privperms command limits two areas of functionality: |
| perms | Enables the application to assign the permissions of a specified directory or file. |
| read | Enables the application to assign the read permission for a specified directory or file. |
| write | Gives the application the create and write permissions for the specified directory or file. |
| unlink | Gives the application the deletion rights for the specified directory or file. |
| mknod | Enables the application to create system files in the specified directory. |
| exec | Enables the application to execute the shared files and files for which the application does not have read and write permission. |
| unsafe | Enables the application to execute any file that does not inherit the policy. |
| link | Enables the application to create a symbolic link or hard link to another file. |
| log[=<0-9>] | Enables the application to audit system calls, with an optional risk value of 0-9. |
| all | Enables the application to have all permissions. |
You can use wildcards, regular expressions, and strings in the Path policy. For example, the word default in the first line of the following example specifies the default policy:

```
path default all:log
path /opt/oracle/private/** !all:log=9
```
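As an added illustration (not the product's own policy engine, whose rule precedence is not documented on this page), the following Python evaluator parses path rules in the documented syntax, applies the Table 15-1 wildcard semantics and the left-to-right capability list with `!` negation, and resolves a file path to its granted capabilities and log level. The first-match-wins ordering, the fallback to the default rule, and the convention that a trailing slash marks a directory are assumptions of this model.

```python
import re

# Permission capabilities from Table 15-2; "log" is an audit setting and is tracked separately.
PERMISSION_CAPS = {"privperms", "perms", "read", "write", "unlink", "mknod", "exec", "unsafe", "link"}

def glob_to_regex(pattern):
    """Table 15-1 option -> anchored regex: '**' crosses '/', '*' stays in one component."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_capabilities(spec):
    """Evaluate 'cap:cap:!cap' left to right; returns (granted set, log level or None)."""
    granted, log = set(), None
    for token in spec.split(":"):
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name.startswith("log"):  # log or log=<0-9>
            log = None if negate else (int(name.split("=")[1]) if "=" in name else 0)
            continue
        names = PERMISSION_CAPS if name == "all" else {name}
        granted = granted - names if negate else granted | names
    return granted, log

def parse_policy(text):
    """Parse 'path [owner] <path> <capabilities>' lines; 'owner' is accepted but not modelled here."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "path":
            target, spec = parts[-2], parts[-1]
            caps, log = parse_capabilities(spec)
            rules.append((None if target == "default" else glob_to_regex(target), caps, log))
    return rules

def effective_rights(rules, path):
    """First matching non-default rule wins, else the default rule (model assumption)."""
    default = (set(), None)
    for regex, caps, log in rules:
        if regex is None:
            default = (caps, log)
        elif regex.match(path):
            return caps, log
    return default
```

For the two-line policy above, `effective_rights(parse_policy(policy_text), "/opt/oracle/private/wallet.p12")` yields no capabilities and log level 9, while a path outside that tree falls back to the default rule with all capabilities and log level 0.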
When administering an EAC policy, do not restrict the listed permissions on the following paths:

| Read / Write Permission | Read Permission |
|---|---|
| /tmp/ | /etc/resolv.conf |
| /dev/zero | /etc/hosts |
| /dev/null | /etc/passwd |
| /dev/tty | /etc/groups |
| /devices/** | /dev/random |
| /proc/<pid>/** | /dev/urandom |
| /tmp/** | /etc/utmp |
| /var/tmp/** | /etc/utmpx |
| | /usr/share/** |
| | /usr/lib/** |
| | /lib/** |
| | /usr/lib64/** |
| | /lib64/** |
NOTE: On Solaris 9, /sbin/sh is a static binary and therefore cannot enforce EAC.