5.9 Scripts

You can use Perl scripts to provide additional, customized functionality to your rules. You can also use scripts in rule conditions. Privileged User Manager contains the embedded Perl interpreter version 5.8.9. You can use any of the core Perl modules for your script. Installing CPAN Perl modules into the embedded Perl interpreter is not recommended. If you create a script, be aware that any time-consuming tasks within the script affect response times.

5.9.1 Adding a Script

You can add your own custom attributes for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in your scripts. See Defining Custom Attributes for details.

To add a new script:

  1. Click Command Control on the home page of the console.

  2. Click Scripts in the navigation pane.

  3. To add a script at the top level, click Add Script in the task pane. To add a script to a category, select the category and click Add Script in the task pane.

  4. Specify a name for the script.

  5. Click Finish.

  6. To configure the script, continue with Section 5.9.2, Modifying a Script.

5.9.2 Modifying a Script

  1. Click Command Control on the home page of the console.

  2. Click Scripts in the navigation pane.

  3. Select the script you want to modify.

  4. Click Modify Script in the task pane.

  5. Configure the following fields:

    Name: Specify a different name for the script.

    Conditional script: Select the check box to set the script to be conditional. Scripts defined as conditional can be used in rule conditions. The return codes are limited to 1 for true and 0 for false.

    Disabled: Select the check box to disable the script. A disabled script is dimmed.

    Description: Describe the purpose of the script.

    Script: Specify the text of your script in the text box by typing it or by pasting it from elsewhere. The possible return codes you can use in your script for processing by the Command Control software are shown below this field.

    For some sample scripts, see Section 5.9.6, Sample Scripts.

  6. Click Finish.

    You can now assign your script to a rule, or you can specify it in rule conditions if you have set the script to be conditional.

5.9.3 Copying a Script

  1. Click Command Control on the home page of the console.

  2. Click Scripts in the navigation pane.

  3. Select the script you want to copy.

    To select multiple scripts in the same category, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.

  4. To create the copy, press the Ctrl key and drag the selected script to the desired location.

  5. If necessary, use the Modify Script option to rename or modify the copy. For details, see Modifying a Script.

5.9.4 Moving a Script

  1. Click Command Control on the home page of the console.

  2. Click Scripts in the navigation pane.

  3. Select the script you want to move.

    To select multiple scripts in the same category, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.

  4. Drag the selected script to the desired location.

5.9.5 Deleting a Script

  1. Click Command Control on the home page of the console.

  2. Click Scripts in the navigation pane.

  3. Select the script you want to delete.

    To select multiple scripts in the same category, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.

  4. Click Delete Script in the task pane. The selected scripts are listed.

  5. Click Finish.

5.9.6 Sample Scripts

Privileged User Manager ships with the following sample scripts that you can import and use:

  • Display message scripts

  • Password validation scripts

  • Alternate validation scripts

  • Email scripts

  • Modify environment script

  • Emulate su script

  • Secure vi script

Before creating your own Perl script, check the sample scripts to see whether one meets your needs or can be modified to meet them. To understand what is available, see the sample scripts in the following sections.

To import a sample script, click Command Control > Import Samples > Sample Perl Script.

Modify Environment Script

This script is used to process environment variables. It has a number of script arguments that can add, delete, clear, and keep environment variables.

Argument: Description

    clearenv=1: Clears all environment variables (unless specifically kept using keepenv).

    keepenv=VAR: Specifically keeps environment variables. As soon as this is set, all other environment variables are deleted.

    setenv=VAR=val: Sets up a specific environment variable.

    unsetenv=VAR: Deletes a specific environment variable.

    defaultenv=#: Sets the default environment:

        0: Sets up no default environment variables.

        1: Sets up all default environment variables.

        2: Sets up default environment variables that do not already exist in the environment.

Sample Environment Script

my $e=$meta->child("Environment");
return(1) if(! $e);
 
my $n=$e->node_args();
my %env=();
 
while($n) {
    # Split at the first "=" so a value that itself contains "=" is kept whole.
    $env{$1}=$2 if($n->key() ne "items" && $n->value() =~ /^([^=]*)=(.*)$/);
    $n=$n->next();
}
 
my %keepenv=();
my $clearenv=0;
 
for(my $a=$args->node_args();$a;$a=$a->next()) {
    if($a->key() eq "clearenv" && $a->value() > 0) {
        $clearenv=1;
    } elsif($a->key() eq "keepenv" && $a->value() ne "") {
        $keepenv{$a->value()}=1;
    } elsif($a->key() eq "defaultenv" && $a->value >= 0) {
        $meta->child("Job")->arg_int("job_default_env",$a->value());
    }        
}    
 
if(scalar %keepenv || $clearenv) {
    while(my ($key,$val) = each %env) {
        delete $env{$key} if(! $keepenv{$key});
    }        
}
        
for(my $a=$args->node_args();$a;$a=$a->next()) {
    if($a->key() eq "unsetenv" && $a->value() ne "") {
        delete $env{$a->value()};
    } elsif($a->key() eq "setenv" && $a->value() =~ /^([^=]+?)\s*=\s*(.*)$/) {
        # The name ends at the first "="; whitespace around "=" is not part of it.
        $env{$1}=$2;
    }
}
 
$meta->del($e);
$e=$meta->add_node("Environment");
 
my $items=0;
 
while(my ($key,$val) = each(%env)) {
    $e->arg("arg-$items","$key=$val");
    $items++;
}    
 
$e->arg_int("items","$items");
 
return(1);
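
The argument semantics described above, modelled on plain Perl hashes as an added example (not a shipped sample script and not product code): keepenv/clearenv prune first, then unsetenv/setenv apply, and each NAME=value pair is split at the first "=". The helper names parse_pair and apply_env_args, the [key, value] argument list, and the sample data are assumptions made for this illustration; the Command Control $meta and $args objects are not used, and defaultenv is not modelled.

```perl
use strict;
use warnings;

# Split "NAME=value" at the FIRST "=" so a value may itself contain "=".
# A greedy pattern such as /^(.*)=(.*)$/ would split at the LAST "=" instead.
sub parse_pair {
    my ($s) = @_;
    return $s =~ /^\s*([^=\s]+)\s*=\s*(.*)$/ ? ($1, $2) : ();
}

# $env:  hash ref of the submitted environment (NAME => value)
# $args: array ref of [key, value] script arguments (hypothetical layout)
sub apply_env_args {
    my ($env, $args) = @_;
    my %out = %$env;
    my (%keep, $clear);

    # Pass 1: collect clearenv/keepenv, then prune everything not kept.
    for my $arg (@$args) {
        my ($k, $v) = @$arg;
        $clear = 1    if $k eq 'clearenv' && $v > 0;
        $keep{$v} = 1 if $k eq 'keepenv'  && $v ne '';
    }
    delete @out{ grep { !$keep{$_} } keys %out } if %keep || $clear;

    # Pass 2: unsetenv/setenv run after pruning, so a setenv value survives.
    for my $arg (@$args) {
        my ($k, $v) = @$arg;
        if ($k eq 'unsetenv' && $v ne '') {
            delete $out{$v};
        } elsif ($k eq 'setenv') {
            my ($name, $val) = parse_pair($v) or next;
            $out{$name} = $val;
        }
    }
    return \%out;
}

# Constructed sample input, not taken from a real session.
my %submitted = (PATH => '/tmp/bin:/usr/bin', TERM => 'xterm',
                 LD_PRELOAD => '/tmp/a=b.so');
my @rule_args = ([keepenv => 'TERM'],
                 [setenv  => 'PATH=/usr/bin:/bin'],
                 [setenv  => 'JAVA_OPTS = -Dmode=safe']);
my $result = apply_env_args(\%submitted, \@rule_args);
print "$_=$result->{$_}\n" for sort keys %$result;
```

Running it with any core Perl interpreter outside the product shows how a planned combination of arguments resolves before the script is assigned to a rule.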

pcksh Illegal Commands Script

When using the pcksh shell, Command Control has the ability to restrict the commands being run (even as root). This sample script is named illegalcmd, and it restricts the use of the passwd command.

This script does not restrict a user that initiates another shell from within a session. When a user does this, Command Control cannot continue a full audit or control the illegal commands, although the session is still captured.

# To set the script argument: name=illegalcmd value= kill *
my $t=$meta->get_params('Ticket');
if(! $t) {
    $t=$meta->add_param('Ticket');
}

my $i=$t->get_params('IllegalCmds');
if(! $i) {
    $i=$t->add_param('IllegalCmds');
}

my @illegal = $args->arg_values('illegalcmd');

#my @illegal=("echo","ls -l","passwd","/usr/bin/ls -l","ksh","echo date");
foreach my $b (@illegal) {
    my $c=$i->add_param('Command');
    $c->arg("cmd",$b);
}
return 1;