5.6 Rules

Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run, by setting rule conditions based on different criteria:

See Setting Conditions for a Rule for details.

If a rule’s conditions are met, there are a number of options you can set to determine how the rule processes the command. You can configure a rule to:

You can also:

See Modifying a Rule for details.

You can also create and assign Perl scripts to the rule to provide additional functionality. See Adding a Script and Assigning a Script to a Rule for details.

NOTE: If the user who runs an authorized command (run user) is different from the user who submitted the command (submit user), the submit user’s environment variables are used for the run user by default. To use the environment variables associated with the run user instead, add a script containing the following text to your rule:

# Use the run user's environment variables instead of the submit user's.
$meta->get_params("Job")->arg("job_default_env",0);
return 1;

5.6.1 Adding a Rule

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. To add a rule at the top level, click Add Rule in the task pane. To add a rule as a child of another rule, select the rule and click Add Rule in the task pane.

  4. Specify a name for the rule.

  5. Click Finish. The new rule is added.

  6. To configure the rule, select the rule, then click Modify Rule in the task pane.

    For configuration information, see Section 5.6.2, Modifying a Rule.

  7. Move the rule to the correct position according to the order in which you want to process your rules.

    When a user issues a command under Command Control, the following rule processing takes place:

    • The conditions set for the first rule in the hierarchy are checked.

    • If there is a match, the rule is processed. Depending on how the rule is configured, processing of additional rules takes place or stops. If rule processing is not stopped, the next rule for which conditions are checked is the child of this rule. Rule checking and processing continues until it is stopped by a rule, or until all appropriate rules have been processed.

    • If there is no match, the conditions for the next rule at the same hierarchical level as the first rule are checked, and this continues until a match is found. Rule processing then takes place as described above.

    You can change the default order of rule processing on the Modify Rule screen, or by using scripts. See Modifying a Script.

5.6.2 Modifying a Rule

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Select the rule you want to modify.

  4. Click Modify Rule in the task pane.

  5. Make the changes you want:

    Name: Change the name of the rule.

    Disabled: To disable the rule, select the Disabled box. A disabled rule is dimmed.

    Description: Specify a description of the rule.

    User Message: Specify a user message to be displayed to the user when this rule is processed, before any commands are run.

    Session Capture: Select either On or Off. Setting Session Capture to On allows the Audit Manager to perform keystroke logging for the rule. To view a captured session from a Command Control report, an Auditing Manager and the Reporting Console must be installed.

    Authorize: Select either Yes or No, depending on whether you want the command protected by the rule to be authorized or not authorized if the rule conditions are met.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Run User: Define a run user by selecting the name of the user you want to run this command (this overrides any username defined through a set command).

    Credentials: From the drop-down list, select the required account domain. The Run User is automatically populated with the domain user provided in the account domain.

    Run Host: Define a run host by selecting the name of the host on which you want to run this command (this overrides any hostname defined through a set command).

    Risk Level: Set a Risk Level of 0 to 99. This option allows you to set a value representing the relative risk of a rule when using the pcksh or cpcksh clients with the session auditing option (see Section 5.2, Integrating Command Control into User Environments). When viewing a Command Control Keystroke Report, you see commands controlled by rules with different risk values represented in different colors.

    Audit Group: Define an Audit Group. This setting is for use in Compliance Auditor reports.

  6. Click Finish. The settings you have defined for the rule are displayed in the console.
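The processing order described in step 7 of Section 5.6.1 and the "what happens next" options above decide which rule has the final say, so a model of the walk helps when reviewing where a deny rule sits relative to a broad allow rule. The following Python model is an added example, not product code. It assumes that the result is the Authorize value of the last rule processed, that a command is not authorized when no rule matches, that a matching rule's children are checked before its next sibling, and that Return skips the rule's own children; the rule names, users and commands are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]   # stands in for the rule's conditions
    authorize: bool                   # the Authorize setting (Yes/No)
    then: str = ""                    # "", "stop", "return", "stop_if_authorized", "stop_if_unauthorized"
    children: List["Rule"] = field(default_factory=list)

def _walk(rules, req, state):
    """Check sibling rules in order; return True once processing must stop."""
    for rule in rules:
        if not rule.matches(req):
            continue                  # no match: check the next rule at this level
        state["authorized"] = rule.authorize
        state["trace"].append(rule.name)
        if rule.then == "stop":
            return True
        if rule.then == "stop_if_authorized" and rule.authorize:
            return True
        if rule.then == "stop_if_unauthorized" and not rule.authorize:
            return True
        if rule.then == "return":
            return False              # leave this level; the caller resumes one level up
        if _walk(rule.children, req, state):
            return True               # a child rule stopped processing
    return False

def evaluate(rules, req):
    """Return (authorized, names of rules processed). Default deny is an assumption."""
    state = {"authorized": False, "trace": []}
    _walk(rules, req, state)
    return state["authorized"], state["trace"]

# Constructed sample policy and request (hypothetical names and commands).
is_admin = lambda r: r["submit_user"] in {"alice", "bob"}
allow_admins = Rule("allow-admins", is_admin, True, "stop")
deny_passwd = Rule("deny-passwd", lambda r: r["command"].startswith("passwd"), False, "stop")
request = {"submit_user": "alice", "command": "passwd root"}

def shadowed_order():   # broad allow rule first: the deny rule is never checked
    return evaluate([allow_admins, deny_passwd], request)

def corrected_order():  # deny rule first: it matches and stops processing
    return evaluate([deny_passwd, allow_admins], request)

def nested_order():     # deny rule as a child of an allow rule that does not stop
    parent = Rule("allow-admins", is_admin, True, "", [deny_passwd])
    return evaluate([parent], request)
```

The trace returned with each decision lists the rules that were processed, which shows whether a restrictive rule was reached at all.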

5.6.3 Setting Conditions for a Rule

You can set a number of conditions for a rule to determine whether the rule is processed or not. For example, you can set a particular command as a condition, and only process the rule if a user enters that command.

There are two ways of setting conditions for a rule:

  • Dragging an entity onto the rule.

  • Using the Edit Condition option, as described in the steps below.

NOTE: When you drag an entity onto a rule, you might need to edit the condition to ensure that the condition logic is what you want. If you want to use a script in rule conditions, you must set it to Conditional first (see Modifying a Script).

To set conditions by using the Edit Condition option:

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Select the rule for which you want to set conditions.

  4. Select the currently defined condition in the right pane. If you have not yet defined a condition, this is Match All.

  5. Select Edit Condition in the task pane.

  6. In the Add Condition drop-down list, select the type of condition you want. The condition is displayed on the screen.

  7. Set the condition to the value and logic you want. For example, if you set a condition to match a run user to a user group:

    a. Change user (submit user) to run user.

    b. Leave the logic setting as IN.

    c. Select the user group you require from the user group drop-down list.

  8. Repeat Step 6 and Step 7 for any other conditions you want. Set the condition logic as necessary.

    You can use parentheses to group conditions according to the necessary logic by selecting the parentheses ( ) entry from the Add Condition drop-down list. The opening and closing parentheses are displayed.

    a. Select the opening parenthesis.

    b. Select the condition type you want to place inside the parentheses and set it as necessary.

    c. Select the opening parenthesis again.

    d. Select another condition type to place inside the parentheses and set it as necessary.

    e. If necessary, change OR to AND.

    f. Repeat Step 8.d through Step 8.f for any other conditions you require inside this set of parentheses. You can also place parentheses within parentheses.

  9. Click Finish.

5.6.4 Removing Conditions for a Rule

You can remove all the conditions for a rule, or you can remove individual conditions.

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Use the arrow to display the rules and select the rule for which you want to remove conditions.

  4. Select the currently defined condition in the right pane.

  5. To remove all conditions, click Remove Conditions in the task pane, then click Yes.

    The rule condition is returned to Match All.

  6. To remove individual conditions, click Edit Condition in the task pane, select the condition to remove, then click Finish.

5.6.5 Configuring Script Arguments and Entities for a Rule

You can configure script arguments and entities for the scripts assigned to a rule before or after assigning the scripts. You can define only one set of arguments and entities, which applies to all scripts assigned to a rule.

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Select the rule for which you want to add script arguments.

  4. Click Script Arguments in the task pane.

  5. Click Add.

  6. In the Name field, specify a name for the argument.

  7. In the Value field, specify a value for the argument.

  8. To add more arguments, repeat Step 5 through Step 7.

  9. When you finish adding arguments, click Finish, or continue with Step 10 to add script entities.

  10. Click the arrow under Add Script Entity to display the list of available entities, then select the type of entity you want.

    A drop-down list of entities is displayed in the Script Entities table.

  11. Select the entity you want from the drop-down list.

  12. To add more entities, repeat Step 10 and Step 11.

  13. Click Finish.

5.6.6 Assigning a Script to a Rule

You can use Perl scripts to provide additional, customized functionality to your rules (see Adding a Script). To assign a script to a rule, use drag and drop as described in the following procedure.

NOTE: If you drag a script that has been set to Conditional, the script is added to the rule conditions.

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Click the arrow to display the list of rules.

  4. Click Scripts in the navigation pane.

  5. Select the script you want to assign to the rule.

    To select multiple scripts in the same category, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.

  6. Drag the selected scripts to your rule.

  7. Configure script arguments and entities for the scripts if necessary. For more information, see Configuring Script Arguments and Entities for a Rule.

5.6.7 Removing Script Arguments and Entities

  1. To remove a script argument, select the argument, then click Remove.

  2. To remove a script entity, select the icon next to the name of the entity, then click Remove.

5.6.8 Removing a Script from a Rule

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Use the arrow to display the list of rules, then select the rule from which you want to remove a script.

  4. Select the script you want to remove in the right pane.

    To select multiple scripts, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.

  5. Click Remove Script in the task pane.

  6. Click Yes to confirm the removal. The scripts are removed from the rule.

5.6.9 Finding a Rule

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. To find a rule from the entire list of rules, click Find Rule in the task pane.

    or

    To find a rule in a set of rules, select the parent rule, then click Find Rule.

  4. In the Rule Filter field, specify the name of the rule you are looking for, then select Find.

    You can use wildcard characters * and ?. For example, rul* finds the first rule beginning with “rul”. This field is case sensitive.

  5. If the rule name you are looking for is displayed, double-click it to return to the navigation pane with the rule selected, or click Close to return to the navigation pane without a rule selected.

5.6.10 Moving a Rule

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Select the rule you want to move.

    To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive list of rules.

  4. Drag the selected rule to the location you want.

5.6.11 Copying a Rule

You can create a copy of an existing rule in your rule hierarchy, so you can use the same rule in more than one place in the hierarchy, or so you can create a new rule based on your existing rule.

NOTE: If you want to use the same rule in more than one place and you want any changes you make to the rule to be reflected in the other copy or copies, you should link the rule instead. See Linking a Rule for details.

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Select the rule you want to copy.

    To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive list of rules.

  4. To create the copy, press the Ctrl key and drag the selected rule to the desired location.

  5. (Optional) Use the Modify Rule option to rename or modify the copy.

  6. Move the rule to the correct position according to the order in which you want to process your rules. See Adding a Rule for details.

5.6.12 Linking a Rule

If you want a specific rule to be used in different places in your rules hierarchy, you can create a linked rule. Any changes you make to the linked rule are reflected in all the instances of the rule in your hierarchy. If you simply copy the rule, any changes made to the original rule or to one of its copies are not reflected in the other copies.

Changes to sub-rules of a linked rule are not linked. For example, if you add or modify a rule under a linked rule, the change is not reflected in other instances of the linked rule.

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Select the rule you want to link.

    To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive list of rules.

  4. To create the links, press the Ctrl key and the Shift key at the same time, then drag the selected rule to the location you want.

    A linked rule is displayed with an arrow.

5.6.13 Deleting a Rule

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Select the rule you want to delete.

    To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive list of rules.

  4. Click Delete Rules in the task pane.

  5. Click Finish to delete the rule and all rule children.

5.6.14 Viewing Pseudocode

The pseudocode for a rule provides a simplified representation of the actual code that is processed when the rule is activated. For complex rules, this can assist you with understanding what happens in different situations.

To view the pseudocode for a rule:

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Select the rule for which you want to view the pseudocode.

  4. Click Pseudocode in the task pane.

    You can copy the pseudocode by using Ctrl+A or Ctrl+C, then paste it into a document for printing.

  5. Click Close.