Symantec Privileged Access Management

  • 1.  Restrict all commands and allow on specific directory

    Posted Apr 10, 2015 12:26 AM

    Dear Folks,

    I would like to know if there is any way in ControlMinder to
    make a user execute the “rm” command only on a specific directory?

    The user should only be able to execute the rm command on the
    /tmp directory, and if the rm command is executed anywhere else it should be denied.

    I can restrict the user from running the “rm” command completely by
    creating a program rule, but I am not sure whether it can be allowed to execute only
    for a specific directory.



  • 2.  Re: Restrict all commands and allow on specific directory
    Best Answer

    Posted Apr 10, 2015 06:36 AM

    Hi Binish,

    Good Day!!

    Here is one way in which you can achieve it.

    Define a PROGRAM rule for sesudo => newres program /opt/CA/AccessControl/bin/sesudo defacc(none)

    Define an AUTH for SESUDO => authorize program /opt/CA/AccessControl/bin/sesudo uid(test_user) access(a)

    Define a FILE rule for "rm" => nr FILE /bin/rm owner(nobody) defaccess(None) audit(a)

    Define a SUDO => nr SUDO rm data(rm;;/tmp/*) audit(a)

    Define an AUTH for SUDO => auth SUDO rm UID(test_user) access(a)

    Define an AUTH for FILE /bin/rm => auth FILE /bin/rm uid(test_user) via(pgm(/opt/CA/AccessControl/bin/sesudo)) access(a)

    This will allow the user "test_user" to delete files in /tmp only.

    To delete a file:

    /opt/CA/AccessControl/bin/sesudo rm /tmp/FILENAME

    Thank You

    --

    Vinay Reddy

     

    musmo02

    hargo01
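The SUDO record above uses the form data(command;prohibited-parameters;permitted-parameters). The following Python is an added illustration, not ControlMinder code and not part of Vinay's answer: it models the intent of `data(rm;;/tmp/*)` so you can see which invocations the rule is meant to allow before deploying it. The parser, the `*` glob matching and the path normalisation are assumptions of this model; the product's own matcher may behave differently, so verify on a test host.

```python
"""Simplified model of the SUDO data() rule from the answer above.

Added illustration only (not ControlMinder's code). It models
`nr SUDO rm data(rm;;/tmp/*)` as: command = rm, no prohibited
parameters, every parameter must match the permitted glob /tmp/*.
"""
import fnmatch
import posixpath  # POSIX path semantics regardless of host OS

# Constructed rule text, copied from the answer's SUDO record.
SUDO_RULE = "rm;;/tmp/*"


def parse_sudo_data(data: str):
    """Split 'command;prohibited;permitted' into (command, tuple, tuple).

    Assumption of this model: parameter lists are whitespace separated,
    so 'rm;;/tmp/*' yields ('rm', (), ('/tmp/*',)).
    """
    parts = data.split(";")
    if len(parts) != 3:
        raise ValueError("expected command;prohibited;permitted")
    command, prohibited, permitted = parts
    return command, tuple(prohibited.split()), tuple(permitted.split())


def is_permitted(data: str, argv) -> bool:
    """Return True if argv would be allowed under the modelled rule.

    argv[0] must equal the command; each remaining argument must avoid
    every prohibited pattern and match at least one permitted pattern.
    Absolute paths are normalised first, so the decision is made on the
    resolved path rather than on the literal text the user typed.
    """
    command, prohibited, permitted = parse_sudo_data(data)
    if not argv or argv[0] != command:
        return False
    for arg in argv[1:]:
        target = posixpath.normpath(arg) if arg.startswith("/") else arg
        if any(fnmatch.fnmatchcase(target, p) for p in prohibited):
            return False
        if permitted and not any(fnmatch.fnmatchcase(target, p) for p in permitted):
            return False
    return True


if __name__ == "__main__":
    for argv in (["rm", "/tmp/FILENAME"], ["rm", "/etc/hosts"]):
        print(" ".join(argv), "->", "allow" if is_permitted(SUDO_RULE, argv) else "deny")
```

Use it as a pre-deployment checklist: each invocation the model denies should also be denied (and audited, per the audit(a) attribute) when tried through sesudo on the real host.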



  • 3.  Re: Restrict all commands and allow on specific directory

    Posted Apr 10, 2015 10:34 AM

    Thanks a lot Vinay for your help.