遵从性和最佳实践策略脚本

每个策略都是一个 selang 脚本，包括的注释说明了该策略的用途及其包含的规则：

备注
示例策略带有注释以便帮助您了解示例策略各个部分的设置以便逐一实现。
变量
遵从性和最佳实践策略独立于操作系统。但是，资源组会随着系统的变化而有所不同。为了克服该问题，资源表使用变量，而 ACL 在策略中使用变量。当端点连接到企业管理服务器时，它会根据操作系统自动添加到匹配的主机组，策略即被部署到端点。
角色
为了简化用户管理，示例策略将 ACL 应用于角色。每个角色都使用您可以增加实际用户的 CA ControlMinder 用户组。

策略角色使用以下约定：ROL_role_name。例如，示例策略将 ROL_SYSTEM 组用于内置系统用户（如 adm 和 lp）。许多策略为这些用户分配广泛的权限（用于适当的系统操作），但也会让权限到期，这样用户就无法用其进行登录。

示例：遵从性和最佳实践策略注释

来自 PCI_DSS_7.1.1 遵从性策略的以下片段展示了遵从性和最佳实践策略的注释方式。使用 selang 语法规则并以哈希符号 (#) 开头的行是注释。

#
# * 2. Protect <!USER_OS_ADMIN> Logon and Access Control Administration *
# ***********************************************************************
#
# This section uses the TERMINAL class to restrict administrator users from
# logging in directly (read access). Access Control administration is blocked as
# well (write access).
#
# To separate security administration from system administration, the policy
# sets READ access only to these special terminals.
#
editres   TERMINAL ("<!HOSTNAME>") audit(ALL) warning
authorize TERMINAL ("<!HOSTNAME>") uid("<!USER_OS_ADMIN>") deniedaccess(READ)
# The following line is commented because the warning mode in UNIX is not
# applicable for write access to class TERMINAL.
#authorize TERMINAL ("<!HOSTNAME>") uid("<!USER_OS_ADMIN>") deniedaccess(WRITE)

示例：遵从性和最佳实践策略角色

来自 PCI_DSS_7.1.1 遵从性策略的以下片段展示了策略将 ACL 应用于角色的方式。

#
# * 1. Role Definitions *
# ***********************
#
# The rules in this section define the roles that the policy uses.
# 
#  * Define built-in OS users with the logical property. This prevents users
#    from logging in to the system.
#  * Create the user +nobody in CA Access Control only. CA Access Control
#    sets this user as the owner of many resources (to disable ownership
#    bypass). You cannot create this user in the native OS.
#  * Create at least one user in ROL_AC_ADMIN. Without this user you cannot
#    login into CA Access Control.
#    Note: By default, the rules add the superuser account to ROL_AC_ADMIN.
#          We recommend that you remove this user and add security
#          administrators to this group. 
# Roles:
#     ROL_SYSTEM        : built-in OS users
#     ROL_SYSADMIN      : system administrators
#     ROL_RESTRICTED    : restricted users with permissions for specific tasks
#     ROL_AC_ADMIN      : CA Access Control administrators
#     ROL_AC_AUDITOR    : CA Access Control auditors
#     ROL_AC_OPERATOR   : CA Access Control operators
#     ROL_AC_SERVICE    : CA Access Control service managers
#     ROL_AC_PWMANAGER  : CA Access Control password managers
#

editgrp (ROL_SYSTEM ROL_SYSADMIN ROL_RESTRICTED ROL_AC_ADMIN ROL_AC_AUDITOR ROL_AC_OPERATOR ROL_AC_SERVICE ROL_AC_PWMANAGER)
chgrp (ROL_SYSADMIN ROL_AC_ADMIN) audit(LOGINSUCCESS LOGINFAILURE FAILURE)
editusr (+nobody) comment("AC OOTB - Resource owner used for disabling ownership bypass")
chusr (+nobody) owner(+nobody)
join ("<!USER_OS_ADMIN>") group(ROL_SYSTEM)
join ("<!USER_OS_ADMIN>") group(ROL_AC_ADMIN)