Enterprise Administration Guide › Deploying Sample and Best Practice Policies › Sample Policy Scripts

Sample Policy Scripts

Each policy is a selang script that includes comments that explain the policy's purpose and the rules it contains. Sample policy scripts are written to demonstrate best practices:

• Comments

  Sample policies are annotated to help you understand what each section of the sample policy is set to achieve.

• Containers

  Sample policies group related resources into a single container resource. Using this method, a common policy is applied to all the related resources once. Policy rules (ACLs) do not need to be applied to individual resources. For example, a policy can use a container to group all of the system's configuration files.

  Policy containers use the following naming convention: POL_container_name. You can think of these containers as sub-policies. For example, OS sample policies use the POL_SYS_CONF container to protect OS configuration files.

• Roles

  To simplify user management, sample policies apply ACLs to roles. Each role uses a CA ControlMinder group of users that you can add real users to.

  Policy roles use the following convention: ROL_role_name. For example, sample policies use the ROL_SYSTEM group for built-in system users like adm and lp. Many policies assign these users with wide-ranging permissions (for proper system operation) but also expire them so that users cannot use them to log in.

• Variables

  So that you have to apply minimum changes when you deploy them, sample policies make use of CA ControlMinder variables. Sample policies use built-in variables to protect local system resources, for example, a terminal rule for the local host. Sample policies also use user-defined variables to simplify policy changes. For example, a user-defined variable can contain the home directory of the administrative user. If the administrative user uses a different home directory, you only need to change it once for all affected rules to automatically change.

Example: Policy Script Comments

The following snippet from the Solaris SPARC 9 sample policy illustrates how sample policies are annotated. Using selang syntax rules, the lines that begin with a hash symbol (#) are comments.

#
# * Home Directories Protection Policy *
# **************************************
#
# This policy uses the FILE class to protect the home
# directories of sensitive users so that only the owner
# of each directory can access it.
#
# Prerequisites:
#     None
#
# Roles:
#     None
#
# Containers:
#     POL_HOME_DIR      - home directories of sensitive users
#
# define container POL_HOME_DIR
# Protect home directories
editres   CONTAINER POL_HOME_DIR audit(<!POLICY_AUDIT_MODE>) owner(+nobody) comment("AC Sample - Protect home directories")
authorize CONTAINER POL_HOME_DIR uid(* _undefined)   access(NONE)
editres ACVAR ("HOME_OS_ADMIN") value("/root") type(static)
editusr (<!USER_OS_ADMIN>)
# define specific FILE resources and connect them with POL_HOME_DIR
editres FILE ("<!HOME_OS_ADMIN>/*") audit(<!POLICY_AUDIT_MODE>) owner(+nobody) defaccess(NONE) <!POLICY_WARNING_MODE>  comment("AC Sample")
authorize FILE ("<!HOME_OS_ADMIN>/*") uid(<!USER_OS_ADMIN>) access(ALL)
chres CONTAINER POL_HOME_DIR mem+("<!HOME_OS_ADMIN>/*") of_class(FILE)

Example: Containers in Sample Policies

The following selang output shows the properties of the POL_SYS_FILES. An AIX sample policy contains this sub-policy that protects system files.

AC> sr container POL_SYS_FILES
Data for CONTAINER 'POL_SYS_FILES'
------------------------------------------------------------------------
ACLs              :
    Accessor                Access
    ROL_SYSADMIN  (GROUP  ) All
    ROL_SYSTEM    (GROUP  ) All
    *             (USER   ) R, Chdir
    _undefined    (USER   ) R, Chdir
Members           :
    /boot/*       (FILE  )
    /dev/kmem     (FILE  )
    /dev/mem      (FILE  )
    /dev/port     (FILE  )
Audit mode        : Failure
Owner             : +nobody       (USER  )
Create time       : 10-Dec-2008 10:32
Update time       : 10-Dec-2008 10:35
Updated by        : root          (USER  )
Comment           : AC Sample - Protect OS system files

Example: Variables in Sample Policies

The following snippet from the Red Hat Enterprise Linux 5 sample policy illustrates how sample policies use variables. In this snippet, the sample policy defines possible names for the local host and the home directory of the administrative user root.

#
# * AC Variables Definitions *
# ****************************
#
# The rules in this section define variables that policies use.
# Variables:
#     LOCALHOST             : list of possible names for local host
#     POLICY_AUDIT_MODE     : set policies audit mode
#     POLICY_DEFACCESS      : set defaccess of policies` resources
#
editres ACVAR ("LOCALHOST") value("localhost") type(static)
editres ACVAR ("LOCALHOST") value+("127.0.0.1")
editres ACVAR ("LOCALHOST") value+("0.0.0.0")
editres ACVAR ("POLICY_AUDIT_MODE")   value("FAILURE") type(static)
editres ACVAR ("POLICY_DEFACCESS")    value("ALL")     type(static)

More information:

User-Defined Variables

Built-In Variables

Guidelines for Using Variables

How an Endpoint Resolves Variables