Use Cases for Access Policies in EPM Linux


Case 1: policy allows only "user" to execute the "top" command

  1. In Segura, hover over the Product Menu in the navigation bar and select EPM.
  2. In the sidebar menu, select Policies > Linux > Policies.
  3. Click Add to be directed to the policy selection screen.
  4. On the Segregation screen, select the policy type, in this case, General.
  5. In the Access Policy Registration form, on the Main tab, fill in the fields:
    • Policy name: choose a name that is easily identifiable.
    • Active: if the Yes option is selected, the policy is considered on target devices.
    • Directive: select the Execute binary option.
    • Verifier: fill in with path="/usr/bin/top".
    • Enable auditing?: mark as Yes if you want to audit the execution of registered rules.
    • Include general denial rule?: check this option so that no user on the Linux workstation can execute anything not allowed by the access policy.
    • Allow or block: set to Allow.
    • Rule text: fill in with task.uid="user".
  6. Click Add.
  7. Click Save.

Case 2: the "ls" command can only be executed through sudo

  1. In Segura, hover over the Product Menu in the navigation bar and select EPM.
  2. In the sidebar menu, select Policies > Linux > Policies.
  3. Click Add to be directed to the policy selection screen.
  4. On the Segregation screen, select the policy type, in this case, General.
  5. In the Access Policy Registration form, on the Main tab, fill in the fields:
    • Policy name: choose a name that is easily identifiable.
    • Active: if the Yes option is selected, the policy is considered on target devices.
    • Directive: select the Execute binary option.
    • Verifier (path or executor): fill in with exec="/usr/bin/ls".
    • Enable auditing?: mark as Yes if you want to audit the execution of registered rules.
    • Include general denial rule?: check this option so that no user on the Linux workstation can execute anything not allowed by the access policy.
    • Allow or block: set to Allow.
    • Rule text: add the executor binary, task.exe="/usr/bin/sudo".
  6. Click Add.
  7. Click Save.

Case 3: prevent user "john" from executing the "df" command and allow all other users in the same group

This policy will allow any user, except user john in the group, to execute the df command to view information about available space on system partitions.

  1. In Segura, hover over the Product Menu in the navigation bar and select EPM.
  2. In the sidebar menu, select Policies > Linux > Policies.
  3. Click Add to be directed to the policy selection screen.
  4. On the Segregation screen, select the policy type, in this case, General.
  5. In the Access Policy Registration form, on the Main tab, fill in the fields:
    • Policy name: choose a name that is easily identifiable.
    • Active: if the Yes option is selected, the policy is considered on target devices.
    • Directive: select the Execute binary option.
    • Verifier (path or executor): fill in with path="/usr/bin/df".
    • Enable auditing?: mark as Yes if you want to audit the execution of registered rules.
    • Include general denial rule?: leave this option unchecked to ensure that all users on the Linux workstation have permission to execute everything, except those blocked by the rule.
    • Allow or block: set to Block.
    • Rule text: fill in with task.uid="john".
  6. Click Add, then fill in the second rule:
    • Allow or block: set to Allow.
    • Rule text: fill in with task.gid="group".
  7. Click Add.
  8. Click Save.

Case 4: prevent user "john" from reading the file and allow all other users in the same group

This policy will allow any user in the group, except user john, who is part of the same group, to read the file.

  1. In Segura, hover over the Product Menu in the navigation bar and select EPM.
  2. In the sidebar menu, select Policies > Linux > Policies.
  3. Click Add to be directed to the policy selection screen.
  4. On the Segregation screen, select the policy type, in this case, General.
  5. In the Access Policy Registration form, on the Main tab, fill in the fields:
    • Policy name: choose a name that is easily identifiable.
    • Active: if the Yes option is selected, the policy is considered on target devices.
    • Directive: select the Read file option.
    • Verifier (path or executor): fill in with path="/tmp/arquivo".
    • Enable auditing?: mark as Yes if you want to audit the execution of registered rules.
    • Include general denial rule?: leave this option unchecked to ensure that all users on the Linux workstation have permission to execute everything, except those blocked by the rule.
    • Allow or block: set to Block.
    • Rule text: fill in with task.uid="john".
  6. Click Add, then fill in the second rule:
    • Allow or block: set to Allow.
    • Rule text: fill in with task.gid="group".
  7. Click Add.
  8. Click Save.
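The four cases above differ only in the Verifier, the "Include general denial rule?" setting and the Allow/Block rules, so the decision logic they describe can be modelled in a few lines. The following is an added illustration, not Segura's policy engine or any code from the product: it treats path= and exec= as naming the binary or file the action targets, matches task.uid, task.gid and task.exe against the rule text, uses the general denial setting as the default decision, and assumes a matching Block rule wins over a matching Allow rule (the assumption needed for john to be denied in Cases 3 and 4 while the rest of his group is allowed). The sample tasks and the user "alice" are constructed for the example.

```python
"""Toy model of the four EPM Linux access-policy cases (added example, not
Segura's engine). Assumptions: path=/exec= select the target binary or file;
task.exe is the executing parent (e.g. /usr/bin/sudo); Block beats Allow;
"Include general denial rule?" is the default when nothing matches."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Task:
    """A process attempting an action; fields mirror the rule-text attributes."""
    uid: str      # task.uid
    gid: str      # task.gid
    exe: str      # task.exe, the binary performing the action
    target: str   # the binary executed or file read, matched by the Verifier


@dataclass
class Rule:
    allow: bool   # "Allow or block"
    text: str     # "Rule text", e.g. 'task.uid="john"'


@dataclass
class Policy:
    verifier: str                 # e.g. 'path="/usr/bin/top"' or 'exec="/usr/bin/ls"'
    general_denial: bool          # "Include general denial rule?"
    rules: list = field(default_factory=list)


def parse_kv(expr: str) -> tuple[str, str]:
    """Split 'key="value"' into (key, value), dropping the quotes."""
    key, _, value = expr.partition("=")
    return key.strip(), value.strip().strip('"')


def verifier_matches(policy: Policy, task: Task) -> bool:
    """path= and exec= both name the file the action is performed on (assumption)."""
    key, value = parse_kv(policy.verifier)
    if key not in ("path", "exec"):
        raise ValueError(f"unsupported verifier key: {key}")
    return task.target == value


def rule_matches(rule: Rule, task: Task) -> bool:
    key, value = parse_kv(rule.text)
    attrs = {"task.uid": task.uid, "task.gid": task.gid, "task.exe": task.exe}
    if key not in attrs:
        raise ValueError(f"unsupported rule attribute: {key}")
    return attrs[key] == value


def evaluate(policy: Policy, task: Task) -> bool:
    """True if the task is permitted. Targets the policy does not cover, and
    covered targets with no matching rule, fall back to the general denial setting."""
    if not verifier_matches(policy, task):
        return not policy.general_denial
    matched = [r for r in policy.rules if rule_matches(r, task)]
    if any(not r.allow for r in matched):
        return False                      # assumption: a matching Block wins
    if any(r.allow for r in matched):
        return True
    return not policy.general_denial


# The four policies exactly as the page describes them.
CASE1 = Policy('path="/usr/bin/top"', True, [Rule(True, 'task.uid="user"')])
CASE2 = Policy('exec="/usr/bin/ls"', True, [Rule(True, 'task.exe="/usr/bin/sudo"')])
CASE3 = Policy('path="/usr/bin/df"', False,
               [Rule(False, 'task.uid="john"'), Rule(True, 'task.gid="group"')])
CASE4 = Policy('path="/tmp/arquivo"', False,
               [Rule(False, 'task.uid="john"'), Rule(True, 'task.gid="group"')])


def run_cases() -> dict[str, bool]:
    """Constructed sample tasks exercising each case; returns label -> permitted."""
    sh = "/bin/bash"
    return {
        "case1 user runs top": evaluate(CASE1, Task("user", "group", sh, "/usr/bin/top")),
        "case1 john runs top": evaluate(CASE1, Task("john", "group", sh, "/usr/bin/top")),
        "case1 user runs ls": evaluate(CASE1, Task("user", "group", sh, "/usr/bin/ls")),
        "case2 ls via sudo": evaluate(CASE2, Task("user", "group", "/usr/bin/sudo", "/usr/bin/ls")),
        "case2 ls from shell": evaluate(CASE2, Task("user", "group", sh, "/usr/bin/ls")),
        "case3 john runs df": evaluate(CASE3, Task("john", "group", sh, "/usr/bin/df")),
        "case3 alice runs df": evaluate(CASE3, Task("alice", "group", sh, "/usr/bin/df")),
        "case3 alice runs ls": evaluate(CASE3, Task("alice", "group", sh, "/usr/bin/ls")),
        "case4 john reads file": evaluate(CASE4, Task("john", "group", sh, "/tmp/arquivo")),
        "case4 alice reads file": evaluate(CASE4, Task("alice", "group", sh, "/tmp/arquivo")),
    }


if __name__ == "__main__":
    for label, permitted in run_cases().items():
        print(f"{label:28s} {'ALLOW' if permitted else 'BLOCK'}")
```

The contrast between "case1 user runs ls" (blocked, because general denial is on) and "case3 alice runs ls" (allowed, because it is off) is the practical effect of the "Include general denial rule?" checkbox: with it set, anything the policy does not explicitly allow is denied, so a Case 1 style policy should be rolled out with auditing enabled first to find binaries users legitimately need.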