Use cases for sudo rules

Case 1: Allow any user to run the “cat” command with sudo

  1. In Segura, in the navigation bar, hover over the Product Menu and select EPM.
  2. In the side menu, select Policies > Linux > Sudo Rules.
  3. Click Add.
  4. On the Segregation screen, choose General.
  5. Open the Register sudo rules form.
  6. On the Main tab, fill in the fields:
    1. Identification name: define a name to identify the rule.
    2. Active: check Yes.
    3. Commands for applying the rule: the full path must be used; add /usr/bin/cat, the path of the cat command.
    4. Should be NOPASSWD?: set to Yes so that the user is not prompted for their password.
    5. Description: add a brief description of this rule.
  7. Click Save.

Case 2: Allow any user to run the “cat” command as sudo on a specific device

  1. In Segura, in the navigation bar, hover over the Product Menu and select EPM.
  2. In the side menu, select Policies > Linux > Sudo Rules.
  3. Click Add.
  4. On the Segregation screen, choose Devices.
  5. Open the Registration of sudo rules form.
  6. On the Sudo rules tab, fill in the fields:
    1. Identification name: define a name to identify the rule.
    2. Active: check Yes.
    3. Commands for rule application: the full path must be used; add /usr/bin/cat, the path of the cat command.
    4. Should be NOPASSWD?: set to Yes so that the user is not prompted for their password.
    5. Description: add a brief description of this rule.
  7. In the Devices tab, fill in the fields:
    1. Click Add to open the Devices modal.
    2. In the Devices modal, select the devices you want to include in the rule.
    3. Click Add.
  8. Click Continue.
  9. On the Review tab, review the rule registration and click Save.
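
Added example, not Segura's own code or output: a small Python model of the fields used in Cases 1 and 2 that renders the equivalent native sudoers line and lists what a reviewer should note before saving. How Segura applies the rule on the endpoint is not described on this page, so the sudoers rendering, the one-line-per-rule shape and the hostnames are assumptions.

```python
"""Model of the sudo rule fields from Cases 1 and 2 (assumed mapping to sudoers)."""
import re
from dataclasses import dataclass, field


@dataclass
class SudoRule:
    name: str                                    # "Identification name"
    commands: list                               # "Commands for applying the rule"
    nopasswd: bool = True                        # "Should be NOPASSWD?"
    active: bool = True                          # "Active"
    devices: list = field(default_factory=list)  # Case 2 "Devices"; empty = any host


def render_sudoers(rule):
    """Return the sudoers line this rule corresponds to, or None if inactive.

    Assumption: one rule maps to one sudoers line. All users (the page's
    "any user") become the User_List ALL; selected devices become the Host_List.
    """
    if not rule.active:
        return None
    for cmd in rule.commands:
        if not cmd.startswith("/"):  # the page requires the full path
            raise ValueError(f"{rule.name}: command must be a full path, got {cmd!r}")
    hosts = ",".join(rule.devices) if rule.devices else "ALL"
    tag = "NOPASSWD: " if rule.nopasswd else ""
    return f"ALL {hosts}=(ALL) {tag}{', '.join(rule.commands)}"


def review(rule):
    """Defender-side findings a reviewer should weigh before clicking Save."""
    findings = []
    if rule.nopasswd:
        findings.append("NOPASSWD: no re-authentication before the command runs")
    if not rule.devices:
        findings.append("applies to every device, not a specific host")
    for cmd in rule.commands:
        if re.search(r"[*?]", cmd):
            findings.append(f"wildcard in {cmd!r} widens what may be executed")
        if " " not in cmd:
            # sudoers grants any arguments when none are listed after the path
            findings.append(f"{cmd!r} accepts arbitrary arguments")
    return findings


if __name__ == "__main__":
    case1 = SudoRule("cat-any-user", ["/usr/bin/cat"])            # Case 1
    case2 = SudoRule("cat-srv", ["/usr/bin/cat"], devices=["srv01"])  # Case 2, constructed host
    for r in (case1, case2):
        print(render_sudoers(r), review(r))
```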

Case 3: Creating a DAC Permission Access Policy

  1. In Segura, hover over the Product Menu in the navigation bar and select EPM.
  2. In the sidebar menu, select Policies > Linux > Policies.
  3. Click Add to be directed to the policy selection screen.
  4. On the Segregation screen, select the policy type, in this case, General.
  5. Open the Access Policy Registration form.
  6. On the General tab, fill in the fields:
    1. Policy name: name for rule identification.
    2. Active: set to Yes.
    3. Directive: select Execute binary.
    4. Verifier (path or executor): enter the expression path="/bin/(app directory)" path.perm=(execution mask number) path.perm=(user group/user).
    5. Enable auditing?: enables auditing of policy actions. The field is mandatory and is active by default.
    6. Include general negotiation rule?: when enabled, only the registered rules are allowed and anything not covered by a rule is denied.
    7. Allow or block: fill in whether the registered policy allows or blocks access for the user or group.
    8. Rule text: fill in with a rule in the format of policies in CaitSith. For example, task.gid=(group name) or task.uid=(user name).
    9. Click Add for each rule created.
    10. To add a new rule, click Add and fill in the table fields.
  7. Allow or block: choose whether the registered policy allows or blocks access for the user or group.
  8. Rule text: fill in with a rule in the format of policies in CaitSith. For example, for users: task.uid="user". For groups: task.gid="group". The group must be the user's primary group.
  9. Click Continue.
  10. Select the Review tab.
  11. Review the information about the rule and, if everything is correct, click Save.

The system displays the confirmation message "Success. Data saved successfully". The created rule appears in the report list at EPM > Policies > Linux > Policies.