- 2 minutes to read
- Print
- DarkLight
- PDF
How to create an access policy for DAC permission
- 2 minutes to read
- Print
- DarkLight
- PDF
This article will guide you through a step-by-step process on how to create a DAC permission type at the Go Linux.
Requirements
- Be an admin user.
Create the permission
- At the senhasegura platform, in the upper left corner, click on the Grid Menu ⁝⁝⁝ and select GO Endpoint Manager.
- Select Policies ➔ Linux ➔ Access policies.
- In the upper right corner, click on the View Actions icon, represented by the three vertical dots ⁝ and select + New rule.
- This action will open a pop-up windows called Access policy register.
In the Main tab fill in the information:
- Policy name: the new rule identification name.
- Enable: check Yes.
- Guideline: select Binary Run.
- Checker (path or executor): type this command line:
path="/bin/(diretório do app)" path.perm=(número da máscara de execução) path.perm=(grupo de usuário/usuário)
For example: path="/bin/passwd" path.perm=07777 path.perm=senhasegura.
The mask execution values are listed in the DAC Permission document.
If the admin doesn’t want to give access to a specific group or user, it must use the exclamation point ! before the equal sign. For example: path.perm!=senhasegura
. This way, the rule will be applied to all the users, except the group or user specified.
Typing incorrectly or leaving the field empty leads to the total unusable of the device. Follow CaitSith's syntax to complete this field correctly.
- Enable audit?: the field is required and enabled by default. Leave it enabled if you want to audit the policy actions.
- Include general denial rule?: check it to allow only the registered rules and deny the binary not included.
- Allow or lock: select whether the registered policy allows or denies access to the user or group.
- Rule text: fill in a rule in the format of policies in CaitSith. For example:
task.gid=(nome do grupo)
ortask.uid=(nome do usuário)
The first rule added takes precedence over rules added later. If you create a rule that allows the execution of the binary and then add another rule to block the execution of the same binary, the access policy will only consider the first rule, leaving the second rule unconsidered.
- Click Add for each rule.
The created rules will be listed on the list, below the fields, to remove any rule click on the trash bin icon, from the selected rule
- Click Save.
The platform will display a confirmation notice: “Success. Data saved successfully!” The permission will be display at the report at the Access Policies homepage.
Do you still have questions? Reach out to the senhasegura Community.