Command Control 69 novdocx (en) 7 January 2010

Users: Specify the usernames of the users on your Linux and UNIX hosts that have your permission to use the crush command.

3e Click Finish.

4 Add a crush rule:
  4a Click Rules > Add Rule.
  4b Specify a name, then click Finish.
  4c Select your crush command, then drag it to your crush rule.
  4d Select your crush user group, then drag it to your crush rule.
  4e Select your crush script, then drag it to your crush rule.
  4f Select your crush rule, then click Modify Rule in the task pane.
  4g Fill in the following fields:
   Description: Explain the purpose of this rule. Specify something similar to the following:
   Authorizes the matching of submit users who have /usr/bin/crush as their defined login shell. It authorizes their session and enables session capture, when they are still running as their original login ID.
   Session Capture: Select On.
   Authorize: Select Yes, then select Stop if authorized and from the drop-down menu. These settings allow subsequent commands to be executed without authorization checks whenever the user has had one command authorized.
  4h Click Finish.

5.2.4 Using rush for Complete Session Control

You can change the user’s login shell to the rush client so that no authorization request is sent when the user logs on. This provides a method of integration that is invisible to the user.

The rush client executes as a normal Korn shell. Functions and aliases that replace normal system commands are read from /etc/profile.rush. When the user issues a command that needs privileges to run, it is authorized through the Framework.

1 Use the tool provided in the UNIX or Linux environment to set the users’ shell to /usr/bin/rush

2 To ensure that configured commands are authorized at the Framework, add the following line to either the user’s .profile file or to the central profile.rush file in the /etc directory on the appropriate UNIX or Linux servers:

  set -o remote

  IMPORTANT: The set -o remote option forces all commands that are not built in to the user’s shell to be authorized at the Framework. Commands for which a defined rule does not exist are not permitted to execute. To prevent all commands in the profile.rush file or .profile file from being passed to the Framework for authorization, add the set -o remote command at the end of the file.

3 (Optional) Set the following additional options in the profile file: