Manage EPM-UL Script-Based Policies

Script-based policy management will be disabled on hosts configured to use role-based policy. For more information, please see Role-Based vs. Script-Based Policies.

To manage script-based policies:

An image of the Script Policy Files section in BeyondInsight for Unix & Linux.

  1. Go to the Policy Management page.
  2. In the Hostname list, select a server entry, and then at the far right, click the vertical ellipsis menu icon and select PMUL Policy.
  3. Select an existing script file to open it in the editor. Alternatively, click Create New Script and provide a Filename to create a script-based policy.
  4. After you edit the script, select the Validate button from the toolbar. This will verify script syntax is correct. If an error is found, a notification displays in red stating the file syntax is invalid.

When Validate is selected, only the syntax is verified. This does not verify the policy definition or included policies.

Script-based policies can reside in either the file system under the folder defined as the policydir in Endpoint Privilege Management for Unix and Linux settings or as objects in the change management database. Files that are in the database support version control. Files that are not in the database can be added by choosing the Import to Database option under the Script Editor.

The Script Policy editor uses the code editor to assist the user managing the policy. Discard will revert the document to its original state. Save will write the file changes to either the file system or the database.

Advanced Control and Audit

The Advanced Control and Audit (ACA) editor allows users to configure an ACA statement. It is available on the code editor toolbar.

An image of the Advanced Control and Audit section in BeyondInsight for Unix & Linux.

  1. Select the ACA button in the script editor. This will open the ACA editor.
  2. Define the following: 
    • Target: The target contains the files and folders the ACA policy rules will apply to.
    • Log Message: The provided value will be inserted into logs to facilitate easier searching.
    • Default Log Level: Assign a number for the log level to use as a default.
    • Session History: If either Audit command History or Continue On Error are enabled, Enable Session History is added to the ACA statement.
    • File System Operations: Check the box for the file system operation you want to audit. Selecting an operation allows you to set whether the operation is allowed or blocked. Additionally, a log level can be configured for an operation. System operations that are not assigned a log level are automatically assigned the default log level.

File operations that are not selected are not audited.

After configuring your ACA policy, click the Insert Statement button under the ACA policy preview to add the statement to the policy.

For more information on ACA, please see the Endpoint Privilege Management for Unix and Linux Policy Language Guide, .