Security Policy Scripting Language Definition

The Security Policy Scripting Language is an interpreted programming language. Its syntax is similar to the C language. Like C, it is case-sensitive. This chapter contains detailed information about using the Privilege Management for Unix and Linux Security Policy Scripting Language.

Variables and Data Types

A variety of variables and data types are available in the Privilege Management for Unix and Linux Security Policy Scripting Language. These are described in the following sections.

Variables

Privilege Management for Unix and Linux uses predefined system variables to store both system and task-specific information. These variables are a valuable resource to the Security Administrator because they can be accessed and manipulated from within security policy files with the Security Policy Scripting Language. The information in these variables can play a critical role in determining whether a task request should be accepted or rejected. System variables can also be used to set runtime properties, including logging options, for a specific task request.

In addition to predefined system variables, the Security Administrator can create and manipulate user-defined variables to assist with security policy file processing. User-defined variables are implicitly defined, meaning the interpreter automatically allocates storage for a user-defined variable the first time that variable is referenced. In the Privilege Management for Unix and Linux Security Policy Scripting Language, there is no need to formally declare a variable before using it. Consequently, the language does not provide a mechanism for explicitly defining a variable type. A variable’s type is implicitly defined by the information that is stored in that variable. After a variable has stored a specific type of information, it cannot store information of a different data type.

Observe the following rules when creating user-defined variables:

  • Variable names can be any length.
  • The first character of a variable name must be a letter or an underscore character. The remaining characters can be letters, numerals, or underscores.
  • Variable names are case sensitive. For example, the variable names currentuser and CurrentUser represent two different and unique variables.

MyVariable = "123";     # Create a user-defined variable.
LoopCounter = 1;        # Create a user-defined variable.
_CurrentUser = "Tom";   # Create a user-defined variable.
runuser = "SysAdm";     # Set a predefined system variable.

Variable Scope

With the exception of function parameters, all Privilege Management for Unix and Linux variables are global in scope. (In this context, the function name inside a function behaves like a function parameter.) This means that if a user-defined variable is implicitly defined in a security policy file and referenced in another security policy file, both files access the same variable.

Function parameters, also called function arguments, are the exception: they work differently from other variables. Storage for the arguments of a specific security policy function is deleted when that function completes execution.

Variable Data Types

The data type, or type of information that is stored in a variable, determines the type of operations you can perform on the variable. Privilege Management for Unix and Linux supports the following data types:

  • Character strings
  • Integers
  • LDAP connections
  • LDAP messages
  • List of character strings

The character string, or string, data type is a sequence of zero or more characters enclosed in single or double quotation marks. It is important to note that arithmetic operations cannot be performed on character strings. For instance, the character string "123" cannot be used in an arithmetic operation even though it contains only numeric characters. As another example, the character string "12" is not the same as the number 12. A value that is enclosed in quotation marks is always stored as a character string. In other words, the Security Policy Scripting Language interpreter treats numeric values and numeric character strings differently. They are not interchangeable.

The following table lists character string examples and how they are interpreted.

Example        Interpreted As
"abc"          Character string
""             Empty character string
"0123456789"   Numeric character string
'abc'          Character string

Integers are numeric values used to perform arithmetic operations. It is important to note that the value 12, which is a numeric value, is not the same as the value "12", which is a character string. The Security Policy Scripting Language interpreter treats numeric values and numeric character strings differently. They are not interchangeable.

The integer data type can store any integer value (that is, the set of both positive and negative whole numbers). An octal number (base 8) is specified by prefixing the octal value with a leading zero (for example, 022). A hexadecimal number (base 16) is specified by preceding the hexadecimal value with "0x" (for example, 0x5A).

The following table lists the valid integer characters.

Base          Valid Characters
Octal         0, 1, 2, 3, 4, 5, 6, 7
Decimal       0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Hexadecimal   0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F

The policy language does not support fractional (or floating-point) values. Integer values cannot include characters such as commas, dollar signs, or decimal points.

The integer values 0 and 1 have special meaning within the Security Policy Scripting Language. The integer value 0 represents the Boolean false value. The integer value 1 represents the Boolean true value.

The following table provides several examples on the use of integer variables.

Example             Result
RejectCount = 0;    Sets RejectCount to 0
UserLimit = 10;     Sets UserLimit to 10
OctNumber = 022;    Sets OctNumber to 18 (octal 022)
HexNumber = 0x7a;   Sets HexNumber to 122 (hexadecimal 0x7a)

For more information on Boolean values, please see Boolean True and False Variables.

The LDAP connection is a special data type that is used solely for passing parameters to and from the Privilege Management for Unix and Linux LDAP functions.

For more information on Privilege Management for Unix and Linux LDAP functions, please see LDAP Functions.

The LDAP message is a special data type. It is used only to pass parameters to and from the Privilege Management for Unix and Linux LDAP functions.

For more information on Privilege Management for Unix and Linux LDAP functions, please see LDAP Functions.

A list of character strings, also called a list, is an ordered group of character strings, separated by commas and surrounded by curly braces {}. It has the syntax:

{ string-one, string-two, … }

An empty list is represented as { }.

Assignment to a list has the syntax:

name = { string-one, string-two, … }

Assignment to an element of a list has the syntax:

name[1] = "string-three"

Think of a list as a one-dimensional array consisting of zero or more elements (refer to the example). A list can contain only character string data (that is, a list cannot contain integer values, LDAP related types, or other lists).

Individual list elements are accessed using an index number. The index number is enclosed in square brackets that directly follow the list name (see the following example).

Index numbering starts at 0. This means that the first element in a list has an index of 0, the second element has an index of 1, and so on. For example, the fifth element in a list has an index number of 4.

UserList = {"JWhite", "BSmith", "CDent"};

results in the following:

UserList[0] is "JWhite"
UserList[1] is "BSmith"
UserList[2] is "CDent"

Assume the following:

TrustedUsers = {"JWhite", "BSmith"};
User1 = TrustedUsers[0];
User2 = TrustedUsers[1];
MyString = { "a", "b", "c" }[1];

In this case:

User1 = TrustedUsers[0]; sets User1 to "JWhite"
User2 = TrustedUsers[1]; sets User2 to "BSmith"
MyString = { "a", "b", "c" }[1]; sets MyString to "b"
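The following policy fragment is an added, constructed example (not taken from the product manual) that ties together the variable scope rules and the list indexing described above: a list of trusted users is walked by index inside a function, and the only local storage is the function parameter. It assumes, beyond what this page shows, the predefined variable user (the requesting user), the built-in length() for the number of list elements, the function/return syntax, a C-style while loop, and the accept and reject statements.

```text
# Added example, not from the manual. Assumes: user, length(), function,
# return, while, accept and reject are available as in the real language.

TrustedUsers = { "JWhite", "BSmith", "CDent" };   # a list holds strings only
MaxRetries   = 2;                                  # integer 2, not string "2"

function IsTrusted(who)
{
    # 'who' is a parameter, so its storage is released when the function
    # returns. 'Idx' is NOT a parameter, so it is global: it keeps its last
    # value after the call and is visible to every other policy file.
    Idx = 0;
    while (Idx < length(TrustedUsers)) {
        if (TrustedUsers[Idx] == who)   # string compared with string
            return true;                # true is the integer 1
        Idx = Idx + 1;                  # integer arithmetic only
    }
    return false;                       # false is the integer 0
}

if (IsTrusted(user)) {
    runuser = "SysAdm";   # predefined system variable; holds a string
    accept;
} else {
    reject;
}
# After this point Idx still exists (global) but 'who' does not.
```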