Adding a custom rule to a PowerSC profile

You can add a rule of your own design to a custom version of an existing PowerSC profile. You might choose this procedure if the PowerSC profile has one or more rules that you require, but you also want to add your own rule and script.

For the most seamless PowerSC integration, the custom rule should follow PowerSC conventions, such as returning an error with a message, returning success, and undoing the operation when needed.

The following list summarizes the high-level steps you must perform to add a custom rule to a PowerSC profile:
  1. Copy an existing rule script to create your new rule.
  2. Modify the script to perform your new functionality.
  3. Make sure to verify all use cases (enforce, check, undo).
  4. Make sure to return proper success and error codes.
  5. Make a custom version of the PowerSC profile. Do not modify the original PowerSC profile.
  6. Use the PowerSC GUI to edit the profile and add your custom rule.
  7. Use the PowerSC GUI to copy the custom profile to a group of endpoints
  8. Use the PowerSC GUI to verify that all use cases work properly.
  1. Examine the PowerSC rule scripts and use one or more as templates for your rule script. The PowerSC rule scripts use the bash shell, but you don't have to follow this convention.
    • The PowerSC Linux rules are in /etc/security/pscxpert/bin.
    • The PowerSC AIX rules are in /etc/security/pscexpert/bin.
  2. For example, consider the cisv2_gnome_automount rule in the Linux_CISv2_Lev1_RHEL9 profile. This rule uses the relatively straightforward /etc/security/pscxpert/bin/gnome_automount script, which is instructive without being overly complex.
    Note: The cisv2_gnome_automount rule first calls the /etc/security/pscxpert/bin/adapter script to do some needed configuration and check the arguments. /etc/security/pscxpert/bin/adapter then invokes /etc/security/pscxpert/bin/gnome_automount.
    #!/usr/bin/bash
#
#       COMPONENT_NAME: (PSCXPERT)gnome_automount
#       FUNCTIONS:
#
#       Syntax:
#              gnome_automount  -{c|e} [v] <local_args> <value>
#
# ROCKET_PROLOG_BEGIN_TAG
# //* Copyright Rocket Software, Inc. or its affiliates 2023 *
# //* All Rights Reserved.                                            *
# ROCKET_PROLOG_END_TAG


source ${BIN_DIR}/linux-ice-common a 

if [[ $PSCXPERT_UNDO == "1" ]]; then b 
    rm -f /etc/dconf/db/local.d/00-media-automount
    dconf update
    exit 0
fi

case $1 in
    "$LINUX_ICE_ENFORCE" | "$LINUX_ICE_ENFORCE_VERBOSE") c 
        undo="NA"
        if [ "$1" == "$LINUX_ICE_ENFORCE_VERBOSE" ]; then
                set -x
        fi

        setting=$(gsettings get org.gnome.desktop.media-handling automount)
        if [[ $setting != "false" ]]; then
            echo "[org/gnome/desktop/media-handling]" >> /etc/dconf/db/local.d/00-media-automount
            echo "automount=false" >> /etc/dconf/db/local.d/00-media-automount
            echo "automount-open=false" >> /etc/dconf/db/local.d/00-media-automount
            dconf update

            undoparm=""
            generate_undo_metadata "${PSCXPERT_NAME}" "Undo" "${PSCXPERT_DESC}" "No prereq"  \
                "${PSCXPERT_COMMAND}" "${undoparm}" "Group not supported yet"
        fi

        ;;

 "$LINUX_ICE_CHECK" | "$LINUX_ICE_CHECK_VERBOSE") c 
        if [ "$1" == "$LINUX_ICE_CHECK_VERBOSE" ]; then
            set -x
        fi

        setting=$(gsettings get org.gnome.desktop.media-handling automount)
        if [[ $setting != "false" ]]; then
            echo "%$ICE_STATUS_NON_COMPLIANT%"$(msg "Gnome automount is not disabled.")
            exit 1
        fi
        ;;
    *)
        echo "%$ICE_STATUS_EINVAL%"$(msg "Usage: %s -{c|e}[v] <local_args> <value>" "$(basename ${BASH_SOURCE[0]})") d 
        exit 1
        ;;
esac

echo "%$ICE_STATUS_OK%" e 
exit 0
    Callout Notes:
    1. PowerSC rules use two operating-system specific scripts to provide some initial setup and establish variables. For example, all of the Linux *ICE* constructs used elsewhere in this script are defined here. You may find that these scripts provide useful functions to your custom rule. Review these scripts for the operating system type of the endpoints to which you want to apply your custom rule. Do not modify these scripts.
      • AIX: /etc/security/pscexpert/bin/initialize_variables
      • Linux: /etc/security/pscxpert/bin/linux-ice-common
    2. By PowerSC convention, your custom rule must be able to undo any operations it performs. An undo operation calls your custom rule like an enforce operation, except that it sets a variable called PSCXPERT_UNDO to the value of 1.
    3. Select the operation to perform, such as enforcing a change or checking a status. 
      case $1 in
"$LINUX_ICE_ENFORCE" | "$LINUX_ICE_ENFORCE_VERBOSE")
   some_enforcement_operation

;;
"$LINUX_ICE_CHECK" | "$LINUX_ICE_CHECK_VERBOSE")
   some_check_operation
;;
esac
    4. Return an error with a message. 
      echo "%$ICE_STATUS_EINVAL%$(basename ${BASH_SOURCE[0]}):" $(msg "Missing arguments.")
	exit 1
    5. Return success. 
      echo "true%$ICE_STATUS_OK%"
exit 0
  3. Copy and modify your chosen template script to perform your new functionality.
  4. Test your script from outside of PowerSC. PowerSC does not validate the script.
  5. Make a custom version of the PowerSC profile, as described in Creating a custom profile. At the last step, click Save. You do not copy the profile at this time.
  6. Use the PowerSC GUI to add your new rule to the custom profile:
    1. From the main page, select the Profile Editor tab.
      The Profile Editor page opens.
    2. Click the downward arrow to open the list of profiles. The drop-down menu lists the Built-in Profiles and Custom Profiles that are available.
    3. Expand the Custom Profiles list.
    4. Select the profile that you created.
    5. Click the Edit Profile icon. Your custom profile opens in edit mode.
    6. Click the Add Rule icon.
    7. Enter the name of the new rule. The name must contain only numbers, letters, or underscores. By convention, the name should begin with custom_.
    8. Enter the file specification for the shell script. The script must be in the following location:
      • AIX: /etc/security/pscexpert/bin/
      • Linux: /etc/security/pscxpert/bin/
  7. Click Save.
  8. Use the PowerSC GUI to view your custom profile and ensure that it is correct:
    1. From the main page, select the Profile Editor tab.
      The Profile Editor page opens.
    2. Click the downward arrow to open the list of profiles. The drop-down menu lists the Built-in Profiles and Custom Profiles that are available.
    3. Expand the Custom Profiles list.
    4. Select the profile that you created.
    5. Click the Edit Profile icon. Your custom profile opens in edit mode.
    6. Verify that the profile is correct.
  9. Manually copy your script file to the following location on each required uiAgent:
    • Linux uiAgents: /etc/security/pscxpert/bin
    • AIX uiAgents: /etc/security/pscexpert/bin
  10. Copy the custom profile to your chosen group of endpoints, as described in Copying a custom profile to a group of endpoints.
  11. Simulate or apply the custom profile to your chosen group of endpoints, as described in Simulating compliance levels and profiles and Applying compliance levels and profiles, respectively.
  12. If you need to undo the profile, follow the steps described in Undoing compliance levels. The undo action from your script is invoked by the Undo action on the Compliance page using the following undo action rules.
    • For AIX, the undo action rules are written to the /etc/security/aixpert/core/undo.xml file.
    • For Linux, the undo action rules are written to the /etc/security/pscxpert/core/undo.xml file.