Subject: v24i024: Scripts for setting site policies
Newsgroups: comp.sources.unix
Approved: rsalz@uunet.UU.NET
X-Checksum-Snefru: 4bd55220 d00136f4 2c211cec 00fdfbc3

Submitted-by: Bud Hovell
Posting-number: Volume 24, Issue 24
Archive-name: policy

[ This is a rather interesting submission.  Should I have posted it?
  Send me email.  --r$ ]

The need for more-formal policy definition seems to be gaining increasing
recognition as a real problem at many sites, and this little package is an
attempt to give SAs a leg up on addressing that concern by providing them
some basic tools and suggestions.

Rob Kolstad has made reference to this package on two occasions in his
column, and Bjorn Satdeva at Sysadmin, Inc., has mentioned it also in the
sysadmin subscriber list. Consequently, I have had a number of requests
for it - and it may be time to make this info more-generally accessible.

Let me say, though, that if you feel it is *not* an appropriate addition,
then it isn't going to hurt my feelings if you reject it. :-)

This is the latest version, which is a *vast* improvement over some of the
earlier scripts. Hopefully, it will run on all common machines, but I am
not certain, since my limited experience is only with sysv. Suggestions
are welcome.

Bud Hovell

#! /bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".  To overwrite existing
# files, type "sh file -c".  You can also feed this as standard input via
# unshar, or by typing "sh '1stlogin.ann' <<'END_OF_FILE'
X# $Id: 1stlogin.ann,v 1.10 91/02/07 09:55:17 bbh Rel $
X# Tell the new user what the rules are:
X
X# Give him a temp terminal for this script, which is run from /etc/profile:
XTERM=vt100
Xexport TERM
X
Xdone=
Xuntil [ "$done" = "yes" ];do
X    # Clear the screen
X    tput clear
X    cat << "END_PAGE_1"
X
X                              WELCOME!!!
X
XFirst, you should invoke 'menu' from the command line, then select 'policy'
Xto review the basic policies which govern the operation of this system and
Xwho is responsible for what.
X
XIf a policy has provisions with which you do not agree, please notify the
Xadministrator AT ONCE voicing your concerns/suggestions. Absent such notice,
Xyou are assumed to have reviewed, understood, and agreed to conform to all
Xwritten policy prevailing during any period you have authorized access to
Xthis host, as evidenced by your continuing to log in.
X
XIf policies are significantly changed at any time, you will be sent email
Xto inform you that a change has been effected, *or* there will be an announce-
Xment in the system 'news' that will show up when you log in.
X
X[ You are responsible for reading all system 'news' messages containing the
Xword "policy", since these will contain information effecting specific policy
Xchanges, which should occur rarely. ]
X
XEND_PAGE_1
X    echo " (Touch 'RETURN' to continue)"
X    read nothing
X    cat << "END_PAGE_2"
X
XAn initial .profile and .kshrc are provided for your convenience. If you
Xwant to see the special (read "usenet") features available on this machine,
Xmost of them have man pages, and 'manlist' will give you a brief list of
Xwhat non-AT&T commands are available. Detail, of course, can be gotten
Xby reading the man pages themselves.
X
XAgain, welcome to 'mtek' - if we can assist you in any way, please let us
Xknow!
X
XEND_PAGE_2
X
X    echo "Do you wish to re-read this message? [y]/n > \c"
X    read done
X    case $done in
X    y*|Y*|"")   # No -wants to see it again
X        :
X        ;;
X    *)          # He's done
X        done="yes"
X        break
X        ;;
X    esac
Xdone
X
X# Make a permanent record that this user has seen this announcement
Xrecord="$HOME/..."
Xecho "Announcement presented to this user, '$LOGNAME.'" > $record
Xchmod 440 $record
Xchgrp root $record
Xchown root $record
X
X# Clear the screen
Xtput clear
X
X# Take away the temp terminal (user's .profile will supply the real one
X# hereafter):
XTERM=
Xexport TERM
X
X# end of file
END_OF_FILE
if test 2394 -ne `wc -c <'1stlogin.ann'`; then
    echo shar: \"'1stlogin.ann'\" unpacked with wrong size!
fi
# end of '1stlogin.ann'
fi
if test -f 'MANIFEST' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'MANIFEST'\"
else
echo shar: Extracting \"'MANIFEST'\" \(527 characters\)
sed "s/^X//" >'MANIFEST' <<'END_OF_FILE'
X   File Name        Archive #   Description
X-----------------------------------------------------------
X 1stlogin.ann           1       1st notice for new login users
X MANIFEST               1       This shipping list
X README                 1       Information on the use of this stuff
X gen                    1       Example: general policy
X logins                 1       Example: specific user responsibilities
X policy                 1       Executable: policy shell script
X usenet                 1       Example: policy regarding new hookups
END_OF_FILE
if test 527 -ne `wc -c <'MANIFEST'`; then
    echo shar: \"'MANIFEST'\" unpacked with wrong size!
fi
# end of 'MANIFEST'
fi
if test -f 'README' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'README'\"
else
echo shar: Extracting \"'README'\" \(2844 characters\)
sed "s/^X//" >'README' <<'END_OF_FILE'
X$Id: README,v 1.8 91/03/01 22:39:36 bbh Rel $
X
XWhat is in this package and how to use it:
X^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
XThe file '1stlogin.ann' (first-login announcement) is something we call
Xfrom /etc/profile by adding this entry:
X
X    if [ -r /usr/local/etc/1stlogin.ann -a ! -f $HOME/... ]
X    then . /usr/local/etc/1stlogin.ann
X    fi
X
X...which tests to see if the '...' file exists in the user's home
Xdirectory, and presents him with the announcement if it does not. This
Xassures that every new user, on first login, gets the instructions
Xregarding his responsibility to read, understand, and comply with local
Xpolicy. It directs him to the use of the 'policy' command to become
Xand stay current on in-house policy. You may choose to use it or not.
XIf you do, this file should be set to 444 to make it read-only.
X
XAll other files listed in the MANIFEST relate to the 'policy' script
Xitself, or to the example policy text files it might call:
X
XMuch of the 'gen' file was outright lifted directly from the text of a
Xsimilar file used in one of the Canadian universities - have since for-
Xgotten who/where was responsible (sorry). We have made a number of
Xchanges for local circumstances. You may wish to start with this as a
Xtemplate for your own general policy statement.
X
XA few other text files are provided simply as examples of supplementary
Xpolicy descriptions. Because I tend to be a hard-ass, they probably won't
Xbe appropriate at your site, but the subjects may be some you wish to cover.
X
XThe executable file, 'policy', should be useful to you even if you decide
Xto drop-kick the use of our example policy files, since it provides an easy
Xway to manage a full screen of policy-file listings for selection by the
Xuser. If you make improvements on this script, I'd sure like to see them
Xso they can be incorporated into future revisions, with proper credit to
Xyou for the contribution. Since I don't claim to know about all the various
Xunixen out there (remember, I'm a 'suit', not a 'tech' :-), this script
Xmay need minor modification for some non-sysV machines. So far, though, I
Xhaven't gotten any complaints, so it must be working with most of them.
X
XInstallation: you must create the policy directory, by default named 'Policy',
Xand within that directory an empty menu file, by default named 'polmenu',
Xwhich must be set mode 666 (read and write for everyone). The directory also
Xwill contain the individual policy text files that you create - see the
Xinstructions in the 'policy' script for more info, if needed.
X
XOnce set up, the script automatically updates the menu any time a new text
Xfile is added. NOTE: in those instances that you may choose to *remove*
Xa named text file, just empty the menu file and allow the script to rebuild
Xa new menu of entries.
X
XHope this is useful to your purposes...bud@mtek.com
END_OF_FILE
if test 2844 -ne `wc -c <'README'`; then
    echo shar: \"'README'\" unpacked with wrong size!
fi
# end of 'README'
fi
if test -f 'gen' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'gen'\"
else
echo shar: Extracting \"'gen'\" \(4492 characters\)
sed "s/^X//" >'gen' <<'END_OF_FILE'
Xgen - general overview $Revision: 1.10 $ $Date: 91/02/06 12:48:51 $
X^^^^^^^^^^^^^^^^^^^^^^^^^^
X
X                 USE OF MTEK COMPUTING FACILITIES
X
XThis host is privately owned and operated in support of a business. Business
Xpriorities will thus be served first, if there is a conflict for time of the
Xadministrator. We will be as helpful as conditions allow.
X
XWe run a lot of usenet software on this host. So if you wonder if a desired
Xcommand is in your PATH, type in 'which '.
X
XTo find information about other users, use 'finger'. (Do 'man finger', if
Xyou want to read the man page describing the use of 'finger').
X
XPlease furnish your office telephone number and extension so that we can enter
Xit into the password file, available for 'finger' to find you. If you like,
Xyou may also furnish your home number to be included, as well.
X
XBelow are presented the main elements of local policy, which apply to all
Xusers:
X
X                    * * * * * * * * * * * * * * *
X                    * Computer Resources Policy *
X                    * * * * * * * * * * * * * * *
X1. General
X
XComputing facilities are provided by MTEK International, Inc. (the "company")
Xfor use by local and remote users. It is expected that all users will make
Xuse of local computing resources in a manner which is ethical, legal, and not
Xcontrary to the interests of others, including the company.
X
XThe basic guidelines are that any use must be legal and not such as to
Xinterfere with use by other authorized users, nor compromise the confiden-
Xtiality of the company's internal business practices or records.
X
X2. Notice
X
XIf any policy has provisions with which you do not agree, please notify the
Xadministrator describing your concerns/suggestions. Absent such notice, it is
Xassumed you have reviewed and understood, and fully agree to conform to, all
Xprevailing published policies governing the use of this system.
X
X2. Disclaimer
X
X* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
X*                                                                         *
X*    The company accepts NO RESPONSIBILITY for any damage to or loss of   *
X*    data arising directly or indirectly from the use of these or other   *
X*    facilities or for any consequential loss or damage. It makes NO      *
X*    WARRANTY, express or implied, regarding the computing services       *
X*    offered, or their fitness for any particular purpose.                *
X*                                                                         *
X*    The company's liability in the event of any loss or damage shall     *
X*    be LIMITED TO THE FEES AND CHARGES, IF ANY, PAID TO THE COMPANY      *
X*    for use of the computing facilities which resulted in said loss      *
X*    or damage.                                                           *
X*                                                                         *
X* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
X
X3. Failure to abide by the policies described below and in related docu-
Xments may result in denial of access to computing facilities:
X
X    A. You may only use those facilities which have been authorized
X       for your use. If access is protected by a password, you are not
X       to make this password available to others. You may not use any
X       account set up for another user, nor may you attempt to find out
X       the password of another user.
X
X    B. You may only use authorized facilities for authorized purposes.
X
X    C. You must be aware of the law of copyright as it affects computer
X       software. Software must not be copied except with the express
X       permission of the copyright owner (which may be expressed in the
X       copyright notice contained within the software). Note that a
X       formal copyright need not be in evidence in order for copyright
X       protection to be in force.
X
X    D. You may not attempt to copy information belonging to other users
X       without their express permission.
X
X    E. You may not attempt to interfere with the operation of computing
X       facilities.
X
X    F. You may not attempt to subvert the security of any of the company's
X       computing facilities.
X
X    G. You may not use the company's computing facilities to send messages
X       which are obscene or otherwise harassing in their intent.
X
X    H. You may disagree with one or more of these policies, publicly or
X       privately, in accordance with your First Amendment rights, but you
X       may not violate any of these policies for any reason or purpose.
END_OF_FILE
if test 4492 -ne `wc -c <'gen'`; then
    echo shar: \"'gen'\" unpacked with wrong size!
fi
# end of 'gen'
fi
if test -f 'logins' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'logins'\"
else
echo shar: Extracting \"'logins'\" \(1711 characters\)
sed "s/^X//" >'logins' <<'END_OF_FILE'
Xlogins - responsibilities of users $Revision: 1.4 $ $Date: 90/12/18 19:43:56 $
X^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
XThis section should be considered as an extension of the 'gen' file which
X    contains the general policies governing local computer usage.
X
XWhile it is not the intent of local policy to restrict unduly the exercise
X    of free and unbounded communication, it is to be likewise clearly
X    understood that no one having login privileges on this host has any
X    "right of free speech" whatsoever as it relates to exercise of that
X    privilege.
X
XBecause any login user has actual (or potential) access to usenet, the
X    administrator reserves the absolute and unfettered right to terminate,
X    with or without stated cause, any login which may have been granted
X    on this host at any time.
X
XThis policy exists primarily to provide recourse to the administrator in the
X    event a login user creates traffic onto the usenet which is considered
X    *by the administrator* to be of such character as to create a negative
X    reputation for this site and/or its management. Such actions will not
X    be tolerated.
X
XReceipt of messages from other *system administrators* (not users) register-
X    ing complaints about a local user will be considered compelling
X    evidence that the login should be withdrawn. Except....
X
XIt is true that it is relatively simple (if one has root privilege on a host)
X    to create 'bogus' mail. Any login user who believes that someone has
X    sent bogus mail under his name and this site name should notify the
X    administrator immediately. These events, while rare, do happen, and
X    are a recognized risk faced by everyone. A plea of "I didn't DO it"
X    will usually prove to be a fully adequate defense....:-)
END_OF_FILE
if test 1711 -ne `wc -c <'logins'`; then
    echo shar: \"'logins'\" unpacked with wrong size!
fi
# end of 'logins'
fi
if test -f 'policy' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'policy'\"
else
echo shar: Extracting \"'policy'\" \(2837 characters\)
sed "s/^X//" >'policy' <<'END_OF_FILE'
X# $Id: policy,v 1.19 91/01/16 10:55:28 bbh Rel $
X#
X#   Author: Bud Hovell
X#           MTEK International, Inc.
X#           311 B Avenue - Suite 200
X#           Lake Oswego, OR 97034
X#
X################################# edit these ################################
Xpoldir=/usr/local/adm/Policy    # Where named policy files live.
Xpager=/usr/local/bin/less       # Your favorite pager.
Xmyname="uuname -l"              # How to get local host name
Xtmp=/tmp                        # Preferred tmp directory
X################################ edit no more ###############################
X# Note: any policy file must be named identically to the first word of the
X#       first line in the file itself. Consider the file "logins", with
X#       this as line one (or the last line if you must use 'tail', see
X#       above) :
X#
X#           logins - responsibilities of users
X#
X#       .....where the word "logins" begins at character one of line
X#       one of the file named "logins". This first line will then be
X#       extracted to the ad-hoc menu file to provide the menu id for
X#       the user to select the "logins" policy file.
X
X# Some variables:
Xhost=`$myname | tr '[a-z]' '[A-Z]'`
Xmenu=$poldir/polmenu
X
X# Do we have a "clear" function?
Xif [ -x /bin/clear -o -x /usr/bin/clear ]
Xthen    clear=`clear`
X# ....or curses?
Xelif [ -x /usr/bin/tput ]
Xthen    clear=`tput clear`
Xelse    clear=
Xfi
X# WORK
X# Any files newer than menu?
Xcd $poldir
Xnew=`find . -newer $menu -print`
X
X# If so, menu needs to be updated:
Xif [ "$new" != "" ]
Xthen    echo "\nOoops...hold on while I build a new menu for '$0'...\n"
X        > $menu
X        filelist=`ls | sed -e 's/polmenu//g' \
X                           -e 's/^[ ]$//g' \
X                           -e 's/$//g'; echo "\n"`
X        for file in $filelist
X        do
X                echo " \c" >> $menu
X                # This will read out all of line 1 into the user menu,
X                # except for any trailing Id or Header stuff for RCS
X                # (if you show your revision info on line one):
X                cat $file | sed -n '1p' | cut -d"$" -f1 >> $menu
X        done
Xfi
X
X# WORK
X
X# Re-run the menu until 'quit' from user:
Xi=x
Xuntil [ "$i" = "q" -o "$i" = "Q" ]; do
X
Xecho $clear
X
Xecho "\n DIRECTORY OF LOCAL POLICY FOR HOST '$host'\n"
Xcat $menu
Xecho "\n .....or 'q'uit"
Xecho "\n To review a policy, type in subject: > \c"
Xread i
Xcase $i in
Xq|Q)    # Wants to quit
X        echo "\n Policy review concluded. Thanks for your interest.\n"
X        break ;;
X"")     # No entry
X        i=x
X        echo "\n You must provide a name or 'q'uit.\007"
X        sleep 2
X        continue ;;
X*)      # Wants another
X        if [ -r "$poldir/$i" ]
X        then    $pager "$poldir/$i"
X                i=x
X        else    echo "\n You must provide a name or 'q'uit.\007"
X                sleep 2
X                i=x
X        fi
X        continue ;;
Xesac
Xdone
END_OF_FILE
if test 2837 -ne `wc -c <'policy'`; then
    echo shar: \"'policy'\" unpacked with wrong size!
fi
chmod +x 'policy'
# end of 'policy'
fi
if test -f 'usenet' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'usenet'\"
else
echo shar: Extracting \"'usenet'\" \(698 characters\)
sed "s/^X//" >'usenet' <<'END_OF_FILE'
Xusenet - requests for connection $Revision: 1.5 $ $Date: 91/03/01 21:51:15 $
X^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
X
XUsenet connections to this host may be granted on a case-by-case basis,
X    and shall not be considered unless the requesting system adminis-
X    trator agrees to timely maintain a current usenet map for his/her
X    host. Failure to fulfill this requirement will *certainly* result
X    in termination of uucp connection.
X
XIf a new host login is granted, the administrator will bend every effort
X    to assist in getting the connection working properly and, if it
X    is necessary, filing a properly-documented uucp map.
X
XAny request for uucp connection should be mailed to postmaster@mtek.com.
X
X
X
X
X
X
X
X
X
END_OF_FILE
if test 698 -ne `wc -c <'usenet'`; then
    echo shar: \"'usenet'\" unpacked with wrong size!
fi
# end of 'usenet'
fi
echo shar: End of archive 1 \(of 1\).
cp /dev/null ark1isdone
MISSING=""
for I in 1 ; do
    if test ! -f ark${I}isdone ; then
        MISSING="${MISSING} ${I}"
    fi
done
if test "${MISSING}" = "" ; then
    echo You have the archive.
    rm -f ark[1-9]isdone
else
    echo You still need to unpack the following archives:
    echo " " ${MISSING}
fi
## End of shell archive.
exit 0

exit 0 # Just in case...
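
The README's installation note requires a 'polmenu' file set to mode 666, which lets any user rewrite the menu everyone else sees, and the 'policy' script hands the typed subject to the pager as a path under the policy directory. The following is an added example, not part of the original archive: a variant that builds the menu on every run without any shared writable file and accepts only plain file names inside the directory. The function names, PAGER_CMD and the 'run' argument are assumptions; the POLDIR default is the 'poldir' value from the posted script.

```shell
#!/bin/sh
# Added example (not from the original archive): menu without a shared
# mode-666 'polmenu' file, and selection limited to names inside POLDIR.
POLDIR=${POLDIR:-/usr/local/adm/Policy}   # 'poldir' default from the post
PAGER_CMD=${PAGER_CMD:-more}              # assumption: a pager on PATH

# Emit one menu line per policy file, built fresh on every call. The line
# is line 1 of the file cut at the first '$' (drops RCS keywords), and is
# shown only when its first word equals the file name, as the post requires.
build_menu() {
    for f in "$POLDIR"/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        name=${f##*/}
        first=$(sed -n '1p' "$f" | cut -d'$' -f1)
        case $first in
            "$name"|"$name "*) printf '    %s\n' "$first" ;;
        esac
    done
}

# Print the full path and return 0 only for a plain file name in POLDIR.
# Rejects empty input, path separators, leading '.' or '-', and 'polmenu'.
resolve_policy() {
    case $1 in
        ""|*/*|.*|-*|polmenu) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ -f "$POLDIR/$1" ] && [ -r "$POLDIR/$1" ] || return 1
    printf '%s\n' "$POLDIR/$1"
}

# Interactive loop with the same prompts as the posted script.
policy_loop() {
    while :; do
        printf '\n  DIRECTORY OF LOCAL POLICY\n\n'
        build_menu
        printf "\n  .....or 'q'uit\n\n  To review a policy, type in subject: > "
        read -r sel || break
        case $sel in q|Q) break ;; esac
        if path=$(resolve_policy "$sel"); then
            "$PAGER_CMD" "$path"
        else
            printf "\n  You must provide a name or 'q'uit.\n"
        fi
    done
}

# Run the loop only when invoked with the argument 'run'.
if [ "${1:-}" = "run" ]; then policy_loop; fi
```

With this variant the policy directory and its files can stay owned by the administrator and read-only to everyone else; a removed policy file simply disappears from the next menu.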