NOTE: The code for this project is now hosted on github.

Introduction

SLAF is a framework that allows mimicking commonly used Linux commands by implementing simple plugins. It allows admins to white list selected files to enable certain users, such as developers, to perform operations like 'grep' and 'less' on files which normally do not have user read permissions.

A SLAF plugin consists of a Ruby script conforming to a specific structure and a symbolic link to runslaf.rb. The link shares the name of the plugin, for example slafless, and is used to execute the plugin.

SLAF also allows plugins to log access events directly to syslog.

Usage

SLAF commands are commonly run under 'sudo'.

>sudo slafcommand [args] [file]

Example 1 - Executing slafless on /var/log/foo.log

>sudo slafless /var/log/foo.log

Configuration

Custom configuration is done by editing /etc/slaf/slaf.cfg.

Example 1

1 whitelist.file = /var/log/foo.log
2 plugin.slafless.whitelist.file = /var/log/**
3 plugin.slafless.whitelist.file = /var/foo.log
4 path = /usr/bin:/bin

Currently three options can be set in the config file:

  1. White list a file/directory for all plugins.
  2. White list a file/directory for a specific plugin.
  3. Change the value of the $PATH environment variable at runtime.

In the example slaf.cfg, line 1 white lists a file globally, i.e. for all installed plugins.

In line 2 all files are recursively white listed for the plugin 'slafless' (simple plugin for the Linux 'less' command), starting from /var/log/.

In line 4 the environment variable, $PATH, is set. This is done by following the standard Linux conventions of separating paths with a colon. (SLAF does not currently allow you to set other environment variables.)

Please note that when you wish to white list multiple files, globally or for a specific plugin, each declaration must be on a separate line.

Example 2

whitelist.file = /var/log/foo.log
whitelist.file = /var/log/bar.log
plugin.slafless.whitelist.file = /var/log/**
plugin.slafless.whitelist.file = /var/foo.log
path = /usr/bin:/bin
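
The whitelist rules described above, sketched as an added Ruby example (not SLAF's own code). The function names are hypothetical, and it assumes that "dir/**" covers everything below dir, that any other entry is an exact path, and that requests are checked against their canonical form.

```ruby
# Added example: NOT SLAF's own code. Matching rules are assumptions.

# Constructed sample with the same shape as Example 2.
SAMPLE_CFG = <<~CFG
  whitelist.file = /var/log/foo.log
  whitelist.file = /var/log/bar.log
  plugin.slafless.whitelist.file = /var/log/**
  plugin.slafless.whitelist.file = /var/foo.log
  path = /usr/bin:/bin
CFG

# Parse slaf.cfg text. Repeated keys accumulate, one declaration per line.
def parse_slaf_cfg(text)
  cfg = { global: [], plugins: Hash.new { |h, k| h[k] = [] }, path: nil }
  text.each_line do |line|
    key, value = line.split("=", 2).map(&:strip)
    next if value.nil? || value.empty?
    case key
    when "whitelist.file" then cfg[:global] << value
    when /\Aplugin\.([A-Za-z0-9_]+)\.whitelist\.file\z/ then cfg[:plugins][$1] << value
    when "path" then cfg[:path] = value
    end
  end
  cfg
end

# Assumed semantics: "dir/**" is recursive, anything else is an exact path.
def entry_matches?(entry, canonical)
  if entry.end_with?("/**")
    canonical.start_with?(entry.delete_suffix("**"))
  else
    canonical == entry
  end
end

# Decide on the canonical path, never on the string the user typed.
def allowed?(cfg, plugin, requested)
  return false unless requested.start_with?("/") && !requested.include?("\0")
  canonical = File.expand_path(requested) # lexical only: collapses "..", "//", "."
  # On a real host, File.realpath would also resolve symlinks that sit
  # inside a whitelisted directory before the comparison is made.
  entries = cfg[:global] + cfg[:plugins].fetch(plugin, [])
  entries.any? { |e| entry_matches?(e, canonical) }
end
```

With the sample configuration, /var/log/app/debug.log is allowed for slafless only, while /var/log/../../etc/shadow is refused for every plugin because it canonicalizes to a path outside the white list.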

Note

Since SLAF commands normally target files which the user may not have read rights on, it is recommended that you add SLAF users to your sudoers list.

Creating SLAF plugins.

SLAF commands consist of two parts.

  1. Ruby script.
  2. Symbolic link to runslaf.rb.

Ruby Script

SLAF plugins are built by using the following convention:

newcommand(:name => "slafpluginname", :allow_arguments => bool) do |file, args|
    SLAF.log("slafpluginname", file) # optional
    exec(string)
end

The :allow_arguments parameter is set to true if you intend to allow users to set command flags.

Example 1 - allow_arguments = true

>sudo slafless -M /var/log/foo.log

Setting this to false will disallow flags.

Example 2 - allow_arguments = false

>sudo slafless -M /var/log/foo.log 
-M not added to arugments list. - arguments are disabled for slafless

The variables file and args are the target file and additional arguments respectively.

Although logging the event is considered optional in the plugin structure, it is highly recommended that you do.

Example 3 - exec call

exec("nice -n 19 cat #{args} #{file}")

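In this example, taken from the default slafcat plugin, the exec call executes 'cat' with args on file with niceness level set to 19. Note that when exec is given a single string containing shell metacharacters, Ruby hands the command to the shell, so args and file are interpreted by the shell; passing the command and each argument to exec as separate parameters avoids this.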

Note that these scripts reside in /etc/slaf.

Example 4 - /etc/slaf/slafless_command.rb

# Basic less plugin

newcommand(:name => "slafless") do |file, args|
    # LESSSECURE=1 runs less in secure mode (no shell escapes, no editing)
    ENV["LESSSECURE"] = "1"
    SLAF.log("slafless", file)
    exec("nice -n 19 /usr/bin/less #{args.join(" ")} #{file}")
end

Symbolic Link

Each plugin script has a corresponding symbolic link that resides in /usr/bin. This link is created with:

>cd /usr/bin
>ln -s slafpath/runslaf.rb slafcommandname

Note

Please ensure that symbolic links are named slafcommandname and that the Ruby script is named slafcommandname_command.rb.
