Chat now with support

Live-Hilfe anfordern
Registrierung abschließen

Anmelden

Preisinformationen anfragen

Vertrieb kontaktieren

Safeguard for Sudo 7.1.1 - Administration Guide

Inhaltsnavigation

Introducing Safeguard for Sudo

Features and benefits of Safeguard for Sudo How Safeguard for Sudo works

Planning Deployment

System requirements

Supported platforms Reserve special user and group names Required privileges

Estimating size requirements Safeguard licensing Deployment scenarios

Single host deployment Medium business deployment Large business deployment

Installation and Configuration

Download Safeguard for Sudo software packages Quick start and evaluation

Installing the Management Console Uninstalling the Management Console

Configure a Primary Policy Server

Checking the server for installation readiness

TCP/IP configuration Firewalls Hosts database Reserve special user and group names Policy server daemon hosts Check Sudo version

Installing the Safeguard packages

Adding directories to PATH environment

Configuring the Safeguard for Sudo Primary Policy Server

Safeguard for Sudo Server Configuration Settings

Join hosts to policy group

Joining Sudo Plugin to Policy Server Swap and install keys

Configure a secondary policy server

Installing secondary servers Configuring a secondary server

Synchronizing policy servers within a group

Install Sudo Plugin on a remote host

Checking Sudo Plugin Host for installation readiness Installing a Sudo Plugin on a remote host Joining a Sudo Plugin to a primary policy server Verifying Sudo Plugin configuration Load balancing on the client

Remove configurations

Uninstalling the Safeguard software packages Uninstalling Safeguard for Sudo on macOS

Upgrade Safeguard for Sudo

Before you upgrade Upgrading Safeguard packages

Upgrading the server package Upgrading the Sudo Plugin package

Removing Safeguard packages

Removing the server package Removing the Sudo Plugin package

System Administration

Reporting basic policy server configuration information Checking the status of the master policy Checking the policy server Checking policy server status Checking the Sudo Plugin configuration status Installing licenses

Displaying license usage

Listing policy file revisions Viewing differences between revisions Backup and recovery

Managing Security Policy

Security policy types Specifying security policy type The sudo type policy Viewing the security profile changes

Administering Log and Keystroke Files

Configuring keystroke logging for Safeguard for Sudo policy

Validating Sudo commands

Event logging Keystroke (I/O) logging

Viewing the log files using a web browser Viewing the log files using command line tools Listing event logs Backing up and archiving event and keystroke logs

Troubleshooting

Enabling sudo policy debug logging Enabling tracing for Sudo Plugin Join fails to generate a SSH key for sudo policy Join to policy group failed on Sudo Plugin Load balancing and policy updates Policy servers are failing Sudo command is rejected by Safeguard for Sudo Sudo policy is not working properly

Safeguard Variables

Global input variables

argc argv client_parent_pid client_parent_uid client_parent_procname clienthost command cwd date day dayname domainname env false gid group groups host hour masterhost masterversion minute month nice nodename optarg opterr optind optopt optreset optstrictparameters pid pmclient_type pmclient_type_pmrun pmclient_type_sudo pmversion ptyflags requestlocal requestuser rlimit_as rlimit_core rlimit_cpu rlimit_data rlimit_fsize rlimit_locks rlimit_memlock rlimit_nofile rlimit_nproc rlimit_rss rlimit_stack samaccount selinux status submithost submithostip thishost time true ttyname tzname uid umask unameclient uniqueid user year

Global output variables Global event log variables

event exitdate exitstatus exittime

PM settings variables

Safeguard programs

pmcheck pmjoin_plugin pmkey pmlicense pmloadcheck pmlog pmlogadm pmlogsearch pmlogsrvd pmlogxfer pmmasterd pmplugininfo pmpluginloadcheck pmpolicy pmpolicyplugin pmpoljoin_plugin pmpolsrvconfig pmremlog pmreplay

Navigating the log file

pmresolvehost pmserviced pmsrvcheck pmsrvconfig pmsrvinfo pmsum pmsysid

Installation Packages

Package locations Installed files and directories

Unsupported Sudo Options

Unsupported command line sudo options Behavioral change Unsupported Sudoers policy options Unsupported Sudoers directives

Safeguard for Sudo Policy Evaluation

pmshell_interpreter

Description

Type integer READONLY

pmshell_interpreter is only defined if the command is running from within a Privilege Manager for Unix shell program. If the shell subcommand is an interpreted script (that is, the first line of the file contains a directive in the format #!<path>) then this variable contains the pathname of the interpreter identified by this directive. Use this variable to detect and reject a user from running an unrestricted shell script from within a restricted shell program.

Example

if (defined pmshell) 
{ 
   printf("Starting %s shell\n", pmshell_prog); 
   accept; 
} 
if ((defined pmshell_cmd) && (pmshell_cmd == true)) 
{ 
   # if running a restricted shell, then don't allow the user to run a shell 
   # script unless it's a Privilege Manager for Unix shell 
   if (pmshell_restricted && (pmshell_cmdtype == pmshell_script)) 
   { 
      if (dirname(pmshell_interpreter) != "/opt/quest/bin") 
      { 
         reject "Restricted shell only permits you to run a shell in the 
					/opt/quest/bin directory"; 
      } 
   }

Related Topics

pmshell_restricted

pmshell_checkbuiltins

pmshell_restricted

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz Cookie Preference Center