Chat now with support
Chat mit Support

Safeguard for Sudo 7.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard for Sudo Variables Safeguard for Sudo programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

exittime

Description
Type string READONLY

exittime is the time the requested command finished running (HH:MM:SS)

Example
#display all commands that finished after 6pm 
pmlog -c 'exittime > "18:00:00"'
Related Topics

exitstatus

exitdate

PM settings variables

This section describes the settings and parameters used by Safeguard for Sudo. These settings are stored on each host in the /etc/opt/quest/qpm4u/pm.settings file which contains a list of settings, one per line, in the form: settingName value1 [value2 [... valuen]].

You can modify these policy server configuration settings using the configuration script initialized by either the pmsrvconfig or pmjoin_plugin commands; or you can modify the pm.settings file manually. For details about running the configuration script, see Configuring the Safeguard for Sudo Primary Policy Server.

If you manually change the pm.settings file, restart the pmserviced and/or pmloadcheck daemons in order for the changes to take effect.

The following table describes each of the pm.settings variables:

Defaults may differ depending on the platform you are configuring and whether you are configuring a policy server or Sudo Plugin. Many of these settings will not have a default value.

The variables are not case sensitive.

Table 13: Variables: pm.settings
Variable Data type Description

auditsrvCAbundle

string

The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database when doing TLS authentication.

Example:

/etc/ssl/sudo/ca.bundle.pem

auditsrvCert

string

The path to the policy server's certificate file, in PEM format. Used for TLS only.

Example:

/etc/ssl/sudo/qpm_qpmdevel1.cert.pem

auditsrvEnabled

boolean

(YES/NO)

Specifies if audit server logging is on or off.

The default is NO.

For more information, see Audit server logging on

auditsrvEnforced

boolean

(YES/NO)

If YES, the audit server connection failures will be fatal.

If NO, the audit log will be collected encrypted on the file system.and sent again to the server if it comes back.

auditsrvHosts

list of host ports of the audit sever

The host:port of the audit server. Host can be an ipv4/ipv6/hostname. Multiple hosts need to be separated by comma.

Example:

qpmdevel1.qpmdomain:30344,127.0.0.1:30344

auditsrvKeepalive

boolean

(YES/NO)

Select whether keepalive is enabled on the connection.

auditsrvLocaliologs

boolean

(YES/NO)

If YES, old pmlog io logs are also written.

if NO, io logs are only stored by the sudo log server.

auditsrvLogdir

string

If auditsrvEnforced is NO, this is the log directory where audit logs get saved temporarily until they can be sent successfully.

Example:

/var/opt/quest/qpm4u/auditserver

auditsrvPkey

string

The path to the private key of the policy server, in PEM format. Used for TLS only.

Example:

/etc/ssl/sudo/qpm_qpmdevel1.key.pem

auditsrvPSpaceMB

boolean

(YES/NO)

The minimum amount of disk space needed before starting to write an audit trail to the temporary storage. This is to prevent disk space filled up. If the disk space is lower, the policy server will reject the connections, just like if it was in "enforced" mode.

auditsrvTimeout

integer

The connection timeout in seconds. 3 seconds is recommended.

auditsrvTLS

boolean

(YES/NO)

If YES, the communication with all the servers will use TLS. Specifying a key is required in this case.

auditsrvTLSCheckpeer

boolean

(YES/NO)

If YES, client certificates will be validated by the server; clients without a valid certificate will be unable to connect.

If NO, no validation of client certificates will be performed.

If true and client certificates are created using a private certificate authority, the tls_cacert setting must be set to a CA bundle that contains the CA certificate used to generate the client certificate.

The default value is NO.

auditsrvTLSVerify

boolean

(YES/NO)

If YES, the server certificate will be verified at startup and clients will authenticate the server by verifying its certificate and identity.

If NO, no verification is performed of the server certificate by the server or the client. When using self-signed certificates without a certificate uthority, this setting should be set to NO.

The default value is YES.

certificates

boolean (YES/NO)

Specifies whether certificates are enabled. To enable configurable certification, add the following statement to the /etc/opt/quest/qpm4u/pm.settings file on each host: certificates yes.

checksumtype

string

Specifies standard or MD5 checksum types for use with pmsum program.

clients

list of hostnames

Identifies hosts for which remote access functions are allowed. Only required if one policy server needs to retrieve remote information from another policy server that does not normally accept requests from it.

For more information, see Central logging with Privilege Manager for Unix.

clientverify

string

Identifies the level of host name verification applied by the policy server host to the submit host name. The verification ensures that the incoming IP address resolves (on the primary policy server) to the same host name as presented by the submit host.

Valid values are:

  • none: No verification performed.

  • yes: If a host name is presented for verification by the runclient it will be verified.

  • All: The policy server will only accept a request from a client if the host name is verified.

Default: NONE

encryption

string

Identifies the encryption type. You must use the same encryption setting on all hosts in your system.

Valid values are:

  • AES

  • DES

  • TripleDES

Default: AES

eventlogqueue

string

Directory used by pmmasterd and pmlogsrvd where event data is temporarily queued prior to being written to the event log database.

Default: /var/opt/quest/qpm4u/evcache

EventQueueFlush

integer

Tells pmlogsrvd how often to reopen the db (in minutes) flushing the data.

Default: 0, in which case pmlogsrvd will keep the db open while the service is running.

EventQueueProcessLimit

integer

Specifies the number of cached events that will be processed at a time; this limits the memory use in pmlogsrvd.

Default: 0, in which case pmlogsrvd will not apply a limit.

facility

string

Sets the SYSLOG facility name to use when logging a message to the syslog file.

Valid values are:

  • LOG_AUTH

  • LOG_CRON

  • LOG_DAEMON

  • LOG_KERN

  • LOG_LOCAL0 through LOG_LOCAL7

  • LOG_LPR

  • LOG_MAIL

  • LOG_NEWS

  • LOG_USER

  • LOG_UUCP

Default: LOG_AUTH, if the platform defines LOG_AUTH; otherwise the default is 0 (zero).

failovertimeout

integer

Sets the timeout in seconds before a connection attempt to a policy server is abandoned and the client fails over to the next policy server in the list.

This setting also affects the timeout for the client and agent.

Default: 10 seconds. If omitted from pm.settings, default is 180 seconds.

fwexternalhosts

list

Identifies a list of hosts to use a different range of source ports, identified by the openreservedport and opennonreserved port settings.

getpasswordfromrun

boolean (YES/NO)

Determines whether authentication is performed on the policy server or the client when a getuserpasswd() or getgrouppasswd() function is called from the policy file. If set to yes, the authentication is performed on the client.

This variable also affects the user information functions: getfullname(), getgroup(), getgroups(), gethome(), and getshell(). If set to yes in the policy server's pm.settings file, these functions retrieve user information from the client host.

Default: NO

handshake

boolean (YES/NO)

Enables the encryption negotiation handshake. This allows a policy server to support clients running different levels of encryption.

Default: NO

kerberos

boolean (YES/NO)

Enables or disables Kerberos.

Default: NO

keytab

string

Sets the path to the Kerberos keytab file.

Default: /etc/opt/quest/vas/host.keytab

krb5rcache

string

Sets the path to the Kerberos cache.

Default: /var/tmp

krbconf

string

Sets the path to the Kerberos configuration file.

Default: /etc/opt/quest/vas/vas.conf

libldap

string

Specifies the pathname to use for the LDAP library.

No default value.

localport

integer

Sets the TCP/IP port to use for pmlocald.

Default: 12346

logFormat

string

Specifies the format used for syslog and local file logging. The valid values are:

  • CEF for logging in Common Event Format.

  • default for human-readable logs.

lprincipal

string

Sets the service principal name to use for the agent.

Default: pmlocald

masterport

integer

Specifies the TCP/IP port to use for pmmasterd.

Default: 12345

masters

list

Identifies a list of policy server hosts to which a client can submit requests for authorization, and from which an agent can accept authorized requests. This can contain host names or netgroups.

No default value.

maxofflinelogs

integer

Sets the maximum number of offline keystroke or event logs that can be transferred to a policy server in a single transaction. If defined on the policy server, pmmasterd on the server only accepts that number of offline logs from a client in a single request. If configured on a plugin, the plugin only tries to send that number of logs at a time.

No default value.

mprincipal

string

Sets the Kerberos service principal name to use for the policy server.

Default: host

nicevalue

integer

Sets the execution priority level for Safeguard for Sudo processes.

Default: 0

offlinetimeout

integer

Sets the timeout in milliseconds before an off-line policy evaluation occurs on a Sudo Plugin host.

Default: 1500 (1.5 seconds)

Setting offlineTimeout to 0 in the pm.settings file, forces the cache service to always perform offline (local-only) policy evaluation for sudo requests.

opennonreserveportrange

integer integer

Specifies a range of non-reserved ports to use as source ports when connecting to a host in the fwexternalhosts list.

No default value.

openreserveportrange

integer integer

Specifies a range of reserved ports to use as source ports when connecting to a host in the fwexternalhosts list.

No default value.

pmclientdenabled

boolean (YES/NO)

Flag that enables the pmclientd daemon.

pmclientdopts

string

Sets the options for the pmclientd daemon.

pmloadcheckInterval

integer

Sets the refresh interval (in minutes) to determine how often the pmloadcheck daemon checks the policy server status. To override the interval, use pmloadcheck -e.

The default value is 60.

pmlocaldenabled

boolean (YES/NO)

Flag that enables the pmlocald daemon.

pmlocaldlog

string

Sets the path for the agent error log.

Default: /var/adm/pmlocald.log or /var/log/pmlocald.log depending on the platform.

For more information, see Local logging..

pmlocaldopts

string

Sets the options for the pmlocald daemon.

pmloggroup

string

Specifies the group ownership for iolog and eventlogs.

Default: pmlog

pmlogsrvlog

string

Identifies the log used by the pmlogsrvd daemon.

pmmasterdenabled

boolean (YES/NO)

Flag that enables the pmmasterd daemon.

Default: YES

pmmasterdlog

string

Sets the path for the master error log.

Default: /var/adm/pmmasterd.log or /var/log/pmmasterd.log depending on the platform.

For more information, see Local logging..

pmmasterdopts

string

Sets the options for the pmmasterd daemon.

Default: -ar

pmrunlog

string

Sets the path for the client error log.

Default: /var/adm/pmrun.log or /var/log/pmrun.log depending on platform.

For more information, see Local logging..

pmservicedlog

string

Identifies the log used by the pmserviced daemon.

Default: /var/log/pmserviced.log

pmtunneldenabled

boolean (YES/NO)

Flag that enables the pmtunneld daemon.

pmtunneldopts

string

Sets the options for the pmtunneld daemon.

policydir

string

Sets the directory in which to search for policy files

Default: /etc/opt/quest/qpm4u/policy

policyfile

string

Sets the main policy filename.

Default: pm.conf

policymode

string

Specifies the type of security policy to use, pmpolicy or Sudo.

Default: sudo

reconnectagent

boolean (YES/NO)

Allows backwards compatibility with older agents on a policy server. Settings on policy server and agents must match.

Default: NO

reconnectclient

boolean (YES/NO)

Allows backwards compatibility with older clients on a policy server. Settings on policy server and client must match.

Default: NO

selecthostrandom

boolean (YES/NO)

Set to yes to attempt connections to the list of policy servers in random order.

Set to no to attempt connections to the list of policy servers in the order listed in pm.settings.

Default: YES

setnonreserveportrange

integer integer

Specifies a range of non-reserved ports to use as source ports by the client and agent.

  • Minimum non-reserved port is 1024.

  • Maximum non-reserved port is 31024.

The full range for non-reserved ports is 1024 to 65535.

setreserveportrange

integer integer

Specifies a range of reserved ports to use as source ports by the client when making a connection to the policy server.

  • Minimum reserved port is 600.

  • Maximum reserved port is 1023.

The full range for reserved ports is 600 to 1023.

setutmp

boolean (YES/NO)

Specifies whether pmpluginadds a utmp entry for the request.

Default: YES

shortnames

boolean (YES/NO)

Enables or disables short names usage. Setting shortnames to yes allows the use of short (non-fully qualified) host names. If set to no, then the Safeguard for Sudo components will attempt to resolve all host names to a fully qualified host name.

Default: YES

sshKeyTypes

string

Specifies the SSH key types that will be used to access the policy and log files.

Valid values are:

  • rsa

  • ecdsa

  • ed25519

Default:

  • rsa

  • ecdsa

sudoersfile

string

Sets the path to the sudoers policy file, if using the Sudo policy type.

Default: /etc/opt/quest/qpm4u/policy/sudoers

sudoersgid

integer

Sets the group ownership of the Sudoers policy, if using the Sudo policy type.

Default: 0

sudoersmode

integer

Sets the UNIX file permissions of the Sudoers policy, if using the sudo policy type. Specify it as a four-digit octal number (containing only digits 0-7) to determine the user's file access rights (read, write, execute).

Default: 0400

sudoersuid

integer

Sets the user ownership of the Sudoers policy.

Default: 0

syslog

boolean (YES/NO)

Set to yes to send error messages to the syslog file as well as to the Safeguard for Sudo error log.

Default: YES

For more information, see Local logging..

thishost

string

Sets the client's host name to use for verification. Specifying a thishost setting causes the Privilege Manager components to bind network requests to the specified host name or IP address. If you set thishost to the underscore character ( _ ), requests bind to the host's primary host name.

No default value.

tunnelport

integer

Sets the TCP/IP port to use for the pmtunneld daemon.

Default: 12347

For more information, see Configuring pmtunneld.

tunnelrunhosts

list

Identifies the hosts on the other side of a firewall.

No default value.

For full details of how to configure your system across a firewall, see Configuring Firewalls.

utmpuser

string

Specifies which user name pmplugin logs to the utmp entry.

Valid values are:

  • submituser

  • runuser

To log an entry to utmp, specify "setutmp yes".

These settings only take effect if the sudoers policy allocates a pty.

A pseudo-tty is allocated by sudo when the log_input, log_output or use_pty flags are enabled in sudoers policy.

Default: submituser

validmasters

list

Identifies a list of policy servers that can be identified using the pmrun -m <master> option, but that will not be used when you run a normal pmrun command. This is useful for testing connections to a policy server before bringing it on line.

No default value.

Safeguard for Sudo programs

This section describes each of the Safeguard for Sudo programs and their options. The following table indicates which Safeguard for Sudo component installs each program.

Table 14: Privilege Manager programs
Name Description Server Agent Sudo

pmauditsrv

Verifies that the configured audit servers are accessible and configured properly and exchanges a "hello" message with the server.

If the audit server is not accessible, stores the events and keystroke (IO) logs temporarily offline and sent to the audit server when it is available.

X

N/A

N/A

pmcheck

Verifies the syntax of a policy file.

X

N/A

X

pmcheckperms

Checks the ownership and permissions of Privilege Manager files on the system.

X

X

X

pmgit

The pmgit utility is used to configure Git policy management for Privilege Manager for Unix.

X

X

N/A

pmjoin_plugin

Joins a Sudo Plugin to the specified policy server. Joining configures the remote host to communicate with the servers in the group.

X

N/A

X

pmkey

Generates and installs configurable certificates.

X

X

X

pmlicense

Displays current license information and allows you to update a license (an expired one or a temporary one before it expires) or create a new one.

X

N/A

N/A

pmloadcheck (or pmpluginloadcheck)

Controls load balancing and failover for connections made from the host to the configured policy servers.

X

X

N/A

pmlog

Displays entries in a Privilege Manager for Unix event log.

X

N/A

N/A

pmlogadm

Manages encryption options on the event log.

X

N/A

N/A

pmlogsearch

Searches all logs in a policy group based on specified criteria.

X

N/A

N/A

pmlogsrvd

The Privilege Manager for Unix log access daemon, the service responsible for committing events to the Privilege Manager for Unix event log and managing the database storage used by the event log.

X

 

 

pmlogxfer

Transfers event logs and I/O logs after an off-line policy evaluation has occurred. pmlogxfer is initiated by pmloadcheck when there are log files queued for transfer from a Sudo Plugin host to the server.

N/A

N/A

X

pmmasterd

The Privilege Manager for Unix Master daemon which examines each user request and either accepts or rejects it based upon information in the Privilege Manager configuration file. You can have multiple pmmasterd daemons on the network to avoid having a single point of failure.

X

N/A

X

pmplugininfo

Displays information about the policy server group that the Sudo Plugin host has joined.

X

N/A

X

pmpluginloadcheck

A daemon that runs on each Sudo Plugin host and controls load balancing and failover for connections made from the host to the configured policy servers.

X

N/A

X

pmpolicy

A command-line utility for managing the Privilege Manager for Unix security policy. This utility checks out the current version, checks in an updated version, and reports on the repository.

X

N/A

N/A

pmpolicyplugin

Displays the revision status of the cached security policy on a Sudo Plugin host; allows you to request an update from the central repository.

N/A

N/A

X

pmpoljoin_plugin

Adjunct program to the pmjoin_plugin script. pmpoljoin_plugin is called by the pmjoin_plugin script when configuring a Sudo Plugin host to setup up the required read-only access to the policy repository, so that the client can operate in off-line mode.

N/A

N/A

X

pmpolsrvconfig

Configures (or unconfigures) a primary or secondary policy server. Allows you to grant a user access to a repository.

X

N/A

N/A

pmremlog

Provides a wrapper for the pmlog and pmreplay utilities to access the event (audit) and keystroke (I/O) logs on any server in the policy group.

X

N/A

N/A

pmreplay

Replays an I/O log file allowing you to review what happened during a previous privileged session.

X

N/A

N/A

pmresolvehost

Verifies the host name or IP resolution for the local host or a selected host.

X

X

X

pmserviced

The Privilege Manager for Unix Service daemon listens on the configured ports for incoming connections for the Privilege Manager for Unix daemons. pmserviced uses options in pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon.

X

X

X

pmsrvcheck

Checks the Privilege Manager for Unix policy server configuration to ensure it is setup properly.

X

N/A

N/A

pmsrvconfig

Configures a primary or secondary policy server.

X

N/A

N/A

pmsrvinfo

Verifies the policy server configuration.

X

N/A

N/A

pmsum

Generates a simple checksum of a binary.

X

N/A

N/A

pmsysid

Displays the Privilege Manager for Unix system ID.

X

X

X

pmauditsrv

Syntax
$ pmauditsrv -h
Usage: pmauditsrv [-h] [-v] [-z on|off]
Usage: pmauditsrv check|send [ -o <serverlist> ] [ -b <ca_bundle_file> ] [ -k <privatekey_file> ] [ -c <certificate_file> ] [ -s ]
Description

Use pmauditsrv for the following:

  • pmauditsrv verifies that the configured audit servers are accessible and configured properly. This includes verifying that certificates and keys are configured properly for TLS communication, if enabled. pmauditsrv exchanges a "hello" message with the server.

  • When the policy server is configured for "not enforced mode" and the audit server is not accessible, pmauditsrv can be used to store the event logs and keystroke (IO) logs temporarily offline. pmauditsrv sends the logs to the audit server once it is available. If the connection to the audit server was broken in the middle of the command run and the log is a partial log, the log will be sent to the same server that received the first part of the message. Logs which are not partial logs are sent to the audit servers according to the actual configuration. Changing the auditserver configurations can solve transferring full but not partial logs.

By default, the pmloadcheck program executes pmauditsrv in every 30 minutes to transfer any audit trail files found in the configured cache directory to the audit server. If the file can not be processed (for example, the file is corrupt), pmauditsrv moves the file into a subdirectory (quarantine).

pmauditsrv can be called manually for troubleshooting an issue.

With command ’check’ .B, pmauditsrv can be also used to check connection to the configured audit servers or the server specified with command line arguments.

Errors logs are stored in /var/log/pmmasterd.log.

Options

pmauditsrv has the following options.

Table 15: Options: pmauditsrv
Option Description

-h

Display a help usage information and exit.

-v

Display the version number of the pmauditsrv program and exit.

-z on | off

Turn debug tracing on or off, then exit.

-o <serverlist>

Specify audit servers.

Format: addr1:port1..addrn:portn where addr is either IP or hostname.

-b <ca_bundle_ file>

Specify CA bundle file for TLS connection.

-k <privatekey_ file>

Specify private key file for TLS connection

-c <certificate_ file>

Specify certificate file for TLS connection

-s

Redirects all error messages to the syslog.

Related Topics

pmloadcheck (or pmpluginloadcheck)

pmmasterd

pmsrvconfig

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen