Chat now with support
Chat mit Support

Safeguard for Sudo 7.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard for Sudo Variables Safeguard for Sudo programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

pmjoin_plugin

Syntax
pmjoin_plugin -h | --help [-abioqv] 
                [-d <variable>=<value>] [<policy_server_host>] [-bv] -u
                [--accept] [--batch] [--define <variable>=<value>] [--interactive] 
                [--io-plugin-only][--pipestdin][--verbose] <policy_server_host> ... 
                [--batch] [--verbose] -unjoin -N policy_name [--policyname policy_name]
Description

Run the pmjoin_plugin command after installing the Sudo Plugin package (qpm-plugin) on a remote host to allow it to communicate with the servers in the policy group.

Options

pmjoin_plugin has the following options.

Table 19: Options: pmjoin_plugin
Option Description

-a | --accept

Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/pqm4u_eula.txt.

-b | --batch

Runss in batch mode, does not use colors or require user input.

-d <variable>=<value> | --define <variable>=<value>

Specifies a variable for the pm.settings file and its associated value.

-h | --help

Displays usage information.

-i | --interactive

Runs in interactive mode, prompting for configuration parameters instead of using the default values.

-o | --io-plugin-only

Configures only the I/O logging plugin (io_plugin) without the use of the Sudo Plugin (policy_plugin) .

-q | --pipestdin

Pipes password to stdin if password is required.

-u | --unjoin

Unjoins a Sudo Plugin host from the policy server.

-N policy_name | --policyname policy_name

Use policy_name as the name of the policy instead of the default. This option is used to specify the name of the policy that the server should use when making policy decisions.

-v | --verbose

Displays verbose output while configuring the host.

Files
  • Directory when pmjoin_plugin logs are stored: /opt/quest/qpm4u/install

  • Sudo Plugin configuration file: /etc/sudo.conf

Related Topics

pmmasterd

pmsrvconfig

pmkey

Syntax
pmkey -v  
         -a <keyfile> 
         [ [-l | -r | -i <keyfile>] 
         [-p <passphrase>] [-f]]
Description

Use the pmkey command to generate and install configurable certificates.

In order for a policy evaluation request to run, keys must be installed on all hosts involved in the request. The keyfile must be owned by root and have permissions set so only root can read or write the keyfile.

Options

pmkey has the following options.

Table 20: Options: pmkey
Option Description

-a <keyfile>

Creates an authentication certificate.

-i <keyfile>

Installs an authentication certificate.

-l

Creates and installs a local authentication certificate to this file:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

This is equivalent to running one of the following commands:

  • pmkey -a /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

  • pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

-f

Forces the operation. For example:

  • Ignore the password check when installing keyfile using -i or -r

  • Overwrite existing keyfile when installing local keyfile using -l

-p <passphrase>

Passes the passphrase on the command line for the -a or -l option.

If not specified, pmkey prompts the user for a passphrase.

-r

Installs all remote keys that have been copied to this directory:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_<hostname>

This provides a quick way to install multiple remote keys.

-v

Displays the Safeguard for Sudo version and exits.

Examples

The following command generates a new certificate, and puts it into the specified file:

pmkey -a <filename>

The following command installs the newly generated certificate from the specified file:

pmkey -i <filename>
Related Topics

pmcheck

pmmasterd

pmreplay

pmsum

pmlicense

Syntax
pmlicense -h 
	   [-c]
	   -v [-c]
	   -v <xmlfile> [-c]
	   -l|-x <xmlfile> [-c] [-f] [-e]
	   -u [s|f][-c][-d m|y][-o <outfile>][-s d|h][-t u|p|k]
	   -r [-e]
	   -R <host> [-c]
	   
Description

The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. If you do not supply an option, then pmlicense displays a summary of the combined licenses configured on this host.

Options

pmlicense has the following options.

Table 21: Options: pmlicense
Option Description

-c

Displays output in CSV, rather than human-readable format.

-d

Filters a license report; restricting the date to either:

  • m: Only report licenses used in the past month.

  • y: Only report licenses used in the past year.

-e

Does not forward the license change to the other servers in the group.

-f

Does not prompt for confirmation in interactive mode.

-h

Displays usage.

-l <xmlfile>

Configures the selected XML license file, and forwards it to the other servers in the policy group.

This option must be run as the root user or a member of the pmpolicy group.

-o <outfile>

Sends report output to selected file rather than to the default. For csv output, the default is file: /tmp/pmlicense_report_<uid>.txt; for human-readable output, the default is stdout.

-r

Regenerates and configures the default trial license, removing any configured commercial licenses, and forwards this change to the other servers in the policy group.

-R <host>

Remove the specified from the local policy server's license database. Normally, the client is removed automatically when it is unjoined from the policy server group. This option can be used to remove a client that has been retired without being explicitly unjoined.

-s

Sort the report data by either:

  • d: date (newest first)

  • h: hostname (lowest first)

-t

Filters license report by client type:

  • u: Privilege Manager for Unix client

  • p: sudo policy plugin

  • k: sudo keystroke plugin

-u

Displays the current license utilization on the master policy server:

  • s: Show summary of hosts licensed

  • f: Show full details of hosts licensed, with last used times

-v

If you do not provide a file argument, it displays the details of the currently configured license. If you provide a file argument, it verifies the selected XML license file and displays the license details.

-x <xmlfile>

Configures the selected XML license file.

This option is deprecated, use the "-l" option instead.

License data is updated periodically by the pmloadcheck daemon. For more details, see pmloadcheck (or pmpluginloadcheck).

Examples

To display current license status information, enter the following:

# pmlicense

Safeguard for Sudo displays the current license information, noting the status of the license. The output will be similar to the following:

*** One Identity Safeguard *** 
*** Privilege Manager for Unix VERSION 6.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address: <IP> 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0

*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID
*License Key                                   PSXG-GPRH-PIGF-QDYV 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               1000

To update or create a new a license, enter the following at the command line:

pmlicense -l <xmldoc>

Safeguard for Sudo displays the current license information, noting the status of the license, and then validates the information in the selected .xml file, for example:

*** One Identity Safeguard for Sudo *** 
*** Safeguard for Sudo VERSION 7.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address:<IP> *** 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0 
*** Validating license file: <xmldoc> *** 
*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID 
*License Key                                   PNFT-FDIO-YSLX-JBBH 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               100 
*** The selected license file (<xmldoc>) contains a valid license *** 

Would you like to install the new license? y 
Type y to update the current license. 
Archiving current license… [OK] 
*** Successfully installed new license ***
Related Topics

pmmasterd

Installing licenses

Displaying license usage

pmloadcheck (or pmpluginloadcheck)

Syntax
pmloadcheck -v 
               -s|-p|-i [-e <interval>][-t <sec>] 
               [-c|-f][-b][ -h <master>][-t <sec>] [-a][-r]
Description

The pmloadcheck (or pmpluginloadcheck) daemon runs on the Safeguard for Sudo policy servers. By default, the daemon verifies the status of the configured policy servers every 60 minutes. It controls load balancing and failover for connections made from the host to the configured policy servers, and on secondary servers, it sends license data to the primary server.

When the pmloadcheck (or pmpluginloadcheck) daemon runs, it attempts to establish a connection with the policy servers to determine their current status. If pmloadcheck (or pmpluginloadcheck) successfully establishes a session with a policy server, it is marked online and is made available for normal client sessions. If pmloadcheck (or pmpluginloadcheck) does not successfully establish a session with a policy server, it is marked offline.

Information is gathered from a policy server each time a normal client session connects to the policy server. This information is used to determine which policy server to use the next time a session is requested. If an agent cannot establish a connection to a policy server because, for example, the policy server is offline, then this policy server is marked as offline and no more connections are submitted to this policy server until it is marked available again.

To check the current status of all configured policy servers, and display a brief summary of their status, run pmloadcheck (or pmpluginloadcheck) with no options. To show the full details of each policy server status, add the -f option.

Options

pmloadcheck (or pmpluginloadcheck) has the following options.

Table 22: Options: pmloadcheck (or pmpluginloadcheck)
Option Description

-a

Verifies the connection as if certificates were configured.

-b

Runs in batch mode.

-c

Displays output in CSV format.

-e <interval>

Sets the refresh interval (in minutes) to determine how often the pmloadcheck (or pmpluginloadcheck) daemon checks the policy server status. The default value is 60.

-f

Shows full details of the policy server status when verifying and displaying policy server status.

-h <master>

Selects a policy server to verify.

-i

Starts up the pmloadcheck (or pmpluginloadcheck) daemon, or prompts an immediate recheck of the policy server status if it is already running.

-P

Sends SIGNUP to a running daemon.

-p

Pauses a running daemon by sending SIGUSR1.

-r

Reports last cached data for selected servers instead of connecting to each one.

-s

Stops the pmloadcheck (or pmpluginloadcheck) daemon if it is running.

-t <sec>

Specifies a timeout (in seconds) to use for each connection.

-v

Displays the version string and exits.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen