Privilege Manager for Unix 7.1.1 - Administration Guide

TCP/IP configuration Firewalls Hosts database Reserve special user and group names Applications and file availability Policy server daemon hosts Local daemon hosts

Installing the Privilege Manager for Unix packages

Modifying PATH environment variable

Configuring the primary policy server for Privilege Manager for Unix

pmpolicy server configuration settings Verifying the primary policy server configuration Recompile the whatis database

Join hosts to policy group

Joining PM Agent to a Privilege Manager for Unix policy server

Agent configuration settings Swap and install keys

Configure a secondary policy server

Installing secondary servers Configuring a secondary server

Synchronizing policy servers within a group

Install PM Agent on a remote host

Checking PM Agent host for installation readiness Installing a PM Agent on a remote host Joining the PM Agent to the primary policy server Verifying PM Agent configuration Load balancing on the client

Remove configurations

Uninstalling the Privilege Manager for Unix software packages

Upgrade Privilege Manager for Unix

Before you upgrade Upgrading Privilege Manager for Unix packages

Upgrading the server package Upgrading the PM Agent package

Removing Privilege Manager for Unix packages

Removing the server package Removing the PM Agent package

System Administration

Reporting basic policy server configuration information Checking the status of the master policy Checking the policy server Checking policy server status Checking the PM Agent configuration status Installing licenses

Displaying license usage

Listing policy file revisions Viewing differences between revisions Backup and recovery

Managing Security Policy

Security policy types Specifying security policy type pmpolicy type policy Modifying complex policies Viewing the security profile changes

The Privilege Manager for Unix Security Policy

Default profile-based policy (pmpolicy)

Policy profiles Profile-based policy files Profile selection Profile variables

Exploring profiles Customizing the default profile-based policy (pmpolicy)

Customization example - pf_forbidusers list

Policy scripting tutorial

Install the example policy file Create test users Set Lesson number variable Introductory lessons

Lesson 1: Basic policy Lesson 2: Conditional privilege Lesson 3: Specific commands Lesson 4: Policy optimization with list variables Lesson 5: Keystroke logging Lesson 6: Conditional keystroke logging Lesson 7: Policy optimizations

Advanced lessons

Lesson 8: Controlling the execution environment Lesson 9: Flow control Lesson 10: Basic menus

Sample policy files

Main policy configuration file Lesson 1 Sample: Basic policy Lesson 2 Sample: Conditional privilege Lesson 3 Sample: Specific commands Lesson 4 Sample: Policy optimizations with list variables Lesson 5 Sample: Keystroke logging Lesson 6 Sample: Conditional keystroke logging Lesson 7 Sample: Policy optimizations Lesson 8 Sample: Controlling the execution environment Lesson 9 Sample: Flow control Lesson 10 Sample: Basic menus

Advanced Privilege Manager for Unix Configuration

Privilege Manager for Unix shells

Privilege Manager for Unix shell features Forbidden commands Allowed commands Allowed piped commands Check shell built-in commands Read-only variable list Running a shell in restricted mode Additional shell considerations

Configuring Privilege Manager for Unix for policy scripting

Configuration prerequisites Configuration file examples

Example 1: Basics Example 2: Accept or reject requests Example 3: Command constraints Example 4: Lists Example 5: I/O logging, event logging, and replay Example 6: More complex policies Example 7: Use variables to store constraints Example 8: Control the run-time environment Example 9: Switch and case statements Example 10: Menus

Use the while loop Use parallel lists Best practice policy guidelines Multiple configuration files and read-only variables Mail Environmental variables NIS netgroups Specify trusted hosts

Configuring firewalls

Privilege Manager for Unix port usage Restricting port numbers for command responses Configuring pmtunneld Configuring Network Address Translation (NAT)

Configuring Kerberos encryption Configuring certificates

Enable configurable certification

Configuring alerts Configuring Pluggable Authentication Method (PAM)

Utilizing PAM authentication Authenticate PAM to client

Administering Log and Keystroke Files

Controlling logs Local logging

Event logging Keystroke (I/O) logging

Keystroke (I/O) logging policy variables

Central logging with Privilege Manager for Unix Controlling log size with Privilege Manager for Unix Viewing the log files using a web browser Viewing the log files using command line tools Listing event logs Backing up and archiving event and keystroke logs

InTrust Plug-in for Privilege Manager for Unix

InTrust Plug-in requirements Installing InTrust Plug-in components InTrust Plug-in installation prerequisites Configuring the policy server for the InTrust Plug-in Installing the InTrust Knowledge Pack

InTrust Knowledge Pack objects

Installing the InTrust Reporting Pack Configuring the InTrust data collection Viewing InTrust reports Generating reports

Gathering InTrust data

Troubleshooting

Displaying profile-based policy debug information Enabling program-level tracing Load balancing and policy updates Policy servers are failing

Privilege Manager for Unix Policy File Components

Lexical and syntactic productions Data types Operators and expressions

Privilege Manager for Unix Variables

Variable names Variable scope Global input variables

alertkeymatch argc argv bkgd client_parent_pid client_parent_uid client_parent_procname clienthost command cwd date day dayname domainname env false FEATURE_LDAP FEATURE_VAS gid group groups host hour masterhost masterversion minute month nice nodename optarg opterr optind optopt optreset optstrictparameters pid pmclient_type pmclient_type_pmrun pmclient_type_sudo pmshell pmshell_builtin pmshell_cmd pmshell_cmdtype pmshell_exe pmshell_interpreter pmshell_prog pmshell_script pmshell_uniqueid pmversion ptyflags requestlocal requestuser rlimit_as rlimit_core rlimit_cpu rlimit_data rlimit_fsize rlimit_locks rlimit_memlock rlimit_nofile rlimit_nproc rlimit_rss rlimit_stack samaccount selinux status submithost submithostip thishost time true ttyname tzname uid umask unameclient unamemaster uniqueid use_rundir use_rungroup use_rungroups use_runshell user year

Global output variables

alertkeyaction alertkeysequence disable_exec eventlog eventloghost execfailedmsg iolog iolog_encrypt iolog_errmax iolog_opmax iologhost log_passwords logomit logstderr logstdin logstdout notfoundmsg passprompts pmshell_allow pmshell_allowpipe pmshell_checkbuiltins pmshell_forbid pmshell_readonly pmshell_reject pmshell_restricted preserve_clienthost profile_keepenv profile_setenv profile_unsetenv profile_use_runuser rejectmsg runargv runbkgd runchroot runcksum runclienthost runcommand runconfirmuser runcwd runenablerlimits runenv rungroup rungroups runhost runnice runpaths runptyflags runrlimit_as runrlimit_core runrlimit_cpu runrlimit_data runrlimit_fsize runrlimit_locks runrlimit_memlock runrlimit_nofile runrlimit_nproc runrlimit_rss runrlimit_stack runtimeout runumask runuser runutmpuser subprocuser tmplogdir

Global event log variables

alertdate alerttime event exitdate exitstatus exittime

PM settings variables

Privilege Manager for Unix Flow Control Statements

accept, reject break continue do-while for loop for loop function if-else include procedure / function readonly readonlyexcept return switch while

Privilege Manager for Unix Built-in Functions and Procedures

Environment functions

getenv getlistsetting getnumericsetting getstringsetting getyesnosetting keepenv policygetenv policysetenv policyunsetenv setenv unsetenv

Hash table functions

hashtable_add hashtable_create hashtable_enum hashtable_import hashtable_lookup

Input and output functions

fprintf input inputnoecho print printf printnnl printvars readdir readfile sprintf syslog

LDAP functions

ldap_ bind ldap_count_entries ldap_dn2ufn ldap_explode_dn ldap_first_attribute ldap_first_entry ldap_get_attributes ldap_get_dn ldap_get_values ldap_next_attribute ldap_next_entry ldap_open ldap_search ldap_unbind

LDAP API example List functions

append insert join length lsubst range replace search split splitSubst

Miscellaneous functions Password functions

getgrouppasswd getstringpasswd getuserpasswd

Remote access functions

remotefileexists remotegroupinfo remotegrouplist remotesysinfo remoteusergroups remoteuserinfo remoteuserlist

String functions

match pad strindex strlen strsub sub subst substr

User information functions

getfullname getgroup getgroups gethome getshell

Authentication Services functions

vas_auth_user_password vas_host_in_ADgrouplist vas_host_is_member vas_user_get_groups vas_user_in_ADgrouplist vas_user_is_member

Privilege Manager for Unix programs

pmbash pmcheck pmclientd pmclientinfo pmcp pmcsh pmincludecheck pminfo pmjoin pmkey pmksh pmless pmlicense pmlist pmloadcheck pmlocald pmlog pmlogadm pmlogsearch pmlogsrvd pmmasterd pmmg pmpasswd pmpolicy pmpolicyconvert pmpolsrvconfig pmremlog pmreplay

Navigating the log file

pmresolvehost pmrun pmscp pmserviced pmsh pmshellwrapper pmsrvcheck pmsrvconfig pmsrvinfo pmstatus pmsum pmsysid pmtunneld pmumacs pmverifyprofilepolicy pmvi

Installation Packages

Package locations Installed files and directories

pmsh

Privilege Manager for Unix programs > pmsh

Syntax

pmsh -a|-b|-c <file>|-e|-f|-i|-m|-n|-o <option>|-s|-u|-v|-x|-C|-E|-I|-B|-V
     [-U <user>]

Description

The Privilege Manager for Unix Bourne Shell (pmsh) command is a fully featured version of sh, that provides transparent authorization and auditing for all commands submitted during the shell session. pmsh supports the standard options for sh.

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

forbidden by the shell without further authorization to the policy server
allowed by the shell without further authorization to the policy server
presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Options

pmsh has the following options.

Table 83: Options: pmsh
Option	Description
-a	Flags variables for export when assignments are made to them.
-b	Enables asynchronous notification of background job completion. (UNIMPLEMENTED) .
-B	Allows the shell to run in the background.
-c <file>	Reads commands from a file instead of from standard input.
-C	Does not overwrite existing files with `>'.
-e	Exits immediately if any untested command fails in non-interactive mode. The exit status of a command is considered to be explic- itly tested if the command is part of the list used to control an if, elif, while, or until; if the command is the left hand oper- and of an ``&&'' or ``\|\|'' operator; or if the command is a pipe- line preceded by the ! operator. If a shell function runs and its exit status is explicitly tested, all commands of the function are considered to be tested as well.
-E	Enables the built-in emacs(1) command line editor (disables the -V option if it has been set; set automatically when interactive on terminals).
-f	Disables pathname expansion..
-h	A do-nothing option for POSIX compliance.
-i	Forces the shell to behave interactively.
-I	Ignores EOF's from input when in interactive mode.
-m	Turns on job control (set automatically when interactive).
-n	If not interactive, reads commands but do not run them. This is useful for checking the syntax of shell scripts.
-o <option>	Sets the specified shell option. A list of shell options can be displayed using the set -o builtin command.
-s	Reads commands from standard input (set automatically if no file arguments are present). This option has no effect when set after the shell has already started running (i.e., when set with the set command).
-u	Writes a message to standard error when attempting to expand a variable, a positional parameter or the special parameter ! that is not set, and if the shell is not interactive, exit immediately.
-v	The shell writes its input to standard error as it is read. Useful for debugging.
-V	Enables the built-in vi command-line editor (disables -E if it has been set).
-x	Writes each command (preceded by the value of the PS4 variable subjected to parameter expansion and arithmetic expansion) to standard error before it is run. Useful for debugging.

pmsh supports the following builtin commands:

., :, [, alias, bg, break, cd, chdir, command, continue, echo, eval, exec, exit, export, false, fg, getopts, hash, jobs, kill, local, printf, pwd, read, readonly, return, set, shift, test, times, trap, true, type, ulimit, umask, unalias, unset, wait

pmshellwrapper

Privilege Manager for Unix programs > pmshellwrapper

Syntax

pmshellwrapper

Description

Use the pmshellwrapper program as a wrapper for any valid login shell on a host. It provides full keystroke logging for any normal shell, but does not provide authorization of the commands run from the shell.

To use pmshellwrapper, you must create a link for the real shell you want to use. For example:

ln –s /opt/quest/libexec/pmshellwrapper 
/opt/quest/bin/pmshellwrapper_bash

When the user runs pmshell_bash, it transparently converts this to pmrun bash.

pmsrvcheck

Privilege Manager for Unix programs > pmsrvcheck

Syntax

pmsrvcheck --csv [ --verbose ] | --help | --pmpolicy | --primary | --secondary

Description

Use pmsrvcheck to verify that a policy server is setup properly. It produces output in either human-readable or CSV format similar to that produced by the preflight program.

The pmsrvcheck command checks:

that the host is configured as a primary policy server and has a valid repository
has a valid, up-to-date, checked-out copy of the repository
has access to update the repository
has a current valid Privilege Manager for Unix license
pmmasterd is correctly configured
pmmasterd can accept connections

pmsrvcheck produces output in either human-readable or CSV format similar to the pre-flight output.

Options

pmsrvcheck has the following options.

Table 84: Options: pmsrvcheck
Option	Description
--cvs	Displays csv, rather than human-readable output.
--help	Displays usage information.
--pmpolicy	Verifies that Privilege Manager for Unix policy is in use by the policy servers.
--primary	Verifies a primary policy server.
--secondary	Verifies a secondary policy server.
--verbose	Displays verbose output while checking the host.
--version	Displays the Privilege Manager for Unix version number and exits.

Files

Settings file: /etc/opt/quest/qpm4u/pm.settings

pmsrvconfig

Privilege Manager for Unix programs > pmsrvconfig

Syntax

pmsrvconfig -h | --help [-abipqtv] [-d <variable>=<value>] [-f <path>] 
            [-l <license_file>] 
            [-m sudo | pmpolicy] [-n <group_name> | -s <hostname>] 
            [-x [<policy_server_host> ...]] [-bpvx] -u [--accept] [--batch] 
            [--define <variable>=<value>] [--import <path>] [--interactive] 
            [--license <license_file>] 
            [--name <group_name> | --secondary <hostname>] 
            [--pipestdin] [--plugin] [--policymode sudo | pmpolicy] 
         [--selinux] [--tunnel] 
            [--unix [<policy_server_host> ...]]  [--verbose] [--batch]
          [--unix] [-- verbose] --unconfig -N policy_name [--policyname policy_name]

Description

Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.

Options

pmsrvconfig has the following options.

Table 85: Options: pmsrvconfig
Option	Description
-a \| --accept	Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt.
-b \| --batch	Runs in batch mode; does not use colors or require user input.
-d <variable>=<value> \| --define <variable>=<value>	Specifies a variable for the pm.settings file and its associated value.
-h \| --help	Displays usage information.
-i \| --interactive	Runs in interactive mode; prompts for configuration parameters instead of using the default values.
-f <path> \| --import <path>	Imports policy data from the specified path. Privilege Manager for Unix: The path may be set to either a file or a directory when using the pmpolicy type. Safeguard for Sudo: The path must be set to a file when using the sudo policy type.
-l \| --license <license_file>	Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files.
-m sudo \| pmpolicy \| --policymode sudo \| pmpolicy	Specifies the type of security policy: sudo pmpolicy Default: sudo
-n \| --name <group_name>	Uses group_name as the policy server group name.
-q \| --pipestdin	Pipes password to stdin if password is required.
-s \| --secondary <hostname>	Configures host to be a secondary policy server where hostname is the primary policy server.
-S \| --selinux	Enable support for SELinux in Privilege Manager for Unix. An SELinux policy module will be installed, which allows the pmlocal daemon to set the security context to that of the run user when executing commands. This requires that the policycoreutils package and either the selinux-policy-devel (RHEL7 and above) or selinux-policy (RHEL6 and below) packages be installed.
-t \| --tunnel	Configures host to allow Privilege Manager for Unix connections through a firewall. This option is only available when using the pmpolicy policy type (Privilege Manager for Unix).
-u \| --unconfig	Unconfigures a Privilege Manager for Unix server.
-v \| --verbose	Displays verbose output while configuring the host.
-x \| --unix [policy_server_host ...]	Configures Privilege Manager for Unix on the local policy server; that is, configures pmlocald and pmrun to run on this host. If you do not specify a policy server host, it uses the local host name. This option is only available when using the pmpolicy policy type (Privilege Manager for Unix).

Examples

The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:

# pmsrvconfig –a –f /root/tmp/sudoers

By using the –a option, you are accepting the terms and obligations of the EULA in full.

By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the –n command option, like this:

# pmsrvconfig –a –n <MyPolicyGroup>

where <MyPolicyGroup> is the name of your policy group.

See Configuring the primary policy server for Privilege Manager for Unix and Policy servers are failing for other usage examples.

Files

Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install

Privilege Manager for Unix 7.1.1 - Administration Guide

pmsh

Syntax

Description

Options

pmshellwrapper

Syntax

Description

pmsrvcheck

Syntax

Description

Options

Files

Related Topics

pmsrvconfig

Syntax

Description

Options

Examples

Files

Related Topics

Bitte w&auml;hlen Sie Ihr Produkt aus:

Damit wir Ihnen besser helfen können, geben Sie den Grund Ihres Chats an:

Empfohlene Lösungen für Ihr Problem

Privilege Manager for Unix 7.1.1 - Administration Guide

pmsh

Syntax

Description

Options

pmshellwrapper

Syntax

Description

pmsrvcheck

Syntax

Description

Options

Files

Related Topics

pmsrvconfig

Syntax

Description

Options

Examples

Files

Related Topics

Bitte wählen Sie Ihr Produkt aus: