Use authenticate_pam to define which users you want to authenticate by means of PAM (Pluggable Authentication Modules) APIs. The PAM conversation takes place on the policy server that is evaluating the policy; use authenticate_pam_toclient instead if the authentication should be performed on the host where pmrun was invoked.
The operating system has PAM configuration files, usually /etc/pam.conf or per-service files under /etc/pam.d, that specify which security databases to use to authenticate users, such as LDAP, Windows 2000 Active Directory, and various PKI implementations.
The service parameter identifies the name of the PAM service to use to authenticate users. The service parameter can be any valid service name configured in the PAM system configuration and defaults to "login". Because each PAM service selects its own module stack, naming another daemon's service (such as sshd) makes the authentication inherit that daemon's auth and account rules; the service you name must be defined on the host that performs the authentication.
For more information on how to configure PAM with Privilege Manager for Unix, consult the documentation for your platform.
Syntax
authenticate_pam (user,[<service>])
where user is the name of the user to authenticate and <service> is the PAM service to use, such as sshd.
Examples
To utilize PAM authentication, add a rule like the following to your policy file:
if ( user=="paul" && basename(command)=="useradd" ) {
    # Challenge the requesting user through the "sshd" PAM service on the policy server;
    # the request is rejected unless the PAM conversation succeeds.
    if ( !authenticate_pam(user, "sshd") ) { reject; }
    runuser="root";
    accept;
}
This function returns 0 to indicate failure and 1 to indicate success, so a failed authentication is tested with !authenticate_pam(...) as in the example.
Related Function
authenticate_pam_toclient
Syntax
authenticate_pam_toclient (user,[<service>])
where user is the name of the user to authenticate and <service> is the PAM service to use, such as sshd.
Description
authenticate_pam_toclient causes pmmasterd to send a request to pmrun to perform the authenticate_pam operation on the pmrun host. The PAM conversation therefore runs on the client host rather than on the policy server, and the named service must be defined in that client's PAM configuration.
This function is only available on platforms that have native support for PAM.
Example
To utilize PAM authentication on the client host, add a rule like the following to your policy file:
if ( user=="paul" && basename(command)=="useradd" ) {
    # Challenge the requesting user through the "sshd" PAM service on the host running pmrun;
    # the request is rejected unless the PAM conversation succeeds.
    if ( !authenticate_pam_toclient(user, "sshd") ) { reject; }
    runuser="root";
    accept;
}
This function returns 0 to indicate failure and 1 to indicate success, so a failed authentication is tested with !authenticate_pam_toclient(...) as in the example.
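The service name passed to either function has to exist in the PAM configuration of the host that runs the PAM conversation: the policy server for authenticate_pam, each pmrun client for authenticate_pam_toclient. The following POSIX shell check is an added example, not code shipped with Privilege Manager for Unix; it assumes the common layout of per-service files under /etc/pam.d or a classic /etc/pam.conf, and takes those paths as optional parameters so it can be pointed at a copied configuration tree.

```shell
#!/bin/sh
# Added example (not part of Privilege Manager for Unix): verify that a PAM
# service name used with authenticate_pam()/authenticate_pam_toclient() is
# actually defined on this host. Run it on the policy server for
# authenticate_pam and on each pmrun client for authenticate_pam_toclient.
#
# pam_service_configured SERVICE [PAM_D_DIR] [PAM_CONF_FILE]
#   returns 0 if SERVICE is defined, 1 if it is not, 2 if the name is invalid.
pam_service_configured() {
    service=$1
    pamd=${2:-/etc/pam.d}
    pamconf=${3:-/etc/pam.conf}

    # Service names become file names under /etc/pam.d, so reject anything
    # that is empty or contains characters outside a conservative set
    # (this also blocks path traversal such as "../etc").
    case $service in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac

    # Per-service file layout: /etc/pam.d/<service>
    if [ -f "$pamd/$service" ]; then
        return 0
    fi

    # Monolithic layout: lines of the form "<service> <type> <control> <module>"
    if [ -f "$pamconf" ] && grep -Eq \
        "^[[:space:]]*$service[[:space:]]+(auth|account|password|session)" \
        "$pamconf"; then
        return 0
    fi

    return 1
}

# Usage: pass the service names referenced in your policy file, e.g.
#   sh check_pam_service.sh sshd login
if [ "${1:-}" ]; then
    for svc in "$@"; do
        if pam_service_configured "$svc"; then
            echo "$svc: defined in the PAM configuration of this host"
        else
            echo "$svc: NOT defined on this host; PAM will fall back to its default service stack"
        fi
    done
fi
```

An undefined service name does not produce an error from the policy function itself; PAM silently applies its default ("other" or "OTHER") stack, which on most systems denies, so run this check wherever the authentication is actually performed before relying on a rule.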
Related Function
authenticate_pam
Privilege Manager for Unix allows you to control what is logged, as well as when and where it is logged. To help you set up and use these log files, the topics in this section explore enabling and disabling logging, as well as how to specify the log file locations.
Privilege Manager for Unix includes three different types of logging; the first two are helpful for audit purposes:
- keystroke logging, also referred to as I/O logging
Keystroke logs record the user’s keystrokes and the terminal output of any sessions granted by Privilege Manager for Unix.
- event logging
Event logs record the details of all requests to run privileged commands. The details include what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected.
- error logging
You can configure some aspects of the event and keystroke logging by means of the security policy on the policy servers. What you can configure and how you configure it depends on which type of security policy you are using on your policy server -- pmpolicy or sudo.
Related Topics
Security policy types