Syntax
pmserviced [-d] [-n] [-s] [-v]
Description
The Safeguard for Sudo service daemon, (pmserviced) is a persistent process that spawns the configured Safeguard for Sudo services on demand. The pmserviced daemon is responsible for listening on the configured ports for incoming connections for the Safeguard for Sudo daemons.It is capable of running the pmmasterd service.
Only one of pmmasterd and pmclientd may be enabled as they use the same TCP/IP port. For more information about these daemon settings, see the individual topics in PM settings variables.
Options
pmserviced has the following options.
Table 43: Options: pmserviced
|
-d |
Logs debugging information such as connection received, signal receipt and service execution.
By default, pmserviced only logs errors. |
|
-n |
Does not run in the background or create a pid file. By default, pmserviced forks and runs as a background daemon, storing its pid in /var/opt/quest/qpm4u/pmserviced.pid. When you specify the -n option, it stays in the foreground. If you also specify the -d option, error and debug messages are logged to the standard error in addition to the log file or syslog. |
|
-s |
Connects to the running pmserviced and displays the status of the services, then exits. |
|
-v |
Displays the version number of Safeguard for Sudo and exits. |
pmserviced Settings
pmserviced uses the following options in /etc/opt/quest/qpm4u/pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon.
Table 44: Options: pmserviced
|
pmmasterd |
pmmasterdEnabled |
masterport |
pmmasterdOpts |
Table 45: Settings: pmserviced
|
pmservicedLog pathname | syslog |
Fully qualified path to the pmserviced log file or syslog. |
|
pmmasterdEnabled YES | NO |
When set to YES, pmserviced runs pmmasterd on demand. |
|
masterport number |
The TCP/IP port pmmasterd uses to listen. |
|
pmmasterdOpts options |
Any command line options passed to pmmasterd. |
Syntax
pmsrvcheck --csv [ --verbose ] | --help | --pmpolicy | --primary | --secondary
Description
Use pmsrvcheck to verify that a policy server is setup properly. It produces output in either human-readable or CSV format similar to that produced by the preflight program.
The pmsrvcheck command checks:
-
that the host is configured as a primary policy server and has a valid repository
-
has a valid, up-to-date, checked-out copy of the repository
-
has access to update the repository
-
has a current valid Safeguard for Sudo license
-
pmmasterd is correctly configured
-
pmmasterd can accept connections
pmsrvcheck produces output in either human-readable or CSV format similar to the pre-flight output.
Options
pmsrvcheck has the following options.
Table 46: Options: pmsrvcheck
|
--cvs |
Displays csv, rather than human-readable output. |
|
--help |
Displays usage information. |
|
--pmpolicy |
Verifies that Safeguard for Sudo policy is in use by the policy servers. |
|
--primary |
Verifies a primary policy server. |
|
--secondary |
Verifies a secondary policy server. |
|
--verbose |
Displays verbose output while checking the host. |
|
--version |
Displays the Safeguard for Sudo version number and exits. |
Syntax
pmsrvconfig -h | --help [-abipqtv] [-d <variable>=<value>] [-f <path>]
[-l <license_file>]
[-m sudo | pmpolicy] [-n <group_name> | -s <hostname>]
[-bpvx] -u [--accept] [--batch]
[--define <variable>=<value>] [--import <path>] [--interactive]
[--license <license_file>]
[--name <group_name> | --secondary <hostname>]
[--pipestdin] [--plugin] [--policymode sudo | pmpolicy]
[--unix [<policy_server_host> ...]] [--verbose] [--batch]
[--plugin] [--unix] [-- verbose] --unconfig -N policy_name [--policyname policy_name]
Description
Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.
Options
pmsrvconfig has the following options.
Table 47: Options: pmsrvconfig
|
-a | --accept |
Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt. |
|
-b | --batch |
Runs in batch mode; does not use colors or require user input. |
|
-d <variable>=<value> | --define <variable>=<value> |
Specifies a variable for the pm.settings file and its associated value. |
|
-h | --help |
Displays usage information. |
|
-i | --interactive |
Runs in interactive mode; prompts for configuration parameters instead of using the default values. |
|
-f <path> | --import <path> |
Imports policy data from the specified path.
|
|
-l | --license <license_file> |
Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files. |
|
-m sudo | pmpolicy | --policymode sudo | pmpolicy |
Specifies the type of security policy:
Default: sudo |
|
-n | --name <group_name> |
Uses group_name as the policy server group name. |
|
-p | --plugin |
Configures the Sudo Plugin.
This option is only available when using the sudo policy type (Safeguard for Sudo). |
|
-q | --pipestdin |
Pipes password to stdin if password is required. |
|
-s | --secondary <hostname> |
Configures host to be a secondary policy server where hostname is the primary policy server. |
|
-u | --unconfig |
Unconfigures a Privilege Manager for Unix server. |
|
-v | --verbose |
Displays verbose output while configuring the host. |
|
-N policy_name | --policyname policy_name |
When configuring the plugin, use policy_name as the name of the policy instead of the default. This option is used to specify the name of the policy that the server should use when making policy decisions. |
Examples
The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:
# pmsrvconfig -a -f /root/tmp/sudoers
By using the -a option, you are accepting the terms and obligations of the EULA in full.
By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the -n command option, like this:
# pmsrvconfig -a -n <MyPolicyGroup>
where <MyPolicyGroup> is the name of your policy group.
Files
Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install
Syntax
pmsrvinfo [--csv] | -v
Description
Use the pmsrvinfo command to display information about the group in either human readable or CSV format. You can run this program on any server in the policy group.
Options
pmsrvinfo has the following options.
Table 48: Options: pmsrvinfo
|
-c |
Displays information in .CSV format, instead of human readable output. |
|
-l |
By using this option, you can detect which client uses which sudo policy on the policy server. This option lists the following client information from the policy server:
This option can be used together with the "-c" option. |
|
-v |
Displays the Safeguard for Sudo version number and exits. |
Examples
# pmsrvinfo
Policy Server Configuration:
----------------------------
Safeguard version : 6.0.0 (nnn)
Listening port for pmmasterd daemon : 12345
Comms failover method : random
Comms timeout(in seconds) : 10
Policy type in use : sudo
Group ownership of logs : pmlog
Group ownership of policy repository : pmpolicy
Policy server type : primary
Primary policy server for this group : adminhost1
Group name for this group : adminGroup1
Location of the repository :
file:////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk
Hosts in the group : adminhost1 adminhost2
