One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Specifying default time restrictions

To specify default time restrictions

  1. Select the Restrict execution of commands option to enable time, date, or Day of Week restrictions.
  2. Specify the By Time restrictions to limit the execution of commands by range of time.

    Time restrictions must be set to valid values. Leave the entry empty to disable the time restrictions.

  3. Specify the By Date restrictions to limit the execution of commands by range of dates.

    Specify start or end dates using the form: yyyy/mm/dd. Date restrictions must be set to valid values. Leave the entry empty to disable the date restrictions.

  4. Specify the By Day of Week restrictions to limit the execution of commands to certain days of the week.

    Select the applicable days of the week.

  5. Click OK to save the default Time Restriction role settings.

Specifying default restricted shell role settings

To specify shell settings

  1. Select the applicable Privilege Manager for Unix shells:
    1. pmksh
    2. pmsh
    3. pmcsh
    4. pmshellwrapper
  2. Select the Run allowed Privilege Manager secure shells in restricted mode option.

    Note: When running shells in restricted mode, the user:

    • cannot change directory
    • cannot change PATH, ENV, or SHELL
    • can only run programs in PATH
    • cannot use absolute or relative paths
    • cannot use I/O redirection with the > or < characters.

    This setting only applies to the pmksh, pmcsh, and pmsh shell programs.

  3. List the environment variables in the Environment variables the user cannot change in the shell text box.

    Note:

    • Separate multiple variables with commas, as in:
      "PATH", "TERM", ENV_VARIABLES
    • In restricted mode, the following variables are always read-only: PATH, ENV, and SHELL.
    • This setting only applies to the pmksh, pmcsh, and pmsh shell programs.

  4. List the directories from which you will execute the shell program in the Shell execution directory text box.

    Separate multiple paths with commas, as in:

    "/bin","var/opt/quest"
  5. List the shell session paths in the Shell session PATH text box.

    Separate multiple paths with commas, as in:

    "/usr/bin","/bin","."

    By default the console sets the standard paths, adds the run user's home directory, and the current directory. This is particularly relevant for shells running in restricted mode where the user cannot change the PATH and can only run commands relative to the configured PATH.

    Note: This setting only applies to the pmksh, pmcsh, and pmsh shell programs.

  6. Click OK to save the default Shell Settings.

Modifying PM policy files with the text editor

When you open a policy from a policy group that is configured to use a pmpolicy rather than a sudo policy type, the mangement console allows you to edit the policy files that pertain to that policy using either a GUI editor or a text editor, however there are certain variables that you can only modify by means of the text editor.

To modify policy files using the text editor

  1. From the Policy tab, navigate to the PM Policy Editor view.

  2. Click the Text Editor button in the top-right corner of the PM Policy Editor view.

  3. From the Open menu, select either:

    1. Current version to open the latest saved version of the policy that is currently in use by the mangement console for a policy group.
    2. Version to open the Open Version dialog from which you select a policy group and a version of a policy and click OK to open the file.

    When you open a policy-based policy file in the text editor, the mangement console lists the policies in the policy group in the left navigation tree:

    • Under the Configuration folder, it lists the .conf files from the policy group and opens the default Privilege Manager policy configuration file, pm.conf.
    • Under the Restricted Shell Roles folder, it lists the .shellprofile files from the policy group.
    • Under the Roles folder, it lists the .profile files from the policy group.

    NoteS:

    • Roles in the mangement console's GUI editor are "profiles" in the policy.
    • You can switch back and forth between the GUI editor and the text editor. To switch back to the GUI editor once in the text editor, click the GUI Editor button in the top-right corner of the PM Policy Editor view.

  4. To open a specific policy in the text editor, either double-click the policy or right-click it and choose Open as text from the context menu.

    When using the text editor:

    1. Boolean values are represented by check boxes in the GUI Editor.

      For example, 'pf_enableprofile = false' is represented as an unchecked check box.

    2. String values are represented by a text field with a field label in the GUI Editor.

      For example, 'pf_profiledescription= "Some Descriptive Text"' is represented as 'Description:[ template ]'.

    3. Arrays or lists are represented as text boxes in the GUI Editor.

      For example, 'pf_authgroups = {"admins", "dbas"}; is represented as a text box where the user can enter multiple values.

  5. Click the Add button in the Policy panel to add a new policy file.

    The Add Policy File dialog opens.

    1. Select the type of policy file you want to add.

      Choose

      • Privilege Manager Configuration File
      • Privilege Manager Role
      • Privilege Manager Restricted Shell Role
    2. Enter a name for the new policy file.

      Note that the file type changes according to the type of policy file you selected.

    3. Optionally, select the Use an existing file as a template option.

      The list of files to choose changes according to the type of policy file you selected.

    4. When you click OK on the Add Policy File dialog, it adds the new file to the left navigation tree.

  6. Click the Save button to save the current policy file; click Save All to save all modified policy files.

  7. Click the Close button in the Policy panel to close all modified policy files. If you have made changes, you are prompted to save them.

    Note: You can also click the (close) icon in the upper-right of the text editor window to close the policy. When you close a modified policy file without saving changes, the policy name in the left-hand navigation panel is italicized. Later, you can click the Save All button to save any changes you have made to that policy.

  8. To delete a policy, click the Delete button in the Policy panel and confirm your request.

  9. To discard you changes, right-click the policy name and choose the Revert option from the context menu. You are prompted to confirm your request to revert the changes to the selected file.

Note: See Edit panel commands for more information about editing the policy in the text editor.

Reviewing the Access and Privileges by User report

The Access and Privileges by User report identifies the hosts where the selected user can login, the commands that user can run on each host, as well as the "runas aliases" information for that user.

To create the Access & Privileges by User report

  1. From the mangement console, navigate to Reporting.
  2. From the Reports view, double-click the Access and Privileges by User report name.

    The report opens a new Access & Privileges by User tab on the Reporting view.

  3. Choose the type of user to include in the report: a local user or Active Directory user.
  4. Click Browse to select the user name.
  5. Select the Show detailed report option.
  6. Open the Export drop-down menu and select the format you want to use for the report: PDF or CVS.

    It launches a new browser or application page and displays the report in the selected format.

Note: When generating multiple reports simultaneously or generating a single report that contains a large amount of data, One Identity recommends that you increase the JVM memory. See JVM memory tuning suggestions for details.

Documents connexes