One Identity Management Console for Unix 2.5.2 - Administration Guide

Privilege Manager system settings

You can configure the management console to communicate with one or more Privilege Manager policy groups, which allows you to centrally manage security policy, remotely configure the Privilege Manager hosts, and view keystroke logs generated by the policy. The Privilege Manager settings in System Settings allow you to activate previously configured service accounts on policy servers. This enables you to view and edit the policy, view keystroke logs, and run policy reports.

Use the Privilege Manager settings to configure the service account and activate the policy groups that you want to use for checking policy and keystroke logging.

Before you can use the Privilege Manager features, you must install and configure a Privilege Manager primary policy server. See Installing the Privilege Manager packages for details.

Configuring a service account

Configuring a service account activates the policy group and allows the console to access the policy group's pmpolicy or sudoers policy files and to view its events and keystroke logs.

To configure a service account

  1. Log in as supervisor or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.

  2. From the top-level Settings menu, navigate to System settings | Privilege Manager.

  3. Click Configure service account next to the primary policy server listed.

    Note: If your policy group is not listed, make sure you have added the host where the Privilege Manager software is installed to the management console as the primary policy server and profiled it; then re-profile the host.

  4. On the Configure Service Account dialog, enter credentials to log onto the primary policy server and click OK.

    Note: This task requires elevated credentials.

  5. Verify that the Active box is checked and click OK.

When you configure the service account, the management console:

  1. Creates "questusr" (the user service account), if it does not already exist, and a corresponding "questgrp" group on the host.

    Note: The questusr account is a user service account used by Management Console for Unix to manage Privilege Manager policy and search event logs. It is a non-privileged account (that is, it does not require root-level permissions) used by the console to gather information about existing policy servers and commit policy changes. questgrp is the primary group (gid) for questusr.

  2. Adds questusr to the pmpolicy and pmlog Privilege Manager configuration groups (questusr is already an implicit member of questgrp, its primary group).

    Note: questusr, pmpolicy, and pmclient are all non-privileged service accounts (that is, they do not require root-level permissions). The pmpolicy and pmclient users are used to sync the security policy on policy servers and on Sudo Plugin hosts (offline policy cache), respectively.

    The pmlog and pmpolicy groups are used to control access to log files and the security policy, respectively.

  3. Adds the policy group SSH key to questusr's authorized_keys file, /var/opt/quest/home/questusr/.ssh/authorized_keys.
  4. Verifies that the user service account can log in to the host.

    Note: If you receive an error message saying the console could not log in with the user service account, see Service account login fails for help troubleshooting this issue.

If questusr is inadvertently deleted from the host,

  1. Re-profile the host.
  2. Unconfigure the service account. See Unconfiguring a service account for details.
  3. Reconfigure the service account.

Unconfiguring a service account

Unconfiguring a service account deactivates the policy group in the management console and disables console access to the policy file and keystroke logs on the primary policy server.

To unconfigure a service account

  1. Log in as supervisor or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.
  2. From the top-level Settings menu, navigate to System settings | Privilege Manager.
  3. Click Unconfigure service account next to the primary policy server listed.
  4. On the Unconfigure Service Account dialog, enter credentials to log onto the primary policy server and click OK.

    Note: This task requires elevated credentials.

  5. Verify that the Active box is not checked.

Note: When you unconfigure a service account, the management console:

  1. leaves the "questusr" and the corresponding "questgrp" account on the host.
  2. removes questusr from the pmpolicy and pmlog groups.
  3. leaves questusr as an implicit member of questgrp.
  4. removes the policy group SSH key from questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
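
The two lists above describe the state the console is expected to leave on the primary policy server after configuring and after unconfiguring the service account. The following script, added here as an example and not part of this guide or of the One Identity software, checks a host's passwd, group and authorized_keys files against that expected state. It assumes the policy group's public key can be recognised by a substring of its key comment (the mcu-policy-group value used in the sample is a placeholder), and the sample host files it creates for a stand-alone run are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not One Identity's code): verify that a primary policy server is in
# the state the console leaves after "Configure service account" (mode=configured)
# or "Unconfigure service account" (mode=unconfigured). It reads passwd, group and
# authorized_keys files passed as arguments, so it runs against /etc/passwd,
# /etc/group and /var/opt/quest/home/questusr/.ssh/authorized_keys on the host, or
# against copies. Assumption not taken from the page: the policy-group key is
# recognised by a substring of its key comment, given as the last argument.

# Numeric primary GID of a user, read from a passwd-format file.
primary_gid() {  # $1=passwd file, $2=user
    awk -F: -v u="$2" '$1 == u { print $4 }' "$1"
}

# Numeric GID of a group, read from a group-format file.
group_gid() {  # $1=group file, $2=group
    awk -F: -v g="$2" '$1 == g { print $3 }' "$1"
}

# Exit 0 when user $3 is listed as a supplementary member of group $2.
in_group() {  # $1=group file, $2=group, $3=user
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Number of authorized_keys lines containing the key-comment substring $2 (0 if no file).
key_count() {  # $1=authorized_keys file, $2=key comment substring
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cF -- "$2" "$1" || true
}

# Run one check (the command after the description); print PASS/FAIL and count failures.
report() {  # $1=description, $2...=command
    desc=$1; shift
    if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; fails=$((fails + 1)); fi
}
not() { ! "$@"; }

# Returns the number of failed checks; 0 means the host matches the expected state.
check_service_account() {  # $1=configured|unconfigured, $2=passwd, $3=group, $4=authorized_keys, $5=key comment
    mode=$1; passwd=$2; group=$3; keys=$4; comment=$5
    fails=0
    ugid=$(primary_gid "$passwd" questusr)
    ggid=$(group_gid "$group" questgrp)
    # Both states: the account and its group stay on the host, with questgrp as primary group.
    report "questusr exists in $passwd" test -n "$ugid"
    report "questgrp exists in $group" test -n "$ggid"
    report "questgrp is the primary group of questusr" test "${ugid:-x}" = "$ggid"
    n=$(key_count "$keys" "$comment")
    if [ "$mode" = configured ]; then
        report "questusr is a member of pmpolicy" in_group "$group" pmpolicy questusr
        report "questusr is a member of pmlog" in_group "$group" pmlog questusr
        report "exactly one policy-group key ($comment) in $keys" test "$n" -eq 1
    else
        report "questusr removed from pmpolicy" not in_group "$group" pmpolicy questusr
        report "questusr removed from pmlog" not in_group "$group" pmlog questusr
        report "policy-group key ($comment) removed from $keys" test "$n" -eq 0
    fi
    return "$fails"
}

# Constructed sample host files for a stand-alone run; not copied from a real server.
write_sample_host() {  # $1=directory, $2=configured|unconfigured
    printf 'root:x:0:0:root:/root:/bin/sh\nquestusr:x:1001:1001::/var/opt/quest/home/questusr:/bin/sh\n' > "$1/passwd"
    if [ "$2" = configured ]; then
        printf 'root:x:0:\npmpolicy:x:1000:questusr\npmlog:x:1002:questusr\nquestgrp:x:1001:\n' > "$1/group"
        printf 'ssh-ed25519 AAAAexampleonly mcu-policy-group-key\n' > "$1/authorized_keys"
    else
        printf 'root:x:0:\npmpolicy:x:1000:\npmlog:x:1002:\nquestgrp:x:1001:\n' > "$1/group"
        : > "$1/authorized_keys"   # key line removed; the file may legitimately be empty
    fi
}

# Usage: sh check_questusr.sh MODE PASSWD GROUP AUTHORIZED_KEYS KEY_COMMENT
# With no arguments, check the two constructed sample hosts instead.
if [ $# -eq 5 ]; then
    check_service_account "$@"
else
    d=$(mktemp -d)
    for state in configured unconfigured; do
        write_sample_host "$d" "$state"
        echo "== sample $state host =="
        check_service_account "$state" "$d/passwd" "$d/group" "$d/authorized_keys" mcu-policy-group || echo "$? check(s) failed"
    done
    rm -rf "$d"
fi
```

Run it with configured after configuring a service account and with unconfigured after unconfiguring one, passing the host's real files; a nonzero exit status is the number of mismatches. It does not cover the console's final step, verifying that questusr can log in, and it cannot tell whether the key comment you pass belongs to the key the console installed; open authorized_keys and confirm the comment before relying on that check.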

Activating policy groups

To centrally manage a policy, view events, or replay keystroke logs for a policy group, you must activate it.

Note: You can only activate an inactive policy group if it has been previously configured. See Configuring a service account for details.

To activate policy groups

  1. Log in as supervisor or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.
  2. From the top-level Settings menu, navigate to System settings | Privilege Manager.
  3. Select the Active box next to the policy groups you wish to activate and click OK to save the change and return to the management console.

    Note: If your policy group is not listed, make sure you have added the host where the Privilege Manager software is installed to the management console as the primary policy server and profiled it; then re-profile the host.
