Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

Lesson 10 Sample: Basic menus

#=================================================================
# Privilege Manager example configuration file
# One Identity 2013
#
# Example File : example10
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
#=================================================================
# This example shows how to implement a menu system with 4 choices.
# Also, if the "adduser" program is to be run, a password must be
# entered correctly.
# For experimental purposes, replace "dan", "cory", and "robyn" with
# user names from your own site.
if(command=="adminmenu") {
   print("========= Admin Menu =========");
   print("1) Add users");
   print("2) Start a backup");
   print("3) Change ownership of a file");
   print("4) Fix line printer queues");
   choice = input("Please choose one: ");
   switch(choice) {
   case "1":
      # Reject the request if the password "123456" is not entered
      # correctly. The user gets only 2 chances to type in the
      # password. The encrypted version of the password seen here
      # was generated using pmpasswd. If you store encrypted
      # passwords in your config file, make sure you turn off read
      # permission on the file so that people cannot use password
      # cracking programs to guess them.
      if(!getstringpasswd("m9xxg7B4.v8Ck", "Type in the adduser password: ",2))
         reject;
      runcommand = "/usr/local/bin/adduser";
      runuser = "root";
      break;
   case "2":
      runcommand = "/usr/local/bin/dobackup";
      runuser = "backup";
      break;
   case "3":
      runcommand = "/usr/bin/chown";
      runuser = "root";
      break;
   case "4":
      runcommand = "/usr/lib/lpadmin";
      runuser = "root";
      break;
   default:
      printf("\"%s\" was not a valid choice. Sorry.\n", choice);
      reject;
}
if (choice == "3") {
   file_name=input("Please enter the new owner's name then file name: ");
   arguments = split(file_name);
   runargv = insert(arguments, 0, "Spacer");
}
   print("** Command to be run :", runcommand);
   print("** User to run command as :", runuser);
   accept;
}
#=================================================================

See Lesson 10: Basic menus for details on using this sample policy file.

Advanced Privilege Manager for Unix Configuration

This section provides advanced information on how to configure and implement Privilege Manager for Unix:

Privilege Manager shells

Privilege Manager shells provide a means of auditing and controlling a user’s login session in a way that is transparent to the user, without the user having to preface commands with pmrun.

Privilege Manager provides enabled versions of these standard shells: pmksh, pmsh, pmcsh, and pmbash. Each shell uses the same policy file variables to control the behavior of the shell.

By default, all built-in shell commands are allowed to run without any further authorization by the shell; however, you must authorize all non-built-in shell commands. Once authorized, all commands are run locally by the shell with the authority of the user running the shell.

You can configure the level of control required for commands running from a shell in the policy file by configuring the policy file to either forbid commands or allow them to be run by the shell program without any further authorization to the policy server. You can also configure the policy file to authorize them as they are presented to the policy server for audit logging. Furthermore, you can configure keystroke logging for the shell session to be logged to a single I/O log file.

Privilege Manager shell features

Use a Privilege Manager shell to control or log Privilege Manager sessions, regardless of how you are logged in (for example, telnet, ssh, rsh, rexec).

You can use one of these Privilege Manager-enabled shells to create a fully featured shell environment for a user:

  • pmksh: a Privilege Manager-enabled version of Korn Shell
  • pmsh: a Privilege Manager-enabled version of Bourne Shell
  • pmcsh: a Privilege Manager version of C Shell
  • pmbash: a Privilege Manager version of Bourne Again Shell

Each shell provides command control for every command entered by a user during a login session. You can configure each command the user enters to be authorized with the policy server before it runs. This includes the shell built-in commands.

You can configure keystroke logging for the entire login session and login to a single file.

Alternatively, you can use pmshellwrapper to act as a Privilege Manager wrapper for any valid shell program on a host, or create a custom Privilege Manager shell by means of a shell script. In these cases, however, the individual commands run during the login session are not controlled by Privilege Manager.

To use pmshellwrapper, create a link using the name of the system shell you want to run. For example, to create a wrapper for bash, enter:

ln -s /opt/quest/libexe/pmshellwrapper/opt/quest/libexe/pmshellwrapper_bash

When you run the pmshellwrapper_bash program, it transparently runs pmrun bash instead.

For example, to create a custom Privilege Manager shell (a shell script that runs the actual shell using pmrun), run:

#!/bin/ksh
tty 2>/dev/null 1>/dev/null
x=$?
if [ $x -ne 0 ]
then
exec /opt/quest/bin/pmrun ksh "$@"
else
exec /opt/quest/bin/pmrun -c -ksh "$@"
fi

NOTE: Add the full pathname of the shell program to the /etc/shells file if you are using pmksh, pmsh, pmcsh, pmbash, or pmshellwrapper on your system.

Documents connexes