Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Privilege Manager for Unix 6.1.1 - Administration Guide for Unix

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

pmbash

Syntax
pmbash -c <command>|-i|-l|-r|-s|-B|[-+]O <option>
Description

The Privilege Manager Bourne Again SHell (pmbash) command is a wrapper program for the GNU Bourne Again SHell (bash), that provides transparent authorization and auditing for all commands submitted during the shell session. pmbash supports the standard options for bash.

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

  • forbidden by the shell without further authorization to the policy server
  • allowed by the shell without further authorization to the policy server
  • presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Unlike the other Privilege Manager shells, pmbash is not a standalone shell. It is a wrapper that runs the system version of the bash shell while logging keystrokes and authorizing shell commands via Privilege Manager. Command authorization is limited to external commands: pmbash, cannot authorize shell built-in commands.

Options

pmbash has the following options.

Table 48: Options: pmsh
Option Description

-B

Allows the shell to run in the background.

-c <command>

Runs the specified command from the next argument.

-i

Runs the shell in interactive mode even when input is not from a terminal.

-l

Acts as a login shell, the shell will read the contents of /etc/profile and $HOME/.profile if they exist.

[+-]O <shopt_option>

Sets or clears one of the shell options accepted by the shopt built-in command.

-r

Runs the shell in restricted mode.
The shell reads commands from standard input even when there are additional non-option arguments.

Additional long options may also be specified, see the bash manual for details.

pmcheck

Syntax
pmcheck [ -z on|off[:<pid>] ] | [ -v ] | 
           [ [ -a <string> ] [ -b ] [ -c ] [ -e <requestuser> ] 
           [ -f <filename> ] [ -g <group> ] [ -h <hostname> ] [ -i ] 
           [ -l <shellprogram> ] [ -m <YY[YY]/MM/DD> ] [ -n <HH[:MM]> ] 
           [ -o sudo|pmpolicy ] [ -p <policydir> ] [ -q  ]  [  -r <remotehost> ] 
           [ -s <submithost> ] [ -t ] [ -u <runuser> ] [ command [ args ]]]
Description

Use the pmcheck command to test the policy file. Although the policy server daemon pmmasterd reports configuration file errors to a log file, always use pmcheck to verify the syntax of a policy file before you install it on a live system. You can also use the pmcheck command to simulate running a command to test whether a request will be accepted or rejected.

The pmcheck program exits with a value corresponding to the number of syntax errors found.

Options

pmcheck has the following options.

Table 49: Options: pmcheck
Option Description

-a <string>

Checks if the specified string, entered during the session, matches any alertkeysequence configured. You can only specify this option if you supply a command.

This option is only relevant when using the pmpolicy type.

-b

Run in batch mode. By default, pmcheck runs in interactive mode, and attempts to emulate the behavior of the pmmasterd when parsing the policy file. The -b option ensures that no user interaction is required if the policy file contains a password or input function; instead, a successful return code is assumed for any password authentication functions.

-c

Runs in batch mode and displays output in csv format. By default pmcheck runs in interactive mode. The -c option ensures that no user interaction is required if the policy file contains a password prompt or input function and no commands that require remote connections are attempted.

-e <requestuser>

Sets the value of requestuser. This option allows you to specify the group name to use when testing the configuration. This emulates running a session using the pmrun –u <user> option to request that Privilege Manager for Unix runs the command as a particular runuser.

-f <filename>

Sets path to policy filename. Provides an alternative configuration filename to check. If not fully qualified, this path is interpreted as relative to the policydir, rather than to the current directory.

-g <group>

Sets the group name to use. If not specified, then pmcheck looks up the user on the master policy server host to get the group information. This option is useful for checking a user and group that does not exist on the policy server.

-h <hostname>

Specifies execution host used for testing purposes.

-i

Ignores check for root ownership of policy.

-l <shellprogram>

Verifies the command as though it was run from within a Privilege Manager for Unix shell program. This special case of pmcheck verifies the specified shell program first, and if accepted, it verifies the specified command as a normal executable program within this shell to determine whether it would be forbidden, accepted, or rejected.

This option is only relevant when using the pmpolicy type.

-m <YY[YY]/MM/DD>

Checks the policy for a particular date. Enter Date in this format: YY[YY]/MM/DD. Defaults to the current date.

-n <HH[:MM]>

Checks the policy for a particular time. Enter Time in this format: HH[:mm]. Defaults to the current time.

-o <policytype>

Interprets the policy with the specified policy type:

  • sudo
  • pmpolicy
-p policydir Forces pmcheck to use a different directory to search for policy files included with a relative pathname. The default location to search for policy files is the policydir setting in pm.settings.
-q Runs in quiet mode, pmcheck does not prompt the user for input, print any errors or prompts, or run any system commands. The exit status of pmcheck indicates the number of syntax errors found (0 = success). This is useful when running scripted applications that require a simple syntax check.
-r remotehost

Sets the value of the clienthost variable within the configuration file, useful for testing purposes.

If you log in by means of pmksh or pmshellwrapper, the clienthost variable is set to the name of the remote host you used to log in. Otherwise the clienthost variable is set to the value of the submithost variable.

-s submithost Sets the value of the submithost variable within the configuration file, useful for testing purposes.
-t

Runs in quiet mode to check whether a command would be accepted or rejected. By default, pmcheck runs in interactive mode. The –t option ensures that no user interaction is required if the policy file contains a password prompt or input function, no output is displayed and no commands that require remote connections are attempted.

Exit Status:

  • 0: Command accepted
  • 11: Password prompt encountered. The command will only be accepted if authentication is successful
  • 12: Command rejected
  • 13: Syntax error encountered
-u <runuser> Sets the value of the runuser variable within the configuration file, useful for testing purposes.
-v Displays the version number of Privilege Manager and exits.
-z

Enables or disables debug tracing, and optionally sends SIGHUP to running process.

Refer to Enabling program-level tracing before using this option.

Sets the command name and optional arguments.

You can use pmcheck two ways: to check the syntax of the configuration file, or to test whether a request is accepted or rejected (that is, to simulate running a command).

By default, pmcheck runs the configuration file interactively in the same way as pmmasterd and reports any syntax errors found. If you supply an argument to a command, it reports whether the requested command is accepted or rejected. You can use the –c and –q options to verify the syntax in batch or silent mode, without any user interaction required.

When you run a configuration file using pmcheck, you are allowed to modify the values of the incoming variables. This is useful for testing the configuration file's response to various conditions. When pmmasterd runs a configuration file, the incoming variables are read-only.

Example

To verify whether the pmpolicy file /opt/quest/qpm4u/policies/test.conf allows user jsmith in the users group to run the passwd root command on host, host1, enter:

pmcheck -f /opt/quest/qpm4u/policies/test.conf –o pmpolicy –u jsmith –g users 
-h host1 passwd root

pmclientd

Syntax
pmclientd [-v]i|[-z on|off[:<pid>]]
Description

The pmclientd daemon runs on an agent and allows the agent to respond to remote requests sent by a policy server as a result of calling a remote function from the policy file. It is not required on a policy server, as the pmmasterd daemon can serve these requests, if received from another policy server. pmclientd listens on the configured policy server port and responds to a remote request received from any valid policy server or any host listed in the clients setting in pm.settings.

Options

pmclientd has the following options.

Table 50: Options: pmclientd
Option Description
-v Displays the version number of Privilege Manager and exits.

Enables or disables debug tracing, and optionally sends SIGHUP to running process.

Refer to Enabling program-level tracing before using this option.

pmclientinfo

Syntax
pmclientinfo -v | [-z on|off[:<pid>]]] | -c [-h <host>]
Description

The pmclientinfo utility displays configuration information about a client host. This utility provides some information about the policy server group and the license features supported by the policy server group. You can specify a host on the command line to retrieve the details from a specific policy server host. Otherwise, the utility checks each policy server listed in the pm.settings file in turn until it finds one in a policy server group. Any user can run pmclientinfo.

Options

pmclientinfo has the following options.

Table 51: Options: pmclientinfo
Option Description
-c Displays CSV, rather than human-readable output.
-h <host> Specifies policy server host name to interrogate for policy group information.
-v Displays the version number of Privilege Manager and exits.

Enables or disables debug tracing.

Refer to Enabling program-level tracing before using this option.

Examples

Any user on the host can run this utility. It displays the following information, in human readable or CSV format:

- Joined to a policy group                                    : YES 
- Policy group name configured for this policy server group   : adminGroup1 
- Primary policy server hostname                              : adminhost1

Human Readable output from a client:

- Joined to a policy group                                    : YES 
- Name of policy group                                        : adminGroup1 
- Hostname of primary policy server : adminhost1.example.com

CSV output from a client:

PMCLIENTINFO.JOINED,Joined to a policy group,YES 
PMCLIENTINFO.POLICYGROUPNAME,Name of policy group,adminGroup1 
PMCLIENTINFO.PRIMARYPOLICYSERVER,Hostname of primary policy server,adminhost1.example.com
Files
  • Settings file: /etc/opt/quest/qpm4u/pm.settings
Related Topics

pmjoin

Documents connexes