
Privilege Manager for Unix 7.3 - Administration Guide


pmreplay

Syntax
pmreplay -V 
pmreplay -[t|s|i] -[Th] <filename> 
pmreplay -[e][I][o] -[EhKTv] <filename> 
pmreplay -z on|off[:<pid>]
Description

Use the pmreplay command to replay a log file to review what happened during a specified privileged session. The program can also display the log file in real time.

When using Privilege Manager for Unix, enable keystroke logging by configuring the iolog variable. If you are using the default profile policy, please consult global_variable.conf for details about configuring keystroke logging.

pmreplay can distinguish between old and new log files. If pmreplay detects that a log file has been changed, a message displays to tell you that the integrity of the file cannot be confirmed. This also occurs if you run pmreplay in real time and the Privilege Manager for Unix session that generated the events in the log file is active; that is, the client session has not completed or closed yet. In this case, the message does not necessarily indicate that the file has been tampered with.

The name of the I/O log is a unique filename constructed with the mktemp function using a combination of policy file variables, such as username, command, date, and time.

Privilege Manager for Unix sets the permissions on the I/O log file so that only root and users in the pmlog group can read it. That way, ordinary users cannot examine the contents of the log files. You must be logged in as root or be a member of the pmlog group to use pmreplay on these files. You may want to allow users to use Privilege Manager for Unix to run pmreplay.

By default pmreplay runs in interactive mode. Enter ? to display a list of the interactive commands you can use to navigate through the file.

For example, replay a log file interactively by typing:

pmreplay /var/opt/quest/qpm4u/iolog/demo/dan/id_20130221_0855_gJfeP4

The results show a header similar to this:

 Log File : /var/opt/quest/qpm4u/iolog/demo/dan/id_20130221_0855_gJfeP4
 Date : 2013/02/21
 Time : 08:55:17
 Client : dan@sala.abc.local
 Agent : root@sala.abc.local
 Command : id
 Type ’?’ or ’h’ for help

Type ? or h at any time while running in interactive mode to display the list of commands that are available.

Options

pmreplay has the following options.

Table 79: Options: pmreplay

Option   Description
-e       Dumps the recorded standard error.
-E       Includes vi editing sessions when used with -K.
-h       When used with -o or -I, prints an optional header line. The header is always printed in interactive mode.
-i       Replays the recorded standard input.
-I       Dumps the recorded standard input, but converts carriage returns to new lines in order to improve readability.
-K       When used with -e, -I, and -o, removes all control characters and excludes vi editing sessions. Use with -E to include vi editing sessions.
-o       Dumps the recorded standard output.
-s       Automatically replays the file in slide show mode. Use + and - keys to vary the speed of play.
-t       Replays the file in tail mode, displaying new activity as it occurs.
-T       Displays command timestamps.
-v       Prints unprintable characters in octal form (\###).
-V       Displays the Privilege Manager for Unix version number.
-z       Enables or disables debug tracing. Before using this option, see Enabling program-level tracing.

Exit codes

pmreplay returns these codes:

  • 1: File format error – Cannot parse the logfile.

  • 2: File access error – Cannot open the logfile for reading.

  • 4: Usage error – Incorrect parameters were passed on the command line.

  • 8: Digest error – The contents of the file and the digest in the header do not match.
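
The exit codes above make pmreplay usable as a batch integrity check over a directory of I/O logs. The following script is an added example, not part of the product documentation or vendor code; it assumes that pmreplay is on the PATH, that an exit code of 0 means a clean replay, and that the documented codes are also returned in dump mode (-o -K). The function names and the PMREPLAY override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): triage I/O logs by pmreplay exit code.
# PMREPLAY may be overridden; the default assumes pmreplay is on PATH.
PMREPLAY="${PMREPLAY:-pmreplay}"

# Map an exit code from the "Exit codes" list to a triage label.
# Assumption: 0 means a clean replay; the page lists only 1, 2, 4 and 8.
classify_rc() {
    case "$1" in
        0) echo "OK" ;;
        1) echo "FORMAT_ERROR" ;;
        2) echo "ACCESS_ERROR" ;;
        4) echo "USAGE_ERROR" ;;
        8) echo "DIGEST_MISMATCH" ;;
        *) echo "UNKNOWN($1)" ;;
    esac
}

# Dump each log's recorded stdout (-o) with control characters removed (-K),
# discard the text, and print one "LABEL<TAB>path" line per file.
audit_iologs() {
    find "$1" -type f | sort | while IFS= read -r f; do
        rc=0
        # </dev/null keeps the command from consuming the file list on stdin
        "$PMREPLAY" -o -K "$f" </dev/null >/dev/null 2>&1 || rc=$?
        printf '%s\t%s\n' "$(classify_rc "$rc")" "$f"
    done
}

# Paths whose contents do not match the header digest. Per the Description,
# a session still in progress also triggers the integrity warning, so
# re-check these after the session closes before treating them as tampered.
digest_mismatches() {
    audit_iologs "$1" | awk -F '\t' '$1 == "DIGEST_MISMATCH" { print $2 }'
}

# Run as root or a pmlog group member, passing the I/O log directory.
if [ "$#" -gt 0 ]; then
    audit_iologs "$1"
fi
```

Feed the output of digest_mismatches into your alerting pipeline, and treat ACCESS_ERROR on a log the auditing account should be able to read as a permissions change worth investigating.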

Navigating the log file

Use the following commands to navigate the log file in interactive mode.

Table 80: Log file navigation shortcuts

Command                       Description
g                             Go to start of file.
G                             Go to end of file.
p                             Pause or resume replay in slide show mode.
q                             Quit the replay.
r                             Redraw the log file from start.
s                             Skip to next time marker. Allows you to see what happened each second.
t                             Display time of an action at any point in the log file.
u                             Undo your last action.
v                             Display all environment variables in use at the time the log file was created.
Space key                     Go to next position (usually a single character); that is, step forward through the log file.
Enter key                     Go to next line.
Backspace key                 Back up to last position; that is, step backwards through the log file.
/<Regular Expression> Enter   Search for a regular expression.
/Enter                        Repeat last search.

Display the time of an action at any point in the log file with t, redraw the log file with r, and undo your last action with u.

You can also display all the environment variables which were in use at the time the log file was created using v. Use q or Q to quit pmreplay.

Type any key to continue replaying the I/O log.

pmresolvehost

Syntax
pmresolvehost -p|-v|[-h <hostname>] [-q][-s yes|no]
Description

The pmresolvehost command verifies the host name / IP resolution for the local host or for a selected host. If you do not supply arguments, pmresolvehost checks the local host name/IP resolution.

Options

pmresolvehost has the following options.

Table 81: Options: pmresolvehost

Option          Description
-h <hostname>   Verifies the selected host name.
-p              Prints the fully qualified local host name.
-q              Runs in silent mode; displays no errors.
-s              Specifies whether to allow short names.
-v              Displays the Privilege Manager for Unix version.

pmrun

Syntax
pmrun -v | -z on|off[<pid>] [-b][-d][-n][-p] [-m <masterhost>] [-h <hostname>] 
        [-u <requestuser>] command [args]
Description

The pmrun command requests that an application be run in a controlled account. To use it, add pmrun to the beginning of the command line. For example:

pmrun backup /usr dev/dat

pmrun checks the /etc/opt/quest/qpm4u/pm.settings file to determine which policy server daemon to send the request to. Once it has contacted a policy server daemon, it sends a request to the daemon to run the specified application. As with the ssh command, you can type ~^Z to suspend pmrun, or ~. to terminate it. You must enter these commands at the beginning of a new line.

Options

pmrun has the following options.

Table 82: Options: pmrun

Option             Description
-b                 Allows the runcommand process to run in the background, permitting you to run other programs or commands from the same window. You can use the -b switch with any application process which does not require output that changes the tty mode. Because of this restriction, you cannot use the -b switch with applications that require a password.
-d                 The -d option is required if the application you are running uses the nohup command. Include the -d parameter to ensure that the nohup command functions correctly.
-h <hostname>      Allows you to request a particular execution host to run the request. Enter -h <host> before the command you are requesting.
-m <masterhost>    Allows you to select the policy server host to contact, bypassing the usual selection methods. The specified host must be in the masters setting in the pm.settings file.
-n                 Redirects the input of pmrun to /dev/null. Use the -n option to avoid unfortunate interactions between pmrun and the shell which invokes it. For example, if you are running pmrun and start a pmrun in the background without redirecting its input away from the terminal, it will block even if no reads are posted by the remote command.
-p                 Puts pmrun into pipe mode, in which all interactions with the user's terminal are done without changing any of the terminal parameters. Normally, pmrun puts the terminal into raw mode, so that programs such as text editors, which require raw mode, can run properly under pmrun. Pipe mode is useful when you need to pipe several pmrun commands together. For example:
                       pmrun -p ls /etc/secure | pmrun -p dbadd listing
-u <requestuser>   Requests to run the command as the specified user. The policy server decides whether to honor this request.
-v                 Displays the Privilege Manager for Unix version number and exits.
-z                 Enables or disables tracing for this program and optionally for a currently running process. Before using this option, see Enabling program-level tracing.

Files

File containing Privilege Manager for Unix communication parameters, including the list of valid master hosts:

/etc/opt/quest/qpm4u/pm.settings
Related Topics

pmcheck

pmkey

pmlocald

pmmasterd

pmpasswd

pmreplay

pmsum
