Chatta subito con l'assistenza
Chat con il supporto

Privilege Manager for Unix 7.2.2 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Backing up and archiving event and keystroke logs

Use the pmlogadm program to perform backup or archive operations on a policy server's event log database. Because Privilege Manager for Unix stores keystroke logs in individual flat files on the policy server, you may use standard Unix commands to back up or archive them. Make sure the keystroke log files are not associated with active sessions prior to backup or archive.

Disabling and enabling services

While pmlogadm can perform the backup and archive operations on a live event log database, for best results we recommend that you follow these steps prior to performing a backup or archive.

  1. Stop the pmserviced and pmlogsrvd services.
    This example shows how to disable services on Redhat Linux systems:
    # service pmserviced stop
    Stopping pmserviced service:     done
    # service pmlogsrvd stop 
    Stopping pmlogsrvd service:     done
  2. Ensure there are no running pmmasterd processes:
    # ps -ef | grep pmmasterd

    A running pmmasterd process indicates that there may be an active Privilege Manager for Unix session.

This procedure also allows you to safely backup or archive any keystroke log files. Once the backup or archive operation has completed, remember to restart the pmserviced and pmlogsrvd services.

This example shows how to restart the services on Redhat Linux systems:

# service pmlogsrvd start
Starting pmlogsrvd service:     done
# service pmserviced start
Starting pmserviced service:     done
Backing up event logs

The pmlogadm backup command creates a clean backup copy of your event log database.

This example performs a backup of the current event log database, placing the copy in the /backup directory:

# pmlogadm backup /var/opt/quest/qpm4u/pmevents.db /backup
5 / 208 pages complete
10 / 208 pages complete
...
205 / 208 pages complete
208 / 208 pages complete
Backing up keystroke logs

Privilege Manager for Unix stores the keystroke logs in individual files and do not require any special commands for processing.

This example uses the unix cp command to recursively copy the keystroke logs to the /backup directory:

# cp -r /var/opt/quest/qpm4u/iolog /backup
Archiving event logs

The pmlogadm archive command creates an archive of old event logs and removes the old event logs from the current database. The following example archives logs for all events that occurred before April 1, 2014 from the current event log database, creating an archive database in the /archive/2014Q1 directory.

If you omit the --no-zip option, pmlogadm also creates a tar-gzip'ed archive of the database files.

# pmlogadm archive /var/opt/quest/qpm4u/pmevents.db 2014Q1 \
  --dest-dir /archive --no-zip --before "2014-04-01 00:00:00"
Archive Job Summary
     Source Log : /var/opt/quest/qpm4u/pmevents.db
   Archive Name : 2014Q1
Destination Dir : /archive
    Zip Archive : No
   Cut off time : 2014/04/01 00:00:00

No pmlogsrvd pid file found, assuming service is not running.
X events will be archived.
Adding events to the archive.
Verifying archive.
Archive verification completed successfully. Removing events from source log.
Archive task complete.
Archiving keystroke logs

You can use the pmlog command with some carefully chosen options to get a list of keystroke logs associated with the event logs you archive. In this example, you process the list generated by pmlog, with the Unix xargs and mv commands to move the keystroke logs into the /archive/2014Q1/iolog directory.

# mkdir /archive/2014Q1/iolog
# pmlog -f /archive/2014Q1/archive.db \
   -c "defined iolog && length(iolog) != 0" -p iolog \
   | xargs -i{} mv {} /archive/2014Q1/iolog

The usage of the xargs command may differ depending on your platform.

InTrust Plug-in for Privilege Manager for Unix

Quest® InTrust for Active Directory provides a centralized auditing point allowing you to collect and report on the audit data from Privilege Manager for Unix as well as many other data sources you may have in your IT infrastructure.

Figure 10: Audting with InTrust Plug-in

InTrust for Active Directory auditing capabilities allow you to collect and report on the audit data from your Privilege Manager for Unix Security system. Featuring a fully automated workflow, InTrust for Active Directory helps you:

  • Gather the Privilege Manager for Unix event logs from the policy servers running on several different platforms
  • Consolidate, store, and analyze the gathered data
  • Create reports on various aspects of your Privilege Manager for Unix security system operation

InTrust for Active Directory provides reports on the following Privilege Manager for Unix System areas:

  • All events
  • Elevated privilege events
  • All events grouped result
  • Out of band events
  • Rejected events

InTrust Plug-in requirements

InTrust for Active Directory supports Privilege Manager for Unix version 5.5 and above.

You can collect data from Privilege Manager for Unix hosts running on any of the UNIX platforms supported by InTrust.

To use the MSI installer for the InTrust Reporting Pack, your InTrust Server must use the WindowsSQL Server 2005 as its back-end database.

Installing InTrust Plug-in components

To configure InTrust for Privilege Manager for Unix you must install and configure several components separately. The diagram below shows the major components for the InTrust for Active Directory Plug-in.

Figure 11: InTrust Plug-in components

To install and configure the InTrust for Active Directory Plug-in components

  1. Install Privilege Manager for Unix and identify which logs you wish to audit.
  2. Install and configure the pmintrust.sh script to run as the root user to extract the relevant data.

    One Identity recommends that you set up a daily cron job to run “pmrun pmintrust.sh” as the pmpolicy service user.

  3. Install an InTrust Agent on the Privilege Manager for Unix Policy Server.
  4. Configure the InTrust Server: Finding, Gathering, and Storing.
  5. Gather Data.
  6. Configure the InTrust Server: Reporting.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione