Chatta subito con l'assistenza
Chat con il supporto

Safeguard for Sudo 7.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard for Sudo Variables Safeguard for Sudo programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

pmcheck

Syntax
pmcheck [ -z on|off[:<pid>] ] | [ -v ] | 
           [ [ -a <string> ] [ -b ] [ -c ] [ -e <requestuser> ] 
           [ -f <filename> ] [ -g <group> ] [ -h <hostname> ] [ -i ] 
           [ -m <YY[YY]/MM/DD> ] [ -n <HH[:MM]> ] 
           [ -o sudo|pmpolicy ] [ -p <policydir> ] [ -q  ]  [  -r <remotehost> ] 
           [ -s <submithost> ] [ -t ] [ -u <runuser> ] [ command [ args ]]]
Description

Use the pmcheck command to test the policy file. Although the policy server daemon pmmasterd reports configuration file errors to a log file, always use pmcheck to verify the syntax of a policy file before you install it on a live system. You can also use the pmcheck command to simulate running a command to test whether a request will be accepted or rejected.

The pmcheck program exits with a value corresponding to the number of syntax errors found.

Options

pmcheck has the following options.

Table 16: Options: pmcheck
Option Description

-a <string>

Checks if the specified string, entered during the session, matches any alertkeysequence configured.

You can only specify this option if you supply a command.

This option is only relevant when using the pmpolicy type.

-b

Run in batch mode. By default, pmcheck runs in interactive mode, and attempts to emulate the behavior of the pmmasterd when parsing the policy file. The -b option ensures that no user interaction is required if the policy file contains a password or input function; instead, a successful return code is assumed for any password authentication functions.

-c

Runs in batch mode and displays output in csv format. By default pmcheck runs in interactive mode. The -c option ensures that no user interaction is required if the policy file contains a password prompt or input function and no commands that require remote connections are attempted.

-e <requestuser>

Sets the value of requestuser. This option allows you to specify the group name to use when testing the configuration. This emulates running a session using the sudo -u <user> option to request that Safeguard for Sudo runs the command as a particular runuser.

-f <filename>

Sets path to policy filename. Provides an alternative configuration filename to check. If not fully qualified, this path is interpreted as relative to the policydir, rather than to the current directory.

-g <group>

Sets the group name to use. If not specified, then pmcheck looks up the user on the master policy server host to get the group information. This option is useful for checking a user and group that does not exist on the policy server.

-h <hostname>

Specifies execution host used for testing purposes.

-i

Ignores check for root ownership of policy.

-m <YY[YY]/MM/DD>

Checks the policy for a particular date. Enter Date in this format: YY[YY]/MM/DD. Defaults to the current date.

-n <HH[:MM]>

Checks the policy for a particular time. Enter Time in this format: HH[:mm]. Defaults to the current time.

-o <policytype>

Interprets the policy with the specified policy type:

  • sudo

  • pmpolicy

-p policydir

Forces pmcheck to use a different directory to search for policy files included with a relative pathname. The default location to search for policy files is the policydir setting in pm.settings.

-q

Runs in quiet mode, pmcheck does not prompt the user for input, print any errors or prompts, or run any system commands. The exit status of pmcheck indicates the number of syntax errors found (0 = success). This is useful when running scripted applications that require a simple syntax check.

-r remotehost

Sets the value of the clienthost variable within the configuration file, useful for testing purposes.

The clienthost variable is set to the value of the submithost variable.

-s submithost

Sets the value of the submithost variable within the configuration file, useful for testing purposes.

-t

Runs in quiet mode to check whether a command would be accepted or rejected. By default, pmcheck runs in interactive mode. The -t option ensures that no user interaction is required if the policy file contains a password prompt or input function, no output is displayed and no commands that require remote connections are attempted.

Exit Status:

  • 0: Command accepted

  • 11: Password prompt encountered. The command will only be accepted if authentication is successful

  • 12: Command rejected

  • 13: Syntax error encountered

-u <runuser>

Sets the value of the runuser variable within the configuration file, useful for testing purposes.

-v

Displays the version number of Safeguard for Sudo and exits.

-z

Enables or disables debug tracing, and optionally sends SIGHUP to running process.

Before using this option, see Enabling Program-level Tracing.

command [args]

Sets the command name and optional arguments.

You can use pmcheck two ways: to check the syntax of the configuration file, or to test whether a request is accepted or rejected (that is, to simulate running a command).

By default, pmcheck runs the configuration file interactively in the same way as pmmasterd and reports any syntax errors found. If you supply an argument to a command, it reports whether the requested command is accepted or rejected. You can use the -c and -q options to verify the syntax in batch or silent mode, without any user interaction required.

When you run a configuration file using pmcheck, you are allowed to modify the values of the incoming variables. This is useful for testing the configuration file's response to various conditions. When pmmasterd runs a configuration file, the incoming variables are read-only.

Example

To verify whether the sudoer policy file /etc/sudoers, ingoring permissions and ownership, allows user jsmith in the users group to run the passwd root command on host, host1, enter:

pmcheck -f /etc/sudoers -i -o sudo -u jsmith -g users
-h host1 passwd root
Related Topics

pmkey

pmmasterd

pmreplay

pmcheckperms

Syntax
pmcheckperms> [-f] [-v]
pmcheckperms> -z on|off[:<pid>]
Description

The pmcheckperms utility can be used to check the ownership and permissions of Privilege Manager files on the system. It may be run on a plugin host, an agent, or a policy server.

The following directory hierarchies are validated by pmcheckperms:

  • /etc/opt/quest/qpm4u/policy

  • /var/opt/quest/qpm4u/evcache

  • /var/opt/quest/qpm4u/iolog

  • /var/opt/quest/qpm4u/pmclient

  • /var/opt/quest/qpm4u/pmevents.db

  • /var/opt/quest/qpm4u/pmpolicy

  • /var/opt/quest/qpm4u/.qpm4u/.perfdata

  • /var/opt/quest/qpm4u/.qpm4u/.repository

Options

pmcheckperms has the following options.

Table 17: Options: pmcheckperms
Option Description

-f

Fixes detected permission issues.

If pmcheckperms finds an ownership or permission problem, it sets the correct value for the affected file or directory.

-v

Enables verbose output.

The command prints the name of each checked file and directory in the standard output.

Settings

pmcheckperms uses the following entries in the /etc/opt/quest/qpm4u/pm.settings file.

Table 18: Settings: pmcheckperms
Option Description

eventLogQueue <pathname>

Specifies the location of the event log queue, where event data is temporarily queued before being written to the event log database.

Related Topics

pmlog

pmmasterd

pmgit

Syntax
pmgit <subcommand> [arguments]
Description

The pmgit utility is a tool that can mediate version control operations between Subversion (SVN) and Git version control systems.

For more information on the pmgit policy management concept, see Managing policies in Git.

The pmgit utility has several subcommands, each with its own set of options and arguments. For each subcommand, pmgit returns 0 if the operation succeeds or 1 if an error occurred.

For more information on the subcommands, see:

pmgit subcommands

The following topics describe pmgit subcommands and their arguments.

Topics:
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione