Chatta subito con l'assistenza
Chat con il supporto

Privilege Manager for Unix 7.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

pmcsh

Syntax
pmcsh
Description

The Privilege Manager for Unix C Shell (pmcsh) command starts a C shell, an interactive command interpreter and a command programming language that uses syntax similar to the C programming language. The C shell carries out commands either interactively from a terminal keyboard or from a file. pmcsh is a fully featured version of csh, that provides transparent authorization and auditing for all commands submitted during the shell session. All standard options for csh are supported by pmcsh.

To see details of the options and the shell built-in commands supported by pmcsh, run pmcsh -?

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

  • forbidden by the shell without further authorization to the policy server
  • allowed by the shell without further authorization to the policy server
  • presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Options

pmcsh has the following options.

Table 55: Options: pmcsh
Option Description
-b <file> Runs in batch mode. Reads and runs commands from specified file.
-B Allows the shell to run in the background.
-c <command> Runs specified command from next argument.
-d Loads directory stack from ~/.cshdirs.
-Dname[=value] Defines environment variable name as specified value (DomainOS only).
-e Exits on any error.
-f Starts faster by ignoring the start-up file.
-F Uses fork() instead of vfork() when spawning (ConvexOS only).
-i Runs in interactive mode, even when input is not from a terminal.
-l Acts as a login shell, must be the only option specified.
-m Loads the start-up file, whether or not owned by effective user.
-n <file> Runs in no execute mode, just checks syntax of the specified file.
-q Accepts SIGQUIT for running under a debugger.
-s Reads commands from standard input.
-t Reads one line from standard input.
-v Echos commands after history substitution.
-V Like -v but including commands read from the start up file.
-x Echos commands immediately before execution.
-X Like -x but including commands read from the start up file.
--help | ? Prints this message and exits.

--version

Prints the version shell variable and exits.

pmcsh supports the following built-in functions:

:, @, alias, alloc, bg, bindkey, break, breaksw, builtins, case, cd, chdir, complete, continue, default, dirs, echo, echotc, else, end, endif, endsw, eval, exec, exit, fg, filetest, foreach, glob, goto, hashstat, history, hup, if, jobs, kill, limit, log, login, logout, ls-F, nice, nohup, notify, onintr, popd, printenv, pushd, rehash, repeat, sched, set, setenv, settc, setty, shift, source, stop, suspend, switch, telltc, termname, time, umask, unalias, uncomplete, unhash, unlimit, unset, unsetenv, wait, where, which, while

pmincludecheck

Syntax
pmincludecheck [-v][-p <path>][-f][-o]
Description

pmincludecheck is used by the pmsrvconfig script on the primary server only. When configuring a primary server in pmpolicy mode, if you do not have a policy file to import into the repository, then pmincludecheck initializes the policy from the current set of default policy files provided in the installation.

Options

pmincludecheck has the following options.

Table 56: Options: pmincludecheck
Option Description

-v

 Displays the version number of Privilege Manager for Unix and exits.

-p <path>

 Sets policyDir to the specified path.

-f

 Sets policyDir to the specified file.

-o

Forces rewrite of the current policy file, which archives and replaces the current policy file.

pminfo

Note that pminfo is obsolete in version 5.6 or higher and is included for backwards compatibility only.

Syntax
pminfo -v | [ -s | -d | -r [ -m <master> ] ]
Description

The pminfo program allows the local host to register with Privilege Manager for Unix. If your Privilege Manager for Unix policy server has a host license, this registration is mandatory; agents cannot communicate successfully with the policy server until registration is completed and the policy server has allocated a license slot for the agent.

During registration, information about the local host configuration is sent to the Privilege Manager for Unix policy server. This includes a list of the agent's IP addresses.

To view the information that will be sent to the Privilege Manager for Unix policy server, run pminfo with the -s option.

The pminfo program located on an agent identifies itself to the policy server using the agent's fully qualified host name and a unique registration data string.

If the host name or IP addresses of the agent are changed, then the agent must re-register with the policy server.

Options

pminfo has the following options.

Table 57: Options: pminfo
Option Description

-d

 Unregisters the local host from Privilege Manager for Unix.

-m <master>

 Specifies a single policy server host to register with. By default, pminfo attempts to register with all policy servers configured in etc/opt/quest/pm.settings.

-r

 Registers the local host with Privilege Manager for Unix.

-s

 Dumps the local host registration information to stdout.

-v

Displays the version number of Privilege Manager for Unix and exits.

Files
  • Privilege Manager for Unix configuration file: /etc/opt/quest/qpm4u/policy/pm.conf
  • Privilege Manager for Unix communication parameters: /etc/opt/quest/qpm4u/pm.settings
Related Topics

pmlicense

pmmasterd

pmjoin

Syntax
pmjoin –h | --help [-abitv] [-d <variable>=<value>] [<policy_server_host>] 
         [-bv] -u --unjoin
         [--accept] [--batch] [--define <variable>=<value>] [--interactive] 
         [--selinux] [--tunnel] [--verbose] <policy_server_host>
Description

Use the pmjoin command to join a PM Agent to the specified policy server. When you join a policy server to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host. You must run this configuration script after installing the PM Agent package to allow this agent to communicate with the servers in the group.

Options

pmjoin has the following options.

Table 58: Options: pmjoin
Option Description
-a | --accept Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/pqm4u_eula.txt.
-b | --batch Runs in batch mode, will not use colors or require user input under any circumstances.
-d <variable>=<value> | --define <variable>=<value> Specifies a variable for the pm.settings file and its associated value.
-h | --help Prints this help message.
-i | --interactive Runs in interactive mode, prompting for configuration parameters instead of using the default values.

-S | --selinux

Enable support for SELinux in Privilege Manager for Unix.

A SELinux policy module will be installed, which allows the pmlocal daemon to set the security context to that of the run user when executing commands. This requires that the policycoreutils package and either the selinux-policy-devel (RHEL7 and above) or selinux-policy (RHEL6 and below) packages be installed.

-t | --tunnel Configures host to allow Privilege Manager for Unix connections through a firewall.
-u | --unjoin Unconfigures a Privilege Manager for Unix agent.

-v | --verbose

Displays verbose output while configuring the host.

Examples

See Joining PM Agent to a Privilege Manager for Unix policy server for usage examples.

Files
  • Directory when pmjoin logs are stored: /opt/quest/qpm4u/install
Related Topics

pmrun

pmlocald

pmmasterd

pmpolicy

pmsrvconfig

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione