Chatta subito con l'assistenza
Chat con il supporto

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

pminfo

Note that pminfo is obsolete in version 5.6 or higher and is included for backwards compatibility only.

Syntax
pminfo -v | [ -s | -d | -r [ -m <master> ] ]
Description

The pminfo program allows the local host to register with Privilege Manager for Unix. If your Privilege Manager for Unix policy server has a host license, this registration is mandatory; agents cannot communicate successfully with the policy server until registration is completed and the policy server has allocated a license slot for the agent.

During registration, information about the local host configuration is sent to the Privilege Manager for Unix policy server. This includes a list of the agent's IP addresses.

To view the information that will be sent to the Privilege Manager for Unix policy server, run pminfo with the -s option.

The pminfo program located on an agent identifies itself to the policy server using the agent's fully qualified host name and a unique registration data string.

If the host name or IP addresses of the agent are changed, then the agent must re-register with the policy server.

Options

pminfo has the following options.

Table 60: Options: pminfo
Option Description

-d

Unregisters the local host from Privilege Manager for Unix.

-m <master>

Specifies a single policy server host to register with. By default, pminfo attempts to register with all policy servers configured in etc/opt/quest/pm.settings.

-r

Registers the local host with Privilege Manager for Unix.

-s

Dumps the local host registration information to stdout.

-v

Displays the version number of Privilege Manager for Unix and exits.

Files
  • Privilege Manager for Unix configuration file: /etc/opt/quest/qpm4u/policy/pm.conf

  • Privilege Manager for Unix communication parameters: /etc/opt/quest/qpm4u/pm.settings

Related Topics

pmlicense

pmmasterd

pmjoin

Syntax
pmjoin -h | --help [-abitv] [-d <variable>=<value>] [<policy_server_host>] 
         [-bv] -u --unjoin
         [--accept] [--batch] [--define <variable>=<value>] [--interactive]
         [--selinux] [--tunnel] [--verbose] <policy_server_host>
Description

Use the pmjoin command to join a PM Agent to the specified policy server. When you join a policy server to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host. You must run this configuration script after installing the PM Agent package to allow this agent to communicate with the servers in the group.

Options

pmjoin has the following options.

Table 61: Options: pmjoin
Option Description

-a | --accept

Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/pqm4u_eula.txt.

-b | --batch

Runs in batch mode, will not use colors or require user input under any circumstances.

-d <variable>=<value> | --define <variable>=<value>

Specifies a variable for the pm.settings file and its associated value.

-h | --help

Prints this help message.

-i | --interactive

Runs in interactive mode, prompting for configuration parameters instead of using the default values.

-S | --selinux

Enable support for SELinux in Privilege Manager for Unix.

A SELinux policy module will be installed, which allows the pmlocal daemon to set the security context to that of the run user when executing commands. This requires that the policycoreutils package and either the selinux-policy-devel (RHEL7 and above) or selinux-policy (RHEL6 and below) packages be installed.

-t | --tunnel

Configures host to allow Privilege Manager for Unix connections through a firewall.

-u | --unjoin

Unconfigures a Privilege Manager for Unix agent.

-v | --verbose

Displays verbose output while configuring the host.

Examples

For usage examples, see Joining PM Agent to a Privilege Manager for Unix policy server.

Files
  • Directory when pmjoin logs are stored: /opt/quest/qpm4u/install

Related Topics

pmrun

pmlocald

pmmasterd

pmpolicy

pmsrvconfig

pmkey

Syntax
pmkey -v | [-z on|off[:<pid>]] 
         -a <keyfile> 
         [ [-l | -r | -i <keyfile>] 
         [-p <passphrase>] [-f]]
Description

Use the pmkey command to generate and install configurable certificates.

In order for a policy evaluation request to run, keys must be installed on all hosts involved in the request. The keyfile must be owned by root and have permissions set so only root can read or write the keyfile.

Options

pmkey has the following options.

Table 62: Options: pmkey
Option Description

-a <keyfile>

Creates an authentication certificate.

-i <keyfile>

Installs an authentication certificate.

-l

Creates and installs a local authentication certificate to this file:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

This is equivalent to running one of the following commands:

  • pmkey -a /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

  • pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

-f

Forces the operation. For example:

  • Ignore the password check when installing keyfile using -i or -r

  • Overwrite existing keyfile when installing local keyfile using -l

-p <passphrase>

Passes the passphrase on the command line for the -a or -l option.

If not specified, pmkey prompts the user for a passphrase.

-r

Installs all remote keys that have been copied to this directory:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_<hostname>

This provides a quick way to install multiple remote keys.

-v

Displays the Privilege Manager for Unix version and exits.

-z

Enables or disables debug tracing.

Before using this option, see Enabling program-level tracing.

Examples

The following command generates a new certificate, and puts it into the specified file:

pmkey -a <filename>

The following command installs the newly generated certificate from the specified file:

pmkey -i <filename>
Related Topics

pmcheck

pmlocald

pmmasterd

pmpasswd

pmreplay

pmrun

pmsum

pmksh

Syntax
pmksh
Description

The Privilege Manager for Unix K Shell (pmksh) starts a Korn shell, an interactive command interpreter and a command programming language. The Korn shell carries out commands either interactively from a terminal keyboard or from a file. pmksh is a fully featured version of ksh, that provides transparent authorization and auditing for all commands submitted during the shell session. All standard options for ksh are supported by pmksh.

To see details of the options and the shell built-in commands supported by pmksh, run pmksh -?.

Note that pmksh supports the -B option which allows the entire shell to run in the background when used in conjunction with '&. For example, pmksh -B -c backgroundshellscript.sh & will run the specified shell script in the background using pmksh.

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

  • forbidden by the shell without further authorization to the policy server

  • allowed by the shell without further authorization to the policy server

  • presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione