Alerts enable you to specify commands that raise an alert if entered by a user, and the action you want Privilege Manager for Unix to take.
Use the alertkeyaction variable to specify the action Privilege Manager for Unix is to take when an alert is raised. The default action logs the alert and allows the command to continue.
Enter alertkeysequence in the policy as a list of regular expressions, like this:
alertkeysequence={"^rm.*", "/rm.*", ".*xterm"};
Other valid alert actions are:
- log
- reject
- or any valid string
For example:
if (user=="root") { alertkeyaction="ignore"; }
else if (user=="john") { alertkeyaction="alert"; }
else if (user=="dave") { alertkeyaction="trace"; }
else { alertkeyaction="reject"; }
If an event raises an alert, Privilege Manager for Unix logs an AlertRaised event log. The alertkeyaction variable is also included in the log as part of the event.
If the alertkeyaction variable is set to reject, Privilege Manager for Unix cancels the command, terminates the user’s session, and displays a rejection message.
If the alertkeyaction variable is set to anything other than reject, Privilege Manager for Unix allows the command to run and records it in the event log. The example above shows how you can assign different strings to different users; because the string is stored with the event, you can use the alertkeyaction value as a filter when searching the event log for these events.
alertkeyaction logging is enabled even if iologging is disabled. If iologging is disabled, a new session is started with pmmasterd for each alertraised event.
By default, alertraised events are not displayed in pmlog. To view the alertraised event, use the -l parameter or the -d parameter. For example:
# pmlog -l
Alert events have the same unique ID as the Privilege Manager for Unix session from which they were generated. This enables you to identify alert events raised during a specific session.
Use pmcheck to check a given string against any expression defined in the alertkeypatterns list:
# pmcheck -a "<string>" <command>
For example:
# pmcheck -a "rm /etc/opt/quest/qpm4u/pm.settings" ksh
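The following script is an added example, not code from the Privilege Manager for Unix documentation or product. It simulates how the alertkeysequence list and the per-user alertkeyaction assignment shown above combine into a decision for one command, and extends the single-string check of pmcheck -a to a batch of sample commands so that mis-anchored or never-triggered patterns stand out. It assumes each list entry is an unanchored regular expression searched anywhere in the command line; verify the real matching behaviour with pmcheck -a before relying on the results.

```python
import re

# Patterns copied from the alertkeysequence example on this page.
ALERT_KEY_SEQUENCE = [r"^rm.*", r"/rm.*", r".*xterm"]

# Per-user alertkeyaction values from the page's if/else example;
# "reject" is the final else branch, so it applies to every other user.
USER_ACTIONS = {"root": "ignore", "john": "alert", "dave": "trace"}
DEFAULT_ACTION = "reject"


def matching_patterns(command, patterns=ALERT_KEY_SEQUENCE):
    """Return the list entries that match the command string.
    Assumption: each entry is a regular expression searched anywhere in
    the command line (re.search), so unanchored entries match mid-string."""
    return [p for p in patterns if re.search(p, command)]


def evaluate(user, command, patterns=ALERT_KEY_SEQUENCE):
    """Simulate the decision for one command entered by one user.
    Returns (alert_raised, alertkeyaction, command_allowed)."""
    hits = matching_patterns(command, patterns)
    if not hits:
        return (False, None, True)
    action = USER_ACTIONS.get(user, DEFAULT_ACTION)
    # Only "reject" cancels the command; any other string lets it run and
    # is recorded with the AlertRaised event, where it can serve as a filter.
    return (True, action, action != "reject")


def unmatched_patterns(samples, patterns=ALERT_KEY_SEQUENCE):
    """Policy-review helper: patterns that none of the sample commands
    trigger, which usually means an entry is mis-anchored or redundant."""
    hit = set()
    for cmd in samples:
        hit.update(matching_patterns(cmd, patterns))
    return [p for p in patterns if p not in hit]


if __name__ == "__main__":
    # Constructed sample commands for the demonstration.
    samples = ["rm -rf /tmp/build", "/bin/rm /etc/hosts",
               "xterm -display :0", "ls -la /rmdir", "cat /etc/passwd"]
    for cmd in samples:
        print(f"{cmd!r:28} -> {matching_patterns(cmd)}")
    for user in ("root", "john", "dave", "alice"):
        print(user, evaluate(user, "rm -rf /tmp/build"))
    print("never matched:", unmatched_patterns(samples))
```

Note that "ls -la /rmdir" triggers "/rm.*" even though no rm command is run, which is the kind of over-match a batch check exposes before the policy is deployed.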