Type integer READONLY
pmshell_script is a constant value that identifies a shell script. Use it for comparison with the value of the pmshell_cmdtype variable.
if (defined pmshell_cmd && (pmshell_cmdtype == pmshell_script))
{
#forbid any shell scripts unless interpreter is a program in /opt/quest/bin
if (dirname (pmshell_interpreter) != "/opt/quest/bin"))
{
reject "You cannot run this script";
}
}Type string READONLY
pmshell_uniqueid is only defined if the command is a shell subcommand running from a Privilege Manager for Unix shell (pmsh, pmcsh, pmksh, and pmbash). It contains the uniqueid of the session running the shell program. It allows the individual commands running within the shell to be identified as part of the same shell session when viewing the audit log entries.
#shell script example to print out all shell commands for each shell run on
#15 january 2009
#constraint to select pmshell programs running on selected date
constraint="(date=\"2009/01/15\") && (pmshell==1) && (pmshell_cmd==0))"
#format to display user and shell program name
userformat="sprintf(\"User:%s, shell:%s\", user, pmshell_prog)"
#format to display shell subcommand name and time
shellformat="sprintf(\" Time:%s, ShellCommand:%s\n", time, runcommand)"
#find the unique IDs for all shell sessions
allids=`/bin/sh -c "pmlog -p 'sprintf(\"%s\", uniqueid)' -c '${constraint}'"`
#for each shell session, print out the username and shell program name,
#and display each shell command run from the shell, with the time it was
#executed for one in $allids
do
cmd="pmlog -p '${userformat}' -c 'uniqueid==\"${one}\"'"
/bin/sh -c "${cmd}"
cmd="pmlog -p '${shellformat}' -c 'pmshell_uniqueid==\"${one}\"'"
/bin/sh -c "$cmd"
doneType string READONLY
pmversion contains the Privilege Manager for Unix version and build number.
print("The current Privilege Manager for Unix version is %s", pmversion);Type string READONLY
ptyflags contains a bitmask indicating the ptyflags set from the submit user's environment. If set, the following bits indicate:
Bit 0: stdin is open Bit 1: stdout is open Bit 2: stderr is open Bit 3: command was run in pipe mode Bit 4: stdin is from a socket Bit 5: command to be run using nohup
PTY_IN=0x1;
if (ptyflags & PTY_IN)
{
#only authenticate if stdin is open and password can be entered
if (!authenticate_pam(user, "sshd"))
{
reject "Failed to authenticate user";
}
}
else
{
reject "Cannot authenticate the user"; }© 2024 One Identity LLC. ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center