サポートと今すぐチャット
サポートとのチャット

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

pmlocald

Syntax
pmlocald - v | [-s] [-e <filename>] [-m <polserverspec>] | -z on|off [:<pid>]
Description

The Privilege Manager for Unix local daemon (pmlocald) runs programs when instructed to do so by the appropriate policy server daemon. pmlocald is started from pmserviced.

Unless the -m option is used, it first checks the /etc/opt/quest/qpm4u/pm.settings file to determine the policy server daemons from which it is allowed to accept requests. If the request is legitimate, it then runs and manages the program.

Options

pmlocald has the following options.

Table 65: Options: pmlocald
Option Description

-e <filename>

Sends any errors to the specified file; applies only to local daemon errors.

-m <polserverspec>

Specifies the policy server daemon from which requests are accepted. polserverspec is either a host name, or a netgroup name preceded by a + or a - (+ includes the netgroup, - excludes it). You can specify polserverspec more than once.

If you use the -m option, it does not consult masterhost setting in the /etc/opt/quest/qpm4u/pm.settings file.

-s

Sends any errors generated to syslog.

-v

Displays the version number of Privilege Manager for Unix and exits.

-z

Enables or disables tracing for this program and optionally for a currently running process.

Before using this option, see Enabling program-level tracing.

Files

File containing Privilege Manager for Unix communication parameters, including the list of valid master hosts:

/etc/opt/quest/qpm4u/pm.settings
Related Topics

pmcheck

pmkey

pmmasterd

pmpasswd

pmreplay

pmrun

pmsum

pmlog

Syntax
pmlog [-dlvq] [-p|a|e|r|x <printexpr>] [-f <filename>] [[-c] <constraint>] 
         [[-c] <constraint>] [-f <filename>] -h [-z on|off[:<pid>]] 
         [--user <username>] 
         [--runuser <username>] [--runhost <hostname>] [--reqhost <hostname>]  
         [--masterhost <hostname>][--command <pattern>] [--reqcommand <pattern>]  
         [--runcommand <pattern>][--before "<YYYY/MM/DD hh:mm:ss>"]  
         [--after "<YYYY/MM/DD hh:mm:ss>"][--result Accept|Reject]
Description

Use the pmlog command to selectively choose and display entries in a Privilege Manager for Unix event log. Each time a job is accepted, rejected, or completed by pmmasterd, an entry is appended to the file specified by the eventlog variable in the configuration file. eventlog is sent to /var/opt/quest/qpm4u/pmevents.db on all platforms.

Options

pmlog has the following options.

Table 66: Options: pmlog
Option Description

-a <expression>

Sets the print expression for accept events to the specified expression.

-c <constraint>

Selects particular entries to print; specify constraint as a Boolean expression.

For more information, see Examples.

-d

Dumps each entry as it is read without matching 'accept' and 'end' entries. The -d (dump) option forces pmlog to print each entry as it is read from the file. The default output format includes a unique identifier at the start of each record, allowing 'end' events to be matched with 'accept' events.

-e <expression>

Sets the print expression for finish events to the specified expression.

-f <filename>

Reads the event log information from the specified file.

-h

Displays usage information.

-l

Dumps alert log entries only.

-p <expression>

Sets the print expression for all event types to the specified expression.

-q

Runs in quiet mode; no expression errors (for example, undefined variables) are printed.

-r <expression>

Sets the print expression for reject events to the specified expression.

-v

Turns on verbose mode.

-x <expression>

Sets the print expression for alert events to the specified expression.

-z

Enables or disables debug tracing.

Before using this option, see Enabling program-level tracing.

Quick Search Options

--user <username>

Selects entries in which the requesting user matches username.

--runuser <username>

Selects entries in which runuser matches username.

--runhost <hostname>

Selects entries in which runhost matches hostname.

--reqhost <hostname>

Selects entries in which the requesting host matches hostname.

--masterhost <hostname>

Selects entries in which masterhost matches hostname.

--command <pattern>

Selects entries in which the requested command matches pattern.

--reqcommand <pattern>

Return events where the given text appears anywhere in the requested command line.

--runcommand <pattern>

Selects entries in which the runcommand host matches pattern.

--before "<YYYY/MM/DD hh:mm:ss>"

Selects entries occurring before the specified date and time.

--after "<YYYY/MM/DD hh:mm:ss>"

Selects entries occurring after the specified date and time.

--result Accept|Reject

Selects entries that were accepted or rejected.

Examples

Without arguments, pmlog reads the default eventlog file and prints all its entries. If you have chosen a different location for the event log, use the -f option to specify the file for pmlog.

By default, pmlog displays one entry for each completed session (either rejected or accepted). You can filter the results to print only entries which satisfy the specified constraint using the -c option. In these examples the -c option is used to specify a constraint as a Boolean expression:

pmlog -c'event=="Reject"'
pmlog -c'date > "2008/02/11"'
pmlog -c'user=="dan"'

Which prints only rejected entries, entries that occur after February 11, 2008, or requests by user Dan, respectively.

For more information about policy variables, see Privilege Manager for Unix Variables.

The following options accept shortcut notations to specify constraints:

  • --user username

  • --runuser username

  • --reqhost hostname

  • --runhost hostname

  • --masterhost hostname

  • --command command

  • --runcommand command

  • --reqcommand command

  • --before "YYYY/MM/DD hh:mm:ss"

  • --after "YYYY/MM/DD hh:mm:ss"

  • --result Accept|Reject

For example, here are equivalent constraints to the previous example specified using shortcuts:

pmlog --result Reject
pmlog --after "2008/02/11 00:00:00"
pmlog --user dan

With shortcuts, you can express user names and host names as patterns containing wild card characters (? and *). For example, to display entries for all requests for user1, user2, and user3, use the following shortcut:

pmlog --user “user?"

Enclose patterns containing wild card characters in quotes to avoid being interpreted by the command shell.

Use the -d and -v options for debugging. Normally, when pmlog finds an 'accept' entry, it refrains from printing until the matching 'end' entry is found; all requested information including exitstatus, exitdate, and exittime is then available to print.

The -d (dump) option forces pmlog to print each entry as it is read from the file. The default output format includes a unique identifier at the start of each record, allowing 'end' events to be matched with 'accept' events.

The -v (verbose) option prints all the variables stored with each entry.

The -t option turns on tail follow mode. The program enters an endless loop, sleeping and printing new event records as they are appended to the end of the log file. The -d flag is implied when using -t.

You can specify the output format for each of the three event types - 'accept', 'reject' or 'finish' - with the -a, -r, and -e options. Use the -p option to set the output for all three event types.

For example, to print only the dates and names of people making requests, enter one of the following:

pmlog -p'date + "\t" + user + "\t" + event'
pmlog -p 'sprintf("%s %-8s %s", date, user, event)'

For more examples of using the pmlog command, see Listing event logs.

NOTE If you run pmlog --csv console to obtain CSV output from pmlog. For a list of the column headings, see pmlogsearch.

pmlogadm

Syntax
pmlogadmin> archive <event_log_path> <archive_path> --before <YYYY-MM-DD>
           [--clean-source] [--dest-dir <destination_path>] [--no-zip]
pmlogadmin> archive <event_log_path> <archive_path> --older-than <days>
           [--clean-source] [--dest-dir <destination_path>] [--no-zip]
pmlogadmin> backup <event_log_path> <backup_path>
pmlogadmin> create <new_event_log_path>
pmlogadmin> encrypt enable|disable|rekey <event_log_path>
pmlogadmin> help [<command>]
pmlogadmin> import [-y|-n] <source_event_log> <dest_event_log>
pmlogadmin> info <event_log_path>
pmlogadmin> --help|-h
pmlogadmin> --version|-v
pmlogadmin> -z on|off[:<pid>]
Description

Privilege Manager event log administration utility. Use pmlogadm to manage encryption options on the event log.

Options

pmlogadm has the following options.

Table 67: Options: pmlogadm
Option Description

-h, --help

Displays usage information.

help [<command>]

By default the help command displays the general usage output. When you specify a command, it displays a usage summary for that command.

-v, --version

Displays the version number of Privilege Manager for Unix and exits.

-z

Enables or disables debug tracing, and optionally sends SIGHUP to running process.

Before using this option, see Enabling program-level tracing.

Table 68: Global options: pmlogadm
Option Description

--verbose

Enables verbose output.

--silent

Disables all output to stdout. Errors are output to stderr.

Table 69: Valid commands: pmlogadm
Option Description

archive

Moves old events to an archive.

archive <event_log_path> <archive_name> --before <YYYY-MM-DD> [--cleansource] [--dest-dir <destination_path>] [--no-zip]

-OR-

archive <event_log_path> <archive_name> --older-than <days> [--cleansource] [--dest-dir <destination_path>] [--no-zip]

Moves events that occurred before the indicated date (YYYY-MM-DD) to an archive-named archive_name. If you use the second form, specify the date as days before the current date.

The archive is created in the current working directory unless you specify a destination path using the --dest-dir option. By default, the archive is compressed using tar and gzip, but you can skip this using the --no-zip option, in which case the resulting archive is a directory containing the new log with the archived events.

All files in that directory are required to access the archive. To access the archive, use pmlog. Moving events to an archive may not reduce the actual file size of the event log. To reduce the file size, the source log must be cleaned. To clean the source log, add the --clean-source option.

When a large number of events are present in the source log this option can increase the archive process time and use a large amount of disk space while the process runs. Once started, do not interrupt the process.

backup

Creates a backup of the source log (event_log_path), in location backup_log.

create

Creates new empty audit files for that log.

create <new_event_log_path>

This may include a keyfile which has the -kf suffix, a journal file with the -wal suffix, and a -shm system file. It is critical that the group of files that make up an event log remain together at all times. Removal of any one of these files may result in permanent loss of access to the event log.

encrypt

Enables or disables encryption of an event log.

encrypt enable|disable|rekey <event_log_path>

By default all event logs created by Privilege Manager for Unix are encrypted using the AES-256 standard. The encryption key is stored in the keyfile which is in the same path as the event log and has the same file name, and the -kf suffix. It is critical that this file remain in the same path as the main event log file.

You can decrypt the whole log file using the encrypt disable command, passing the path of the main event log file as an argument. Enable encryption using encrypt enable. The encrypt rekey command generates a new encryption key and re-encrypt all data in the event log using that new key data. The key file is automatically updated with the new key data if the operation succeeds.

import

Imports events.

import [-y|-n] <source_event_log> <dest_event_log>

Import events from source_event_log, adding them to dest_event_log.

info

Displays information about the event log.

info <event_log_path>

Displays information about the event_log_path. The information reported includes the current encryption status of the event log, the size of the file and the number of events contained in the log.

Settings

The following entries in the /etc/opt/quest/qpm4u/pm.settings file are used by pmlogadm

Table 70: Settings: pmlogadm
Option Description

eventLogQueue <pathname>

Specify the location of the event log queue, used by both pmmasterd and pmlogsrvd. This option is only used to determine whether the pmlogsrvd service is currently running.

For more usage information for a specific command, run:

pmlogadm help <command>

Files

The default Privilege Manager event log file is located at:

/var/opt/quest/qpm4u/pmevents.db

Other files that may be used by pmlogadm are:

  • settings file: /etc/opt/quest/qpm4u/pm.settings

  • pid file: /var/opt/quest/qpm4u/evcache/pmlogsrvd.pid

Related Topics

pmlog

pmlogsrvd

pmmasterd

pmlogsearch

Syntax
pmlogsearch [--csv] [--no-sort] 
               [--before "<YYYY/MM/DD hh:mm:ss>"] [--after "<YYYY/MM/DD hh:mm:ss>"] 
               [--user <username>] [--host <hostname>] [--result accept|reject] 
               [--text <keyword>]
               -h | --help  
               -v | --version
Description

Use the pmlogsearch command to perform a search on all logs in this policy group based on specified criteria.

You must specify at least one search condition; you can combine conditions.

Options

pmlogsearch has the following options.

Table 71: Options: pmlogsearch
Option Description

--csv

Outputs the search results in CSV format, suitable for consumption by Privilege Manager for Unix. If this option is not present, the output is human-readable.

One or more of the search criteria must be present, and any combination of the criteria is accepted. When multiple criteria are present they must all be matched (that is, the query criteria are combined using AND logic) for a log to be included in the results.

--after

--before

Returns logs generated for sessions initiated after or before the specified time and date. For example:

# pmlogsearch --after “2012/01/04 00:00:00”

returns all logs for sessions since January 4, 2012.

# pmlogsearch --after “2012/01/01 00:00:00” --before “2012/12/31 23:59”

returns all logs generated during 2012.

--user <username>

Searches for logs generated by sessions requested by the specified user name. username is case sensitive.

For example:

# pmlogsearch --user harry

returns the locations of all keystrokelogs for sessions requested by the user named "harry".

The pattern may include the following wild card symbols:

  • * = match any string

  • ? = match any single character

--host <hostname>

Searches for logs generated by sessions that ran on hosts matching the given pattern. The pattern may include the following wild card symbols:

  • * = match any string

  • ? = match any single character

For example:

# pmlogsearch --host “myhost?.mydomain.com”

matches logs for sessions that ran on myhost1.mydomain.com or myhost2.mydomain.com, but not myhost1 or myhost10.mydomain.com.

# pmlogsearch --host “myhost*”

matches logs for sessions that ran on myhost1.mydomain.com, myhost2.mydomain.com, myhost1 or myhost10.mydomain.com, but will not match anotherhost.mydomain.com.

# pmlogsearch --host myhost11.mydomain.com

only matches logs for sessions that ran on host myhost11.mydomain.com.

--result

Returns only events with the indicated result.

--text “<keyword>”

Searches for events where the specified text occurs in the command line or events with keystroke logs that contain the specified text.

You must enter the keyword or phrase as one argument. If the phrase contains a space, enclose the whole phrase in quotes. For example:

# pmlogsearch --text “my phrase”

Matches any log containing the string "my phrase".

# pmlogsearch --text phone

Matches logs containing any word with the substring phone (such as, telephone, headphones, phones), or the complete word phone.

--no-sort

Does not sort the results.

-v | --version

Displays the version number of Privilege Manager for Unix and exits.

-h | --help

Displays usage information and exits.

Output

You can output the search results in either human-readable or CSV format.

Human-Readable Output

The following is an example of the human-readable output of a search:

# pmlogsearch --user sheldon --text Linux 
Search matches 5 events 
2012/01/19 18:12:25 : Accept : sheldon@host1.example.com 
   Request: sheldon@host1.example.com : uname -a 
Executed: root@host1.example.com : uname -a 
   IO Log: pmsrv1.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-181225.OiaiBr 
2012/01/19 18:11:56 : Accept : sheldon@host1.example.com 
   Request: sheldon@host1.example.com : uname -a 
Executed: root@host1.example.com : uname -a 
   IO Log: pmsrv2.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-181156.x46qJP 
2012/01/19 17:59:09 : Accept : sheldon@host2.example.com 
   Request: sheldon@host2.example.com : uname -a 
Executed: root@host2.example.com : uname -a 
   IO Log: pmsrv2.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-175909.1H0P5n 
2012/01/19 17:58:42 : Accept : sheldon@host2.example.com 
   Request: sheldon@host2.example.com : uname -a 
Executed: root@host2.example.com : uname -a 
   IO Log: pmsrv2.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-175842.ZvfrMv 
2012/01/19 17:58:14 : Accept : sheldon@host2.example.com 
   Request: sheldon@host2.example.com : uname -a 
Executed: root@host2.example.com : uname -a 
   IO Log: pmsrv1.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-175814.
CVS output

The results are output in CSV format, without field headings. The columns are listed in order below:

  1. Session date/time

  2. Session Unique ID

  3. Master host

  4. Submit host (host from which the session was requested)

  5. Submit user (the user that requested the session)

  6. Requested host

  7. Requested user account

  8. Requested command line

  9. Result (Accept/Reject)

  10. Run host (the host on which the command was run)

  11. Run user (the user account used to run the command)

  12. Command line that ran

  13. The exit return code if the command ran successfully, or "NO_EXIT" if the event was rejected or the command failed to run

  14. Keystroke log host. This column is blank, if it is the same as #3 Master host.

  15. Keystroke log file path

The following is an example of CSV output:

# pmlogsearch --csv --user penny --text "Linux" 
"2012/01/19 18:10:40", "4d3729207eec", "pmsrv1.example.com", "host1.example.com", "penny", "uname", "Accept", "host1.example.com", "penny", "uname", "pmsrv1.example.com", "opt/quest/qpm4u/iologs/host1.example.com/penny/uname-20120119-181040.hLqZFY" 
"2012/01/19 18:10:13", "4d3729057e5f", "pmsrv1.example.com", "host1.example.com", "penny", "uname", "Accept", "host1.example.com", "penny", "uname", "pmsrv1.example.com", "opt/quest/qpm4u/iologs/host1.example.com/penny/uname-20120119-181013.yG1m41" 
"2012/01/19 18:00:14", "4d3726ae1ec0", "pmsrv2.example.com", "host1.example.com", "penny", "uname", "Accept", "host1.example.com", "penny", "uname", "pmsrv2.example.com", "opt/quest/qpm4u/iologs/host1.example.com/penny/uname-20120119-180015.Z42heZ" 
"2012/01/19 18:00:47", "4d3726cf1f9d", "pmsrv1.example.com", "host1.example.com", "penny", "uname", "Accept", "host1.example.com", "penny", "uname", "pmsrv1.example.com", "opt/quest/qpm4u/iologs/host1.example.com/penny/uname-20120119-180047.GUtrRt"
Related Topics

Viewing the log files using command line tools

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択