Syntax
pmsrvcheck --csv [ --verbose ] | --help | --pmpolicy | --primary | --secondary
Description
Use pmsrvcheck to verify that a policy server is set up properly. It produces output in either human-readable or CSV format similar to that produced by the preflight program.
The pmsrvcheck command checks that:
- the host is configured as a primary policy server and has a valid repository
- the host has a valid, up-to-date, checked-out copy of the repository
- the host has access to update the repository
- the host has a current valid Privilege Manager for Unix license
- pmmasterd is correctly configured
- pmmasterd can accept connections
pmsrvcheck produces output in either human-readable or CSV format similar to the pre-flight output.
Options
pmsrvcheck has the following options.
Table 87: Options: pmsrvcheck
--csv
    Displays CSV, rather than human-readable, output.
--help
    Displays usage information.
--pmpolicy
    Verifies that Privilege Manager for Unix policy is in use by the policy servers.
--primary
    Verifies a primary policy server.
--secondary
    Verifies a secondary policy server.
--verbose
    Displays verbose output while checking the host.
--version
    Displays the Privilege Manager for Unix version number and exits.
Syntax
pmsrvconfig -h | --help [-abipqtv] [-d <variable>=<value>] [-f <path>]
[-l <license_file>]
[-m sudo | pmpolicy] [-n <group_name> | -s <hostname>]
[-x [<policy_server_host> ...]] [-bpvx] -u [--accept] [--batch]
[--define <variable>=<value>] [--import <path>] [--interactive]
[--license <license_file>]
[--name <group_name> | --secondary <hostname>]
[--pipestdin] [--plugin] [--policymode sudo | pmpolicy]
[--selinux] [--tunnel]
[--unix [<policy_server_host> ...]] [--verbose] [--batch]
[--unix] [--verbose] --unconfig -N policy_name [--policyname policy_name]
Description
Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.
Options
pmsrvconfig has the following options.
Table 88: Options: pmsrvconfig
-a | --accept
    Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt.
-b | --batch
    Runs in batch mode; does not use colors or require user input.
-d <variable>=<value> | --define <variable>=<value>
    Specifies a variable for the pm.settings file and its associated value.
-h | --help
    Displays usage information.
-i | --interactive
    Runs in interactive mode; prompts for configuration parameters instead of using the default values.
-f <path> | --import <path>
    Imports policy data from the specified path.
-l | --license <license_file>
    Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files.
-m sudo | pmpolicy | --policymode sudo | pmpolicy
    Specifies the type of security policy: sudo or pmpolicy.
    Default: sudo
-n | --name <group_name>
    Uses group_name as the policy server group name.
-q | --pipestdin
    Pipes password to stdin if password is required.
-s | --secondary <hostname>
    Configures host to be a secondary policy server where hostname is the primary policy server.
-S | --selinux
    Enables support for SELinux in Privilege Manager for Unix.
    An SELinux policy module will be installed, which allows the pmlocal daemon to set the security context to that of the run user when executing commands. This requires that the policycoreutils package and either the selinux-policy-devel (RHEL7 and above) or selinux-policy (RHEL6 and below) packages be installed.
-t | --tunnel
    Configures host to allow Privilege Manager for Unix connections through a firewall.
    This option is only available when using the pmpolicy policy type (Privilege Manager for Unix).
-u | --unconfig
    Unconfigures a Privilege Manager for Unix server.
-v | --verbose
    Displays verbose output while configuring the host.
-x | --unix [policy_server_host ...]
    Configures Privilege Manager for Unix on the local policy server; that is, configures pmlocald and pmrun to run on this host. If you do not specify a policy server host, it uses the local host name.
    This option is only available when using the pmpolicy policy type (Privilege Manager for Unix).
Examples
The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:
# pmsrvconfig -a -f /root/tmp/sudoers
By using the -a option, you are accepting the terms and obligations of the EULA in full.
By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the -n command option, like this:
# pmsrvconfig -a -n <MyPolicyGroup>
where <MyPolicyGroup> is the name of your policy group.
For other usage examples, see Configuring the primary policy server for Privilege Manager for Unix and Policy servers are failing.
Files
Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install
Syntax
pmsrvinfo [--csv] | -v
Description
Use the pmsrvinfo command to display information about the group in either human readable or CSV format. You can run this program on any server in the policy group.
Options
pmsrvinfo has the following options.
Table 89: Options: pmsrvinfo
-c
    Displays information in CSV format instead of human-readable output.
-v
    Displays the Privilege Manager for Unix version number and exits.
Examples
# pmsrvinfo
Policy Server Configuration:
----------------------------
Privilege Manager for Unix version : 6.0.0 (nnn)
Listening port for pmmasterd daemon : 12345
Comms failover method : random
Comms timeout(in seconds) : 10
Policy type in use : pmpolicy
Group ownership of logs : pmlog
Group ownership of policy repository : pmpolicy
Policy server type : primary
Primary policy server for this group : adminhost1
Group name for this group : adminGroup1
Location of the repository :
file:////var/opt/quest/qpm4u/.qpm4u/.repository/pmpolicy_repos/trunk
Hosts in the group : adminhost1 adminhost2
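The human-readable report above can be checked against an expected baseline so that a changed primary server, policy type or group membership is noticed. The following is an added example, not vendor code: the function names are hypothetical, the sample is constructed from the layout shown above, and it parses the human-readable form because this page does not show the CSV layout.

```shell
#!/bin/sh
# Added example (not vendor code): read fields from pmsrvinfo's human-readable output.

# Constructed sample in the layout shown above, shortened to the fields used here.
sample_pmsrvinfo() {
cat <<'EOF'
Policy Server Configuration:
----------------------------
Policy type in use : pmpolicy
Policy server type : primary
Primary policy server for this group : adminhost1
Location of the repository :
file:////var/opt/quest/qpm4u/.qpm4u/.repository/pmpolicy_repos/trunk
Hosts in the group : adminhost1 adminhost2
EOF
}

# Print the value of one field label read from stdin; exit 1 if it is absent.
# A value that wraps onto the following line (as the repository URL does) is picked up.
pmsrvinfo_get() {
    awk -v want="$1" '
        pending { print; found = 1; exit }
        {
            i = index($0, " :")
            if (i == 0) next
            key = substr($0, 1, i - 1); sub(/ +$/, "", key)
            val = substr($0, i + 2);    sub(/^ +/, "", val)
            if (key != want) next
            if (val == "") { pending = 1; next }
            print val; found = 1; exit
        }
        END { exit !found }
    '
}

# Hypothetical helper: compare "Label=expected" pairs with a saved pmsrvinfo report.
# Prints one DRIFT line per mismatch and returns 1 if there was any.
pmsrvinfo_drift() {
    file=$1; shift; rc=0
    for pair in "$@"; do
        label=${pair%%=*}; expect=${pair#*=}
        actual=$(pmsrvinfo_get "$label" < "$file") || actual="<missing>"
        [ "$actual" = "$expect" ] && continue
        echo "DRIFT: $label: expected '$expect', got '$actual'"
        rc=1
    done
    return "$rc"
}

report=$(mktemp) && sample_pmsrvinfo > "$report"
pmsrvinfo_drift "$report" "Policy type in use=pmpolicy" "Hosts in the group=adminhost1"
rm -f "$report"
```

On a policy server, save the output of pmsrvinfo to a file and pass that file in place of the constructed sample.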
Syntax
pmstatus [-v] [-p <port>] [-h <hostname>] [-f <hostfile>] [-o <outfile>]
Description
The pmstatus program checks connectivity between Privilege Manager for Unix and pmlocald and pmmasterd on the specified hosts. You must specify at least one host, using either the -h or -f option.
Options
pmstatus has the following options.
Table 90: Options: pmstatus
-f <hostfile>
    Specifies the name of a file containing a list of hosts to check.
-h <hostname>
    Specifies the name of the host to check. -h supersedes -f if you specify both options.
-o <outfile>
    Writes status information to the specified file.
-p <port>
    Specifies an alternative port to use when checking for connectivity with pmmasterd.
-v
    Displays version information for the pmstatus program.
Examples
The following is an example of the output from pmstatus, if the command is directed at a host that is contactable and that contains Privilege Manager for Unix components:
[root@sdfbs02p linux-intel]# ./pmstatus -h sdfbs07p
Master process on sdfbs07p:12345 responded
Agent process on sdfbs07p:12346 responded
The following is an example of the output from pmstatus, if the command is directed at a host that is contactable, but does not contain any Privilege Manager for Unix components:
[root@sdfbs02p linux-intel]# ./pmstatus -h sdfbs07p
pmstatus5.0.2 (006): 3003 Could not connect to a master daemon for sdfbs07p
No master process responded on sdfbs07p:12345
pmstatus5.0.2 (006): 3001 Connection to pmlocald on sdfbs07p failed: Connection refused
No agent process responded on sdfbs07p:12346
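When pmstatus is run against many hosts, the two output shapes above can be reduced to one status line per daemon so that unreachable policy servers or agents stand out. The following is an added example, not vendor code: the function names and host names are hypothetical, and the sample input is constructed from the message formats shown above.

```shell
#!/bin/sh
# Added example (not vendor code): summarise pmstatus output per host.

# Constructed sample modelled on the two outputs shown above; host names are made up.
sample_pmstatus_output() {
cat <<'EOF'
Master process on pshost1:12345 responded
Agent process on pshost1:12346 responded
pmstatus5.0.2 (006): 3003 Could not connect to a master daemon for apphost7
No master process responded on apphost7:12345
pmstatus5.0.2 (006): 3001 Connection to pmlocald on apphost7 failed: Connection refused
No agent process responded on apphost7:12346
EOF
}

# Read pmstatus output on stdin; print "host role port state" per component.
# Exit status is 1 if any component failed to respond, 0 otherwise.
pmstatus_summary() {
    awk '
        /^(Master|Agent) process on [^ ]+ responded$/ {
            split($4, hp, ":")
            print hp[1], tolower($1), hp[2], "up"
            next
        }
        /^No (master|agent) process responded on / {
            split($6, hp, ":")
            print hp[1], $2, hp[2], "down"
            down = 1
            next
        }
        END { exit down + 0 }
    '
}

# List each host that has at least one non-responding component, once.
pmstatus_down_hosts() {
    pmstatus_summary | awk '$4 == "down" && !seen[$1]++ { print $1 }'
}

sample_pmstatus_output | pmstatus_summary || echo "at least one daemon did not respond"
```

Against real hosts, pipe the output of pmstatus -f <hostfile> into pmstatus_summary in place of the constructed sample.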