Privilege Manager for Sudo 6.1 Common Documents - Administration Guide

pmserviced

Syntax

pmserviced [-d] [-n] [-s] [-v] 

Description

The Privilege Manager service daemon (pmserviced) is a persistent process that spawns the configured Privilege Manager services on demand. It listens on the configured ports for incoming connections for the Privilege Manager for Sudo daemons. It is capable of running the pmmasterd service.

Options

pmserviced has the following options.

Table 39: Options: pmserviced
Option Description
-d Logs debugging information such as connection received, signal receipt and service execution. By default, pmserviced only logs errors.

-n Does not run in the background or create a pid file. By default, pmserviced forks and runs as a background daemon, storing its pid in /var/opt/quest/qpm4u/pmserviced.pid. When you specify the -n option, it stays in the foreground. If you also specify the -d option, error and debug messages are logged to the standard error in addition to the log file or syslog.
-s Connects to the running pmserviced and displays the status of the services, then exits.
-v Displays the version number of Privilege Manager and exits.

pmserviced Settings

pmserviced uses the following options in /etc/opt/quest/qpm4u/pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon.

Table 40: Options: pmserviced
  • Daemon name: pmmasterd
  • Flag to enable daemon: pmmasterdEnabled
  • Listen on port: masterport
  • Command line options: pmmasterdOpts

Table 41: Settings: pmserviced
Setting Description
pmservicedLog pathname | syslog Fully qualified path to the pmserviced log file or syslog.
pmmasterdEnabled YES | NO When set to YES, pmserviced runs pmmasterd on demand.
masterport number The TCP/IP port pmmasterd uses to listen.

pmmasterdOpts options Any command line options passed to pmmasterd.

Files
  • settings file: /etc/opt/quest/qpm4u/pm.settings
  • pid file: /var/opt/quest/qpm4u/pmserviced.pid

Related Topics

pmmasterd

pmsrvcheck

Syntax

pmsrvcheck --csv [ --verbose ] | --help | --pmpolicy | --primary | --secondary

Description

Use pmsrvcheck to verify that a policy server is set up properly. It produces output in either human-readable or CSV format similar to that produced by the preflight program.

The pmsrvcheck command checks that:

  • the host is configured as a primary policy server and has a valid repository
  • the host has a valid, up-to-date, checked-out copy of the repository
  • the host has access to update the repository
  • the host has a current valid Privilege Manager license
  • pmmasterd is correctly configured
  • pmmasterd can accept connections

Options

pmsrvcheck has the following options.

Table 42: Options: pmsrvcheck
Option Description
--csv Displays CSV, rather than human-readable, output.
--help Displays usage information.
--pmpolicy Verifies that Privilege Manager policy is in use by the policy servers.
--primary Verifies a primary policy server.
--secondary Verifies a secondary policy server.
--verbose Displays verbose output while checking the host.
--version Displays the Privilege Manager version number and exits.

Files
  • Settings file: /etc/opt/quest/qpm4u/pm.settings

Related Topics

pmmasterd

pmsrvconfig

pmsrvconfig

Syntax

pmsrvconfig -h | --help
            [-abipqtv] [-d <variable>=<value>] [-f <path>] [-l <license_file>]
                [-m sudo | pmpolicy] [-n <group_name> | -s <hostname>]
            [-bpvx] -u
            [--accept] [--batch] [--define <variable>=<value>] [--import <path>]
                [--interactive] [--license <license_file>]
                [--name <group_name> | --secondary <hostname>] [--pipestdin] [--plugin]
                [--policymode sudo | pmpolicy] [--unix [<policy_server_host> ...]] [--verbose]
            [--batch] [--plugin] [--unix] [--verbose] --unconfig

Description

Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.

Options

pmsrvconfig has the following options.

Table 43: Options: pmsrvconfig
Option Description

-a | --accept

Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt.

-b | --batch

Runs in batch mode; does not use colors or require user input.

-d <variable>=<value> | --define <variable>=<value>

Specifies a variable for the pm.settings file and its associated value.

-h | --help

Displays usage information.

-i | --interactive

Runs in interactive mode; prompts for configuration parameters instead of using the default values.

-f <path> | --import <path>

Imports policy data from the specified path.

  • Privilege Manager for Unix: The path may be set to either a file or a directory when using the pmpolicy type.
  • Privilege Manager for Sudo: The path must be set to a file when using the sudo policy type.

-l | --license <license_file>

Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files.

-m sudo | pmpolicy | --policymode sudo | pmpolicy

Specifies the type of security policy:

  • sudo
  • pmpolicy

Default: sudo

-n | --name <group_name>

Uses group_name as the policy server group name.

-p | --plugin

Configures the Sudo Plugin.

NOTE: This option is only available when using the sudo policy type (Privilege Manager for Sudo).

-q | --pipestdin

Pipes password to stdin if password is required.

-s | --secondary <hostname>

Configures host to be a secondary policy server where hostname is the primary policy server.

-u | --unconfig

Unconfigures a Privilege Manager for Sudo server.

-v | --verbose

Displays verbose output while configuring the host.

Examples

The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:

# pmsrvconfig -a -f /root/tmp/sudoers

By using the -a option, you are accepting the terms and obligations of the EULA in full.

By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the -n command option, like this:

# pmsrvconfig -a -n <MyPolicyGroup>

where <MyPolicyGroup> is the name of your policy group.

Files

Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install

pmsrvinfo

Syntax

pmsrvinfo [--csv] | -v

Description

Use the pmsrvinfo command to display information about the group in either human-readable or CSV format. You can run this program on any server in the policy group.

Options

pmsrvinfo has the following options.

Table 44: Options: pmsrvinfo
Option Description
--csv Displays information in CSV format instead of human-readable output.
-v Displays the Privilege Manager version number and exits.

Examples
# pmsrvinfo
Policy Server Configuration: 
---------------------------- 
Privilege Manager version   : 6.0.0 (nnn) 
Listening port for pmmasterd daemon    : 12345 
Comms failover method                  : random 
Comms timeout(in seconds)              : 10 
Policy type in use                     : sudo 
Group ownership of logs                : pmlog 
Group ownership of policy repository   : pmpolicy 
Policy server type                     : primary 
Primary policy server for this group   : adminhost1 
Group name for this group              : adminGroup1 
Location of the repository             :
file:////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk 
Hosts in the group                     : adminhost1 adminhost2
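
The listing above can be checked against a known-good configuration. The following parser is an added example, not One Identity's code: it reads an excerpt of that human-readable output, including the repository location that wraps onto its own line, and reports fields that differ from a site baseline. The BASELINE values and the function names are assumptions made for illustration.

```python
import re

# Sample input: excerpt of the pmsrvinfo listing from the Examples section above.
SAMPLE = """\
Policy Server Configuration:
----------------------------
Listening port for pmmasterd daemon    : 12345
Policy type in use                     : sudo
Policy server type                     : primary
Primary policy server for this group   : adminhost1
Location of the repository             :
file:////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk
Hosts in the group                     : adminhost1 adminhost2
"""

# Hypothetical site baseline (constructed); a set means "allowed members".
BASELINE = {
    "Listening port for pmmasterd daemon": "12345",
    "Policy type in use": "sudo",
    "Primary policy server for this group": "adminhost1",
    "Hosts in the group": {"adminhost1", "adminhost2"},
}

# "label <spaces> : value"; the value is absent when it wraps to the next line.
FIELD = re.compile(r"^(?P<label>.*?\S)\s+:(?:\s+(?P<value>.*))?$")

def parse_pmsrvinfo(text):
    """Return {label: value} from human-readable pmsrvinfo output."""
    fields, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.match(line)
        if m:
            fields[m["label"]] = m["value"] or ""
            pending = m["label"] if m["value"] is None else None
        elif pending and line:
            fields[pending], pending = line, None  # wrapped value
    return fields

def drift(fields, baseline=BASELINE):
    """List every baseline field whose reported value differs."""
    findings = []
    for label, expected in baseline.items():
        actual = fields.get(label, "")
        if isinstance(expected, set):
            extra = sorted(set(actual.split()) - expected)
            findings += [f"{label}: unexpected {h}" for h in extra]
        elif actual != expected:
            findings.append(f"{label}: expected {expected}, got {actual}")
    return findings
```

Because pmsrvinfo can be run on any server in the policy group, the same baseline can be compared against the output collected from each member.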