지금 지원 담당자와 채팅
지원 담당자와 채팅

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

pmsrvconfig

Syntax
pmsrvconfig -h | --help [-abipqtv] [-d <variable>=<value>] [-f <path>] 
            [-l <license_file>] [-m sudo | pmpolicy] [-n <group_name> | -s <hostname>] [-x [<policy_server_host> ...]] [-bpvx] -u [--accept] [--batch] [--define <variable>=<value>] [--import <path>] [--interactive] [--license <license_file>]
            [--name <group_name> | --secondary <hostname>] [--pipestdin] [--plugin] [--policymode sudo | pmpolicy]
         [--selinux] [--tunnel] [--unix [<policy_server_host> ...]] [--verbose] [--batch]
         [--unix] [-- verbose] --unconfig
Description

Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.

Options

pmsrvconfig has the following options.

Table 84: Options: pmsrvconfig
Option Description

-a | --accept

Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt.

-b | --batch

Runs in batch mode; does not use colors or require user input.

-d <variable>=<value> | --define <variable>=<value>

Specifies a variable for the pm.settings file and its associated value.

-h | --help

Displays usage information.

-i | --interactive

Runs in interactive mode; prompts for configuration parameters instead of using the default values.

-f <path> | --import <path>

Imports policy data from the specified path.

  • Privilege Manager for Unix: The path may be set to either a file or a directory when using the pmpolicy type.
  • Privilege Manager for Sudo: The path must be set to a file when using the sudo policy type.

-l | --license <license_file>

Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files.

-m sudo | pmpolicy | --policymode sudo | pmpolicy

Specifies the type of security policy:

  • sudo
  • pmpolicy

Default: sudo

-n | --name <group_name>

Uses group_name as the policy server group name.

-q | --pipestdin

Pipes password to stdin if password is required.

-s | --secondary <hostname>

Configures host to be a secondary policy server where hostname is the primary policy server.

-S | --selinux

Enable support for SELinux in Privilege Manager.

An SELinux policy module will be installed, which allows the pmlocal daemon to set the security context to that of the run user when executing commands. This requires that the policycoreutils package and either the selinux-policy-devel (RHEL7 and above) or selinux-policy (RHEL6 and below) packages be installed.

-t | --tunnel

Configures host to allow Privilege Manager for Unix connections through a firewall.

NOTE: This option is only available when using the pmpolicy policy type (Privilege Manager for Unix).

-u | --unconfig

Unconfigures a Privilege Manager for Unix server.

-v | --verbose

Displays verbose output while configuring the host.

-x | --unix [<policy_server_host >...]

Configures Privilege Manager for Unix on the local policy server; that is, configures pmlocald and pmrun to run on this host. If you do not specify a policy server host, it uses the local host name.

NOTE: This option is only available when using the pmpolicy policy type (Privilege Manager for Unix).

Examples

The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:

# pmsrvconfig –a –f /root/tmp/sudoers

By using the –a option, you are accepting the terms and obligations of the EULA in full.

By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the –n command option, like this:

# pmsrvconfig –a –n <MyPolicyGroup>

where <MyPolicyGroup> is the name of your policy group.

See Configuring the primary policy server for Privilege Manager for Unix and Policy servers are failing for other usage examples.

Files

Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install

pmsrvinfo

Syntax
pmsrvinfo [--csv] | -v
Description

Use the pmsrvinfo command to display information about the group in either human readable or CSV format. You can run this program on any server in the policy group.

Options

pmsrvinfo has the following options.

Table 85: Options: pmsrvinfo
Option Description
--csv Displays information in .CSV format, instead of human readable output.
-v Displays the Privilege Manager version number and exits.

Examples
# pmsrvinfo
Policy Server Configuration: 
---------------------------- 
Privilege Manager version   : 6.0.0 (nnn) 
Listening port for pmmasterd daemon    : 12345 
Comms failover method                  : random 
Comms timeout(in seconds)              : 10 
Policy type in use                     : pmpolicy 
Group ownership of logs                : pmlog 
Group ownership of policy repository   : pmpolicy 
Policy server type                     : primary 
Primary policy server for this group   : adminhost1 
Group name for this group              : adminGroup1 
Location of the repository             :
file:////var/opt/quest/qpm4u/.qpm4u/.repository/pmpolicy_repos/trunk 
Hosts in the group                     : adminhost1 adminhost2

pmstatus

Syntax
pmstatus [-v] [-p <port>] [-h <hostname>] [-f <hostfile>] [-o <outfile>]
Description

The pmstatus program checks connectivity between Privilege Manager for Unix and pmlocald and pmmasterd on the specified hosts. You must specify at least one host, using either the -h or -f option.

Options

pmstatus has the following options.

Table 86: Options: pmstatus
Option Description
-f <hostfile> Specifies the name of a file containing a list of hosts to check.
-h <hostname> Specifies the name of the host to check. -h supercedes -f if you specify both options.
-o <outfile> Writes status information to the specified file.
-p <port> Specifies an alternative port to use when checking for connectivity with pmmasterd.
-v Displays version information for the pmstatus program.
Examples

The following is an example of the output from pmstatus, if the command is directed at a host that is contactable and that contains Privilege Manager components:

[root@sdfbs02p linux-intel]# ./pmstatus -h sdfbs07p 
Master process on sdfbs07p:12345 responded 
Agent process on sdfbs07p:12346 responded 

The following is an example of the output from pmstatus, if the command is directed at a host that is contactable, but does not contain any Privilege Manager components:

[root@sdfbs02p linux-intel]# ./pmstatus -h sdfbs07p 
pmstatus5.0.2 (006): 3003 Could not connect to a master daemon for sdfbs07p 
No master process responded on sdfbs07p:12345 
pmstatus5.0.2 (006): 3001 Connection to pmlocald on sdfbs07p failed: Connection refused 
No agent process responded on sdfbs07p:12346 

pmsum

Syntax
pmsum /<full_path_name>
Description

Use pmsum to generate a checksum of the named file. The output it produces can be used in a policy with the runcksum variable. If the requested binary/command does not match the checksum, it rejects the command.

Options

pmsum has the following options.

Table 87: Options: pmsum
Option Description
-v Prints the version number of Privilege Manager and exits.
Examples
# pmsum /bin/ls 
5591e026 /bin/ls
Related Topics

runcksum

관련 문서