지금 지원 담당자와 채팅
지원 담당자와 채팅

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

Configuring alerts

Alerts enable you to specify commands that raise an alert if entered by a user, and the action you want Privilege Manager to take.

Use the alertkeyaction variable to specify the action Privilege Manager is to take when an alert is raised. The default action logs the alert and allows the command to continue.

Enter alertkeysequence in the policy as a list of regular expressions, like this:

alertkeysequence={"^rm.*", "/rm.*", ".*xterm"};

Other valid alert actions are:

  • log
  • reject
  • or any valid string

For example:

if (user=="root") 
{ 
   alertkeyaction="ignore"; 
} 
   else if (user=="john") 
{ 
   alertkeyaction="alert"; 
} 
   else if (user=="dave") 
{ 
   alertkeyaction="trace"; 
} 
   else 
{ 
   alertkeyaction="reject"; 
}

If an event raises an alert, Privilege Manager logs an AlertRaised event log. The alertkeyaction variable is also included in the log as part of the event.

If the alertkeyaction variable is set to reject, Privilege Manager cancels the command, terminates the user’s session, and displays a rejection message.

If the alertkeyaction variable is not set to reject, Privilege Manager allows the command to run and logs it in the event log. The example shown above shows how you can enter different strings for different users. This enables you to use the alertkeyaction variable as a filter to search the event log for these events.

alertkeyaction logging is enabled even if iologging is disabled. If iologging is disabled, a new session is started with pmmasterd for each alertraised event.

By default, alertraised events are not displayed in pmlog. To view the alertraised event, use the -l parameter or the -d parameter. For example:

# pmlog -l

Alert events have the same unique ID as the Privilege Manager session from which they were generated. This enables you to identify alert events raised during a specific session.

Use pmcheck to check a given string against any expression defined in the alertkeypatterns list:

# pmcheck -a"<string>"<command>

For example,

# pmcheck -a "rm /etc/opt/quest/qpm4u/pm.settings" ksh

Configuring Pluggable Authentication Method (PAM)

Use authenticate_pam to define which users you want to authenticate by means of PAM (Pluggable Authentication Method) APIs.

The operating system has configuration files, usually called /etc/pam.conf, that specify which security databases to use to authenticate users, such as LDAP, Windows 2000 Active Directory, and various PKI implementations.

The service parameter identifies the name of the PAM service to use to authenticate users. The service parameter can be any valid service name configured in the PAM system configuration and defaults to "login".

NOTE: For more information on how to configure PAM with Privilege Manager, consult the documentation for your platform.

Utilizing PAM authentication

Syntax
authenticate_pam (user,[<service>])

where <service> is the PAM service to use, such as sshd.

Examples

To utilize PAM authentication, add the following function to your policy file:

if ( user=="paul" && basename(command)=="useradd") { 
   if (!authenticate_pam(user, "sshd")) { reject; } 
   runuser="root"; 
   accept; 
}

This function returns 0 to indicate failure and 1 to indicate success.

Related Function

authenticate_pam_toclient

Related Topics

authenticate_pam

Authenticate PAM to client

Syntax
authenticate_pam_toclient (user,[<service>])

where <service> is the PAM service to use, such as sshd.

Description

authenticate_pam_toclient causes pmmasterd to send a request to pmrun to perform the authenticate_pam command on the pmrun host.

NOTE: This function is only available on platforms that have native support for PAM.

Example

To utilize PAM authentication, add the following function to your policy file:

if ( user=="paul" && basename(command)=="useradd") { 
if (!authenticate_pam_toclient(user, "sshd")) { reject; } 
   runuser="root"; 
   accept; 
}

This function returns 0 to indicate failure and 1 to indicate success.

Related Function

authenticate_pam

Related Topics

authenticate_pam_toclient

관련 문서