Use authenticate_pam to define which users you want to authenticate by means of PAM (Pluggable Authentication Method) APIs.
The operating system has configuration files, usually called /etc/pam.conf, that specify which security databases to use to authenticate users, such as LDAP, Windows 2000 Active Directory, and various PKI implementations.
The service parameter identifies the name of the PAM service to use to authenticate users. The service parameter can be any valid service name configured in the PAM system configuration and defaults to "login".
For more information on how to configure PAM with Privilege Manager for Unix, consult the documentation for your platform.
authenticate_pam (user,[<service>])
where <service> is the PAM service to use, such as sshd.
To utilize PAM authentication, add the following function to your policy file:
if ( user=="paul" && basename(command)=="useradd") {
if (!authenticate_pam(user, "sshd")) { reject; }
runuser="root";
accept;
}
This function returns 0 to indicate failure and 1 to indicate success.
authenticate_pam_toclient
authenticate_pam_toclient (user,[<service>])
where <service> is the PAM service to use, such as sshd.
authenticate_pam_toclient causes pmmasterd to send a request to pmrun to perform the authenticate_pam command on the pmrun host.
This function is only available on platforms that have native support for PAM.
To utilize PAM authentication, add the following function to your policy file:
if ( user=="paul" && basename(command)=="useradd") {
if (!authenticate_pam_toclient(user, "sshd")) { reject; }
runuser="root";
accept;
}
This function returns 0 to indicate failure and 1 to indicate success.
authenticate_pam
Privilege Manager for Unix allows you to control what is logged, as well as when and where it is logged. To help you set up and use these log files, the topics in this section explore enabling and disabling logging, as well as how to specify the log file locations.
Privilege Manager for Unix includes three different types of logging; the first two are helpful for audit purposes:
Keystroke logs record the user’s keystrokes and the terminal output of any sessions granted by Privilege Manager for Unix.
Event logs record the details of all requests to run privileged commands. The details include what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected.
You can configure some aspects of the event and keystroke logging by means of the security policy on the policy servers. What you can configure and how you configure it depends on which type of security policy you are using on your policy server -- pmpolicy or sudo.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center