Introducing Privilege Manager for Unix
What is Privilege Manager for Unix
Benefits of Privilege Manager for Unix
How Privilege Manager for Unix protects
How Privilege Manager for Unix works
Planning Deployment
System requirements
Estimating size requirements
Privilege Manager for Unix licensing
Deployment scenarios
Installation and Configuration
Downloading Privilege Manager for Unix software packages
Quick start and evaluation
Configure a Primary Policy Server
Upgrade Privilege Manager for Unix
Checking the server for installation readiness
Configure a secondary policy server
Install PM Agent on a remote host
TCP/IP configuration
Firewalls
Hosts database
Reserve special user and group names
Applications and file availability
Policy server daemon hosts
Local daemon hosts
Installing the Privilege Manager for Unix packages
Configuring the primary policy server for Privilege Manager for Unix
pmpolicy server configuration settings
Verifying the primary policy server configuration
Recompile the whatis database
Join hosts to policy group
Checking PM Agent host for installation readiness
Installing a PM Agent on a remote host
Joining the PM Agent to the primary policy server
Verifying PM Agent configuration
Load balancing on the client
Remove configurations
Before you upgrade
Upgrading Privilege Manager for Unix packages
Removing Privilege Manager for Unix packages
System Administration
Reporting basic policy server configuration information
Checking the status of the master policy
Checking the policy server
Checking policy server status
Checking the PM Agent configuration status
Installing licenses
Listing policy file revisions
Viewing differences between revisions
Backup and recovery
Managing Security Policy
Security policy types
Specifying security policy type
pmpolicy type policy
Modifying complex policies
Viewing the security profile changes
The Privilege Manager for Unix Security Policy
Default profile-based policy (pmpolicy)
Exploring profiles
Customizing the default profile-based policy (pmpolicy)
Policy scripting tutorial
Advanced Privilege Manager for Unix Configuration
Install the example policy file
Create test users
Set Lesson number variable
Introductory lessons
Lesson 1: Basic policy
Lesson 2: Conditional privilege
Lesson 3: Specific commands
Lesson 4: Policy optimization with list variables
Lesson 5: Keystroke logging
Lesson 6: Conditional keystroke logging
Lesson 7: Policy optimizations
Advanced lessons
Sample policy files
Main policy configuration file
Lesson 1 Sample: Basic policy
Lesson 2 Sample: Conditional privilege
Lesson 3 Sample: Specific commands
Lesson 4 Sample: Policy optimizations with list variables
Lesson 5 Sample: Keystroke logging
Lesson 6 Sample: Conditional keystroke logging
Lesson 7 Sample: Policy optimizations
Lesson 8 Sample: Controlling the execution environment
Lesson 9 Sample: Flow control
Lesson 10 Sample: Basic menus
Privilege Manager for Unix shells
Administering Log and Keystroke Files
Privilege Manager for Unix shell features
Forbidden commands
Allowed commands
Allowed piped commands
Check shell built-in commands
Read-only variable list
Running a shell in restricted mode
Additional shell considerations
Configuring Privilege Manager for Unix for policy scripting
Configuration prerequisites
Configuration file examples
Configuring firewalls
Example 1: Basics
Example 2: Accept or reject requests
Example 3: Command constraints
Example 4: Lists
Example 5: I/O logging, event logging, and replay
Example 6: More complex policies
Example 7: Use variables to store constraints
Example 8: Control the run-time environment
Example 9: Switch and case statements
Example 10: Menus
Use the while loop
Use parallel lists
Best practice policy guidelines
Multiple configuration files and read-only variables
Mail
Environmental variables
NIS netgroups
Specify trusted hosts
Privilege Manager for Unix port usage
Restricting port numbers for command responses
Configuring pmtunneld
Configuring Network Address Translation (NAT)
Configuring Kerberos encryption
Configuring certificates
Configuring alerts
Configuring Pluggable Authentication Method (PAM)
Controlling logs
Local logging
Central logging with Privilege Manager for Unix
Controlling log size with Privilege Manager for Unix
Viewing the log files using a web browser
Viewing the log files using command line tools
Listing event logs
Backing up and archiving event and keystroke logs
InTrust Plug-in for Privilege Manager for Unix
InTrust Plug-in requirements
Installing InTrust Plug-in components
InTrust Plug-in installation prerequisites
Configuring the policy server for the InTrust Plug-in
Installing the InTrust Knowledge Pack
Installing the InTrust Reporting Pack
Configuring the InTrust data collection
Viewing InTrust reports
Generating reports
Troubleshooting
Displaying profile-based policy debug information
Enabling program-level tracing
Load balancing and policy updates
Policy servers are failing
Privilege Manager for Unix Policy File Components
Privilege Manager for Unix Variables
Variable names
Variable scope
Global input variables
Privilege Manager for Unix Flow Control Statements
alertkeymatch
argc
argv
bkgd
client_parent_pid
client_parent_uid
client_parent_procname
clienthost
command
cwd
date
day
dayname
domainname
env
false
FEATURE_LDAP
FEATURE_VAS
gid
group
groups
host
hour
masterhost
masterversion
minute
month
nice
nodename
optarg
opterr
optind
optopt
optreset
optstrictparameters
pid
pmclient_type
pmclient_type_pmrun
pmclient_type_sudo
pmshell
pmshell_builtin
pmshell_cmd
pmshell_cmdtype
pmshell_exe
pmshell_interpreter
pmshell_prog
pmshell_script
pmshell_uniqueid
pmversion
ptyflags
requestlocal
requestuser
rlimit_as
rlimit_core
rlimit_cpu
rlimit_data
rlimit_fsize
rlimit_locks
rlimit_memlock
rlimit_nofile
rlimit_nproc
rlimit_rss
rlimit_stack
samaccount
selinux
status
submithost
submithostip
thishost
time
true
ttyname
tzname
uid
umask
unameclient
unamemaster
uniqueid
use_rundir
use_rungroup
use_rungroups
use_runshell
user
year
Global output variables
alertkeyaction
alertkeysequence
disable_exec
eventlog
eventloghost
execfailedmsg
iolog
iolog_encrypt
iolog_errmax
iolog_opmax
iologhost
log_passwords
logomit
logstderr
logstdin
logstdout
notfoundmsg
passprompts
pmshell_allow
pmshell_allowpipe
pmshell_checkbuiltins
pmshell_forbid
pmshell_readonly
pmshell_reject
pmshell_restricted
preserve_clienthost
profile_keepenv
profile_setenv
profile_unsetenv
profile_use_runuser
rejectmsg
runargv
runbkgd
runchroot
runcksum
runclienthost
runcommand
runconfirmuser
runcwd
runenablerlimits
runenv
rungroup
rungroups
runhost
runnice
runpaths
runptyflags
runrlimit_as
runrlimit_core
runrlimit_cpu
runrlimit_data
runrlimit_fsize
runrlimit_locks
runrlimit_memlock
runrlimit_nofile
runrlimit_nproc
runrlimit_rss
runrlimit_stack
runtimeout
runumask
runuser
runutmpuser
subprocuser
tmplogdir
Global event log variables
PM settings variables
accept, reject
break
continue
do-while
for loop
for loop
function
if-else
include
procedure / function
readonly
readonlyexcept
return
switch
while
Privilege Manager for Unix Built-in Functions and Procedures
Environment functions
Privilege Manager for Unix programs
getenv
getlistsetting
getnumericsetting
getstringsetting
getyesnosetting
keepenv
policygetenv
policysetenv
policyunsetenv
setenv
unsetenv
Hash table functions
Input and output functions
LDAP functions
ldap_ bind
ldap_count_entries
ldap_dn2ufn
ldap_explode_dn
ldap_first_attribute
ldap_first_entry
ldap_get_attributes
ldap_get_dn
ldap_get_values
ldap_next_attribute
ldap_next_entry
ldap_open
ldap_search
ldap_unbind
LDAP API example
List functions
Miscellaneous functions
atoi
authenticate_pam
authenticate_pam_toclient
basename
comparehosts
datecmp
dirname
feature_enabled
fileexists, access
getopt
getopt_long
getopt_long_only
glob
ingroup
innetgroup
innetuser, inusernetgroup
lineno
mktemp
osname
quote
rand
stat
strftime
system
timebetween
tolower
toupper
uname
Password functions
Remote access functions
remotefileexists
remotegroupinfo
remotegrouplist
remotesysinfo
remoteusergroups
remoteuserinfo
remoteuserlist
String functions
User information functions
Authentication Services functions
pmbash
pmcheck
pmclientd
pmclientinfo
pmcp
pmcsh
pmincludecheck
pminfo
pmjoin
pmkey
pmksh
pmless
pmlicense
pmlist
pmloadcheck
pmlocald
pmlog
pmlogadm
pmlogsearch
pmlogsrvd
pmmasterd
pmmg
pmpasswd
pmpolicy
pmpolicyconvert
pmpolsrvconfig
pmremlog
pmreplay
pmresolvehost
pmrun
pmscp
pmserviced
pmsh
pmshellwrapper
pmsrvcheck
pmsrvconfig
pmsrvinfo
pmstatus
pmsum
pmsysid
pmtunneld
pmumacs
pmverifyprofilepolicy
pmvi
Installation Packages
InTrust Plug-in requirements
InTrust for Active Directory supports Privilege Manager for Unix version 5.5 and above.
You can collect data from Privilege Manager for Unix hosts running on any of the UNIX platforms supported by InTrust.
To use the MSI installer for the InTrust Reporting Pack, your InTrust Server must use the WindowsSQL Server 2005 as its back-end database.
Installing InTrust Plug-in components
To configure InTrust for Privilege Manager for Unix you must install and configure several components separately. The diagram below shows the major components for the InTrust for Active Directory Plug-in.
Figure 11: InTrust Plug-in components
To install and configure the InTrust for Active Directory Plug-in components
- Install Privilege Manager for Unix and identify which logs you wish to audit.
- Install and configure the pmintrust.sh script to run as the root user to extract the relevant data.
One Identity recommends that you set up a daily cron job to run “pmrun pmintrust.sh” as the pmpolicy service user.
- Install an InTrust Agent on the Privilege Manager for Unix Policy Server.
- Configure the InTrust Server: Finding, Gathering, and Storing.
- Gather Data.
- Configure the InTrust Server: Reporting.
InTrust Plug-in installation prerequisites
Before you install the InTrust for Active Directory components:
- Install and register an InTrust agent on the Privilege Manager for Unix policy server machine for the collection of syslog messages.
For more information on this process, refer to the InTrust Preparing for Auditing and Monitoring Linux document.
Configuring the policy server for the InTrust Plug-in
InTrust Plug-in for Privilege Manager for Unix > Configuring the policy server for the InTrust Plug-in
Run the pmintrust.sh script as the root user.
You might need to edit pmintrust.sh to ensure it can find all relevant event log files.
The script outputs event log data in a format that the InTrust Agent can handle. When the script runs, it creates a separate file for InTrust called /tmp/pm_evlog.intrust containing a plain text version of the events stored in the event log files.
To configure the policy server for the InTrust Plugin
- Extract the pmintrust.tgz archive, located in the utilities directory of the Privilege Manager for Unix distribution media, to the /tmp directory.
# gzip –dc pmintrust.tgz | tar xvf - –C /tmp pmintrust/ pmintrust/pmpolicy.crontab pmintrust/root.crontab pmintrust/pmintrust.profile pmintrust/pmintrust.sh
- Copy the pmintrust.sh script to the /opt/quest/sbin directory of your policy server.
# cp /tmp/pmintrust/pmintrust.sh /opt/quest/sbin
- If necessary, edit the pmintrust.sh script and modify the EVDIRS and EVGLOB variables so that the script can locate the necessary event log files. For example, if your policy defines the eventlog variable as:
eventlog="/var/log/eventlogs/"+year+"/"+month+"/"+day+"/"+user+"_events.db";
Change the EVDIRS and EVGLOB variables in the pmintrust.sh script to:
EVDIRS=`find /var/log/eventlogs –type d` EVGLOB="*_events.db"
- Configure the system to run the pmintrust.sh script as the root user.
One Identity recommends that you add a crontab entry as the pmpolicy service user, and configure the cronjob to run pmrun with root user privileges.
The crontab entry is a file called pmpolicy.crontab in the pmintrust.tgz archive.
-
The following crontab entry runs pmrun pmintrust.sh at 10:50 pm everyday:
50 22 * * * /opt/quest/bin/pmrun /opt/quest/sbin/pmintrust.sh
To add the crontab, login (or su) to the pmpolicy service account and run the following command:
$ crontab /tmp/pmintrust/pmpolicy.crontab
Alternatively, you can configure the script to run directly as the root user by creating a root cron job, and skip part b) of this step.
There is a root.cronjob file in the pmintrust.tgz archive.
- If you are using the default profile-based policy, add the pmintrust.profile to your policy to allow the pmpolicy service account to run the pmintrust.sh script as the root user.
To checkout, add, and commit the changes to the policy, run the following pmpolicy command:
# /opt/quest/sbin/pmpolicy checkout –d /tmp # cp /tmp/pmintrust/pmintrust.profile /tmp/policy_pmpolicy/profiles/ # chown pmpolicy:pmpolicy /tmp/policy_pmpolicy/profiles/pmintrust.profile # /opt/quest/sbin/pmpolicy add –p profiles/pmintrust.profile –d /tmp # /opt/quest/sbin/pmpolicy commit –d /tmp –l ″add pmintrust profile″
-
- Run a new command with Privilege Manager for Unix to verify the change, such as:
# pmrun id
- Allow the cronjob to run at the scheduled time, then verify the InTrust event log file, /tmp/pm_evlog.intrust, was created and contains your test event.