지금 지원 담당자와 채팅
지원 담당자와 채팅

Privilege Manager for Unix 7.2.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Configuring the policy server for the InTrust Plug-in

Run the pmintrust.sh script as the root user.

You might need to edit pmintrust.sh to ensure it can find all relevant event log files.

The script outputs event log data in a format that the InTrust Agent can handle. When the script runs, it creates a separate file for InTrust called /tmp/pm_evlog.intrust containing a plain text version of the events stored in the event log files.

To configure the policy server for the InTrust Plugin

  1. Extract the pmintrust.tgz archive, located in the utilities directory of the Privilege Manager for Unix distribution media, to the /tmp directory.
    # gzip -dc pmintrust.tgz | tar xvf - -C /tmp 
    pmintrust/ 
    pmintrust/pmpolicy.crontab 
    pmintrust/root.crontab 
    pmintrust/pmintrust.profile 
    pmintrust/pmintrust.sh
  2. Copy the pmintrust.sh script to the /opt/quest/sbin directory of your policy server.
    # cp /tmp/pmintrust/pmintrust.sh /opt/quest/sbin
  3. If necessary, edit the pmintrust.sh script and modify the EVDIRS and EVGLOB variables so that the script can locate the necessary event log files. For example, if your policy defines the eventlog variable as:
    eventlog="/var/log/eventlogs/"+year+"/"+month+"/"+day+"/"+user+"_events.db";

    Change the EVDIRS and EVGLOB variables in the pmintrust.sh script to:

    EVDIRS=`find /var/log/eventlogs -type d` 
    EVGLOB="*_events.db"
  4. Configure the system to run the pmintrust.sh script as the root user.

    One Identity recommends that you add a crontab entry as the pmpolicy service user, and configure the cronjob to run pmrun with root user privileges.

    The crontab entry is a file called pmpolicy.crontab in the pmintrust.tgz archive.

    1. The following crontab entry runs pmrun pmintrust.sh at 10:50 pm everyday:

      50 22 * * * /opt/quest/bin/pmrun /opt/quest/sbin/pmintrust.sh

      To add the crontab, login (or su) to the pmpolicy service account and run the following command:

      $ crontab /tmp/pmintrust/pmpolicy.crontab

      Alternatively, you can configure the script to run directly as the root user by creating a root cron job, and skip part b) of this step.

      There is a root.cronjob file in the pmintrust.tgz archive.

    2. If you are using the default profile-based policy, add the pmintrust.profile to your policy to allow the pmpolicy service account to run the pmintrust.sh script as the root user.

      To checkout, add, and commit the changes to the policy, run the following pmpolicy command:

      # /opt/quest/sbin/pmpolicy checkout -d /tmp 
      # cp /tmp/pmintrust/pmintrust.profile /tmp/policy_pmpolicy/profiles/ 
      # chown pmpolicy:pmpolicy /tmp/policy_pmpolicy/profiles/pmintrust.profile 
      # /opt/quest/sbin/pmpolicy add -p profiles/pmintrust.profile -d /tmp 
      # /opt/quest/sbin/pmpolicy commit -d /tmp -l ″add pmintrust profile″
  5. Run a new command with Privilege Manager for Unix to verify the change, such as:
    # pmrun id
  6. Allow the cronjob to run at the scheduled time, then verify the InTrust event log file, /tmp/pm_evlog.intrust, was created and contains your test event.

Installing the InTrust Knowledge Pack

To install the InTrust Knowledge Pack

  1. Using a InTrust for Active Directory Administration account, login to your InTrust for Active Directory server.
  2. Extract the Privilege_Manager_InTrust_<version>.zip file to a temporary folder, such as, d:\temp.
  3. Open a command prompt and change to the following directory:
    <INTRUST_HOME>\Server\ADC\SupportTools\
  4. Import each of the XML files using the InTrustPDOImport.exe command, as following:
    # InTrustPDOImport.exe -import D:\temp\PM_DataSource.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_GatheringJob.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_GatheringJob_igtc.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_GatheringPolicy.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_GatheringTask.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_Site.xml
  5. Verify the Privilege Manager for Unix objects are in the InTrust Manager, under Sites:

InTrust Knowledge Pack objects

Table 24: InTrust Knowledge Pack objects
Object type Objects
Gathering policy Privilege Manager for Unix: Event Log Monitoring’
Job ‘Gather Privilege Manager for Unix Events’
Task Privilege Manager for Unix daily collection of events’
Site Privilege Manager for Unix hosts’
Report

Privilege Manager for Unix All Events’

Privilege Manager for Unix All Events By Result’

Privilege Manager for Unix Elevated Privilege Events’

Privilege Manager for Unix Policy Server By Result’

Privilege Manager for Unix Policy Server Events’

Privilege Manager for Unix Rejected Events’

Privilege Manager for Unix Out Of Band Events’

Data Source

Privilege Manager for Unix Event Log’

Installing the InTrust Reporting Pack

To install the InTrust Reporting Pack

  1. Using an InTrust Administration account, log in to your InTrust server.
  2. Run the MSI file extracted in the previous section from Privilege_Manager_InTrust_<version>.zip
    # d:\temp\QPM4U.1.0.0.006.msi

    To use the MSI installer for the InTrust Reporting Pack, your InTrust Server must use the WindowsSQL Server 2005 as its back-end database.

  3. Follow the instructions in the on-screen Wizard.
  4. Using a web browser, navigate to your InTrust reports and verify that you now have an InTrust for Privilege Manager for Unix section, for example:
    http://<Intrust Server>/Reports

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택