The Privilege Manager for Unix Security Policy
Privilege Manager for Unix uses a full-featured, high-level scripting language as its security policy. This is also known as the pmpolicy or legacy type security policy. As an alternative to learning the policy scripting language and developing a security policy from scratch, the default configuration installs a "ready to use" profile-based security policy and a number of pre-defined profiles.
This section examines the profile-based policy and provides specific examples of how to modify the profiles and add custom code to adapt the policy to your needs.
Default profile-based policy (pmpolicy)
The default configuration for the pmpolicy type is a profile-based security policy, which consists of several files. The main policy code resides in the global_profile.conf and profileBasedPolicy.conf files. One Identity recommends that you use the profiles to effect changes in policy.
Best practice suggestion: Create custom code in profile_customer_policy.conf.
Policy profiles
If you configure Privilege Manager for Unix using the pmpolicy type, pmsrvconfig creates a group of default profile-based policy files that you can customize to define which commands you want to allow your users to run. This provides a convenient way to experience the benefits of Privilege Manager for Unix while familiarizing yourself with the basics of policy scripting. The default security policy is made up of four sample profiles (admin, demo, helpdesk, webadmin) and three shell profiles (root, restricted, qpm4u_login).
Profiles
These profiles are enabled by default:
- admin.profile allows its members to run any command as the root user with full keystroke logging. You can add users to this profile by adding either their user ID or primary group ID to the pf_authusers or pf_authgroups variables, respectively. By default, the only member is the root user.
- demo.profile allows its members to run the id command as the root user to demonstrate how rights are delegated to non-privileged users. By default, all users are members of this profile.
These profiles are disabled by default:
- helpdesk.profile allows simple helpdesk functions.
- webadmin.profile allows for web server administration commands.
These profiles provide additional examples of how to create and configure profiles. They are disabled by default to prevent the granting of unwanted access.
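Because each profile's membership is just the pf_authusers and pf_authgroups lists, reviewing who a profile grants access to is a line-by-line check of those assignments. The following added audit script is not part of the product; it parses constructed sample profile text, assuming the `name = { "a", "b" };` assignment form and `#` comments, and flags an admin profile that authorizes anyone beyond root, or any profile that authorizes all users.

```python
import re
from typing import Dict, List

# Constructed sample profiles (not the product's real files). The
# `var = { "a", "b" };` form and the "*" wildcard are assumptions for this example.
SAMPLE_PROFILES = {
    "admin.profile": '''
# constructed: root plus an extra user and group
pf_authusers = { "root", "alice" };
pf_authgroups = { "wheel" };
''',
    "demo.profile": '''
pf_authusers = { "*" };
pf_authgroups = { };
''',
}

ASSIGN_RE = re.compile(r'^\s*(pf_auth(?:users|groups))\s*=\s*\{([^}]*)\}\s*;', re.M)


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Return the user and group lists assigned in one profile, ignoring # comments."""
    text = re.sub(r'#.*', '', text)
    result: Dict[str, List[str]] = {"pf_authusers": [], "pf_authgroups": []}
    for name, body in ASSIGN_RE.findall(text):
        result[name] = re.findall(r'"([^"]*)"', body)
    return result


def audit(profiles: Dict[str, str]) -> List[str]:
    """Flag profiles whose membership is broader than the documented defaults."""
    findings = []
    for fname, text in profiles.items():
        members = parse_profile(text)
        users, groups = members["pf_authusers"], members["pf_authgroups"]
        if "*" in users:
            findings.append(f"{fname}: pf_authusers grants all users")
        if fname == "admin.profile":
            extra = [u for u in users if u != "root"]
            if extra or groups:
                findings.append(
                    f"{fname}: root-level rights beyond root: users={extra} groups={groups}"
                )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PROFILES):
        print(line)
```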
Shell profiles
In addition, shell profiles are included in the /profiles/shellprofiles directory; these permit users to run specified shell programs.
These shell profiles are enabled by default:
- root.shellprofile allows the root user unrestricted access to any of the pmshells (pmksh, pmcsh, pmsh, and pmbash) as the root user.
- qpm4u_login.shellprofile allows any user unrestricted access to any of the pmshellwrapper wrapped shells that are configured on your system. See Privilege Manager for Unix shell features.
This shell profile is disabled by default:
- restricted.shellprofile allows any user restricted access to any of the pmshells (pmksh, pmcsh, pmsh, and pmbash) as the root user, with access to programs in /opt/quest/bin and /sbin only.
Profile-based policy files
The profiles and shell profiles allow for easy management of your policy, but the core of the policy is included in other policy files. The following table briefly describes the files that are used in the profile-based policy.
Table 8: Profile-based policy files
pm.conf
    Main policy file.
    includes: global_profile.conf, profileBasedPolicy.conf
    included by: NONE
    Do not put custom code in this policy file.

global_profile.conf
    Defines default global variables. Also includes extensive comments documenting the variables.
    includes: NONE
    included by: pm.conf
    Do not put custom code in this policy file; however, you may change the default settings.

profileBasedPolicy.conf
    Primary decision-making policy file for the profile-based policy. (Not meant to be edited by customers.)
    includes: profile_customer_policy.conf, *.profile, *.shellprofile
    included by: pm.conf
    Special hook functions defined in profile_customer_policy.conf are called from this policy file.

profile_customer_policy.conf
    Custom policy file for customer-defined global variables and policy code. You can modify special hook functions to run custom policy code at certain points in the profile evaluation:
    - fn_log_and_accept_custom
    - fn_custom_profile_init
    - pr_custom_profile_reset
    - fn_customer_init
    includes: NONE
    included by: profileBasedPolicy.conf
    You can create custom policies in this file.

*.profile in profiles directory
    Profile configuration file for allowing certain commands to be run by pmrun.
    includes: NONE
    included by: profileBasedPolicy.conf
    Do not put custom code in this policy file.

*.shellprofile in profiles directory
    Profile configuration file for interactive Privilege Manager for Unix shells (including wrapped shells).
    includes: NONE
    included by: profileBasedPolicy.conf
Profiles and shell profiles only contain variable assignments that are used in the policy decision making.