Converse agora com nosso suporte
Chat com o suporte

Privilege Manager for Unix 7.2.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

passprompts

Description

Type list READ/WRITE

passprompts contains a list of strings that should be interpreted as password prompts when attempting to exclude passwords from iolog.

Example
passprompts={"Password=", "Enter password"};

pmshell_allow

Description

Type list READ/WRITE

pmshell_allow contains a list of regular expressions identifying Privilege Manager for Unix shell subcommands that are pre-authorized. The list may contain regular expressions.

This variable is applicable to pmsh, pmcsh, pmksh, and pmbash.

On startup, the Privilege Manager for Unix shell programs load this list. Any shell subcommand entered by the user that matches one of these expressions is pre-authorized, that is, it will be allowed to run locally without any further authorization by pmmasterd, and will not be logged as an event. By default, the list is empty.

Example
pmshell_allow = {"ls","grep"};

pmshell_allowpipe

Description

Type list READ/WRITE

pmshell_allowpipe identifies the list of Privilege Manager for Unix shell subcommands that are pre-authorized if the input to the command is from a pipe. The list may contain regular expressions.

This variable is applicable to pmsh, pmcsh, pmksh, and pmbash.

On startup, the Privilege Manager for Unix shells load this list. For any shell subcommand entered by the user that takes its input from a pipe, if the command matches one of these expressions, it will be allowed to run locally without any further authorization by the pmmasterd, and will not be logged as an event. By default, the list is empty.

For example, if this list contains the string "more", the "more" command will be pre-authorized in the context of the command ls | more but will require authorization in the context of the command more /tmp/file.

Example
pmshell_allow = {"grep","cat", "more"};

pmshell_checkbuiltins

Description

Type integer READ/WRITE

If pmshell_checkbuiltins is set to true, the Privilege Manager for Unix shell program will check all shell builtin commands as if they were not built-ins. That is, it will match each one against the forbidden list, then the allowed list, and if no match is found, then the command will be authorized with pmmasterd. To see a full list of the builtin commands for a particular shell program, run the shell program with the -? option. The default value for this variable is false.

This variable is applicable to the pmsh, pmksh, and pmcsh programs.

Example
if (defined pmshell_cmd){ 
   if (user !in safe_shell_list) 
   { 
      #check builtins 
      pmshell_checkbuiltins=true; 
   } 
}
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação