Syntax
pmjoin -h | --help [-abitv] [-d <variable>=<value>] [<policy_server_host>]
[-bv] -u --unjoin
[--accept] [--batch] [--define <variable>=<value>] [--interactive]
[--selinux] [--tunnel] [--verbose] <policy_server_host>
Description
Use the pmjoin command to join a PM Agent to the specified policy server. When you join a policy server to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host. You must run this configuration script after installing the PM Agent package to allow this agent to communicate with the servers in the group.
Options
pmjoin has the following options.
Table 59: Options: pmjoin
-a | --accept |
Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/pqm4u_eula.txt. |
-b | --batch |
Runs in batch mode, will not use colors or require user input under any circumstances. |
-d <variable>=<value> | --define <variable>=<value> |
Specifies a variable for the pm.settings file and its associated value. |
-h | --help |
Prints this help message. |
-i | --interactive |
Runs in interactive mode, prompting for configuration parameters instead of using the default values. |
-S | --selinux |
Enable support for SELinux in Privilege Manager for Unix.
A SELinux policy module will be installed, which allows the pmlocal daemon to set the security context to that of the run user when executing commands. This requires that the policycoreutils package and either the selinux-policy-devel (RHEL7 and above) or selinux-policy (RHEL6 and below) packages be installed. |
-t | --tunnel |
Configures host to allow Privilege Manager for Unix connections through a firewall. |
-u | --unjoin |
Unconfigures a Privilege Manager for Unix agent. |
-v | --verbose |
Displays verbose output while configuring the host. |
Files
- Directory when pmjoin logs are stored: /opt/quest/qpm4u/install
Syntax
pmkey -v | [-z on|off[:<pid>]]
-a <keyfile>
[ [-l | -r | -i <keyfile>]
[-p <passphrase>] [-f]]
Description
Use the pmkey command to generate and install configurable certificates.
In order for a policy evaluation request to run, keys must be installed on all hosts involved in the request. The keyfile must be owned by root and have permissions set so only root can read or write the keyfile.
Options
pmkey has the following options.
Table 60: Options: pmkey
-a <keyfile> |
Creates an authentication certificate. |
-i <keyfile> |
Installs an authentication certificate. |
-l |
Creates and installs a local authentication certificate to this file:
/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost
This is equivalent to running the following two commands:
|
-f |
Forces the operation. For example:
- Ignore the password check when installing keyfile using -i or -r
- Overwrite existing keyfile when installing local keyfile using -l
|
-p <passphrase> |
Passes the passphrase on the command line for the -a or -l option.
If not specified, pmkey prompts the user for a passphrase. |
-r |
Installs all remote keys that have been copied to this directory:
/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_<hostname>
This provides a quick way to install multiple remote keys. |
-v |
Displays the Privilege Manager for Unix version and exits. |
-z |
Enables or disables debug tracing.
Refer to Enabling program-level tracing before using this option. |
Examples
The following command generates a new certificate, and puts it into the specified file:
pmkey -a <filename>
The following command installs the newly generated certificate from the specified file:
pmkey -i <filename>
Description
The Privilege Manager for Unix K Shell (pmksh) starts a Korn shell, an interactive command interpreter and a command programming language. The Korn shell carries out commands either interactively from a terminal keyboard or from a file. pmksh is a fully featured version of ksh, that provides transparent authorization and auditing for all commands submitted during the shell session. All standard options for ksh are supported by pmksh.
To see details of the options and the shell built-in commands supported by pmksh, run pmksh -?.
Note that pmksh supports the -B option which allows the entire shell to run in the background when used in conjunction with '&. For example, pmksh -B -c backgroundshellscript.sh & will run the specified shell script in the background using pmksh.
Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:
- forbidden by the shell without further authorization to the policy server
- allowed by the shell without further authorization to the policy server
- presented to the policy server for authorization
Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.
Syntax
pmless /<full_path_name>
Description
The pmless pager is similar to the less pager. It has been modified so that you can use it securely with the Privilege Manager for Unix programs. Because of this, you must specify a full pathname as a command line argument to pmless. Also, you will not be able to access any files other than the ones you specify at startup time. Nor will you be allowed to spawn any processes.
Using this program in conjunction with Privilege Manager for Unix allows you to access a specific file as root but not other root functions.