Type string READONLY
exitstatus contains the exit status of the runcommand. This variable is not available for use in the policy file.
#Display all sh commands that failed to complete successfully pmlog –c 'runcommand == "sh" && exitstatus != "Command finished with exit status 0"'
Type string READONLY
exittime is the time the requested command finished running (HH:MM:SS)
#display all commands that finished after 6pm pmlog –c 'exittime > "18:00:00"'
This section describes the settings and parameters used by Safeguard. These settings are stored on each host in the /etc/opt/quest/qpm4u/pm.settings file which contains a list of settings, one per line, in the form: settingName value1 [value2 [... valuen]].
You can modify these policy server configuration settings using the configuration script initialized by either the pmsrvconfig or pmjoin_plugin commands; or you can modify the pm.settings file manually. See Configuring the Safeguard for Sudo Primary Policy Server for details about running the configuration script.
If you manually change the pm.settings file, restart the pmserviced and/or pmloadcheck daemons in order for the changes to take effect.
The following table describes each of the pm.settings variables:
Defaults may differ depending on the platform you are configuring and whether you are configuring a policy server or Sudo Plugin. Many of these settings will not have a default value.
The variables are not case sensitive.
| Variable | Data type | Description |
|---|---|---|
| certificates | boolean (YES/NO) |
Specifies whether certificates are enabled. To enable configurable certification, add the following statement to the /etc/opt/quest/qpm4u/pm.settings file on each host: certificates yes. |
| checksumtype | string | Specifies standard or MD5 checksum types for use with pmsum program. |
| clients | list of hostnames |
Identifies hosts for which remote access functions are allowed. Only required if one policy server needs to retrieve remote information from another policy server that does not normally accept requests from it. For more information, see Central logging with Privilege Manager for Unix. |
| clientverify | string |
Identifies the level of host name verification applied by the policy server host to the submit host name. The verification ensures that the incoming IP address resolves (on the primary policy server) to the same host name as presented by the submit host. Valid values are:
Default: NONE |
| encryption | string |
Identifies the encryption type. You must use the same encryption setting on all hosts in your system. Valid values are:
Default: AES |
| eventlogqueue | string |
Directory used by pmmasterd and pmlogsrvd where event data is temporarily queued prior to being written to the event log database. Default: /var/opt/quest/qpm4u/evcache |
| EventQueueFlush | integer |
Tells pmlogadm how often to reopen the db (in minutes) flushing the data. Default: 0, in which case pmlogsrvd will keep the db open while the service is running. |
| EventQueueProcessLimit | integer |
Specifies the number of cached events that will be processed at a time; this limits the memory use in pmlogadm. Default: 0, in which case pmlogsrvd will not apply a limit. |
| facility | string | Sets the SYSLOG facility name to use when logging a message to the syslog file.
Valid values are:
Default: LOG_AUTH, if the platform defines LOG_AUTH; otherwise the default is 0 (zero). |
| failovertimeout | integer |
Sets the timeout in seconds before a connection attempt to a policy server is abandoned and the client fails over to the next policy server in the list. This setting also affects the timeout for the client and agent. Default: 10 seconds. If omitted from pm.settings, default is 180 seconds. |
| fwexternalhosts | list | Identifies a list of hosts to use a different range of source ports, identified by the openreservedport and opennonreserved port settings. |
| getpasswordfromrun | boolean (YES/NO) |
Determines whether authentication is performed on the policy server or the client when a getuserpasswd() or getgrouppasswd() function is called from the policy file. If set to yes, the authentication is performed on the client. This variable also affects the user information functions: getfullname(), getgroup(), getgroups(), gethome(), and getshell(). If set to yes in the policy server's pm.settings file, these functions retrieve user information from the client host. Default: NO |
| handshake | boolean (YES/NO) |
Enables the encryption negotiation handshake. This allows a policy server to support clients running different levels of encryption. Default: NO |
| kerberos | boolean (YES/NO) |
Enables or disables Kerberos. Default: NO |
| keytab | string |
Sets the path to the Kerberos keytab file. Default: /etc/opt/quest/vas/host.keytab |
| krb5rcache | string |
Sets the path to the Kerberos cache. Default: /var/tmp |
| krbconf | string |
Sets the path to the Kerberos configuration file. Default: /etc/opt/quest/vas/vas.conf |
| libldap | string |
Specifies the pathname to use for the LDAP library. No default value. |
| localport | integer |
Sets the TCP/IP port to use for pmlocald. Default: 12346 |
| lprincipal | string |
Sets the service principal name to use for the agent. Default: pmlocald |
| masterport | integer |
Specifies the TCP/IP port to use for pmmasterd. Default: 12345 |
| masters | list |
Identifies a list of policy server hosts to which a client can submit requests for authorization, and from which an agent can accept authorized requests. This can contain host names or netgroups. No default value. |
| maxofflinelogs | integer |
Sets the maximum number of offline keystroke or event logs that can be transferred to a policy server in a single transaction. If defined on the policy server, pmmasterd on the server only accepts that number of offline logs from a client in a single request. If configured on a plugin, the plugin only tries to send that number of logs at a time. No default value. |
| mprincipal | string |
Sets the Kerberos service principal name to use for the policy server. Default: host |
| nicevalue | integer |
Sets the execution priority level for Safeguard processes. Default: 0 |
| offlinetimeout | integer |
Sets the timeout in milliseconds before an off-line policy evaluation occurs on a Sudo Plugin host. Default: 1500 (1.5 seconds) Setting offlineTimeout to 0 in the pm.settings file, forces the cache service to always perform offline (local-only) policy evaluation for sudo requests. |
| opennonreserveportrange | integer integer |
Specifies a range of non-reserved ports to use as source ports when connecting to a host in the fwexternalhosts list. No default value. |
| openreserveportrange | integer integer |
Specifies a range of reserved ports to use as source ports when connecting to a host in the fwexternalhosts list. No default value. |
| pmclientdenabled | boolean (YES/NO) |
Flag that enables the pmclientd daemon. |
| pmclientdopts | string |
Sets the options for the pmclientd daemon. |
| pmlocaldenabled | boolean (YES/NO) |
Flag that enables the pmlocald daemon. |
| pmlocaldlog | string |
Sets the path for the agent error log. Default: /var/adm/pmlocald.log or /var/log/pmlocald.log depending on the platform. |
| pmlocaldopts | string |
Sets the options for the pmlocald daemon. |
| pmloggroup | string |
Specifies the group ownership for iolog and eventlogs. Default: pmlog |
| pmlogsrvlog | string | Identifies the log used by the pmlogsrvd daemon. |
| pmmasterdenabled | boolean (YES/NO) |
Flag that enables the pmmasterd daemon. Default: YES |
| pmmasterdlog | string |
Sets the path for the master error log. Default: /var/adm/pmmasterd.log or /var/log/pmmasterd.log depending on the platform. |
| pmmasterdopts | string |
Sets the options for the pmmasterd daemon. Default: -ar |
| pmrunlog | string |
Sets the path for the client error log. Default: /var/adm/pmrun.log or /var/log/pmrun.log depending on platform. |
| pmservicedlog | string |
Identifies the log used by the pmserviced daemon. Default: /var/log/pmserviced.log |
| pmtunneldenabled | boolean (YES/NO) |
Flag that enables the pmtunneld daemon. |
| pmtunneldopts | string |
Sets the options for the pmtunneld daemon. |
| policydir | string |
Sets the directory in which to search for policy files Default: /etc/opt/quest/qpm4u/policy |
| policyfile | string |
Sets the main policy filename. Default: pm.conf |
| policymode | string |
Specifies the type of security policy to use, pmpolicy or Sudo. Default: sudo |
| reconnectagent | boolean (YES/NO) |
Allows backwards compatibility with older agents on a policy server. Settings on policy server and agents must match. Default: NO |
| reconnectclient | boolean (YES/NO) |
Allows backwards compatibility with older clients on a policy server. Settings on policy server and client must match. Default: NO |
| selecthostrandom | boolean (YES/NO) |
Set to yes to attempt connections to the list of policy servers in random order. Set to no to attempt connections to the list of policy servers in the order listed in pm.settings. Default: YES |
| setnonreserveportrange | integer integer |
Specifies a range of non-reserved ports to use as source ports by the client and agent.
The full range for non-reserved ports is 1024 to 65535. |
| setreserveportrange | integer integer |
Specifies a range of reserved ports to use as source ports by the client when making a connection to the policy server.
The full range for reserved ports is 600 to 1023. |
| setutmp | boolean (YES/NO) |
Default: YES |
| shortnames | boolean (YES/NO) |
Enables or disables short names usage. Setting shortnames to yes allows the use of short (non-fully qualified) host names. If set to no, then the Safeguard components will attempt to resolve all host names to a fully qualified host name. Default: YES |
| sudoersfile | string |
Sets the path to the sudoers policy file, if using the Sudo policy type. Default: /etc/opt/quest/qpm4u/policy/sudoers |
| sudoersgid | integer |
Sets the group ownership of the Sudoers policy, if using the Sudo policy type. Default: 0 |
| sudoersmode | integer |
Sets the UNIX file permissions of the Sudoers policy, if using the sudo policy type. Specify it as a four-digit octal number (containing only digits 0-7) to determine the user's file access rights (read, write, execute). Default: 0400 |
| sudoersuid | integer |
Sets the user ownership of the Sudoers policy. Default: 0 |
| syslog | boolean (YES/NO) |
Set to yes to send error messages to the syslog file as well as to the Safeguard error log. Default: YES |
| thishost | string |
Sets the client's host name to use for verification. Specifying a thishost setting causes the Privilege Manager components to bind network requests to the specified host name or IP address. If you set thishost to the underscore character ( _ ), requests bind to the host's primary host name. No default value. |
| tunnelport | integer |
Sets the TCP/IP port to use for the pmtunneld daemon. Default: 12347 For more information, see Configuring pmtunneld. |
| tunnelrunhosts | list | Identifies the hosts on the other side of a firewall.
No default value. For full details of how to configure your system across a firewall, see Configuring Firewalls. |
| utmpuser | string |
Specifies which user name pmplugin logs to the utmp entry. Valid values are:
To log an entry to utmp, specify "setutmp yes". These settings only take effect if the sudoers policy allocates a pty. A pseudo-tty is allocated by sudo when the log_input, log_output or use_pty flags are enabled in sudoers policy. Default: submituser |
|
validmasters |
list |
Identifies a list of policy servers that can be identified using the pmrun –m <master> option, but that will not be used when you run a normal pmrun command. This is useful for testing connections to a policy server before bringing it on line. No default value. |
This section describes each of the Safeguard programs and their options. The following table indicates which Safeguard component installs each program.
| Name | Description | Server | Agent | Sudo |
|---|---|---|---|---|
| pmcheck |
Verifies the syntax of a policy file. |
X | - | X |
| pmjoin_plugin |
Joins a Sudo Plugin to the specified policy server. Joining configures the remote host to communicate with the servers in the group. |
X | - | X |
| pmkey |
Generates and installs configurable certificates. |
X | X | X |
| pmlicense |
Displays current license information and allows you to update a license (an expired one or a temporary one before it expires) or create a new one. |
X | - | - |
| pmloadcheck |
Controls load balancing and failover for connections made from the host to the configured policy servers. |
X | X | - |
| pmlog |
Displays entries in a Privilege Manager for Sudo event log. |
X | - | - |
| pmlogadm |
Manages encryption options on the event log. |
X | - | - |
| pmlogsearch |
Searches all logs in a policy group based on specified criteria. |
X | - | - |
|
The Privilege Manager for Sudo log access daemon, the service responsible for committing events to the Privilege Manager for Sudo event log and managing the database storage used by the event log. |
X |
|
| |
| pmlogxfer |
Transfers event logs and I/O logs after an off-line policy evaluation has occurred. pmlogxfer is initiated by pmloadcheck when there are log files queued for transfer from a Sudo Plugin host to the server. |
- | - | X |
| pmmasterd |
The Privilege Manager for Sudo Master daemon which examines each user request and either accepts or rejects it based upon information in the Privilege Manager configuration file. You can have multiple pmmasterd daemons on the network to avoid having a single point of failure. |
X | - | X |
| pmplugininfo |
Displays information about the policy server group that the Sudo Plugin host has joined. |
X | - | X |
| pmpluginloadcheck |
A daemon that runs on each Sudo Plugin host and controls load balancing and failover for connections made from the host to the configured policy servers. |
X | - | X |
| pmpolicy |
A command-line utility for managing the Privilege Manager for Sudo security policy. This utility checks out the current version, checks in an updated version, and reports on the repository. |
X | - | - |
| pmpolicyplugin |
Displays the revision status of the cached security policy on a Sudo Plugin host; allows you to request an update from the central repository. |
- | - | X |
| pmpoljoin_plugin |
Adjunct program to the pmjoin_plugin script. pmpoljoin_plugin is called by the pmjoin_plugin script when configuring a Sudo Plugin host to setup up the required read-only access to the policy repository, so that the client can operate in off-line mode. |
- | - | X |
| pmpolsrvconfig |
Configures (or unconfigures) a primary or secondary policy server. Allows you to grant a user access to a repository. |
X | - | - |
| pmremlog |
Provides a wrapper for the pmlog and pmreplay utilities to access the event (audit) and keystroke (I/O) logs on any server in the policy group. |
X | - | - |
| pmreplay |
Replays an I/O log file allowing you to review what happened during a previous privileged session. |
X | - | - |
| pmresolvehost |
Verifies the host name or IP resolution for the local host or a selected host. |
X | X | X |
| pmserviced |
The Privilege Manager for Sudo Service daemon listens on the configured ports for incoming connections for the Privilege Manager for Sudo daemons. pmserviced uses options in pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon. |
X | X | X |
| pmsrvcheck |
Checks the Privilege Manager for Sudo policy server configuration to ensure it is setup properly. |
X | - | - |
| pmsrvconfig |
Configures a primary or secondary policy server. |
X | - | - |
| pmsrvinfo | Verifies the policy server configuration. | X | - | - |
| pmsum |
Generates a simple checksum of a binary. |
X | - | - |
| pmsysid |
Displays the Privilege Manager for Sudo system ID. |
X | X | X |
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center
