Chat now with support
Chat with Support

Safeguard for Sudo 7.1 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Safeguard Variables Safeguard programs Installation Packages Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

pmcheck

Syntax
pmcheck [ -z on|off[:<pid>] ] | [ -v ] | 
           [ [ -a <string> ] [ -b ] [ -c ] [ -e <requestuser> ] 
           [ -f <filename> ] [ -g <group> ] [ -h <hostname> ] [ -i ] 
           [ -m <YY[YY]/MM/DD> ] [ -n <HH[:MM]> ] 
           [ -o sudo|pmpolicy ] [ -p <policydir> ] [ -q  ]  [  -r <remotehost> ] 
           [ -s <submithost> ] [ -t ] [ -u <runuser> ] [ command [ args ]]]
Description

Use the pmcheck command to test the policy file. Although the policy server daemon pmmasterd reports configuration file errors to a log file, always use pmcheck to verify the syntax of a policy file before you install it on a live system. You can also use the pmcheck command to simulate running a command to test whether a request will be accepted or rejected.

The pmcheck program exits with a value corresponding to the number of syntax errors found.

Options

pmcheck has the following options.

Table 15: Options: pmcheck
Option Description

-a <string>

Checks if the specified string, entered during the session, matches any alertkeysequence configured. You can only specify this option if you supply a command.

This option is only relevant when using the pmpolicy type.

-b

Run in batch mode. By default, pmcheck runs in interactive mode, and attempts to emulate the behavior of the pmmasterd when parsing the policy file. The -b option ensures that no user interaction is required if the policy file contains a password or input function; instead, a successful return code is assumed for any password authentication functions.

-c

Runs in batch mode and displays output in csv format. By default pmcheck runs in interactive mode. The -c option ensures that no user interaction is required if the policy file contains a password prompt or input function and no commands that require remote connections are attempted.

-e <requestuser>

Sets the value of requestuser. This option allows you to specify the group name to use when testing the configuration. This emulates running a session using the sudo –u <user> option to request that Safeguard runs the command as a particular runuser.

-f <filename>

Sets path to policy filename. Provides an alternative configuration filename to check. If not fully qualified, this path is interpreted as relative to the policydir, rather than to the current directory.

-g <group>

Sets the group name to use. If not specified, then pmcheck looks up the user on the master policy server host to get the group information. This option is useful for checking a user and group that does not exist on the policy server.

-h <hostname>

Specifies execution host used for testing purposes.

-i

Ignores check for root ownership of policy.

-m <YY[YY]/MM/DD>

Checks the policy for a particular date. Enter Date in this format: YY[YY]/MM/DD. Defaults to the current date.

-n <HH[:MM]>

Checks the policy for a particular time. Enter Time in this format: HH[:mm]. Defaults to the current time.

-o <policytype>

Interprets the policy with the specified policy type:

  • sudo
  • pmpolicy
-p policydir Forces pmcheck to use a different directory to search for policy files included with a relative pathname. The default location to search for policy files is the policydir setting in pm.settings.
-q Runs in quiet mode, pmcheck does not prompt the user for input, print any errors or prompts, or run any system commands. The exit status of pmcheck indicates the number of syntax errors found (0 = success). This is useful when running scripted applications that require a simple syntax check.
-r remotehost

Sets the value of the clienthost variable within the configuration file, useful for testing purposes.

The clienthost variable is set to the value of the submithost variable.

-s submithost Sets the value of the submithost variable within the configuration file, useful for testing purposes.
-t

Runs in quiet mode to check whether a command would be accepted or rejected. By default, pmcheck runs in interactive mode. The –t option ensures that no user interaction is required if the policy file contains a password prompt or input function, no output is displayed and no commands that require remote connections are attempted.

Exit Status:

  • 0: Command accepted
  • 11: Password prompt encountered. The command will only be accepted if authentication is successful
  • 12: Command rejected
  • 13: Syntax error encountered
-u <runuser> Sets the value of the runuser variable within the configuration file, useful for testing purposes.
-v Displays the version number of Safeguard and exits.
-z

Enables or disables debug tracing, and optionally sends SIGHUP to running process.

Refer to Enabling Program-level Tracing before using this option.

Sets the command name and optional arguments.

You can use pmcheck two ways: to check the syntax of the configuration file, or to test whether a request is accepted or rejected (that is, to simulate running a command).

By default, pmcheck runs the configuration file interactively in the same way as pmmasterd and reports any syntax errors found. If you supply an argument to a command, it reports whether the requested command is accepted or rejected. You can use the –c and –q options to verify the syntax in batch or silent mode, without any user interaction required.

When you run a configuration file using pmcheck, you are allowed to modify the values of the incoming variables. This is useful for testing the configuration file's response to various conditions. When pmmasterd runs a configuration file, the incoming variables are read-only.

Example

To verify whether the sudoer policy file /etc/sudoers, ingoring permissions and ownership, allows user jsmith in the users group to run the passwd root command on host, host1, enter:

pmcheck -f /etc/sudoers -i -o sudo –u jsmith –g users 
-h host1 passwd root
Related Topics

pmkey

pmmasterd

pmreplay

pmjoin_plugin

Syntax

pmjoin_plugin -h | --help [-abioqv] 
                [-d <variable>=<value>] [<policy_server_host>] [-bv] –u
                [--accept] [--batch] [--define <variable>=<value>] [--interactive] 
                [--io-plugin-only][--pipestdin][--verbose] <policy_server_host> ... 
                [--batch] [--verbose] –unjoin -N policy_name [--policyname policy_name]

Description

Run the pmjoin_plugin command after installing the Sudo Plugin package (qpm-plugin) on a remote host to allow it to communicate with the servers in the policy group.

Options

pmjoin_plugin has the following options.

Table 16: Options: pmjoin_plugin
Option Description
-a | --accept Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/pqm4u_eula.txt.
-b | --batch Runss in batch mode, does not use colors or require user input.
-d <variable>=<value> | --define <variable>=<value> Specifies a variable for the pm.settings file and its associated value.
-h | --help Displays usage information.
-i | --interactive Runs in interactive mode, prompting for configuration parameters instead of using the default values.
-o | --io-plugin-only Configures only the I/O logging plugin (io_plugin) without the use of the Sudo Plugin (policy_plugin) .
-q | --pipestdin Pipes password to stdin if password is required.
-u | --unjoin Unjoins a Sudo Plugin host from the policy server.

-N policy_name | --policyname policy_name

Use policy_name as the name of the policy instead of the default. This option is used to specify the name of the policy that the server should use when making policy decisions.

Displays verbose output while configuring the host.

Files
  • Directory when pmjoin_plugin logs are stored: /opt/quest/qpm4u/install
  • Sudo Plugin configuration file: /etc/sudo.conf
Related Topics

pmmasterd

pmsrvconfig

pmkey

Syntax
pmkey -v  
         -a <keyfile> 
         [ [-l | -r | -i <keyfile>] 
         [-p <passphrase>] [-f]]
Description

Use the pmkey command to generate and install configurable certificates.

In order for a policy evaluation request to run, keys must be installed on all hosts involved in the request. The keyfile must be owned by root and have permissions set so only root can read or write the keyfile.

Options

pmkey has the following options.

Table 17: Options: pmkey
Option Description
-a <keyfile> Creates an authentication certificate.
-i <keyfile> Installs an authentication certificate.
-l

Creates and installs a local authentication certificate to this file:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

This is equivalent to running the following two commands:

  • pmkey -a /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/ key_localhost

    -OR-

  • pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/ key_localhost

-f Forces the operation. For example:
  • Ignore the password check when installing keyfile using -i or -r
  • Overwrite existing keyfile when installing local keyfile using –l
-p <passphrase>

Passes the passphrase on the command line for the -a or -l option.

If not specified, pmkey prompts the user for a passphrase.

-r

Installs all remote keys that have been copied to this directory:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_<hostname>

This provides a quick way to install multiple remote keys.

-v Displays the Safeguard version and exits.
Examples

The following command generates a new certificate, and puts it into the specified file:

pmkey -a <filename>

The following command installs the newly generated certificate from the specified file:

pmkey -i <filename>
Related Topics

pmcheck

pmmasterd

pmreplay

pmsum

pmlicense

Syntax
pmlicense -h 
            [-c] 
            -v [-c] 
            -v <xmlfile> [-c]  
            -l|-x <xmlfile> [-c] [-f] [-e]
            -u [s|f][-c][-d m|y][-o <outfile>][-s d|h][-t u|p|k]
            -r [e]
Description

The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. If you do not supply an option, then pmlicense displays a summary of the combined licenses configured on this host.

Options

pmlicense has the following options.

Table 18: Options: pmlicense
Option Description
-c Displays output in CSV, rather than human-readable format.
–d Filters a license report; restricting the date to either:
  • m: Only report licenses used in the past month.
  • y: Only report licenses used in the past year.
-e Does not forward the license change to the other servers in the group.
-f Does not prompt for confirmation in interactive mode.
-h Displays usage.
-l <xmlfile>

Configures the selected XML license file, and forwards it to the other servers in the policy group.

This option must be run as the root user or a member of the pmpolicy group.

-o <outfile> Sends report output to selected file rather than to the default. For csv output, the default is file: /tmp/pmlicense_report_<uid>.txt; for human-readable output, the default is stdout.
-r Regenerates and configures the default trial license, removing any configured commercial licenses, and forwards this change to the other servers in the policy group.
-s Sort the report data by either:
  • d: date (newest first)
  • h: hostname (lowest first)
-t Filters license report by client type:
  • u: Privilege Manager for Unix client
  • p: sudo policy plugin
  • k: sudo keystroke plugin
-u Displays the current license utilization on the master policy server:
  • s: Show summary of hosts licensed
  • f: Show full details of hosts licensed, with last used times
-v If you do not provide a file argument, it displays the details of the currently configured license. If you provide a file argument, it verifies the selected XML license file and displays the license details.
-x <xmlfile>

Configures the selected XML license file.

This option is deprecated, use the "-l" option instead.

License data is updated periodically by the pmloadcheck daemon. See pmloadcheck for details.

Examples

To display current license status information, enter the following:

# pmlicense

Safeguard displays the current license information, noting the status of the license. The output will be similar to the following:

*** One Identity Safeguard *** 
*** Privilege Manager for Unix VERSION 6.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address: <IP> 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0

*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID
*License Key                                   PSXG-GPRH-PIGF-QDYV 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               1000

To update or create a new a license, enter the following at the command line:

pmlicense -l <xmldoc>

Safeguard displays the current license information, noting the status of the license, and then validates the information in the selected .xml file, for example:

*** One Identity Safeguard for Sudo *** 
*** Safeguard for Sudo VERSION 7.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address:<IP> *** 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0 
*** Validating license file: <xmldoc> *** 
*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID 
*License Key                                   PNFT-FDIO-YSLX-JBBH 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               100 
*** The selected license file (<xmldoc>) contains a valid license *** 

Would you like to install the new license? y 
Type y to update the current license. 
Archiving current license… [OK] 
*** Successfully installed new license ***
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating