Privilege Manager for Unix 7.1.1 - Administration Guide


Default profile-based policy (pmpolicy)

The default configuration for the pmpolicy type is a profile-based security policy, which consists of several files. The main policy code resides in the global_profile.conf and profileBasedPolicy.conf files. One Identity recommends that you do not enter customized code in these files because it will impact the effectiveness and accuracy of the reports produced by Management Console for Unix. Instead, One Identity recommends that you use the profiles to effect changes in policy.

Best practice suggestion: Create custom code in profile_customer_policy.conf.

Related Topics

Policy scripting tutorial

Policy profiles

If you configure Privilege Manager for Unix using the pmpolicy type, pmsrvconfig creates a group of default profile-based policy files that you can customize to define which commands you want to allow your users to run. This provides a convenient way to experience the benefits of Privilege Manager for Unix while familiarizing yourself with the basics of policy scripting. The default security policy is made up of four sample profiles (admin, demo, helpdesk, webadmin) and three shell profiles (root, restricted, qpm4u_login).

Profiles

These profiles are enabled by default:

  • admin.profile allows its members to run any command as the root user with full keystroke logging. You can add users to this profile by adding either their user ID or primary group ID to the pf_authusers or pf_authgroups variables, respectively. By default, the only member is the root user.
  • demo.profile allows its members to run the id command as the root user to demonstrate how rights are delegated to non-privileged users. By default, all users are members of this profile.

These profiles are disabled by default:

  • helpdesk.profile allows simple helpdesk functions.
  • webadmin.profile allows for web server administration commands.

These profiles provide additional examples of how to create and configure profiles. They are disabled by default to prevent the granting of unwanted access.

Shell profiles

In addition, shell profiles in the /profiles/shellprofiles directory permit users to run specified shell programs.

These shell profiles are enabled by default:

  • root.shellprofile allows the root user unrestricted access to any of the pmshells (pmksh, pmcsh, pmsh, and pmbash) as the root user.
  • qpm4u_login.shellprofile allows any user unrestricted access to any of the pmshellwrapper wrapped shells that are configured on your system. See Privilege Manager for Unix shell features.

This shell profile is disabled by default:

  • restricted.shellprofile allows any user to run any of the pmshells (pmksh, pmcsh, pmsh, and pmbash) as the root user, with access restricted to programs in /opt/quest/bin and /sbin only.

Profile-based policy files

The profiles and shell profiles allow for easy management of your policy, but the core of the policy is included in other policy files. The following table briefly describes the files that are used in the profile-based policy.

Table 8: Profile-based policy files

pm.conf
  Main policy file.
  includes: global_profile.conf, profileBasedPolicy.conf
  included by: NONE
  Do not put custom code in this policy file.

global_profile.conf
  Defines default global variables. Also includes extensive comments documenting the variables.
  includes: NONE
  included by: pm.conf
  Do not put custom code in this policy file; however, you may change the default settings.

profileBasedPolicy.conf
  Primary decision-making policy file for the profile-based policy. (Not meant to be edited by customers.)
  includes: profile_customer_policy.conf, *.profile, *.shellprofile
  included by: pm.conf
  Special hook functions defined in profile_customer_policy.conf are called from this policy file.

profile_customer_policy.conf
  Custom policy file for customer-defined global variables and policy code. You can modify special hook functions to run custom policy code at certain points in the profile evaluation:
    • fn_log_and_accept_custom
    • fn_custom_profile_init
    • pr_custom_profile_reset
    • fn_customer_init
  includes: NONE
  included by: profileBasedPolicy.conf
  You can create custom policies in this file. However, custom policies may affect the accuracy of the reports generated in Management Console for Unix. See The Privilege Manager for Unix Security Policy.

*.profile (in the profiles directory)
  Profile configuration file for allowing certain commands to be run by pmrun.
  includes: NONE
  included by: profileBasedPolicy.conf
  Do not put custom code in this policy file.

*.shellprofile (in the profiles directory)
  Profile configuration file for interactive Privilege Manager for Unix shells (including wrapped shells).
  includes: NONE
  included by: profileBasedPolicy.conf
  Profiles and shell profiles only contain variable assignments that are used in the policy decision making.

Profile selection

When evaluating the profile-based policy, the policy server must first determine which of the profiles match the incoming request. The policy uses the Who, What, Where, and When criteria specified in the profiles to determine a match. Note that the filename used for the profile is significant: the policy checks each of the profiles sequentially, in lexical order of filename, until a match is found. Once a profile is selected, the remaining profiles are not evaluated.
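The following Python model illustrates the selection rule just described (enabled profiles checked in lexical filename order, first match wins) together with the default profile set from the Profiles section above. It is an added example written for this page, not Privilege Manager for Unix's policy engine or its policy language; the Request and Profile classes, the field names other than pf_authusers and pf_authgroups, and the sample command lists for helpdesk.profile and webadmin.profile are constructed for the illustration.

```python
"""Model of profile-based policy selection as this page describes it:
Who/What/Where criteria per profile, profiles evaluated in lexical
filename order, first match wins.  Added illustration only; not the
product's own engine.  pf_authusers / pf_authgroups are the variable
names from the page; all other names are assumptions."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """A pmrun request: who asks, for what command, from which host."""
    user: str
    group: str        # primary group
    command: str
    host: str


@dataclass
class Profile:
    """One *.profile reduced to the variable assignments a profile holds."""
    filename: str
    enabled: bool = True
    pf_authusers: set = field(default_factory=set)    # "Who": by user ID
    pf_authgroups: set = field(default_factory=set)   # "Who": by primary group
    all_users: bool = False                           # "Who": everyone (demo.profile)
    commands: Optional[set] = None                    # "What": None means any command
    hosts: Optional[set] = None                       # "Where": None means any host
    runas: str = "root"
    keystroke_logging: bool = False

    def matches(self, req: Request) -> bool:
        who = (self.all_users or req.user in self.pf_authusers
               or req.group in self.pf_authgroups)
        what = self.commands is None or req.command in self.commands
        where = self.hosts is None or req.host in self.hosts
        return who and what and where


def select_profile(profiles, req):
    """Return the first enabled profile that matches, in lexical filename
    order.  Later profiles are never consulted once one matches."""
    for prof in sorted(profiles, key=lambda p: p.filename):
        if prof.enabled and prof.matches(req):
            return prof
    return None


def decide(profiles, req):
    """Turn the selected profile into an accept/reject decision."""
    prof = select_profile(profiles, req)
    if prof is None:
        return {"decision": "reject", "profile": None}
    return {"decision": "accept", "profile": prof.filename,
            "runas": prof.runas, "keystroke_logging": prof.keystroke_logging}


# Constructed sample set mirroring the defaults the page describes:
# admin (root only, any command, keystroke logging), demo (everyone, id),
# helpdesk and webadmin disabled.  Their command lists are assumptions.
DEFAULT_PROFILES = [
    Profile("admin.profile", pf_authusers={"root"}, keystroke_logging=True),
    Profile("demo.profile", all_users=True, commands={"id"}),
    Profile("helpdesk.profile", enabled=False, pf_authgroups={"helpdesk"},
            commands={"passwd", "id"}),
    Profile("webadmin.profile", enabled=False, pf_authgroups={"www"},
            commands={"apachectl"}),
]

if __name__ == "__main__":
    for req in (Request("root", "root", "id", "host1"),
                Request("alice", "users", "id", "host1"),
                Request("alice", "users", "ls", "host1"),
                Request("bob", "helpdesk", "passwd", "host1")):
        print(f"{req.user} {req.command}: {decide(DEFAULT_PROFILES, req)}")
```

Because demo.profile sorts before helpdesk.profile, a helpdesk user running id is handled by demo.profile even after helpdesk.profile is enabled; the more specific profile only governs commands that no earlier profile accepts. When adding a profile, check where its filename falls in lexical order relative to the profiles already present, since an early-sorting permissive profile shadows everything after it.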
