Chat now with support
Chat with Support

Privilege Manager for Unix 7.1.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Configuring Pluggable Authentication Method (PAM)

Use authenticate_pam to define which users you want to authenticate by means of PAM (Pluggable Authentication Method) APIs.

The operating system has configuration files, usually called /etc/pam.conf, that specify which security databases to use to authenticate users, such as LDAP, Windows 2000 Active Directory, and various PKI implementations.

The service parameter identifies the name of the PAM service to use to authenticate users. The service parameter can be any valid service name configured in the PAM system configuration and defaults to "login".

For more information on how to configure PAM with Privilege Manager for Unix, consult the documentation for your platform.

Utilizing PAM authentication

Syntax
authenticate_pam (user,[<service>])

where <service> is the PAM service to use, such as sshd.

Examples

To utilize PAM authentication, add the following function to your policy file:

if ( user=="paul" && basename(command)=="useradd") { 
   if (!authenticate_pam(user, "sshd")) { reject; } 
   runuser="root"; 
   accept; 
}

This function returns 0 to indicate failure and 1 to indicate success.

Related Function

authenticate_pam_toclient

Related Topics

authenticate_pam

Authenticate PAM to client

Syntax
authenticate_pam_toclient (user,[<service>])

where <service> is the PAM service to use, such as sshd.

Description

authenticate_pam_toclient causes pmmasterd to send a request to pmrun to perform the authenticate_pam command on the pmrun host.

This function is only available on platforms that have native support for PAM.

Example

To utilize PAM authentication, add the following function to your policy file:

if ( user=="paul" && basename(command)=="useradd") { 
if (!authenticate_pam_toclient(user, "sshd")) { reject; } 
   runuser="root"; 
   accept; 
}

This function returns 0 to indicate failure and 1 to indicate success.

Related Function

authenticate_pam

Related Topics

authenticate_pam_toclient

Administering Log and Keystroke Files

Privilege Manager for Unix allows you to control what is logged, as well as when and where it is logged. To help you set up and use these log files, the topics in this section explore enabling and disabling logging, as well as how to specify the log file locations.

Privilege Manager for Unix includes three different types of logging; the first two are helpful for audit purposes:

  • keystroke logging, also referred to as I/O logging

    Keystroke logs record the user’s keystrokes and the terminal output of any sessions granted by Privilege Manager for Unix.

  • event logging

    Event logs record the details of all requests to run privileged commands. The details include what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected.

  • error logging

You can configure some aspects of the event and keystroke logging by means of the security policy on the policy servers. What you can configure and how you configure it depends on which type of security policy you are using on your policy server -- pmpolicy or sudo.

Related Topics

Security policy types

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating