Privilege Manager for Unix 7.1.1 - Administration Guide

TCP/IP configuration Firewalls Hosts database Reserve special user and group names Applications and file availability Policy server daemon hosts Local daemon hosts

Installing the Privilege Manager for Unix packages

Modifying PATH environment variable

Configuring the primary policy server for Privilege Manager for Unix

pmpolicy server configuration settings Verifying the primary policy server configuration Recompile the whatis database

Join hosts to policy group

Joining PM Agent to a Privilege Manager for Unix policy server

Agent configuration settings Swap and install keys

Configure a secondary policy server

Installing secondary servers Configuring a secondary server

Synchronizing policy servers within a group

Install PM Agent on a remote host

Checking PM Agent host for installation readiness Installing a PM Agent on a remote host Joining the PM Agent to the primary policy server Verifying PM Agent configuration Load balancing on the client

Remove configurations

Uninstalling the Privilege Manager for Unix software packages

Upgrade Privilege Manager for Unix

Before you upgrade Upgrading Privilege Manager for Unix packages

Upgrading the server package Upgrading the PM Agent package

Removing Privilege Manager for Unix packages

Removing the server package Removing the PM Agent package

System Administration

Reporting basic policy server configuration information Checking the status of the master policy Checking the policy server Checking policy server status Checking the PM Agent configuration status Installing licenses

Displaying license usage

Listing policy file revisions Viewing differences between revisions Backup and recovery

Managing Security Policy

Security policy types Specifying security policy type pmpolicy type policy Modifying complex policies Viewing the security profile changes

The Privilege Manager for Unix Security Policy

Default profile-based policy (pmpolicy)

Policy profiles Profile-based policy files Profile selection Profile variables

Exploring profiles Customizing the default profile-based policy (pmpolicy)

Customization example - pf_forbidusers list

Policy scripting tutorial

Install the example policy file Create test users Set Lesson number variable Introductory lessons

Lesson 1: Basic policy Lesson 2: Conditional privilege Lesson 3: Specific commands Lesson 4: Policy optimization with list variables Lesson 5: Keystroke logging Lesson 6: Conditional keystroke logging Lesson 7: Policy optimizations

Advanced lessons

Lesson 8: Controlling the execution environment Lesson 9: Flow control Lesson 10: Basic menus

Sample policy files

Main policy configuration file Lesson 1 Sample: Basic policy Lesson 2 Sample: Conditional privilege Lesson 3 Sample: Specific commands Lesson 4 Sample: Policy optimizations with list variables Lesson 5 Sample: Keystroke logging Lesson 6 Sample: Conditional keystroke logging Lesson 7 Sample: Policy optimizations Lesson 8 Sample: Controlling the execution environment Lesson 9 Sample: Flow control Lesson 10 Sample: Basic menus

Advanced Privilege Manager for Unix Configuration

Privilege Manager for Unix shells

Privilege Manager for Unix shell features Forbidden commands Allowed commands Allowed piped commands Check shell built-in commands Read-only variable list Running a shell in restricted mode Additional shell considerations

Configuring Privilege Manager for Unix for policy scripting

Configuration prerequisites Configuration file examples

Example 1: Basics Example 2: Accept or reject requests Example 3: Command constraints Example 4: Lists Example 5: I/O logging, event logging, and replay Example 6: More complex policies Example 7: Use variables to store constraints Example 8: Control the run-time environment Example 9: Switch and case statements Example 10: Menus

Use the while loop Use parallel lists Best practice policy guidelines Multiple configuration files and read-only variables Mail Environmental variables NIS netgroups Specify trusted hosts

Configuring firewalls

Privilege Manager for Unix port usage Restricting port numbers for command responses Configuring pmtunneld Configuring Network Address Translation (NAT)

Configuring Kerberos encryption Configuring certificates

Enable configurable certification

Configuring alerts Configuring Pluggable Authentication Method (PAM)

Utilizing PAM authentication Authenticate PAM to client

Administering Log and Keystroke Files

Controlling logs Local logging

Event logging Keystroke (I/O) logging

Keystroke (I/O) logging policy variables

Central logging with Privilege Manager for Unix Controlling log size with Privilege Manager for Unix Viewing the log files using a web browser Viewing the log files using command line tools Listing event logs Backing up and archiving event and keystroke logs

InTrust Plug-in for Privilege Manager for Unix

InTrust Plug-in requirements Installing InTrust Plug-in components InTrust Plug-in installation prerequisites Configuring the policy server for the InTrust Plug-in Installing the InTrust Knowledge Pack

InTrust Knowledge Pack objects

Installing the InTrust Reporting Pack Configuring the InTrust data collection Viewing InTrust reports Generating reports

Gathering InTrust data

Troubleshooting

Displaying profile-based policy debug information Enabling program-level tracing Load balancing and policy updates Policy servers are failing

Privilege Manager for Unix Policy File Components

Lexical and syntactic productions Data types Operators and expressions

Privilege Manager for Unix Variables

Variable names Variable scope Global input variables

alertkeymatch argc argv bkgd client_parent_pid client_parent_uid client_parent_procname clienthost command cwd date day dayname domainname env false FEATURE_LDAP FEATURE_VAS gid group groups host hour masterhost masterversion minute month nice nodename optarg opterr optind optopt optreset optstrictparameters pid pmclient_type pmclient_type_pmrun pmclient_type_sudo pmshell pmshell_builtin pmshell_cmd pmshell_cmdtype pmshell_exe pmshell_interpreter pmshell_prog pmshell_script pmshell_uniqueid pmversion ptyflags requestlocal requestuser rlimit_as rlimit_core rlimit_cpu rlimit_data rlimit_fsize rlimit_locks rlimit_memlock rlimit_nofile rlimit_nproc rlimit_rss rlimit_stack samaccount selinux status submithost submithostip thishost time true ttyname tzname uid umask unameclient unamemaster uniqueid use_rundir use_rungroup use_rungroups use_runshell user year

Global output variables

alertkeyaction alertkeysequence disable_exec eventlog eventloghost execfailedmsg iolog iolog_encrypt iolog_errmax iolog_opmax iologhost log_passwords logomit logstderr logstdin logstdout notfoundmsg passprompts pmshell_allow pmshell_allowpipe pmshell_checkbuiltins pmshell_forbid pmshell_readonly pmshell_reject pmshell_restricted preserve_clienthost profile_keepenv profile_setenv profile_unsetenv profile_use_runuser rejectmsg runargv runbkgd runchroot runcksum runclienthost runcommand runconfirmuser runcwd runenablerlimits runenv rungroup rungroups runhost runnice runpaths runptyflags runrlimit_as runrlimit_core runrlimit_cpu runrlimit_data runrlimit_fsize runrlimit_locks runrlimit_memlock runrlimit_nofile runrlimit_nproc runrlimit_rss runrlimit_stack runtimeout runumask runuser runutmpuser subprocuser tmplogdir

Global event log variables

alertdate alerttime event exitdate exitstatus exittime

PM settings variables

Privilege Manager for Unix Flow Control Statements

accept, reject break continue do-while for loop for loop function if-else include procedure / function readonly readonlyexcept return switch while

Privilege Manager for Unix Built-in Functions and Procedures

Environment functions

getenv getlistsetting getnumericsetting getstringsetting getyesnosetting keepenv policygetenv policysetenv policyunsetenv setenv unsetenv

Hash table functions

hashtable_add hashtable_create hashtable_enum hashtable_import hashtable_lookup

Input and output functions

fprintf input inputnoecho print printf printnnl printvars readdir readfile sprintf syslog

LDAP functions

ldap_ bind ldap_count_entries ldap_dn2ufn ldap_explode_dn ldap_first_attribute ldap_first_entry ldap_get_attributes ldap_get_dn ldap_get_values ldap_next_attribute ldap_next_entry ldap_open ldap_search ldap_unbind

LDAP API example List functions

append insert join length lsubst range replace search split splitSubst

Miscellaneous functions Password functions

getgrouppasswd getstringpasswd getuserpasswd

Remote access functions

remotefileexists remotegroupinfo remotegrouplist remotesysinfo remoteusergroups remoteuserinfo remoteuserlist

String functions

match pad strindex strlen strsub sub subst substr

User information functions

getfullname getgroup getgroups gethome getshell

Authentication Services functions

vas_auth_user_password vas_host_in_ADgrouplist vas_host_is_member vas_user_get_groups vas_user_in_ADgrouplist vas_user_is_member

Privilege Manager for Unix programs

pmbash pmcheck pmclientd pmclientinfo pmcp pmcsh pmincludecheck pminfo pmjoin pmkey pmksh pmless pmlicense pmlist pmloadcheck pmlocald pmlog pmlogadm pmlogsearch pmlogsrvd pmmasterd pmmg pmpasswd pmpolicy pmpolicyconvert pmpolsrvconfig pmremlog pmreplay

Navigating the log file

pmresolvehost pmrun pmscp pmserviced pmsh pmshellwrapper pmsrvcheck pmsrvconfig pmsrvinfo pmstatus pmsum pmsysid pmtunneld pmumacs pmverifyprofilepolicy pmvi

Installation Packages

Package locations Installed files and directories

vas_user_in_ADgrouplist

Privilege Manager for Unix Built-in Functions and Procedures > Authentication Services functions > vas_user_in_ADgrouplist

Syntax

int vas_user_in_ADgrouplist ( string username, string domain, list ADgrouplist [, boolean verbose] )

Description

The vas_host_in_ADgrouplist function checks membership of the Active Directory group lists.

Returns the index of the matched list item if found, or -1 if not found.

vas_user_is_member

Privilege Manager for Unix Built-in Functions and Procedures > Authentication Services functions > vas_user_is_member

Syntax

int vas_user_is_member (string username, string groupname [, string domain [, boolean verbose]] )

Description

The vas_user_is_member function checks whether a selected user name and selected domain is a member of the selected group. If domain is empty, it defaults to the joined domain. You can specify the group name as <domain>/<group> or <group>@<domain>.

Returns:

0: user not in group
1: user in group
-1: error

Privilege Manager for Unix programs

This section describes each of the Privilege Manager for Unix programs and their options. The following table indicates which Privilege Manager for Unix component installs each program.

Table 48: Privilege Manager programs
Name	Description	Server	Agent	Sudo
pmbash	Is a wrapper for the GNU Bourne Again SHell that provides transparent authorization and auditing for all commands submitted during the shell session.	X	X	-
pmcheck	Verifies the syntax of a policy file.	X	-	X
pmclientd	The Privilege Manager for Unix Client daemon that listens on the configured policy server port and responds to a remote request.	X	X	-
pmclientinfo	Displays configuration information about a client host.	X	X	-
pmcp	Privilege Manager for Unix remote file copy command.	X	X	-
pmcsh	Privilege Manager for Unix C Shell provides transparent authorization and auditing for all commands submitted during the shell session.	X	X	-
pmincludecheck	Used by pmsrvconfig script on the primary server only. When configuring a primary server in pmpolicy type, if you do not have a policy file to import into the repository, then pmincludecheck initializes the policy from the current set of default policy files provided in the installation.	X	-	-
pminfo	Registers the local host with the Privilege Manager for Unix 5.5 policy server. Note that pminfo is obsolete as of version 5.6 and is included for backwards compatibility only.	X	X	-
pmjoin	Configures a Privilege Manager for Unix agent to communicate with the servers in the group.	X	X	-
pmkey	Generates and installs configurable certificates.	X	X	X
pmksh	Privilege Manager for Unix K Shell provides transparent authorization and auditing for all commands submitted during the shell session.	X	X	-
pmless	A terminal pager program that allows you to view (by not modify) the contents of a text file one screen at a time.	X	X	-
pmlicense	Displays current license information and allows you to update a license (an expired one or a temporary one before it expires) or create a new one.	X	-	-
pmlist	Lists the commands that the user is permitted to run.	X	X	-
pmloadcheck	Controls load balancing and failover for connections made from the host to the configured policy servers.	X	X	-
pmlocald	The Privilege Manager for Unix Local daemon which runs programs when instructed to do so by the appropriate policy server daemon.	X	X	-
pmlog	Displays entries in a Privilege Manager for Unix event log.	X	-	-
pmlogadm	Manages encryption options on the event log.	X	-	-
pmlogsearch	Searches all logs in a policy group based on specified criteria.	X	-	-
pmlogsrvd	The Privilege Manager for Unix log access daemon, the service responsible for committing events to the Privilege Manager for Unix event log and managing the database storage used by the event log.	X
pmmasterd	The Privilege Manager for Unix Master daemon which examines each user request and either accepts or rejects it based upon information in the Privilege Manager configuration file. You can have multiple pmmasterd daemons on the network to avoid having a single point of failure.	X	-	X
pmmg	A special version of an emacs text editor to use with Privilege Manager for Unix (gnu-style key bindings).	X	X	-
pmpasswd	Generates an encrypted password which can be used in the configuration file.	X	-	-
pmpolicy	A command-line utility for managing the Privilege Manager for Unix security policy. This utility checks out the current version, checks in an updated version, and reports on the repository.	X	-	-
pmpolicyconvert	Utility that allows you to verify, and if necessary, convert any number of policy files for use with Privilege Manager for Unix V5.5 (or later).	X	-	-
pmpolsrvconfig	Configures (or unconfigures) a primary or secondary policy server. Allows you to grant a user access to a repository.	X	-	-
pmremlog	Provides a wrapper for the pmlog and pmreplay utilities to access the event (audit) and keystroke (I/O) logs on any server in the policy group.	X	-	-
pmreplay	Replays an I/O log file allowing you to review what happened during a previous privileged session.	X	-	-
pmresolvehost	Verifies the host name or IP resolution for the local host or a selected host.	X	X	X
pmrun	Allows a user to run a command from their local machine as root. The policy server daemon, pmmasterd, examines each request from pmrun, and either accepts or rejects it based upon the policies specified in the policy file.	X	X	-
pmscp	Allows Privilege Manager for Unix to launch the remote scp daemons.	X	-	-
pmserviced	The Privilege Manager for Unix Service daemon listens on the configured ports for incoming connections for the Privilege Manager for Unix daemons. pmserviced uses options in pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon.	X	X	X
pmsh	Privilege Manager for Unix Bourne Shell that provides transparent authorization and auditing for all commands submitted during the shell session.	X	X	-
pmshellwrapper	A wrapper for any valid login shell on a host.	X	X	-
pmsrvcheck	Checks the Privilege Manager for Unix policy server configuration to ensure it is setup properly.	X	-	-
pmsrvconfig	Configures a primary or secondary policy server.	X	-	-
pmsrvinfo	Verifies the policy server configuration.	X	-	-
pmstatus	Verifies connectivity between Privilege Manager for Unix and the pmlocald and pmmasterd daemons on the specified hosts.	X	X	-
pmsum	Generates a simple checksum of a binary.	X	-	-
pmsysid	Displays the Privilege Manager for Unix system ID.	X	X	X
pmtunneld	The Privilege Manager for Unix Tunnel daemon that acts as a proxy for pmrun when pmlocald communicates with pmrun through a firewall.	X	X	-
pmumacs	A special version of a microemacs text editor to use with Privilege Manager for Unix (gosling-style key bindings).	X	X	-
pmverifyprofilepolicy	Verifies the syntax and structure of the policy file and checks whether a particular command will be accepted or rejected.	X	-	-
pmvi	Allows users to access a specific file as root but no other root functions.

pmbash

Privilege Manager for Unix programs > pmbash

Syntax

pmbash -c <command>|-i|-l|-r|-s|-B|[-+]O <option>

Description

The Privilege Manager for Unix Bourne Again SHell (pmbash) command is a wrapper program for the GNU Bourne Again SHell (bash), that provides transparent authorization and auditing for all commands submitted during the shell session. pmbash supports the standard options for bash.

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

forbidden by the shell without further authorization to the policy server
allowed by the shell without further authorization to the policy server
presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Unlike the other Privilege Manager for Unix shells, pmbash is not a standalone shell. It is a wrapper that runs the system version of the bash shell while logging keystrokes and authorizing shell commands via Privilege Manager for Unix. Command authorization is limited to external commands: pmbash, cannot authorize shell built-in commands.

Options

pmbash has the following options.

Table 49: Options: pmsh
Option	Description
-B	Allows the shell to run in the background.
-c <command>	Runs the specified command from the next argument.
-i	Runs the shell in interactive mode even when input is not from a terminal.
-l	Acts as a login shell, the shell will read the contents of /etc/profile and $HOME/.profile if they exist.
[+-]O <shopt_option>	Sets or clears one of the shell options accepted by the shopt built-in command.
-r	Runs the shell in restricted mode.
The shell reads commands from standard input even when there are additional non-option arguments.

Additional long options may also be specified, see the bash manual for details.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Privilege Manager for Unix 7.1.1 - Administration Guide

vas_user_in_ADgrouplist

Syntax

Description

vas_user_is_member

Syntax

Description

Privilege Manager for Unix programs

pmbash

Syntax

Description

Options