Chat now with support
Chat with Support

Safeguard for Sudo 7.2.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard Variables Safeguard programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

pmkey

Syntax
pmkey -v  
         -a <keyfile> 
         [ [-l | -r | -i <keyfile>] 
         [-p <passphrase>] [-f]]
Description

Use the pmkey command to generate and install configurable certificates.

In order for a policy evaluation request to run, keys must be installed on all hosts involved in the request. The keyfile must be owned by root and have permissions set so only root can read or write the keyfile.

Options

pmkey has the following options.

Table 18: Options: pmkey
Option Description
-a <keyfile> Creates an authentication certificate.
-i <keyfile> Installs an authentication certificate.
-l

Creates and installs a local authentication certificate to this file:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

This is equivalent to running the following two commands:

  • pmkey -a /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/ key_localhost

    -OR-

  • pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/ key_localhost

-f Forces the operation. For example:
  • Ignore the password check when installing keyfile using -i or -r
  • Overwrite existing keyfile when installing local keyfile using -l
-p <passphrase>

Passes the passphrase on the command line for the -a or -l option.

If not specified, pmkey prompts the user for a passphrase.

-r

Installs all remote keys that have been copied to this directory:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_<hostname>

This provides a quick way to install multiple remote keys.

-v Displays the Safeguard version and exits.
Examples

The following command generates a new certificate, and puts it into the specified file:

pmkey -a <filename>

The following command installs the newly generated certificate from the specified file:

pmkey -i <filename>
Related Topics

pmcheck

pmmasterd

pmreplay

pmsum

pmlicense

Syntax
pmlicense -h 
	   [-c]
	   -v [-c]
	   -v <xmlfile> [-c]
	   -l|-x <xmlfile> [-c] [-f] [-e]
	   -u [s|f][-c][-d m|y][-o <outfile>][-s d|h][-t u|p|k]
	   -r [-e]
	   -R <host> [-c]
	   
Description

The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. If you do not supply an option, then pmlicense displays a summary of the combined licenses configured on this host.

Options

pmlicense has the following options.

Table 19: Options: pmlicense
Option Description
-c Displays output in CSV, rather than human-readable format.
-d Filters a license report; restricting the date to either:
  • m: Only report licenses used in the past month.
  • y: Only report licenses used in the past year.
-e Does not forward the license change to the other servers in the group.
-f Does not prompt for confirmation in interactive mode.
-h Displays usage.
-l <xmlfile>

Configures the selected XML license file, and forwards it to the other servers in the policy group.

This option must be run as the root user or a member of the pmpolicy group.

-o <outfile> Sends report output to selected file rather than to the default. For csv output, the default is file: /tmp/pmlicense_report_<uid>.txt; for human-readable output, the default is stdout.
-r Regenerates and configures the default trial license, removing any configured commercial licenses, and forwards this change to the other servers in the policy group.
-R <host> Remove the specified from the local policy server's license database. Normally, the client is removed automatically when it is unjoined from the policy server group. This option can be used to remove a client that has been retired without being explicitly unjoined.
-s Sort the report data by either:
  • d: date (newest first)
  • h: hostname (lowest first)
-t Filters license report by client type:
  • u: Privilege Manager for Unix client
  • p: sudo policy plugin
  • k: sudo keystroke plugin
-u Displays the current license utilization on the master policy server:
  • s: Show summary of hosts licensed
  • f: Show full details of hosts licensed, with last used times
-v If you do not provide a file argument, it displays the details of the currently configured license. If you provide a file argument, it verifies the selected XML license file and displays the license details.
-x <xmlfile>

Configures the selected XML license file.

This option is deprecated, use the "-l" option instead.

License data is updated periodically by the pmloadcheck daemon. See pmloadcheck for details.

Examples

To display current license status information, enter the following:

# pmlicense

Safeguard displays the current license information, noting the status of the license. The output will be similar to the following:

*** One Identity Safeguard *** 
*** Privilege Manager for Unix VERSION 6.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address: <IP> 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0

*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID
*License Key                                   PSXG-GPRH-PIGF-QDYV 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               1000

To update or create a new a license, enter the following at the command line:

pmlicense -l <xmldoc>

Safeguard displays the current license information, noting the status of the license, and then validates the information in the selected .xml file, for example:

*** One Identity Safeguard for Sudo *** 
*** Safeguard for Sudo VERSION 7.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address:<IP> *** 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0 
*** Validating license file: <xmldoc> *** 
*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID 
*License Key                                   PNFT-FDIO-YSLX-JBBH 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               100 
*** The selected license file (<xmldoc>) contains a valid license *** 

Would you like to install the new license? y 
Type y to update the current license. 
Archiving current license… [OK] 
*** Successfully installed new license ***

pmloadcheck

Syntax
pmloadcheck -v 
               -s|-p|-i [-e <interval>][-t <sec>] 
               [-c|-f][-b][ -h <master>][-t <sec>] [-a][-r]
Description

The pmloadcheck daemon runs on Safeguard for Sudo policy servers. By default, every 60 minutes the daemon verifies the status of the configured policy servers. It controls load balancing and failover for connections made from the host to the configured policy servers, and on secondary servers, it sends license data to the primary server.

When the pmloadcheck daemon runs, it attempts to establish a connection with the policy servers to determine their current status. If pmloadcheck successfully establishes a session with a policy server, it is marked as online and is made available for normal client sessions. If pmloadcheck does not successfully establish a session with a policy server, it is marked as offline.

Information is gathered from a policy server each time a normal client session connects to the policy server. This information is used to determine which policy server to use the next time a session is requested. If an agent cannot establish a connection to a policy server because, for example, the policy server is offline, then this policy server is marked as offline and no more connections are submitted to this policy server until it is marked available again.

To check the current status of all configured policy servers, and display a brief summary of their status, run pmloadcheck with no options. Add the -f option to show full details of each policy server status.

Options

pmloadcheck has the following options.

Table 20: Options: pmloadcheck
Option Description

-a

Verifies the connection as if certificates were configured.

-b

Runs in batch mode.

-c

Displays output in CSV format.

-e <interval>

Sets the refresh interval (in minutes) to determine how often the pmloadcheck daemon checks the policy server status. Default = 60.

-f

Shows full details of the policy server status when verifying and displaying policy server status.

-h <master>

Selects a policy server to verify.

-i

Starts up the pmloadcheck daemon, or prompt an immediate recheck of the policy server status if it is already running.

-P

Sends SIGNUP to a running daemon.

-p

Pauses (sends SIGUSR1) to a running daemon.

-r

Reports last cached data for selected servers instead of connecting to each one.

-s

Stops the pmloadcheck daemon if it is running.

-t <sec>

Specifies a timeout (in seconds) to use for each connection.

-v

Displays the version string and exits.

pmlog

Syntax
pmlog [-dlvq] [-p|a|e|r|x <printexpr>] [-f <filename>] [[-c] <constraint>] 
         [[-c] <constraint>] [-f <filename>] -h 
         [--user <username>] [--runuser <username>] [--runhost <hostname>] [--reqhost <hostname>] [--masterhost <hostname>][--command <pattern>] [--reqcommand <pattern>] [--runcommand <pattern>][--before "<YYYY/MM/DD hh:mm:ss>"] [--after "<YYYY/MM/DD hh:mm:ss>"][--result Accept|Reject]
Description

Use the pmlog command to selectively choose and display entries in a Privilege Manager for Unix event log. Each time a job is accepted, rejected, or completed by pmmasterd, an entry is appended to the file specified by the eventlog variable in the configuration file. eventlog is sent to /var/opt/quest/qpm4u/pmevents.db on all platforms.

Options

pmlog has the following options.

Table 21: Options: pmlog
Option Description

-a <expression>

Sets the print expression for accept events to the specified expression.

-c <constraint>

Selects particular entries to print; specify constraint as a Boolean expression.

See Examples.

-d

Dumps each entry as it is read without matching 'accept' and 'end' entries. The -d (dump) option forces pmlog to print each entry as it is read from the file. The default output format includes a unique identifier at the start of each record, allowing 'end' events to be matched with 'accept' events.

-e <expression>

Sets the print expression for finish events to the specified expression.

-f <filename>

Reads the event log information from the specified file.

-h

Displays usage information.

-l

Dumps alert log entries only.

-p <expression>

Sets the print expression for all event types to the specified expression.

-q

Runs in quiet mode; no expression errors (for example, undefined variables) are printed.

-r <expression>

Sets the print expression for reject events to the specified expression.

-v

Turns on verbose mode.

-x <expression>

Sets the print expression for alert events to the specified expression.
Quick Search Options

--user <username>

Selects entries in which the requesting user matches username.

--runuser <username>

Selects entries in which runuser matches username.

--runhost <hostname>

Selects entries in which runhost matches hostname.

--reqhost <hostname>

Selects entries in which the requesting host matches hostname.

--masterhost <hostname>

Selects entries in which masterhost matches hostname.

--command <pattern>

Selects entries in which the requested command matches pattern.

--reqcommand <pattern>

Return events where the given text appears anywhere in the requested command line.

--runcommand <pattern>

Selects entries in which the runcommand host matches pattern.
--before "<YYYY/MM/DD hh:mm:ss>" Selects entries occurring before the specified date and time.
--after "<YYYY/MM/DD hh:mm:ss>" Selects entries occurring after the specified date and time.

--result Accept|Reject

Selects entries that were accepted or rejected.

Examples

Without arguments, pmlog reads the default eventlog file and prints all its entries. If you have chosen a different location for the event log, use the -f option to specify the file for pmlog.

By default, pmlog displays one entry for each completed session (either rejected or accepted). You can filter the results to print only entries which satisfy the specified constraint using the -c option. In these examples the -c option is used to specify a constraint as a Boolean expression:

pmlog -c'event=="Reject"' 
pmlog -c'date > "2008/02/11"' 
pmlog -c'user=="dan"'

which prints only rejected entries, entries that occur after February 11, 2008, or requests by user Dan, respectively.

See Safeguard Variables for more information about policy variables.

The following options accept shortcut notations to specify constraints:

  • --user username
  • --runuser username
  • --reqhost hostname
  • --runhost hostname
  • --masterhost hostname
  • --command command
  • --runcommand command
  • --reqcommand command
  • --before "YYYY/MM/DD hh:mm:ss"
  • --after "YYYY/MM/DD hh:mm:ss"
  • --result Accept|Reject

For example, here are equivalent constraints to the previous example specified using shortcuts:

pmlog --result Reject 
pmlog --after "2008/02/11 00:00:00" 
pmlog --user dan 

With shortcuts, you can express user names and host names as patterns containing wild card characters (? and *). For example, to display entries for all requests for user1, user2, and user3, use the following shortcut:

pmlog --user “user?"

Enclose patterns containing wild card characters in quotes to avoid being interpreted by the command shell.

Use the -d and -v options for debugging. Normally, when pmlog finds an 'accept' entry, it refrains from printing until the matching 'end' entry is found; all requested information including exitstatus, exitdate, and exittime is then available to print.

The -d (dump) option forces pmlog to print each entry as it is read from the file. The default output format includes a unique identifier at the start of each record, allowing 'end' events to be matched with 'accept' events.

The -v (verbose) option prints all the variables stored with each entry.

The -t option turns on tail follow mode. The program enters an endless loop, sleeping and printing new event records as they are appended to the end of the log file. The -d flag is implied when using -t.

You can specify the output format for each of the three event types - 'accept', 'reject' or 'finish' - with the -a, -r, and -e options. Use the -p option to set the output for all three event types.

For example, to print only the dates and names of people making requests, enter:

pmlog -p'date + "\t" + user + "\t" + event'

-OR-

pmlog -p 'sprintf("%s %-8s %s", date, user, event)'

See Listing event logs for more examples of using the pmlog command.

Note that if you run pmlog --csv console to obtain CSV output from pmlog, refer to pmlogsearch for a list of the column headings.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating