Chat now with support
Chat with Support

Safeguard for Sudo 7.2.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard Variables Safeguard programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

pmpolicyplugin

Syntax
pmpolicyplugin [-c] -g | -h | -l | -s | -v 
Description

Use the pmpolicyplugin command to display the revision status of the cached security policy on this host or to request an update from the central repository.

Options

pmpolicyplugin has the following options.

Table 34: Options: pmpolicyplugin
Option Description
-c Displays output in CSV, rather than human-readable format.
-g Exports the latest copy of the policy to the production copy (equivalent to pmpolicy sync on a server).
-h Displays usage information.
-l Reports whether a client is configured on this host.
-s Shows details of the production policy on this host (equivalent to pmpolicy masterstatus on a server).

-v

Displays Safeguard version number.

See Sudo policy is not working properly for an example of using the pmpolicyplugin command.

pmpoljoin_plugin

Syntax
pmpoljoin_plugin -j <primaryserver> [-u <localuser][-b][-p] -d [-f] [-b] -v | -h | -[-z on|off[:<pid>]]
Description

Adjunct program to the pmjoin_plugin script. pmpoljoin_plugin is called by the pmjoin_plugin script when configuring a Sudo Plugin host to setup up the required read-only access to the policy repository, so that the client can operate in off-line mode.

Options

pmpoljoin_plugin has the following options.

Table 35: Options: pmpoljoin_plugin
Option Description
-b

Runs the script in non-interactive mode.

Default: Runs in interactive mode.

-d Unconfigures the client.
-f Does not prompt for confirmation when unconfiguing the client.
-h Shows this usage

-j <primaryserver>

Joins this client to the selected primary server.

Configures a client license on this host if it does not already have a server license; creates a pmclient user and configures read-only access to the repository for this user, using the pmpolicy account on the primary server.

-q Reads pmpolicy user's password from stdin.

-u <localuser>

Specifies the pmclient user account that will manage the production copy. This user will be created if it does not exist.

Default: pmclient

-v

Prints the product version.

pmpolsrvconfig

Syntax
pmpolsrvconfig -p <policygroupname> [-b][-i <path>][-o][-r <dir>] 
                 [-t sudo|pmpolicy] [-u <policyuser][-w <userpasswd>]  
                 [-g <policygroup>][-l <loggroup>] -s <host> [-b][-q] [-q] 
                  -a <user> [-b][-q] [-q] 
                  -d [-f] 
                  -e <host> [-f] 
                  -x [-f] 
                  -v 
                  -h 
Description

The pmpolsrvconfig program is normally run by pmsrvconfig script, not by the user, to configure or un-configure a primary or secondary policy server. But, you can use it to grant a user access to a repository.

Options

pmpolsrvconfig has the following options.

Table 36: Options: pmpolsrvconfig
Option Description

-a <user>

Provides the selected user with access to the existing repository. If the user does not exist, it is created. The host must first have been configured as a policy server.

This user will be added to the pmpolicy group to grant it read/write access to the repository files, and to the pmlog group to grant it read access to the log files.

On a secondary policy server, an ssh key will also be generated to provide access to the pmpolicy user account on the primary policy server. The "join" password is required to copy this ssh key to the primary policy server.

-b

Runs the script in batch mode (that is, no user interaction is possible).

Default: Runs in interactive mode.

-d

Unconfigures the policy server, and deletes the repository if this is a primary server.

If you do not specify the -f option, then it prompts you to confirm the action.

-e <host>

Removes the selected host from the server group.

-f

Forces the unconfigure action (that is, no user interaction required)

Default: Prompt for confirmation for -x option.

-g <policygroup>

Specifies the policy group ownership for the repository. If this group does not exist, it is created.

Default: pmpolicy

-h

Prints help.

-i <path>

Imports the selected policy into the repository. If this is a directory, the entire contents of the directory will be imported.

Default: /etc/sudoers.

-l <loggroup>

Specifies the pmlog group ownership for the keystroke and audit logs

Default: pmlog

-o

Overwrites the repository if it already exists.

Default: Does not overwrite if the repository already exists.

-p <policygroup>

Configures a primary policy server for the selected group name.
-q Reads the pmpolicy user's password from stdin.
-r <dir>

Creates the repository in the selected directory.

Default: /var/opt/quest/qpm4u/.qpm4u/.repository

-s <host> Configures a secondary policy server. You must supply the primary policy server host name. The secondary policy server retrieves the details of the policy group from the primary policy server. It creates the policygroup and loggroup groups to match those on the primary policy server and configures the policyuser user to grant it ssh access to the repository on the primary server. The "join" password is required to copy this ssh key to the primary policy server.
-t sudo|pmpolicy

Specifies the security policy type: sudo or pmpolicy.

Default: sudo policy type

-u <policyuser>

Specifies the policy user account that manages the production copy. If this user does not exist, it is created and added to both the policygroup and loggroup groups. This user owns the repository on the primary policy server and provides remote access to the repository files to the secondary policy servers.

Default: pmpolicy

-v Prints the product version.
-w <userpasswd>

(Optional) Sets new user's password for -a option.

Default: No password is configured.

-x

Unconfigures the policy server. If you do not specify the -f option, you are prompted to confirm the action.

This does not remove the repository.

pmremlog

Syntax
pmremlog -v  
pmremlog -p pmlog|pmreplay|pmlogtxtsearch [-o <outfile>] 
pmremlog [-h <host>] [-b] [-c] -- <program args>
Description

The pmremlog command provides a wrapper for the pmlog and pmreplay utilities to access the event (audit) and keystroke (I/O) logs on any server in the policy group. Anyone in the pmlog group can run this utility on the primary policy server.

Note that pmlogtxtsearch is a command located in /opt/quest/libexec.

Options

pmremlog has the following options.

Table 37: Options: pmremlog
Option Description
-b Disables interactive input and uses batch mode.
-c Displays output in CSV, rather than human-readable format.

-h <host>

Specifies a host in the policy server group to access.

-o <outfile>

Saves the pmlog output to a file.
-p

Specifies program to run:

  • pmlog
  • pmreplay
  • pmlogtxtsearch
-v Displays the Safeguard version number.
Examples

To view the audit log on the primary policy server, enter:

pmremlog -p pmlog -- -f /var/opt/quest/qpm4u/pmevents.db

To view the audit events for user fred on secondary policy server host1, save the pmlog output to a file, and display the result of the pmremlog command in CSV format, enter:

pmremlog -p pmlog -c -o /tmp/events.txt -h host1 -- --user fred

To view the stdout from keystroke log id_host1_x3jfuy, on secondary policy server host1, enter:

pmremlog -p pmreplay -h host1 -- -o -f /var/opt/quest/qpm4u/iologs/id_host1_x3jfuy

To retrieve the contents of keystroke log id_host1_x3jfuy, from secondary policy server host1, formatted for the pmreplay GUI, save the output to a temporary file, and display the result of the pmremlog command in CSV format, enter:

pmremlog -p pmreplay -h host1 -c -o /tmp/replay -- -zz -f /var/opt/quest/qpm4u/iologs/id_host1_x3jfuy
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating