Chat now with support
Chat with Support

Safeguard for Sudo 7.2.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard Variables Safeguard programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

pmreplay

Syntax
pmreplay -V 
pmreplay -[t|s|i] -[Th] <filename> 
pmreplay -[e][I][o] -[EhKTv] <filename> 
Description

Use the pmreplay command to replay a log file to review what happened during a specified privileged session. The program can also display the log file in real time.

When using Safeguard for Sudo, enable keystroke logging by configuring the log_input and log_output variables. Please consult your sudoers manual for more information about configuring keystroke logging.

pmreplay can distinguish between old and new log files. If pmreplay detects that a log file has been changed, a message displays to tell you that the integrity of the file cannot be confirmed. This also occurs if you run pmreplay in real time and the Safeguard session that generated the events in the log file is active; that is, the client session has not completed or closed yet. In this case, the message does not necessarily indicate that the file has been tampered with.

The name of the I/O log is a unique filename constructed with the mktemp function using a combination of policy file variables, such as username, command, date, and time.

Safeguard sets the permissions on the I/O log file so that only root and users in the pmlog group can read it. That way, ordinary users cannot examine the contents of the log files. You must be logged in as root or be a member of the pmlog group to use pmreplay on these files. You may want to allow users to use Safeguard to run pmreplay.

By default pmreplay runs in interactive mode. Enter ? to display a list of the interactive commands you can use to navigate through the file.

For example, replay a log file interactively by typing:

pmreplay /var/opt/quest/qpm4u/iolog/demo/dan/id_20130221_0855_gJfeP4 

the results will show a header similar to this:

 Log File : /var/opt/quest/qpm4u/iolog/demo/dan/id_20130221_0855_gJfeP4 Date : 2013/02/21 Time : 08:55:17 Client : dan@sala.abc.local Agent : root@sala.abc.local Command : id Type ’?’ or ’h’ for help

Type ? or h at any time while running in interactive mode to display the list of commands that are available.

Options

pmreplay has the following options.

Table 38: Options: pmreplay
Option Description
-e Dumps the recorded standard error.
-E Includes vi editing sessions when used with -K.
-h When used with -o or -I, prints an optional header line. The header is always printed in interactive mode.
-i Replays the recorded standard input.
-I Dumps the recorded standard input, but converts carriage returns to new lines in order to improve readability.
-K When used with -e, -I, and -o, removes all control characters and excludes vi editing sessions. Use with -E to include vi editing sessions.
-o Dumps the recorded standard output.
-s

Automatically replays the file in slide show mode.

Use + and - keys to vary the speed of play.

-t Replays the file in tail mode, displaying new activity as it occurs.
-T Displays command timestamps.
-v Prints unprintable characters in octal form (\###)
-V Displays the Safeguard version number.
Exit codes

pmreplay returns these codes:

  • 1: File format error – Cannot parse the logfile.
  • 2: File access error – Cannot open the logfile for reading
  • 4: Usage error – Incorrect parameters were passed on the command line
  • 8: Digest error – The contents of the file and the digest in the header do not match

Navigating the log file

Use the following commands to navigate the log file in interactive mode.

Table 39: Log file navigation shortcuts
Command Description
g Go to start of file.
G Go to end of file.
p Pause or resume replay in slide show mode.
q Quit the replay.
r Redraw the log file from start.
s Skip to next time marker. Allows you to see what happened each second.
t Display time of an action at any point in the log file.
u Undo your last action.
v Display all environment variables in use at the time the log file was created.
Space key Go to next position (usually a single character); that is, step forward through the log file.
Enter key Go to next line.
Backspace key Back up to last position; that is, step backwards through the log file.

/<Regular Expression> Enter

Search for a regular expression while in interactive mode.

/Enter

Repeat last search.

Display the time of an action at any point in the log file with t, redraw the log file with r, and undo your last action with u.

You can also display all the environment variables which were in use at the time the log file was created using v. Use q or Q to quit pmreplay.

Type any key to continue replaying the I/O log.

pmresolvehost

Syntax
pmresolvehost -p|-v|[-h <hostname>] [-q][-s yes|no]
Description

The pmresolvehost command verifies the host name / IP resolution for the local host or for a selected host. If you do not supply arguments, pmresolvehost checks the local host name/IP resolution.

Options

pmresolvehost has the following options.

Table 40: Options: pmresolvehost
Option Description

-h <hostname>

Verifies the selected host name.

-p

Prints the fully qualified local host name.

-q

Runs in silent mode; displays no errors.

-s

Specifies whether to allow short names.

-v

Displays the Safeguard version.

pmserviced

Syntax

pmserviced [-d] [-n] [-s] [-v] 

Description

The Safeguard service daemon, (pmserviced) is a persistent process that spawns the configured Safeguard services on demand. The pmserviced daemon is responsible for listening on the configured ports for incoming connections for the Safeguard daemons.It is capable of running the pmmasterd service.

Only one of pmmasterd and pmclientd may be enabled as they use the same TCP/IP port. See the individual topics in PM settings variables for more information about these daemon settings.

Options

pmserviced has the following options.

Table 41: Options: pmserviced
Option Description
-d Logs debugging information such as connection received, signal receipt and service execution.

By default, pmserviced only logs errors.

-n Does not run in the background or create a pid file. By default, pmserviced forks and runs as a background daemon, storing its pid in /var/opt/quest/qpm4u/pmserviced.pid. When you specify the -n option, it stays in the foreground. If you also specify the -d option, error and debug messages are logged to the standard error in addition to the log file or syslog.
-s Connects to the running pmserviced and displays the status of the services, then exits.
-v Displays the version number of Safeguard and exits.
pmserviced Settings

pmserviced uses the following options in /etc/opt/quest/qpm4u/pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon.

Table 42: Options: pmserviced
Daemon Name Flag to enable daemon Listen on port Command line options
pmmasterd pmmasterdEnabled masterport pmmasterdOpts
Table 43: Settings: pmserviced
Setting Description
pmservicedLog pathname | syslog Fully qualified path to the pmserviced log file or syslog.
pmmasterdEnabled YES | NO When set to YES, pmserviced runs pmmasterd on demand.
masterport number

The TCP/IP port pmmasterd uses to listen.

pmmasterdOpts options Any command line options passed to pmmasterd.
Files
  • settings file: /etc/opt/quest/qpm4u/pm.settings
  • pid file: /var/opt/quest/qpm4u/pmserviced.pid
Related Topics

pmmasterd

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating