Chat now with support
Chat with Support

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Security policy types

The security policy lies at the heart of Privilege Manager for Unix. Privilege Manager for Unix guards access to privileged functions on your systems according to rules specified in the security policy. It stipulates which users may access which commands with escalated privileges.

Privilege Manager for Unix supports two security policy types (or modes):

  • sudo policy type: Safeguard for Sudo uses a standard sudoers file as its security policy; that is, the sudo policy is defined by the sudoers file which contains a list of rules that control the behavior of sudo. The sudo command allows users to get elevated access to commands even if they do not have root access.

    Safeguard uses the sudo policy type by default. The sudo policy type is only supported with the One Identity Safeguard for Sudo product.

  • pmpolicy type: Privilege Manager for Unix uses an advanced security policy which employs a high-level scripting language to specify access to commands based on a wide variety of constraints. The Privilege Manager for Unix policy is defined in pm.conf, the default policy configuration file which contains statements and declarations in a language specifically designed to express policies concerning the use of root and other controlled accounts.

    Beginning with release 7.0, both Privilege Manager for Unix and Safeguard for Sudo support the pmpolicy type.

By default, the policy server configuration tool (pmsrvconfig) uses the sudo policy type on new installations; if you want to run Privilege Manager for Unix using the pmpolicy type you must specify that explicitly when using the policy server configuration script.

The pmsrvconfig program is used by both Privilege Manager for Unix and Safeguard for Sudo. Run pmsrvconfig -m sudo or pmsrvconfig -m pmpolicy to specify the policy type. For more information about the pmsrvconfig command options, see pmsrvconfig.

When you join a Sudo Plugin to a policy server, Privilege Manager for Unix adds the following lines to the current local sudoers file, generally found in /etc/sudoers.

## 
## WARNING: Sudoers rules are being managed by Safeguard for Sudo 
## WARNING: Do not edit this file, it is no longer used.
## 
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules. 
##

When you unjoin the Sudo Plugin, Privilege Manager for Unix removes those lines from the local sudoers file.

If you configure Privilege Manager for Unix using the pmpolicy type, pmsrvconfig creates a profile-based policy. This security policy simplifies setup and maintenance through use of easy-to-manage profile templates. For more information about profile-based policy, see pmpolicy type policy.

Use the pmsrvconfig -f <path> command to override the default and import the initial security policy from the specified location.

Privilege Manager for Unix uses a version control system to manage and maintain the security policy. This allows auditors and system administrators to track changes that have been made to the policy and also allows a single policy to be shared and distributed among several policy servers. The "master" copy of the security policy and all version information is kept in a repository on the primary policy server.

You manage the security policy using the pmpolicy command and a number of pmpolicy subcommands. It is important that you only make changes to the policy using the pmpolicy command. Using pmpolicy ensures that the policy is updated in the repository and across all policy servers in the policy group. You can run the pmpolicy command from any policy server in the policy group.

Do not edit the security policy on a policy server directly. Changes made using vi will eventually be overwritten by the version control system.

The primary policy server uses a local service account, pmpolicy, to own and manage the security policy repository. The pmpolicy service account is set when you configure the primary policy server. At that time you assign the pmpolicy service account a password and set its home directory to /var/opt/quest/qpm4u/pmpolicy. This password is also called the "Join" password because you use it when you add secondary policy servers or join remote hosts to this policy group.

You can manually create the pmpolicy user prior to running the pmsrvconfig script, but if the user account does not exist, the script creates the user and asks you for a password.

When you run the pmsrvconfig command, it attempts to initialize the security policy by reusing an existing policy file on this host. If a security policy does not exist, it generates a default policy.

Specifying security policy type

To configure a Privilege Manager for Unix policy server, you must specify the pmpolicy type.

To specify the security policy type

  1. To specify the pmpolicy type, run:

    # pmsrvconfig -m pmpolicy

    For more information about pmpolicy language, see Privilege Manager for Unix Administration Guide.

Related Topics

pmsrvconfig

pmpolicy type policy

The Privilege Manager for Unix product uses a specialized policy (pmpolicy type policy), which allows for a more advanced security policy than is possible with the sudo policy type. The pmpolicy type uses a powerful scripting language to evaluate whether pmmasterd should allow requests based on a wide variety of criteria of what, where, when, and how users should be permitted to perform various privileged account actions.

By default, the main pmpolicy file is located in /etc/opt/quest/qpm4u/policy/pm.conf, but is not meant to be accessed directly.

pmpolicy type policy code looks like this:

if (user == "root" || "wheel" in getgroups(user)) { 
   runuser = requestuser; 
   accept; 
}

The above pmpolicy type code segment accepts requests from root or any user in the wheel group to run any command as any user.

Modifying complex policies

If your policy consists of several files (the default pmpolicy, for example) or if you want to add files to or remove files from your policy, use a checkout, change, and commit method for implementing the changes. The pmpolicy checkout command creates a working copy of the policy where you can make any necessary changes and then use the pmpolicy commit command to apply the changes back to the repository. You can use the pmpolicy add and pmpolicy remove commands to add or delete files to your working copy, respectively.

Checkout, change, and commit example

The following example modifies the default pmpolicy type profile. For example, say you wanted to create a new backup profile to allow backup operators to run the dump and restore commands. Use one of the existing profiles, helpdesk.profile, as a template. First, checkout a working copy to a temporary directory, like this:

# pmpolicy checkout -d /tmp 
** Checkout to /tmp/policy_pmpolicy 
** Create directory                                                   [ OK ] 
** Check out working copy                                             [ OK ] 
** Copy files                                                         [ OK ] 
** Perform syntax check                                               [ OK ]

As seen in the command output, the working copy is placed in /tmp/policy_pmpolicy.

Next, change to the profiles directory within the working copy, copy helpdesk.profile to backup.profile, and run pmpolicy add to record that a file has been added to the working copy of the policy, as follows:

# cd /tmp/policy_pmpolicy/profiles 
# cp -p helpdesk.profile backup.profile 
# pmpolicy add -p profiles/backup.profile -d /tmp 
   ** Validate options                                                [ OK ] 
   ** Add file: profiles/backup.profile 
   ** Validate arguments                                              [ OK ] 
   ** Check if directory contains a working copy                      [ OK ] 
      - Directory contains an svn working copy:/tmp/policy_pmpolicy 
   ** Check current status of working copy                            [ OK ] 
   ** Check working copy is up to date                                [ OK ] 
   ** Check file status                                               [ OK ] 
   ** Add entry:/tmp/policy_pmpolicy//profiles/backup.profile         [ OK ]

After editing backup.profile to make the necessary changes, use the pmpolicy commit command to apply the changes to the repository, as follows:

# pmpolicy commit -d /tmp -l "added backup.profile" 
** Validate options                                                   [ OK ] 
** Commit copy in directory:/tmp/policy_pmpolicy 
** Check directory                                                    [ OK ] 
** Perform syntax check                                               [ OK ] 
** Verify files to commit                                             [ OK ] 
** Commit change from working copy                                    [ OK ] 
** Committed revision 3
Related Topics

pmpolicy type policy

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating