Chat now with support
Chat with Support

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Privilege Manager for Unix programs

This section describes each of the Privilege Manager for Unix programs and their options. The following table indicates which Privilege Manager for Unix component installs each program.

Table 48: Privilege Manager programs
Name Description Server Agent Sudo

pmauditsrv

Verifies that the configured audit servers are accessible and configured properly and exchanges a "hello" message with the server.

If the audit server is not accessible, stores the events and keystroke (IO) logs temporarily offline and sent to the audit server when it is available.

X

N/A

N/A

pmbash

Is a wrapper for the GNU Bourne Again SHell that provides transparent authorization and auditing for all commands submitted during the shell session.

X

X

N/A

pmcheck

Verifies the syntax of a policy file.

X

N/A

X

pmcheckperms

Checks the ownership and permissions of Privilege Manager files on the system.

X

X

X

pmclientd

The Privilege Manager for Unix Client daemon that listens on the configured policy server port and responds to a remote request.

X

X

N/A

pmclientinfo

Displays configuration information about a client host.

X

X

N/A

pmcp

Privilege Manager for Unix remote file copy command.

X

X

N/A

pmcsh

Privilege Manager for Unix C Shell provides transparent authorization and auditing for all commands submitted during the shell session.

X

X

N/A

pmgit

The pmgit utility is used to configure Git policy management for Privilege Manager for Unix.

X

X

N/A

pmincludecheck

Used by pmsrvconfig script on the primary server only. When configuring a primary server in pmpolicy type, if you do not have a policy file to import into the repository, then pmincludecheck initializes the policy from the current set of default policy files provided in the installation.

X

N/A

N/A

pminfo

Registers the local host with the Privilege Manager for Unix 5.5 policy server.

Note that pminfo is obsolete as of version 5.6 and is included for backwards compatibility only.

X

X

N/A

pmjoin

Configures a Privilege Manager for Unix agent to communicate with the servers in the group.

X

X

N/A

pmkey

Generates and installs configurable certificates.

X

X

X

pmksh

Privilege Manager for Unix K Shell provides transparent authorization and auditing for all commands submitted during the shell session.

X

X

N/A

pmless

A terminal pager program that allows you to view (by not modify) the contents of a text file one screen at a time.

X

X

N/A

pmlicense

Displays current license information and allows you to update a license (an expired one or a temporary one before it expires) or create a new one.

X

N/A

N/A

pmlist

Lists the commands that the user is permitted to run.

X

X

N/A

pmloadcheck

Controls load balancing and failover for connections made from the host to the configured policy servers.

X

X

N/A

pmlocald

The Privilege Manager for Unix Local daemon which runs programs when instructed to do so by the appropriate policy server daemon.

X

X

N/A

pmlog

Displays entries in a Privilege Manager for Unix event log.

X

N/A

N/A

pmlogadm

Manages encryption options on the event log.

X

N/A

N/A

pmlogsearch

Searches all logs in a policy group based on specified criteria.

X

N/A

N/A

pmlogsrvd

The Privilege Manager for Unix log access daemon, the service responsible for committing events to the Privilege Manager for Unix event log and managing the database storage used by the event log.

X

 

 

pmmasterd

The Privilege Manager for Unix Master daemon which examines each user request and either accepts or rejects it based upon information in the Privilege Manager configuration file. You can have multiple pmmasterd daemons on the network to avoid having a single point of failure.

X

N/A

X

pmmg

A special version of an emacs text editor to use with Privilege Manager for Unix (gnu-style key bindings).

X

X

N/A

pmpasswd

Generates an encrypted password which can be used in the configuration file.

X

N/A

N/A

pmpolicy

A command-line utility for managing the Privilege Manager for Unix security policy. This utility checks out the current version, checks in an updated version, and reports on the repository.

X

N/A

N/A

pmpolicyconvert

Utility that allows you to verify, and if necessary, convert any number of policy files for use with Privilege Manager for Unix V5.5 (or later).

X

N/A

N/A

pmpolsrvconfig

Configures (or unconfigures) a primary or secondary policy server. Allows you to grant a user access to a repository.

X

N/A

N/A

pmremlog

Provides a wrapper for the pmlog and pmreplay utilities to access the event (audit) and keystroke (I/O) logs on any server in the policy group.

X

N/A

N/A

pmreplay

Replays an I/O log file allowing you to review what happened during a previous privileged session.

X

N/A

N/A

pmresolvehost

Verifies the host name or IP resolution for the local host or a selected host.

X

X

X

pmrun

Allows a user to run a command from their local machine as root. The policy server daemon, pmmasterd, examines each request from pmrun, and either accepts or rejects it based upon the policies specified in the policy file.

X

X

N/A

pmscp

Allows Privilege Manager for Unix to launch the remote scp daemons.

X

N/A

N/A

pmserviced

The Privilege Manager for Unix Service daemon listens on the configured ports for incoming connections for the Privilege Manager for Unix daemons. pmserviced uses options in pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon.

X

X

X

pmsh

Privilege Manager for Unix Bourne Shell that provides transparent authorization and auditing for all commands submitted during the shell session.

X

X

N/A

pmshellwrapper

A wrapper for any valid login shell on a host.

X

X

N/A

pmsrvcheck

Checks the Privilege Manager for Unix policy server configuration to ensure it is setup properly.

X

N/A

N/A

pmsrvconfig

Configures a primary or secondary policy server.

X

N/A

N/A

pmsrvinfo

Verifies the policy server configuration.

X

N/A

N/A

pmstatus

Verifies connectivity between Privilege Manager for Unix and the pmlocald and pmmasterd daemons on the specified hosts.

X

X

N/A

pmsum

Generates a simple checksum of a binary.

X

N/A

N/A

pmsysid

Displays the Privilege Manager for Unix system ID.

X

X

X

pmtunneld

The Privilege Manager for Unix Tunnel daemon that acts as a proxy for pmrun when pmlocald communicates with pmrun through a firewall.

X

X

N/A

pmumacs

A special version of a microemacs text editor to use with Privilege Manager for Unix (gosling-style key bindings).

X

X

N/A

pmverifyprofilepolicy

Verifies the syntax and structure of the policy file and checks whether a particular command will be accepted or rejected.

X

N/A

N/A

pmvi

Allows users to access a specific file as root but no other root functions.

 

 

 

pmauditsrv

Syntax
$ pmauditsrv -h
Usage: pmauditsrv [-h] [-v] [-z on|off]
Usage: pmauditsrv check|send [ -o <serverlist> ] [ -b <ca_bundle_file> ] [ -k <privatekey_file> ] [ -c <certificate_file> ] [ -s ]
Description

Use pmauditsrv for the following:

  • pmauditsrv verifies that the configured audit servers are accessible and configured properly. This includes verifying that certificates and keys are configured properly for TLS communication, if enabled. pmauditsrv exchanges a "hello" message with the server.

  • When the policy server is configured for "not enforced mode" and the audit server is not accessible, pmauditsrv can be used to store the event logs and keystroke (IO) logs temporarily offline. pmauditsrv sends the logs to the audit server once it is available. If the connection to the audit server was broken in the middle of the command run and the log is a partial log, the log will be sent to the same server that received the first part of the message. Logs which are not partial logs are sent to the audit servers according to the actual configuration. Changing the auditserver configurations can solve transferring full but not partial logs.

By default, the pmloadcheck program executes pmauditsrv in every 30 minutes to transfer any audit trail files found in the configured cache directory to the audit server. If the file can not be processed (for example, the file is corrupt), pmauditsrv moves the file into a subdirectory (quarantine).

pmauditsrv can be called manually for troubleshooting an issue.

With command ’check’ .B, pmauditsrv can be also used to check connection to the configured audit servers or the server specified with command line arguments.

Errors logs are stored in /var/log/pmmasterd.log.

Options

pmauditsrv has the following options.

Table 49: Options: pmauditsrv
Option Description

-h

Display a help usage information and exit.

-v

Display the version number of the pmauditsrv program and exit.

-z on | off

Turn debug tracing on or off, then exit.

-o <serverlist>

Specify audit servers.

Format: addr1:port1..addrn:portn where addr is either IP or hostname.

-b <ca_bundle_ file>

Specify CA bundle file for TLS connection.

-k <privatekey_ file>

Specify private key file for TLS connection

-c <certificate_ file>

Specify certificate file for TLS connection

-s

Redirects all error messages to the syslog.

Related Topics

pmloadcheck

pmmasterd

pmsrvconfig

pmbash

Syntax
pmbash -c <command>|-i|-l|-r|-s|-B|[-+]O <option>
Description

The Privilege Manager for Unix Bourne Again SHell (pmbash) command is a wrapper program for the GNU Bourne Again SHell (bash), that provides transparent authorization and auditing for all commands submitted during the shell session. pmbash supports the standard options for bash.

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

  • forbidden by the shell without further authorization to the policy server

  • allowed by the shell without further authorization to the policy server

  • presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Unlike the other Privilege Manager for Unix shells, pmbash is not a standalone shell. It is a wrapper that runs the system version of the bash shell while logging keystrokes and authorizing shell commands via Privilege Manager for Unix. Command authorization is limited to external commands: pmbash, cannot authorize shell built-in commands.

Options

pmbash has the following options.

Table 50: Options: pmsh
Option Description

-B

Allows the shell to run in the background.

-c <command>

Runs the specified command from the next argument.

-i

Runs the shell in interactive mode even when input is not from a terminal.

-l

Acts as a login shell, the shell will read the contents of /etc/profile and $HOME/.profile if they exist.

[+-]O <shopt_option>

Sets or clears one of the shell options accepted by the shopt built-in command.

-r

Runs the shell in restricted mode.

-s

The shell reads commands from standard input even when there are additional non-option arguments.

Additional long options may also be specified, see the bash manual for details.

pmcheck

Syntax
pmcheck [ -z on|off[:<pid>] ] | [ -v ] | 
           [ [ -a <string> ] [ -b ] [ -c ] [ -e <requestuser> ] 
           [ -f <filename> ] [ -g <group> ] [ -h <hostname> ] [ -i ] 
           [ -l <shellprogram> ] [ -m <YY[YY]/MM/DD> ] [ -n <HH[:MM]> ] 
           [ -o sudo|pmpolicy ] [ -p <policydir> ] [ -q  ]  [  -r <remotehost> ] 
           [ -s <submithost> ] [ -t ] [ -u <runuser> ] [ command [ args ]]]
Description

Use the pmcheck command to test the policy file. Although the policy server daemon pmmasterd reports configuration file errors to a log file, always use pmcheck to verify the syntax of a policy file before you install it on a live system. You can also use the pmcheck command to simulate running a command to test whether a request will be accepted or rejected.

The pmcheck program exits with a value corresponding to the number of syntax errors found.

Options

pmcheck has the following options.

Table 51: Options: pmcheck
Option Description

-a <string>

Checks if the specified string, entered during the session, matches any alertkeysequence configured.

You can only specify this option if you supply a command.

This option is only relevant when using the pmpolicy type.

-b

Run in batch mode. By default, pmcheck runs in interactive mode, and attempts to emulate the behavior of the pmmasterd when parsing the policy file. The -b option ensures that no user interaction is required if the policy file contains a password or input function; instead, a successful return code is assumed for any password authentication functions.

-c

Runs in batch mode and displays output in csv format. By default pmcheck runs in interactive mode. The -c option ensures that no user interaction is required if the policy file contains a password prompt or input function and no commands that require remote connections are attempted.

-e <requestuser>

Sets the value of requestuser. This option allows you to specify the group name to use when testing the configuration. This emulates running a session using the pmrun -u <user> option to request that Privilege Manager for Unix runs the command as a particular runuser.

-f <filename>

Sets path to policy filename. Provides an alternative configuration filename to check. If not fully qualified, this path is interpreted as relative to the policydir, rather than to the current directory.

-g <group>

Sets the group name to use. If not specified, then pmcheck looks up the user on the master policy server host to get the group information. This option is useful for checking a user and group that does not exist on the policy server.

-h <hostname>

Specifies execution host used for testing purposes.

-i

Ignores check for root ownership of policy.

-l <shellprogram>

Verifies the command as though it was run from within a Privilege Manager for Unix shell program. This special case of pmcheck verifies the specified shell program first, and if accepted, it verifies the specified command as a normal executable program within this shell to determine whether it would be forbidden, accepted, or rejected.

This option is only relevant when using the pmpolicy type.

-m <YY[YY]/MM/DD>

Checks the policy for a particular date. Enter Date in this format: YY[YY]/MM/DD. Defaults to the current date.

-n <HH[:MM]>

Checks the policy for a particular time. Enter Time in this format: HH[:mm]. Defaults to the current time.

-o <policytype>

Interprets the policy with the specified policy type:

  • sudo

  • pmpolicy

-p policydir

Forces pmcheck to use a different directory to search for policy files included with a relative pathname. The default location to search for policy files is the policydir setting in pm.settings.

-q

Runs in quiet mode, pmcheck does not prompt the user for input, print any errors or prompts, or run any system commands. The exit status of pmcheck indicates the number of syntax errors found (0 = success). This is useful when running scripted applications that require a simple syntax check.

-r remotehost

Sets the value of the clienthost variable within the configuration file, useful for testing purposes.

If you log in by means of pmksh or pmshellwrapper, the clienthost variable is set to the name of the remote host you used to log in. Otherwise the clienthost variable is set to the value of the submithost variable.

-s submithost

Sets the value of the submithost variable within the configuration file, useful for testing purposes.

-t

Runs in quiet mode to check whether a command would be accepted or rejected. By default, pmcheck runs in interactive mode. The -t option ensures that no user interaction is required if the policy file contains a password prompt or input function, no output is displayed and no commands that require remote connections are attempted.

Exit Status:

  • 0: Command accepted

  • 11: Password prompt encountered. The command will only be accepted if authentication is successful

  • 12: Command rejected

  • 13: Syntax error encountered

-u <runuser>

Sets the value of the runuser variable within the configuration file, useful for testing purposes.

-v

Displays the version number of Privilege Manager for Unix and exits.

-z

Enables or disables debug tracing, and optionally sends SIGHUP to running process.

Before using this option, see Enabling program-level tracing.

command [args]

Sets the command name and optional arguments.

You can use pmcheck two ways: to check the syntax of the configuration file, or to test whether a request is accepted or rejected (that is, to simulate running a command).

By default, pmcheck runs the configuration file interactively in the same way as pmmasterd and reports any syntax errors found. If you supply an argument to a command, it reports whether the requested command is accepted or rejected. You can use the -c and -q options to verify the syntax in batch or silent mode, without any user interaction required.

When you run a configuration file using pmcheck, you are allowed to modify the values of the incoming variables. This is useful for testing the configuration file's response to various conditions. When pmmasterd runs a configuration file, the incoming variables are read-only.

Example

To verify whether the pmpolicy file /opt/quest/qpm4u/policies/test.conf allows user jsmith in the users group to run the passwd root command on host, host1, enter:

pmcheck -f /opt/quest/qpm4u/policies/test.conf -o pmpolicy -u jsmith -g users 
-h host1 passwd root
Related Topics

pmkey

pmlocald

pmmasterd

pmpasswd

pmreplay

pmrun

pmsum

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating