
Privilege Manager for Unix 7.3 - Administration Guide


pmlogsrvd

Syntax
pmlogsrvd [-d | --debug] [-h | --help] [--log-level <level>] [--no-detach]
             [--once] [-q | --queue <queue_path>] [--syslog [facility]] 
             [-t | --timeout <delay_seconds>] [-v | --version] [-z on|off [:<pid>]]
Description

pmlogsrvd is the Privilege Manager for Unix log access daemon, the service responsible for committing events to the Privilege Manager for Unix event log, and managing the database storage used by the event log.

When pmmasterd processes an incoming event, that event must be logged to the event log. pmmasterd commits a record of the event to the event log queue, which is monitored by pmlogsrvd. pmlogsrvd takes each event from the queue and commits it to the actual event log.

Options

pmlogsrvd has the following options.

Table 72: Options: pmlogsrvd
Option Description

-d | --debug

Enables debug operation. This option prevents pmlogsrvd from running in the background, and enables debug output to both the log and the terminal.

-h | --help

Displays the usage information and exits.

--log-level <level>

Controls the level of log messages included in the log file. By default the logging level logs only error messages. Valid logging levels, in ascending order by volume of messages, are:

  • none

  • error

  • warning

  • info

  • debug

--no-detach

Do not run in the background or create a pid file. By default, pmlogsrvd forks and runs as a background daemon. When you specify the --no-detach option, it stays in the foreground.

--once

Processes the queue once immediately and then exits.

-q | --queue <path>

Specifies the location of the event log queue. This overrides the eventLogQueue setting in pm.settings.

--syslog

Enables logging to syslog.

-t | --timeout <delay_seconds>

Specifies the delay, in seconds, between scans of the event log queue. By default pmlogsrvd waits 120 seconds before waking to scan the event log queue if no other trigger causes it to begin processing. Normally processing is triggered directly by pmmasterd immediately after an event is processed.

-v | --version

Displays the version number of Privilege Manager for Unix and exits.

-z

Enables or disables debug tracing.

Before using this option, see Enabling program-level tracing.

Settings

pmlogsrvd uses the following entries in the /etc/opt/quest/qpm4u/pm.settings file.

Table 73: Settings: pmlogsrvd
Setting Description

eventLogQueue <pathname>

Specifies the location of the event log queue, used by both pmmasterd and pmlogsrvd. This setting is ignored by pmlogsrvd when you use the --queue option on the command line.

pmlogsrvlog <pathname>

Fully qualified path to the pmlogsrvd log file.

syslog yes|no

By default, pmlogsrvd uses this setting to determine whether to send log messages to syslog. When you use the --syslog option on the command line, this setting is ignored.

Files
  • settings file: /etc/opt/quest/qpm4u/pm.settings

  • pid file: /var/opt/quest/qpm4u/evcache/pmlogsrvd.pid
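The two tables above describe a precedence rule (a --queue or --syslog option on the command line overrides the eventLogQueue and syslog entries in pm.settings) and name the pid file the daemon writes. The following POSIX shell script is an added example, not part of the product or this guide: it resolves the effective queue path and syslog choice the way the tables describe, and checks whether the pid file names a live process. The pm.settings content it creates is constructed for the demonstration (the queue and log paths in it are sample values, not documented defaults); the settings-file format assumed is whitespace-separated "name value" lines with # comments.

```shell
#!/bin/sh
# Added example, not product code. Documented paths are used for the
# settings file and pid file; everything else is a constructed sample.

PM_SETTINGS="${PM_SETTINGS:-/etc/opt/quest/qpm4u/pm.settings}"
PM_PIDFILE="${PM_PIDFILE:-/var/opt/quest/qpm4u/evcache/pmlogsrvd.pid}"

# pm_setting FILE NAME
# Print the value of NAME from a pm.settings-style file ("name value"
# lines, '#' comments; assumed format), or nothing if it is not set.
pm_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# effective_queue FILE [CLI_QUEUE]
# A --queue value given on the command line wins over eventLogQueue.
effective_queue() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        pm_setting "$1" eventLogQueue
    fi
}

# effective_syslog FILE [CLI_SYSLOG]
# --syslog on the command line (pass "yes") wins; otherwise the
# "syslog yes|no" setting decides. Prints yes or no.
effective_syslog() {
    if [ "$2" = "yes" ]; then
        echo yes
    else
        v=$(pm_setting "$1" syslog)
        [ "$v" = "yes" ] && echo yes || echo no
    fi
}

# pmlogsrvd_running PIDFILE
# Succeeds only if the pid file is readable and names a live process.
pmlogsrvd_running() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -dc '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# demo_settings: write a constructed pm.settings into a temp dir and
# print its path, so the script runs without the product installed.
demo_settings() {
    d=$(mktemp -d)
    cat > "$d/pm.settings" <<'EOF'
# constructed sample, not a real pm.settings
eventLogQueue   /var/opt/quest/qpm4u/evcache/queue
pmlogsrvlog     /var/opt/quest/qpm4u/pmlogsrvd.log
syslog          no
EOF
    printf '%s\n' "$d/pm.settings"
}

main() {
    f=$(demo_settings)
    echo "queue (settings only):   $(effective_queue "$f")"
    echo "queue (--queue /tmp/q):  $(effective_queue "$f" /tmp/q)"
    echo "syslog (settings only):  $(effective_syslog "$f")"
    echo "syslog (--syslog):       $(effective_syslog "$f" yes)"
    if pmlogsrvd_running "$PM_PIDFILE"; then
        echo "pmlogsrvd: running"
    else
        echo "pmlogsrvd: not running (or pid file unreadable)"
    fi
}

main
```

Run it as root on a policy server to see which queue pmlogsrvd will actually watch; if an init script passes --queue, the pm.settings value is not the one in use, which matters when you are checking that pmmasterd and pmlogsrvd agree on the same eventLogQueue path.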

Related Topics

pmlog

pmlogsearch

pmmasterd

pmmasterd

Syntax
pmmasterd [ -z on|off[:<pid>] ] [ -v ] | [ [ -ars ] [ -e <logfile> ] ]
Description

The Privilege Manager for Unix master daemon (pmmasterd) is the policy server decision-maker. pmmasterd receives requests from pmrun or the Sudo Plugin and evaluates them according to the security policy. If the request is accepted, pmmasterd asks pmlocald or the Sudo Plugin to run the request in a controlled account such as root.

A connection is maintained between pmmasterd and the Sudo Plugin for the duration of the session. This also occurs between pmmasterd and pmlocald, if keystroke logging is enabled. When the pmmasterd connection is maintained throughout the session, keystroke and event log data is forwarded on this connection.

If keystroke logging is not enabled, pmlocald reconnects to pmmasterd at the end of the session to write the event log record showing the final completion code for the command run by pmlocald. If pmlocald is unable to reconnect, it writes instead to a holding file, pm.eventhold.hostname. It then attempts to write the pmevents.db record to the host the next time pmmasterd connects to pmlocald. Multiple files can accrue and they will all be delivered to the proper host when the connection is restored.

The policy server master daemon typically resides on a secure machine. You can have more than one policy server master daemon on different hosts for redundancy or to serve multiple networks.

pmmasterd logs all errors in a log file if you specify the -e filename option.

Options

pmmasterd has the following options.

Table 74: Options: pmmasterd
Option Description

-a

Sends job acceptance messages to syslog.

-e <filename>

Logs any policy server master daemon errors in the file specified.

-r

Sends job rejection messages to syslog.

-s

Sends any policy server master daemon errors to syslog.

-v

Displays the version number of pmmasterd and exits.

-z

Enables or disables tracing for this program and optionally for a currently running process.

Before using this option, see Enabling program-level tracing.

Files
  • Privilege Manager for Unix policy file (pmpolicy type): /etc/opt/quest/qpm4u/policy/pm.conf

Related Topics

pmcheck

pmkey

pmlocald

pmpasswd

pmreplay

pmrun

pmsum

pmmg

Syntax
pmmg /<full_path_name>
Description

The pmmg text editor is a special version of the mg text editor that you can use securely with Privilege Manager for Unix programs; mg is a small version of GNU Emacs with GNU-style Emacs key bindings. You must specify a full pathname as an argument when starting pmmg. You will not be able to access any files other than the ones you specified at startup time, nor will you be allowed to spawn any processes.

When you use the pmmg program with Privilege Manager for Unix, it allows you to access a specific file as root without granting any other root functions.

pmpasswd

Syntax
pmpasswd
Description

The pmpasswd program generates an encrypted password that can be used in a custom configuration script. When you run pmpasswd, it asks you to type the password twice, then prints the encrypted version. You can use the encrypted version as the first argument to the getstringpasswd function in the configuration file.

Related Topics

getstringpasswd
