
One Identity Management Console for Unix 2.5.2 - Administration Guide


Specifying shell authentication settings

To specify shell authentication settings

  1. Select the Users can be required to authenticate to a PAM service when they run any commands in the role for an added level of security option.

    By default, the console authenticates the submit user on the master host using the sshd service.

  2. Select the Require users to enter their password when running commands option to force the user to authenticate to run all commands.
  3. Select the Authenticate the user on the host where they run the commands option to authenticate users on the client host, rather than on the primary server.
  4. Select the PAM service to use when authentication to PAM is required option and type the PAM service name, in quotes, in the text box.
  5. Select the Command line prompt when authentication is required option and type the prompt to use with PAM, in quotes, in the text box.
  6. Select the Allow scp and non-interactive ssh for shell users option.

    Note: This setting only applies to pmksh, pmcsh, pmsh, and pmshellwrapper programs.

  7. Click OK to save the Authentication settings.

Viewing user-defined variables

Use the User Defined Variables option to view user-defined variable settings, and variables that contain errors the GUI editor cannot resolve.

Note: To modify these variables, you must use the text editor. See Modifying PM policy files with the text editor for details.

To view user-defined variable settings

  1. Under General, click the User Defined Variables link.

    The User Defined Variables window lists variables and their values.

  2. Click Cancel to close the GUI Editor.

Authorize shell commands

Shell Command options allow you to manage which commands you can run by means of a shell.

To authorize shell commands

  1. Select the override box and the You can allow all commands... option. Then select one of these options:
    1. Select the Accept all option to allow all commands to be accepted.
    2. Select the Only accept the following commands in the shell option, then click Edit.

      The Edit Entries dialog opens, where you add one or more commands permitted by this shell role in the Add entries box, separated by commas. For example:

      /usr/bin/id, whoami

      Note:

      • This setting only applies to pmksh, pmcsh, and pmsh shell programs.
      • Separate multiple commands with a comma, as in
        whoami, /usr/bin/id
      • When you run one of these commands it creates an event in the audit log.
      • See Authorized Commands for more information about the command syntax rules.

      Note: For more information about the Edit Entries dialog, click the help link.

    3. Select Reject the following commands in the shell option, then click Edit.

      The Edit Entries dialog opens, where you add one or more commands not permitted by this shell role in the Add entries box, separated by commas. For example:

      whoami, /usr/bin/id

      Note:

      • This setting only applies to pmksh, pmcsh, and pmsh shell programs.
      • Separate multiple commands with a comma, as in
        whoami, /usr/bin/id
      • When you run one of these commands it creates an event in the audit log.
      • See Authorized Commands for more information about the command syntax rules.

      Note: For more information about the Edit Entries dialog, click the help link.

  2. Select the override box and the Authorize shell built-ins as if they are commands and check against either list of commands option.
  3. Select the override box and enter a command rejection message in the text box which displays when a user attempts to run a forbidden command.

    Note: This setting only applies to the pmksh, pmcsh, and pmsh shell programs.

  4. Click OK to save Shell Commands settings.

Specifying pre-authorized commands

You can pre-authorize commands so they do not require authorization by the policy server and are not logged as events in the event log.

To specify pre-authorized commands

  1. Select the override box and the Commands allowed by the shell option. Then click Edit.

    The Edit Entries dialog opens, where you add one or more commands permitted by this shell role, separated by commas, in the text box. For example:

    (^|/)(exit|pwd|echo)$

    Note:

    • These commands are not recorded as events.
    • This setting only applies to pmksh, pmcsh, and pmsh shell programs.

  2. Select the override box and the Commands allowed by the shell, but only where standard input is from a pipe option. Then click Edit.

    The Edit Entries dialog opens, where you list the commands you want pre-authorized to receive input from a pipe, separated by commas, in the text box. For example, to pre-authorize the "more" and "grep" commands without further authorization by the master, but only when standard input comes from a pipe, enter:

    (^|/)(awk|more|grep)$

    Note:

    • Separate multiple commands with a comma.
    • These commands are not recorded as events.
    • This setting only applies to pmksh, pmcsh, and pmsh shell programs.

    Note: For more information about the Edit Entries dialog, click the help link.

  3. Select the override box and the Commands to reject in the shell option. Then click Edit.

    The Edit Entries dialog opens, where you list the commands that are not permitted by this shell role, separated by commas, in the text box. For example:

    (^|/)(passwd|kill|shutdown)$,(^|/)(a|b|c|k|z)?sh$,(^|/)(bash|tcsh)$,(^|/)nc$

    Note:

    • This setting only applies to pmksh, pmcsh, and pmsh shell programs.
    • Separate multiple commands with a comma, as in
      whoami, /usr/bin/id
    • When you run one of these commands it creates an event in the audit log.
    • See Authorized Commands for more information about the command syntax rules.

    Note: For more information about the Edit Entries dialog, click the help link.

  4. Click OK to save Pre-Authorized Commands settings.
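As an added illustration (this is not code from the One Identity guide or from Privilege Manager itself), the Python below applies the three example entry lists from this section, and the comma-separated entry format used in the Authorize shell commands section, to sample command lines. It assumes that each entry is an extended regular expression tested against the command word alone (not its arguments), and that the reject list takes precedence over the pre-authorized lists; both are assumptions of this example, not documented product behaviour.

```python
import re

# Entry lists copied from the examples in this section (comma-separated,
# exactly as they would be typed into the Edit Entries dialog).
PREAUTHORIZED_ENTRIES = "(^|/)(exit|pwd|echo)$"
PIPE_ONLY_ENTRIES = "(^|/)(awk|more|grep)$"
REJECTED_ENTRIES = (
    "(^|/)(passwd|kill|shutdown)$,(^|/)(a|b|c|k|z)?sh$,(^|/)(bash|tcsh)$,(^|/)nc$"
)


def parse_entries(entries: str) -> list:
    """Split a comma-separated Edit Entries value into compiled patterns.

    Assumption (example only): each entry is a regular expression, so
    '(^|/)pwd$' matches both the bare name 'pwd' and a path such as
    '/bin/pwd', but not 'pwdx'.
    """
    return [re.compile(e.strip()) for e in entries.split(",") if e.strip()]


PREAUTH_PATTERNS = parse_entries(PREAUTHORIZED_ENTRIES)
PIPE_ONLY_PATTERNS = parse_entries(PIPE_ONLY_ENTRIES)
REJECT_PATTERNS = parse_entries(REJECTED_ENTRIES)


def matches_any(command_word: str, patterns: list) -> bool:
    """True if any pattern in the list matches the command word."""
    return any(p.search(command_word) for p in patterns)


def classify(command_line: str, stdin_is_pipe: bool = False) -> str:
    """Return how this hypothetical shell role would treat a command line.

    'rejected'      - listed in Commands to reject; blocked and audited
    'preauthorized' - runs without policy-server authorization, no event
    'authorize'     - anything else is sent to the policy server

    Only the first word is matched (assumption): matching the whole line
    would let an argument such as '/etc/passwd' trigger the
    '(^|/)passwd$' reject entry for a harmless 'grep' invocation.
    """
    words = command_line.split()
    if not words:
        return "authorize"
    word = words[0]
    if matches_any(word, REJECT_PATTERNS):
        return "rejected"
    if matches_any(word, PREAUTH_PATTERNS):
        return "preauthorized"
    if stdin_is_pipe and matches_any(word, PIPE_ONLY_PATTERNS):
        return "preauthorized"
    return "authorize"


if __name__ == "__main__":
    # Constructed sample command lines; the third column shows whether
    # standard input is a pipe for that invocation.
    samples = [
        ("pwd", False),
        ("/bin/echo hello", False),
        ("pwdx", False),               # not 'pwd': regex anchors matter
        ("grep root /etc/passwd", False),
        ("grep root /etc/passwd", True),
        ("/bin/bash", False),
        ("ksh", False),
        ("/bin/rsh", False),           # not in the example reject list
        ("/usr/bin/id", False),
    ]
    for line, piped in samples:
        print(f"{line!r:28} pipe={piped!s:5} -> {classify(line, piped)}")
```

The `/bin/rsh` row shows the practical caveat of a reject list built from patterns: only shells the entries name are blocked, so the list needs reviewing whenever a new shell or interpreter is installed on the host.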