One Identity Management Console for Unix 2.5.2 - Administration Guide

Specifying general default role settings

Provide general information about the Privilege Manager role.

To specify general default role settings

  1. Choose a Trace level:
       1: Show reason for reject
       2: Verbose output
       3: Show debug trace
  2. Under Keystroke Logging:
    1. Clear the Enable keystroke logging option to disable keystroke logging by default.
    2. Modify the Keystroke log path on the policy server in the text box to configure a different directory in which to store the I/O logs.

      If keystroke logging is enabled, Privilege Manager for Unix creates a unique log file in this directory for each session in the form:

      <ProfileName>/<User>/<RunCommand>_YYYYMMDD_HHMM_XXXXXX

      where XXXXXX is a generated unique ID.

    3. Select the Disable password logging option to disable password logging by default.

      When you deselect Disable password logging, the console writes passwords to the keystroke log.

    4. Modify the list of password prompts in the text box, if desired.

      Note: Separate multiple prompts with commas.

  3. Click OK to save the General role defaults.

Specifying default authentication settings

To specify default authentication settings

  1. Select the Require users to enter their password when running commands option to force the user to authenticate to run all commands.
  2. Select the Authenticate the user on the host where they run the commands option to authenticate users on the client host, rather than on the primary server.
  3. Enter the PAM service in quotes in the text box.
  4. Enter the command line prompt to use with PAM in quotes in the text box.
  5. Select the Allow scp and non-interactive ssh for shell users option.

    Note: This setting only applies to pmksh, pmcsh, pmsh, and pmshellwrapper programs.

  6. Click OK to save the default Authentication role settings.

Viewing default user-defined variables

Note: User Defined Variables is a read-only view. To modify these variables, you must use the text editor. See Modifying PM policy files with the text editor for details.

To view default user-defined variable settings

  1. Under General, click the User Defined Variables link.

    The User Defined Variables window lists variables and their values.

  2. Click Cancel to close the GUI editor.

Specifying default pre-authorized commands

Note: These settings only apply to pmksh, pmcsh, and pmsh shell programs.

To specify default pre-authorized commands

  1. Click the Edit button next to the text box listing the type of command you want to pre-authorize:
    1. Commands allowed by the shell.

      These are commands you want to pre-authorize so they do not require authorization by the policy server.

      Note: These commands are not logged as events in the event log.

    2. Commands allowed by the shell, but only where standard input is from a pipe.

      These are commands you want pre-authorized to receive input from a pipe command. For example, to pre-authorize the more and grep commands without further authorization by the master, but only in the case where standard input is from a pipe, enter:

      "(^|/)(awk|more|grep)$"

      Note: These commands are not logged as events in the event log.

    3. Commands to reject in the shell.

      These are commands that are not permitted by this shell role.

      Note: These commands are logged as events in the audit log.

    The Edit Entries dialog opens, which allows you to add one or more commands separated with a comma. For example,

    "(^|/)(passwd|kill|shutdown)$","(^|/)(a|b|c|k|z)?sh$","(^|/)(bash|tcsh)$","(^|/)nc$"

    Note: For more information about the Edit Entries dialog, click the help link.

  2. Once you have a list of one or more commands to add, click OK to save default Pre-Authorized Commands role settings.

    Note: See Authorized Commands for more information about the command syntax rules.
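The patterns quoted above are regular expressions, so it is worth checking what a list actually matches before saving it: a command that hits no list still goes to the policy server, and a name that is close but not identical (egrep, ssh, ncat) is not covered by an anchored pattern. The following script is an added example, not part of this guide or the product; it assumes (the page does not state it) that each pattern is searched as an extended regular expression against the command as typed or resolved, and the sample invocations are constructed.

```python
import re

# Constructed copies of the example patterns quoted on this page. It is an
# assumption, not something the page states, that each pattern is an extended
# regular expression searched against the command path as typed or resolved.
POLICY = {
    "allow_if_pipe": ["(^|/)(awk|more|grep)$"],
    "reject": ["(^|/)(passwd|kill|shutdown)$", "(^|/)(a|b|c|k|z)?sh$",
               "(^|/)(bash|tcsh)$", "(^|/)nc$"],
}


def matched_lists(command, policy=POLICY):
    """Return the names of the policy lists whose patterns match `command`."""
    return [name for name, patterns in policy.items()
            if any(re.search(p, command) for p in patterns)]


def audit(commands, policy=POLICY):
    """Map each sample command to the lists it hits. An empty list means the
    shell would fall through to the policy server for authorization."""
    return {cmd: matched_lists(cmd, policy) for cmd in commands}


# Constructed sample invocations to exercise the patterns.
SAMPLES = ["/usr/bin/grep", "grep", "egrep", "/bin/bash", "/bin/ksh", "zsh",
           "/usr/bin/ssh", "/usr/local/bin/nc", "ncat", "/sbin/shutdown"]

if __name__ == "__main__":
    for cmd, hits in audit(SAMPLES).items():
        print(f"{cmd:20} -> {hits or ['policy server']}")
```

Running it shows that egrep, ssh and ncat hit neither list, while ksh, zsh and bash are rejected by different patterns (the optional single-letter prefix covers ksh and zsh; bash needs its own entry).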
