Configuring alerts
Alerts enable you to specify commands that raise an alert if entered by a user, and the action you want Privilege Manager to take.
Use the alertkeyaction variable to specify the action Privilege Manager is to take when an alert is raised. The default action logs the alert and allows the command to continue.
Enter alertkeysequence in the policy as a list of regular expressions, like this:
alertkeysequence={"^rm.*", "/rm.*", ".*xterm"};
Other valid alert actions are:
- log
- reject
- or any valid string
For example:
if (user=="root")
{
alertkeyaction="ignore";
}
else if (user=="john")
{
alertkeyaction="alert";
}
else if (user=="dave")
{
alertkeyaction="trace";
}
else
{
alertkeyaction="reject";
}
If an event raises an alert, Privilege Manager logs an AlertRaised event log. The alertkeyaction variable is also included in the log as part of the event.
If the alertkeyaction variable is set to reject, Privilege Manager cancels the command, terminates the user’s session, and displays a rejection message.
If the alertkeyaction variable is not set to reject, Privilege Manager allows the command to run and logs it in the event log. The example shown above shows how you can enter different strings for different users. This enables you to use the alertkeyaction variable as a filter to search the event log for these events.
alertkeyaction logging is enabled even if iologging is disabled. If iologging is disabled, a new session is started with pmmasterd for each alertraised event.
By default, alertraised events are not displayed in pmlog. To view the alertraised event, use the -l parameter or the -d parameter. For example:
# pmlog -l
Alert events have the same unique ID as the Privilege Manager session from which they were generated. This enables you to identify alert events raised during a specific session.
Use pmcheck to check a given string against any expression defined in the alertkeypatterns list:
# pmcheck -a"<string>"<command>
For example,
# pmcheck -a "rm /etc/opt/quest/qpm4u/pm.settings" ksh
Configuring Pluggable Authentication Method (PAM)
Use authenticate_pam to define which users you want to authenticate by means of PAM (Pluggable Authentication Method) APIs.
The operating system has configuration files, usually called /etc/pam.conf, that specify which security databases to use to authenticate users, such as LDAP, Windows 2000 Active Directory, and various PKI implementations.
The service parameter identifies the name of the PAM service to use to authenticate users. The service parameter can be any valid service name configured in the PAM system configuration and defaults to "login".
|
|
NOTE: For more information on how to configure PAM with Privilege Manager, consult the documentation for your platform. |
Utilizing PAM authentication
Syntax
authenticate_pam (user,[<service>])
where <service> is the PAM service to use, such as sshd.
Examples
To utilize PAM authentication, add the following function to your policy file:
if ( user=="paul" && basename(command)=="useradd") {
if (!authenticate_pam(user, "sshd")) { reject; }
runuser="root";
accept;
}
This function returns 0 to indicate failure and 1 to indicate success.
Related Function
authenticate_pam_toclient
Related Topics
Authenticate PAM to client
Syntax
authenticate_pam_toclient (user,[<service>])
where <service> is the PAM service to use, such as sshd.
Description
authenticate_pam_toclient causes pmmasterd to send a request to pmrun to perform the authenticate_pam command on the pmrun host.
|
|
NOTE: This function is only available on platforms that have native support for PAM. |
Example
To utilize PAM authentication, add the following function to your policy file:
if ( user=="paul" && basename(command)=="useradd") {
if (!authenticate_pam_toclient(user, "sshd")) { reject; }
runuser="root";
accept;
}
This function returns 0 to indicate failure and 1 to indicate success.
Related Function
authenticate_pam