
Privilege Manager for Unix 6.1 Common Documents - Administration Guide


Policy servers are failing

The primary and secondary policy servers must be able to communicate with each other, and the remote hosts must be able to communicate with the policy servers in their policy group.

For example, if you run the pmloadcheck command on a policy server or PM Agent to determine whether it can communicate with the other policy servers in the policy group, you may get output similar to the following:

++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]

There are several possible reasons for failure:

  • Policy server host is down
  • Network outage
  • Service not running on policy server host

These are some ways to verify that the Privilege Manager for Unix service is running properly on the policy server host:

  1. To verify the policy server configuration, run
    # pmsrvinfo
  2. To verify that the service is running, enter
    # ps -ef | grep pmserviced
  3. To verify that the pmmasterd port is in a listening state on the primary policy server, enter
    # netstat -na | grep 12345
    (12345 is the default pmmasterd port; if you configured a different port, check for that value instead.)
  4. To verify that the service is enabled, look for the following line in the Privilege Manager configuration file (/etc/opt/quest/qpm4u/pm.settings):
    pmmasterdEnabled YES
  5. To restart the service (on a Linux host), enter
    # /etc/init.d/pmserviced restart

    -Or-

    # pmserviced -s
  6. Check for other communication issues, such as your firewall, name resolution, a dead network interface, and so forth.
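The checks above, automated as a script you can keep on each policy server. This is an added example, not part of Privilege Manager for Unix or its documentation: the function names are this example's own, the settings path and port 12345 are the defaults quoted above, and it assumes that pm.settings is one "keyword value" pair per line with "#" comments and that pmloadcheck writes its result lines to standard output. The sample pmloadcheck output embedded in the script is constructed (its first line is the page's own example).

```python
"""Automated health check for a Privilege Manager for Unix policy server.

Added example, not part of the product or its documentation. It reproduces
the manual checks listed above: parse pmloadcheck output for [FAIL] lines,
confirm "pmmasterdEnabled YES" in pm.settings, confirm a pmserviced process
is running, and confirm the pmmasterd port accepts TCP connections.
"""
import re
import socket
import subprocess
from typing import Dict, List

PM_SETTINGS = "/etc/opt/quest/qpm4u/pm.settings"   # default path from the page
PMMASTERD_PORT = 12345                               # default port from the page

# One pmloadcheck result line, e.g.
#   ++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]
# The page does not show the success token, so only FAIL is treated specially.
_LOADCHECK_RE = re.compile(
    r"^\+\+ Checking host:(?P<host>\S+) \((?P<ip>[^)]*)\) \.\.\. "
    r"\[(?P<status>[A-Za-z]+)\]\s*$"
)

# Constructed sample output for offline use (first line is the page's example).
SAMPLE_PMLOADCHECK = (
    "++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]\n"
    "++ Checking host:policy2.example.com (10.10.181.88) ... [FAIL]\n"
    "some unrelated line\n"
)


def parse_pmloadcheck(output: str) -> Dict[str, str]:
    """Map each checked host name to its bracketed status token (upper-cased)."""
    results: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LOADCHECK_RE.match(line)
        if m:
            results[m.group("host")] = m.group("status").upper()
    return results


def failed_hosts(output: str) -> List[str]:
    """Hosts whose pmloadcheck status is [FAIL], in output order."""
    return [h for h, s in parse_pmloadcheck(output).items() if s == "FAIL"]


def setting_enabled(settings_text: str, key: str) -> bool:
    """True if the first non-comment "<key> <value>" line has the value YES.

    Assumes the 'keyword value' layout shown on the page, with '#' comments;
    YES is compared case-insensitively.
    """
    for line in settings_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == key:
            return parts[1].upper() == "YES"
    return False


def daemon_running(name: str = "pmserviced") -> bool:
    """Like 'ps -ef | grep pmserviced', but without matching the grep itself."""
    out = subprocess.run(["ps", "-eo", "comm"], capture_output=True,
                         text=True, check=False).stdout
    return any(line.strip() == name for line in out.splitlines())


def port_listening(host: str = "127.0.0.1", port: int = PMMASTERD_PORT,
                   timeout: float = 2.0) -> bool:
    """Like 'netstat -na | grep 12345', checked by attempting a TCP connect.

    This opens (and immediately closes) a real connection, which pmmasterd
    may log; use netstat or ss instead if that is undesirable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_policy_server(settings_path: str = PM_SETTINGS) -> Dict[str, bool]:
    """Run the local checks and return a check-name -> passed map."""
    try:
        with open(settings_path, encoding="utf-8", errors="replace") as fh:
            enabled = setting_enabled(fh.read(), "pmmasterdEnabled")
    except OSError:
        enabled = False            # missing or unreadable settings file
    return {
        "pmmasterdEnabled YES": enabled,
        "pmserviced running": daemon_running(),
        f"port {PMMASTERD_PORT} listening": port_listening(),
    }


if __name__ == "__main__":
    import sys
    for check, ok in check_policy_server().items():
        print(f"{check:28s} {'OK' if ok else 'FAIL'}")
    # Pipe real output in:  pmloadcheck | python3 pmhealth.py
    if not sys.stdin.isatty():
        for host in failed_hosts(sys.stdin.read()):
            print(f"pmloadcheck reported [FAIL] for {host}")
```

Run it as root on the policy server; a FAIL on "pmmasterdEnabled YES" points at step 4, a FAIL on the process at step 2 or 5, and a FAIL on the port with the process running usually means a firewall or a non-default port (step 3 and 6).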

Privilege Manager for Unix Policy File Components

This appendix provides detailed information about the components that you use to construct the Privilege Manager for Unix security policy file.

Lexical and syntactic productions

The following productions define the grammar of the policy scripting language used in Privilege Manager for Unix: Table 24 gives the lexical productions (how source text is split into tokens) and Table 25 the syntactic productions (how tokens form statements and expressions).

Table 24: Lexical productions
Production Definition
<identifier> ::= [A-Za-z][A-Za-z0-9_]*
<number> ::= [0-9]+
<octalnumber> ::= 0[0-7]+
<hexnumber> ::= 0x[a-fA-F0-9]+
<realnumber> ::= <number> '.' <number>
<string> ::= \" ( <non-double-quote> | <backslashed-double-quote> )* \" | ' ( <non-single-quote> | <backslashed-single-quote> )* '
<non-double-quote> ::= [^\"]
<backslashed-double-quote> ::= \\\"
<non-single-quote> ::= [^']
<backslashed-single-quote> ::= \\'
<comment> ::= <shell-style-comment> | <c-style-comment> | <cplusplus-style-comment>
<shell-style-comment> ::= '#' [^\n]*
<c-style-comment> ::= /\* [^\*/]* \*/
<cplusplus-style-comment> ::= // [^\n]*
Table 25: Syntactic productions
Production Definition
Policy ::= { Statement | Procedure }
Procedure ::= ( 'procedure' | 'function' ) <identifier> '(' [Parameters] ')' BlockStatement
Parameters ::= Parameter {',' Parameter }
Parameter ::= <identifier> ['=' Expression]
Statements ::= Statement { Statement }
Statement ::= IfStatement | ForStatement | DoWhileStatement | WhileStatement | SwitchStatement | BreakStatement | ContinueStatement | ReturnStatement | AcceptStatement | RejectStatement | IncludeStatement | ReadOnlyStatement | ReadOnlyExceptStatement | ExpressionStatement | BlockStatement
IfStatement ::= 'if' '(' Expression ')' Statement [ 'else' Statement ]
WhileStatement ::= 'while' '(' Expression ')' Statement
DoWhileStatement ::= 'do' BlockStatement 'while' '(' Expression ')' ';'
ForStatement ::= 'for' '(' Expressions ';' Expression ';' [Expression] ')' Statement | 'for' '(' <identifier> 'in' Expression ')' Statement
SwitchStatement ::= 'switch' '(' Expression ')' '{' [Cases] [Default] '}'
Cases ::= Case { Case }
Case ::= 'case' Expression ':' Statements
Default ::= 'default' Statements
BreakStatement ::= 'break' ';'
ContinueStatement ::= 'continue' ';'
ReturnStatement ::= 'return' [ Expression ] ';'
IncludeStatement ::= 'include' Expression ';'
AcceptStatement ::= 'accept' ';'
RejectStatement ::= 'reject' [ Expression ] ';'
ReadOnlyStatement ::= 'readonly' Expression ';'
ReadOnlyExceptStatement ::= 'readonlyexcept' Expression ';'
ExpressionStatement ::= Expression ';'
BlockStatement ::= '{' Statements '}'
Expressions ::= Expression {',' Expression }
Expression ::= AssignmentExpression | ConditionalExpression
AssignmentExpression ::= PrimaryExpression { AssignmentOp Expression }
AssignmentOp ::= '=' | '+=' | '-=' | '*=' | '/='
ConditionalExpression ::= LogicalOrExpression [ '?' Expression ':' Expression ]
LogicalOrExpression ::= LogicalAndExpression { '||' LogicalAndExpression }
LogicalAndExpression ::= BitwiseOrExpression { '&&' BitwiseOrExpression }
BitwiseOrExpression ::= BitwiseAndExpression { '|' BitwiseAndExpression }
BitwiseAndExpression ::= EqualityExpression { '&' EqualityExpression }
EqualityExpression ::= RelationalExpression { EqualityOp RelationalExpression }
EqualityOp ::= '==' | '!='
RelationalExpression ::= AdditiveExpression { RelationalOp AdditiveExpression }
RelationalOp ::= '<' | '>' | '<=' | '>=' | 'in'
AdditiveExpression ::= MultiplicativeExpression { AdditiveOp MultiplicativeExpression }
AdditiveOp ::= '+' | '-'
MultiplicativeExpression ::= PrimaryExpression { MultiplicativeOp PrimaryExpression }
MultiplicativeOp ::= '*' | '/' | '%'
PrimaryExpression ::= PrefixAssignmentExpression | DesignatorExpression | LiteralExpression | '-' Expression | '!' Expression | 'typeof' Expression | 'defined' <identifier> | '(' Expression ')'
PrefixAssignmentExpression ::= PrefixOp <identifier>
PrefixOp ::= '++' | '--'
DesignatorExpression ::= <identifier> | <identifier> PostfixOp | <identifier> Arguments | <identifier> ListAccess { ListAccess }
PostfixOp ::= '++' | '--'
Arguments ::= '(' [Expressions] ')'
ListAccess ::= '[' Expression ']'
LiteralExpression ::= <string> | <number> | <hexnumber> | <octalnumber> | <realnumber> | ListLiteral
ListLiteral ::= '{' [Expressions] '}'
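The lexical productions of Table 24, together with the keywords and operator punctuation named in Table 25, as a runnable tokenizer. This is an added example, not code from One Identity or the product, and it is useful mainly for the two places where a naive lexer gets the grammar wrong: a leading 0 makes a number octal (so 022 is decimal 18, which the umask example in the data-types table relies on) and 0x introduces hexadecimal, so <hexnumber>, <realnumber> and <octalnumber> must be tried before <number>. The token kind names and the rule that a backslash inside a string escapes the character after it are this example's own choices; the grammar on the page does not say how such an escape decodes.

```python
"""Tokenizer for the Privilege Manager for Unix policy language.

Added example, not part of the product or its documentation. Implements the
lexical productions of Table 24 (identifiers; decimal, octal, hexadecimal
and real numbers; single- and double-quoted strings; shell-, C- and
C++-style comments) and the keywords and operators of Table 25.
"""
import re
from typing import List, NamedTuple


class Token(NamedTuple):
    kind: str      # "keyword", "identifier", "int", "double", "string" or "op"
    text: str      # source text of the token
    value: object  # decoded value (int, float, str); same as text for ops


_KEYWORDS = {
    "procedure", "function", "if", "else", "while", "do", "for", "in",
    "switch", "case", "default", "break", "continue", "return", "include",
    "accept", "reject", "readonly", "readonlyexcept", "typeof", "defined",
}

# Longest operators first so that "<=" is never read as "<" followed by "=".
_OPERATORS = sorted(
    ["++", "--", "+=", "-=", "*=", "/=", "==", "!=", "<=", ">=", "&&", "||",
     "=", "+", "-", "*", "/", "%", "<", ">", "&", "|", "!", "?", ":",
     ",", ";", "(", ")", "{", "}", "[", "]"],
    key=len, reverse=True)

# Alternative order matters: comments before the "/" operator, and
# <hexnumber>, <realnumber> and <octalnumber> before <number>, so that
# "0x1F" is hexadecimal 31 and "022" is octal 18 rather than decimal.
_TOKEN_SPEC = [
    ("ws",          r"\s+"),
    ("comment",     r"#[^\n]*|//[^\n]*|/\*.*?\*/"),
    ("identifier",  r"[A-Za-z][A-Za-z0-9_]*"),
    ("hexnumber",   r"0x[0-9a-fA-F]+"),
    ("realnumber",  r"[0-9]+\.[0-9]+"),
    ("octalnumber", r"0[0-7]+"),
    ("number",      r"[0-9]+"),
    ("string",      r'"(?:[^"\\]|\\.)*"' + "|" + r"'(?:[^'\\]|\\.)*'"),
    ("op",          "|".join(re.escape(o) for o in _OPERATORS)),
]
_TOKEN_RE = re.compile(
    "|".join(f"(?P<{name}>{pattern})" for name, pattern in _TOKEN_SPEC),
    re.DOTALL,  # lets a C-style comment span several lines
)


def _unescape(raw: str) -> str:
    """Strip the surrounding quotes and replace each backslash-x pair with x."""
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def tokenize(src: str) -> List[Token]:
    """Split policy source into tokens, dropping whitespace and comments."""
    tokens: List[Token] = []
    pos = 0
    while pos < len(src):
        m = _TOKEN_RE.match(src, pos)
        if m is None:
            raise SyntaxError(f"unexpected character {src[pos]!r} at offset {pos}")
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue
        if kind == "identifier":
            tokens.append(Token("keyword" if text in _KEYWORDS else "identifier", text, text))
        elif kind == "hexnumber":
            tokens.append(Token("int", text, int(text, 16)))
        elif kind == "octalnumber":
            tokens.append(Token("int", text, int(text, 8)))
        elif kind == "number":
            tokens.append(Token("int", text, int(text, 10)))
        elif kind == "realnumber":
            tokens.append(Token("double", text, float(text)))
        elif kind == "string":
            tokens.append(Token("string", text, _unescape(text)))
        else:
            tokens.append(Token("op", text, text))
    return tokens


if __name__ == "__main__":
    # Constructed sample policy fragment: 022 decodes to 18, 0x1F to 31.
    for tok in tokenize('runumask=022; x = 0x1F + 2.5; /* c */ s = "a\\"b"; // done'):
        print(tok)
```

A full parser for Table 25 would sit on top of tokenize(); the operator precedence it needs is exactly the nesting order of the productions, from LogicalOrExpression (lowest) down to MultiplicativeExpression (highest).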

Data types

The following data types are available for use in the policy scripting language.

Table 26: Data types
Type  Description  Example

array
    A multi-dimensional array that can contain any mixture of types.
    Users={"fred", "jen", "sally"}; Ids={1, 9, 10}; Usermap={Users, Ids};
    print(Usermap[0][2] + " -> " + Usermap[1][2]);

boolean
    The values true and false.
    x = true;

double
    A number with a fractional component.
    x=2.5; y=4.3; print(x+y); # prints 6.8

int
    The type integer includes the set of integers (…, -2, -1, 0, 1, 2, …). The constants true and false are defined to have the values 1 and 0, respectively.
    Specify hexadecimal numbers with the prefix 0x. Specify octal numbers with a leading zero, as when setting a umask value: runumask=022
    count=0; x=y=1;

ldapid
    Special type to support LDAP functions.

ldapsearchresult
    Special type to support LDAP functions.

list
    An ordered group of values separated by commas and surrounded by curly braces. List elements are accessed by post-fixing the list with square brackets [ ] containing the index of the desired element. Indices start at 0.
    mylist = {"string zero", "string one", "string two"}; print( {"a", "b", "c"}[1] ); # prints "b"

string
    A sequence of zero or more characters within single or double quotes.
    Mystr="this is a string"; Str1="user: " + user;

undefined
    A variable is assigned a type when it is assigned a value of that type. A variable that is referenced but has not been assigned a value has the type undefined.
    if (typeof(myvar) == "undefined") { myvar=user; }
