Chat now with support
Chat with Support

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages



Type integer READONLY

pmshell_script is a constant value that identifies a shell script. Use it for comparison with the value of the pmshell_cmdtype variable.

if (defined pmshell_cmd && (pmshell_cmdtype == pmshell_script)) 
   #forbid any shell scripts unless interpreter is a program in /opt/quest/bin 
   if (dirname (pmshell_interpreter) != "/opt/quest/bin")) 
      reject "You cannot run this script"; 



Type string READONLY

pmshell_uniqueid is only defined if the command is a shell subcommand running from a Privilege Manager shell (pmsh, pmcsh, pmksh, and pmbash). It contains the uniqueid of the session running the shell program. It allows the individual commands running within the shell to be identified as part of the same shell session when viewing the audit log entries.

#shell script example to print out all shell commands for each shell run on 
#15 january 2009 

#constraint to select pmshell programs running on selected date 
constraint="(date=\"2009/01/15\") && (pmshell==1) && (pmshell_cmd==0))" 

#format to display user and shell program name 
userformat="sprintf(\"User:%s, shell:%s\", user, pmshell_prog)" 

#format to display shell subcommand name and time 
shellformat="sprintf(\" Time:%s, ShellCommand:%s\n", time, runcommand)" 

#find the unique IDs for all shell sessions 
allids=`/bin/sh –c "pmlog –p 'sprintf(\"%s\", uniqueid)' –c '${constraint}'"` 

#for each shell session, print out the username and shell program name, 
#and display each shell command run from the shell, with the time it was 
#executed for one in $allids 
   cmd="pmlog –p '${userformat}' –c 'uniqueid==\"${one}\"'" 
   /bin/sh –c "${cmd}" 
   cmd="pmlog –p '${shellformat}' -c 'pmshell_uniqueid==\"${one}\"'" 
   /bin/sh –c "$cmd" 



Type string READONLY

pmversion contains the Privilege Manager version and build number.

print("The current Privilege Manager version is %s", pmversion);



Type string READONLY

ptyflags contains a bitmask indicating the ptyflags set from the submit user's environment. If set, the following bits indicate:

Bit 0: stdin is open 
Bit 1: stdout is open
Bit 2: stderr is open
Bit 3: command was run in pipe mode
Bit 4: stdin is from a socket
Bit 5: command to be run using nohup
if (ptyflags & PTY_IN) 
   #only authenticate if stdin is open and password can be entered 
   if (!authenticate_pam(user, "sshd")) 
      reject "Failed to authenticate user"; 
   reject "Cannot authenticate the user"; }
Related Topics


Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating