
Privilege Manager for Unix 6.1.1 - Administration Guide for Unix


Specifying security policy type

To configure a Privilege Manager for Unix policy server, you must specify the pmpolicy type.

To specify the security policy type

  1. To specify the pmpolicy type, run:
    # pmsrvconfig -m pmpolicy

Related Topics

pmsrvconfig

pmpolicy type policy

The Privilege Manager for Unix product uses a specialized policy (pmpolicy type policy), which allows for a more advanced security policy than is possible with the sudo policy type. The pmpolicy type uses a powerful scripting language to evaluate whether pmmasterd should allow a request, based on a wide variety of criteria covering what users may do and where, when, and how they may perform privileged account actions.

By default, the main pmpolicy file is located in /etc/opt/quest/qpm4u/policy/pm.conf, but is not meant to be accessed directly.

pmpolicy type policy code looks like this:

if (user == "root" || "wheel" in getgroups(user)) {   # requester is root or a member of group wheel
   runuser = requestuser;                            # run the command as whatever user was requested
   accept;                                           # allow the request
}

The above pmpolicy type code segment accepts requests from root or any user in the wheel group to run any command as any user.
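The rule above grants unrestricted privilege: no check on the command, the target user, or the host. The following fragment is an added example in the same policy language, not code from the guide or from the product's default policy, showing how the same constructs express a least-privilege rule for a hypothetical backup group that may run only the dump and restore commands (the scenario described in the checkout example later on this page). Besides user, requestuser, getgroups(), accept, and the in operator shown above, it assumes the built-in variables command (the full path of the requested command), submithost, and runhost, and the built-in statement reject, all of which are assumptions for this illustration.

```pmpolicy
# Added example, not from the guide: a least-privilege rule for a
# hypothetical "backup" group. Assumes the built-in variables command,
# submithost and runhost, and the reject statement.

# Commands that backup operators may run, matched by full path so that
# a same-named binary elsewhere on the PATH is not accepted.
backupcmds = { "/sbin/dump", "/sbin/restore" };

if ("backup" in getgroups(user)) {
    # Only the listed commands, only as root, and only on the host where
    # the request was submitted (no remote execution for this group).
    if (command in backupcmds && requestuser == "root"
        && submithost == runhost) {
        runuser = "root";
        accept;
    }
    # Any other request from a backup operator is refused explicitly,
    # so that a later, more permissive rule cannot pick it up.
    reject;
}
```

Placing the explicit reject inside the group test is the important design choice: a backup operator who asks for anything outside the list is refused at this point rather than falling through to whatever rules follow.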

Modifying complex policies

If your policy consists of several files (the default pmpolicy, for example) or if you want to add files to or remove files from your policy, use a checkout, change, and commit method for implementing the changes. The pmpolicy checkout command creates a working copy of the policy where you can make any necessary changes; you then use the pmpolicy commit command to apply the changes back to the repository. You can use the pmpolicy add and pmpolicy remove commands to add files to or remove files from your working copy, respectively.

Checkout, change, and commit example

The following example adds a profile to the default pmpolicy type policy. Say you want to create a new backup profile that allows backup operators to run the dump and restore commands, using one of the existing profiles, helpdesk.profile, as a template. First, check out a working copy to a temporary directory, like this:

# pmpolicy checkout -d /tmp 
** Checkout to /tmp/policy_pmpolicy 
** Create directory                                                   [ OK ] 
** Check out working copy                                             [ OK ] 
** Copy files                                                         [ OK ] 
** Perform syntax check                                               [ OK ]

As seen in the command output, the working copy is placed in /tmp/policy_pmpolicy.

Next, change to the profiles directory within the working copy, copy helpdesk.profile to backup.profile, and run pmpolicy add to record that a file has been added to the working copy of the policy, as follows:

# cd /tmp/policy_pmpolicy/profiles 
# cp -p helpdesk.profile backup.profile 
# pmpolicy add -p profiles/backup.profile -d /tmp 
   ** Validate options                                                [ OK ] 
   ** Add file: profiles/backup.profile 
   ** Validate arguments                                              [ OK ] 
   ** Check if directory contains a working copy                      [ OK ] 
      - Directory contains an svn working copy:/tmp/policy_pmpolicy 
   ** Check current status of working copy                            [ OK ] 
   ** Check working copy is up to date                                [ OK ] 
   ** Check file status                                               [ OK ] 
   ** Add entry:/tmp/policy_pmpolicy//profiles/backup.profile         [ OK ]

After editing backup.profile to make the necessary changes, use the pmpolicy commit command to apply the changes to the repository, as follows:

# pmpolicy commit -d /tmp -l "added backup.profile" 
** Validate options                                                   [ OK ] 
** Commit copy in directory:/tmp/policy_pmpolicy 
** Check directory                                                    [ OK ] 
** Perform syntax check                                               [ OK ] 
** Verify files to commit                                             [ OK ] 
** Commit change from working copy                                    [ OK ] 
** Committed revision 3

Related Topics

pmpolicy type policy

Viewing the security profile changes

To view a summary of the changes you made to your security policy

  1. At the command line, run:
    # pmpolicy log
    ** Validate options          [ OK ] 
    ** Check out working copy    [ OK ] 
    ** Retrieve revision details [ OK ] 
    version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add helpdesk.shellprofile " 
    version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add shellProfile to helpdesk " 
    version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"
  2. To examine the differences between two versions, run:
    # pmpolicy diff -r1:2
    ** Validate options                                          [ OK ] 
    ** Check out working copy (trunk revision)                   [ OK ] 
    ** Check differences                                         [ OK ] 
    ** Report differences between selected revisions             [ OK ] 
       - Differences were detected between the selected versions 
    Details: 
    Index: profiles/helpdesk.profile 
    =================================================================== 
    --- profiles/helpdesk.profile (revision 1) 
    +++ profiles/helpdesk.profile (revision 2) 
    @@ -18,6 +18,7 @@ 
    enableRemoteCmds = false;   # Should remote cmds be allowed for privilege cmds ? 
                                # - ie should it allow cmds if: submithost != runhost 
                                # 
    +shellProfile = "helpdesk"; 
    authUser = "root";          # runuser to use when running the authCommands 
                                # Set to 1 of the following:

The output is a unified diff of profiles/helpdesk.profile, starting at line 18 of the file. The line that was added in the change between version 1 and version 2 is marked with a leading “+”.
