Chat now with support
Chat with Support

Privilege Manager for Unix 7.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Verifying the primary policy server configuration

To verify the policy server configuration

  1. From the command line of the primary policy server, run:
    # pmsrvinfo

    The pmsrvinfo command displays the current configuration settings. For example:

    Policy Server Configuration: 
    Privilege Manager for Unix version                     : 6.0.0 
    Listening port for pmmasterd daemon           : 12345 
    Comms failover method                         : random 
    Comms timeout(in seconds)                     : 10 
    Policy type in use                            : pmpolicy 
    Group ownership of logs                       : pmlog 
    Group ownership of policy repository          : pmpolicy 
    Policy server type                            : primary 
    Primary policy server for this group          : <polsrv> 
    Group name for this group                     : <polsrv> 
    Location of the repository
     : file:////var/opt/quest/<polsrv>/.<polsrv>/.repository/pmpolicy_repos/trunk 
    Hosts in the group                            : <polsrv>

    Note the entries for policy type (pmpolicy) and policy server type (primary). See Security policy types for more information about security policy types.

Recompile the whatis database

If you are using the whatis database and you chose to install the man pages, you may wish to recompile the database to allow users to search the documentation using keywords.

Join hosts to policy group

Once you have installed and configured the primary policy server, you are ready to join it to a policy group. When you join a policy server to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host.

For Unix agents (qpm-agent), you must "join" your policy servers to the policy group using the pmjoin command.

Joining PM Agent to a Privilege Manager for Unix policy server

To join a PM Agent to a policy server

  1. Log on as the root user and change to the directory containing the qpm-agent package for your specific platform. For example, on a 64-bit Red HatLinux, enter:
    # cd agent/linux-x86_64
  2. Run:
    # pmjoin <primary_policy_server>

    where <primary_policy_server> is the hostname of the primary policy server.

    Running pmjoin performs the configuration of the PM Agent, including modifying the pm.settings file The pmjoin command supports many command line options. See pmjoin for details or run pmjoin with the -h option to display the help.

    • When you run pmjoin with no options, the configuration script automatically configures the agent with default settings. See Agent configuration settings for details about the default and alternate agent configuration settings.

      You can modify the /etc/opt/quest/qpm4u/pm.settings file later, if you want to change one of the settings. See PM settings variables for details.

    • When you run pmjoin with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.

      Once you have completed the configuration script interview, it configures the agent and joins it to the policy server.

  3. When you run pmjoin for the first time, it asks you to read and accept the End User License Agreement (EULA).

    Once you complete the agent configuration script (by running the pmjoin command), it:

    • Enables the pmlocald service
    • Updates the pm.settings file
    • Adds the Privilege Manager for Unix shells to the system's list of valid shells and creates wrappers for the installed (system) shells. The following shells are provided, based on standard shells:

      • pmksh, a Privilege Manager for Unix enabled version of the Korn shell
      • pmsh, a Privilege Manager for Unix enabled version of the Bourne shell
      • pmcsh, a Privilege Manager for Unix version of c shell
      • pmbash, a Privilege Manager for Unix version of the Bourne Again Shell

      Each shell provides command-control for every command entered by the user during a login session. You can configure each command the user enters to require authorization with the policy server for execution. This includes the shell built-in commands.

    • Updates /etc/shells
    • Reloads the pmserviced configuration
    • Checks the connection to the policy server host
  4. To verify that the agent installation has been successful, as an unprivileged user, run a command that is permitted by the default Privilege Manager for Unix security policy, demo.profile. For example, the default security policy allows any user to run the id command as the root user:
    # pmrun id

    This returns the root user id, not the user’s own id, to show that the command ran as root.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating