Chat now with support
Chat with Support

Privilege Manager for Unix 7.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Advanced Privilege Manager for Unix Configuration

This section provides advanced information on how to configure and implement Privilege Manager for Unix:

Privilege Manager for Unix shells

Privilege Manager for Unix shells provide a means of auditing and controlling a user’s login session in a way that is transparent to the user, without the user having to preface commands with pmrun.

Privilege Manager for Unix provides enabled versions of these standard shells: pmksh, pmsh, pmcsh, and pmbash. Each shell uses the same policy file variables to control the behavior of the shell.

By default, all built-in shell commands are allowed to run without any further authorization by the shell; however, you must authorize all non-built-in shell commands. Once authorized, all commands are run locally by the shell with the authority of the user running the shell.

You can configure the level of control required for commands running from a shell in the policy file by configuring the policy file to either forbid commands or allow them to be run by the shell program without any further authorization to the policy server. You can also configure the policy file to authorize them as they are presented to the policy server for audit logging. Furthermore, you can configure keystroke logging for the shell session to be logged to a single I/O log file.

Privilege Manager for Unix shell features

Use a Privilege Manager for Unix shell to control or log Privilege Manager for Unix sessions, regardless of how you are logged in (for example, telnet, ssh, rsh, rexec).

You can use one of these Privilege Manager for Unix-enabled shells to create a fully featured shell environment for a user:

  • pmksh: a Privilege Manager for Unix-enabled version of Korn Shell
  • pmsh: a Privilege Manager for Unix-enabled version of Bourne Shell
  • pmcsh: a Privilege Manager for Unix version of C Shell
  • pmbash: a Privilege Manager for Unix version of Bourne Again Shell

Each shell provides command control for every command entered by a user during a login session. You can configure each command the user enters to be authorized with the policy server before it runs. This includes the shell built-in commands.

You can configure keystroke logging for the entire login session and login to a single file.

Alternatively, you can use pmshellwrapper to act as a Privilege Manager for Unix wrapper for any valid shell program on a host, or create a custom Privilege Manager for Unix shell by means of a shell script. In these cases, however, the individual commands run during the login session are not controlled by Privilege Manager for Unix.

To use pmshellwrapper, create a link using the name of the system shell you want to run. For example, to create a wrapper for bash, enter:

ln -s /opt/quest/libexe/pmshellwrapper/opt/quest/libexe/pmshellwrapper_bash

When you run the pmshellwrapper_bash program, it transparently runs pmrun bash instead.

For example, to create a custom Privilege Manager for Unix shell (a shell script that runs the actual shell using pmrun), run:

#!/bin/ksh
tty 2>/dev/null 1>/dev/null
x=$?
if [ $x -ne 0 ]
then
exec /opt/quest/bin/pmrun ksh "$@"
else
exec /opt/quest/bin/pmrun -c -ksh "$@"
fi

Add the full pathname of the shell program to the /etc/shells file if you are using pmksh, pmsh, pmcsh, pmbash, or pmshellwrapper on your system.

Forbidden commands

Use the pmshell_forbid list variable in the policy file to define a list of commands you want the shell to forbid without any further authorization by the policy server. The shell program interprets this list as a list of regular expressions. Privilege Manager for Unix checks each command a user enters against this list. If a match is found, it rejects the command without further authorization. These commands do not result in a reject entry in the event log as they are forbidden by the shell. You can also configure the message that is displayed when it issues one of these commands.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating