Chat now with support
Chat with Support

Privilege Manager for Unix 7.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Example 4: Lists

Rather than entering individual commands as in Example 3, you can use list variables as shown below. Note the use of the && ("and") operator in the if statement.

This simple fragment allows users Dan and Robyn to run certain commands as root. Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" and "robyn" with users from your own site.

adminusers={"dan", "robyn"}; 
adminprogs={"ls", "hostname", "kill"}; 

if(user in adminusers && command in adminprogs) { 
   runuser="root"; 
   accept; 
}

Check the configuration file for errors with pmcheck. Run different commands with pmrun to see which ones are accepted, and which are rejected. Try logging in as one of the users who is not listed in adminusers. Then, try running a command as that user to see if Privilege Manager for Unix rejects the request. List variables are useful in tidying up policy fragments, especially if the information in a list is used more than once.

Example 5: I/O logging, event logging, and replay

The configuration file fragment below permits admin users Dan and Robyn to run certain commands as root. If the user requests csh or ksh, the input and output from these commands is logged. Privilege Manager for Unix also logs events, whether a request was accepted or rejected, and when a job finishes.

In this example, the input/output is logged to a file in /var/adm with a filename such as pm.dan.ksh.a05998, which you can examine later using pmreplay. The name of the I/O log is a unique temporary filename generated by the mktemp function.

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" and "robyn" with users from your site.

adminusers = {"dan", "robyn"}; 
adminprogs = {"ls", "hostname", "kill", "csh", "ksh", "pmreplay"}; 

if (user in adminusers){ 
   runuser="root"; 
   if (command in {"csh", "ksh"}) 
      { iolog=mktemp("/var/adm/pm." + user + "." 
         + command + ".XXXXXX"); 
      iolog_opmax=10000; 
         print("This request will be logged in:", iolog); 
      } 
accept; 
}

Check the configuration file for errors with pmcheck. For more information about using pmcheck, see Example 1: Basics.

Try running csh or ksh with pmrun, and typing a few commands in the shell. Exit from the shell, find the I/O log file in /var/adm, and replay the session with pmreplay.

Privilege Manager for Unix sets the permissions on the I/O log file so that only root can read the file. That way, no other user can examine the contents of the log files. You must be logged in as root to use pmreplay on these files. Of course, you can use pmrun to run a csh or ksh as root, and then run pmreplay. Or you can add pmreplay to the list of adminprogs, and then use pmrun to run it directly.

Note that pmreplay can detect whether a log file has changed. See pmreplay for more information on running pmreplay interactively and non-interactively.

As root, run pmreplay, giving the name of the log file printed to the screen as an argument. For example, if the log filename is /var/adm/pm.dan.ksh.a05998, enter:

pmreplay /var/adm/pm.dan.ksh.a05998

You will see something similar to this:

================================================================ 
Log File : ./pm.dan.ksh.a05998 
Date : 2008/02/25 
Time : 12:00:00 
Client : dan@sala.companyname.com 
Agent : dan@sala.companyname.com 
Command : ksh 
Type '?' or 'h' for help 
=================================================================

Use these commands to navigate through the log file:

Table 17: Log navigation commands
Control Description
g Go to start
G Go to end
p Pause/resume replay in slide-show mode
q Quit
r Redraw from start
s skip to next time marker
t Display time stamp
u undo
v Dump variables
[Space] bar Go to next input (usually a single character)
[Enter] Next new line
[Backspace] Backup to last position
/<re>[Enter] Search for a regular expression
Repeat last search

Make your way through the log file by pressing the [Space] bar (next input character), the [Enter] or [Newline] key, or the s character which shows you what happened each time interval. You can backup through the log file by pressing the [Backspace] key. You can quickly go the start or end of the log file with g or G, respectively.

Display the time of an action at any point in the log file with t, redraw the log file with r, and undo your last action with u. You can also display all the Privilege Manager for Unix variables which were in use at the time the log file was created with v. Use q or Q to quit pmreplay.

You must run the pmreplay command as root because the log files created are readable only by root; however, pmreplay is itself a good candidate for a program to run through Privilege Manager for Unix. Note, in the following example, pmreplay is listed as one of the commands that Privilege Manager for Unix accepts.

Event logging is controlled by eventlog, which specifies the name of the file in which events ("accept", "reject", "finish") are logged. The default is /var/opt/quest/qpm4u/pmevents.db. If you do not want to use the default, see Local logging for details.

You can encrypt the contents of the event log. See Event logging for details.

To view the event log, use the pmlog command. Although pmlog prints all entries in the file by default, you can restrict it to print only certain entries. For example, to print only those events which occurred after Feb 5, 2012, enter:

pmlog -c'date=="2012/2/5"'

To print out all the variables stored with each entry, enter:

pmlog -v | more

The above command line pipes the voluminous output using more for easier viewing. You can also specify the output format and set the output for all event types.

Example 6: More complex policies

The fragment below extends the previous example by rejecting requests from Dan if they are made outside regular office hours, defined as 8:00 a.m. to 5:00 p.m., Monday through Friday. A message explaining the rejection is printed to Dan’s screen if this occurs.

Type the following code fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" and "robyn" with users from your site (in quotes). Check the configuration file for errors using pmcheck. For more information about using pmcheck, see Example 1: Basics.

adminusers={"dan", "robyn"};
adminprogs={"ls", "hostname", "kill", "csh", "ksh",
"pmreplay"};

if(user in adminusers && command in adminprogs)
   { runuser="root";
      if(command in {"csh", "ksh"}) {
         { iolog=mktemp("/var/adm/pm." + user + "."+ command
            +".XXXXXX");
            print("This command will be logged to:", iolog);
         }
         if(user=="dan" &&
            (!timebetween(800,1700) || dayname in {"Sat", "Sun"}))
         {
            print("Sorry, you can't use that command outside office hours.");
               reject;
         }
   accept;
   }

Try running a few commands with pmrun. Change the parameters for timebetween to exclude the current time, and run one of the permitted commands. Privilege Manager for Unix should reject the request and print the message to your screen. You should only be able to run the permitted commands during the specified time period. Try running pmreplay to replay some of the logged csh or ksh sessions.

Example 7: Use variables to store constraints

Similar to Example 6, the fragment below defines a variable to store a set of constraints (in this case, office hours) which may be used more than once in the configuration file. This saves you from typing the constraints each time you need to refer to them.

In the following example, there are two policies which depend on office hours. The first policy rejects Dan’s requests if they are made outside office hours. The second policy requires Robyn to type in her password if she makes a request outside regular office hours. Note that officehours is set to "true" if the time of the request falls between 8:00 a.m. and 5:00 p.m., Monday to Friday. It is "false" if it is not in that time frame.

officehours = timebetween(800, 1700) && 
   dayname !in {"Sat", "Sun"}; 
adminusers={"dan", "robyn"}; 
adminprogs={"ls", "hostname", "kill", "csh", "ksh", "pmreplay"}; 
if(user in adminusers && command in adminprogs) 
   { runuser="root"; 
      if(command in {"csh", "ksh"}) 
         { iolog=mktemp("/var/adm/pm." + user + "." 
               + command + ".XXXXXX"); 
            print("The command will be logged in:", iolog); 
   } 
# Note how compact the following fragments are compared to 
# example6.conf, referring to the "officehours" variable. 
   if(user=="dan" && !officehours) 
      { print ("Sorry, you can't do that outside office hours."); 
         reject; 
      } 
         if(user=="robyn" && !officehours) 
            if(!getuserpasswd(user)) 
               reject; 
         accept; 
      }

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" and "robyn" with users from your site. Check the configuration file for errors with pmcheck. Then try to run commands with pmrun. For more information about using pmcheck, see Example 1: Basics.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating