Chat now with support
Chat with Support

Privilege Manager for Unix 7.2.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

pmsh

Syntax
pmsh -a|-b|-c <file>|-e|-f|-i|-m|-n|-o <option>|-s|-u|-v|-x|-C|-E|-I|-B|-V
     [-U <user>]
Description

The Privilege Manager for Unix Bourne Shell (pmsh) command is a fully featured version of sh, that provides transparent authorization and auditing for all commands submitted during the shell session. pmsh supports the standard options for sh.

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

  • forbidden by the shell without further authorization to the policy server
  • allowed by the shell without further authorization to the policy server
  • presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Options

pmsh has the following options.

Table 84: Options: pmsh
Option Description

-a

Flags variables for export when assignments are made to them.

-b

Enables asynchronous notification of background job completion. (UNIMPLEMENTED) .

-B

Allows the shell to run in the background.

-c <file>

Reads commands from a file instead of from standard input.

-C

Does not overwrite existing files with `>'.

-e

Exits immediately if any untested command fails in non-interactive mode. The exit status of a command is considered to be explic- itly tested if the command is part of the list used to control an if, elif, while, or until; if the command is the left hand oper- and of an ``&&'' or ``||'' operator; or if the command is a pipe- line preceded by the ! operator. If a shell function runs and its exit status is explicitly tested, all commands of the function are considered to be tested as well.

-E

Enables the built-in emacs(1) command line editor (disables the -V option if it has been set; set automatically when interactive on terminals).

-f

Disables pathname expansion..

-h

A do-nothing option for POSIX compliance.

-i

Forces the shell to behave interactively.

-I

Ignores EOF's from input when in interactive mode.

-m

Turns on job control (set automatically when interactive).

-n

If not interactive, reads commands but do not run them. This is useful for checking the syntax of shell scripts.

-o <option>

Sets the specified shell option. A list of shell options can be displayed using the set -o builtin command.

-s

Reads commands from standard input (set automatically if no file arguments are present). This option has no effect when set after the shell has already started running (i.e., when set with the set command).

-u

Writes a message to standard error when attempting to expand a variable, a positional parameter or the special parameter ! that is not set, and if the shell is not interactive, exit immediately.

-v

The shell writes its input to standard error as it is read. Useful for debugging.

-V

Enables the built-in vi command-line editor (disables -E if it has been set).

-x

Writes each command (preceded by the value of the PS4 variable subjected to parameter expansion and arithmetic expansion) to standard error before it is run. Useful for debugging.

pmsh supports the following builtin commands:

., :, [, alias, bg, break, cd, chdir, command, continue, echo, eval, exec, exit, export, false, fg, getopts, hash, jobs, kill, local, printf, pwd, read, readonly, return, set, shift, test, times, trap, true, type, ulimit, umask, unalias, unset, wait

pmshellwrapper

Syntax
pmshellwrapper
Description

Use the pmshellwrapper program as a wrapper for any valid login shell on a host. It provides full keystroke logging for any normal shell, but does not provide authorization of the commands run from the shell.

To use pmshellwrapper, you must create a link for the real shell you want to use. For example:

ln -s /opt/quest/libexec/pmshellwrapper 
/opt/quest/bin/pmshellwrapper_bash

When the user runs pmshell_bash, it transparently converts this to pmrun bash.

pmsrvcheck

Syntax
pmsrvcheck --csv [ --verbose ] | --help | --pmpolicy | --primary | --secondary
Description

Use pmsrvcheck to verify that a policy server is setup properly. It produces output in either human-readable or CSV format similar to that produced by the preflight program.

The pmsrvcheck command checks:

  • that the host is configured as a primary policy server and has a valid repository
  • has a valid, up-to-date, checked-out copy of the repository
  • has access to update the repository
  • has a current valid Privilege Manager for Unix license
  • pmmasterd is correctly configured
  • pmmasterd can accept connections

pmsrvcheck produces output in either human-readable or CSV format similar to the pre-flight output.

Options

pmsrvcheck has the following options.

Table 85: Options: pmsrvcheck
Option Description
--cvs Displays csv, rather than human-readable output.
--help Displays usage information.
--pmpolicy Verifies that Privilege Manager for Unix policy is in use by the policy servers.
--primary Verifies a primary policy server.
--secondary Verifies a secondary policy server.
--verbose Displays verbose output while checking the host.

--version

Displays the Privilege Manager for Unix version number and exits.

Files
  • Settings file: /etc/opt/quest/qpm4u/pm.settings
Related Topics

pmmasterd

pmsrvconfig

pmsrvconfig

Syntax
pmsrvconfig -h | --help [-abipqtv] [-d <variable>=<value>] [-f <path>] 
            [-l <license_file>] [-m sudo | pmpolicy] [-n <group_name> | -s <hostname>] [-x [<policy_server_host> ...]] [-bpvx] -u [--accept] [--batch] [--define <variable>=<value>] [--import <path>] [--interactive] [--license <license_file>]
            [--name <group_name> | --secondary <hostname>] [--pipestdin] [--plugin] [--policymode sudo | pmpolicy]
         [--selinux] [--tunnel] [--unix [<policy_server_host> ...]] [--verbose] [--batch]
         [--unix] [-- verbose] --unconfig -N policy_name [--policyname policy_name]
Description

Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.

Options

pmsrvconfig has the following options.

Table 86: Options: pmsrvconfig
Option Description

-a | --accept

Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt.

-b | --batch

Runs in batch mode; does not use colors or require user input.

-d <variable>=<value> | --define <variable>=<value>

Specifies a variable for the pm.settings file and its associated value.

-h | --help

Displays usage information.

-i | --interactive

Runs in interactive mode; prompts for configuration parameters instead of using the default values.

-f <path> | --import <path>

Imports policy data from the specified path.

  • Privilege Manager for Unix: The path may be set to either a file or a directory when using the pmpolicy type.
  • Safeguard for Sudo: The path must be set to a file when using the sudo policy type.

-l | --license <license_file>

Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files.

-m sudo | pmpolicy | --policymode sudo | pmpolicy

Specifies the type of security policy:

  • sudo
  • pmpolicy

Default: sudo

-n | --name <group_name>

Uses group_name as the policy server group name.

-q | --pipestdin

Pipes password to stdin if password is required.

-s | --secondary <hostname>

Configures host to be a secondary policy server where hostname is the primary policy server.

-S | --selinux

Enable support for SELinux in Privilege Manager for Unix.

An SELinux policy module will be installed, which allows the pmlocal daemon to set the security context to that of the run user when executing commands. This requires that the policycoreutils package and either the selinux-policy-devel (RHEL7 and above) or selinux-policy (RHEL6 and below) packages be installed.

-t | --tunnel

Configures host to allow Privilege Manager for Unix connections through a firewall.

This option is only available when using the pmpolicy policy type (Privilege Manager for Unix).

-u | --unconfig

Unconfigures a Privilege Manager for Unix server.

-v | --verbose

Displays verbose output while configuring the host.

-x | --unix [policy_server_host ...]

Configures Privilege Manager for Unix on the local policy server; that is, configures pmlocald and pmrun to run on this host. If you do not specify a policy server host, it uses the local host name.

This option is only available when using the pmpolicy policy type (Privilege Manager for Unix).

Examples

The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:

# pmsrvconfig -a -f /root/tmp/sudoers

By using the -a option, you are accepting the terms and obligations of the EULA in full.

By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the -n command option, like this:

# pmsrvconfig -a -n <MyPolicyGroup>

where <MyPolicyGroup> is the name of your policy group.

See Configuring the primary policy server for Privilege Manager for Unix and Policy servers are failing for other usage examples.

Files

Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating