
Privilege Manager for Unix 7.2.3 - Administration Guide


pmpolicyconvert

Syntax
pmpolicyconvert [-o <output dir>] [-v [-v]] path [paths...]
Description

The pmpolicyconvert utility allows you to verify, and if necessary, convert any number of policy files for use with Privilege Manager for Unix V5.5 (or later).

The pmpolicyconvert utility is a Perl script that takes one or more policy files as input and makes a copy of each file, performing any translation required to allow these files to be used in Privilege Manager for Unix.

pmpolicyconvert also warns about any variables and functions that are not applicable in Privilege Manager for Unix.

You can pass one or more files or directories as parameters to this utility. If a directory is specified, pmpolicyconvert translates all files contained in that directory and all of its subdirectories.

It copies the updated files to the specified output directory (mirroring the original directory structure if an entire directory is being translated). All changes are marked with a comment in the copied file.

A report is generated in the file ./pmpolicyconvert_report.txt that describes the changes made.

Options

pmpolicyconvert has the following options.

Table 74: Options: pmpolicyconvert
Option Description

-h

Displays a usage message and exits.

-o <output dir>

Specifies an output directory to use. If not specified, the default is ./pm_policy.

-v

Runs in verbose mode. Multiple -v options increase the verbosity. The maximum is two.

-V

Displays the version number of Privilege Manager for Unix and exits.

pmpolsrvconfig

Syntax
pmpolsrvconfig -p <policygroupname> [-b][-i <path>][-o][-r <dir>]
                 [-t sudo|pmpolicy] [-u <policyuser>][-w <userpasswd>]
                 [-g <policygroup>][-l <loggroup>] -s <host> [-b][-q] [-q]
                  -a <user> [-b][-q] [-q]
                  -d [-f]
                  -e <host> [-f]
                  -x [-f]
                  -v
                  -h
                  -z on|off[:<pid>]
Description

The pmpolsrvconfig program is normally run by the pmsrvconfig script, not directly by the user, to configure or unconfigure a primary or secondary policy server. You can, however, run it directly to grant a user access to a repository.

Options

pmpolsrvconfig has the following options.

Table 75: Options: pmpolsrvconfig
Option Description

-a <user>

Provides the selected user with access to the existing repository. If the user does not exist, it is created. The host must first have been configured as a policy server.

This user will be added to the pmpolicy group to grant it read/write access to the repository files, and to the pmlog group to grant it read access to the log files.

On a secondary policy server, an ssh key will also be generated to provide access to the pmpolicy user account on the primary policy server. The "join" password is required to copy this ssh key to the primary policy server.

-b

Runs the script in batch mode (that is, no user interaction is possible).

Default: Runs in interactive mode.

-d

Unconfigures the policy server, and deletes the repository if this is a primary server.

If you do not specify the -f option, then it prompts you to confirm the action.

-e <host>

Removes the selected host from the server group.

-f

Forces the unconfigure action (that is, no user interaction is required).

Default: Prompts for confirmation for the -x option.

-g <policygroup>

Specifies the policy group ownership for the repository. If this group does not exist, it is created.

Default: pmpolicy

-h

Prints help.

-i <path>

Imports the selected policy into the repository. If the path is a directory, the entire contents of the directory are imported.

Default: /etc/sudoers.

-l <loggroup>

Specifies the pmlog group ownership for the keystroke and audit logs.

Default: pmlog

-o

Overwrites the repository if it already exists.

Default: Does not overwrite if the repository already exists.

-p <policygroup>

Configures a primary policy server for the selected group name.
-q

Reads the pmpolicy user's password from stdin.

-r <dir>

Creates the repository in the selected directory.

Default: /var/opt/quest/qpm4u/.qpm4u/.repository

-s <host>

Configures a secondary policy server. You must supply the primary policy server host name. The secondary policy server retrieves the details of the policy group from the primary policy server. It creates the policygroup and loggroup groups to match those on the primary policy server and configures the policyuser user to grant it ssh access to the repository on the primary server. The "join" password is required to copy this ssh key to the primary policy server.

-t sudo|pmpolicy

Specifies the security policy type: sudo or pmpolicy.

Default: sudo policy type

-u <policyuser>

Specifies the policy user account that manages the production copy. If this user does not exist, it is created and added to both the policygroup and loggroup groups. This user owns the repository on the primary policy server and provides remote access to the repository files to the secondary policy servers.

Default: pmpolicy

-v

Prints the product version.

-w <userpasswd>

(Optional) Sets the new user's password when used with the -a option.

Default: No password is configured.

-x

Unconfigures the policy server. If you do not specify the -f option, you are prompted to confirm the action.

This does not remove the repository.

-z

Enables or disables debug tracing, and optionally sends SIGHUP to a running process.

Refer to Enabling program-level tracing before using this option.

pmremlog

Syntax
pmremlog -v | -z on|off[:<pid>] 
pmremlog -p pmlog|pmreplay|pmlogtxtsearch [-o <outfile>] 
pmremlog [-h <host>] [-b] [-c] -- <program args>
Description

The pmremlog command provides a wrapper for the pmlog and pmreplay utilities to access the event (audit) and keystroke (I/O) logs on any server in the policy group. Anyone in the pmlog group can run this utility on the primary policy server.

Note that pmlogtxtsearch is a command located in /opt/quest/libexec.

Options

pmremlog has the following options.

Table 76: Options: pmremlog
Option Description
-b Disables interactive input and uses batch mode.
-c Displays output in CSV, rather than human-readable format.

-h <host>

Specifies a host in the policy server group to access.

-o <outfile>

Saves the pmlog output to a file.
-p

Specifies the program to run:

  • pmlog
  • pmreplay
  • pmlogtxtsearch
-v Displays the Privilege Manager for Unix version number.

-z

Enables or disables debug tracing.

Refer to Enabling program-level tracing before using this option.

Examples

To view the audit log on the primary policy server, enter:

pmremlog -p pmlog -- -f /var/opt/quest/qpm4u/pmevents.db

To view the audit events for user fred on secondary policy server host1, save the pmlog output to a file, and display the result of the pmremlog command in CSV format, enter:

pmremlog -p pmlog -c -o /tmp/events.txt -h host1 -- --user fred

To view the stdout from keystroke log id_host1_x3jfuy, on secondary policy server host1, enter:

pmremlog -p pmreplay -h host1 -- -o -f /var/opt/quest/qpm4u/iologs/id_host1_x3jfuy

To retrieve the contents of keystroke log id_host1_x3jfuy, from secondary policy server host1, formatted for the pmreplay GUI, save the output to a temporary file, and display the result of the pmremlog command in CSV format, enter:

pmremlog -p pmreplay -h host1 -c -o /tmp/replay -- -zz -f /var/opt/quest/qpm4u/iologs/id_host1_x3jfuy
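The examples above each query one policy server. The script below is an added example, not part of the One Identity documentation, that generalizes the second example to every host in a policy group: it runs pmremlog once per host in batch mode (-b, so an unreachable host cannot stall on a prompt), saves each host's pmlog output to a per-host file with -o, keeps pmremlog's own CSV status output per host, and then merges the per-host files with the host name prefixed so events remain attributable. It assumes pmremlog is on the PATH, that the caller is a member of the pmlog group on the primary policy server, and that the caller supplies the host list; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Privilege Manager for Unix documentation).
# Assumes: pmremlog on PATH; caller is in the pmlog group on the primary
# policy server; the host list is passed by the caller.

# collect_user_events USER OUTDIR HOST...
# Runs "pmremlog -p pmlog" against each host and saves that host's pmlog
# output to OUTDIR/<host>.txt and pmremlog's CSV status to OUTDIR/<host>.status.
# Returns the number of hosts for which pmremlog failed (0 = all succeeded).
collect_user_events() {
    user=$1; outdir=$2; shift 2
    failed=0
    mkdir -p "$outdir" || return 255
    for host in "$@"; do
        # -b: batch mode, -c: CSV status, -h: target host, -o: pmlog output file;
        # everything after -- is passed through to pmlog (here: --user <name>).
        if pmremlog -p pmlog -b -c -h "$host" -o "$outdir/$host.txt" \
                -- --user "$user" > "$outdir/$host.status" 2>&1; then
            :
        else
            failed=$((failed + 1))
            echo "pmremlog failed for host $host (see $outdir/$host.status)" >&2
        fi
    done
    return "$failed"
}

# merge_host_events OUTDIR MERGED
# Concatenates the non-empty per-host files into MERGED, prefixing every line
# with "<host>," so the origin of each event survives the merge.
# Prints the number of lines written to MERGED.
merge_host_events() {
    outdir=$1; merged=$2
    : > "$merged"
    for f in "$outdir"/*.txt; do
        [ -s "$f" ] || continue
        h=$(basename "$f" .txt)
        sed "s/^/$h,/" "$f" >> "$merged"
    done
    wc -l < "$merged" | tr -d ' '
}

# Usage: collect_events.sh USER OUTDIR HOST...
if [ "$#" -ge 3 ]; then
    collect_user_events "$@"
    merge_host_events "$2" "$2/all_hosts.csv"
fi
```

A non-zero return from collect_user_events tells you how many hosts produced no data, which is worth surfacing rather than silently reporting a partial view of the group's audit trail.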

pmreplay

Syntax
pmreplay -V 
pmreplay -[t|s|i] -[Th] <filename> 
pmreplay -[e][I][o] -[EhKTv] <filename> 
pmreplay -z on|off[:<pid>]
Description

Use the pmreplay command to replay a log file to review what happened during a specified privileged session. The program can also display the log file in real time.

When using Privilege Manager for Unix, enable keystroke logging by configuring the iolog variable. If you are using the default profile policy, please consult global_variable.conf for details about configuring keystroke logging.

pmreplay can distinguish between old and new log files. If pmreplay detects that a log file has been changed, a message displays to tell you that the integrity of the file cannot be confirmed. This also occurs if you run pmreplay in real time and the Privilege Manager for Unix session that generated the events in the log file is active; that is, the client session has not completed or closed yet. In this case, the message does not necessarily indicate that the file has been tampered with.

The name of the I/O log is a unique filename constructed with the mktemp function using a combination of policy file variables, such as username, command, date, and time.

Privilege Manager for Unix sets the permissions on the I/O log file so that only root and users in the pmlog group can read it. That way, ordinary users cannot examine the contents of the log files. You must be logged in as root or be a member of the pmlog group to use pmreplay on these files. You may want to allow users to use Privilege Manager for Unix to run pmreplay.

By default pmreplay runs in interactive mode. Enter ? to display a list of the interactive commands you can use to navigate through the file.

For example, replay a log file interactively by typing:

pmreplay /var/opt/quest/qpm4u/iolog/demo/dan/id_20130221_0855_gJfeP4

The results show a header similar to this:

Log File : /var/opt/quest/qpm4u/iolog/demo/dan/id_20130221_0855_gJfeP4
Date     : 2013/02/21
Time     : 08:55:17
Client   : dan@sala.abc.local
Agent    : root@sala.abc.local
Command  : id
Type '?' or 'h' for help

Type ? or h at any time while running in interactive mode to display the list of commands that are available.

Options

pmreplay has the following options.

Table 77: Options: pmreplay
Option Description
-e Dumps the recorded standard error.
-E Includes vi editing sessions when used with -K.
-h When used with -o or -I, prints an optional header line. The header is always printed in interactive mode.
-i Replays the recorded standard input.
-I Dumps the recorded standard input, but converts carriage returns to new lines in order to improve readability.
-K When used with -e, -I, and -o, removes all control characters and excludes vi editing sessions. Use with -E to include vi editing sessions.
-o Dumps the recorded standard output.
-s

Automatically replays the file in slide show mode.

Use + and - keys to vary the speed of play.

-t Replays the file in tail mode, displaying new activity as it occurs.
-T Displays command timestamps.
-v Prints unprintable characters in octal form (\###).
-V Displays the Privilege Manager for Unix version number.

-z

Enables or disables debug tracing.

Refer to Enabling program-level tracing before using this option.

Exit codes

pmreplay returns these codes:

  • 1: File format error – Cannot parse the log file.
  • 2: File access error – Cannot open the log file for reading.
  • 4: Usage error – Incorrect parameters were passed on the command line.
  • 8: Digest error – The contents of the file and the digest in the header do not match.
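The exit codes above, together with the integrity check described earlier, let a log custodian sweep a set of keystroke logs non-interactively and flag the ones whose header digest no longer matches their contents. The script below is an added example, not part of the One Identity documentation: it runs "pmreplay -o" on each file with the output discarded, maps the exit code to a label using the table above, writes one line per log to a report, and returns the number of digest mismatches. It assumes pmreplay is on the PATH, that the caller is root or in the pmlog group, and that a digest mismatch is reported through exit code 8 as the table states; the function and report names are this example's own. As the Description notes, a log whose session is still open also fails the digest check, so a hit is a candidate for review rather than proof of tampering.

```shell
#!/bin/sh
# Added example (not from the Privilege Manager for Unix documentation).
# Assumes: pmreplay on PATH; caller is root or in the pmlog group; exit code 8
# means the file's contents and header digest disagree (per the exit-code table).

# describe_pmreplay_exit CODE
# Prints a one-word label for a pmreplay exit code.
describe_pmreplay_exit() {
    case $1 in
        0) echo ok ;;
        1) echo format-error ;;
        2) echo access-error ;;
        4) echo usage-error ;;
        8) echo digest-mismatch ;;
        *) echo "unknown($1)" ;;
    esac
}

# audit_iologs REPORT LOGFILE...
# Dumps each log's recorded stdout with "pmreplay -o" (output discarded) and
# records "<label> <file>" in REPORT. Returns the number of logs whose digest
# did not verify (exit code 8). A still-open session also reports a mismatch,
# so treat hits as items to review, not as confirmed tampering.
audit_iologs() {
    report=$1; shift
    mismatches=0
    : > "$report"
    for log in "$@"; do
        if pmreplay -o "$log" >/dev/null 2>&1; then
            rc=0
        else
            rc=$?
        fi
        status=$(describe_pmreplay_exit "$rc")
        printf '%s %s\n' "$status" "$log" >> "$report"
        if [ "$rc" -eq 8 ]; then
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Usage: audit_iologs.sh REPORT LOGFILE...   (for example, REPORT followed by
# /var/opt/quest/qpm4u/iologs/id_*); the exit status is the mismatch count.
if [ "$#" -ge 2 ]; then
    audit_iologs "$@"
fi
```

Running this from the primary policy server against logs fetched with pmremlog, or directly on each host, gives a cheap periodic check that the keystroke logs relied on for review have not been altered since they were written.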