Chat now with support
Chat with Support

Privilege Manager for Unix 7.2.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Firewalls

When the agent and policy server are on different sides of a firewall, Privilege Manager for Unix needs a number of ports to be kept open. By default, Privilege Manager for Unix can use ports in the 600 to 31024 range, but when using a firewall, you may want to limit the ports that can be used.

You can restrict Privilege Manager for Unix to using a range of ports in the reserved ports range (600 to 1023) and the non-reserved ports range (1024 to 65535). We recommend that a minimum of six ports are assigned to Privilege Manager for Unix in the reserved ports range and twice that number of ports are assigned in the non-reserved ports range.

Use the setreserveportrange and setnonreserveportrange settings in the /etc/opt/quest/qpm4u/pm.settings file to open the ports in the required ranges. See PM settings variables for details.

If configuring Privilege Manager for Unix to use NAT (Network Address Translation), you may need to configure the pmtunneld component. See Configuring firewalls for more information about using Privilege Manager for Unix with NAT and restricting port numbers.

Hosts database

Ensure that each host on your network knows the names and IP addresses of all other hosts. This information is stored either in the /etc/hosts file on each machine, or in NIS maps or DNS files on a server. Whichever you use, ensure all host names and IP addresses are up-to-date and available.

Privilege Manager for Unix components must be able to use forward and reverse lookup of the host names and IP addresses of other components.

Reserve special user and group names

It is important for you to reserve the following special user and group names for Privilege Manager for Unix usage:

  • Users: pmpolicy
  • Groups: pmpolicy, pmlog

The pmpolicy user is created on a primary or secondary server. It is a non-privileged service account (that is, it does not require root-level permissions) that is used to synchronize the security policy on policy servers.

The pmlog and pmpolicy groups are used to control access to log files and the security policy, respectively.

Applications and file availability

Since you can use Privilege Manager for Unix to run applications on remote machines, ensure that the applications and the files that they access are available from those machines. Typically, you can use a product such as NFS (supplied with most UNIX operating systems) to make users’ home directories and other files available in a consistent location across all computers.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating