Safeguard for Sudo 2.0 - Administrators Guide

Chat now with support

TCP/IP Configuration Firewalls Hosts Database Reserve Special User and Group Names Applications and File Availability Policy Server Daemon Hosts Local Daemon Hosts Sudo 1.8.1

Install the Privilege Manager Packages

Modify User's PATH Environment Variable

Configure the Primary Policy Server for Privilege Manager for Unix

pmpolicy Server Configuration Settings Verifying the Primary Policy Server Recompile the whatis Database

Configure the Privilege Manager for Sudo Primary Policy Server

Privilege Manager for Sudo Server Configuration Settings

Join Hosts to Policy Group

Join PM Agent to a Privilege Manager for Unix Policy Server

Agent Configuration Settings Swap and Install Keys

Join Sudo Plugin to Policy Server

Configure a Secondary Policy Server

Installing Secondary Servers Configuring a Secondary Server

Verify Privilege Manager for Unix PM Agent Configuration Load Balancing on the Client Synchronizing Policy Servers within a Group

Install PM Agent or Sudo Plugin on a Remote Host

Check PM Agent Host for Installation Readiness Install a PM Agent on a Remote Host Join the PM Agent to the Primary Policy Server CheckSudo Plugin Host for Installation Readiness Install a Sudo Plugin on a Remote Host Join a Sudo Plugin to a Primary Policy Server

Remove Configurations

Uninstall the Privilege Manager Software Packages Uninstalling Privilege Manager for Sudo on Mac OS X

Upgrading Privilege Manager

Package Removal and Installation

Removing Privilege Manager Server Package Installation Agent Package Installation Sudo Plugin Package Installation

Upgrading to Privilege Manager for Unix 6.0

Upgrade Considerations and Recommendations Preparing the Privilege Manager for Unix Policy for Import Configuring the Primary Policy Server with an Imported Policy Joining the Agent to the Policy Group

Importing Event Logs into the new Database Format

System Administration

Reporting Basic Policy Server Configuration Information Checking the Status of the Master Policy Checking the Policy Server Checking Policy Server Status Checking the Sudo Plugin Configuration Status Checking the Privilege Manager for Unix PM Agent Configuration Status Install Licenses

Displaying License Usage

Listing Policy File Revisions Viewing Differences Between Revisions Backup and Recovery

Managing Security Policy

Security Policy Types Specifying Security Policy Type The Sudo Type Policy Pmpolicy Type Policy Editing the Policy Interactively Modifying Complex Policies Viewing the Security Profile Changes

The Privilege Manager for Unix Security Policy

Default Profile-Based Policy (pmpolicy)

Policy Profiles Profile-Based Policy Files Profile Selection Profile Variables

Exploring Profiles Customizing the Default Profile-Based Policy (pmpolicy)

Customization Example - pf_forbidusers List

Policy Scripting Tutorial

Install the Example Policy File Create Test Users Set Lesson Number Variable Introductory Lessons

Lesson 1: Basic Policy Lesson 2: Conditional Privilege Lesson 3: Specific Commands Lesson 4: Policy Optimization with List Variables Lesson 5: Keystroke Logging Lesson 6: Conditional Keystroke Logging Lesson 7: Policy Optimizations

Advanced Lessons

Lesson 8: Controlling the Execution Environment Lesson 9: Flow Control Lesson 10: Basic Menus

Sample Policy Files

Main Policy Configuration File Lesson 1 Sample: Basic Policy Lesson 2 Sample: Conditional Privilege Lesson 3 Sample: Specific Commands Lesson 4 Sample: Policy Optimizations with List Variables Lesson 5 Sample: Keystroke Logging Lesson 6 Sample: Conditional Keystroke Logging Lesson 7 Sample: Policy Optimizations Lesson 8 Sample: Controlling the Execution Environment Lesson 9 Sample: Flow Control Lesson 10 Sample: Basic Menus

Advanced Privilege Manager for Unix Configuration

Privilege Manager Shells

Privilege Manager Shell Features Forbidden Commands Allowed Commands Allowed Piped Commands Check Shell Built-in Commands Read-Only Variable List Running a Shell in Restricted Mode Additional Shell Considerations

Configuring Privilege Manager for Policy Scripting

Configuration Prerequisites Configuration File Examples

Example 1: Basics Example 2: Accept or Reject Requests Example 3: Command Constraints Example 4: Lists Example 5: I/O Logging, Event Logging and Replay Example 6: More Complex Policies Example 7: Use Variables to Store Constraints Example 8: Control the Run-Time Environment Example 9: Switch and Case Statements Example 10: Menus

Use the While Loop Use Parallel Lists Best Practice Policy Guidelines Multiple Configuration Files and Read-Only Variables Mail Environmental Variables NIS Netgroups Specify Trusted Hosts

Configuring Firewalls

Privilege Manager Port Usage Restricting Port Numbers for Command Responses Configuring pmtunneld Configuring Network Address Translation (NAT)

Configuring Kerberos Encryption Configuring Certificates

Enable Configurable Certification

Configuring Alerts Configuring Pluggable Authentication Method (PAM)

Utilizing PAM Authentication Authenticate PAM to Client

Administering Log and Keystroke Files

Configuring Keystroke Logging for Privilege Manager for Sudo Policy

Validating Sudo Commands

Controlling Logs Local Logging

Event Logging Keystroke (I/O) Logging

Keystroke Logging In Sudo Policy Type Keystroke Logging Using the pmpolicy Type

Central Logging with Privilege Manager for Unix Controlling Log Size with Privilege Manager for Unix Viewing the Log Files Using a Web Browser Viewing the Log Files Using Command Line Tools Listing Event Logs Backing up and archiving event and keystroke logs

InTrust Plug-in for Privilege Manager

InTrust Plug-in Requirements Installing InTrust Plug-in Components InTrust Plug-in Installation Prerequisites Configuring the Policy Server for the InTrust Plug-in Installing the InTrust Knowledge Pack

InTrust Knowledge Pack Objects

Installing the InTrust Reporting Pack Configuring the InTrust Data Collection Viewing InTrust Reports Generating Reports

Gathering InTrust Data

Troubleshooting

Displaying Sudo Policy Debug Information Displaying Profile-Based Policy Debug Information Enabling Program-level Tracing Join Fails to Generate a SSH Key for Sudo Policy Join to Policy Group Failed on Sudo Plugin Load Balancing and Policy Updates Policy Servers are Failing Sudo Command is Rejected by Privilege Manager for Unix Sudo Policy Is Not Working Properly

Privilege Manager for Unix Policy File Components

Lexical and Syntactic Productions Data Types Operators and Expressions

Privilege Manager Variables

Variable Names Variable Scope Global Input Variables

alertkeymatch argc argv client_parent_pid client_parent_uid client_parent_procname clienthost command cwd date day dayname domainname env false FEATURE_LDAP FEATURE_VAS gid group groups host hour masterhost masterversion minute month nice nodename pid pmclient_type pmclient_type_pmrun pmclient_type_sudo pmshell pmshell_builtin pmshell_cmd pmshell_cmdtype pmshell_exe pmshell_interpreter pmshell_prog pmshell_script pmshell_uniqueid pmversion ptyflags requestlocal requestuser samaccount status submithost submithostip thishost time true ttyname tzname uid umask unameclient uniqueid use_rundir use_rungroup use_rungroups use_runshell user year

Global Output Variables

alertkeyaction alertkeysequence disable_exec eventlog eventloghost execfailedmsg iolog iolog_encrypt iolog_errmax iolog_opmax iologhost log_passwords logomit logstderr logstdin logstdout notfoundmsg passprompts pmshell_allow pmshell_allowpipe pmshell_checkbuiltins pmshell_forbid pmshell_readonly pmshell_reject pmshell_restricted preserve_clienthost profile_keepenv profile_setenv profile_unsetenv profile_use_runuser rejectmsg runargv runchroot runcksum runclienthost runcommand runconfirmuser runcwd runenv rungroup rungroups runhost runnice runpaths runptyflags runtimeout runumask runuser runutmpuser subprocuser tmplogdir

Global Event Log Variables

alertdate alerttime event exitdate exitstatus exittime

PM Settings Variables

Privilege Manager for Unix Flow Control Statements

accept break continue do-while for loop for loop function if-else include procedure / function readonly readonlyexcept reject return switch while

Privilege Manager for Unix Built-in Functions and Procedures

Environment Functions

getenv keepenv setenv unsetenv

Hash Table Functions

hashtable_add hashtable_create hashtable_enum hashtable_import hashtable_lookup

Input and Output Functions

fprintf input inputnoecho print printf printnnl printvars readdir readfile sprintf syslog

LDAP Functions

ldap_ bind ldap_count_entries ldap_dn2ufn ldap_explode_dn ldap_first_attribute ldap_first_entry ldap_get_attributes ldap_get_dn ldap_get_values ldap_next_attribute ldap_next_entry ldap_open ldap_search ldap_unbind

LDAP API Example List Functions

append insert join length lsubst range replace search split splitSubst

Miscellaneous Functions Password Functions

getgrouppasswd getstringpasswd getuserpasswd

Remote Access Functions

remotefileexists remotegroupinfo remotegrouplist remotesysinfo remoteusergroups remoteuserinfo remoteuserlist

String Functions

match strindex strlen strsub subst substr

User Information Functions

getfullname getgroup getgroups gethome getshell

Authentication Services Functions

vas_auth_user_password vas_host_in_ADgrouplist vas_host_is_member vas_user_get_groups vas_user_in_ADgrouplist vas_user_is_member

Privilege Manager Programs

pmcheck pmclientd pmclientinfo pmcp pmcsh pmincludecheck pminfo pmjoin pmjoin_plugin pmkey pmksh pmless pmlicense pmlist pmloadcheck pmlocald pmlog pmlogadm pmlogsearch pmlogsrvd pmlogxfer pmmasterd pmmg pmpasswd pmplugininfo pmpluginloadcheck pmpolicy pmpolicyconvert pmpolicyplugin pmpoljoin_plugin pmpolsrvconfig pmremlog pmreplay

Navigating the Log File

pmresolvehost pmrun pmserviced pmsh pmshellwrapper pmsrvcheck pmsrvconfig pmsrvinfo pmstatus pmscp pmsum pmsysid pmtunneld pmumacs pmverifyprofilepolicy pmvi

Installation Packages

Package Locations Installed Files and Directories

Unsupported Sudo Options

Unsupported Command Line Sudo Options Behavioral Change Unsupported Sudoers Policy Options Unsupported Sudoers Directives

Sudo Plugin Policy Evaluation About us

innetgroup

Privilege Manager for Unix Built-in Functions and Procedures > Miscellaneous Functions > innetgroup

Syntax

int innetgroup ( string netgroup, string host )

Description

innetgroup returns true if the specified host is in the specified NIS netgroup on the policy server; otherwise returns false.

Example

if ( ! innetgroup("submithosts", submithost)) { 
   reject "You are not permitted to submit a command from this host"; 
}

innetuser

Privilege Manager for Unix Built-in Functions and Procedures > Miscellaneous Functions > innetuser

Syntax

int innetuser (string netgroup, string user)

Description

innetuser returns true if the specified user is in the specified NIS netgroup on the policy server; otherwise returns false.

Example

if ( ! innetuser("submitusers", user)) { 
   reject "You are not permitted to submit a command from this host"; 
}

lineno

Privilege Manager for Unix Built-in Functions and Procedures > Miscellaneous Functions > lineno

Syntax

int lineno( )

Description

lineno returns the current line number in the policy file.

Example

printf("TRACE: user:%s, cmd:%s, lineno:%d\n", user, command, lineno());

mktemp

Privilege Manager for Unix Built-in Functions and Procedures > Miscellaneous Functions > mktemp

Syntax

string mktemp ( string template )

Description

mktemp returns a unique filename which is guaranteed not to exist on the policy server. Use the mktemp function to create unique temporary filenames.

NOTE: For more information, see the mktemp(3) man page.

Example

#generate a unique filename–the XXXXXX chars will be replaced to construct a unique name 
filename=mktemp("/tmp/pmXXXXXX"); 
print(filename); // prints "/tmp/pmAxK2de"

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Safeguard for Sudo 2.0 - Administrators Guide

innetgroup

Syntax

Description

Example

innetuser

Syntax

Description

Example

Related Topics

lineno

Syntax

Description

Example

mktemp

Syntax

Description

Example