
Safeguard for Sudo 2.0 - Administrators Guide


vas_user_in_ADgrouplist

Syntax
int vas_user_in_ADgrouplist ( string username, string domain, list ADgrouplist [, boolean verbose] )
Description

The vas_user_in_ADgrouplist function checks the user's membership against the Active Directory group list.

Returns the index of the matched list item if found, or -1 if not found.

vas_user_is_member

Syntax
int vas_user_is_member (string username, string groupname [, string domain [, boolean verbose]] )
Description

The vas_user_is_member function checks whether the selected user name, in the selected domain, is a member of the selected group. If domain is empty, it defaults to the joined domain. You can specify the group name as <domain>/<group> or <group>@<domain>.

Returns: 0 = user not in group; 1 = user in group; -1 = error

Privilege Manager Programs

This section describes each of the Privilege Manager programs and their options. The following table indicates which Privilege Manager component installs each "program":

Table 50: Privilege Manager programs

Name | Description | Server | Agent | Sudo
pmcheck | Verifies the syntax of a policy file. | X | - | X
pmclientd | (Privilege Manager for Unix only.) The Privilege Manager Client daemon that listens on the configured policy server port and responds to remote requests. | X | X | -
pmclientinfo | (Privilege Manager for Unix only.) Displays configuration information about a client host. | X | X | -
pmcp | (Privilege Manager for Unix only.) Privilege Manager remote file copy command. | X | X | -
pmcsh | (Privilege Manager for Unix only.) Privilege Manager C Shell; provides transparent authorization and auditing for all commands submitted during the shell session. | X | X | -
pmincludecheck | (Privilege Manager for Unix only.) Used by the pmsrvconfig script on the primary server only. When configuring a primary server of pmpolicy type, if you do not have a policy file to import into the repository, pmincludecheck initializes the policy from the current set of default policy files provided in the installation. | X | - | -
pminfo | (Privilege Manager for Unix only.) Registers the local host with the Privilege Manager 5.5 policy server. | X | X | -
pmjoin | Configures a Privilege Manager agent to communicate with the server(s) in the group. | X | X | -
pmjoin_plugin | (Privilege Manager for Sudo only.) Joins a Sudo Plugin to the specified policy server. Joining configures the remote host to communicate with the server(s) in the group. | X | - | X
pmkey | Generates and installs configurable certificates. | X | X | X
pmksh | (Privilege Manager for Unix only.) Privilege Manager K Shell; provides transparent authorization and auditing for all commands submitted during the shell session. | X | X | -
pmless | (Privilege Manager for Unix only.) A terminal pager program that allows you to view (but not modify) the contents of a text file one screen at a time. | X | X | -
pmlicense | Displays current license information and allows you to update a license (an expired one, or a temporary one before it expires) or create a new one. | X | - | -
pmlist | (Privilege Manager for Unix only.) Lists the commands that the user is permitted to run. | X | X | -
pmloadcheck | (Privilege Manager for Unix only.) Controls load balancing and failover for connections made from the host to the configured policy servers. | X | X | -
pmlocald | (Privilege Manager for Unix only.) The Privilege Manager Local daemon, which runs programs when instructed to do so by the appropriate policy server daemon. | X | X | -
pmlog | Displays entries in a Privilege Manager event log. | X | - | -
pmlogadm | Manages encryption options on the event log. | X | - | -
pmlogsearch | Searches all logs in a policy group based on specified criteria. | X | - | -
pmlogxfer | Transfers event logs and I/O logs after an off-line policy evaluation has occurred. pmlogxfer is initiated by pmloadcheck when there are log files queued for transfer from a Sudo Plugin host to the server. | - | - | X
pmmasterd | The Privilege Manager Master daemon, which examines each user request from pmrun and either accepts or rejects it based upon information in the Privilege Manager configuration file. You can have multiple pmmasterd daemons on the network to avoid having a single point of failure. | X | - | X
pmmg | (Privilege Manager for Unix only.) A special version of the emacs text editor to use with Privilege Manager for Unix (gnu-style key bindings). | X | X | -
pmpasswd | (Privilege Manager for Unix only.) Generates an encrypted password which can be used in the configuration file. | X | - | -
pmplugininfo | (Privilege Manager for Sudo only.) Displays information about the policy server group that the Sudo Plugin host has joined. | X | - | X
pmpluginloadcheck | (Privilege Manager for Sudo only.) A daemon that runs on each Sudo Plugin host and controls load balancing and failover for connections made from the host to the configured policy servers. | X | - | X
pmpolicy | A command-line utility for managing the Privilege Manager security policy. This utility checks out the current version, checks in an updated version, and reports on the repository. | X | - | -
pmpolicyconvert | Utility that allows you to verify, and if necessary convert, any number of policy files for use with Privilege Manager V5.5 (or later). | X | - | -
pmpolicyplugin | (Privilege Manager for Sudo only.) Displays the revision status of the cached security policy on a Sudo Plugin host; allows you to request an update from the central repository. | - | - | X
pmpoljoin_plugin | (Privilege Manager for Sudo only.) Adjunct program to the pmjoin_plugin script. pmpoljoin_plugin is called by the pmjoin_plugin script when configuring a Sudo Plugin host, to set up the required read-only access to the policy repository so that the client can operate in off-line mode. | - | - | X
pmpolsrvconfig | Configures (or un-configures) a primary or secondary policy server. Allows you to grant a user access to a repository. | X | - | -
pmremlog | Provides a wrapper for the pmlog and pmreplay utilities to access the event (audit) and keystroke (I/O) logs on any server in the policy group. | X | - | -
pmreplay | Replays an I/O log file, allowing you to review what happened during a previous privileged session. | X | - | -
pmresolvehost | Verifies the host name or IP resolution for the local host or a selected host. | X | X | X
pmrun | (Privilege Manager for Unix only.) Allows a user to run a command from their local machine as root. The policy server daemon, pmmasterd, examines each request from pmrun and either accepts or rejects it based upon the policies specified in the policy file. | X | X | -
pmserviced | The Privilege Manager Service daemon; listens on the configured ports for incoming connections for the Privilege Manager daemons. pmserviced uses options in pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon. | X | X | X
pmsh | (Privilege Manager for Unix only.) Privilege Manager Bourne Shell; provides transparent authorization and auditing for all commands submitted during the shell session. | X | X | -
pmshellwrapper | (Privilege Manager for Unix only.) A wrapper for any valid login shell on a host. | X | X | -
pmsrvcheck | Checks the Privilege Manager policy server configuration to ensure it is set up properly. | X | - | -
pmsrvconfig | Configures a primary or secondary policy server. | X | - | -
pmsrvinfo | Verifies the policy server configuration. | X | - | -
pmstatus | Verifies connectivity between Privilege Manager and the pmlocald and pmmasterd daemons on the specified hosts. | X | X | -
pmsum | Generates a simple checksum of a binary. | X | - | -
pmsysid | Displays the Privilege Manager system ID. | X | X | X
pmtimeout | Obsolete. | X | - | -
pmtunneld | (Privilege Manager for Unix only.) The Privilege Manager Tunnel daemon, which acts as a proxy for pmrun when pmlocald communicates with pmrun through a firewall. | X | X | -
pmumacs | A special version of the microemacs text editor to use with Privilege Manager for Unix (gosling-style key bindings). | X | X | -
pmverifyprofilepolicy | (Privilege Manager for Unix only.) Verifies the syntax and structure of the policy file and checks whether a particular command will be accepted or rejected. | X | - | -
pmvi | (Privilege Manager for Unix only.) A special version of the vi text editor to use with Privilege Manager. | X | X | -

pmcheck

Syntax
pmcheck [ -z on|off[:pid] ] | [ -v ] |
        [ [ -a string ] [ -b ] [ -c ] [ -e requestuser ]
          [ -f filename ] [ -g group ] [ -h hostname ] [ -i ]
          [ -l shellname ] [ -m YY[YY]/MM/DD ] [ -n HH[:MM] ]
          [ -o sudo|pmpolicy ] [ -p directory ] [ -q ] [ -r remotehost ]
          [ -s submithost ] [ -t ] [ -u user ] [ command [ args ] ] ]
Description

Use the pmcheck command to test the policy file. Although the policy server daemon pmmasterd reports configuration file errors to a log file, always use pmcheck to verify the syntax of a policy file before you install it on a live system. You can also use the pmcheck command to simulate running a command to test whether a request will be accepted or rejected.

The pmcheck program exits with a value corresponding to the number of syntax errors found.

Options

pmcheck has the following options:

Table 51: Options: pmcheck

-a string
Checks if the specified string, entered during the session, matches any alertkeysequence configured. You can only specify this option if you supply a command.
NOTE: This option is only relevant when using the pmpolicy type.

-b
Runs in batch mode. By default, pmcheck runs in interactive mode and attempts to emulate the behavior of pmmasterd when parsing the policy file. The -b option ensures that no user interaction is required if the policy file contains a password or input function; instead, a successful return code is assumed for any password authentication function.

-c
Runs in batch mode and displays output in CSV format. By default, pmcheck runs in interactive mode. The -c option ensures that no user interaction is required if the policy file contains a password prompt or input function, and no commands that require remote connections are attempted.

-e requestuser
Sets the value of requestuser. This option allows you to specify the requesting user name to use when testing the configuration. This emulates running a session with the pmrun -u <user> option, which requests that Privilege Manager for Unix run the command as a particular runuser.

-f filename
Sets the path to the policy file, providing an alternative configuration file to check. If not fully qualified, this path is interpreted as relative to the policydir, rather than to the current directory.

-g group
Sets the group name to use. If not specified, pmcheck looks up the user on the master policy server host to get the group information. This option is useful for checking a user and group that do not exist on the policy server.

-h hostname
Specifies the execution host, for testing purposes.

-i
Ignores the check for root ownership of the policy.

-l shellprogram
Verifies the command as though it were run from within a Privilege Manager for Unix shell program. This special case of pmcheck verifies the specified shell program first and, if it is accepted, verifies the specified command as a normal executable program within this shell to determine whether it would be forbidden, accepted, or rejected.
NOTE: This option is only relevant when using the pmpolicy type.

-m YY[YY]/MM/DD
Checks the policy for a particular date, entered in the format YY[YY]/MM/DD. Defaults to the current date.

-n HH[:MM]
Checks the policy for a particular time, entered in the format HH[:MM]. Defaults to the current time.

-o policytype
Interprets the policy with the specified policytype: either sudo or pmpolicy.

-p policydir
Forces pmcheck to use a different directory to search for policy files included with a relative pathname. The default location to search for policy files is the policydir setting in pm.settings.

-q
Runs in quiet mode: pmcheck does not prompt the user for input, print any errors or prompts, or run any system commands. The exit status of pmcheck indicates the number of syntax errors found (0 = success). This is useful for scripted applications that require a simple syntax check.

-r remotehost
Sets the value of the clienthost variable within the configuration file, useful for testing purposes. If you log in by means of pmksh or pmshellwrapper, the clienthost variable is set to the name of the remote host you used to log in. Otherwise the clienthost variable is set to the value of the submithost variable.

-s submithost
Sets the value of the submithost variable within the configuration file, useful for testing purposes.

-t
Runs in quiet mode to check whether a command would be accepted or rejected. By default, pmcheck runs in interactive mode. The -t option ensures that no user interaction is required if the policy file contains a password prompt or input function; no output is displayed, and no commands that require remote connections are attempted.
Exit status:
 0: Command accepted
11: Password prompt encountered. The command is accepted only if authentication is successful.
12: Command rejected
13: Syntax error encountered

-u runuser
Sets the value of the runuser variable within the configuration file, useful for testing purposes.

-v
Displays the version number of Privilege Manager for Unix and exits.

-z on|off[:pid]
Enables or disables debug tracing, and optionally sends SIGHUP to a running process. (Refer to Enabling Program-level Tracing before using this option.)

command [args]
Sets the command name and optional arguments.

You can use pmcheck two ways: to check the syntax of the configuration file, or to test whether a request is accepted or rejected (that is, to simulate running a command).

By default, pmcheck executes the configuration file interactively in the same way as pmmasterd and reports any syntax errors found. If you supply a command as an argument, it reports whether the requested command is accepted or rejected. You can use the -c and -q options to verify the syntax in batch or silent mode, without any user interaction required.

When you execute a configuration file using pmcheck, you are allowed to modify the values of the incoming variables. This is useful for testing the configuration file's response to various conditions. When pmmasterd executes a configuration file, the incoming variables are read-only.

Examples

To verify whether the pmpolicy file /opt/quest/qpm4u/policies/test.conf allows user jsmith in the users group to run the passwd root command on host host1, enter:

pmcheck -f /opt/quest/qpm4u/policies/test.conf -o pmpolicy -u jsmith -g users -h host1 passwd root
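The following script is an added example, not part of the One Identity guide, showing how the -q and -t behaviours described above can be turned into a policy regression check that runs before a policy file is installed on a live server: -q makes the exit status the number of syntax errors, and -t reports the simulated verdict as 0 (accepted), 11 (password prompt), 12 (rejected) or 13 (syntax error). The case-file format, the function names and the PMCHECK environment variable (which lets you point at a non-default pmcheck binary) are this example's own conventions; the options used mirror the guide's example invocation above.

```shell
#!/bin/sh
# Added example (not from the One Identity guide): a regression harness
# around "pmcheck -q" (syntax check) and "pmcheck -t" (silent request
# simulation). Exit codes for -t, as documented in the options table:
#   0 accepted, 11 password prompt, 12 rejected, 13 syntax error.
#
# Assumptions that are this example's own: the case-file format below and
# the PMCHECK variable for overriding the pmcheck binary location.

PMCHECK="${PMCHECK:-pmcheck}"

# Translate a "pmcheck -t" exit status into a one-word verdict.
pmcheck_verdict() {
    case "$1" in
        0)  echo accepted ;;
        11) echo password ;;
        12) echo rejected ;;
        13) echo syntax-error ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Syntax check only. With -q the exit status is the number of syntax
# errors, so this prints that count (0 means the file parsed cleanly).
pmcheck_syntax_errors() {
    policy=$1
    "$PMCHECK" -q -f "$policy" && rc=0 || rc=$?
    echo "$rc"
}

# Simulate one request: policy, user, group, host, then the command and
# its arguments. Prints the verdict and returns pmcheck's own exit status.
pmcheck_simulate() {
    policy=$1 user=$2 group=$3 host=$4
    shift 4
    "$PMCHECK" -t -o pmpolicy -f "$policy" -u "$user" -g "$group" -h "$host" "$@" \
        && rc=0 || rc=$?
    pmcheck_verdict "$rc"
    return "$rc"
}

# Regression run. Each non-comment line of the case file reads
#   expected user group host command [args...]
# where expected is accepted, password or rejected. Prints PASS/FAIL per
# case and returns the number of cases whose verdict did not match.
pmcheck_regress() {
    policy=$1 cases=$2 failures=0
    while read -r expected user group host cmd; do
        case "$expected" in ''|'#'*) continue ;; esac
        # $cmd is deliberately unquoted so the command splits into arguments.
        verdict=$(pmcheck_simulate "$policy" "$user" "$group" "$host" $cmd) || true
        if [ "$verdict" = "$expected" ]; then
            echo "PASS $expected: $user@$host $cmd"
        else
            echo "FAIL expected $expected, got $verdict: $user@$host $cmd"
            failures=$((failures + 1))
        fi
    done < "$cases"
    return "$failures"
}

# Usage: sh pmcheck-regress.sh /opt/quest/qpm4u/policies/test.conf cases.txt
# A policy with syntax errors is refused outright, since request verdicts
# against a broken policy would be meaningless.
if [ $# -ge 2 ]; then
    errors=$(pmcheck_syntax_errors "$1")
    if [ "$errors" -ne 0 ]; then
        echo "policy has $errors syntax error(s); not running request tests" >&2
        exit 1
    fi
    pmcheck_regress "$1" "$2"
fi
```

A typical case file pairs the requests a policy must allow with the ones it must refuse (for example, a line such as `rejected jsmith users host1 rm -rf /` next to `accepted jsmith users host1 passwd root`), so that a policy edit which quietly widens access shows up as a FAIL before the file reaches the policy server. Because the verdict comes from pmcheck's exit status rather than from parsing its output, the harness works with -t's silent mode and is unaffected by changes in message wording.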