Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

pmkey

Syntax
pmkey -v | [-z on|off[:<pid>]] 
         -a <keyfile> 
         [ [-l | -r | -i <keyfile>] 
         [-p <phrase>] [-f]]
Description

Use the pmkey command to generate and install configurable certificates.

For a policy evaluation request to execute, keys must be installed on all hosts involved in the request. The keyfile must be owned by root and have permissions set so only root can read or write the keyfile.

Options

pmkey has the following options:

Table 61: Options: pmkey
Option Description
-a filename Creates an authentication certificate.
-i filename Installs an authentication certificate.
-l

Creates and installs a local authentication certificate to this file:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost

NOTE: This is equivalent to running the following two commands:

  • pmkey -a /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/ key_localhost

    -OR-

  • pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/ key_localhost

-f Forces the operation. For example:
  • Ignore the password check when installing keyfile using -i or -r
  • Overwrite existing keyfile when installing local keyfile using –l
-p passphrase

Passes the passphrase on the command line for the -a or -l option.

If not specified, pmkey prompts the user for a passphrase.

-r

Installs all remote keys that have been copied to this directory:

/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_<hostname>

NOTE: This provides a quick way to install multiple remote keys.

-v Displays the Privilege Manager for Unix version and exits.
-z Enables/disables debug tracing. (Refer to Enabling Program-level Tracing before using this option.)
Examples

The following command generates a new certificate, and puts it into the specified file:

pmkey -a <filename>

The following command installs the newly generated certificate from the specified file:

pmkey -i <filename>

pmksh

Syntax
pmksh
Description

(Privilege Manager for Unix only.) The Privilege Manager K Shell (pmksh) starts a Korn shell, an interactive command interpreter and a command programming language. The Korn shell carries out commands either interactively from a terminal keyboard or from a file. pmksh is a fully featured version of ksh, that provides transparent authorization and auditing for all commands submitted during the shell session. All standard options for ksh are supported by pmksh.

To see details of the options and the shell built-in commands supported by pmksh, run pmksh -?.

NOTE: pmksh supports the -B option which allows the entire shell to run in the background when used in conjunction with '&. For example, pmksh –B –c backgroundshellscript.sh & will run the specified shell script in the background using pmksh.

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

  • forbidden by the shell without further authorization to the policy server
  • allowed by the shell without further authorization to the policy server
  • presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands are executed locally as the user running the shell program.

pmless

Syntax
pmless /full_path_name
Description

(Privilege Manager for Unix only.) The pmless pager is similar to the less pager. It has been modified so that you can use it securely with the Privilege Manager programs. Because of this, you must specify a full pathname as a command line argument to pmless. Also, you will not be able to access any files other than the ones you specify at startup time. Nor will you be allowed to spawn any processes.

Using this program in conjunction with Privilege Manager allows you to access a specific file as root but not other root functions.

pmlicense

Syntax
pmlicense -h 
            [-c] 
            -v [-c] 
            -v <xmlfile> [-c]  
            -l|-x <xmlfile> [-c] [-f] [e]
            -u [s|f][-c][-d m|y][-o <outfile>][-s d|h][-t u|p|k]
            -r [e]
            -z on |off[:<pid>]
Description

The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. If you do not supply an option, then pmlicense displays a summary of the combined licenses configured on this host.

Options

pmlicense has the following options:

Table 62: Options: pmlicense
Option Description
-c Displays output in CSV, rather than human-readable format.
–d Filters a license report; restricting the date to either:
  • m: Only report licenses used in the past month.
  • y: Only report licenses used in the past year.
-e Do not forward the license change to the other servers in the group.
-f Do not prompt for confirmation in interactive mode.
-h Displays usage.
-l

Configures the selected XML license file, and forwards it the to the other servers in the policy group.

NOTE: This option must be run as the root user or a member of the pmpolicy group.

-o Sends report output to selected file rather than to the default. For csv output, the default is file: /tmp/pmlicense_report_<uid>.txt; for human-readable output, the default is stdout.
-r Regenerates and configures the default trial license, removing any configured commercial licenses, and forwards this change to the other servers in the policy group.
-s Sort the report data by either:
  • d: date (newest first)
  • h: hostname (lowest first)
-t Filters license report by client type:
  • u: Privilege Manager for Unix client
  • p: sudo policy plugin
  • k: sudo keystroke plugin
-u Displays the current license utilization on the master policy server:
  • s: Show summary of hosts licensed
  • f: Show full details of hosts licensed, with last used times
-v If you do not provide a file argument, it displays the details of the currently configured license. If you provide a file argument, it verifies the selected XML license file and displays the license details.
-x

Configures the selected XML license file.

NOTE: This option is deprecated, use the "-l" option instead.

-z Enables/disables debug tracing. (Refer to Enabling Program-level Tracing before using this option.)

Note: License data is updated periodically by the pmloadcheck daemon. (See pmloadcheck for details.)

Examples

To display current license status information, enter the following:

# pmlicense

Privilege Manager for Unix displays the current license information, noting the status of the license. The output will be similar to the following:

*** Quest Privilege Manager for Unix *** 
*** Privilege Manager for UnixVERSION 6.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address: <IP> 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0

*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID
*License Key                                   PSXG-GPRH-PIGF-QDYV 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               1000

To update or create a new a license, enter the following at the command line:

pmlicense -l <xmldoc>

Privilege Manager for Unix displays the current license information, noting the status of the license, and then validates the information in the selected .xml file, for example:

*** Quest Privilege Manager for Unix *** 
*** Privilege Manager for UnixVERSION 6.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address:<IP> *** 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0 
*** Validating license file: <xmldoc> *** 
*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID 
*License Key                                   PNFT-FDIO-YSLX-JBBH 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               100 
*** The selected license file (<xmldoc>) contains a valid license *** 

Would you like to install the new license? y 
Type y to update the current license. 
Archiving current license… [OK] 
*** Successfully installed new license ***
Related Documents