
Safeguard for Sudo 2.0 - Administrators Guide


pmlist

Syntax
pmlist
Description

(Privilege Manager for Sudo only.) The pmlist command displays a list of commands the current user is permitted to run. It is only valid when using the profile-based policy.

If the server is configured to use the default profile policy, use the pmlist command to list the commands that you are permitted to run. The server evaluates all configured profiles in the policy; for those that match the submit user and host, it prints out the commands that are permitted by the profile.

pmloadcheck

Syntax
pmloadcheck -v 
               -z on|off[:<pid>] 
               -s|-p|-i [-e <interval>][-t <sec>] 
               [-c|-f][-b][ -h <master>][-t <sec>] [-a][-r]
Description

The pmloadcheck daemon runs on each host. By default, every 60 minutes the daemon verifies the status of the configured policy servers. It controls load balancing and failover for connections made from the host to the configured policy servers, and on secondary servers, it sends license data to the primary server.

When the pmloadcheck daemon runs, it attempts to establish a connection with the policy servers to determine their current status. If pmloadcheck successfully establishes a session with a policy server, it is marked as online and is made available for normal pmrun sessions. If pmloadcheck does not successfully establish a session with a policy server, it is marked as offline.

Information is gathered from a policy server each time a normal pmrun session connects to the policy server. This information is used to determine which policy server to use the next time a session is requested. If an agent cannot establish a connection to a policy server because, for example, the policy server is offline, then this policy server is marked as offline and no more connections are submitted to this policy server until it is marked available again.

To check the current status of all configured policy servers, and display a brief summary of their status, run pmloadcheck with no options. Add the -f option to show full details of each policy server status.

Options

pmloadcheck has the following options:

Table 63: Options: pmloadcheck
Option Description
-a Verify the connection as if certificates were configured.
-b Run in batch mode.
-c Display output in CSV format.
-e Set the refresh interval (in minutes) to determine how often the pmloadcheck daemon checks the policy server status. Default = 60.
-f Show full details of the policy server status when verifying and displaying policy server status.
-h Select a policy server to verify.
-i Start up the pmloadcheck daemon, or prompt an immediate recheck of the policy server status if it is already running.
-P Send SIGHUP to a running daemon.
-p Pause a running daemon (sends SIGUSR1).
-r Report last cached data for selected server(s) instead of connecting to each one.
-s Stop the pmloadcheck daemon if it is running.
-t Specify a timeout (in seconds) to use for each connection.
-v Display the version string and exit.
-z Enable/disable debug tracing. (Refer to Enabling Program-level Tracing before using this option.)

pmlocald

Syntax
pmlocald -v | [-s] [-e <filename>] [-m <masterspec>] | -z on|off [:<pid>]
Description

(Privilege Manager for Unix only.) The Privilege Manager local daemon (pmlocald) runs programs when instructed to do so by the appropriate policy server daemon. pmlocald is started from pmserviced.

Unless the -m option is used, it first checks the /etc/opt/quest/qpm4u/pm.settings file to determine the policy server daemons from which it is allowed to accept requests. If the request is legitimate, it then runs and manages the program.

Options

pmlocald has the following options:

Table 64: Options: pmlocald
Option Description
-e filename Send any errors to the specified file; applies only to local daemon errors.
-m polserverspec Specifies the policy server daemon from which requests are accepted. polserverspec is either a host name, or a netgroup name preceded by a + or a - (+ includes the netgroup, - excludes it). You can specify polserverspec more than once. If you use the -m option, pmlocald does not consult the masterhost setting in the /etc/opt/quest/qpm4u/pm.settings file.

-s Send any errors generated to syslog.
-v Displays the version number of Privilege Manager for Unix and exits.
-z Enable/disable tracing for this program and optionally for a currently running process. (Refer to Enabling Program-level Tracing before using this option.)
Files

File containing Privilege Manager communication parameters, including the list of valid master hosts:

/etc/opt/quest/qpm4u/pm.settings

pmlog

Syntax
pmlog [-dlvq] [-p|a|e|r|x printexpr] [-f filename] [[-c] constraint] 
         [[-c] constraint] [-f filename] -h [-z on|off[:<pid>]] [--user username] 
         [--runuser username] [--runhost hostname] [--reqhost hostname]  
         [--masterhost hostname][--command pattern] [--reqcommand pattern]  
         [--runcommand pattern][--before "YYYY/MM/DD hh:mm:ss"]  
         [--after "YYYY/MM/DD hh:mm:ss"][--result Accept|Reject]
Description

Use the pmlog command to selectively choose and display entries in a Privilege Manager for Unix event log. Each time a job is accepted, rejected, or completed by pmmasterd, an entry is appended to the file specified by the eventlog variable in the configuration file. eventlog is sent to /var/opt/quest/qpm4u/pmevents.db on all platforms.

Options

pmlog has the following options:

Table 65: Options: pmlog
Option Description
-a expression Sets the print expression for 'accept' events to expression.
-c constraint Selects particular entries to print; specify constraint as a Boolean expression. (See Examples below).
-d Dumps each entry as it is read without matching 'accept' and 'end' entries. The -d (dump) option forces pmlog to print each entry as it is read from the file. The default output format includes a unique identifier at the start of each record, allowing 'end' events to be matched with 'accept' events.
-e expression Sets the print expression for 'finish' events to expression.
-f filename Reads the eventlog information from filename.
-h Displays usage information.
-l Dumps alert log entries only.
-p expression Sets the print expression for all event types to expression.
-q Runs in quiet mode; no expression errors (for example, undefined variables) are printed.
-r expression Sets the print expression for 'reject' events to expression.
-v Turns on verbose mode.
-x expression Sets the print expression for 'alert' events to expression.
-z Enables/disables debug tracing. (Refer to Enabling Program-level Tracing before using this option.)
Quick Search Options
--user username Selects entries in which the requesting user matches username.
--runuser username Selects entries in which runuser matches username.
--runhost hostname Selects entries in which runhost matches hostname.
--reqhost hostname Selects entries in which the requesting host matches hostname.
--masterhost hostname Selects entries in which masterhost matches hostname.
--command pattern Selects entries in which the requested command matches pattern.
--reqcommand pattern Return events where the given text appears anywhere in the requested command line.
--runcommand pattern Selects entries in which the runcommand host matches pattern.
--before "YYYY/MM/DD hh:mm:ss" Selects entries occurring before the specified date and time.
--after "YYYY/MM/DD hh:mm:ss" Selects entries occurring after the specified date and time.
--result Accept|Reject Selects entries that were accepted or rejected.

Examples

Without arguments, pmlog reads the default eventlog file and prints all its entries. If you have chosen a different location for the event log, use the -f option to specify the file for pmlog.

By default, pmlog displays one entry for each completed session (either rejected or accepted). You can filter the results to print only entries which satisfy the specified constraint using the -c option. In this example the event policy variable is compared to Reject to specify a constraint as a Boolean expression:

pmlog -c'event=="Reject"'
pmlog -c'date > "2008/02/11"'
pmlog -c'user=="dan"'

which prints only rejected entries, entries that occur after February 11, 2008, or requests by user Dan, respectively.

NOTE: See Privilege Manager Variables for more information about policy variables.

The following options accept shortcut notations to specify constraints:

  • --user username
  • --runuser username
  • --reqhost hostname
  • --runhost hostname
  • --masterhost hostname
  • --command command
  • --runcommand command
  • --reqcommand command
  • --before "YYYY/MM/DD hh:mm:ss"
  • --after "YYYY/MM/DD hh:mm:ss"
  • --result Accept|Reject

For example, here are equivalent constraints to the previous example specified using shortcuts:

pmlog --result Reject
pmlog --after "2008/02/11 00:00:00"
pmlog --user dan

With shortcuts, you can express user names and host names as patterns containing wild card characters (? and *). For example, to display entries for all requests for user1, user2, and user3, use the following shortcut:

pmlog --user "user?"

NOTE: Enclose patterns containing wild card characters in quotes to prevent the command shell from interpreting them.

Use the -d and -v options for debugging. Normally, when pmlog finds an 'accept' entry, it refrains from printing until the matching 'end' entry is found; all requested information including exitstatus, exitdate, and exittime is then available to print.

The -d (dump) option forces pmlog to print each entry as it is read from the file. The default output format includes a unique identifier at the start of each record, allowing 'end' events to be matched with 'accept' events.

The -v (verbose) option prints all the variables stored with each entry.

The -t option turns on tail follow mode. The program enters an endless loop, sleeping and printing new event records as they are appended to the end of the log file. The -d flag is implied when using -t.

You can specify the output format for each of the three event types - 'accept', 'reject' or 'finish' - with the -a, -r, and -e options. Use the -p option to set the output for all three event types.

For example, to print only the dates and names of people making requests, enter:

pmlog -p'date + "\t" + user + "\t" + event'

-OR-

pmlog -p 'sprintf("%s %-8s %s", date, user, event)'

See Listing Event Logs for more examples of using the pmlog command.
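
The following is an added example, not part of the original guide or the product's own tooling: a review script that pulls rejected requests since a given time and reports users with repeated rejections. It assumes that --after, --result and -p can be combined in one call and that the "\t" in the print expression yields tab-separated output; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize repeated 'Reject' events per requesting user.
# Print expression taken from the guide's own -p example.
PRINT_EXPR='date + "\t" + user + "\t" + event'

# valid_ts: accept only the "YYYY/MM/DD hh:mm:ss" form that --after expects.
valid_ts() {
    case "$1" in
        [0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9]" "[0-9][0-9]:[0-9][0-9]:[0-9][0-9])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# count_rejects MIN: read date<TAB>user<TAB>event records on stdin and print
# "user count" for every user with at least MIN rejected requests.
count_rejects() {
    awk -F '\t' -v min="$1" '
        $3 == "Reject" { n[$2]++ }
        END { for (u in n) if (n[u] >= min) print u, n[u] }
    ' | sort
}

# rejects_since TIMESTAMP [MIN]: query the event log (assumed option
# combination) and summarize. MIN defaults to 3.
rejects_since() {
    valid_ts "$1" || { echo "bad timestamp: $1" >&2; return 2; }
    pmlog --after "$1" --result Reject -p "$PRINT_EXPR" | count_rejects "${2:-3}"
}

# sample_events: constructed records in the assumed output format, for
# trying count_rejects on a host without pmlog.
sample_events() {
    printf '2008/02/11\tdan\tReject\n'
    printf '2008/02/11\tdan\tReject\n'
    printf '2008/02/12\tamy\tAccept\n'
    printf '2008/02/12\tdan\tReject\n'
    printf '2008/02/12\tamy\tReject\n'
}

# Usage on a policy server: rejects_since "2008/02/11 00:00:00" 3
# Offline check:            sample_events | count_rejects 3
```

A user who appears here with several rejections in a short window is worth comparing against the policy: either the profile is missing a command the user legitimately needs, or the requests warrant a closer look.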

NOTE: If you run pmlog --csv console to obtain CSV output from pmlog, refer to pmlogsearch for a list of the column headings.
