Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

pmlogadm

Syntax
pmlogadmin> archive event_log_path archive_path --before YYYY-MM-DD [--clean-source] [--dest-dir destination_path] [--no-zip]
pmlogadmin> archive event_log_path archive_path --older-than days [--clean-source] [--dest-dir destination_path] [--no-zip]
pmlogadmin> backup event_log_path backup_path
pmlogadmin> create new_event_log_path
pmlogadmin> encrypt enable|disable|rekey event_log_path
pmlogadmin> help [command]
pmlogadmin> import [-y|-n] source_event_log dest_event_log
pmlogadmin> info event_log_path
pmlogadmin> --help|-h
pmlogadmin> --version|-v
pmlogadmin> -z on|off[:<pid>]
Description

Privilege Manager event log administration utility. Use pmlogadm to manage encryption options on the event log.

Options

pmlogadm has the following options:

Table 66: Options: pmlogadm
Option Description
-h, --help

Displays usage information.

help [command]

By default the help command displays the general usage output. When you specify a command, it displays a usage summary for that command.

-v, --version Displays the version number of Privilege Manager for Unix and exits.
-z Enables/disables debug tracing, and optionally sends SIGHUP to running process. (Refer to Enabling Program-level Tracing before using this option.)
Table 67: Global options: pmlogadm
Option Description
--verbose Enables verbose output.
--silent Disables all output to stdout. Errors are output to stderr.
Table 68: Valid commands: pmlogadm
Option Description
archive

Moves old events to an archive.

archive event_log_path archive_name --before YYYY-MM-DD [--cleansource] [--dest-dir destination_path] [--no-zip]

-OR-

archive event_log_path archive_name --older-than days [--cleansource] [--dest-dir destination_path] [--no-zip]

Moves events that occurred before the indicated date (YYYY-MM-DD) to an archive-named archive_name. If you use the second form, specify the date as days before the current date.

The archive is created in the current working directory unless you specify a destination path using the --dest-dir option. By default, the archive is compressed using tar and gzip, but you can skip this using the --no-zip option, in which case the resulting archive is a directory containing the new log with the archived events.

NOTE: All files in that directory are required to access the archive. To access the archive, use pmlog. Moving events to an archive may not reduce the actual file size of the event log. To reduce the file size, the source log must be cleaned. To clean the source log, add the --clean-source option. When a large number of events are present in the source log this option can increase the archive process time and use a large amount of disk space while the process runs. Once started, do not interrupt the process.

backup Creates a backup of source_log, in location backup_log.
create

Creates new empty audit files for that log.

create new_event_log_path

This may include a keyfile which has the "-kf" suffix, a journal file with the "-wal" suffix, and a "-shm" system file. It is critical that the group of files that make up an event log remain together at all times. Removal of any one of these files may result in permanent loss of access to the event log.

encrypt

Enables or disables encryption of an event log.

encrypt enable|disable|rekey event_log_path

By default all event logs created by Privilege Manager are encrypted using the AES-256 standard. The encryption key is stored in the keyfile which is in the same path as the event log and has the same file name, and the "-kf" suffix. It is critical that this file remain in the same path as the main event log file. You can decrypt the whole log file using the encrypt disable command, passing the path of the main event log file as an argument. Enable encryption using encrypt enable. The encrypt rekey command generates a new encryption key and re-encrypt all data in the event log using that new key data. The key file is automatically updated with the new key data if the operation succeeds.

import

Imports events.

import [-y|-n] source_event_log dest_event_log

Import events from source_event_log, adding them to dest_event_log.

info

Displays information about the event log.

info event_log_path

Displays information about the event_log_path. The information reported includes the current encryption status of the event log, the size of the file and the number of events contained in the log.

Settings

The following entries in the /etc/opt/quest/qpm4u/pm.settings file are used by pmlogadm

Table 69: Settings: pmlogadm
Option Description
eventLogQueue pathname Specify the location of the event log queue, used by both pmmasterd and pmlogsrvd. This option is only used to determine whether the pmlogsrvd service is currently running.

NOTE: For more usage information for a specific command please run:

pmlogadm help command

Files

The default Privilege Manager event log file is located at:

/var/opt/quest/qpm4u/pmevents.db

Other files that may be used by pmlogadm are:

  • settings file: /etc/opt/quest/qpm4u/pm.settings
  • pid file: /var/opt/quest/qpm4u/evcache/pmlogsrvd.pid
Related Topics

pmlog

pmlogsrvd

pmmasterd

pmlogsearch

Syntax
pmlogsearch [--csv] [--no-sort] 
               [--before "YYYY/MM/DD hh:mm:ss"] [--after "YYYY/MM/DD hh:mm:ss"] 
               [--user <username>] [--host <hostname>] [--result accept|reject] 
               [--text <keyword>]
               -h | --help  
               -v | --version
Description

Use the pmlogsearch command to perform a search on all logs in this policy group based on specified criteria.

You must specify at least one search condition; you can combine conditions.

Options

pmlogsearch has the following options:

Table 70: Options: pmlogsearch
Option Description
--csv

Outputs the search results in CSV format, suitable for consumption by Management Console for Unix. If this option is not present, the output is human-readable.

One or more of the search criteria must be present, and any combination of the criteria is accepted. When multiple criteria are present they must all be matched (that is, the query criteria are combined using AND logic) for a log to be included in the results.

--after

--before

Returns logs generated for sessions initiated after and/or before the specified time and date. For example:

# pmlogsearch --after “2012/01/04 00:00:00”

returns all logs for sessions since January 4, 2012.

# pmlogsearch --after “2012/01/01 00:00:00” --before “2012/12/31 23:59”

returns all logs generated during 2012.

--user username Searches for logs generated by sessions requested by the specified user name. username is case sensitive. For example:

# pmlogsearch --user harry

returns the locations of all keystrokelogs for sessions requested by the user named "harry".

The pattern may include the following wild card symbols:

  • * = match any string
  • ? = match any single character
--host hostnamePattern

Searches for logs generated by sessions executed on hosts matching the given pattern. The pattern may include the following wild card symbols:

  • * = match any string
  • ? = match any single character

For example:

# pmlogsearch --host “myhost?.mydomain.com”

matches logs for sessions executed on myhost1.mydomain.com or myhost2.mydomain.com, but not myhost1 or myhost10.mydomain.com.

# pmlogsearch --host “myhost*”

matches logs for sessions executed on myhost1.mydomain.com, myhost2.mydomain.com, myhost1 or myhost10.mydomain.com, but will not match anotherhost.mydomain.com.

# pmlogsearch --host myhost11.mydomain.com

only matches logs for sessions executed on host myhost11.mydomain.com.

--result Returns only events with the indicated result.
--text “keyword

Searches for events where the specified text occurs in the command line or events with keystroke logs that contain the specified text.

NOTE: You must enter the keyword or phrase as one argument. If the phrase contains a space, enclose the whole phrase in quotes. For example:

# pmlogsearch --text “my phrase

matches any log containing the string "my phrase".

# pmlogsearch --text phone

matches logs containing any word with the substring phone (such as, telephone, headphones, phones), or the complete word phone.

--no-sort Do not sort the results.
–v (or --version) Displays the version number of Privilege Manager for Unix and exits.
–h (or --help) Displays usage information and exits.
Output

You can output the search results in either human-readable or CSV format.

Human-Readable Output

The following is an example of the human-readable output of a search:

# pmlogsearch --user sheldon --text Linux 
Search matches 5 events 
2012/01/19 18:12:25 : Accept : sheldon@host1.example.com 
   Request: sheldon@host1.example.com : uname -a 
Executed: root@host1.example.com : uname -a 
   IO Log: pmsrv1.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-181225.OiaiBr 
2012/01/19 18:11:56 : Accept : sheldon@host1.example.com 
   Request: sheldon@host1.example.com : uname -a 
Executed: root@host1.example.com : uname -a 
   IO Log: pmsrv2.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-181156.x46qJP 
2012/01/19 17:59:09 : Accept : sheldon@host2.example.com 
   Request: sheldon@host2.example.com : uname -a 
Executed: root@host2.example.com : uname -a 
   IO Log: pmsrv2.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-175909.1H0P5n 
2012/01/19 17:58:42 : Accept : sheldon@host2.example.com 
   Request: sheldon@host2.example.com : uname -a 
Executed: root@host2.example.com : uname -a 
   IO Log: pmsrv2.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-175842.ZvfrMv 
2012/01/19 17:58:14 : Accept : sheldon@host2.example.com 
   Request: sheldon@host2.example.com : uname -a 
Executed: root@host2.example.com : uname -a 
   IO Log: pmsrv1.example.com: opt/quest/qpm4u/iologs/sheldon/root/uname-20120119-175814.
CVS Output

The results are output in CSV format, without field headings. The columns are listed in order below:

  1. Session date/time
  2. Session Unique ID
  3. Master host
  4. Submit host (host from which the session was requested)
  5. Submit user (the user that requested the session)
  6. Requested host
  7. Requested user account
  8. Requested command line
  9. Result (Accept/Reject)
  10. Run host (the host on which the command was executed)
  11. Run user (the user account used to execute the command)
  12. Command line actually executed
  13. The exit return code if the command executed, or "NO_EXIT" if the event is a reject or the command failed to execute
  14. Keystroke log host. This column is blank, if it is the same as #3 Master host.
  15. Keystroke log file path

The following is an example of CSV output:

# pmlogsearch --csv --user penny --text "Linux" 
"2012/01/19 18:10:40", "4d3729207eec", "pmsrv1.example.com", "host1.example.com", "penny", "uname", "Accept", "host1.example.com", "penny", "uname", "pmsrv1.example.com", "opt/quest/qpm4u/iologs/host1.example.com/penny/uname-20120119-181040.hLqZFY" 
"2012/01/19 18:10:13", "4d3729057e5f", "pmsrv1.example.com", "host1.example.com", "penny", "uname", "Accept", "host1.example.com", "penny", "uname", "pmsrv1.example.com", "opt/quest/qpm4u/iologs/host1.example.com/penny/uname-20120119-181013.yG1m41" 
"2012/01/19 18:00:14", "4d3726ae1ec0", "pmsrv2.example.com", "host1.example.com", "penny", "uname", "Accept", "host1.example.com", "penny", "uname", "pmsrv2.example.com", "opt/quest/qpm4u/iologs/host1.example.com/penny/uname-20120119-180015.Z42heZ" 
"2012/01/19 18:00:47", "4d3726cf1f9d", "pmsrv1.example.com", "host1.example.com", "penny", "uname", "Accept", "host1.example.com", "penny", "uname", "pmsrv1.example.com", "opt/quest/qpm4u/iologs/host1.example.com/penny/uname-20120119-180047.GUtrRt"

pmlogsrvd

Syntax

pmlogsrvd [-d | --debug] [-h | --help] [--log-level level] [--no-detach] 
             [--once] [-q | --queue queue_path] [--syslog [facility]] 
             [-t | --timeout delay_seconds] [-v | --version] [-z on|off [:<pid>]]

Description

pmlogsrvd is the Privilege Manager log access daemon, the service responsible for committing events to the Privilege Manager event log, and managing the database storage used by the event log.

When an incoming event is processed by pmmasterd that event must be logged to the event log. pmmasterd commits a record of the log to the event log queue, which is monitored by pmlogsrvd. pmlogsrvd takes each event from the queue and commits that event to the actual event log.

Options

pmlogsrvd has the following options:

Table 71: Options: pmlogsrvd
Option Description
-d, --debug Enables debug operation. This option prevents pmlogsrvd from running in the background, and enables debug output to both the log and the terminal.
-h, --help Displays the usage information and exits.
--log-level level Controls the level of log messages included in the log file. By default the logging level logs only error messages. Valid logging levels, in ascending order by volume of messages, are none, error, warning, info, and debug.
--no-detach Do not run in the background or create a pid file. By default, pmlogsrvd forks and runs as a background daemon. When you specify the --no-detach option, it stays in the foreground.
--once Processes the queue once immediately and then exits.
-q, --queue path Specifies the location of the event log queue as path.
--syslog Enables logging to syslog.
-t, --timeout time Specifies the time delay between processing the queue as time seconds. By default pmlogsrvd waits for 120 seconds before waking to scan the event log queue if no other trigger causes it to begin processing. Normally processing is triggered directly by pmmasterd immediately after an event is processed.
-v, --version Displays the version and exits.
-z Enables/disables debug tracing. (Refer to Enabling Program-level Tracing before using this option.)

Settings

pmlogsrvd uses the following entries in the /etc/opt/quest/qpm4u/pm.settings file:

Table 72: Settings: pmlogsrvd
Setting Description
eventLogQueue pathname Specifies the location of the event log queue, used by both pmmasterd and pmlogsrvd. This setting is ignored by pmlogsrvd when you use the --queue option on the command line.
pmlogsrvlog pathname Fully qualified path to the pmlogsrvd log file.
syslog yes|no By default, /fBpmlogsrvd/fR used this setting to determine whether to send log messages to syslog. When you use the /fIsyslog/fR option on the command line, this setting is ignored.

Files

  • settings file: /etc/opt/quest/qpm4u/pm.settings
  • pid file: /var/opt/quest/qpm4u/evcache/pmlogsrvd.pid

Related Topics

pmlog

pmlogsearch

pmmasterd

pmlogxfer

Syntax
pmlogxfer -h | -v | [ -z on|off[:pid] ]
Description

Transfers event logs and I/O logs after an off-line policy evaluation has occurred. pmlogxfer is initiated by pmloadcheck when there are log files queued for transfer from a Sudo Plugin host to the server.

NOTE: pmlogxfer is not intended to be run directly, it is normally invoked by pmpluginloadcheck at a regular interval (every 30 minutes by default).

Options

pmlogxfer has the following options:

Table 73: Options: pmlogxfer
Option Description
-h Displays usage information.
-v Displays the version number of Privilege Manager for Unix and exits.
-z Enables/disables debug tracing, and optionally sends SIGHUP to running process. (Refer to Enabling Program-level Tracing before using this option.)
Files

Directory for offline log files:

/var/opt/quest/qpm4u/offline
Related Topics

pmpluginloadcheck

Related Documents