Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

pmpluginloadcheck

Privilege Manager Programs > pmpluginloadcheck
Syntax

pmpluginloadcheck -v 
                     -z on|off[:<pid>] 
                     -s|-p|-i [-e <interval>][-t <sec>] 
                    [-c|-f][-b][ -h <master>][-t <sec>] [-a][-r]

Description

(Privilege Manager for Sudo only.) The pmpluginloadcheck daemon runs on each Sudo Plugin host and controls load balancing and failover for connections made from the host to the configured policy servers. It runs as a daemon, and is started as needed to verify the status of the configured policy servers.

Information is gathered from a policy server each time a normal sudo session connects to the policy server. This information is used to determine which policy server to use the next time a session is requested. If a host cannot establish a connection to a policy server because, for example, the policy server is offline, then this policy server is marked as offline and no more connections are submitted to this policy server until it is available again. For each policy server that is marked as offline, the pmpluginloadcheck daemon checks at intervals, and attempts to establish a connection with the policy server to determine its current status. If pmpluginloadcheck successfully establishes a session with the policy server, it is marked as online and is made available for normal sudo sessions.

To check the current status of all configured policy servers and display a brief summary of their status, run pmpluginloadcheck with no options. Add the –f option to show full details of each policy server status.

Options

pmpluginloadcheck has the following options:

Table 76: Options: pmpluginloadcheck
Option Description
-a Verifies the connection as if certificates are configured.
-b Runs in batch mode.
-c Reports full details of selected server(s) in CSV, rather than human-readable format.
-e interval Sets the refresh interval (in minutes). The default is 60 minutes. The minimum value is 2 minutes.
-f Reports full details of data for each policy server (or selected policy server, when using the –h option).
-h Selects a policy server to verify.
-i Starts up the pmpluginloadcheck daemon, if it is not already running.
-P Pause (send SIGUSR1) to a running daemon.
-p Sends SIGHUP to a running daemon.
-r Reports last cached data for selected server(s) instead of connecting.
-s Stops the pmloadcheck daemon, if it is running.
-t Specifies a timeout (in seconds) to use for each connection.
-v Displays the version string and exits.
-z Enables/disables debug tracing. (Refer to Enabling Program-level Tracing before using this option.)

pmpolicy

Syntax
pmpolicy -v | -z on|off[:<pid>] command [args] [-c] [<command.] -h
Description

pmpolicy is a command line utility for managing the Privilege Manager for Unix security policy. Use the pmpolicy command to view and edit the policy in use by the group. Any user in the pmpolicy group may run this command on any configured policy server host.

This utility checks out the current version, checks in an updated version, and reports on the repository.

You can use the –c option to display the result of the command in CSV, rather than in a human-readable form. The CVS output displays the following fields: Resultcode, name, description, Output msg.

The pmpolicy utility exits with the following possible exit status codes, unless otherwise stated below:

Exit Status Codes
0: Success 
1: Repository does not exist 
2: Specified path does not exist 
3: Failed to checkout from the repository 
4: Failed to check in to the repository 
5: Syntax error found in new policy – check in was abandoned 
6: Conflict found when attempting a check in – check in was abandoned 
7: Policy type not found in repository 
8: Failed to access the repository to report requested information 
9: The selected version was not found in the repository 
10: Directory did not contain a working copy 
11: Check in abandoned 
12: Invalid path specified 
13: Invalid configuration
Options

The following is a summary of the commands and options available to pmpolicy.

NOTE: Run any command with a -h to get more information about it. For example:

pmpolicy <command> -h
Table 77: Commands and options: pmpolicy
Command Description
add Adds a new file from the specified path to the policy repository.

add -p path -d dir [-n [-l commitmsg]] [-c] [-u <user>]

Records the addition of a new file to the working copy of the policy. Use the -p option to specify the file path (relative to the top-level directory in the policy) to add. Use the -d option to specify the directory of the working copy. The -n option commits the changes to the repository. If you use the -n option, you can also use the -l option to provide a commit log message. If you use -n without the -l, the command interactively prompts you for the commit log message

checkout Checks out a working copy of the policy to the specified directory.

checkout -d <dir> [-c] [-r <revision>]

If the directory does not exist, it is created. If the selected directory exists, the existing contents is overwritten. By default, the latest copy is retrieved; use the –r option to check out a particular revision. You can specify a revision using SVN DATE format, or the HEAD keyword, as well as revision numbers.

NOTE: A date format specified without a time, defaults to 00:00:00.

The earliest time you can use to identify a particular revision is one second after the time you commit the revision. For example, if you committed revision 2 at 12:00:00, then you must specify a time of 12:00:01 or later to check out revision 2. For example:

pmpolicy checkout -d /tmp -r "{2012-01-02 12:00:01}" # checkout revision that existed on 2012-01-02 00:00:00

commit Checks in changes from a working copy to the policy repository.

commit -d <dir> [-l <commitmsg>] [-c] [-a force|abort|merge|overwrite][-u <user>]

Commits the working copy of the policy from the indicated directory. All files in the indicated directory are checked in to the repository.

This working copy is first verified for syntax errors using the pmcheck utility. The working copy must match the policy type currently in use, otherwise a syntax error will be produced by pmcheck.

If no syntax errors are encountered, it attempts to check in this copy into the repository, honoring the -a option as described below. Exit status of 0 indicates successful check in.

The –a option indicates the action to be taken when checking in a working copy, if the repository has changed since the working copy was checked out, that is, the edits are based on an out-of-date copy of the repository. The resulting differences between the working copy and the repository may or may not conflict.

You can specify the following actions:

  • Merge: If the only differences are non-conflicting, then merge the changes. If any conflicting changes are found, abort the check in.
  • Overwrite: Merge the changes. If any conflicting changes are found in the repository, select those from the working copy.
  • Force: Overwrite the copy in the repository with the working copy, discarding any changes that have been committed since the working copy was checked out.
  • Abort: Abandon the check in if the working copy is out of date, regardless of whether changes are in conflict (this is the default)

For example,

pmpolicy commit -d /tmp -a force

diff Checks the differences between two revisions of the policy and reports the output to stdout, or to the selected output file.

diff [-o <outfile>][-c][-f][-p <path>][-d <dir> [-r <v1>]] | [-r [<v1>:[<v2>]]

By default, this option displays the differences between the two selected revisions. If you specify the –f option, it displays the incremental differences between each revision in the specified range. You can specify revisions using any acceptable SVN revision format, such as HEAD, COMMITTED, or DATE format. You can use the –o option to report the "diff" output to a file, rather than to stdout (the default).

  • If you specify a directory, it compares the copy in that directory with the selected revision (or the latest revision in the repository, if you do not specify a revision).
  • If you specify one revision, it reports the difference between the latest and selected revision.
  • If you specify two revisions, it reports the difference between the selected revisions.

Exit Status:

0: no differences were detected. 
1: differences were detected 
2: An error occurred

For example:

pmpolicy diff -d /tmp -o /tmp/diffs.txt -r2 pmpolicy diff –r1:2 -o /tmp/diffs.txt

edit The utility checks out a temporary working copy of the policy and starts the appropriate interactive editor to edit the files. For a sudo policy, it runs visudo; for a legacy policy it uses $EDITOR.

edit [-a force|abort|merge|overwrite] [-l <commitmsg>] [-p <path>][-u <user>]

This option is useful for manual interactive editing of the policy on the command line.

On completion of the edit, it verifies the syntax of the policy. If no errors are found, it checks the edits back in to the repository. If any errors are found, then it exits without checking in the changes.

NOTE: When saving an edited policy, some non-ASCII characters in the commit log message may error and cause all changes to the policy to be discarded. To avoid this possibility, avoid using backspace, arrow keys and any other keys that may be interpreted as non-ASCII characters within the shell.

help Displays usage information.
log Logs revision information about the repository.

log [-o <outfile>][-c][-e][-r <revision>]

Reports information about the repository to stdout or to the selected output file. This displays details of the user who changed the repository, the version number for this change, along with the time and date of the change.

By default, this option shows details of each revision in the repository, one version per line. If you specify a version, it shows the details of this version. You can use the –o option to report the "log" output to a file, rather than to stdout.

The status is displayed in the following format for CSV output:

”<version>”,”<username>”,<YYYY-MM-DD>,<HH:MM:SS>”<commitmsg>”

For example:

pmpolicy log -r 3

masterstatus Reports the status of the production copy of the policy used by Privilege Manager for Unix to authorize commands.
masterstatus [-o <outfile>] [-c]

The production copy is stored in the following directory by default:

/etc/opt/quest/qpm4u/policy/

You can use the –o option to report the information to a file instead of to stdout.

It reports the following information:

  • Path to the production copy
  • Date and time the production copy was checked out
  • Revision number of the production copy
  • Latest trunk revision number of the repository
  • Locally modified flag (indicates that someone manually edited the file)

The information is displayed in the following format for CSV output:

<path>,<YYYY/MM/DD>,<HH:MM><policyrevision>,<trunkrevision>,0|1
remove

Removes a file from the specified path in the policy repository.

remove -p path -d dir [-n [-l commitmsg]] [-c] [-u <user>]

Removes a file from the indicated working copy directory. Use the -p option to specify a path to the file (relative to the top-level directory in the policy). Use the -d option to specify the directory of the working copy. The -n option commits the changes to the repository. If you use the -n option, you can also use the -l option to provide a commit log message. If you use -n without -l, the command interactively prompts you for the commit log message.

revert Reverts to the selected revision of the policy.
revert [-c] [-r <version>][-l <commitmsg>]

Checks out a copy of the selected revision, edits the files, and checks the copy back in as the latest revision.

status Verifies the working copy of the policy in the directory indicated.
status -d <dir> [-c]

Verifies the working copy of the policy in the specified directory. You can use this to verify the status of a working copy that was previously checked out, before attempting to commit any edits. Each file in the selected directory is checked against the latest version in the repository. For example:

pmpolicy status -d /tmp

Exit Status:

  • 0: The working copy is up to date and has not been modified; no action is required.
  • 1: The working copy is up to date and has been modified; you must check in to commit the edits made in the working copy.

    To commit the changes, run:

    pmpolicy commit -d <dir>
  • 2: The working copy is out of date and has not been modified; You must check out to get an up-to-date copy of the policy before editing.

    To check out the latest copy, run:

    pmpolicy checkout -d <dir>
  • 3: The working copy is out of date and has been modified, but the changes do not conflict with the latest version. Therefore, a default check in will fail. To commit the you must use the -a option.

    To commit the changes, run:

    pmpolicy commit -d <dir> -a merge
  • 4: The working copy is out of date and has been modified and the changes conflict with the latest version, therefore a default check in will fail.

    To commit the changes and overwrite any conflicts with the working copy’s changes run:

    pmpolicy commit -d <dir> -a force
  • 5: An error occurred when attempting to verify the status.

sync Checks out the latest version to the production copy of the policy used by Privilege Manager for Unix to authorize commands.
sync [-f][-c]

Synchronize the local production copy of the policy with the latest revision in the repository.

-v Displays Privilege Manager for Unix version.
-z Enables/disables debug tracing and optionally sends SIGHUP to a running process. (Refer to Enabling Program-level Tracing before using this option.)

pmpolicyconvert

Privilege Manager Programs > pmpolicyconvert
Syntax
pmpolicyconvert [-o <output dir>] [-v [-v]] path [paths...]
Description

(Privilege Manager for Unix only.) The pmpolicyconvert utility allows you to verify, and if necessary, convert any number of policy files for use with Privilege Manager for Unix V5.5 (or later).

The pmpolicyconvert utility is a perl script that takes as input one or more policy files, and makes a copy of each file, performing any translation required to allow these files to be used in Privilege Manager.

pmpolicyconvert also warns about any variables and functions that are not applicable in Privilege Manager.

You can pass one or more files or directories as parameters to this utility. If a directory is specified, then pmpolicyconvert assumes it is to translate all files contained in that directory (and all subdirectories).

It copies the updated files to the specified output directory (mirroring the original directory structure if an entire directory is being translated). All changes are marked with a comment in the copied file.

A report is generated in the file ./ pmpolicyconvert _report.txt that describes the changes made.

Options

pmpolicyconvert has the following options:

Table 78: Options: pmpolicyconvert
Option Description
-h Displays a usage message and exit.
-o Specifies an output directory to use. If not specified, the default is ./pm_policy.
-v Runs in verbose mode. Multiple –v options increase the verbosity. The maximum is two.
-V Displays the version number of Privilege Manager for Unix and exits.

pmpolicyplugin

Privilege Manager Programs > pmpolicyplugin
Syntax
pmpolicyplugin [-c] -g | -h | -l | -s | -v | -z [on|off[:<pid>]] 
Description

(Privilege Manager for Sudo only.) Use the pmpolicyplugin command to display the revision status of the cached security policy on this host or to request an update from the central repository.

Options

pmpolicyplugin has the following options:

Table 79: Options: pmpolicyplugin
Option Description
-c Displays output in CSV, rather than human-readable format.
-g Exports the latest copy of the policy to the production copy (equivalent to pmpolicy sync on a server).
-h Displays usage information.
-l Reports whether a client is configured on this host.
-s Shows details of the production policy on this host (equivalent to pmpolicy masterstatus on a server).
-v Displays Privilege Manager for Unix version number.
-z Enables/disables debug tracing and optionally sends SIGHUP to a running process. (Refer to Enabling Program-level Tracing before using this option.)

See Sudo Policy Is Not Working Properly for an example of using the pmpolicyplugin command.

Related Documents