Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

Navigating the Log File

Privilege Manager Programs > pmreplay > Navigating the Log File

Use the following commands to navigate the log file in interactive mode.

Table 84: Log file navigation shortcuts
Command Description
g Go to start of file.
G Go to end of file.
p Pause/resume replay in slide-show mode.
q Quit the replay.
r Redraw the log file from start.
s Skip to next time marker. Allows you to see what happened each second.
t Display time of an action at any point in the log file.
u Undo your last action.
v Display all environment variables in use at the time the log file was created.
[space] key Go to next position (usually a single character); that is, step forward through the log file.
[Enter] key Go to next line.
[backspace] key Back up to last position; that is, step backwards through the log file.
/<Regluar Expression>[Enter] Search for a regular expression while in interactive mode.
/[Enter] Repeat last search.

Display the time of an action at any point in the log file with t, redraw the log file with r, and undo your last action with u.

You can also display all the environment variables which were in use at the time the log file was created using v. Use q or Q to quit pmreplay.

Type any key to continue replaying the I/O log.

pmresolvehost

Syntax
pmresolvehost -p|-v|[-h <hostname>] [-q][-s yes|no]
Description

The pmresolvehost command verifies the host name / IP resolution for the local host or for a selected host. If you do not supply arguments, pmresolvehost checks the local host name/IP resolution.

Options

pmresolvehost has the following options:

Table 85: Options: pmresolvehost
Option Description
-h Verify the selected host name.
-p Print the fully qualified local host name.
-q Run in silent mode; display no errors.
-s Specify whether to allow short names.
-v Display Privilege Manager version.

pmrun

Syntax

pmrun -v | -z on|off[<pid>] [-b][-d][-n][-p] [-m masterhost] [-h hostname] 
        [-u requestuser] command [arg(s)]

Description

(Privilege Manager for Unix only.) The pmrun command requests that an application is run in a controlled account. Simply add pmrun to the beginning of the command line. For example:

pmrun backup /usr dev/dat

pmrun checks the /etc/opt/quest/pm.settings file to determine which the policy server daemon to send the request. Once it has contacted a policy server daemon, it sends a request to the daemon to run the application specified. As with the rlogin command, you can type ~^Z to suspend pmrun, or ~. to terminate it. You must enter these commands at the beginning of a new line.

Options

pmrun has the following options:

Table 86: Options: pmrun
Option Description
-b Allows the runcommand process to run in the background, permitting you to execute other programs or commands from the same window. You can use the -b switch with any application process which does not require output that changes the tty mode. Because of this restriction, you can not use the -b switch with applications that require a password.
-d The -d option is required if the application you are running uses the nohup command. Include the -d parameter to ensure that the nohup command functions correctly.
-h host Allows you to request a particular execution host to run the request. Enter -h hostbefore the command you are requesting.
-m polserverhost Allows you to select the policy server host to contact, bypassing the usual selection methods. The specified host must be in the masters setting in the pm.settings file.
-n Redirects the input of pmrun to /dev/null. Use the -n option to avoid unfortunate interactions between pmrun and the shell which invokes it. For example, if you are running pmrun and start a pmrun in the background without redirecting its input away from the terminal, it will block even if no reads are posted by the remote command.
-p Puts pmrun into pipe mode, in which all interactions with the user's terminal are done without changing any of the terminal parameters. Normally, pmrun puts the terminal into raw mode, so that programs such as text editors, which require raw mode, can run properly under pmrun. Pipe mode is useful when you need to pipe several pmrun commands together. For example:

pmrun -p ls /etc/secure | pmrun -p dbadd listing

-u user Request to run the command as the specified user. The policy server decides whether to honor this request.
-v Displays the version number of Privilege Manager for Unix and exits.
-z Enable/disable tracing for this program and optionally for a currently running process. (Refer to Enabling Program-level Tracing before using this option.)
Files

File containing Privilege Manager communication parameters, including the list of valid master hosts:

/etc/opt/quest/qpm4u/pm.settings 

pmserviced

Syntax

pmserviced [-d] [-n] [-s] [-v] [-z on|off[:<pid>]]

Description

The Privilege Manager service daemon, (pmserviced) is a persistent process that spawns the configured Privilege Manager services on demand. The pmserviced daemon is responsible for listening on the configured ports for incoming connections for the Privilege Manager for Unix daemons. It is capable of running the pmmasterd, pmlocald, pmclientd and pmtunneld services. Note that only one of pmmasterd and pmclientd may be enabled as they use the same TCP/IP port. (See the individual topics in PM Settings Variables for more information about these daemon settings.)

Options

pmserviced has the following options:

Table 87: Options: pmserviced
Option Description
-d Logs debugging information such as connection received, signal receipt and service execution.

By default, pmserviced only logs errors.

-n Do not run in the background or create a pid file. By default, pmserviced forks and runs as a background daemon, storing its pid in /var/opt/quest/qpm4u/pmserviced.pid. When you specify the -n option, it stays in the foreground. If you also specify the -d option, error and debug messages are logged to the standard error in addition to the log file or syslog.
-s Connects to the running pmserviced and displays the status of the services, then exits.
-v Displays the version number of Privilege Manager for Unix and exits.
-z Enables/disables tracing for pmserviced. (Refer to Enabling Program-level Tracing before using this option.)

pmserviced Settings

pmserviced uses the following options in /etc/opt/quest/qpm4u/pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon:

Table 88: Options: pmserviced
Daemon Name Flag to Enable daemon Listen on Port Command Line Options
pmclientd pmclientdEnabled masterport pmclientdOpts
pmlocald pmlocaldEnabled localport pmlocaldOpts
pmmasterd pmmasterdEnabled masterport pmmasterdOpts
pmtunneld pmtunneldEnabled tunnelport pmtunneldOpts

Table 89: Settings: pmserviced
Setting Description
pmservicedLog pathname | syslog Fully qualified path to the pmserviced log file or syslog.
pmmasterdEnabled YES | NO When set to YES, pmserviced runs pmmasterd on demand.
masterport number The TCP/IP port pmmasterd or pmclientd uses to listen.
pmmasterdOpts options Any command line options passed to pmmasterd when executed.
pmlocaldEnabled YES | NO When set to YES, pmserviced runs pmlocald on demand.
localport number The TCP/IP port pmlocald uses to listen.
pmlocaldOpts options Command line options passed to pmmasterd when executed.
pmlocaldEnabled YES | NO When set to YES, pmserviced runs pmlocald on demand.
localport number The TCP/IP port pmlocald uses to listen.
pmlocaldOpts options Any command line options passed to pmlocald when executed.
pmclientdEnabled YES | NO When set to YES, pmserviced runs pmclientd on demand.
pmclientdOpts options Any command line options passed to pmclientd when executed.
pmtunneldEnabled YES | NO When set to YES, pmserviced runs pmtunneld on demand.
tunnelport number The TCP/IP port pmtunneld uses to listen.
pmtunneldOpts options Any command line options passed to pmtunneld when executed.

Files
  • settings file: /etc/opt/quest/qpm4u/pm.settings
  • pid file: /var/opt/quest/qpm4u/pmserviced.pid
Related Topics

pmlocald

pmmasterd

Related Documents