One Identity Privileged Access Suite for Unix
Introducing Privilege Manager for Unix
What is Privilege Manager for Unix?
Benefits of Privilege Manager for Unix
How Privilege Manager for Unix Protects
How Privilege Manager for Unix Works
What's New in Privilege Manager 6.0
Introducing Privilege Manager for Sudo
Planning Deployment
Installation and Configuration
Download Privilege Manager for Unix Software Packages
Download Privilege Manager for Sudo Software Packages
Quick Start and Evaluation
Configure a Primary Policy Server
Upgrading Privilege Manager
Check the Server for Installation Readiness
Configure a Secondary Policy Server
Install PM Agent or Sudo Plugin on a Remote Host
TCP/IP Configuration
Firewalls
Hosts Database
Reserve Special User and Group Names
Applications and File Availability
Policy Server Daemon Hosts
Local Daemon Hosts
Sudo 1.8.1
Install the Privilege Manager Packages
Configure the Primary Policy Server for Privilege Manager for Unix
pmpolicy Server Configuration Settings
Verifying the Primary Policy Server
Recompile the whatis Database
Configure the Privilege Manager for Sudo Primary Policy Server
Join Hosts to Policy Group
Check PM Agent Host for Installation Readiness
Install a PM Agent on a Remote Host
Join the PM Agent to the Primary Policy Server
CheckSudo Plugin Host for Installation Readiness
Install a Sudo Plugin on a Remote Host
Join a Sudo Plugin to a Primary Policy Server
Remove Configurations
Package Removal and Installation
System Administration
Removing Privilege Manager
Server Package Installation
Agent Package Installation
Sudo Plugin Package Installation
Upgrading to Privilege Manager for Unix 6.0
Upgrade Considerations and Recommendations
Preparing the Privilege Manager for Unix Policy for Import
Configuring the Primary Policy Server with an Imported Policy
Joining the Agent to the Policy Group
Importing Event Logs into the new Database Format
Reporting Basic Policy Server Configuration Information
Checking the Status of the Master Policy
Checking the Policy Server
Checking Policy Server Status
Checking the Sudo Plugin Configuration Status
Checking the Privilege Manager for Unix PM Agent Configuration Status
Install Licenses
Listing Policy File Revisions
Viewing Differences Between Revisions
Backup and Recovery
Managing Security Policy
Security Policy Types
Specifying Security Policy Type
The Sudo Type Policy
Pmpolicy Type Policy
Editing the Policy Interactively
Modifying Complex Policies
Viewing the Security Profile Changes
The Privilege Manager for Unix Security Policy
Default Profile-Based Policy (pmpolicy)
Exploring Profiles
Customizing the Default Profile-Based Policy (pmpolicy)
Policy Scripting Tutorial
Advanced Privilege Manager for Unix Configuration
Install the Example Policy File
Create Test Users
Set Lesson Number Variable
Introductory Lessons
Lesson 1: Basic Policy
Lesson 2: Conditional Privilege
Lesson 3: Specific Commands
Lesson 4: Policy Optimization with List Variables
Lesson 5: Keystroke Logging
Lesson 6: Conditional Keystroke Logging
Lesson 7: Policy Optimizations
Advanced Lessons
Sample Policy Files
Main Policy Configuration File
Lesson 1 Sample: Basic Policy
Lesson 2 Sample: Conditional Privilege
Lesson 3 Sample: Specific Commands
Lesson 4 Sample: Policy Optimizations with List Variables
Lesson 5 Sample: Keystroke Logging
Lesson 6 Sample: Conditional Keystroke Logging
Lesson 7 Sample: Policy Optimizations
Lesson 8 Sample: Controlling the Execution Environment
Lesson 9 Sample: Flow Control
Lesson 10 Sample: Basic Menus
Privilege Manager Shells
Administering Log and Keystroke Files
Privilege Manager Shell Features
Forbidden Commands
Allowed Commands
Allowed Piped Commands
Check Shell Built-in Commands
Read-Only Variable List
Running a Shell in Restricted Mode
Additional Shell Considerations
Configuring Privilege Manager for Policy Scripting
Configuration Prerequisites
Configuration File Examples
Configuring Firewalls
Example 1: Basics
Example 2: Accept or Reject Requests
Example 3: Command Constraints
Example 4: Lists
Example 5: I/O Logging, Event Logging and Replay
Example 6: More Complex Policies
Example 7: Use Variables to Store Constraints
Example 8: Control the Run-Time Environment
Example 9: Switch and Case Statements
Example 10: Menus
Use the While Loop
Use Parallel Lists
Best Practice Policy Guidelines
Multiple Configuration Files and Read-Only Variables
Mail
Environmental Variables
NIS Netgroups
Specify Trusted Hosts
Privilege Manager Port Usage
Restricting Port Numbers for Command Responses
Configuring pmtunneld
Configuring Network Address Translation (NAT)
Configuring Kerberos Encryption
Configuring Certificates
Configuring Alerts
Configuring Pluggable Authentication Method (PAM)
Configuring Keystroke Logging for Privilege Manager for Sudo Policy
Controlling Logs
Local Logging
Central Logging with Privilege Manager for Unix
Controlling Log Size with Privilege Manager for Unix
Viewing the Log Files Using a Web Browser
Viewing the Log Files Using Command Line Tools
Listing Event Logs
Backing up and archiving event and keystroke logs
InTrust Plug-in for Privilege Manager
InTrust Plug-in Requirements
Installing InTrust Plug-in Components
InTrust Plug-in Installation Prerequisites
Configuring the Policy Server for the InTrust Plug-in
Installing the InTrust Knowledge Pack
Installing the InTrust Reporting Pack
Configuring the InTrust Data Collection
Viewing InTrust Reports
Generating Reports
Troubleshooting
Displaying Sudo Policy Debug Information
Displaying Profile-Based Policy Debug Information
Enabling Program-level Tracing
Join Fails to Generate a SSH Key for Sudo Policy
Join to Policy Group Failed on Sudo Plugin
Load Balancing and Policy Updates
Policy Servers are Failing
Sudo Command is Rejected by Privilege Manager for Unix
Sudo Policy Is Not Working Properly
Privilege Manager for Unix Policy File Components
Privilege Manager Variables
Variable Names
Variable Scope
Global Input Variables
Privilege Manager for Unix Flow Control Statements
alertkeymatch
argc
argv
client_parent_pid
client_parent_uid
client_parent_procname
clienthost
command
cwd
date
day
dayname
domainname
env
false
FEATURE_LDAP
FEATURE_VAS
gid
group
groups
host
hour
masterhost
masterversion
minute
month
nice
nodename
pid
pmclient_type
pmclient_type_pmrun
pmclient_type_sudo
pmshell
pmshell_builtin
pmshell_cmd
pmshell_cmdtype
pmshell_exe
pmshell_interpreter
pmshell_prog
pmshell_script
pmshell_uniqueid
pmversion
ptyflags
requestlocal
requestuser
samaccount
status
submithost
submithostip
thishost
time
true
ttyname
tzname
uid
umask
unameclient
uniqueid
use_rundir
use_rungroup
use_rungroups
use_runshell
user
year
Global Output Variables
alertkeyaction
alertkeysequence
disable_exec
eventlog
eventloghost
execfailedmsg
iolog
iolog_encrypt
iolog_errmax
iolog_opmax
iologhost
log_passwords
logomit
logstderr
logstdin
logstdout
notfoundmsg
passprompts
pmshell_allow
pmshell_allowpipe
pmshell_checkbuiltins
pmshell_forbid
pmshell_readonly
pmshell_reject
pmshell_restricted
preserve_clienthost
profile_keepenv
profile_setenv
profile_unsetenv
profile_use_runuser
rejectmsg
runargv
runchroot
runcksum
runclienthost
runcommand
runconfirmuser
runcwd
runenv
rungroup
rungroups
runhost
runnice
runpaths
runptyflags
runtimeout
runumask
runuser
runutmpuser
subprocuser
tmplogdir
Global Event Log Variables
PM Settings Variables
accept
break
continue
do-while
for loop
for loop
function
if-else
include
procedure / function
readonly
readonlyexcept
reject
return
switch
while
Privilege Manager for Unix Built-in Functions and Procedures
Environment Functions
Hash Table Functions
Input and Output Functions
LDAP Functions
Privilege Manager Programs
ldap_ bind
ldap_count_entries
ldap_dn2ufn
ldap_explode_dn
ldap_first_attribute
ldap_first_entry
ldap_get_attributes
ldap_get_dn
ldap_get_values
ldap_next_attribute
ldap_next_entry
ldap_open
ldap_search
ldap_unbind
LDAP API Example
List Functions
Miscellaneous Functions
atoi
authenticate_pam
authenticate_pam_toclient
basename
comparehosts
datecmp
dirname
feature_enabled
fileexists
glob
ingroup
innetgroup
innetuser
lineno
mktemp
osname
quote
rand
stat
strftime
system
timebetween
tolower
toupper
uname
Password Functions
Remote Access Functions
remotefileexists
remotegroupinfo
remotegrouplist
remotesysinfo
remoteusergroups
remoteuserinfo
remoteuserlist
String Functions
User Information Functions
Authentication Services Functions
pmcheck
pmclientd
pmclientinfo
pmcp
pmcsh
pmincludecheck
pminfo
pmjoin
pmjoin_plugin
pmkey
pmksh
pmless
pmlicense
pmlist
pmloadcheck
pmlocald
pmlog
pmlogadm
pmlogsearch
pmlogsrvd
pmlogxfer
pmmasterd
pmmg
pmpasswd
pmplugininfo
pmpluginloadcheck
pmpolicy
pmpolicyconvert
pmpolicyplugin
pmpoljoin_plugin
pmpolsrvconfig
pmremlog
pmreplay
pmresolvehost
pmrun
pmserviced
pmsh
pmshellwrapper
pmsrvcheck
pmsrvconfig
pmsrvinfo
pmstatus
pmscp
pmsum
pmsysid
pmtunneld
pmumacs
pmverifyprofilepolicy
pmvi
Installation Packages
Unsupported Sudo Options
Unsupported Command Line Sudo Options
Behavioral Change
Unsupported Sudoers Policy Options
Unsupported Sudoers Directives
Sudo Plugin Policy Evaluation
About us
pmsh
Syntax
pmsh -a|-b|-c <file>|-e|-f|-i|-m|-n|-o <option>|-s|-u|-v|-x|-C|-E|-I|-B|-V[-U <user>]
Description
(Privilege Manager for Unix only.) The Privilege Manager Bourne Shell (pmsh) command is a fully featured version of sh, that provides transparent authorization and auditing for all commands submitted during the shell session. pmsh supports the standard options for sh.
Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:
- forbidden by the shell without further authorization to the policy server
- allowed by the shell without further authorization to the policy server
- presented to the policy server for authorization
Once allowed by the shell, or authorized by the policy server, all commands are executed locally as the user running the shell program.
Options
pmsh has the following options:
| Option | Description |
|---|---|
| -a | Flag variables for export when assignments are made to them. |
| -b | Enable asynchronous notification of background job completion. (UNIMPLEMENTED) . |
| -B | Allows the shell to run in the background. |
| -c <file> | read commands from an file instead of from standard input. |
| -C | Do not overwrite existing files with `>'. |
| -e | Exit immediately if any untested command fails in non-interactive mode. The exit status of a command is considered to be explic- itly tested if the command is part of the list used to control an if, elif, while, or until; if the command is the left hand oper- and of an ``&&'' or ``||'' operator; or if the command is a pipe- line preceded by the ! operator. If a shell function is executed and its exit status is explicitly tested, all commands of the function are considered to be tested as well. |
| -E | Enable the built-in emacs(1) command line editor (disables the -V option if it has been set; set automatically when interactive on terminals). |
| -f | Disable pathname expansion.. |
| -h | A do-nothing option for POSIX compliance. |
| -i | Force the shell to behave interactively. |
| -I | Ignore EOF's from input when in interactive mode. |
| -m | Turn on job control (set automatically when interactive). |
| -n | If not interactive, read commands but do not execute them. This is useful for checking the syntax of shell scripts. |
| -o <option> | Sets the specified shell option. A list of shell options can be displayed using the set -o builtin command. |
| -p | Turn on privileged mode. This mode is enabled on startup if either the effective user or group ID is not equal to the real user or group ID. Turning this mode off sets the effective user and group IDs to the real user and group IDs. When this mode is enabled for interactive shells, the file /etc/suid_profile is sourced instead of ~/.profile after /etc/profile is sourced, and the contents of the ENV variable are ignored. |
| -s | Read commands from standard input (set automatically if no file arguments are present). This option has no effect when set after the shell has already started running (i.e., when set with the set command). |
| -u | Write a message to standard error when attempting to expand a variable, a positional parameter or the special parameter ! that is not set, and if the shell is not interactive, exit immediately. |
| -v | The shell writes its input to standard error as it is read. Useful for debugging. |
| -V | Enable the built-in vi command-line editor (disables -E if it has been set). |
| -x | Write each command (preceded by the value of the PS4 variable subjected to parameter expansion and arithmetic expansion) to standard error before it is executed. Useful for debugging. |
| -U <user> | Request to run the command as the specified user. The policy server decides whether to honor this request. |
pmsh supports the following builtin commands:
., :, [, alias, bg, break, cd, chdir, command, continueecho, eval, exec, exit, export, false, fg, getopts, hash, jobskill, local, printf, pwd, read, readonly, return, set, shift, testtimes, trap, true, type, ulimit, umask, unalias, unset, wait
pmshellwrapper
Syntax
pmshellwrapper
Description
(Privilege Manager for Unix only.) Use the pmshellwrapper program as a wrapper for any valid login shell on a host. It provides full keystroke logging for any normal shell, but does not provide authorization of the commands run from the shell.
To use pmshellwrapper, you must create a link for the real shell you want to use. For example:
ln –s /opt/quest/libexec/pmshellwrapper /opt/quest/bin/pmshellwrapper_bash
When the user runs pmshell_bash, it transparently converts this to pmrun bash.
pmsrvcheck
Syntax
pmsrvcheck --csv [ --verbose ] | --help | --pmpolicy | --primary | --secondary
Description
Use pmsrvcheck to verify that a policy server is setup properly. It produces output in either human-readable or CSV format similar to that produced by the preflight program.
The pmsrvcheck command checks:
- that the host is configured as a primary policy server and has a valid repository
- has a valid, up-to-date, checked-out copy of the repository
- has access to update the repository
- has a current valid Privilege Manager for Unix license
- pmmasterd is correctly configured
- pmmasterd can accept connections
pmsrvcheck produces output in either human-readable or CSV format similar to the pre-flight output.
Options
pmsrvcheck has the following options:
| Option | Description |
|---|---|
| --cvs | Displays csv, rather than human-readable output. |
| --help | Displays usage information. |
| --pmpolicy | Verifies that Privilege Manager policy is in use by the policy servers. |
| --primary | Verifies a primary policy server. |
| --secondary | Verifies a secondary policy server. |
| --verbose | Displays verbose output while checking the host. |
| --version | Displays the Privilege Manager for Unix version number and exits. |
Files
- Settings file: /etc/opt/quest/qpm4u/pm.settings
pmsrvconfig
Syntax
pmsrvconfig -h | --help [-abipqtv] [-d variable=value] [-f path] [-l license_file]
[-m sudo | pmpolicy] [-n group_name | -s hostname]
[-x [policy_server_host ...]] [-bpvx] -u [--accept] [--batch]
[--define variable=value] [--import path] [--interactive]
[--license license_file] [--name group_name | --secondary hostname]
[--pipestdin] [--plugin] [--policymode sudo | pmpolicy] [--tunnel]
[--unix [policy_server_host ...]] [--verbose] [--batch] [--plugin]
[--unix] [-- verbose] --unconfigDescription
Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.
Options
pmsrvconfig has the following options:
| Option | Description | ||
|---|---|---|---|
| -a | --accept | Accept the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt. | ||
| -b | --batch | Runs in batch mode; does not use colors or require userinput. | ||
| -d variable=value | --define variable=value | Specifies a variable for the pm.settings file and its associated value. | ||
| -h | --help | Displays usage information. | ||
| -i | --interactive | Runs in interactive mode; prompts for configuration parameters instead of using the default values. | ||
| -f path | --import path | Imports policy data from the specified path. The path may be set to either a file or a directory when using the pmpolicy type; the path must be set to a file when using the sudo policy type. | ||
| -l | --license | Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files. | ||
| -m sudo | pmpolicy | --policymode sudo | pmpolicy | Specifies the type of security policy: sudo or pmpolicy. The default is sudo. | ||
| -n | --name group_name | Uses group_name as the policy server group name. | ||
| -p | --plugin | Configures the Sudo Plugin. | ||
| -q | --pipestdin | Pipes password to stdin if password is required. | ||
| -s | --secondary primary_hostname | Configures host to be a secondary policy server where primary_hostname is the primary policy server. | ||
| -t | --tunnel | Configures host to allow Privilege Manager for Unix connections through a firewall. | ||
| -u | --unconfig | Unconfigures a Privilege Manager for Unix server. | ||
| -v | --verbose | Displays verbose output while configuring the host. | ||
| -x | --unix [policy_server_host ...] |
Configures Privilege Manager for Sudo on the local policy server; that is, configures pmlocald and pmrun to run on this host. If you do not specify a policy server host, it uses the local host name.
|
Examples
The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:
# pmsrvconfig –a –f /root/tmp/sudoers
By using the –a option, you are accepting the terms and obligations of the EULA in full.
By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the –n command option, like this:
# pmsrvconfig –a –n <MyPolicyGroup>
where <MyPolicyGroup> is the name of your policy group.
See Configure the Primary Policy Server for Privilege Manager for Unix and Policy Servers are Failing for other usage examples.
Files
Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install