
Safeguard for Sudo 2.0 - Administrators Guide


Editing the Policy Interactively


You can use the pmpolicy edit command to interactively edit each file in your security policy, whether the policy consists of a single file or several files.

NOTE: See Modifying Complex Policies for a demonstration of how to check out, modify, and commit changes to the policy manually.

Changes are never made to the repository copy directly: the policy must first be checked out to a temporary location, edited there, and then committed back into the repository. pmpolicy edit performs the checkout automatically before opening the editor and checks the policy back in when you are done.

NOTE: You cannot edit the master copy of the policy in the repository directly.

The following example shows how to use pmpolicy edit to modify a security policy of the sudo policy type.

To edit policy interactively

  1. From the command line, run:
    # /opt/quest/sbin/pmpolicy edit
    ** Validate options       [ OK ] 
    ** Edit Policy 
    ** Check out working copy [ OK ] 
    ** Editing file:sudoers

    At this point, an interactive text editor program launches with the policy file. If your policy consists of more than one file (when using the pmpolicy policy type), exiting the editor causes the next file in the policy to open. It opens each file in the policy until all files have been edited. After completing your edits, pmpolicy continues with the automatic commit, which allows you to enter a commit log message:

    "//.scratch/._29435/sudoers.tmp" 73 lines, 2523 characters 
    ** Perform syntax check                                                 [ OK ] 
    ** Verify files to commit                                               [ OK ] 
    Please enter the commit log message:   + helpdesk ALL=(ALL) PASSWD:ALL 
    
    ** Commit change from working copy                                      [ OK ] 
    ** Committed revision 2 
    ** Finished editing policy

    If you are editing a policy that consists of more than one file (such as the default Privilege Manager for Unix policy), use the pmpolicy edit command with the -p flag to specify which file to edit rather than stepping through every file. For example, to interactively edit the Privilege Manager for Unix pm.conf file, run the following command:

    # /opt/quest/sbin/pmpolicy edit -p pm.conf

    NOTE: See pmpolicy for more information about using the pmpolicy command.

Modifying Complex Policies


If your policy consists of several files (the default pmpolicy, for example), or if you want to add files to or remove files from your policy, use the checkout, change, and commit method to implement the changes. The pmpolicy checkout command creates a working copy of the policy in which you can make any necessary changes; the pmpolicy commit command then applies the changes back to the repository. Use the pmpolicy add and pmpolicy remove commands to add files to or delete files from your working copy, respectively.

Checkout, Change, and Commit Example

The following example modifies the default pmpolicy type profile. (See Pmpolicy Type Policy for more information on the pmpolicy type policy.) Suppose you want to create a new "backup" profile that allows backup operators to run the "dump" and "restore" commands, using one of the existing profiles, helpdesk.profile, as a template. First, check out a working copy to a temporary directory, like this:

# pmpolicy checkout -d /tmp 
** Checkout to /tmp/policy_pmpolicy 
** Create directory                                                   [ OK ] 
** Check out working copy                                             [ OK ] 
** Copy files                                                         [ OK ] 
** Perform syntax check                                               [ OK ]

As seen in the command output, the working copy is placed in /tmp/policy_pmpolicy.

Next, change to the profiles directory within the working copy, copy helpdesk.profile to backup.profile, and run pmpolicy add to record that a file has been added to the working copy of the policy, as follows:

# cd /tmp/policy_pmpolicy/profiles 
# cp -p helpdesk.profile backup.profile 
# pmpolicy add -p profiles/backup.profile -d /tmp 
   ** Validate options                                                [ OK ] 
   ** Add file: profiles/backup.profile 
   ** Validate arguments                                              [ OK ] 
   ** Check if directory contains a working copy                      [ OK ] 
      - Directory contains an svn working copy:/tmp/policy_pmpolicy 
   ** Check current status of working copy                            [ OK ] 
   ** Check working copy is up to date                                [ OK ] 
   ** Check file status                                               [ OK ] 
   ** Add entry:/tmp/policy_pmpolicy//profiles/backup.profile         [ OK ]

After editing backup.profile to make the necessary changes, use the pmpolicy commit command to apply the changes to the repository, as follows:

# pmpolicy commit -d /tmp -l "added backup.profile" 
** Validate options                                                   [ OK ] 
** Commit copy in directory:/tmp/policy_pmpolicy 
** Check directory                                                    [ OK ] 
** Perform syntax check                                               [ OK ] 
** Verify files to commit                                             [ OK ] 
** Commit change from working copy                                    [ OK ] 
** Committed revision 3
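The checkout, add, and commit steps above are easy to script once the same change has to be rolled out repeatedly. The following is an added example, not code from the One Identity documentation: it wraps the three steps for cloning an existing profile into a new one and refuses to commit if any pmpolicy step reports something other than [ OK ]. It assumes pmpolicy is installed at /opt/quest/sbin/pmpolicy (override with PMPOLICY), that the checkout lands in WORKDIR/policy_pmpolicy as shown in the guide's output, and that the "** step [ OK ]" output format is as shown above; pmpolicy's exit codes are not documented on this page, so the script checks the output lines as well as the exit status.

```shell
#!/bin/sh
# Added example (not from the One Identity documentation): script the
# checkout / add / commit cycle for a new profile and refuse to commit
# if any pmpolicy step fails.
# Assumptions: pmpolicy is at /opt/quest/sbin/pmpolicy (override with
# PMPOLICY) and the checkout lands in WORKDIR/policy_pmpolicy, as in the
# guide's output. The "** step [ OK ]" line format is taken from the guide.
set -u
PMPOLICY="${PMPOLICY:-/opt/quest/sbin/pmpolicy}"

# pm_all_ok OUTPUT: succeed only if no "**" step line in OUTPUT carries a
# status other than [ OK ]. pmpolicy's exit codes are not documented on
# this page, so the output is checked in addition to the exit status.
pm_all_ok() {
    pm_bad=$(printf '%s\n' "$1" | grep '^[[:space:]]*\*\*.*\[' | grep -c -v '\[ OK \]') || true
    [ "${pm_bad:-0}" -eq 0 ]
}

# pm_step LABEL COMMAND...: run one pmpolicy invocation, echo its output,
# and abort (leaving the working copy in place for inspection) unless
# both its exit status and its step lines are clean.
pm_step() {
    pm_label=$1; shift
    pm_out=$("$@" 2>&1) && pm_rc=0 || pm_rc=$?
    printf '%s\n' "$pm_out"
    if [ "$pm_rc" -ne 0 ] || ! pm_all_ok "$pm_out"; then
        printf 'aborting at "%s" (exit %s); nothing committed\n' "$pm_label" "$pm_rc" >&2
        exit 1
    fi
}

# add_profile NAME TEMPLATE WORKDIR: clone TEMPLATE.profile into
# NAME.profile, open it for editing, and commit it. This mirrors the
# guide's backup.profile example; the commit step runs pmpolicy's own
# syntax check, so a broken edit stops here instead of reaching the repository.
add_profile() {
    pm_name=$1; pm_tmpl=$2; pm_wd=$3
    pm_wc="$pm_wd/policy_pmpolicy"
    pm_step checkout "$PMPOLICY" checkout -d "$pm_wd"
    cp -p "$pm_wc/profiles/$pm_tmpl.profile" "$pm_wc/profiles/$pm_name.profile"
    pm_step add "$PMPOLICY" add -p "profiles/$pm_name.profile" -d "$pm_wd"
    "${EDITOR:-vi}" "$pm_wc/profiles/$pm_name.profile"
    pm_step commit "$PMPOLICY" commit -d "$pm_wd" -l "add $pm_name.profile (from $pm_tmpl.profile)"
}

# Usage: sh add_profile.sh backup helpdesk /tmp
if [ "$#" -eq 3 ]; then
    add_profile "$1" "$2" "$3"
fi
```

The guide checks out to /tmp; if other users can log in to the policy server, check out into a directory you created with mode 0700 instead, so the working copy of the policy is not readable by them while you edit it.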

Viewing the Security Profile Changes


To view a summary of the changes you made to your security policy

  1. At the command line, run:
    # pmpolicy log
    ** Validate options          [ OK ] 
    ** Check out working copy    [ OK ] 
    ** Retrieve revision details [ OK ] 
    version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add helpdesk.shellprofile " 
    version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add shellProfile to helpdesk " 
    version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"
  2. To examine the differences between two versions, run:
    # pmpolicy diff -r1:2
    ** Validate options                                          [ OK ] 
    ** Check out working copy (trunk revision)                   [ OK ] 
    ** Check differences                                         [ OK ] 
    ** Report differences between selected revisions             [ OK ] 
       - Differences were detected between the selected versions 
    Details: 
    Index: profiles/helpdesk.profile 
    =================================================================== 
    --- profiles/helpdesk.profile (revision 1) 
    +++ profiles/helpdesk.profile (revision 2) 
    @@ -18,6 +18,7 @@ 
    enableRemoteCmds = false;   # Should remote cmds be allowed for privilege cmds ? 
                                # - ie should it allow cmds if: submithost != runhost 
                                # 
    +shellProfile = "helpdesk"; 
    authUser = "root";          # runuser to use when running the authCommands 
                                # Set to 1 of the following:

The output shows the helpdesk.profile file from line 18. The line that was added in the change between version 1 and version 2 is marked with a preceding “+”.
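Because every committed revision is recorded with its user, timestamp and log message, the pmpolicy log output is a ready-made change record for the policy. The following is an added example, not code from the One Identity documentation: it parses the key=value lines that pmpolicy log prints (format taken from the sample output above) into tab-separated records, and flags revisions whose commit message carries no change-ticket reference so that a review job can fail on undocumented policy changes. The ticket pattern (CHG-1234) is an assumed local convention, and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the One Identity documentation): turn the
# key=value lines that "pmpolicy log" prints into tab-separated records
# and flag revisions whose commit message has no change-ticket reference.
# The line format is taken from the guide's sample output; the ticket
# pattern used in the usage line is an assumed local convention.

# pm_log_tsv: read pmpolicy log output on stdin and print one line per
# revision: version<TAB>user<TAB>date<TAB>time<TAB>msg (msg trimmed).
# Lines that are not revision records (the "** ... [ OK ]" steps) are skipped.
pm_log_tsv() {
    awk '
    # kv(line, key): value of key in line; quoted values may contain commas
    # and end at the closing quote, bare values end at the next comma.
    function kv(line, key,    i, rest, j) {
        i = index(line, key)
        if (i == 0) return ""
        rest = substr(line, i + length(key))
        if (substr(rest, 1, 1) == "\"") {
            rest = substr(rest, 2)
            j = index(rest, "\"")
            return substr(rest, 1, j - 1)
        }
        j = index(rest, ",")
        return (j ? substr(rest, 1, j - 1) : rest)
    }
    /^[ \t]*version=/ {
        msg = kv($0, "msg=")
        sub(/[ \t]+$/, "", msg)
        printf "%s\t%s\t%s\t%s\t%s\n", kv($0, "version="), kv($0, "user="),
               kv($0, "date="), kv($0, "time="), msg
    }'
}

# pm_log_audit PATTERN: read pmpolicy log output on stdin, print every
# revision whose message does not match PATTERN (an awk ERE), and exit
# non-zero if any such revision exists, so the check can gate a review job.
pm_log_audit() {
    pm_log_tsv | awk -F '\t' -v pat="$1" '
        $5 !~ pat {
            print "revision " $1 " by " $2 " on " $3 " " $4 ": \"" $5 "\" has no ticket reference"
            bad++
        }
        END { exit (bad > 0) }'
}

# Usage (pmpolicy path as in the guide; CHG-nnnn is an assumed convention):
#   /opt/quest/sbin/pmpolicy log | pm_log_audit 'CHG-[0-9]+'
```

Pair the audit with pmpolicy diff: for each flagged revision N, pmpolicy diff -rN-1:N shows exactly what that undocumented commit changed, in the same unified-diff form as the helpdesk.profile output above.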

The Privilege Manager for Unix Security Policy


Privilege Manager for Unix uses a feature-rich, high-level scripting language as its security policy. This is also known as the pmpolicy or legacy type security policy. As an alternative to learning the policy scripting language and developing a security policy from scratch, the default configuration installs a "ready to use" Profile-Based security policy and a number of pre-defined profiles.

This section examines the Profile-Based policy and provides specific examples of how to modify the profiles and add custom code to adapt the policy to your needs.
