
Safeguard for Sudo 2.0 - Administrators Guide


Default Profile-Based Policy (pmpolicy)


The default configuration for the pmpolicy type is a profile-based security policy, which consists of several files. The main policy code resides in the global_profile.conf and profileBasedPolicy.conf files. Quest recommends that you do not enter customized code in these files, because doing so impacts the effectiveness and accuracy of the reports produced by Management Console for Unix. Instead, Quest recommends that you use the profiles to effect changes in policy.

Best practice: Create custom code in profile_customer_policy.conf. (See Policy Scripting Tutorial to learn the basics of advanced policy scripting.)

Policy Profiles

If you configure Privilege Manager using the pmpolicy type, pmsrvconfig creates a group of default profile-based policy files that you can customize to define which commands you want to allow your users to run. This provides a convenient way to experience the benefits of Privilege Manager for Unix while familiarizing yourself with the basics of policy scripting. The default security policy is made up of four sample profiles (admin, demo, helpdesk, webadmin) and three shell profiles (root, restricted, qpm4u_login).

Profiles

These profiles are enabled by default:

  • admin.profile allows its members to run any command as the root user with full keystroke logging. You can add users to this profile by adding either their user ID or primary group ID to the pf_authusers or pf_authgroups variables, respectively. By default, the only member is the root user.
  • demo.profile allows its members to run the id command as the root user to demonstrate how rights are delegated to non-privileged users. By default, all users are members of this profile.

These profiles are disabled by default:

  • webadmin.profile allows for webserver administration commands.
  • helpdesk.profile allows simple helpdesk functions.

These profiles provide additional examples of how to create and configure profiles. They are disabled by default to prevent the granting of unwanted access.

Shell Profiles

In addition, three shell profiles are included in the /profiles/shellprofiles directory. They permit users to run specified shell programs.

These shell profiles are enabled by default:

  • root.shellprofile allows the root user unrestricted access to any of the pmshells (pmksh, pmcsh, pmsh) as the root user.
  • qpm4u_login.shellprofile allows any user unrestricted access to any of the pmshellwrapper wrapped shells that are configured on your system. See Privilege Manager Shell Features.

This shell profile is disabled by default:

  • restricted.shellprofile allows any user restricted access to any of the pmshells (pmksh, pmcsh, pmsh) as the root user, with access limited to programs in /opt/quest/bin and /sbin only.

Profile-Based Policy Files

The profiles and shell profiles allow for easy management of your policy, but the core of the policy is included in other policy files. The following table briefly describes the files that are used in the Profile-Based Policy:

Table 10: Profile-based policy files

pm.conf
  Description: Main policy file.
  Includes: global_profile.conf, profileBasedPolicy.conf
  Included by: NONE
  NOTE: Do not put custom code in this policy file.

global_profile.conf
  Description: Defines default global variables. Also includes extensive comments documenting the variables.
  Includes: NONE
  Included by: pm.conf
  NOTE: Do not put custom code in this policy file; however, you may change the default settings.

profileBasedPolicy.conf
  Description: Primary decision-making policy file for the profile-based policy. (Not meant to be edited by customers.)
  Includes: profile_customer_policy.conf, *.profile, *.shellprofile
  Included by: pm.conf
  NOTE: Special hook functions defined in profile_customer_policy.conf are called from this policy file.

profile_customer_policy.conf
  Description: Custom policy file for customer-defined global variables and policy code. You can modify special hook functions to execute custom policy code at certain points in the profile evaluation:
    • fn_log_and_accept_custom
    • fn_custom_profile_init
    • pr_custom_profile_reset
    • fn_customer_init
  Includes: NONE
  Included by: profileBasedPolicy.conf
  You can create custom policy in this file. However, custom policies may affect the accuracy of the reports generated in Management Console for Unix. (See The Privilege Manager for Unix Security Policy.)

*.profile (in the profiles directory*)
  Description: Profile configuration file for allowing certain commands to be run by pmrun.
  Includes: NONE
  Included by: profileBasedPolicy.conf
  NOTE: Do not put custom code in this policy file.

*.shellprofile (in the profiles or shellprofiles directory)
  Description: Profile configuration file for interactive Privilege Manager shells (including wrapped shells).
  Includes: NONE
  Included by: profileBasedPolicy.conf

NOTE: * Profiles and shell profiles only contain variable assignments that are used in the policy decision making.

Profile Selection

When evaluating the profile-based policy, the policy server must first determine which of the profiles match the incoming request. The policy uses the Who, What, Where, and When criteria specified in the profiles to determine a match. Note that the filename used for a profile is significant: the policy checks the profiles sequentially, in lexical order of filename, until a match is found. Once a profile is selected, the remaining profiles are not evaluated.
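The selection rule above, together with the admin and demo profiles described under Profiles, can be modelled in a few lines. The following Python is an added illustration written for this page; it is not One Identity code and not the pmpolicy language. Only pf_authusers, pf_authgroups, the admin/demo profile behaviour, and the lexical-order, first-match rule come from the documentation; the variable names pf_authcmds, pf_authhosts and pf_authhours, the Request fields, and the sample profiles are assumptions constructed for the example. It shows why filename order matters: because admin.profile sorts before demo.profile, a request from root always lands in admin.profile with keystroke logging and never falls through to the narrower demo profile, while a disabled profile is skipped entirely.

```python
"""Model of profile-based policy selection (added example, not product code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple


@dataclass
class Profile:
    filename: str                      # significant: profiles are checked in lexical order
    enabled: bool = True               # disabled profiles (helpdesk, webadmin) are never matched
    pf_authusers: Set[str] = field(default_factory=set)    # Who: user IDs (from the page)
    pf_authgroups: Set[str] = field(default_factory=set)   # Who: primary group IDs (from the page)
    pf_authcmds: List[str] = field(default_factory=list)   # What: command patterns (assumed name)
    pf_authhosts: List[str] = field(default_factory=lambda: ["*"])  # Where: host patterns (assumed)
    pf_authhours: Tuple[int, int] = (0, 24)                 # When: allowed hours [start, end) (assumed)
    runas: str = "root"
    keystroke_logging: bool = False


@dataclass
class Request:
    user: str
    group: str      # primary group
    command: str    # argv[0] of the pmrun request, e.g. "id"
    host: str
    hour: int


def matches(p: Profile, r: Request) -> bool:
    """Apply one profile's Who / What / Where / When criteria to a request."""
    if not p.enabled:
        return False
    # Who: no users and no groups listed means every user is a member (demo.profile default)
    who_ok = (not p.pf_authusers and not p.pf_authgroups) \
        or r.user in p.pf_authusers or r.group in p.pf_authgroups
    what_ok = any(fnmatch(r.command, pat) for pat in p.pf_authcmds)
    where_ok = any(fnmatch(r.host, pat) for pat in p.pf_authhosts)
    start, end = p.pf_authhours
    when_ok = start <= r.hour < end
    return who_ok and what_ok and where_ok and when_ok


def select_profile(profiles: List[Profile], r: Request) -> Optional[Profile]:
    """Check profiles sequentially in lexical filename order; the first match wins
    and the remaining profiles are not evaluated."""
    for p in sorted(profiles, key=lambda p: p.filename):
        if matches(p, r):
            return p
    return None


def decide(profiles: List[Profile], r: Request) -> dict:
    """Return the policy decision for a request: allowed or rejected, which profile
    matched, which user the command runs as, and whether keystrokes are logged."""
    p = select_profile(profiles, r)
    if p is None:
        return {"allowed": False, "profile": None, "runas": None, "keystroke_logging": False}
    return {"allowed": True, "profile": p.filename, "runas": p.runas,
            "keystroke_logging": p.keystroke_logging}


# Constructed sample profiles mirroring the defaults described on the page.
SAMPLE_PROFILES = [
    Profile("admin.profile", pf_authusers={"root"}, pf_authcmds=["*"], keystroke_logging=True),
    Profile("demo.profile", pf_authcmds=["id"]),                     # all users, id as root
    Profile("helpdesk.profile", enabled=False, pf_authcmds=["passwd"]),
    Profile("webadmin.profile", enabled=False, pf_authcmds=["apachectl"]),
]

if __name__ == "__main__":
    for req in (Request("root", "root", "id", "host1", 10),
                Request("alice", "users", "id", "host1", 10),
                Request("alice", "users", "passwd", "host1", 10)):
        print(req.user, req.command, "->", decide(SAMPLE_PROFILES, req))
```

The third request shows the value of shipping the extra sample profiles disabled: alice's passwd request is rejected until an administrator deliberately enables helpdesk.profile, rather than being granted by an example profile nobody reviewed.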
