Safeguard for Sudo 2.0 - Administrators Guide

Advanced Privilege Manager for Unix Configuration

This section provides advanced information on how to configure and implement Privilege Manager for Unix.

Privilege Manager Shells

Privilege Manager shells provide a means of auditing and controlling a user’s login session in a way that is transparent to the user, without the user having to preface commands with pmrun.

Privilege Manager provides Privilege Manager-enabled versions of three standard shells: pmksh, pmsh and pmcsh. All three shells read the same policy file variables, so one set of variables controls the behavior of whichever shell a user runs.

By default, all built-in shell commands are allowed to run without any further authorization by the shell; however, you must authorize all non-built-in shell commands. Once authorized, all commands are run locally by the shell with the authority of the user running the shell.

In the policy file you choose the level of control applied to commands run from a shell: a command can be forbidden outright, allowed to run by the shell program without any further authorization from the policy server, or presented to the policy server for authorization, which also records it for audit logging. You can also configure keystroke logging for the shell session so that the whole session is written to a single I/O log file.

Privilege Manager Shell Features

Use a Privilege Manager shell to control and/or log Privilege Manager sessions, regardless of how you are logged in (for example, telnet, rlogin, rsh, rexec).

You can use one of these Privilege Manager-enabled shells to create a fully featured shell environment for a user:

  • pmksh - a Privilege Manager-enabled version of ksh (the Korn shell)
  • pmsh - a Privilege Manager-enabled version of the Bourne shell
  • pmcsh - a Privilege Manager-enabled version of the C shell

Each shell provides command control for every command a user enters during a login session. You can configure each command the user enters to be authorized by the policy server before it executes; this includes the shell built-in commands.

You can configure keystroke logging for the entire login session and have it written to a single file.

Alternatively, you can use pmshellwrapper to act as a Privilege Manager wrapper for any valid shell program on a host, or create a custom Privilege Manager shell by means of a shell script. In these cases, however, the individual commands run during the login session are not controlled by Privilege Manager.

To use pmshellwrapper, create a link using the name of the system shell you want to run. For example, to create a wrapper for bash, enter:

ln -s /opt/quest/libexe/pmshellwrapper /opt/quest/libexe/pmshellwrapper_bash

When you run the pmshellwrapper_bash program, it transparently runs pmrun bash instead.

For example, to create a custom Privilege Manager shell (a shell script that runs the actual shell using pmrun), run:

#!/bin/ksh
# Check whether standard input is a terminal; tty exits 0 when it is.
tty 2>/dev/null 1>/dev/null
x=$?
if [ $x -ne 0 ]
then
    # No controlling terminal: run ksh under pmrun with the caller's arguments.
    exec /opt/quest/bin/pmrun ksh "$@"
else
    # Interactive terminal session: run ksh under pmrun as a login-style shell.
    exec /opt/quest/bin/pmrun -c -ksh "$@"
fi

NOTE: Add the full pathname of the shell program to the /etc/shells file if you are using pmksh, pmsh, pmcsh or pmshellwrapper on your system.

Forbidden Commands

Use the pmshell_forbid list variable in the policy file to define the commands you want the shell to forbid without any further authorization by the policy server. The shell program interprets this list as a list of regular expressions and checks each command a user enters against it. If a match is found, the shell rejects the command without consulting the policy server. Because the shell itself forbids these commands, they do not produce a reject entry in the event log. You can also configure the message that is displayed when a user issues one of these commands.
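The following is an added illustrative model, not Privilege Manager's own code, of the per-command decision described in this section and in the shell overview above: built-ins run locally, commands matching a pmshell_forbid pattern are rejected by the shell with no policy-server round trip and no event-log entry, and everything else goes to the policy server for authorization. The pattern list, the built-in list, the message text and the command lines are all constructed for the example; the real values come from your policy file. Note how the patterns are anchored with ^: an unanchored "rm" would also match "format" or "chmod", because the list is matched as regular expressions, not as command names.

```shell
#!/bin/sh
# Illustrative model (added example; not Privilege Manager's own code) of the
# three-way decision a Privilege Manager shell such as pmksh makes for each
# command line a user types:
#   1. shell built-ins run locally without authorization (the default);
#   2. anything matching a pmshell_forbid regular expression is rejected by
#      the shell itself, with no policy-server round trip and no event-log
#      reject entry;
#   3. everything else is presented to the policy server for authorization.
# The forbid patterns, the built-in list and the message text are constructed
# for this example; real values live in your policy file.

# Constructed stand-in for the pmshell_forbid list: one extended regular
# expression per line. Anchor with ^ so "rm" cannot match "format" or "chmod".
PMSHELL_FORBID='^rm[[:space:]]+-[a-z]*r[a-z]*[[:space:]]+/[[:space:]]*$
^mkfs
^(su|sudo)([[:space:]]|$)'

# Constructed stand-in for the message shown when a forbidden command is typed.
PMSHELL_FORBID_MESSAGE='This command is forbidden by the shell configuration.'

# Built-ins of the model shell (a small subset, enough for the example).
PMSHELL_BUILTINS='cd pwd echo export set unset alias'

# Succeed (0) if CMD matches any forbid pattern, fail (1) otherwise.
# The here-document keeps the loop in the current shell, so "return" works.
pmshell_is_forbidden() {
    cmd=$1
    while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        if printf '%s\n' "$cmd" | grep -Eq -- "$pattern"; then
            return 0
        fi
    done <<EOF
$PMSHELL_FORBID
EOF
    return 1
}

# Succeed if the first word of CMD is one of the model shell's built-ins.
pmshell_is_builtin() {
    set -- $1              # word-split the command line; $1 is now the verb
    for b in $PMSHELL_BUILTINS; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# Print which path a command line takes: builtin, forbidden or authorize.
pmshell_classify() {
    if pmshell_is_builtin "$1"; then
        echo builtin
    elif pmshell_is_forbidden "$1"; then
        echo forbidden
    else
        echo authorize
    fi
}

# Walk a few constructed command lines through the decision.
pmshell_demo() {
    for line in 'cd /tmp' 'rm -rf /' 'rm -f notes.txt' 'sudo -i' \
                'format /dev/sda' 'mkfs.ext4 /dev/sdb' 'ls -l'; do
        verdict=$(pmshell_classify "$line")
        case $verdict in
            forbidden) printf '%-20s -> rejected locally: %s\n' "$line" "$PMSHELL_FORBID_MESSAGE" ;;
            builtin)   printf '%-20s -> run by the shell, no authorization\n' "$line" ;;
            authorize) printf '%-20s -> sent to the policy server for authorization\n' "$line" ;;
        esac
    done
}

pmshell_demo
```

Run it with any POSIX sh. The "rm" pattern is deliberately narrow (a recursive delete whose target is exactly /) so that ordinary file deletion still reaches the policy server, where it can be authorized or rejected and, unlike a shell-forbidden command, logged.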
