This section provides advanced information on how to configure and implement Privilege Manager for Unix.
Privilege Manager shells provide a means of auditing and controlling a user’s login session in a way that is transparent to the user, without the user having to preface commands with pmrun.
Privilege Manager provides enabled versions of three standard shells: pmksh, pmsh, pmcsh. Each shell uses the same policy file variables to control the behavior of the shell.
By default, all built-in shell commands are allowed to run without any further authorization by the shell; however, you must authorize all non-built-in shell commands. Once authorized, all commands are run locally by the shell with the authority of the user running the shell.
You can configure the level of control required for commands running from a shell in the policy file by configuring the policy file to either forbid commands or allow them to be run by the shell program without any further authorization to the policy server. You can also configure the policy file to authorize them as they are presented to the policy server for audit logging. Furthermore, you can configure keystroke logging for the shell session to be logged to a single I/O log file.
Use a Privilege Manager shell to control and/or log Privilege Manager sessions, regardless of how you are logged in (for example, telnet, rlogin, rsh, rexec).
You can use one of these Privilege Manager-enabled shells to create a fully featured shell environment for a user:
Each shell provides command-control for every command entered by a user during a login session. You can configure each command the user enters to be authorized with the policy server before it executes. This includes the shell built-in commands.
You can configure keystroke-logging for the entire login session and login to a single file.
Alternatively, you can use pmshellwrapper to act as a Privilege Manager wrapper for any valid shell program on a host, or create a custom Privilege Manager shell by means of a shell script. In these cases, however, the individual commands run during the login session are not controlled by Privilege Manager.
To use pmshellwrapper, create a link using the name of the system shell you want to run. For example, to create a wrapper for bash, enter:
ln -s /opt/quest/libexe/pmshellwrapper/opt/quest/libexe/pmshellwrapper_bash
When you run the pmshellwrapper_bash program, it transparently runs pmrun bash instead.
For example, to create a custom Privilege Manager shell (a shell script that runs the actual shell using pmrun), run:
#!/bin/ksh tty 2>/dev/null 1>/dev/null x=$? if [ $x -ne 0 ] then exec /opt/quest/bin/pmrun ksh "$@" else exec /opt/quest/bin/pmrun -c -ksh "$@" fi
NOTE: Add the full pathname of the shell program to the /etc/shells file if you are using pmksh, pmsh, pmcsh or pmshellwrapper on your system.
Use the pmshell_forbid list variable in the policy file to define a list of commands you want the shell to forbid without any further authorization by the policy server. The shell program interprets this list as a list of regular expressions. Privilege Manager checks each command a user enters against this list. If a match is found, it rejects the command without further authorization. These commands do not result in a reject entry in the event log as they are forbidden by the shell. You can also configure the message that is displayed when it issues one of these commands.