
Safeguard for Sudo 2.0 - Administrators Guide


Configuring Kerberos Encryption


You can configure Privilege Manager to use Kerberos to authenticate hosts and to exchange encryption key information.

To configure Privilege Manager to use Kerberos encryption, edit or insert the following line in the /etc/opt/quest/qpm4u/pm.settings file:

kerberos yes

Also, to use Kerberos with Privilege Manager, ensure that suitable Service Principal Names (SPNs) are registered. Using the generic host service-type, configure the SPNs like this:

host/sun17.quest.com

NOTE: Substitute your own host names.

If the SPN has been registered using the fully qualified DNS name, you can abbreviate the SPNs to the service-type, such as:

host

Specify the service principal names using the mprincipal and lprincipal settings in the pm.settings file. For example, on an agent with a host name of sun17.quest.com and an SPN registered as db_server1.quest.com, specify:

mprincipal host
lprincipal host/db_server1.quest.com

You may need to modify these other settings according to your Kerberos configuration:

Table 20: Other Kerberos configuration settings

Kerberos Setting   Description
keytab             Location of the keytab file.
krb5rchache        Location of the Kerberos cache.
krbconf            Location of the Kerberos configuration file.

See PM Settings Variables for more information about modifying the Privilege Manager configuration settings.

Configuring Certificates

You can enable configurable certification for use with Privilege Manager. Configurable certification is a method of proprietary certification based on the system hardware ID, MD5 checksums and DES encryption.

Use the pmkey command to generate and install certificates. For example, to generate a new certificate and put it into the specified file, enter:

# pmkey -a <filename>

To install the newly generated certificate from the specified file, enter:

# pmkey -i <filename>

Enable Configurable Certification

To enable configurable certification

  1. Ensure that you have configured a Privilege Manager policy server and a Privilege Manager client.
  2. Add the following statement to the /etc/opt/quest/qpm4u/pm.settings file on each host:
    certificates YES
  3. To generate a key on the Privilege Manager policy server, enter:
    # pmkey -a <policy server filename>

    When prompted, enter a phrase or keyword.

  4. To install the key on the Privilege Manager policy server, run
    # pmkey -i <policy server filename>

    NOTE: You must enter the same filename in both the -a and -i commands shown above.

  5. To generate a key on each Privilege Manager client, enter:
    # pmkey -a <client filename>

    When prompted, enter a phrase or keyword. NOTE: You must use the same phrase or keyword to generate the client and policy server certificates.

  6. To install the key on the Privilege Manager client, run
    # pmkey -i <client filename>

    NOTE: You must enter the same filename in both the -a and -i commands shown above.

  7. Copy the key file you have created on each of the Privilege Manager clients to the Privilege Manager policy server.
  8. Copy the key file you have created on the Privilege Manager policy server to the Privilege Manager client.

    The keys are located in /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/<key filename>.

  9. On the Privilege Manager policy server, enter:
    # pmkey -i <client filename>
  10. On the Privilege Manager client, enter:
    # pmkey -i <policy server filename>

    Configurable certification is now enabled.

    NOTE: By default, pmkey certifies the pass phrase when installing the keyfile for other hosts. If you do not want pmkey to certify the pass phrase when installing the keyfile for other hosts, use -f in the pmkey -i command, like this:

    # pmkey -i <keyfile> -f

Configuring Alerts

Alerts enable you to specify commands that raise an alert if entered by a user, and the action you want Privilege Manager to take.

Use the alertkeyaction variable to specify the action Privilege Manager is to take when an alert is raised. The default action logs the alert and allows the command to continue.

Enter alertkeysequence in the policy as a list of regular expressions, like this:

alertkeysequence={"^rm.*", "/rm.*", ".*xterm"};

Other valid alert actions are:

  • log
  • reject
  • or any valid string

For example:

if (user=="root")
{
   alertkeyaction="ignore";
}
else if (user=="john")
{
   alertkeyaction="alert";
}
else if (user=="dave")
{
   alertkeyaction="trace";
}
else
{
   alertkeyaction="reject";
}

If an event raises an alert, Privilege Manager logs an AlertRaised event log. The alertkeyaction variable is also included in the log as part of the event.

If the alertkeyaction variable is set to reject, Privilege Manager cancels the command, terminates the user’s session, and displays a rejection message.

If the alertkeyaction variable is not set to reject, Privilege Manager allows the command to run and logs it in the event log. The example shown above shows how you can enter different strings for different users. This enables you to use the alertkeyaction variable as a filter to search the event log for these events.

alertkeyaction logging is enabled even if iologging is disabled. If iologging is disabled, a new session is started with pmmasterd for each alertraised event.

By default, alertraised events are not displayed in pmlog. To view the alertraised event, use the -l parameter or the -d parameter. For example:

# pmlog -l

Alert events have the same unique ID as the Privilege Manager session from which they were generated. This enables you to identify alert events raised during a specific session.

Use pmcheck to check a given string against any expression defined in the alertkeypatterns list:

# pmcheck -a "<string>" <command>

For example,

# pmcheck -a "rm /etc/opt/quest/qpm4u/pm.settings" ksh
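The following Python model, added here as an example and not part of Privilege Manager or this guide, ties the pieces above together: a pattern list like the alertkeysequence example, a per-user alertkeyaction like the policy fragment, and a pmcheck -a style check of a command string against the patterns. It assumes the patterns are POSIX regular expressions applied with search semantics (a pattern matches anywhere unless it anchors itself with ^), which is why "^rm.*" catches "rm ..." but not "/bin/rm ...", while "/rm.*" catches the latter. The event record format and the filtering helper are constructed for illustration and do not reproduce pmlog output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy data mirroring the guide's examples.
ALERT_KEY_SEQUENCE: List[str] = ["^rm.*", "/rm.*", ".*xterm"]

# alertkeyaction per user, as in the policy fragment above; the final
# "else" branch of that fragment becomes the default.
ALERT_KEY_ACTION: Dict[str, str] = {
    "root": "ignore",
    "john": "alert",
    "dave": "trace",
}
DEFAULT_ACTION = "reject"


@dataclass
class Outcome:
    alert_raised: bool          # True when some pattern matched the command
    pattern: Optional[str]      # the first matching pattern, if any
    action: str                 # the alertkeyaction in force for this user
    allowed: bool               # False only when the action is "reject"


def matching_pattern(command: str, patterns: List[str] = ALERT_KEY_SEQUENCE) -> Optional[str]:
    """Return the first pattern that matches the command string.

    Assumption: search semantics (re.search), so only patterns that start
    with ^ are anchored to the beginning of the command line.
    """
    for pat in patterns:
        if re.search(pat, command):
            return pat
    return None


def evaluate(user: str, command: str,
             patterns: List[str] = ALERT_KEY_SEQUENCE,
             actions: Dict[str, str] = ALERT_KEY_ACTION) -> Outcome:
    """Apply the alert rules for one command entered by one user."""
    action = actions.get(user, DEFAULT_ACTION)
    pat = matching_pattern(command, patterns)
    if pat is None:
        # No alert: the command runs and no AlertRaised event is produced.
        return Outcome(False, None, action, True)
    # An alert is raised. Only "reject" cancels the command; any other
    # string (log, ignore, alert, trace, ...) lets it continue and is logged.
    return Outcome(True, pat, action, action != "reject")


def event_record(session_id: str, user: str, command: str, outcome: Outcome) -> Dict[str, str]:
    """Build a constructed AlertRaised-style record carrying the session ID
    and the alertkeyaction value, so the log can be filtered on either."""
    return {
        "event": "AlertRaised",
        "session": session_id,
        "user": user,
        "command": command,
        "pattern": outcome.pattern or "",
        "alertkeyaction": outcome.action,
    }


def filter_events(events: List[Dict[str, str]], action: str) -> List[Dict[str, str]]:
    """Use the alertkeyaction string as a search filter over event records."""
    return [e for e in events if e["alertkeyaction"] == action]


if __name__ == "__main__":
    # Constructed sample session: same session ID on every alert it raises.
    samples = [
        ("john", "rm -rf /tmp/build"),
        ("alice", "/bin/rm -f /etc/passwd"),
        ("root", "xterm -display :0"),
        ("dave", "ls -l /var/log"),
    ]
    events = []
    for user, cmd in samples:
        out = evaluate(user, cmd)
        print(f"{user:6} {cmd!r:32} alert={out.alert_raised} action={out.action} allowed={out.allowed}")
        if out.alert_raised:
            events.append(event_record("sess-0001", user, cmd, out))
    print("events with alertkeyaction=alert:", len(filter_events(events, "alert")))
```

The "alice" case shows the default branch: an unlisted user hits alertkeyaction "reject", so the matched command is cancelled, whereas john's rm is logged with action "alert" and allowed to run.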