
Safeguard for Sudo 2.0 - Administrators Guide


Configuring Pluggable Authentication Modules (PAM)

Use authenticate_pam to define which users you want to authenticate by means of the PAM (Pluggable Authentication Modules) or SIA (Security Integration Architecture) APIs.

NOTE: This function is only available on platforms that have native support for PAM or SIA.

The operating system has configuration files, usually called /etc/pam.conf (or, on Linux, one file per service under /etc/pam.d/) or /etc/sia/matrix.conf, that specify which security database(s) to use to authenticate users, such as LDAP, Active Directory, and various PKI implementations.

The service parameter identifies the name of the PAM service to use to authenticate users. It can be any valid service name configured in the PAM or SIA system configuration, and it defaults to "login" when omitted.

NOTE: For more information on how to configure PAM or SIA with Privilege Manager, consult the documentation for your platform.

Utilizing PAM Authentication

Syntax
authenticate_pam (user,[service])

where service is the PAM service to use, such as sshd.

Examples

To utilize PAM authentication, add a rule like the following to your policy file:

if ( user=="paul" && basename(command)=="useradd") { 
   if (!authenticate_pam(user, "sshd")) { reject; } 
   runuser="root"; 
   accept; 
}

This function returns 0 to indicate failure and 1 to indicate success.

Related Function

authenticate_pam_toclient

Authenticate PAM to Client

Syntax
authenticate_pam_toclient (user,[service])

where service is the PAM service to use, such as sshd.

Description

authenticate_pam_toclient causes pmmasterd, on the policy server, to send a request to pmrun to perform the authenticate_pam operation on the pmrun host. The authentication therefore runs against the client host's PAM (or SIA) configuration, not the policy server's, so the service name you pass must be configured on every host from which the command can be submitted.

NOTE: This function is only available on platforms that have native support for PAM or SIA.

Example

To utilize PAM authentication on the client, add a rule like the following to your policy file:

if ( user=="paul" && basename(command)=="useradd") { 
   if (!authenticate_pam_toclient(user, "sshd")) { reject; } 
   runuser="root"; 
   accept; 
}

This function returns 0 to indicate failure and 1 to indicate success.
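Before a policy that calls either function goes live, it is worth checking that every PAM service name it references is actually configured on the host that will evaluate it: the policy server for authenticate_pam, and each pmrun host for authenticate_pam_toclient. On Linux-PAM, a service with no /etc/pam.d/<service> file silently falls back to /etc/pam.d/other (typically pam_deny.so on current distributions, but not guaranteed), so a misspelled service name does not produce an error; it is judged by whatever the "other" stanza says. The POSIX shell script below is an added example, not part of Privilege Manager or of One Identity's documentation. It assumes the Linux-PAM /etc/pam.d/ layout or a single-file /etc/pam.conf, and the policy file and the misspelled service name "pmuath" in its sample are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not One Identity code): audit the PAM service names that a
# pmpolicy file passes to authenticate_pam() / authenticate_pam_toclient()
# against the PAM configuration of the host this script runs on.
#
# Run it on the policy server to cover authenticate_pam, and on each client
# host to cover authenticate_pam_toclient. The PAM_DIR / PAM_CONF arguments
# exist so a mounted image or a test fixture can be checked instead.

# pam_service_status SERVICE [PAM_DIR] [PAM_CONF]
# Prints: configured | fallback-other | unconfigured
# Returns 0 only for "configured".
pam_service_status() {
    service=$1
    pam_d=${2:-/etc/pam.d}
    pam_conf=${3:-/etc/pam.conf}

    # Linux-PAM per-service file.
    if [ -f "$pam_d/$service" ]; then
        echo configured
        return 0
    fi
    # Single-file layout: the first field of each non-comment line is the
    # service name.
    if [ -f "$pam_conf" ] && grep -Eq "^[[:space:]]*${service}[[:space:]]" "$pam_conf"; then
        echo configured
        return 0
    fi
    # No explicit entry: Linux-PAM will use the "other" stanza if present,
    # so the outcome depends on that stanza, not on the name in the policy.
    if [ -f "$pam_d/other" ]; then
        echo fallback-other
        return 1
    fi
    echo unconfigured
    return 2
}

# policy_pam_services POLICY_FILE
# Emits "<function> <service>" for every authenticate_pam* call, one per
# line, de-duplicated. A call with no second argument uses the documented
# default service, "login".
policy_pam_services() {
    grep -oE 'authenticate_pam(_toclient)?[[:space:]]*\([^)]*\)' "$1" |
    while IFS= read -r call; do
        fn=${call%%(*}
        fn=$(printf '%s' "$fn" | tr -d '[:space:]')
        svc=$(printf '%s' "$call" | sed -n 's/.*"\([^"]*\)".*/\1/p')
        printf '%s %s\n' "$fn" "${svc:-login}"
    done | sort -u
}

# check_policy POLICY_FILE [PAM_DIR] [PAM_CONF]
# Prints one status line per referenced service; returns the number of
# services that are NOT explicitly configured (0 means all good).
check_policy() {
    policy=$1
    pam_d=${2:-/etc/pam.d}
    pam_conf=${3:-/etc/pam.conf}
    bad=0
    # A here-document is used instead of a pipe so that $bad survives the
    # loop (a pipeline would run the loop body in a subshell).
    while read -r fn svc; do
        [ -n "$fn" ] || continue
        status=$(pam_service_status "$svc" "$pam_d" "$pam_conf") || true
        printf '%-26s %-8s %s\n' "$fn" "$svc" "$status"
        [ "$status" = configured ] || bad=$((bad + 1))
    done <<EOF
$(policy_pam_services "$policy")
EOF
    return $bad
}

# Stand-alone usage: check_policy /etc/opt/quest/qpm4u/policy/pm.conf
# (the policy path is only an example; use wherever your policy file lives).
```

A non-zero exit from check_policy means at least one service named in the policy would be resolved through the "other" stanza or not at all; fix the policy (or add the service file) before relying on the rule, and remember that for authenticate_pam_toclient the relevant host is the client, so the check has to be repeated there.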

Related Function

authenticate_pam

Administering Log and Keystroke Files

Privilege Manager allows you to control what is logged, as well as when and where it is logged. To help you set up and use these log files, the topics in this section explore enabling and disabling logging, as well as how to specify the log file locations.

Privilege Manager includes three different types of logging; the first two are helpful for audit purposes:

  • keystroke logging, also referred to as I/O logging

    Keystroke logs record the user’s keystrokes and the terminal output of any sessions granted by Privilege Manager.

  • event logging

    Event logs record the details of all requests to run privileged commands. The details include what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected.

  • error logging

You can configure some aspects of the event and keystroke logging by means of the security policy on the policy servers. What you can configure and how you configure it depends on which type of security policy you are using on your policy server: pmpolicy or sudo. (See Security Policy Types for more information.)