Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

pmshell_uniqueid

Description

Type string READONLY

pmshell_uniqueid is only defined if the command is a shell subcommand running from a Privilege Manager shell (pmsh, pmcsh and pmksh). It contains the uniqueid of the session running the shell program. It allows the individual commands running within the shell to be identified as part of the same shell session when viewing the audit log entries.

Example
#shell script example to print out all shell commands for each shell run on 
#15 january 2009 

#constraint to select pmshell programs running on selected date 
constraint="(date=\"2009/01/15\") && (pmshell==1) && (pmshell_cmd==0))" 

#format to display user and shell program name 
userformat="sprintf(\"User:%s, shell:%s\", user, pmshell_prog)" 

#format to display shell subcommand name and time 
shellformat="sprintf(\" Time:%s, ShellCommand:%s\n", time, runcommand)" 

#find the unique IDs for all shell sessions 
allids=`/bin/sh –c "pmlog –p 'sprintf(\"%s\", uniqueid)' –c '${constraint}'"` 

#for each shell session, print out the username and shell program name, 
#and display each shell command run from the shell, with the time it was 
#executed for one in $allids 
do 
   cmd="pmlog –p '${userformat}' –c 'uniqueid==\"${one}\"'" 
   /bin/sh –c "${cmd}" 
   cmd="pmlog –p '${shellformat}' -c 'pmshell_uniqueid==\"${one}\"'" 
   /bin/sh –c "$cmd" 
done

pmversion

Description

Type string READONLY

pmversion contains the Privilege Manager version and build number.

Example
print("The current Privilege Manager version is %s", pmversion);

ptyflags

Description

Type string READONLY

ptyflags contains a bitmask indicating the ptyflags set from the submit user's environment. If set, the following bits indicate:

Bit 0: stdin is open Bit 1: stdout is open Bit 2: stderr is open Bit 3: pmrun –p option was selected to run pmrun in pipe mode Bit 4: stdin is from a socket Bit 5: pmrun –d option was selected to allow the runcommand to be run using nohup
Example
PTY_IN=0x1; 
if (ptyflags & PTY_IN) 
{ 
   #only authenticate if stdin is open and password can be entered 
   if (!authenticate_pam(user, "sshd")) 
   { 
      reject "Failed to authenticate user"; 
   } 
} 
else 
{ 
   reject "Cannot authenticate the user"; }
Related Topics

runptyflags

requestlocal

Description

Type integer READONLY

Indicates if the request is local. requestlocal is true if no request was made to run on a remote host using pmrun -h.

Example
# reject requests to run on a remote host 
if (requestLocal == false) 
   reject "remote requests are not allowed";
Related Documents