The following predefined global variables are initialized from the submit user's environment. They can be changed in the policy file and are used by pmlocald to set up the runtime environment for the runcommand.
| Variable | Data Type | Description |
|---|---|---|
| alertkeyaction | string | Action to be taken when alertkeysequence is matched. |
| alertkeysequence | list | List of patterns to match in a session. |
| disable_exec | integer | Specifies whether to prevent the runcommand process from executing new processes. |
| eventlog | string | Pathname of the audit log. |
| eventloghost | string | Host name list for remote event logging. |
| execfailedmsg | string | Message to display if runcommand cannot be executed. |
| iolog | string | Pathname of the keystroke log. |
| iolog_encrypt | integer | Specifies whether to encrypt the keystroke log. |
| iolog_errmax | integer | Max bytes to log for a stderr message. |
| iolog_opmax | integer | Max chars to log for a stdout message. |
| iologhost | string | Host name list for remote keystroke logging. |
| log_passwords | integer | Specifies whether to exclude passwords from the keystroke log. |
| logomit | list | Variables to omit from the audit and keystroke logs. |
| logstderr | integer | Specifies whether to keystroke log stderr messages. |
| logstdin | integer | Specifies whether to keystroke log stdin messages. |
| logstdout | integer | Specifies whether to keystroke log stdout messages. |
| notfoundmsg | string | Message to display if the runcommand is not found on the run host. |
| passprompts | list | Detects presence of password prompts. |
| pmshell_allow | list | Commands to allow in a Privilege Manager shell without further authorization. |
| pmshell_allowpipe | list | Commands to allow in a Privilege Manager shell without further authorization if input is from a pipe. |
| pmshell_checkbuiltins | integer | Specifies whether to authorize shell built-in commands in a Privilege Manager shell. |
| pmshell_forbid | list | Commands to forbid in a Privilege Manager shell without further authorization. |
| pmshell_readonly | list | Variables to mark as read-only in a Privilege Manager shell. |
| pmshell_reject | string | Reject message to display when a forbidden command is executed in a Privilege Manager shell. |
| pmshell_restricted | integer | Specifies whether to run a Privilege Manager shell in restricted mode. |
| preserve_clienthost | integer | Specifies whether to use the originating login host name in preference to the submit host. |
| profile_keepenv | list | A list of values specified by the keepenv() call. |
| profile_setenv | list | A list of values specified by the setenv() call. |
| profile_unsetenv | list | A list of values specified by the unsetenv() call. |
| profile_use_runuser | string | Specifies whether to use the runuser’s environment rather than the submit user’s environment |
| rejectmsg | string | Message to display when a session is rejected. |
| runargv | list | List of arguments for the request. |
| runchroot | string | Requests the command to run with a specified root directory. |
| runcksum | string | Identifies a checksum to use to verify against the runcommand. |
| runclienthost | string | A modifiable copy of the clienhost input variable. |
| runcommand | string | Full pathname of the request. |
| runconfirmuser | string | Specifies whether the agent should request the runuser to authenticate before executing the runcommand. |
| runcwd | string | Working directory to set for the request. |
| runenv | list | List of environment variables to set for the request. |
| rungroup | string | Primary group to set for the request. |
| rungroups | list | List of secondary groups to set for the request. |
| runhost | string | Host on which to run the request. |
| runnice | integer | Nice value to apply for the request. |
| runpaths | list | A list of permitted paths for commands. |
| runptyflags | string | Pty flags to apply for the request. |
| runtimeout | integer | Specifies the number of seconds of idle time before ending the session. |
| runumask | integer | Umask value to apply for the request. |
| runuser | string | User to run the request. |
| runutmpuser | string | Utmp user to use when logging to utmp. |
| subprocuser | string | User name to run subprocesses of the policy server master daemon. |
| tmplogdir | integer | Directory used for temporary storage of I/O log files if a remote log host is specified in iologhost. |
Type string READ/WRITE
alertkeyaction contains the action to be taken if a command matches a pattern configured in alertkeysequence. The alertkeyaction can be defined as "reject", "log" or any custom string. The default value is "log".
switch (user) {
case "root" : alertkeyaction = "ignore"; break;
default : alertkeyaction = "log"; break;
}Type list READ/WRITE
alertkeysequence contains a list of regular expressions, against which pmlocald checks the standard input commands entered by the user during a session. If a match is found, then an alert is raised in the event log.
Switch (user) {
case "root": alertkeysequence={"passwd"};
alertkeyaction="log";
break;
default : alertkeysequence={"passwd", "shutdown"};
alertkeyaction="reject";
break;
}Type integer READ/WRITE
Use disable_exec to prevent the runcommand process from executing new UNIX® processes. For example, you can prevent a vi session from executing shell commands. This variable is only supported if the underlying operating system supports the noexec feature; that is, Linux®, Solaris®, HPUX11, and AIX5.3. If set to true(1), Privilege Manager sets the LD_PRELOAD environment variable, which causes the runcommand to be loaded with a Privilege Manager library that overrides the system exec functions, and thus prevents the runcommand from using exec to create a new process.
if (basename(runcommand) in editor_program_list)
{
disable_exec=true;
}© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy