Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

logstdout

Description

Type integer READ/WRITE

Set logstdout to true to enable keystroke logging of stdout output produced during the session. The default value is true.

Example
if (command in {"csh","ksh"}) 
{ 
   iolog_encrypt = true; 
   log_passwords = false; 
   iolog_errmax = 10000; 
   iolog_opmax = 10000; 
   loggroup = "admin"; 
   logstderr = true; 
   logstdout = false; 
   logstdin = true; 
   iolog = mktemp("/usr/adm/pm." + user + "." + command + ".XXXXXX"); 
   accept; 
}

notfoundmsg

Description

Type string READ/WRITE

notfoundmsg is set to the message that displays if the selected runcommand is not available on the target host.

Example
notfoundmsg = "Command \"" + runcommand + "\" not available.";

passprompts

Description

Type list READ/WRITE

passprompts contains a list of strings that should be interpreted as password prompts when attempting to exclude passwords from iolog.

Example
passprompts={"Password=", "Enter password"};

pmshell_allow

Description

Type list READ/WRITE

pmshell_allow contains a list of regular expressions identifying Privilege Manager shell subcommands that are pre-authorized. The list may contain regular expressions.

This variable is applicable to pmsh, pmcsh, and pmksh.

On startup, the Privilege Manager shell programs load this list. Any shell subcommand entered by the user that matches one of these expressions is pre-authorized, that is, it will be allowed to run locally without any further authorization by pmmasterd, and will not be logged as an event. By default, the list is empty.

Example
pmshell_allow = {"ls","grep"};
Related Documents