Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

pmshell_allowpipe

Description

Type list READ/WRITE

pmshell_allowpipe identifies the list of Privilege Manager shell subcommands that are pre-authorized if the input to the command is from a pipe. The list may contain regular expressions.

This variable is applicable to the pmsh, pmcsh, and pmksh programs.

On startup, the Privilege Manager shells load this list. For any shell subcommand entered by the user that takes its input from a pipe, if the command matches one of these expressions, it will be allowed to run locally without any further authorization by the pmmasterd, and will not be logged as an event. By default, the list is empty.

For example, if this list contains the string "more", the "more" command will be pre-authorized in the context of the command ls | more but will require authorization in the context of the command more /tmp/file.

Example
pmshell_allow = {"grep","cat", "more"};

pmshell_checkbuiltins

Description

Type integer READ/WRITE

If pmshell_checkbuiltins is set to true, the Privilege Manager shell program will check all shell builtin commands as if they were not built-ins. That is, it will match each one against the forbidden list, then the allowed list, and if no match is found, then the command will be authorized with pmmasterd. To see a full list of the builtin commands for a particular shell program, run the shell program with the -? option. The default value for this variable is false. This variable is applicable to the pmsh, pmksh, and pmcsh programs.

Example
if (defined pmshell_cmd){ 
   if (user !in safe_shell_list) 
   { 
      #check builtins 
      pmshell_checkbuiltins=true; 
   } 
}

pmshell_forbid

Description

Type list READ/WRITE

pmshell_forbid contains a list of regular expressions loaded on startup by the Privilege Manager shell programs: pmsh, pmcsh, and pmksh. The list may contain regular expressions.

Any command entered by the user during the shell session, that matches one of these expressions, will be forbidden without any further authorization by the pmmasterd, and will not be logged as an event. All shell subcommands are matched with this list before checking the allowed list. By default, the variable contains an empty list.

Example
pmshell_forbid = {"kill","passwd"};

pmshell_readonly

Description

Type list READONLY

pmshell_readonly is only defined if the command is a shell subcommand running from within a Privilege Manager shell program (pmsh, pmcsh, pmksh). You can set this variable to a list of environment variables to mark as readonly in the shell. It defaults to an empty list.

Example
if (defined pmshell) 
{ 
   #set some application specific readonly variables for the shell 
   pmshell_readonly={"PATH", "SHELL", "APPL_HOME"}; 
}
Related Documents