Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

exitdate

Description

Type string READONLY

exitdate is the date the requested command finished running. This is saved in the event log when the session exits, and can be viewed using pmlog.

Example
#Display all events that finished on 15 january 2009 
pmlog -c 'exitdate == "2009/01/15"'
Related Topics

exitstatus

exittime

exitstatus

Description

Type string READONLY

exitstatus contains the exit status of the runcommand. This variable is not available for use in the policy file. It is logged in the "Finish" event by pmlocald when the session ends.

Example
#Display all sh commands that failed to complete successfully on 15 january 2009 
pmlog –c 'runcommand == "sh" && exitstatus != "Command finished with exit status 0"'
Related Topics

exitdate

exittime

exittime

Description
Type string READONLY

exittime is the time the requested command finished running (HH:MM:SS)

Example
#display all commands that finished after 6pm 
pmlog –c 'exittime > "18:00:00"'
Related Topics

exitstatus

exitdate

PM Settings Variables

Privilege Manager Variables > PM Settings Variables

This section describes the settings and parameters used by Privilege Manager. These settings are stored on each host in the /etc/opt/quest/qpm4u/pm.settings file which contains a list of settings, one per line, in the form: settingName value1 [value2 [... valuen]]. (See Configuration Prerequisites to view a sample pm.settings file.)

You can modify these policy server configuration settings using the configuration script initialed by either the pmsrvconfig or pmjoin_plugin commands; or, you can modify the pm.settings file manually. (See Configure the Primary Policy Server for Privilege Manager for Unix or Configure the Privilege Manager for Sudo Primary Policy Server for details about running the configuration script.)

NOTE: If you manually change the pm.settings file, restart the pmserviced and/or pmloadcheck daemons in order for the changes to take effect.

The following table describes each of the pm.settings variables:

NOTE: Defaults may differ depending on what platform you are configuring, and whether you are configuring a policy server, PM Agent, or Sudo Plugin. Many of these settings will not have a default value.

NOTE: The variables are not case sensitive.

Table 34: Variables: pm.settings
Variable Data type Description
certificates boolean (YES/NO)

Specifies whether certificates are enabled. To enable configurable certification, add the following statement to the /etc/opt/quest/qpm4u/pm.settings file on each host: certificates yes.

For details on how to configure certificates, see Enable Configurable Certification.

Default: NO

checksumtype string Specifies standard or MD5 checksum types for use with pmsum program.
clients list of hostnames

(Privilege Manager for Unix only.) Identifies hosts for which remote access functions are allowed. Only required if one policy server needs to retrieve remote information from another policy server that does not normally accept requests from it. (See Central Logging with Privilege Manager for Unix for details.)

clientverify string

Identifies the level of host name verification applied by the policy server host to the submit host name. The verification ensures that the incoming IP address resolves (on the primary policy server) to the same host name as presented by the submit host.

Valid values are:

  • none – No verification performed.
  • yes – If a host name is presented for verification by the runclient it will be verified.
  • All – The policy server will only accept a request from a client if the host name is verified.

Default: NONE

encryption string

Identifies the encryption type. You must use the same encryption setting on all hosts in your system.

Valid values are:

  • AES
  • DES
  • TripleDES

Default: AES

eventlogqueue string

Directory used by pmmasterd and pmlogsrvd where event data is temporarily queued prior to being written to the event log database.

Default: /var/opt/quest/qpm4u/evcache

EventQueueFlush integer

Tells pmlogadm how often to reopen the db (in minutes) flushing the data.

Default: 0, in which case pmlogsrvd will keep the db open while the service is running.

EventQueueProcessLimit integer

Specifies the number of cached events that will be processed at a time; this limits the memory use in pmlogadm.

Default: 0, in which case pmlogsrvd will not apply a limit.

facility string Sets the SYSLOG facility name to use when logging a message to the syslog file.

Valid values are:

  • LOG_AUTH
  • LOG_CRON
  • LOG_DAEMON
  • LOG_KERN
  • LOG_LOCAL0 through LOG_LOCAL7
  • LOG_LPR
  • LOG_MAIL
  • LOG_NEWS
  • LOG_USER
  • LOG_UUCP

Default: LOG_AUTH, if the platform defines LOG_AUTH; otherwise the default is 0 (zero).

failovertimeout integer

Sets the timeout in seconds before a connection attempt to a policy server is abandoned and the client fails over to the next policy server in the list.

NOTE: This setting also affects the timeout for the client and agent.

Default: 10 seconds. If omitted from pm.settings, default is 180 seconds.

failsafecommand string

(Privilege Manager for Unix only.) Sets the command to run in failsafe mode; that is, login pmksh user as root.

fwexternalhosts list Identifies a list of hosts to use a different range of source ports, identified by the openreservedport and opennonreserved port settings.
getpasswordfromrun boolean (YES/NO)

(Privilege Manager for Unix only.) Determines whether authentication is performed on the policy server or the client when a getuserpasswd() or getgrouppasswd() function is called from the policy file. If set to yes, the authentication is performed on the client.

NOTE: This variable also affects the user information functions: getfullname(), getgroup(), getgroups(), gethome(), and getshell(). If set to yes in the policy server's pm.settings file, these functions retrieve user information from the client host.

Default: NO

handshake boolean (YES/NO)

Enables the encryption negotiation handshake. This allows a policy server to support clients running different levels of encryption.

Default: NO

kerberos boolean (YES/NO)

Enables or disables Kerberos. (See Configuring Kerberos Encryption for details.)

Default: NO

keytab string

Sets the path to the Kerberos keytab file.

Default: /etc/krb5/krb5.keytab

krb5rcache string

Sets the path to the Kerberos cache.

Default: /var/tmp

krbconf string

Sets the path to the Kerberos configuration file.

Default: /etc/krb5/krb5.conf

libldap string

Specifies the pathname to use for the LDAP library.

No default value.

localport integer

Sets the TCP/IP port to use for pmlocald.

Default: 12346

lprincipal string

Sets the service principal name to use for the agent.

Default: pmlocald

masterport integer

Specifies the TCP/IP port to use for pmmasterd.

Default: 12345

masters list

Identifies a list of policy server hosts to which a client can submit requests for authorization, and from which an agent can accept authorized requests. This can contain host names or netgroups.

No default value.

maxofflinelogs integer

(Privilege Manager for Sudo only.) Sets the maximum number of offline keystroke or event logs that can be transferred to a policy server in a single transaction. If defined on the policy server, pmmasterd on the server only accepts that number of offline logs from a client in a single request. If configured on a plugin, the plugin only tries to send that number of logs at a time.

No default value.

mprincipal string

Sets the Kerberos service principal name to use for the policy server.

Default: pmmasterd

nicevalue integer

Sets the execution priority level for Privilege Manager processes.

Default: 0

offlinetimeout integer

(Privilege Manager for Sudo only.) Sets the timeout in milliseconds before an off-line policy evaluation occurs on a Sudo Plugin host.

Default: 1500 (1.5 seconds)

NOTE: Setting offlineTimeout to 0 in the pm.settings file, forces the cache service to always perform offline (local-only) policy evaluation for sudo requests.

opennonreserveportrange integer integer

Specifies a range of non-reserved ports to use as source ports when connecting to a host in the fwexternalhosts list.

No default value.

openreserveportrange integer integer

Specifies a range of reserved ports to use as source ports when connecting to a host in the fwexternalhosts list.

No default value.

pmclientdenabled boolean (YES/NO)

(Privilege Manager for Unix only.) Flag that enables the pmclientd daemon.

pmclientdopts string

(Privilege Manager for Unix only.) Sets the options for the pmclientd daemon.

pmlocaldenabled boolean (YES/NO)

(Privilege Manager for Unix only.) Flag that enables the pmlocald daemon.

pmlocaldlog string

(Privilege Manager for Unix only.) Sets the path for the agent error log. (See Local Logging for details.)

Default: /var/adm/pmlocald.log or /var/log/pmlocald.log depending on the platform.

pmlocaldopts string

(Privilege Manager for Unix only.) Sets the options for the pmlocald daemon.

pmloggroup string

Specifies the group ownership for iolog and eventlogs.

Default: pmlog

pmlogsrvlog string Identifies the log used by the pmlogsrvd daemon.
pmmasterdenabled boolean (YES/NO)

Flag that enables the pmmasterd daemon.

Default: YES

pmmasterdlog string

Sets the path for the master error log. (See Local Logging for details.)

Default: /var/adm/pmmasterd.log or /var/log/pmmasterd.log depending on the platform.

pmmasterdopts string

Sets the options for the pmmasterd daemon.

Default: -ar

pmrunlog string

(Privilege Manager for Unix only.) Sets the path for the client error log. (See Local Logging for details.)

Default: /var/adm/pmrun.log or /var/log/pmrun.log depending on platform.

pmservicedlog string

Identifies the log used by the pmserviced daemon.

Default: /var/log/pmserviced.log

pmtunneldenabled boolean (YES/NO)

(Privilege Manager for Unix only.) Flag that enables the pmtunneld daemon.

pmtunneldopts string

(Privilege Manager for Unix only.) Sets the options for the pmtunneld daemon.

policydir string

Sets the directory in which to search for policy files

Default: /etc/opt/quest/qpm4u/policy

policyfile string

Sets the main policy filename.

Default: pm.conf

policymode string

Specifies the type of security policy to use, pmpolicy or Sudo.

Default: sudo

reconnectagent boolean (YES/NO)

Allows backwards compatibility with older agents on a policy server. Settings on policy server and agents must match.

Default: NO

reconnectclient boolean (YES/NO)

Allows backwards compatibility with older clients on a policy server. Settings on policy server and client must match.

Default: NO

selecthostrandom boolean (YES/NO)

Set to yes to attempt connections to the list of policy servers in random order.

Set to no to attempt connections to the list of policy servers in the order listed in pm.settings.

Default: YES

setnonreserveportrange integer integer

Specifies a range of non-reserved ports to use as source ports by the client and agent. (See Restricting Port Numbers for Command Responses for details.)

  • Minimum non-reserved port is 1024.
  • Maximum non-reserved port is 31024.

The full range for non-reserved ports is 1024 to 65535.

setreserveportrange integer integer

Specifies a range of reserved ports to use as source ports by the client when making a connection to the policy server. (See Restricting Port Numbers for Command Responses for details.)

  • Minimum reserved port is 600.
  • Maximum reserved port is 1023.

The full range for reserved ports is 600 to 1023.

setutmp boolean (YES/NO)

Specifies whether pmlocald or pmplugin adds a utmp entry for the request.

Default: YES

shortnames boolean (YES/NO)

Enables or disables short names usage. Setting shortnames to yes allows the use of short (non-fully qualified) host names. If set to no, then the Privilege Manager components will attempt to resolve all host names to a fully qualified host name.

Default: YES

sudoersfile string

(Privilege Manager for Sudo only.) Sets the path to the sudoers policy file, if using the Sudo policy type.

Default: /etc/opt/quest/qpm4u/policy/sudoers

sudoersgid integer

(Privilege Manager for Sudo only.) Sets the group ownership of the Sudoers policy, if using the Sudo policy type.

Default: 0

sudoersmode integer

(Privilege Manager for Sudo only.) Sets the UNIX® file permissions of the Sudoers policy, if using the sudo policy type. Specify it as a four-digit octal number (containing only digits 0-7) to determine the user's file access rights (read, write, execute).

Default: 0400

sudoersuid integer

(Privilege Manager for Sudo only.) Sets the user ownership of the Sudoers policy.

Default: 0

syslog boolean (YES/NO)

Set to yes to send error messages to the syslog file as well as to the Privilege Manager error log.

(See Local Logging for details.)

Default: YES

thishost string

Sets the client's host name to use for verification. Specifying a thishost setting causes the Privilege Manager components to bind network requests to the specified host name or IP address. If you set thishost to the underscore character ( _ ), requests bind to the host's primary host name.

No default value.

tunnelport integer

Sets the TCP/IP port to use for the pmtunneld daemon. (See Configuring pmtunneld for details.)

Default: 12347

tunnelrunhosts list Identifies the hosts on the other side of a firewall.

For full details of how to configure your system across a firewall, see Configuring Firewalls.

No default value.

utmpuser string

(Privilege Manager for Sudo only) Specifies which user name pmplugin logs to the utmp entry.

Valid values are:

  • submituser
  • runuser

To log an entry to utmp, specify "setutmp yes".

NOTE: These settings only take effect if the sudoers policy allocates a pty.

A pseudo-tty is allocated by sudo when the log_input, log_output or use_pty flags are enabled in sudoers policy.

Default: submituser

validmasters list

Identifies a list of policy servers that can be identified using the pmrun –m <master> option, but that will not be used when you execute a normal pmrun command. This is useful for testing connections to a policy server before bringing it on line.

No default value.

Related Documents