
Safeguard for Sudo 6.1 Common Documents - Administration Guide



Type string READONLY

exittime is the time the requested command finished running (HH:MM:SS)

#display all commands that finished after 6pm 
pmlog -c 'exittime > "18:00:00"'



PM settings variables

This section describes the settings and parameters used by Privilege Manager. These settings are stored on each host in the /etc/opt/quest/qpm4u/pm.settings file which contains a list of settings, one per line, in the form: settingName value1 [value2 [... valuen]].

You can modify these policy server configuration settings using the configuration script initialized by either the pmsrvconfig or pmjoin_plugin commands; or you can modify the pm.settings file manually. See Configuring the Privilege Manager for Sudo Primary Policy Server for details about running the configuration script.

NOTE: If you manually change the pm.settings file, restart the pmserviced and/or pmloadcheck daemons in order for the changes to take effect.

The following table describes each of the pm.settings variables:

NOTE: Defaults may differ depending on the platform you are configuring and whether you are configuring a policy server or Sudo Plugin. Many of these settings will not have a default value.

NOTE: The variables are not case sensitive.

Table 12: Variables: pm.settings
Variable Data type Description
certificates boolean (YES/NO)

Specifies whether certificates are enabled. To enable configurable certification, add the following statement to the /etc/opt/quest/qpm4u/pm.settings file on each host: certificates yes.

clientverify string

Identifies the level of host name verification applied by the policy server host to the submit host name. The verification ensures that the incoming IP address resolves (on the primary policy server) to the same host name as presented by the submit host.

Valid values are:

  • none: No verification performed.
  • yes: If a host name is presented for verification by the runclient it will be verified.
  • All: The policy server will only accept a request from a client if the host name is verified.

Default: NONE

encryption string

Identifies the encryption type. You must use the same encryption setting on all hosts in your system.

Valid values are:

  • AES
  • DES
  • TripleDES

Default: AES

eventlogqueue string

Directory used by pmmasterd and pmlogsrvd where event data is temporarily queued prior to being written to the event log database.

Default: /var/opt/quest/qpm4u/evcache

EventQueueFlush integer

Tells pmlogadm how often to reopen the db (in minutes) flushing the data.

Default: 0, in which case pmlogsrvd will keep the db open while the service is running.

EventQueueProcessLimit integer

Specifies the number of cached events that will be processed at a time; this limits the memory use in pmlogadm.

Default: 0, in which case pmlogsrvd will not apply a limit.

facility string

Sets the SYSLOG facility name to use when logging a message to the syslog file.

Valid values are:

  • LOG_LOCAL0 through LOG_LOCAL7

Default: LOG_AUTH, if the platform defines LOG_AUTH; otherwise the default is 0 (zero).

failovertimeout integer

Sets the timeout in seconds before a connection attempt to a policy server is abandoned and the client fails over to the next policy server in the list.

NOTE: This setting also affects the timeout for the client and agent.

Default: 10 seconds. If omitted from pm.settings, default is 180 seconds.

handshake boolean (YES/NO)

Enables the encryption negotiation handshake. This allows a policy server to support clients running different levels of encryption.

Default: NO

kerberos boolean (YES/NO)

Enables or disables Kerberos.

Default: NO

keytab string

Sets the path to the Kerberos keytab file.

Default: /etc/opt/quest/vas/host.keytab

krb5rcache string

Sets the path to the Kerberos cache.

Default: /var/tmp

krbconf string

Sets the path to the Kerberos configuration file.

Default: /etc/opt/quest/vas/vas.conf

libldap string

Specifies the pathname to use for the LDAP library.

No default value.

masterport integer

Specifies the TCP/IP port to use for pmmasterd.

Default: 12345

masters list

Identifies a list of policy server hosts to which a client can submit requests for authorization, and from which an agent can accept authorized requests. This can contain host names or netgroups.

No default value.

maxofflinelogs integer

Sets the maximum number of offline keystroke or event logs that can be transferred to a policy server in a single transaction. If defined on the policy server, pmmasterd on the server only accepts that number of offline logs from a client in a single request. If configured on a plugin, the plugin only tries to send that number of logs at a time.

No default value.

mprincipal string

Sets the Kerberos service principal name to use for the policy server.

Default: host

nicevalue integer

Sets the execution priority level for Privilege Manager processes.

Default: 0

offlinetimeout integer

Sets the timeout in milliseconds before an off-line policy evaluation occurs on a Sudo Plugin host.

Default: 1500 (1.5 seconds)

NOTE: Setting offlineTimeout to 0 in the pm.settings file forces the cache service to always perform offline (local-only) policy evaluation for sudo requests.

pmloggroup string

Specifies the group ownership for iolog and eventlogs.

Default: pmlog

pmlogsrvlog string

Identifies the log used by the pmlogsrvd daemon.

pmmasterdenabled boolean (YES/NO)

Flag that enables the pmmasterd daemon.

Default: YES

pmmasterdlog string

Sets the path for the master error log.

Default: /var/adm/pmmasterd.log or /var/log/pmmasterd.log depending on the platform.

For more information, see Local logging.

pmmasterdopts string

Sets the options for the pmmasterd daemon.

Default: -ar

pmservicedlog string

Identifies the log used by the pmserviced daemon.

Default: /var/log/pmserviced.log

policydir string

Sets the directory in which to search for policy files.

Default: /etc/opt/quest/qpm4u/policy

policyfile string

Sets the main policy filename.

Default: pm.conf

policymode string

Specifies the type of security policy to use, pmpolicy or Sudo.

Default: sudo

selecthostrandom boolean (YES/NO)

Set to yes to attempt connections to the list of policy servers in random order.

Set to no to attempt connections to the list of policy servers in the order listed in pm.settings.

Default: YES

setnonreserveportrange integer integer

Specifies a range of non-reserved ports to use as source ports by the client and agent.

  • Minimum non-reserved port is 1024.
  • Maximum non-reserved port is 31024.

The full range for non-reserved ports is 1024 to 65535.

setreserveportrange integer integer

Specifies a range of reserved ports to use as source ports by the client when making a connection to the policy server.

  • Minimum reserved port is 600.
  • Maximum reserved port is 1023.

The full range for reserved ports is 600 to 1023.

setutmp boolean (YES/NO)

Specifies whether pmplugin adds a utmp entry for the request.

Default: YES

shortnames boolean (YES/NO)

Enables or disables short names usage. Setting shortnames to yes allows the use of short (non-fully qualified) host names. If set to no, then the Privilege Manager components will attempt to resolve all host names to a fully qualified host name.

Default: YES

sudoersfile string

Sets the path to the sudoers policy file, if using the Sudo policy type.

Default: /etc/opt/quest/qpm4u/policy/sudoers

sudoersgid integer

Sets the group ownership of the Sudoers policy, if using the Sudo policy type.

Default: 0

sudoersmode integer

Sets the UNIX file permissions of the Sudoers policy, if using the sudo policy type. Specify it as a four-digit octal number (containing only digits 0-7) to determine the user's file access rights (read, write, execute).

Default: 0400

sudoersuid integer

Sets the user ownership of the Sudoers policy.

Default: 0

syslog boolean (YES/NO)

Set to yes to send error messages to the syslog file as well as to the Privilege Manager error log.

Default: YES

For more information, see Local logging.

thishost string

Sets the client's host name to use for verification. Specifying a thishost setting causes the Privilege Manager components to bind network requests to the specified host name or IP address. If you set thishost to the underscore character ( _ ), requests bind to the host's primary host name.

No default value.

utmpuser string

Specifies which user name pmplugin logs to the utmp entry.

Valid values are:

  • submituser
  • runuser

To log an entry to utmp, specify "setutmp yes".

NOTE: These settings only take effect if the sudoers policy allocates a pty.

A pseudo-tty is allocated by sudo when the log_input, log_output or use_pty flags are enabled in sudoers policy.

Default: submituser
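A pm.settings file can be checked against the values documented in the table above before the daemons are restarted. The following Python sketch is an added example, not part of Privilege Manager or of the original guide; the sample file content is constructed, and treating lines that start with # as comments is an assumption.

```python
import re

# Constructed sample for illustration; not taken from a real host.
SAMPLE = """\
Encryption DES
clientVerify none
masters pol1.example.com pol2.example.com
sudoersmode 0664
sudoersuid 0
setreserveportrange 512 1023
"""

def parse_settings(text):
    """Parse 'settingName value1 [value2 ...]' lines; names are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skipping '#' lines is an assumption
            continue
        name, *values = line.split()
        settings[name.lower()] = values
    return settings

def first(settings, name, default):
    """First value of a setting, or the documented default when it is absent."""
    values = settings.get(name)
    return values[0] if values else default

def audit(settings):
    """Return (setting, message) findings measured against the documented values."""
    findings = []
    enc = first(settings, "encryption", "AES")
    if enc.upper() != "AES":
        findings.append(("encryption", f"{enc} configured; AES is the documented default"))
    if first(settings, "clientverify", "NONE").lower() == "none":
        findings.append(("clientverify", "submit host names are not verified"))
    mode = first(settings, "sudoersmode", "0400")
    if not re.fullmatch(r"[0-7]{4}", mode):
        findings.append(("sudoersmode", f"{mode!r} is not a four-digit octal number"))
    elif int(mode, 8) & 0o022:
        findings.append(("sudoersmode", f"{mode} lets group or other write the policy"))
    for key in ("sudoersuid", "sudoersgid"):
        owner = first(settings, key, "0")
        if owner != "0":
            findings.append((key, f"policy owned by id {owner}, not 0"))
    ports = settings.get("setreserveportrange")
    if ports is not None:
        ok = len(ports) == 2 and all(p.isdigit() for p in ports)
        if not ok or not 600 <= int(ports[0]) <= int(ports[1]) <= 1023:
            findings.append(("setreserveportrange", "outside the documented 600-1023 range"))
    return findings

if __name__ == "__main__":
    for setting, message in audit(parse_settings(SAMPLE)):
        print(f"{setting}: {message}")
```

Because defaults may differ by platform and role, a setting that is absent from the file is evaluated here with the default listed in the table.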

Privilege Manager programs

This section describes each of the Privilege Manager programs and their options. The following table indicates which Privilege Manager component installs each program.

Table 13: Privilege Manager programs
Name Description Server Agent Sudo

Verifies the syntax of a policy file.

X - X

Joins a Sudo Plugin to the specified policy server. Joining configures the remote host to communicate with the servers in the group.

X - X

Generates and installs configurable certificates.


Displays current license information and allows you to update a license (an expired one or a temporary one before it expires) or create a new one.

X - -

Controls load balancing and failover for connections made from the host to the configured policy servers.

X X -

Displays entries in a Privilege Manager event log.

X - -

Manages encryption options on the event log.

X - -

Searches all logs in a policy group based on specified criteria.

X - -


The Privilege Manager for Sudo log access daemon, the service responsible for committing events to the Privilege Manager for Sudo event log and managing the database storage used by the event log.





Transfers event logs and I/O logs after an off-line policy evaluation has occurred. pmlogxfer is initiated by pmloadcheck when there are log files queued for transfer from a Sudo Plugin host to the server.

- - X

The Privilege Manager Master daemon which examines each user request and either accepts or rejects it based upon information in the Privilege Manager configuration file. You can have multiple pmmasterd daemons on the network to avoid having a single point of failure.

X - X

Displays information about the policy server group that the Sudo Plugin host has joined.

X - X

A daemon that runs on each Sudo Plugin host and controls load balancing and failover for connections made from the host to the configured policy servers.

X - X

A command-line utility for managing the Privilege Manager security policy. This utility checks out the current version, checks in an updated version, and reports on the repository.

X - -

Displays the revision status of the cached security policy on a Sudo Plugin host; allows you to request an update from the central repository.

- - X

Adjunct program to the pmjoin_plugin script. pmpoljoin_plugin is called by the pmjoin_plugin script when configuring a Sudo Plugin host to set up the required read-only access to the policy repository, so that the client can operate in off-line mode.

- - X

Configures (or unconfigures) a primary or secondary policy server. Allows you to grant a user access to a repository.

X - -

Provides a wrapper for the pmlog and pmreplay utilities to access the event (audit) and keystroke (I/O) logs on any server in the policy group.

X - -

Replays an I/O log file allowing you to review what happened during a previous privileged session.

X - -

Verifies the host name or IP resolution for the local host or a selected host.


The Privilege Manager Service daemon listens on the configured ports for incoming connections for the Privilege Manager daemons. pmserviced uses options in pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon.


Checks the Privilege Manager policy server configuration to ensure it is set up properly.

X - -

Configures a primary or secondary policy server.

X - -
pmsrvinfo Verifies the policy server configuration. X - -

Generates a simple checksum of a binary.

X - -

Displays the Privilege Manager system ID.



pmcheck [ -v ] | 
           [ [ -a <string> ] [ -b ] [ -c ] [ -e <requestuser> ] 
           [ -f <filename> ] [ -g <group> ] [ -h <hostname> ] [ -i ] 
           [ -m <YY[YY]/MM/DD> ] [ -n <HH[:MM]> ] 
           [ -o sudo|pmpolicy ] [ -p <policydir> ] [ -q  ]  [  -r <remotehost> ] 
           [ -s <submithost> ] [ -t ] [ -u <runuser> ] [ command [ args ]]]

Use the pmcheck command to test the policy file. Although the policy server daemon pmmasterd reports configuration file errors to a log file, always use pmcheck to verify the syntax of a policy file before you install it on a live system. You can also use the pmcheck command to simulate running a command to test whether a request will be accepted or rejected.

The pmcheck program exits with a value corresponding to the number of syntax errors found.


pmcheck has the following options.

Table 14: Options: pmcheck
Option Description

-a <string>

Checks if the specified string, entered during the session, matches any alertkeysequence configured. You can only specify this option if you supply a command.

NOTE: This option is only relevant when using the pmpolicy type.


-b

Runs in batch mode. By default, pmcheck runs in interactive mode, and attempts to emulate the behavior of the pmmasterd when parsing the policy file. The -b option ensures that no user interaction is required if the policy file contains a password or input function; instead, a successful return code is assumed for any password authentication functions.

-c

Runs in batch mode and displays output in csv format. By default pmcheck runs in interactive mode. The -c option ensures that no user interaction is required if the policy file contains a password prompt or input function and no commands that require remote connections are attempted.

-e <requestuser>

Sets the value of requestuser. This option allows you to specify the group name to use when testing the configuration. This emulates running a session using the sudo -u <user> option to request that Privilege Manager for Sudo runs the command as a particular runuser.

-f <filename>

Sets path to policy filename. Provides an alternative configuration filename to check. If not fully qualified, this path is interpreted as relative to the policydir, rather than to the current directory.

-g <group>

Sets the group name to use. If not specified, then pmcheck looks up the user on the master policy server host to get the group information. This option is useful for checking a user and group that does not exist on the policy server.

-h <hostname>

Specifies execution host used for testing purposes.


-i

Ignores the check for root ownership of the policy.

-m <YY[YY]/MM/DD>

Checks the policy for a particular date. Enter Date in this format: YY[YY]/MM/DD. Defaults to the current date.

-n <HH[:MM]>

Checks the policy for a particular time. Enter Time in this format: HH[:mm]. Defaults to the current time.

-o <policytype>

Interprets the policy with the specified policy type:

  • sudo
  • pmpolicy

-p policydir

Forces pmcheck to use a different directory to search for policy files included with a relative pathname. The default location to search for policy files is the policydir setting in pm.settings.

-q

Runs in quiet mode; pmcheck does not prompt the user for input, print any errors or prompts, or run any system commands. The exit status of pmcheck indicates the number of syntax errors found (0 = success). This is useful when running scripted applications that require a simple syntax check.

-r remotehost

Sets the value of the clienthost variable within the configuration file, useful for testing purposes.

The clienthost variable is set to the value of the submithost variable.

-s submithost

Sets the value of the submithost variable within the configuration file, useful for testing purposes.

-t

Runs in quiet mode to check whether a command would be accepted or rejected. By default, pmcheck runs in interactive mode. The -t option ensures that no user interaction is required if the policy file contains a password prompt or input function, no output is displayed and no commands that require remote connections are attempted.

Exit Status:

  • 0: Command accepted
  • 11: Password prompt encountered. The command will only be accepted if authentication is successful
  • 12: Command rejected
  • 13: Syntax error encountered

-u <runuser>

Sets the value of the runuser variable within the configuration file, useful for testing purposes.

-v

Displays the version number of Privilege Manager and exits.

command [args]

Sets the command name and optional arguments.

You can use pmcheck two ways: to check the syntax of the configuration file, or to test whether a request is accepted or rejected (that is, to simulate running a command).

By default, pmcheck runs the configuration file interactively in the same way as pmmasterd and reports any syntax errors found. If you supply an argument to a command, it reports whether the requested command is accepted or rejected. You can use the -c and -q options to verify the syntax in batch or silent mode, without any user interaction required.

When you run a configuration file using pmcheck, you are allowed to modify the values of the incoming variables. This is useful for testing the configuration file's response to various conditions. When pmmasterd runs a configuration file, the incoming variables are read-only.


To verify whether the sudoers policy file /etc/sudoers, ignoring permissions and ownership, allows user jsmith in the users group to run the passwd root command on host host1, enter:

pmcheck -f /etc/sudoers -i -o sudo -u jsmith -g users -h host1 passwd root
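The -q and -t exit statuses described above make pmcheck usable as a gate before a policy is installed on a live system: check the syntax first, then confirm that a set of requests is still accepted or rejected as intended. The following Python sketch is an added example, not part of Privilege Manager or of the original guide; the expected outcomes in CASES are constructed, and combining -t with the options from the example command above is an assumption.

```python
import subprocess

# Exit statuses the page documents for `pmcheck -t`.
T_STATUS = {0: "accepted", 11: "password prompt", 12: "rejected", 13: "syntax error"}

def _run(argv):
    """Default runner: execute pmcheck and return its exit status."""
    return subprocess.run(argv).returncode

def syntax_errors(policy, run=_run, policytype="sudo"):
    """-q: no prompts or output; the exit status is the number of syntax errors."""
    return run(["pmcheck", "-q", "-f", policy, "-o", policytype])

def pmcheck_argv(policy, user, group, host, command, policytype="sudo"):
    """The page's example invocation with -t added for a quiet accept/reject test."""
    return ["pmcheck", "-f", policy, "-i", "-o", policytype, "-t",
            "-u", user, "-g", group, "-h", host, *command]

def run_cases(policy, cases, run=_run):
    """Return the cases whose pmcheck -t outcome differs from the expected one."""
    failures = []
    for user, group, host, command, expected in cases:
        status = run(pmcheck_argv(policy, user, group, host, command))
        outcome = T_STATUS.get(status, f"unexpected status {status}")
        if outcome != expected:
            failures.append((user, host, " ".join(command), expected, outcome))
    return failures

# Constructed expectations for a candidate policy: the user, group and host names
# come from the page's example; the expected outcomes are illustrative only.
CASES = [
    ("jsmith", "users", "host1", ["passwd", "root"], "rejected"),
    ("jsmith", "users", "host1", ["id"], "accepted"),
]

if __name__ == "__main__":
    policy = "/etc/sudoers"
    if syntax_errors(policy):
        raise SystemExit("syntax errors in policy; not installing")
    for failure in run_cases(policy, CASES):
        print("unexpected decision:", failure)
```

A status of 11 is reported as "password prompt" rather than as accepted, because the command would only be accepted after successful authentication.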