立即与支持人员聊天
与支持团队交流

Privilege Manager for Unix 7.2.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Listing policy file revisions

After you have made several revisions to your policy file under source control, you can view the list of policy file versions stored in the repository.

To display all previous version numbers with timestamps and commit logs

  1. From the command line, enter:
    # pmpolicy log

    This command returns output similar to this:

    ** Validate options          [ OK ] 
    ** Check out working copy    [ OK ] 
    ** Retrieve revision details [ OK ] 
    version="3",user="pmpolicy",date=2011-05-11,time=19:27:01,msg="" 
    version="2",user="pmpolicy",date=2011-05-11,time=19:19:47,msg="added tuser" 
    version="1",user="pmpolicy",date=2011-05-11,time=15:56:12,msg="First import"

Viewing differences between revisions

You can view the changes from revision to revision of a policy file.

To show the differences between version 1 and version 3

  1. From the command line, enter:
    # pmpolicy diff -r:1:2

    This command returns output similar to this:

    ** Validate options                                          [ OK ] 
    ** Check out working copy (trunk revision)                   [ OK ] 
    ** Check differences                                         [ OK ] 
    ** Report differences between selected revisions             [ OK ] 
       - Differences were detected between the selected versions 
    Details: 
    Index: profiles/helpdesk.profile 
    =================================================================== 
    --- profiles/helpdesk.profile (revision 1) 
    +++ profiles/helpdesk.profile (revision 2) 
    @@ -18,6 +18,7 @@ 
    enableRemoteCmds = false;   # Should remote cmds be allowed for privilege cmds ? 
                                # - ie should it allow cmds if: submithost != runhost 
                                # 
    +shellProfile = "helpdesk"; 
    authUser = "root";          # runuser to use when running the authCommands 
                                # Set to 1 of the following:

    The output reports lines removed and lines added in a unified diff format.

Backup and recovery

It is important for you to perform systematic backups of the following directories on all policy servers:

  • /var/opt/quest/qpm4u which contains:
    • Event Logs
    • Keystroke Logs (I/O logs)
    • SVN Repository
    • SSH Keys
    • pmpolicy
  • /etc/opt/quest/qpm4u which contains:
    • Settings File
    • Production Policy
  • /opt/quest/qpm4u/.license* which contains:
    • License Files
  • /opt/quest/qpm4u/license* which contains:
    • License Files
  • /opt/quest/qpm4u/install which contains:
    • Install Logs
    • End User License Agreement (EULA)

When recovering from a failure, keep the same hostname and IP address.

Managing Security Policy

The Privilege Manager for Unix security system consists of one or more centralized policy servers and one or more remote clients. A user wishing to run a command secured by Privilege Manager for Unix makes a request to their client. The request is then propagated to the policy server which consults a security policy to determine whether to allow or disallow the command. A typical Privilege Manager for Unix installation has several policy servers to provide adequate fail-over and load-balancing coverage.

The Privilege Manager for Unix policy servers are capable of recording all the activity which passes through them. The power to accurately log root, and other account activities in a safe environment allows you to implement a secure system administration regime with an indelible audit trail. You always know exactly what is happening in root, as well as who did it, when it happened, and where.

The data created by the Privilege Manager for Unix policy servers is stored in a log file called an event log. An entry in the event log is made every time a policy server is used to run a command.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级