Privilege Manager for Unix 7.3 - Administration Guide

This section describes the settings and parameters used by Privilege Manager for Unix. These settings are stored on each host in the /etc/opt/quest/qpm4u/pm.settings file which contains a list of settings, one per line, in the form: settingName value1 [value2 [... valuen]]. To view a sample pm,.settings file, see Configuration prerequisites.

You can modify these policy server configuration settings using the configuration script initialized by the pmsrvconfig command or you can modify the pm.settings file manually. For details about running the configuration script, see Configuring the primary policy server for Privilege Manager for Unix.

If you manually change the pm.settings file, restart the pmserviced and/or pmloadcheck daemons in order for the changes to take effect.

The following table describes each of the pm.settings variables:

Defaults may differ depending on the platform you are configuring and whether you are configuring a policy server or PM Agent. Many of these settings will not have a default value.

The variables are not case sensitive.

Table 32: Variables: pm.settings
Variable	Data type	Description
auditsrvCAbundle	string	The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database when doing TLS authentication. Example: /etc/ssl/sudo/ca.bundle.pem
auditsrvCert	string	The path to the policy server's certificate file, in PEM format. Used for TLS only. Example: /etc/ssl/sudo/qpm_qpmdevel1.cert.pem
auditsrvEnabled	boolean (YES/NO)	Specifies if audit server logging is on or off. The default is NO. For more information, see Audit server logging on
auditsrvEnforced	boolean (YES/NO)	If YES, the audit server connection failures will be fatal. If NO, the audit log will be collected encrypted on the file system.and sent again to the server if it comes back.
auditsrvHosts	list of host ports of the audit sever	The host:port of the audit server. Host can be an ipv4/ipv6/hostname. Multiple hosts need to be separated by comma. Example: qpmdevel1.qpmdomain:30344,127.0.0.1:30344
auditsrvKeepalive	boolean (YES/NO)	Select whether keepalive is enabled on the connection.
auditsrvLocaliologs	boolean (YES/NO)	If YES, old pmlog io logs are also written. if NO, io logs are only stored by the sudo log server.
auditsrvLogdir	string	If auditsrvEnforced is NO, this is the log directory where audit logs get saved temporarily until they can be sent successfully. Example: /var/opt/quest/qpm4u/auditserver
auditsrvPkey	string	The path to the private key of the policy server, in PEM format. Used for TLS only. Example: /etc/ssl/sudo/qpm_qpmdevel1.key.pem
auditsrvPSpaceMB	boolean (YES/NO)	The minimum amount of disk space needed before starting to write an audit trail to the temporary storage. This is to prevent disk space filled up. If the disk space is lower, the policy server will reject the connections, just like if it was in "enforced" mode.
auditsrvTimeout	integer	The connection timeout in seconds. 3 seconds is recommended.
auditsrvTLS	boolean (YES/NO)	If YES, the communication with all the servers will use TLS. Specifying a key is required in this case.
auditsrvTLSCheckpeer	boolean (YES/NO)	If YES, client certificates will be validated by the server; clients without a valid certificate will be unable to connect. If NO, no validation of client certificates will be performed. If true and client certificates are created using a private certificate authority, the tls_cacert setting must be set to a CA bundle that contains the CA certificate used to generate the client certificate. The default value is NO.
auditsrvTLSVerify	boolean (YES/NO)	If YES, the server certificate will be verified at startup and clients will authenticate the server by verifying its certificate and identity. If NO, no verification is performed of the server certificate by the server or the client. When using self-signed certificates without a certificate uthority, this setting should be set to NO. The default value is YES.
certificates	boolean (YES/NO)	Specifies whether certificates are enabled. To enable configurable certification, add the following statement to the /etc/opt/quest/qpm4u/pm.settings file on each host: certificates yes. Default: NO For more information, see Enable configurable certification..
checksumtype	string	Specifies standard or MD5 checksum types for use with pmsum program.
clients	list of hostnames	Identifies hosts for which remote access functions are allowed. Only required if one policy server needs to retrieve remote information from another policy server that does not normally accept requests from it. For more information, see Central logging with Privilege Manager for Unix..
clientverify	string	Identifies the level of host name verification applied by the policy server host to the submit host name. The verification ensures that the incoming IP address resolves (on the primary policy server) to the same host name as presented by the submit host. Valid values are: none: No verification performed. yes: If a host name is presented for verification by the runclient it will be verified. All: The policy server will only accept a request from a client if the host name is verified. Default: NONE
encryption	string	Identifies the encryption type. You must use the same encryption setting on all hosts in your system. Valid values are: AES DES TripleDES Default: AES
eventlogqueue	string	Directory used by pmmasterd and pmlogsrvd where event data is temporarily queued prior to being written to the event log database. Default: /var/opt/quest/qpm4u/evcache
EventQueueFlush	integer	Tells pmlogsrvd how often to reopen the db (in minutes) flushing the data. Default: 0, in which case pmlogsrvd will keep the db open while the service is running.
EventQueueProcessLimit	integer	Specifies the number of cached events that will be processed at a time; this limits the memory use in pmlogsrvd. Default: 0, in which case pmlogsrvd will not apply a limit.
facility	string	Sets the SYSLOG facility name to use when logging a message to the syslog file. Valid values are: LOG_AUTH LOG_CRON LOG_DAEMON LOG_KERN LOG_LOCAL0 through LOG_LOCAL7 LOG_LPR LOG_MAIL LOG_NEWS LOG_USER LOG_UUCP Default: LOG_AUTH, if the platform defines LOG_AUTH; otherwise the default is 0 (zero).
failovertimeout	integer	Sets the timeout in seconds before a connection attempt to a policy server is abandoned and the client fails over to the next policy server in the list. This setting also affects the timeout for the client and agent. Default: 10 seconds. If omitted from pm.settings, default is 180 seconds.
failsafecommand	string	Sets the command to run in failsafe mode; that is, login pmksh user as root.
fwexternalhosts	list	Identifies a list of hosts to use a different range of source ports, identified by the openreservedport and opennonreserved port settings.
getpasswordfromrun	boolean (YES/NO)	Determines whether authentication is performed on the policy server or the client when a getuserpasswd() or getgrouppasswd() function is called from the policy file. If set to yes, the authentication is performed on the client. This variable also affects the user information functions: getfullname(), getgroup(), getgroups(), gethome(), and getshell(). If set to yes in the policy server's pm.settings file, these functions retrieve user information from the client host. Default: NO
handshake	boolean (YES/NO)	Enables the encryption negotiation handshake. This allows a policy server to support clients running different levels of encryption. Default: NO
kerberos	boolean (YES/NO)	Enables or disables Kerberos. Default: NO For more information, see Configuring Kerberos encryption..
keytab	string	Sets the path to the Kerberos keytab file. Default: /etc/opt/quest/vas/host.keytab
krb5rcache	string	Sets the path to the Kerberos cache. Default: /var/tmp
krbconf	string	Sets the path to the Kerberos configuration file. Default: /etc/opt/quest/vas/vas.conf
libldap	string	Specifies the pathname to use for the LDAP library. No default value.
localport	integer	Sets the TCP/IP port to use for pmlocald. Default: 12346
logFormat	string	Specifies the format used for syslog and local file logging. The valid values are: CEF for logging in Common Event Format. default for human-readable logs.
lprincipal	string	Sets the service principal name to use for the agent. Default: pmlocald
masterport	integer	Specifies the TCP/IP port to use for pmmasterd. Default: 12345
masters	list	Identifies a list of policy server hosts to which a client can submit requests for authorization, and from which an agent can accept authorized requests. This can contain host names or netgroups. No default value.
mprincipal	string	Sets the Kerberos service principal name to use for the policy server. Default: host
nicevalue	integer	Sets the execution priority level for Privilege Manager for Unix processes. Default: 0
opennonreserveportrange	integer integer	Specifies a range of non-reserved ports to use as source ports when connecting to a host in the fwexternalhosts list. No default value.
openreserveportrange	integer integer	Specifies a range of reserved ports to use as source ports when connecting to a host in the fwexternalhosts list. No default value.
pmclientdenabled	boolean (YES/NO)	Flag that enables the pmclientd daemon.
pmclientdopts	string	Sets the options for the pmclientd daemon.
pmloadcheckInterval	integer	Sets the refresh interval (in minutes) to determine how often the pmloadcheck daemon checks the policy server status. To override the interval, use pmloadcheck -e. The default value is 60.
pmlocaldenabled	boolean (YES/NO)	Flag that enables the pmlocald daemon.
pmlocaldlog	string	Sets the path for the agent error log. Default: /var/adm/pmlocald.log or /var/log/pmlocald.log depending on the platform. For more information, see Local logging..
pmlocaldopts	string	Sets the options for the pmlocald daemon.
pmloggroup	string	Specifies the group ownership for iolog and eventlogs. Default: pmlog
pmlogsrvlog	string	Identifies the log used by the pmlogsrvd daemon.
pmmasterdenabled	boolean (YES/NO)	Flag that enables the pmmasterd daemon. Default: YES
pmmasterdlog	string	Sets the path for the master error log. Default: /var/adm/pmmasterd.log or /var/log/pmmasterd.log depending on the platform. For more information, see Local logging..
pmmasterdopts	string	Sets the options for the pmmasterd daemon. Default: -ar
pmrunlog	string	Sets the path for the client error log. Default: /var/adm/pmrun.log or /var/log/pmrun.log depending on platform. For more information, see Local logging..
pmservicedlog	string	Identifies the log used by the pmserviced daemon. Default: /var/log/pmserviced.log
pmtunneldenabled	boolean (YES/NO)	Flag that enables the pmtunneld daemon.
pmtunneldopts	string	Sets the options for the pmtunneld daemon.
policydir	string	Sets the directory in which to search for policy files Default: /etc/opt/quest/qpm4u/policy
policyfile	string	Sets the main policy filename. Default: pm.conf
policymode	string	Specifies the type of security policy to use, pmpolicy or Sudo. Default: sudo
reconnectagent	boolean (YES/NO)	Allows backwards compatibility with older agents on a policy server. Settings on policy server and agents must match. Default: NO
reconnectclient	boolean (YES/NO)	Allows backwards compatibility with older clients on a policy server. Settings on policy server and client must match. Default: NO
selecthostrandom	boolean (YES/NO)	Set to yes to attempt connections to the list of policy servers in random order. Set to no to attempt connections to the list of policy servers in the order listed in pm.settings. Default: YES
setnonreserveportrange	integer integer	Specifies a range of non-reserved ports to use as source ports by the client and agent. Minimum non-reserved port is 1024. Maximum non-reserved port is 31024. The full range for non-reserved ports is 1024 to 65535. For more information, see Restricting port numbers for command responses..
setreserveportrange	integer integer	Specifies a range of reserved ports to use as source ports by the client when making a connection to the policy server. Minimum reserved port is 600. Maximum reserved port is 1023. The full range for reserved ports is 600 to 1023. For more information, see Restricting port numbers for command responses..
setutmp	boolean (YES/NO)	Specifies whether pmlocald adds a utmp entry for the request. Default: YES
shortnames	boolean (YES/NO)	Enables or disables short names usage. Setting shortnames to yes allows the use of short (non-fully qualified) host names. If set to no, then the Privilege Manager for Unix components will attempt to resolve all host names to a fully qualified host name. Default: YES
sshKeyTypes	string	Specifies the SSH key types that will be used to access the policy and log files. Valid values are: rsa ecdsa ed25519 Default: rsa ecdsa
syslog	boolean (YES/NO)	Set to yes to send error messages to the syslog file as well as to the Privilege Manager for Unix error log. Default: YES For more information, see Local logging..
thishost	string	Sets the client's host name to use for verification. Specifying a thishost setting causes the Privilege Manager components to bind network requests to the specified host name or IP address. If you set thishost to the underscore character ( _ ), requests bind to the host's primary host name. No default value.
tunnelport	integer	Sets the TCP/IP port to use for the pmtunneld daemon. Default: 12347 For more information, see Configuring pmtunneld..
tunnelrunhosts	list	Identifies the hosts on the other side of a firewall. No default value. For full details of how to configure your system across a firewall, see Configuring firewalls.
validmasters	list	Identifies a list of policy servers that can be identified using the pmrun -m <master> option, but that will not be used when you run a normal pmrun command. This is useful for testing connections to a policy server before bringing it on line. No default value.

Table 33: Control flow reserved words
Statement	Description
accept, reject	Accept or reject the submitted request.
break	Break out of a while or for loop.
continue	Skip the rest of the loop body and continue to the next iteration of the loop.
do-while	Perform the loop body multiple times until an expression is true, evaluating the expression after running the statement.
for loop	c-style for loop.
for loop	Perform the loop body for each element in a list.
function	Stand-alone subroutine, allowing you to reuse policy.
if-else	Used to determine which statement to run next based on whether an expression is true or false.
include	Include the named policy file.
procedure / function	Stand-alone subroutine, allowing you to reuse policy.
readonly	Mark a variable as read-only.
readonlyexcept	Mark all variables as read-only except for the specified list.
return	Return from a function or procedure.
switch	Used to determine which statement to run next based on whether an expression matches one of several values.
while	Perform the loop body multiple times until an expression is true, evaluating the expression before running the statement.

Table 33: Control flow reserved words

Statement

Description

accept, reject

Accept or reject the submitted request.

break

Break out of a while or for loop.

continue

Skip the rest of the loop body and continue to the next iteration of the loop.

do-while

Perform the loop body multiple times until an expression is true, evaluating the expression after running the statement.

for loop