To configure a Safeguard for Sudo policy server, you must specify the sudo policy type.
To specify the security policy type, run one of the following commands:
# pmsrvconfig -m sudo
# pmsrvconfig -m pmpolicy
For more information about the pmpolicy language, see the Privilege Manager for Unix Administration Guide.
A sudo type policy is used with the Safeguard for Sudo product. When you configure the primary policy server, if /etc/sudoers exists, it imports this file and uses it as the initial sudoers policy file. Otherwise, it creates a generic sudoers file.
By default, the Safeguard for Sudo sudoers file resides in /etc/opt/quest/qpm4u/policy/sudoers, but is not meant to be accessed directly.
Sudo type policy entries look like this:
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
These entries will let root or any user in the wheel group run any command on any host as any user.
To view a summary of the changes you made to your security policy
# pmpolicy log
** Validate options [ OK ]
** Check out working copy [ OK ]
** Retrieve revision details [ OK ]
version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add sudoers.d/helpdesk "
version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add #includedir sudoers.d"
version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"
# pmpolicy diff -r1:2
** Validate options [ OK ] ** Check out working copy (trunk revision) [ OK ] ** Check differences [ OK ] ** Report differences between selected revisions [ OK ] - Differences were detected between the selected versions Details: Index: sudoers =================================================================== --- sudoers (revision 1) +++ sudoers (revision 2) @@ -88,6 +88,6 @@ # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files from sudoers.d ## (the '#' here does not indicate a comment)
-##includedir /etc/sudoers.d
+# includedir sudoers.d
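Review bot: the added line "+# includedir sudoers.d" has a space between "#" and "includedir"; sudo's parser only recognises the directive written as "#includedir" with no space and treats "# includedir ..." as an ordinary comment, so the drop-in directory would silently not be read. The commit message recorded for version 2 in the log above ("add #includedir sudoers.d") indicates the intended line is "#includedir sudoers.d". The switch from the absolute /etc/sudoers.d to the relative sudoers.d is consistent with the sudoers.d/helpdesk file added in version 3, so only the spacing needs attention.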
The output shows the sudoers file from line 88. The lines that differ between version 1 and version 2 are marked with a leading "+" or "-". A "-" marks a line as it appeared in version 1 (changed or deleted), and a "+" marks a line as it appears in version 2 (changed or added).
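As an added example, not taken from the One Identity documentation, here is a Python helper that parses pmpolicy log output of the form shown above into revision records and runs a few basic consistency checks an auditor would want when reviewing policy history; the sample log and the function names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of `pmpolicy log` output, modelled on the listing above.
SAMPLE_LOG = """\
** Validate options [ OK ]
** Check out working copy [ OK ]
** Retrieve revision details [ OK ]
version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add sudoers.d/helpdesk "
version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add #includedir sudoers.d"
version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"
"""

# One key=value pair: quoted value (may contain commas and spaces) or bare (date, time).
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')

def parse_revision(line):
    """Parse one revision line into a dict; status lines ('** ...') yield None."""
    if not line.startswith('version='):
        return None
    rec = {}
    for key, quoted, bare in _PAIR.findall(line):
        rec[key] = quoted if quoted else bare
    rec['version'] = int(rec['version'])
    rec['when'] = datetime.strptime(rec['date'] + ' ' + rec['time'], '%Y-%m-%d %H:%M:%S')
    rec['msg'] = rec['msg'].strip()  # the tool keeps trailing spaces inside the quotes
    return rec

def parse_log(text):
    """Return all revisions in the log, oldest first (pmpolicy prints newest first)."""
    revs = [r for r in (parse_revision(l.strip()) for l in text.splitlines()) if r]
    return sorted(revs, key=lambda r: r['version'])

def check_history(revs):
    """Basic audit checks on a revision history; returns a list of findings."""
    problems = []
    for i, rec in enumerate(revs, start=1):
        if rec['version'] != i:
            problems.append(f"version numbering gap or duplicate at version {rec['version']}")
        if not rec['msg']:
            problems.append(f"version {rec['version']} has an empty commit message")
        if i > 1 and rec['when'] < revs[i - 2]['when']:
            problems.append(f"version {rec['version']} is dated before version {revs[i - 2]['version']}")
    return problems

def include_changes(revs):
    """Versions whose message mentions includedir: they pull extra files into the policy."""
    return [rec['version'] for rec in revs if 'includedir' in rec['msg']]
```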
Safeguard allows you to control what is logged, as well as when and where it is logged. To help you set up and use these log files, the topics in this section explore enabling and disabling logging, as well as how to specify the log file locations.
Safeguard includes three different types of logging; the first two are helpful for audit purposes:
Keystroke logs record the user’s keystrokes and the terminal output of any sessions granted by Safeguard.
Event logs record the details of all requests to run privileged commands. The details include what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected.
You can configure some aspects of the event and keystroke logging by means of the security policy on the policy servers. What you can configure and how you configure it depends on which type of security policy you are using on your policy server -- pmpolicy or sudo.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.