Quest Privilege Manager Console 1.1.1. Installation and Configuration Guide




© 2008 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656 USA
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.

TRADEMARKS

Quest, Quest Software, the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Disclaimer

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Quest Privilege Manager Installation and Configuration Guide
Updated - March 2008
Software Version - 1.1.1

Contents

ABOUT THIS GUIDE
  WHY QUEST PRIVILEGE MANAGER CONSOLE?
  SUPPORTED PLATFORMS
  INTENDED AUDIENCE
  CONVENTIONS
  ABOUT QUEST SOFTWARE
  CONTACTING QUEST SOFTWARE
  CONTACTING CUSTOMER SUPPORT
CHAPTER 1: GETTING STARTED
  INSTALLING THE PMC
  MANAGING POLICY FILES
  STARTING THE PMC
  LOGGING ON TO THE PMC
  SETTING AND CHANGING THE PMC PASSWORD
CHAPTER 2: CONFIGURATION
  ACCESSING THE PMC
  VIEW LICENSE
  SYSTEM CONFIGURATION
  POLICY EDITOR
  VERIFY RULES
CHAPTER 3: AUDITING AND LOGGING
  AUDITING
  SESSION LOGS
  EVENT LOG
  LOGGING
  PMMASTERD LOG
  PMLOCALD LOG
  PMRUN LOG

About this Guide

  Why Quest Privilege Manager Console?
  Supported Platforms
  Intended Audience
  Conventions
  About Quest Software
  Contacting Quest Software

Why Quest Privilege Manager Console?

The Quest Privilege Manager Console (PMC) is a central management console that provides administrators with an easy-to-use, browser-based interface to Privilege Manager for configuration and management purposes. Once installed, Privilege Manager can be managed, administered and monitored via the PMC. For security, communication between the browser and the PMC is encrypted with 128-bit Secure Sockets Layer (SSL). This guide describes how to install and configure the PMC.

Supported Platforms

The PMC is currently supported on the following platforms:

  SuSE Linux Standard v8 & v9/enterprise v8 & v9 running on Intel architecture
  Linux Red Hat Enterprise Server v3 and v4 running on Intel architecture.

Intended Audience

This book is intended for administrators who want to install the PMC, and configure and manage Quest Privilege Manager for Unix via the PMC.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references.

ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Used to highlight installation questions and responses.
courier text: File, daemon, utility, option, attribute names.
Italic text: Used for comments.
Bold Italic text: Used for emphasis.
Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
[icon]: Used to highlight additional information pertinent to the process being described.
[icon]: Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
[icon]: Used to highlight processes that should be performed with care.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe symbol (vertical bar) between elements means that you must select the elements in that particular sequence.
\: The back slash, immediately followed by a new line, indicates a Unix command line continuation.
<version>.<build number>: References to the product version you are installing are displayed with <version>.<build number> in angle brackets.

About Quest Software

Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 18,000 customers worldwide meet higher expectations for enterprise IT. Quest Software, headquartered in Irvine, Calif., can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink: www.quest.com/support
Email: support@quest.com

You can use SupportLink to do the following:

  Create, update, or view support requests
  Search the knowledge base
  Access FAQs
  Download patches

Getting Started

  Installing the PMC
  Starting the PMC
  Logging on to the PMC
  Setting and Changing the PMC Password

Installing the PMC

To install the PMC, download the PMC software from SupportLink at www.quest.com/support. The PMC requires 2.5 MB of disk space.

Before installing the PMC, ensure that the Apache Web Server is installed and correctly configured for use with the PMC. For further information, refer to the ReadMe file included with the PMC software download.

If you are running Internet Explorer for Windows version 5 or 6, your browser is unable to handle digest authentication. The following workaround is provided by Apache to allow MSIE to authenticate correctly:

    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

This workaround is not necessary for MSIE 7, although enabling it does not cause any compatibility issues or significant overhead. For further information, please refer to the Apache documentation at http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie

From the command line, type pmcinstall. The installation options are:

    -v  verbose. Display messages during the installation procedure.
    -h  help. Display help information during the installation procedure.
    -u  target install user id. Sets the target user id for the installation procedure.
    -g  target install group id. Sets the target group id for the installation procedure.

The PMC software is installed into the directory called /opt/quest/pmc. Symbolic links are included to /usr/sbin and the PMC Service binary.

On completion of the installation procedure, start the Apache Web Server using the following command:

    apachectl start

The PMC is then accessible via the URL. Refer to Starting the PMC.

Managing Policy Files

If you want to allow users to add new policy file includes or edit existing policy file includes, add the following option to /etc/opt/quest/pm.settings:

    policydir /opt/quest/qpm4u/policies

Starting the PMC

Start the Apache Web Server using the following command:

    apachectl start

SSL provides integrity and confidentiality, using a combination of public-key and symmetric-key encryption, and authentication using digital certificates. Once established, an SSL connection encrypts all of the data transmitted across it. SSL can also detect any alteration of the data while it is in transit.

If you are using the SSL certificate supplied by Quest, Quest recommends that you purchase your own SSL certificate that includes the name of the server where the PMC is installed.

To start the PMC from your web browser, type:

    https://hostname/pmc/

Logging on to the PMC

Log on to the PMC using the user ID and password that you specified during the installation procedure. The Configuration page is displayed:

Figure 1: Console - Configuration page

Setting and Changing the PMC Password

To set or change the password that you will use to access the PMC, use the Apache utility htdigest, as shown below:

    htdigest /opt/quest/pmc/passwd PMC admin

where admin is the name of the user account. You must be logged in as root.

You will be prompted to type your new password, then your new password again to confirm.

Configuration

  Accessing the PMC
  View License
  System Configuration
  Policy Editor
  Verify Rules

Accessing the PMC

Ensure that the PMC is installed on the machine designated as the Privilege Manager master host. To access the PMC, point your browser at https://hostname/pmc/. The PMC Configuration page is displayed:

Figure 1: PMC Configuration page

View License

This option displays details of your Privilege Manager license. Should you require assistance from Quest Support, you may be asked to provide this information.

Click View License to view details of the Privilege Manager license installed on this server.

Figure 2: View License

The information on the license page is described below:

Table 1: Privilege Manager for Unix - License Information

FIELD: DESCRIPTION
Licensed to: name of the owner of this license.
Version: the version number of the Quest Privilege Manager for Unix software covered by this license.
License Version: for internal use by Quest Support.
Type: the license type, either Temporary or Permanent.
License Expires: the date that this license will expire.
Host IP: the IP address of the machine for which this license is valid.
License File: the name of the license file, /opt/quest/qpm4u/.license.xml

System Configuration

The System Config option enables you to configure Privilege Manager. If Privilege Manager is already installed and configured on your system, the configuration settings stored in the /etc/pm.settings file are displayed in the system configuration fields. Any changes you make to these settings will be saved in the /etc/opt/quest/pm.settings file.

The configuration options are described briefly in this section. For further information about each setting, refer to Appendix B: Settings of the Quest Privilege Manager Installation and Administration Guide.

Click System Config to configure Privilege Manager. The System Settings page is displayed. System Settings comprises six sections:

  System
  Communications
  Security
  System Behaviour
  System Logging
  Logging

The configuration options are described on the following pages.

Privilege Manager Configuration - System options

The System options enable you to specify the masterhost(s) and policy file information for your Privilege Manager configuration.

Figure 3: System Config - System and Communications options

Table 2: Privilege Manager Configuration - System Options

FIELD NAME: DESCRIPTION
System Masters: names of the machines (masterhost) that run pmmasterd. The names of the System Masters are stored in the masterhost setting in the /etc/opt/quest/pm.settings file.
Valid Masters: names of the master daemon hosts that can be used with pmrun -m, but which will not be included in the normal master daemon host selection process. The names of the Valid Masters are stored in the validmasters setting in the /etc/opt/quest/pm.settings file.
Remote call clients: names of the masters allowed to access this host for system information via the remote access functions. The names of the masters are stored in the clients setting in the /etc/opt/quest/pm.settings file.
Tunnel to these hosts: specify the host(s) that require pmlocald to use a fixed port when communicating with pmrun. The names of the hosts are stored in the tunnelrunhosts setting in the /etc/opt/quest/pm.settings file.

The Communications options enable you to define the communication settings that will be used by the components of your Privilege Manager system.

Table 3: Privilege Manager Configuration - Communications options

FIELD NAME: DESCRIPTION
Master Daemon Port Number: the TCP/IP port number used by the master daemon. The port number you specify is stored in the masterport setting in the /etc/opt/quest/pm.settings file.
Local Daemon Port Number: the TCP/IP port number used by the local daemon. The port number you specify is stored in the localport setting in the /etc/opt/quest/pm.settings file.
Tunnel Daemon Port Number: the fixed port that pmlocald will use when talking to pmrun located on any host defined in the tunnelrunhosts list. The port number you specify is stored in the tunnelport setting in the /etc/opt/quest/pm.settings file. The default port number is 12347. The IPCsock setting in the /etc/opt/quest/pm.settings file must be set to yes.
Reserved Port Range: specify a range of reserved port numbers on the local host that can be used to connect to any host defined in the FwExternalHosts list. The port number(s) you specify will be stored in the OpenReservePortRange setting in the /etc/opt/quest/pm.settings file. The IPCsock setting in the /etc/opt/quest/pm.settings file must be set to yes.
Non Reserved Port Range: specify a range of non reserved port numbers on the local host that can be used to connect to any host defined in the FwExternalHosts list. The port number(s) you specify will be stored in the OpenNonReservePortRange setting in the /etc/opt/quest/pm.settings file. The IPCsock setting in the /etc/opt/quest/pm.settings file must be set to yes.
Use IPCsock messaging: click the radio button to specify whether IPCsock messaging can be used. The default setting is Yes. This is the IPCsock setting in the /etc/opt/quest/pm.settings file.
Allow Short DNS Names: click the radio button to specify whether short DNS names can be used. The default setting is Yes. This is the shortnames setting in the /etc/opt/quest/pm.settings file.
Reconnect Client: To avoid unnecessary connection attempts by pmmasterd to the client host, enter no in this field. The value you specify will be stored in the reconnectclient setting in the /etc/opt/quest/pm.settings file. The IPCsock setting in the /etc/opt/quest/pm.settings file must be set to yes.
Reconnect Agent: To avoid unnecessary connection attempts by pmmasterd to the agent host, set:

    reconnectagent no

  In the /etc/opt/quest/pm.settings file, set the IPCsock flag to yes.

Privilege Manager Configuration - Security options

The Security options enable you to define the security requirements of your Privilege Manager system.

Figure 4: Privilege Manager Configuration - Security options

Table 4: Privilege Manager Configuration - Security options

FIELD NAME: DESCRIPTION
Encryption: Privilege Manager supports the following methods of encryption: AES, DES, TripleDES. Click the arrow in this field and select the required encryption method from the list displayed. This is the encryption setting in the /etc/opt/quest/pm.settings file.
Key File: This field is for internal use only.
Client Verification: allows you to define the level of verification that the master will apply to the hostname included in the request received from the client. The verification will ensure that the hostname belongs to the client that issued the request. Click the arrow and select the required option from the list. The verification options are: None; Apply to newer agents; Apply to all agents. The value you specify will be stored in the verifyclient setting in the /etc/opt/quest/pm.settings file.
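
The dependencies stated in the Communications and Security tables above can be checked mechanically. The following Python script is an added example, not part of the Quest guide or the product; it assumes pm.settings holds one "name value" pair per line (the form the guide shows), that names are case-insensitive, that # starts a comment, that an absent IPCsock means the stated default of yes, and that the encryption setting uses the names from the console list. The sample files are constructed.

```python
# Added example (not Quest code): consistency check for pm.settings.

# Settings the guide says need "IPCsock yes" in the same file.
NEEDS_IPCSOCK = ("tunnelport", "OpenReservePortRange",
                 "OpenNonReservePortRange", "reconnectclient", "reconnectagent")
PORT_SETTINGS = ("masterport", "localport", "tunnelport")

# Constructed sample files; host names and port values are made up.
SAMPLE_BAD = """\
masterhost pm-master1.example.com
masterport 12345
localport 12346
tunnelport 12347
IPCsock no
reconnectagent no
encryption DES
"""

SAMPLE_GOOD = """\
masterhost pm-master1.example.com
tunnelrunhosts fw-client1.example.com
tunnelport 12347
IPCsock yes
reconnectagent no
encryption AES
"""


def parse_settings(text):
    """Parse 'name value' lines into a dict keyed by lower-cased name.

    Assumptions of this example: '#' starts a comment, names compare
    case-insensitively, and the last occurrence of a name wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        settings[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ""
    return settings


def check_settings(text):
    """Return a list of (setting, problem) tuples; empty means no findings."""
    s = parse_settings(text)
    findings = []

    # The guide gives Yes as the IPCsock default, so absent is treated as yes.
    ipcsock = s.get("ipcsock", "yes").lower()
    if ipcsock != "yes":
        for name in NEEDS_IPCSOCK:
            if name.lower() in s:
                findings.append((name, "requires IPCsock yes, found '%s'" % ipcsock))

    # tunnelport only applies to hosts listed in tunnelrunhosts.
    if "tunnelport" in s and not s.get("tunnelrunhosts"):
        findings.append(("tunnelport", "set but tunnelrunhosts is empty"))

    # Port numbers must be integers in the TCP range.
    for name in PORT_SETTINGS:
        if name in s:
            value = s[name]
            if not value.isdigit() or not 1 <= int(value) <= 65535:
                findings.append((name, "not a valid TCP port: '%s'" % value))

    # DES has a 56-bit key; of the three methods the guide lists, AES is preferred.
    if s.get("encryption", "").lower() == "des":
        findings.append(("encryption", "DES selected; use AES"))
    return findings


if __name__ == "__main__":
    for setting, problem in check_settings(SAMPLE_BAD):
        print("%s: %s" % (setting, problem))
```

To check a real host, pass the contents of /etc/opt/quest/pm.settings to check_settings() instead of the sample text.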

Privilege Manager Configuration - System Behaviour options

The System Behaviour options enable you to define how user login/logout information is recorded and where users are authenticated:

Figure 5: Privilege Manager Configuration - System Behaviour options

Table 5: Privilege Manager Configuration - System Behaviour options

FIELD NAME: DESCRIPTION
Add Entries To UTMP: specify whether entries will be added to the UTMP file when the job is accepted. This is the setutmp setting in the /etc/opt/quest/pm.settings file.
Password Authenticates Against: specify whether the password entered by the user will be authenticated against the client or the master. If the password entered by the user will be authenticated against the client, this is the authenticate_pam_client setting in the /etc/opt/quest/pm.settings file. If the password entered by the user will be authenticated against the master, this is the authenticate_pam setting in the /etc/opt/quest/pm.settings file.

Privilege Manager Configuration - System Logging options

The System Logging options are described below:

Figure 6: Privilege Manager Configuration - System Logging options

Table 6: Privilege Manager Configuration - System Logging options

FIELD NAME: DESCRIPTION
Log to Syslog: specify that the Unix syslog subsystem should be used to log errors. The value you enter will be stored in the syslog setting in the /etc/opt/quest/pm.settings file.
Syslog Facility: specify which syslog facility is used when logging to the Unix syslog subsystem. Click the arrow and select the required option from the list. The value you specify will be stored in the facility setting in the /etc/opt/quest/pm.settings file. The facilities that can be specified are: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH (the default), LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and any of LOG_LOCAL0 through LOG_LOCAL7.

Privilege Manager Configuration - Privilege Manager Logging options

The Privilege Manager Logging options enable you to specify the format and location of the log information produced by Privilege Manager.

Figure 7: Privilege Manager Configuration - Logging options

Table 7: Privilege Manager Configuration - Logging options

FIELD NAME: DESCRIPTION
I/O and Event Log Format: Privilege Manager transaction logging can be captured in ASCII format instead of binary format. If the existing log files are not in ASCII format they must be removed for this option to take effect.
pmmasterd Log File: specify the name of the log file that will store the errors generated by the pmmasterd daemon program. This is the pmmasterdlog setting in the /etc/opt/quest/pm.settings file.
pmlocald Log File: specify the name of the log file that will store the errors generated by the pmlocald daemon program. This is the pmlocaldlog setting in the /etc/opt/quest/pm.settings file.
pmrun Log File: specify the name of the log file that will store the errors generated by the pmrun daemon program. This is the pmrunlog setting in the /etc/opt/quest/pm.settings file.

Policy Editor

The configuration file contains the security policy that pmmasterd will consider when it accepts or rejects user requests. The configuration file can specify constraints based on a number of attributes.

Users submit their requests to run certain programs as root or another important account through Privilege Manager using pmrun. The master daemon, pmmasterd, examines each request from pmrun, and either accepts or rejects it based upon the policies specified in the Privilege Manager configuration file.

The configuration file contains statements and declarations in a language specifically designed to express policies concerning the use of root and other controlled accounts. The configuration file allows you to set the detailed policies considered by pmmasterd when it accepts or rejects requests from pmrun. For further information, refer to Chapter 4 - Configuration of the Quest Privilege Manager for Unix Installation and Administration Guide.

The Policy Editor enables you to edit the contents of the Policy file. Click Policy Editor to display the Policy Editor window:

Figure 8: Privilege Manager File Editor - Policy Files

Select the policy file to edit from the list displayed. The contents of the policy are displayed:

Figure 9: Privilege Manager Policy Editor - Policy File Editor

Verify Rules

Use the Verify Rules option to test the validity of rules before you include them in the policy. To simulate a user submitting a command to Privilege Manager, enter the information in the fields on the Verify Rules dialog and press Simulate command. The only required field is the command.

Click Verify Rules to display the Rules Verification dialog:

Figure 10: Privilege Manager Configuration - Verify Rules

The fields on the Rules Verification dialog are described below:

Table 8: Privilege Manager - Verify Rules

FIELD NAME: DESCRIPTION
Command: the Unix command that the user will submit (will be included in the Policy).
Run Host: the name of the host from which the command will be run.
Run User: the name of the user permitted to run the command (default is root).
Submit Host: the name of the host from which the command can be submitted.

When you have completed the fields, click Simulate Command.

Auditing and Logging

  Auditing
  Session Logs
  Event Log
  pmmasterd Log
  pmlocald Log
  pmrun Log

Auditing

The Audit facility enables you to view the following logs:

  session logs
  event log.

Figure 1: Audit

Session Logs

Select Session Logs to display all of the input and output that has been logged for a specific job. Select the session log file that you want to view from the list of session logs displayed.

Figure 2: Privilege Manager Session Log

Event Log

Select Event Log to display all requests, whether accepted or rejected, and when a job finishes.

Figure 3: Event Log

Logging

The Logging facility enables you to selectively display the log files generated by the Privilege Manager components. Select Logging, then click the required log file:

  pmmasterd log
  pmlocald log
  pmrun log

pmmasterd Log

The pmmasterd log displays a list of errors generated by the pmmasterd daemon program. To display the contents of pmmasterd log, click pmmasterd log. To search for specific information, enter the keyword(s) in the Search field and then click Go. Only error messages containing the keywords you entered are displayed.

Figure 4: pmmasterd Log File

pmlocald Log

The pmlocald log stores the error messages generated by the pmlocald daemon program. To display the contents of pmlocald log, click pmlocald log. To search for specific information, enter the keyword(s) in the Search field and then click Go. Only error messages containing the keywords you entered are displayed.

Figure 5: pmlocald Log File

pmrun Log

The pmrun log displays error messages generated by the pmrun daemon program. To display the contents of pmrun log, click pmrun log. To search for specific information, enter the keyword(s) in the Search field and then click Go. Only error messages containing the keywords you entered are displayed.

Figure 6: pmrun Log File

For full details of Privilege Manager auditing and logging, and the logging configuration commands, refer to Chapter 4 - Configuration and Usage of the Quest Privilege Manager Installation and Administration Guide.
