Novell PRIVILEGED USER MANAGER 2.2.1 - ADMINISTRATION GUIDE 03-31-2010 Administration Manual


AUTHORIZED DOCUMENTATION
Administration Guide
Novell
®
Privileged User Manager
2.2.1
March 31, 2010
www.novell.com
Novell Privileged User Manager 2.2.1 Administration guide


Summary of Contents for Novell PRIVILEGED USER MANAGER 2.2.1 - ADMINISTRATION GUIDE 03-31-2010

  • Page 1 AUTHORIZED DOCUMENTATION Administration Guide Novell ® Privileged User Manager 2.2.1 March 31, 2010 www.novell.com Novell Privileged User Manager 2.2.1 Administration guide...
  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents About This Guide 1 Welcome to the Framework Introduction to the Framework ..........13 1.1.1 Framework Manager .
  • Page 6 Defining Custom Attributes ..........77
  • Page 7 5.5.5 Functions ............77 5.5.6 Adding a Category .
  • Page 8 Load Balancing ............140
  • Page 9 9 Command Control Components 10 Command Line Options 10.1 The unifi Options ............145 10.2 Command Control Options.
  • Page 11: About This Guide

    (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
  • Page 13: Welcome To The Framework

    Section 1.2, “The Workspace Layout,” on page 15 1.1 Introduction to the Framework Novell Privileged User Manager uses a Framework as the base layer to provide an easy-to-use enterprise architecture into which Privileged User Manager modules are added to create the necessary problem-solving functionality.
  • Page 14: Framework Manager Console

    The Framework Manager console is the default user interface for the Framework. It allows configuration and management of the Framework through a graphical user interface. For a description of this console, see Section 1.2, “The Workspace Layout,” on page
  • Page 15: The Workspace Layout

    1.1.3 Framework Agent The Framework Agent is the client component of the Framework. It is responsible for receiving and carrying out instructions from the Framework Manager on all hosts. The following Framework Agent packages are installed on all Framework hosts: Registry Agent (regclnt): Provides a local cached lookup for module locations.
  • Page 16: Navigation Pane

    Chapter 2, “Managing Package Distribution,” on page 1.2.3 Task Pane The task pane on the left of the screen contains options that are applicable to the current Framework Manager console display.
  • Page 17 The items in the top frame change, depending upon what is selected in the navigation pane.
  • Page 19: Managing Package Distribution

    There are two options for downloading packages to a Package Manager: You can download packages directly from the Novell Update Server. You can download packages from the Novell Update Server onto a local server, then download packages from this local server to your Framework hosts.
  • Page 20: Adding Packages To The Package Manager

    To select multiple packages, press the Ctrl key and select the packages one at a time, or press the Shift key to select a consecutive list of packages. To select all packages, use Ctrl+A. 4 Click Next to start downloading.
  • Page 21: Managing The Workspace

    5 Click Finish. 6 If updates were available, continue with Section 3.4.2, “Updating Packages for a Host,” on page 35 to install these packages on your hosts. 2.1.4 Removing Packages 1 Click Package Manager on the home page of the console. 2 In the list of available packages, select the packages you want to remove. To select multiple packages, press the Ctrl key and select the packages one at a time, or press the Shift key to select a consecutive list of packages.
  • Page 22: Updating Consoles In The Framework Manager Console

    3 Click Next to start installing. 4 Review the list of updated consoles. 5 Click Finish. NOTE: After updating a console, you must shut down and reopen the Framework Manager console to see the changes.
  • Page 23: Managing Framework Hosts

    Managing Framework Hosts The Hosts console provides a hierarchical view of all currently defined hosts. Each host machine on which you have installed managers and agents must be added to the Framework Manager console through the Hosts console. Hosts are identified to the Framework Manager console by a unique agent name that is used to register the manager or agent after installation.
  • Page 24: Modifying A Domain

    IMPORTANT: This action cannot be undone. 1 Click Hosts on the home page of the console. The navigation pane displays the current hierarchy for your Framework. 2 In the navigation pane, select the domain you want to delete.
  • Page 25: Managing Hosts

    For instructions on this process, see “Installing and Registering a Framework Agent ” in the Novell Privileged User Manager 2.2.1 Getting Started Guide. 3.2.2 Viewing Host Details 1 Click Hosts on the home page of the console. 2 In the navigation pane, select the domain containing the hosts whose details you want to view.
  • Page 26: Modifying A Host

    2 In the navigation pane, select the host you want to modify. 3 In the task pane, click Modify Host. 4 Modify the general details: Agent name: Specify a display name for this agent.
  • Page 27: Moving A Host

    Encrypt: Select the databases you want to encrypt. Use care in selecting the databases you enable for encryption. Encrypting the data can affect performance. Novell recommends the following: auth.db, because it contains usernames, and registry.db, because it contains the hostnames.
  • Page 28: Deleting A Host

    Database and Standard Location / Description:
    admin.db (/opt/novell/npum/service/local/admin/): Not used.
    admin.ldb (/opt/novell/npum/service/local/admin/): Not used.
    audit.db (/opt/novell/npum/service/local/audit/): Contains all configured report definitions and the settings for roll over.
    audit.ldb (/opt/novell/npum/service/local/audit/): Contains role history and the metadata for audit logs.
  • Page 29 Database and Standard Location / Description:
    auth.db (/opt/novell/npum/service/local/auth/): Contains fully replicated authorization data including user details and settings for access to the Framework Manager console.
    auth.ldb (/opt/novell/npum/service/local/auth/): Not used.
    cmdctrl.db (/opt/novell/npum/service/local/cmdctrl/): Contains rules and configuration for Command Control.
    cmdctrl.ldb: Not used.
  • Page 30: Monitoring Hosts

    Framework Manager console when errors occur, and allows you to view the status of each host: Section 3.3.1, “Viewing the Host Log,” on page 31 Section 3.3.2, “Modifying Log Settings,” on page 31
  • Page 31: Viewing The Host Log

    Info displays Information, Warning, and Error messages. Debug displays Debug, Information, Warning, and Error messages. Trace displays Trace, Debug, Information, Warning, and Error messages. The Debug and Trace settings are primarily for the use of Novell Support.
  • Page 32: Example Rollover Script

    Show all tasks: Click Show all tasks to have the log show all tasks. The Show all tasks option is primarily for the use of Novell Support. Rollover: Select the rollover point from the drop-down list to specify when the log file is overwritten with new information.
  • Page 33: Modifying Alert Settings

    The existence of system alerts is indicated by a flashing Framework icon in the bottom right corner of the screen. 1 Click the icon to display the System Alerts page. 2 To clear the existing alerts, click Finish. 3 To close the System Alerts page without clearing the existing alerts, click Cancel. The Framework icon continues to flash.
  • Page 34: Viewing The Host Status

    Maximum Memory (MB): If the memory used by the host exceeds the value in this field, a warning indicator is displayed. 6 To view a host’s details, double-click the host or click Close to return to the hierarchical view.
  • Page 35: Managing Host Packages

    To use a command line option to view the status, see Section 10.5.3, “Agent Status,” on page 151. 3.4 Managing Host Packages Section 3.4.1, “Finding Packages on Hosts,” on page 35 Section 3.4.2, “Updating Packages for a Host,” on page 35 Section 3.4.3, “Rolling Back Packages,”...
  • Page 36: Rolling Back Packages

    If the current package does perform correctly in your environment, you can commit the package, which frees up disk space by deleting the files in the backup directory. If your hosts have limited disk space, Novell recommends that you commit the packages on all hosts before performing the next update.
  • Page 37: Registering And Unregistering Packages For A Host

    3.4.5 Registering and Unregistering Packages for a Host If you want to stop a package from functioning without removing it completely, you can unregister it. You can then register it again later if necessary. Packages are automatically registered when you add them, so you only need to register them if you have previously unregistered them.
  • Page 38: Uninstalling Packages From A Host

    1 Click Hosts on the home page of the console. 2 Select the host where the Compliance Auditor and Messaging Component are installed. 3 Click Packages to view details of the packages installed on this host.
  • Page 39: Increasing The Security When Accessing The Framework Manager Console

    4 Select the Messaging Component (msgagnt). 5 Click SMTP Settings in the task pane. 6 Configure the following fields: SMTP Host: Specify the IP address of your e-mail server. SMTP Port: Specify the port of your e-mail server. SMTP Domain: If you are using a Lotus* Notes* server, specify the name of your SMTP domain.
  • Page 40: Modifying The Connector

    Manager packages on all other manager hosts act as backups. If your primary manager becomes unavailable, you can select single or multiple manager packages on a host to be promoted to primary status.
  • Page 41: Viewing Store And Forward Messages

    Novell recommends having one agent designated as a complete mirror of your primary manager. In event of a total failure of the primary manager, you can log into the backup console and promote it to primary status with no disruption of Privileged User Manager services.
  • Page 42: Managing Low Disk Space

    (default: 500ms): Time in milliseconds to delay the audit request. backoff_action (default: block): Either block, fail, or allow. The following Command Control script illustrates how to change these settings:
    my $t=$meta->child("Audit");
    $t=$meta->add_node("Audit") if(! $t);
    $t->arg("disk_min_free","10");
    $t->arg("disk_wm_free","20");
    return 1;
  • Page 43: Restarting The Agent

    Ctrl+A. 3 Click Restart Agent in the task pane. 4 Select the type of restart you want to perform, as advised by Novell Support. Soft restart: Reloads the module libraries and resets the service uptime. Hard restart: Restarts the daemon, reloads all modules, and resets the service uptime.
  • Page 44: Time Synchronization

    8 Click Close. Clearing the Registry Cache Novell Support might advise you to try clearing the registry cache if you have communication problems among Privileged User Manager components. The registry cache is held by the Registry Agent and contains a list of manager and agents in your Framework, copied from the Registry Manager.
  • Page 45: Managing Framework Users And Groups

    Managing Framework Users and Groups Privileged User Manager provides comprehensive user management facilities to control access to the Framework consoles. The admin user created when the Framework is initially installed belongs to the admin group, which has full access to all installed consoles and can perform all tasks. You can use this user account to create additional user accounts and groups through the Framework User Manager console, which is part of the Access Control module.
  • Page 46 Last changed: Displays the last time the password was changed and allows the help desk user to reset it to the current date and time. Bad logons: Displays the number of bad logins and allows the help desk user to reset the count.
  • Page 47: Adding A Framework User

    Last bad logon: Displays the time and date of the last bad login and allows the help desk user to reset it to the current date and time. Last logon: Displays the last successful login of the user and allows the help desk user to reactivate the account.
  • Page 48 Last changed: Indicates when the password was last changed by the user, or, if the password has not yet been changed by the user, indicates when the user and password were created.
  • Page 49 Reset password age: Select the Reset password age check box to reset the age of the password to zero. The user can use the password for the full number of days defined in Password lifetime (days) (see Section 4.1.1, “Configuring Account Settings,” on page 45), or in the Maximum age field if it has been configured.
  • Page 50 “Modifying an Account Group” on page 91 “Modifying a User Group” on page 88) and in the Compliance Auditor (see Section 7.3.1, “Adding or Modifying an Audit Report,” on page 126). 5 Click Finish or select another option.
  • Page 51 Location definition types (Type / Description):
    A network/netmask pair, such as 192.168.1.0/255.255.255.0
    network/nnn CIDR: A network/nnn CIDR, such as 192.168.11.0/24
    hostname: A hostname, such as dellsrv1.novell.com
    domain: A domain name, such as *.novell.com
    4f In the Allow column, click the check box. 4g Repeat Step 4c through Step 4e for any other required location definitions.
  • Page 52 6 In the Host column, select the hostname for the UNIX or Linux platform. 7 Repeat Step 4 through Step 6 for any additional maps you require. 8 To edit a native map, select it and make the required changes.
  • Page 53 3 Click Native Maps. 4 Click Add. 5 In the User column, specify the user’s fully qualified distinguished name. For example: cn=plou,ou=development,o=novell 6 In the Host column, specify the scheme (ldap or ldaps) and IP address of the LDAP server. Specify a port only if the LDAP server is not using the standard port for the scheme.
  • Page 54: Removing A Framework User Group From A User

    3 Click Add Group in the task pane. 4 Specify a name for the group in the Group name field. 5 Click Finish. 6 To configure the group, continue with Section 4.2.2, “Modifying a Framework User Group,” on page
  • Page 55: Modifying A Framework User Group

    4.2.2 Modifying a Framework User Group The Modify Group option allows you to: Add a comment describing the group Add users and subgroups to the group Define administrative roles for the group Specify an audit manager for the group. To modify a Framework user group: 1 Click Framework User Manager on the home page of the console.
  • Page 56: Configuring Roles

    Framework Manager users and groups. Roles for the auth module (Module / Role / Allows users to):
    auth / act_settings: Modify account settings.
    auth / admin: Add or delete users and groups, and assign users to groups.
    auth / console: View the Framework User Manager console.
  • Page 57 Role helpdesk: Allows users to modify the user account settings. To change which attributes are available for modification, see Section 4.1.1, “Configuring Account Settings,” on page For information on how to use this role to create a Help Desk group that can manage user passwords, see Section 4.2.3, “Configuring a Help Desk Group,”...
  • Page 58 Audit Role field on the Modify Audit Rule page. You can choose your own name for the role. Section 7.2.1, “Adding or Modifying an Audit Rule,” on page 124 for details about configuring audit rules.
  • Page 59 Roles (Module / Role / Allows users to):
    audit / read: View a keystroke replay.
    auth / read: Extract user credentials, including name and e-mail address, from the auth database for use with reports.
    Host Roles: The following roles can be assigned to the host module in order to control access to the Hosts console.
  • Page 60: Deleting A Framework User Group

    Chapter 2, “Managing Package Distribution,” on page 19 for details. 2 Install the Registry Manager on the host you want to be the Access Manager, then install the Access Manager on the same host.
  • Page 61: Changing A Framework User's Password

    This can be on any operating system, including Windows*. See Section 3.4.6, “Installing Packages on a Host,” on page 37 for details. The packages can be deployed to as many hosts as you need in order to build an environment with load balancing and failover. 3 Install the Administration Manager on the same host or a different host.
  • Page 63: Command Control

    Command Control The Command Control feature provides UNIX and Linux users with controlled access to privileged commands in a secure manner across the enterprise. Command Control enables the complete lockdown of user privilege by providing rules to determine the commands that are authorized to be run, and a powerful account delegation feature that removes the need for common access to the account.
  • Page 64: Integrating Command Control Into User Environments

    These shells and functions allow you to integrate Command Control into the UNIX and Linux user environments. Crush is normally used to audit users who do not need any additional privileges. With Novell Privileged User Manager, you can change a user’s login shell to crush (...
  • Page 65 usrun [-b] [-p] [-t] [-x] [-u <user>] [-h <host>] <command>
    Option / Description:
    -b: Puts the execution of the command into the background.
    -p: Provides a pipe compatibility option for competitive products. It is only used for a competitive swap-out.
    -t: Provides a test command option that tests the specified command against the rule structure.
  • Page 66: Using Rush For Privileged Sessions

    /usr/bin/rush. The Command Control Audit level is set to 1, which enables an additional level of audit to use with the Command Risk. Rewrite: Specify the following: /usr/bin/rush -o audit 1
  • Page 67 Commands: Specify the following commands, each on a separate line. rush shell 2e Click Finish. 3 Add an Account User Group for the rush shell: 3a Click Account Groups > User Groups, then click Add User Group in the task pane. 3b Specify a name, then click Finish.
  • Page 68: Using Crush For Complete Session Capture

    3c Select your crush user group, then click Modify User Group. 3d Fill in the following fields: Description: Explain the purpose of this user group. Specify something similar to the following: Defines the user accounts that can use the crush command.
  • Page 69: Using Rush For Complete Session Control

    Users: Specify the usernames of the users on your Linux and UNIX hosts that have your permission to use the crush command. 3e Click Finish. 4 Add a crush rule: 4a Click Rules > Add Rule. 4b Specify a name, then click Finish. 4c Select your crush command, then drag it to your crush rule.
  • Page 70: Using Shell Scripts

    With this method, the user would simply select options from the menu to perform their privileged tasks. Either method requires a shell script that executes under the rush shell and performs remote authorization. For example:
  • Page 71: Importing Command Control Configuration Data

    #!/usr/bin/rush
    set -o remote
    passwd $*
    This script executes the rush client, sets it to use Command Control, and executes the passwd command. 5.3 Importing Command Control Configuration Data You can import a complete command control configuration database, including test suites, using the Import Settings option, or you can import test suites only, using the Import Test Suites option under Test Suites.
  • Page 72: Importing Command Control Samples

    Exporting Command Control Settings,” on page 146. 5.3.3 Importing Command Control Samples Novell has provided a set of sample commands and Perl scripts to assist you with configuring your Command Control rules. To add these samples to your configuration: 1 Click Command Control on the home page of the console.
  • Page 73: Enabling Transactions And Configuring Settings

    5.4.1 Enabling Transactions and Configuring Settings You can configure the Command Control Manager to require the Transactions feature to be used when configuring Command Control rules. You can also configure your own Commit Transaction page to be used for committing a transaction. The data entered on the Commit Transaction page can be viewed in the Compliance Auditor.
  • Page 74: Configuring Command Control

    Section 5.5.7, “Deleting a Category,” on page 79 Section 5.3, “Importing Command Control Configuration Data,” on page 71 Section 5.4, “Command Control Transactions,” on page 72 Section 5.12, “Test Suites,” on page 107
  • Page 75: Defining Audit Settings

    5.5.1 Defining Audit Settings All Command Control audit records contain the following information: Submit details such as the submitting username, hostname, and primary group. Target details such as the run username and the run hostname. Command details, which include the original command requested and the actual command run. Authorization status, either yes or no.
  • Page 76: Backing Up And Restoring

    3 Click Find References in the task pane. The groups or rules in which the entity is referenced are displayed. 4 To go to one of the listed groups or rules, double-click it, or to return to the navigation pane, click Close.
  • Page 77: Defining Custom Attributes

    5.5.4 Defining Custom Attributes Custom attributes can be defined for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in scripts. For example, you could set an expiration date as a custom attribute for a user group, check for this date in your script, then expire the user group when the date is reached.
  • Page 78 Script keywords (Keyword / Description):
    Calling user’s primary group ID
    ${gecos}$: Calling user’s gecos
    ${home}$: Calling user’s home directory
    ${shell}$: Calling user’s shell
    ${cwd}$: Calling user’s current working directory
    ${lhost}$: Local hostname
    ${rhost}$: Remote hostname
    ${pid}$: PID of the individual call (udsh)
  • Page 79: Adding A Category

    Keyword / Description: ${ppid}$: PID of the udsh. 5.5.6 Adding a Category You can use the appropriate Add Category option to group your account groups, user groups, host groups, commands, scripts, and access times into categories for ease of use and maintenance. 1 Click Command Control on the home page of the console.
  • Page 80: Adding A Rule

    Section 5.6.13, “Deleting a Rule,” on page 86 Section 5.6.14, “Viewing Pseudocode,” on page 86 5.6.1 Adding a Rule 1 Click Command Control on the home page of the console. 2 Click Rules in the navigation pane.
  • Page 81: Modifying A Rule

    3 To add a rule at the top level, click Add Rule in the task pane. To add a rule as a child of another rule, select the rule and click Add Rule in the task pane. 4 Specify a name for the rule. 5 Click Finish.
  • Page 82: Setting Conditions For A Rule

    7a Change user (submit user) to run user. 7b Leave the logic setting as IN. 7c Select the user group you require from the user group drop-down list.
  • Page 83: Removing Conditions For A Rule

    8 Repeat Step 6 Step 7 for any other conditions you want. Set the condition logic as necessary. You can use parentheses to group conditions according to the necessary logic by selecting the parentheses ( ) entry from the Add Condition drop-down list. The opening and closing parentheses are displayed.
  • Page 84: Assigning A Script To A Rule

    Shift key to select a consecutive list of scripts. 5 Click Remove Script in the task pane. 6 Click Yes to confirm the removal. The scripts are removed from the rule.
  • Page 85: Finding A Rule

    5.6.9 Finding a Rule 1 Click Command Control on the home page of the console. 2 Click Rules in the navigation pane. 3 To find a rule from the entire list of rules, click Find Rule in the task pane. To find a rule in a set of rules, select the parent rule, then click Find Rule.
  • Page 86: Linking A Rule

    3 Select the rule for which you want to view the pseudocode. 4 Click Pseudocode in the task pane. You can copy the pseudocode by using Ctrl+A or Ctrl+C, then paste it into a document for printing. 5 Click Close.
  • Page 87: Command Control Groups

    5.7 Command Control Groups Command Control has three types of groups: User Groups: Contain users with similar responsibilities. This allows you to use the group as a condition for a rule, which either allows or denies the users the rights to run commands. Host Groups: Contain hosts with similar content.
  • Page 88 Users: Add or change the users you want to include in this group. You can type the user names, one on each line, or paste them from elsewhere. You can use the Sort button to sort the list of users into alphabetical order.
  • Page 89: Host Groups

    /usr/bin/vi * To add a regular expression term to the list, prefix the regular expression with =~. For example, =~/^vi .*$/ =~\w+\.novell\.com The following sections explain how to manage host groups: “Adding a Host Group” on page 90 “Modifying a Host Group” on page 90 “Deleting a Host Group”...
  • Page 90: Adding An Account Group

    The host groups are deleted, and are also removed from any account group, rule conditions, and script entities in which they have been defined. 5.7.3 Adding an Account Group To add a new account group: 1 Click Command Control on the home page of the console.
  • Page 91: Modifying An Account Group

    2 Click Account Groups in the navigation pane. 3 To add an account group at the top level, click Add Account Group in the task pane. To add an account group to a category, select the category and click Add Account Group in the task pane. For information about categories, see Section 5.5.6, “Adding a Category,”...
  • Page 92: Copying A Group

    1 Click Command Control on the home page of the console. 2 From the Command Control Sample Scripts, add the Enhanced Access Control Policy script. 3 Drag the Enhanced Access Control Policy script from Scripts on to Authorizing Rule.
  • Page 93 4 Click on the Authorizing Rule and access the Script Arguments. 5 Create a script argument with a name policy and add that policy into the Value field. Path Policy A path policy restricts an application from accessing a specific directory based on the path. The syntax of a path policy is as below: path [owner] <path>...
  • Page 94: Commands

    You can also use commands as script entities. To add a new command: 1 Click Command Control on the home page of the console. 2 Click Commands in the navigation pane.
  • Page 95: Modifying A Command

    3 To add a command at the top level, click Add Command in the task pane. To add a command to a category, select the category and click Add Command in the task pane. 4 Specify a name for the command. This can be different from the name of the actual command you want to control.
  • Page 96 Replace <n> with one of the following values: 0: Disables auditing. It has the same effect as removing the audit setting from the Rewrite field. 1: Enables auditing of all commands that are not built into the user's shell.
  • Page 97: Setting The Command Risk

    2: Enables auditing of all commands, including commands that are built into the user's shell. This level of auditing can affect login times. 5.8.3 Setting the Command Risk This option allows you to set a value representing the relative risk of a command when using the rush or crush clients with the session auditing option (see Section 5.2, “Integrating Command Control into User Environments,”...
  • Page 98: Moving A Command

    Section 5.9.1, “Adding a Script,” on page 99 Section 5.9.2, “Modifying a Script,” on page 99 Section 5.9.3, “Copying a Script,” on page 99 Section 5.9.4, “Moving a Script,” on page 100
  • Page 99: Adding A Script

    Section 5.9.5, “Deleting a Script,” on page 100 Section 5.9.6, “Sample Scripts,” on page 100 5.9.1 Adding a Script You can add your own custom attributes for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in your scripts. See “Defining Custom Attributes”...
  • Page 100: Moving A Script

    To understand what is available, see the sample scripts in the following sections. “Modify Environment Script” on page 101 “Rush Illegal Commands Script” on page 103
  • Page 101 To import a sample script, click Command Control > Import Samples > Sample Perl Script. Modify Environment Script This script is used to process environment variables. It has a number of script arguments that can add, delete, clear, and keep environment variables. Argument / Description: Clears all environment variables (unless specifically kept using keepenv)
  • Page 102 "unsetenv" && $a->value() ne "") { delete $env{$a->value()}; } elsif($a->key() eq "setenv" && $a->value() =~ /^(.*)\s*=\s*(.*)$/) { $env{$1}=$2; $meta->del($e); $e=$meta->add_node("Environment"); my $items=0; while(my ($key,$val) = each(%env)) { $e->arg("arg-$items","$key=$val"); $items++; $e->arg_int("items","$items"); return(1);
  • Page 103: Access Times

    Rush Illegal Commands Script When using the rush shell, Command Control has the ability to restrict the commands being run (even as root). This sample script is named illegalcmd, and it restricts the use of the passwd command. This script does not restrict a user that initiates another shell from within a session. When a user does this, Command Control cannot continue a full audit or control the illegal commands, although the session is still captured #to set script argument - name=illegalcmd value= kill *...
  • Page 104: Modifying An Access Time

    1 Click Command Control in the navigation pane on the home page of the console. 2 Click Access Times in the navigation pane. 3 Select the access time you want to move.
  • Page 105: Deleting An Access Time

    To move multiple access times in the same category, press the Ctrl key and select the required access times one at a time, or press the Shift key to select a consecutive list of access times. 4 Drag the selected access time to the desired location. 5.10.5 Deleting an Access Time 1 Click Command Control on the home page of the console.
  • Page 106: Modifying A Command Control Report

    4 To create the copy, press the Ctrl key and drag the selected report to the desired location. 5 If necessary, use the Modify Report option to rename or modify the copy, as explained in “Modifying a Command Control Report” on page 106.
  • Page 107: Moving A Command Control Report

    5.11.4 Moving a Command Control Report 1 Click Command Control on the home page of the console. 2 Click Reports in the navigation pane. 3 Select the report you want to move. To select multiple reports in the same category, press the Ctrl key and select the required reports one at a time, or press the Shift key to select a consecutive list of reports.
  • Page 108: Adding Or Modifying A Test Case

    Run Host: (Optional) When the submit user is requesting to run the command on a specific host, specify the hostname that is being requested. For example, if the user would enter the following on the command line: usrun -h hosta ksh
  • Page 109: Running A Test Suite

    Specify the following as the run host: hosta User Input: (Optional) Use this field to specify the information that a script, associated with the Command Control policy, expects the user to enter. Expected command: (Optional) Use this field to confirm that the command being executed is the correct command.
  • Page 110: Viewing A Test Suite

    4 Click View Test Suite in the task pane. 5 Select the test case you want to delete. 6 Click Delete Test Case in the task pane. 7 Click Yes to confirm the deletion. The test case is deleted.
  • Page 111: Deleting A Test Suite

    5.12.7 Deleting a Test Suite 1 Click Command Control on the home page of the console. 2 Click Test Suites in the task pane. 3 Select the test suite you want to delete. To select multiple test suites, press the Ctrl key and select the required test suites one at a time, or press the Shift key to select a consecutive list of test suites.
  • Page 112: Deploying Command Control

    5.13.4 Installing Command Control To deploy Command Control: 1 Download the required packages to your local Package Manager. See Section 5.13, “Deploying Command Control,” on page 112 for details.
  • Page 113 2 Install the Command Control Manager package on the host you want to be the Command Control Manager. This can be on any operating system, including Windows. See Section 3.4.6, “Installing Packages on a Host,” on page 37 for details. Command Control Managers can be deployed to as many hosts as you need in order to build an environment with load balancing and failover.
  • Page 114
  • Page 115: Managing Audit Reports

    Managing Audit Reports Privileged User Manager enables auditing of events at several levels, such as keystroke logging, command authorization, and login success or failure. The Reporting console allows you to view these records and manage them. Section 6.1, “Audit Settings,” on page 115 Section 6.2, “Encryption Settings,”...
  • Page 116: Encryption Settings

    Start Session: Sends an event when a user starts a Privileged User Manager session on a host. Session Terminate: Sends an event when a user logs out of the Privileged User Manager session.
  • Page 117: Command Control Reports

    Command Audit: If you have enabled auditing on the user’s session or on commands, this option sends all audited events as syslog events. For information on configuring commands for auditing, see “Configuring Auditing with the Rewrite Functionality” on page For information on using a .profile file to enable session auditing, see Section 5.2.4, “Using rush for Complete Session Control,”...
  • Page 118: Adding A Report

    Audit Status If the record has been referenced in the Compliance Auditor, displays the name of the compliance rule and the status. Audit ID Displays the unique ID of the audit record.
  • Page 119: Filtering The Viewable Records

    6.4.3 Filtering the Viewable Records Use the Filter tab to build a list of matching conditions that allows you to customize the records that are displayed in the Report Data tab. This allows you to build reports that show only the information that your users require.
  • Page 120: Modifying General Report Information

    4 Click the Log Files tab in the navigation pane. 5 Select the log files that are required for the report. To include all available log files, select the All log files box. 6 Click Apply.
  • Page 121: Replaying Keystrokes

    6.4.6 Replaying Keystrokes Where a rule has been configured to capture session information, you can review the entire session in the report. 1 Click Reporting on the home page of the console. 2 Click Command Control Reports in the navigation pane. 3 Select the report in the navigation pane.
  • Page 122: Generating An Activity Report

    4 Click Activity Report in the task pane. The navigation pane displays the selected activity report. 5 To print the report, click Print. 6 To return to the list of reports, click Cancel.
  • Page 123: Compliance Auditor

    Compliance Auditor The Compliance Auditor collects, filters, and generates reports of audit data for analysis and sign-off by authorized personnel. The Compliance Auditor can be used in conjunction with Command Control to enable auditors to view security transactions and play back recordings of user activity. Auditors can record notes against each record, creating permanent archives of activity.
  • Page 124: Compliance Audit Rules

    124. 7.2.1 Adding or Modifying an Audit Rule You can add, modify, and disable audit rules, but you cannot delete them. 1 Click Compliance Auditor on the home page of the console.
  • Page 125: Compliance Audit Reports

    2 Click Audit Rules in the task pane. 3 Select one of the following: To add a new rule, click Add Rule in the task pane. To modify an existing rule, select the rule, then click Modify Rule. To copy an existing rule and modify it, select the rule, then click Copy Rule. 4 Configure the following fields: Rule Name: Specify a name for your rule.
  • Page 126: Adding Or Modifying An Audit Report

    You can view the format in XML of the object tokens passed into the audit report by entering $<>$ in the Report Template field, deselecting the HTML check box, then clicking Test Report (ensure that you have defined a Report Target). To view just the user subtree, use $<User>$
  • Page 127: Sample Command Control Report Template

    The tokens that appear are dependent upon what has been configured for the users. If the ACT_EMAIL.value token is not present for the target, an email address has not been defined for the user. For user configuration information, see Section 4.1.3, “Modifying a Framework User,”...
  • Page 128 ($total > 0) { %> <style type="text/css"> <!-- .style1 { color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; } .style2 { color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; font-weight:bold; } .style4 { color: #000000 } -->
  • Page 129 </style> <p class="style1"> Hello $User.ACT_FULL_NAME.value$,<br/> <br/> This is an automated event notification email from the Compliance Auditor. <br/> <br/> It is the responsibility of management to log into the Compliance Auditor each day and review their team's keystroke logs. <br/> <br/> Please log on to the Compliance Auditor at your earliest convenience using this link: <a href="https://admin.company.com">https://admin.company.com</a></p>...
  • Page 130 $tme = $ar->{'cmdctrl'}->{'time'}; $tme = localtime($tme); %> <tr class="style1"> <td><%= "$tme" %></td> <td><%= "$usr" %></td> <td><%= "$ras" %></td> <td><%= "$hst" %></td> <td><%= "$cmd" %></td> </tr> <% } %> </table> <br/> <% my $gt20 = @gt20;
  • Page 131: Deleting A Report

    %> <span class="style2">Events &gt; 20 days old (<%= "$gt20" %>)</span> <table border="1"> <tr class="style1"> <td>Time</td> <td>User</td> <td>Run As</td> <td>Host</td> <td>Command</td> </tr> <% foreach my $ar (@gt20) { my $cmd = $ar->{'cmdctrl'}->{'cmd'}; my $usr = $ar->{'cmdctrl'}->{'user'}; my $ras = $ar->{'cmdctrl'}->{'runAs'}; my $hst = $ar->{'cmdctrl'}->{'host'}; my $tme = $ar->{'cmdctrl'}->{'time'};...
  • Page 132: Viewing A Compliance Audit Record

    Section 7.4.7, “Managing Archived Records,” on page 136 7.4.1 Viewing a Compliance Audit Record 1 Click Compliance Auditor on the home page of the console. 2 Select the record you want to view.
  • Page 133: Viewing And Editing A Command Control Keystroke Report

    3 Click View Record in the task pane. Record data for this event is shown, including the submit user and host, the run user and host, the command, whether it was authorized by Command Control, and whether the session was captured.
  • Page 134: Viewing A Change Management Audit Record

    To edit an audit record: 1 Click Compliance Auditor on the home page of the console. 2 Select the record you want to edit. 3 Click View Record in the task pane. 4 Click Edit Record.
  • Page 135: Archiving Records

    5 (Optional) Authorize the event: 5a Select the Authorized check box. 5b In the Note field, specify a note to be displayed on the event list and event record. 5c In the Comment field, specify a comment to be permanently displayed in the History on the View Record page.
  • Page 136: Managing Archived Records

    * to deny access to all other commands. The allowed entries must be above the entry. By default, all commands are allowed. commands deny all 9 (Optional) Remove an attribute by selecting it and then clicking the Remove button.
  • Page 137: Deleting A User Acl

    10 (Optional) Modify an entry by selecting it, then specifying the changes. 11 Click Finish. 7.5.2 Deleting a User ACL 1 Click Compliance Auditor on the home page of the console. 2 Click Access Control in the task pane. 3 Select the user for whom you want to delete an ACL. 4 Click Delete User ACL in the task pane.
  • Page 138
  • Page 139: Load Balancing And Failover

    Load Balancing and Failover The load balancing and failover features work by using a hierarchical view of the hosts associated with the Framework. The hierarchy of hosts is created by using the Hosts console to group hosts into domains and subdomains, which are representative of your enterprise network structure.
  • Page 140: Load Balancing

    Framework. Replication takes place automatically when the manager is initially deployed and then again at any stage when the data on the primary manager is modified.
  • Page 141 The following packages can be load balanced: Registry Manager: Maintains a database of all hosts and modules and provides certificate-based registration features for the hosts. Package Manager: Manages a repository for packages. Administration Agent: Provides the functionality for the Web-based user interface. Consoles can be installed on the Administration Agent and used to control product features.
  • Page 142
  • Page 143: Command Control Components

    Command Control Components The components of the Command Control module interact with other Privileged User Manager modules as indicated in the following table. Table 9-1 Command Control Components Component Description Command Control Console: Provides the user interface with the Command Control database to allow creation and management of Command Control rules.
  • Page 144 Command Control events, as well as captured sessions and replay. Available on all supported platforms. Interacts with: Audit Manager: Contains the audited information. Reporting: Parent console of the Command Control Reports console.
  • Page 145: Command Line Options

    To use the command line options, change to the unifi directory: Linux/UNIX: /opt/novell/npum/sbin/unifi Windows: <Drive>:\Program Files\Novell\npum\sbin\unifi The following sections assume that you are running the commands from the unifi directory. If you are using the new Windows power shell, replace the of the syntax with .
  • Page 146: Command Control Options

    Specifies where to export the configuration to. Replace <arg> with a filename or a path and filename. Specifies that the configuration should be exported in clear text. This option cannot be used with the -p option.
  • Page 147: Backing Up And Restoring A Command Control Configuration

    Options Description -p <pwd> Specifies an encryption password for the file. If a password is specified, the password must be entered when importing the file. This option cannot be used with the -c option. The import command has the following syntax: Linux Syntax: ./unifi -n cmdctrl import [options] If you have not mapped your local account to a Framework Manager user (see...
  • Page 148 --? delete Sample Commands To back up the database: ./unifi -n cmdctrl backup -t "Added the ls command." To restore the second backup in the list: ./unifi -n cmdctrl restore -n 2
  • Page 149: Running Test Suites

    10.2.3 Running Test Suites The test suite options allow you to run part or all of the Command Control test suites. Syntax: ./unifi -n cmdctrl runTest [option] If you have not mapped your local account to a Framework Manager user (see “Modify User: Native Maps”...
  • Page 150: Package Manager Options

    IP address of the agent machine, <agent name> with the name of the agent, <admin> with a Framework Manager username, and <password> with the user’s password. For example: ./unifi regclnt register manager1 29120 agent1.domain.com agent1 admin novell
  • Page 151: Finding A Primary Manager Package

    10.5.2 Finding a Primary Manager Package The following command displays details about primary manager packages. It can be run from any host machine, and displays the primary manager information contained in the local machine’s databases. Syntax: ./unifi -n regclnt getManager <package> If you have not mapped your local account to a Framework Manager user (see “Modify User: Native Maps”...
  • Page 152: Compliance Auditor Options

    When executed from a backup host, a command is actually executed on the primary host. If a backup host is promoted to be a primary host, the archived database can be placed on the promoted manager and restored.
  • Page 153 ${ }$ and separated from other options with a comma. The entire string is enclosed in single quotes. For example: -F '${id}$,${reason}$' archive -n <from:to> -p <pwd> -r "<reason>" Creates a database in the /opt/novell/npum/service/local/secaudit directory with the following format: sa-2009-06-05_11-38-43.db Each archived database can then be taken offline (moved to another storage area) and put back in place at any point.
  • Page 154 purge Purges audit records that have been archived. Records that have been purged no longer appear in the Compliance Auditor console. A restore of the archive makes these records viewable again.
