Summary of Contents for Novell PRIVILEGED USER MANAGER 2.2.1 - ADMINISTRATION GUIDE 03-31-2010
AUTHORIZED DOCUMENTATION. Administration Guide: Novell® Privileged User Manager 2.2.1, March 31, 2010. www.novell.com. Novell Privileged User Manager 2.2.1 Administration guide
Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks: For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials: All third-party trademarks are the property of their respective owners.
A greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. About This Guide...
Section 1.2, “The Workspace Layout,” on page 15

1.1 Introduction to the Framework

Novell Privileged User Manager uses a Framework as the base layer to provide an easy-to-use enterprise architecture into which Privileged User Manager modules are added to create the necessary problem-solving functionality.
The Framework Manager console is the default user interface for the Framework. It allows configuration and management of the Framework through a graphical user interface. For a description of this console, see Section 1.2, “The Workspace Layout,” on page 15.
1.1.3 Framework Agent

The Framework Agent is the client component of the Framework. It is responsible for receiving and carrying out instructions from the Framework Manager on all hosts. The following Framework Agent packages are installed on all Framework hosts:

Registry Agent (regclnt): Provides a local cached lookup for module locations.
Chapter 2, “Managing Package Distribution,” on page 19

1.2.3 Task Pane

The task pane on the left of the screen contains options that are applicable to the current Framework Manager console display.
The items in the top frame change, depending upon what is selected in the navigation pane.
There are two options for downloading packages to a Package Manager: You can download packages directly from the Novell Update Server. You can download packages from the Novell Update Server onto a local server, then download packages from this local server to your Framework hosts.
To select multiple packages, press the Ctrl key and select the packages one at a time, or press the Shift key to select a consecutive list of packages. To select all packages, use Ctrl+A. 4 Click Next to start downloading.
5 Click Finish. 6 If updates were available, continue with Section 3.4.2, “Updating Packages for a Host,” on page 35 to install these packages on your hosts.

2.1.4 Removing Packages

1 Click Package Manager on the home page of the console. 2 In the list of available packages, select the packages you want to remove. To select multiple packages, press the Ctrl key and select the packages one at a time, or press the Shift key to select a consecutive list of packages.
3 Click Next to start installing. 4 Review the list of updated consoles. 5 Click Finish. NOTE: After updating a console, you must shut down and reopen the Framework Manager console to see the changes.
Managing Framework Hosts

The Hosts console provides a hierarchical view of all currently defined hosts. Each host machine on which you have installed managers and agents must be added to the Framework Manager console through the Hosts console. Hosts are identified to the Framework Manager console by a unique agent name that is used to register the manager or agent after installation.
IMPORTANT: This action cannot be undone. 1 Click Hosts on the home page of the console. The navigation pane displays the current hierarchy for your Framework. 2 In the navigation pane, select the domain you want to delete.
For instructions on this process, see “Installing and Registering a Framework Agent” in the Novell Privileged User Manager 2.2.1 Getting Started Guide.

3.2.2 Viewing Host Details

1 Click Hosts on the home page of the console. 2 In the navigation pane, select the domain containing the hosts whose details you want to view.
2 In the navigation pane, select the host you want to modify. 3 In the task pane, click Modify Host. 4 Modify the general details: Agent name: Specify a display name for this agent.
Encrypt: Select the databases you want to encrypt. Use care in selecting the databases you enable for encryption. Encrypting the data can affect performance. Novell recommends encrypting the following:

auth.db, because it contains usernames
registry.db, because it contains the hostnames
Database and Standard Location | Description

admin.db (/opt/novell/npum/service/local/admin/) | Not used.
admin.ldb (/opt/novell/npum/service/local/admin/) | Not used.
audit.db (/opt/novell/npum/service/local/audit/) | Contains all configured report definitions and the settings for roll over.
audit.ldb (/opt/novell/npum/service/local/audit/) | Contains role history and the metadata for audit logs.
auth.db (/opt/novell/npum/service/local/auth/) | Contains fully replicated authorization data, including user details and settings for access to the Framework Manager console.
auth.ldb (/opt/novell/npum/service/local/auth/) | Not used.
cmdctrl.db (/opt/novell/npum/service/local/cmdctrl/) | Contains rules and configuration for Command Control.
cmdctrl.ldb | Not used.
Framework Manager console when errors occur, and allows you to view the status of each host: Section 3.3.1, “Viewing the Host Log,” on page 31; Section 3.3.2, “Modifying Log Settings,” on page 31.
Info displays Information, Warning, and Error messages. Debug displays Debug, Information, Warning, and Error messages. Trace displays Trace, Debug, Information, Warning, and Error messages. The Debug and Trace settings are primarily for the use of Novell Support.
Show all tasks: Click Show all tasks to have the log show all tasks. The Show all tasks option is primarily for the use of Novell Support. Rollover: Select the rollover point from the drop-down list to specify when the log file is overwritten with new information.
The existence of system alerts is indicated by a flashing Framework icon in the bottom right corner of the screen. 1 Click the icon to display the System Alerts page. 2 To clear the existing alerts, click Finish. 3 To close the System Alerts page without clearing the existing alerts, click Cancel. The Framework icon continues to flash.
Maximum Memory (MB): If the memory used by the host exceeds the value in this field, a warning indicator is displayed. 6 To view a host’s details, double-click the host, or click Close to return to the hierarchical view.
To use a command line option to view the status, see Section 10.5.3, “Agent Status,” on page 151. 3.4 Managing Host Packages Section 3.4.1, “Finding Packages on Hosts,” on page 35 Section 3.4.2, “Updating Packages for a Host,” on page 35 Section 3.4.3, “Rolling Back Packages,”...
If the current package does perform correctly in your environment, you can commit the package, which frees up disk space by deleting the files in the backup directory. If your hosts have limited disk space, Novell recommends that you commit the packages on all hosts before performing the next update.
3.4.5 Registering and Unregistering Packages for a Host If you want to stop a package from functioning without removing it completely, you can unregister it. You can then register it again later if necessary. Packages are automatically registered when you add them, so you only need to register them if you have previously unregistered them.
1 Click Hosts on the home page of the console. 2 Select the host where the Compliance Auditor and Messaging Component are installed. 3 Click Packages to view details of the packages installed on this host.
4 Select the Messaging Component (msgagnt). 5 Click SMTP Settings in the task pane. 6 Configure the following fields: SMTP Host: Specify the IP address of your e-mail server. SMTP Port: Specify the port of your e-mail server. SMTP Domain: If you are using a Lotus* Notes* server, specify the name of your SMTP domain.
Manager packages on all other manager hosts act as backups. If your primary manager becomes unavailable, you can select single or multiple manager packages on a host to be promoted to primary status.
Novell recommends having one agent designated as a complete mirror of your primary manager. In the event of a total failure of the primary manager, you can log into the backup console and promote it to primary status with no disruption of Privileged User Manager services.
(default: 500ms): Time in milliseconds to delay the audit request.
backoff_action (default: block): Either block, fail, or allow.

The following Command Control script illustrates how to change these settings:

    # Look up the Audit settings node; create it if it does not exist yet
    my $t=$meta->child("Audit");
    $t=$meta->add_node("Audit") if(! $t);
    # Set the free-disk thresholds used by the audit backoff logic
    $t->arg("disk_min_free","10");
    $t->arg("disk_wm_free","20");
    return 1;
Ctrl+A. 3 Click Restart Agent in the task pane. 4 Select the type of restart you want to perform, as advised by Novell Support. Soft restart: Reloads the module libraries and resets the service uptime. Hard restart: Restarts the daemon, reloads all modules, and resets the service uptime.
8 Click Close.

Clearing the Registry Cache

Novell Support might advise you to try clearing the registry cache if you have communication problems among Privileged User Manager components. The registry cache is held by the Registry Agent and contains a list of managers and agents in your Framework, copied from the Registry Manager.
Managing Framework Users and Groups

Privileged User Manager provides comprehensive user management facilities to control access to the Framework consoles. The admin user created when the Framework is initially installed belongs to the admin group, which has full access to all installed consoles and can perform all tasks. You can use this user account to create additional user accounts and groups through the Framework User Manager console, which is part of the Access Control module.
Last changed: Displays the last time the password was changed and allows the help desk user to reset it to the current date and time. Bad logons: Displays the number of bad logins and allows the help desk user to reset the count.
Last bad logon: Displays the time and date of the last bad login and allows the help desk user to reset it to the current date and time. Last logon: Displays the last successful login of the user and allows the help desk user to reactivate the account.
Last changed: Indicates when the password was last changed by the user, or, if the password has not yet been changed by the user, indicates when the user and password were created.
Reset password age: Select the Reset password age check box to reset the age of the password to zero. The user can use the password for the full number of days defined in Password lifetime (days) (see Section 4.1.1, “Configuring Account Settings,” on page 45), or in the Maximum age field if it has been configured.
“Modifying an Account Group” on page 91, “Modifying a User Group” on page 88) and in the Compliance Auditor (see Section 7.3.1, “Adding or Modifying an Audit Report,” on page 126). 5 Click Finish or select another option.
network/netmask | A network/netmask pair, such as 192.168.1.0/255.255.255.0
network/nnn CIDR | A network/nnn CIDR, such as 192.168.11.0/24
hostname | A hostname, such as dellsrv1.novell.com
domain | A domain name, such as *.novell.com

4f In the Allow column, click the check box. 4g Repeat Step 4c through Step 4e for any other required location definitions.
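As an added example (not part of the Novell guide), the following Python checks a connecting client against an Allow list written in the four location forms above. The sample definitions and clients are constructed here, and the client hostname is assumed to be supplied by the caller, since the guide does not say how it is resolved.

```python
"""Check a connecting client against Framework location definitions.

Added example, not Novell's code. It implements the four location forms
listed for the Allow column (network/netmask, network/nnn CIDR, hostname,
domain). Sample definitions and clients below are constructed.
"""
import ipaddress


def parse_location(definition):
    """Classify one location definition and return (kind, matcher)."""
    definition = definition.strip().lower()
    if "/" in definition:
        # Both "192.168.1.0/255.255.255.0" and "192.168.11.0/24" are accepted
        # by ip_network; strict=False tolerates host bits in the address part.
        return "network", ipaddress.ip_network(definition, strict=False)
    if definition.startswith("*."):
        # Domain form: keep the ".novell.com" suffix for an anchored check.
        return "domain", definition[1:]
    return "hostname", definition


def location_matches(definition, client_ip, client_hostname=None):
    """True if the client falls inside one location definition."""
    kind, matcher = parse_location(definition)
    if kind == "network":
        return ipaddress.ip_address(client_ip) in matcher
    if client_hostname is None:
        # Name-based forms cannot match a client whose name is unknown.
        return False
    host = client_hostname.strip().lower().rstrip(".")
    if kind == "domain":
        # "*.novell.com" matches dellsrv1.novell.com, but neither novell.com
        # itself nor evil-novell.com, because the suffix includes the dot.
        return host.endswith(matcher)
    return host == matcher


def is_allowed(allow_list, client_ip, client_hostname=None):
    """Allow when any definition in the Allow column matches the client."""
    return any(location_matches(d, client_ip, client_hostname) for d in allow_list)


# Constructed Allow list using the four example values from the guide.
ALLOW = [
    "192.168.1.0/255.255.255.0",  # network/netmask
    "192.168.11.0/24",            # network/nnn CIDR
    "dellsrv1.novell.com",        # hostname
    "*.novell.com",               # domain
]

if __name__ == "__main__":
    # Constructed clients: (ip, resolved hostname or None)
    for ip, name in [("192.168.1.77", None), ("192.168.12.1", None),
                     ("10.0.0.5", "build7.novell.com"),
                     ("10.0.0.5", "evil-novell.com")]:
        print(ip, name, "->", "allow" if is_allowed(ALLOW, ip, name) else "deny")
```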
6 In the Host column, select the hostname for the UNIX or Linux platform. 7 Repeat Step 4 through Step 6 for any additional maps you require. 8 To edit a native map, select it and make the required changes.
3 Click Native Maps. 4 Click Add. 5 In the User column, specify the user’s fully qualified distinguished name. For example: cn=plou,ou=development,o=novell 6 In the Host column, specify the scheme (ldap or ldaps) and IP address of the LDAP server. Specify a port only if the LDAP server is not using the standard port for the scheme.
3 Click Add Group in the task pane. 4 Specify a name for the group in the Group name field. 5 Click Finish. 6 To configure the group, continue with Section 4.2.2, “Modifying a Framework User Group.”
4.2.2 Modifying a Framework User Group

The Modify Group option allows you to:

Add a comment describing the group
Add users and subgroups to the group
Define administrative roles for the group
Specify an audit manager for the group

To modify a Framework user group: 1 Click Framework User Manager on the home page of the console.
Framework Manager users and groups.

Module | Role | Allows users to
auth | act_settings | Modify account settings.
auth | admin | Add or delete users and groups, and assign users to groups.
auth | console | View the Framework User Manager console.
auth | helpdesk | Modify the user account settings. To change which attributes are available for modification, see Section 4.1.1, “Configuring Account Settings,” on page 45. For information on how to use this role to create a Help Desk group that can manage user passwords, see Section 4.2.3, “Configuring a Help Desk Group,”...
Audit Role field on the Modify Audit Rule page. You can choose your own name for the role. See Section 7.2.1, “Adding or Modifying an Audit Rule,” on page 124 for details about configuring audit rules.
Module | Role | Allows users to
audit | read | View a keystroke replay.
auth | read | Extract user credentials, including name and e-mail address, from the auth database for use with reports.

Host Roles

The following roles can be assigned to the host module in order to control access to the Hosts console.
Chapter 2, “Managing Package Distribution,” on page 19 for details. 2 Install the Registry Manager on the host you want to be the Access Manager, then install the Access Manager on the same host.
This can be on any operating system, including Windows*. See Section 3.4.6, “Installing Packages on a Host,” on page 37 for details. The packages can be deployed to as many hosts as you need in order to build an environment with load balancing and failover. 3 Install the Administration Manager on the same host or a different host.
Command Control

The Command Control feature provides UNIX and Linux users with controlled access to privileged commands in a secure manner across the enterprise. Command Control enables the complete lockdown of user privilege by providing rules to determine the commands that are authorized to be run, and a powerful account delegation feature that removes the need for common access to the account.
These shells and functions allow you to integrate Command Control into the UNIX and Linux user environments. Crush is normally used to audit users who do not need any additional privileges. With Novell Privileged User Manager, you can change a user’s login shell to crush (...
usrun [-b] [-p] [-t] [-x] [-u <user>] [-h <host>] <command>

Option | Description
Puts the execution of the command into the background.
Provides a pipe compatibility option for competitive products. It is only used for a competitive swap-out.
Provides a test command option that tests the specified command against the rule structure.
The Command Control Audit level is set to 1, which enables an additional level of audit to use with the Command Risk. Rewrite: Specify the following:

    /usr/bin/rush -o audit 1
Commands: Specify the following commands, each on a separate line:

    rush
    shell

2e Click Finish. 3 Add an Account User Group for the rush shell: 3a Click Account Groups > User Groups, then click Add User Group in the task pane. 3b Specify a name, then click Finish.
3c Select your crush user group, then click Modify User Group. 3d Fill in the following fields: Description: Explain the purpose of this user group. Specify something similar to the following: Defines the user accounts that can use the crush command.
Users: Specify the usernames of the users on your Linux and UNIX hosts that have your permission to use the crush command. 3e Click Finish. 4 Add a crush rule: 4a Click Rules > Add Rule. 4b Specify a name, then click Finish. 4c Select your crush command, then drag it to your crush rule.
With this method, the user would simply select options from the menu to perform their privileged tasks. Either method requires a shell script that executes under the rush shell and performs remote authorization. For example:
    #!/usr/bin/rush
    set -o remote
    passwd $*

This script executes the rush client, sets it to use Command Control, and executes the passwd command.

5.3 Importing Command Control Configuration Data

You can import a complete Command Control configuration database, including test suites, using the Import Settings option, or you can import test suites only, using the Import Test Suites option under Test Suites.
Exporting Command Control Settings,” on page 146. 5.3.3 Importing Command Control Samples Novell has provided a set of sample commands and Perl scripts to assist you with configuring your Command Control rules. To add these samples to your configuration: 1 Click Command Control on the home page of the console.
5.4.1 Enabling Transactions and Configuring Settings You can configure the Command Control Manager to require the Transactions feature to be used when configuring Command Control rules. You can also configure your own Commit Transaction page to be used for committing a transaction. The data entered on the Commit Transaction page can be viewed in the Compliance Auditor.
Section 5.5.7, “Deleting a Category,” on page 79; Section 5.3, “Importing Command Control Configuration Data,” on page 71; Section 5.4, “Command Control Transactions,” on page 72; Section 5.12, “Test Suites,” on page 107.
5.5.1 Defining Audit Settings

All Command Control audit records contain the following information:

Submit details, such as the submitting username, hostname, and primary group.
Target details, such as the run username and the run hostname.
Command details, which include the original command requested and the actual command run.
Authorization status, either yes or no.
3 Click Find References in the task pane. The groups or rules in which the entity is referenced are displayed. 4 To go to one of the listed groups or rules, double-click it, or to return to the navigation pane, click Close.
5.5.4 Defining Custom Attributes Custom attributes can be defined for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in scripts. For example, you could set an expiration date as a custom attribute for a user group, check for this date in your script, then expire the user group when the date is reached.
Keyword | Description
(keyword not recovered) | Calling user’s primary group ID
${gecos}$ | Calling user’s gecos
${home}$ | Calling user’s home directory
${shell}$ | Calling user’s shell
${cwd}$ | Calling user’s current working directory
${lhost}$ | Local hostname
${rhost}$ | Remote hostname
${pid}$ | PID of the individual udsh call
${ppid}$ | PID of the udsh

5.5.6 Adding a Category

You can use the appropriate Add Category option to group your account groups, user groups, host groups, commands, scripts, and access times into categories for ease of use and maintenance. 1 Click Command Control on the home page of the console.
Section 5.6.13, “Deleting a Rule,” on page 86; Section 5.6.14, “Viewing Pseudocode,” on page 86.

5.6.1 Adding a Rule

1 Click Command Control on the home page of the console. 2 Click Rules in the navigation pane.
3 To add a rule at the top level, click Add Rule in the task pane. To add a rule as a child of another rule, select the rule and click Add Rule in the task pane. 4 Specify a name for the rule. 5 Click Finish.
7a Change user (submit user) to run user. 7b Leave the logic setting as IN. 7c Select the user group you require from the user group drop-down list.
8 Repeat Step 6 and Step 7 for any other conditions you want. Set the condition logic as necessary. You can use parentheses to group conditions according to the necessary logic by selecting the parentheses ( ) entry from the Add Condition drop-down list. The opening and closing parentheses are displayed.
Shift key to select a consecutive list of scripts. 5 Click Remove Script in the task pane. 6 Click Yes to confirm the removal. The scripts are removed from the rule.
5.6.9 Finding a Rule 1 Click Command Control on the home page of the console. 2 Click Rules in the navigation pane. 3 To find a rule from the entire list of rules, click Find Rule in the task pane. To find a rule in a set of rules, select the parent rule, then click Find Rule.
3 Select the rule for which you want to view the pseudocode. 4 Click Pseudocode in the task pane. You can copy the pseudocode by using Ctrl+A or Ctrl+C, then paste it into a document for printing. 5 Click Close.
5.7 Command Control Groups

Command Control has three types of groups:

User Groups: Contain users with similar responsibilities. This allows you to use the group as a condition for a rule, which either allows or denies the users the rights to run commands.
Host Groups: Contain hosts with similar content.
Users: Add or change the users you want to include in this group. You can type the user names, one on each line, or paste them from elsewhere. You can use the Sort button to sort the list of users into alphabetical order.
    /usr/bin/vi *

To add a regular expression term to the list, prefix the regular expression with =~. For example:

    =~/^vi .*$/
    =~\w+\.novell\.com

The following sections explain how to manage host groups: “Adding a Host Group” on page 90; “Modifying a Host Group” on page 90; “Deleting a Host Group”...
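An added example, not Novell's code, that evaluates group entries of this kind: plain terms are treated as shell-style wildcard patterns (an assumption based on the /usr/bin/vi * entry), and =~ terms as regular expressions, with or without the /.../ delimiters. It also shows why an unanchored host pattern such as =~\w+\.novell\.com matches more hosts than intended; the sample term lists are constructed.

```python
"""Evaluate Command Control group terms with the =~ regular-expression prefix.

Added example, not Novell's code. Plain terms are matched as shell-style
wildcard patterns (an assumption based on the "/usr/bin/vi *" entry); terms
prefixed with =~ are Perl-style regular expressions, given either as
=~/pattern/ or as bare =~pattern. Sample term lists are constructed.
"""
import fnmatch
import re

REGEX_PREFIX = "=~"


def compile_term(term):
    """Turn one group entry into a predicate over a candidate string."""
    term = term.strip()
    if term.startswith(REGEX_PREFIX):
        pattern = term[len(REGEX_PREFIX):]
        # Accept both the =~/^vi .*$/ and the =~\w+\.novell\.com forms.
        if len(pattern) >= 2 and pattern[0] == "/" and pattern[-1] == "/":
            pattern = pattern[1:-1]
        regex = re.compile(pattern)
        # re.search, like Perl's =~, is unanchored unless the pattern anchors it.
        return lambda value: regex.search(value) is not None
    # Plain entry: literal text with * and ? wildcards, case-sensitive.
    # Note that "/usr/bin/vi *" requires the space, so a bare "/usr/bin/vi"
    # with no arguments does not match it.
    return lambda value: fnmatch.fnmatchcase(value, term)


def group_matches(terms, value):
    """True if any term in the group matches the candidate host or command."""
    return any(compile_term(t)(value) for t in terms)


# Constructed command group built from the two examples in the guide.
COMMAND_TERMS = ["/usr/bin/vi *", "=~/^vi .*$/"]

# Constructed host groups: the unanchored form from the guide and an anchored
# variant. The unanchored regex also accepts "x.novell.com.evil.org".
HOST_TERMS = [r"=~\w+\.novell\.com"]
HOST_TERMS_ANCHORED = [r"=~/^\w+\.novell\.com$/"]

if __name__ == "__main__":
    for candidate in ["build7.novell.com", "x.novell.com.evil.org"]:
        print(candidate,
              "unanchored:", group_matches(HOST_TERMS, candidate),
              "anchored:", group_matches(HOST_TERMS_ANCHORED, candidate))
```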
The host groups are deleted, and are also removed from any account group, rule conditions, and script entities in which they have been defined.

5.7.3 Adding an Account Group

To add a new account group: 1 Click Command Control on the home page of the console.
2 Click Account Groups in the navigation pane. 3 To add an account group at the top level, click Add Account Group in the task pane. To add an account group to a category, select the category and click Add Account Group in the task pane. For information about categories, see Section 5.5.6, “Adding a Category,”...
1 Click Command Control on the home page of the console. 2 From the Command Control Sample Scripts, add the Enhanced Access Control Policy script. 3 Drag the Enhanced Access Control Policy script from Scripts on to Authorizing Rule.
4 Click the Authorizing Rule and access the Script Arguments. 5 Create a script argument with the name policy and add that policy into the Value field.

Path Policy

A path policy restricts an application from accessing a specific directory based on the path. The syntax of a path policy is as below: path [owner] <path>...
You can also use commands as script entities. To add a new command: 1 Click Command Control on the home page of the console. 2 Click Commands in the navigation pane.
3 To add a command at the top level, click Add Command in the task pane. To add a command to a category, select the category and click Add Command in the task pane. 4 Specify a name for the command. This can be different from the name of the actual command you want to control.
Replace <n> with one of the following values: 0: Disables auditing. It has the same effect as removing the audit setting from the Rewrite field. 1: Enables auditing of all commands that are not built into the user's shell.
2: Enables auditing of all commands, including commands that are built into the user's shell. This level of auditing can affect login times. 5.8.3 Setting the Command Risk This option allows you to set a value representing the relative risk of a command when using the rush or crush clients with the session auditing option (see Section 5.2, “Integrating Command Control into User Environments,”...
Section 5.9.1, “Adding a Script,” on page 99; Section 5.9.2, “Modifying a Script,” on page 99; Section 5.9.3, “Copying a Script,” on page 99; Section 5.9.4, “Moving a Script,” on page 100;
Section 5.9.5, “Deleting a Script,” on page 100 Section 5.9.6, “Sample Scripts,” on page 100 5.9.1 Adding a Script You can add your own custom attributes for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in your scripts. See “Defining Custom Attributes”...
To understand what is available, see the sample scripts in the following sections: “Modify Environment Script” on page 101; “Rush Illegal Commands Script” on page 103.
To import a sample script, click Command Control > Import Samples > Sample Perl Script.

Modify Environment Script

This script is used to process environment variables. It has a number of script arguments that can add, delete, clear, and keep environment variables.

Argument | Description
(argument name not recovered) | Clears all environment variables (unless specifically kept using keepenv)
Rush Illegal Commands Script

When using the rush shell, Command Control has the ability to restrict the commands being run (even as root). This sample script is named illegalcmd, and it restricts the use of the passwd command. This script does not restrict a user that initiates another shell from within a session. When a user does this, Command Control cannot continue a full audit or control the illegal commands, although the session is still captured.

    #to set script argument - name=illegalcmd value= kill *...
1 Click Command Control in the navigation pane on the home page of the console. 2 Click Access Times in the navigation pane. 3 Select the access time you want to move.
To move multiple access times in the same category, press the Ctrl key and select the required access times one at a time, or press the Shift key to select a consecutive list of access times. 4 Drag the selected access time to the desired location. 5.10.5 Deleting an Access Time 1 Click Command Control on the home page of the console.
4 To create the copy, press the Ctrl key and drag the selected report to the desired location. 5 If necessary, use the Modify Report option to rename or modify the copy, as explained in “Modifying a Command Control Report” on page 106.
5.11.4 Moving a Command Control Report 1 Click Command Control on the home page of the console. 2 Click Reports in the navigation pane. 3 Select the report you want to move. To select multiple reports in the same category, press the Ctrl key and select the required reports one at a time, or press the Shift key to select a consecutive list of reports.
Run Host: (Optional) When the submit user is requesting to run the command on a specific host, specify the hostname that is being requested. For example, if the user enters the following on the command line:

    usrun -h hosta ksh
Specify the following as the run host:

    hosta

User Input: (Optional) Use this field to specify the information that a script, associated with the Command Control policy, expects the user to enter. Expected command: (Optional) Use this field to confirm that the command being executed is the correct command.
4 Click View Test Suite in the task pane. 5 Select the test case you want to delete. 6 Click Delete Test Case in the task pane. 7 Click Yes to confirm the deletion. The test case is deleted.
5.12.7 Deleting a Test Suite 1 Click Command Control on the home page of the console. 2 Click Test Suites in the task pane. 3 Select the test suite you want to delete. To select multiple test suites, press the Ctrl key and select the required test suites one at a time, or press the Shift key to select a consecutive list of test suites.
5.13.4 Installing Command Control

To deploy Command Control: 1 Download the required packages to your local Package Manager. See Section 5.13, “Deploying Command Control,” on page 112 for details.
2 Install the Command Control Manager package on the host you want to be the Command Control Manager. This can be on any operating system, including Windows. See Section 3.4.6, “Installing Packages on a Host,” on page 37 for details. Command Control Managers can be deployed to as many hosts as you need in order to build an environment with load balancing and failover.
Managing Audit Reports

Privileged User Manager enables auditing of events at several levels, such as keystroke logging, command authorization, and login success or failure. The Reporting console allows you to view these records and manage them. Section 6.1, “Audit Settings,” on page 115; Section 6.2, “Encryption Settings,”...
Start Session: Sends an event when a user starts a Privileged User Manager session on a host. Session Terminate: Sends an event when a user logs out of the Privileged User Manager session.
Command Audit: If you have enabled auditing on the user’s session or on commands, this option sends all audited events as syslog events. For information on configuring commands for auditing, see “Configuring Auditing with the Rewrite Functionality.” For information on using a .profile file to enable session auditing, see Section 5.2.4, “Using rush for Complete Session Control,”...
Audit Status: If the record has been referenced in the Compliance Auditor, displays the name of the compliance rule and the status.
Audit ID: Displays the unique ID of the audit record.
6.4.3 Filtering the Viewable Records Use the Filter tab to build a list of matching conditions that allows you to customize the records that are displayed in the Report Data tab. This allows you to build reports that show only the information that your users require.
4 Click the Log Files tab in the navigation pane.
5 Select the log files that are required for the report. To include all available log files, select the All log files box.
6 Click Apply.
6.4.6 Replaying Keystrokes
Where a rule has been configured to capture session information, you can review the entire session in the report.
1 Click Reporting on the home page of the console.
2 Click Command Control Reports in the navigation pane.
3 Select the report in the navigation pane.
4 Click Activity Report in the task pane. The navigation pane displays the selected activity report.
5 To print the report, click Print.
6 To return to the list of reports, click Cancel.
Compliance Auditor
The Compliance Auditor collects, filters, and generates reports of audit data for analysis and sign-off by authorized personnel. The Compliance Auditor can be used in conjunction with Command Control to enable auditors to view security transactions and play back recordings of user activity. Auditors can record notes against each record, creating permanent archives of activity.
7.2.1 Adding or Modifying an Audit Rule
You can add, modify, and disable audit rules, but you cannot delete them.
1 Click Compliance Auditor on the home page of the console.
2 Click Audit Rules in the task pane.
3 Select one of the following:
To add a new rule, click Add Rule in the task pane.
To modify an existing rule, select the rule, then click Modify Rule.
To copy an existing rule and modify it, select the rule, then click Copy Rule.
4 Configure the following fields:
Rule Name: Specify a name for your rule.
You can view the format in XML of the object tokens passed into the audit report by entering $<>$ in the Report Template field, deselecting the HTML check box, then clicking Test Report (ensure that you have defined a Report Target). To view just the user subtree, use $<User>$
The tokens that appear are dependent upon what has been configured for the users. If the ACT_EMAIL.value token is not present for the target, an email address has not been defined for the user. For user configuration information, see Section 4.1.3, “Modifying a Framework User,”...
Page 129
</style> <p class="style1"> Hello $User.ACT_FULL_NAME.value$,<br/> <br/> This is an automated event notification email from the Compliance Auditor. <br/> <br/> It is the responsibility of management to log into the Compliance Auditor each day and review their team's keystroke logs. <br/> <br/> Please log on to the Compliance Auditor at your earliest convenience using this link: <a href="https://admin.company.com">https://admin.company.com</a></p>...
Section 7.4.7, “Managing Archived Records,” on page 136
7.4.1 Viewing a Compliance Audit Record
1 Click Compliance Auditor on the home page of the console.
2 Select the record you want to view.
3 Click View Record in the task pane. Record data for this event is shown, including the submit user and host, the run user and host, the command, whether it was authorized by Command Control, and whether the session was captured.
To edit an audit record:
1 Click Compliance Auditor on the home page of the console.
2 Select the record you want to edit.
3 Click View Record in the task pane.
4 Click Edit Record.
5 (Optional) Authorize the event:
5a Select the Authorized check box.
5b In the Note field, specify a note to be displayed on the event list and event record.
5c In the Comment field, specify a comment to be permanently displayed in the History on the View Record page.
commands: * to deny access to all other commands. The allowed entries must be above the deny all entry. By default, all commands are allowed.
9 (Optional) Remove an attribute by selecting it and then clicking the Remove button.
10 (Optional) Modify an entry by selecting it, then specifying the changes.
11 Click Finish.
7.5.2 Deleting a User ACL
1 Click Compliance Auditor on the home page of the console.
2 Click Access Control in the task pane.
3 Select the user for whom you want to delete an ACL.
4 Click Delete User ACL in the task pane.
Load Balancing and Failover The load balancing and failover features work by using a hierarchical view of the hosts associated with the Framework. The hierarchy of hosts is created by using the Hosts console to group hosts into domains and subdomains, which are representative of your enterprise network structure.
Framework. Replication takes place automatically when the manager is initially deployed and then again at any stage when the data on the primary manager is modified.
Page 141
The following packages can be load balanced:
Registry Manager: Maintains a database of all hosts and modules and provides certificate-based registration features for the hosts.
Package Manager: Manages a repository for packages.
Administration Agent: Provides the functionality for the Web-based user interface. Consoles can be installed on the Administration Agent and used to control product features.
Command Control Components
The components of the Command Control module interact with other Privileged User Manager modules as indicated in the following table.
Table 9-1 Command Control Components
Component: Description
Command Control Console: Provides the user interface with the Command Control database to allow creation and management of Command Control rules.
Page 144
Command Control events, as well as captured sessions and replay. Available on all supported platforms. Interacts with: Audit Manager: Contains the audited information. Reporting: Parent console of the Command Control Reports console.
To use the command line options, change to the unifi directory:
Linux/UNIX: /opt/novell/npum/sbin/unifi
Windows: <Drive>:\Program Files\Novell\npum\sbin\unifi
The following sections assume that you are running the commands from the unifi directory. If you are using the new Windows PowerShell, replace the of the syntax with .
Specifies where to export the configuration to. Replace <arg> with a filename or a path and filename.
Specifies that the configuration should be exported in clear text. This option cannot be used with the -p option.
Options: Description
-p <pwd>: Specifies an encryption password for the file. If a password is specified, the password must be entered when importing the file. This option cannot be used with the -c option.
The import command has the following syntax:
Linux Syntax: ./unifi -n cmdctrl import [options]
If you have not mapped your local account to a Framework Manager user (see...
Page 148
--? delete
Sample Commands
To back up the database: ./unifi -n cmdctrl backup -t "Added the ls command."
To restore the second backup in the list: ./unifi -n cmdctrl restore -n 2
10.2.3 Running Test Suites The test suite options allow you to run part or all of the Command Control test suites. Syntax: ./unifi -n cmdctrl runTest [option] If you have not mapped your local account to a Framework Manager user (see “Modify User: Native Maps”...
IP address of the agent machine, <agent name> with the name of the agent, <admin> with a Framework Manager username, and <password> with the user’s password. For example: ./unifi regclnt register manager1 29120 agent1.domain.com agent1 admin novell
10.5.2 Finding a Primary Manager Package The following command displays details about primary manager packages. It can be run from any host machine, and displays the primary manager information contained in the local machine’s databases. Syntax: ./unifi -n regclnt getManager <package> If you have not mapped your local account to a Framework Manager user (see “Modify User: Native Maps”...
When executed from a backup host, a command is actually executed on the primary host. If a backup host is promoted to be a primary host, the archived database can be placed on the promoted manager and restored.
Page 153
${ }$ and separated from other options with a comma. The entire string is enclosed in single quotes. For example: -F '${id}$,${reason}$'
archive -n <from:to> -p <pwd> -r "<reason>": Creates a database in the /opt/novell/npum/service/local/secaudit directory with the following format: sa-2009-06-05_11-38-43.db. Each archived database can then be taken offline (moved to another storage area) and put back in place at any point.
Page 154
purge: Purges audit records that have been archived. Records that have been purged no longer appear in the Compliance Auditor console. A restore of the archive makes these records viewable again.