Novell Privileged User Manager 2.3 User guide

Administration Guide
Privileged User Manager 2.3.1
May, 2012
Legal Notice
NetIQ Corporation (“NetIQ”) makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, NetIQ reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
NetIQ makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, NetIQ reserves the right to make changes to any and all parts of the software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, reexport, or import deliverables. You agree not to export or reexport to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. NetIQ assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2012 NetIQ Corporation. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
All third party trademarks are the property of their respective owners.
For more information, please contact NetIQ at:
1233 West Loop South, Houston, Texas 77027
U.S.A.
www.netiq.com
Contents
About This Guide
1 Welcome to the Framework
1.1 Introduction to the Framework
1.2 System Requirements
1.2.1 Framework Agent Requirements
1.2.2 Framework Manager Requirements
1.3 Primary Components
1.3.1 Framework Manager
1.3.2 Framework Manager Console
1.3.3 Framework Agent
1.4 The Workspace Layout
1.4.1 Navigation Path
1.4.2 Navigation Pane
1.4.3 Task Pane
2 Managing Package Distribution
2.1 Downloading Packages to a Package Manager
2.1.1 Configuring the Package Manager
2.1.2 Adding Packages to the Package Manager
2.1.3 Checking for Updated Packages
2.1.4 Removing Packages
2.2 Managing the Workspace
2.2.1 Managing the Consoles
2.2.2 Adding a Console to the Framework Manager Console
2.2.3 Removing Consoles from the Framework Manager Console
2.2.4 Updating Consoles in the Framework Manager Console
2.3 Downloading SLES Specific rpm Updates
2.3.1 Downloading the Latest SLES Specific rpms (Release)
2.3.2 Downloading the Latest SLES Specific rpms (Hot Fix)
3 Managing Framework Hosts
3.1 Managing Domains
3.1.1 Creating a Domain
3.1.2 Modifying a Domain
3.1.3 Deleting a Domain from the Framework
3.2 Managing Hosts
3.2.1 Adding a Host
3.2.2 Auto Registering of Hosts
3.2.3 Viewing Host Details
3.2.4 Modifying a Host
3.2.5 Moving a Host
3.2.6 Deleting a Host
3.2.7 Finding a Host
3.2.8 Privileged User Manager Databases
3.3 Monitoring Hosts
3.3.1 Viewing the Host Log
3.3.2 Modifying Log Settings
3.3.3 Example Rollover Script
3.3.4 System Alerts
3.3.5 Modifying Alert Settings
3.3.6 Viewing the Host Status
3.4 Managing Host Packages
3.4.1 Finding Packages on Hosts
3.4.2 Updating Packages for a Host
3.4.3 Updating SLES Specific rpms for a Host
3.4.4 Rolling Back Packages
3.4.5 Committing Packages
3.4.6 Registering and Unregistering Packages for a Host
3.4.7 Installing Packages on a Host
3.4.8 Uninstalling Packages from a Host
3.4.9 Modifying Audit Settings for the Audit Manager Package
3.4.10 Configuring SMTP Settings for the Messaging Component Package
3.5 Tunneling
3.5.1 Installing the Packages
3.5.2 Enabling and Disabling Tunneling
3.5.3 Reregistering the Tunnel Agent Package
3.5.4 Listing Tunnels
3.6 Increasing the Security When Accessing the Framework Manager Console
3.6.1 Requesting a Certificate for the Framework Manager Console
3.6.2 Installing a Certificate
3.6.3 Modifying the Connector
3.7 Troubleshooting
3.7.1 Promoting Managers When the Primary Manager Fails
3.7.2 Viewing Store and Forward Messages
3.7.3 Managing Low Disk Space
3.7.4 Restarting the Agent
3.7.5 Managing the Registry Cache
3.7.6 Time Synchronization
4 Managing Framework Users and Groups
4.1 Managing Users
4.1.1 Configuring Account Settings
4.1.2 Adding a Framework User
4.1.3 Modifying a Framework User
4.1.4 Removing a Framework User Group from a User
4.1.5 Deleting a Framework User
4.2 Managing Groups
4.2.1 Adding a Framework User Group
4.2.2 Modifying a Framework User Group
4.2.3 Configuring a Help Desk Group
4.2.4 Configuring Roles
4.2.5 Deleting a Framework User Group
4.3 Deploying the Access Control Module
4.4 Changing a Framework User’s Password
5 Command Control
5.1 How Does Command Control Work?
5.2 Integrating Command Control into User Environments
5.2.1 Using usrun with a Command
5.2.2 Using rush for Privileged Sessions
5.2.3 Using crush for Complete Session Capture
5.2.4 Using rush for Complete Session Control
5.2.5 Using Shell Scripts
5.3 Importing Command Control Configuration Data
5.3.1 Importing Command Control Settings
5.3.2 Exporting Command Control Settings
5.3.3 Importing Command Control Samples
5.4 Command Control Transactions
5.4.1 Enabling Transactions and Configuring Settings
5.4.2 Making Command Control Configuration Changes with Transactions Enabled
5.4.3 Committing a Transaction
5.5 Configuring Command Control
5.5.1 Defining Audit Settings
5.5.2 Backing Up and Restoring
5.5.3 Finding a Reference
5.5.4 Defining Custom Attributes
5.5.5 Functions
5.5.6 Adding a Category
5.5.7 Deleting a Category
5.6 Rules
5.6.1 Adding a Rule
5.6.2 Modifying a Rule
5.6.3 Setting Conditions for a Rule
5.6.4 Removing Conditions for a Rule
5.6.5 Configuring Script Arguments and Entities for a Rule
5.6.6 Assigning a Script to a Rule
5.6.7 Removing Script Arguments and Entities
5.6.8 Removing a Script from a Rule
5.6.9 Finding a Rule
5.6.10 Moving a Rule
5.6.11 Copying a Rule
5.6.12 Linking a Rule
5.6.13 Deleting a Rule
5.6.14 Viewing Pseudocode
5.7 Command Control Groups
5.7.1 User Groups
5.7.2 Host Groups
5.7.3 Adding an Account Group
5.7.4 Modifying an Account Group
5.7.5 Deleting an Account Group
5.7.6 Copying a Group
5.7.7 Moving a Group
5.7.8 Enhanced Access Control
5.8 Commands
5.8.1 Adding a Command
5.8.2 Modifying a Command
5.8.3 Setting the Command Risk
5.8.4 Removing a Command Risk
5.8.5 Copying a Command
5.8.6 Moving a Command
5.8.7 Deleting a Command
5.8.8 Importing Sample Commands
5.9 Scripts
5.9.1 Adding a Script
5.9.2 Modifying a Script
5.9.3 Copying a Script
5.9.4 Moving a Script
5.9.5 Deleting a Script
5.9.6 Sample Scripts
5.10 Access Times
5.10.1 Adding an Access Time
5.10.2 Modifying an Access Time
5.10.3 Copying an Access Time
5.10.4 Moving an Access Time
5.10.5 Deleting an Access Time
5.11 Command Control Reports
5.11.1 Adding a Command Control Report
5.11.2 Modifying a Command Control Report
5.11.3 Copying a Command Control Report
5.11.4 Moving a Command Control Report
5.11.5 Deleting a Command Control Report
5.12 Privileged Account
5.12.1 Creating an Account Domain for Windows Systems
5.12.2 Creating an Account Domain for Linux or Unix Systems
5.13 Remote Desktop Protocol Relay
5.13.1 Configuring the Windows Machine for the RDP Session
5.13.2 Starting a Remote Desktop Session by Using an RDP Relay
5.14 Privileged Access to System Tools or Processes Using PUM Run
5.14.1 Configuring the Windows Machine for PUM Run
5.15 Secure Shell Relay
5.15.1 Using usrun for SSH Relay
5.16 LDAP Group Lookup
5.16.1 Creating the LDAP Account in the Credential Vault
5.16.2 Defining the User Group
5.16.3 Creating a Rule for the LDAP Group
5.16.4 Modifying a Rule for the LDAP Group
5.17 Test Suites
5.17.1 Adding a Test Suite
5.17.2 Adding or Modifying a Test Case
5.17.3 Running a Test Suite
5.17.4 Viewing a Test Suite
5.17.5 Modifying a Test Suite
5.17.6 Deleting a Test Case
5.17.7 Deleting a Test Suite
5.17.8 Importing a Test Suite
5.17.9 Exporting a Test Suite
5.18 Deploying Command Control
5.18.1 Command Control Modules
5.18.2 Auditing Modules
5.18.3 Compliance Auditor Modules
5.18.4 Installing Command Control
6 Managing Audit Reports
6.1 Audit Settings
6.2 Encryption Settings
6.3 Syslog Settings
6.4 Command Control Reports
6.4.1 Adding a Report
6.4.2 Viewing Report Data
6.4.3 Filtering the Viewable Records
6.4.4 Modifying General Report Information
6.4.5 Selecting Log Files
6.4.6 Replaying Keystrokes
6.4.7 Removing a Report
6.4.8 Generating an Activity Report
7 Compliance Auditor
7.1 Controlling Access to the Compliance Auditor
7.2 Compliance Audit Rules
7.2.1 Adding or Modifying an Audit Rule
7.3 Compliance Audit Reports
7.3.1 Adding or Modifying an Audit Report
7.3.2 Sample Command Control Report Template
7.3.3 Deleting a Report
7.4 Compliance Auditor Records
7.4.1 Viewing a Compliance Audit Record
7.4.2 Viewing and Editing a Command Control Keystroke Report
7.4.3 Viewing a Change Management Audit Record
7.4.4 Viewing a Report Audit Record
7.4.5 Editing an Audit Record
7.4.6 Archiving Records
7.4.7 Managing Archived Records
7.5 Access Control Levels
7.5.1 Adding or Modifying a User ACL
7.5.2 Deleting a User ACL
7.6 Deploying the Compliance Auditor
8 Load Balancing and Failover
8.1 Failover
8.2 Load Balancing
9 Command Control Components
10 Command Line Options
10.1 The unifi Options
10.2 Command Control Options
10.2.1 Importing and Exporting Command Control Settings
10.2.2 Backing Up and Restoring a Command Control Configuration
10.2.3 Running Test Suites
10.3 Package Distribution Options
10.4 Package Manager Options
10.5 Registry Agent Options
10.5.1 Registering an Agent
10.5.2 Finding a Primary Manager Package
10.5.3 Agent Status
10.5.4 Adding Hosts and Domains
10.6 Registry Manager Options
10.7 Compliance Auditor Options
10.7.1 Exporting and Importing Compliance Auditor Settings . . . . . . . . . . . . . . . . . . . . . . . . . . .172
10.7.2 Managing Compliance Auditor Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
10.8 sreplay Command Line Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
About This Guide
This Administration Guide explains how to use the Framework Manager to control and audit superuser access to Linux, UNIX and Windows machines.
Chapter 1, “Welcome to the Framework,” on page 11
Chapter 2, “Managing Package Distribution,” on page 17
Chapter 3, “Managing Framework Hosts,” on page 23
Chapter 4, “Managing Framework Users and Groups,” on page 51
Chapter 5, “Command Control,” on page 69
Chapter 6, “Managing Audit Reports,” on page 135
Chapter 7, “Compliance Auditor,” on page 143
Chapter 8, “Load Balancing and Failover,” on page 159
Chapter 9, “Command Control Components,” on page 163
Chapter 10, “Command Line Options,” on page 165
Audience
This guide is intended for users who manage the Privileged User Manager product.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Privileged User Administration Guide, visit the Privileged User Manager Web site (http://www.novell.com/documentation/privilegedusermanager23).
Additional Documentation
Privileged User Manager Getting Started Guide (http://www.novell.com/documentation/privilegedusermanager23/npum_install/data/index.html)
1 Welcome to the Framework
NetIQ Privileged User Manager delivers on the WorkloadIQ™ promise of keeping the organization secure and compliant by helping you control administrator access to the Linux, UNIX, and Windows servers.
NetIQ Privileged User Manager manages the delegated administration through a centralized policy mechanism. This allows you to define rules for allowing or denying user activity based on a combination of user name, typed command, host name, and time (who, what, where and when). By managing privileges this way, you can control the commands users are authorized to run, along with the time and the location. User activity is recorded in an audit reporting and management tool, which enables you to take action right when suspicious activity occurs.
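The who/what/where/when rule model described above, as an added example that is not Privileged User Manager code or its rule syntax: a simplified first-match evaluator with default deny that also emits an audit record for every decision. The rule fields, glob matching, rule names, users and hosts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: globs for who/what/where plus a daily time window."""
    name: str
    allow: bool
    user: str = "*"                 # who
    command: str = "*"              # what (the full typed command line)
    host: str = "*"                 # where
    start: time = time(0, 0)        # when: window start, inclusive
    end: time = time(23, 59, 59)    # when: window end, inclusive

    def in_window(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t <= self.end
        # Window wraps past midnight, e.g. 22:00-06:00.
        return t >= self.start or t <= self.end

    def matches(self, user: str, command: str, host: str, when: datetime) -> bool:
        return (fnmatchcase(user, self.user)
                and fnmatchcase(command, self.command)
                and fnmatchcase(host, self.host)
                and self.in_window(when.time()))


def authorize(rules, user, command, host, when):
    """First matching rule decides; no match means deny. Returns (allowed, audit)."""
    matched = next((r for r in rules if r.matches(user, command, host, when)), None)
    allowed = matched.allow if matched else False
    audit = {
        "time": when.isoformat(),
        "user": user,
        "host": host,
        "command": command,
        "rule": matched.name if matched else "default-deny",
        "allowed": allowed,
    }
    return allowed, audit


# Constructed sample policy. Deny rules come first because the first match wins.
RULES = [
    # Refuse command lines that chain or substitute commands, whoever asks.
    Rule("deny-shell-metachars", False, command="*[;&|`$]*"),
    Rule("dba-db-service", True, user="dba_*", command="/etc/init.d/oracle *",
         host="db*.example.com", start=time(8, 0), end=time(18, 0)),
    Rule("ops-night-restart", True, user="ops_*", command="/sbin/service * restart",
         host="*.example.com", start=time(22, 0), end=time(6, 0)),
]

if __name__ == "__main__":
    # Constructed request: allowed by the dba-db-service rule.
    print(authorize(RULES, "dba_alice", "/etc/init.d/oracle restart",
                    "db01.example.com", datetime(2012, 5, 14, 10, 30)))
```

Every request produces an audit record, including denied ones, so a reviewer can see which rule decided each outcome.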
Section 1.1, “Introduction to the Framework,” on page 11
Section 1.2, “System Requirements,” on page 11
Section 1.3, “Primary Components,” on page 12
Section 1.4, “The Workspace Layout,” on page 14
1.1 Introduction to the Framework
NetIQ Privileged User Manager uses a Framework as the base layer to provide an easy-to-use enterprise architecture into which Privileged User Manager modules are added to create the necessary problem-solving functionality. The Framework has several key features:
Provides the core functionality needed to implement secure, enterprise-wide services.
Provides services such as secure and authenticated communication among components.
Provides integrated databases and logging.
Allows the deployment of Privileged User Manager modules to Framework hosts to implement new functionality.
With each module that is installed, an additional console is added to the main Framework Manager console to allow access to new administration functionality.
1.2 System Requirements
Recommended system requirements specify the minimum prerequisites to run Framework Agent and Framework Manager.
1.2.1 Framework Agent Requirements
The minimum requirements for the Framework Agent are:
1 GHz (CISC) processor
300 MHz (RISC) processor
50 MB additional RAM space
100 MB additional hard disk space
1.2.2 Framework Manager Requirements
The minimum requirements for the Framework Manager are:
2 GHz or more (CISC) processor
1 GHz or more (RISC) processor
250 MB additional RAM space
150 MB additional hard disk space
Hard disk space for Audit Storage
NOTE: Approximate additional space calculation for Audit Storage = (250 KB) x (number of users) x (average sessions per day, which is usually 8).
1.3 Primary Components
The Framework is made up of three primary components:
Section 1.3.1, “Framework Manager,” on page 12
Section 1.3.2, “Framework Manager Console,” on page 13
Section 1.3.3, “Framework Agent,” on page 13
1.3.1 Framework Manager
The Framework Manager is the server component of the Framework. It provides a centralized registry, enabling services and administration of the entire Framework from any single point on the enterprise network.
The Framework Manager is administered through the Framework Manager console, using a suitable Web browser with Adobe Flash Player.
The manager modules are installed on the Framework Manager by default. The modules can also be distributed to other Framework hosts to provide load balancing and failover for the Framework. If there are multiple occurrences of the same type of manager installed on the Framework, they operate in primary and backup roles. Updates to the data controlled by each group of like managers are made only at the primary manager.
The default manager modules are:
Administration Manager (admin): Provides the functionality for the Web-based user interface. Framework consoles can be installed on the Administration Manager and are used to control product features.
Access Manager (auth): Maintains a list of Framework user accounts and provides authentication services for the Framework. It needs to be installed with a local Registry Manager in order to create a secure user authentication token.
Audit Manager (audit): Maintains the repository for all auditing information collected by the Framework.
NOTE: NetIQ recommends deploying only two Audit Managers, even in large environments.
Command Control Manager (cmdctrl): Maintains the rule configurations and is responsible for validating user command requests.
Compliance Auditor (secaudit): Collects, filters, and generates reports of audit data for analysis and sign-off by authorized personnel.
Messaging Component (msgagnt): Provides the transport mechanism and interacts with e-mail servers to provide reporting functionality.
Package Manager (pkgman): Manages a repository for Framework packages.
Registry Manager (registry): Maintains a database of all Framework hosts and modules. Provides certificate-based registration features for the hosts.
Syslog Emitter (syslogemit): Provides logging of audit information to a syslog server.
1.3.2 Framework Manager Console
The Framework Manager console is the default user interface for the Framework. It allows configuration and management of the Framework through a graphical user interface.
For a description of this console, see Section 1.4, “The Workspace Layout,” on page 14.
1.3.3 Framework Agent
The Framework Agent is the client component of the Framework. It is responsible for receiving and carrying out instructions from the Framework Manager on all hosts. The following Framework Agent packages are installed on all Framework hosts:
Registry Agent (regclnt): Provides a local cached lookup for module locations. The Registry Agent queries the Registry Manager when local cached information is not available or isn’t fresh.
Distribution Agent (distrib): Provides the interface to control the installation and removal of packages in the Framework. It has methods to install, remove, and list the available and updatable packages. The Distribution Agent retrieves packages from the local Package Managers.
Store and Forward Agent (strfwd): Provides a store-and-forward mechanism for guaranteed delivery of messages. It is used for various core features such as replication of the manager databases.
Command Control Agent (rexec): Enables the Framework to control and audit user commands.
1.4 The Workspace Layout
The Framework Manager console consists of three areas: a navigation path, a navigation pane, and a task pane.
Section 1.4.1, “Navigation Path,” on page 14
Section 1.4.2, “Navigation Pane,” on page 14
Section 1.4.3, “Task Pane,” on page 15
1.4.1 Navigation Path
The navigation path near the top center of the screen shows the current position in the Framework Manager console.
Click an item on the navigation path for quick access to a given navigation pane. For example, to return to the home page, click Home.
1.4.2 Navigation Pane
The navigation pane on the right of the screen provides the current administrative facilities, consisting of icons, data grids, and forms.
In the navigation pane, you have access to six administrative consoles:
Compliance Auditor: Proactive auditing tool that pulls events from the Audit database for analysis, according to predefined rules. It can be configured to pull filtered audit events at hourly, daily, weekly or monthly intervals. This enables auditors to view pre-filtered security transactions, play back recordings of user activity, and record notes for compliance purposes. In an era of increasing regulatory compliance, the ability to supply demonstrable audit compliance at any time provides a more secure system and reduces audit risk. For more information, see Chapter 7, “Compliance Auditor,” on page 143.
Framework User Manager: Manages users who log in to the Framework Manager through role-based grouping. For more information, see Chapter 4, “Managing Framework Users and Groups,” on page 51.
Hosts: Centrally manages Privileged User Manager installation and updates, load balancing, redundancy of resources, and host alerts. For more information, see Chapter 3, “Managing Framework Hosts,” on page 23.
Reporting: Provides easy access and search capability for event logs and allows you to review and color-code user keystroke activity through the Command Risk Analysis Engine. For more information, see Chapter 6, “Managing Audit Reports,” on page 135.
Command Control: Uses an intuitive graphical interface to create and manage security policies for privilege management. For more information, see “Command Control” on page 69.
Package Manager: Allows you to easily update any Privileged User Manager hosts. For more information, see Chapter 2, “Managing Package Distribution,” on page 17.
1.4.3 Task Pane
The task pane on the left of the screen contains options that are applicable to the current Framework Manager console display.
The items in the top frame change, depending upon what is selected in the navigation pane.
2 Managing Package Distribution
Section 2.1, “Downloading Packages to a Package Manager,” on page 17
Section 2.2, “Managing the Workspace,” on page 19
Section 2.3, “Downloading SLES Specific rpm Updates,” on page 20
2.1 Downloading Packages to a Package Manager
To update Framework hosts, you must first download the updated packages to a Package Manager.
There are three options for downloading packages to a Package Manager:
Download packages directly from the Novell Update Server (Recommended).
Manually download packages from Novell Downloads (http://download.novell.com).
Download packages from a Local Package Manager, which was downloaded using one of the two methods mentioned above.
You must configure the Package Manager to access the server you require.
Section 2.1.1, “Configuring the Package Manager,” on page 17
Section 2.1.2, “Adding Packages to the Package Manager,” on page 18
Section 2.1.3, “Checking for Updated Packages,” on page 18
Section 2.1.4, “Removing Packages,” on page 19
2.1.1 Configuring the Package Manager
You must supply the Package Manager with a location for downloading the packages before you can add packages for distribution.
1 Click Package Manager on the home page of the console.
2 Click Settings in the task pane.
3 (Conditional) To use the Novell Update server:
3a Select Novell Update Server.
3b Specify the User Name and Password (These are the Mirrored Credentials obtained from the Novell Customer Center account for Privileged User Manager).
3c To view the update server information, select Advanced Settings.
Select the Packages check box; the following URL is configured:
https://nu.novell.com:443/PUM/packages
4 (Conditional) To use a Local Package Manager:
4a Select Local Package Manager.
4b Fill in the following fields:
Hostname: Specify the DNS name of the host.
Port: Specify the communication port. The default is 29120.
The Local Package Manager is a Framework host that has been configured to store the packages.
5 Click Finish.
6 Continue with Section 2.1.2, “Adding Packages to the Package Manager,” on page 18.
2.1.2 Adding Packages to the Package Manager
If you have configured the Package Manager to use a Novell Update Server or the Local Package Manager (see Section 2.1.1, “Configuring the Package Manager,” on page 17), use the following procedure to add packages to the Package Manager.
NOTE: If you downloaded the packages manually from Novell Downloads (http://download.novell.com) to a directory, see Section 10.3, “Package Distribution Options,” on page 169.
1 Click Package Manager on the home page of the console.
2 Click Add Packages in the task pane.
3 Set the Package Filter options:
Versions: Select the version.
Platforms: Select the operating systems, then use the arrow to display and select the platforms.
Types: Select the types of packages you want to add (Console, Module, Interface, Patch).
Components: Select the components (Command Control, Framework, Miscellaneous).
4 Select the packages from the list of available packages.
To select multiple packages, press the Ctrl key and select the packages one at a time, or press the Shift key to select a consecutive list of packages. To select all packages, use Ctrl+A.
5 Click Next to start downloading.
6 Click Finish.
7 To install these packages on your hosts, continue with Section 3.4.2, “Updating Packages for a Host,” on page 37.
8 To use this Package Manager as a Local Package Manager for downloading packages, configure other Package Managers to point to the DNS name of this host.
2.1.3 Checking for Updated Packages
After you have added packages to the Package Manager, use the Check for Updates option to see if any updates are available.
1 Click Package Manager on the home page of the console.
2 Click Check for Updates in the task pane.
If updates are available, the navigation pane displays the updated packages that are available for download. Otherwise, an Alert dialog box is displayed stating No package updates are available.
3 Select the packages from the list of available packages.
To select multiple packages, press the Ctrl key and select the packages one at a time, or press the Shift key to select a consecutive list of packages. To select all packages, use Ctrl+A.
4 Click Next to start downloading.
5 Click Finish.
6 If updates were available, continue with Section 3.4.2, “Updating Packages for a Host,” on page 37 to install these packages on your hosts.
2.1.4 Removing Packages
1 Click Package Manager on the home page of the console.
2 In the list of available packages, select the packages you want to remove.
To select multiple packages, press the Ctrl key and select the packages one at a time, or press the Shift key to select a consecutive list of packages. To select all packages, use Ctrl+A.
3 Click Remove Packages in the task pane.
4 Click Next to start removing packages.
5 Click Finish.
2.2 Managing the Workspace
Section 2.2.1, “Managing the Consoles,” on page 19
Section 2.2.2, “Adding a Console to the Framework Manager Console,” on page 19
Section 2.2.3, “Removing Consoles from the Framework Manager Console,” on page 20
Section 2.2.4, “Updating Consoles in the Framework Manager Console,” on page 20
2.2.1 Managing the Consoles
The Framework Manager console can be extended by installing console packages. Console packages provide the administrative and reporting panes for Privileged User Manager modules.
Console packages must be downloaded to the Package Manager before they become available for installation.
2.2.2 Adding a Console to the Framework Manager Console
1 Click Install Consoles on the home page of the console.
If there are no consoles available to install, an Alert dialog box stating No consoles are available is displayed.
2 In the list of available consoles, select the consoles you want to add.
To select multiple consoles, press the Ctrl key and select the consoles one at a time, or press the Shift key to select a consecutive list of consoles. To select all consoles, use Ctrl+A.
3 Click Next to start installing.
4 Review the list of installed consoles.
5 Click Finish.
2.2.3 Removing Consoles from the Framework Manager Console
To uninstall consoles, you must uninstall the corresponding console package from the host.
1 Click Host on the home page, expand the host you want to uninstall a console from, then select Packages.
2 In the list of installed packages, select the consoles you want to remove.
To select multiple consoles, press the Ctrl key and select the consoles one at a time, or press the Shift key to select a consecutive list of consoles. To select all consoles, use Ctrl+A.
3 Click Uninstall Packages.
Review the list of removed consoles.
4 Click Next, then click Finish.
2.2.4 Updating Consoles in the Framework Manager Console
When updated console packages become available on your Package Manager, you can update the console packages installed on your Framework Manager console.
1 Click Update Consoles in the task pane.
The navigation pane displays updated consoles available for deployment.
2 In the list of available consoles, select the consoles you want to update.
To select multiple consoles, press the Ctrl key and select the consoles one at a time, or press the Shift key to select a consecutive list of consoles. To select all consoles, use Ctrl+A.
3 Click Next to start installing.
4 Review the list of updated consoles.
5 Click Finish.
NOTE: After updating a console, you must log out, close your browser and reopen the Framework Manager console to see the changes.
2.3 Downloading SLES Specific rpm Updates
With Privileged User Manager 2.2.2 and later, SuSE Linux Enterprise Server (SLES) specific rpms were released.
NOTE: Installs which use SLES specific rpms cannot be patched through the Package Manager and must be updated using the native installers, such as rpm or zypper
/