Chat now with support
Chat with Support

Safeguard for Sudo 7.1 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Safeguard Variables Safeguard programs Installation Packages Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Checking the server for installation readiness

Safeguard comes with a Preflight program that checks to see if your system meets the install requirements.

To check for installation readiness

  1. Log on as the root user.
  2. Change to the directory containing the qpm-server package for your specific platform.

    For example, on a 64-bit Red HatLinux, run:

    # cd server/linux-x86_64
  3. To ensure that the pmpreflight command is executable, run:
    # chmod 755 pmpreflight
  4. To verify your primary policy server host meets installation requirements, run:
    # sh pmpreflight.sh –-server

    Running pmpreflight.sh –-server performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns its own IP
    • Safeguard Server Network Requirements:
      • Policy server port is available (TCP/IP port 12345)
    • Safeguard Prerequisites:
      • SSH keyscan is available
  5. Resolve any reported issues and rerun pmpreflight until all tests pass.

TCP/IP configuration

Safeguard uses TCP/IP to communicate with networked computers, so it is essential that you have TCP/IP correctly configured. If you cannot use programs such as ssh and ping to communicate between your computers, then TCP/IP is not working properly; consult your system administrator to find out why and make appropriate changes.

Ensure that your host has a statically assigned IP address and that your host name is not configured to the loopback IP address 127.0.0.1 in the /etc/hosts file.

Firewalls

When the agent and policy server are on different sides of a firewall, Safeguard needs a number of ports to be kept open. By default, Safeguard can use ports in the 600 to 31024 range, but when using a firewall, you may want to limit the ports that can be used.

You can restrict Safeguard to using a range of ports in the reserved ports range (600 to 1023) and the non-reserved ports range (1024 to 65535). We recommend that a minimum of six ports are assigned to Safeguard in the reserved ports range and twice that number of ports are assigned in the non-reserved ports range.

Use the setreserveportrange and setnonreserveportrange settings in the /etc/opt/quest/qpm4u/pm.settings file to open the ports in the required ranges. See PM settings variables for details.

Hosts database

Ensure that each host on your network knows the names and IP addresses of all other hosts. This information is stored either in the /etc/hosts file on each machine, or in NIS maps or DNS files on a server. Whichever you use, ensure all host names and IP addresses are up-to-date and available.

Safeguard components must be able to use forward and reverse lookup of the host names and IP addresses of other components.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating