Chat now with support
Chat mit Support

Safeguard for Sudo 7.1 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Safeguard Variables Safeguard programs Installation Packages Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Joining Sudo Plugin to Policy Server

Run the pmjoin_plugin command after installing the Sudo Plugin package (qpm-plugin) on a remote host to allow it to communicate with the servers in the policy group.

To join Sudo Plugin to policy server

  1. Join the Sudo Plugin host to the policy server by running the following command:
    # pmjoin_plugin <primary_policy_server>

    where <primary_policy_server> is the host name of the primary policy server.

  2. To automatically accept the End User License Agreement (EULA), use the –a option with the "join" command, as follows:

    # pmjoin_plugin -a <primary_policy_server> 

You have now joined the host to a primary policy server. The primary policy server is now ready to accept commands using sudo.

Joining Sudo Plugin to policy server using a non-default policy

When joining a policy group, the client may specify a policy name to use a policy other than the default sudoers file.

To join Sudo Plugin to policy server using a non-default policy

  1. Join a client to the webservers policy mentioned above by running the following command:
    pmjoin_plugin -N webservers <primary_policy_server>

    If the named policy does not exist on the server, the client will be unable to join.

Swap and install keys

If certificates are enabled in the /etc/opt/quest/qpm4u/pm.settings file of the primary server, then you must exchange keys (swap certificates) prior to joining a client or secondary server to the primary server. Optionally, you can run the configuration or join with the -i option to interactively join and exchange keys.

One Identity recommends that you enable certificates for higher security.

The examples below use the keyfile paths that are created when using interactive configuration or join if certificates are enabled.

To swap certificate keys

  1. Copy Host2's key to Host1. For example:
    # scp /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost \
    root@Host1:/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_server2
  2. Copy Host1's certificate to Host2. For example:
    # scp root@host1:/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost \
    /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host1
  3. Install Host1's certificate on Host2. For example:
    # /opt/quest/sbin/pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host1
  4. Log on to Host1 and install Host2's certificate. For example:

    # /opt/quest/sbin/pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host2

If you use the interactive configure or join, the script will exchange and install keyfiles automatically.

Configure a secondary policy server

The primary policy server is always the first server configured in the policy server group; secondary servers are subsequent policy servers set up in the policy server group to help with load balancing. The "master" copy of the policy is kept on the primary policy server.

All policy servers (primary and secondary) maintain a production copy of the security policy stored locally. The initial production copy is initialized by means of a checkout from the repository when you configure the policy server. Following this, the policy servers automatically retrieve updates as required.

By adding one or more secondary policy servers, the work of validating policy is balanced across all of the policy servers in the group, and provides failover in the event a policy server becomes unavailable. Use pmsrvconfig with the –s option to configure the policy server as a secondary server.

Installing secondary servers

To install the secondary server

  1. From the command line of the host designated as your secondary policy server, log on as the root user.
  2. Change to the directory containing the qpm-server package for your specific platform.

    For example, on a 64-bit Red Hat Linux, run:

    # cd server/linux-x86_64
  3. Run the platform-specific installer. For example, run:
    # rpm –-install qpm-server-*.rpm

    The Solaris server has a filename that starts with QSFTpmsrv.

    When you install the qpm-server package, it installs all three Safeguard components on that host:

    • Safeguard Policy Server
    • PM Agent (which is used by Privilege Manager for Unix)
    • Sudo Plugin (which is used by Safeguard for Sudo)

    You can only join a PM Agent host to a Safeguard policy server or a Sudo Plugin host to a sudo policy server. See Security policy types for more information about policy types.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen