Chat now with support
Chat mit Support

Safeguard for Sudo 7.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard for Sudo Variables Safeguard for Sudo programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Safeguard for Sudo Server Configuration Settings

The following table lists the default and alternative configuration settings when configuring a Safeguard for Sudo server. For more information about the policy server configuration settings, see PM settings variables.

Table 6: Safeguard for Sudo Server configuration settings
Configuration Setting Default Alternate

Configure Safeguard for Sudo Policy Mode

Policy mode:

For more information about policy types, see Security policy types.

Sets policymode in pm.settings. (Policy "modes" are the same as policy "types" in the console.)

sudo

The Sudo Plugin supports the sudo policy type and the pmpolicy type.

Configure host as primary or secondary policy group server:

primary

Enter secondary, then supply the primary server host name.

Policy Group Name:

Sets sudoersfile in pm.settings.

<FQDN name of policy server>

Enter policy group name of your choice.

Path to sudoers file to import:

/etc/sudoers

Enter a path of your choice

Configure Safeguard for Sudo Daemon Settings

Policy server command line options:

Sets pmmasterdopts in pm.settings.

-ar

Enter:

  • -a to send job acceptance messages to syslog.

  • -e <logfile> to use the error log file identified by <logfile>.

  • -r to send job rejection messages to syslog.

  • -s to send error messages to syslog.

  • none to assign no options.

-a, -r, and -s override syslog no option; -e <logfile> overrides the pmmasterdlog <logfile> option.

Configure policy server host components to communicate with remote hosts through firewall?

No

Do not change this setting, because firewall options to not apply to the Sudo Plugin.

Define host services?

Yes

Adds services entries to the /etc/services file.

Enter No

You must add service entries to either the /etc/services file or the NIS services map.

Communications Settings for Safeguard for Sudo

Policy server daemon port number:

Sets masterport in pm.settings.

12345

Enter a port number for the policy server to communicate with agents and clients.

Specify a range of reserved port numbers for this host to connect to other defined Safeguard for Sudo hosts across a firewall?

Sets setreserveportrange in pm.settings.

No

Enter Yes, then enter a value between 600 and 1023:

  1. Minimum reserved port. (Default is 600.)

  2. Maximum reserved port. (Default is 1023.)

Specify a range of non-reserved port numbers for this host to connect to other defined Safeguard for Sudo hosts across a firewall?

Sets setnonreserveportrange in pm.settings.

No

Enter Yes, then enter a value between 1024 and 65535:

  • Minimum non-reserved port. (Default is 1024.)

  • Maximum non-reserved port. (Default is 31024.)

Allow short host names?

Sets shortnames in pm.settings.

Yes

Enter No to use fully-qualified host names instead.

Configure Kerberos on your network?

Sets kerberos in pm.settings.

No

Enter Yes, then enter:

  1. Policy server principal name. (Default is host.)

  2. Local principal name. (Default is host.)

  3. Directory for replay cache. (Default is /var/tmp.

  4. Path for the Kerberos configuration files [krbconf setting]. (Default is /etc/opt/quest/vas/vas.conf.)

  5. Full pathname of the Kerberos keytab file [keytab setting]. (Default is /etc/opt/quest/vas/host.keytab.

Encryption level:

Sets encryption in pm.settings.

AES

Enter one of these encryption options:

  • DES

  • TRIPLEDES

  • AES

Enable certificates?

Sets certificates in pm.settings.

No

Enter Yes, then answer:

Generate a certificate on this host? (Default is NO.)

Enter Yes and specify a passphrase for the certificate.

Once configuration of this host is complete, swap and install keys for each host in your system that need to communicate with this host. For more details, see Swap and install keys.

Activate the failover timeout?

No

Enter Yes, then assign the failover timeout in seconds: (Default is 10.)

Failover timeout in seconds

Sets failovertimeout in pm.settings.

10

Enter timeout interval.

Configure Safeguard for Sudo Logging Settings

Send errors reported by the policy server and local daemons to syslog?

Yes

Enter No

Policy server log location:

Sets pmmasterdlog in pm.settings.

/var/log/pmmasterd.log

Enter a location.

Configure Safeguard for Sudo Sudo Plugin

Configure Sudo Plugin?

No

Enter Yes

Install Safeguard for Sudo Licenses

XML license file to apply:

(use the freeware product license)

Enter the location of the .xml license file.

Enter Done when finished.

Enter <password>

This password is also called the "Join" password. You will use this password when you add secondary policy servers or join remote hosts to this policy group.

You can find an installation log file at: /opt/quest/qpm4u/install/pmsrvconfig_output_<Date>.log

Join hosts to policy group

Once you have installed and configured the primary policy server, you are ready to join it to a policy group. When you join a policy server to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host.

For Sudo Plugin hosts (qpm-plugin), you must "join" your policy servers to the policy groups using the pmjoin_plugin command.

Joining Sudo Plugin to Policy Server

Run the pmjoin_plugin command after installing the Sudo Plugin package (qpm-plugin) on a remote host to allow it to communicate with the servers in the policy group.

To join Sudo Plugin to policy server

  1. Join the Sudo Plugin host to the policy server by running the following command:

    # pmjoin_plugin <primary_policy_server>

    where <primary_policy_server> is the host name of the primary policy server.

  2. To automatically accept the End User License Agreement (EULA), use the -a option with the join command, as follows:

    # pmjoin_plugin -a <primary_policy_server>

You have now joined the host to a primary policy server. The primary policy server is now ready to accept commands using sudo.

Joining Sudo Plugin to policy server using a non-default policy

When joining a policy group, the client may specify a policy name to use a policy other than the default sudoers file.

To join Sudo Plugin to policy server using a non-default policy

  • Join a client to the webservers policy mentioned above by running the following command:

    pmjoin_plugin -N webservers <primary_policy_server>

    If the named policy does not exist on the server, the client will be unable to join.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen