Chat now with support
Chat mit Support

Safeguard for Sudo 7.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard for Sudo Variables Safeguard for Sudo programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Joining a Sudo Plugin to a primary policy server

Once you have installed a Sudo Plugin on a remote host you are ready to join it to the primary policy server. Joining a host to a policy server enables it to communicate with the servers in the policy group.

The pmjoin command configures PM Agents (qpm-agent package) while the pmjoin_plugin command configures Sudo Plugin hosts (qpm-plugin package).

To join a Sudo Plugin to the primary policy server

  1. Run the following command:

    # pmjoin_plugin <primary_policy_server>

    where <primary_policy_server> is the host name of the primary policy server.

    To automatically accept the End User License Agreement (EULA), use the -a option with the join command, as follows:

    # pmjoin_plugin -a <primary_policy_server>

When you join a Sudo Plugin to a policy server, Safeguard for Sudo adds the following lines to the current local sudoers file, generally found in /etc/sudoers.

## 
## WARNING: Sudoers rules are being managed by Safeguard for Sudo 
## WARNING: Do not edit this file, it is no longer used. 
## 
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules. 
##

When you unjoin the Sudo Plugin, Safeguard for Sudo removes those lines from the local sudoers file.

You have now installed the Safeguard for Sudo packages, configured a primary policy server for the sudo policy type, and joined the Sudo Plugin to the primary policy server. The primary policy server is ready to accept commands using sudo.

Verifying Sudo Plugin configuration

If you have installed the Sudo Plugin component using the qpm-plugin package, use the pmplugininfo command to verify the plugin configuration.

To verify the Sudo Plugin configuration

  1. From the command line, run:

    # pmplugininfo

    The pmcplugininfo command displays the current configuration settings. For example:

    [0][root@host2 /]# pmplugininfo
       - Joined to a policy group                 : YES
       - Name of policy group                     : polsrv1.example.com
       - Hostname of primary policy server        : polsrv1.example.com
       - Policy type configured on policy group   : sudo
       - Pathname of compatible sudo binary       : /usr/local/bin/sudo v1.8.2
    [0][root@host2 /]#

    The secondary server Sudo Plugin will be joined to the secondary server. This is unique because all other Sudo Plugin hosts must join to the primary server.

Load balancing on the client

Load balancing is handled on each client, using information that is returned from the policy server each time a session is established.

If a session cannot be established because the policy server is unavailable (or offline) that policy server is marked as unavailable, and no further sudo sessions are sent to it until the next retry interval.

pmpluginloadcheck runs transparently on each host to check the availability and loading of the policy server. When a policy server is marked as unavailable, pmpluginloadcheck attempts to connect to it at intervals. If it succeeds, the policy server is marked as available and able to run Safeguard for Sudo sessions.

To view the current status of the policy server

  • Run the following command:

    # pmpluginloadcheck [-f]

If the policy server cannot be contacted, the last known information for this host is reported.

Remove configurations

You can remove the Safeguard for Sudo Server or Sudo Plugin configurations by using the -u option with the following commands:

  • pmsrvconfig to remove the Safeguard for Sudo Server configuration

  • pmjoin_plugin to remove the Sudo Plugin configuration

Take care when you remove the configuration from a policy server, particularly if the policy server is a primary server with secondary policy servers in the policy group, as agents joined to the policy group will be affected.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen