Safeguard for Sudo 7.1.1 - Administration Guide

Specifying security policy type

To configure a Safeguard for Sudo policy server, you must specify the sudo policy type.

To specify the security policy type

1. To specify the sudo policy type, run:

   # pmsrvconfig -m sudo

2. To specify the pmpolicy type, run:

   # pmsrvconfig -m pmpolicy

   For more information about pmpolicy language, see Privilege Manager for Unix Administration Guide.

Related Topics

pmsrvconfig

The sudo type policy

A sudo type policy is used with the Safeguard for Sudo product. When you configure the primary policy server, if /etc/sudoers exists, it imports this file and uses it as the initial sudoers policy file. Otherwise, it creates a generic sudoers file.

By default, the Safeguard for Sudo sudoers file resides in /etc/opt/quest/qpm4u/policy/sudoers, but is not meant to be accessed directly.

Sudo type policy entries look like this:

root ALL = (ALL) ALL 
%wheel ALL = (ALL) ALL

These entries will let root or any user in the wheel group run any command on any host as any user.

Viewing the security profile changes

To view a summary of the changes you made to your security policy

1. At the command line, run:

   # pmpolicy log

   ** Validate options          [ OK ] 
   ** Check out working copy    [ OK ] 
   ** Retrieve revision details [ OK ] 
   version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add sudoers.d/helpdesk " 
   version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add #includedir sudoers.d" 
   version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"

2. To examine the differences between two versions, run:

   # pmpolicy diff –r1:2

   ** Validate options                                          [ OK ] 
   ** Check out working copy (trunk revision)                   [ OK ] 
   ** Check differences                                         [ OK ] 
   ** Report differences between selected revisions             [ OK ] 
      - Differences were detected between the selected versions 
   Details: 
   Index: sudoers
   =================================================================== 
   --- sudoers (revision 1) 
   +++ sudoers (revision 2) 
   @@ -88,6 +88,6 @@ 
   # Defaults targetpw # Ask for the password of the target user
   # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
                                
   -## Read drop-in files from /etc/sudoers.d 
   +## Read drop-in files from sudoers.d 
   ## (the '#' here does not indicate a comment) 
   -##includedir /etc/sudoers.d 
   +# includedir sudoers.d 

The output shows the sudoers file from line 88. The lines that were changed between version 1 and version 2 are marked with a preceding “+” or "-". A "-" denotes lines that were changed or deleted, and a "+" denotes updated or added lines.

Administering Log and Keystroke Files

Safeguard allows you to control what is logged, as well as when and where it is logged. To help you set up and use these log files, the topics in this section explore enabling and disabling logging, as well as how to specify the log file locations.

Safeguard includes three different types of logging; the first two are helpful for audit purposes:

• keystroke logging, also referred to as I/O logging

  Keystroke logs record the user’s keystrokes and the terminal output of any sessions granted by Safeguard.

• event logging

  Event logs record the details of all requests to run privileged commands. The details include what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected.

• error logging

You can configure some aspects of the event and keystroke logging by means of the security policy on the policy servers. What you can configure and how you configure it depends on which type of security policy you are using on your policy server -- pmpolicy or sudo.

Related Topics

Security policy types