One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Checking client for policy readiness

Check Client for Policy Readiness performs a series of tests to verify that the specified hosts meet the minimum requirements to be joined to a policy server.

This command is only available, if

  • a primary policy server is active in System Settings. See Configuring a service account for details.

    -AND-

  • the selected hosts are not already joined to a policy group.

Note: For the readiness check to finish successfully, the path to the Privilege Manager software packages must be correctly set in System Settings. See Setting the Privilege Manager software path for details.

To check hosts for policy readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the toolbar, and choose Check Client for Policy Readiness.

  2. In the Check Client for Policy Readiness dialog, choose a policy group to use for the check and click OK.

  3. On the Log on to Host dialog, enter user credentials to access the hosts and click OK.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.

    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

  4. To check the results of the readiness check,

    1. Right-click the host on the All Hosts view of the Hosts tab, and choose Readiness Check Results.

    2. Choose Policy Readiness from the drop-down menu, if necessary.

    The results of the Check Client for Policy Readiness check depend on whether you run it on a Sudo Plugin or PM Agent host.

    Running the readiness check on a Sudo Plugin host performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns it own IP
    • Policy Server Connectivity:
      • Hostname of policy server can be resolved
      • Can ping the policy server
      • Can make a connection to policy server
      • Policy server is eligible for a join
    • Sudo Installation:
      • sudo is present on the host
      • sudo is in a functional state
      • sudo is version 1.8.1 (or greater)
    • Prerequisites to support off-line policy caching:
      • SSH keyscan is available
      • Policy server port is available

    Running the check on a PM Agent host runs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns it own IP
    • Privilege Manager for Unix Client Network Requirements
      • PM Agent port is available (TCP/IP port 12346)
      • Tunnel port is available (TCP/IP port 12347)
    • Policy Server Connectivity:
      • Hostname of policy server can be resolved
      • Can ping the policy server
      • Can make a connection to policy server
      • Policy server is eligible for a join
      • Policy server can make a connection to the PM Agent on port 12346

    A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.

  5. If the readiness check completed with failures or advisories, correct the issues and run the policy server readiness check again.

Installing Privilege Manager agent or plugin software

There are two Privilege Manager client software packages available to install onto a remote host that provide central policy management, granular access control reporting, as well as the ability to enable, gather, store and playback keystroke logs.

Note: Centralized policy management and keystroke logging are licensed separately.

  • Sudo Plugin is a plug-in to Sudo 1.8.1 (or higher). With the Sudo Plugin installed, when you execute a command using sudo, the plugin sends the command to the policy server for evaluation rather than to the local host. This allows you to centrally manage a sudoers policy file located on the primary policy server that is used by all the Sudo Plugin clients.

    Note: Before you install the Sudo Plugin on the host, ensure the host has Sudo 1.8.1 or higher installed on it. While you can install the Sudo Plugin without Sudo 1.8.1, you cannot join the host to a policy server without it.

  • Privilege Manager Agent. With the PM Agent installed, when you execute a command, the client sends the command to the policy server for evaluation rather than to the local host. This allows you to centrally manage a pmpolicy file located on the primary policy server that is used by all the PM Agent clients.

To install the Privilege Manager client software and join to a policy group

  1. Select one or more profiled hosts on the All Hosts view.
  2. Click Install Software from the Prepare panel on the All Hosts view.

    Note: The Install Software toolbar menu is enabled when you select hosts that are profiled.

    The toolbar button will not be active if

    • You have not selected any hosts.
    • You have selected hosts that are not profiled.

      Note: When you install the Privilege Manager Policy Server it installs all three Privilege Manager packages on that host. However, once you have installed the Sudo Plugin onto a remote host, the mangement console will not allow you to install the PM Agent on that host; and once you have installed the PM Agent onto a remote host, the mangement console will not allow you to install the Sudo Plugin on that host.

  3. On the Install Software dialog, select Sudo Plugin or Privilege Manager Agent and, optionally, select the Join option if you want to join the remote host to the policy group at this time. You can only install one package or the other.

    Note: If you do not see these software packages, verify the path to the software packages is correctly set in System Settings. Refer to Setting the Privilege Manager software path for details.

    Note: When you join a remote host to a policy group, you are indicating which policy group you want to use for policy verification. That is, you are enabling that host to validate security privileges against a single common policy file located on the primary policy server, instead of a policy file located on the local host.

    You can join the remote host to the policy group later. See Joining the host to a policy group for details.

    The Join process configures the host to run the Privilege Manager software with a policy group that you have previously activated in System Settings. If you have not already activated a policy group (as explained in Configuring a service account), you can install the Privilege Manager software without "joining" the host to a policy group at this time. Later, you can use the Join to Policy Group option from the Join or Configure menu to join the host to a policy group.

  4. On Join to Policy Group tab,

    1. Select the policy group to use for the policy verification.
    2. Enter the pmpolicy password in the Join password box.

      The Join password is the password for the pmpolicy user that was setup when the Policy Server was configured. See Configuring the primary policy server for details.

    3. Set the default policy server failover order within the policy group by ordering the hosts in the Policy Server list using the up and down arrows.

      Where there are two or more policy servers, Privilege Manager connects to the next available server when it cannot make a connection to a policy server.

      Note: To change the failover order, unjoin the host from the policy group and then rejoin it using new settings.

  5. At the Install Software dialog, click OK.

  6. On the Log on to Host dialog, enter your host credentials and click OK to start the installation process.

    Note: This task requires elevated credentials.

    The mangement console displays the version of Privilege Manager in the Version column; and, if it is joined, the name of the policy group to which the host is joined in the Status column.

Security policy management

The security policy lies at the heart of Privilege Manager. It stipulates which users may access which commands with escalated privileges. Privilege Manager guards access to privileged functions on your systems according to rules specified in the security policy.

Privilege Manager for Unix supports two security policy types:

  • sudo policy type – (default) uses a standard sudoers file as its security policy; that is, the sudo policy is defined by the sudoers file which contains a list of rules that control the behavior of sudo. The sudo command allows users to get elevated access to commands even if they do not have root access.
  • pmpolicy type – uses an advanced security policy which employs a high-level scripting language to specify access to commands based on a wide variety of constraints. Privilege Manager policy is defined by pm.conf, the default Privilege Manager policy configuration file which contains statements and declarations in a language specifically designed to express policies concerning the use of root and other controlled accounts.

Management Console for Unix gives you the ability to centrally manage policy located on the primary policy server. You view and edit both types of policy from the Policy tab on the mangement console.

Note: To manage policy, you must log in either as the supervisor or an Active Directory account with rights to edit the policy file; that is, an account in the Manage Sudo Policy or Manage PM Policy roles.

Opening a policy file

To open a policy

  1. From the mangement console, navigate to the Policy tab and select either the Sudo Policy Editor view or the PM Policy Editor view.

    To use the Sudo Policy Editor or the PM Policy Editor, you must first add and profile a Privilege Manager policy server, configure the service account, and activate the policy group in the mangement console. See Activating policy groups for details.

  2. From the Open menu, select either:
    1. Current version to open the latest saved version of the policy that is currently in use by the mangement console for a policy group.
    2. Version to open the Open Version dialog from which you select a policy group and a version of a policy and click OK to open the file.
  3. Once the policy is open you can modify it.

    Note: See Edit panel commands for more information about editing the policy in the text editor.

  4. After you modify the policy, save it.

    The policy is saved as a new version.

Documents connexes