Chatta subito con l'assistenza
Chat con il supporto

Safeguard for Sudo 7.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard for Sudo Variables Safeguard for Sudo programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Behavioral change

Table 55: Behavioral change
Sudo option Description

-k and -K

These flags only remove the user’s credentials within the cache.

env_file

When in "offline policy evaluation" mode, this option only works if the file is present on the off-line host.

fqdn

Normally, when a policy has this flag enabled, sudo resolves host names on the policy server. However, when in off-line mode, sudo resolves host names from the policy cache server, which may produce different results.

group_plugin

When in "off-line policy evaluation" mode, this option only works if the off-line host has group_plugin in the same path as the primary/secondary server.

lecture_file

When in "off-line policy evaluation" mode, this option only works if the file is present on the off-line host.

logfile

When in "off-line policy evaluation" mode, this option only works if the file is present on the off-line host.

Unsupported Sudoers policy options

Table 56: Unsupported Sudoers policy options
Sudoers option Explanation

admin_flag

Safeguard does not use an admin flag file.

apparmor_profile

AppArmor policies are not supported.

compress_io

Compresses I/O logs using zlib.

fast_glob

fast_glob is always enabled; disabling fast_glob has no effect.

fdexec

Initialization by file descriptor instead of path, not supported.

ignore_local_sudoers

Sudoers in LDAP is not supported.

iolog_dir (‘%’) escape sequences %{seq}

The %{seq} escape sequence is not supported.

iolog_flush

Safeguard for Sudo keystroke logs are not buffered so this option is always on.

iolog_group

Safeguard for Sudo keystroke logs are owned by the pmlog group.

iolog_mode

Safeguard for Sudo keystroke logs are readable and writable by the root user and readable by the pmlog group.

iolog_user

Safeguard for Sudo keystroke logs are owned by the root user.

lecture_status_dir

Safeguard stores the lecture status with the time stamp data.

limitprivs

Default set of Solaris limit privileges; not supported.

log_server_cabundle

Safeguard uses auditsrvCAbundle in pm.settings instead.

log_server_keepalive

Safeguard uses auditsrvKeepalive in pm.settings instead.

log_server_peer_cert

Safeguard uses auditsrvCert in pm.settings instead.

log_server_peer_key

Safeguard uses auditsrvPkey in pm.settings instead.

log_server_timeout

Safeguard uses auditsrvTimeout in pm.settings instead.

log_server_verify

Safeguard uses auditsrvTLSVerify in pm.settings instead.

log_servers

Safeguard uses auditsrvHosts in pm.settings instead.

maxseq

Maximum I/O sequence number; not used by Safeguard for Sudo.

noninteractive_auth

Authentication is only attempted in interactive mode.

pam_acct_mgmt

Safeguard for Sudo always runs PAM account management modules.

pam_askpass_service

PAM service to use with "sudo -A"; Safeguard for Sudo always uses "sudo".

pam_login_service

PAM service to use for login shells; Safeguard for Sudo always uses "sudo".

pam_rhost

Safeguard for Sudo does not set the PAM remote host.

pam_ruser

Safeguard does not set the PAM remote user.

pam_service

PAM service name to use; Safeguard for Sudo always uses "sudo".

pam_session

Safeguard for Sudo always creates a new PAM session.

pam_setcred

Attempts to establish PAM credentials for the target user; not used by Safeguard for Sudo.

passprompt_override

Forces sudo to always use passprompt.

privs

Default set of permitted Solaris privileges, not supported.

pwfeedback

When set, sudo provides visual feedback when you press a key.

role

SELinux RBAC not supported.

selinux

SELinux RBAC not supported.

stay_setuid

Forces sudo to act as a setuid wrapper.

timestamp_type

Safeguard for Sudo uses its own time stamp format.

timestampdir

The directory in which sudo stores its timestamp files.

timestampowner

The owner of the timestamp directory and the timestamps stored therein.

type

SELinux RBAC not supported.

use_loginclass

BSD login classes are not supported.

use_pty

Not relevant; pty is always used.

visiblepw

Safeguard for Sudo does not allow the password to echo to screen.

Unsupported Sudoers directives

Table 57: Unsupported Sudoers directives
Sudoers directive Description / Explanation

#include & #includedir

Safeguard for Sudo does not support these options.

Because these options use absolute paths they can point outside the policy repository making it impossible to sync the policy files that are included among the policy servers.

You can use #include and #includedir to include files and directories, so long as you keep them in a separate directory from the working copy, but you need to know that the included files/directories will not be under revision control.

Safeguard for Sudo Policy Evaluation

Safeguard for Sudo enhances traditional sudo by providing centralized services for policy evaluation, as well as event and keystroke logging. Safeguard for Sudo provides continuity of service in the event of a network or server outage by means of off-line policy evaluation.

Sudo off-line policy evaluation is available when using the Sudo Plugin joined to a policy server that evaluates a sudoers policy.

How it works

The Sudo Plugin package provides a cache service by installing a client version of the policy server daemon (pmmasterd) on the Plugin host. When you configure and join the host to a policy server, it sets up the policy management subsystem, and checks out the cache’s copy of the security policy from the central repository on the primary policy server.

When you run a sudo command, it sends the initial Sudo Plugin request to the cache service running on the Plugin host. In most cases, the cache service forwards the request to a central policy server on the network. However, if the cache service does not receive a timely response from a central policy server, it services the request locally, performing an off-line evaluation of the cached policy and storing the event and keystroke logs in a temporary holding location on the Plugin host (under /var/opt/quest/qpm4u/offline/).

You can configure the time period before an off-line policy evaluation occurs by adding the offlineTimeout setting in the /etc/opt/quest/qpm4u/pm.settings file. offlineTimeout defaults to 1500 milliseconds (1.5 seconds). To modify that setting, specify the timeout period in milliseconds as an integer value. For example, to set a timeout of 5 seconds (5000 milliseconds), enter the following into the pm.settings file:

offlineTimeout 5000

Setting offlineTimeout to 0 in the pm.settings file, forces the cache service to always perform off-line (local-only) policy evaluation for sudo requests.

Once an off-line policy evaluation has occurred, the pmloadcheck daemon periodically checks to see if any policy server has come back online. Upon returning to an online state, the pmloadcheck daemon initiates a log file transfer to copy the logs to a temporary quarantine area on the policy server (/var/opt/quest/qpm4u/quarantine). The policy server validates the integrity of the log files in the quarantine and processes them, appending events to the central log store.

Determining off-line events

When off-line policy evaluation occurs, the cache service’s pmmasterd process writes a message to the pmmasterd.log file located in either /var/log or /var/adm, depending on your operating system, and is configurable in the /etc/opt/quest/qpm4u/pm.settings file.

Once processed into a policy server’s central event store, you can identify off-line events by examining the offlinesession event variable (pmlog -c "offlinesession==1") or the masterhost variable which is set to the Plugin host’s hostname.

Off-line policy cache updates

At regular intervals and whenever a request is sent to a central policy server for online evaluation, the pmloadcheck daemon checks the revision number of the cached policy. You can also use the pmpolicyplugin utility to display the revision status of the cached policy or to request an update. For more information about this utility, see pmpolicyplugin.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione