For OS patching, what are the considerations with regard to Privilege Manager for Sudo Policy Servers?
For OS patching, what are the considerations or best practices with regard to Privilege Manager for Sudo Policy Servers?
The plan is to patch the OS on which the Privilege Manager for Sudo Policy Server software is installed.
The sudo plugin hosts that communicate with the policy servers have an offline policy evaluation that should act as a backup if a plugin host is not able to contact any of the policy servers.
Also, if each server is patched one at a time, we would expect that the plugin hosts will still be able to do 'online' evaluations with one of the policy servers that are up and running.
Note: if a policy server that is currently servicing an active session with keystroke logging enabled is shut down, the active sessions will be disrupted. If this is of concern, the pmserviced service on a policy server can be disabled to stop any new requests from coming into that server. Wait until any active sessions (pmmasterd processes) have finished before shutting down the server.
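The wait step from the note above as a shell sketch (an added example, not code from the product or its vendor). It assumes pmserviced has already been disabled on the server and that active sessions appear under the command name pmmasterd in ps output; the function names and the timeout values are hypothetical.

```shell
#!/bin/sh
# Added example: wait for active pmmasterd sessions to drain before a reboot.
# Assumption: pmserviced is already disabled on this policy server, so no
# new sessions arrive while we wait.

# Print the number of running processes whose command name is exactly $1.
# Returns 2 if the process list cannot be read, so that a failing ps is
# never mistaken for "no sessions".
count_procs() {
    procs=$(ps -e -o comm=) || return 2
    printf '%s\n' "$procs" | awk -v n="$1" '$1 == n { c++ } END { print c + 0 }'
}

# wait_for_drain NAME TIMEOUT_SECONDS INTERVAL_SECONDS
# Returns 0 once no NAME processes remain, 1 if the timeout elapses first,
# 2 if the process list cannot be read.
wait_for_drain() {
    name=$1; timeout=$2; interval=$3
    waited=0
    while :; do
        active=$(count_procs "$name") || {
            echo "cannot list processes; not safe to assume drained" >&2
            return 2
        }
        if [ "$active" -eq 0 ]; then
            echo "no active $name processes; safe to shut down"
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            echo "timeout: $active $name process(es) still active" >&2
            return 1
        fi
        echo "$active $name process(es) active; waited ${waited}s"
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Example invocation (hypothetical limits: 30 minutes, poll every 15 seconds):
#   wait_for_drain pmmasterd 1800 15 && echo "proceed with patching"
```

A non-zero return means sessions are still running or could not be checked, so the shutdown should be deferred or the session owners contacted.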
General best practice guidelines would dictate that the patch updates be scheduled and performed during a quiet period (e.g. evenings or weekends) to minimize the impact of any service interruptions.
There should not be a need to start the Privilege Manager for Sudo services after bringing up the system as they start automatically.
Pmserviced is the service responsible for servicing sudo requests (pmmasterd port) from the plugin hosts. If pmserviced is stopped/disabled, the plugins can use the local pmserviced/pmmasterd to perform offline evaluations.
Pmlogsrvd is responsible for processing the eventlog files that the pmmasterd processes create and moving the event data into the eventlog database. If pmlogsrvd is stopped/disabled, subsequent sudo requests will then be processed offline by the local pmserviced until the plugin hosts notice that the services on the policy service have been restored. Stopping pmlogsrvd will not impact sudo requests.
The pmloadcheck daemon runs on Privilege Manager for Sudo policy servers. By default, every 60 minutes the daemon verifies the status of the configured policy servers. It controls load balancing and failover for connections made from the host to the configured policy servers, and on secondary servers, it sends license data to the primary server.