After you make sure your primary policy server host meets the system requirements, you are ready to install the Safeguard packages.
To install the Safeguard packages
- From the command line of the host designated as your primary policy server, run the platform-specific installer. For example, run:
# rpm --install qpm-server-*.rpm
The Solaris server has a filename that starts with QSFTpmsrv.
When you install the qpm-server package, it installs all three Safeguard components on that host: the Safeguard Policy Server, the PM Agent, and the Sudo Plugin.
For details instructions on installing and configuring Privilege Manager for Unix, see the One Identity Privilege Manager for Unix Administration Guide.
After you install the primary policy server, you may want to update your PATH to include the Safeguard command.
To add quest-specific directories to your PATH environment
- If you are a Safeguard administrator, add these quest-specific directories to your PATH environment:
/opt/quest/bin:/opt/quest/sbin
In Safeguard for Sudo, the policy server acts as a central sudoers policy store for all clients with the Sudo Plugin which have been joined to the policy group. The policy server also provides centralized event tracking and keystroke logging for the Sudo Plugin hosts.
The policy server also provides a revision management system, which allows tracking and reporting on changes made to the policy. If, for example, an important entry was accidentally removed from the sudoers file, you can restore a previous version of the policy.
The first policy server configured for a policy group is the primary policy server and holds the master copy of the policy. You configure a policy server by running the pmsrvconfig command without any options, like this:
# pmsrvconfig
pmsrvconfig runs with a set of default values and only prompts you when necessary.
To override the default values, you may specify a number of options. For more information about the various command options used in the following examples, see pmsrvconfig.
To configure a policy server for a sudo policy type
- Run this command:
# /opt/quest/sbin/pmsrvconfig
By default, the local /etc/sudoers policy file is used and imported into the policy server repository. To import an alternate sudoers file, run the command with the -f option, as follows:
# /opt/quest/sbin/pmsrvconfig -f <sudoers>
where: <sudoers> is the path to the alternate sudoers file. For example:
# /opt/quest/sbin/pmsrvconfig -f /tmp/sudoers
- Accept the End User License Agreement (EULA) to configure the policy server.
-
When prompted, set the password for the new pmpolicy user.
This password is also called the "Join" password. It is used to setup an SSH key between the sudo host and the server for the off-line policy caching feature. You are required to use this password when you add secondary policy servers or join remote hosts to this policy group.
- (Optional) All Safeguard commands are in the /opt/quest/sbin and /opt/quest/bin directories, so you may want to update your PATH to include them, as follows:
# PATH=$PATH:/opt/quest/sbin:/opt/quest/bin
If you have multiple instances of sudo, updating the PATH environment variable ensures Safeguard for Sudo uses the correct version.
The sudo policy type supports multiple named policies in the policy server group. On the policy server, these named policies are represented as separate directories in the policy repository. Policy files are maintained using the pmpolicy command.
To configure additional policies on a policy server
-
To create a webservers policy from the file /etc/sudoers.web, run the following commands:
# pmpolicy checkout -d policydir
# mkdir policydir/policy_sudo/webservers
# cp /etc/sudoers.web policydir/policy_sudo/webservers/sudoers
# pmpolicy add -d policydir -p webservers/sudoers -n
The command checks out a copy of the current policy repository, creates a webserver directory for the new policy, populates it with the contents of the file /etc/sudoers.web, and commits the changes. After the policy directory is present on the server, a client can join to it.
