
Privilege Manager for Sudo 6.1 Common Documents - Administration Guide


Checking Sudo Plugin Host for installation readiness

To check a Sudo Plugin host for installation readiness

  1. Log on to the remote host system as the root user and navigate to the files you extracted on the primary policy server.
  2. From the root directory, run a readiness check to verify the host meets the requirements for installing and using the Sudo Plugin, by running:
    # sh pmpreflight.sh --sudo --policyserver <myhost>

    where <myhost> is the hostname of the primary policy server.

    NOTE: Running pmpreflight.sh --sudo performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns its own IP
    • Policy Server Connectivity
      • Hostname of policy server can be resolved
      • Can ping the policy server
      • Can make a connection to policy server
      • Policy server is eligible for a join
    • Sudo Installation
      • sudo is present on the host
      • sudo is in a functional state
      • sudo is version 1.8.1 (or later)
    • Prerequisites to support off-line policy caching
      • SSH keyscan is available
      • Policy server port is available
  3. Resolve any reported issues and rerun pmpreflight until all tests pass.

Installing a Sudo Plugin on a remote host

To install a Sudo Plugin on a remote host

  1. Log on as the root user.
  2. Change to the directory containing the qpm-plugin package for your specific platform. For example, on a 64-bit Red Hat Linux, enter:
    # cd sudo_plugin/linux-x86_64
  3. Run the platform-specific installer. For example, on Red Hat Linux run:
    # rpm --install qpm-plugin-*.rpm

Once you install the Sudo Plugin package, the next task is to join it to the policy server.

Joining a Sudo Plugin to a primary policy server

Once you have installed a Sudo Plugin on a remote host you are ready to join it to the primary policy server. Joining a host to a policy server enables it to communicate with the servers in the policy group.

NOTE: The pmjoin command configures PM Agents (qpm-agent package) while the pmjoin_plugin command configures Sudo Plugin hosts (qpm-plugin package).

To join a Sudo Plugin to the primary policy server

  1. Run the following command:
    # pmjoin_plugin <primary_policy_server>

    where <primary_policy_server> is the host name of the primary policy server.

    To automatically accept the End User License Agreement (EULA), use the -a option with the "join" command, as follows:

    # pmjoin_plugin -a <primary_policy_server>

NOTE: When you join a Sudo Plugin to a policy server, Privilege Manager for Sudo adds the following lines to the current local sudoers file, generally found in /etc/sudoers.

## 
## WARNING: Sudoers rules are being managed by QPM4Sudo 
## WARNING: Do not edit this file, it is no longer used. 
## 
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules. 
##

When you unjoin the Sudo Plugin, Privilege Manager for Sudo removes those lines from the local sudoers file.

You have now installed the Privilege Manager for Sudo packages, configured a primary policy server for the sudo policy type, and joined the Sudo Plugin to the primary policy server. The primary policy server is ready to accept commands using sudo.

Verifying Sudo Plugin configuration

If you have installed the Sudo Plugin component using the qpm-plugin package, use the pmplugininfo command to verify the plugin configuration.

To verify the Sudo Plugin configuration

  1. From the command line, run:
    # pmplugininfo

    The pmplugininfo command displays the current configuration settings. For example:

    [0][root@host2 /]# pmplugininfo
       - Joined to a policy group                 : YES
       - Name of policy group                     : polsrv1.example.com
       - Hostname of primary policy server        : polsrv1.example.com
       - Policy type configured on policy group   : sudo
       - Pathname of compatible sudo binary       : /usr/local/bin/sudo v1.8.2
    [0][root@host2 /]#

    The secondary server Sudo Plugin will be joined to the secondary server. This is unique because all other Sudo Plugin hosts must join to the primary server.
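
The verification step above can be scripted when many hosts have to be checked. The following is an added example, not part of the product or of the original guide: it parses pmplugininfo output in the format shown above and confirms the host is joined, points at the expected primary policy server, uses the sudo policy type, and reports sudo 1.8.1 or later. The helper names (pm_field, version_ge, check_plugininfo, sample_output) are hypothetical, and the output format is assumed to match the example in this section.

```shell
# Added example; pm_field, version_ge, check_plugininfo are hypothetical helpers.

# Print the value of the line whose label contains $1 (reads stdin).
pm_field() {
    awk -F' : ' -v label="$1" 'index($1, label) { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Succeed if dotted version $1 is >= $2 (numeric compare, field by field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Usage: pmplugininfo | check_plugininfo <expected_primary_policy_server>
# Prints one line per failed check; the return status is the failure count.
check_plugininfo() {
    expected=$1; out=$(cat); fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    get() { printf '%s\n' "$out" | pm_field "$1"; }
    [ "$(get 'Joined to a policy group')" = "YES" ] || fail "host is not joined"
    server=$(get 'Hostname of primary policy server')
    [ "$server" = "$expected" ] ||
        fail "primary policy server is '$server', expected '$expected'"
    [ "$(get 'Policy type configured on policy group')" = "sudo" ] ||
        fail "policy type configured on the policy group is not sudo"
    ver=$(get 'Pathname of compatible sudo binary' |
        sed -n 's/.* v\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then fail "no compatible sudo binary reported"
    elif ! version_ge "$ver" 1.8.1; then fail "sudo $ver is older than 1.8.1"; fi
    return "$fails"
}

# Sample input: the example output from this guide, embedded for offline runs.
sample_output() {
    cat <<'EOF'
   - Joined to a policy group                 : YES
   - Name of policy group                     : polsrv1.example.com
   - Hostname of primary policy server        : polsrv1.example.com
   - Policy type configured on policy group   : sudo
   - Pathname of compatible sudo binary       : /usr/local/bin/sudo v1.8.2
EOF
}
sample_output | check_plugininfo polsrv1.example.com && echo "plugin configuration OK"
```

On a real host, replace sample_output with pmplugininfo run as root. A non-zero return status means the host needs attention before it is relied on for policy enforcement.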
