
Privilege Manager for Sudo 6.1 Common Documents - Administration Guide

Planning Deployment

Before you run the installer, consider the following questions:

  1. Which machines in your network will run policy servers?

    If you only plan to use one policy server for an entire network, it should be the most reliable and secure machine.

    NOTE: You can specify multiple policy servers to avoid having a single point of failure.

    If more than 150 users will validate against a single pmmasterd, deploy multiple policy servers to avoid a network resource bottleneck. Plan for a maximum of 150 users validating at any one policy server.

  2. Which machines will be managed hosts?

    Only those hosts running the Sudo Plugin may receive and run Privilege Manager for Sudo requests.

    One Identity recommends that you initially specify one policy server and three or four Sudo Plugin hosts when you first install and experiment with Privilege Manager for Sudo.

  3. What level of protection do you require?

    If you require greater protection, you can select an encryption level such as AES, or a dedicated encryption system such as Kerberos. When configuring Privilege Manager in interactive mode, you are asked if you are using Kerberos. If you are using Kerberos, Privilege Manager automatically uses Kerberos for encryption.

  4. What port number should pmmasterd use to listen for network requests?

    Choose port numbers that do not conflict with entries already in the /etc/services file. Ensure these entries are propagated to all machines that access Privilege Manager.

  5. Which directory should contain the Privilege Manager log files?

    By default, the log files are placed in /var/adm or /var/log, depending on the host architecture. The installer lets you change the directory by passing command line options to the Privilege Manager daemons. The partition must have enough space for the log files to grow.

System requirements

Prior to installing Privilege Manager, ensure your system meets the minimum hardware and software requirements for your platform.

Table 1: Hardware and software requirements
Component Requirements
Operating systems

See Supported platforms to review a list of platforms that support Privilege Manager clients.

Disk space

80 MB of disk space for program binaries and manuals for each architecture.

NOTE: At a minimum, you must have 80 MB of free disk space. The directories in which the binaries are installed must have sufficient disk space available on a local disk drive rather than a network drive. Before you install Privilege Manager, ensure that the partitions that will contain /opt/quest have sufficient space available.

  • Sufficient space for the keystroke logs, application logs, and event logs. The size of this space depends on the number of servers, the number of commands, and the number of policies configured.

    NOTE: The space can be on a network disk drive rather than a local drive.

  • The server hosting Privilege Manager must be a separate machine dedicated to running the pmmasterd daemon.

SSH software

You must install and configure SSH client and server software on all policy server hosts.

You must also install SSH client software on all hosts that will use the Sudo Plugin.

You must enable access to SSH as the root user on the policy server hosts during configuration of the policy servers. Both OpenSSH 4.3 (and later) and Tectia SSH 6.4 (and later) are supported.

Processor

Policy servers: 4 cores

RAM

Policy servers: 4 GB

Privilege Manager for Sudo Requirements
Table 2: Primary policy server and host system installation requirements
Systems Required Minimum Requirements
Primary Policy Server

  • Supported Unix or Linux operating system
  • SSH (ssh-keyscan binary)

Host System

  • Supported Unix, Linux, or macOS platform
  • SSH (ssh-keyscan binary)
  • Sudo 1.8.1 (or later)

Default Ports

Configure the firewall ports appropriately when installing the Sudo Plugin on separate machines from the policy server.

Table 3: Masterport requirements
Variable Default Port Description
masterport 12345 TCP/IP port for pmmasterd. Privilege Manager uses the masterport to communicate with the pmmasterd (policy server daemon).
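A pre-installation check for the masterport choice raised in planning question 4 and in Table 3, added here as an example; it is not One Identity's code and not part of the product. It parses a file in /etc/services format for an existing TCP assignment of the candidate port, proposes the next unassigned port, and, where the iproute2 `ss` tool is present, reports whether something already listens on that port. The services file used in the demonstration is constructed; the default path /etc/services and the port 12345 come from the page.

```shell
#!/bin/sh
# Added example, not One Identity's code: pre-flight checks for the pmmasterd
# listening port (masterport, default 12345/tcp). Functions take an explicit
# services file so they can be exercised against constructed sample data.

# port_conflict_in_services PORT [SERVICES_FILE]
# Prints the service name(s) already assigned PORT/tcp in SERVICES_FILE
# (default /etc/services) and returns 0; returns 1 if the port is unassigned.
port_conflict_in_services() {
    port="$1"
    services="${2:-/etc/services}"
    # /etc/services lines look like: name  port/proto  [aliases]  # comment
    conflicts=$(sed 's/#.*//' "$services" |
        awk -v p="$port" '$2 == (p "/tcp") { print $1 }')
    [ -n "$conflicts" ] || return 1
    printf '%s\n' "$conflicts"
}

# next_free_tcp_port START [SERVICES_FILE]
# Prints the first port >= START that has no PORT/tcp entry in the services file.
next_free_tcp_port() {
    candidate="$1"
    while port_conflict_in_services "$candidate" "${2:-/etc/services}" >/dev/null; do
        candidate=$((candidate + 1))
    done
    printf '%s\n' "$candidate"
}

# port_in_use PORT
# Returns 0 if a TCP listener is already bound to PORT on this host (uses ss
# from iproute2), 1 if nothing listens there, 2 if ss is not available.
port_in_use() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn 2>/dev/null |
        awk -v p="$1" 'NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                       END { exit !found }'
}

# Demonstration against a constructed services file (not a real /etc/services).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample for the demonstration
ssh          22/tcp
ssh          22/udp
demo-chat    12345/tcp    # pretend something already owns the default masterport
demo-chat    12345/udp
EOF

masterport=12345
if owner=$(port_conflict_in_services "$masterport" "$sample"); then
    echo "masterport $masterport/tcp already assigned to: $owner"
    echo "next unassigned TCP port: $(next_free_tcp_port "$masterport" "$sample")"
else
    echo "masterport $masterport/tcp is not assigned in $sample"
fi

case $(port_in_use "$masterport"; echo $?) in
    0) echo "something already listens on $masterport/tcp on this host" ;;
    1) echo "nothing listens on $masterport/tcp on this host" ;;
    *) echo "ss not available; skipped the listener check" ;;
esac
rm -f "$sample"
```

Run the functions with no second argument to check the real /etc/services. Whatever port you settle on has to be the same on every host, so the services entry and the firewall rule that allows the Sudo Plugin hosts to reach the policy server on that TCP port should be rolled out together.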

Supported platforms

The following table provides a list of supported platforms for Privilege Manager clients.

CAUTION: In future versions of the product, macOS, HP-UX, AIX, and Solaris will only be supported as Privilege Manager clients. The client and server will continue to be supported on Linux-based platforms. Users are advised to migrate their Privilege Manager policy servers to Linux-based systems.

Table 4: Unix client: Supported platforms
Platform | Version | Architecture
Amazon Linux AMI | | x86_64
Apple macOS | 10.12, 10.13, 10.14 | x86_64
CentOS Linux | 5, 6, 7, 8 | Current Linux architectures: s390, s390x, PPC64, PPC64le, ia64, x86, x86_64, AARCH64
Debian | Current supported releases | x86_64, x86, AARCH64
Fedora Linux | Current supported releases | x86_64, x86, AARCH64
FreeBSD | 10.x, 11.x | x32, x64
HP-UX | 11.31 | PA, IA-64
IBM AIX | 7.1, 7.2 | Power 4+
OpenSuSE | Current supported releases | x86_64, x86, AARCH64
Oracle Enterprise Linux (OEL) | 5, 6, 7, 8 | Current Linux architectures: s390, s390x, PPC64, PPC64le, ia64, x86, x86_64, AARCH64
Red Hat Enterprise Linux (RHEL) | 5, 6, 7, 8 | Current Linux architectures: s390, s390x, PPC64, PPC64le, ia64, x86, x86_64, AARCH64
Solaris | 10.x, 11.x | SPARC, x64
SuSE Linux Enterprise Server (SLES)/Workstation | 11, 12, 15 | Current Linux architectures: s390, s390x, PPC64, PPC64le, ia64, x86, x86_64, AARCH64
Ubuntu | Current supported releases | x86_64, x86, AARCH64

Reserve special user and group names

Reserve the following names for Privilege Manager usage:

  • pmpolicy (user and group)
  • pmlog (group)

For more information, see Reserve special user and group names.
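A host pre-flight script covering the requirements from Table 1 and Table 2 and the reserved names listed above, added as an example; it is not One Identity's code and not part of the installer. It checks for 80 MB free on the filesystem that will hold /opt/quest, for ssh-keyscan on the PATH, for Sudo 1.8.1 or later, and for the names pmpolicy and pmlog not already being defined. The passwd and group content in the demonstration is constructed, the `PM_PREFLIGHT_LIVE` variable is a name chosen for this example, and the reserved-name check reads the local files only (on hosts whose accounts come from a directory, confirm with getent as well).

```shell
#!/bin/sh
# Added example, not One Identity's code: pre-flight checks for a host that
# will run the policy server or the Sudo Plugin. Every check accepts explicit
# inputs so it can be exercised against constructed data; the defaults point
# at the live system.

# version_ge A B : returns 0 if dotted version A is >= B. A trailing patch
# suffix such as the "p2" in 1.8.31p2 is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$b" ]
}

# sudo_version_ok [VERSION] : VERSION defaults to the first line of `sudo -V`
# ("Sudo version 1.9.5p2"); the page requires 1.8.1 or later.
sudo_version_ok() {
    v="${1:-$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')}"
    [ -n "$v" ] && version_ge "$v" 1.8.1
}

# name_defined NAME FILE : returns 0 if NAME is the first field of any line in
# a passwd- or group-format FILE (local files only; directory-backed accounts
# need getent as well).
name_defined() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# reserved_names_free [PASSWD_FILE] [GROUP_FILE] : reports each reserved name
# that is already defined; returns the number of conflicts (0 = all free).
reserved_names_free() {
    passwd="${1:-/etc/passwd}"
    group="${2:-/etc/group}"
    conflicts=0
    if name_defined pmpolicy "$passwd"; then
        echo "user pmpolicy already exists in $passwd"
        conflicts=$((conflicts + 1))
    fi
    for g in pmpolicy pmlog; do
        if name_defined "$g" "$group"; then
            echo "group $g already exists in $group"
            conflicts=$((conflicts + 1))
        fi
    done
    return "$conflicts"
}

# free_kb DIR : prints the kilobytes available on the filesystem holding DIR;
# if DIR does not exist yet (fresh install) its nearest existing parent is used.
free_kb() {
    d="$1"
    while [ ! -d "$d" ] && [ "$d" != "/" ]; do d=$(dirname "$d"); done
    df -Pk "$d" | awk 'NR == 2 { print $4 }'
}

# install_space_ok [DIR] [MIN_KB] : 80 MB (81920 KB) under /opt/quest by default.
install_space_ok() {
    [ "$(free_kb "${1:-/opt/quest}")" -ge "${2:-81920}" ]
}

ssh_keyscan_ok() { command -v ssh-keyscan >/dev/null 2>&1; }

# preflight : runs every check against the live host; returns the number of
# failed checks so it can gate an automated install.
preflight() {
    failed=0
    if install_space_ok; then echo "ok: at least 80 MB free for /opt/quest"
    else echo "FAIL: under 80 MB free on the filesystem for /opt/quest"; failed=$((failed + 1)); fi
    if ssh_keyscan_ok; then echo "ok: ssh-keyscan found"
    else echo "FAIL: ssh-keyscan not on PATH; install the SSH client"; failed=$((failed + 1)); fi
    if sudo_version_ok; then echo "ok: sudo is 1.8.1 or later"
    else echo "FAIL: sudo missing or older than 1.8.1"; failed=$((failed + 1)); fi
    if reserved_names_free; then echo "ok: pmpolicy and pmlog are not in use"
    else failed=$((failed + 1)); fi
    return "$failed"
}

# Demonstration against constructed inputs (not the live system).
for v in 1.8.1 1.9.5p2 1.7.10; do
    if sudo_version_ok "$v"; then echo "sudo $v: meets the 1.8.1 minimum"
    else echo "sudo $v: too old"; fi
done
pw=$(mktemp); gr=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/sh\npmpolicy:x:1500:1500::/home/pmpolicy:/bin/sh\n' > "$pw"
printf 'root:x:0:\npmlog:x:1501:\n' > "$gr"
reserved_names_free "$pw" "$gr"; n=$?
echo "$n reserved-name conflict(s) in the constructed files"
rm -f "$pw" "$gr"
# PM_PREFLIGHT_LIVE is a name chosen for this example: set it to 1 to check the real host.
if [ "${PM_PREFLIGHT_LIVE:-0}" = 1 ]; then preflight; fi
```

An existing pmpolicy or pmlog entry is not necessarily wrong (an earlier installation may have created it), but it should be confirmed to belong to Privilege Manager rather than to an unrelated account before the installer is run. The disk check measures free space only; the page additionally requires that the install location be on a local disk, which `df` alone does not establish.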
