지금 지원 담당자와 채팅
지원 담당자와 채팅

Safeguard for Sudo 7.2.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard Variables Safeguard programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Verifying package signature

All packages shipped by (Undefined variable: General.vendor) come with a signature. Signature verification depends on the platform:

  • MacOS packages are signed by an Apple developer certificate.

  • Linux, FreeBSD, AIX, Solaris and HP-UX packages are signed with a PGP key.

You can find the public key at pgp.mit.edu and at keyserver.ubuntu.com.

To fetch the public key, use its id:

gpg --keyserver <keyserver> --recv C5C4EC20AFB5B8E678085F81B161CD624417450C

You can also find the same public key in the oneidentity_pgpkey.pub file. To import it, use the following command:

gpg --import oneidentity_pgpkey.pub

To verify package signature

  1. Download the public key.

  2. Verify the files.

    • For platforms with separate .sig file signatures, use gpg2:

      gpg --verify <file>.sig <file>
    • For rpm packages, import the public key into the rpm's database:

      gpg --export -a "C5C4EC20AFB5B8E678085F81B161CD624417450C" >pubkey
      rpm --import pubkey

      And verify with:

      rpm --checksig --verbose <file>
    • For debian packages, use debsig-verify.

Configure a Primary Policy Server

The first thing you must do is install and configure the host you want to use as your primary policy server.

Checking the server for installation readiness

Safeguard comes with a Preflight program that checks to see if your system meets the install requirements.

To check for installation readiness

  1. Log on as the root user.
  2. Change to the directory containing the qpm-server package for your specific platform.

    For example, on a 64-bit Red HatLinux, run:

    # cd server/linux-x86_64
  3. Check if the pmpreflight command is executable. If it is not, run:
    # chmod 755 pmpreflight
  4. To verify your primary policy server host meets installation requirements, run:
    # sh pmpreflight.sh --server

    NOTE: The pmpreflight.sh shell script is not in the same directory as the pmpreflight binary. It is directly under the 7.2.2 directory. The user needs to change directory before running the script.

    Running pmpreflight.sh --server performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns its own IP
    • Safeguard Server Network Requirements:
      • Policy server port is available (TCP/IP port 12345)
    • Safeguard Prerequisites:
      • SSH keyscan is available
  5. Resolve any reported issues and rerun pmpreflight until all tests pass.

TCP/IP configuration

Safeguard uses TCP/IP to communicate with networked computers, so it is essential that you have TCP/IP correctly configured. If you cannot use programs such as ssh and ping to communicate between your computers, then TCP/IP is not working properly; consult your system administrator to find out why and make appropriate changes.

Ensure that your host has a statically assigned IP address and that your host name is not configured to the loopback IP address 127.0.0.1 in the /etc/hosts file.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택