Ensure that each host on your network knows the names and IP addresses of all other hosts. This information is stored either in the /etc/hosts file on each machine, or in NIS maps or DNS files on a server. Whichever you use, ensure all host names and IP addresses are up-to-date and available.
Safeguard components must be able to use forward and reverse lookup of the host names and IP addresses of other components.
It is important for you to reserve the following special user and group names for Safeguard usage:
- Users: pmpolicy, pmclient
- Groups: pmpolicy, pmlog
The pmpolicy user is created on a primary or secondary server. It is a non-privileged service account (that is, it does not require root-level permissions) that is used to synchronize the security policy on policy servers.
The pmclient user is created on a Sudo Plugin host. It is a non-privileged service account (that is, it does not require root-level permissions) that is used to synchronize the security policy on Sudo Plugin hosts (offline policy cache).
The pmlog and pmpolicy groups are used to control access to log files and the security policy, respectively.
Safeguard requires that you choose a host to act as the policy server. This machine will run the pmmasterd daemon and must be available to manage requests for the whole network.
Run the policy server daemon on the most secure and reliable node. To maximize security, ensure the computer is physically inaccessible and carefully isolated from the network.
The policy server requires that the pmmasterd port (TCP/IP port 12345, by default) is available, and that Sudo Plugin hosts joined to the policy server are able to communicate with the policy server on this network port.
You can run multiple policy servers for redundancy and stability. Safeguard automatically selects an available policy server if more than one is on the network. For now, choose one machine to run pmmasterd. See pmmasterd for more information.
Ensure that hosts running the Sudo Plugin have Sudo 1.8.1 (or later) installed.
If you have multiple instances of Sudo, update the PATH environment variable to ensure Safeguard for Sudo uses the correct version.