After you install the primary policy server, you may want to update your PATH to include the Safeguard command.
To add quest-specific directories to your PATH environment
- If you are a Safeguard administrator, add these quest-specific directories to your PATH environment: /opt/quest/bin:/opt/quest/sbin
In Safeguard for Sudo, the policy server acts as a central sudoers policy store for all clients running the Sudo Plugin that have been joined to the policy group. The policy server also provides centralized event tracking and keystroke logging for the Sudo Plugin hosts.
The policy server also provides a revision management system, which allows tracking and reporting on changes made to the policy. If, for example, an important entry was accidentally removed from the sudoers file, you can restore a previous version of the policy.
The first policy server configured for a policy group is the primary policy server and holds the master copy of the policy. You configure a policy server by running the pmsrvconfig command without any options, like this:
# pmsrvconfig
pmsrvconfig runs with a set of default values and only prompts you when necessary.
To override the default values, you may specify a number of options. For more information about the various command options used in the following examples, see pmsrvconfig.
To configure a policy server for a sudo policy type
- Run this command:
# /opt/quest/sbin/pmsrvconfig
By default, the local /etc/sudoers policy file is used and imported into the policy server repository. To import an alternate sudoers file, run the command with the -f option, as follows:
# /opt/quest/sbin/pmsrvconfig -f <sudoers>
where <sudoers> is the path to the alternate sudoers file. For example:
# /opt/quest/sbin/pmsrvconfig -f /tmp/sudoers
- Accept the End User License Agreement (EULA) to configure the policy server.
- When prompted, set the password for the new pmpolicy user.
This password is also called the "Join" password. It is used to set up an SSH key between the sudo host and the server for the off-line policy caching feature. You must supply this password when you add secondary policy servers or join remote hosts to this policy group.
- (Optional) All Safeguard commands are in the /opt/quest/sbin and /opt/quest/bin directories, so you may want to update your PATH to include them, as follows:
# PATH=$PATH:/opt/quest/sbin:/opt/quest/bin
If you have multiple instances of sudo, updating the PATH environment variable ensures Safeguard for Sudo uses the correct version.
Configuring additional policies on a policy server
The sudo policy type supports multiple named policies in the policy server group. On the policy server, these named policies are represented as separate directories in the policy repository. Policy files are maintained using the pmpolicy command.
To configure additional policies on a policy server
- To create a webservers policy from the file /etc/sudoers.web, run the following commands:
# pmpolicy checkout -d policydir
# mkdir policydir/policy_sudo/webservers
# cp /etc/sudoers.web policydir/policy_sudo/webservers/sudoers
# pmpolicy add -d policydir -p webservers/sudoers -n
These commands check out a copy of the current policy repository, create a webservers directory for the new policy, populate it with the contents of the file /etc/sudoers.web, and commit the changes. Once the policy directory is present on the server, a client can join to it.
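Both procedures above import a sudoers file wholesale (pmsrvconfig -f for the group policy, pmpolicy add for a named policy), and every host joined to the group then enforces it. The following added example, which is not part of Safeguard for Sudo, is a pre-import review that flags entries whose reach grows once the file is centralised; the sample sudoers content is constructed.

```python
"""Pre-import review of a sudoers file bound for a Safeguard policy server.

Added example, not part of Safeguard for Sudo: whatever pmsrvconfig -f or
pmpolicy add imports is enforced by every host joined to the group, so
entries tolerated on one host deserve a look before they are centralised.
"""
import re

# Constructed sample sudoers content (not from the page).
SAMPLE_SUDOERS = """\
# /etc/sudoers.web (constructed example)
Defaults    env_reset
Defaults    !authenticate
@include    /etc/sudoers.d/local
Cmnd_Alias  WEBCTL = /usr/bin/systemctl restart nginx, \\
                     /usr/bin/systemctl reload nginx
%webadmins  ALL=(root) WEBCTL
deploy      ALL=(ALL) NOPASSWD: ALL
"""

def logical_lines(text):
    """Yield sudoers entries with backslash continuations joined and comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: hold until the entry is complete
            pending += line[:-1] + " "
            continue
        line = " ".join((pending + line).split())
        pending = ""
        # '#include' / '#includedir' are directives; any other '#' line is a comment
        if line and not (line.startswith("#") and not line.startswith("#include")):
            yield line

def review_sudoers(text):
    """Return (entry, reason) pairs whose effect widens once the file is group-wide."""
    findings = []
    for line in logical_lines(text):
        if re.match(r"[#@]include", line):
            findings.append((line, "include directive: confirm the referenced file is also in the policy repository"))
        elif line.startswith("Defaults"):
            if re.search(r"!authenticate|authenticate\s*=\s*false", line):
                findings.append((line, "disables password prompting for every rule"))
        elif re.search(r"\bNOPASSWD:\s*ALL\b", line):
            findings.append((line, "passwordless unrestricted command access"))
        elif re.search(r"\(ALL(?::ALL)?\)\s*ALL\b", line):
            findings.append((line, "unrestricted command access, password required"))
    return findings
```

Run the review against the file named in -f (or the file copied into the named policy directory) before committing; the aliases and per-command rules in the sample produce no findings.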
The following table lists the default and alternative configuration settings when configuring a Safeguard for Sudo server. See PM settings variables for more information about the policy server configuration settings.
Table 6: Safeguard for Sudo Server configuration settings
Setting | Default | Alternative
Configure Safeguard Policy Mode
Policy mode (sets policymode in pm.settings; policy "modes" are the same as policy "types" in the console; see Security policy types for more information about policy types) | sudo | The Sudo Plugin supports the sudo policy type and the pmpolicy type.
Configure host as primary or secondary policy group server | primary | Enter secondary, then supply the primary server host name.
Policy Group Name (sets sudoersfile in pm.settings) | <FQDN name of policy server> | Enter a policy group name of your choice.
Path to sudoers file to import | /etc/sudoers | Enter a path of your choice.
Configure Safeguard Daemon Settings
Policy server command line options (sets pmmasterdopts in pm.settings) | -ar | Enter -a to send job acceptance messages to syslog, -e <logfile> to use the error log file identified by <logfile>, -r to send job rejection messages to syslog, -s to send error messages to syslog, or none to assign no options. -a, -r, and -s override the "syslog no" option; -e <logfile> overrides the pmmasterdlog <logfile> option.
Configure policy server host components to communicate with remote hosts through firewall? | No | Do not change this setting, because firewall options do not apply to the Sudo Plugin.
Define host services? | Yes (adds service entries to the /etc/services file) | Enter No; you must then add service entries to either the /etc/services file or the NIS services map.
Communications Settings for Safeguard
Policy server daemon port number (sets masterport in pm.settings) | 12345 | Enter a port number for the policy server to communicate with agents and clients.
Specify a range of reserved port numbers for this host to connect to other defined Safeguard hosts across a firewall? (sets setreserveportrange in pm.settings) | No | Enter Yes, then enter values between 600 and 1023 for the minimum reserved port (default 600) and the maximum reserved port (default 1023).
Specify a range of non-reserved port numbers for this host to connect to other defined Safeguard hosts across a firewall? (sets setnonreserveportrange in pm.settings) | No | Enter Yes, then enter values between 1024 and 65535 for the minimum non-reserved port (default 1024) and the maximum non-reserved port (default 31024).
Allow short host names? (sets shortnames in pm.settings) | Yes | Enter No to use fully-qualified host names instead.
Configure Kerberos on your network? (sets kerberos in pm.settings) | No | Enter Yes, then enter: the policy server principal name (default host); the local principal name (default host); the directory for the replay cache (default /var/tmp); the path for the Kerberos configuration files [krbconf setting] (default /etc/opt/quest/vas/vas.conf); the full pathname of the Kerberos keytab file [keytab setting] (default /etc/opt/quest/vas/host.keytab).
Encryption level (sets encryption in pm.settings) | AES | Enter one of these encryption options:
Enable certificates? (sets certificates in pm.settings) | No | Enter Yes, then answer "Generate a certificate on this host?" (default NO). Enter Yes and specify a passphrase for the certificate. Once configuration of this host is complete, swap and install keys for each host in your system that needs to communicate with this host. See Swap and install keys for details.
Activate the failover timeout? | No | Enter Yes, then assign the failover timeout in seconds (default 10).
Failover timeout in seconds (sets failovertimeout in pm.settings) | 10 | Enter a timeout interval.
Configure Safeguard Logging Settings
Send errors reported by the policy server and local daemons to syslog? | Yes | Enter No.
Policy server log location (sets pmmasterdlog in pm.settings) | /var/log/pmmasterd.log | Enter a location.
Configure Safeguard Sudo Plugin
Configure Sudo Plugin? | No | Enter Yes.
Install Safeguard Licenses
XML license file to apply | (use the freeware product license) | Enter the location of the .xml license file. Enter Done when finished.
| | Enter <password>. This password is also called the "Join" password; you will use it when you add secondary policy servers or join remote hosts to this policy group.
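As an added example that is not part of the product or the page, the checker below reads a pm.settings file and flags the Table 6 values a reviewer would question: daemon options that leave accepted or rejected jobs out of syslog, a non-AES encryption level, certificates left disabled, and malformed port or timeout values. The one "key value" pair per line layout and the sample file are assumptions; the key names are the ones Table 6 lists.

```python
# Audit a Safeguard for Sudo pm.settings file against the settings in Table 6.
# Added example, not part of the product; the one "key value" pair per line
# layout with '#' comments is an assumption, the key names are those in Table 6.

# Constructed sample, not from a real server: Table 6 defaults except pmmasterdopts.
SAMPLE_PM_SETTINGS = """\
policymode        sudo
masterport        12345
pmmasterdopts     -a -e /var/log/pmmasterd.err   # -r left out on purpose
shortnames        yes
kerberos          no
encryption        AES
certificates      no
failovertimeout   10
pmmasterdlog      /var/log/pmmasterd.log
"""

def parse_pm_settings(text):
    """Map each setting name to the rest of its line; '#' comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    return settings

def pmmasterd_flags(opts):
    """Letters switched on by pmmasterdopts: '-ar' or '-a -e <logfile>' both yield {'a', ...}."""
    if opts.strip().lower() == "none":
        return set()
    return set("".join(tok[1:] for tok in opts.split() if tok.startswith("-")))

def audit_pm_settings(text):
    """Return (key, message) findings for values a reviewer should question."""
    s = parse_pm_settings(text)
    findings = []
    if s.get("policymode") not in ("sudo", "pmpolicy"):
        findings.append(("policymode", "not a policy type the Sudo Plugin supports"))
    if not s.get("masterport", "").isdigit() or not 1 <= int(s["masterport"]) <= 65535:
        findings.append(("masterport", "must be a valid TCP port number"))
    flags = pmmasterd_flags(s.get("pmmasterdopts", "none"))
    for flag, what in (("a", "accepted"), ("r", "rejected")):
        if flag not in flags:
            findings.append(("pmmasterdopts", f"{what} jobs are not sent to syslog; add -{flag}"))
    if s.get("encryption", "").upper() != "AES":
        findings.append(("encryption", "encryption level is not AES"))
    if s.get("certificates", "no").lower() != "yes":
        findings.append(("certificates", "host certificates disabled; enable, then swap and install keys per host"))
    if not s.get("failovertimeout", "").isdigit():
        findings.append(("failovertimeout", "must be a whole number of seconds"))
    return findings
```

On the constructed sample the audit reports only the missing -r and the disabled certificates; a file with -ars and certificates yes passes clean.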
You can find an installation log file at: /opt/quest/qpm4u/install/pmsrvconfig_output_<Date>.log
Once you have installed and configured the primary policy server, you are ready to join it to a policy group. When you join a policy server to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host.
For Sudo Plugin hosts (qpm-plugin), you must "join" your policy servers to the policy groups using the pmjoin_plugin command.