Safeguard for Sudo 7.2 - Administration Guide

Installing the Safeguard packages

After you make sure your primary policy server host meets the system requirements, you are ready to install the Safeguard packages.

To install the Safeguard packages

  1. From the command line of the host designated as your primary policy server, run the platform-specific installer. For example, run:
    # rpm --install qpm-server-*.rpm

    The Solaris server package has a filename that starts with QSFTpmsrv.

    When you install the qpm-server package, it installs all three Safeguard components on that host: the Safeguard Policy Server, the PM Agent, and the Sudo Plugin.

For detailed instructions on installing and configuring Privilege Manager for Unix, see the One Identity Privilege Manager for Unix Administration Guide.

Adding directories to PATH environment

After you install the primary policy server, you may want to update your PATH to include the Safeguard commands.

To add quest-specific directories to your PATH environment

  1. If you are a Safeguard administrator, add these quest-specific directories to your PATH environment:
    /opt/quest/bin:/opt/quest/sbin

Configuring the Safeguard for Sudo Primary Policy Server

In Safeguard for Sudo, the policy server acts as a central sudoers policy store for all clients with the Sudo Plugin that have been joined to the policy group. The policy server also provides centralized event tracking and keystroke logging for the Sudo Plugin hosts.

The policy server also provides a revision management system, which allows tracking and reporting on changes made to the policy. If, for example, an important entry was accidentally removed from the sudoers file, you can restore a previous version of the policy.

The first policy server configured for a policy group is the primary policy server and holds the master copy of the policy. You configure a policy server by running the pmsrvconfig command without any options, like this:

# pmsrvconfig

pmsrvconfig runs with a set of default values and only prompts you when necessary.

To override the default values, you may specify a number of options. For more information about the various command options used in the following examples, see pmsrvconfig.

To configure a policy server for a sudo policy type

  1. Run this command:
    # /opt/quest/sbin/pmsrvconfig

    By default, the local /etc/sudoers policy file is used and imported into the policy server repository. To import an alternate sudoers file, run the command with the -f option, as follows:

    # /opt/quest/sbin/pmsrvconfig -f <sudoers>

    where: <sudoers> is the path to the alternate sudoers file. For example:

    # /opt/quest/sbin/pmsrvconfig -f /tmp/sudoers
  2. Accept the End User License Agreement (EULA) to configure the policy server.
  3. When prompted, set the password for the new pmpolicy user.

    This password is also called the "Join" password. It is used to set up an SSH key between the sudo host and the server for the off-line policy caching feature. You are required to use this password when you add secondary policy servers or join remote hosts to this policy group.

  4. (Optional) All Safeguard commands are in the /opt/quest/sbin and /opt/quest/bin directories, so you may want to update your PATH to include them, as follows:
    # PATH=$PATH:/opt/quest/sbin:/opt/quest/bin

    If you have multiple instances of sudo, updating the PATH environment variable ensures Safeguard for Sudo uses the correct version.

Configuring additional policies on a policy server

The sudo policy type supports multiple named policies in the policy server group. On the policy server, these named policies are represented as separate directories in the policy repository. Policy files are maintained using the pmpolicy command.

To configure additional policies on a policy server

  1. To create a webservers policy from the file /etc/sudoers.web, run the following commands:

    # pmpolicy checkout -d policydir
    # mkdir policydir/policy_sudo/webservers
    # cp /etc/sudoers.web policydir/policy_sudo/webservers/sudoers
    # pmpolicy add -d policydir -p webservers/sudoers -n

These commands check out a copy of the current policy repository, create a webservers directory for the new policy, populate it with the contents of the file /etc/sudoers.web, and commit the changes. After the policy directory is present on the server, a client can join it.
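As an added example, not part of this guide: a POSIX shell wrapper for the named-policy procedure above that rejects unsafe policy names and syntax-checks the sudoers file with visudo -c before it is committed to the shared repository, so a broken file is never pushed to every joined host. The function names are the example's own; it assumes pmpolicy and visudo are on PATH and uses only the pmpolicy options shown above.

```shell
#!/bin/sh
# Added example (not from the Safeguard for Sudo guide).
# Wraps the "additional policy" procedure with the checks a practitioner
# would want before changing the central sudoers policy store.

# Return 0 only if NAME is safe to use as a policy directory name:
# non-empty, no path separators, no leading dot, alphanumerics/_/- only.
valid_policy_name() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# add_named_policy NAME SOURCE_SUDOERS [WORKDIR]
#   NAME            name of the new policy (e.g. webservers)
#   SOURCE_SUDOERS  sudoers file to import (e.g. /etc/sudoers.web)
#   WORKDIR         checkout directory (default: policydir, as in the guide)
add_named_policy() {
    name=$1
    src=$2
    workdir=${3:-policydir}

    valid_policy_name "$name" || { echo "invalid policy name: $name" >&2; return 2; }
    [ -r "$src" ] || { echo "cannot read sudoers file: $src" >&2; return 2; }

    # Syntax-check the candidate file before it reaches the repository;
    # visudo -c -f checks a file other than /etc/sudoers.
    visudo -c -f "$src" >/dev/null || { echo "syntax check failed: $src" >&2; return 3; }

    # Same steps as the guide: checkout, create the policy directory,
    # copy the file in, then add and commit it (-n).
    pmpolicy checkout -d "$workdir" || return 4
    mkdir -p "$workdir/policy_sudo/$name" || return 4
    cp "$src" "$workdir/policy_sudo/$name/sudoers" || return 4
    pmpolicy add -d "$workdir" -p "$name/sudoers" -n
}
```

Run as `add_named_policy webservers /etc/sudoers.web` on the policy server; a non-zero exit means nothing was committed.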
