Chat now with support
Chat with Support

Safeguard for Sudo 7.2.1 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard Variables Safeguard programs Installation Packages Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Verifying package signature

All packages shipped by One Identity come with a signature. Signature verification depends on the platform:

  • MacOS packages are signed by an Apple developer certificate.

  • Linux, FreeBSD, AIX, Solaris and HP-UX packages are signed with a PGP key.

You can find the public key at pgp.mit.edu and at keyserver.ubuntu.com.

To fetch the public key, use its id:

gpg --keyserver <keyserver> --recv C5C4EC20AFB5B8E678085F81B161CD624417450C

You can also find the same public key in the oneidentity_pgpkey.pub file. To import it, use the following command:

gpg --import oneidentity_pgpkey.pub

To verify package signature

  1. Download the public key.

  2. Verify the files.

    • For platforms with separate .sig file signatures, use gpg2:

      gpg --verify <file>.sig <file>

    • For rpm packages, import the public key into the rpm's database:

      gpg --export -a "C5C4EC20AFB5B8E678085F81B161CD624417450C" >pubkey
      rpm --import pubkey

      And verify with:

      rpm --checksig --verbose <file>

    • For debian packages, use debsig-verify.

Configure a Primary Policy Server

The first thing you must do is install and configure the host you want to use as your primary policy server.

Checking the server for installation readiness

Safeguard comes with a Preflight program that checks to see if your system meets the install requirements.

To check for installation readiness

  1. Log on as the root user.
  2. Change to the directory containing the qpm-server package for your specific platform.

    For example, on a 64-bit Red HatLinux, run:

    # cd server/linux-x86_64
  3. To ensure that the pmpreflight command is executable, run: 
    # chmod 755 pmpreflight
  4. To verify your primary policy server host meets installation requirements, run: 
    # sh pmpreflight.sh --server

    Running pmpreflight.sh --server performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns its own IP
    • Safeguard Server Network Requirements:
      • Policy server port is available (TCP/IP port 12345)
    • Safeguard Prerequisites:
      • SSH keyscan is available
  5. Resolve any reported issues and rerun pmpreflight until all tests pass.

TCP/IP configuration

Safeguard uses TCP/IP to communicate with networked computers, so it is essential that you have TCP/IP correctly configured. If you cannot use programs such as ssh and ping to communicate between your computers, then TCP/IP is not working properly; consult your system administrator to find out why and make appropriate changes.

Ensure that your host has a statically assigned IP address and that your host name is not configured to the loopback IP address 127.0.0.1 in the /etc/hosts file.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating