Estimating size requirements
Keystroke and event log disk space requirements
The amount of disk space required to store keystroke logs will vary significantly based on the amount of terminal output generated by the user's daily activity and the level of logging configured. An average Privilege Manager for Unix keystroke log will contain an additional 4KB of data on top of the amount of data displayed to the user's terminal. Taking an average of the amount of terminal output generated by a few users over the course of a normal day would allow for an approximate estimation to be calculated. For example, a developer using a vi session throughout the day may generate 200KB of terminal output. A team of 200 developers each generating a similar amount of terminal output per working day could be expected to use 31GB of disk space over a three-year period [ 204 (200 + 4KB) x 200 (developers) x 260 (working days) x 3 (years) = 31,824,000 ].
The level of logging can also be configured to reduce the overhead on the Masters. For example, some customers only log the user's input (key presses) which will dramatically reduce the amount of logging.
Event log entries will typically use 4-5KB of storage per event, but may vary slightly depending on the data stored in the events. For example, events might be slightly larger for users that have lots of environment variables defined. Taking an average of the number of events that occur over the course of a normal day should allow you to estimate the disk space requirements for event logs. For example, if the same team of developers generate 1,000 events in a normal working day, they would be expected to use nearly 4GB of disk space over a three-year period [ 5 (KB) * 1000 (events) * 260 (days) * 3 (years) = 3,900,000 ].
Policy server deployment requirements
The following recommendations are only provided as a rough guideline. The number of policy servers required for your environment may vary greatly depending on usage.
- One policy server is suitable for small test environments with less than 50 hosts.
- Production environments should have a minimum of two policy servers.
- Add an additional policy server for every 150-200 Privilege Manager hosts.
- Additional policy servers may be required to support geographically disparate locations.
Privilege Manager licensing
One Identity Privileged Access Suite for Unix - Advanced edition licenses you for Privilege Manager for Unix.
Privilege Manager 6.1.1 licensing options include:
30-day evaluation licenses
Privilege Manager for Unix evaluation license allows you to manage unlimited PM Agent hosts for 30 days.
A PM Policy license is required for Privilege Manager for Unix features.
Although licenses are allocated on a per-agent basis, you install the licenses on Privilege Manager policy servers.
The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. See Installing licenses or Displaying license usage for more examples of using the pmlicense command.
You can deploy Privilege Manager software within any organization using UNIX and/or Linux systems. Privilege Manager offers a scalable solution to meet the needs of the small business through to the extensive demands of the large or global organization.
There is no right or wrong way to deploy Privilege Manager, and an understanding of the flexibility and scope of the product will aid you in determining the most appropriate solution for your particular requirements. This section describes the following sample implementations:
- a single host installation
- a medium-sized business installation
- a large business installation
- an enterprise installation
Decide which of the following configurations you want to set up:
Primary Server Configuration: Configure a single host as the primary policy server hosting the security policy for the policy group using either the pmpolicy (Privilege Manager for Unix) or sudo (Privilege Manager for Sudo) policy type. See Security policy types for more information about these policy types.
If you are configuring the primary policy server using the sudo policy type, see the One Identity Privilege Manager for Sudo Administration Guide.
- Secondary Server Configuration: Configure a secondary policy server in the policy server group to obtain a copy of the security policy from the primary policy server.
PM Agent Configuration: Join a Privilege Manager for Unix Agent host to a pmpolicy server group.
Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.
Single host deployment
A single-host installation is typically appropriate for evaluations, proof of concept, and demonstrations of Privilege Manager. This configuration example installs all of the components on a single UNIX/Linux host, with protection offered only within this single host. All logging and auditing takes place on this host.