
Safeguard for Sudo 2.0 - Administrators Guide


Configure the Privilege Manager for Sudo Primary Policy Server


In Privilege Manager for Sudo, the policy server acts as a central sudoers policy store for all clients with the Sudo Plugin which have been joined to the policy group. The policy server also provides centralized event tracking and keystroke logging for the Sudo Plugin hosts.

The policy server also provides a revision management system, which allows tracking and reporting on changes made to the policy. If, for example, an important entry was accidentally removed from the sudoers file, you can restore a previous version of the policy.

The first policy server configured for a policy group is the primary policy server and holds the master copy of the policy. You configure a policy server by running the pmsrvconfig command without any options, like this:

# pmsrvconfig

pmsrvconfig runs with a set of default values and only prompts you when necessary.

NOTE: To override the default values, you may specify a number of options. For more information about the various command options used in the following examples, see pmsrvconfig.

To configure a policy server for a sudo policy type

  1. Run this command:
    # /opt/quest/sbin/pmsrvconfig

    NOTE: By default, the local /etc/sudoers policy file is used and imported into the policy server repository. To import an alternate sudoers file, run the command with the -f option, as follows:

    # /opt/quest/sbin/pmsrvconfig -f <sudoers>

    where: <sudoers> is the path to the alternate sudoers file. For example:

    # /opt/quest/sbin/pmsrvconfig -f /tmp/sudoers
  2. Accept the End User License Agreement (EULA) to configure the policy server.
  3. When prompted, set the password for the new pmpolicy user.

    NOTE: This password is also called the "Join" password. It is used to set up an SSH key between the sudo host and the server for the off-line policy caching feature. You are required to use this password when you add secondary policy servers or join remote hosts to this policy group.

  4. (Optional) All Privilege Manager commands are in the /opt/quest/sbin and /opt/quest/bin directories, so you may want to update your PATH to include them, as follows:
    # PATH=$PATH:/opt/quest/sbin:/opt/quest/bin

    If you have multiple instances of sudo, updating the PATH environment variable ensures Privilege Manager for Sudo uses the correct version.

Privilege Manager for Sudo Server Configuration Settings

The following table lists the default and alternative configuration settings when configuring a Privilege Manager for Sudo server. (See PM Settings Variables for more information about the policy server configuration settings.)

Table 5: Privilege Manager for Sudo: Server configuration settings

Each entry below gives the configuration setting, its default, and the alternate value you can enter instead.

Configure Privilege Manager Policy Mode

Setting: Policy mode (see Security Policy Types for more information about policy types)
  NOTE: Sets policymode in pm.settings. (Policy "modes" are the same as policy "types" in the console.)
  Default: sudo
  Alternate: Enter pmpolicy

Setting: Configure host as primary or secondary policy group server
  Default: primary
  Alternate: Enter secondary, then supply the primary server host name.

Setting: Policy Group Name
  NOTE: Sets sudoersfile in pm.settings.
  Default: <FQDN name of policy server>
  Alternate: Enter a policy group name of your choice.

Setting: Path to sudoers file to import
  Default: /etc/sudoers
  Alternate: Enter a path of your choice.

Configure Privilege Manager Daemon Settings

Setting: Policy server command line options
  NOTE: Sets pmmasterdopts in pm.settings.
  Default: -ar
  Alternate: Enter:
    • -a to send job acceptance messages to syslog.
    • -e <logfile> to use the error log file identified by <logfile>.
    • -r to send job rejection messages to syslog.
    • -s to send error messages to syslog.
    • none to assign no options.
  NOTE: -a, -r, and -s override a syslog setting of No; -e <logfile> overrides the pmmasterdlog <logfile> option.

Setting: Configure policy server host components to communicate with remote hosts through firewall?
  Default: NO
  Alternate: Enter Yes

Setting: Configure pmtunneld on this host?
  Default: NO
  Alternate: Enter Yes

Setting: Define host services? (Adds services entries to the /etc/services file.)
  Default: YES
  Alternate: Enter No
  NOTE: You must add service entries to either the /etc/services file or the NIS services map.

Communications Settings for Privilege Manager

Setting: Policy server daemon port number
  NOTE: Sets masterport in pm.settings.
  Default: 12345
  Alternate: Enter a port number for the policy server to communicate with agents and clients.

Setting: Specify a range of reserved port numbers for this host to connect to other defined Privilege Manager hosts across a firewall?
  NOTE: Sets setreserveportrange in pm.settings.
  Default: NO
  Alternate: Enter Yes, then enter a value between 600 and 1023 for each of:
    1. Minimum reserved port. (Default is 600.)
    2. Maximum reserved port. (Default is 1023.)

Setting: Specify a range of non-reserved port numbers for this host to connect to other defined Privilege Manager hosts across a firewall?
  NOTE: Sets setnonreserveportrange in pm.settings.
  Default: NO
  Alternate: Enter Yes, then enter a value between 1024 and 65535 for each of:
    1. Minimum non-reserved port. (Default is 1024.)
    2. Maximum non-reserved port. (Default is 31024.)

Setting: Allow short host names?
  NOTE: Sets shortnames in pm.settings.
  Default: YES
  Alternate: Enter No to use fully-qualified host names instead.

Setting: Configure Kerberos on your network?
  NOTE: Sets kerberos in pm.settings.
  Default: NO
  Alternate: Enter Yes, then enter:
    1. Policy server principal name. (Default is pmmasterd.)
    2. Local principal name. (Default is pmlocald.)
    3. Directory for replay cache. (Default is /var/tmp.)
    4. Path for the Kerberos configuration files [krbconf setting]. (Default is /etc/krb.conf:/etc/krb5/krb5.conf.)
    5. Full pathname of the Kerberos keytab file [keytab setting]. (Default is /etc/krb5/krb5.keytab.)

Setting: Encryption level (see Encryption for details)
  NOTE: Sets encryption in pm.settings.
  Default: AES
  Alternate: Enter one of these encryption options:
    • DES
    • TRIPLEDES
    • AES

Setting: Enable certificates?
  NOTE: Sets certificates in pm.settings.
  Default: NO
  Alternate: Enter Yes, then answer "Generate a certificate on this host?" (Default is NO.) Enter Yes and specify a passphrase for the certificate.
  NOTE: Once configuration of this host is complete, swap and install keys for each host in your system that needs to communicate with this host. (See Swap and Install Keys for details.)

Setting: Activate the failover timeout?
  Default: YES
  Alternate: Enter Yes, then assign the failover timeout in seconds. (Default is 10.)

Setting: Failover timeout in seconds
  NOTE: Sets failovertimeout in pm.settings.
  Default: 10
  Alternate: Enter timeout interval.

Configure Privilege Manager Logging Settings

Setting: Send errors reported by the policy server and local daemons to syslog?
  Default: YES
  Alternate: Enter No

Setting: Policy server log location
  NOTE: Sets pmmasterdlog in pm.settings.
  Default: /var/log/pmmasterd.log
  Alternate: Enter a location.

Configure Privilege Manager Sudo Plugin

Setting: Configure Sudo Plugin?
  Default: NO
  Alternate: Enter Yes

Install Privilege Manager Licenses

Setting: XML license file to apply
  Default: (use the freeware product license)
  Alternate: Enter the location of the .xml license file. Enter Done when finished.

Setting: Password for pmpolicy user (see Configure the Privilege Manager for Sudo Primary Policy Server for more information about the pmpolicy service account)
  Default: (none)
  Alternate: Enter <password>
  NOTE: This password is also called the "Join" password. You will use this password when you add secondary policy servers or join remote hosts to this policy group.

NOTE: You can find an installation log file at: /opt/quest/qpm4u/install/pmsrvconfig_output_<Date>.log
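The table above maps each prompt to a pm.settings variable, and several of the alternates (DES or TRIPLEDES instead of AES, certificates left disabled, short host names allowed, pmmasterdopts without -a and -r) weaken the server. The following script is an added example, not One Identity code: it reads a pm.settings file, reports choices weaker than the table's strongest values or outside the accepted ranges, and writes back a hardened copy. It assumes pm.settings holds one "name value" pair per line with # comments, uses only the setting names the table says pmsrvconfig writes, and the sample file is constructed here rather than taken from a real host. The port-range settings are not audited because the page does not say how the entered ranges are stored.

```python
"""Audit a Privilege Manager pm.settings file against the server configuration
table and produce a hardened copy. Added example; assumes 'name value' lines."""

# Constructed sample pm.settings with the defaults plus a few weakened choices.
SAMPLE_SETTINGS = """\
# constructed sample pm.settings; not taken from a real host
policymode sudo
masterport 12345
pmmasterdopts -a
encryption DES
certificates NO
shortnames YES
kerberos NO
failovertimeout 10
pmmasterdlog /var/log/pmmasterd.log
"""

# Strongest values the table offers for each setting.
HARDENED = {"encryption": "AES", "certificates": "YES", "shortnames": "NO"}


def parse_settings(text):
    """Map setting name -> value; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def _pmmasterd_flags(value):
    """Single-letter flags in a pmmasterdopts value; '-e <logfile>' takes an argument."""
    letters, skip = set(), False
    for tok in value.split():
        if skip:
            skip = False
        elif tok == "-e":
            skip = True
        elif tok.startswith("-"):
            letters.update(tok[1:])
    return letters


def audit_settings(settings):
    """Return [(setting, finding)] for weak choices or values pmsrvconfig would reject."""
    findings = []
    enc = settings.get("encryption", "AES").upper()
    if enc != "AES":
        findings.append(("encryption", f"{enc} in use; DES and TRIPLEDES are obsolete ciphers, use the default AES"))
    if settings.get("certificates", "NO").upper() != "YES":
        findings.append(("certificates", "certificates disabled, so peer hosts are not authenticated by key"))
    if settings.get("shortnames", "YES").upper() != "NO":
        findings.append(("shortnames", "short host names accepted; use fully-qualified host names"))
    flags = _pmmasterd_flags(settings.get("pmmasterdopts", ""))
    for flag, what in (("a", "acceptance"), ("r", "rejection")):
        if flag not in flags:
            findings.append(("pmmasterdopts", f"-{flag} missing: job {what} messages are not sent to syslog"))
    port = settings.get("masterport", "12345")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(("masterport", f"{port!r} is not a valid TCP port"))
    timeout = settings.get("failovertimeout", "10")
    if not (timeout.isdigit() and int(timeout) > 0):
        findings.append(("failovertimeout", f"{timeout!r} is not a positive number of seconds"))
    return findings


def harden_settings(settings):
    """Copy of settings with the table's strongest values; -a/-r added to pmmasterdopts if missing."""
    fixed = dict(settings)
    fixed.update(HARDENED)
    current = fixed.get("pmmasterdopts", "")
    missing = {"a", "r"} - _pmmasterd_flags(current)
    if missing:
        extra = "-" + "".join(sorted(missing))
        fixed["pmmasterdopts"] = extra if current.strip() in ("", "none") else f"{current} {extra}"
    return fixed


def render_settings(settings):
    """Serialise back to the 'name value' line format."""
    return "".join(f"{name} {value}\n" for name, value in settings.items())


if __name__ == "__main__":
    parsed = parse_settings(SAMPLE_SETTINGS)
    for name, finding in audit_settings(parsed):
        print(f"{name}: {finding}")
    print("--- hardened pm.settings ---")
    print(render_settings(harden_settings(parsed)), end="")
```

Run it against /etc/opt/quest/qpm4u/pm.settings by reading that file into parse_settings instead of SAMPLE_SETTINGS; review the hardened output before replacing the live file, since enabling certificates also requires swapping and installing keys with every peer host as the table notes.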

Join Hosts to Policy Group

Once you have installed and configured the primary policy server, you are ready to join it to a policy group. When you join a policy server to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host. You must "join" your policy servers to the policy group using the pmjoin command.

NOTE: The pmjoin command configures standard Unix agents (qpm-agent package) while the pmjoin_plugin command configures Sudo Plugin hosts (qpm-plugin package).

Join PM Agent to a Privilege Manager for Unix Policy Server


To join a PM Agent to a policy server

  1. Log on as the root user and change to the directory containing the qpm-agent package for your specific platform. For example, on a 64-bit Red Hat® Linux®, enter:
    # cd agent/linux-x86_64
  2. Run:
    # pmjoin

    Running pmjoin performs the configuration of the PM Agent, including modifying the pm.settings file.

    NOTE: The pmjoin command supports many command line options. (See pmjoin for details or run pmjoin with the -h option to display the help.)

    • When you run pmjoin with no options, the configuration script automatically configures the agent with default settings. (See Agent Configuration Settings for details about the default and alternate agent configuration settings.)

      NOTE: You can modify the /etc/opt/quest/qpm4u/pm.settings file later, if you want to change one of the settings. (See PM Settings Variables for details.)

    • When you run pmjoin with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.

      Once you have completed the configuration script interview, it configures the agent and joins it to the policy server.

  3. When you run pmjoin for the first time, it asks you to read and accept the End User License Agreement (EULA).

    Once you complete the agent configuration script (by running the pmjoin command), it:

    • Enables the pmlocald service
    • Updates the pm.settings file
    • Creates wrappers for the installed shells
    • Updates /etc/shells
    • Reloads the pmserviced configuration
    • Checks the connection to the policy server host
  4. To verify that the agent installation has been successful, as an unprivileged user, run a command that is permitted by the default Privilege Manager for Unix security policy, demo.profile. For example, the default security policy allows any user to run the id command as the root user:
    # pmrun id

    This returns the root user id, not the user’s own id, to show that the command was executed as root.
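The verification in step 4 can be scripted so that a post-join check fails loudly when pmrun is missing, cannot reach the policy server, or does not actually switch identity. The script below is an added example, not part of the product or this guide: it runs the permitted command through pmrun, parses the uid from the output of id, and only reports success when the uid is 0 and the invoking user was not already root. It assumes pmrun is on PATH (see step 4 of the policy server configuration for adding /opt/quest/bin) and that id prints the usual "uid=0(root) gid=0(root) ..." line; the sample outputs are constructed for the stand-alone run.

```python
"""Post-join verification of a PM Agent: confirm `pmrun id` executes as root.
Added example; assumes pmrun is on PATH and standard `id` output format."""
import os
import re
import shutil
import subprocess

UID_RE = re.compile(r"^uid=(\d+)\(([^)]*)\)")

# Constructed sample outputs of `id`, used only for stand-alone demonstration.
SAMPLE_ROOT = "uid=0(root) gid=0(root) groups=0(root)"
SAMPLE_USER = "uid=1000(alice) gid=1000(alice) groups=1000(alice)"


def parse_uid(id_output):
    """Return (uid, name) from the first line of `id` output, or None if unparsable."""
    match = UID_RE.match(id_output.strip())
    return (int(match.group(1)), match.group(2)) if match else None


def ran_as_root(id_output, caller_uid):
    """True only when the output shows uid 0 and the caller was not already root,
    so the check proves that pmrun switched identity rather than inherited it."""
    parsed = parse_uid(id_output)
    return parsed is not None and parsed[0] == 0 and caller_uid != 0


def verify_agent(runner="pmrun"):
    """Run `<runner> id` and return (ok, message) describing the outcome."""
    if shutil.which(runner) is None:
        return False, f"{runner} not found on PATH; add /opt/quest/bin or check the agent install"
    try:
        proc = subprocess.run([runner, "id"], capture_output=True, text=True, timeout=30)
    except subprocess.TimeoutExpired:
        return False, f"{runner} id timed out; check connectivity to the policy server"
    if proc.returncode != 0:
        return False, f"{runner} id exited {proc.returncode}: {proc.stderr.strip()}"
    if ran_as_root(proc.stdout, os.getuid()):
        return True, "command executed as root: agent join verified"
    return False, f"unexpected identity in output: {proc.stdout.strip()}"


if __name__ == "__main__":
    # Demonstrate the decision logic on the constructed samples, then try the real check.
    print("sample root output, unprivileged caller:", ran_as_root(SAMPLE_ROOT, 1000))
    print("sample user output, unprivileged caller:", ran_as_root(SAMPLE_USER, 1000))
    ok, message = verify_agent()
    print(("PASS" if ok else "FAIL") + ": " + message)
```

Run it as an unprivileged user on the joined host; running it as root defeats the check, which is why ran_as_root also looks at the caller's uid.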
