In Privilege Manager for Sudo, the policy server acts as a central sudoers policy store for all clients with the Sudo Plugin which have been joined to the policy group. The policy server also provides centralized event tracking and keystroke logging for the Sudo Plugin hosts.
The policy server also provides a revision management system, which allows tracking and reporting on changes made to the policy. If, for example, an important entry was accidentally removed from the sudoers file, you can restore a previous version of the policy.
The first policy server configured for a policy group is the primary policy server and holds the master copy of the policy. You configure a policy server by running the pmsrvconfig command without any options, like this:
# pmsrvconfig
pmsrvconfig runs with a set of default values and only prompts you when necessary.
NOTE: To override the default values, you may specify a number of options. For more information about the command options used in the following examples, see pmsrvconfig.
To configure a policy server for a sudo policy type
# /opt/quest/sbin/pmsrvconfig
NOTE: By default, the local /etc/sudoers policy file is used and imported into the policy server repository. To import an alternate sudoers file, run the command with the -f option:
# /opt/quest/sbin/pmsrvconfig -f <sudoers>
where <sudoers> is the path to the alternate sudoers file. For example:
# /opt/quest/sbin/pmsrvconfig -f /tmp/sudoers
When prompted, set the password for the new pmpolicy user.
NOTE: This password is also called the "Join" password. It is used to set up an SSH key between the sudo host and the server for the off-line policy caching feature. You must supply this password when you add secondary policy servers or join remote hosts to this policy group.
# PATH=$PATH:/opt/quest/sbin:/opt/quest/bin
If more than one sudo is installed on the host, adding the Privilege Manager directories to PATH ensures that Privilege Manager for Sudo uses the correct version.
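The primary policy server steps above (extend PATH, check the sudoers file you are about to import, then run pmsrvconfig) as a pre-flight script. This is an added example, not code from the One Identity documentation: first_in_path, sudoers_preflight, sudoers_syntax_ok and configure_primary are helper names chosen here, and visudo -c -f is the stock sudo syntax checker rather than a Privilege Manager command. Only the pmsrvconfig -f invocation is the one this page documents.

```shell
#!/bin/sh
# Pre-flight checks before configuring the primary policy server.
# Added example; helper names below are not Privilege Manager commands.

# Print the first executable named $1 found along the colon-separated
# path list in $2 (defaults to $PATH). Returns 1 if nothing matches.
# Because the page appends /opt/quest/sbin:/opt/quest/bin to the END of
# PATH, an existing sudo earlier in PATH still resolves first; this shows
# which binary will actually be used.
first_in_path() {
    _name=$1
    _list=${2:-$PATH}
    _old_ifs=$IFS
    IFS=:
    for _dir in $_list; do
        if [ -x "$_dir/$_name" ] && [ ! -d "$_dir/$_name" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# Refuse to import a sudoers file that is missing, unreadable, or
# group-/world-writable: whatever is imported becomes the central policy
# for every joined host. Uses ls -ld so it works on any POSIX system.
sudoers_preflight() {
    _file=$1
    [ -f "$_file" ] || { echo "no such file: $_file" >&2; return 1; }
    [ -r "$_file" ] || { echo "not readable: $_file" >&2; return 1; }
    _mode=$(ls -ld "$_file" | cut -c1-10)      # e.g. -r--r-----
    case $_mode in
        ?????w*|????????w?)                     # group (pos 6) or other (pos 9) write bit
            echo "$_file is group/world-writable ($_mode)" >&2
            return 1 ;;
    esac
    return 0
}

# Syntax-check the file with visudo when it is available; a file that
# does not parse must never be pushed to the policy repository.
sudoers_syntax_ok() {
    _file=$1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$_file" >/dev/null || { echo "syntax check failed: $_file" >&2; return 1; }
    else
        echo "warning: visudo not found, syntax of $_file not checked" >&2
    fi
    return 0
}

# Run the checks, then the pmsrvconfig command from this page.
configure_primary() {
    _sudoers=${1:-/etc/sudoers}
    PATH=$PATH:/opt/quest/sbin:/opt/quest/bin
    export PATH
    _sudo=$(first_in_path sudo) || { echo "no sudo found in PATH" >&2; return 1; }
    echo "sudo that resolves first: $_sudo"
    sudoers_preflight "$_sudoers" || return 1
    sudoers_syntax_ok "$_sudoers" || return 1
    /opt/quest/sbin/pmsrvconfig -f "$_sudoers"
}
```

Call configure_primary with no argument to import /etc/sudoers, or with the path to an alternate file; pmsrvconfig still prompts for the pmpolicy password as described above.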
The following table lists the default and alternative configuration settings when configuring a Privilege Manager for Sudo server. (See PM Settings Variables for more information about the policy server configuration settings.)
Configuration Setting | Default | Alternate
---|---|---
Configure Privilege Manager Policy Mode | |
Policy mode (see Security Policy Types for more information about policy types) | sudo | Enter pmpolicy
Configure host as primary or secondary policy group server | primary | Enter secondary, then supply the primary server host name.
Policy Group Name | <FQDN name of policy server> | Enter a policy group name of your choice.
Path to sudoers file to import | /etc/sudoers | Enter a path of your choice.
Configure Privilege Manager Daemon Settings | |
Policy server command line options | -ar | Enter:
Configure policy server host components to communicate with remote hosts through firewall? | NO | Enter Yes
Configure pmtunneld on this host? | NO | Enter Yes
Define host services? (YES adds service entries to the /etc/services file.) | YES | Enter No
Communications Settings for Privilege Manager | |
Policy server daemon port number | 12345 | Enter the port number the policy server uses to communicate with agents and clients.
Specify a range of reserved port numbers for this host to connect to other defined Privilege Manager hosts across a firewall? | NO | Enter Yes, then enter a value between 600 and 1023:
Specify a range of non-reserved port numbers for this host to connect to other defined Privilege Manager hosts across a firewall? | NO | Enter Yes, then enter a value between 1024 and 65535:
Allow short host names? | YES | Enter No to use fully-qualified host names instead.
Configure Kerberos on your network? | NO | Enter Yes, then enter:
Encryption level (see Encryption for details) | AES | Enter one of these encryption options:
Enable certificates? | NO | Enter Yes, then answer "Generate a certificate on this host?" (default is NO). Enter Yes and specify a passphrase for the certificate.
Activate the failover timeout? | YES | Enter Yes, then assign the failover timeout in seconds (default is 10).
Failover timeout in seconds | 10 | Enter a timeout interval.
Configure Privilege Manager Logging Settings | |
Send errors reported by the policy server and local daemons to syslog? | YES | Enter No
Policy server log location | /var/log/pmmasterd.log | Enter a location.
Configure Privilege Manager Sudo Plugin | |
Configure Sudo Plugin? | NO | Enter Yes
Install Privilege Manager Licenses | |
XML license file to apply | (use the freeware product license) | Enter the location of the .xml license file. Enter Done when finished.
Password for pmpolicy user (see Configure the Privilege Manager for Sudo Primary Policy Server for more information about the pmpolicy service account) | | Enter <password>
NOTE: You can find an installation log file at: /opt/quest/qpm4u/install/pmsrvconfig_output_<Date>.log |
Once you have installed and configured the primary policy server, you are ready to join hosts to its policy group. Joining a host to the policy group makes that host validate security privileges against the single common policy file held on the primary policy server, instead of against a file on the host itself. You "join" hosts to the policy group with the pmjoin command.
NOTE: The pmjoin command configures standard Unix agents (qpm-agent package), while the pmjoin_plugin command configures Sudo Plugin hosts (qpm-plugin package).
To join a PM Agent to a policy server
# cd agent/linux-x86_64
# pmjoin
Running pmjoin performs the configuration of the PM Agent, including modifying the pm.settings file.
NOTE: The pmjoin command supports many command line options. (See pmjoin for details, or run pmjoin with the -h option to display the help.)
Once you complete the agent configuration script (by running the pmjoin command), it:
# pmrun id
This returns root's user ID rather than the invoking user's own, confirming that the command was executed as root under the joined policy.
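A verification for the join step above: run pmrun id as an ordinary user and confirm that the uid it reports is 0. This is an added example, not part of the One Identity documentation; uid_from_id_output, join_verified and verify_join are helper names chosen here, and the id output strings in the comments and test are constructed samples.

```shell
#!/bin/sh
# Verify that a joined agent host really runs "pmrun id" as root.
# Added example; the helper names are not Privilege Manager commands.

# Extract the numeric uid from id(1) output such as
# "uid=0(root) gid=0(root) groups=0(root)" (constructed sample).
# Prints the number; returns 1 if the text does not look like id output.
uid_from_id_output() {
    case $1 in
        uid=[0-9]*) ;;
        *) return 1 ;;
    esac
    _rest=${1#uid=}           # drop the "uid=" prefix
    _uid=${_rest%%[!0-9]*}    # keep only the leading digits
    printf '%s\n' "$_uid"
}

# Decide whether the join is verified, given the caller's own uid ($1)
# and the text pmrun id printed ($2). Both conditions matter: if the
# caller is already root, a uid of 0 from pmrun proves nothing about
# the policy server having granted the privilege.
join_verified() {
    _caller=$1
    _out=$2
    [ "$_caller" -ne 0 ] || { echo "run this check as a non-root user" >&2; return 1; }
    _got=$(uid_from_id_output "$_out") || { echo "unexpected pmrun output: $_out" >&2; return 1; }
    [ "$_got" -eq 0 ]
}

# Live check on a joined host: compare id -u with the output of pmrun id.
verify_join() {
    _me=$(id -u)
    _out=$(pmrun id) || { echo "pmrun id failed" >&2; return 1; }
    join_verified "$_me" "$_out" && echo "join verified: pmrun id ran as root (uid 0)"
}
```

Run verify_join on the agent host as the user whose access you are checking. A non-zero exit either means pmrun was refused or that the command did not run as root, and in both cases the printed message says which.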
© 2021 One Identity LLC. ALL RIGHTS RESERVED.