
Safeguard for Sudo 2.0 - Administrators Guide


Agent Configuration Settings

The following table lists the pmjoin command options, the default settings, and alternatives. (See PM Settings Variables for more information about the policy server configuration settings.)

Table 6: Agent Configuration Settings

Enable agent daemon command line options
  Default: none
  Alternate setting: enter one or more of:
    • -e <logfile> to use the error log file identified by <logfile>.
    • -m to only accept connections from the policy server daemon on the specified host. (Use multiple -m options to specify more than one host.)
    • -s to send error messages to syslog.
    • none to assign no options.
  NOTE: These command-line options override the syslog and pmlocaldlog options configured in the pm.settings file.

Enable client daemon?
  Default: YES
  Alternate setting: Enter No.

Configure host components to communicate with remote hosts through firewall?
  Default: NO
  Alternate setting: Enter Yes.

Enable Privilege Manager shells (pmksh, pmsh, pmcsh)?
  Default: YES
  Alternate setting: Enter No to use a Privilege Manager shell.
  Use a Privilege Manager shell to control and/or log Privilege Manager sessions, regardless of how the user logs in (telnet, rlogin, rsh, rexec). Three shells are supplied, based on standard shells:
    • pmksh, a Privilege Manager enabled version of ksh
    • pmsh, a Privilege Manager enabled version of the Bourne shell
    • pmcsh, a Privilege Manager enabled version of the C shell
  Each shell provides command control for every command entered by the user during a login session. You can configure each command the user enters to require authorization from the policy server before it executes, including the shell built-in commands.

Add the entries to the /etc/services file?
  Default: YES
  Alternate setting: Enter No.
  NOTE: You must add service entries to either the /etc/services file or the NIS services map.

Edit list of policy servers with which this agent can communicate?
  Default: none
  Alternate setting: Enter valid policy server names to add to the list.

Indicate if the list is correct
  Default: YES
  Alternate setting: Enter No.

Policy Server daemon port #
  Default: 12345
  Alternate setting: Enter a port number.

Specify the agent daemon port number
  Default: 12346
  Alternate setting: Enter the port number the agent uses to communicate with the policy server.

Specify a range of local port numbers for this host to connect to other defined Privilege Manager hosts across a firewall?
  Default: NO
  Alternate setting: Enter Yes, then enter:
    1. Minimum reserved port (600-1024). (Default is 600.)
    2. Maximum reserved port (600-1024). (Default is 1024.)

Allow short host names?
  Default: YES
  Alternate setting: Enter No to use fully qualified host names instead.

Configure Kerberos on your network?
  Default: NO
  Alternate setting: Enter Yes, then enter:
    1. Policy server principal name. (Default is pmmasterd.)
    2. Local principal name. (Default is pmlocald.)
    3. Directory for the replay cache. (Default is /var/tmp.)
    4. Path for the Kerberos configuration files. (Default is /etc/krb.conf:/etc/krb5/krb5.conf.)
    5. Full pathname of the Kerberos keytab file. (Default is /etc/krb5/krb5.keytab.)

Specify encryption level (see Encryption for details)
  Default: AES
  Alternate setting: Enter one of these encryption options:
    • DES
    • TRIPLEDES
    • AES

Enable certificates?
  Default: NO
  Alternate setting: Enter Yes, then answer "Generate a certificate on this host?" (Default is NO.) Enter Yes and specify a passphrase for the certificate.
  NOTE: Once configuration of this agent is complete, swap and install keys for each host in your system that needs to communicate with this host. (See Swap and Install Keys for details.)

Activate the failover timeout?
  Default: YES
  Alternate setting: Enter No, then assign the failover timeout in seconds. (Default is 10.)

Assign the failover timeout
  Default: 10
  Alternate setting: Enter a timeout value in seconds.

Select random policy server
  Default: YES
  Alternate setting: Enter No.

Send errors reported by agent to syslog?
  Default: YES

Store errors reported by the agent daemon in /var/log/pmlocald.log?
  Default: YES
  Alternate setting: Enter No, then enter a location.

Store errors reported by the run agent in /var/log/pmrun.log?
  Default: YES
  Alternate setting: Enter No, then enter a location.

Configure Sudo Plugin
  Default: NO
  Alternate setting: Enter Yes.

Swap and Install Keys

If certificates are enabled in the /etc/opt/quest/qpm4u/pm.settings file of the primary server, you must exchange keys (swap certificates) before joining a client or secondary server to the primary server. Alternatively, run the configuration or join with the -i option to join interactively and exchange keys at the same time.

NOTE: Quest recommends that you enable certificates for higher security.

NOTE: The examples below use the keyfile paths that are created when using interactive configuration or join if certificates are enabled.

To swap certificate keys

  1. Copy Host2's key to Host1. For example:
    # scp /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost \
        root@Host1:/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_server2
  2. Copy Host1's certificate to Host2. For example:
    # scp root@host1:/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost \
        /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host1
  3. Install Host1's certificate on Host2. For example:
    # /opt/quest/sbin/pmkey -i \
        /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host1
  4. Log on to Host1 and install Host2's certificate. For example:
    # /opt/quest/sbin/pmkey -i \
        /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host2

    NOTE: If you use the interactive configure or join, the script exchanges and installs the keyfiles automatically.

See Configuring Certificates for more information.
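The four-step key swap above can be scripted so that it runs from the joining host (Host2 in the guide) with a precondition check and a dry-run mode for review. This is an added example, not a script shipped with Privilege Manager; it assumes passwordless root ssh between the two hosts, the default keyfile directory and pmkey path shown above, and names the copied key key_<host> on both sides so that step 4 installs exactly the file step 1 copied.

```shell
#!/bin/sh
# Added example: non-interactive certificate swap between two Privilege Manager hosts.
# Assumes root ssh/scp access to the remote host and the default keyfile layout.
set -eu

KEYDIR=/etc/opt/quest/qpm4u/.qpm4u/.keyfiles
PMKEY=/opt/quest/sbin/pmkey
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1 (for review before touching hosts)
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# swap_keys LOCALNAME REMOTE: run on the local host (Host2 in the guide).
# Pushes this host's key to REMOTE, pulls REMOTE's key, and installs both with pmkey -i.
swap_keys() {
  local_name=$1
  remote=$2
  # Refuse to proceed without a local certificate; certificates must be enabled first.
  if [ "$DRY_RUN" != 1 ] && [ ! -s "$KEYDIR/key_localhost" ]; then
    echo "no local certificate at $KEYDIR/key_localhost; enable certificates first" >&2
    return 1
  fi
  # Step 1: copy this host's key to the remote, named after this host
  run scp "$KEYDIR/key_localhost" "root@$remote:$KEYDIR/key_$local_name"
  # Step 2: copy the remote's certificate here, named after the remote
  run scp "root@$remote:$KEYDIR/key_localhost" "$KEYDIR/key_$remote"
  # Step 3: install the remote's certificate on this host
  run "$PMKEY" -i "$KEYDIR/key_$remote"
  # Step 4: install this host's certificate on the remote
  run ssh "root@$remote" "$PMKEY" -i "$KEYDIR/key_$local_name"
}
```

Run `DRY_RUN=1 swap_keys host2 host1` first to see the exact scp and pmkey commands that will be issued, then repeat without DRY_RUN to perform the exchange.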

Join Sudo Plugin to Policy Server

Run the pmjoin_plugin command after installing the Sudo Plugin package (qpm-plugin) on a remote host to allow it to communicate with the server(s) in the policy group.

To join Sudo Plugin to policy server

  1. Join the Sudo Plugin host to the policy server by running the following command:
    # pmjoin_plugin <PolicyServer>

    where <PolicyServer> is the host name of the primary policy server.

    To automatically accept the End User License Agreement (EULA), use the -a option with the join command, as follows:

    # pmjoin_plugin -a <PolicyServer>

You have now joined the host to a primary policy server. The primary policy server is now ready to accept commands using sudo.

Configure a Secondary Policy Server


The primary policy server is always the first server configured in the policy server group; secondary servers are subsequent policy servers set up in the policy server group to help with load balancing. The "master" copy of the policy is kept on the primary policy server.

All policy servers (primary and secondary) maintain a production copy of the security policy stored locally. The initial production copy is initialized by means of a checkout from the repository when you configure the policy server. Following this, the policy servers automatically retrieve updates as required.

Adding one or more secondary policy servers balances the work of validating policy across all of the policy servers in the group and provides failover if a policy server becomes unavailable. Use pmsrvconfig with the -s option to configure a policy server as a secondary server.
