
Safeguard for Sudo 2.0 - Administrators Guide


Join the PM Agent to the Primary Policy Server


Once you have installed a Privilege Manager agent on a remote host you are ready to join it to the primary policy server.

To join a PM Agent to the primary policy server

  1. From the command line of the remote host, run:
    # /opt/quest/sbin/pmjoin <policy_server>.example.com

    where <policy_server> is the name of the primary policy server host.

    If you are not running the pmjoin command on a policy server, it requires that you specify the name of a policy server within a policy group.

    NOTE: The pmjoin command supports many command line options. (See pmjoin for details or run pmjoin with the -h option to display the help.)

    • When you run pmjoin with no options, the configuration script automatically configures the agent with default settings. (See Agent Configuration Settings for details about the default and alternate agent configuration settings.)

      NOTE: You can modify the /etc/opt/quest/qpm4u/pm.settings file later, if you want to change one of the settings. (See PM Settings Variables for details.)

    • When you run pmjoin with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.

      Once you have completed the configuration script interview, it configures the agent and joins it to the policy server.

    Running pmjoin performs the configuration of the Privilege Manager agent, including modifying the pm.settings file and starting up the pmserviced daemon.

  2. When you run pmjoin for the first time, it asks you to read and accept the End User License Agreement (EULA).

    Once you complete the agent configuration script (by running the pmjoin command), it:

    • Enables the pmlocald service
    • Updates the pm.settings file
    • Creates wrappers for the installed shells
    • Updates /etc/shells
    • Reloads the pmserviced configuration
    • Checks the connection to the policy server host
  3. To verify that the agent installation has been successful, run:
    # pmclientinfo

    This displays configuration information about a client host. (See pmclientinfo for details.)

Check Sudo Plugin Host for Installation Readiness


To check a Sudo Plugin host for installation readiness

  1. Log on to the remote host system as the root user and navigate to the files you extracted on the primary policy server.
  2. From the root directory, run a readiness check to verify the host meets the requirements for installing and using the Sudo Plugin, by running:
    # sh pmpreflight.sh --sudo --policyserver <myhost>

    where <myhost> is the hostname of the primary policy server.

    NOTE: Running pmpreflight.sh --sudo performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns its own IP
    • Policy Server Connectivity
      • Hostname of policy server can be resolved
      • Can ping the policy server
      • Can make a connection to policy server
      • Policy server is eligible for a join
    • Sudo Installation
      • sudo is present on the host
      • sudo is in a functional state
      • sudo is version 1.8.1 (or greater)
    • Prerequisites to support off-line policy caching
      • SSH keyscan is available
      • Policy server port is available
  3. Resolve any reported issues and rerun pmpreflight until all tests pass.

Install a Sudo Plugin on a Remote Host

To install a Sudo Plugin on a remote host

  1. Log on as the root user.
  2. Change to the directory containing the qpm-plugin package for your specific platform. For example, on a 64-bit Red Hat® Linux®, enter:
    # cd sudo_plugin/linux-x86_64
  3. Run the platform-specific installer. For example, on Red Hat® Linux® run:
    # rpm --install qpm-plugin-*.rpm

    Once you install the Sudo Plugin package, the next task is to join it to the policy server.

Join a Sudo Plugin to a Primary Policy Server


Once you have installed a Sudo Plugin on a remote host you are ready to join it to the primary policy server. Joining a host to a policy server enables it to communicate with the server(s) in the policy group.

NOTE: The pmjoin command configures PM Agents (qpm-agent package) while the pmjoin_plugin command configures Sudo Plugin hosts (qpm-plugin package).

To join a Sudo Plugin to the primary policy server

  1. Run the following command:
    # pmjoin_plugin <PolicyServer>

    where <PolicyServer> is the host name of the primary policy server.

    To automatically accept the End User License Agreement (EULA), use the -a option with the "join" command, as follows:

    # pmjoin_plugin -a <PolicyServer>

NOTE: When you join a Sudo Plugin to a policy server, Privilege Manager for Sudo adds the following lines to the current local sudoers file, generally found in /etc/sudoers.

## 
## WARNING: Sudoers rules are being managed by QPM4Sudo 
## WARNING: Do not edit this file, it is no longer used. 
## 
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules. 
##

When you unjoin the Sudo Plugin, Privilege Manager for Sudo removes those lines from the local sudoers file.
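
The banner above gives a simple audit signal for whether a host's local sudoers file is marked as managed by the policy server. The following script is an added example, not part of the vendor guide or product: it classifies a file by that banner line and counts leftover lines that are not comments. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): classify a sudoers file by the banner the
# join step writes, and count leftover lines that are not comments.

# Marker line copied from the banner in the NOTE above.
QPM_MARKER='## WARNING: Sudoers rules are being managed by QPM4Sudo'

# sudoers_state FILE -> prints "managed", "local" or "missing"
sudoers_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    # Strip trailing whitespace so the whole-line match tolerates padding.
    if sed 's/[[:space:]]*$//' "$1" | grep -Fxq -e "$QPM_MARKER"; then
        echo managed
    else
        echo local
    fi
}

# active_lines FILE -> count of lines that are neither blank nor comments.
# In sudoers syntax "#include", "#includedir" and "#<uid>" are NOT comments.
active_lines() {
    awk '
        /^[ \t]*$/ { next }
        /^[ \t]*#(include|includedir)[ \t]/ { n++; next }
        /^[ \t]*#[0-9]/ { n++; next }
        /^[ \t]*#/ { next }
        { n++ }
        END { print n + 0 }
    ' "$1"
}

# audit_sudoers FILE -> one summary line for the file
audit_sudoers() {
    printf '%s state=%s active_lines=%s\n' "$1" "$(sudoers_state "$1")" \
        "$( [ -r "$1" ] && active_lines "$1" || echo 0 )"
}

# Constructed sample: a joined host's file with one leftover local rule.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
##
## WARNING: Sudoers rules are being managed by QPM4Sudo
## WARNING: Do not edit this file, it is no longer used.
##
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules.
##
%wheel ALL=(ALL) ALL
EOF
audit_sudoers "$SAMPLE"
```

On a real host, point audit_sudoers at the local sudoers file (generally /etc/sudoers); a "local" result on a host that is expected to be joined, or leftover active lines in a "managed" file, is worth reviewing.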

You have now installed the Privilege Manager for Sudo packages, configured a primary policy server for the sudo policy type, and joined the Sudo Plugin to the primary policy server. The primary policy server is ready to accept commands using sudo.
