Safeguard for Sudo 2.0 - Administrators Guide

Sudo Plugin Package Installation

To install the Sudo Plugin package

  1. Change to the directory containing the qpm-plugin package for your specific platform. For example, on a 64-bit Red Hat® Linux® 5 system, run:
    # cd sudo_plugin/linux-x86_64
  2. Run the platform-specific installer. For example, run:
    # rpm --install qpm-plugin*.rpm

Upgrading to Privilege Manager for Unix 6.0

The topics in this section explain how to upgrade an existing Privilege Manager master to a Privilege Manager 6.0 primary policy server.

Upgrade Considerations and Recommendations

Because the Privilege Manager for Unix 6.0 native platform installer packages do not provide an automated rollback script, Quest highly recommends that you back up important data such as your license, pm.settings file, policy, and log files before you attempt to upgrade your existing Privilege Manager masters or policy servers.

If your Privilege Manager 5.5 master is a member of a License Cluster, Quest recommends that you unconfigure the License Cluster before starting the upgrade. License Clusters are not supported in Privilege Manager for Unix 6.0.

If you are upgrading a master with a version earlier than 5.5.0, Quest recommends that you back up important data and uninstall the previously installed version of Privilege Manager prior to installing version 6.0. Note that the master will not be able to service any agent requests while the previous version of Privilege Manager is uninstalled and before the new version is installed and configured.

NOTE: To install Privilege Manager 6.0, change to the directory where the install package is located for your platform and run the package installer. (See Install the Privilege Manager Packages for details about how to install the Privilege Manager for Unix software.)

Unlike the Privilege Manager for Unix 5.5 installation and configuration program, there are separate Server and Agent installation packages provided in Privilege Manager for Unix 6.0. If you are upgrading a Privilege Manager for Unix master, install only the Server package, as it includes both server and agent components. If you are upgrading a Privilege Manager for Unix agent, install the agent package and then skip to "Joining the Agent to the Policy Group".

Preparing the Privilege Manager for Unix Policy for Import

The pmsrvconfig configuration script initializes the policy repository on the primary policy server. pmsrvconfig creates a pmpolicy service account, which is used to own and manage the security policy repository. The configuration script asks you to provide a new password for the pmpolicy user. Please take note of this password, as you will need to provide it when configuring any secondary policy server(s). (See Security Policy Types for more information about the pmpolicy user.)

By default, the pmsrvconfig command generates a new policy. However, you may wish to import an existing policy (for example, if you are upgrading from a version prior to 5.6). To do this, use the pmsrvconfig command with the -f option. (See pmsrvconfig for details.)

Use the following guidelines for importing a policy:

  • If the policy consists of more than one file, create a temporary directory to contain a copy of the policy and any files referenced by the policy.
  • The policy must be contained in a single directory tree, with the main policy named pm.conf, located in the top-level directory.
  • To keep the entire policy in the repository, examine the policy for the following statements and ensure that all pathnames are specified relative to the top-level directory:
    • include statements
    • fileexists
    • readfile
    • stat
    • hashtable_import
    • readdir
  • Test the policy using pmcheck prior to configuring the policy server. (See pmcheck for details.)

The default profile-based policy in Privilege Manager 5.5.2 uses two distinct locations for its policy files. The main policy file, pm.conf, is located in /etc/opt/quest/qpm4u, while the remaining policy files are located in /opt/quest/qpm4u/policies.

The following example shows you how to import the policy.

To import the Privilege Manager 5.5.2 profile-based policy into Privilege Manager 6.0

  1. From the command line, run:
    # mkdir ~/policytmp 
    # cp /etc/opt/quest/qpm4u/policy/pm.conf ~/policytmp 
    # cp -r /opt/quest/qpm4u/policies/* ~/policytmp 
    # vi ~/policytmp/pm.conf
  2. Change the following line in the pm.conf file:
    include "/opt/quest/qpm4u/policies/profileBasedPolicy.conf";

    to:

    include "profileBasedPolicy.conf";

    Now that you have modified the policy to conform to the above guidelines, test the policy using the pmcheck command.

    NOTE: pmcheck and other Privilege Manager administrative commands are located in the /opt/quest/sbin directory.

  3. From the command line, run:
    # pmcheck -p ~/policytmp -f ~/policytmp/pm.conf

    The command returns:

    Version 6.0.0 (021) licensed with no expiry date. 
    ******************************************************************** 
    ** QuestPrivilege Manager for Unix Version 6.0.0 (021) 
    ** This request is being authorized on master :polsrv1.example.com 
    ** User "root" has submitted a request from host "polsrv1.example.com" 
    ** to run the command "NONE" 
    ******************************************************************** 
    Request accepted by the "admin" profile 
    User : root 
    Host : polsrv1.example.com 
    Command : NONE 
    All interactions with this command will be recorded in the file: 
    /opt/quest/qpm4u/iologs/admin/root/NONE_20120525_1516_DDv0O1 
    Executing "NONE" as user "root" ... 
    ******************************************************************** 
    File /root/policytmp/pm.conf contains 0 errors.
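
The import guidelines above can be checked mechanically before running pmcheck. The following script is an added example, not part of the product or its documentation: it confirms that pm.conf sits at the top of the staged tree and flags any of the listed statements that still reference an absolute pathname. The function names and the sample tree are constructed for illustration, and matching on a quoted string that begins with "/" is an assumption about how the policy is written.

```shell
#!/bin/sh
# Added example: pre-import check for a staged policy tree (e.g. ~/policytmp).
PATH_STMTS='include|fileexists|readfile|stat|hashtable_import|readdir'

# Print file:line:text for each listed statement followed, on the same line,
# by a quoted string starting with "/". Matching on the quoted string is an
# assumption about policy syntax; review each hit by hand.
find_absolute_policy_paths() {
    grep -rnE "(^|[^[:alnum:]_])(${PATH_STMTS})([^[:alnum:]_][^;]*)?\"/" "$1"
}

# Return 0 only if pm.conf is at the top level and no absolute paths remain.
check_policy_tree() {
    dir=$1
    if [ ! -f "$dir/pm.conf" ]; then
        echo "FAIL: $dir/pm.conf not found at top level" >&2
        return 2
    fi
    if hits=$(find_absolute_policy_paths "$dir"); then
        echo "FAIL: absolute pathnames still present:" >&2
        echo "$hits" >&2
        return 1
    fi
    echo "OK: $dir is self-contained; next run pmcheck against it"
}

# Constructed sample tree: pm.conf as copied from a 5.5.2 install, before the
# edit in step 2, plus a placeholder profile file that needs no changes.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'include "/opt/quest/qpm4u/policies/profileBasedPolicy.conf";' \
        > "$dir/pm.conf"
    printf '%s\n' '# constructed placeholder profile' \
        > "$dir/profileBasedPolicy.conf"
    echo "$dir"
}

tree=$(make_sample_tree)
check_policy_tree "$tree" || echo "exit status: $?"
# Apply the step 2 edit, then re-check.
printf '%s\n' 'include "profileBasedPolicy.conf";' > "$tree/pm.conf"
check_policy_tree "$tree"
rm -rf "$tree"
```

A clean result only means the tree is self-contained; pmcheck is still the authority on whether the policy parses.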