Sudo Plugin Package Installation
To install the Sudo Plugin package
- Change to the directory containing the qpm-plugin package for your specific platform. For example, on a 64-bit Red Hat® Linux® 5 system, run:
# cd sudo_plugin/linux-x86_64
- Run the platform-specific installer. For example, run:
# rpm –-install qpm-plugin*.rpm
Upgrading to Privilege Manager for Unix 6.0
The topics in this section explain how to upgrade an existing Privilege Manager master to a Privilege Manager 6.0 primary policy server.
Upgrade Considerations and Recommendations
Because the Privilege Manager for Unix 6.0 native platform installer packages do not provide an automated rollback script, Quest highly recommends that you back up important data such as your license, pm.settings file, policy, and log files before you attempt to upgrade your existing Privilege Manager masters or policy servers.
If your Privilege Manager 5.5 master is a member of a License Cluster, Quest recommends that you unconfigure the License Cluster before starting the upgrade. License Clusters are not supported in Privilege Manager for Unix 6.0.
If you are upgrading a master with a version earlier than 5.5.0, Quest.short recommends that you back up important data and uninstall the previously installed version of Privilege Manager prior to installing version 6.0. Note that the master will not be able to service any agent requests while the previous version of Privilege Manager is uninstalled and before the new version is installed and configured.
|
|
NOTE: To install Privilege Manager 6.0, change to the directory where the install package is located for your platform and run the package installer. (See Install the Privilege Manager Packages for details about how to install the Privilege Manager for Unix software.) |
Unlike the Privilege Manager for Unix 5.5 installation and configuration program, there are separate Server and Agent installation packages provided in Privilege Manager for Unix 6.0. If you are upgrading a Privilege Manager for Unix master, install only the Server package, as it includes both server and agent components. If you are upgrading a Privilege Manager for Unix agent, install the agent package and then skip to "Joining the Agent to the Policy Group".
Preparing the Privilege Manager for Unix Policy for Import
The pmsrvconfig configuration script initializes the policy repository on the primary policy server. pmsrvconfig creates a pmpolicy service account, which is used to own and manage the security policy repository. The configuration script asks you to provide a new password for the pmpolicy user. Please take note of this password, as you will need to provide it when configuring any secondary policy server(s). (See Security Policy Types for more information about the pmpolicy user.)
By default, the pmsrvconfig command generates a new policy. However, you may wish to import an existing policy (for example, if you are upgrading from a version prior to 5.6). To do this, use the pmsrvconfig command with the –f option. (See pmsrvconfig for details.)
Use the following guidelines for importing a policy:
- If the policy consists of more than one file, create a temporary directory to contain a copy of the policy and any files referenced by the policy.
- The policy must be contained in a single directory tree, with the main policy named pm.conf, located in the top-level directory.
- To keep the entire policy in the repository, examine the policy for the following statements and ensure that all pathnames are specified relative to the top-level directory:
- include statements
- fileexists
- readfile
- stat
- hashtable_import
- readdir
- Test the policy using pmcheck prior to configuring the policy server. (See pmcheck for details.)
The default profile-based policy in Privilege Manager 5.5.2 uses two distinct locations for its policy files. The main policy file, pm.conf, is located in /etc/opt/quest/qpm4u, while the remaining policy files are located in /opt/quest/qpm4u/policies.
The following example shows you how to import the policy.
To import the Privilege Manager 5.5.2 profile-based policy into Privilege Manager 6.0
- From the command line, run:
# mkdir ~/policytmp # cp /etc/opt/quest/qpm4u/policy/pm.conf ~/policytmp # cp –r /opt/quest/qpm4u/policies/* ~/policytmp # vi ~/policytmp/pm.conf
- Change the following line in the pm.conf file:
include "/opt/quest/qpm4u/policies/profileBasedPolicy.conf";
to:
include "profileBasedPolicy.conf";
Now that you have modified the policy to conform to the above guidelines, test the policy using the pmcheck command.
NOTE: pmcheck and other Privilege Manager administrative commands are located in the /opt/quest/sbin directory.
- From the command line, run:
# pmcheck –p ~/policytmp –f ~/policytmp/pm.conf
The command returns:
Version 6.0.0 (021) licensed with no expiry date. ******************************************************************** ** QuestPrivilege Manager for Unix Version 6.0.0 (021) ** This request is being authorized on master :polsrv1.example.com ** User "root" has submitted a request from host "polsrv1.example.com" ** to run the command "NONE" ******************************************************************** Request accepted by the "admin" profile User : root Host : polsrv1.example.com Command : NONE All interactions with this command will be recorded in the file: /opt/quest/qpm4u/iologs/admin/root/NONE_20120525_1516_DDv0O1 Executing "NONE" as user "root" ... ******************************************************************** File /root/policytmp/pm.conf contains 0 errors.