Safeguard for Sudo 2.0 - Administrators Guide

Configuring the Primary Policy Server with an Imported Policy

pmsrvconfig uses the existing pm.settings file and default values to configure your policy server. (See PM Settings Variables for details.)

NOTE: Before you import a pmpolicy, ensure that it is free of syntax errors or dependencies on any files outside the imported directory.

To import the policy file

  1. From the command line, run:
    pmsrvconfig -f <path>

    where <path> is the file or directory where the policy is located.

    For example, continuing with our previous example, run:

    # pmsrvconfig -m pmpolicy -f ~/policytmp
  2. To add secondary policy servers to the policy group, run:
    pmsrvconfig -m pmpolicy -s <primaryPolicyServer>

    pmsrvconfig reconfigures the pmlocald and pmmasterd services to run under pmserviced.

  3. If you experience any issues with the pmlocald and pmmasterd services, run:
    /opt/quest/sbin/pmserviced -s

    This command checks that the pmlocald and pmmasterd services are enabled under pmserviced. If they are not, ensure that (x)inetd is no longer listening to the pmlocald and pmmasterd ports.

    NOTE: Enable root ssh on the primary policy server while configuring secondary policy servers so that you may exchange ssh keys.

Joining the Agent to the Policy Group

By default, pmsrvconfig does not configure the Privilege Manager for Unix agent components. To configure Privilege Manager agents on your policy servers, you must "join" the agent components to a policy server using the pmjoin command.

The pmjoin command requires that you specify the name of a policy server within a policy group.

To join an agent to a policy group

  1. From the command line, run:
    # pmjoin polsrv1.example.com
    ***********************************************************************
    * Quest Privilege Manager for Unix Version 560(xxx) 2013
    ***********************************************************************
    **** Detecting current Privilege Manager settings... [ OK]
    *** Locating services file... [ OK]
    *** Checking whether daemons are already configured on this host [ OK]

    Running pmjoin performs the configuration of the Privilege Manager agent, including modifying the pm.settings file and starting up the pmserviced daemon. pmjoin reconfigures the pmlocald service to run under pmserviced.

  2. If you experience any issues with the pmlocald service, run:
    /opt/quest/sbin/pmserviced -s

    This command checks that the pmlocald service is enabled under pmserviced. If it is not, ensure that (x)inetd is no longer listening to the pmlocald port.
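Both the policy-server procedure (step 3 above, pmlocald and pmmasterd) and the agent procedure (step 2, pmlocald only) end with the same check: once pmserviced owns the service, (x)inetd must not still be configured for the same port, or two daemons will compete for it. The script below is an added example, not One Identity's code; it inspects /etc/services, /etc/inetd.conf and /etc/xinetd.d (all default paths are assumptions and can be overridden per call) and reports any service that is still wired into (x)inetd. It reads configuration files only; it does not query live listeners.

```shell
#!/bin/sh
# Added example (not One Identity's code): report whether (x)inetd still has
# an active entry for the Privilege Manager services that pmsrvconfig/pmjoin
# moved under pmserviced. Default file locations are assumptions.

# Print the TCP port registered for a service name in a services file.
# Usage: pm_service_port <service> [services_file]
pm_service_port() {
    svc=$1
    file=${2:-/etc/services}
    [ -r "$file" ] || return 1
    # A services line looks like:  pmlocald   12345/tcp   # comment
    awk -v s="$svc" '$1 == s && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2 }' "$file"
}

# Return 0 (true) if inetd.conf or an xinetd.d directory still carries an
# active (uncommented, not disabled) entry for the service.
# Usage: pm_inetd_has <service> [inetd_conf] [xinetd_dir]
pm_inetd_has() {
    svc=$1
    conf=${2:-/etc/inetd.conf}
    xdir=${3:-/etc/xinetd.d}
    # Classic inetd: the service name is the first field; "#" lines are off.
    if [ -r "$conf" ] && awk -v s="$svc" '$1 == s { found=1 } END { exit !found }' "$conf"; then
        return 0
    fi
    # xinetd: a "service <name>" block is active unless it says "disable = yes".
    if [ -d "$xdir" ]; then
        for f in "$xdir"/*; do
            [ -f "$f" ] || continue
            if grep -Eq "^[[:space:]]*service[[:space:]]+$svc([[:space:]]|$)" "$f" &&
               ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
                return 0
            fi
        done
    fi
    return 1
}

# Report each service; exit 1 if any of them is still configured in (x)inetd.
# Usage: pm_inetd_report <service>...
pm_inetd_report() {
    rc=0
    for svc in "$@"; do
        port=$(pm_service_port "$svc")
        if pm_inetd_has "$svc"; then
            echo "WARN: $svc (port ${port:-unknown}) is still configured in (x)inetd; remove the entry and restart (x)inetd"
            rc=1
        else
            echo "ok:   $svc (port ${port:-unknown}) is not configured in (x)inetd"
        fi
    done
    return $rc
}

# Run as: sh pm_inetd_check.sh pmlocald pmmasterd   (policy server)
#         sh pm_inetd_check.sh pmlocald             (agent)
if [ $# -gt 0 ]; then
    pm_inetd_report "$@"
fi
```

After a clean report, confirm on the live system that the port shown is held by pmserviced rather than by inetd or xinetd (for example with `ss -ltnp` or `netstat -ltnp`, whichever the host provides) before re-running `/opt/quest/sbin/pmserviced -s`.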

Importing Event Logs into the new Database Format

Privilege Manager now uses a new database format for storing event log data. The installation and configuration steps do not, however, automatically import the event logs from previous Privilege Manager versions. In order to access the preexisting log data, you must manually import the data into the new database format using the pmlogadm program.

For example, to import the default /var/log/pm.eventlog file from Privilege Manager 5.5.2 to /var/opt/quest/qpm4u/pmevents.db (the default location for the event log database in Privilege Manager for Unix 6.0), run the following command:

# pmlogadm import /var/log/pm.eventlog /var/opt/quest/qpm4u/pmevents.db

If your policy uses the eventlog variable to specify the location of where it writes event logs, you must move or rename the existing event log files to allow the policy server to create the new database-formatted log files with the existing name. The policy server will fail to create a new database-formatted file if a non-database-formatted file with the same name already exists.
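The two requirements above (import the old data with pmlogadm, and move the flat file out of the way so the policy server can create a database with the same name) are easy to get in the wrong order. The following is an added example, not One Identity's code: it renames each old log to a .pre60 backup, then imports that backup into the target database, and refuses to overwrite an existing backup so a failed import can be retried without losing data. The path of pmlogadm is an assumption and can be overridden through PMLOGADM; pmlogadm is assumed to accept only the `import <old> <new_db>` form shown on this page.

```shell
#!/bin/sh
# Added example (not One Identity's code): migrate a pre-6.0 flat event log
# into the new database format with "pmlogadm import". The binary path is an
# assumption; set PMLOGADM to override it.

PMLOGADM=${PMLOGADM:-/opt/quest/sbin/pmlogadm}

# Usage: pm_eventlog_migrate <old_log> <new_db>
# Returns 0 on success (or when <old_log> does not exist), 1 on failure.
# The original data is always kept in <old_log>.pre60.
pm_eventlog_migrate() {
    old=$1
    db=$2
    if [ ! -f "$old" ]; then
        echo "skip: $old does not exist" >&2
        return 0
    fi
    backup="$old.pre60"
    if [ -e "$backup" ]; then
        echo "error: $backup already exists; inspect it before retrying" >&2
        return 1
    fi
    # Rename first: the policy server must find no flat file under the old
    # name when it creates the database-formatted log.
    mv -- "$old" "$backup" || return 1
    if "$PMLOGADM" import "$backup" "$db"; then
        echo "imported $backup into $db"
        return 0
    fi
    echo "error: import of $backup into $db failed; data kept in $backup" >&2
    return 1
}

# Run as: sh pm_eventlog_migrate.sh /var/log/pm.eventlog /var/opt/quest/qpm4u/pmevents.db
if [ $# -eq 2 ]; then
    pm_eventlog_migrate "$1" "$2"
fi
```

If the policy sets the eventlog variable to several paths, call the function once per path with the matching target database; the backup file is deliberately left in place rather than deleted, so remove the .pre60 files yourself once the imported records have been checked.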

System Administration

Privilege Manager provides command line utilities to help you manage your policy servers. You can use them to check the status of your policy servers, edit the policy, or simply report information about them.
