
Safeguard for Sudo 2.0 - Administrators Guide


Environmental Variables

You can use environment variables to turn special features of Privilege Manager configuration files on or off. In the following example, the list of Privilege Manager variables is printed to the user's screen if the DEBUG environment variable is set to "yes". This is useful when debugging a configuration file. Simply set the DEBUG variable to "yes" in your shell, then run pmrun. Privilege Manager notices the DEBUG variable and calls the printvars function.

if(getenv("DEBUG")=="yes") 
   printvars();

NIS Netgroups

If you have a large site where you add and remove hosts frequently, you may already be using netgroups to associate a group name with a set of hosts. The Privilege Manager innetgroup function tests whether a named host is a member of a named netgroup.

For example, you can reject requests originating from any machine that is not in the netgroup myhosts as follows:

if(!innetgroup("myhosts", host)) 
   reject;

Specify Trusted Hosts

You can reject all requests that do not originate from your own domain; that is, you can name only the hosts that you trust to issue requests, as follows:

if(submithost !in {"*.quest.com"}) 
   reject;
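The three checks above are fragments; the following puts them together as one default-deny policy fragment. This is an added example, not taken from the guide, and it assumes the policy language's `accept;` statement and `#` comments, which the snippets above do not show.

```text
# Added example (not from the guide). Diagnostics run first, host-based
# rejections next, and the request is accepted only if nothing rejected it.

# DEBUG comes from the submitting user's shell, so it is under that user's
# control: it may only switch on harmless diagnostics such as printvars(),
# never influence whether a request is accepted.
if (getenv("DEBUG") == "yes")
   printvars();

# Reject any request that did not originate from the trusted domain.
if (submithost !in {"*.quest.com"})
   reject;

# Reject any request for a host that is not in the myhosts netgroup.
if (!innetgroup("myhosts", host))
   reject;

# Only requests that passed both host checks reach this point.
accept;
```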

Configuring Firewalls

When the agent and policy server are on different sides of a firewall, Privilege Manager needs a number of ports to be kept open. By default, Privilege Manager can use ports in the 600 to 31024 range, but when using a firewall, you may want to limit the ports that can be used. (See Restricting Port Numbers for Command Responses for more information.)

This section describes

  • how Privilege Manager uses ports from both the reserved and non-reserved port ranges during a session
  • how to configure Privilege Manager over a firewall and, optionally, Network Address Translation (NAT)
