
Safeguard for Sudo 2.0 - Administrators Guide


System Requirements


Prior to installing Privilege Manager, ensure your system meets the minimum hardware and software requirements for your platform.

Table 1: Hardware and software requirements
Component Requirements
Operating Systems

Click www.quest.com/privilege-manager-for-unix to review a list of Unix and Linux® platforms that support Privilege Manager for Unix.

Click www.quest.com/quest-one-privilege-manager-for-sudo to review a list of Unix, Linux®, and Mac OS X® platforms that support Privilege Manager for Sudo.

Disk Space

80 MB of disk space for program binaries and manuals for each architecture.

NOTE: At a minimum, you must have 80 MB of free disk space. The directories in which the binaries are installed must have sufficient disk space available on a local disk drive rather than a network drive. Before you install Privilege Manager for Unix, ensure that the partitions that will contain /opt/quest have sufficient space available.

  • Sufficient space for the keystroke logs, application logs, and event logs. The size of this space depends on the number of servers, the number of commands, and the number of policies configured.

    NOTE: The space can be on a network disk drive rather than a local drive.

  • The server hosting Privilege Manager must be a separate machine dedicated to running the pmmasterd daemon.
SSH Software

You must install and configure SSH client and server software on all policy server hosts, and install SSH client software on all hosts that will use the Sudo Plugin. You must enable access to SSH as the root user on the policy server hosts during configuration of the policy servers. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.

Processor

Policy Servers - 4 cores

RAM

Policy Servers - 4GB

Privilege Manager for Sudo Requirements
Table 2: Primary policy server and host system installation requirements
Systems Required Minimum Requirements
Primary Policy Server

  • Supported Unix or Linux® operating system
  • SSH (ssh-keyscan binary)

Host System

  • Supported Unix, Linux®, or Mac OS X® platform
  • SSH (ssh-keyscan binary)
  • Sudo 1.8.1 or later

Default Ports

Configure the firewall ports appropriately when installing the Sudo Plugin on separate machines from the policy server.

Table 3: Masterport requirements
Variable | Default Port | Description
masterport | 12345 | TCP/IP port for pmmasterd. Privilege Manager for Unix uses the masterport to communicate with the pmmasterd (policy server daemon).

Reserve Special User and Group Names


Reserve the following names for Privilege Manager for Unix usage:

  • pmpolicy (user and group)
  • pmlog (group)

Required Privileges


You will need root privileges to install Privilege Manager software. Either log in as root or use the su program to acquire root privileges. Due to the importance of the root account, Privilege Manager carefully protects the system against certain accidental or deliberate situations that might lead to a breach in security. For example, if Privilege Manager discovers that its configuration files are open to modification by non-root users, it will reject all job requests. Furthermore, all Privilege Manager directories back to the / directory are checked for security in the same way, to guard against accidental or deliberate replacement.
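A similar check can be run by hand before installation to find directories that would fail this kind of test. The following Python is an added example, not Privilege Manager's own code; the rule it applies (every path component owned by a trusted UID and not writable by group or other) and the file name policy.conf are assumptions, since this guide does not list the exact tests the product performs.

```python
import os
import shutil
import stat
import tempfile

def audit_path_chain(path, trusted_uids=(0,)):
    """Walk from path up to /, returning (component, problem) for each unsafe entry.

    Assumed rule: a component is unsafe if its owner is not trusted or if
    group/other can write to it (a writable parent allows replacing the child).
    """
    findings = []
    current = os.path.realpath(path)  # resolve symlinks so the real chain is checked
    while True:
        st = os.lstat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((current, "writable by group or other (mode %o)" % mode))
        parent = os.path.dirname(current)
        if parent == current:  # reached /
            break
        current = parent
    return findings

def demo():
    """Constructed tree: a safe chain, then the same chain with a group-writable directory."""
    base = os.path.realpath(tempfile.mkdtemp())
    conf_dir = os.path.join(base, "etc")
    os.mkdir(conf_dir)
    os.chmod(base, 0o755)
    os.chmod(conf_dir, 0o755)
    conf = os.path.join(conf_dir, "policy.conf")  # hypothetical file name
    with open(conf, "w") as fh:
        fh.write("# constructed sample\n")
    os.chmod(conf, 0o644)
    trusted = {0, os.getuid()}  # the current user stands in for root in this demo
    inside = lambda fs: [f for f in fs if f[0].startswith(base)]
    before = inside(audit_path_chain(conf, trusted))
    os.chmod(conf_dir, 0o775)  # weaken one directory in the chain
    after = inside(audit_path_chain(conf, trusted))
    shutil.rmtree(base)
    return before, after, conf_dir

if __name__ == "__main__":
    before, after, _ = demo()
    print("safe chain:", before)
    print("after chmod 775:", after)
```

On a real host, call audit_path_chain() as root with the default trusted_uids on the configuration file you intend to use; any finding identifies a component to fix with chown or chmod before installing.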

Estimating Size Requirements

Keystroke and Event Log Disk Space Requirements

The amount of disk space required to store keystroke logs will vary significantly based on the amount of terminal output generated by the user's daily activity and the level of logging configured. An average Privilege Manager for Unix keystroke log will contain an additional 4KB of data on top of the amount of data displayed to the user's terminal. Averaging the terminal output generated by a few users over the course of a normal day gives an approximate estimate. For example, a developer using a vi session throughout the day may generate 200KB of terminal output. A team of 200 developers each generating a similar amount of terminal output per working day could be expected to use 31GB of disk space over a three-year period [ 204 KB (200 KB + 4 KB) x 200 (developers) x 260 (working days) x 3 (years) = 31,824,000 KB ].

The level of logging can also be configured to reduce the overhead on the Masters. For example, some customers only log the user's input (key presses) which will dramatically reduce the amount of logging.

Event log entries will typically use 4-5KB of storage per event, but may vary slightly depending on the data stored in the events. For example, events might be slightly larger for users that have lots of environment variables defined. Taking an average of the number of events that occur over the course of a normal day should allow you to estimate the disk space requirements for event logs. For example, if the same team of developers generates 1,000 events in a normal working day, they would be expected to use nearly 4GB of disk space over a three-year period [ 5 KB x 1,000 (events) x 260 (days) x 3 (years) = 3,900,000 KB ].

Policy Server Deployment Requirements

The following recommendations are only provided as a rough guideline. The number of policy servers required for your environment may vary greatly depending on usage.

  • 1 policy server is suitable for small test environments with fewer than 50 hosts.
  • Production environments should have a minimum of 2 policy servers.
  • Add an additional policy server for every 150-200 Privilege Manager hosts.
  • Additional policy servers may be required to support geographically disparate locations.
