Safeguard for Sudo 2.0 - Administrators Guide

Click www.quest.com/quest-one-privilege-manager-for-sudo to review a list of Unix, Linux^®, and Mac OS X^® platforms that support Privilege Manager for Sudo.

Disk Space

80 MB of disk space for program binaries and manuals for each architecture.

NOTE: At a minimum, you must have 80 MB of free disk space. The directories in which the binaries are installed must have sufficient disk space available on a local disk drive rather than a network drive. Before you install Privilege Manager for Unix, ensure that the partitions that will contain /opt/quest have sufficient space available.

Sufficient space for the keystroke logs, application logs, and event logs. The size of this space depends on the number of servers, the number of commands, and the number of policies configured.

NOTE: The space can be on a network disk drive rather than a local drive.
The server hosting Privilege Manager must be a separate machine dedicated to running the pmmasterd daemon.

SSH Software

You must install and configure SSH client and server software on all policy server hosts, and install SSH client software on all hosts that will use the Sudo Plugin. You must enable access to SSH as the root user on the policy server hosts during configuration of the policy servers. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.

Processor

Policy Servers - 4 cores

RAM

Policy Servers - 4GB

Privilege Manager for Sudo Requirements

Table 2: Primary policy server and host system installation requirements
Systems Required	Minimum Requirements
Primary Policy Server	Supported Unix or Linux^® operating system SSH (ssh-keyscan binary)
Host System	Supported Unix, Linux^®, or Mac OS X^® platform SSH (ssh-keyscan binary) Sudo 1.8.1 or later

Default Ports

Configure the firewall ports appropriately when installing the Sudo Plugin on separate machines from the policy server.

Table 3: Masterport requirements
Variable	Default Port	Description
masterport	12345	TCP/IP port for pmmasterd. Privilege Manager for Unix uses the masterport to communicate with the pmmasterd (policy server daemon).

Reserve Special User and Group Names

Planning Deployment > System Requirements > Reserve Special User and Group Names

Reserve the following names for Privilege Manager for Unix usage:

pmpolicy (user and group)
pmlog (group)

Required Privileges

Planning Deployment > System Requirements > Required Privileges

You will need root privileges to install Privilege Manager software. Either log in as root or use the su program to acquire root privileges. Due to the importance of the root account, Privilege Manager carefully protects the system against certain accidental or deliberate situations that might lead to a breach in security. For example, if Privilege Manager discovers that its configuration files are open to modification by non-root users, it will reject all job requests. Furthermore, all Privilege Manager directories back to the / directory are checked for security in the same way, to guard against accidental or deliberate replacement.

Estimating Size Requirements

Planning Deployment > Estimating Size Requirements

Keystroke and Event Log Disk Space Requirements

The amount of disk space required to store keystroke logs will vary significantly based on the amount of terminal output generated by the user's daily activity and the level of logging configured. An average Privilege Manager for Unix keystroke log will contain an additional 4KB of data on top of the amount of data displayed to the user's terminal. Taking an average of the amount of terminal output generated by a few users over the course of a normal day would allow for an approximate estimation to be calculated. For example, a developer using a vi session throughout the day may generate 200KB of terminal output. A team of 200 developers each generating a similar amount of terminal output per working day could be expected to use 31GB of disk space over a three-year period [ 204 (200 + 4KB) x 200 (developers) x 260 (working days) x 3 (years) = 31,824,000 ].

The level of logging can also be configured to reduce the overhead on the Masters. For example, some customers only log the user's input (key presses) which will dramatically reduce the amount of logging.

Event log entries will typically use 4-5KB of storage per event, but may vary slightly depending on the data stored in the events. For example, events might be slightly larger for users that have lots of environment variables defined. Taking an average of the number of events that occur over the course of a normal day should allow you to estimate the disk space requirements for event logs. For example, if the same team of developers generate 1,000 events in a normal working day, they would be expected to use nearly 4GB of disk space over a three-year period [ 5 (KB) * 1000 (events) * 260 (days) * 3 (years) = 3,900,000 ].

Policy Server Deployment Requirements

The following recommendations are only provided as a rough guideline. The number of policy servers required for your environment may vary greatly depending on usage.

1 policy server is suitable for small test environments with less than 50 hosts.
Production environments should have minimum of 2 policy servers.
Add an additional policy server for every 150-200 Privilege Manager hosts.
Additional policy servers may be required to support geographically disparate locations.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem