
Safeguard for Sudo 2.0 - Administrators Guide


Installing InTrust Plug-in Components


To configure InTrust for Privilege Manager you must install and configure several components separately. The diagram below shows the major components for the InTrust for Active Directory Plug-in.

Figure 14: InTrust Plug-in Components

To install and configure the InTrust for Active Directory Plug-in Components

  1. Install Privilege Manager and identify which logs you wish to audit.
  2. Install and configure the pmintrust.sh script to run as the root user to extract the relevant data.

    Quest recommends that you set up a daily cron job to run “pmrun pmintrust.sh” as the pmpolicy service user.

  3. Install an InTrust Agent on the Privilege Manager Policy Server.
  4. Configure the InTrust Server: Finding, Gathering, and Storing.
  5. Gather Data.
  6. Configure the InTrust Server: Reporting.

InTrust Plug-in Installation Prerequisites


Before you install the InTrust for Active Directory components:

  • Install and register an InTrust agent on the Privilege Manager policy server machine for the collection of syslog messages.

    (For more information on this process, please refer to the document entitled InTrust Preparing for Auditing and Monitoring Linux.)

Configuring the Policy Server for the InTrust Plug-in


Run the pmintrust.sh script as the root user.

NOTE: You might need to edit pmintrust.sh to ensure it can find all relevant event log files.

The script outputs event log data in a format that the InTrust Agent can handle. When the script runs, it creates a separate file for InTrust called /tmp/pm_evlog.intrust containing a plain text version of the events stored in the event log files.

To configure the policy server for the InTrust Plugin

  1. Extract the pmintrust.tgz archive, located in the utilities directory of the Privilege Manager for Unix distribution media, to the /tmp directory.
    # gzip -dc pmintrust.tgz | tar xvf - -C /tmp
    pmintrust/ 
    pmintrust/pmpolicy.crontab 
    pmintrust/root.crontab 
    pmintrust/pmintrust.profile 
    pmintrust/pmintrust.sh
  2. Copy the pmintrust.sh script to the /opt/quest/sbin directory of your policy server.
    # cp /tmp/pmintrust/pmintrust.sh /opt/quest/sbin
  3. If necessary, edit the pmintrust.sh script and modify the EVDIRS and EVGLOB variables so that the script can locate the necessary event log files. For example, if your policy defines the eventlog variable as:
    eventlog="/var/log/eventlogs/"+year+"/"+month+"/"+day+"/"+user+"_events.db";

    Change the EVDIRS and EVGLOB variables in the pmintrust.sh script to:

    EVDIRS=`find /var/log/eventlogs -type d`
    EVGLOB="*_events.db"
  4. Configure the system to run the pmintrust.sh script as the root user.

    Quest recommends that you add a crontab entry as the pmpolicy service user, and configure the cronjob to run pmrun with root user privileges.

    NOTE: The crontab entry is a file called pmpolicy.crontab in the pmintrust.tgz archive.

    a. The following crontab entry runs pmrun pmintrust.sh at 10:50 pm every day:

      50 22 * * * /opt/quest/bin/pmrun /opt/quest/sbin/pmintrust.sh

      To add the crontab, log in (or su) to the pmpolicy service account and execute the following command:

      $ crontab /tmp/pmintrust/pmpolicy.crontab

      Alternatively, you can configure the script to run directly as the root user by creating a root cron job, and skip part b) of this step.

      NOTE: There is a root.crontab file in the pmintrust.tgz archive.

    b. If you are using the default profile-based policy, add the pmintrust.profile to your policy to allow the pmpolicy service account to run the pmintrust.sh script as the root user.

      To check out, add, and commit the changes to the policy, run the following pmpolicy commands:

      # /opt/quest/sbin/pmpolicy checkout -d /tmp
      # cp /tmp/pmintrust/pmintrust.profile /tmp/policy_pmpolicy/profiles/
      # chown pmpolicy:pmpolicy /tmp/policy_pmpolicy/profiles/pmintrust.profile
      # /opt/quest/sbin/pmpolicy add -p profiles/pmintrust.profile -d /tmp
      # /opt/quest/sbin/pmpolicy commit -d /tmp -l "add pmintrust profile"
  5. Execute a new command with Privilege Manager to verify the change, such as:
    # pmrun id
  6. Allow the cronjob to execute at the scheduled time, then verify the InTrust event log file, /tmp/pm_evlog.intrust, was created and contains your test event.
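
The checks in steps 3 to 6 can be scripted. The following is an added example, not part of the Privilege Manager distribution: the function names, the expected-owner argument and the search string for the test event are assumptions, and /tmp/pm_evlog.intrust is treated as opaque text because its layout is not described here.

```shell
#!/bin/sh
# Added example: post-install checks for the pmintrust.sh export job.
# Function names, the owner argument and the search string are assumptions.

# Count the event logs that EVDIRS (every directory under $1) and
# EVGLOB ($2) from step 3 would select.
count_evlogs() {
    find "$1" -type f -name "$2" 2>/dev/null | wc -l | tr -d ' '
}

# True if $1 is a regular file (not a symlink) owned by user $2.
owned_regular() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -n "$(find "$1" -prune -user "$2")" ]
}

# pmintrust.sh runs as root from cron, so nobody but its owner may edit it.
check_script() {   # $1 = script path, $2 = expected owner
    owned_regular "$1" "$2" ||
        { echo "not a regular file owned by $2: $1"; return 1; }
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ] ||
        { echo "group- or world-writable: $1"; return 2; }
}

# The export is written to world-writable /tmp: confirm it is a regular
# file with the expected owner, fresh, and holds the test event text.
check_export() {   # $1 = export file, $2 = owner, $3 = fixed string to find
    owned_regular "$1" "$2" ||
        { echo "not a regular file owned by $2: $1"; return 1; }
    [ -n "$(find "$1" -prune -mtime -1)" ] ||
        { echo "not modified in the last 24 hours: $1"; return 2; }
    grep -qF -- "$3" "$1" ||
        { echo "text '$3' not found in $1"; return 3; }
}

# Run against the paths used in this guide: sh check_pmintrust.sh --run [text]
if [ "${1:-}" = "--run" ]; then
    echo "event logs matched: $(count_evlogs /var/log/eventlogs '*_events.db')"
    check_script /opt/quest/sbin/pmintrust.sh root &&
        check_export /tmp/pm_evlog.intrust root "${2:-id}" &&
        echo "export checks passed"
fi
```

A count of 0 from count_evlogs means EVDIRS and EVGLOB do not match the eventlog path defined in your policy, so the export would be empty.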

Installing the InTrust Knowledge Pack


To install the InTrust Knowledge Pack

  1. Using an InTrust for Active Directory Administration account, log in to your InTrust for Active Directory server.
  2. Extract the Privilege_Manager_InTrust_<version>.zip file to a temporary folder, such as d:\temp.
  3. Open a command prompt and change to the following directory:
    <INTRUST_HOME>\Server\ADC\SupportTools\
  4. Import each of the XML files using the InTrustPDOImport.exe command, as follows:
    # InTrustPDOImport.exe -import D:\temp\PM_DataSource.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_GatheringJob.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_GatheringJob_igtc.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_GatheringPolicy.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_GatheringTask.xml 
    # InTrustPDOImport.exe -import D:\temp\PM_Site.xml
  5. Verify the Privilege Manager objects are in the InTrust Manager, under Sites:
