
Safeguard for Sudo 2.0 - Administrators Guide


Privilege Manager Licensing


Privilege Manager 6.0 licensing options:

30-day Evaluation Licenses
  1. Privilege Manager for Unix evaluation license allows you to manage unlimited PM Agent hosts for 30 days.
  2. Privilege Manager for Sudo evaluation license allows you to manage unlimited Sudo Plugin hosts for 30 days; after 30 days, you are allowed to manage 10 Sudo Plugin hosts without receiving an alert.

    NOTE: A newly installed policy server comes with an evaluation license. You can install multiple evaluation licenses, but only one license of each type.

Commercial licenses
  1. Sudo Policy license for Privilege Manager for Sudo features
  2. Sudo Keystroke license for Privilege Manager for Sudo features
  3. PM Policy license for Privilege Manager for Unix features

Although licenses are allocated on a per-agent basis, you install the licenses on Privilege Manager policy servers.

The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. (See Install Licenses or Displaying License Usage for more examples of using the pmlicense command.)

Deployment Scenarios


You can deploy Privilege Manager software within any organization using UNIX® and/or Linux® systems. Privilege Manager offers a scalable solution to meet the needs of the small business through to the extensive demands of the large or global organization.

There is no right or wrong way to deploy Privilege Manager, and an understanding of the flexibility and scope of the product will aid you in determining the most appropriate solution for your particular requirements. This section describes four sample implementations:

  • a single host installation
  • a medium-sized business installation
  • a large business installation
  • an enterprise installation

Configuration Options

Decide which of the following configurations you want to set up:

  1. Primary Server Configuration: Configure a single host as the primary policy server hosting the security policy for the policy group using either the pmpolicy (Privilege Manager for Unix) or sudo (Privilege Manager for Sudo) policy type. (See Security Policy Types for more information about these policy types.)
  2. Secondary Server Configuration: Configure a secondary policy server in the policy server group to obtain a copy of the security policy from the primary policy server.
  3. PM Agent Configuration: Join a Privilege Manager for Unix Agent host to a pmpolicy server group.
  4. Sudo Plugin Configuration: Join a Privilege Manager for Sudo host to a sudo policy server group.

    NOTE: Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.

Single Host Deployment


A single-host installation is typically appropriate for evaluations, proof of concept and demonstrations of Privilege Manager for Unix. This configuration example installs all of the components on a single UNIX®/Linux® host, with protection offered only within this single host. All logging and auditing takes place on this host.

Figure 6: Single Host Implementation

Medium Business Deployment


The medium business model is suitable for small organizations with relatively few hosts to protect, all of which may be located within a single data centre.

This configuration example comprises multiple UNIX®/Linux® hosts located within the SME space and one or more web servers located in a DMZ.

The tunneling feature (pmtunneld) enables Privilege Manager for Unix to control privileged commands on the web servers in the DMZ across a firewall. This configuration significantly reduces the number of open ports at the firewall.

Multiple policy server components (pmmasterd) are installed in a failover configuration, with groups of agents balanced between the policy servers. If a policy server is unavailable for any reason, the agents fail over to the alternative policy server.

Figure 7: Medium Business Implementation
