Chat now with support
Chat with Support

Safeguard for Sudo 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration Upgrade Privilege Manager for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Privilege Manager Variables Privilege Manager programs Installation Packages Unsupported Sudo Options Privilege Manager for Sudo Policy Evaluation

Security policy types

The security policy lies at the heart of Privilege Manager. Privilege Manager guards access to privileged functions on your systems according to rules specified in the security policy. It stipulates which users may access which commands with escalated privileges.

Privilege Manager supports two security policy types (or modes):

  • sudo policy type: Privilege Manager for Sudo uses a standard sudoers file as its security policy; that is, the sudo policy is defined by the sudoers file which contains a list of rules that control the behavior of sudo. The sudo command allows users to get elevated access to commands even if they do not have root access.

    NOTE: Privilege Manager uses the sudo policy type by default. The sudo policy type is only supported with the One Identity Privilege Manager for Sudo product. Joining a Sudo Plugin host to a Privilege Manager Policy Server is not a supported configuration.

  • pmpolicy type: Privilege Manager for Unix uses an advanced security policy which employs a high-level scripting language to specify access to commands based on a wide variety of constraints. Privilege Manager policy is defined in pm.conf, the default policy configuration file which contains statements and declarations in a language specifically designed to express policies concerning the use of root and other controlled accounts.

    NOTE: The pmpolicy type is the "legacy" security policy that was used in Privilege Manager for Unix, prior to version 6.0. The pmpolicy type is only supported with the Privilege Manager for Unix product. Joining a PM Agent host to a sudo policy server is not a supported configuration.

NOTE: Management Console for Unix gives you the ability to centrally manage policy located on the primary policy server. You view and edit both pmpolicy and sudo policy from the Policy tab on the mangement console.

By default, the policy server configuration tool (pmsrvconfig) uses the sudo policy type on new installations; if you want to run Privilege Manager for Unix using the pmpolicy type you must specify that explicitly when using the policy server configuration script.

NOTE: The pmsrvconfig program is used by both Privilege Manager for Unix and Privilege Manager for Sudo. Run pmsrvconfig -m sudo or pmsrvconfig -m pmpolicy to specify the policy type. See pmsrvconfig for more information about the pmsrvconfig command options.

The default behavior for setting up the initial policy depends on which type of policy you are using. If you configure Privilege Manager for Sudo using the default sudo policy type, pmsrvconfig uses a copy of the /etc/sudoers file as its initial security policy if the file exists, otherwise it creates a generic sudoers file.

NOTE: When you join a Sudo Plugin to a policy server, Privilege Manager for Sudo adds the following lines to the current local sudoers file, generally found in /etc/sudoers.

## WARNING: Sudoers rules are being managed by QPM4Sudo 
## WARNING: Do not edit this file, it is no longer used.
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules. 

When you unjoin the Sudo Plugin, Privilege Manager for Sudo removes those lines from the local sudoers file.

NOTE: Use the pmsrvconfig -f <path> command to override the default and import the initial security policy from the specified location. When using the sudo policy type, you can only use the -f option to import a file; you can not import a directory.

Privilege Manager uses a version control system to manage and maintain the security policy. This allows auditors and system administrators to track changes that have been made to the policy and also allows a single policy to be shared and distributed among several policy servers. The "master" copy of the security policy and all version information is kept in a repository on the primary policy server.

You manage the security policy using the pmpolicy command and a number of pmpolicy subcommands. It is important that you only make changes to the policy using the pmpolicy command. Using pmpolicy ensures that the policy is updated in the repository and across all policy servers in the policy group. You can run the pmpolicy command from any policy server in the policy group.

NOTE: Do not edit the security policy on a policy server directly. Changes made using visudo will eventually be overwritten by the version control system.

The primary policy server uses a local service account, pmpolicy, to own and manage the security policy repository. The pmpolicy service account is set when you configure the primary policy server. At that time you assign the pmpolicy service account a password and set its home directory to /var/opt/quest/qpm4u/pmpolicy. This password is also called the "Join" password because you use it when you add secondary policy servers or join remote hosts to this policy group.

You can manually create the pmpolicy user prior to running the pmsrvconfig script, but if the user account does not exist, the script creates the user and asks you for a password.

When you run the pmsrvconfig command, it attempts to initialize the security policy by reusing an existing policy file on this host. If a security policy does not exist, it generates a default policy.

Specifying security policy type

To configure a Privilege Manager for Sudo policy server, you must specify the sudo policy type.

To specify the security policy type

  1. To specify the sudo policy type, run:
    # pmsrvconfig -m sudo
Related Topics


The sudo type policy

A sudo type policy is used with the Privilege Manager for Sudo product. When you configure the primary policy server, if /etc/sudoers exists, it imports this file and uses it as the initial sudoers policy file. Otherwise, it creates a generic sudoers file.

By default, the Privilege Manager for Sudo sudoers file resides in /etc/opt/quest/qpm4u/policy/sudoers, but is not meant to be accessed directly.

Sudo type policy entries look like this:

root ALL = (ALL) ALL 
%wheel ALL = (ALL) ALL

These entries will let root or any user in the wheel group run any command on any host as any user.

Viewing the security profile changes

To view a summary of the changes you made to your security policy

  1. At the command line, run:
    # pmpolicy log
    ** Validate options          [ OK ] 
    ** Check out working copy    [ OK ] 
    ** Retrieve revision details [ OK ] 
    version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add sudoers.d/helpdesk " 
    version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add #includedir sudoers.d" 
    version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"
  2. To examine the differences between two versions, run:
    # pmpolicy diff –r1:2
    ** Validate options                                          [ OK ] 
    ** Check out working copy (trunk revision)                   [ OK ] 
    ** Check differences                                         [ OK ] 
    ** Report differences between selected revisions             [ OK ] 
       - Differences were detected between the selected versions 
    Index: sudoers
    --- sudoers (revision 1) 
    +++ sudoers (revision 2) 
    @@ -88,6 +88,6 @@ 
    # Defaults targetpw # Ask for the password of the target user
    # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
    -## Read drop-in files from /etc/sudoers.d 
    +## Read drop-in files from sudoers.d 
    ## (the '#' here does not indicate a comment) 
    -##includedir /etc/sudoers.d
    +# includedir sudoers.d

The output shows the sudoers file from line 88. The lines that were changed between version 1 and version 2 are marked with a preceding “+” or "-". A "-" denotes lines that were changed or deleted, and a "+" denotes updated or added lines.

Related Documents