Chat now with support
Chat with Support

Safeguard for Sudo 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration Upgrade Privilege Manager for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Privilege Manager Variables Privilege Manager programs Installation Packages Unsupported Sudo Options Privilege Manager for Sudo Policy Evaluation

Required privileges

You will need root privileges to install Privilege Manager software. Either log in as root or use the su program to acquire root privileges. Due to the importance of the root account, Privilege Manager carefully protects the system against certain accidental or deliberate situations that might lead to a breach in security. For example, if Privilege Manager discovers that its configuration files are open to modification by non-root users, it will reject all job requests. Furthermore, all Privilege Manager directories back to the / directory are checked for security in the same way, to guard against accidental or deliberate replacement.

Estimating size requirements

Policy server deployment requirements

The following recommendations are only provided as a rough guideline. The number of policy servers required for your environment may vary greatly depending on usage.

  • One policy server is suitable for small test environments with less than 50 hosts.
  • Production environments should have a minimum of two policy servers.
  • Add an additional policy server for every 150-200 Privilege Manager hosts.
  • Additional policy servers may be required to support geographically disparate locations.

Privilege Manager licensing

One Identity Privileged Access Suite for Unix - Standard edition licenses you for Privilege Manager for Sudo.

Privilege Manager 6.1 licensing options include:

30-day evaluation licenses

Privilege Manager for Sudo evaluation license allows you to manage unlimited Sudo Plugin hosts for 30 days; after 30 days, you are allowed to manage 10 Sudo Plugin hosts without receiving an alert.

NOTE: A newly installed policy server comes with an evaluation license. You can install multiple evaluation licenses, but only one license of each type (that is, Privilege Manager for Sudo or Privilege Manager for Unix).

Commercial licenses

Both a Sudo Policy and a Sudo Keystoke license is required for Privilege Manager for Sudo features.

Although licenses are allocated on a per-agent basis, you install the licenses on Privilege Manager policy servers.

The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. See Installing licenses or Displaying license usage for more examples of using the pmlicense command.

Deployment scenarios

You can deploy Privilege Manager software within any organization using UNIX and/or Linux systems. Privilege Manager offers a scalable solution to meet the needs of the small business through to the extensive demands of the large or global organization.

There is no right or wrong way to deploy Privilege Manager, and an understanding of the flexibility and scope of the product will aid you in determining the most appropriate solution for your particular requirements. This section describes the following sample implementations:

  • a single host installation
  • a medium-sized business installation
  • a large business installation

Configuration options

Decide which of the following configurations you want to set up:

  1. Primary Server Configuration: Configure a single host as the primary policy server hosting the security policy for the policy group using either the pmpolicy (Privilege Manager for Unix) or sudo (Privilege Manager for Sudo) policy type. See Security policy types for more information about these policy types.

    If you are configuring the primary policy server using the pmpolicy policy type, see the One Identity Privilege Manager for Unix Administration Guide.

  2. Secondary Server Configuration: Configure a secondary policy server in the policy server group to obtain a copy of the security policy from the primary policy server.
  3. Sudo Plugin Configuration: Join a Privilege Manager for Sudo host to a sudo policy server group.

    NOTE: Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.

Related Documents