Chat now with support
Chat with Support

Safeguard for Sudo 7.1 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Safeguard Variables Safeguard programs Installation Packages Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Reserve special user and group names

It is important for you to reserve the following special user and group names for Safeguard usage:

  • Users: questusr, pmpolicy, pmclient
  • Groups: questgrp, pmpolicy, pmlog

The questusr account is a user service account created and used by Management Console for Unix to manage Safeguard policy and search event logs. It is a non-privileged account (that is, it does not require root-level permissions) that is used by the console to gather information about existing policy servers in a read-only fashion. The mangement console does not use questusr account to make changes to any configuration files. questgrp is the primary group (gid) for questusr.

The pmpolicy user is created on a primary or secondary server. It is a non-privileged service account (that is, it does not require root-level permissions) that is used to synchronize the security policy on policy servers.

The pmclient user is created on a Sudo Plugin host. It is a non-privileged service account (that is, it does not require root-level permissions) that is used to synchronize the security policy on Sudo Plugin hosts (offline policy cache).

The pmlog and pmpolicy groups are used to control access to log files and the security policy, respectively.

Policy server daemon hosts

Safeguard requires that you choose a host to act as the policy server. This machine will run the pmmasterd daemon and must be available to manage requests for the whole network.

Run the policy server daemon on the most secure and reliable node. To maximize security, ensure the computer is physically inaccessible and carefully isolated from the network.

The policy server requires that the pmmasterd port (TCP/IP port 12345, by default) is available, and that Sudo Plugin hosts joined to the policy server are able to communicate with the policy server on this network port.

You can run multiple policy servers for redundancy and stability. Safeguard automatically selects an available policy server if more than one is on the network. For now, choose one machine to run pmmasterd. See pmmasterd for more information.

Check Sudo version

Ensure that hosts running the Sudo Plugin have Sudo 1.8.1 (or later) installed.

If you have multiple instances of Sudo, update the PATH environment variable to ensure Safeguard for Sudo uses the correct version.

Installing the Safeguard packages

After you make sure your primary policy server host meets the system requirements, you are ready to install the Safeguard packages.

To install the Safeguard packages

  1. From the command line of the host designated as your primary policy server, run the platform-specific installer. For example, run:
    # rpm –-install qpm-server-*.rpm

    The Solaris server has a filename that starts with QSFTpmsrv.

    When you install the qpm-server package, it installs all three Safeguard components on that host: the Safeguard Policy Server, the PM Agent, and the Sudo Plugin.

For details instructions on installing and configuring Privilege Manager for Unix, see the One Identity Privilege Manager for Unix Administration Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating