Install sudo policy server
Endpoint Privilege Management Unix & Linux Sudo Manager, hereinafter Sudo Manager, provides improved management and maintenance of sudo files and data, while leveraging some of the features of Endpoint Privilege Management Unix & Linux without replacing sudo itself.
There are two components to install to use Sudo Manager:
- Sudo Manager policy server
- Sudo Manager plugin client
This section guides you through installing the Sudo Manager policy server.
Sudo Manager installation considerations
Sudo Manager is a non-intrusive software program that does not require kernel reconfiguration, a system reboot, or the replacement of system executable files. The items in this section contain information you should consider when planning your implementation.
Flavor and release definitions
Flavor is a BeyondTrust term that defines a build of a BeyondTrust product, such as Sudo Manager, that is compiled and tested for a certain range of operating system versions and underlying hardware. The README file describes which flavor is the right match for specific combinations of hardware and operating systems in the Release Identifier column. The release identifier is the flavor plus the version of the Sudo Manager distribution.
During installation, the flavor of the distribution you are using will be compared to the flavor required for the operating system and hardware version combination you are installing on. If you believe that you are using the correct version for the machine you are installing on but the installer is returning a flavor mismatch, please contact BeyondTrust Technical Support for assistance.
Interactive versus packaged installation
Sudo policy server
All Sudo Policy Server flavors can be installed by using an interactive program that presents you with a series of options. Your choices determine the details of the installation for a particular host.
The client registration facility can be used to automate the installation of new clients by downloading the default configuration from the primary Policy Server. Options are given default values within the interactive installation, and shared encryption keys are copied over.
For certain flavors, the Sudo Policy Server can be installed by using package installers. Package installers enable you to choose the options once, and then install that configuration of Sudo Policy Server non-interactively on multiple identical hosts. Using package installers also takes advantage of the operating system’s installation management system, which tracks the source of installed files and enables their safe removal.
Sudo Manager clients
The Sudo Manager client is only supported on Linux x86_64. The installation method is the interactive sudomgrinstall program. Package installers are not available.
Note
For more information, see Supported platforms.
Resource overhead
There are no start-up or shutdown programs associated with the Sudo Manager client. From a system resource perspective, a basic Sudo Manager session uses about the same overhead as a telnet session, with additional front-end work for processing the policy security file.
The Sudo Manager Policy Server is the pblighttpd/pbconfigd REST server daemon. The accept, reject, and finish events are logged by the pblogd daemon on a Log Server. These resources are requested by the Sudo Manager plugin client. The REST services are started by a superdaemon and normally run continuously. The pblogd daemon can be started by a superdaemon, or may itself run continuously as a daemon. The superdaemons include systemd, inetd, xinetd, launchd, or SMF, depending on the platform.
On Red Hat based systems at version 7 and later, xinetd is no longer installed by default, since it has been superseded by systemd, which is an init system. The installation program checks whether systemd exists and is functional. If it does, it configures the Sudo Manager daemons to be managed by systemd. If systemd is not present, the installation program checks whether xinetd is installed and running, and displays a warning message if it is not.
Note
The terms monitored task and secured task are interchangeable.
SSL adds some startup overhead for certificate exchange and verification. The encryption overhead is slightly larger than self-contained encryption technologies such as DES because of the use of packet checksums by SSL.
Note
Sudo Manager requires 10 to 50 MB of disk space, depending on the installation options selected.
Installation directories
Sudo Manager is not sensitive about the location of its binary files; you can place them in any convenient directory. However, there are a few points to consider when you are selecting installation directories:
- Online manuals such as user man pages and Sudo Manager documentation should be accessible from every computer to enable users to get online help for Sudo Manager programs.
Default directories
The following table lists Sudo Manager components and their locations. The installation script uses these locations by default, but you can change them during installation. Usually /usr/local/bin is used for user programs and /usr/sbin for administrator and daemon programs, depending on the platform.
Default directories for Sudo Manager components
Directory | Files | Description |
---|---|---|
/etc | pb.key | Encryption key |
/etc | pb.settings | Sudo Manager policy server configuration file |
/etc | pbsudo.settings | Sudo Manager plugin configuration file |
/usr/adm, /var/adm, or /var/log | pb.eventlog | Default event log file |
/usr/adm, /var/adm, or /var/log | pblogd.log | pblogd diagnostic log file |
/usr/sbin | pbdbutil | Utility providing Sudo Manager database maintenance |
/opt/pbul/dbs | pbsvccache.db | |
The default log directory varies by platform to match that platform's conventions. The directories /usr/adm, /var/adm, and /var/log are used interchangeably throughout as the default location of the log files that Sudo Manager generates and uses.
Prefix and suffix installations
The Sudo Manager policy server or Sudo Manager clients do not support prefix and suffix installations.
System file modifications
The Sudo Manager client modifies:
- /etc/sudo.conf to use the Sudo Manager plugin.
- /etc/pam.d/sudo-I, which might be copied from /etc/pam.d/sudo. The necessary libraries and the plugin are installed in /usr/lib/beyondtrust/pb/.
Installation preparation
This section lists the items that you need to plan for and be aware of before beginning your installation.
Pre-installation checks
pbulpreinstall.sh performs some pre-installation checks such as:
- Checks hostname resolution and DNS and name service resolution, and verifies that the default ports are not in use.
- Checks for sufficient disk space.
- Reports technical support-related information such as the operating system, NIC information, gateway, and superdaemon status. If the product is already installed, the roles such as submithost, runhost, Policy Server, logserver, and pbx are reported.
This script has an optional -t argument, which initiates a time verification check. This check simply validates that the host's time is within 60 seconds of the time specified. The time specified must be UTC and in the format 20130827154130, for example as produced by:
date -u '+%Y%m%d%H%M%S'
This script has an optional -f argument, which causes pbulpreinstall.sh to produce machine readable output intended for the installation console.
Prior to installation, the pbulpreinstall.sh script is located in the distribution in the directory powerbroker///install. After installation, this script is installed in the $inst_admin directory (/usr/sbin by default).
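As an added example (not BeyondTrust's pbulpreinstall.sh), the shell functions below reproduce the -t clock check described above: they parse a UTC reference in the YYYYMMDDHHMMSS form and report whether the host clock is within 60 seconds of it. GNU date (for -d) is assumed, and the reference values in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: a stand-alone re-creation of the clock check that
# pbulpreinstall.sh -t performs. This is not BeyondTrust's script.
# The reference time is UTC in the form YYYYMMDDHHMMSS (e.g. 20130827154130);
# the host clock must be within 60 seconds of it.
# Assumes GNU date (-d) to convert the timestamp to epoch seconds.

TOLERANCE_SECONDS=60

# to_epoch YYYYMMDDHHMMSS -> epoch seconds (UTC); returns 2 on a malformed value
to_epoch() {
    ts=$1
    case $ts in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad timestamp '$ts': want 14 digits, YYYYMMDDHHMMSS" >&2; return 2 ;;
    esac
    # Re-shape to "YYYY-MM-DD HH:MM:SS" so date parses it unambiguously.
    iso=$(printf '%s' "$ts" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6/')
    date -u -d "$iso" +%s
}

# skew_seconds REF [NOW_EPOCH] -> absolute difference between the reference
# and the host clock (or a supplied epoch, which makes the check testable)
skew_seconds() {
    ref=$(to_epoch "$1") || return 2
    now=${2:-$(date -u +%s)}
    diff=$((now - ref))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    echo "$diff"
}

# check_time_skew REF [NOW_EPOCH] -> 0 within tolerance, 1 outside, 2 bad input
check_time_skew() {
    skew=$(skew_seconds "$1" "$2") || return 2
    if [ "$skew" -le "$TOLERANCE_SECONDS" ]; then
        echo "OK: host clock is within ${skew}s of $1"
        return 0
    fi
    echo "WARNING: host clock is ${skew}s from $1 (tolerance ${TOLERANCE_SECONDS}s)" >&2
    return 1
}

# Demonstration against the live clock with constructed references: one that
# matches the current time (passes) and one two minutes old (is flagged).
ref_now=$(date -u +%s)
check_time_skew "$(date -u -d "@$ref_now" '+%Y%m%d%H%M%S')" "$ref_now"
check_time_skew "$(date -u -d "@$((ref_now - 120))" '+%Y%m%d%H%M%S')" "$ref_now" \
    || echo "(skew detected as expected)"
```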
Obtain a license validation key
To install the product, you need a license string, which is provided by your sales representative.
Primary License Server hosts perform the license resolution functions and are the only host types that require a license key. For a Policy Server host to accept a task, the Primary License Server must have a current, valid license key. The distribution includes a temporary license key that expires two months after the date of installation.
If installing using pbinstall, the license key may be configured during installation using the License installation menu item. After the installation is complete, the license can also be added using the "pbadmin --lic -u" command.
Obtain root access
Installation requires root access.
Plan hosts
An installation includes several host types, each of which performs specific functions. Prior to installation, determine which host type to place on each machine in your environment.
The software must be installed separately on each machine that will run any host type.
Select license servers
Determine which hosts to use as License Servers, the machines that perform the license resolution functions. These are the only host types that require a license key. They store and maintain the product license, parameters, and usage information.
The first installation becomes the Primary License Server. Subsequent License Server installations obtain their data when the Primary License Server performs synchronization.
Select sudo policy server hosts
Determine which machines to use as sudo Policy Servers. These hosts act as central repositories for the sudoers policy files obtained from sudo client hosts. It is highly recommended that hosts designated as sudo Policy Servers be isolated from regular user activity, to shield policies from users who can elevate their privileges.
Select log hosts
Using a log host to record event and I/O logs is optional. To use this feature, determine which machine to use as the log host and the machines where pblogd will be installed and executed. As with sudo Policy Server hosts, multiple log hosts are recommended to provide redundancy. When there is a log host failover, the log synchronization utilities can be used to resynchronize the log entries.
The load on the log hosts varies with the amount of logging that is performed. I/O logs require greater resources on the log hosts. Additional log hosts can be added to your environment during installation, or afterward as needed.
Enable log synchronization host
Log synchronization enables a log host, or a Policy Server host that is acting as a log host, to participate in log synchronization. Install the log synchronization component on any log host or Policy Server host that may participate in log synchronization. Log synchronization should be installed on each log and Policy Server host if you are installing primary and failover log hosts, or are installing Policy Server hosts that are acting as log hosts.
If log synchronization is used, then one or more machines need to have the ability to initiate log synchronization.
Select sudo hosts (clients)
Determine which sudo hosts in the enterprise will have their sudoers files and generated data managed by Sudo Manager. Sudo on these hosts is configured to use the customized plugin that the installation puts in place.
Select port numbers
You need to decide whether to use the default port numbers or to specify your own. The following default port numbers are used:
Name | Default port |
---|---|
pblogd | 24347 |
pbrestport | 24351 |
If you change the port number defaults, be sure to choose port numbers that do not conflict with those already in use. See /etc/services and, if present and active, review the services NIS map. Port numbers must be non-reserved system ports; the allowed range is 1024 to 65535.
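The rules above (numeric, in the 1024 to 65535 range, and not already claimed in /etc/services) can be checked before pbinstall is run. The function below is an added example, not a BeyondTrust tool; the optional services-file argument and the constructed services file in the demonstration are assumptions added so it can be exercised offline, and the NIS services map is not consulted.

```shell
#!/bin/sh
# Added example (not a BeyondTrust tool): check a port chosen for a component
# against this section's rules: numeric, within 1024..65535, and not already
# assigned to a different service in /etc/services.
# The third argument is an assumption added so a constructed services file can
# be used; the NIS services map is not consulted here.

# check_port NAME PORT [SERVICES_FILE] -> 0 if usable, 1 if not
check_port() {
    name=$1
    port=$2
    services=${3:-/etc/services}

    case $port in
        ''|*[!0-9]*) echo "$name: '$port' is not a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "$name: $port is outside the allowed range 1024-65535" >&2
        return 1
    fi
    [ -r "$services" ] || {
        echo "$name: cannot read $services, skipping the conflict check" >&2
        services=/dev/null
    }
    # services(5) lines look like "name  24347/tcp  [aliases] # comment";
    # take the first non-comment entry that claims this port over TCP.
    owner=$(awk -v p="$port" '$1 !~ /^#/ && $2 == p "/tcp" { print $1; exit }' "$services")
    if [ -n "$owner" ] && [ "$owner" != "$name" ]; then
        echo "$name: $port/tcp is already assigned to '$owner' in $services" >&2
        return 1
    fi
    echo "$name: $port/tcp is usable"
    return 0
}

# check_default_ports [SERVICES_FILE] -> 0 only if both defaults are usable
check_default_ports() {
    rc=0
    check_port pblogd 24347 "$1" || rc=1
    check_port pbrestport 24351 "$1" || rc=1
    return $rc
}

# Demonstration on a constructed services file: the pblogd default is free,
# but a made-up service already holds 24351, so the overall check fails.
tmp=$(mktemp)
printf 'ssh\t22/tcp\nexample-svc\t24351/tcp\t# constructed entry\n' > "$tmp"
check_default_ports "$tmp" || echo "(conflict detected as expected)"
rm -f "$tmp"
```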
Select installation directories
Decide whether to use the default installation directories or to specify your own. Specifying your own installation directories allows for optimization of the local installation.
Select syslog
Use of syslog is optional. Determine if the log host should generate syslog records when system error conditions are encountered.
Select encryption
By default, the product installs with aes-256 encryption. Prior to version 8.0, the default was DES; a large number of encryption technologies are supported.
Firewalls
Sudo Manager can be used in a firewall environment with special configuration.
Use NIS
NIS can be used to provide configuration services for settings. Netgroups can be defined for the Log Host (pblogservers) setting, and NIS can also provide port lookup information for the components. If NIS is running in your environment, consider using netgroups and port definitions.
Verify proper TCP/IP operation
TCP/IP is the communication protocol, so it is essential that TCP/IP be working correctly before installation. Use programs such as ping, netstat, route, or traceroute to verify correct TCP/IP operation among all hosts that will have components installed.
Verify network host information
Ensure that each network host knows the names and addresses of all other network hosts. Network host information is generally stored in the /etc/hosts file on each network host machine or in the NIS maps or DNS files on a server. Each submit host should resolve all of the Policy Server host names correctly. Each Sudo Policy Server host should resolve all log host names correctly. The resolution must work correctly in both directions: name-to-IP address and IP address-to-name.
After installation, the pbbench utility generates warnings for any host name resolution issues on a host where components are installed.
Install sudo policy server
The Sudo Policy Server supports interactive installation methods and package installation methods for its server components.
Note
For more information, see:
- Interactive versus packaged installation for sudo manager policy server: review this to help you decide on the right installation method for your Sudo Manager implementation.
- Basic pbinstall Information: learn more about the pbinstall program.
- Advanced installation instructions using pbinstall: provides in-depth details for the install options.
Install overview
If you are installing Sudo Policy Server using pbinstall, the menu options will look similar to the following table.
- For option 9, Install sudo Policy Server?, enter yes. If Registry Name Service is enabled, you are also required to install the Registry Name Services Server. Review the section noted in the information box for more details.
Opt | Description | [Value] |
---|---|---|
1 | Install Everything Here (Demo Mode)? | [no] |
2 | Install License Server? | [no] |
3 | Install Registry Name Services Server? | [no] |
4 | Install Client Registration Server? | [no] |
5 | Install Policy Server Host? | [yes] |
6 | Allow Policy & Log Caching? | [no] |
7 | Enable Role Based Policy? | [no] |
8 | Install Run Host? | [yes] |
9 | Install Submit Host? | [yes] |
11 | Install PBSSH? | [yes] |
12 | Install sudo Policy Server? | [yes] |
13 | Install Log Host? | [yes] |
14 | Enable Logfile Tracking and Archiving? | [yes] |
15 | Is this a Log Archiver Storage Server? | [no] |
16 | Is this a Log Archiver Database Server? | [no] |
17 | Install File Integrity Monitoring Polic... | [no] |
18 | Install REST Services? | [yes] |
19 | List of License Servers | [*] |
55 | sudo policy database file path and filename? | [/opt/pbul/dbs/pbsudo.db] |
56 | Directory location for sudo policy files? | [/opt/pbul/sudoersdir] |
- Choose your options.
- Use the c navigation command to continue the installation.
- A prompt asks if you want to view the install script. Enter n.
Important
This option is intended for troubleshooting by BeyondTrust Technical Support. The generated install script contains thousands of lines of code.
- A prompt asks if you want to install the product now. Enter y.
The pbinstall install script executes and installs components on this machine.
Upgrades and Reinstallations
The Sudo Policy Server installers are designed to enable easy upgrades of an installed version to a new version. During an upgrade, the current configuration can be retained, or a new Sudo Policy Server configuration can be put in place.
Sudo Policy Server installation scripts pbinstall and pbmakeremotetar can also be used to perform upgrades and reinstallations.
Pre-upgrade instructions
Before performing an upgrade or reinstallation, do the following:
- Obtain the new release, either on a CD or using FTP.
- Read the release notes and installation instructions.
- Determine the order for updating the Policy Server host machines. If your current installation includes Policy Server host failover machines, consider upgrading the Policy Server host failover machines first, followed by the submit hosts and run hosts, and then the primary Policy Server hosts.
Note
The settings files on the Policy Server hosts may need to be updated as each Policy Server host is upgraded.
- If your current installation includes one or more Policy Server host failover machines, then ensure that the security policy files on the primary Policy Server host and the Policy Server host failover machines are synchronized.
- Verify the current location of the administration programs, user programs, and log files. This information is in the pb.cfg file (/etc/pb.cfg or pb/install/pb.cfg.{flavor}) and the settings file, /etc/pb.settings.
- If you do not have a recent backup of the host, or if it is imperative that no log entries can be lost, then create a save directory (for example, /var/tmp/pb.{rev_rel}) that can be used to restore Sudo Policy Server files from in case the upgrade fails. After creating the directory, copy (do not use move) the files that are listed below to the new save directory (a shell script can be created to copy the necessary files).
Sudo Policy Server files for all host types |
---|
/etc/services |
/etc/pb.settings |
/etc/pb.cfg (and pb.cfg.* on older installations) |
/etc/pb.key (if encryption is in use on the system) |
pb* log files (typically in /var/adm, /var/log or /usr/adm) |
Files for Sudo Policy Server |
---|
Database files (contents of databasedir, which defaults to /opt/pbul/dbs) |
/etc/inetd.conf (or your xinetd, launchd, or SMF configuration file) |
Any event log or I/O log files to save |
Sudo Policy Server Log Server files |
---|
/etc/inetd.conf (or your xinetd, launchd, or SMF configuration file) |
Any event log or I/O log files to save |
Sudo Policy Server GUI Host files |
---|
/etc/inetd.conf (or your xinetd, launchd, or SMF configuration file) |
- Determine in which directories to install the new log files, administration programs, and user programs. If you chose different directories for the Sudo Policy Server programs, you might need to update the path variable for the root user and other users.
- Be aware that users cannot submit monitored task requests while Sudo Policy Server updates are in progress. Consider writing a Sudo Policy Server configuration policy file that rejects all users from executing pbrun and echoes a print statement to their screen, informing them that a Sudo Policy Server upgrade is in progress.
- Sudo Policy Server releases are always upward-compatible when encryption is not used. We recommend that you perform an uninstall if a release is replaced by a Sudo Policy Server version older than v2.8.1.
- If you use an encrypted settings file and intend to do an upgrade or reinstall, then the unencrypted version of the settings file needs to be restored before performing an upgrade or reinstall; otherwise, the settings file cannot be read.
- If you have a previous installation of Sudo Policy Server for v5.1 or earlier and your encryption is set to none, then when you install Sudo Policy Server v5.2, all the encryption options (options 98 through 103) will be set to none. You can change these options during installation.
Note
For more information on changing these options, see Step-by-Step Instructions for a Basic Installation Using pbinstall.
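The save-directory step in the pre-upgrade list above suggests a shell script that copies (never moves) the listed files to a location such as /var/tmp/pb.{rev_rel}. The script below is an added example of one, not a BeyondTrust script; the optional root-prefix argument and the constructed rehearsal tree are assumptions added so it can be tested without touching a live host.

```shell
#!/bin/sh
# Added example, not a BeyondTrust script: copy (never move) the files listed
# in this section into a save directory so a failed upgrade can be rolled back.
# The second argument is an assumption added for rehearsal: a root prefix under
# which etc/, var/ and opt/ live (empty means the real filesystem root).

# save_pb_files SAVE_DIR [ROOT] -> 0 if pb.settings was saved, 1 otherwise
save_pb_files() {
    save_dir=$1
    root=${2:-}
    db_dir=opt/pbul/dbs          # default databasedir from the tables above

    mkdir -p "$save_dir" || return 1
    chmod 700 "$save_dir"        # pb.key and the settings file are sensitive
    saved=0

    # Fixed files from the tables, pb.cfg.* on older installations, and the
    # pb* log files from whichever platform log directory holds them.
    for pattern in etc/services etc/pb.settings etc/pb.cfg 'etc/pb.cfg.*' \
                   etc/pb.key etc/inetd.conf \
                   'var/adm/pb*' 'var/log/pb*' 'usr/adm/pb*'; do
        for src in "$root"/$pattern; do
            [ -f "$src" ] || continue          # skips unmatched globs too
            rel=${src#"$root"/}
            mkdir -p "$save_dir/$(dirname "$rel")"
            cp -p "$src" "$save_dir/$rel" && saved=$((saved + 1))
        done
    done

    # The database directory is copied as a tree, contents only.
    if [ -d "$root/$db_dir" ]; then
        mkdir -p "$save_dir/$db_dir"
        cp -pR "$root/$db_dir/." "$save_dir/$db_dir/" && saved=$((saved + 1))
    fi

    if [ ! -f "$save_dir/etc/pb.settings" ]; then
        echo "WARNING: no pb.settings found under ${root:-/}; nothing useful saved" >&2
        return 1
    fi
    echo "saved $saved item(s) under $save_dir"
    return 0
}

# On a live host the call would be, with REV_REL set to the release being replaced:
#   save_pb_files "/var/tmp/pb.$REV_REL"
# Rehearsal on a constructed tree so nothing under /etc is read or written.
demo=$(mktemp -d)
mkdir -p "$demo/root/etc" "$demo/root/var/log"
echo 'constructed settings' > "$demo/root/etc/pb.settings"
echo 'constructed event log' > "$demo/root/var/log/pb.eventlog"
save_pb_files "$demo/save" "$demo/root"
rm -rf "$demo"
```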
pbinstall install upgrades
To upgrade or reinstall Sudo Policy Server with the same configuration as the currently installed version, run pbinstall in batch mode:
./pbinstall -b
If you perform a reinstall of an older version, be aware that the older version may not have the same features as the newer version. In this case, the upgrade process discards the configuration of the features that are not available in the older version of Sudo Policy Server. When you upgrade to the newer version, make sure to configure the newer features when running pbinstall.
To change the configuration of Sudo Policy Server during the upgrade or reinstall, run pbinstall in interactive mode:
./pbinstall
The present configuration is read into pbinstall. Make the desired configuration changes and then use the c command to continue. pbinstall then installs Sudo Policy Server with the new configuration.
Note
For step-by-step instructions for using pbinstall, see Step-by-Step Instructions for a Basic Installation Using pbinstall.
Post-upgrade instructions
If you want to encrypt your settings file after upgrading Sudo Policy Server, then save a copy of the unencrypted file (for future upgrades) and re-encrypt the settings file.