SUDO MANAGER INSTALLATION GUIDE
This section provides details on installing the Sudo Manager plugin client.
Installation programs
This section describes the Sudo Manager installation programs and their options.
sudomgrinstall
sudomgrinstall is an interactive script that is used to install the client-side component of Sudo Manager. The sudomgrinstall installer program registers the target sudo host and securely transfers the sudoers policy file, along with relevant include files, to the Sudo Manager Policy Server for storage and maintenance. It then lays down Sudo Manager’s customized policy plugin (pbsudomgr.so), hooking it into the sudo front end configuration (sudo.conf), simultaneously deactivating any pre-existing plugins for policy processing.
Syntax
sudomgrinstall [options]
Arguments
Argument | Description |
---|---|
-a architecture | This option and its required argument explicitly specify which Unix or Linux architecture file to install. If the -a option is used, then the installer compares the expected flavor and the flavor that is specified with the -a option and displays a warning if they do not match. |
-b | Runs sudomgrinstall in batch mode. In batch mode, the specified existing or default settings are automatically used. User intervention is not allowed and hit enter prompts are suppressed. This option also invokes -e. |
-c | Perform or skip client registration for automatic configuration. yes (default): perform client registration; required for an initial installation. no: skip client registration and only update local binaries; use only in upgrade scenarios. |
-d | Installs the static pbdemo.key for a fresh install. This keyfile is static and shipped as part of the tar file. Therefore it should only be used for demo purposes and should not be used in production environment. |
-e | Runs sudomgrinstall automatically by bypassing the menu step of sudomgrinstall. Bypassing the sudomgrinstall menu step makes it impossible to change installation options or configurations. |
-C alias | Configures Sudo Manager to create a host alias for this sudo client. |
-J alias | Configures Sudo Manager to join a host alias for this sudo client. |
-U | Automatically upload the sudoers file to the Sudo Policy Server. |
-F | Force sudoers file upload to the Sudo Policy Server. Any existing sudoers file in the repository will be replaced. |
-A appid | Set the Application ID for client registration. |
-K appkey | Set the Application Key for client registration. |
-D host | Set the address of the primary server for client registration. |
-P port | Specify the port of the primary server for client registration. |
-S y|n | Specify y or n to indicate whether Registry Name Service is enabled for your enterprise. |
-t directory | Set the temporary directory to be used during installation. When a temporary directory is defined, TMPDIR is overwritten and the tempfilepath is included in pb.settings. Example: -t /tmp/tempdir |
-h | Prints the usage information for sudomgrinstall and exits. |
-v | Prints sudomgrinstall version information and exits. |
sudomgruninstall
The sudomgruninstall program is an interactive script that is used to uninstall the client-side component of Sudo Manager. The sudomgruninstall program deregisters the target sudo host and removes its sudoers files from the repository maintained at the Sudo Policy Server. It attempts to restore the sudo host to its state prior to installation: the latest sudoers files are retrieved from the Sudo Policy Server and saved back to the original location (e.g., /etc/sudoers); references to the custom Endpoint Privilege Management plugin in the sudo configuration file are removed; and files related to Sudo Manager are uninstalled.
Syntax
sudomgruninstall [options]
Arguments
Argument | Description |
---|---|
-a architecture | This option and its required argument explicitly specify which Unix or Linux architecture file to uninstall. If the -a option is used, then the uninstaller compares the expected flavor and the flavor that is specified with the -a option and displays a warning if they do not match. |
-b | Skip confirmation prompts. |
-P | Preserve local sudoers policy files. During the uninstallation, by default, the latest sudoers file (along with associated include files) are first pulled from the Sudo Policy Server and saved back to the original location on the sudo host. Specifying this option skips this restoration step. After initial installation by sudomgrinstall, the original sudoers files are renamed (with timestamp as a suffix) since the active sudoers files were automatically maintained by Sudo Manager. |
-A appid | Set the Application ID for client registration. |
-K appkey | Set the Application Key for client registration. |
-h | Prints the usage information for sudomgruninstall and exits. |
-v | Prints sudomgruninstall version information and exits. |
Install Sudo Manager sudo clients
Installing Sudo Manager on hosts with sudo allows integration between sudo and Sudo Manager. Sudo clients transfer the sudoers policy to the Sudo Policy Server, and sudo is configured to use the Sudo Manager plugins for policy processing.
When configured for Sudo Manager policy processing, the Sudo Policy Server will store the sudoers policies in the Endpoint Privilege Management sudoers database. When sudo is invoked, the policy plugin will contact the Sudo Policy Server to retrieve the latest sudoers policy for that client. The sudoers policy from the Sudo Policy Server is maintained in a cache on the client for sudo policy processing.
Sudo is configured to use the customized Endpoint Privilege Management plugin that reads the sudoers policy from the client cache database. The Endpoint Privilege Management client will initiate an accept event or a reject event based on the results of the sudoers policy processing.
Supported platforms
Note
For more information, see Supported platforms.
Unix and Linux utilities
The Sudo Manager installer requires the following Unix and Linux utilities and built-in commands:
awk | cut | getopt | ps | sort | unset |
---|---|---|---|---|---|
basename | date | grep | pwd | stty | vi |
cat | diff | id | read | tar | wc |
cd | dirname | kill | rm | tee | xargs |
chmod | df | ls | rmdir | touch | |
chown | echo | mkdir | sed | tr | |
cksum | eval | more | set | trap | |
clear | exec | mv | shift | umask | |
cp | export | od | sleep | uname | |
System file modifications
Endpoint Privilege Management modifies sudo.conf and replaces sudoers_policy and sudoers_audit (for sudo v1.9.1+) plugins with the Sudo Manager plugins:
- Plugin sudoers_policy /usr/lib/beyondtrust/pb/pbsudomgr.so sudoers_file=/etc/sudoers
- Plugin sudoers_audit /usr/lib/beyondtrust/pb/pbsudomgr.so sudoers_file=/etc/sudoers
Prerequisites
The Sudo Manager client requires sudo v1.8.23 or higher installed and properly configured on the host prior to the Endpoint Privilege Management installation. Sudo must be built with shared library support in order to use shared library plugins. Currently Endpoint Privilege Management does not support LDAP-enabled sudo: during the installation, the installer checks whether sudo is configured to use LDAP and, if so, exits with an error.
The Endpoint Privilege Management installation uses the client registration capabilities and requires an Application ID, an Application Key, a Client Profile name, and the hostname and port of a Sudo Manager Policy Server/REST server. The Sudo Manager Policy Server installation automatically creates two related Application IDs and keys, PBSUDOADMIN and PBSUDOREAD, for administration and read-only access respectively. The PBSUDOADMIN Application ID can be used when installing the Endpoint Privilege Management client. Other Application IDs can be used as well, as long as the Application ID has the appropriate administration rights.
If, during the installation or upgrade of the Sudo Manager Policy Server/Log Server, the option Install PBSUDO Policy Server? is set to yes, the install creates a default registration profile, sudodefault, that can be used during the installation of Sudo Manager. The install also creates the file /etc/pbsudo.settings.default, which is stored as /etc/pbsudo.settings in the sudodefault profile.
Although the sudodefault registration profile created by pbinstall on the Policy Server is adequate, you can also create your own registration profile.
Prior to running sudomgrinstall, you need to create an Application ID and Key on the Policy Server.
Run the following command on the Policy Server:
pbdbutil --rest -g <appid>
For example:
# pbdbutil --rest -g sudoappid
{ "appkey":"934bbab5-503e-4c40-8486-90c748142431"}
Make sure you copy the value of the appkey generated in a secure, safe file. This information cannot be retrieved after it is generated.
The sudomgrinstall default install (option -d) can be used to automatically select the default port 24351 and the default profile name sudodefault, and to automatically execute the generated installation script.
Endpoint Privilege Management host aliases (not to be confused with sudoers host aliases) can be used to group sudo client hosts that use the same sudoers policy.
Host aliases can be created on the Policy Server, or during sudomgrinstall. If a host alias is created, and the sudo client host is added to that host alias on the Policy Server prior to installing the client, that client will automatically detect that the alias is to be used.
If the client does not already belong to a host alias, the interactive installation will normally ask whether a host alias should be created or joined. The sudomgrinstall command line option -C can be used to create an alias, and the -J command line option can be used to join an alias (thus skipping the question during interactive installation).
When not using an alias, the first time the sudomgr client is installed on a host, that host's existing sudoers policy file (and any included files) is uploaded to the Policy Server. Subsequent re-installations do not normally re-upload the sudoers files. The -U and -F command line options used together will force re-uploading of the sudoers files.
Installation
Sudo Manager client is provided as a tarball named sudomgr{arch}-{version}.tar.Z.
Prior to running the install script, make sure the path where the sudo binary is located is in the environment variable PATH, and that you can successfully run sudo -V.
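As an added example (not BeyondTrust's code), the following pre-flight script covers the prerequisites stated above and under Prerequisites: sudo reachable in PATH and answering sudo -V, a sudo version of at least 1.8.23, and no LDAP-backed sudoers. It assumes that the first line of sudo -V output reads "Sudo version X.Y.Z", and it treats a sudoers: line naming ldap in /etc/nsswitch.conf as the sign of LDAP-enabled sudo; the installer's own LDAP detection may look elsewhere. The sample sudo -V output and the --run switch are constructed for this example.

```shell
#!/bin/sh
# Pre-flight checks for the Sudo Manager client prerequisites.
# Added example, not part of the Sudo Manager installer. Assumptions: the first
# line of `sudo -V` is "Sudo version X.Y.Z", and an LDAP-backed sudo shows up
# as a "sudoers:" line in nsswitch.conf that lists "ldap".

MIN_SUDO_VERSION="1.8.23"

# version_ge HAVE WANT: succeed (exit 0) if dotted version HAVE >= WANT.
# Missing components count as 0 and a trailing patch tag such as "p3" is
# ignored, so 1.9.13p3 >= 1.9.13 and 1.8 < 1.8.23.
version_ge() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        nh = split(have, h, "."); nw = split(want, w, ".")
        n = (nh > nw) ? nh : nw
        for (i = 1; i <= n; i++) {
            a = h[i] + 0; b = w[i] + 0      # "23p3" + 0 == 23, "" + 0 == 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# sudo_version_from_output TEXT: print the version found in `sudo -V` output.
sudo_version_from_output() {
    printf '%s\n' "$1" | awk '$1 == "Sudo" && $2 == "version" { print $3; exit }'
}

# ldap_sudoers_configured [FILE]: succeed if FILE (default /etc/nsswitch.conf)
# has a "sudoers:" line that names ldap as a source.
ldap_sudoers_configured() {
    f="${1:-/etc/nsswitch.conf}"
    [ -r "$f" ] || return 1
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit found ? 0 : 1 }' "$f"
}

# preflight: run the checks against the live host; print a verdict per check
# and return 0 only if every prerequisite is satisfied.
preflight() {
    rc=0
    if ! command -v sudo >/dev/null 2>&1; then
        echo "FAIL: sudo is not in PATH (sudo -V must work before running sudomgrinstall)"
        return 1
    fi
    ver=$(sudo_version_from_output "$(sudo -V 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "FAIL: could not parse 'sudo -V' output"; rc=1
    elif version_ge "$ver" "$MIN_SUDO_VERSION"; then
        echo "OK:   sudo $ver >= $MIN_SUDO_VERSION"
    else
        echo "FAIL: sudo $ver is older than $MIN_SUDO_VERSION"; rc=1
    fi
    if ldap_sudoers_configured; then
        echo "FAIL: nsswitch.conf lists ldap for sudoers; LDAP-enabled sudo is not supported"; rc=1
    else
        echo "OK:   sudo is not configured for LDAP sudoers"
    fi
    return $rc
}

# Constructed sample `sudo -V` output so the helpers can be exercised without
# touching the host; pass --run to check the live system instead.
SAMPLE_SUDO_V='Sudo version 1.9.13p3
Sudoers policy plugin version 1.9.13p3
Sudoers file grammar version 50'

if [ "${1:-}" = "--run" ]; then
    preflight
else
    v=$(sudo_version_from_output "$SAMPLE_SUDO_V")
    if version_ge "$v" "$MIN_SUDO_VERSION"; then
        echo "sample: sudo $v satisfies the $MIN_SUDO_VERSION minimum"
    fi
fi
```

Run it with --run on the target host before starting sudomgrinstall; without an argument it only exercises the helpers on the constructed sample. It does not test that sudo was built with shared library plugin support.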
As root:
- Create the directory /opt/beyondtrust and cd to that directory.
- Extract the Sudo Manager installation files:
# gunzip -c sudomgr{arch}-{version}.tar.Z | tar xvf -
- Navigate to the install directory:
# cd sudomgr/{version}/pbsudo{arch}-{version}/install
- Start the sudomgrinstall script with the following command:
# ./sudomgrinstall
The sudomgrinstall menu displays options similar to the following:
Client Registration provides a method of automatic configuration based upon a profile provided by your Sudo Manager Policy Server. To use this functionality you will need to know specific parameters from your Sudo Manager Policy Server setup. See the installation guide for details.
- For a new install, enter the Application ID created on the Sudo Manager Policy Server, the Application Key, the name of the host where the Policy Server is installed, the REST port (pbrestport) and the registration profile name (default sudodefault):
Enter the Application ID generated on the Sudo Manager Policy Server: PBSUDOADMIN
Enter the Application Key generated on the Sudo Manager Policy Server: cefd039d-966f-44e2-a2f8-c56804009cfb
Enter the Sudo Manager Policy Server address/domain name for registering clients: host1
Enter the Sudo Manager Policy Server REST TCP/IP port [24351]:
Enter the Registration Client Profile name [sudodefault]:
- After client registration, if the client host is not already a member of a host alias on the Sudo Manager Policy Server, the install asks whether you want to join or create a Host Alias on the Sudo Manager Policy Server for this host:
An Endpoint Privilege Management for Unix and Linux Sudo Manager Host Alias, defined in the Policy Server database, provides a way to group clients that must share a common set of sudoers policies. Would you like to join an existing alias (j), create a new alias (c), or skip creating an alias (s) [s]:
If join is selected, a list of existing aliases is presented. Followed by:
Please enter the Endpoint Privilege Management for Unix and Linux Sudo Manager Host Alias name to join:
If create is selected, the installer prompts for the alias name:
Please enter the Endpoint Privilege Management for Unix and Linux Sudo Manager Host Alias name to create:
If skip (the default) is selected, or if the host alias requires a sudoers policy and the client's sudoers policy cannot be located, the installer prompts for the sudoers location:
Enter the path of the primary sudoers policy [e.g. /etc/sudoers]:
Alternatively, for a fresh install, you can run sudomgrinstall with command line options providing the above values (in batch mode with -b, or in interactive mode, where the command line arguments become the default values for the prompts above). For example:
./sudomgrinstall -A sudoappid -D host1 -K b3d6e2c0-aee6-493f-87a5-d7900d963028 -P 24351 -N sudodefault -S sudo_alias1 -b
- For an upgrade, where the sudoers file does not need to be re-imported, answer no to the prompt:
Do you wish to utilize Client Registration which will overwrite /etc/pbsudo.settings and re-import the sudoers file? [no]?
- A new install copies the files /etc/pb.settings, /etc/pb.key and /etc/pbssl.pem from the Sudo Policy Server to /etc.
It will also import the sudoers file (sudoers and all the included files specified in #includedir and #include) to the Sudoers database on the Sudo Policy Server.
It will then replace the Plugin variables in sudo.conf with Sudo Manager plugins:
- Plugin sudoers_policy /usr/lib/beyondtrust/pb/pbsudomgr.so sudoers_file=/etc/sudoers
- Plugin sudoers_audit /usr/lib/beyondtrust/pb/pbsudomgr.so sudoers_file=/etc/sudoers
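A post-install verification of the sudo.conf change described here and under System file modifications, as an added example (this is not part of the Sudo Manager installer). It relies only on sudo.conf's "Plugin symbol path [args]" line syntax and the plugin path shown above; the constructed sample files and the --run switch are this example's own. The check confirms that sudoers_policy (and, on sudo 1.9.1+, sudoers_audit) is bound to pbsudomgr.so and that neither symbol is still bound to another shared object, which would mean a pre-existing policy plugin was not deactivated.

```shell
#!/bin/sh
# Verify that sudo.conf hands policy (and, on sudo 1.9.1+, audit) processing
# to the Sudo Manager plugin. Added example, not BeyondTrust's code.

PBSUDOMGR_SO="/usr/lib/beyondtrust/pb/pbsudomgr.so"

# check_sudo_conf FILE REQUIRE_AUDIT: exit 0 if FILE has
#   Plugin sudoers_policy $PBSUDOMGR_SO ...
# and, when REQUIRE_AUDIT is 1 (the default), also
#   Plugin sudoers_audit $PBSUDOMGR_SO ...
# and neither symbol is also bound to a different shared object.
# Problems are printed one per line; comments and blank lines are ignored.
check_sudo_conf() {
    awk -v want="$PBSUDOMGR_SO" -v need_audit="${2:-1}" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "Plugin" && ($2 == "sudoers_policy" || $2 == "sudoers_audit") {
            if ($3 == want) { ok[$2] = 1 }
            else { printf("%s still bound to %s (line %d)\n", $2, $3, NR); bad = 1 }
        }
        END {
            if (!("sudoers_policy" in ok)) { print "sudoers_policy is not " want; bad = 1 }
            if (need_audit == 1 && !("sudoers_audit" in ok)) { print "sudoers_audit is not " want; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# sudoers_file_from_conf FILE: print the sudoers_file= value passed to the
# sudoers_policy plugin, so it can be compared with the policy the client
# uploaded (the installer writes sudoers_file=/etc/sudoers).
sudoers_file_from_conf() {
    awk '$1 == "Plugin" && $2 == "sudoers_policy" {
             for (i = 4; i <= NF; i++) if (sub(/^sudoers_file=/, "", $i)) { print $i; exit }
         }' "$1"
}

# Constructed samples: the state sudomgrinstall leaves behind (first) and a
# host where the stock sudoers policy plugin was left in place (second).
SAMPLE_GOOD='# sudo.conf after sudomgrinstall
Plugin sudoers_policy /usr/lib/beyondtrust/pb/pbsudomgr.so sudoers_file=/etc/sudoers
Plugin sudoers_audit /usr/lib/beyondtrust/pb/pbsudomgr.so sudoers_file=/etc/sudoers
Plugin sudoers_io sudoers.so'

SAMPLE_STALE='Plugin sudoers_policy sudoers.so
Plugin sudoers_audit /usr/lib/beyondtrust/pb/pbsudomgr.so sudoers_file=/etc/sudoers'

# write_sample TEXT: write a constructed sample to a temp file and print its
# path (the caller removes it).
write_sample() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

if [ "${1:-}" = "--run" ]; then
    check_sudo_conf /etc/sudo.conf 1 &&
        echo "sudo.conf: Sudo Manager plugin active, policy file $(sudoers_file_from_conf /etc/sudo.conf)"
else
    good=$(write_sample "$SAMPLE_GOOD")
    check_sudo_conf "$good" 1 && echo "sample: OK, policy file $(sudoers_file_from_conf "$good")"
    stale=$(write_sample "$SAMPLE_STALE")
    check_sudo_conf "$stale" 1 || echo "sample: stale configuration detected"
    rm -f "$good" "$stale"
fi
```

Pass 0 as the second argument on sudo releases older than 1.9.1, where no sudoers_audit plugin line is expected; with --run the script reads the live /etc/sudo.conf.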
Sudo Manager client uninstall
Sudo Manager client can be uninstalled by running sudomgruninstall located in the sudomgr/{version}/sudomgr{arch}-{version}/install directory.
Running sudomgruninstall will remove all files installed and remove pbsudomgr.so plugins from sudo.conf.
The sudomgruninstall program will normally restore the current sudoers policy (and included policy files) from the Sudo Policy Server and, if not using a host alias, remove the sudoers from the Sudo Policy Server's database. The -P command line option can be used to skip this step, thus preserving any local files.
Note
If there are no local files (sudomgruninstall renames the original), this option will leave sudo in an unusable state.
Example of a sudomgruninstall:
BeyondTrust Endpoint Privilege Management Installation Removal
Exporting latest /etc/pbsudo.settings from /etc/pb.db
This script will remove Endpoint Privilege Management for Unix and Linux Sudo Manager programs and files from the system.
Hit return to continue
Trying /etc/pbsudo.settings
Updating policy files:
/etc/sudoers
Removing PBUL plugin definitions (if any) from /etc/sudo.conf.
Removing plugin definitions (if any) from /etc/sudo.conf.
Removing /usr/sbin/pbdbutil...
Moving /etc/pb.rest.key to /tmp/beyondtrust_pbinstall
Moving /opt/pbul/dbs/pbsvccache.db to /tmp/beyondtrust_pbinstall
BeyondTrust Endpoint Privilege Management for Unix and Linux Sudo Manager Installation Removal was successful
Endpoint Privilege Management for Unix and Linux Sudo Manager configuration files and logs were moved to /tmp/beyondtrust_pbinstall for removal