Install Sudo Policy Server
Privilege Management for Unix and Linux Sudo Manager, hereinafter Sudo Manager, provides improved management and maintenance of sudo files and data, while leveraging some of the features of Privilege Management for Unix and Linux without replacing sudo itself.
There are two components to install to use Sudo Manager:
- Sudo Manager policy server
- Sudo Manager plugin client
This section guides you through installing the Sudo Manager policy server.
Sudo Manager Installation Considerations
Sudo Manager is a non-intrusive software program that does not require kernel reconfiguration, a system reboot, or replacement of system executable files. The items in this section contain information you should consider when planning your implementation.
For more detailed information about Sudo Manager, please see the Privilege Management for Unix and Linux Sudo Manager Administration Guide.
Flavor and Release Definitions
Flavor is a BeyondTrust term that defines a build of a BeyondTrust product, such as Sudo Manager, that is compiled and tested for a certain range of operating system versions and underlying hardware. The README file describes which flavor is the right match for specific combinations of hardware and operating systems in the Release Identifier column. The release identifier is the flavor plus the version of the Sudo Manager distribution.
During installation, the flavor of the distribution you are using will be compared to the flavor required for the operating system and hardware version combination you are installing on. If you believe that you are using the correct version for the machine you are installing on but the installer is returning a flavor mismatch, please contact BeyondTrust Technical Support for assistance.
Sudo Policy Server
All Sudo Policy Server flavors can be installed by using an interactive program that presents you with a series of options. Your choices determine the details of the installation for a particular host.
The client registration facility can be used to automate the installation of new clients by downloading the default configuration from the primary Policy Server. Options are defaulted within the interactive installation, and shared encryption keys are copied over.
For certain flavors, the Sudo Policy Server can be installed by using package installers. Package installers enable you to choose the options once, and then install that configuration of Sudo Policy Server non-interactively on multiple identical hosts. Using package installers also takes advantage of the operating system’s installation management system, which tracks the source of installed files and enables their safe removal.
Sudo Manager Clients
The Sudo Manager client is only supported on Linux x86_64. The installation method is through the interactive sudomgrinstall program. Package installers are not available.
For more information, please see Supported Platforms.
No start-up or shutdown programs are associated with the Sudo Manager client. From a system resource perspective, a basic Sudo Manager session uses about the same overhead as a telnet session with additional front-end work for processing the policy security file.
The Sudo Manager Policy Server is the pblighttpd/pbconfigd REST server daemon. The accept, reject and finish events are logged by the pblogd daemon on a Log Server. These resources are requested by the Sudo Manager plugin client. The REST services are started by a superdaemon, and normally run continuously. The pblogd daemon can be started by a superdaemon, or may itself run continuously as a daemon. The superdaemons include systemd, inetd, xinetd, launchd, or SMF depending on the platform.
For systems based on Red Hat version 7+, xinetd is no longer installed by default since it has been superseded by systemd, which is an init system. The installation program performs a check to see if systemd exists and is functional. If it exists, it configures Sudo Manager daemons to be managed by systemd. If systemd is not present, the installation program checks if xinetd is installed and running and displays a warning message if it is not.
For more information, please see the Privilege Management for Unix and Linux Sudo Manager Administration Guide.
The terms monitored task and secured task are interchangeable.
SSL adds some startup overhead for certificate exchange and verification. The encryption overhead is slightly larger than self-contained encryption technologies such as DES because of the use of packet checksums by SSL.
Sudo Manager requires 10 to 50 MB of disk space, depending on the installation options selected.
Sudo Manager is not sensitive about the location of its binary files; you can place them in any convenient directory. However, there are a few points to consider when you are selecting installation directories:
- Online manuals such as user man pages and Sudo Manager documentation should be accessible from every computer to enable users to get online help for Sudo Manager programs.
The following table lists Sudo Manager components and their locations. The installation script uses these locations by default, but you can change them during installation. Usually /usr/local/bin is used for user programs and /usr/sbin for administrator and daemon programs, depending on the platform.
Default Directories for Sudo Manager Components
Encryption Key, Sudo Manager policy server config file, Sudo Manager plugin config file
|/usr/adm, /var/adm, or /var/log||pb.eventlog||Default event log file|
|/usr/adm, /var/adm, or /var/log||pblogd.log||pblogd diagnostic log file|
|/usr/sbin||pbdbutil||Utility providing Sudo Manager database maintenance.|
The default log directory varies by platform to match that platform’s conventions. The directories /usr/adm, /var/adm, and /var/log are used interchangeably throughout as the default location of the database files generated and used by Sudo Manager log files.
Prefix and Suffix Installations
Neither the Sudo Manager policy server nor the Sudo Manager clients support prefix and suffix installations.
System File Modifications
The Sudo Manager client modifies:
- /etc/sudo.conf to use the Sudo Manager plugin.
- /etc/pam.d/sudo-I, which might be copied from /etc/pam.d/sudo.
The necessary libraries and plugin are installed in /usr/lib/beyondtrust/pb/.
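One way to confirm the /etc/sudo.conf change after a client install, and to notice if it is later reverted, is to list the Plugin lines and where each path points. This is an added example, not BeyondTrust code; it assumes the plugin is referenced by an absolute path under /usr/lib/beyondtrust/pb/, and the plugin symbol and file names in the sample are hypothetical.

```shell
#!/bin/sh
# Added example: report which plugins a sudo.conf file loads and from where.
PB_PLUGIN_DIR="/usr/lib/beyondtrust/pb/"   # install directory named on this page

# list_plugins FILE: print "symbol path" for each active Plugin line.
# Strips comments and joins lines continued with a trailing backslash.
list_plugins() {
    awk '
        { line = buf $0; buf = "" }
        line ~ /\\$/ { buf = substr(line, 1, length(line) - 1); next }
        {
            sub(/#.*/, "", line)
            n = split(line, f, " ")
            if (n >= 3 && f[1] == "Plugin") print f[2], f[3]
        }' "$1"
}

# audit_sudo_conf FILE: prefix each plugin with where its path points.
audit_sudo_conf() {
    list_plugins "$1" | while read -r sym path; do
        case "$path" in
            */../*)            echo "SUSPECT $sym $path" ;;    # traversal in path
            "$PB_PLUGIN_DIR"*) echo "PB $sym $path" ;;         # assumed Sudo Manager location
            /*)                echo "OTHER $sym $path" ;;      # absolute path elsewhere
            *)                 echo "DEFAULTDIR $sym $path" ;; # bare name: sudo's own plugin dir
        esac
    done
}

# pb_plugin_count FILE: number of Plugin lines loading from PB_PLUGIN_DIR.
pb_plugin_count() { audit_sudo_conf "$1" | grep -c '^PB ' || true; }

# write_sample_conf FILE: constructed sample; plugin names are hypothetical.
write_sample_conf() {
    cat > "$1" <<'EOF'
# sudo.conf (constructed sample)
Plugin sudoers_io sudoers.so
#Plugin sudoers_policy sudoers.so
Plugin example_policy \
    /usr/lib/beyondtrust/pb/example_plugin.so   # hypothetical file name
Plugin example_audit /usr/lib/beyondtrust/pb/../other/example.so
EOF
}

tmp=$(mktemp); write_sample_conf "$tmp"; audit_sudo_conf "$tmp"; rm -f "$tmp"
```

On a real host, run `audit_sudo_conf /etc/sudo.conf`; a `pb_plugin_count` of 0 on a machine that should be a Sudo Manager client means sudo is no longer loading anything from that directory.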