Installation Preparation

This section lists the items that you need to plan for and be aware of before beginning your installation.

Pre-installation Checks

pbulpreinstall.sh performs some pre-installation checks such as:

  • Checks hostname resolution, DNS, and name services resolution, and verifies that the default ports are not in use.
  • Checks for sufficient disk space.
  • Reports technical support-related information such as the Operating System, NIC information, gateway, and super daemon status. If Sudo Manager is already installed, the roles such as submithost, runhost, Policy Server, logserver, and pbx are reported.

This script has an optional -t <datetime in UTC> argument, which initiates a time verification check. This check validates that the host's time is within 60 seconds of the time specified. The time must be given in UTC in the format 20130827154130, as produced by:

date -u '+%Y%m%d%H%M%S'

This script has an optional -f argument, which causes pbulpreinstall.sh to produce machine readable output intended for the BeyondInsight for Unix & Linux installation console.

Prior to installation, the pbulpreinstall.sh script is located in the Sudo Manager distribution in the directory powerbroker/<version>/<flavor>/install. After installation, the script is installed in the $inst_admin directory (/usr/sbin by default).
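The two checks above that are easiest to misjudge are the -t clock-skew check and the default-port check. The following is an added example, not BeyondTrust's pbulpreinstall.sh, that re-implements both so you can see exactly what "within 60 seconds" and "port not in use" mean; the port numbers are the page's defaults, and the `now` parameter accepts a stamp string only so the check can be exercised offline.

```python
# Added example, not BeyondTrust's pbulpreinstall.sh: the -t UTC time-skew check and
# the default-port-in-use check described above, re-implemented for illustration.
import errno
import socket
from datetime import datetime, timezone

DEFAULT_PORTS = {"pblogd": 24347, "pbrestport": 24351}  # the page's default ports
STAMP_FORMAT = "%Y%m%d%H%M%S"  # 20130827154130, as produced by date -u '+%Y%m%d%H%M%S'
MAX_SKEW_SECONDS = 60

def _parse_utc(stamp):
    return datetime.strptime(stamp, STAMP_FORMAT).replace(tzinfo=timezone.utc)

def clock_skew_seconds(reference_stamp, now=None):
    """Seconds between the -t value and the host clock; `now` may be a stamp string."""
    host_now = _parse_utc(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    return abs((host_now - _parse_utc(reference_stamp)).total_seconds())

def port_in_use(port, host="0.0.0.0"):
    """Probe by trying to bind; EADDRINUSE means another service owns the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # e.g. EACCES on a reserved port is a real error, not "free"
    return False

def reserve_port(host="127.0.0.1"):
    """Open a listener on an ephemeral port so the probe can be demonstrated."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]

def preinstall_report(reference_stamp=None, ports=DEFAULT_PORTS, now=None):
    """Return the problems the script would report as strings; empty means clean."""
    problems = []
    if reference_stamp is not None:
        skew = clock_skew_seconds(reference_stamp, now)
        if skew > MAX_SKEW_SECONDS:
            problems.append("clock skew %.0fs exceeds %ds" % (skew, MAX_SKEW_SECONDS))
    for name, port in ports.items():
        if not 1024 <= port <= 65535:  # must be a non-reserved port
            problems.append("%s port %d is outside 1024-65535" % (name, port))
        elif port_in_use(port):
            problems.append("%s port %d is already in use" % (name, port))
    return problems
```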

Obtain a License Validation Key

To install Sudo Manager, you need a license string, which is provided by your BeyondTrust sales representative.

Endpoint Privilege Management for Unix and Linux Primary License Server hosts perform the license resolution functions for Sudo Manager and are the only Sudo Manager host types that require a license key. For a Policy Server host to accept a task, the Primary License Server must have a current valid license key. The distribution includes a temporary license key with a two-month expiration date from the date of the installation.

If installing using pbinstall, the license key may be configured during installation using the Sudo Manager License installation menu item. After the installation is complete, the Sudo Manager license can also be added using the "pbadmin --lic -u" command.

Obtain root Access

Installing Sudo Manager requires root access.

Plan Sudo Manager Hosts

A Sudo Manager installation includes several host types, each of which performs specific functions. Prior to installation, determine which host type needs to be placed on each machine in your environment.

Sudo Manager must be installed separately on each machine that will run any type of Sudo Manager host.

Select License Servers

Determine which hosts to use as License Servers, the machines that perform the license resolution functions for Sudo Manager. These hosts are the only types that require a license key. They store and maintain the product license, parameters, and usage information.

The first installation of Sudo Manager becomes the Primary License Server. Subsequent License Server installations will obtain their data when the Primary License Server performs synchronization.

Select Sudo Policy Server Hosts

Determine which machines to use as sudo Policy Servers for Sudo Manager. These hosts act as central repositories of the sudoers policy files obtained from sudo client hosts. It is highly recommended that hosts designated as sudo Policy Servers are isolated from regular user activity, to shield the policies from users who can elevate their privileges.

Select Log Hosts

Using a log host to record event and I/O logs is optional. To use this feature, determine which machine to use as the Sudo Manager log host and the machines where pblogd will be installed and executed. As with sudo Policy Server hosts, multiple log hosts are recommended to provide redundancy. When there is a log host failover, the log synchronization utilities in Sudo Manager can be used to resynchronize the log entries.

The load on the log hosts varies with the amount of logging that is performed. I/O logs require greater resources on the log hosts. Additional log hosts can be added to your environment during installation, or afterward as needed.

Enable Log Synchronization Host

The log synchronization component enables a log host, or a Policy Server host that is acting as a log host, to participate in log synchronization. Install it on any log host or Policy Server host that may participate. If you are installing primary and failover log hosts, or Policy Server hosts that act as log hosts, install log synchronization on each of those hosts.

If log synchronization is used, then one or more machines need to have the ability to initiate log synchronization.

Select Sudo Hosts (Clients)

Determine which sudo hosts in the enterprise will have their sudoers files and generated data managed by Sudo Manager. Sudo on these hosts will be configured to use the customized plugin that Sudo Manager will install.

Select Port Numbers

You need to decide whether to use the Sudo Manager default port numbers or to specify your own. Sudo Manager uses the following default port numbers:

pblogd 24347
pbrestport 24351

If you decide to change the port number defaults, be sure to choose port numbers that do not conflict with those already in use. See /etc/services. Also, if present and active, review the services NIS map. Sudo Manager port numbers must use the non-reserved system ports. The allowed port numbers are 1024 to 65535.

Select Installation Directories

Decide whether to use the Sudo Manager default installation directories or to specify your own. Specifying your own installation directories allows you to optimize the Sudo Manager installation for the local system.

Select Syslog

Use of syslog is optional. Determine if the log host should generate syslog records when system error conditions are encountered.

Select Encryption

By default, Sudo Manager installs with aes-256 encryption (prior to version 8.0, the default was DES), but it supports a large number of encryption technologies.

Prior to selecting which encryption technology you plan to use, please see the Endpoint Privilege Management for Unix and Linux Administration Guide.

Firewalls

Sudo Manager can be used in a firewall environment with special configuration.

If you are installing Sudo Manager into an environment where the components need to communicate across firewalls, please see the Endpoint Privilege Management for Unix and Linux Administration Guide.

Use NIS

Endpoint Privilege Management for Unix and Linux can use NIS to provide configuration services for Sudo Manager settings. Netgroups can be defined for the Log Host (pblogservers) settings. NIS can also be used to provide port lookup information for the Sudo Manager components. If NIS is running in your environment, consider using Sudo Manager netgroups and port definitions.

Verify Proper TCP/IP Operation

Endpoint Privilege Management for Unix and Linux uses TCP/IP as its communication protocol. Therefore, it is essential that TCP/IP be working correctly before Sudo Manager installation. Use programs such as ping, netstat, route, or traceroute to verify correct TCP/IP operation among all hosts that will have Sudo Manager components installed.

Verify Network Host Information

Ensure that each network host knows the names and addresses of all other network hosts. Network host information is generally stored in the /etc/hosts file on each network host machine or in the NIS maps or DNS files on a server. Each submit host should resolve all of the Policy Server host names correctly. Each Sudo Policy Server host should resolve all log host names correctly. The resolution must work correctly in both directions: name-to-IP address and IP address-to-name.

After installation, the pbbench utility generates warnings for any host name resolution issues on a host where components are installed.
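The requirement that resolution works in both directions is the one that most often fails in practice (an A record without a matching PTR, or a PTR that names a different host). The following is an added example, not BeyondTrust's pbbench, that performs the name-to-address-to-name round trip for each peer a host must reach; the resolver callables default to the system resolver and can be swapped for the constructed sample tables, which are example data, not real hosts.

```python
# Added example, not BeyondTrust's pbbench: verifies the two-way resolution the page
# requires (name -> address -> same name) for every peer a host must reach. Resolver
# callables default to the system resolver or can be swapped for constructed tables.
import socket

def _forward(name):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def _reverse(addr):
    return socket.gethostbyaddr(addr)[0]

def table_lookup(table):
    """Build a resolver over a dict; misses raise OSError like the real resolver."""
    def lookup(key):
        if key not in table:
            raise socket.gaierror("unknown: %s" % key)
        return table[key]
    return lookup

# Constructed sample maps (not real hosts): log1's PTR differs only in case and a
# trailing dot (acceptable), bad1's PTR names another host, noptr has no PTR at all.
SAMPLE_FORWARD = {"policy1.example.com": ["192.0.2.10"], "log1.example.com": ["192.0.2.20"],
                  "bad1.example.com": ["192.0.2.30"], "noptr.example.com": ["192.0.2.40"]}
SAMPLE_REVERSE = {"192.0.2.10": "policy1.example.com", "192.0.2.20": "LOG1.example.com.",
                  "192.0.2.30": "other.example.com"}

def _same_name(a, b):
    return a.lower().rstrip(".") == b.lower().rstrip(".")

def check_round_trip(name, forward=_forward, reverse=_reverse):
    """Return problems for `name`; an empty list means resolution works both ways."""
    try:
        addrs = forward(name)
    except OSError as e:
        return ["%s: forward lookup failed (%s)" % (name, e)]
    problems = []
    for addr in addrs:
        try:
            back = reverse(addr)
        except OSError as e:
            problems.append("%s -> %s: reverse lookup failed (%s)" % (name, addr, e))
            continue
        if not _same_name(back, name):
            problems.append("%s -> %s -> %s: names do not match" % (name, addr, back))
    return problems

def check_peers(peers, forward=_forward, reverse=_reverse):
    """Check every peer a host must reach; return only those with problems."""
    return {p: r for p in peers if (r := check_round_trip(p, forward, reverse))}
```

Run it on a submit host with the Policy Server names, and on each Policy Server with the log host names, to reproduce the warnings pbbench would raise after installation.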