Sudo Manager Policy Server

Sudo Manager Policy Server is the central repository of the sudoers policy files. We highly recommend that hosts designated as Sudo Manager Policy Servers be isolated from regular user activity to shield policies from users that can elevate their privileges.

Whenever Sudo Manager is installed on a sudo client host, a copy of the sudoers file, and any included policy files, are sent via encrypted file transfer to Sudo Manager Policy Server where they are imported into a SQLite database. Subsequently, whenever sudo runs on a sudo client host, it ensures that it has the latest copy of the file(s) from Sudo Manager Policy Server. This centralization of the sudoers files gives you better control over the integrity and consistency of the policies to be used across your organization. Modification of policy files is made against a singular location, with tools to check out a file from the Policy Server’s database and to check it back in when edits are done. The policy changes are automatically distributed to appropriate hosts when the file gets pulled down at each sudo invocation at the target host, or by on-demand request.

Install Sudo Manager Policy Server

Sudo Manager Policy Server is installed using the pbinstall program.

When you run pbinstall, answer yes to the install menu:

Install Sudo Policy Server?

tempfilepath defines a temporary path to be used as the temporary filesystem for PMUL binaries. The default is set as /tmp. At install time, if pbinstall is invoked, using -t <tempdir> option, tempfilepath is set to <tempdir>. lockfilepath defines a lock file path for PMUL binaries as needed. The default is /opt/pbul/locks.

For more information, please see the Privilege Management for Unix and Linux Installation Guide.

Create an Appid and Appkey

The installation program for the Sudo Manager Policy Server creates an application ID (appid) and application key (appkey), which are used during the client registration of Sudo Manager hosts. The appid and appkey can be manually created:

# pbdbutil --rest -g appid
{ "appid":"934bbab5-503e-4c40-8486-90c748142431"}

Create a Registration Profile

When installing the Sudo Manager Policy Server, a default profile sudodefault is created by pbinstall and the file /etc/pbsudo.settings.default is generated. When installing Sudo Manager on sudo hosts, this sudodefault profile, in conjunction with the aforementioned appid and appkey, can be used during the required client registration portion of the installation. However, you can also create your own registration profile. First, create the /etc/pbsudo.settings.<name> (where name is a name to identify this specific sudo settings file). This file will be used in your registration profile and should contain the following settings that you need to copy from /etc/pb.settings:

  • restkeyencryption
  • pbrestport
  • submitmasters
  • transparentfailover
  • logport
  • logservers
  • logserverdelay
  • logserverprotocoltimeout
  • randomizelogservers
  • minoutgoingport
  • maxoutgoingport
  • networkencryption
  • enforcehighsecurity
  • ssl
  • ssloptions
  • sslengine
  • sslcountrycode
  • sslprovince
  • ssllocality
  • sslorgunit
  • sslorganization
  • registrynameservice
  • sslengine
  • sslpbruncipherlist
  • pbsudofailovertimeout
  • pbsudorefresh
  • pbsudofailover

Create the registration profile by running the following command on the Sudo Manager Policy Server as root:

# pbdbutil --reg -u '{"name":"<profile_name>","data": [{"type":"save","to":"/etc/pbsudo.settings","fname":"/etc/pbsudo.settings.<na me>"},{"type":"save","sname":"networkencryption"},
{"type":"save","sname":"restkeyencryption"},
{"type":"save","sname":"sslservercertfile"}]}'

Add the pbsudo.settings.<name> to the configuration database by running:

# pbdbutil --cfg -l /etc/pbsudo.settings.<name>

Configure Sudo Manager Policy Server

After the installation, the configuration file /etc/pb.settings is created for Sudo Manager Policy Server. The file /etc/pbsudo.settings.default is also created, to be used when registering a Sudo Manager client host with this Policy Server.

The following settings keywords are added to the /etc/pb.settings:

sudoersdb

The filename and location of the SQLite database where the sudoers files are stored.

sudoersdb /mypath/pbsudo.db

Default

sudoersdb /opt/<prefix>pbul<suffix>/dbs/pbsudo.db

sudoersdir

The absolute path of the directory which Sudo Manager Policy Server will use to export and import sudoers file. Sudoers and included files can be checked out, edited, and checked in using the existing mechanism in pbdbutil, within the --sudo option.

sudoersdir /mypath/sudoersdir

Default

sudoersdir /opt/<prefix>pbul<suffix>/sudoersdir