Chat now with support
Chat mit Support

Safeguard for Sudo 7.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard for Sudo Variables Safeguard for Sudo programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Setting alert for syntactically incorrect policies

Since policy edits are not locally bound to the policy server when using Git policy management, syntactically incorrect policies can enter the Git repository. To address such cases, set an alert from the policy server to warn you if the policy is incorrect.

As an administrator, you can use your own alert script which pmgit tool can call if the policy syntax checking returns an error message after the synchronization between the Git policy repository and the SVN policy repository.

If an alert script is configured, the pmgit tool calls it with 2 parameters:

  • Email address from the last Git commit

  • Error message from the syntax check

Sample script

This is a sample script in bash which sends the error message to the user who initiated the last commit.

#!/bin/bash

email_address="$1"
shift
error_msg="$@"
				
/usr/sbin/sendmail -F "noreply" "${email_address}" <<EOF
subject:pmgit error
				
Syntax error occured in one of the policy files:
"${error_msg}"
EOF

To set pmgit tool to send alert messages based on your alert script, see pmgit Set.

Automatic synchronization failed

Error

After a successful Git policy management configuration and automatic update interval setting, Syslog sends the error message:

pmgit: Failed to fetch <Git:_URL>.: Permission denied, please try again. <user>@<host>: Permission denied (publickey,password)
Cause

You have not configured Git for passwordless authentication.

Effect

Automatic synchronization between Git and SVN is not working because pmgit update cannot run in the background due to a password prompt.

Solution

Configure Git to allow Git operations from the policy server towards the remote repository.

Failed to push references to Git URL

Error

After export pmgit sends the error message:

# pmgit export --git-url <Git_URL>
Creating backup from SVN repository ...                             [ OK ]
Creating directory for local Git repository ...                     [ OK ]
Cloning SVN ...                                                     [ OK ]
Setting Git remote ...                                              [ OK ]
Push Git repository to remote ...                               [ ERROR ]
   To <Git_URL>
! [rejected]        <Git_branch> -> <Git_branch> (fetch first)
error: failed to push some refs to '<Git_URL>'
Cause

You tried to export to a Git repository which is not empty.

Effect

You are unable to export the policies to that Git repository.

Solution

Create an empty bare repository.

Example

This is an example for creating an empty bare Git repository from command line.

git init --bare <repo_name>.git

Sudo command is rejected by Safeguard for Sudo

Safeguard for Sudo might reject a sudo command. For example, let us assume you ran the following command:

$ sudo id

and received output similar to the following:

<user> is not in the sudoers file. This incident will be reported. 
Request rejected by Safeguard

There are several things you can do to troubleshoot this issue.

To troubleshoot why a sudo command is rejected

Run the following from the policy server:

  1. To ensure the user has permission, run the following as a sudo administrator.

    # sudo -U <username> -l
  2. To check that the policy is located at /etc/opt/quest/qpm4u/policy/sudoers is the current version, run:

    # pmpolicy masterstatus

    In the output, ensure that Current Revision and Latest Trunk Revision have the same number and Locally modified is No.

  3. To ensure the user has permission to run the command, check the /etc/opt/quest/qpm4u/policy/sudoers file and verify the user’s (or group’s) permissions:

    # cat /etc/opt/quest/qpm4u/policy/sudoers
  4. To verify that the policy server is working properly, enter:

    # pmsrvcheck

    This command returns output similar to:

    testing policy server [ Pass ]

    From the command line, enter:

    # pmsrvinfo

    This command returns output similar to:

    Policy Server Configuration: 
    ---------------------------- 
       Safeguard version : 7.3.0 (0nn) 
       Listening port for pmmasterd daemon  : 12345 
       Comms failover method                : random 
       Comms timeout(in seconds)            : 10 
       Policy type in use                   : sudo 
       Group ownership of logs              : pmlog 
       Group ownership of policy repository : pmpolicy 
       Policy server type                   : primary 
       Primary policy server for this group : Myhost1 
       Group name for this group            : Myhost1.example.com 
       Location of the repository           : file:
                           ////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk 
       Hosts in the group : Myhost1 
Related Topics

pmpolicy

pmsrvcheck

pmsrvinfo

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen