Safeguard for Sudo might reject a sudo command. For example, let us assume you ran the following command:
$ sudo id
and received output similar to the following:
<user> is not in the sudoers file. This incident will be reported.
Request rejected by Safeguard
There are several things you can do to troubleshoot this issue.
To troubleshoot why a sudo command is rejected
Run the following from the policy server:
# sudo –U <username> -l
# pmpolicy masterstatus
In the output, ensure that Current Revision and Latest Trunk Revision have the same number and Locally modified is "No".
# cat /etc/opt/quest/qpm4u/policy/sudoers
# pmsrvcheck
This command returns output similar to:
testing policy server [ Pass ]
From the command line, enter:
# pmsrvinfo
This command returns output similar to:
Policy Server Configuration: ---------------------------- Safeguard version : 7.1.1.0 (0nn) Listening port for pmmasterd daemon : 12345 Comms failover method : random Comms timeout(in seconds) : 10 Policy type in use : sudo Group ownership of logs : pmlog Group ownership of policy repository : pmpolicy Policy server type : primary Primary policy server for this group : Myhost1 Group name for this group : Myhost1.example.com Location of the repository : file: ////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk Hosts in the group : Myhost1
If your sudo policy is not working as expected, use these troubleshooting steps:
# sudo –V
# pmplugininfo
# sudo –l –U <username>
This command returns output similar to:
Matching Defaults entries for testuser on this host: log_output User testuser may run the following commands on this host: (ALL) /opt/quest/bin/
# pmpolicy masterstatus
Ensure that Locally modified in the output is No.
# pmpolicy sync
# pmpolicy checkout –d <dir>
# pmpolicyplugin
Use the -g option to update the local cached security policy with the latest revision on the central repository (equivalent to pmpolicy sync on a server).
This appendix provides detailed information about the variables that may be present in event log entries:
See also Profile Variables for additional information about policy profile variables.
The following predefined global variables are initialized from the submit-user’s environment.
Variable | Data type | Description |
---|---|---|
alertkeymatch | sting | The pattern matched by pmlocald. |
argc | integer | Number of arguments in the request. |
argv | list | List of arguments in the request. |
client_parent_pid | integer | Process ID of the client's parent process. |
client_parent_uid | integer | User ID associated with the client's parent process. |
client_parent_procname | string | Process name of a client's parent process. |
clienthost | string | Originating login host. |
command | string | Pathname of the request. |
cwd | string | Current working directory. |
date | string | Current date. |
day | integer | Current day of month as integer. |
dayname | string | Current day of the week. |
domainname | string | The Active Directory domain name for the submit user if Authentication Services is configured. |
env | list | List of submit user’s environment variables. |
false | integer | Constant value. |
FEATURE_LDAP | integer | Read-only constant used with feature_enabled() function. |
FEATURE_VAS | integer | Read-only constant used with feature_enabled() function. |
gid | integer | Group ID of the submitting user’s primary group on sudo host. |
group | string | Submit user’s primary group. |
groups | list | Submit user’s secondary groups. |
host | string | Host destined to run the request. |
hour | integer | Current hour. |
masterhost | sting | Host on which the master process is running. |
masterversion | string | Safeguard version of masterhost. |
minute | integer | Current minute. |
month | integer | Current month. |
nice | integer | nice value of the submit user’s login. |
nodename | string |
Hostname of the sudo client. |
integer |
Contains the parameter for the last argument or empty string. | |
integer |
Determines whether to display errors from the getopt functions. | |
integer |
Contains the current argument list index. Use with getopt functions. | |
string |
Contains the letter of the last option that had an issue. Use with getopt functions. | |
boolean |
Restarts the getopt functions from the beginning. | |
boolean |
Lets getopt_long() recognize non-compliant argument parameter forms. | |
pid | integer | Process ID of the master process. |
pmclient_type | integer | The type of client that sent the request. |
pmclient_type_pmrun | integer | Read-only constant for pmrun type clients. |
pmclient_type_sudo | integer | Read-only constant for sudo type clients. |
pmshell | integer | Identifies a Privilege Manager for Unix shell program. |
pmshell_builtin | integer | A constant value that identifies a shell builtin command. |
pmshell_cmd | integer | Identifies a command run from a Privilege Manager for Unix shell program. |
pmshell_cmdtype | integer | Identifies type of a shell subcommand. |
pmshell_exe | integer | A constant value that identifies a normal executable command. |
pmshell_interpreter | integer | Identifies the program directive of a shell script. |
pmshell_prog | string | Name of the Privilege Manager for Unix shell program. |
pmshell_script | integer | A constant value that identifies a shell script. |
pmshell_uniqueid | string | uniqueid of the Privilege Manager for Unix shell program. |
pmversion | string | SafeguardPrivilege Manager for Unix version string of client. |
ptyflags | string | Identifies ptyflags of the request. |
requestlocal | integer | Indicates if the request is local. |
requestuser | string | User that the submit user wants to run the request. |
string |
Controls the maximum memory that is available to a process. | |
string |
Controls the maximum size of a core file. | |
string |
Controls the maximum size CPU time of a process. | |
string |
Controls the maximum size of data segment of a process. | |
string |
Controls the maximum size of a file. | |
string |
Control the maximum number of file locks for a process. | |
string |
Controls the maximum number of bytes of virtual memory that can be locked. | |
string |
Controls the maximum number of files a user may have open at a given time. | |
string |
Controls the maximum number of processes a user may run at a given time. | |
string |
Controls the maximum size of the resident set (number of virtual pages resident at a given time) of a process. | |
string |
Controls the maximum size of the process stack. | |
samaccount | string | The sAMAccountName for the submit user if Authentication Services is configured. |
integer |
Identifies whether a client is running an SELinux environment. | |
status | integer | Exit status of the most recent system command. |
submithost | string | Name of the submit host. |
submithostip | string | IP address of the submit host. |
thishost | string | The value of the thishost setting in pm.settings on the client. |
time | string | Current time of request. |
true | integer | Read-only constant with a value of 1. |
ttyname | string | ttyname of the submit request. |
string |
Name of the time zone on the server at the time the event was read from the event log by pmlog. | |
uid | integer | User ID of the submitting user on host. |
umask | integer | umask of the submit user. |
unameclient | list | Uname output on host. |
list |
Unameoutput on policy server host. | |
uniqueid | string | Uniquely identifies a request in the event log. |
use_rundir | string | Contains the value "!~!" and represents the runuser’s home directory on the runhost. |
use_rungroup | string | Contains the value "!g!" and represents the runuser’s primary group on the runhost. |
use_rungroups | string | Contains the value "!G!" and represents the runuser’s secondary group list on the runhost. |
use_runshell | string | Contains the value "!!!" and represents the runuser’s login shell on the runhost. |
user | string | Submit user. |
integer |
Year of the request (YY). |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center