Chatta subito con l'assistenza
Chat con il supporto

Safeguard for Sudo 7.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard for Sudo Variables Safeguard for Sudo programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Troubleshooting

To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Safeguard for Sudo.

Enabling sudo policy debug logging

Debug logs can help you determine if the sudo options are being enabled correctly in the policy.

To enable debug logging for Sudo policy

  1. Add a debug line to the /etc/sudo.conf file. For example, to log debug and trace information to the file /var/log/sudo_debug, add:

    Debug sudo /var/log/sudo_debug all@debug

For systems without a /var/log directory, use /var/adm/sudo_debug instead.

Enabling tracing for Sudo Plugin

Since the Sudo Plugin is not a program, the /tmp/pmplugin.ini file needs be manually created in order to enable tracing for the Sudo Plugin itself.

To create the .ini file to enable tracing for the Sudo Plugin

  1. Run the following as root:

    printf 'FileName=/tmp/pmplugin.trc\nLevel=0xffffffff\n' > /tmp/pmplugin.ini
  2. Once you have finished getting the trace output you need, remove the /tmp/pmplugin.ini file to disable tracing.

Join fails to generate a SSH key for sudo policy

If you attempt to join a Sudo Plugin host and see a ssh-keyscan failure message similar to this:

** Generate ssh key [FAIL] 
   - failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known

You might be using an unresolvable, short host name (as myhost in the above example) instead of the fully qualified domain name.

To workaround this issue, add the domain to the search line in the /etc/resolv.conf file.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione