Safeguard for Sudo 7.2.3
Release Notes
21 April 2023, 11:06
These release notes provide information about the One Identity Safeguard for Sudo release.
Topics:
About this release
Safeguard for Sudo helps Unix/Linux organizations take privileged account management through Sudo to the next level: with a central policy server, centralized management of Sudo and sudoers, centralized reporting on sudoers and elevated rights activities, and event and keystone logging of activities performed through Sudo. With Safeguard for Sudo, One Identity provides a plug-in to Sudo 1.8.1 (and later) to make administering Sudo across a few, dozens, hundreds, or thousands of Unix/Linux servers easy, intuitive, and consistent. It eliminates the box-to-box management of Sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach delivers the ability to report on the change history of the sudoers policy file.
Safeguard for Sudo 7.2.3 is a patch release that includes Resolved issues.
NOTE: Beginning with version 7.0, Safeguard for Sudo supports only Linux-based systems for Safeguard policy servers.
End of support notice
After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021.
As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.
The following is a list of issues addressed in this release.
Table 1: Resolved issues
|
pmsrvconfig --unconfig asks for the removal of the pm.settings file.
sudo /opt/quest/sbin/pmsrvconfig --unconfig will ask the user to delete the pm.settings file. |
280111 |
|
The commands pmjoin and pmsrvconfig will now recommend installing the security module selinux automatically if SELinux is in enforced or permissive mode. |
306219 |
|
Resolved a database contention issue on the policy server that caused the following error message: Event log storage library returned an error: database is locked
When a Safeguard for Sudo plugin client connects to a policy server, the name of the sudoers policy file that is used gets recorded in a database on the policy server. These database transactions were creating contention with the log server daemon (pmlogsrvd), which updates the database at the same time. A change was made to have pmlogsrvd perform the sudoers policy name update instead, eliminating the database contention. |
330778 |
|
Resolved an issue where unjoined clients were not removed from the license database.
Clients that were joined to a policy server could end up having multiple entries in the license database. This prevented the client from being fully removed at unjoin time as well as the client being listed multiple times in the output of pmlicense -uf and pmlicense -us. The pmlicence -R command can be used to remove these phantom entries if necessary after upgrading. |
385800 |
|
Invalid offline log files are now moved to a quarantine directory on the client instead of being transferred to the policy server repeatedly. |
405557 |
|
Packages do not ship sysv init script anymore on distributions where systemd is used.
Previously we shipped both sysv and systemd service files. This change was introduced to avoid issues observed on Suse and SLES where systemd-sysv compatibility is enforced and broken on default installations, preventing the service to get enabled. |
409691 |
|
Resolved an issue that prevented the configuration of Safeguard for Sudo on RHEL 9 when the SELinux policy module from the Safeguard Authentication Services client package was also installed.
The issue occurred because the SELinux policy module from the Safeguard Authentication Services client package included rules that installed the files of Safeguard for Sudo with incorrect security contexts. This prevented the successful configuration of the product on RHEL 9 when SELinux was in enforcing mode.
The issue was solved by updating the SELinux policy for Safeguard for Sudo to include rules that explicitly label the package files with the proper security contexts. |
414363 |
The following table provides a list of supported platforms for Safeguard for Sudo clients.
NOTE: Beginning with version 7.2.3, Safeguard for Sudo supports only Linux-based systems for Safeguard policy servers.
Table 2: Linux supported platforms — server and plugin
|
Amazon Linux |
AMI, 2 |
x86_64 |
|
CentOS Linux |
6, 7, 8, 9 |
Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
|
Debian |
Current supported releases |
x86_64, x86, AARCH64 |
|
Fedora Linux |
Current supported releases |
x86_64, x86, AARCH64 |
|
OpenSuSE |
Current supported releases |
x86_64, x86, AARCH64 |
|
Oracle Enterprise Linux (OEL) |
6, 7, 8, 9 |
Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
|
Red Hat Enterprise Linux (RHEL) |
6, 7, 8, 9 |
Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
|
SuSE Linux Enterprise Server (SLES)/Workstation |
11 SP4, 12, 15 |
Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
|
Ubuntu |
Current supported releases |
x86_64, x86, AARCH64 |
Table 3: Unix and Mac supported platforms — plugin
|
Apple MacOS |
10.15 or later |
x86_64, ARM64 |
|
FreeBSD |
12.x, 13.x |
x32, x64 |
|
HP-UX |
11.31 |
PA, IA-64 |
|
IBM AIX |
6.1 TL9, 7.1 TL3, 7.2 |
Power 4+ |
|
Oracle Solaris |
10 8/11 (Update 10), 11.x |
SPARC, x64 |
Before installing Safeguard 7.2.3, ensure that your system meets the following minimum hardware and software requirements.
NOTE: Beginning with version 7.2.3, Safeguard for Sudo supports only Linux-based systems for Safeguard policy servers.
Table 4: Hardware and software requirements
| Operating systems |
See Supported platforms to review a list of platforms that support Safeguard clients. |
| Disk space |
80 MB of disk space for program binaries and manuals for each architecture.
Considerations:
- At a minimum, you must have 80 MB of free disk space. The directories in which the binaries are installed must have sufficient disk space available on a local disk drive rather than a network drive. Before you install Safeguard, ensure that the partitions that will contain /opt/quest have sufficient space available.
-
Sufficient space for the keystroke logs, application logs, and event logs. The size of this space depends on the number of servers, the number of commands, and the number of policies configured.
-
The space can be on a network disk drive rather than a local drive.
- The server hosting Safeguard must be a separate machine dedicated to running the pmmasterd daemon.
|
| SSH software |
You must install and configure SSH client and server software on all policy server hosts.
You must also install SSH client software on all hosts that will use the Sudo Plugin.
You must enable access to SSH as the root user on the policy server hosts during configuration of the policy servers. Both OpenSSH 4.3 (and later) and Tectia SSH 6.4 (and later) are supported. |
| Processor |
Policy Servers: 4 cores |
|
RAM |
Policy Servers: 8GB |
Table 5: Primary policy server and host system installation requirements
| Primary Policy Server |
- Supported Unix or Linux operating system
- SSH (ssh-keyscan binary)
|
|
Host System |
- Supported Unix, Linux, or macOS platform
- SSH (ssh-keyscan binary)
- Sudo 1.8.1 (or later)
|
Upgrade and compatibility
Safeguard for Sudo supports a direct upgrade installation from versions 2.0 and higher. The Safeguard software in this release is provided using platform-specific installation packages. For more information on upgrading, see the One Identity Safeguard for Sudo Administration Guide.
One Identity recommends that:
- You upgrade your policy server (Master) systems before Sudo plugins, and that a policy server is run at the same or higher level than Sudo plugins.
- All policy server systems and Sudo plugins are upgraded to the latest version to take advantage of all new features.
The upgrade process will create symbolic links to ensure that your existing paths function correctly.
