サポートと今すぐチャット
サポートとのチャット

Safeguard for Sudo 7.2.1 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard Variables Safeguard programs Installation Packages Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Configuring a sudo approval plugin

Sudo version 1.9 introduced a new plugin API to apply extra restrictions to a command after it has been accepted by the sudoers policy. Safeguard for Sudo supports loading sudo-compatible approval plugins, including those written in Python, on the policy server. You can specify multiple approval plugins in the sudoers file. Safeguard for Sudo currently supports loading up to 8 Python approval plugins at once.

For more information about configuring a C-based approval plugin, see the Sudo Plugin API man page.

Prerequisites

  • Install Sudo version 1.9 or newer.

  • To use plugins written in Python:

To configure a Python-based approval plugin in the sudoers file

To configure the sudoers policy to load the Python-based approval plugin, use the following configuration in the sudoers file:

Defaults plugins += "python_approval python_plugin.so ModulePath=<path> ClassName=<class>"

Where ModulePath is the path to the Python script that the plugin uses, and ClassName denotes what gets called within the plugin.

The following example Python approval plugin only allows users running commands during business hours, that is, from Monday to Friday between 8:00 and 17:59:59.

Defaults plugins += "python_approval python_plugin.so \
			ModulePath=/root/example_approval_plugin.py \
			ClassName=BusinessHoursApprovalPlugin"

Defaults plugins += "python_approval python_plugin.so \
ModulePath=/root/example_approval_plugin.py \
ClassName=BusinessHoursApprovalPlugin"

For a more detailed Python approval plugin example, see the sudo repository on GitHub.

Configuring a sudo audit plugin

Sudo version 1.9 introduced a new plugin API to access audit information. Safeguard for Sudo supports loading sudo-compatible audit plugins, including those written in Python, on the policy server. This can be used in a number of different ways, for example to implement custom logging or to send events from Safeguard for Sudo directly to Elasticsearch or other Logging as a Service providers.

You can specify multiple audit plugins in the sudoers file. Sudo currently supports loading 8 Python audit plugins at once.

For more information about configuring a C-based audit plugin, see the Sudo Plugin API man page.

Prerequisites

  • Install Sudo version 1.9 or newer.

  • To use plugins written in Python:

To configure a Python-based audit plugin in the sudoers file

To configure the sudoers policy to load the Python-based audit plugin, use the following configuration in the sudoers file:

Defaults plugins += "python_audit python_plugin.so ModulePath=<path> ClassName=<class>"

The following example Python audit plugin logs the plugin accept / reject / error results to the output:

Defaults plugins += "python_audit python_plugin.so \
			ModulePath=/root/example_audit_plugin.py \
			ClassName=SudoAuditPlugin"

For a more detailed Python audit plugin example, see the sudo repository on GitHub.

Troubleshooting

To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Safeguard.

Enabling sudo policy debug logging

Debug logs can help you determine if the sudo options are being enabled correctly in the policy.

To enable debug logging for Sudo policy

  1. Add a debug line to the /etc/sudo.conf file. For example, to log debug and trace information to the file /var/log/sudo_debug, add: 
    Debug sudo /var/log/sudo_debug all@debug

For systems without a /var/log directory, use /var/adm/sudo_debug instead.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択