Safeguard for Sudo 7.2.1
Release Notes
07 March 2022, 17:27
These release notes provide information about the One Identity Safeguard for Sudo release.
About this release
Safeguard for Sudo helps Unix/Linux organizations take privileged account management through Sudo to the next level: with a central policy server, centralized management of Sudo and sudoers, centralized reporting on sudoers and elevated rights activities, and event and keystroke logging of activities performed through Sudo. With Safeguard for Sudo, One Identity provides a plug-in to Sudo 1.8.1 (and later) to make administering Sudo across a few, dozens, hundreds, or thousands of Unix/Linux servers easy, intuitive, and consistent. It eliminates the box-to-box management of Sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach delivers the ability to report on the change history of the sudoers policy file.
Safeguard for Sudo 7.2.1 is a patch release that includes Resolved issues.
NOTE: Beginning with version 7.0, Safeguard for Sudo supports only Linux-based systems for Safeguard policy servers.
End of support notice
After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021.
As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.
New features in Safeguard for Sudo 7.2.1:
- Safeguard for Sudo has shipped with OpenSSL shared objects since version 7.0. Due to recent high-severity fixes in the OpenSSL library, the shipped shared objects have been upgraded to version 1.1.1m, which includes the corresponding fixes.
- The text of the End-user license agreement (EULA) has been updated. Users must accept the updated EULA upon installing this product.
The following is a list of issues addressed in this release.
Table 1: Resolved issues
| Resolved issue | Issue ID |
| --- | --- |
| Fixed updating the /etc/services file during policy server configuration. In some cases, after unconfiguring the policy server, the policy server could leave entries belonging to Privilege Manager daemons in the /etc/services file, and the policy server configuration could result in having multiple entries. | 287684 |
| Fixed an issue where orphaned pmmasterd processes hang indefinitely due to a network disconnect. If the policy server disconnects from the network while there is an open sudo session on a client, there is a chance that the pmmasterd process handling that client connection never terminates. This issue has been fixed by enabling the SO_KEEPALIVE socket option on the socket by default. It can be disabled by setting the 'masterkeepalive' configuration option to 'NO' in the pm.settings product configuration file. | 288722 |
| For sudo clients, license validity could be reported wrongly for short time periods. Some tools like "pmplugininfo -v" could report having no license for the product for short periods of time, even if a valid license has previously been installed for the policy server. These wrong messages only affected sudo clients joined to the policy server and not the policy server itself. | 295769 |
| On the relatively new Fedora 35, pmlogsearch failed to return search results. pmlogsearch did not previously support the "protected regular" security hardening option (which is enabled by default on the Fedora 35 server). This caused the tool to fail with an error and return empty search results. | 296543 |
| Fixed an issue where audit trail files stored on the policy server could not be transmitted to an SPS logserver. When the connection between the Safeguard for Sudo policy server and an SPS logserver is interrupted, IO logs are cached on the policy server if the policy server is not in 'enforced' mode. Later on, when the connection is restored, the cached trails can be sent to the SPS logserver by running the pmauditsrv send command. This caused a critical error on the SPS side, the received trails became corrupt, and data loss could happen. | 296550 |
| Linux packages now ship with native service files for systemd. To work on older systems as well, our packages provide sysv init scripts for service maintenance. Newer Linux distributions, however, may not provide compatibility with these by default: some additional packages need to be installed for that (for example, systemd-sysvinit / initscripts). These additional packages are no longer needed. Note that sysv init scripts are still provided, and distributions without systemd remain supported (like RHEL 6). | 298900 |
| Improved git-svn handling. Prior to git-svn 1.8 it is not possible to query the version number without a working repository. To make the user interface more convenient, we postponed the version check until it is necessary. As a result, warnings about missing or incompatible programs are less likely; however, with this change the dependency is less obvious. | 300197 |
| Fixed a race condition between pmmasterd and pmlogsrvd. There is a rare race condition between pmlogsrvd and pmmasterd when they both access the same event in the database. From now on pmlogsrvd detects such a situation and solves the problem by restarting the affected database operation. | 300333 |
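The SO_KEEPALIVE fix for issue 288722, shown as an added example (not One Identity's code): a C program for Linux that enables the option on a TCP socket, reads it back, and computes how long a silent peer can go undetected. The function names and the per-socket timer override are assumptions for illustration and go beyond the page, which states only that SO_KEEPALIVE is enabled.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Enable (on=1) or disable (on=0) SO_KEEPALIVE; returns the value read back, -1 on error. */
int set_keepalive(int fd, int on)
{
    int val = 0;
    socklen_t len = sizeof(val);

    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) != 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &val, &len) != 0)
        return -1;
    return val != 0;
}

/* Assumed addition: per-socket override of the kernel-wide keepalive timers (Linux). */
int set_keepalive_timers(int fd, int idle, int intvl, int cnt)
{
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle)) != 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl, sizeof(intvl)) != 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof(cnt)) != 0)
        return -1;
    return 0;
}

/* Seconds until a silent peer is declared dead: idle + interval * probes. */
long dead_peer_timeout(int fd)
{
    int idle = 0, intvl = 0, cnt = 0;
    socklen_t len = sizeof(int);

    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len) != 0) return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl, &len) != 0) return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, &len) != 0) return -1;
    return (long)idle + (long)intvl * cnt;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    printf("SO_KEEPALIVE enabled: %d\n", set_keepalive(fd, 1));
    printf("dead-peer detection with kernel defaults: %ld s\n", dead_peer_timeout(fd));
    close(fd);
    return 0;
}
```

With the stock Linux settings (7200 s idle, 75 s between probes, 9 probes) the window is 7875 seconds, so on an untuned host an orphaned connection handler can still linger for over two hours before the kernel closes the connection.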
The following table provides a list of supported platforms for Safeguard for Sudo clients.
NOTE: Beginning with version 7.2.1, Safeguard for Sudo supports only Linux-based systems for Safeguard policy servers.
Table 2: Linux supported platforms — server and plugin
| Platform | Version | Architecture |
| --- | --- | --- |
| Amazon Linux | AMI, 2 | x86_64 |
| CentOS Linux | 6, 7, 8 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Debian | Current supported releases | x86_64, x86, AARCH64 |
| Fedora Linux | Current supported releases | x86_64, x86, AARCH64 |
| OpenSuSE | Current supported releases | x86_64, x86, AARCH64 |
| Oracle Enterprise Linux (OEL) | 6, 7, 8 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Red Hat Enterprise Linux (RHEL) | 6, 7, 8 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| SuSE Linux Enterprise Server (SLES)/Workstation | 11 SP4, 12, 15 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Ubuntu | Current supported releases | x86_64, x86, AARCH64 |
Table 3: Unix and Mac supported platforms — plugin
| Platform | Version | Architecture |
| --- | --- | --- |
| Apple MacOS | 10.15 or later | x86_64, ARM64 |
| FreeBSD | 12.x, 13.x | x32, x64 |
| HP-UX | 11.31 | PA, IA-64 |
| IBM AIX | 6.1 TL9, 7.1 TL3, 7.2 | Power 4+ |
| Oracle Solaris | 10 8/11 (Update 10), 11.x | SPARC, x64 |