Chat now with support
지원 담당자와 채팅

Privilege Manager for Sudo 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration Upgrade Privilege Manager for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Privilege Manager Variables Privilege Manager programs Installation Packages Unsupported Sudo Options Privilege Manager for Sudo Policy Evaluation

Policy servers are failing

The primary and secondary policy servers must be able to communicate with each other and the remote hosts must be able to communicate with the policy servers in the policy group.

For example, if you run pmpluginloadcheck on a Sudo Plugin host to determine that it can communicate with other policy servers in the group, you might get output similar to the following:

++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]

There are several possible reasons for failure:

  • Policy server host is down
  • Network outage
  • Service not running on policy server host

Sudo command is rejected by Privilege Manager for Sudo

Privilege Manager for Sudo might reject a sudo command. For example, let us assume you ran the following command:

$ sudo id

and received output similar to the following:

<user> is not in the sudoers file. This incident will be reported. 
Request rejected by Privilege Manager

There are several things you can do to troubleshoot this issue.

To troubleshoot why a sudo command is rejected

Run the following from the policy server:

  1. To ensure the user has permission, run the following as a sudo administrator.
    # sudo –U <username> -l
  2. To check that the policy is located at /etc/opt/quest/qpm4u/policy/sudoers is the current version, run:
    # pmpolicy masterstatus

    NOTE: In the output, ensure that Current Revision and Latest Trunk Revision have the same number and Locally modified is "No".

  3. To ensure the user has permission to run the command, check the /etc/opt/quest/qpm4u/policy/sudoers file and verify the user’s (or group’s) permissions:
    # cat /etc/opt/quest/qpm4u/policy/sudoers
  4. To verify that the policy server is working properly, enter:
    # pmsrvcheck

    This command returns output similar to:

    testing policy server [ Pass ]

    From the command line, enter:

    # pmsrvinfo

    This command returns output similar to:

    Policy Server Configuration: 
    ---------------------------- 
       Privilege Manager version : 6.0.0 (0nn) 
       Listening port for pmmasterd daemon  : 12345 
       Comms failover method                : random 
       Comms timeout(in seconds)            : 10 
       Policy type in use                   : sudo 
       Group ownership of logs              : pmlog 
       Group ownership of policy repository : pmpolicy 
       Policy server type                   : primary 
       Primary policy server for this group : Myhost1 
       Group name for this group            : Myhost1.example.com 
       Location of the repository           : file:
                           ////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk 
       Hosts in the group : Myhost1 
Related Topics

pmpolicy

pmsrvcheck

pmsrvinfo

Sudo policy is not working properly

If your sudo policy is not working as expected, use these troubleshooting steps:

  1. To verify the version of sudo on your host:
    # sudo –V
  2. To verify that the Sudo Plugin host is joined to the policy server, run:
    # pmplugininfo
  3. To see what commands the user is allowed to run:
    # sudo –l –U <username>

    This command returns output similar to:

    Matching Defaults entries for testuser on this host: 
          log_output 
    User testuser may run the following commands on this host: 
          (ALL) /opt/quest/bin/
  4. On the policy server, use the pmpolicy utility for managing the Privilege Manager for Sudo security policy.
    1. To verify that you have the correct version of the policy, run:
      # pmpolicy masterstatus

      NOTE: Ensure that Locally modified in the output is No.

    2. To update the version of the policy, run:
      # pmpolicy sync
    3. To verify there are no syntax errors in the policy, run:
      # pmpolicy checkout –d <dir>
  5. On the Sudo Plugin host, use the pmpolicyplugin utility to display the revision status of the cached security policy on this host or to request an update from the central repository.
    1. To verify that you have the correct version of the policy on the Sudo Plugin host, run
      # pmpolicyplugin

      NOTE: Use the -g option to update the local cached security policy with the latest revision on the central repository (equivalent to pmpolicy sync on a server).

Related Topics

pmplugininfo

pmpolicy

pmpolicyplugin

Privilege Manager Variables

This appendix provides detailed information about the variables that may be present in event log entries:

관련 문서