Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Safeguard for Sudo 7.2.1 - Administration Guide

Table of Contents

Introducing Safeguard for Sudo

Features and benefits of Safeguard for Sudo How Safeguard for Sudo works

Planning Deployment

System requirements

Supported platforms Reserve special user and group names Required privileges

Estimating size requirements Safeguard licensing Deployment scenarios

Single host deployment Medium business deployment Large business deployment

Installation and Configuration

Download Safeguard for Sudo software packages Verifying package signature Configure a Primary Policy Server

Checking the server for installation readiness

TCP/IP configuration Hosts database Reserve special user and group names Policy server daemon hosts Check Sudo version

Installing the Safeguard packages

Adding directories to PATH environment

Configuring the Safeguard for Sudo Primary Policy Server

Configuring additional policies on a policy server Safeguard for Sudo Server Configuration Settings

Join hosts to policy group

Joining Sudo Plugin to Policy Server

Joining Sudo Plugin to policy server using a non-default policy

Swap and install keys

Configure a secondary policy server

Installing secondary servers Configuring a secondary server

Synchronizing policy servers within a group

Install Sudo Plugin on a remote host

Checking Sudo Plugin Host for installation readiness Installing a Sudo Plugin on a remote host Joining a Sudo Plugin to a primary policy server Verifying Sudo Plugin configuration Load balancing on the client

Remove configurations

Uninstalling the Safeguard software packages Uninstalling Safeguard for Sudo on macOS

Upgrade Safeguard for Sudo

Before you upgrade Upgrading Safeguard packages

Upgrading the server package Upgrading the Sudo Plugin package

Removing Safeguard packages

Removing the server package Removing the Sudo Plugin package

System Administration

Reporting basic policy server configuration information Checking the status of the master policy Checking the policy server Checking policy server status Checking the Sudo Plugin configuration status Installing licenses

Displaying license usage

Listing policy file revisions Viewing differences between revisions Backup and recovery

Managing Security Policy

Security policy types Specifying security policy type The sudo type policy Viewing the security profile changes Managing policies in Git

Prerequisites for Git policy management

Administering Log and Keystroke Files

Configuring keystroke logging for Safeguard for Sudo policy

Validating Sudo commands

Event logging Keystroke (I/O) logging

Audit server logging

Configuration options

Viewing the log files using command line tools Listing event logs Backing up and archiving event and keystroke logs

Supported sudo plugins

Configuring a sudo approval plugin Configuring a sudo audit plugin

Troubleshooting

Enabling sudo policy debug logging Enabling tracing for Sudo Plugin Join fails to generate a SSH key for sudo policy Join to policy group failed on Sudo Plugin Load balancing and policy updates Policy servers are failing pmgit Troubleshooting

Setting alert for syntactically incorrect policies Automatic synchronization failed Failed to push references to Git URL

Sudo command is rejected by Safeguard for Sudo Sudo policy is not working properly

Safeguard Variables

Global input variables

argc argv client_parent_pid client_parent_uid client_parent_procname clienthost command cwd date day dayname domainname env false gid group groups host hour masterhost masterversion minute month nice nodename optarg opterr optind optopt optreset optstrictparameters pid pmclient_type pmclient_type_pmrun pmclient_type_sudo pmversion ptyflags requestlocal requestuser rlimit_as rlimit_core rlimit_cpu rlimit_data rlimit_fsize rlimit_locks rlimit_memlock rlimit_nofile rlimit_nproc rlimit_rss rlimit_stack samaccount selinux status submithost submithostip thishost time true ttyname tzname uid umask unameclient uniqueid user year

Global output variables Global event log variables

event exitdate exitstatus exittime

PM settings variables

Safeguard programs

pmauditsrv pmcheck pmgit

pmgit subcommands

pmgit export pmgit Import pmgit Enable pmgit Disable pmgit Update pmgit Set pmgit Status pmgit Help

pmjoin_plugin pmkey pmlicense pmloadcheck pmlog pmlogadm pmlogsearch pmlogsrvd pmlogxfer pmmasterd pmplugininfo pmpluginloadcheck pmpolicy pmpolicyplugin pmpoljoin_plugin pmpolsrvconfig pmremlog pmreplay

Navigating the log file

pmresolvehost pmserviced pmsrvcheck pmsrvconfig pmsrvinfo pmsum pmsysid

Installation Packages

Package locations Installed files and directories

Unsupported Sudo Options

Unsupported command line sudo options Behavioral change Unsupported Sudoers policy options Unsupported Sudoers directives

Safeguard for Sudo Policy Evaluation

Policy servers are failing

Troubleshooting > Policy servers are failing

The primary and secondary policy servers must be able to communicate with each other and the remote hosts must be able to communicate with the policy servers in the policy group.

For example, if you run pmpluginloadcheck on a Sudo Plugin host to determine that it can communicate with other policy servers in the group, you might get output similar to the following:

++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]

There are several possible reasons for failure:

Policy server host is down
Network outage
Service not running on policy server host

pmgit Troubleshooting

Troubleshooting > pmgit Troubleshooting

This section describes common issues that may occur when using pmgit. Follow the instructions to troubleshoot pmgit operation.

Setting alert for syntactically incorrect policies

Troubleshooting > pmgit Troubleshooting > Setting alert for syntactically incorrect policies

Since policy edits are not locally bound to the policy server when using Git policy management, syntactically incorrect policies can enter the Git repository. To address such cases, set an alert from the policy server to warn you if the policy is incorrect.

As an administrator, you can use your own alert script which pmgit tool can call if the policy syntax checking returns an error message after the synchronization between the Git policy repository and the SVN policy repository.

If an alert script is configured, the pmgit tool calls it with 2 parameters:

Email address from the last Git commit
Error message from the syntax check

Sample script

This is a sample script in bash which sends the error message to the user who initiated the last commit.

#!/bin/bash

email_address="$1"
shift
error_msg="$@"
				
/usr/sbin/sendmail -F "noreply" "${email_address}" <<EOF
subject:pmgit error
				
Syntax error occured in one of the policy files:
"${error_msg}"
EOF

To set pmgit tool to send alert messages based on your alert script, see pmgit Set.

Automatic synchronization failed

Troubleshooting > pmgit Troubleshooting > Automatic synchronization failed

Error

After a successful Git policy management configuration and automatic update interval setting, Syslog sends the error message:

pmgit: Failed to fetch <Git:_URL>.: Permission denied, please try again. <user>@<host>: Permission denied (publickey,password)

Cause

You have not configured Git for passwordless authentication.

Effect

Automatic synchronization between Git and SVN is not working because pmgit update cannot run in the background due to a password prompt.

Solution

Configure Git to allow Git operations from the policy server towards the remote repository.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center