
Safeguard for Sudo 2.0 - Administrators Guide


Displaying Profile-Based Policy Debug Information


To view debug information for profile-based policy, set the value for the pf_tracelevel variable either globally in global_profile.conf, or in an individual profile.

To set the pf_tracelevel variable in the profile

  1. Enable the pf_tracelevel option. For example:
    # Variable: pf_tracelevel: Enables tracing/debugging output at different levels: 
    # 1:show reason for reject, 2: verbose output, 3: show debug trace 
    pf_tracelevel=2;
  2. To view the trace output, run a command with pmrun, like this:
    $ pmrun id 
    ******************************************************************** 
    ** Quest Privilege Manager for Unix Version 6.0.0 (006) ** 
    ** This request is being authorized on master :<HostName> 
    ** User "luser" has submitted a request from host "<HostName>" 
    ** to run the command "id" 
    ******************************************************************** 
       User : luser 
       Host : <HostName> 
       Command : id 
    * Check profile:profiles/admin.profile 
    ** Profile:admin does not match user 
    ** Profile:admin does not match UNIX group 
    ** Profile:admin does not match AD group list 
    * Check profile:profiles/demo.profile 
    ** Validate command:id 
    ** Profile:demo cmd[0] matches command:id Request accepted by the "demo" profile 
    
    All interactions with this command will be recorded in the file: 
       /var/opt/quest/qpm4u/iolog/demo/luser/id_20121023_1038_qu3zcf 
    
    Executing "id" as user "root" ... 
    ******************************************************************************** 
    
    uid=0(root) gid=0(root) groups=0(root)
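The trace above answers "which profile accepted this request, and why did the others reject it?" but only if someone reads it line by line. As an added example (not part of the guide or the product), the following Python parser reduces pf_tracelevel=2 output to that verdict plus the keystroke-log path; the line formats are taken from the sample above and the input is a constructed copy of it.

```python
import re
# Constructed sample of pmrun output at pf_tracelevel=2; hostname placeholder kept as in the guide.
SAMPLE_TRACE = """\
** User "luser" has submitted a request from host "<HostName>"
** to run the command "id"
* Check profile:profiles/admin.profile
** Profile:admin does not match user
** Profile:admin does not match UNIX group
** Profile:admin does not match AD group list
* Check profile:profiles/demo.profile
** Validate command:id
** Profile:demo cmd[0] matches command:id Request accepted by the "demo" profile

All interactions with this command will be recorded in the file:
   /var/opt/quest/qpm4u/iolog/demo/luser/id_20121023_1038_qu3zcf
"""

USER_RE = re.compile(r'^\*\* User "([^"]+)" has submitted')
CMD_RE = re.compile(r'^\*\* to run the command "([^"]+)"')
REJECT_RE = re.compile(r'^\*\* Profile:(\S+) does not match (.+)$')
ACCEPT_RE = re.compile(r'Request accepted by the "([^"]+)" profile')
IOLOG_MARK = "will be recorded in the file:"

def parse_trace(text):
    # Returns: user, command, {profile: [rejection reasons]}, accepting profile, iolog path.
    s = {"user": None, "command": None, "rejections": {}, "accepted_by": None, "iolog": None}
    want_path = False
    for raw in text.splitlines():
        line = raw.strip()
        if want_path and line:                 # the iolog path is on the line after the marker
            s["iolog"], want_path = line, False
        elif IOLOG_MARK in line:
            want_path = True
        elif m := USER_RE.match(line):
            s["user"] = m.group(1)
        elif m := CMD_RE.match(line):
            s["command"] = m.group(1)
        elif m := REJECT_RE.match(line):       # one line per failed match criterion
            s["rejections"].setdefault(m.group(1), []).append(m.group(2))
        elif m := ACCEPT_RE.search(line):
            s["accepted_by"] = m.group(1)
    return s

def verdict(s):
    # One line answering "why was this request allowed or refused, and where is the recording?"
    if s["accepted_by"]:
        return f'{s["user"]} ran "{s["command"]}" via profile {s["accepted_by"]}; iolog={s["iolog"]}'
    reasons = "; ".join(f"{p}: {', '.join(r)}" for p, r in s["rejections"].items())
    return f'{s["user"]} request "{s["command"]}" rejected ({reasons})'
```

Running verdict(parse_trace(SAMPLE_TRACE)) names the accepting profile and the iolog file; for a request no profile accepts it lists each profile's rejection reasons instead.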

Enabling Program-level Tracing


Technical Support may ask you to create a trace file when you run a program by using the -z option. The -z option enables tracing on a specific program or currently running process.

To display program-level tracing

  1. Run a program with the -z option, like this:
    # <CommandName> -z on

    The -z option creates a <CommandName>.ini file which then creates a <CommandName>.trc file when you run the command. The .trc file contains the debug information. Both the .ini and the .trc files are created in the /tmp directory.

    Once you have finished getting the trace output you need, run the program with the -z off option so the log will not continue to grow.

Join Fails to Generate a SSH Key for Sudo Policy


If you attempt to join a Sudo Plugin host and see an ssh-keyscan failure message similar to this:

** Generate ssh key [FAIL] 
   - failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known

You might be using an unresolvable short host name (myhost in the example above) instead of the fully qualified domain name.

To work around this issue, add the domain to the search line in the /etc/resolv.conf file so that the short name resolves.

Join to Policy Group Failed on Sudo Plugin


When you join a host with the Sudo Plugin to a policy group, you are required to enter a password. The Join password is the password for the pmpolicy user that was set when the qpm-server was configured. (See Configure the Privilege Manager for Sudo Primary Policy Server for more information about the pmpolicy service account.)

If the Join operation does not recognize the pmpolicy user password, you will receive an error message containing a snippet like the following:

Enter join password for remote user:pmpolicy@example.com: 

[FAIL] 
   - Failed to copy file using ssh. 
   - Error: Failed to add the host to the list of known hosts 
      (/var/opt/quest/qpm4u/pmpolicy/.ssh/known_hosts). 
      Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive). 

   ** Failed to setup the required ssh access. 
   ** The pmpolicy password is required to copy a file to the primary 
   ** policy server. 
   ** To complete this configuration, please rerun this command and 
   ** provide the correct password. 

      - ERROR: Failed to configure pmclient user 
      - ERROR: Configuration of qpm4u unsuccessful. 
      - ERROR: Installation log file is 
        /opt/quest/qpm4u/install/pmjoin_plugin_output_20121022.log 
[1][root@sles10-qa ~]#

Run the Join operation again, entering the correct password.
