Safeguard for Sudo 2.0 - Administrators Guide

Load Balancing and Policy Updates

pmloadcheck and pmpluginloadcheck are both commands and background daemons (run with the -i flag). When run as commands, they check, update, and report on the status of the policy server. You can use pmloadcheck from a policy server or PM Agent, and pmpluginloadcheck from a Sudo Plugin host.

When run as daemon processes, they keep track of the status of the policy servers for failover and load-balancing purposes. On policy servers, pmloadcheck keeps the production policy file up to date, and pmpluginloadcheck does the same for the off-line policy cache.

NOTE: See pmloadcheck and pmpluginloadcheck for more information about the syntax and usage of these commands.

Policy Servers are Failing

The primary and secondary policy servers must be able to communicate with each other and the remote hosts must be able to communicate with the policy servers in the policy group.

For example, if you run pmloadcheck on a policy server or PM Agent to check that it can communicate with the other policy servers in the policy group, or pmpluginloadcheck on a Sudo Plugin host to check that it can communicate with the policy servers in the group, you might get output similar to the following:

++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]

There are several possible reasons for failure:

  • Policy server host is down
  • Network outage
  • Service not running on policy server host

These are some ways to verify that the Privilege Manager for Unix service is running properly on the policy server host:

  1. To verify the policy server configuration, run
    # pmsrvinfo
  2. To verify that the service is running, enter
    # ps -ef | grep pmserviced
  3. To verify that the pmmasterd port is in a listening state on the primary policy server, enter
    # netstat -na | grep 12345
  4. To verify the service is enabled, look for the following in the Privilege Manager configuration file (/etc/opt/quest/qpm4u/pm.settings)
    pmmasterdEnabled YES
  5. To restart the service (on a Linux® host), enter
    # /etc/init.d/pmserviced restart

    -Or-

    pmserviced -s
  6. Check for other communication issues, such as with your firewall, name resolution, dead network interface, and so forth.
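The checks in steps 2 to 4 can be scripted so that a host reports its own service status in the same [PASS]/[FAIL] style as pmloadcheck. The script below is an added example and is not part of the One Identity documentation or the Privilege Manager product. It takes the settings file path and port from the guide; the pm.settings, ps and netstat samples are constructed here so the parsing functions can be exercised on a host without a policy server, and the real commands run only when the script is invoked with --live.

```shell
#!/bin/sh
# Added example (not One Identity's code): a small health check for the policy
# server service. The parsing functions take command output as an argument so
# they can be tested against the constructed samples at the bottom; "--live"
# runs the real commands on this host.

PM_SETTINGS="${PM_SETTINGS:-/etc/opt/quest/qpm4u/pm.settings}"   # path from the guide
PMMASTERD_PORT="${PMMASTERD_PORT:-12345}"                          # port from the guide

# Succeeds if the settings text (argument 1) contains "pmmasterdEnabled YES".
pmmasterd_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*pmmasterdEnabled[[:space:]]+YES[[:space:]]*$'
}

# Succeeds if ps output (argument 1) lists a pmserviced process, ignoring the
# "grep pmserviced" line that the manual check itself produces.
pmserviced_running() {
    printf '%s\n' "$1" | grep -v 'grep' | grep -q 'pmserviced'
}

# Succeeds if netstat -na output (argument 1) shows port (argument 2) in LISTEN
# state. Matches "0.0.0.0:12345" (Linux) and "*.12345" (Solaris/AIX) layouts and
# requires whitespace after the port so 12345 does not match 123456.
port_listening() {
    printf '%s\n' "$1" | grep -E "[.:]$2[[:space:]]" | grep -q 'LISTEN'
}

# Runs the three checks on this host; returns 1 if any of them fails.
check_policy_server() {
    rc=0
    if [ -r "$PM_SETTINGS" ] && pmmasterd_enabled "$(cat "$PM_SETTINGS")"; then
        echo "pmmasterdEnabled YES in $PM_SETTINGS ... [PASS]"
    else
        echo "pmmasterdEnabled YES not found in $PM_SETTINGS ... [FAIL]"; rc=1
    fi
    if pmserviced_running "$(ps -ef 2>/dev/null)"; then
        echo "pmserviced process running ... [PASS]"
    else
        echo "pmserviced process not found ... [FAIL]"; rc=1
    fi
    if port_listening "$(netstat -na 2>/dev/null)" "$PMMASTERD_PORT"; then
        echo "pmmasterd listening on port $PMMASTERD_PORT ... [PASS]"
    else
        echo "nothing listening on port $PMMASTERD_PORT ... [FAIL]"; rc=1
    fi
    return $rc
}

# Constructed sample output (not captured from a real system) for the parsers.
SAMPLE_SETTINGS='# constructed pm.settings fragment
pmmasterdEnabled YES'
SAMPLE_PS='root      1234     1  0 10:00 ?        00:00:00 pmserviced
root      1300  1200  0 10:01 pts/0    00:00:00 grep pmserviced'
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 10.10.181.87:22         10.10.181.5:51012       ESTABLISHED'

if [ "${1:-}" = "--live" ]; then
    check_policy_server
fi
```

A non-zero exit from check_policy_server points at the host itself (service disabled, not running, or not listening); if all three pass and pmloadcheck still reports [FAIL], the cause is outside the host, which is step 6 above.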

Sudo Command is Rejected by Privilege Manager for Unix

Privilege Manager for Unix might reject a sudo command. For example, let us assume you ran the following command:

$ /usr/local/bin/sudo id

and received output similar to the following:

<user> is not in the sudoers file. This incident will be reported. 
Request rejected by Privilege Manager

There are several things you can do to troubleshoot this issue.

To troubleshoot why a sudo command is rejected

Run the following from the policy server:

  1. To ensure the user has permission, run the following as a sudo administrator.
    # sudo -U <username> -l
  2. To check that the policy located at /etc/opt/quest/qpm4u/policy/sudoers is the current version, run:
    # pmpolicy masterstatus

    NOTE: In the output, ensure that Current Revision and Latest Trunk Revision have the same number and Locally modified is "No".

  3. To ensure the user has permission to run the command, check the /etc/opt/quest/qpm4u/policy/sudoers file and verify the user’s (or group’s) permissions:
    # cat /etc/opt/quest/qpm4u/policy/sudoers
  4. To verify that the policy server is working properly, enter:
    # pmsrvcheck

    This command returns output similar to:

    testing policy server [ Pass ]

    From the command line, enter:

    # pmsrvinfo

    This command returns output similar to:

    Policy Server Configuration: 
    ---------------------------- 
       Privilege Manager version : 6.0.0 (0nn) 
       Listening port for pmmasterd daemon  : 12345 
       Comms failover method                : random 
       Comms timeout(in seconds)            : 10 
       Policy type in use                   : sudo 
       Group ownership of logs              : pmlog 
       Group ownership of policy repository : pmpolicy 
       Policy server type                   : primary 
       Primary policy server for this group : Myhost1 
       Group name for this group            : Myhost1.example.com 
       Location of the repository           : file:////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk 
       Hosts in the group : Myhost1 

Refer to Privilege Manager Programs for more information about the syntax and usage of the pmpolicy, pmsrvcheck, and pmsrvinfo commands.

Sudo Policy Is Not Working Properly

If your sudo policy is not working as expected, use these troubleshooting steps:

  1. To verify the version of sudo on your host:
    # sudo -V
  2. To verify that the Sudo Plugin host is joined to policy server, run
    # pmplugininfo
  3. To see what commands the user is allowed to run:
    # sudo -l -U <username>

    This command returns output similar to:

    Matching Defaults entries for testuser on this host: 
          log_output 
    User testuser may run the following commands on this host: 
          (ALL) /opt/quest/bin/
  4. On the policy server, use the pmpolicy utility for managing the Privilege Manager for Unix security policy.
    1. To verify that you have the correct version of the policy, run
      # pmpolicy masterstatus

      NOTE: Ensure that Locally modified in the output is "No".

    2. To update the version of the policy, run
      # pmpolicy sync
    3. To verify there are no syntax errors in the policy, run
      # pmpolicy checkout -d <dir>
  5. On the Sudo Plugin host, use the pmpolicyplugin utility to display the revision status of the cached security policy on this host or to request an update from the central repository.
    1. To verify that you have the correct version of the policy on the Sudo Plugin host, run
      # pmpolicyplugin

      NOTE: Use the -g option to update the local cached security policy with the latest revision on the central repository (equivalent to pmpolicy sync on a server).

Refer to Privilege Manager Programs for more information about the syntax and usage of the pmplugininfo, pmpolicy, and pmpolicyplugin commands.
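Both the rejected-command procedure (pmpolicy masterstatus, with Current Revision equal to Latest Trunk Revision and Locally modified "No") and the policy-not-working procedure above (pmpolicy masterstatus on the server, pmpolicyplugin on the Sudo Plugin host) come down to the same decision about the revision report. The script below is an added example, not part of the One Identity documentation or product, that makes that decision from the report text. Only the three field names come from the guide; the "Label : value" layout of the report and the sample values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not One Identity's code): classify a policy revision report as
# in-sync, stale or locally-modified. The "Label : value" line layout is an
# assumption; the field names are the ones the guide tells you to compare.

# Prints the value of field $2 from the report text $1 ("Label : value").
status_field() {
    printf '%s\n' "$1" | awk -F':' -v key="$2" '
        { label = $1; gsub(/^[ \t]+|[ \t]+$/, "", label) }
        label == key { value = $2; gsub(/^[ \t]+|[ \t]+$/, "", value); print value; exit }'
}

# Prints one of: in-sync, stale, locally-modified, unparseable.
policy_state() {
    rev_cur=$(status_field "$1" "Current Revision")
    rev_latest=$(status_field "$1" "Latest Trunk Revision")
    rev_mod=$(status_field "$1" "Locally modified")
    if [ -z "$rev_cur" ] || [ -z "$rev_latest" ] || [ -z "$rev_mod" ]; then
        echo unparseable
    elif [ "$rev_mod" != "No" ]; then
        # Uncommitted edits on this host: review them before syncing over them.
        echo locally-modified
    elif [ "$rev_cur" != "$rev_latest" ]; then
        # Behind the trunk: "pmpolicy sync" on a server, "pmpolicyplugin -g" on a plugin host.
        echo stale
    else
        echo in-sync
    fi
}

# Live check: uses whichever status command exists on this host and names the fix.
check_policy_revision() {
    if command -v pmpolicy >/dev/null 2>&1; then
        report=$(pmpolicy masterstatus 2>&1) || true; fix='pmpolicy sync'
    elif command -v pmpolicyplugin >/dev/null 2>&1; then
        report=$(pmpolicyplugin 2>&1) || true; fix='pmpolicyplugin -g'
    else
        echo "neither pmpolicy nor pmpolicyplugin found on this host"; return 1
    fi
    state=$(policy_state "$report")
    echo "policy revision state: $state"
    [ "$state" = "stale" ] && echo "update with: $fix"
    [ "$state" = "in-sync" ]
}

# Constructed sample reports (assumed layout, not captured from a real system).
SAMPLE_OK='Current Revision      : 12
Latest Trunk Revision : 12
Locally modified      : No'
SAMPLE_STALE='Current Revision      : 11
Latest Trunk Revision : 12
Locally modified      : No'
SAMPLE_DIRTY='Current Revision      : 12
Latest Trunk Revision : 12
Locally modified      : Yes'

if [ "${1:-}" = "--live" ]; then
    check_policy_revision
fi
```

The locally-modified case is checked before the revision comparison on purpose: a sync would overwrite the local edits, so the script reports them rather than suggesting the update.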
