Chat now with support
Chat with Support

Safeguard for Sudo 7.0 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Safeguard Variables Safeguard programs Installation Packages Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Sudo command is rejected by Safeguard for Sudo

Safeguard for Sudo might reject a sudo command. For example, let us assume you ran the following command:

$ sudo id

and received output similar to the following:

<user> is not in the sudoers file. This incident will be reported. 
Request rejected by Safeguard

There are several things you can do to troubleshoot this issue.

To troubleshoot why a sudo command is rejected

Run the following from the policy server:

  1. To ensure the user has permission, run the following as a sudo administrator.
    # sudo –U <username> -l
  2. To check that the policy is located at /etc/opt/quest/qpm4u/policy/sudoers is the current version, run:
    # pmpolicy masterstatus

    In the output, ensure that Current Revision and Latest Trunk Revision have the same number and Locally modified is "No".

  3. To ensure the user has permission to run the command, check the /etc/opt/quest/qpm4u/policy/sudoers file and verify the user’s (or group’s) permissions:
    # cat /etc/opt/quest/qpm4u/policy/sudoers
  4. To verify that the policy server is working properly, enter:
    # pmsrvcheck

    This command returns output similar to:

    testing policy server [ Pass ]

    From the command line, enter:

    # pmsrvinfo

    This command returns output similar to:

    Policy Server Configuration: 
    ---------------------------- 
       Safeguard version : 7.0.0 (0nn) 
       Listening port for pmmasterd daemon  : 12345 
       Comms failover method                : random 
       Comms timeout(in seconds)            : 10 
       Policy type in use                   : sudo 
       Group ownership of logs              : pmlog 
       Group ownership of policy repository : pmpolicy 
       Policy server type                   : primary 
       Primary policy server for this group : Myhost1 
       Group name for this group            : Myhost1.example.com 
       Location of the repository           : file:
                           ////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk 
       Hosts in the group : Myhost1 
Related Topics

pmpolicy

pmsrvcheck

pmsrvinfo

Sudo policy is not working properly

If your sudo policy is not working as expected, use these troubleshooting steps:

  1. To verify the version of sudo on your host:
    # sudo –V
  2. To verify that the Sudo Plugin host is joined to the policy server, run:
    # pmplugininfo
  3. To see what commands the user is allowed to run:
    # sudo –l –U <username>

    This command returns output similar to:

    Matching Defaults entries for testuser on this host: 
          log_output 
    User testuser may run the following commands on this host: 
          (ALL) /opt/quest/bin/
  4. On the policy server, use the pmpolicy utility for managing the Privilege Manager for Sudo security policy.
    1. To verify that you have the correct version of the policy, run:
      # pmpolicy masterstatus

      Ensure that Locally modified in the output is No.

    2. To update the version of the policy, run:
      # pmpolicy sync
    3. To verify there are no syntax errors in the policy, run:
      # pmpolicy checkout –d <dir>
  5. On the Sudo Plugin host, use the pmpolicyplugin utility to display the revision status of the cached security policy on this host or to request an update from the central repository.
    1. To verify that you have the correct version of the policy on the Sudo Plugin host, run
      # pmpolicyplugin

      Use the -g option to update the local cached security policy with the latest revision on the central repository (equivalent to pmpolicy sync on a server).

Related Topics

pmplugininfo

pmpolicy

pmpolicyplugin

Safeguard Variables

This appendix provides detailed information about the variables that may be present in event log entries:

See also Profile Variables for additional information about policy profile variables.

Global input variables

The following predefined global variables are initialized from the submit-user’s environment.

Table 10: Global input variables
Variable Data type Description
alertkeymatch sting The pattern matched by pmlocald.
argc integer Number of arguments in the request.
argv list List of arguments in the request.
client_parent_pid integer Process ID of the client's parent process.
client_parent_uid integer User ID associated with the client's parent process.
client_parent_procname string Process name of a client's parent process.
clienthost string Originating login host.
command string Pathname of the request.
cwd string Current working directory.
date string Current date.
day integer Current day of month as integer.
dayname string Current day of the week.
domainname string The Active Directory domain name for the submit user if Authentication Services is configured.
env list List of submit user’s environment variables.
false integer Constant value.
FEATURE_LDAP integer Read-only constant used with feature_enabled() function.
FEATURE_VAS integer Read-only constant used with feature_enabled() function.
gid integer Group ID of the submitting user’s primary group on sudo host.
group string Submit user’s primary group.
groups list Submit user’s secondary groups.
host string Host destined to run the request.
hour integer Current hour.
masterhost sting Host on which the master process is running.
masterversion string Safeguard version of masterhost.
minute integer Current minute.
month integer Current month.
nice integer nice value of the submit user’s login.
nodename string

Hostname of the sudo client.

optarg

integer

Contains the parameter for the last argument or empty string.

opterr

integer

Determines whether to display errors from the getopt functions.

optind

integer

Contains the current argument list index. Use with getopt functions.

optopt

string

Contains the letter of the last option that had an issue. Use with getopt functions.

optreset

boolean

Restarts the getopt functions from the beginning.

optstrictparameters

boolean

Lets getopt_long() recognize non-compliant argument parameter forms.

pid integer Process ID of the master process.
pmclient_type integer The type of client that sent the request.
pmclient_type_pmrun integer Read-only constant for pmrun type clients.
pmclient_type_sudo integer Read-only constant for sudo type clients.
pmshell integer Identifies a Privilege Manager for Sudo shell program.
pmshell_builtin integer A constant value that identifies a shell builtin command.
pmshell_cmd integer Identifies a command run from a Privilege Manager for Sudo shell program.
pmshell_cmdtype integer Identifies type of a shell subcommand.
pmshell_exe integer A constant value that identifies a normal executable command.
pmshell_interpreter integer Identifies the program directive of a shell script.
pmshell_prog string Name of the Privilege Manager for Sudo shell program.
pmshell_script integer A constant value that identifies a shell script.
pmshell_uniqueid string uniqueid of the Privilege Manager for Sudo shell program.
pmversion string SafeguardPrivilege Manager for Sudo version string of client.
ptyflags string Identifies ptyflags of the request.
requestlocal integer Indicates if the request is local.
requestuser string User that the submit user wants to run the request.

rlimit_as

string

Controls the maximum memory that is available to a process.

rlimit_core

string

Controls the maximum size of a core file.

rlimit_cpu

string

Controls the maximum size CPU time of a process.

rlimit_data

string

Controls the maximum size of data segment of a process.

rlimit_fsize

string

Controls the maximum size of a file.

rlimit_locks

string

Control the maximum number of file locks for a process.

rlimit_memlock

string

Controls the maximum number of bytes of virtual memory that can be locked.

rlimit_nofile

string

Controls the maximum number of files a user may have open at a given time.

rlimit_nproc

string

Controls the maximum number of processes a user may run at a given time.

rlimit_rss

string

Controls the maximum size of the resident set (number of virtual pages resident at a given time) of a process.

rlimit_stack

string

Controls the maximum size of the process stack.

samaccount string The sAMAccountName for the submit user if Authentication Services is configured.

selinux

integer

Identifies whether a client is running an SELinux environment.

status integer Exit status of the most recent system command.
submithost string Name of the submit host.
submithostip string IP address of the submit host.
thishost string The value of the thishost setting in pm.settings on the client.
time string Current time of request.
true integer Read-only constant with a value of 1.
ttyname string ttyname of the submit request.

tzname

string

Name of the time zone on the server at the time the event was read from the event log by pmlog.

uid integer User ID of the submitting user on host.
umask integer umask of the submit user.
unameclient list Uname output on host.

unamemaster

list

Unameoutput on policy server host.

uniqueid string Uniquely identifies a request in the event log.
use_rundir string Contains the value "!~!" and represents the runuser’s home directory on the runhost.
use_rungroup string Contains the value "!g!" and represents the runuser’s primary group on the runhost.
use_rungroups string Contains the value "!G!" and represents the runuser’s secondary group list on the runhost.
use_runshell string Contains the value "!!!" and represents the runuser’s login shell on the runhost.
user string Submit user.

year

integer

Year of the request (YY).

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating