Chat now with support
Chat with Support

Safeguard for Sudo 7.2.1 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard Variables Safeguard programs Installation Packages Unsupported Sudo Options Safeguard for Sudo Policy Evaluation

Enabling tracing for Sudo Plugin

Since the Sudo Plugin is not a program, the /tmp/pmplugin.ini file needs be manually created in order to enable tracing for the Sudo Plugin itself.

To create the .ini file to enable tracing for the Sudo Plugin

  1. Run the following as root: 
    printf 'FileName=/tmp/pmplugin.trc\nLevel=0xffffffff\n' > /tmp/pmplugin.ini
  2. Once you have finished getting the trace output you need, remove the /tmp/pmplugin.ini file to disable tracing.

Join fails to generate a SSH key for sudo policy

If you attempt to join a Sudo Plugin host and see a ssh-keyscan failure message similar to this:

** Generate ssh key [FAIL] 
   - failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known

You might be using an unresolvable, short host name (as myhost in the above example) instead of the fully qualified domain name.

To workaround this issue, add the domain to the search line in the /etc/resolv.conf file.

Join to policy group failed on Sudo Plugin

When you join a host with the Sudo Plugin to a policy group you are required to enter a password. The Join password is the password for the pmpolicy user that was set when the qpm-server was configured. See Configuring the Safeguard for Sudo Primary Policy Server for more information about pmpolicy service account.

If the Join operation does not recognize the pmpolicy user password, you will receive an error message with the following snippet:

Enter join password for remote user:pmpolicy@example.com: 

[FAIL] 
   - Failed to copy file using ssh. 
   - Error: Failed to add the host to the list of known hosts 
      (/var/opt/quest/qpm4u/pmpolicy/.ssh/known_hosts). 
      Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive). 

   ** Failed to setup the required ssh access. 
   ** The pmpolicy password is required to copy a file to the primary 
   ** policy server. 
   ** To complete this configuration, please rerun this command and 
   ** provide the correct password. 

      - ERROR: Failed to configure pmclient user 
      - ERROR: Configuration of qpm4u unsuccessful. 
      - ERROR: Installation log file is 
        /opt/quest/qpm4u/install/pmjoin_plugin_output_20121022.log 
[1][root@sles10-qa ~]#

Run the Join operation again entering a correct password.

Load balancing and policy updates

pmpluginloadcheck is both a command and a background daemon (run with the -i flag). When run as a command, it checks, updates, and reports on the status of the policy server. You can use pmpluginloadcheck from a Sudo Plugin host.

When run as a daemon process, it keeps track of the status of the policy servers for failover and load-balancing purposes. On policy servers, pmpluginloadcheck is responsible for keeping the production policy file up to date for the offline policy cache.

See pmpluginloadcheck for more information about the syntax and usage of this command.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating