Safeguard for Sudo 7.2.2
Release Notes
07 October 2022, 10:07
These release notes provide information about the One Identity Safeguard for Sudo release.
About this release
Safeguard for Sudo helps Unix/Linux organizations take privileged account management through Sudo to the next level: with a central policy server, centralized management of Sudo and sudoers, centralized reporting on sudoers and elevated rights activities, and event and keystroke logging of activities performed through Sudo. With Safeguard for Sudo, One Identity provides a plug-in to Sudo 1.8.1 (and later) to make administering Sudo across a few, dozens, hundreds, or thousands of Unix/Linux servers easy, intuitive, and consistent. It eliminates the box-to-box management of Sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach delivers the ability to report on the change history of the sudoers policy file.
Safeguard for Sudo 7.2.2 is a patch release that includes Resolved issues.
NOTE: Beginning with version 7.0, Safeguard for Sudo supports only Linux-based systems for Safeguard policy servers.
End of support notice
After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021.
As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.
New features in Safeguard for Sudo 7.2.2:
- Safeguard for Sudo has shipped with OpenSSL shared objects since version 7.0. Due to recent high severity fixes in the OpenSSL library, the shipped shared objects have been upgraded to version 1.1.1q, which includes the corresponding fixes.
- The macOS installer now supports dark mode.
The following is a list of issues addressed in this release.
Table 1: Resolved issues
| Resolved issue | Issue ID |
| --- | --- |
| The sudoers policy did not recognize audit server settings such as log_servers in the sudoers file. For Safeguard for Sudo, the audit server settings are located in the pm.settings file, not the sudoers file. If the user attempts to configure the log_servers setting (or one of the related settings) using pmpolicy edit, they will now receive a warning that tells them what the equivalent setting is in the pm.settings file. | 287813 |
| The macOS installer now supports dark mode. | 291222 |
| The pmlogsrvd daemon could crash when processing events that contain an empty info record. When a user runs a privileged command, an entry is added to the event queue. The pmlogsrvd daemon processes the event queue and stores events in a database. If an event had an empty record, or if the "event" record was missing, a crash could occur. Empty or otherwise invalid records are now ignored when processing files in the event queue. | 296321 |
| The documentation now contains an example for setting up git policy management. | 307216 |
| Fixed a crash which occurred when listing the allowed/forbidden commands for a specific user (sudo -l -U <user>). | 315238 |
| Fixed an issue on AIX and Solaris systems where the Safeguard Authentication Services policy group plugin, /opt/quest/lib/libsudo_vas.so, could not be loaded. Safeguard Authentication Services includes a policy group plugin that can be used with Safeguard for Sudo to include Active Directory groups in the sudoers file. Recent releases of Safeguard for Sudo include 64-bit binaries and thus must load a 64-bit plugin. However, the plugin distributed with Safeguard Authentication Services was 32-bit, not 64-bit. Safeguard for Sudo will now attempt to load the 64-bit plugin that is included with Safeguard Authentication Services version 5.1, even if the sudoers file includes a path to the 32-bit version of the plugin. | 316899 |
| Clients are now added to the license database when joined to a policy server, and are removed when unjoined. Previously, a client was added to the license database on a policy server at the time the first pmrun or sudo command was issued. When a client was uninstalled or unconfigured, it would remain in the license database indefinitely. Now, the client is added to the license database when it is joined to a policy server and is removed when the client is unconfigured or the package is uninstalled. | 317024 |
| Fixed an issue detecting the ELF class of sudo when readelf and elfdump programs are not present and sudo is a relative symlink. This could lead to plugin join failure with the error "architecture mismatch". | 322439 |
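Issues 316899 and 322439 both come down to whether the sudo binary and a plugin share the same ELF class. The following is an added example, not One Identity's code and not a description of how the product performs its check: it reads the class byte directly from the ELF header, so it works without readelf or elfdump and resolves a relative symlink before reading. The stub files and paths in `demo()` are constructed for illustration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4  # index of the class byte inside e_ident
CLASS_NAMES = {1: "ELFCLASS32", 2: "ELFCLASS64"}


def elf_class(path):
    """Return the ELF class of path, following symlinks (relative ones too)."""
    # realpath resolves a relative link target against the link's own
    # directory, not against the caller's working directory.
    real = os.path.realpath(path)
    with open(real, "rb") as fh:
        ident = fh.read(EI_CLASS + 1)
    if len(ident) <= EI_CLASS or not ident.startswith(ELF_MAGIC):
        raise ValueError(f"{real}: not an ELF file")
    if ident[EI_CLASS] not in CLASS_NAMES:
        raise ValueError(f"{real}: unknown EI_CLASS {ident[EI_CLASS]}")
    return CLASS_NAMES[ident[EI_CLASS]]


def check_pair(binary, plugin):
    """Return (classes_match, binary_class, plugin_class)."""
    b, p = elf_class(binary), elf_class(plugin)
    return b == p, b, p


def demo():
    """Constructed sample: stub files that carry only an e_ident header."""
    with tempfile.TemporaryDirectory() as tmp:
        for d in ("bin", "libexec", "lib"):
            os.mkdir(os.path.join(tmp, d))
        stubs = {"libexec/sudo.real": 2, "lib/plugin32.so": 1}
        for rel, cls in stubs.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(ELF_MAGIC + bytes([cls, 1, 1]) + b"\0" * 10)
        link = os.path.join(tmp, "bin", "sudo")
        os.symlink("../libexec/sudo.real", link)  # relative symlink
        return check_pair(link, os.path.join(tmp, "lib", "plugin32.so"))


if __name__ == "__main__":
    print(demo())
```

On a real host, call `check_pair()` with the path to sudo and the plugin path named in the sudoers file; a `False` first element means a 64-bit sudo is being pointed at a 32-bit plugin or the reverse.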
The following table provides a list of supported platforms for Safeguard for Sudo clients.
NOTE: Beginning with version 7.2.2, Safeguard for Sudo supports only Linux-based systems for Safeguard policy servers.
Table 2: Linux supported platforms — server and plugin
| Platform | Version | Architecture |
| --- | --- | --- |
| Amazon Linux | AMI, 2 | x86_64 |
| CentOS Linux | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Debian | Current supported releases | x86_64, x86, AARCH64 |
| Fedora Linux | Current supported releases | x86_64, x86, AARCH64 |
| OpenSuSE | Current supported releases | x86_64, x86, AARCH64 |
| Oracle Enterprise Linux (OEL) | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Red Hat Enterprise Linux (RHEL) | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| SuSE Linux Enterprise Server (SLES)/Workstation | 11 SP4, 12, 15 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Ubuntu | Current supported releases | x86_64, x86, AARCH64 |
Table 3: Unix and Mac supported platforms — plugin
| Platform | Version | Architecture |
| --- | --- | --- |
| Apple MacOS | 10.15 or later | x86_64, ARM64 |
| FreeBSD | 12.x, 13.x | x32, x64 |
| HP-UX | 11.31 | PA, IA-64 |
| IBM AIX | 6.1 TL9, 7.1 TL3, 7.2 | Power 4+ |
| Oracle Solaris | 10 8/11 (Update 10), 11.x | SPARC, x64 |