Chat now with support
Chat with Support

Safeguard for Sudo 7.2.3 - Administration Guide

Introducing Safeguard for Sudo Planning Deployment Installation and Configuration Upgrade Safeguard for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Supported sudo plugins Troubleshooting Safeguard Variables Safeguard programs Installation Packages Supported Sudoers directives Unsupported Sudo Options Safeguard for Sudo Policy Evaluation


pmsrvcheck --csv [ --verbose ] | --help | --pmpolicy | --primary | --secondary

Use pmsrvcheck to verify that a policy server is setup properly. It produces output in either human-readable or CSV format similar to that produced by the preflight program.

The pmsrvcheck command checks:

  • that the host is configured as a primary policy server and has a valid repository
  • has a valid, up-to-date, checked-out copy of the repository
  • has access to update the repository
  • has a current valid Safeguard license
  • pmmasterd is correctly configured
  • pmmasterd can accept connections

pmsrvcheck produces output in either human-readable or CSV format similar to the pre-flight output.


pmsrvcheck has the following options.

Table 44: Options: pmsrvcheck
Option Description
--cvs Displays csv, rather than human-readable output.
--help Displays usage information.
--pmpolicy Verifies that Safeguard policy is in use by the policy servers.
--primary Verifies a primary policy server.
--secondary Verifies a secondary policy server.
--verbose Displays verbose output while checking the host.


Displays the Safeguard version number and exits.

  • Settings file: /etc/opt/quest/qpm4u/pm.settings
Related Topics




pmsrvconfig -h | --help [-abipqtv] [-d <variable>=<value>] [-f <path>] 
            [-l <license_file>] [-m sudo | pmpolicy] [-n <group_name> | -s <hostname>] [-bpvx] -u [--accept] [--batch] [--define <variable>=<value>] [--import <path>] [--interactive] [--license <license_file>]
            [--name <group_name> | --secondary <hostname>] [--pipestdin] [--plugin] [--policymode sudo | pmpolicy]
[--unix [<policy_server_host> ...]] [--verbose] [--batch]
         [--plugin] [--unix] [-- verbose] --unconfig -N policy_name [--policyname policy_name]

Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.


pmsrvconfig has the following options.

Table 45: Options: pmsrvconfig
Option Description

-a | --accept

Accepts the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt.

-b | --batch

Runs in batch mode; does not use colors or require user input.

-d <variable>=<value> | --define <variable>=<value>

Specifies a variable for the pm.settings file and its associated value.

-h | --help

Displays usage information.

-i | --interactive

Runs in interactive mode; prompts for configuration parameters instead of using the default values.

-f <path> | --import <path>

Imports policy data from the specified path.

  • Privilege Manager for Unix: The path may be set to either a file or a directory when using the pmpolicy type.
  • Safeguard for Sudo: The path must be set to a file when using the sudo policy type.

-l | --license <license_file>

Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files.

-m sudo | pmpolicy | --policymode sudo | pmpolicy

Specifies the type of security policy:

  • sudo
  • pmpolicy

Default: sudo

-n | --name <group_name>

Uses group_name as the policy server group name.

-p | --plugin

Configures the Sudo Plugin.

This option is only available when using the sudo policy type (Safeguard for Sudo).

-q | --pipestdin

Pipes password to stdin if password is required.

-s | --secondary <hostname>

Configures host to be a secondary policy server where hostname is the primary policy server.

-u | --unconfig

Unconfigures a Privilege Manager for Unix server.

-v | --verbose

Displays verbose output while configuring the host.

-N policy_name | --policyname policy_name

When configuring the plugin, use policy_name as the name of the policy instead of the default. This option is used to specify the name of the policy that the server should use when making policy decisions.


The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:

# pmsrvconfig -a -f /root/tmp/sudoers

By using the -a option, you are accepting the terms and obligations of the EULA in full.

By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the -n command option, like this:

# pmsrvconfig -a -n <MyPolicyGroup>

where <MyPolicyGroup> is the name of your policy group.


Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install


pmsrvinfo [--csv] | -v

Use the pmsrvinfo command to display information about the group in either human readable or CSV format. You can run this program on any server in the policy group.


pmsrvinfo has the following options.

Table 46: Options: pmsrvinfo
Option Description
-c Displays information in .CSV format, instead of human readable output.


By using this option, you can detect which client uses which sudo policy on the policy server. This option lists the following client information from the policy server:

  • Client's hostname

  • Sudoers file used by the client

  • Client's version

This option can be used together with the "-c" option.


Displays the Safeguard version number and exits.

# pmsrvinfo
Policy Server Configuration: 
Safeguard version   : 6.0.0 (nnn) 
Listening port for pmmasterd daemon    : 12345 
Comms failover method                  : random 
Comms timeout(in seconds)              : 10 
Policy type in use                     : sudo 
Group ownership of logs                : pmlog 
Group ownership of policy repository   : pmpolicy 
Policy server type                     : primary 
Primary policy server for this group   : adminhost1 
Group name for this group              : adminGroup1 
Location of the repository             :
Hosts in the group                     : adminhost1 adminhost2


pmsum /<full_path_name>

Use pmsum to generate a checksum of the named file. The output it produces can be used in a policy with the runcksum variable. If the requested binary/command does not match the checksum, it rejects the command.


pmsum has the following options.

Table 47: Options: pmsum
Option Description


Prints the version number of Safeguard and exits.

# pmsum /bin/ls 
5591e026 /bin/ls
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating