
Safeguard for Sudo 7.2 - Release Notes


20 December 2021, 11:48

These release notes provide information about the One Identity Safeguard for Sudo release.

About this release

Safeguard for Sudo helps Unix/Linux organizations take privileged account management through Sudo to the next level: a central policy server, centralized management of Sudo and the sudoers policy, centralized reporting on sudoers and elevated-rights activity, and event and keystroke logging of activities performed through Sudo. With Safeguard for Sudo, One Identity provides a plug-in to Sudo 1.8.1 (and later) that makes administering Sudo across a few, dozens, hundreds, or thousands of Unix/Linux servers easy, intuitive, and consistent. It eliminates the box-to-box management of Sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach makes it possible to report on the change history of the sudoers policy file.

Safeguard for Sudo 7.2 is a patch release. The fixes it contains are listed under Resolved issues below.

NOTE: Beginning with version 7.0, Safeguard for Sudo supports only Linux-based systems for Safeguard policy servers.

End of support notice

After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021.

As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.

New features

New features in Safeguard for Sudo 7.2:

  • You can load sudo-compatible approval and audit plugins, including plugins written in Python, on the policy server. For more information, see the following chapters in the Safeguard for Sudo Administration Guide:

    • Supported sudo plugins

    • Configuring a sudo approval plugin

    • Configuring a sudo audit plugin

  • One Identity provides rpm packages in a newer format that can also be installed on RHEL 8 systems switched to FIPS-compliant mode.

  • You can manage policies using a Git workflow. The pmgit utility mediates version-control operations between the policy server's Subversion (SVN) repository and a Git repository. For more information, see Managing policies in Git in the Administration Guide.

  • You can stream event logs and keystroke (I/O) logs from a client to a sudo log audit server (or any compatible server) that implements the sudo logsrv protocol. This feature is disabled by default. Enable the recording service by configuring the policy server with pmsrvconfig or by editing pm.settings. For more information, see Audit server logging in the Administration Guide.

  • A new command-line switch was added to the pmsrvinfo command. With it you can query the policy server to see which client is using which sudoers policy.

  • All packages shipped by One Identity are now signed. You can verify that the packages you download were created by One Identity and not by a malicious intermediary. For more information, see Verifying package signature in the Administration Guide.
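The approval-plugin feature above is the standard sudo 1.9 Python plugin interface: an approval plugin runs after the policy plugin has already accepted a command and can only veto it. The following is an added example, not code shipped with Safeguard for Sudo, showing the one method such a plugin must implement (`check`) and a practical policy for it: refusing interactive root shells, including shells reached through wrappers such as `env` or `nohup`. The `sudo` module is injected by sudo's `python_plugin.so` at run time; the stand-in defined under `except ImportError` exists only so the file can be exercised outside sudo. The class name and the install path in the docstring are assumptions; how Safeguard's policy server is pointed at the plugin is described in the "Configuring a sudo approval plugin" chapter of the Administration Guide and is not reproduced here.

```python
"""Example sudo approval plugin (Python): deny interactive root shells.

Added example, not part of Safeguard for Sudo. Uses the sudo 1.9 Python
plugin API (sudo.Plugin, sudo.PluginReject, sudo.RC). The path
/etc/sudo/plugins/deny_root_shell.py and the class name are assumptions.
"""
import os
import sys

try:
    import sudo  # real module is provided by sudo's python_plugin.so at run time
except ImportError:  # outside sudo (e.g. unit tests): minimal stand-ins, same names
    import types
    sudo = types.SimpleNamespace(
        Plugin=object,
        PluginReject=type("PluginReject", (Exception,), {}),
        RC=types.SimpleNamespace(ACCEPT=1, REJECT=0),
        log_info=lambda msg: print(msg, file=sys.stderr),
    )

# Program names that hand the caller an interactive shell or a full root session.
DENIED_BASENAMES = frozenset({"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"})
# Wrappers that exec their argument: 'sudo env bash' is still a root shell.
WRAPPER_BASENAMES = frozenset({"env", "nice", "nohup", "timeout", "ionice", "stdbuf"})


def kv_tuple_to_dict(items):
    """sudo passes command_info and run_env as tuples of 'key=value' strings."""
    result = {}
    for item in items:
        key, sep, value = item.partition("=")
        result[key] = value if sep else ""
    return result


def rejection_reason(command_info, run_argv):
    """Return a human-readable reason to refuse the command, or None to allow it."""
    info = kv_tuple_to_dict(command_info)
    command = info.get("command", "")
    base = os.path.basename(command)
    # Only root sessions are vetoed; the policy plugin already decided who may
    # run what, this plugin just narrows the result.
    if info.get("runas_uid") != "0":
        return None
    if base in DENIED_BASENAMES:
        return f"interactive root shell via {command} is not permitted; run a specific command"
    if base in WRAPPER_BASENAMES:
        wrapped = {os.path.basename(arg) for arg in run_argv[1:]}
        if wrapped & DENIED_BASENAMES:
            return f"root shell launched through {command} is not permitted"
    return None


class DenyRootShellApprovalPlugin(sudo.Plugin):
    """check() is the only required method of an approval plugin. Raising
    sudo.PluginReject refuses the command; returning sudo.RC.ACCEPT allows it."""

    def check(self, command_info: tuple, run_argv: tuple, run_env: tuple) -> int:
        reason = rejection_reason(command_info, run_argv)
        if reason:
            sudo.log_info(reason)  # shown to the user and recorded by sudo
            raise sudo.PluginReject(reason)
        return sudo.RC.ACCEPT


if __name__ == "__main__":
    # Constructed sample input in the shape sudo passes to check().
    sample_info = ("command=/bin/bash", "runas_uid=0", "runas_gid=0")
    print(rejection_reason(sample_info, ("bash",)))
```

In plain sudo the plugin is registered in sudo.conf with a line of the form `Plugin python_approval python_plugin.so ModulePath=/etc/sudo/plugins/deny_root_shell.py ClassName=DenyRootShellApprovalPlugin` (path and class name are the assumptions above). Note the asymmetry the class docstring points out: an approval plugin cannot grant anything the sudoers policy denied, so the sudoers rules stay the source of truth and the plugin is a defence-in-depth veto.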
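On the signed-packages item: the check a practitioner actually wants is not just that `rpm --checksig` exits 0, because an unsigned package with intact digests also passes that test. The following added example (not code from Safeguard for Sudo or the Administration Guide) runs the standard `rpm -Kv` and requires that every signature line reports OK and comes from a key ID you have pinned in advance. The key ID in `TRUSTED_KEY_IDS`, the package path, and the sample outputs are constructed placeholders, not One Identity's real signing key; take the real key from the vendor's published documentation and import it with `rpm --import` before running this.

```python
"""Added example: gate an rpm install on a signature from a pinned key.

Not part of Safeguard for Sudo. Depends only on the stock rpm tool: 'rpm -Kv'
prints one line per signature or digest check. The key ID below and the
sample outputs are constructed placeholders (assumptions).
"""
import re
import subprocess

# PLACEHOLDER key ID: replace with the vendor's published key ID / fingerprint
# after importing it with 'rpm --import'. Lower-case hex, long (16-char) form.
TRUSTED_KEY_IDS = frozenset({"0123456789abcdef"})

# Matches e.g. "Header V4 RSA/SHA256 Signature, key ID 0123456789abcdef: OK"
_SIG_LINE = re.compile(r"Signature, key ID ([0-9a-fA-F]+): (\S.*)$")

# Constructed sample 'rpm -Kv' outputs for the three situations that matter.
SAMPLE_OUTPUTS = {
    "signed": (
        "pkg.rpm:\n"
        "    Header V4 RSA/SHA256 Signature, key ID 0123456789abcdef: OK\n"
        "    Header SHA256 digest: OK\n"
        "    Payload SHA256 digest: OK\n"
    ),
    "nokey": (
        "pkg.rpm:\n"
        "    Header V4 RSA/SHA256 Signature, key ID feedfacefeedface: NOKEY\n"
        "    Header SHA256 digest: OK\n"
        "    Payload SHA256 digest: OK\n"
    ),
    "unsigned": (
        "pkg.rpm:\n"
        "    Header SHA256 digest: OK\n"
        "    Payload SHA256 digest: OK\n"
    ),
}


def classify_checksig(output, trusted_key_ids=TRUSTED_KEY_IDS):
    """Classify 'rpm -Kv' output as 'trusted', 'untrusted-key', 'bad' or 'unsigned'.

    Digest-only packages print OK digests but carry no signature, so an exit
    status of 0 is not proof of origin; only a good signature from a pinned
    key is. rpm may print the short (8-char) or long key ID, so a trusted ID
    is accepted when the printed ID is its suffix.
    """
    found = []
    for line in output.splitlines():
        match = _SIG_LINE.search(line)
        if match:
            found.append((match.group(1).lower(), match.group(2).strip()))
    if not found:
        return "unsigned"
    if any(status != "OK" for _, status in found):
        return "bad"  # NOT OK, NOKEY, BAD, ...
    trusted = {k.lower() for k in trusted_key_ids}
    if all(any(t.endswith(key) for t in trusted) for key, _ in found):
        return "trusted"
    return "untrusted-key"


def verify_rpm(path, trusted_key_ids=TRUSTED_KEY_IDS):
    """True only if rpm reports a good signature from a pinned key."""
    try:
        proc = subprocess.run(["rpm", "-Kv", path], capture_output=True, text=True)
    except FileNotFoundError:  # rpm not installed on this host
        return False
    return classify_checksig(proc.stdout, trusted_key_ids) == "trusted"


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        print(f"{name}: {classify_checksig(text)}")
```

Using the short key ID in `TRUSTED_KEY_IDS` weakens the pin (short IDs can be forged by key search); pin the long ID or full fingerprint, which is why the comparison accepts a printed ID only as a suffix of a trusted one.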


Resolved issues

The following is a list of issues addressed in this release.

Table 1: Resolved issues

Issue ID 272782
Detection of the sudo binary (32-bit or 64-bit) could fail when joining the Safeguard for Sudo plugin to a policy group.
Fix: Detection of the sudo binary (32-bit or 64-bit) when joining the Safeguard for Sudo plugin to a policy group has been corrected.

Issue ID 277299
The pmlogsearch command started on a primary policy server was not able to return results for iologs stored on secondary policy servers.
Fix: pmlogsearch now searches iologs stored on secondary policy servers. For the fix to work, both the primary and the secondary policy servers must be upgraded. The problem affected only the search function; no data was lost, and previously stored data becomes searchable after the upgrade.

Issue ID 278176
A corrupt temporary event log file could cause pmlogsrvd log storage to get stuck, continuously reporting error messages to syslog.
Fix: If a temporary event log file becomes corrupted for any reason, it is now moved to the "refused" subdirectory of evcache and only one error message per file is written to syslog.

Issue ID 280620
Commands run via sudo on AIX systems could take several extra seconds to complete, depending on the number of groups the invoking and target users are members of.
Fix: The sudo plugin now uses a more efficient method to query the invoking and target user's group membership. To use the new method, both the plugin client and the policy server must be upgraded. The slowdown was caused by a change in how the sudoers parser verifies group membership: prior to Safeguard for Sudo 7.0, group membership was checked only when a group was encountered in the sudoers file; starting with version 7.0, all of a user's groups must be resolved before the sudoers file is parsed.

Issue ID 289715
When Safeguard for Sudo was configured to send audit events to Safeguard for Privileged Sessions, commands run via sudo could time out.
Fix: Safeguard for Sudo expected Safeguard for Privileged Sessions (SPS) to respond to an accepted command message with a log identification string. SPS does not currently support restarting interrupted audit server connections and does not send a log ID, so the audit server connection timed out while Safeguard for Sudo waited for it. Safeguard for Sudo now checks for the log ID asynchronously and does not explicitly wait for it.

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 2: General known issues

Issue ID 291148
No audit trail is produced when an offline log is sent to the policy server.

Issue ID 292522
When the pmbash tool tries to run a command on Apple macOS on M1 (ARM64) hardware, the command cannot run, because bash and the product cannot be linked against the same libraries. The product's macOS package is compiled for the ARM64 ABI, while Apple's own binaries use the ARM64e ABI, and the dynamic linker cannot mix ARM64e and ARM64 code. This issue is going to be fixed in the next release.
