Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Quest has tools and processes in place to identify, protect, detect, and remediate vulnerabilities and incidents when they occur, including external security partners. As part of our standard security operations, Quest does not use CrowdStrike in any of our operations. We are reviewing our third parties, and so far, there is minimal affect. It is Quest's policy not to provide further technical details unless they directly impact customer data.

Safeguard for Sudo 7.3 - Administration Guide

Table of Contents

Introducing Safeguard for Sudo

Features and benefits of Safeguard for Sudo How Safeguard for Sudo works

Planning Deployment

System requirements

Supported platforms Reserve special user and group names Required privileges

Estimating size requirements Safeguard for Sudo licensing Deployment scenarios

Single host deployment Medium business deployment Large business deployment

Installation and Configuration

Download Safeguard for Sudo software packages Verifying package signature Configure a Primary Policy Server

Checking the server for installation readiness

TCP/IP configuration Hosts database Reserve special user and group names Policy server daemon hosts Check Sudo version

Installing the Safeguard for Sudo packages

Adding directories to PATH environment

Configuring the Safeguard for Sudo Primary Policy Server

Configuring additional policies on a policy server Safeguard for Sudo Server Configuration Settings

Join hosts to policy group

Joining Sudo Plugin to Policy Server

Joining Sudo Plugin to policy server using a non-default policy

Swap and install keys

Configure a secondary policy server

Installing secondary servers Configuring a secondary server

Synchronizing policy servers within a group

Install Sudo Plugin on a remote host

Checking Sudo Plugin Host for installation readiness Installing a Sudo Plugin on a remote host Joining a Sudo Plugin to a primary policy server Verifying Sudo Plugin configuration Load balancing on the client

Remove configurations

Uninstalling the Safeguard for Sudo software packages Uninstalling Safeguard for Sudo on macOS

Upgrade Safeguard for Sudo

Before you upgrade Upgrading Safeguard for Sudo packages

Upgrading the server package Upgrading the Sudo Plugin package

Removing Safeguard for Sudo packages

Removing the server package Removing the Sudo Plugin package

System Administration

Reporting basic policy server configuration information Checking the status of the master policy Checking the policy server Checking policy server status Checking the Sudo Plugin configuration status Installing licenses

Displaying license usage

Listing policy file revisions Viewing differences between revisions Backup and recovery

Managing Security Policy

Security policy types Specifying security policy type The sudo type policy Viewing the security profile changes Managing policies in Git

Prerequisites for Git policy management Example setup with GitHub

Administering Log and Keystroke Files

Configuring keystroke logging for Safeguard for Sudo policy

Validating Sudo commands

Local logging

Event logging Keystroke (I/O) logging Sub-command logging

Audit server logging

Configuration options

Viewing the log files using command line tools Listing event logs Backing up and archiving event and keystroke logs

Supported sudo plugins

Configuring a sudo approval plugin Configuring a sudo audit plugin

Troubleshooting

Enabling sudo policy debug logging Enabling tracing for Sudo Plugin Join fails to generate a SSH key for sudo policy Join to policy group failed on Sudo Plugin Load balancing and policy updates Policy servers are failing pmgit Troubleshooting

Setting alert for syntactically incorrect policies Automatic synchronization failed Failed to push references to Git URL

Sudo command is rejected by Safeguard for Sudo Sudo policy is not working properly

Safeguard for Sudo Variables

Global input variables

argc argv client_parent_pid client_parent_uid client_parent_procname clienthost command cwd date day dayname domainname env false gid group groups host hour masterhost masterversion minute month nice nodename optarg opterr optind optopt optreset optstrictparameters pid pmclient_type pmclient_type_pmrun pmclient_type_sudo pmversion ptyflags requestlocal requestuser rlimit_as rlimit_core rlimit_cpu rlimit_data rlimit_fsize rlimit_locks rlimit_memlock rlimit_nofile rlimit_nproc rlimit_rss rlimit_stack samaccount selinux status submithost submithostip thishost time true ttyname tzname uid umask unameclient uniqueid user year

Global output variables Global event log variables

event exitdate exitstatus exittime

PM settings variables

Safeguard for Sudo programs

pmauditsrv pmcheck pmcheckperms pmgit

pmgit subcommands

pmgit export pmgit Import pmgit Enable pmgit Disable pmgit Update pmgit Set pmgit Status pmgit Help

pmjoin_plugin pmkey pmlicense pmloadcheck (or pmpluginloadcheck) pmlog pmlogadm pmlogsearch pmlogsrvd pmlogxfer pmmasterd pmplugininfo pmpluginloadcheck pmpolicy pmpolicyplugin pmpoljoin_plugin pmpolsrvconfig pmremlog pmreplay

Navigating the log file

pmresolvehost pmserviced pmsrvcheck pmsrvconfig pmsrvinfo pmsum pmsysid

Installation Packages

Package locations Installed files and directories

Supported Sudoers directives Unsupported Sudo Options

Unsupported command line sudo options Behavioral change Unsupported Sudoers policy options Unsupported Sudoers directives

Safeguard for Sudo Policy Evaluation

Troubleshooting

To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Safeguard for Sudo.

Enabling sudo policy debug logging

Enabling tracing for Sudo Plugin

Join fails to generate a SSH key for sudo policy

Join to policy group failed on Sudo Plugin

Load balancing and policy updates

Policy servers are failing

pmgit Troubleshooting

Setting alert for syntactically incorrect policies

Automatic synchronization failed

Failed to push references to Git URL

Sudo command is rejected by Safeguard for Sudo

Sudo policy is not working properly

Enabling sudo policy debug logging

Troubleshooting > Enabling sudo policy debug logging

Debug logs can help you determine if the sudo options are being enabled correctly in the policy.

To enable debug logging for Sudo policy

Add a debug line to the /etc/sudo.conf file. For example, to log debug and trace information to the file /var/log/sudo_debug, add:
```
Debug sudo /var/log/sudo_debug all@debug
```

For systems without a /var/log directory, use /var/adm/sudo_debug instead.

Enabling tracing for Sudo Plugin

Troubleshooting > Enabling tracing for Sudo Plugin

Since the Sudo Plugin is not a program, the /tmp/pmplugin.ini file needs be manually created in order to enable tracing for the Sudo Plugin itself.

To create the .ini file to enable tracing for the Sudo Plugin

Run the following as root:

printf 'FileName=/tmp/pmplugin.trc\nLevel=0xffffffff\n' > /tmp/pmplugin.ini

Once you have finished getting the trace output you need, remove the /tmp/pmplugin.ini file to disable tracing.

Join fails to generate a SSH key for sudo policy

Troubleshooting > Join fails to generate a SSH key for sudo policy

If you attempt to join a Sudo Plugin host and see a ssh-keyscan failure message similar to this:

** Generate ssh key [FAIL] 
   - failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known

You might be using an unresolvable, short host name (as myhost in the above example) instead of the fully qualified domain name.

To workaround this issue, add the domain to the search line in the /etc/resolv.conf file.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Safeguard for Sudo 7.3 - Administration Guide

Troubleshooting

Enabling sudo policy debug logging

Enabling tracing for Sudo Plugin

Join fails to generate a SSH key for sudo policy