To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Safeguard for Sudo.
Enabling sudo policy debug logging
Enabling tracing for Sudo Plugin
Join fails to generate a SSH key for sudo policy
Join to policy group failed on Sudo Plugin
Load balancing and policy updates
Setting alert for syntactically incorrect policies
Automatic synchronization failed
Failed to push references to Git URL
Debug logs can help you determine if the sudo options are being enabled correctly in the policy.
To enable debug logging for Sudo policy
Add a debug line to the /etc/sudo.conf file. For example, to log debug and trace information to the file /var/log/sudo_debug, add:
Debug sudo /var/log/sudo_debug all@debug
For systems without a /var/log directory, use /var/adm/sudo_debug instead.
Since the Sudo Plugin is not a program, the /tmp/pmplugin.ini file needs be manually created in order to enable tracing for the Sudo Plugin itself.
To create the .ini file to enable tracing for the Sudo Plugin
Run the following as root:
printf 'FileName=/tmp/pmplugin.trc\nLevel=0xffffffff\n' > /tmp/pmplugin.ini
Once you have finished getting the trace output you need, remove the /tmp/pmplugin.ini file to disable tracing.
If you attempt to join a Sudo Plugin host and see a ssh-keyscan failure message similar to this:
** Generate ssh key [FAIL] - failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known
You might be using an unresolvable, short host name (as myhost in the above example) instead of the fully qualified domain name.
To workaround this issue, add the domain to the search line in the /etc/resolv.conf file.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center
