To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Safeguard for Sudo.
Debug logs can help you determine if the sudo options are being enabled correctly in the policy.
To enable debug logging for Sudo policy
-
Add a debug line to the /etc/sudo.conf file. For example, to log debug and trace information to the file /var/log/sudo_debug, add:
Debug sudo /var/log/sudo_debug all@debug
For systems without a /var/log directory, use /var/adm/sudo_debug instead. Remove the Debug line again when you have finished: at all@debug sudo records its policy evaluation for every invocation, so the file grows quickly.
Because the Sudo Plugin is not a standalone program, the /tmp/pmplugin.ini file needs to be created manually to enable tracing for the Sudo Plugin itself.
To create the .ini file to enable tracing for the Sudo Plugin
-
Run the following as root:
printf 'FileName=/tmp/pmplugin.trc\nLevel=0xffffffff\n' > /tmp/pmplugin.ini
-
Once you have the trace output you need, remove the /tmp/pmplugin.ini file to disable tracing, and copy or delete the /tmp/pmplugin.trc trace file so that it is not left behind in /tmp.
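The enable and disable steps above, wrapped in shell functions, as an added example that is not One Identity's code. The /tmp/pmplugin.ini path, the FileName= and Level= keys and the 0xffffffff level come from the page; the function names, the optional directory argument (defaulting to /tmp) and the 0600 handling of the trace file are this example's own choices.

```sh
#!/bin/sh
# Added example (not One Identity's code): wrapper around the Sudo Plugin
# trace toggle. Paths, keys and the trace level are from the documentation;
# function names and the directory argument are assumptions of this example.

# Create the control file that tells the plugin to trace. Refuses to run if
# tracing is already on so an existing configuration is not overwritten.
pmplugin_trace_enable() {
    dir="${1:-/tmp}"
    ini="$dir/pmplugin.ini"
    trc="$dir/pmplugin.trc"
    if [ -e "$ini" ]; then
        echo "trace already enabled: $ini exists" >&2
        return 1
    fi
    # /tmp is shared by every local user. Pre-create the trace file with
    # mode 0600 so that, if the plugin reuses the existing file, its contents
    # are not world-readable (assumption: the plugin opens the existing file
    # rather than unlinking and recreating it).
    (umask 077 && rm -f "$trc" && : > "$trc" \
        && printf 'FileName=%s\nLevel=0xffffffff\n' "$trc" > "$ini")
}

# Returns 0 if the control file is present (tracing requested), 1 otherwise.
pmplugin_trace_enabled() {
    [ -e "${1:-/tmp}/pmplugin.ini" ]
}

# Remove the control file. If a second argument is given, move the trace
# file there so it can be reviewed after tracing is off and nothing stays
# behind in the shared directory.
pmplugin_trace_disable() {
    dir="${1:-/tmp}"
    keep="$2"
    rm -f "$dir/pmplugin.ini"
    if [ -n "$keep" ] && [ -e "$dir/pmplugin.trc" ]; then
        mv "$dir/pmplugin.trc" "$keep"
    fi
}
```

Typical use as root: `pmplugin_trace_enable`, reproduce the problem with the sudo command in question, then `pmplugin_trace_disable /tmp /root/pmplugin.trc` to stop tracing and move the output out of /tmp.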
If you attempt to join a Sudo Plugin host and see a ssh-keyscan failure message similar to this:
** Generate ssh key [FAIL]
- failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known
You might be using an unresolvable short host name (myhost in the example above) instead of the fully qualified domain name.
To work around this issue, add the host's domain to the search line in the /etc/resolv.conf file so that the short name resolves, or join using the fully qualified domain name.
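A pre-join check for this failure, as an added example that is not One Identity's code: it reads the search domains from a resolv.conf, builds the fully qualified names a short host name could expand to, and asks the resolver whether any of them is known, which reproduces the getaddrinfo lookup ssh-keyscan performs. The function names and the resolv.conf path argument are this example's own; the page only describes the search line fix.

```sh
#!/bin/sh
# Added example (not One Identity's code): diagnose the
# "getaddrinfo <host>: Name or service not known" join failure before
# retrying. Function names and the resolv.conf argument are assumptions.

# Print the search domains from the given resolv.conf, one per line
# (the "search" directive and the older single-domain "domain" directive).
resolv_search_domains() {
    awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print the names to try for $1: the name itself if it already contains a
# dot, otherwise the short name qualified with each search domain in $2.
fqdn_candidates() {
    host=$1
    conf=$2
    case "$host" in
        *.*) echo "$host"; return 0 ;;
    esac
    resolv_search_domains "$conf" | while read -r d; do
        echo "$host.$d"
    done
}

# Print the first candidate the resolver knows and return 0; return 1 if
# none resolves. "getent ahosts" goes through getaddrinfo, the same call
# that failed inside ssh-keyscan, so it fails for the same reason.
resolvable_name() {
    host=$1
    conf=${2:-/etc/resolv.conf}
    for name in $(fqdn_candidates "$host" "$conf"); do
        if getent ahosts "$name" >/dev/null 2>&1; then
            echo "$name"
            return 0
        fi
    done
    echo "no resolvable name for $host: add its domain to the search line in $conf, or join with the FQDN" >&2
    return 1
}
```

Run `resolvable_name myhost` on the host you are about to join; if it prints nothing and returns 1, the search line fix (or joining with the FQDN) is needed before ssh-keyscan will succeed.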