Troubleshooting
Problem
Patch upgrade fails to run due to bad characters in the /etc/sudoers file.
Symptom
Immediately after running the patch upgrade, the following message is displayed:
sudo: parse error in /etc/sudoers near line xxx
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
Cause
Because QRadar® does not use sudoers by default, this issue can occur when badly formatted text is added through manual edits to the /etc/sudoers file on the appliances.
Additionally, manually copying text from Windows® to Linux® might result in Windows end-of-line characters being added. Refer to Adding custom actions to learn how to use the dos2unix command.
Note: Administrators should not manually add sudo users unless they are on Security Technical Implementation Guide (STIG) or FIPS deployments.
Environment
QRadar® Appliances with Linux sudoers customizations.
Diagnosing The Problem
- Take note of the line reported in the error.
sudo: parse error in /etc/sudoers near line 122
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
- Go to the line that displays the error by using the cat command.
cat -An /etc/sudoers | grep 122 -B 4 -A 10
122 Cmnd_Alias IBM_UNIX_PIM_CMDS = /usr/bin/passwd,/usr/sbin/useradd, \$
123 M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- /usr/sbin/usermod,/usr/sbin/userdel,/usr/bin/tee,/bin/chmod, \$
124 M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- /bin/cat,/bin/ls,/usr/bin/chage,/usr/bin/groups,/bin/ed, \$
125 M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- /bin/cp,/usr/bin/faillog,/usr/sbin/groupadd,/usr/sbin/groupmod, \$
126 M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- /usr/sbin/groupdel,/usr/bin/kill,/bin/hostname,/sbin/faillock, \$
127 M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- /sbin/pam_tally2,/bin/mkdir,/bin/rm,/usr/bin/lastlog,/sbin/faillog, \$
128 M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- /usr/bin/psql,/usr/bin/pg_dump,/usr/bin/htpasswd,/opt/qradar/ha/bin/ha_getstate.sh,\$
129 M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- /opt/qradar/support/changePasswd.sh$
130 $
131 mspipat1M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- ALL=NOPASSWD:IBM_UNIX_AE_BAU_CMDS$
132 svcmssM-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- ALL=NOPASSWD:IBM_UNIX_PIM_CMDS$
133 $
In the previous output, the M-BM- characters indicate badly formatted text. Well-formatted text looks like the following:
122 Cmnd_Alias IBM_UNIX_PIM_CMDS = /usr/bin/passwd,/usr/sbin/useradd, \$
123 /usr/sbin/usermod,/usr/sbin/userdel,/usr/bin/tee,/bin/chmod, \$
124 /bin/cat,/bin/ls,/usr/bin/chage,/usr/bin/groups,/bin/ed, \$
125 /bin/cp,/usr/bin/faillog,/usr/sbin/groupadd,/usr/sbin/groupmod, \$
126 /usr/sbin/groupdel,/usr/bin/kill,/bin/hostname,/sbin/faillock, \$
127 /sbin/pam_tally2,/bin/mkdir,/bin/rm,/usr/bin/lastlog,/sbin/faillog, \$
128 /usr/bin/psql,/usr/bin/pg_dump,/usr/bin/htpasswd,/opt/qradar/ha/bin/ha_getstate.sh,\$
129 /opt/qradar/support/changePasswd.sh$
130 $
131 mspipat1 ALL=NOPASSWD:IBM_UNIX_AE_BAU_CMDS$
132 svcmss ALL=NOPASSWD:IBM_UNIX_PIM_CMDS$
133 $
Resolving The Problem
To resolve this issue, administrators must either remove the lines that contain the badly formatted characters or replace them with well-formatted lines in the /etc/sudoers file.
Note: The following steps use the line numbers reported in the Diagnosing the Problem section in this technote. The administrator must change the commands according to their environment.
Remove bad-formatted text procedure
- Log in to the appliance by using SSH, XCC, or equivalent as the root user.
- Delete the lines containing the bad-formatted text by using the sed command.
- Create a backup directory and backup the existing file.
mkdir -p /store/IBM_Support
cp -pfv /etc/sudoers /store/IBM_Support/
- Delete the conflicting lines.
Note: In this technote, the conflicting lines run from line 122 to line 132. The following command deletes all those lines at once.
sed -i '122,132d' /etc/sudoers
- Rerun the patch.
/media/updates/installer
Replace bad-formatted text procedure
Note: This procedure requires another appliance that has text equivalent to the affected one. Knowledge of the vim command is also required.
- Gather the right output from another appliance that is not affected by this issue.
- Log in to the appliance by using SSH, XCC, or equivalent as the root user.
- Verify the content to be copied is well-formatted (see the Diagnosing the Problem section).
cat -A /etc/sudoers
- Create a backup directory and backup the existing file.
mkdir -p /store/IBM_Support
cp -pfv /etc/sudoers /store/IBM_Support/
- Copy the content of the lines required using the cat command.
cat /etc/sudoers
- Use the previously gathered content to replace the conflicting lines in /etc/sudoers on the affected appliance.
- Log in to the appliance by using SSH, XCC, or equivalent as the root user.
- Remove and replace the content of the conflicting lines by using the vim command.
- Go to the conflicting line (see the Diagnosing the Problem section).
vim +122 /etc/sudoers
- Press ESC to ensure vim is in Normal mode.
- Type :set nu to display the line numbers in the file.
- Navigate through the lines using the arrow keys on the keyboard.
- Remove each of the lines by pressing dd.
- Paste the well-formatted lines in their corresponding line (previously gathered in step 1).
- Save and exit the vim editor by pressing :wq
- Rerun the patch
/media/updates/installer
Result:
The patch screen must start successfully.
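The following shell functions are an added example, not part of the IBM technote. They list the damaged lines without relying on the line number from the error, write a cleaned copy, and syntax-check a candidate file with visudo -c -f before it replaces /etc/sudoers. They assume the stray bytes are UTF-8 non-breaking spaces (0xC2 0xA0, which cat -A prints as M-BM- followed by a space) or carriage returns; the function names and the sample content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the technote. Works on copies; never edits /etc/sudoers.
NBSP=$(printf '\302\240')  # UTF-8 non-breaking space (cat -A shows "M-BM- ")
CR=$(printf '\r')          # carriage return from Windows line endings ("^M")

# Print the number of each line holding a byte that is not tab or printable
# ASCII. Non-ASCII text inside comments is reported as well.
find_bad_lines() {
    LC_ALL=C awk '/[^\t -~]/ { print NR }' "$1"
}

# Write a cleaned copy of $1 to $2: non-breaking spaces become plain spaces
# and a trailing carriage return is dropped.
clean_copy() {
    LC_ALL=C sed -e "s/${NBSP}/ /g" -e "s/${CR}\$//" "$1" > "$2"
}

# Parse a candidate file with visudo in check-only mode; non-zero means sudo
# would reject it. Run this before copying the candidate over /etc/sudoers.
check_syntax() {
    visudo -c -f "$1"
}

# Constructed sample with the same kind of damage as the technote's output.
make_sample() {
    printf 'Cmnd_Alias DEMO_CMDS = /bin/ls, \\\n' > "$1"
    printf '%s%s/bin/cat\r\n' "$NBSP" "$NBSP" >> "$1"
    printf 'demo%sALL=NOPASSWD:DEMO_CMDS\n' "$NBSP" >> "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/sudoers.bad"
echo "damaged lines: $(find_bad_lines "$tmp/sudoers.bad" | tr '\n' ' ')"
clean_copy "$tmp/sudoers.bad" "$tmp/sudoers.clean"
echo "damaged lines after cleaning: $(find_bad_lines "$tmp/sudoers.clean" | wc -l)"
rm -rf "$tmp"
```

On an appliance, run find_bad_lines and clean_copy against the backup under /store/IBM_Support, and install the cleaned file only after check_syntax returns 0.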
Document Location
Worldwide
Document Information
Modified date:
20 May 2021
UID
ibm16450949