IBM Support

QRadar: Patch upgrade fails with error "sudo: parse error in /etc/sudoers near line xxx"

Troubleshooting


Problem

Patch upgrade fails to run due to bad characters in the /etc/sudoers file.

Symptom

Immediately after running the patch upgrade, the following message is displayed:
sudo: parse error in /etc/sudoers near line xxx
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

Cause

Because QRadar® does not use sudoers by default, this issue can occur when manual edits add badly formatted text to the /etc/sudoers file on an appliance.

Additionally, manually copying text from Windows® to Linux® might result in unwanted end-of-line characters being added. Refer to Adding custom actions to learn how to use the dos2unix command.
Note: Administrators should not manually add sudo users unless they are using Security Technical Implementation Guide (STIG) or FIPS deployments.

Environment

QRadar® Appliances with Linux sudoers customizations.

Diagnosing The Problem

  1. Take note of the line reported in the error.
    sudo: parse error in /etc/sudoers near line 122
    sudo: no valid sudoers sources found, quitting
    sudo: unable to initialize policy plugin
  2. Display the line reported in the error by using the cat command.
    cat -An /etc/sudoers | grep 122 -B 4 -A 10
    122  Cmnd_Alias IBM_UNIX_PIM_CMDS = /usr/bin/passwd,/usr/sbin/useradd, \$
    123  M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  /usr/sbin/usermod,/usr/sbin/userdel,/usr/bin/tee,/bin/chmod, \$
    124  M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  /bin/cat,/bin/ls,/usr/bin/chage,/usr/bin/groups,/bin/ed, \$
    125  M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  /bin/cp,/usr/bin/faillog,/usr/sbin/groupadd,/usr/sbin/groupmod, \$
    126  M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  /usr/sbin/groupdel,/usr/bin/kill,/bin/hostname,/sbin/faillock, \$
    127  M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  /sbin/pam_tally2,/bin/mkdir,/bin/rm,/usr/bin/lastlog,/sbin/faillog, \$
    128  M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  /usr/bin/psql,/usr/bin/pg_dump,/usr/bin/htpasswd,/opt/qradar/ha/bin/ha_getstate.sh,\$
    129  M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  /opt/qradar/support/changePasswd.sh$
    130  $
    131  mspipat1M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  ALL=NOPASSWD:IBM_UNIX_AE_BAU_CMDS$
    132  svcmssM-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM- M-BM-  ALL=NOPASSWD:IBM_UNIX_PIM_CMDS$
    133  $
In the previous output, the M-BM- characters indicate badly formatted text. Well-formatted text looks like the following:
122  Cmnd_Alias IBM_UNIX_PIM_CMDS = /usr/bin/passwd,/usr/sbin/useradd, \$
123                  /usr/sbin/usermod,/usr/sbin/userdel,/usr/bin/tee,/bin/chmod, \$
124                  /bin/cat,/bin/ls,/usr/bin/chage,/usr/bin/groups,/bin/ed, \$
125                  /bin/cp,/usr/bin/faillog,/usr/sbin/groupadd,/usr/sbin/groupmod, \$
126                  /usr/sbin/groupdel,/usr/bin/kill,/bin/hostname,/sbin/faillock, \$
127                  /sbin/pam_tally2,/bin/mkdir,/bin/rm,/usr/bin/lastlog,/sbin/faillog, \$
128                  /usr/bin/psql,/usr/bin/pg_dump,/usr/bin/htpasswd,/opt/qradar/ha/bin/ha_getstate.sh,\$
129                  /opt/qradar/support/changePasswd.sh$
130 $
131 mspipat1        ALL=NOPASSWD:IBM_UNIX_AE_BAU_CMDS$
132 svcmss          ALL=NOPASSWD:IBM_UNIX_PIM_CMDS$
133 $

Resolving The Problem

To resolve this issue, administrators must either remove the lines that contain the badly formatted characters or replace them with well-formatted lines in the /etc/sudoers file.
Note: The following steps use the line numbers reported in the Diagnosing the Problem section in this technote. The administrator must change the commands according to their environment.
Remove bad-formatted text procedure
  1. Log in to the appliance by using SSH, XCC, or equivalent as the root user.
  2. Delete the lines containing the bad-formatted text by using the sed command.
    1. Create a backup directory and back up the existing file.
      mkdir -p /store/IBM_Support
      cp -pfv /etc/sudoers /store/IBM_Support/
    2. Delete the conflicting lines.
      Note: In this technote, the conflicting lines run from line 122 to line 132. The following command deletes all those lines at once.
      sed -i '122,132d' /etc/sudoers
  3. Rerun the patch.
    /media/updates/installer
Replace bad-formatted text procedure
Note: This procedure requires another appliance that contains text equivalent to the text on the affected appliance. Additionally, knowledge of the vim command is required.
  1. Gather the right output from another appliance that is not affected by this issue.
    1. Log in to the appliance by using SSH, XCC, or equivalent as the root user.
    2. Verify the content to be copied is well-formatted (see the Diagnosing the Problem section).
      cat -A /etc/sudoers
    3. Create a backup directory and back up the existing file.
      mkdir -p /store/IBM_Support
      cp -pfv /etc/sudoers /store/IBM_Support/
    4. Copy the content of the lines required using the cat command.
      cat /etc/sudoers
  2. Copy the previously gathered content and use it to replace the conflicting content in the /etc/sudoers file on the affected appliance.
    1. Log in to the appliance by using SSH, XCC, or equivalent as the root user.
    2. Remove and replace the content of the conflicting lines by using the vim command.
      1. Go to the conflicting line (see the Diagnosing the Problem section).
        vim +122 /etc/sudoers
      2. Press ESC to ensure vim is in Normal mode.
      3. Type :set nu to display the line numbers in the file.
      4. Navigate through the lines using the arrow keys on the keyboard.
      5. Remove each of the lines by pressing dd.
      6. Paste the well-formatted lines in their corresponding line (previously gathered in step 1).
      7. Save and exit the vim editor by pressing :wq
  3. Rerun the patch.
    /media/updates/installer
Result:
The patch screen must start successfully.
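
Added example (not part of the IBM technote): cat -A prints the UTF-8 no-break space (bytes 0xC2 0xA0) as "M-BM- ", so this script generalizes the diagnosis and repair above by flagging every line that holds a non-ASCII or carriage-return byte, repairing a copy, and installing the copy only if visudo -cf accepts it. The function names and the sample file are constructed for illustration; install_if_valid is defined but not called by the demo.

```shell
#!/bin/sh
# Added example (not IBM's procedure): find and repair stray bytes in a COPY of
# sudoers, then let visudo validate the copy before it replaces the live file.

# Print the numbers of lines holding any byte that is not a tab or printable
# ASCII, e.g. CR from Windows line endings or 0xC2 0xA0 (UTF-8 no-break space).
find_bad_lines() {
    LC_ALL=C awk '/[^\t -~]/ { print NR }' "$1"
}

# Write a repaired copy of $1 to $2: no-break spaces become plain spaces and
# trailing carriage returns are dropped. The source file is never modified.
clean_copy() {
    nbsp=$(printf '\302\240')
    cr=$(printf '\r')
    LC_ALL=C sed -e "s/${nbsp}/ /g" -e "s/${cr}\$//" "$1" > "$2"
}

# Install the repaired copy only if visudo accepts its syntax (run as root).
install_if_valid() {
    visudo -cf "$1" || return 1
    install -o root -g root -m 0440 "$1" /etc/sudoers
}

# Constructed sample reproducing the technote's damage; the alias and user
# names come from the output shown above, the file path is hypothetical.
make_sample() {
    printf 'Cmnd_Alias IBM_UNIX_PIM_CMDS = /usr/bin/passwd, \\\n' > "$1"
    printf '\302\240\302\240\302\240 /usr/sbin/usermod\n' >> "$1"
    printf 'svcmss\302\240\302\240 ALL=NOPASSWD:IBM_UNIX_PIM_CMDS\r\n' >> "$1"
}

# Show the damaged line numbers before and after cleaning, in a temp directory.
demo() {
    work=$(mktemp -d) || return 1
    make_sample "$work/sudoers.bad"
    echo "before: $(find_bad_lines "$work/sudoers.bad" | tr '\n' ' ')"
    clean_copy "$work/sudoers.bad" "$work/sudoers.clean"
    echo "after:  $(find_bad_lines "$work/sudoers.clean" | tr '\n' ' ')"
    rm -rf "$work"
}

demo
```

On an appliance, run clean_copy against the backup in /store/IBM_Support and call install_if_valid on the result as root, so that a file visudo rejects never reaches /etc/sudoers.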

Document Location

Worldwide


Document Information

Modified date:
20 May 2021

UID

ibm16450949