Privilege Management for Unix & Linux Servers Configuration

The Privilege Management for Unix & Linux Servers Configuration policy setting installs a pb.conf file on target computers that run Privilege Management for Unix & Linux Servers as a Policy Server, which enables Privilege Management for Unix & Linux Servers rules to function. On each computer, the policyfile and policydir settings in /etc/pb.settings determine where the PowerBroker configuration policy file is placed. These values indicate the file and path that the Policy Server is configured to use for determining policy (typically /etc/pb.conf). If a file already exists at that location, it is backed up before Group Policy installs the new policy configuration.

Before Privilege Management for Unix & Linux Servers rules can be deployed using Group Policy, you must define a Privilege Management for Unix & Linux Servers configuration file (pb.conf) that will be deployed to PB Masters.

There are several sources from which you can obtain a configuration file.

  • If you are already using Privilege Management for Unix & Linux Servers, you can import your existing configuration file.
  • If you have not previously used Privilege Management for Unix & Linux Servers or do not have a configuration file, you can import a copy of the default configuration file that is installed with AD Bridge. We recommend that you use this file without modification unless you are an advanced administrator of Privilege Management for Unix & Linux Servers.
  • If you are an advanced administrator of Privilege Management for Unix & Linux Servers and familiar with Privilege Management for Unix & Linux Servers syntax, you can import a copy of the default configuration file to serve as a template and modify it as needed to use advanced Privilege Management for Unix & Linux Servers functionality.

If keystroke logging is enabled in a Privilege Management for Unix & Linux Servers rule, keystrokes are logged to a separate file for each command instance. The path and file name format for these files are specified in the pb.conf file. The path and file prefix are defined in the _iolog_file_ variable. The file name is defined by the iolog variable.

The default pb.conf file is installed in the AD Bridge software installation directory. This pb.conf file is designed to process the Privilege Management for Unix & Linux Servers Policy Rules Data (/etc/pb/Policy.csv) that is created and maintained by the Create PowerBroker Server Policy Rules policy setting. It will apply all of the fields that the Privilege Management for Unix & Linux Servers Rule Editor supports when running on target PB Master computers.

To import a copy of a Privilege Management for Unix & Linux Servers configuration file so that you can deploy Privilege Management for Unix & Linux Servers rules:

  1. In Group Policy Management Console (GPMC), right-click an existing GPO and click Edit to open the Group Policy Management Editor.

Group Policy Management Editor > PBUL Configuration

  2. In the Group Policy Management Editor, expand Computer Configuration > Policies > Unix and Linux Settings > BeyondTrust Settings > PowerBroker Servers > PBUL Configuration.
  3. Double-click the Define PBUL Configuration file policy setting to open the Define PBUL Configuration file Properties dialog.
  4. Click Import to import a copy of a Privilege Management for Unix & Linux Servers configuration file (pb.conf). The default pb.conf file is located in the AD Bridge software installation directory (typically C:\Program Files\BeyondTrust\PBIS\Enterprise\Resources\Configuration\pb.conf).

Define PBUL Configuration file Properties

You do not need to make any changes to the file. However, if you are an advanced administrator of PBUL who is familiar with PBUL syntax, you can edit the imported file on this dialog box.

  5. Optional. To turn on monitoring for local pb.conf files, check the Monitor this policy setting box. If the Group Policy agent detects local tampering of the pb.conf file, audit event warnings are logged and the local file is replaced by the pb.conf file specified in this policy setting.
  6. Click OK.

The pb.conf file that you have imported is a copy of the one installed in the AD Bridge software installation directory (typically C:\Program Files\BeyondTrust\PBIS\Enterprise\Resources\Configuration\pb.conf). If an administrator inadvertently alters the pb.conf file that has been imported, you can replace it by repeating this procedure to import a new copy of the default pb.conf file.
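
The script below is an added example, not part of the BeyondTrust documentation or product. Run on a Policy Server, it resolves the policy file location from the policyfile and policydir settings and compares the local file with a reference copy of the pb.conf defined in the GPO. The pb.settings line format, the rule that a relative policyfile is joined to policydir, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not BeyondTrust code. Assumptions: pb.settings holds
# "keyword value" lines with "#" comments, and a relative policyfile
# is resolved against policydir.

# Print the value of keyword $2 in settings file $1
# (if the keyword is repeated, the last occurrence is used here).
pb_setting() {
    awk -v key="$2" '
        { sub(/#.*/, "") }            # strip comments
        $1 == key { val = $2 }
        END { gsub(/^"|"$/, "", val); print val }
    ' "$1"
}

# Print the policy file path the Policy Server is configured to read.
policy_path() {
    file=$(pb_setting "$1" policyfile)
    dir=$(pb_setting "$1" policydir)
    [ -n "$file" ] || file=/etc/pb.conf   # typical location named on the page
    case "$file" in
        /*) printf '%s\n' "$file" ;;
        *)  [ -n "$dir" ] || return 1
            printf '%s/%s\n' "${dir%/}" "$file" ;;
    esac
}

# Compare the local policy file with reference copy $2.
# Returns 0 match, 1 content drift, 2 unresolved/missing, 3 loose permissions.
check_policy() {
    path=$(policy_path "$1") || return 2
    [ -f "$path" ] && [ -f "$2" ] || return 2
    cmp -s "$path" "$2" || return 1
    # A group- or world-writable policy file lets non-root users change the rules.
    [ -z "$(find "$path" \( -perm -020 -o -perm -002 \))" ] || return 3
}

# Usage: sh check_pbconf.sh /etc/pb.settings /path/to/reference/pb.conf
if [ $# -eq 2 ]; then
    check_policy "$1" "$2"; rc=$?
    echo "policy file: $(policy_path "$1") (status $rc)"
    exit "$rc"
fi
```

A non-zero status from a scheduled run is a useful signal to correlate with the audit event warnings that the Monitor this policy setting option produces.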