Configure BeyondInsight for Unix & Linux

You can customize the console using the pbsmc.toml.default file located in:

  • Linux: /etc/pbsmc
  • Windows: %ProgramFiles%\PBSMC

First, you must create a copy of the file using the name pbsmc.toml. You can include only the settings that you want to customize.

BIUL reads its configuration from TOML, a hierarchical markup language in which settings are grouped into sections of keys. Be sure to include the section header in pbsmc.toml. For example, to change the default port number, the entry looks similar to the following:

[server]
port=":4443"

Apply proper security settings on the TOML file. The file owner requires Read and Write privileges.

You can configure the following settings.

Database

By default, the console creates a SQLite database in /etc/pbsmc/pbsmc.sqlite on Linux, or in %ProgramFiles%\pbsmc on Windows. This can be changed to another location.

[database]
dialect="sqlite3"
url="./pbsmc.db"

dialect

Default: sqlite3

The dialect key specifies the type of database BIUL connects to.

url

Default: OS specific, but maps to an SQLite database file with the following connection string:

pbsmc.db?cache=shared&mode=rwc&_busy_timeout=9999999999999999

The url key provides the connection information passed to the database driver. Example values:

  • MSSQL (URL style): sqlserver://sa:Hello2018@pbsmc-sqlserver:1433?database=pbsmc
  • MSSQL (ADO style): server=pbsmc-sqlserver;user id=sa;password=Hello2018;port=1433;database=pbsmc
  • SQLite: etc/pbsmc/pbsmc.db?cache=shared&mode=rwc&_busy_timeout=9999999999999999

Server

By default, the console runs on port 4443. Before changing this value, stop the service.

[server]
disabled=false
port=":4443"
softwarepath="/usr/local/bin/software"
uploads="/tmp/pbsmcUploads"
passwordcost=14

By default, the BeyondInsight for Unix & Linux server runs as the root user. In a Linux environment, you can override this default behavior to run as a dedicated user with only access to the BIUL resources.

  1. Create a Linux user and group you want to use for running BeyondInsight for Unix & Linux:
useradd biul
groupadd biul
usermod -a -G biul biul
  2. Stop the BeyondInsight for Unix & Linux service using systemctl stop pbsmc.
  3. In the server section of the BeyondInsight for Unix & Linux config file (pbsmc.toml), specify this user and group as the value of the runprivs key, separated by a colon (user:group):
runprivs = "biul:biul"

See also the sample config file included with the installation, /etc/pbsmc/pbsmc.toml.default.

port

Default: :4443

The port that BIUL listens for connections on.

disabled

Default: false

Set to true to prevent BIUL from initializing.

softwarepath

Default: ""

The path to where installers are stored on disk.

uploads

Default: An OS specific folder where uploads are temporarily stored until they can be moved to the softwarepath.

passwordcost

Default: 14

The bcrypt cost factor for hashing passwords. Values less than 12 use 12. Values greater than 20 use 20.

SSL

By default, the console supports encrypted HTTPS connections using automatically generated, self-signed certificates. The console serves only HTTPS traffic on the configured port unless it is explicitly configured in pbsmc.toml to fall back to insecure HTTP. Paths to a custom certificate and private key may also be specified in the configuration file.

[ssl]
enabled=true
cert="/usr/local/bin/cert.pem"
key="/usr/local/bin/key.pem"

enabled

Default: true

Whether connections to BIUL are secured with TLS 1.2 or later.

cert

Default: unset

The location on disk to use as the public key/cert for encrypting communications.

If key and cert are provided, key pairs stored in the database are not used.

key

Default: unset

The location on disk to use as the private key for encrypting communications.

If key and cert are provided, key pairs stored in the database are not used.

Worker Pool

Console tasks are run in a concurrent pool of processes. By default, 20 processes run at a time. Increasing the pool size lets jobs complete faster at the cost of higher load on the server; decreasing it has the opposite effect.

[pool]
size=20

size

Default: 20

The number of workers allowed to perform remote actions simultaneously.

Logging

The logging level configuration.

[logging]
loglevel="info"
maxage=365
maxsize=10

loglevel

Default: info

The level of logging to write to disk.

maxage

Default: 365

The maximum age of rotated log files, in days. When a logfile is rotated, the timestamp of the rotation is added to the logfile's name. Any logfiles more than maxage days old when the next file is rotated are deleted.

Because deletion happens only at rotation time, a logfile can remain on disk longer than maxage days: if a logfile happens to be rotated every 10 days, a logfile can exist for more than 365 days.

If set to zero (0), old logfiles are not deleted.

maxsize

Default: 10

The size of a logfile in number of megabytes before the log is rotated.

If set to zero (0), the logfile is not rotated.

Encryption Keys

BIUL encryption keys are base64-encoded AES-256 keys. The key secures sensitive data stored in the database. More than one key can be used at a time; the active key in the pbsmc.toml file is the key currently in use. If you start BeyondInsight for Unix & Linux without an encryption key, one is generated for you. See also the comments in the pbsmc.toml.default file.

[keys]
active="abcdefg"
revoked=[
    "abcd",
    "efgh"
]
known=[
    "abcde",
    "fghij"
]

active

Default: unset

This is the key used to encrypt all secrets in the database. If not provided, a key is generated and written into the settings file.

revoked

Default: dYFnQ8eNHRTnqRahhqwbpizzrEQVK7LK, 8vkb8JJgWRy5h1C421zy2q0sS7i2mdw2

This is a list of keys that are no longer active; any secrets encrypted with these keys should be re-encrypted with the active key.

known

Default: unset

This is a list of keys that BIUL uses to decrypt secrets. known is used as a step in the process of rolling a key. In a cluster of BIUL servers, keys must be synchronized to all servers before all secrets are re-encrypted.

This lets a new key be made known to all servers first; you can then set active to the new key (optionally moving the old key to revoked) and proceed to update active to the new key on the other servers.

In this way, all secrets remain readable by all servers throughout the rollover.


You must restart the service to apply changes.

SSH Cipher and Key Exchange Configuration

[ssh]
ciphers=[
  "aes128-ctr",
  "aes128-gcm",
  "aes128-cbc"
]
key_exchanges=[
  "curve25519-sha256",
  "ecdh-sha2-nistp256",
  "ecdh-sha2-nistp384"
]

ciphers

Default: a list containing the values aes128-gcm, chacha20-poly1305, aes128-ctr, aes192-ctr, aes256-ctr

The list of ciphers allowed when connecting to remote hosts.

Supported values:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-gcm
  • chacha20-poly1305
  • arcfour256
  • arcfour128
  • arcfour
  • aes128-cbc
  • 3des-cbc

key_exchanges

Default: a list containing the values curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384

The list of key exchange algorithms allowed when securing the initial connection to remote hosts.

Supported values:

  • curve25519-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1

Scrypt

Increasing the value of the parameters makes it more difficult for an attacker to crack a given password, but that increase in security slows down the login process for a legitimate user.


Unless you fully understand the implications of adjustments to the parameters below, we recommend using the default parameters. For help with this specific configuration, contact BeyondTrust Support.

[scrypt]
N=65536
r=8
p=1

N

Default: 65536

The CPU/Memory cost parameter. N is the most commonly adjusted parameter. N is the main factor governing how much memory the algorithm uses.

Value for N must be:

  • Greater than 1
  • A power of 2
  • Less than 2^(128*r/8)

r

Default: 8

The block size parameter.

Value for r must be greater than 0.

p

Default: 1

The degree of parallelism parameter.

Value for p must be greater than 0.