Configure BeyondInsight for Unix & Linux

You can customize the console using the pbsmc.toml.default file located in:

  • Linux: /etc/pbsmc
  • Windows: %ProgramFiles%\PBSMC

First, you must create a copy of the file using the name pbsmc.toml. You can include only the settings that you want to customize.

The BIUL API uses a markup language called TOML that is hierarchical. The settings are divided into sections and keys. Be sure to include the section title in pbsmc.toml. For example, if you want to change the default port number, the text will look similar to the following:

[server]
port="4443"

Apply proper security settings on the TOML file. The file owner requires Read and Write privileges.

You can configure the following settings.

Database

By default, the console creates a SQLite database in /etc/pbsmc/pbsmc.sqlite on Linux, or in %ProgramFiles%\pbsmc on Windows. This can be changed to another location.

[database]
dialect="sqlite3"
url="./pbsmc.db"

dialect

Default: sqlite3

The dialect key allows a user to specify what type of database BIUL will connect to.

url

Default: The default is OS specific, but maps to using an sqlite database file with the following config:

pbsmc.db?cache=shared&mode=rwc&_busy_timeout=9999999999999999

The url is a key that will allow a user to provide connection information to our database driver.

MSSQL URLstyle
sqlserver://sa:Hello2018@pbsmc-sqlserver:1433?database=pbsmc
MSSQL ADO Style
server=pbsmc-sqlserver;user id=sa;password=Hello2018;port=1433;database=pbsmc
sqlite
etc/pbsmc/pbsmc.db?cache=shared&mode=rwc&_busy_timeout=9999999999999999

Server

By default, the console runs on port 4443. Before changing this value, stop the service.

[server]
disabled=false
port=":4443"
softwarepath="/usr/local/bin/software"
uploads="/tmp/pbsmcUploads"
passwordcost=14

port

Default: :4443

The port that BIUL listens for connections on.

disabled

Default: false

A setting to disable BIUL from attempting to initialize.

softwarepath

Default: ""

The path to where installers are stored on disk.

uploads

Default: An OS specific folder where uploads are temporarily stored until they can be moved to the softwarepath.

passwordcost

Default: 14

The bcrypt cost factor for hashing passwords. Values less than 12 use 12. Values greater than 20 use 20.

SSL

By default, the console supports encrypted HTTPS connections using automatically generated, self-signed certificates. The console serves only HTTPS traffic on the configured port, unless explicitly configured to fall back to insecure HTTPS in the pbsmc.toml configuration file. A custom certificate pair may also be provided and placed in the configuration file.

[ssl]
enabled=true
cert="/usr/local/bin/cert.pem"
key="/usr/local/bin/key.pem"

enabled

Default: true

Whether to use TLS 1.2+ to secure connections to BIUL or not.

cert

Default: unset

The location on disk to use as the public key/cert for encrypting communications.

If key and cert are provided, key pairs stored in the database are not used.

key

Default: unset

The location on disk to use as the private key for encrypting communications.

If key and cert are provided, key pairs stored in the database are not used.

Worker Pool

Console tasks are run in a concurrent pool of processes. The default number of processes running at a time is 20. You can increase the pool size to allow jobs to complete faster. However, the server performance might lag, and decreasing the pool size has the opposite effect.

[pool]
size=20

size

Default: 20

The number of workers that are allowed to operate performing remote actions simultaneously.

Logging

The logging level configuration.

[logging]
loglevel="info"
maxage=365
maxsize=10

loglevel

Default: info

The level of logging to write to disk.

maxage

Default: 365

The maximum age of rotated log files. When a logfile is rotated it has the timestamp of when it was rotated added to the logfile's name. Any logfiles that are more than maxage days old when the next file is rotated are deleted.

If a logfile happens to be rotated every 10 days, then it is possible for a logfile to exist on disk for more than 365 days.

If set to zero (0), old logfiles are not deleted.

maxsize

Default: 10

The size of a logfile in number of megabytes before the log is rotated.

If set to zero (0), the logfile is not rotated.

Encryption Keys

Encryption keys for BIUL use base64 encoded AES-256 encryption. The key secures sensitive data stored in the database. More than one key can be used at a time. The active key in the pbsmc.toml file is the key currently in use. If you start BeyondInsight for Unix & Linux without an encryption key, one is generated for you. You can review the comments in the pbsmc.toml.default file.

[keys]
active="abcdefg"
revoked= [
    "abcd",
    "efgh"
]
known = [
    "abcde",
    "fghij"

]

active

Default: unset

This is the key that is used to encrypt all secrets in the database. If not provided it is created and the settings file mutated.

revoked

Default: dYFnQ8eNHRTnqRahhqwbpizzrEQVK7LK, 8vkb8JJgWRy5h1C421zy2q0sS7i2mdw2

This is a list of keys that are no longer active; any secrets that are encrypted with the keys should be re-encrypted with the active key.

known

Default: unset

This is a list of keys that BIUL uses to decrypt secrets. known is used as a step in the process of rolling a key. In the event of a cluster of BIUL servers, it is necessary to synchronize keys to all servers before the process of re-encrypting all secrets occurs.

This allows a key to be known by all servers, then you can update active to the new key, potentially moving an old key to revoked, and then begin the process of moving other servers to update their active key to the new key.

This allows all secrets to be readable by all servers.

 

You must restart the service to apply changes.

SSH Cipher and Key Exchange Configuration

[ssh]
ciphers=[
  "aes128-ctr",
  "aes128-gcm",
  "aes128-cbc"
]
key_exchanges=[
  "curve25519-sha256",
  "ecdh-sha2-nistp256",
  "ecdh-sha2-nistp384"
]

ciphers

Default: a list containing the values aes128-gcm, chacha20-poly1305, aes128-ctr, aes192-ctr, aes256-ctr

This is used to configure the list of allowed ciphers to be used while connecting to remote hosts.

Supported values:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-gcm
  • chacha20-poly1305
  • arcfour256
  • arcfour128
  • arcfour
  • aes128-cbc
  • 3des-cbc

key exchanges

Default: a list containing the values curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384

This is used to configure the list of allowed key exchange algorithms used to secure the initial connection to remote hosts.

Supported values:

  • curve25519-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1