Manage and Test System Configuration

Privilege Management for Unix and Linux system administration sometimes involves validating or troubleshooting an installation. These tasks are performed using the Privilege Management for Unix and Linux pbbench and pbcheck utilities.

pbbench

The pbbench program provides useful information for solving configuration, file permission, and network problems. It reads the Privilege Management for Unix and Linux settings file on the local machine and uses system information, such as that found in /etc/services and /etc/hosts or NIS, to verify the information in the settings file.

If pbbench detects an error, then it displays an error message. Output consists of information about the tests that were performed, the results of the tests, and any errors that were encountered. By default, this output goes to standard error. If no errors are detected, then pbbench returns silently.

pbbench checks for very old versions of Privilege Management for Unix and Linux (pre-2.0) by looking for /etc/pb.ports and /etc/pb.masters and reports a warning if these are found. The HTML GUI version of pbbench does not check for the Privilege Management for Unix and Linux pre-v2 files.

pbbench is treated as a user program and can be run by root and non-root users. However, some non-root user queries might fail for lack of permissions. The location of pbbench can be set during Privilege Management for Unix and Linux installation. The default location of pbbench is /usr/local/bin.

To run pbbench and redirect the output to a file rather than to standard error, use the command:

pbbench > filename
pbbench > pbbench.output

Privilege Management for Unix and Linux expects to find some file permissions and network configurations in a certain condition. Privilege Management for Unix and Linux might or might not run depending on these conditions. pbbench generates INFO, WARNING, and ERROR messages to report its findings. Some of the findings are merely informational, but some need to be heeded.

For more information, please see pbbench.

pbcheck

The Privilege Management for Unix and Linux pbcheck utility provides the capability to test the policy file and also to produce data that describes which commands can run under what conditions.

For detailed information on this utility, please see pbcheck.

Testing Policies

pbcheck can perform syntax, type, and other checks on a policy file. A common use for this utility is to test a new policy for errors before installing it on a live system. To test a new policy, enter the following:

pbcheck -f filename

or

pbcheck --file= filename

Another typical use for pbcheck is to check the syntax in an existing policy file without executing a function or procedure. This action is done with the following command:

pbcheck -s

or

pbcheck --syntax

With no options, pbcheck performs a run-check on the configuration policy file that is specified in the settings file.

Entitlement Reporting

  • Version 4.0 and earlier: entitlement reporting not available.
  • Version 5.0 and later: entitlement reporting available.

Entitlement reporting is an essential element of audit control (for Sarbanes-Oxley compliance in the U.S., for example). Beginning with Privilege Management for Unix and Linux v5.0, pbcheck can use the Privilege Management for Unix and Linux parser to emulate simple policies and produce data that describes which commands can run under what conditions.

The resulting data is presented as comma-separated values that can be fed to the Privilege Management for Unix and Linux report writer to produce a full entitlement report, or be exported to other programs.

Because the Privilege Management for Unix and Linux policy language is so extensive, entitlement reporting has two important limitations:

  1. Policies can use external data sources and programs. Privilege Management for Unix and Linux can base entitlement decisions on these external sources. However, these external sources can produce different results without the policy ever changing.
  2. Policies can be quite complex. As a result, a complex policy could produce an incomplete report.

For more information about additional limitations of entitlement reporting, please see pbcheck.