Privilege Management for Unix and Linux and AD Bridge

Starting with v7.0, Privilege Management for Unix and Linux can be integrated with AD Bridge. Integrating Privilege Management for Unix and Linux with AD Bridge has the following benefits:

Event Log Central Collection

AD Bridge features a database-centric reporting architecture that enables event collection from multiple devices as well as the ability to report about this data from a central location using standard plug-ins. Events are forwarded to the AD Bridge collector machines where AD Bridge tools are installed and are running BTCollector services. The collector machines then aggregate all events in an enterprise-wide MS SQL Server database.

Starting with v7.0, Privilege Management for Unix and Linux incorporates the collection of Privilege Management for Unix and Linux events (Accept events, Reject events, Finish events, and Keystroke Action events) by AD Bridge collectors as well as the ability to query this information using the standard AD Bridge report plug-in.

The AD Bridge Enterprise tools on Windows include a management console, which supports a number of plug-ins for performing various tasks. The reports plug-in has many available reports for viewing configuration and event-related queries. Privilege Management for Unix and Linux now has dedicated reports for the various operations that it performs.

Privilege Management for Unix and Linux Health Check

Starting with v7.0, Privilege Management for Unix and Linux, as part of integration with AD Bridge, sends events to AD Bridge Collectors based on the responsiveness of Privilege Management for Unix and Linux policy server hosts, log hosts, and pblocald. The Privilege Management for Unix and Linux clients (pbrun, pbsh, pbksh, and pbssh) optionally report a new failover event every time a Privilege Management for Unix and Linux policy server host or log host fails to respond in a timely manner.

This feature is closely tied to the current Privilege Management for Unix and Linux failover mechanism. Any policy server that does not respond within the number of seconds specified by the masterdelay setting causes the new failover event to be written to both syslog and the AD Bridge event log database. Any log host that does not respond within the number of seconds specified by the logserverdelay setting causes the new failover event to be written to both syslog and the AD Bridge event log database. Similarly, pbmasterd reports events any time pblocald fails to respond. This new feature also allows for the optional recording of successful connection events.

Another plug-in for the management console is the Privilege Management Operations Dashboard. This tool provides a view of key metrics that an administrator can configure to show green, yellow, and red status indicators depending on user-defined thresholds. The health events are shown on the Privilege Management Operations Dashboard using the colors green, yellow, and red to indicate status.

Integration Process

To enable AD Bridge to work with Privilege Management for Unix and Linux, the AD Bridge agent must be installed on the appropriate Privilege Management for Unix and Linux machines:

  • On the Privilege Management for Unix and Linux policy server host and log host computers to send the event log records (Accept, Reject, Finish, and Keystroke Actions events) and the health event log records (related to pblocald) to AD Bridge.
  • On the client computers (where pbrun, pbksh or pbsh, and pbssh are installed), policy server host, and run host (where pblocald is installed), to send the health event log records related to the policy server host and log host to AD Bridge.

To send Privilege Management for Unix and Linux event logs to AD Bridge, you must set the following in the pb.settings file:

  • sharedlibpbisdependencies
  • pbis_event_logging

To send event records about the health of the policy server host, log host, and pblocald to the AD Bridge, you must set the following in the pb.settings file:

  • sharedlibpbisdependencies
  • pbis_log_failover
  • pbis_log_connect_success
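The following script is an added example, not code from BeyondTrust or the product documentation: it audits a pb.settings file for the integration keywords listed above (sharedlibpbisdependencies, pbis_event_logging, pbis_log_failover, pbis_log_connect_success) and also shows the masterdelay and logserverdelay thresholds that trigger the failover health event. It assumes pb.settings uses one "keyword value" pair per line with "#" comment lines; the sample file, its values, and the library path in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not BeyondTrust's own code: audit a pb.settings file for the
# AD Bridge integration keywords named in the documentation. pb.settings lines
# are assumed to be "keyword value..." with '#' comment lines; every value in
# the sample below is constructed, and the library path is a placeholder.

SAMPLE_SETTINGS=$(mktemp)
trap 'rm -f "$SAMPLE_SETTINGS"' EXIT
cat > "$SAMPLE_SETTINGS" <<'EOF'
# constructed sample pb.settings fragment (library path is a placeholder)
masterdelay               500
logserverdelay            500
sharedlibpbisdependencies /path/to/adbridge/libs/placeholder.so
pbis_event_logging        yes
pbis_log_failover         yes
pbis_log_connect_success  no
EOF

# pb_setting FILE KEYWORD -> prints the keyword's value (rest of the line), or nothing
pb_setting() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    $1 == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# is_yes VALUE -> true when VALUE is "yes" (case-insensitive)
is_yes() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    yes) return 0 ;;
    *)   return 1 ;;
  esac
}

# event_logging_enabled FILE -> true when Accept/Reject/Finish/Keystroke events
# will be forwarded to AD Bridge (both required keywords set on a policy/log host)
event_logging_enabled() {
  [ -n "$(pb_setting "$1" sharedlibpbisdependencies)" ] &&
    is_yes "$(pb_setting "$1" pbis_event_logging)"
}

# health_logging_enabled FILE -> true when failover (health) events will be sent
health_logging_enabled() {
  [ -n "$(pb_setting "$1" sharedlibpbisdependencies)" ] &&
    is_yes "$(pb_setting "$1" pbis_log_failover)"
}

# audit_pb_settings FILE -> prints one line per feature and returns the number
# of integration features that are not fully configured (0 = everything set)
audit_pb_settings() {
  f=$1
  problems=0
  if event_logging_enabled "$f"; then
    echo "event log forwarding to AD Bridge: enabled"
  else
    echo "event log forwarding to AD Bridge: NOT enabled (needs sharedlibpbisdependencies and pbis_event_logging yes)"
    problems=$((problems + 1))
  fi
  if health_logging_enabled "$f"; then
    echo "failover/health events to AD Bridge: enabled"
    if is_yes "$(pb_setting "$f" pbis_log_connect_success)"; then
      echo "  successful-connection events: also recorded"
    else
      echo "  successful-connection events: not recorded (pbis_log_connect_success is not yes)"
    fi
  else
    echo "failover/health events to AD Bridge: NOT enabled (needs sharedlibpbisdependencies and pbis_log_failover yes)"
    problems=$((problems + 1))
  fi
  # thresholds that trigger the failover event, shown exactly as configured
  echo "policy server responsiveness threshold (masterdelay): $(pb_setting "$f" masterdelay)"
  echo "log host responsiveness threshold (logserverdelay): $(pb_setting "$f" logserverdelay)"
  return "$problems"
}

audit_pb_settings "$SAMPLE_SETTINGS"
```

Run it against a real pb.settings by replacing the constructed sample path with the file's actual location; a non-zero exit status means at least one of the two integration paths (event forwarding or health events) is not fully configured on that host.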


For more information, please see the following: