Privilege Management for Unix and Linux and BeyondInsight Console

Starting with v7.5, Privilege Management for Unix and Linux can be integrated with BeyondInsight. This integration with BeyondInsight has the following benefits:

Event Log Central Collection

BeyondInsight features a database-centric reporting architecture that enables event collection from multiple devices as well as the ability to report about this data from a central location.

Privilege Management for Unix and Linux uses a message router architecture to store its events (Accept events, Reject events, Keystroke Action events, and Finish events) in a database, defined by integratedproductsqueuedb, and uses a scheduler to periodically forward these event log records to BeyondInsight Web services. Using BeyondInsight, you can then sort and filter this data into useful reports. BeyondInsight also uses these events to display the list of Privilege Management for Unix and Linux servers in the BeyondInsight Assets.

I/O log Indexing for Improved Search Capabilities

This integration allows BeyondInsight to search for I/O logs via an indexed search. Privilege Management for Unix and Linux uses Solr (with Lucene and Jetty) to index I/O log output data and BeyondInsight performs Solr queries and interprets/displays the results, allowing the user to replay the resulting I/O logs via pbguid.

Integration Process

When installing or upgrading, you can enable BeyondInsight Integration and provide values to the necessary keywords to enable these features.

To enable Privilege Management for Unix and Linux v7.5 (and later) to send the event log records to BeyondInsight, perform the following actions.

  1. Copy and convert the BeyondInsight client certificate from BeyondInsight to the policy server and log server hosts.
    • Start the BeyondInsight Configuration Tool on the BeyondInsight management console server. Click Generate Certificate Zip in the BeyondInsight Configuration Tool.
    • Select the output folder for the ZIP file and a password to apply to the exported .pfx file.
    • Select a folder where you can securely copy the certificates.zip file and uncompress it.
    • Copy the following files to a secure directory on the Privilege Management policy server and log server hosts:
      • eEyeEMSClient.pem
      • <host>_eEye_EMS_CA.pem
    • In the Privilege Management servers and log server settings file, assign the keyword sslrcscertfile to the location of eEyeEMSClient.pem:
      sslrcscertfile /<secure_directory>/eEyeEMSClient.pem
    • Assign the keyword sslrcscafile to the location of the file <host>_eEye_EMS_CA.pem:
      sslrcscafile /<secure_directory>/<host>_eEye_EMS_CA.pem
    • Start the BeyondInsight Configuration Tool on the BeyondInsight management console server. Click Generate Certificate Zip in the BeyondInsight Configuration Tool.
    • Select the output folder for the ZIP file and a password to apply to the exported .pfx file.
    • Select a folder where you can securely copy the certificates.zip file and uncompress it.
    • Copy the following files to a secure directory on the Privilege Management policy server and log server hosts:
      • eEyeEMSClient.pem
      • <host>_eEye_EMS_CA.pem
    • In the Privilege Management servers and log server settings file, assign the keyword sslrcscertfile to the location of eEyeEMSClient.pem:
      sslrcscertfile /<secure_directory>/eEyeEMSClient.pem
    • Assign the keyword sslrcscafile to the location of the file <host>_eEye_EMS_CA.pem:
      sslrcscafile /<secure_directory>/<host>_eEye_EMS_CA.pem

In the Privilege Management settings file, assign the keyword rcshost to the BeyondInsight hostname exactly how it appears in this certificate.

  1. If you have not done so during the installation, set the following keywords in pb.settings on the policy server and log server hosts:
    • rcshost
    • rcswebsvcport
    • sslrcscertfile
    • sslrcscafile

To enable Privilege Management for Unix and Linux v7.5 and above to index I/O log files:

  1. Install Solr on a server of your choice.
  2. Copy SSL certs from the Solr server to policy server and log server hosts.
    • On the Solr server, securely copy the PEM encoded files (*.pem) from the etc directory under Solr install directory (for example /opt/pbul-Solr/etc) directory to the directories pointed by Solrcafile, Solrclientkeyfile , and Solrclientcertfile on the desired log server and policy server hosts.
  3. If you have not done so during the installation, set the following keywords in pb.settings on the policy server and log server hosts:
    • pbreplaylog
    • Solrhost
    • Solrport
    • Solrcafile
    • Solrclientkeyfile
    • Solrclientcertfile
    • integratedproductsqueuedb
  1. Other keywords to set (common to both event log collection and I/O log indexing):
    • pbadminpath
    • guiport
    • sguiport
    • sharedlibkrb5dependencies
    • sharedlibssldependencies
    • sharedlibldapdependencies
    • sharedlibcurldependencies

 

for more information, please see the following: