Privilege Management for Unix and Linux Task Requests

In the context of Privilege Management for Unix and Linux, there are two types of task requests:

  • Secured: Requests must undergo security validation processing by Privilege Management for Unix and Linux before they can be run.
  • Unsecured: Do not undergo security validation processing. These should be tasks that are not potential threats to the system and therefore do not fall under a company’s security policy implementation. Unsecured tasks are handled by the operating system. Privilege Management for Unix and Linux is not involved in the processing of such tasks.

Secured Task Submission to SSH-Managed Devices - pbssh

Secured tasks can also be submitted through pbssh. pbssh is the Privilege Management component used to reach SSH-managed devices on which Privilege Management is not installed (for example routers, firewalls, Windows devices, or Unix/Linux hosts without the product). pbssh connects to the target device using the SSH configuration.

Secured Task Submission - pbrun

All secured tasks must be submitted through pbrun, the Privilege Management for Unix and Linux component that receives task requests. A separate pbrun process is started for each secured task request that is submitted. If the use of pbrun is not enforced for secured tasks, then a company’s security policy implementation could be compromised.

pbrun must be installed on any machine from which a user can submit a secured task request.

Policy File Processing - pbmasterd

pbmasterd is responsible for applying the security rules (as defined in the Privilege Management for Unix and Linux policy files) which make up a company’s network security policy. In other words, pbmasterd performs security verification processing to determine if a request is accepted or rejected based on the logic in the Privilege Management for Unix and Linux security policy files. If a request is rejected, then the result is logged and processing terminates. If a request is accepted, then it is immediately passed to pblocald for execution.

If pblogd is used, then pbmasterd terminates when the request is passed to pblocald. A separate pbmasterd process is started for each secured task request that is submitted. If the pblogd component is not being used, then pbmasterd waits for the pblocald process to complete before terminating.

During security verification processing, the first accept or reject condition that is met causes security policy file processing to immediately terminate. No further security verification processing is performed.
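The first-match rule above has a practical consequence: rule order decides the outcome, and a reject placed after a broader accept can never fire. The following is an added illustrative model of that evaluation order, not pbmasterd's code or the product's policy language; the field names user, command and submithost, the wildcard convention and the default-reject fallback are assumptions made for the example (only runuser comes from the text).

```python
"""Model of first-match policy evaluation as described for pbmasterd.

Rules are checked in order; the first accept or reject ends processing.
A rule is a set of field constraints (user, command, submithost) where
None means "any", plus the decision and the runuser it sets on accept.
"""
from dataclasses import dataclass
from typing import Optional

FIELDS = ("user", "command", "submithost")   # assumed request attributes

@dataclass
class Rule:
    decision: str                      # "accept" or "reject"
    user: Optional[str] = None         # None matches any value
    command: Optional[str] = None
    submithost: Optional[str] = None
    runuser: str = "root"              # account the task runs as (accept only)

    def matches(self, request: dict) -> bool:
        return all(getattr(self, f) in (None, request[f]) for f in FIELDS)

    def covers(self, other: "Rule") -> bool:
        """True if every request matched by `other` is also matched by self."""
        return all(getattr(self, f) in (None, getattr(other, f)) for f in FIELDS)

def evaluate(request: dict, policy: list) -> tuple:
    """Return (decision, runuser) from the first matching rule: once an
    accept or reject fires, no later rule is consulted."""
    for rule in policy:
        if rule.matches(request):
            return (rule.decision, rule.runuser if rule.decision == "accept" else None)
    return ("reject", None)   # constructed default: no matching rule means reject

def shadowed_rules(policy: list) -> list:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, later in enumerate(policy)
            if any(earlier.covers(later) for earlier in policy[:i])]

# Constructed policy: the reject for the shell sits AFTER a broad accept,
# so it is unreachable and the shell is accepted as root.
MISORDERED = [
    Rule("accept", user="ops"),                          # any command from ops
    Rule("reject", user="ops", command="/bin/bash"),     # never reached
]
CORRECTED = [
    Rule("reject", user="ops", command="/bin/bash"),     # specific rule first
    Rule("accept", user="ops"),
]

if __name__ == "__main__":
    req = {"user": "ops", "command": "/bin/bash", "submithost": "host1"}
    print(evaluate(req, MISORDERED), evaluate(req, CORRECTED), shadowed_rules(MISORDERED))
```

Running shadowed_rules over a policy before deployment is a cheap way to catch rules that ordering has made dead.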

If pbmasterd recognizes that a command is to be run on the host that submitted the request, then pblocald is optimized out of the connection. The command is run directly under the control of the client (that is, pbrun, pbsh, or pbksh), along with all logging and services that would have otherwise been provided by pblocald.

Task Execution - pblocald

pblocald executes task requests that have passed security verification processing (that is, requests that have been accepted by pbmasterd). After a task request is accepted, it is immediately passed from pbmasterd to pblocald in normal mode, or to pbrun, pbsh, or pbksh in local and optimized run modes. pblocald executes the task request as the user specified in the policy variable runuser, typically root or an administrative account, and relays all task input and output back to pbrun.

In addition, pblocald logs pertinent task information to the Privilege Management for Unix and Linux event log (using pbmasterd or pblogd, depending on how Privilege Management for Unix and Linux has been deployed). The run host can also record task keystroke information to a Privilege Management for Unix and Linux I/O log (through pbmasterd or pblogd, depending on how Privilege Management for Unix and Linux has been deployed). A separate pblocald process is started for each secured task request that is submitted.

Logging - pblogd

pblogd is an optional Privilege Management for Unix and Linux component that is responsible for writing event and I/O log records. If pblogd is not installed, then pbmasterd writes log records directly to the appropriate log files rather than passing these records to pblogd. In addition, if pblogd is not installed, then pbmasterd must wait for the pblocald process to complete. If pblogd is used, then pbmasterd terminates after task execution starts, and pblocald sends its log records directly to pblogd.

Using pblogd optimizes Privilege Management for Unix and Linux processing by centralizing the writing of log records in a single, dedicated component and eliminating the need for the pbmasterd process to wait for task execution to complete.

Logging - Message Router (pblighttpd-svc)

In Privilege Management for Unix and Linux v10.1.0, a new Message Router service was introduced to streamline the processing of events and other important messages throughout the system. It allows a single log server to quickly accept, process, and store tens of thousands of events every second.