Endpoint Privilege Management for Unix and Linux Task Requests

In the context of Endpoint Privilege Management for Unix and Linux (EPM-UL), there are two types of task requests:

  • Secured: Requests must undergo security validation processing by EPM-UL before they can be run.
  • Unsecured: Do not undergo security validation processing. These should be tasks that are not potential threats to the system and therefore do not fall under a company’s security policy implementation. Unsecured tasks are handled by the operating system. EPM-UL is not involved in the processing of such tasks.

Secured Task Submission to SSH-Managed Devices - pbssh

Secured tasks can also be submitted through pbssh. pbssh is the Endpoint Privilege Management component used to access SSH-managed devices on which Endpoint Privilege Management is not installed, such as routers, firewalls, Windows devices, or Unix/Linux hosts without the client. pbssh connects to the target device using the SSH configuration.

Secured Task Submission and Execution - pbrun

All secured tasks must be submitted through pbrun, the EPM-UL component that receives task requests. A separate pbrun process is started for each secured task request that is submitted. If the use of pbrun is not enforced for secured tasks, then a company’s security policy implementation could be compromised.

If the task request is accepted by the Policy Server, pbrun executes the task and logs pertinent task information to the EPM-UL event log.

pbrun is part of the EPM-UL Client, which must be installed on any machine from which a user can submit a secured task request.

Policy File Processing - pbmasterd

pbmasterd is responsible for applying the security rules (as defined in the EPM-UL policy files) that make up a company’s network security policy. It performs security verification processing to determine whether a request is accepted or rejected, based on the logic in the EPM-UL security policy files.

  • If a request is rejected, then the result is logged and processing terminates.
  • If a request is accepted, then it is immediately passed to pbrun for execution.

A separate pbmasterd process is started for each secured task request that is submitted. If pblogd is used, then pbmasterd terminates as soon as the request is passed to pblocald. If the pblogd component is not being used, then pbmasterd waits for the pblocald process to complete before terminating.

During security verification processing, the first accept or reject condition that is met causes security policy file processing to immediately terminate. No further security verification processing is performed.
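The following policy fragment is an added illustration of that first-match behaviour; it is not taken from the page or from a shipped EPM-UL policy, and it assumes the C-like EPM-UL policy syntax (if/accept/reject statements, the `user`, `command` and `runuser` variables) with a constructed user name:

```text
# Constructed example (not from the page). Assumes EPM-UL's C-like policy
# syntax: if (...) { ... }, accept;, reject "message";, and the variables
# user, command and runuser. "oper01" is a made-up account name.

# Rule 1: the narrow, explicit deny comes first. When it matches, policy
# processing stops here; no accept further down can override it.
if (command == "/bin/bash" || command == "/bin/sh") {
    reject "Interactive shells are not permitted through this policy.";
}

# Rule 2: the specific grant. The first matching accept also terminates
# processing, so runuser must be set before accept is reached.
if (user == "oper01" && command == "/usr/sbin/service") {
    runuser = "root";
    accept;
}

# Rule 3: default deny. Anything that falls through the rules above is
# rejected. Placing this line above Rule 2 would shadow the grant entirely,
# and placing a broad accept above Rule 1 would bypass the deny.
reject;
```

Because evaluation stops at the first accept or reject, rule order is part of the policy's security semantics: review the sequence of rules, not just their individual conditions.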

If pbmasterd recognizes that a command is to be run on the host that submitted the request, then pblocald is optimized out of the connection. The command is run directly under the control of the client (that is, pbrun, pbsh, or pbksh), along with all logging and services that would have otherwise been provided by pblocald.

Task Execution - pblocald

pblocald executes task requests that have passed security verification processing (that is, requests that have been accepted by pbmasterd). After a task request is accepted, it is immediately passed from pbmasterd to pblocald in normal mode, or to pbrun, pbsh, or pbksh in local and optimized run modes. pblocald executes the task request as the user who is specified in the policy variable runuser, typically root or an administrative account, and relays all task input and output back to pbrun.

In addition, pblocald logs pertinent task information to the EPM-UL event log (using pbmasterd or pblogd, depending on how EPM-UL has been deployed). The run host can also record task keystroke information to an EPM-UL I/O log (through pbmasterd or pblogd, depending on how EPM-UL has been deployed). A separate pblocald process is started for each secured task request that is submitted.

Logging - pblogd

pblogd is an optional EPM-UL component that is responsible for writing event and I/O log records.

If pblogd is not installed, then pbmasterd writes log records directly to the appropriate log files rather than passing these records to pblogd. In addition, if pblogd is not installed, then pbmasterd must wait for the pblocald process to complete. If pblogd is used, then pbmasterd terminates after task execution starts, and pblocald sends its log records directly to pblogd.

Using pblogd optimizes EPM-UL processing by centralizing the writing of log records in a single, dedicated component and eliminating the need for the pbmasterd process to wait for task execution to complete.

Logging - Message Router (pblighttpd-svc)

In EPM-UL v10.1.0, a new Message Router service was introduced to streamline the processing of events and other important messages throughout the system. It allows a single log server to quickly accept, process, and store tens of thousands of events every second.