Other Security Issues

runsecurecommand

  • Version 4.0.0 and later: runsecurecommand setting available.

The runsecurecommand setting enables the administrator to perform an extra check on the security of the requested command. This check helps to ensure that no one other than root or the runuser (for example, sys or oracle) could have tampered with the command.

When set to yes, the runcommand and all directories above it are checked to determine if anyone other than root or the runuser has write permission. If the command file or any of the directories above it are writable by anyone other than root or the runuser, then the run host refuses to run the command. The policy language variable runsecurecommand can be set to true by the configuration policy on the policy server host for the same effect.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

runsecurecommand yes

Default

runsecurecommand no

Used on

  • Run hosts
  • Submit hosts, when using local mode
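As an added illustration (not code from the product), the following Python script applies the ownership and write-permission rule described above to a command path: it walks the command file and every directory above it and reports any component that someone other than root or the runuser could modify. The sample tree, the uid 500 runuser, and treating any group- or world-writable component as writable by others are assumptions of this example.

```python
import os
import stat
from pathlib import PurePosixPath

# Constructed sample tree: path -> (owner uid, st_mode); uid 500 plays a hypothetical runuser.
SAMPLE_TREE = {
    "/": (0, 0o40755),
    "/opt": (0, 0o40755),
    "/opt/app": (1001, 0o40755),          # owned by an unrelated account
    "/opt/app/bin": (0, 0o40777),         # root-owned but world-writable
    "/opt/app/bin/deploy.sh": (0, 0o100755),
    "/home": (0, 0o40755),
    "/home/oracle": (500, 0o40750),
    "/home/oracle/bin": (500, 0o40750),
    "/home/oracle/bin/start.sh": (500, 0o100750),
}

def fake_stat(path):
    """os.stat() stand-in that answers from SAMPLE_TREE so the demo runs offline."""
    uid, mode = SAMPLE_TREE[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))

def path_components(command):
    """The command file plus every directory above it, root first."""
    p = PurePosixPath(command)
    if not p.is_absolute():
        raise ValueError("runsecurecommand applies to an absolute runcommand")
    return [PurePosixPath(*p.parts[: i + 1]) for i in range(len(p.parts))]

def check_secure_command(command, runuser_uid, stat_fn=os.stat):
    """Return the components someone other than root or the runuser could
    write; an empty list means the run host would accept the command."""
    problems = []
    for comp in path_components(command):
        st = stat_fn(str(comp))
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, runuser_uid) and mode & stat.S_IWUSR:
            problems.append(f"{comp}: owned by uid {st.st_uid}, who may write it")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: mode {mode:04o} is group/world writable")
    return problems

if __name__ == "__main__":
    for cmd in ("/opt/app/bin/deploy.sh", "/home/oracle/bin/start.sh"):
        found = check_secure_command(cmd, runuser_uid=500, stat_fn=fake_stat)
        verdict = "REFUSE" if found else "accept"
        print(f"{verdict} {cmd}")
        for line in found:
            print("   ", line)
```

Run against a real host, drop the `stat_fn` argument so `os.stat` is used and pass the runuser's actual uid.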

rejectnullpasswords

  • Version 4.0.0 and later: rejectnullpasswords setting available.

Some systems allow the use of null passwords in their password databases. When null passwords are allowed, a carriage-return at a password prompt matches that null password. If you want to always reject attempts to enter a password for an account with a null password, you can set rejectnullpasswords to yes.

rejectnullpasswords yes

Default

rejectnullpasswords no

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

enforceRunCwd

  • Version 5.0.2 and earlier: enforceRunCwd setting not available.
  • Version 5.0.3 and later: enforceRunCwd setting available.

The enforceRunCwd setting enforces the runcwd when it is set to yes or when it is not set at all. When set to yes and the user does not have permission for the runcwd, the task is rejected. When the secured task cannot change to the runcwd directory (because of bad permissions, or because the directory does not exist), the enforceRunCwd setting determines whether the secured task is run from /tmp or is denied.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

Syntax

enforceRunCwd <yes|no>

Valid Values

  • yes: Enforce the runcwd and do not run the command in /tmp.
  • no: Revert to the old behavior and run the command in /tmp.

enforceRunCwd yes

Default

enforceRunCwd yes

Used on

Run hosts

warnuseronerror

  • Version 4.0.0 and later: warnuseronerror setting available.

Endpoint Privilege Management programs, such as pbrun, pblogd, and pbmasterd, can produce diagnostic messages about security problems. These messages cover conditions such as writable file systems, a writable pb.conf file, and so forth.

Because a user might be able to use that information to damage a system, the full diagnostic messages are recorded only in the log files. The user sees only the generic message "Security error, see your administrator."

To enable the user to see the full diagnostic messages, set warnuseronerror to yes.

There is a limitation to this setting. When an error about the security of the settings file occurs, the user is never notified.

warnuseronerror yes

Default

warnuseronerror no

Used on

  • Policy server hosts
  • Run hosts
  • Submit hosts

showunsecurewarnings

  • Version 5.1.1 and earlier: showunsecurewarnings setting not available.
  • Version 5.1.2 and later: showunsecurewarnings setting available.

Endpoint Privilege Management programs, such as pbrun and pbmasterd, can produce diagnostic messages about security problems. These messages include information about licensing files and expiration.

This setting supersedes the value of warnuseronerror only if the messages do not pose a security risk. When showunsecurewarnings is enabled, all messages that can safely be displayed on the client system are displayed. Display of secure messages still depends on the value of warnuseronerror.

To allow the user to see the unsecure diagnostic messages, set showunsecurewarnings to yes.

showunsecurewarnings yes

Default

No default value

Used on

  • Policy server hosts
  • Run hosts
  • Submit hosts

clientdisableoptimizedrunmode

  • Version 5.2 and earlier: clientdisableoptimizedrunmode setting not available.
  • Version 6.0 and later: clientdisableoptimizedrunmode setting available.

The EPM-UL optimized run mode feature enables a task to be run on the submit host after being validated by the policy server host, without invoking pblocald.

When set to yes, the clientdisableoptimizedrunmode setting disables optimized run mode for all pbrun invocations on the affected host. This setting is equivalent to invoking pbrun with the --disable_optimized_runmode command line option.

clientdisableoptimizedrunmode yes

Default

clientdisableoptimizedrunmode no

Used on

Submit hosts

masterdisableoptimizedrunmode

  • Version 5.2 and earlier: masterdisableoptimizedrunmode setting not available.
  • Version 6.0 and later: masterdisableoptimizedrunmode setting available.

The EPM-UL optimized run mode feature enables a task to be run on the submit host after being validated by the policy server host, without invoking pblocald.

When set to yes, the masterdisableoptimizedrunmode setting disables optimized run mode for all pbrun invocations that are accepted by the affected policy server host. This setting is equivalent to invoking pbmasterd with the --disable_optimized_runmode command line option.

masterdisableoptimizedrunmode yes

Default

masterdisableoptimizedrunmode no

Used on

Policy server hosts

execute_via_su

  • Version 7.0 and earlier: execute_via_su setting not available.
  • Version 7.1.0 and later: execute_via_su setting available.

The run environment for the secured task is normally dictated by the policy server policy. It may be desirable to have the run host dictate the run environment for the secured task instead. EPM-UL v7.1 and above can use the su - command to create a login shell for the secured task, thus allowing the login mechanism to set up the run environment. The policy server host keyword execute_via_su in /etc/pb.settings globally enables using su - to execute the secured task.

This keyword can be overridden by the policy variable with the same name, execute_via_su. The execute_via_su variable's initial value is based on the keyword setting's value. When execute_via_su is used, any run environment setup in the policy affects the execution of su - rather than the execution of the secured task. This includes the use of runcwd, setenv(), keepenv(), etc., as well as !g!, !G!, etc. Entitlement reports do not indicate that su - is used; however, the Accept events in the event log show that su - is used to invoke the secured task.

This feature does not work for runusers whose login is disabled (for example, via /sbin/nologin or /bin/false).

On some operating systems, the su program does not pass the tty through to the command executed. The execute_via_su feature should not be used with secured tasks that require a tty on those operating systems.

Keyword/Policy Variable Hierarchy

Settings Keyword    Policy Variable    Result: uses su -?
unset               unset              No
unset               TRUE               Yes
unset               FALSE              No
no                  unset              No
no                  TRUE               Yes
no                  FALSE              No
yes                 unset              Yes
yes                 TRUE               Yes
yes                 FALSE              No

execute_via_su yes

Default

execute_via_su no

Used on

Policy server hosts

credentialtimeout

Use the command pbadmin --auth --login to cache credentials to facilitate working with remote services. The credentialtimeout setting is the maximum length of time (in seconds) that the authentication credential is cached.

credentialtimeout 900

Default

credentialtimeout 1800

For more information, see Authentication Credential Cache Options.

logfilepermissions

The logfilepermissions setting specifies the permissions that EPM-UL uses when creating certain files such as generated pbreport files, I/O logs, and flat file event logs. The default permission is 600, and you cannot specify permissions less secure than 644.

Default

logfilepermissions 600

Used on

All servers