Improve Security

Additional configuration can improve the security of Privilege Management for Unix and Linux.

Privilege Management for Unix and Linux does not contain a Certificate Authority; the certificates generated during install are therefore self-signed and cannot be used to properly identify the host. Creating and deploying proper X.509 certificates, with hostname information in the Subject Alternative Name field, allows Privilege Management for Unix and Linux hosts to properly identify one another.

TLS clients can verify the server’s certificate and hostname by adding the ValidateServer option to the ssloptions keyword in /etc/pb.settings. For TLS, pbmasterd and pblocald are clients to pblogd. Additionally, servers can validate the certificates and hostname of the client hosts by adding the ValidateClients option to the ssloptions keyword in /etc/pb.settings.

Configure Privilege Management for Unix and Linux to use the SSLFirst keyword in /etc/pb.settings. This keyword must have the same value on all hosts in the Privilege Management for Unix and Linux domain. With SSLFirst, the SSL/TLS handshake takes place before any Privilege Management for Unix and Linux proprietary protocol negotiation (which uses symmetric keys), reducing exposure if the symmetric network encryption keys are compromised.

The TLS ciphers should be changed to disallow anonymous ciphers.

Edit the sslpbruncipherlist and sslservercipherlist entries in /etc/pb.settings:

sslpbruncipherlist      TLSv1.2:!SSLv2:!3DES:!MD5:!ADH:!AECDH:!DHE:!eNULL:@STRENGTH
sslservercipherlist     TLSv1.2:!SSLv2:!3DES:!MD5:!ADH:!AECDH:!DHE:!eNULL:@STRENGTH

Edit the ssl.cipher-list entry in /usr/lib/beyondtrust/pb/rest/etc/pblighttpd.conf:

ssl.cipher-list          = "TLSv1.2:!SSLv2:!3DES:!MD5:!ADH:!AECDH:!DHE:!eNULL:@STRENGTH"
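
The following audit script is an added example, not BeyondTrust code. It checks the text of /etc/pb.settings for the settings described above: the ValidateServer and ValidateClients options, the SSLFirst keyword, and the anonymous and null cipher exclusions in both cipher lists. It assumes "keyword value" lines with "#" comments and case-insensitive keywords, and that every host should carry both Validate options; the function names and the sample file are constructed for illustration.

```python
import re

# Exclusions the page's cipher string uses against anonymous and null ciphers.
REQUIRED_EXCLUSIONS = ("!ADH", "!AECDH", "!eNULL")
CIPHER_KEYWORDS = ("sslpbruncipherlist", "sslservercipherlist")

# Constructed sample, not a real host's file.
SAMPLE_WEAK = """\
ssloptions           ValidateServer
sslpbruncipherlist   TLSv1.2:!MD5:-ADH:!eNULL:@STRENGTH
sslservercipherlist  TLSv1.2:!aNULL:!eNULL:@STRENGTH
"""

def parse_settings(text):
    """Return {keyword: value}. Assumes 'keyword value' lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def missing_exclusions(cipher_list):
    """Return the required exclusions a cipher string does not enforce."""
    tokens = set(re.split(r"[:,\s]+", cipher_list.strip("\"' ")))
    # OpenSSL's !aNULL removes all anonymous suites, so it covers ADH and AECDH.
    # A '-' prefix does not count: suites removed that way can be re-added later.
    return [x for x in REQUIRED_EXCLUSIONS
            if x not in tokens and not (x != "!eNULL" and "!aNULL" in tokens)]

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_settings(text)
    findings = []
    options = {o.lower() for o in re.split(r"[,\s]+", s.get("ssloptions", "")) if o}
    for opt in ("ValidateServer", "ValidateClients"):
        if opt.lower() not in options:
            findings.append(f"ssloptions: {opt} not set")
    if "sslfirst" not in s:
        findings.append("sslfirst: keyword not set")
    for kw in CIPHER_KEYWORDS:
        if kw not in s:
            findings.append(f"{kw}: not set")
        else:
            findings += [f"{kw}: missing {x}" for x in missing_exclusions(s[kw])]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print(finding)
```

Because SSLFirst must have the same value on all hosts, compare parse_settings(...)["sslfirst"] across the files collected from each host as well.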