Privilege Management for Unix and Linux Policy Files
The file /opt/pbul/policies/pb.conf (or /etc/pb.conf in versions prior to 9.4.3) is usually the root, or entry point, of the Privilege Management for Unix and Linux policy tree. Although pb.conf can contain policy code itself, we recommend using it strictly as a list of include statements that reference other policy modules; this keeps a large policy tree manageable. Bear in mind that whoever can modify pb.conf, or any file it includes, decides what pbrun will allow, so treat the whole include tree as root-owned configuration and restrict write access accordingly.
For more information about policy files, please see the Privilege Management for Unix and Linux Policy Language Guide.
Role Based Policy Database
With the introduction of Privilege Management for Unix and Linux version 9, there is a Role Based Policy Database. Role Based Policy simplifies the definition of policy for administrators. Policies are kept as structured records in a database, which simplifies maintenance, decreases system load, increases throughput, and provides a comprehensive REST API for integrating policy management with existing customer systems and procedures. It also simplifies bulk import and bulk export of data. Once the customer's data is held in the Role Based Policy database, it is much easier to produce management information such as user entitlement reports. Role Based Policy can be used instead of policy script configuration to quickly and succinctly define, retrieve, and report on role based policy.
For more information, please see the Privilege Management for Unix and Linux Administration Guide.
Starting with version 8.0.0, a default policy is installed if no existing policy is found. The files pbul_policy.conf and pbul_functions.conf are created in the /opt/pbul/policies directory, and pbul_policy.conf is included from the main policy file, /opt/pbul/policies/pb.conf (or /etc/pb.conf in versions prior to 9.4.3).
This default policy contains the following roles:
- Helpdesk role. Enabled by default. When a user invokes pbrun helpdesk, this role allows any user in HelpdeskUsers (default: root) to start a Helpdesk Menu as root on any host in HelpdeskHosts (default: the submit host only). The menu actions are:
  - Obtaining a list of processes (ps -ef)
  - Checking whether a machine is reachable (ping <host>)
  - Obtaining a list of the users currently logged in on this host (who -H)
  - Displaying the host's IP settings (ifconfig -a)
- pbtest role. Enabled by default for all users on all hosts. This role allows pbrun pbtest to be used to check connectivity and the policy.
- Controlled Shell role. Enabled by default. This role allows users in ControlledShellUsers (default: the submitting user) on run hosts in ControlledShellHosts (default: the submit host only) to enable I/O logging for pbksh and pbsh. I/O logs are created by default as /tmp/pb.<user>.<runhost>.<YYYY-MM-DD>.[pbksh|pbsh].XXXXXX. The role also carries a list of commands for which to elevate privileges and a list of commands to reject; both lists are empty by default.
- Admin role. Enabled by default. This role allows users in AdminUsers (default: root) to run any command on run hosts in AdminHosts (default: the submit host only).
- Demo role. Disabled by default. This role allows users in DemoUsers (default: all users) to run the commands in DemoCommands (default: id and whoami) as root on any host in DemoHosts (default: all hosts).
The policy ends with a catch-all rule that allows all users to run any command as themselves, without any privilege escalation. This final rule grants nothing beyond what the user already has, but it does mean a request that matches none of the roles above is accepted rather than rejected; a site that wants unmatched requests refused must change this ending.
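As an added illustration, not the shipped pbul_policy.conf, the following shows how the include-only entry point described above and one of the default roles, the Demo role, look in the policy language, ending with the same catch-all accept. The list names DemoUsers, DemoHosts and DemoCommands and their defaults come from the role description; the EnableDemoRole flag, the pinning of runcommand to /usr/bin, the use of the in operator for wildcard matching, and the overall layout are assumptions made for this example.

```text
# /opt/pbul/policies/pb.conf (/etc/pb.conf before v9.4.3)
# Entry point: only include statements, no policy logic of its own.
include "/opt/pbul/policies/pbul_functions.conf";
include "/opt/pbul/policies/pbul_policy.conf";

# /opt/pbul/policies/pbul_policy.conf (illustrative excerpt, not the shipped file)

# Demo role: disabled by default, so it must be switched on explicitly.
EnableDemoRole = false;               # assumed flag name
DemoUsers      = {"*"};               # default: all users
DemoHosts      = {"*"};               # default: all hosts
DemoCommands   = {"id", "whoami"};    # default commands, run as root

if (EnableDemoRole &&
    user in DemoUsers &&
    runhost in DemoHosts &&
    basename(command) in DemoCommands) {
    # Pin the executable to an absolute path so that a same-named
    # binary earlier in the submitter's PATH is not what runs as root.
    runcommand = "/usr/bin/" + basename(command);
    runuser    = "root";
    accept;
}

# Final rule: anything not matched above runs as the submitting user,
# with no privilege change. Replace with reject; to refuse unmatched requests.
runuser = user;
accept;
```

With EnableDemoRole set to true, pbrun id would be executed as root on any run host, while pbrun ls would fall through to the final rule and run as the submitting user. Matching on basename(command) keeps the role usable whether the user types id or /usr/bin/id, which is why the example fixes runcommand itself rather than trusting the submitted path.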