Endpoint Privilege Management for Unix and Linux Policy Files

/opt/pbul/policies/pb.conf (from v9.4.3+ and /etc/pb.conf prior to v9.4.3) is usually the root or entry point to the Endpoint Privilege Management for Unix and Linux policy tree. Although pb.conf can contain actual policy code, we recommend that you use it strictly as a list of include statements that reference other policy modules. Referencing other policy modules in the pb.conf file keeps a large policy tree manageable.
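As an added example (not code from the product or its documentation), the following Python script walks a pb.conf include tree using the policy language's `include "path";` statement form, and reports includes that cannot be read, include cycles, and any policy statements that sit in the root file rather than in a module. The sample tree it audits is constructed in memory; the paths mirror the defaults named on this page.

```python
import re
INCLUDE_RE = re.compile(r'^include\s+"([^"]+)"\s*;$')  # include "path";

def parse_policy(text):
    """Return (include paths, other statements); '#' comments and blanks dropped."""
    includes, other = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = INCLUDE_RE.match(line)
        if match:
            includes.append(match.group(1))
        else:
            other.append(line)
    return includes, other

def audit_policy_tree(root, read_file=None):
    """Walk the include tree from root in declaration order and report on it."""
    read_file = read_file or (lambda p: open(p, encoding="utf-8").read())
    report = {"files": [], "missing": [], "root_non_includes": []}
    seen, stack = set(), [root]
    while stack:
        path = stack.pop()
        if path in seen:  # include cycle or duplicate include: visit once
            continue
        seen.add(path)
        try:
            text = read_file(path)
        except (OSError, KeyError):
            report["missing"].append(path)  # dangling include
            continue
        report["files"].append(path)
        includes, other = parse_policy(text)
        if path == root:
            report["root_non_includes"] = other  # policy code in pb.conf itself
        stack.extend(reversed(includes))  # LIFO stack: keep declared order
    return report

# Constructed sample (not a real installation): the root holds a policy
# statement, one module includes the root again, and site.conf is absent.
SAMPLE_TREE = {
    "/opt/pbul/policies/pb.conf":
        'include "/opt/pbul/policies/pbul_functions.conf";\n'
        'include "/opt/pbul/policies/pbul_policy.conf";\n'
        'include "/opt/pbul/policies/site.conf";\n'
        'AdminUsers = {"root"};  # policy code in the root file\n',
    "/opt/pbul/policies/pbul_functions.conf": "# helper functions live here\n",
    "/opt/pbul/policies/pbul_policy.conf":
        'include "/opt/pbul/policies/pb.conf";  # cycle back to the root\n'
        "accept;\n",
}
```

Call `audit_policy_tree("/opt/pbul/policies/pb.conf")` with no reader to audit the files on disk; pass `lambda p: SAMPLE_TREE[p]` to run it against the constructed tree.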

For more information about policy files, see the Endpoint Privilege Management for Unix and Linux Policy Language Guide.

Role Based Policy Database

With the introduction of Endpoint Privilege Management for Unix and Linux version 9, there is a Role Based Policy Database. Role Based Policy simplifies the definition of policy for administrators. Policies are kept within structured records in a database, simplifying maintenance, decreasing system load, increasing throughput, and providing a comprehensive REST API to integrate policy management with existing customer systems and procedures. It also simplifies bulk import and bulk export of data. Once the customer's data is held within the Role Based Policy database, it is much easier to provide management information, such as user entitlement reports. This can be used instead of policy script configuration to quickly and succinctly define, retrieve, and report on role based policy.

For more information, see the Endpoint Privilege Management for Unix and Linux Sudo Manager Administration Guide.

Default Policies

Starting with version 8.0.0, a default policy is installed if no existing policy is found. The files pbul_policy.conf and pbul_functions.conf are created in the /opt/pbul/policies directory by default. pbul_policy.conf is included by default in the main policy file (/opt/pbul/policies/pb.conf from v9.4.3+, /etc/pb.conf prior to v9.4.3).

This default policy contains the following roles.

Helpdesk Role

  • Enabled by default. When invoking pbrun helpdesk, the role allows any user in HelpdeskUsers (default root) to initiate a Helpdesk Menu as root on any host in HelpdeskHosts (default submithost only). The actions include:
    • Obtaining a list of processes (ps -ef)
    • Checking if a machine is available (ping <host>)
    • Obtaining a list of current users on this host (who -H)
    • Displaying the host's IP settings (ifconfig -a)

PBTest

  • Enabled by default for all users on all hosts. The role allows pbrun pbtest to be used to check connectivity and the policy.

Controlled Shells

  • Enabled by default. The role allows users in ControlledShellUsers (by default the submituser) for runhosts in ControlledShellHosts (by default only submithost) to enable I/O logging for pbksh/pbsh. I/O logs are created by default in /tmp/pb.<user>.<runhost>.<YYYY-MM-DD>.[pbksh|pbsh].XXXXXX. This role has a list of commands (empty by default) to elevate privileges for as well as a list of commands (empty by default) to reject.

Admin Role

  • Enabled by default. The role allows users in AdminUsers (by default root) to run any command on runhosts in AdminHosts (by default only submithost).

Demo Role

  • Disabled by default. The role allows users in DemoUsers (default all users) to run commands in DemoCommands (default id and whoami) as root on any host in DemoHosts (default all hosts).

Splunk Role

  • Disabled by default. If enabled, and only when pbrun is invoked, the role enables iologging (creating iologs in /pbiologs), sets the default ACA rule, enables ACA session history, and sets iologcloseaction to a script that sends records to Splunk.

Sudo Role

  • Disabled by default. The role allows users in SudoUsers (by default only root) to run any command on runhosts defined in SudoHosts (default submithosts).

This serves as a demo policy for the sudo wrapper, which requires policy modification before it is installed. It illustrates the changes to start with in order to make all the sudo wrapper options available.

The policy ends by allowing all users to run any command as themselves without any privilege escalation.