Installation Preparation

This section lists the items that you need to plan for and be aware of before starting the Endpoint Privilege Management for Unix and Linux installation.

Pre-installation Checks

pbulpreinstall.sh performs some basic preinstallation checks such as:

  • Checks hostname resolution and DNS and name service resolution, and verifies that the default ports are not in use.
  • Checks for sufficient disk space.
  • Reports technical support-related information such as the operating system, NIC information, gateway, and super daemon status. If Endpoint Privilege Management for Unix and Linux is already installed, the Endpoint Privilege Management for Unix and Linux roles such as submithost, runhost, policy server, logserver, and pbx are reported.

This script has an optional -t <datetime in UTC> argument, which initiates a time verification check. This check simply validates that the host's time is within 60 seconds of the time specified. The time specified must be UTC, in the format 20130827154130, as produced by:

date -u '+%Y%m%d%H%M%S'

This script has an optional -f argument, which causes pbulpreinstall.sh to produce machine-readable output intended for the BeyondInsight for Unix & Linux installation console.

Prior to installation, the pbulpreinstall.sh script is located in the Endpoint Privilege Management for Unix and Linux distribution in the following directory: powerbroker/<version>/<flavor>/install. After installation, this script is installed in the '$inst_admin' directory; /usr/sbin is the default.
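The following is an added example, not a script from the BeyondTrust distribution, that reproduces the -t time verification described above so the check can be understood and rehearsed before pbulpreinstall.sh is run; the function names pbul_stamp_to_epoch and pbul_time_check are hypothetical, and the stamp is parsed with shell arithmetic only so the script does not depend on GNU date -d.

```shell
#!/bin/sh
# Added example (not part of the BeyondTrust distribution): reproduce the
# pbulpreinstall.sh -t check, which accepts a UTC stamp in YYYYmmddHHMMSS
# form and passes only if the host clock is within 60 seconds of it.

# Convert a 14-digit UTC stamp to Unix epoch seconds using only shell
# arithmetic (no GNU date -d), so it behaves the same on any POSIX sh.
pbul_stamp_to_epoch() {
    stamp=$1
    [ "${#stamp}" -eq 14 ] || return 2
    case $stamp in *[!0-9]*) return 2 ;; esac
    y=$(printf %s "$stamp" | cut -c1-4)
    m=$(printf %s "$stamp" | cut -c5-6);   m=${m#0}   # strip leading zero
    d=$(printf %s "$stamp" | cut -c7-8);   d=${d#0}   # (avoids octal parsing)
    H=$(printf %s "$stamp" | cut -c9-10);  H=${H#0}
    M=$(printf %s "$stamp" | cut -c11-12); M=${M#0}
    S=$(printf %s "$stamp" | cut -c13-14); S=${S#0}
    # days since 1970-01-01 (proleptic Gregorian civil-date algorithm)
    if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(((153 * m + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + H * 3600 + M * 60 + S))
}

# Exit 0 when the host clock (or a supplied epoch, for testing) is within
# 60 seconds of the stamp; exit 1 on drift; exit 2 on a malformed stamp.
pbul_time_check() {
    target=$(pbul_stamp_to_epoch "$1") || return 2
    now=${2:-$(date -u +%s)}
    drift=$((now - target))
    [ "$drift" -lt 0 ] && drift=$((-drift))
    if [ "$drift" -le 60 ]; then
        echo "clock ok: ${drift}s from supplied UTC time"
        return 0
    fi
    echo "clock drift of ${drift}s exceeds 60s; correct the clock (NTP) before installing" >&2
    return 1
}

# Typical use: generate the stamp on a trusted reference host and pass it
# here, exactly as you would pass it to 'pbulpreinstall.sh -t <stamp>':
# pbul_time_check "$(date -u '+%Y%m%d%H%M%S')"
```

Run the stamp-generating date command on a host whose clock you trust, not on the host being checked, otherwise the check only confirms that a host agrees with itself.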

Obtain a License Validation Key

To install Endpoint Privilege Management for Unix and Linux, you need a license string, which is provided by your BeyondTrust sales representative.

Endpoint Privilege Management for Unix and Linux primary license server hosts perform the license resolution functions for Endpoint Privilege Management for Unix and Linux and are the only Endpoint Privilege Management for Unix and Linux host types that require a license key. For a policy server host to accept a task, the primary license server must have a current valid license key. The distribution includes a temporary license key with a two month expiration date from the date of the installation.

If installing using pbinstall, the license key may be configured during installation using the Endpoint Privilege Management for Unix and Linux license installation menu item. After the installation is complete, the Endpoint Privilege Management for Unix and Linux license can also be added using the pbadmin --lic -u command.

Obtain root Access

Installation of the Endpoint Privilege Management for Unix and Linux product requires root access.

Plan Endpoint Privilege Management for Unix and Linux Hosts

An Endpoint Privilege Management for Unix and Linux installation includes several host types, each of which performs specific functions. Prior to installation, you need to determine which host type needs to be placed on the individual machines in your environment.

Endpoint Privilege Management for Unix and Linux must be installed separately on each machine running any type of Endpoint Privilege Management for Unix and Linux host.

Select License Servers

Determine which hosts to use as license servers. These are the machines that perform the license resolution functions for Endpoint Privilege Management for Unix and Linux. These hosts are the only types that require a license key. They store and maintain the product license, parameters, and usage information.

The first installation of Endpoint Privilege Management for Unix and Linux becomes the primary license server. Subsequent license server installations obtain their data when the primary license server performs synchronization.

Select Submit Hosts

Determine which machines to use as submit hosts. These are the machines where pbrun is installed and executed. pbrun is the Endpoint Privilege Management for Unix and Linux utility used to submit secure tasks that might run on the same or different hosts. At minimum, one submit host must be available to process monitored task requests.

Select Run Hosts

Determine which machines to use as Endpoint Privilege Management for Unix and Linux run hosts. These are the machines where pblocald, pbsh, and pbksh are installed and executed. pblocald is the daemon process that executes secure tasks. At minimum, one run host must be available to process accepted task requests.

Multiple Endpoint Privilege Management for Unix and Linux components can be installed on a single machine. For example, it is possible for a single physical machine to serve as a submit host, policy server host, run host, log host, and log sync host.

Select Policy Server Hosts

Determine which machines to use as Endpoint Privilege Management for Unix and Linux policy server hosts. These are the machines where pbmasterd is installed and executed. pbmasterd is the daemon process that accepts or rejects all tasks that are submitted by submit hosts, and if accepted, it authorizes a specific run host to execute each task. The policy server host is where policy files reside (by default /opt/pbul/policies/pb.conf from v9.4.3+ and /etc/pb.conf prior to v9.4.3). Any policy files referenced by include statements in the policy file also reside there.

There must be at least one policy server host in an Endpoint Privilege Management for Unix and Linux installation. We recommend that a second, failover policy server host also be installed and have the same policy files as the primary policy server host to give redundancy to your Endpoint Privilege Management for Unix and Linux installation.

Depending on the size of your Endpoint Privilege Management for Unix and Linux environment and the volume of tasks executed through the Endpoint Privilege Management for Unix and Linux system, it may be desirable to add additional Endpoint Privilege Management for Unix and Linux policy server hosts to your Endpoint Privilege Management for Unix and Linux installation. Additional Endpoint Privilege Management for Unix and Linux policy server hosts can be added during the initial installation of Endpoint Privilege Management for Unix and Linux or afterward.

Select Log Hosts

Using a log host to record event and I/O logs is optional. To use this feature, determine which machine (or machines) to use as Endpoint Privilege Management for Unix and Linux log hosts. This machine is where pblogd is installed and executed. For Endpoint Privilege Management for Unix and Linux, if a log host is not used, pbmasterd and pblocald are responsible for logging activities. As with policy server hosts, multiple log hosts are recommended to provide redundancy. When there is a log host failover, the log synchronization utilities in Endpoint Privilege Management for Unix and Linux can be used to resynchronize the log entries.

The load on the log hosts varies with the amount of logging performed. I/O logs require greater resources on the log hosts. Additional log hosts can be added to your environment during installation or afterward, as needed.

Enable Log Synchronization Host

Log synchronization enables a log host, or a policy server host that is acting as a log host, to participate in log synchronization. Install the log synchronization component on any log host or policy server host that may participate in log synchronization. Log synchronization should be installed on each log or policy server host if you are installing primary and failover log hosts, or are installing policy server hosts that are acting as log hosts.

If log synchronization is used, then one or more machines need to have the ability to initiate log synchronization.

Endpoint Privilege Management for Unix and Linux Utilities

Using the Endpoint Privilege Management for Unix and Linux utilities is optional. The Endpoint Privilege Management for Unix and Linux utilities are secured versions of vi, nvi, mg, umacs, and less. Endpoint Privilege Management for Unix and Linux utilities can only be installed on a machine where an Endpoint Privilege Management for Unix and Linux run host is installed.

Endpoint Privilege Management for Unix and Linux Shells

Using the Endpoint Privilege Management for Unix and Linux shells is optional. The Endpoint Privilege Management for Unix and Linux shells are secured versions of the Korn Shell and the Bourne Shell. The Endpoint Privilege Management for Unix and Linux shells can be installed only on a machine where an Endpoint Privilege Management for Unix and Linux submit host is installed.

Select Port Numbers

You need to decide whether to use the Endpoint Privilege Management for Unix and Linux default port numbers or to specify your own. Endpoint Privilege Management for Unix and Linux uses the following default port numbers:

pbmasterd   24345
pblocald    24346
pblogd      24347
pbguid      24348
pbsguid     24349
pbsyncd     24350
pbrestport  24351

If you decide to change the port number defaults, be sure to choose port numbers that do not conflict with those already in use. See /etc/services. Also, if present and active, review the services NIS map. Endpoint Privilege Management for Unix and Linux port numbers must use the non-reserved system ports. The allowed port numbers are 1024 to 65535.
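As an added example (not a BeyondTrust tool), the script below checks the default port list above against a services file, flagging any port outside 1024 to 65535 or already assigned to a different service; the function name pbul_port_check is hypothetical, and the sample services file is constructed here to show a collision rather than taken from a real host.

```shell
#!/bin/sh
# Added example (not from the BeyondTrust distribution): check the EPM-UL
# default ports against a services file before deciding whether to keep them.
# Component:port pairs are the defaults listed in this section.
PBUL_DEFAULT_PORTS="pbmasterd:24345 pblocald:24346 pblogd:24347 pbguid:24348
pbsguid:24349 pbsyncd:24350 pbrestport:24351"

# Report each component whose port is outside 1024-65535 or is already
# assigned to another service in the given services file ($1; use
# /etc/services on a real host). Prints one line per problem; returns 1 if
# any problem was found, 0 otherwise.
pbul_port_check() {
    services=$1
    problems=0
    for entry in $PBUL_DEFAULT_PORTS; do
        name=${entry%%:*}
        port=${entry#*:}
        if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
            echo "$name: port $port is outside the allowed range 1024-65535"
            problems=$((problems + 1))
            continue
        fi
        # Match "<service> <port>/<proto>" lines, skipping comment lines;
        # a different service name on that port number is a conflict.
        owner=$(awk -v p="$port" '
            $1 !~ /^#/ && split($2, f, "/") && f[1] == p { print $1; exit }
        ' "$services")
        if [ -n "$owner" ] && [ "$owner" != "$name" ]; then
            echo "$name: port $port is already assigned to \"$owner\" in $services"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample services file (not a real system's /etc/services), with
# one deliberate collision on pblocald's default port.
SAMPLE_SERVICES=$(mktemp)
cat >"$SAMPLE_SERVICES" <<'EOF'
# service     port/proto
ssh           22/tcp
http          80/tcp
custom-app    24346/tcp   # collides with pblocald default
pblogd        24347/tcp   # same owner name as the component: not a conflict
EOF

# Real use: pbul_port_check /etc/services
pbul_port_check "$SAMPLE_SERVICES"
```

Where the NIS services map is active, save its output to a file (for example from ypcat services) and run the same check against that file, since a port that is free in /etc/services may still be assigned there.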

Select Installation Directories

Decide whether to use the Endpoint Privilege Management for Unix and Linux default installation directories or to specify your own. Specifying your own installation directories allows for Endpoint Privilege Management for Unix and Linux optimization of the local installation.

Select syslog

Use of syslog is optional. Determine if the policy server host, run host, submit host, log sync host, and/or log host should generate syslog records when system error conditions are encountered.

Select Encryption

By default, Endpoint Privilege Management for Unix and Linux installs with AES-256 encryption; however, it can support a large number of encryption technologies. In Endpoint Privilege Management for Unix and Linux v3.0 and earlier, DES and 3DES are supported. Beginning with Endpoint Privilege Management for Unix and Linux v3.2, many additional encryption modes are supported.

Prior to selecting which encryption technology you plan to use, see the Endpoint Privilege Management for Unix and Linux Administration Guide.

Firewalls

Endpoint Privilege Management for Unix and Linux can be used in a firewall environment with special configuration.

If you are installing Endpoint Privilege Management for Unix and Linux into an environment where the Endpoint Privilege Management for Unix and Linux components need to communicate across firewalls, see the Endpoint Privilege Management for Unix and Linux Administration Guide before installing.

Use NIS

Endpoint Privilege Management for Unix and Linux can use NIS to provide configuration services for Endpoint Privilege Management for Unix and Linux settings. Netgroups can be defined for the Accept policy servers (pbacceptmaster), Submit policy servers (pbsubmitmasters), and log host (pblogservers) settings. NIS can also be used to provide port lookup information for the Endpoint Privilege Management for Unix and Linux components. If NIS is running in your environment, consider using Endpoint Privilege Management for Unix and Linux netgroups and port definitions.

Verify Proper TCP/IP Operation

Endpoint Privilege Management for Unix and Linux uses TCP/IP as its communication protocol. Therefore, it is essential that TCP/IP be working correctly before Endpoint Privilege Management for Unix and Linux installation. Use programs such as ping, netstat, route, or traceroute to verify correct TCP/IP operation among all hosts that will have Endpoint Privilege Management for Unix and Linux components installed.

Verify Network Host Information

Ensure that each network host knows the names and addresses of all other network hosts. Network host information is generally stored in the /etc/hosts file on each network host machine or in the NIS maps or DNS files on a server. Each submit host should resolve all of the policy server host names correctly. Each policy server host should resolve all submit, run, GUI, and log host names correctly. The resolution must work correctly in both directions: name-to-IP address and IP address-to-name.

After installation, the pbbench utility generates warnings for any host name resolution issues on a host where Endpoint Privilege Management components are installed.