Advanced Installation Instructions Using pbinstall

This section provides step-by-step instructions for using all the installation options that are available using the pbinstall script. These options are discussed in the order that they are used in the Endpoint Privilege Management for Unix and Linux installation menu.

These steps are optional and should be selected after reviewing Installation Considerations and Installation Preparation.

In addition, some options do not appear unless certain combinations of options are selected.

For more information, see Complete the Installation.

Start pbinstall

If you downloaded Endpoint Privilege Management for Unix and Linux using the Web or FTP, do the following.

  1. Change to /opt/beyondtrust and extract the tarball there by executing the following command (the archive unpacks into the current working directory):
    gunzip -c pmul<flavor_version>.tar.Z | tar xvf -
  2. Navigate to the installation directory:
    cd /opt/beyondtrust/powerbroker/<version>/<flavor>/install
  3. Execute the installation script by typing:
    ./pbinstall
  4. After reading the initial messages, press Enter.

Use the Menu Options

Depending on your operating system and other factors, the option numbers listed in the following table may not match the menu option numbers you see on the screen, and some items might not be available. In these steps, "choose this option" means type the number that corresponds to the option on the screen and press Enter.

Opt # Menu Item Description

1 

Install Everything Here (Demo Mode)? Choose this option and specify y to install the policy server host, run host, submit host, and log host on this computer. This option is useful for testing or demonstrating Endpoint Privilege Management for Unix and Linux on a single computer in your environment.

2 

Install license server? Specify y to install a license server which provides product license management for Endpoint Privilege Management for Unix and Linux.

3 

Install Registry Name Services Server?

Specify y to install the Registry Name Service which provides the product with a method of addressing and locating other parts of Endpoint Privilege Management for Unix and Linux.

Installing the Registry Name Services Server makes installing the Sudo Policy Server mandatory.

For more information, see Install Sudo Policy Server.

4 

Install Client Registration Server? Specify y to install the Client Registration Server, which provides a repository for customized install profiles. If you already chose to install the Registry Name Service, installing the Client Registration Server is mandatory.

5 

Install Policy Server Host? Choose this option and specify y to install the policy server host component on this host.

6 

Allow Policy & Log Caching?

This option is only available when you are installing on a policy server or a client registration server.

If you choose this option and specify y on a client registration server, any policy server that registers with this host will automatically have the policy caching feature enabled.

If you choose this option and specify y on a policy server, you can optionally enable the policy caching feature on any of this server's clients so they can function even in a disconnected state from the network.

Enabling this feature automatically enables the required role-based policy feature.

For more information on the Cached Policy feature, see the Endpoint Privilege Management for Unix and Linux Administration Guide.

7 

Enable Role-Based Policy?

This option is only available when you are installing on a policy server. Choose this option and specify y to enable the role-based policy feature.

This feature is mandatory if you enabled the Cached Policy feature.

For more information on the Role-Based Policy feature, see the Role Based Policy.

8 

Install Run Host? Choose this option and specify y to install the run host component on this host.

9 

Install Submit Host? Choose this option and specify y to install the submit host component on this host.

This option installs pbrun.

10 

Enable Policy & Logs Caching for client?

Available in v23.1.0 and later, and only on Linux.

This option is available when installing an EPM-UL client host that registered with a policy server that allows policy caching. Specify y if you want client programs such as pbrun on this host to function even without a network connection.

11 

Install PBSSH This item is available only when you specify y for the previous item. Using the Endpoint Privilege Management for Unix and Linux pbssh program, you can control access to, and activities on, SSH-managed devices. The pbssh program uses the SSH protocol (or, optionally, the telnet protocol, which carries credentials and session contents in cleartext and should be avoided where SSH is available) to connect to devices that do not have Endpoint Privilege Management for Unix and Linux installed on them; such devices can include Windows computers and certain network devices. Choose this option and specify y to install the pbssh program.

12 

Install sudo Policy Server?

Enter y to configure the server to be able to store and process sudo policies.

Installing the Sudo Policy Server is mandatory if installing the Registry Name Services Server.

13 

Install Log Host? Choose this option and specify y to install the log host component on this host.

14 

Enable Logfile Tracking and Archiving?

If the installation detects that you are installing the policy server host or the log host on the current machine, it displays the Enable Logfile Tracking and Archiving? question in the menu and sets it to yes by default. When the answer to this question is yes, the installer prompts for the Log Archive Storage Server name and the Log Archiver Database Server name. Log Tracking and Archiving requires REST services to be installed.

15 

Is this a Log Archiver Storage Server? If the current machine is the intended Log Archive Storage Server, it must have the REST service preinstalled on it.

If the answer to this question is set to yes, the install displays the following question:

Configure this host to be a Log Archive Storage Server which receives logfiles to archive and stores them in the appropriate path:
Yes This host will be configured as a Log Archiver Storage Server
No This host will NOT be configured as a LogArchiver Storage Server
Set as a Log Archiver Storage Server? [no]? yes
The Log Archive Storage Server which will accept and place archived logfiles in a designated pathname. Ensure that it is located in filesystem with ample free space to accommodate incoming logfiles.
Enter the default directory path for archived logfiles []: /pbul/logs

It also sets the Log Archive Storage Server name to the hostname of the current machine.

16 

Is this a Log Archiver Database Server? If the current machine is the intended Log Archive Database Server, it must have the REST service preinstalled on it. It is also required to have the logarchivedb setting in pb.settings, which specifies the SQLite database that stores the location of logfiles, as well as where the archiving information is located.

If the answer to this question is set to yes, the install displays the following question:

Configure this host to be a Log Archive Database Server which creates and maintains the log tracking database:
Yes This host will be configured as a Log Archiver Database Server
No This host will NOT be configured as a LogArchiver Database Server
Set as a Log Archiver Database Server? [no]? yes
Endpoint Privilege Management for Unix and Linux will create and maintain a SQLite database to track the location of logfiles. Specify the path and filename of the SQLite logfile tracking database file and ensure that the given database file system has ample space for growth.
Enter the path and filename of Endpoint Privilege Management for Unix and Linux's SQLite log tracking database file []: /var/log/pbul90_tracking.db

It also sets the Log Archive Database Server name to the hostname of the current machine.

17 

Install File Integrity Monitoring Policy Server? Specify y to install and configure the centralized repository for FIM policies.

18 

Install REST Services? This option is automatically enabled to install the Endpoint Privilege Management RESTful web-based API for product settings, policy configuration, and I/O log retrieval. When installing server-side components of Endpoint Privilege Management for Unix and Linux, installing the REST Services is mandatory.

19 

List of license servers Enter a space-separated list of hostnames of license servers within the Endpoint Privilege Management for Unix and Linux installation. The primary license server is first in the list, followed by secondary license servers listed in order of failover. If Registry Name Service is configured, this value should be an asterisk (*), denoting that the value is held within the service database.

20 

Central License Enter the JSON-formatted data which represents the license you received from your BeyondTrust representative.

21 

Enable License History? Choose yes to enable the logging of license usage history.

22 

Installation base directory?

By default, Endpoint Privilege Management for Unix and Linux creates the subdirectories and files it needs under /opt/pbul. This menu option allows you to change the base directory path.

The base directory provided must be:

  • an absolute path
  • owned by root
  • only root can read/write

It is recommended that you provide a directory location that is dedicated for Endpoint Privilege Management for Unix and Linux.

23 

Database directory? Choose this option and select a secure directory location. This path is assigned to the databasedir setting which defines the default location of databases used in Endpoint Privilege Management for Unix and Linux, when only the relative path is provided.

24 

Path to Password Safe 'pkrun' binary This item is available only if you choose to install PBSSH. The pbssh command can use BeyondTrust Password Safe to acquire the user ID's password. To do this, Endpoint Privilege Management for Unix and Linux needs to know where the BeyondTrust Password Safe pkrun binary resides. Choose this option and do one of the following:
  • Specify the absolute path where pkrun resides.
  • Specify none to clear the entry (default).

25 

Password Safe certificate file []

26 

Primary failover Password Safe appliances []

27 

Support short names in Password Safe certificate? [no]

28 

Install Synchronization program? Choose this option and specify y to enable this host to participate in log synchronization.

29 

Install Utilities: pbvi, pbnvi, pbmg, pbumacs, pbless Choose this option and specify y to install the Endpoint Privilege Management for Unix and Linux utilities on this host.

30 

Install pbksh? Choose this option and specify y to install the pbksh component on this host.

31 

Install pbsh? Choose this option and specify y to install the pbsh component on this host.

32 

Install man pages? Choose this option and specify y to install the man pages.

33 

Will this host use a Log Host? Choose this option and specify y if the components on this host should send their event and I/O logs to a log host.

34 

AD Bridge Integration? The pbinstall program does not detect whether AD Bridge is installed. Choose this option and specify one of the following:
  • no to disable Endpoint Privilege Management for Unix and Linux integration with AD Bridge. This is the default.
  • yes to enable Endpoint Privilege Management for Unix and Linux integration with AD Bridge.

35 

Install AD Bridge? [no]

36 

Enable failover event logging to AD Bridge? [yes]

37 

Enable successful connection event logging to AD Bridge? [yes]

38 

Enable event logging to AD Bridge? [no]

39 

AD Bridge shared libraries [/opt/pbis/lib64/libeventlo...]

40 

Integration with BeyondInsight? This option is available for log servers and policy server hosts. This option allows the sending of eventlog records to BeyondInsight and indexing of I/O logs.

41 

Send event log records to BeyondInsight? [yes]

42 

BeyondInsight hostname [none]

43 

BeyondInsight Workgroup ID [BeyondTrust Workgroup]

44 

BeyondInsight SSL port number [443]

45 

BeyondInsight SSL Client Certificate [none]

46 

BeyondInsight SSL CA file [none]

47 

Index IO Logs using Solr? [yes]

48 

Solr hostname [none]

49 

Solr SSL port number [8443]

50 

Solr SSL CA file [none]

51 

Solr SSL Client key file [none]

52 

Solr SSL Client Certificate file [none]

53 

Registry Name Service database path? [/opt/pbul/dbs/pbsvc.db]

54 

Client Registry database path? [/opt/pbul/dbs/pbregclnt.db]

55 

sudo policy database file path and filename? [/opt/pbul/dbs/pbsudo.db]

56 

Directory location for sudo policy files? [/opt/pbul/sudoersdir]

57 

Synchronization can be initiated from this host? Choose this option and specify y to install pbsync to enable this host to start log synchronization.

58 

Daemons location Choose this option and specify a location for the daemons. We recommend that you use the default location, but you can choose to specify a different location. However, do not use system directories for this purpose.

59 

Number of reserved spaces for submit process information of pbmasterd, pblogd, and pblocald [80]

Available in v8.0 and later, and only on Linux and AIX platforms, this feature modifies the pbmasterd, pblocald and pblogd command line arguments (viewable via ps) to include information about the originating pbrun request. This allows administrators to determine which pbrun/pbmasterd/pblocald/pblogd processes are related to a given request.

Choose this option and specify the number of spaces to reserve in the process list of the pbmasterd, pblocald and pblogd processes; pbinstall adds a -i option to the daemon startup files. This command line option reserves space in the process list so that the command line argument area can later be overwritten with information about the originating request (submituser, submithost, runcommand, and the pbrun pid).

60 

Administration programs location Choose this option and specify a location for administration programs. We recommend that you use the default location, but you can choose to specify a different location. However, do not use system directories for this purpose.

61 

User programs location Choose this option and specify a location for user programs. We recommend that you use the default location, but you may choose to specify a different location. However, do not use system directories for this purpose.

62 

Policy include (sub) file directory Choose this option and specify a directory for the policy files. We recommend that you use the default location, but you can specify a different location. However, do not use system directories for this purpose.

63 

Policy file name Enter the Endpoint Privilege Management for Unix and Linux policy file name.

64 

User man page location [/usr/local/man/man1]

65 

Admin man page location [/usr/local/man/man8]

66 

Log Archive Storage Server name The Log Archive Storage Server is the destination host where the logfiles are archived. The PBUL REST service must be pre-installed on that machine. There is no default value for this field, but the user is not allowed to proceed without specifying the appropriate server name. The value is saved in the logarchivehost setting.

67 

Log Archive destination directory? [/var/log/pblogarchive]

68 

Log Archiver Database Server name The Log Archive Database Server is the destination host where the logfile tracking database resides. The REST service must be preinstalled on that machine. There is no default value for this field, but the user is not allowed to proceed without specifying the appropriate server name. The value is saved in the logarchivedbhost setting.

69 

Log Tracking Database file path and filename? [/opt/pbul/dbs/pblogarchive.db]

70 

Enable Caching of Log Locations? [yes]

71 

Event Logfile Name Cache Database file path? [/opt/pbul/dbs/pblogcache.db]

72 

I/O Logfile Name Cache Database file path? Enter the path of the database file to cache the location of event and I/O logfiles. It is used when integrating BeyondInsight for Unix and Linux with Endpoint Privilege Management for Unix and Linux. Enter none to disable the feature.

73 

REST Service installation directory?

This menu item is enabled only if REST services are to be installed.

74 

Install REST API sample code?

This menu item is enabled only if REST services are to be installed.

75 

REST API sample code directory? [/usr/local/lib/pbrest]

76 

Pblighttpd user

The user name that the REST services run as. The default value is pblight. This user is created if you answer yes to the menu option Create Pblighttpd User?. This menu item is enabled only if installing REST Services.

77 

Create Pblighttpd user? [yes]

78 

Pblighttpd user UID []

79 

Pblighttpd user GID []

80 

Pblighttpd user group name

Enter a user group name or use the default value.

The pblighttpd user specified in the Pblighttpd user menu item is assigned to the group name provided.

  • If you enter a group name that does not exist, that group is created and the pblighttpd user is assigned to it.
  • If you enter a group name that exists, then the pblighttpd user is assigned to that preexisting group.

81 

File Integrity Monitor db path? [/opt/pbul/dbs/pbfim.db]

82 

Configure systemd? Choose this option and specify y to register the Endpoint Privilege Management for Unix and Linux daemons with the system's superdaemon. Endpoint Privilege Management for Unix and Linux can be configured into the systemd, inetd, xinetd, launchd, or SMF superdaemons, which are OS-dependent. These superdaemons are used by Endpoint Privilege Management for Unix and Linux to listen on a TCP/IP port for inbound connections requesting Endpoint Privilege Management for Unix and Linux daemon services. When the superdaemon detects a connection request, it forks a copy of the Endpoint Privilege Management for Unix and Linux daemon to serve the request.

If you specify no, any existing Endpoint Privilege Management for Unix and Linux installation that is configured with the specified prefix and/or suffix is removed from the superdaemon configuration.

This menu option is platform dependent. On older RHEL or other operating systems using inetd or xinetd, it may display Configure inetd or xinetd, while on Solaris, it displays Configure Solaris Services.

83 

Command line options for pbmasterd

Choose this option and specify the command line options that you want. Available syntax and command line options for pbmasterd are:

Syntax: [-arsV] [-e logfile] [--disable_optimized_runmode]

-a: Send the job acceptance messages to syslog.

-e: Use logfile as the pbmasterd diagnostic log file, overriding the diagnostic log setting in the pb.settings file. You must specify the file name if you use the -e option.

-r: Send the job rejection messages to syslog.

-s: Send the error messages to syslog. The -s command line option overrides the syslog setting in the pb.settings file.

-V: Print the version number mismatch messages.

none: Erase all options.

--disable_optimized_runmode: Suppresses optimized run mode for any tasks that are authorized by this policy server host.

The installation is currently set to use the syslog setting in the Endpoint Privilege Management for Unix and Linux pb.settings file. This setting is the default.

84 

Policy Server Delay Choose this option and specify the length of time (in milliseconds) that a pbrun command should wait for an initial connection to a policy server host. If a connection does not occur within a specified number of milliseconds, then the command uses another host that is specified in the pb.settings file for submitmasters.

85 

Policy Server Protocol Timeout Choose this option and specify the length of time the daemon should wait for a response from a policy server host or the time a policy server host should wait for a response from another Endpoint Privilege Management for Unix and Linux program.

86 

pbmasterd diagnostic log Choose this option and specify a location. This option enables you to specify where the pbmasterd diagnostic log is located.

87 

Eventlog filename Choose this option and specify a location. This option enables you to specify where the event log file is located.

88 

Configure eventlog rotation via size Choose this option and specify a size for event log rotation.

89 

Configure eventlog rotation path Choose this option and specify a path where the event log is moved to.

90 

Configure eventlog rotation via cron Choose this option to add a cron job that rotates the eventlog, and specify the cron minute, hour, days-of-the-month, month, and days-of-the-week fields.

91 

Validate Submit Host Connections?

Choose this option and specify one of the following settings. The Endpoint Privilege Management for Unix and Linux policy server daemon (pbmasterd) can use name resolution to validate the host name and IP address of the submit host connection to a policy server host.

  • Specify y to validate submit host connections. If you decide to use this facility, then you must do the following:
    • Ensure that name resolution works correctly on all machines.
    • Ensure all policy server hosts and submit hosts are upgraded to Endpoint Privilege Management for Unix and Linux v3.5.7 or higher before enabling this feature.
    • Ensure that each submit host connection’s host name and IP address match those that are listed in the policy server host’s name resolution services.
  • Specify n to disable this checking. This setting is the default value.

92 

List of Policy Servers to submit to

Choose this option and do the following:

  • If submitmasters already has a value, specify y at the Do you wish to make changes to this list? prompt.
  • At the Enter Policy Server list (submitmasters) prompt, specify a host name, or a list of space-delimited host names, to serve as policy servers to submit secured tasks to (a fully-qualified domain name may be required):

    The host names should now appear in the List of Endpoint Privilege Management policy server hosts to submit to line of the pbinstall menu.

93 

pbrun diagnostic log? Choose this option and specify a location for the diagnostic log. This option is typically used only when requested by BeyondTrust Technical Support.

94 

pbssh diagnostic log?

The BeyondTrust Endpoint Privilege Management for Unix and Linux pbssh program can maintain a separate, individual host diagnostic log file. This log file is typically only used when requested by BeyondTrust Technical Support.

Specify a full path specification for the pbssh diagnostic log file or none for none.

95 

Allow Local Mode? Choose this option and specify y to allow Local Mode. This option allows the requested secured task to replace the executing copy of pbrun. Local Mode executes secured tasks on the submit host only.

96 

Additional secured task checks?

Choose this option and specify whether to enable additional secured task checks.

This option determines whether the run host or submit host performs an additional check on the security of the requested command. This check helps to ensure that the command cannot be compromised by a user other than root or the user running the Endpoint Privilege Management for Unix and Linux command (for example, sys, oracle). This setting is used on run hosts or submit hosts using Local Mode. The policy language variable runsecurecommand can be set by the configuration policy on the policy server host for the same effect.

  • Specify y to check the runcommand and all directories above it to see if anyone other than root or the runuser has write permission. If the command file or any of the directories above it are writable by anyone other than root or the runuser, then the run host refuses to run the command.
  • Specify n to disable this feature.
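The two path-security rules on this page, the base directory requirements (absolute, root-owned, readable and writable only by root) and the additional secured task check (the command file and every directory above it must not be writable by anyone other than root or the runuser), are easy to get subtly wrong. The following is an added example, not BeyondTrust code and not how pbinstall or pblocald implement the checks; it reads ownership and mode through an injectable stat function so that the logic can be exercised against a constructed filesystem snapshot (the SAMPLE_FS table and uid 1001 are made up for illustration). Group-writable entries are treated as unsafe, which is a conservative reading of the rule.

```python
"""Path-security checks in the spirit of the base-directory rules and the
"Additional secured task checks?" option. Added example, not BeyondTrust code."""
from __future__ import annotations
import os
import stat
from typing import Callable, NamedTuple


class PathInfo(NamedTuple):
    uid: int    # owner uid
    gid: int    # owner gid
    mode: int   # full st_mode (type bits + permission bits)


def live_stat(path: str) -> PathInfo:
    """Real backend: follow symlinks so a link's 0777 mode is not what gets judged."""
    st = os.stat(path)
    return PathInfo(st.st_uid, st.st_gid, st.st_mode)


def check_base_dir(path: str, stat_fn: Callable[[str], PathInfo] = live_stat) -> list[str]:
    """Return the list of base-directory rule violations (empty list means OK)."""
    problems: list[str] = []
    if not os.path.isabs(path):
        problems.append("not an absolute path")
        return problems
    info = stat_fn(path)
    if not stat.S_ISDIR(info.mode):
        problems.append("not a directory")
    if info.uid != 0:
        problems.append(f"owned by uid {info.uid}, not root")
    if info.mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other have access; expected mode 0700")
    return problems


def path_chain(path: str) -> list[str]:
    """'/usr/local/bin/tool' -> the file, then each parent up to and including '/'."""
    chain: list[str] = []
    p = os.path.normpath(path)
    while True:
        chain.append(p)
        parent = os.path.dirname(p)
        if parent == p:          # reached '/'
            return chain
        p = parent


def writable_by_others(info: PathInfo, run_uid: int) -> bool:
    """True if someone other than root or run_uid could write this entry."""
    if info.mode & stat.S_IWOTH:                     # world-writable
        return True
    if info.mode & stat.S_IWGRP:                     # any group member could write: treat as unsafe
        return True
    if info.mode & stat.S_IWUSR and info.uid not in (0, run_uid):
        return True                                  # owner-writable, owner is a third party
    return False


def secured_task_check(runcommand: str, run_uid: int,
                       stat_fn: Callable[[str], PathInfo] = live_stat) -> tuple[bool, str]:
    """Apply the runsecurecommand rule to the command and all directories above it."""
    if not os.path.isabs(runcommand):
        return False, "runcommand must be an absolute path"
    for entry in path_chain(runcommand):
        if writable_by_others(stat_fn(entry), run_uid):
            return False, f"{entry} is writable by a user other than root or uid {run_uid}"
    return True, "ok"


# Constructed filesystem snapshot (not taken from any real host); uid 1001 stands for 'oracle'.
SAMPLE_FS = {
    "/":                       PathInfo(0, 0, stat.S_IFDIR | 0o755),
    "/opt":                    PathInfo(0, 0, stat.S_IFDIR | 0o755),
    "/opt/pbul":               PathInfo(0, 0, stat.S_IFDIR | 0o700),
    "/opt/app":                PathInfo(0, 0, stat.S_IFDIR | 0o755),
    "/opt/app/bin":            PathInfo(1001, 1001, stat.S_IFDIR | 0o755),
    "/opt/app/bin/backup.sh":  PathInfo(1001, 1001, stat.S_IFREG | 0o755),
    "/tmp":                    PathInfo(0, 0, stat.S_IFDIR | 0o1777),
    "/tmp/hook.sh":            PathInfo(0, 0, stat.S_IFREG | 0o755),
}


def sample_stat(path: str) -> PathInfo:
    return SAMPLE_FS[path]


if __name__ == "__main__":
    print(check_base_dir("/opt/pbul", sample_stat))                        # []
    print(check_base_dir("/opt/app", sample_stat))                         # mode too open
    print(secured_task_check("/opt/app/bin/backup.sh", 1001, sample_stat))  # allowed as oracle
    print(secured_task_check("/opt/app/bin/backup.sh", 0, sample_stat))     # refused as root
    print(secured_task_check("/tmp/hook.sh", 0, sample_stat))              # refused: /tmp is 1777
```

The last two calls show why the rule matters: a root-owned script under /tmp is refused because anyone can replace the file through the world-writable directory, and a script owned by oracle is fine when run as oracle but refused when the runuser is root, since oracle could then edit what root executes.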

97 

Suppress Policy Server host failover error messages?

When a connection to a policy server host fails, Endpoint Privilege Management for Unix and Linux fails over to another available policy server host (if configured) and generates an error message regarding the event. Choose this option and do one of the following:

  • Specify n to enable the policy server host failover error messages (default).
  • Specify y to suppress the policy server host failover error messages.

98 

List of Policy Servers to accept from

Choose this option and then do the following:

  • If acceptmasters already has a value, specify y at the Do you wish to make changes to this list? prompt.
  • At the Enter Incoming Policy Server list (acceptmasters) prompt, specify a host name, or a list of space-delimited host names, to serve as policy servers to accept secured tasks from (a fully-qualified domain name may be required).

    The accept policy server host name should now display in the List of Endpoint Privilege Management Policy Server hosts to accept from ... line of the pbinstall menu.

99 

pblocald diagnostic log Choose this option and specify a directory and file name for it.

100 

Command line options for pblocald Choose this option and specify the command line options that you want. Available syntax and command line options for pblocald are:
[-sV] [-e logfile] [-m master_host]
  • -s: Send error messages to syslog. The -s command line option overrides the syslog setting in the pb.settings file.
  • -e: Use logfile as the pblocald diagnostic log file. The -e command line option overrides the diagnostic log setting in the pb.settings file.
  • -m: Accept pbmasterd connections from master_host only. Multiple -m options can be used to specify more than one host.
  • -V: Print version number mismatch messages.
  • none: Erase all options.

The installation is currently set to use the syslog setting in the Endpoint Privilege Management for Unix and Linux pb.settings file. This setting is the default.

101 

Syslog pblocald sessions? Choose this option and specify y to log pblocald accepted and rejected requests to syslog.

102 

Record PTY sessions in utmp/utmpx? Choose this option and specify y to record Endpoint Privilege Management for Unix and Linux terminal sessions in the utmp (or utmpx) file.

103 

Validate Policy Server Host Connections?

Choose this option and specify one of the following settings. The Endpoint Privilege Management for Unix and Linux local daemon (pblocald) can use name resolution to validate the host name and IP address of the policy server host connection to a run host.

  • Specify y to validate policy server host connections. This validation requires that each policy server connection’s host name and internet address match those that are retrieved from name resolution services.

If you decide to use this facility, then you must ensure that name resolution works correctly on all machines before enabling this feature. You must also ensure that all policy server hosts and run hosts are upgraded to Endpoint Privilege Management for Unix and Linux v3.5.7 or later before enabling this feature.

  • Specify n to disable this checking. This setting is the default value.
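Both Validate Submit Host Connections? (pbmasterd checking the submit host) and Validate Policy Server Host Connections? (pblocald checking the policy server host) rely on the same idea: the peer's IP address and host name must agree with what name resolution returns, so a stale PTR record or a second NIC that is missing from the forward record rejects the connection. The following is an added example, not BeyondTrust code; the page does not specify the daemons' exact lookup sequence, so this implements the stated rule as a reverse lookup followed by a forward lookup through an injectable resolver. The SAMPLE tables and the example.com names are constructed for illustration.

```python
"""Peer validation by forward/reverse name-resolution agreement.
Added example, not BeyondTrust code."""
from __future__ import annotations
from dataclasses import dataclass, field
import socket


@dataclass
class Resolver:
    """Constructed forward/reverse tables standing in for DNS or /etc/hosts."""
    forward: dict[str, list[str]] = field(default_factory=dict)
    reverse: dict[str, str] = field(default_factory=dict)

    def gethostbyaddr(self, ip: str) -> str:
        if ip not in self.reverse:
            raise OSError(f"no PTR record for {ip}")
        return self.reverse[ip]

    def gethostbyname_all(self, name: str) -> list[str]:
        if name not in self.forward:
            raise OSError(f"cannot resolve {name}")
        return self.forward[name]


class LiveResolver:
    """Same interface backed by the system resolver (not used by the offline sample)."""
    def gethostbyaddr(self, ip: str) -> str:
        return socket.gethostbyaddr(ip)[0]

    def gethostbyname_all(self, name: str) -> list[str]:
        return socket.gethostbyname_ex(name)[2]


def validate_peer(peer_ip: str, claimed_host: str, resolver) -> tuple[bool, str]:
    """Accept the connection only if reverse and forward lookups agree.

    1. reverse-resolve peer_ip to a canonical host name
    2. that name must match the name the peer presented (case-insensitive)
    3. forward-resolving the name must yield an address set containing peer_ip
    Any lookup failure is a rejection, which is why the page requires working
    name resolution on every host before the option is enabled.
    """
    try:
        ptr_name = resolver.gethostbyaddr(peer_ip)
    except OSError as exc:
        return False, f"reverse lookup failed: {exc}"
    if ptr_name.lower() != claimed_host.lower():
        return False, f"{peer_ip} reverse-resolves to {ptr_name}, but peer claims {claimed_host}"
    try:
        addrs = resolver.gethostbyname_all(ptr_name)
    except OSError as exc:
        return False, f"forward lookup failed: {exc}"
    if peer_ip not in addrs:
        return False, f"{ptr_name} resolves to {addrs}, which does not include {peer_ip}"
    return True, "ok"


# Constructed sample: submit1 is consistent; oldbox has a stale PTR record
# (192.0.2.30) that no longer matches its forward record; master1's second
# address 192.0.2.21 has no PTR record at all.
SAMPLE = Resolver(
    forward={
        "submit1.example.com": ["192.0.2.10"],
        "master1.example.com": ["192.0.2.20", "192.0.2.21"],
        "oldbox.example.com": ["192.0.2.99"],
    },
    reverse={
        "192.0.2.10": "submit1.example.com",
        "192.0.2.20": "master1.example.com",
        "192.0.2.30": "oldbox.example.com",
    },
)


if __name__ == "__main__":
    for ip, name in [("192.0.2.10", "submit1.example.com"),
                     ("192.0.2.30", "oldbox.example.com"),
                     ("192.0.2.21", "master1.example.com"),
                     ("192.0.2.20", "evil.example.com")]:
        print(ip, name, validate_peer(ip, name, SAMPLE))
```

The oldbox and 192.0.2.21 cases are the ones that bite in practice after a re-addressing: the host is legitimate, but its DNS data is inconsistent, so enabling this option without first fixing name resolution takes working clients offline.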

104 

List of Log Hosts

Choose this option and specify which machines are to be log hosts. Endpoint Privilege Management for Unix and Linux needs to know which machines you have selected as log hosts. Log hosts are the hosts that policy server hosts select to perform event and I/O logging. To accomplish this task, the policy server host looks at the logservers setting in the pb.settings file. This logservers setting contains the names of the log host machines or a netgroup. You can add, modify, or remove machine names by doing the following:

  • If logservers already has a value, specify y at the Do you wish to make changes to this list? prompt.
  • At the Enter Log Server list (logservers) prompt, specify a host name, or a list of space-delimited host names, to serve as Log Hosts:

    The log host names should now appear in the List of Privilege Management Log Hosts line of the pbinstall menu.

A logserver must be installed before enabling the changemanagementevents keyword.

105 

Command line options for pblogd

Choose this option and specify the command line options that you want. The available syntax and command line options for pblogd are:

[-ars] [-e logfile]

-a: Record accept events on syslog.

-e: Use logfile as the pblogd diagnostic log file. The -e command line option overrides the pblogd diagnostic log setting in the pb.settings file (for example, a previously specified /var/log/pblogd.log).

-r: Record reject events on syslog.

-s: Send error messages to syslog. The -s command line option overrides the syslog setting in the pb.settings file.

none: Erase all options.

106 

Log Host Delay Choose this option and specify the length of time (in milliseconds) that a daemon should wait for an initial connection to a log host. If a connection does not occur within a specified number of milliseconds, then it tries another server that is specified in the logservers setting in the pb.settings file.
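The Policy Server Delay, Log Host Delay and Suppress Policy Server host failover error messages? options all describe the same mechanism: walk the configured host list in order, give each host a bounded time for the initial connection, and move on (optionally without complaining) when it does not answer. The following is an added example, not BeyondTrust code and not how pbrun or the daemons are implemented; the connect step is injectable so the ordering, timeout and message-suppression behaviour can be run offline against a constructed set of reachable hosts. The host names and the port number used in the sample are made up for illustration.

```python
"""Ordered failover with a per-host initial-connection delay, in the spirit of
the submitmasters/logservers lists. Added example, not BeyondTrust code."""
from __future__ import annotations
import socket
from typing import Callable, Iterable


def tcp_connect(host: str, port: int, timeout_s: float) -> socket.socket:
    """Real connector: a single TCP connect bounded by the delay."""
    return socket.create_connection((host, port), timeout=timeout_s)


def connect_with_failover(hosts: str | Iterable[str], port: int, delay_ms: int,
                          connect: Callable[[str, int, float], object] = tcp_connect,
                          suppress_failover_messages: bool = False,
                          log: Callable[[str], None] = print):
    """Try each host in order; return (connection, host) or raise OSError.

    hosts     -- space-separated string exactly as it appears in pb.settings, or any iterable
    delay_ms  -- how long to wait for the initial connection to each host before moving on
    The primary host is first; later entries are secondaries in failover order.
    """
    if isinstance(hosts, str):
        hosts = hosts.split()
    attempted: list[str] = []
    for host in hosts:
        try:
            conn = connect(host, port, delay_ms / 1000.0)
            return conn, host
        except OSError as exc:
            attempted.append(host)
            if not suppress_failover_messages:
                log(f"failover: connection to {host}:{port} failed ({exc})")
    raise OSError(f"no host reachable; tried {attempted}")


# Constructed sample environment: master1 never answers, master2 accepts.
SAMPLE_UP = {"master2.example.com"}


def fake_connect(host: str, port: int, timeout_s: float) -> str:
    """Stand-in connector; socket.timeout is an OSError, so the loop treats it as a failure."""
    if host in SAMPLE_UP:
        return f"conn<{host}:{port}>"
    raise socket.timeout(f"no response within {timeout_s:.1f}s")


if __name__ == "__main__":
    # 24345 is an illustrative port, not taken from this page
    conn, host = connect_with_failover("master1.example.com master2.example.com", 24345, 500,
                                       connect=fake_connect)
    print("connected to", host, "via", conn)
    connect_with_failover("master1.example.com master2.example.com", 24345, 500,
                          connect=fake_connect, suppress_failover_messages=True)
```

Note the cost model this implies: with two dead hosts ahead of a live one, every pbrun invocation pays two full delays before it succeeds, and with messages suppressed nobody notices. Keep the primary host first, the delay short, and the failover messages visible at least on a few canary hosts.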

107 

Log Host Protocol Timeout Choose this option and specify the length of time a daemon should wait for a response from a log host or the time a log host should wait for a response from another Endpoint Privilege Management for Unix and Linux program. Enter the value of the log host protocol timeout (-1 to 1200000). 0 or -1 disables this timeout. -1 is the default.

108 

pblogd diagnostic log Choose this option and specify a location for it. This option enables you to specify the directory and file name for the pblogd diagnostic log. Enter none for no error reporting.

109 

List of log reserved file systems

Choose this option to specify reserved file systems. Endpoint Privilege Management for Unix and Linux can monitor the free space on the named file systems on the log host and fail over immediately to the next log host when space runs low.

  • Enter none to specify no reserved file systems.
  • To specify reserved file systems, type the names of the file systems to monitor for failover. Use spaces to separate multiple file system names.

When a file system is specified in this option, also use the next option to specify the minimum number of free blocks that the file system must have available. If that number of free blocks is not available, logging is done on the next log host.

110 

Number of free blocks per log system file Choose this option and specify the minimum number of free blocks, or enter 0 to impose no minimum, for the file systems specified in the previous option. The valid values for the minimum number of free blocks are 0 to 2048000.

111 

Command line options for pbsyncd

Choose this option and specify the command line options that you want. The available command line options for pbsyncd are:

[-s] [-e logfile]
  • -e: Use logfile as the pbsyncd diagnostic log file.
  • -s: Use the syslog facilities.

112 

Sync Protocol Timeout Choose this option and specify the length of time a synchronization client or server should wait for protocol checks to be completed. Enter the value of the synchronization protocol timeout (-1 to 1200000). 0 or -1 disables this timeout. -1 is the default.

113 

pbsyncd diagnostic log Choose this option and specify the directory and file name for the pbsyncd diagnostic log.

114 

pbsync diagnostic log This option enables you to specify the directory and file name for the pbsync diagnostic log.

115 

pbsync synchronization time interval (in minutes) Choose this option to specify the time interval in minutes between synchronizations.

116 

Add installed shells to /etc/shells

Choose this option and specify whether to add the installed shells. Listing the Endpoint Privilege Management for Unix and Linux shells in /etc/shells lets the operating system recognize them as valid login shells.

  • yes: Add installed shells to /etc/shells.
  • no: Do not add installed shells to /etc/shells.

117 

pbksh diagnostic file Choose this option to specify the directory and file name for the pbksh diagnostic log.

118 

pbsh diagnostic file Choose this option to specify the directory and file name for the pbsh diagnostic log.

119 

Stand-alone pblocald command

Choose this option and indicate whether to specify a stand-alone pblocald command. When an Endpoint Privilege Management for Unix and Linux shell executes with the system in Single-User Mode, it is necessary to know which command to execute for some secured task requests that are handled by pblocald. This setting provides the Endpoint Privilege Management for Unix and Linux shell, running in Single-User Mode, with the pblocald command to execute. Specify the full command for the local daemon:

/usr/sbin/[prefix]pblocald[suffix] -s

When you specify the command, any installation prefix or suffix must be included. Specify none to specify no command for the local daemon in Single-User Mode.

120 

Stand-alone root shell default iolog [/pbshell.iolog]

121 

Use syslog?

Choose this option to specify whether to use the system syslog facility.

The Endpoint Privilege Management for Unix and Linux programs can send errors reported by the policy server and local daemons to the syslog. If you decide to use the system’s syslog facility, then you must ensure that the facility selected for use by Endpoint Privilege Management for Unix and Linux is enabled according to your system’s documentation.

  • Specify y to use the system syslog facility.
  • Specify n to not use the system syslog facility.

122 

Syslog facility to use?

Choose this option to specify the syslog facility to use. For Endpoint Privilege Management for Unix and Linux to use the syslog facility, it must be specified. The facilities that can be specified are:

  • LOG_AUTH security/authorization messages
  • LOG_AUTHPRIV security/authorization messages (Linux). Only supported in Endpoint Privilege Management for Unix and Linux 7.1.0 and later.
  • LOG_DAEMON daemon messages
  • LOG_LOCAL0 local messages
  • LOG_LOCAL1 local messages
  • LOG_LOCAL2 local messages
  • LOG_LOCAL3 local messages
  • LOG_LOCAL4 local messages
  • LOG_LOCAL5 local messages
  • LOG_LOCAL6 local messages
  • LOG_LOCAL7 local messages
  • LOG_USER user messages

The default [LOG_AUTH] is usually sufficient. The message severity level that is used by Endpoint Privilege Management for Unix and Linux is LOG_INFO.

123 

Base daemon port number

Important! Unlike individual daemon ports, the base port may not be a Unix or Linux domain socket or a program name. Any daemon port that is already set to either a Unix or Linux domain socket or program name will not be changed. However, the used port number will be skipped. For more information about assigning ports, see Installation Preparation.

Choose this option and do one of the following:

  • If ports 24345 to 24350 are available for all of the Endpoint Privilege Management for Unix and Linux daemon ports, then accept these ports and continue the installation.
  • If those ports are not available, then do one of the following:
    • Specify an available port number that also has the next six sequential port numbers available to set all of the Endpoint Privilege Management for Unix and Linux daemon ports. The specified value must be numeric and must fall within the range from 1024 to 65530 (inclusive).

      The pbmasterd port is set to the specified value.

      The pblocald port is set to the specified value +1.

      The pblogd port is set to the specified value +2.

      The pbguid port is set to the specified value +3.

      The pbsguid port is set to the specified value +4.

      The pbsyncd port is set to the specified value +5.

      The pbrest port is set to the specified value +6.

    • Use the following port-related menu options to set the port numbers individually for pbmasterd, pblocald, pblogd, pbguid, pbsyncd and pbrestport.
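
The port layout above is mechanical, so it is worth checking before typing a base into the menu. The following is an added example, not part of pbinstall or any BeyondTrust code: it derives the seven daemon ports from a base port exactly as the menu item lays them out, validates the base against the documented 1024 to 65530 range, reports whether anything already listens on each port, and prints /etc/services-style lines for the "Add entries to '/etc/services'" step. The daemon names come from this page; the "/tcp" suffix and the use of ss or netstat for the availability check are this example's own assumptions.

```shell
# Added example (not pbinstall code). Daemon names are those listed on the page;
# the "/tcp" suffix and the ss/netstat availability check are assumptions.

# Offset of each daemon from the base port, in the order the page lists them.
PB_DAEMONS="pbmasterd:0 pblocald:1 pblogd:2 pbguid:3 pbsguid:4 pbsyncd:5 pbrest:6"

# pb_validate_base BASE -> 0 if BASE is a plain integer within 1024..65530.
pb_validate_base() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65530 ]
}

# pb_ports_from_base BASE -> one "name port/tcp" line per daemon; 1 on a bad base.
pb_ports_from_base() {
    base=$1
    pb_validate_base "$base" || { echo "base port must be numeric, 1024..65530" >&2; return 1; }
    for entry in $PB_DAEMONS; do
        echo "${entry%%:*} $((base + ${entry##*:}))/tcp"
    done
}

# pb_port_of BASE NAME -> the port number one daemon receives.
pb_port_of() {
    pb_ports_from_base "$1" | awk -v n="$2" '$1 == n { sub("/tcp", "", $2); print $2 }'
}

# pb_port_listening PORT -> 0 if a TCP listener is already bound to PORT.
# Uses ss (Linux) or netstat; returns 1 (treated as "free") if neither exists.
pb_port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
    else
        return 1
    fi
}

# pb_check_base BASE -> prints each daemon port with "free" or "IN USE";
# returns 1 if any port is already taken, so a different base should be chosen.
pb_check_base() {
    pb_validate_base "$1" || return 1
    rc=0
    for entry in $PB_DAEMONS; do
        port=$(( $1 + ${entry##*:} ))
        if pb_port_listening "$port"; then
            echo "${entry%%:*} $port IN USE"; rc=1
        else
            echo "${entry%%:*} $port free"
        fi
    done
    return $rc
}
```

Run `pb_check_base 24345` on the host before accepting the default; `pb_ports_from_base 24345` prints the lines in the shape that the /etc/services step needs.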

124 

pbmasterd port number

Choose this option to specify the port number for pbmasterd. The Endpoint Privilege Management for Unix and Linux policy server host daemon (pbmasterd) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound secured task requests from submit hosts. See Important! in step 126.

125 

pblocald port number

Choose this option to specify the port number for pblocald. The Endpoint Privilege Management for Unix and Linux run host daemon (pblocald) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound secured task requests from policy server hosts. See Important! in menu item Base daemon port number.

126 

pblogd port number

Choose this option to specify the port number for pblogd. The Endpoint Privilege Management for Unix and Linux log host daemon (pblogd) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound secured task requests from policy server and local daemons. See Important! in menu item Base daemon port number.

127 

pbsyncd port number

Choose this option to specify the port number for pbsyncd. The Endpoint Privilege Management for Unix and Linux log synchronization daemon (pbsyncd) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound requests. See Important! in menu item Base daemon port number.

128 

REST Service port number Choose the TCP/IP port number on which the REST service is listening, on the primary policy manager.

129 

Add entries to '/etc/services'

Choose this option and specify y to have the services entries added to /etc/services. Endpoint Privilege Management for Unix and Linux must be able to look up the port numbers to be used by the various Endpoint Privilege Management for Unix and Linux services. The port number lookup can be done from NIS after you manually create the appropriate NIS entries. Otherwise, these services should be listed in /etc/services.

Only ports that are specified by number for the Endpoint Privilege Management for Unix and Linux daemons can have services added to /etc/services. Unix and Linux domain sockets and ports that are specified by name are not added to /etc/services by this installation procedure.

On some systems you must put entries into your NIS services map (or reboot) because inetd ignores /etc/services after boot time.

130 

Allow non-reserved port connections

Choose this option and choose one of the following:

  • Specify y to allow non-reserved port connections.
  • Specify n to disallow connections from non-reserved port connections.

131 

Inbound port range

The MinListeningPort setting in the pb.settings file determines the lower bound of the port range that Endpoint Privilege Management for Unix and Linux uses on the listening side of a connection. The MaxListeningPort setting determines the upper bound of that range.

Choose this option and do the following:

  • Specify the value of the minimum port number to listen on. The value of this setting must be between 1 and the current value of the MaxListeningPort setting (65535).
  • Specify the value of the maximum port number to listen on. The value of this setting must be between the current value of the MinListeningPort setting (1025) and 65535.

132 

Outbound port range

The MinOutgoingPort setting in the pb.settings file determines the lower bound on the originating port range that may be used to make Endpoint Privilege Management for Unix and Linux connections on the originating side. The MaxOutgoingPort setting determines the upper bound on the originating port range that may be used to make Endpoint Privilege Management for Unix and Linux connections on the originating side.

Choose this option and do the following:

  • Specify the value of the minimum outbound port number to originate from. The value of this setting must be between 1 and 65535.
  • Specify the value of the maximum outbound port number to originate from. The value of this setting must be between the current value of the MinOutgoingPort setting (600) and 65535.

Starting with version 8.0, the new default in pbinstall for the minimum value of the outbound port range was changed from 600 to 1025. However, if you don't set this value during the install and the keyword minoutgoingport is commented out in the pb.settings, the default used by the binaries is still 600. This is in order to keep backward compatibility with older releases of Endpoint Privilege Management for Unix and Linux.
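
The backward-compatibility rule above is easy to get wrong when auditing a host: a commented-out minoutgoingport line means the binaries use 600, not the 1025 that pbinstall shows. The following is an added example, not BeyondTrust code, that reads a pb.settings file the way an auditor would and reports the effective outbound range. It assumes the file uses one "keyword value" per line with # comments, takes the built-in default of 600 for minoutgoingport from this page, and assumes 65535 as the upper default; the sample settings file is constructed for the example.

```shell
# Added example (not BeyondTrust code). Assumes "keyword value" lines with
# "#" comments; the 600 default comes from the page, 65535 is an assumption.

# pb_setting FILE KEYWORD DEFAULT -> value of the last uncommented
# "KEYWORD value" line in FILE, or DEFAULT when the keyword is absent or
# commented out (a commented line is "not set", so the binary default applies).
pb_setting() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }                 # comment: keyword not set
        tolower($1) == tolower(key) { val = $2 }  # last occurrence wins
        END { print (val == "" ? def : val) }
    ' "$1"
}

# pb_outgoing_range FILE -> "min max" as the binaries would see them;
# 1 if the range is inverted.
pb_outgoing_range() {
    min=$(pb_setting "$1" minoutgoingport 600)
    max=$(pb_setting "$1" maxoutgoingport 65535)
    if [ "$min" -gt "$max" ]; then
        echo "minoutgoingport ($min) exceeds maxoutgoingport ($max)" >&2
        return 1
    fi
    echo "$min $max"
}

# pb_make_sample FILE -> writes a constructed pb.settings fragment in which
# pbinstall's 1025 default was left commented out.
pb_make_sample() {
    cat > "$1" <<'EOF'
# pb.settings (constructed sample for this example)
policydir /etc/pb
#minoutgoingport 1025
maxoutgoingport 65535
minlisteningport 1025
EOF
}
```

With the sample file, `pb_outgoing_range` prints "600 65535": the commented-out 1025 has no effect, which is the situation the paragraph above describes. Uncomment the line and the reported minimum becomes 1025.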

133 

Network encryption options

Before specifying any file types are to be encrypted, see "Network Traffic and File Encryption" in the Endpoint Privilege Management for Unix and Linux Administration Guide.

Choose this option and do one of the following:

  • Specify none to not use any network encryption. Optionally, you can type the start date and/or end date for not using any network encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new network encryption option, do the following:
    • Specify a to add a new network encryption option.
    • Specify the encryption type from the list in the following table. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES. The default (AES-256 or DES) is used if end dates are specified for the listed network encryption algorithm and they have all expired. If you do not want the default to be used, then specify a network encryption or none with no end date.

      Algorithm   Encryption Type
      none        none
      DES         des, 3des, tripledes
      AES         aes-16-16 (or aes-128), aes-16-24 (or aes-192), aes-16-32 (or aes-256), aes-24-16, aes-24-24, aes-24-32, aes-32-16, aes-32-24, aes-32-32
      Blowfish    blowfish
      Cast128     cast128
      Gost        gost
      Loki97      loki97
      Saferplus   saferplus-16, saferplus-24, saferplus-32
      Serpent     serpent-16, serpent-24, serpent-32
      Threeway    threeway
      Tiny        tiny
      Twofish     twofish-16, twofish-24, twofish-32

    • Type the full path and file name where Endpoint Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Endpoint Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).

Administrators must ensure that all hosts are using the same encryption pair; otherwise, the hosts cannot communicate with each other.

  • Specify e to edit an existing network encryption option and specify the number of the network encryption option. You can edit any of the following items for the selected option:
    • Network encryption type
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Specify d to delete an existing network encryption option and specify the number of the network encryption option to delete it.
  • Specify x to exit this option.
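
Two things in this menu item are worth modelling before relying on them: which entry is in force on a given UTC date, and the fallback to the default algorithm once every dated entry has expired. The following is an added example, not BeyondTrust code. It keeps each entry as a "type:keyfile:start:end" string (an encoding chosen for this example; the real pb.settings syntax is not shown on the page), treats an empty start or end as open-ended, takes the first entry whose window contains the date (an assumption about ordering), and falls back to the default with /etc/pb.key when none applies. It also computes a SHA-256 fingerprint of a key file so administrators can confirm that all hosts carry the same key, which the note above requires, without copying the key between hosts.

```shell
# Added example (not BeyondTrust code). Entry format "type:keyfile:start:end",
# "first active entry wins", and the fallback key path are this example's assumptions.

# pb_today -> the current UTC date in the yyyy/mm/dd form the menu items use.
pb_today() { date -u +%Y/%m/%d; }

# pb_date_key yyyy/mm/dd -> yyyymmdd as a plain integer (empty stays empty).
pb_date_key() { printf '%s' "$1" | tr -d '/'; }

# pb_entry_active ENTRY DATE -> 0 if DATE lies within ENTRY's [start,end] window.
# ENTRY is "type:keyfile:start:end"; an empty start or end is open-ended.
pb_entry_active() {
    today=$(pb_date_key "$2")
    rest=${1#*:}; rest=${rest#*:}            # drop type and keyfile
    start=$(pb_date_key "${rest%%:*}")
    end=$(pb_date_key "${rest#*:}")
    [ -z "$start" ] || [ "$today" -ge "$start" ] || return 1
    [ -z "$end" ]   || [ "$today" -le "$end" ]   || return 1
    return 0
}

# pb_select_encryption DATE DEFAULT ENTRY... -> prints "type keyfile entry" for
# the first entry whose window contains DATE, or "DEFAULT /etc/pb.key default"
# when no entry applies (every end date expired, or none has started yet).
pb_select_encryption() {
    when=$1; default=$2; shift 2
    for entry in "$@"; do
        if pb_entry_active "$entry" "$when"; then
            rest=${entry#*:}
            echo "${entry%%:*} ${rest%%:*} entry"
            return 0
        fi
    done
    echo "$default /etc/pb.key default"
}

# pb_key_fingerprint FILE -> SHA-256 of the key file; compare this value across
# hosts instead of moving the key itself.
pb_key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}
```

A typical call is `pb_select_encryption "$(pb_today)" aes-256 "des:/etc/pb.key.old:2019/01/01:2019/12/31" "aes-256:/etc/pb.key:2020/01/01:"`. The point the paragraph makes is visible in the output: if the only entries you keep are dated ones and their windows close, the result silently becomes the default, so a deliberately chosen algorithm should have an entry with no end date.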

134 

Event log encryption options

Choose this option and do one of the following:

  • Specify none to not use any event log encryption. Optionally, you may type the start date and/or end date for not using any event log encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new event log encryption option, do the following:
    • Specify a to add a new event log encryption option.
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Endpoint Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Endpoint Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • Specify e to edit an existing event log encryption option and specify the number of the event log encryption option. You can edit any of the following items for the selected option:
    • Event log encryption type
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Specify d to delete an existing event log encryption option and specify the number of the event log encryption option to delete it.
  • Choose x to exit this option.

135 

I/O log encryption options

Choose this option and do one of the following:

  • Specify none to not use any I/O log encryption. Optionally, you may type the start date and/or end date for not using any I/O log encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new I/O log encryption option, do the following:
    • Specify a to add a new I/O log encryption option.
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Endpoint Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Endpoint Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).

Administrators must ensure that all hosts are using the same encryption pair; otherwise, the hosts cannot communicate with each other.

  • Specify e to edit an existing I/O log encryption option and specify the number of the I/O log encryption option. You can edit any of the following items for the selected option:
    • I/O log encryption type
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Specify d to delete an existing I/O log encryption option and specify the number of the I/O log encryption option to delete it.
  • Choose x to exit this option.

136 

Policy file encryption options

Choose this option and do the following:

  • Enter none to not use any policy file encryption.
  • To use the policy file encryption options, do the following:
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Endpoint Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Endpoint Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.

137 

Settings file encryption type

Choose this option and do one of the following:

  • Specify none to not use any settings file encryption.
  • Specify one of the encryption types.

138 

REST API encryption options

Configure encryption for the REST service Application Key database. Choose this option and do one of the following:

  • Specify none to not use encryption for the REST keystore. Optionally you may type the start date and/or end date for not using any REST keystore encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new REST keystore encryption option, do the following:
    • Choose a to add a new REST keystore encryption option.
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Endpoint Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.rest.key. Endpoint Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • Choose e to edit an existing REST keystore encryption option and specify the entry number of the encryption option to change. You can edit any of the following items for the selected option:
    • REST keystore encryption type.
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Choose d to delete an existing REST keystore encryption option and specify the entry number of the encryption option to delete.
  • Specify x to exit this option.

139 

Configure with Kerberos v5?

Choose this option and do one of the following:

  • Specify n if Kerberos v5 is not used.
  • Specify y to configure using Kerberos v5. You also need to perform steps 148 through 152.

140 

Policy Server Daemon Kerberos Principal [pbmasterd]

141 

Local Daemon Kerberos Principal [pblocald]

142 

Log Daemon Kerberos Principal [pblogd]

143 

Sync Daemon Kerberos Principal [pbsyncd]

144 

Kerberos Keytab File [/etc/krb5.keytab]

145 

Enforce High Security Encryption

Enabling High Security enforces a configuration that adheres to FIPS 140-2. Non-FIPS-compatible encryption and hashing algorithms are disabled, and SSL runs in strict FIPS mode, which strengthens the security of the installation.

146 

SSL Configuration?

Choose this option and do one of the following:

  • Specify allownonssl to allow connections to and from non-SSL hosts.
  • Specify clientcertificates to require client certificates.
  • Specify requiressl to allow communication among Endpoint Privilege Management for Unix and Linux components without requiring Endpoint Privilege Management for Unix and Linux client certificates. This option is not compatible with the AllowNonSSL option.
  • Specify none to clear all existing parameters.

147 

SSL pbrun Certificate Authority Directory?

Choose this option and do one of the following:

  • Specify the directory location for the SSL pbrun certificate authority files.
  • Specify none to not specify a directory for the SSL pbrun certificate authority file. If you do not specify a directory, then you must specify the full path and file name for the SSL pbrun certificate authority file in the next step.

148 

SSL pbrun Certificate Authority File?

Choose this option and do one of the following:

  • Specify the file name for the SSL pbrun certificate authority file. If you did not specify a directory in the previous step, then you need to provide the full path and file name.
  • Specify none to not specify a filename for the SSL pbrun certificate authority file.

Failure to specify this file name results in failed communication negotiation.

149 

SSL pbrun Cipher List?

SSL provides a variety of algorithms that can be used for encryption. This option enables you to restrict the set of encryption algorithms that are used by pbrun for server communication to a subset of those ciphers that are available to SSL.

Choose this option and do one of the following:

  • Specify ALL to allow all ciphers to be used from the following list:
    • NULL-MD5
    • NULL-SHA
    • EXP-RC4-MD5
    • RC4-MD5
    • RC4-SHA
    • EXP-RC2-CBC-MD5
    • EXP-DES-CBC-SHA
    • DES-CBC-SHA
    • DES-CBC3-SHA
    • EXP-EDH-DSS-DES-CBC-SHA
    • EDH-DSS-DES-CBC-SHA
    • EDH-DSS-DES-CBC3-SHA
    • EXP-EDH-RSA-DES-CBC-SHA
    • EDH-RSA-DES-CBC-SHA
    • EDH-RSA-DES-CBC3-SHA
  • Specify one or more of the ciphers. If more than one cipher is specified, then type a space between the ciphers.

The NULL-*, EXP-* (export-grade), RC4 and single-DES suites in this list provide no or obsolete protection, and current OpenSSL builds omit or disable most of them; outside a test environment, list the strongest suites your build offers rather than ALL.

150 

SSL pbrun Certificate Directory?

Choose this option and do one of the following:

  • Specify the directory location for the SSL pbrun certificate file.
  • Specify none to not specify a directory for the SSL pbrun certificate file. If you do not specify a directory, then you must specify the full path and file name for the SSL pbrun certificate file in the next step.

151 

SSL pbrun Certificate File?

Choose this option and do one of the following:

  • Specify the file name for the SSL pbrun certificate file. If you did not specify a directory in the previous step, you need to provide the full path and file name.
  • Specify none to not specify a file name for the SSL pbrun certificate file.

Failure to specify this file name results in failed communication negotiation.

152 

SSL pbrun Private Key Directory?

Choose this option and do one of the following:

  • Specify the directory for the SSL pbrun private key file.
  • Specify none to not specify a directory for the SSL pbrun private key file. If you do not specify a directory, you need to provide the full path and file name in the next step.

153 

SSL pbrun Private Key File?

Choose this option and do one of the following:

  • Specify the file name for the SSL pbrun private key file. This is the PEM-formatted private key for the client certificate file. If you did not specify a directory in the previous step, then you need to provide the full path and file name.
  • Specify none to not specify a filename for the SSL pbrun private key file.

Failure to specify this file name results in failed communication negotiation.

154 

SSL pbrun Certificate Subject Checks?

The sslpbrunverifysubject setting enables strings or substrings of the subjects of SSL certificates to be checked and accepted by pbrun from pbmasterd.

Choose this option and do one of the following:

  • Specify the string or substring to check in the SSL pbrun certificate subject. If the specified string or substring finds a match in the certificate subject, then the connection proceeds; otherwise, the connection fails.
  • Specify none to remove all checks.
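
The subject check described here (and its server-side counterpart in the SSL Server Certificate Subject Checks item) is a plain substring match, and its limits are easier to see in code. The following is an added example, not BeyondTrust code: the substring rule applied to constructed subject strings, plus a wrapper that pulls the subject out of a PEM certificate with openssl. The exact subject formatting the product compares against is not shown on the page, so the wrapper normalises only openssl's "subject=" prefix.

```shell
# Added example (not BeyondTrust code). Subject strings below are constructed;
# the product's own subject formatting is not shown on the page.

# pb_subject_matches SUBJECT CHECK -> 0 when CHECK occurs anywhere in SUBJECT,
# which is the substring rule the menu item describes. An empty CHECK matches
# every subject, which is what "none" (no check) amounts to.
pb_subject_matches() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# pb_cert_subject FILE -> the subject line of a PEM certificate via openssl,
# with the leading "subject=" stripped.
pb_cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//'
}

# pb_subject_check FILE CHECK -> 0 if FILE's subject contains CHECK, 1 if not,
# 2 if the certificate could not be read.
pb_subject_check() {
    subj=$(pb_cert_subject "$1")
    [ -n "$subj" ] || return 2
    pb_subject_matches "$subj" "$2"
}
```

Because the rule is substring-based, a check of "O=Example Corp" also accepts a subject containing "O=Example Corporation", and a CN check accepts any longer name that embeds it. The check therefore narrows which certificates from a trusted CA are accepted; it does not substitute for a CA that only issues subjects you control (the CA file options above).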

155 

SSL Server Certificate Authority Directory?

Choose this option and do one of the following:

  • Specify the directory for the SSL server certificate authority file.
  • Specify none to not specify a directory for the SSL server certificate file. If you do not specify a directory, then you need to provide the full path and file name for the SSL server certificate authority directory in the next step.

156 

SSL Server Certificate Authority File?

Choose this option and do one of the following:

  • Specify the file name for the SSL server certificate authority file. If you did not specify a directory in the previous step, then you need to provide the full path and file name.
  • Specify none to not specify a SSL server certificate authority file.

Failure to specify this file name results in failed communication negotiation.

157 

SSL Server Cipher List?

OpenSSL provides a variety of algorithms which can be used for encryption. This option enables you to restrict the set of encryption algorithms that are used by the SSL server for communication to a subset of those ciphers that are available to OpenSSL.

Choose this option and do one of the following:

  • Specify ALL to allow all ciphers in the following list to be used:
    • NULL-MD5
    • NULL-SHA
    • EXP-RC4-MD5
    • RC4-MD5
    • RC4-SHA
    • EXP-RC2-CBC-MD5
    • EXP-DES-CBC-SHA
    • DES-CBC-SHA
    • DES-CBC3-SHA
    • EXP-EDH-DSS-DES-CBC-SHA
    • EDH-DSS-DES-CBC-SHA
    • EDH-DSS-DES-CBC3-SHA
    • EXP-EDH-RSA-DES-CBC-SHA
    • EDH-RSA-DES-CBC-SHA
    • EDH-RSA-DES-CBC3-SHA
  • Specify one or more of the ciphers. If more than one cipher is specified, type a space between the ciphers.

158 

SSL Server Certificate Directory?

Choose this option and do one of the following:

  • Specify the directory for the SSL server certificate file.
  • Specify none to not specify a directory for the SSL server certificate file. If you do not specify a directory, then you need to provide the full path and file name for the SSL server certificate file in the next step.

159 

SSL Server Certificate File?

Choose this option and do one of the following:

  • Specify the file name for the SSL server certificate file. If you did not specify a directory in the previous step, you need to provide the full path and file name.
  • Specify none to not specify a SSL server certificate file name.

As a convenience, pbinstall can generate the SSL server certificate file if it doesn't yet exist, provided that the absolute path is specified and the parent directories already exist.

Failure to specify this file name results in failed communication negotiation.

160 

SSL Server Private Key Directory?

Choose this option and do one of the following:

  • Specify the directory for the SSL server private key file.
  • Specify none to not specify a directory for the SSL server private key file. If you do not specify a directory, then you need to provide the full path and file name for the SSL server private key file in the next step.

161 

SSL Server Private Key File?

Choose this option and do one of the following:

  • Specify the file name for the SSL server private key file. If you did not specify a directory in the previous step, then you need to provide the full path and file name.
  • Specify none to not specify the SSL server private key file name.

As a convenience, pbinstall can generate the SSL Server private key file if it doesn't yet exist, provided that the absolute path is specified and the parent directories already exist.

Failure to specify this file name results in failed communication negotiation.

162 

SSL Server Certificate Subject Checks?

Choose this option and do one of the following:

  • Specify the string or substring to check in the SSL server certificate subject. If the specified string or substring finds a match in the certificate subject, then the connection proceeds; otherwise, the connection fails.
  • Specify none to remove all checks.

163 

SSL Certificate Country Code The Country Code used when creating client x509 certificates.

164 

SSL Certificate State/Province The State/Province used when creating client x509 certificates.

165 

SSL Certificate Location/Town The general location or town used when creating client x509 certificates.

166 

SSL Certificate Organizational Unit The organizational unit used when creating client x509 certificates.

167 

SSL Certificate Organization The organization used when creating client x509 certificates.

168 

Configure Privilege Management for Unix & Linux with LDAP?

Choose this option and do one of the following:

  • Specify n to not enable Endpoint Privilege Management for Unix and Linux to use LDAP.
  • Specify y to enable Endpoint Privilege Management for Unix and Linux to use LDAP.

169 

Install BeyondTrust built-in third-party libraries?

Choose this option and do one of the following:

  • Specify y to install the BeyondTrust built-in third-party libraries.
  • Specify n to not install the BeyondTrust built-in third-party libraries.

If you are using LDAP, Kerberos, or SSL, then you need to install third-party libraries. You can install the BeyondTrust third-party libraries or your own. We recommend that you use the BeyondTrust third-party libraries.

170 

BeyondTrust built-in third-party library directory

Choose this option and specify the directory for the BeyondTrust built-in third-party libraries. You also need to specify a directory for your own built-in libraries in step 188.

171 

Kerberos shared library default directory [none]

172 

Kerberos libkrb5 shared library filename [none]

173 

Kerberos libgssapi_krb5 shared library filename [none]

174 

Kerberos libcom_err shared library filename [none]

175 

Kerberos libk5crypto shared library filename [none]

176 

SSL shared library default directory [none]

177 

SSL libssl shared library filename [none]

178 

SSL libcrypto shared library filename [none]

179 

LDAP shared library default directory [none]

180 

LDAP libldap shared library filename [none]

181 

LDAP liblber shared library filename [none]

182 

Use PAM?

Endpoint Privilege Management for Unix and Linux enables the use of Pluggable Authentication Modules (PAM) when Endpoint Privilege Management for Unix and Linux asks for password confirmation.

The authentication and account management portions of this service are invoked whenever Endpoint Privilege Management for Unix and Linux verifies a password.

  • PAM is used on a policy server host when the getuserpasswd() and getgrouppasswd() policy functions are invoked and this setting is set to y.
  • PAM is used on a submit host when the policy calls the submitconfirmuser() policy language function and this setting is set to y.
  • PAM is used on a run host when the policy sets the runconfirmuser policy language variable to TRUE and this setting is set to y.

Choose this option and do one of the following:

  • Specify y to use PAM Endpoint Privilege Management for Unix and Linux processing on this machine. You also need to perform the next PAM-related steps.
  • Specify n to not use PAM Endpoint Privilege Management for Unix and Linux processing on this machine.

183 

PAM service for password verification [none]

184 

PAM session service [none]

185 

PAM suppress password prompting? [yes]

186 

PAM library file name [none]

187 

Call pam_setcred? [no]

188 

Enable non-PAM Solaris Projects? [no]

189 

Solaris Projects library file name [none]

190 

Allow Remote Jobs?

When this option is set to n, Endpoint Privilege Management for Unix and Linux prohibits the control of remotely executed jobs as follows:

  • On a policy server host, requests that have different submit host and run host names are automatically rejected. The runhost policy variable is set to read only.
  • On a submit host, the -h option for the pbrun command is disabled, and the runhost variable of the request is set to the IP address of the submit host.
  • On a run host, all requests that do not originate from the run host are rejected.

Choose this option and do one of the following:

  • Specify y to allow remote jobs. This setting is the default.
  • Specify n to not allow remote jobs.

191 

UNIX Domain Socket directory

When Endpoint Privilege Management for Unix and Linux determines that communication may occur using Unix or Linux domain sockets, there must be a protected directory that contains the sockets used for reconnects and backconnects. Using Unix and Linux domain sockets for communication between daemons on the same machine should be more efficient than TCP socket communications.

The directory that is specified for Endpoint Privilege Management for Unix and Linux Unix and Linux domain sockets must be protected from non-root read and write access, and each of the parent directories must be protected from non-root write access.

Choose this option and specify the directory for the Endpoint Privilege Management for Unix and Linux Unix or Linux domain socket.
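
The protection rules stated above are a checklist an administrator can run before entering the directory. The following is an added example, not BeyondTrust code: it verifies that the candidate socket directory is owned by the expected owner (root, uid 0, by default) with no group or other read or write access, and that every parent directory up to a chosen top denies group and other write. It uses the GNU stat option syntax found on Linux; the BSD and macOS stat syntax differs. The optional third argument limits how far up the tree the walk goes and is this example's own addition, so that an already-audited prefix such as / need not be re-checked.

```shell
# Added example (not BeyondTrust code). Uses GNU stat (Linux). The OWNER_UID
# and TOP arguments are conveniences added for this example.

# pb_stat_mode PATH -> octal permission bits (e.g. 700); pb_stat_uid PATH -> owner uid.
pb_stat_mode() { stat -c '%a' "$1"; }
pb_stat_uid()  { stat -c '%u' "$1"; }

# pb_mode_has PATH MASK -> 0 if any bit of octal MASK is set in PATH's mode.
pb_mode_has() {
    mode=$(pb_stat_mode "$1")
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# pb_check_socket_dir DIR [OWNER_UID] [TOP] -> 0 if DIR is acceptable as the
# domain socket directory, 1 otherwise, printing one line per violation.
# OWNER_UID defaults to 0 (root); TOP (default /) is the highest parent checked.
pb_check_socket_dir() {
    dir=$1; owner=${2:-0}; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    top=$(cd "${3:-/}" && pwd -P)

    # The socket directory itself: owned by OWNER_UID, no group/other read or write.
    if [ "$(pb_stat_uid "$dir")" != "$owner" ]; then
        echo "$dir: owner is uid $(pb_stat_uid "$dir"), expected $owner"; rc=1
    fi
    if pb_mode_has "$dir" 066; then
        echo "$dir: mode $(pb_stat_mode "$dir") grants group/other read or write"; rc=1
    fi

    # Each parent up to TOP: owned by OWNER_UID and not writable by group/other,
    # otherwise the directory could be renamed or replaced underneath the daemons.
    parent=$(cd "$dir/.." && pwd -P)
    while :; do
        if [ "$(pb_stat_uid "$parent")" != "$owner" ]; then
            echo "$parent: parent owner is uid $(pb_stat_uid "$parent"), expected $owner"; rc=1
        fi
        if pb_mode_has "$parent" 022; then
            echo "$parent: parent mode $(pb_stat_mode "$parent") grants group/other write"; rc=1
        fi
        [ "$parent" = "$top" ] && break
        [ "$parent" = "/" ] && break
        parent=$(dirname "$parent")
    done
    return $rc
}
```

A world-writable parent such as /tmp fails the parent check even with the sticky bit set, which is the intended outcome: the page requires every parent to deny non-root write, so a socket directory belongs under a root-owned tree such as /var rather than under a shared temporary directory.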

192 

Reject Null Passwords?

Choose this option and do one of the following:

  • Specify n to match an entered null password to any existing password.
  • Specify y to require the user to exactly match the password.

193 

Enable TCP keepalives? Endpoint Privilege Management for Unix and Linux enables the communication TCP connections to use the TCP stack’s keepalive feature. TCP keepalives can be useful in cases where a firewall keeps track of idle TCP connections and terminates the sessions prematurely.

Choose this option and do one of the following:

  • Specify n to disable TCP keepalive signals.
  • Specify y to enable TCP keepalive signals.

194 

Name Resolution Timeout Endpoint Privilege Management for Unix and Linux attempts to obtain fully qualified domain names when a pblogd, pblocald, pbmasterd, or pbrun session is started. This setting defines the timeout period (in seconds) to be used for the request to expire.

Choose this option and do one of the following:

  • Set the value to 0 to disable this feature (default).
  • Set the value from 1 to 7200 to define the number of seconds to use for the timeout period.

For more information, see the following: