Endpoint Privilege Management for Unix & Linux 10.2 Release Notes

May 8, 2019

New Features and Enhancements:

  • The software has been rebranded with the new company logo and colors, and some products have been renamed.
    • PowerBroker for Unix & Linux is now called Endpoint Privilege Management for Unix & Linux.
    • PowerBroker Sudo is now called Endpoint Privilege Management for Unix & Linux - Basic Edition.
    • PowerBroker for Network is now called Endpoint Privilege Management for Network.
    • PowerBroker for Identity Services is now called AD Bridge.
    • PowerBroker Servers Management Console is now called BeyondInsight for Unix & Linux.
  • A built-in mechanism was added to assist with the debugging of Endpoint Privilege Management for Unix & Linux script-based policy.
  • New values for ssloptions (TLSMin<ver> and TLSMax<ver>) were added that allow the minimum and maximum TLS version used by the Endpoint Privilege Management for Unix & Linux protocols to be specified.
  • A new value for ssloptions (SSLFirst) was added that forces the SSL handshake to happen before the proprietary Endpoint Privilege Management for Unix & Linux handshake.
  • A new value for ssloptions (SSLVerbose) was added that allows server components to log more informational messages to their error logs.
  • A shell script called pblighttpd_svc.sh now allows you to stop, start, or restart pblighttpd/pbconfigd services.
  • Use pbdbutil --info --restsvr to check on the health of the REST services (pblighttpd/pbconfigd).
  • Use tempfilepath in pb.settings to specify the temporary directory for Endpoint Privilege Management for Unix & Linux binaries.
  • Use -t <tmpdir> in pbinstall, pbsudoinstall, and solrinstall to specify the temporary directory to be used during install. When this option is used, tempfilepath in pb.settings is also set to the specified directory.
  • macOS 10.14 is now supported.

Issues Resolved:

  • A fix in 10.1.0 for an issue introduced in 10.0.0 (sending UTF-8 characters between AIX and non-AIX hosts) required all Policy Servers, Log Servers, and clients to be upgraded to 10.1.0. As of 10.2.0, only the Policy Servers and Log Servers need to be upgraded; clients do not have to be upgraded to version 10.
  • When running pbinstall -z to create configuration packages, the option to change pblighttpd user is now correctly honored, and the user specified is used instead of the hard-coded pblight user.
  • When running pbrun -e to get the role-based policy user report on a submithost, the setting rolebasedpolicy yes is no longer required to be set on the submithost. This option now needs to be set only on the Policy Server.
  • The policy function remotesystem now respects the value of acceptmasters when pblocald is used to execute the command.
  • The usage page for pblogarchive --list has been corrected.
  • Client-only PKG installers now correctly respect the pbinstall selection to install or not install REST.
  • The option to use client registration on macOS from pbinstall now works.
  • Resolved an issue where pbreplay --timestamp <iolog> would occasionally produce a segmentation violation on some platforms (HPUX).
  • When enforcehighsecurity is set, the cipherlist is no longer hard-coded, and the value of cipherlist in pb.settings is now used.
  • On macOS, all of a user's groups are now correctly retrieved in policy.
  • pbrun no longer fails if pb.settings is encrypted.
  • Resolved an issue introduced in 10.1.0 where the PBSUDOADMIN app ID was no longer recognized as a valid application ID during PBsudo client install.
  • The file /usr/lib/beyondtrust/pb/rest/ssl/rest.pem is now readable only by the root user and group.
  • Resolved a sporadic issue where, if the primary license server in a Registry Name Service environment was down, the error 3811.31 Failed to update license database '/opt/pbul/dbs/pblicense.db' - I/O error was logged in pbrest.log during failover.
  • Resolved an issue where, when the runhost's nodename could not be resolved on the license server, running pbrun --di or pbrun -h <remote host> on the runhost produced the error ERROR: There has been an issue with Client licensing - Host not found.
  • Resolved several issues in the Message Router mechanism for writing eventlog records to the event log when under load.
    • Resolved an issue where a buffer was not deallocated correctly in the Message Router when a socket connect to pblogd timed out, which raised an internal error message.
    • Resolved an issue where an error was not correctly interpreted, resulting in a spurious error being raised instead of the write queue being processed.
    • Resolved an issue where the new nag logging was not creating its shared memory object correctly, causing a crash when the first nag log message was logged.
  • Resolved an issue where, when logreservedfilesystems in /etc/pb.settings was set to more than one directory, pbinstall would fail with the error Character not in included set.
  • An appropriate error is now logged if the scheduler fails to create its default tasks because restkeyencryption is not set or is set incorrectly, or because the hostname is not resolvable.
  • In the message router client, a limit of 2*maxqsize is now applied if a write queue entry cannot be created (for example, due to lack of space); an error is added to the logs, and the client no longer loops forever.
  • Resolved a sporadic issue where eventlog records were not written if logcachedb was not defined in pb.settings, the database pblogcache.db did not exist, and iologging was enabled.
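The following script is an added example for checking a pb.settings file after the upgrade; it is not BeyondTrust code and is not part of these release notes. It covers the new ssloptions values (SSLFirst, TLSMin<ver>, TLSMax<ver>, SSLVerbose), the cipherlist setting now honored under enforcehighsecurity, and the tightened permissions on rest.pem. Assumptions: pb.settings consists of "keyword value" lines with '#' comments; the option spellings (for example TLSMinV1.2) follow the notes with a "V" prefix; the sample cipherlist value, the tempfilepath, and the file paths are made up for the demo.

```sh
#!/bin/sh
# Post-upgrade audit of a pb.settings file against the 10.2 TLS changes.
# Added example, not BeyondTrust code. ASSUMPTIONS: "keyword value..." line
# format with '#' comments; option spellings such as TLSMinV1.2 are assumed;
# sample values and paths below are constructed.

# pb_get FILE KEYWORD -> value of the last uncommented KEYWORD line (empty if none)
pb_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1"
}

# pb_has_opt FILE OPTION -> succeeds if ssloptions lists OPTION (case-insensitive)
pb_has_opt() {
    opts=$(pb_get "$1" ssloptions | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case " $opts " in
        *" $want "*) return 0 ;;
    esac
    return 1
}

# audit_pb_settings FILE -> prints findings; returns the number of findings (0 = clean)
audit_pb_settings() {
    f=$1
    fails=0
    if ! pb_has_opt "$f" SSLFirst; then
        echo "WARN: ssloptions lacks SSLFirst (TLS handshake should precede the proprietary handshake)"
        fails=$((fails + 1))
    fi
    tlsmin=$(pb_get "$f" ssloptions | tr ' ' '\n' | grep -i '^tlsmin' | head -n 1)
    case $(printf '%s' "$tlsmin" | tr '[:upper:]' '[:lower:]') in
        tlsminv1.2|tlsminv1.3) ;;
        *)  echo "WARN: ssloptions does not pin a TLS 1.2+ minimum (found: ${tlsmin:-none})"
            fails=$((fails + 1)) ;;
    esac
    hs=$(pb_get "$f" enforcehighsecurity | tr '[:upper:]' '[:lower:]')
    if [ "$hs" = yes ] && [ -z "$(pb_get "$f" cipherlist)" ]; then
        echo "WARN: enforcehighsecurity yes but no cipherlist; 10.2 uses the configured cipherlist, so set one explicitly"
        fails=$((fails + 1))
    fi
    return $fails
}

# others_denied FILE -> succeeds when the "other" permission bits are all clear,
# i.e. the file is readable only by owner and group, as 10.2 now ships rest.pem
others_denied() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# write_sample FILE weak|hardened -> writes a constructed pb.settings fragment
write_sample() {
    if [ "$2" = weak ]; then
        cat >"$1" <<'EOF'
# constructed sample: a pre-10.2 style fragment
ssl                 yes
ssloptions          requiressl
enforcehighsecurity yes
EOF
    else
        cat >"$1" <<'EOF'
# constructed sample: 10.2 options applied
ssl                 yes
ssloptions          requiressl SSLFirst TLSMinV1.2 TLSMaxV1.2 SSLVerbose
enforcehighsecurity yes
cipherlist          HIGH:!aNULL:!MD5
tempfilepath        /var/tmp/pbul
EOF
    fi
}

# Demo: audit both constructed samples in a scratch directory
d=$(mktemp -d)
for s in weak hardened; do
    write_sample "$d/$s.settings" "$s"
    echo "== $s"
    if audit_pb_settings "$d/$s.settings"; then
        echo "OK: no findings"
    fi
done
rm -rf "$d"
```

Run it against a real /etc/pb.settings with `audit_pb_settings /etc/pb.settings` and check the REST key with `others_denied /usr/lib/beyondtrust/pb/rest/ssl/rest.pem`; the weak sample reports three findings, the hardened sample none. The script only reads the file; it does not restart pblighttpd/pbconfigd, which is what pblighttpd_svc.sh is for.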

Notes:

  • We recommend that you upgrade the License Server, the Policy Server (Master), and the Log Servers before upgrading any clients.
  • These platforms are no longer supported:
    • HP-UX 11i v2 (B.11.23) (PA-RISC 64-bit)
    • HP-UX 11i v3 (B.11.31) (PA-RISC 64-bit)
    • IBM AIX 5L v5.3
    • Oracle Solaris 9 (SPARC and x86)
    • Mac OS 10.5 to 10.11
    • Ubuntu 8.x, 9.x, 10.04, 11.4
    • SUSE Linux Ent Server 10