Endpoint Privilege Management for Unix & Linux 10.3.1 Release Notes

August 20, 2020

New Features and Enhancements:

  • Improvements to PBUL write queue performance.
  • Added support for RHEL 8.
  • Added support for Solaris 11.4.
  • Dropped support for 32-bit Linux.
  • Added support for Debian 9, Debian 10, and Ubuntu 18.04, 20.04 (LTS).
  • Added a keyword to enable or disable logcaching.
  • Updated the pbinstall script to create a /lib64/libncurses.so.5 symlink on RHEL 8 and later versions.
  • Dropped support for unsupported vendor platforms: AIX 6.1, Linux 32-bit, RHEL/CentOS/Oracle Linux v5, RHEL Itanium, Debian prior to 9.12, and Ubuntu versions prior to 16.04.
  • Changed the SELinux context of PBUL binaries to bin_t when SELinux is enforcing.

Issues Resolved:

  • Message Router
    • Split the logcache database into two databases, so that two different processes could operate on events and iologs separately without lock contention.
    • Improved message router performance with several internal changes that reduced unnecessary overhead.
    • Resolved issue in which the #mr-ioc process and other children failed to terminate when the #mr-svc parent watchdog process wanted to restart them.
    • Resolved issue in which write queue processing was slow when replies were received out of order.
  • Miscellaneous
    • Resolved issue in which networkencryption caused pbrun -h <client> to hang when it was issued from the policy server, multiple encryptions were listed, and the remote client’s encryption was not first in the list.
    • Setting the keywords masterprotocoltimeout, logserverprotocoltimeout, and syncprotocoltimeout to -1 implies no protocol timeout. Resolved issue in which pbinstall commented out these keywords when explicitly set to -1, causing them to default to a finite timeout value of 500.
    • Resolved issue in which the presence of a non-existent keyfile in the eventlogencryption list caused a 3033 key file unreachable error in pblog, regardless of whether the correct algorithm or key pair appeared at the head of the list.
    • Resolved issue in which the RNS post-install configuration script (pbrnscfg.sh) menu options were using the obsolete term Primary Policy Server, rather than the updated term Primary License Server.
    • Resolved an issue in which a PMUL config package upgrade could truncate the eventlog.
    • Resolved issue in which processing wq_**** files took too long or completely stopped.
    • Resolved issue in which there was a segmentation fault when there was an ACA rule in a policy that did not have the default ACA rule.
    • Resolved closeactionsplunk.pl errors in the Splunk integration when new non-exec related ACA data was in the iolog.
    • Resolved issue in which pblog segmentation faults occurred when MySQL ODBC was configured for SSL libraries other than PBUL's. The solution is to set loadssllibs to yes.
    • Resolved issue in which certain ACA trapped functions upon error returned the correct errno but returned a value of 0 instead of -1.
    • Resolved issue in which pbinstall did not retain the value of the loadssllibs settings keyword during an upgrade.
    • Resolved issue in which event log files were created with bad permissions.
    • Resolved issue in which calling pbdbutil --info --uuid on an installation directory from version 10.3.0 did not return the UUID of a local client host when /etc/pb.db from v9.3 already existed.
    • Resolved lock contention issue that pertained only to physical policy server machines.
    • Resolved issue with turning on SSL in mixed environments in which some machines had SSL running and others did not.
    • Resolved issue in which pblocald terminated before it was able to execute and monitor a requested secured task on RHEL 8 and derivatives.
    • Resolved memory corruption in logEventServer when configured to send events to AD Bridge.
    • Resolved issue in which debug logs were created with world-writable permissions.
    • Resolved issue in which pbksh and pbsh, when in native root mode, encountered a segmentation fault when attempting to log the event.
    • Resolved issue in which pbksh and pbsh no longer created a local eventlog in native root mode.
    • Resolved issue in which pbinstall commented out enforcehighsecurity and ssl in pb.settings (thereby implying the default value of yes) if they were explicitly set to no during install.
    • Resolved issue in the package installer in which symbolic links to liblber-2.4.so.2, libldap-2.4.so.2, and others were missing or incorrect.
    • Resolved issue in which piping a command into pbrun --di caused it to hang.
    • Resolved issue in which using pbreplay -X or -O on an iolog file caused a segmentation violation when replaying the terminal control commands involving a resized screen.