Endpoint Privilege Management for Unix & Linux 10.3 Release Notes

March 12, 2020

New Features and Enhancements:

  • Eventlog data can now be stored in MySQL and Oracle using ODBC.
  • Eventlog records are now stored in a SQLite database by default.
  • When an iolog is indexed using Solr, the location of the iolog (hostname and path/filename) is stored in Solr. When an iolog is archived using pblogarchive to a different host or location, Solr is now updated with the new host and destination.
  • PMUL REST authentication improvements now allow use of either MD5 or SHA512 algorithms.
  • pblighttpd services no longer need to be restarted when pb.keys or (except in certain cases) pb.settings is changed.
  • The values of sslservercertfile and sslserverkeyfile are no longer hard-coded to /etc/pbssl.pem and can now be specified as either another name or another location.
  • The script policy function getstringpasswd now uses the new long-term password storage used by getstringpassword (its role-based policy equivalent) to improve security.
  • The policy procedure readfile now checks whether a file passed as an argument is in the configuration database (/etc/pb.db), and if it is, reads it from the database. If the file is not in the database, it falls back to checking for the file in the filesystem.
  • Logmktemp now requires a full path template, to prevent saving iologs in temporary directories.
  • FQDNs are now case-sensitive.
  • Added an option to pbdbutil to get the default value of the variables in pb.settings.
  • Added an option to pblog to display inconsistencies in multiple event destinations.
  • A nag message is now logged when an eventlog record has multiple destinations and cannot be written to one of those destinations.
  • When the iologging connection drops, the status of iolog is now set to finished.

ACA Enhancements:

  • Added the ability to hide shell startup activity in ACA session history; added the ability to tag shell startup activity as such.
  • An option has been added to check the ld.so.preload file (or equivalent) prior to allowing a session.
  • Added an unmatched synonym for default.
  • We now display an error if the policy has ACA statements with a log audit level not equal to 0, and iolog is not set.
  • We now display a clear error if ACA libraries do not have the right permissions.

Install Enhancements:

  • We now use pbdbutil --cfg --value --default -g <var> in pbinstall to initialize the variables in pb.settings.
  • The default values of variables in pb.settings have been changed to match those in pbinstall.
  • Database filenames in pbinstall no longer use a prefix or suffix.
  • A message at the end of pbinstall is now displayed to indicate the new eventlog format is in a database.
  • We now initialize eventdestinations with a default value in the keywords structure in the code.
  • Added a menu to pbinstall to ask for the pblight user's group name if creating a pblight user; group creation is also verified.
  • Creation of a group for solruser has been improved.
  • The menu options for Client Registration now refer to Primary Policy Server as Primary License Server.

RNS Enhancements:

  • Added the ability to retrieve, list, and filter by id instead of by name only in the REST endpoints.
  • Added options to use the FQDN or all IP addresses held within RNS to resolve a host.
  • Changed the default value for pbsyncrefresh from 30 seconds to 3600 seconds.
  • Issuing a pbdbutil --dbsync -R <svc> command now initiates the database synchronization right away and does not wait for the next dbsyncrefresh time.
  • We now synchronize the license database immediately when any server is added or promoted to primary.
  • Added a setting to pb.settings to enable or disable displaying a message to the pbrun user that the RNS Service Cache is out of date.
  • REST API: Added a filter to the RNS host list to find hosts that do not belong to any service groups.
  • REST API: Added the ability to view all hosts that belong to a specific RNS service group.
  • REST API: Added category filter to RNS service group list.

Issues Resolved:

  • Resolved an issue in which the default values of databasedir and lockfilepath incorrectly ignored /opt/<prefix>pbul<suffix/...
  • Resolved an issue in which there was a dependency to libgcc_s for default Kerberos libraries on Solaris 9-10 (sparc and x86).
  • Resolved an issue in which eventdb and other XXXXdb keywords did not prepend databasedir by default.
  • Resolved an issue in which a "Command caught signal" error was returned when pbrun -n id was run on RHEL6.
  • Resolved an issue in which iolog indexing failed with a "bad response status:400....Unexpected character ']'" error.
  • Resolved an issue in which a non-root user received the error message 3407.02 pbrunssh must be run as root.
  • Resolved an issue in which ownership of REST files showed powerbld on an HP-UX Itanium run/submit host-only installation.
  • Resolved an issue in which a double free error was encountered with pbmasterd when the dbencryption keyword was defined.
  • Resolved an issue in which pbreplay iologcloseaction wasn't removing missing files from the message queue.
  • Resolved an issue in which pbreplay, as an iologcloseaction daemon, wrote some diagnostic messages to stderr.
  • Resolved an issue in which pbreplay performed chdir /tmp after fork, but should have been using the tempfilepath setting.
  • Resolved an issue in which Message Router displayed a misleading error message.
  • Resolved an issue causing a segmentation fault involving the core file on linux.x86-64.
  • Resolved an issue causing a segmentation fault on Solaris 10 x86.
  • Resolved an issue where if pbrunpath is not set and PATH doesn't include the directory of pbrunssh, a call to pbssh does nothing.
  • Resolved a PMUL race condition in which pmd_ioData[fOut], because it was readable, was reported as closed although the error pipe needed to remain open.
  • Resolved a PMUL race condition between error pipe data and SIGCHLD.
  • Resolved an issue in which Solr/Closeaction became stuck in processing when pbreplay was terminated.
  • Resolved an issue in which the file /etc/pb.settings was rewritten periodically on a policy/log server when the host was not a license server.
  • Resolved an issue that caused a signal 11 segmentation fault with pbcheck -e.
  • Resolved an issue in which writesafebuf lost errno, which caused bad error reporting.
  • Resolved an issue in which pbksh 9.4.5 hung when a successive policy function that requires a tty was interpreted by pbmasterd and the user typed on the terminal.
  • Resolved an issue in which, after stty -echo was issued in a pbrun bash session, a command was missing from the iolog after the password prompt.
  • Resolved an issue that was introduced in PMUL 10.3.0-15, in which the policy variable runcwd was ignored and the working directory on the runhost was set to the working directory of the submithost (cwd).
  • Resolved an issue that was introduced in PMUL 10.3.0-15, in which pbguid causes a segmentation fault on Linux x86-64 and Solaris 10 x86 systems.

ACA Issues Resolved:

  • Resolved an issue with a posix_spawn/p segmentation fault on ACA 64-bit.
  • Resolved an issue in which system() and popen() always returned "not found" on Solaris.
  • Resolved an issue in which man, less, and other items did not show in the session history.
  • Resolved an issue in which ACA wasn't blocking signals.
  • Resolved an issue in which __openat and __openat_2 failed on Linux.
  • Resolved an unusual error message occurring on Oracle Linux Server 6.4.
  • Resolved an issue causing a "failed to audit ACA command due to bad FD" error.
  • Resolved an issue in which ACA failed with ldapsearch.
  • Resolved an issue with a sudo segmentation fault under ACA on HP-UX Itanium.
  • Resolved an issue in which creating a trap used the pointer before it was initialized.
  • Resolved an issue in which ACA did not fail when the ACA shared lib was not found.
  • Resolved an issue in which ACA failed for ulimit on Solaris (Sparc, x86; 9, 11).
  • Resolved an issue in which the History report was confused by /bin/echo statements.
  • Resolved an issue in which the History report did not properly print non-pipelined commands.
  • Resolved an issue in which two consecutive sub-command pipelines appeared as one pipeline on the History report.
  • Resolved an issue in which a symbolic link to itself was created and a cd to the symlink hung when executed in a pbrun bash with ACA enabled.

RNS Resolved Issues:

  • Resolved an issue in which pbdbutil --dbsync -R did not immediately initiate a database synchronization.
  • Resolved an issue in which database synchronization of pb.db on the secondary was done twice in a row.
  • Resolved an issue in which pbadmin hung for 2 minutes, listing the Service Cache while it timed out trying to contact an unreachable registration server.

Installation Resolved Issues:

  • Resolved an issue with UID/GID when pblight user was created.
  • Resolved an issue in which the pbrunpath setting was set only if a GUI was installed.
  • Resolved issues with pbmakeremotetar in which it did not generate a proper umask value and did not archive /usr/lib/beyondtrust/pb/rest.
  • Resolved an issue in which certain keyword values were not retained in pb.settings when re-running pbinstall.
  • Resolved an issue in which the RPM packages licsvr, pbrest, and rnssvr were not signed.

ISO file for PMUL/AD Bridge/BIUL:

  • The EULA is now included in the ISO file.
  • Readme files are now included in the ISO file.
  • ADBridge files have been removed from the ISO file.
  • Completed more rebranding of PBUL to PMUL and PBSUDO to PMBASIC.
  • Included a new GPG key to sign the Linux packages: RPM-GPG-KEY-PMUL.
  • The size of the binaries in the RPM packages now matches the binaries in the Linux tar files.