Endpoint Privilege Management for Unix and Linux 22.2 Release Notes

June 30, 2022

New Features and Enhancements:

  • PMUL events are now indexed with Elastic Common Schema (ECS) fields. A conversion tool is available to convert PMUL 22.1.0 indexes to the PMUL 22.2.0 ECS indexes. Please contact BeyondTrust Support if you have used Elasticsearch with Endpoint Privilege Management for Unix & Linux or AD Bridge v22.1.0.
  • Elasticsearch integration now uses ECS common fields for better integration.
  • PMUL I/O logs are now indexed in Elasticsearch.
  • Sudo Manager reintroduces support for a Sudo plugin that stores Sudo policies on a PMUL Sudo Policy Server. This release supports RHEL/CentOS/OL 7, 8 Workstation and Ubuntu 20.04 and 22.04 and Sudo versions 1.8.23 and above. Sudo’s policy plugin and audit plugin will be set to PMUL’s Sudo Manager plugin. Using the PMUL plugin for I/O logging (sudoers_io) is not supported in this release. Sudo Manager includes a new optional feature to disallow operation when the policy server cannot be contacted. The Sudo Manager plugin is based on sudo’s v1.9.10 release.
  • The third-party libraries used in Endpoint Privilege Management for Unix and Linux 22.2 (PMUL) have been upgraded to the following releases:
    • OpenSSL 1.1.1o
    • OpenLDAP 2.5.12
    • Curl 7.83.0
    • libxml2 2.9.14
  • Message Router/Write Queue improvements:
    • Message Router now handles read/write operations with a timeout, and can handle less than the requested number of bytes. These situations occur often on busy hosts.
    • The Scheduler now updates the next schedule time (epoch) to current time, and sets retried to -1 when a scheduled task fails and is configured to be rescheduled.
    • Write Queue processing improvements.
  • Added a keyword to enable/disable logging stacktrace upon progerr_exit() calls, so we can debug when that function is called. Use only under supervision of BeyondTrust Technical Support.
  • Improved error reporting for failed scheduled tasks.
  • Added UTC offset for runhost and submithost to the eventlog.
  • The Failed clntCall for task... errors in pbrest.log are now more specific.
  • Added a diagnostic log for pbadmin (pbadmin.log).
  • Keystroke event sequence numbers (for Elasticsearch) are optimized when queued before sending to ELK.

Issues Resolved:

  • Licensing: Running pbssh from a retired host is now properly stopped.
  • Kerberos: KRB5CCNAME environment variable is no longer ignored.
  • RNS: database synchronization is no longer attempted on deleted secondary servers.
  • S390x powerbroker-shlibs packages no longer fail to install with Failed dependencies error.
  • Issue in v22.1.0 only: pbrestcall GET REST/v2.0/events file=/var/log/pb.eventlog format=ff no longer fails.
  • When the same IP is resolved to two different hostnames, the host no longer takes 2 entries in the license database.
  • Install/uninstall changes:
    • PBuninstall no longer leaves pblighttpd service definition in systemd.
    • Resolved RPM install/uninstall errors related to .closeactionsplunk.pl.SAMPLE file.
    • Package installer Linux now sets KillMode=none in the systemd service files (pblocald, pbmasterd, pblogd). This matches the service files created by pbinstall, and prevents termination of necessary service programs.
    • Resolved issue with init.d script (used by the service command) for pblighttpd to work with prefix/suffix.
    • Pbinstall installs Sudo policy server on all RNS server installations.
    • Pbinstall batch mode (-b) now honors baseport (-B).
  • REST:
    • pblighttpd is now the owner when pbrestdir is set to a different sub-directory under /usr/lib/beyondtrust.
    • When stopping pblighttpd/pbconfigd processes, pblighttpd now waits for children/grandchildren before terminating.