Endpoint Privilege Management for Unix & Linux 23.1 Release Notes

July 6, 2023

Requirements:

For installation requirements and considerations, please see the Installation Guide.

For a list of supported platforms for the latest version of Endpoint Privilege Management for Unix & Linux, please see the Supported Platforms Guide.

Supported Platforms Guides for previous versions of AD Bridge can be found in the Privilege Management for Unix & Linux Documentation Archive.

New Features and Enhancements:


ACTION REQUIRED: The ssl keyword is now deprecated and no longer supported, since the SSL libraries specified in sharedlibssldependencies are always loaded. This means that when upgrading to v23.1, SSL will be enabled. If you are currently setting ssl to no, before upgrading your servers to v23.1, you must set ssloptions to AllowNonSSL in your pb.settings. This allows keeping compatibility with other Endpoint Privilege Management for Unix & Linux components, older servers, or clients, that are not using SSL yet.

Caching Policy and iologs on a Linux Laptop

  • Users can enable pbrun (and pbsh/pbksh) to use a local cached policy and store event and I/O log data when their Linux laptop is disconnected from the corporate network. This feature requires enabling Allow Caching on the policy servers and only role-based policy is supported. The cached policy on the client is encrypted and signed, and the local event logs and iologs are encrypted. Because this feature is only functional when there is no network connectivity, pbrun -h <another host>, pbssh -h, and RNS are not supported.

Sudo Manager Improvements

  • SudoMgr plugins are now based on the latest Sudo code v1.9.13p3.
  • SudoMgr is now supported on RHEL 9.
  • SudoMgr host alias removal enhancements: The pbdbutil --sudo -X <host> command was removing the host from its alias without verifying if the host still had SudoMgr installed. This resulted in breaking SudoMgr on the host. PMUL now queries the pbsudo database to determine if the host alias we are disassociating the host from has non-deleted sudoers policy file(s) already imported into the pbsudo database. If so, it displays an error message advising the user to rerun the command with the --force option if they really want to perform this operation, and then aborts.
  • When importing a sudoers policy into SudoMgr policy server, the reported path now shows the actual path rather than the temporary path.

Miscellaneous

  • The ssl keyword is now deprecated and no longer supported, since the SSL libraries specified in sharedlibssldependencies are always loaded. When your servers are upgraded to v23.1.0, to keep compatibility with older clients not using SSL, set ssloptions to AllowNonSSL.
  • When installing pblighttpd on submit/run hosts, pblighttpd.conf now has new fastcgi settings for pblighttpd-launch mode to mitigate some issues under load.
  • Added an extra check to verify that the permissions of wq files are secure when reading them, to detect potential tampering of the files.
  • We now ensure the directory where the fallback eventlog is created, and the file itself, is secure.
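The two items above describe the same defensive pattern: before trusting a file that a privileged daemon reads or writes (work-queue files, the fallback eventlog), verify that the containing directory and the file itself have safe ownership and permissions, and refuse to proceed otherwise. The following is an added illustration of that pattern in Python; it is not PMUL's own code, and the exact checks PMUL applies (expected owner, permitted mode bits) are assumptions here. It rejects symlinks, group- or world-writable paths, and unexpected owners, and re-checks the open descriptor to narrow the window between the stat and the read.

```python
import os
import shutil
import stat
import tempfile

# Mode bits that make a path untrustworthy for a privileged reader (assumed policy).
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def check_secure_path(path, expected_uid, want_dir=False):
    """Return (ok, reason). lstat is used so a symlink is reported, not followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if want_dir and not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if not want_dir and not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expected_uid:
        return False, "unexpected owner uid %d" % st.st_uid
    if st.st_mode & UNSAFE_WRITE_BITS:
        return False, "group/world writable"
    return True, "ok"


def read_if_secure(path, expected_uid):
    """Validate the parent directory, then the file, then read it.

    Returns (data, reason); data is None when the path is rejected.
    """
    ok, why = check_secure_path(os.path.dirname(path) or ".", expected_uid, want_dir=True)
    if not ok:
        return None, "directory " + why
    ok, why = check_secure_path(path, expected_uid)
    if not ok:
        return None, "file " + why
    # O_NOFOLLOW guards against the file being swapped for a symlink after lstat.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags), "rb") as f:
        fst = os.fstat(f.fileno())  # re-check the descriptor we actually opened
        if fst.st_uid != expected_uid or fst.st_mode & UNSAFE_WRITE_BITS:
            return None, "file changed between check and open"
        return f.read(), "ok"


def demo():
    """Constructed scenario: one correctly protected file, one world-writable file,
    and one missing file, all in a private temporary directory."""
    uid = os.getuid()
    d = tempfile.mkdtemp()  # created mode 0700 by mkdtemp
    try:
        good = os.path.join(d, "good.wq")
        bad = os.path.join(d, "bad.wq")
        with open(good, "w") as f:
            f.write("event=1\n")
        os.chmod(good, 0o600)
        with open(bad, "w") as f:
            f.write("event=2\n")
        os.chmod(bad, 0o666)  # tampering-friendly permissions: must be rejected
        return {
            "good": read_if_secure(good, uid),
            "bad": read_if_secure(bad, uid),
            "missing": read_if_secure(os.path.join(d, "none.wq"), uid),
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for name, (data, reason) in demo().items():
        print("%-8s %-40s %r" % (name, reason, data))
```

The ordering matters: a writable parent directory lets an attacker replace the file wholesale, so the directory check comes first, and the post-open fstat is what turns a point-in-time check into a check on the bytes actually read.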

Issues Resolved:

Sudo Manager Improvements

  • When uninstalling PBUL from a machine where pbsudo is still installed, pbsudo.settings.default was left in pb.db database.
  • When changemanagementevents is enabled, pbinstall no longer errors during creation of PBSUDOADMIN/PBSUDOREAD appkeys.
  • When installing SudoMgr, Client Reg prompts now correctly show Sudo Manager Policy Server rather than Primary License Server.
  • Additional error checking was added during installation of SudoMgr when adding the sudoers file and verifying the alias.
  • Resolved issue in which Sudo Policy Server was not enabled on secondary RNS host, when upgrading from an older release in which SudoMgr was not available to the new release in which it was.
  • When SudoMgr fails to import /etc/sudoers to the policy server's pbsudo.db, it no longer modifies /etc/sudo.conf on SudoMgr client.

RNS

  • Config file versions that were imported before configuring the file for auto sync are now synchronized to existing secondary servers.
  • If RNS was enabled and the keyfile did not exist, pbrun did not display any output. It now displays an error.
  • The pbdbutil --dbsync -l command no longer lists pbrbpolicy.db and pbevent.db unless role-based policies and event change management are enabled.

Miscellaneous

  • Resolved memory corruption issue that occurred on submitmasters after the 16th server was reached.
  • Resolved Advanced Control and Audit issue in which using mv to rename files was not blocked on RHEL7+.
  • Resolved a RBP issue introduced in 22.3.0 in which the rest call displaying the list of users for a secure group was not working.
  • iolog files are now successfully sent to Logstash.
  • Resolved issue in which the error displayed erroneously indicated the directory was insecure when the fallback eventlog did not exist.
  • Resolved issue in which pbrun was failing on Solaris platforms when sharedlibsolarisprojects was undefined (commented out or had no value).
  • When updating pb.settings with the REST API endpoint PUT /settings, and there was an existing error in the file, the call would respond with the error, implying that the update failed, when it had actually succeeded. The call now shows the error as a warning and that the write was successful.
  • Invoking the REST API endpoint PUT /settings with incomplete JSON data no longer causes pbconfig to segmentation fault.
  • Resolved issue in which removing the SQLite eventlog database without stopping the message router caused an error. It now correctly closes the database before removing it.
  • Resolved issue where, when installing a client using client registration while pbrestdir on the primary host was set to a non-default directory, the new installation on the client overwrote pbrestdir with the default if install rest services was set to no.
  • When pbinstall is run with -e or -b, and install rest services is set to yes, pblighttpd_svc.sh is now installed.
  • When pbinstall is run with -b and -m option (policy server-only installation), pblocald is no longer installed.
  • The when column of the license database is now correctly updated with the processing time rather than the lastupdate column.
  • Resolved issue where enabling Kerberos caused a failure or segmentation fault on Solaris when LD_LIBRARY_PATH was set and /usr/lib/beyondtrust/pb was not listed first. We now display an error if LD_LIBRARY_PATH is not set properly.
  • RBP import through PMUL REST, when RBP transactions are enabled, no longer fails if there is no existing RBP database.
  • Several memory leaks were resolved.

Known Issues:

None.

Notes:

  • Upgraded third-party libraries:
    • LDAP 2.5.5
    • OpenLDAP v2.5.14
    • OpenSSL v1.1.1u
    • Curl v8.1.1
    • Kerberos v1.19.4
    • SQLite v3.42.0
    • Jansson v2.14
    • Libedit v20221030-3.1
    • Libevent v2.1.12
    • Libxml2 v2.11.4
    • UnixODBC v2.3.11
  • Solr is deprecated.
  • The tar file for Solaris Sparc 10 is now used on Solaris 11 Sparc. The solaris11+.sparc tar file is no longer needed.
  • Dropped support for RedHat PowerPC Big Endian.
  • Added support for AIX 7.3 (all TL) and Debian 11. Dropped support for AIX 7.1 (all TL), Debian 9, RedHat PowerPC Big Endian.