PowerBroker for Unix & Linux - NIAP CCEVS process for installing PowerBroker for Unix & Linux and...


PowerBroker for Unix & Linux

Common Criteria – Supplementary Guide

DOCUMENTATION


© 2016. BeyondTrust Software, Inc. Common Criteria Guide

Table of Contents

Executive Summary ..... 4
    High Level Product Architecture ..... 4
Assumptions ..... 4
Installation ..... 5
    1 Pre-Installation Checks ..... 5
    2 Product Installation ..... 5
    3 Encryption ..... 6
    4 PB.Settings ..... 6
    5 Define Policy ..... 9
    6 Configure Desired Auditing ..... 9
    7 Start issuing commands ..... 11
Encryption Settings ..... 11
    enforcehighsecurity ..... 12
Controlling Commands ..... 12
Conditional Command Processing ..... 13
    Requesting User ..... 13
    Requesting Hostname ..... 13
    Time of Request ..... 13
Remote Host Execution ..... 14
PowerBroker for Unix & Linux Auditing ..... 14
Event Audit Records ..... 15
Audit Record Inclusion/Exclusion ..... 17
    Logomit ..... 17
Event Record Format ..... 18
Session Recording ..... 23
Session Recording Example ..... 25
PBLogD Logging Process ..... 26
Audit Record Breakdown ..... 27
Server Tracking Audit Information ..... 36
Additional Audit Functions and Change Management ..... 37
Configuration Files ..... 40
    Policy Files ..... 40
        Root Policy File (/etc/pb.conf) ..... 40
        Main Policy File (pbul_policy.conf) ..... 40
        Functions Policy File (pbul_functions.conf) ..... 44
        LDAP Authentication Policy File (ldap.conf) ..... 53
        RADIUS Authentication Policy File (pam_radius_auth.conf) ..... 53
        RADIUS PAM Configuration File (pbul_pam_radius) ..... 53
Supported Platforms ..... 54
Additional Reference Material ..... 54
Appendix A: Event Log Fields ..... 55
Appendix B: Change Management Event Log Fields ..... 65
About BeyondTrust ..... 67


Executive Summary

PowerBroker for Unix & Linux has undergone Common Criteria testing. This document contains details that are relevant to a number of items in the security target, including platforms tested, encryption methods used and common configuration settings required to complete the testing.

High Level Product Architecture

The BeyondTrust PowerBroker UNIX® + Linux® Edition v9 is compliant with the following protection profiles:

Standard Protection Profile for Enterprise Security Management Access Control, Version 2.1, 24 October 2013 (pp_esm_ac_v2.1) with no additional optional SFRs.

Standard Protection Profile for Enterprise Security Management Policy Management, Version 2.1, 24 October 2013 (pp_esm_pm_v2.1) and includes the additional optional SFRs: FAU_SEL.1, and FMT_MTD.1.

Assumptions

The evaluated configuration includes several assumptions and requirements that must be met by the intended environment for the installed BeyondTrust PowerBroker UNIX® + Linux® Edition v9. These are as follows:

o The TOE will use cryptographic primitives provided by the Operational Environment to perform cryptographic services.
o The TOE will be able to establish connectivity to other ESM products to share security data.
o The TOE will receive policy data from the Operational Environment.
o The Operational Environment will provide mechanisms to the TOE that reduce the ability for an attacker to impersonate a legitimate user during authentication.
o The TOE will receive reliable time data from the Operational Environment.
o The TOE will receive identity data from the Operational Environment.
o There will be one or more competent individuals assigned to install, configure, and operate the TOE.

Installation

The process for installing PowerBroker for Unix & Linux and configuring the tool to meet the common criteria standards should be performed in the following manner:

1 Pre-Installation Checks

The following items are either required or highly recommended before installation is performed:

o Bi-directional name resolution using DNS
o Use of a super daemon (such as inetd/xinetd) is recommended
o Disable all firewalls until a working configuration has been achieved
o Disable SELinux (if appropriate) until a working configuration has been achieved
o Ensure the correct installation package is selected for the target system
o Ensure enough free space is available to complete the installation
o Root permissions are required to perform the installation

2 Product Installation

When PowerBroker for Unix & Linux is configured with Kerberos, SSL, LDAP, or CURL it requires the appropriate third-party libraries. The PowerBroker for Unix & Linux installation provides Kerberos, SSL, LDAP, or CURL libraries that are designed to work with PowerBroker for Unix & Linux. The Common Criteria evaluated configuration requires that the PowerBroker for Unix & Linux third-party libraries be installed.

Install the required components. At a minimum a Policy Server, Log Server, Submit Host and Run Host will be required. If performing an install for the first time, all components may be selected using option 1 after running the pbinstall.sh installation utility.

For example, initiate the installation located in the platform specific location,

<untarred location>/powerbroker/v9.1/pbx86_64_linuxA-9.2.0-08/install/pbinstall

o Skip the client registration option
o Press enter to continue
o Select your preferred editor (default vi)


Select option 1 and change the value to ‘YES’ as shown:

Press C to continue and complete the installation. Additional components can be selectively installed on additional servers as required.

“The administrative commands are restricted to authenticated users with root access. The TOE includes a pre-defined administrative role with root access: the Admin role (also referred to as AdminUsers). Administrators can define additional roles using policies for users to manage the TOE or portions of the TOE in addition to the AdminUsers role; however this is not within the scope of the evaluation.”

For more information, refer to PowerBroker_Install_V9.1.pdf guide referenced in the Additional Reference Material.

3 Encryption

Fresh installations of PowerBroker for Unix & Linux will default to the highest levels and be fully compatible with the Common Criteria requirements.

This can be checked post installation. Confirm the enforcehighsecurity keyword is set to Yes in the /etc/pb.settings file.

For more information, see Encryption Settings in this document.

4 PB.Settings

Every host where PBUL is installed (Submit Host, Run Host, Master, Log Server, etc.) will have a file located in /etc by default named pb.settings. This is a core configuration file used for almost all aspects of the production configuration and operation. You can check the settings on any host if you are logged on as root or have root level privileges by issuing the 'cat /etc/pb.settings' command.

The following is an example of the top of a typical pb.settings file:

# Installation date: Fri Mar 4 16:37:21 EST 2016
# Location of:
# user programs: /usr/local/bin
# admin programs: /usr/sbin
# daemons: /usr/sbin
# pbinstall: /tmp/pbul/powerbroker/v9.2/pbx86_64_linuxA-9.2.0-08/install/pbinstall
# TMPDIR: /tmp/beyondtrust_pbinstall
kerberos no
#mprincipal pbmasterd
#lprincipal pblocald
#gprincipal pblogd
#sprincipal pbsyncd
#keytab /etc/krb5.keytab
#shortnamesok no
allownonreservedconnections yes
#minlisteningport 1025
#maxlisteningport 65535
#minoutgoingport 1025
#maxoutgoingport 65535
pbrestport 24351
pblocaldlog /var/log/pblocald.log
pblogdlog /var/log/pblogd.log
pbmasterdlog /var/log/pbmasterd.log
pbguidlog /var/log/pbguid.log
eventlog /var/log/pb.eventlog
syslog yes
#pbrunlog none
#pbsshlog none
facility LOG_AUTHPRIV
policyfile /etc/opt/pbul/pb.conf
passwordlogging never
policydir /etc
warnuseronerror yes
#secureoutput no
masterport 24345
localport 24346
guiport 24348
submitmasters masterhostname.example.com
randomizesubmitmasters no
acceptmasters masterhostname.example.com
#masterdelay 500
#logserverdelay 500
rejectnullpasswords no
allowlocalmode yes
logservers masterhostname.example.com
syncport 24350
#logresynctimermin 15
pbsyncdlog /var/log/pbsyncd.log
pbsynclog /var/log/pbsync.log
#ssl no
#tcpkeepalive no
kshlog /var/log/pbksh.log
shlog /var/log/pbsh.log
#validateclienthostname no
#validatemasterhostname no
#allowremotejobs yes
pam yes
pampasswordservice powerbroker
#pamsessionservice none
pamsuppresspbpasswprompt no #yes #no
libpam /lib64/libpam.so.0.82.2
#pamsetcred no
recordunixptysessions yes
#syslogsessions no
#guidefaults none
#pblocaldcommand none
rootshelldefaultiolog /pbshell.iolog
#localsocketdir none
#runsecurecommand no
transparentfailover yes
pbsshshell /bin/sh

Although the pb.settings file contains many critical settings, the defaults will suffice for most installations, and new installations default to the most secure settings. There are a few settings however that either must be set or are commonly changed. The most important of these are the server names/IPs used to check the policy and record the log data. These settings are referred to as submitmasters, acceptmasters and logservers. Each can have as many entries as desired, separated by commas. Alternatively, you can specify DNS SRV records in order to locate the hosts providing each service:

submitmasters masterhostname.example.com
acceptmasters masterhostname.example.com
logservers masterhostname.example.com, masterhostname2.example.com

To see the current selected ports for the product, you may grep for key words against the pb.settings file. Below is an example of how to view all of the ports used for various communications during the product’s normal operation:

# cat /etc/pb.settings | grep port
#minlisteningport 1025
#maxlisteningport 65535
#minoutgoingport 1025
#maxoutgoingport 65535
pbrestport 24351
masterport 24345
localport 24346
logport 24347
guiport 24348
syncport 24350
rcswebsvcport 443
solrport 8443


5 Define Policy

After the first server has been installed in demo mode, all components required to make the system operational will have been installed. In addition, default policy files will also have been created, with the root policy file located here:

/etc/pb.conf

Additional policy files are merged to form a complete sample policy file using the following include files:

include '/etc/pb/pbul_policy.conf';

include '/etc/pb/pbul_functions.conf';

For details on how the policy files function, see the following sections in this document:

Controlling Commands

Conditional Command Processing

Additional Authentication

Remote Host Execution

The policy files and other configuration files defined when this document was created are also included in this document:

Configuration Files Used During Testing

Note: The included example files may be used to perform testing in other lab environments, however most PowerBroker for Unix & Linux policy and configuration files contain environmental specific information, such as IP addresses, user and host names. Care should be taken to ensure any reference policy is properly adapted for your environment. Care should also be taken to ensure that any copy/paste activities do not warp the policy and/or configuration files by introducing unsupported characters or clipping sections of the file during transfer.

For more information, refer to PowerBroker_Language_V9.1.pdf guide referenced in Additional Reference Material.

6 Configure Desired Auditing

As detailed later in this document, ‘Eventlog’ auditing is on by default when issuing commands via PowerBroker for Unix & Linux. See item 6 about issuing commands. This document contains a number of dedicated sections around how auditing and logging works. The defaults however are as follows:

Located on the Log Server:

/var/log/pb.eventlog

Located on the Log Server:

iologging directory = /tmp

Note: File names will be generated in line with the policy when iologging is turned on.

For details on how the auditing functions in PowerBroker for Unix & Linux work, refer to the following sections in this document:

PowerBroker for Unix & Linux Auditing

Event Audit Records

Audit Record Inclusion/Exclusion

Event Record Format


Session Recording

Session Recording Example

PBLogD Logging Process

Audit Record Breakdown

For more information, refer to PowerBroker_Administration_V9.1.pdf guide referenced in Additional Reference Material.


7 Start issuing commands

The last thing to do is start issuing commands. For PowerBroker for Unix & Linux, commands are invoked using the pbrun command. Here are some commands you can use with the default policies.

pbrun pbtest

pbrun whoami

pbrun bash

pbrun helpdesk

The sample policies are well documented and can be easily modified to allow different user, host and commands to be controlled.

For more information, refer to PowerBroker_Administration_V9.1.pdf guide referenced in Additional Reference Material.

Encryption Settings

During Common Criteria testing, PowerBroker for Unix & Linux was installed and configured with "enforcehighsecurity" and "ssl" both enabled. This switches PowerBroker for Unix & Linux into FIPS 140-2 mode; these are the mandatory security settings for normal operation of the solution to meet Common Criteria certification.

The secure protocols are provided by NIST-validated cryptographic mechanisms that are included in the operational environment. The TOE relies on the third-party FIPS capable OpenSSL 1.0.2a in conjunction with the TOE's FIPS mode (which disables non-FIPS algorithms). Customers should choose their own FIPS validated Object Module and link it with the provided FIPS capable OpenSSL v1.0.2a. The combination of the FIPS validated Object Module linked with the FIPS capable OpenSSL provides key management, random bit generation, encryption/decryption, digital signature, cryptographic hashing and keyed-hash message authentication features in support of higher level cryptographic protocols, including TLS and HTTP over TLS.

Testing by the CCTL included the installation and use of the OpenSSL FIPS Object Module SE v2.0.12, CMVP Certificate #2398.

To enable compliance with US government regulations, and specifically FIPS 140-2, the encryption in PowerBroker for Unix & Linux has been updated. Many of the older, less secure encryption algorithms have been deprecated, and when high security is enforced, they are disabled completely.

When new PowerBroker for Unix & Linux clients are installed, the pb.settings keywords "enforcehighsecurity" and "ssl" are both enabled. This switches PowerBroker for Unix & Linux into FIPS 140-2 mode. All encryption algorithms are FIPS 140-2 compliant, and it will not communicate, encrypt or decrypt any data that isn't encrypted with AES-128, AES-192, AES-256 or Triple DES (3DES). If a customer is installing version 9 of PowerBroker for Unix & Linux from scratch, high security mode is recommended.

During the installation, install option 129 should be set to Yes to force the installation to use the settings required for Common Criteria certification compliance:

129. Enforce High Security Encryption:

Enabling High Security will enforce configuration to adhere to FIPS 140‐2 security. Non‐FIPS compatible encryption and hashing algorithms will be disabled. SSL running in strict FIPS mode will be enabled, enhancing the security of the installation.

This will provide a setting in /etc/pb.settings [enforcehighsecurity]


enforcehighsecurity

This will enforce the use of more secure configuration, including using SSL for communications, FIPS 140‐2 compliant symmetric encryption algorithms, an enhanced Pseudo Random Number Generator, and the use of the enhanced pb.key format.

Only encryption algorithms that are accredited by FIPS 140‐2 can be used for network and file encryption (i.e. aes‐128, aes‐192, aes‐256 and tripledes). All others are deprecated.

Once this has been enabled the following pb.settings need to be configured:

ssl yes

ssloptions requiressl

sslservercertfile /etc/pbssl.pem

sslserverkeyfile /etc/pbssl.pem

sslpbruncipherlist HIGH:!MD5:@STRENGTH

sslservercipherlist HIGH:!MD5:@STRENGTH

sslcountrycode US

sslprovince AZ

ssllocality Phoenix

sslorgunit Security

sslorganization BeyondTrust

Example:

enforcehighsecurity yes

Default:

enforcehighsecurity no

Used on:

Policy Server hosts, Submit hosts, Run hosts
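Each of the settings above is a single keyword line in /etc/pb.settings, so a quick way to confirm that a host matches this guide is to parse the file and compare it against the list. The following Python is an added example and is not BeyondTrust's code or tooling. It assumes the file grammar shown in the pb.settings sample in section 4 (one keyword and value per line, '#' starting a comment, comma-separated host lists for submitmasters, acceptmasters and logservers), and the two pb.settings samples embedded in it are constructed: one in the "Default" state with ssl still commented out, one with the keywords listed above. Feed it the contents of /etc/pb.settings and it reports each keyword that deviates from the Common Criteria configuration.

```python
"""Check a pb.settings file against the keywords this guide requires for the
Common Criteria configuration: enforcehighsecurity and ssl enabled,
ssloptions requiressl, the ssl* certificate and cipher keywords, and
non-empty submitmasters/acceptmasters/logservers host lists.

Added example, not BeyondTrust code.  Assumed grammar (from the sample in
this guide): one "keyword value" pair per line, '#' starts a comment, and
the server-list keywords take comma-separated host lists.
"""
from __future__ import annotations

# Keywords that must carry exactly this value (compared case-insensitively).
REQUIRED_EXACT = {
    "enforcehighsecurity": "yes",
    "ssl": "yes",
    "ssloptions": "requiressl",
    "sslpbruncipherlist": "HIGH:!MD5:@STRENGTH",
    "sslservercipherlist": "HIGH:!MD5:@STRENGTH",
}
# Keywords that must be present with a non-empty value (site-specific paths).
REQUIRED_PRESENT = ("sslservercertfile", "sslserverkeyfile")
# Keywords holding comma-separated host lists; each needs at least one host.
SERVER_LISTS = ("submitmasters", "acceptmasters", "logservers")


def parse_pb_settings(text: str) -> dict[str, str]:
    """Return the active (uncommented) keyword -> value pairs; a later line wins."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def server_list(value: str) -> list[str]:
    """Split a submitmasters/acceptmasters/logservers value into host names."""
    return [host.strip() for host in value.split(",") if host.strip()]


def check_common_criteria(settings: dict[str, str]) -> list[str]:
    """Return one finding per deviation; an empty list means the file conforms."""
    findings: list[str] = []
    for key, expected in REQUIRED_EXACT.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: missing (expected '{expected}')")
        elif actual.lower() != expected.lower():
            findings.append(f"{key}: '{actual}' (expected '{expected}')")
    for key in REQUIRED_PRESENT:
        if not settings.get(key):
            findings.append(f"{key}: missing or empty")
    for key in SERVER_LISTS:
        if not server_list(settings.get(key, "")):
            findings.append(f"{key}: no hosts configured")
    return findings


# Constructed sample in the guide's "Default" state: ssl is still commented
# out and enforcehighsecurity is absent.
WEAK_SETTINGS = """\
# Installation date: Fri Mar 4 16:37:21 EST 2016
#ssl no
masterport 24345
submitmasters masterhostname.example.com
acceptmasters masterhostname.example.com
logservers masterhostname.example.com
pamsuppresspbpasswprompt no #yes #no
"""

# Constructed sample with the keywords the guide lists for high security.
HARDENED_SETTINGS = WEAK_SETTINGS + """\
enforcehighsecurity yes
ssl yes
ssloptions requiressl
sslservercertfile /etc/pbssl.pem
sslserverkeyfile /etc/pbssl.pem
sslpbruncipherlist HIGH:!MD5:@STRENGTH
sslservercipherlist HIGH:!MD5:@STRENGTH
logservers masterhostname.example.com, masterhostname2.example.com
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        findings = check_common_criteria(parse_pb_settings(text))
        print(f"{name}: {'conforms' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

The cipher-list comparison is deliberately exact: a cipher list that merely looks strong is not what this guide specifies, and an operator who has a reason to diverge can see the deviation in the report rather than have it silently accepted.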

Controlling Commands

Standard functionality in PowerBroker for Unix & Linux allows for commands to be whitelisted (run with higher privileges) and blacklisted (denied from running). This also allows new commands to be created to control everything on a system, including management of PowerBroker for Unix & Linux itself. For example, if your master policy file is located in /etc and is named pb.conf, you would need to be ‘root’ on the policy server to edit that policy file.

if( basename(command) == "editpolicy" ) {
    runcommand = "vi";
    runargv = split("vi /etc/pb.conf");
    runuser = "root";
    accept;
}

The above example can be altered to control administrative operations in PowerBroker for Unix & Linux such as the ability to view the event log using the pblog command:

if( basename(command) == "pblog" ) {

Or replaying a recorded session using the pbreplay command:

if( basename(command) == "pbreplay" ) {

Conditional Command Processing

PowerBroker for Unix & Linux can perform an almost endless list of additional checks before allowing a command to be processed. Conditional processing statements such as IF and CASE can be used to leverage hundreds of variables as part of the decision making process before a command is allowed to run, elevated and in what way, or rejected. Some of the command checks include:

Requesting User

Requesting Hostname

Time of Request

Requesting User

Checking the username of the user making the command request:

if (user == "requesting user name") {
    # Allow/Disallow Processing Policy
}

Requesting Hostname

Checking the hostname where the command is being requested from:

if (submithost == "requesting hostname") {
    # Allow/Disallow Processing Policy
}

Time of Request

There are many more options available for validating the date/time/day of a request. Some of the out of the box variables include:

date = "2015/11/05"
day = 5
dayname = "Wed"
hour = 13
i18n_date = "11/05/2015"
i18n_day = "05"
i18n_dayname = "Tue"
i18n_exitdate = "11/05/2015"
i18n_exittime = "01:34:34 PM"
i18n_hour = "13"
i18n_minute = "34"
i18n_month = "01"
i18n_time = "01:34:33 PM"
i18n_year = "2015"
minute = 34
month = 11
year = 2015

Checking these variables with And, Or and TimeBetween operators allows for tight control over when a command may or may not be accepted. For example, if you want to allow certain commands to be executed only over a weekend (or block certain commands over a weekend), you could use the dayname variable as follows:

if (dayname == "Sat" || dayname == "Sun") {
    # Allow/Disallow Processing Policy
}

Remote Host Execution

The remote host execution feature of PowerBroker for Unix & Linux is available from the command line:

pbrun -h remote_host_name command

It can also be used to allow the policy file to be edited from any system. The run host can also be specified with a fixed name or a variable in the policy using the runhost setting:

runhost = "remote_system_name";

PowerBroker for Unix & Linux Auditing

PowerBroker for Unix & Linux has two main forms of audit capability:

Event Log - The Event Log can be compared to taking a photograph of a command request being processed by the application. It will record all the details of the request regardless if the request is approved or rejected at that moment in time.

Event log auditing is always on and cannot be turned off.

Session Recording - Session Recording differs from an event log record in that it more closely resembles a video recording of the user's activity. A session recording may run from the moment a user logs on to the system until the time they log off, or it can be focused down to an individual command, such as a user's interactive vim session editing a system's hosts file.

Session Recording is optional and can be invoked on a single user, single host, single command, during certain periods of time, and so on. It is possible to perform session recording as much or as little as desired.

Session Recording is PowerBroker for Unix & Linux's method of 'Selective Auditing'. That is to say that these audit records (session recordings) are only generated 'on demand' where stated in the policy.

For example, you can use conditional processing statements such as:

If the User is….

If the requesting user belongs to group X….

If the host where the command is being executed is in the following list….

If the day is a weekend day….

And so on. The list of conditional processing statements can be as long and complex as the policy creator wishes.

Example Conditional Statement:

if (user == "requesting user name") {
    # Optionally turn on Session Recording
    # Process Command
}

Session Recording Example:

printf("Command accepted by: %s\n", masterhost);
iolog = "/iologs/"
      + sprintf("%d-%d-%d", month, day, year) + "."
      + logtime + "."
      + split(runhost, ".")[0] + "."
      + user + "."
      + basename(command) + "."; # + ".XXXXXX";
# print the warning after iolog has been assigned so the message shows the file actually used
print("Warning this session is being logged:", iolog);
setenv("IOLOG", "done");

Event Audit Records

Every time a command is submitted to PowerBroker for Unix & Linux an event log record is generated regardless of whether the event is accepted or rejected. The basic format of an event includes the four W's: Who, What, Where and When:

Accept 2015/11/05 11:08:35 [email protected] -> [email protected] by svr1centos63.demo.corp
whoami
Command finished with exit status 0

Reject 2015/11/05 11:08:37 [email protected] by svr1centos63.demo.corp
kill
Request rejected by pbmasterd on svr1centos63.demo.corp.

Each event has well over 100 different fields recorded each time a command is processed. In addition, custom data derived during the processing of the policy when a command is executed can also be added to the event log.

The event log can be viewed using the 'pblog' command. The user will need root level privileges to view the event log, but these rights can be delegated using PowerBroker for Unix & Linux as described later in this document.
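A small parser for records in the format shown above, as an added example that is not BeyondTrust code: it splits pblog output into Accept/Reject records, extracts the who/what/where/when fields, and pulls out the two things an auditor reads first, the rejected requests and the accepted requests that ran as a different user than the one who submitted them. The record layout (a header line, then one line holding the command, then one line holding the outcome) is assumed from the two records above; the sample log embedded in the code is constructed, with placeholder user names and the host name from the sample above.

```python
"""Parse pblog event-log records into structured events and report rejects
and cross-user accepts.

Added example, not BeyondTrust code.  Record layout assumed from the two
records shown in this guide:
  "<Accept|Reject> <yyyy/mm/dd> <hh:mm:ss> <user>@<submithost> [-> <runuser>@<runhost>] by <masterhost>"
followed by one line holding the command and one line holding the outcome.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Header line of one record, as seen in the pblog output shown in this guide.
HEADER_RE = re.compile(
    r"^(?P<result>Accept|Reject)\s+"
    r"(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<submituser>[^@\s]+)@(?P<submithost>\S+)"
    r"(?:\s+->\s+(?P<runuser>[^@\s]+)@(?P<runhost>\S+))?"
    r"\s+by\s+(?P<masterhost>\S+)\s*$"
)
EXIT_RE = re.compile(r"exit status (\d+)")


@dataclass
class Event:
    result: str               # "Accept" or "Reject"
    when: datetime            # when the policy server made the decision
    submituser: str           # who asked
    submithost: str           # where they asked from
    runuser: Optional[str]    # who the command ran as (None on a Reject)
    runhost: Optional[str]    # where it ran (None on a Reject)
    masterhost: str           # policy server that decided
    command: str              # what was requested
    outcome: str              # closing line of the record

    @property
    def exit_status(self) -> Optional[int]:
        """Exit status from 'Command finished with exit status N', else None."""
        m = EXIT_RE.search(self.outcome)
        return int(m.group(1)) if m else None


def parse_eventlog(text: str) -> list[Event]:
    """Group the non-blank lines into header / command / outcome triples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events: list[Event] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m is None:                  # skip anything that is not a record header
            i += 1
            continue
        command = lines[i + 1] if i + 1 < len(lines) else ""
        outcome = lines[i + 2] if i + 2 < len(lines) else ""
        events.append(Event(
            result=m["result"],
            when=datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S"),
            submituser=m["submituser"], submithost=m["submithost"],
            runuser=m["runuser"], runhost=m["runhost"],
            masterhost=m["masterhost"], command=command, outcome=outcome,
        ))
        i += 3
    return events


def rejections(events: list[Event]) -> list[Event]:
    """Requests the policy server refused."""
    return [e for e in events if e.result == "Reject"]


def escalations(events: list[Event]) -> list[Event]:
    """Accepted requests that ran as a different user than the one who submitted them."""
    return [e for e in events
            if e.result == "Accept" and e.runuser is not None and e.runuser != e.submituser]


# Constructed sample in the layout of the records shown above; the user
# names are placeholders, the host name is the one used in this guide.
SAMPLE_EVENTLOG = """\
Accept 2015/11/05 11:08:35 jsmith@svr1centos63.demo.corp -> root@svr1centos63.demo.corp by svr1centos63.demo.corp
whoami
Command finished with exit status 0
Reject 2015/11/05 11:08:37 jsmith@svr1centos63.demo.corp by svr1centos63.demo.corp
kill
Request rejected by pbmasterd on svr1centos63.demo.corp.
Accept 2015/11/05 11:09:02 jsmith@svr1centos63.demo.corp -> jsmith@svr1centos63.demo.corp by svr1centos63.demo.corp
pbtest
Command finished with exit status 0
"""

if __name__ == "__main__":
    evs = parse_eventlog(SAMPLE_EVENTLOG)
    print(f"{len(evs)} records, {len(rejections(evs))} rejected, "
          f"{len(escalations(evs))} ran as another user")
    for e in escalations(evs):
        print(f"  {e.when:%Y-%m-%d %H:%M:%S} {e.submituser}@{e.submithost} "
              f"ran '{e.command}' as {e.runuser} (exit {e.exit_status})")
```

Because the event log is written for every request, accepted or not, the Reject records are the cheapest signal of someone probing the policy; the escalation filter is the view of what actually ran with elevated rights.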

Physical storage for log records (internal and external) is provided by the operational environment. The amount of audit data which can be stored depends on the amount of disk space available on the server hosting pblogd. The same applies to logs exported to external log servers. The TOE includes options for log file management, i.e. log file rotation and archiving based on time and/or size. Additionally, to help prevent the file system holding the audit logs from running out of space, free space on the log host can be controlled and the system can be configured to fail over to the next log server with the logreservedfilesystems and logreservedblocks settings.

The logreservedfilesystems and logreservedblocks settings enable the administrator to control free space on the logreservedfilesystems file systems, and cause an immediate failover if the log host's free space falls below logreservedblocks. If the number of free 1-KB blocks falls below logreservedblocks on any of the file systems specified in logreservedfilesystems on the log host, then the log daemon immediately refuses any new requests, causing an immediate failover. The same happens on the Policy Server host if you are not using a log server. If the free space in any of the file systems containing /var/log or /usr/log falls below 10,000 blocks, then new requests are rejected. Requests that are already in progress are allowed to continue. If there are no Log Servers (including the Master Host) capable of recording an event (e.g., no disk space is available), the TOE itself would fail and therefore stop.

Detailed information about additional logging options, including log file management and log file rotation can be found in the reference information guides listed below.

Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, Event Logging for more information about the event log.

Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, PBLog for more information on viewing the event log.


Audit Record Inclusion/Exclusion

The event log is always on by default, and every command issued generates an event log entry. See Appendix A: Event Log Fields.

If, however, you want to implement selective auditing, i.e. to stop certain items being entered into the event log, you may use the LogOmit function anywhere in the policy file. If used globally, the selected items are excluded from all event log records. The LogOmit function can also be used within specific rules, so that item-level omissions occur only when certain conditions are met, i.e. for certain users, certain commands or certain hosts.

Refer to PowerBroker_Language_V9.1.pdf, LOGOMIT for more information about this function.

Logomit

Data Type: List

Description: The logomit variable specifies which PowerBroker for Unix & Linux user-defined variables to omit from the event log. Use this variable to reduce the disk space that is used by the event log. Metacharacter patterns can be used. By default, this variable is undefined, which means that all PowerBroker for Unix & Linux variables are written to the event log.

Syntax: logomit = list;

In addition, event logging can be disabled at any point within the policy. Although this is not recommended, because it removes most of the security value the solution provides, you can globally disable the eventlog from writing any records with the following statement inside the policy file:

eventlog = "/dev/null";

A more selective method disables the eventlog only when a conditional statement inside the policy file matches:

if (condition) {
    # normal policy processing
    . . .
    eventlog = "/dev/null";
    accept;    # or reject;
}

For example, to disable the eventlog for the whoami command but still allow the command to run, the following policy code disables the eventlog for this command only:

# basename() strips the directory part, so the comparison is against the bare command name
if (basename(command) == "whoami") {
    eventlog = "/dev/null";
    accept;
}
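As an added review aid, not code from this guide or from BeyondTrust, the scanner below finds the eventlog and logomit statements just described in a policy file and reports whether each applies globally or only inside a conditional block. The sample policy is constructed, and the scanner's view of the policy language (`#` comments, string literals, braces) is a simplifying assumption.

```python
"""Added example (not BeyondTrust code): flag policy statements that reduce event logging.

Scans policy text for `eventlog = "/dev/null";` and `logomit = ...;` and reports
each one as global (no enclosing block, so it applies to every request) or
conditional (inside a block), together with the nearest enclosing `if`
condition.  SAMPLE_POLICY is constructed.  The scanner understands `#`
comments, string literals and nested braces; it is a review aid, not a full
parser of the policy language.
"""
import re
from typing import List, Optional

# Constructed sample policy mixing the global and the selective form.
SAMPLE_POLICY = '''\
# global audit reduction (not recommended)
logomit = {"env", "runenv"};

if (basename(command) == "whoami") {
    eventlog = "/dev/null";   # selective: this command only
    accept;
}
if (user == "auditor") {
    iolog = "/iologs/" + user + ".log";
    accept;
}
eventlog = "/dev/null";   # global: no event records for anything below
reject;
'''

AUDIT_PATTERNS = [
    ("eventlog_disabled", re.compile(r'eventlog\s*=\s*"/dev/null"\s*;')),
    ("logomit_set", re.compile(r"\blogomit\s*=\s*[^;]+;")),
]
IF_RE = re.compile(r"\bif\s*\((.*)\)")


def strip_comment(line: str) -> str:
    """Remove a `#` comment, ignoring `#` characters inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
    return line


def brace_tokens(code: str) -> List[str]:
    """The '{' and '}' characters of a line that sit outside string literals, in order."""
    out: List[str] = []
    in_str = False
    for ch in code:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "{}":
            out.append(ch)
    return out


def audit_reductions(policy: str) -> List[dict]:
    """One finding per audit-reducing statement, with its line, scope and condition."""
    findings: List[dict] = []
    conditions: List[str] = []          # one entry per currently open block
    pending_if: Optional[str] = None    # condition of an `if` whose `{` has not been seen yet
    for lineno, raw in enumerate(policy.splitlines(), 1):
        code = strip_comment(raw)
        m = IF_RE.search(code)
        if m:
            pending_if = m.group(1).strip()
        # classify statements using the block state at the start of the line
        for kind, pat in AUDIT_PATTERNS:
            if pat.search(code):
                findings.append({
                    "line": lineno, "kind": kind,
                    "scope": "conditional" if conditions else "global",
                    "condition": conditions[-1] if conditions else None,
                })
        # then update the block state with this line's braces
        for tok in brace_tokens(code):
            if tok == "{":
                conditions.append(pending_if or "<block>")
                pending_if = None
            elif conditions:
                conditions.pop()
    return findings
```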


Event Record Format

See Appendix A: Event Log Fields for a detailed list of all default fields included in each event log entry.

To provide an example of the amount of data collected in each event record, this is a single accepted command:

Accept 2015/11/05 11:27:02 [email protected] ->

[email protected] by svr1centos63.demo.corp

whoami

Command finished with exit status 0

AdmGroup = "LinuxAdmins"

AuditGroup = "Audit"

LocalGroup = "LocalGroup"

PBgroups = {"root"}

PolicyServer = "svr1centos63.demo.corp"

PwrUsers = {"root", "dba"}

StdGroup = "LinuxUsers"

StdUsers = {"Ray", "Dan", "Sam", "Amy", "Lee", "demo1", "demo7", "demo8", "demo9", "oracle", "OracleDBA", "c1kpadmin"}

argc = 1

argv = {"whoami"}

bkgd = 0

clienthost = "svr1centos63.demo.corp"

clienthost_uuid = "02ceb4bf-90c7-4374-93c9-5811d34ed58f"

clienthost_uuid_created = 0

command = "whoami"

commandset = {"whoami", "id", "top", "who", "cal", "cat", "ssh"}

cwd = "/root"

date = "2015/11/05 "

day = 5

dayname = "Tue"

env = {"HOSTNAME=svr1centos63", "TERM=xterm", "SHELL=/bin/bash", "HISTSIZE=1000",
"SSH_CLIENT=192.168.0.155 63282 22", "QTDIR=/usr/lib64/qt-3.3", "QTINC=/usr/lib64/qt-3.3/include",
"SSH_TTY=/dev/pts/1", "USER=root",
"LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:",
"MAIL=/var/spool/mail/root",
"PATH=/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin",
"PWD=/root", "JAVA_HOME=/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/", "LANG=en_US.UTF-8",
"KDE_IS_PRELINKED=1", "KDEDIRS=/usr", "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass",
"HISTCONTROL=ignoredups", "SHLVL=1", "HOME=/root", "LOGNAME=root", "QTLIB=/usr/lib64/qt-3.3/lib",
"CVS_RSH=ssh", "SSH_CONNECTION=192.168.0.155 63282 192.168.0.160 22",
"LESSOPEN=|/usr/bin/lesspipe.sh %s", "G_BROKEN_FILENAMES=1", "_=/usr/local/bin/pbrun"}

event = "Accept"

eventlog = "/var/log/pb.eventlog"

execute_via_su = 0

exitdate = "2015/11/05 "

exitstatus = "Command finished with exit status 0"

exittime = "11:27:02"

false = 0

group = "root"

groups = {"root"}

host = "svr1centos63.demo.corp"

hour = 11

i18n_date = "11/05/2015"

i18n_day = "05"

i18n_dayname = "Tue"

i18n_exitdate = "11/05/2015"

i18n_exittime = "11:27:02 AM"

i18n_hour = "11"

i18n_minute = "27"

i18n_month = "11"

i18n_time = "11:27:02 AM"

i18n_year = "2015"

iolog = ""

iolog_part = 1

lineinfile = "/etc/opt/pbul/pb.conf"

linenum = "311"

localmode = 0

logdversion = "9.1.0-08"

loghostip = "127.0.0.1"

lognopassword = 1

logpid = 18997

logport = "24347"

logserver_utcoffset = "-5.00"

logserverlocale = "en_US"

logservers = {"svr1centos63"}


logstderr = 1

logstdin = 1

logstdout = 1

master_utcoffset = "-5.00"

masterdversion = "9.1.0-08"

masterhost = "svr1centos63.demo.corp"

masterhostip = "127.0.0.1"

masterlocale = "en_US"

minute = 27

month = 1

nice = 0

noexec = 0

optarg = ""

opterr = 1

optimizedrunmode = 1

optind = 1

optopt = ""

optreset = 1

optstrictparameters = 1

passwordloggingprompts = {"Password", "password", "Passwd", "passwd"}

pbclientmode = "run"

pbclientname = "pbrun"

pblogdmachine = "x86_64"

pblogdnodename = "svr1centos63"

pblogdrelease = "2.6.32-358.6.1.el6.x86_64"

pblogdsysname = "Linux"

pblogdversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"

pbmasterdmachine = "x86_64"

pbmasterdnodename = "svr1centos63"

pbmasterdrelease = "2.6.32-358.6.1.el6.x86_64"

pbmasterdsysname = "Linux"

pbmasterdversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"

pbrisklevel = 0

pbrunmachine = "x86_64"

pbrunnodename = "svr1centos63"

pbrunrelease = "2.6.32-358.6.1.el6.x86_64"

pbrunsysname = "Linux"

pbrunversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"

pbulacapolicy = {"file default all", "file /tmp/banned/* !all|log=9", "file /scripts/* all|log=9",
"file /sbin/reboot !exec|log=9", "file /sbin/shutdown !exec|log=9", "file /usr/bin/reboot !exec|log=9",
"file /usr/bin/shutdown !exec|log=9", "file /etc/shadow !all", "file /usr/bin/* all|log=9",
"file /usr/sbin/* all|log=9", "file /bin/* all|log=9", "file /sbin/* all|log=9"}

pbversion = "9.1.0-08"

pid = 18984

ptyflags = 7

rcsworkgroup = "BeyondTrust Workgroup"

rejectnullpasswords = 0

requestuser = "root"

rlimit_as = -1

rlimit_core = 0

rlimit_cpu = -1

rlimit_data = -1

rlimit_fsize = -1

rlimit_locks = -1

rlimit_memlock = 65536

rlimit_nofile = 1024

rlimit_nproc = 7784

rlimit_rss = -1

rlimit_stack = 10485760

rule = 3

runargv = {"whoami"}

runbkgd = 0

runcommand = "whoami"

runcwd = "/root"

runeffectiveuser = "root"

runenablerlimits = 0

runenv = {"HOSTNAME=svr1centos63", "TERM=xterm", "SHELL=/bin/bash", "HISTSIZE=1000",
"SSH_CLIENT=192.168.0.155 63282 22", "QTDIR=/usr/lib64/qt-3.3", "QTINC=/usr/lib64/qt-3.3/include",
"SSH_TTY=/dev/pts/1", "USER=root",
"LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:",
"MAIL=/var/spool/mail/root",
"PATH=/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin",
"PWD=/root", "JAVA_HOME=/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/", "LANG=en_US.UTF-8",
"KDE_IS_PRELINKED=1", "KDEDIRS=/usr", "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass",
"HISTCONTROL=ignoredups", "SHLVL=1", "HOME=/root", "LOGNAME=root", "QTLIB=/usr/lib64/qt-3.3/lib",
"CVS_RSH=ssh", "SSH_CONNECTION=192.168.0.155 63282 192.168.0.160 22",
"LESSOPEN=|/usr/bin/lesspipe.sh %s", "G_BROKEN_FILENAMES=1", "_=/usr/local/bin/pbrun"}

rungroup = "root"

rungroups = {"root"}

runhost = "svr1centos63.demo.corp"

runlocalmode = 0

runnice = 0

runoptimizedrunmode = 1

runpid = 18982

runptyflags = 7

runrlimit_as = -1

runrlimit_core = 0

runrlimit_cpu = -1

runrlimit_data = -1

runrlimit_fsize = -1

runrlimit_locks = -1

runrlimit_memlock = 65536

runrlimit_nofile = 1024

runrlimit_nproc = 7784

runrlimit_rss = -1

runrlimit_stack = 10485760

runsolarisproject = ""

runtimeout = 0

runtimeoutoverride = 0

runumask = 18

runuser = "root"

solarisproject = ""

status = 0

submithost = "svr1centos63.demo.corp"

submithostip = "127.0.0.1"

submitlocale = "en_US.UTF-8"

submitpid = 18982

subprocuser = "root"

taskpid = 18995

taskttyname = "/dev/pts/2"

testmaster = 0

time = "11:27:02"

timezone = "EST"


true = 1

ttyname = "/dev/pts/1"

umask = 18

uniqueid = "7f000001568beed64A28"

unixtimestamp = 1452011222

user = "root"

xwinforward = 0

year = 2015
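As an added example, not part of this guide, the parser below reads a record in the format shown above into header lines and typed variables, and pulls out the fields used later in the Audit Record Breakdown to trace a request through the Submit, Master and Run Hosts. The sample record is constructed and abbreviated; its host names and requesting user are placeholders.

```python
"""Added example (not BeyondTrust code): parse a pb.eventlog record like the one above.

Header lines (event, date/time, submitting and run user@host, command, exit
status) are kept as-is; `name = value` lines become Python values, with brace
lists allowed to wrap over several lines.  request_path() picks out the fields
the Audit Record Breakdown later in this guide uses to trace a request across
Submit, Master and Run Host.  SAMPLE_RECORD is constructed and abbreviated; its
host names and requesting user are placeholders.
"""
import re
from typing import Any, Dict, List, Tuple

SAMPLE_RECORD = '''\
Accept 2015/11/05 11:27:02 cctester@submit.example ->
root@run.example by master.example
whoami
Command finished with exit status 0
StdUsers = {"Ray", "Dan", "Sam", "Amy", "Lee", "demo1", "demo7", "demo8",
"demo9", "oracle", "OracleDBA", "c1kpadmin"}
argc = 1
command = "whoami"
event = "Accept"
eventlog = "/var/log/pb.eventlog"
exitstatus = "Command finished with exit status 0"
iolog = ""
lineinfile = "/etc/opt/pbul/pb.conf"
linenum = "311"
masterhost = "master.example"
rlimit_as = -1
runhost = "run.example"
runuser = "root"
submithost = "submit.example"
user = "cctester"
'''

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*) = (.*)$")


def _balanced(text: str) -> bool:
    """True when braces balance and no string literal is left open."""
    depth, in_str = 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            depth += {"{": 1, "}": -1}.get(ch, 0)
    return depth == 0 and not in_str


def parse_scalar(token: str) -> Any:
    """Quoted string -> str, integer literal -> int, anything else kept verbatim."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    return token


def parse_value(text: str) -> Any:
    """Scalar or `{a, b, ...}` list; commas inside string literals do not split."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        return parse_scalar(text)
    items, cur, in_str = [], "", False
    for ch in text[1:-1]:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur)
    return [parse_scalar(i) for i in items]


def parse_event_record(text: str) -> Tuple[List[str], Dict[str, Any]]:
    """Return (header lines, variables); a list value wraps until its braces balance."""
    header, variables, lines, i = [], {}, text.splitlines(), 0
    while i < len(lines):
        m = ASSIGN_RE.match(lines[i])
        if not m:
            if not variables:         # lines before the first variable form the header
                header.append(lines[i])
            i += 1
            continue
        name, value = m.group(1), m.group(2)
        while not _balanced(value) and i + 1 < len(lines):
            i += 1
            value += " " + lines[i]   # wrapped list: pull in the continuation line
        variables[name] = parse_value(value)
        i += 1
    return header, variables


def request_path(v: Dict[str, Any]) -> Dict[str, Any]:
    """Who asked, which TOE hosts handled the request, what ran and under which policy."""
    return {
        "event": v.get("event"), "requesting_user": v.get("user"),
        "submit_host": v.get("submithost"), "master_host": v.get("masterhost"),
        "run_host": v.get("runhost"), "run_user": v.get("runuser"),
        "command": v.get("command"), "exit_status": v.get("exitstatus"),
        "policy": f"{v.get('lineinfile')}:{v.get('linenum')}",
        "elevated": v.get("runuser") != v.get("user"),
        "session_recorded": bool(v.get("iolog")),
    }
```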

Session Recording

Session recording is enabled in a PowerBroker for Unix & Linux policy. It can be enabled per command, per user, per host, during specific time frames, for groups of these items, or on any other variable that can be referenced on the system during a command request.

As described in the PowerBroker for Unix & Linux Auditing section, this type of auditing is optional: the Policy Creator/Administrator can selectively choose which commands, users, hosts, actions, times and so on are recorded. Session recording is only invoked when the iolog variable, described below, is set in the policy.

Auditing this type of data is optional and not within the scope of the Common Criteria evaluation and has not been tested.


Data Type: String

Description: The iolog variable contains the absolute path specification for the current I/O log file. The default value for this variable is undefined, which does no I/O logging. The iolog file can log standard input, standard output, and standard error information that is associated with the current task request.

Syntax: iolog = string;

Valid Values: A string that contains the absolute path specification for the current iolog file. The default value is undefined.

Example: iolog = "/var/log/sample.log";

The location and name of a recorded session can be configured in the policy. For example, you can use variables which are configured or set during normal PowerBroker for Unix & Linux operations to build the path location and name of the file for the recording.

Example:

logtime = strftime("%H:%M");
iolog = "/iologs/"
    + sprintf("%d-%d-%d", month, day, year) + "."
    + logtime + "."
    + split(runhost, ".")[0] + "."
    + user + "."
    + basename(command) + ".";   # + ".XXXXXX";
setenv("IOLOG", "done");
print("Warning this session is being logged:", iolog);

Recorded sessions can be viewed using the ‘pbreplay’ command. The user will need root level privileges to view the event log, but these rights can be delegated using PowerBroker for Unix & Linux as described later in this document.

Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, iolog for more information about turning on and the creation of the session recordings.

Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, pbreplay for more information on viewing session recording.


Session Recording Example

Now we can combine these two features to control who can edit the policy, audit the entire editing session of the policy and also have the audit event records.

if (basename(command) == "editpolicy") {
    logtime = strftime("%H:%M");
    iolog = "/iologs/"
        + sprintf("%d-%d-%d", month, day, year) + "."
        + logtime + "."
        + split(runhost, ".")[0] + "."
        + user + "."
        + basename(command) + ".";   # + ".XXXXXX";
    setenv("IOLOG", "done");
    print("Warning this session is being logged:", iolog);
    runcommand = "vi";
    runargv = split("vi /etc/pb.conf");
    runuser = "root";
    accept;
}

This will allow for the following command:

pbrun editpolicy (or pbrun -h hostname editpolicy)

Which will generate an event log record:

Accept 2015/11/05 12:33:55 [email protected] ->

[email protected] by svr1centos63.demo.corp

vi /etc/pb.conf

Command finished with exit status 0

And produce a session recording on the logging server in the /iologs folder with the current date, time, hostname, username and command (editpolicy) combined to make the file name.


PBLogD Logging Process

The ‘ps’ command can be used to look for running instances of ‘pblogd’ (PowerBroker for Unix & Linux logging daemon).

[root@systemname ~]# ps -ef |grep pblogd
root 21415 1 0 15:39 ? 00:00:00 pblogd -i demo1@svr3centos63 26394 root:/bin/bash
root 21417 15921 0 15:39 pts/1 00:00:00 grep pblogd

You may also use the ‘pbbench’ command to make sure that any/all configured log servers are

[root@ systemname ~]# pbbench -l

svr1centos63.demo.corp:port=24347 OK 9.1.0-08

[root@systemname ~]# cat /var/log/messages |grep pblogd
Jan 5 15:43:47 svr1centos63 xinetd[2092]: START: pblogd pid=21453 from=::ffff:127.0.0.1
Jan 5 15:43:47 svr1centos63 xinetd[2092]: EXIT: pblogd status=0 pid=21453 duration=0(sec)

All of the above commands being executed as root can be delegated using the policy and pbrun as described above.
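As an added example, not part of this guide, the classifier below runs over syslog lines of the kinds shown in this section and in the Audit Record Breakdown that follows (pblogd service added or inetd going down, pblogd START/EXIT per connection, a Policy Server rejecting a non-SSL client) and derives per-host audit-function state and failed pblogd exits. The sample lines are constructed from those shown in the guide; the classic `Mon dd hh:mm:ss host prog[pid]: message` syslog layout is assumed.

```python
"""Added example (not BeyondTrust code): track the audit function from syslog lines.

Classifies the inetd/xinetd/pbmasterd messages this guide points at (pblogd
service added or inetd going down = audit function start/stop, pblogd START/EXIT
per connection, a Policy Server rejecting a client that is not SSL enabled) and
derives per-host audit state plus pblogd instances that exited non-zero.
SAMPLE_SYSLOG is constructed from the lines shown in the guide; the classic
"Mon dd hh:mm:ss host prog[pid]: message" syslog layout is assumed.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_SYSLOG = """\
Dec 8 11:33:08 pbul-qa-hpux11v3-01 inetd[3821]: pblogd/tcp: Added service, server /usr/sbin/pblogd
Jan 5 15:43:47 svr1centos63 xinetd[2092]: START: pblogd pid=21453 from=::ffff:127.0.0.1
Jan 5 15:43:47 svr1centos63 xinetd[2092]: EXIT: pblogd status=0 pid=21453 duration=0(sec)
Dec 4 12:34:36 pbul-qa-spsol11-01 pbmasterd9.1.0-08: [ID 702911 auth.error] [14388] 8540.2 client on pbul-qa-hpux11v3-01.unix.symark.com is not SSL enabled
Jan 5 15:44:02 svr1centos63 xinetd[2092]: EXIT: pblogd status=1 pid=21460 duration=3(sec)
Dec 8 11:39:18 pbul-qa-hpux11v3-01 inetd[3821]: Going down on signal 15
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# (category, pattern over the message part); the first match wins.
RULES = [
    ("audit_started", re.compile(r"^pblogd/tcp: Added service, server (?P<detail>\S+)")),
    ("audit_stopped", re.compile(r"^Going down on signal (?P<detail>\d+)")),
    ("logd_start", re.compile(r"^START: pblogd pid=(?P<detail>\d+)")),
    ("logd_exit", re.compile(r"^EXIT: pblogd status=(?P<status>\d+) pid=(?P<detail>\d+)")),
    ("policy_comm_failure", re.compile(r"client on (?P<detail>\S+) is not SSL enabled")),
]


def classify(line: str) -> Optional[dict]:
    """{category, host, prog, detail, status} for a line we recognise, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for category, pat in RULES:
        r = pat.search(m.group("msg"))
        if r:
            status = int(r.group("status")) if "status" in r.groupdict() else None
            return {"category": category, "host": m.group("host"),
                    "prog": m.group("prog"), "detail": r.group("detail"),
                    "status": status}
    return None


def audit_events(text: str) -> List[dict]:
    """Recognised events, in log order; unrelated lines are dropped."""
    return [ev for ev in (classify(line) for line in text.splitlines()) if ev]


def audit_state(events: List[dict]) -> Dict[str, str]:
    """Per host, whether the audit service (pblogd under inetd) was last seen up or down."""
    state: Dict[str, str] = {}
    for ev in events:
        if ev["category"] == "audit_started":
            state[ev["host"]] = "up"
        elif ev["category"] == "audit_stopped":
            state[ev["host"]] = "down"
    return state


def failed_logd_exits(events: List[dict]) -> List[Tuple[str, str, int]]:
    """(host, pid, status) for pblogd instances that exited with a non-zero status."""
    return [(ev["host"], ev["detail"], ev["status"])
            for ev in events if ev["category"] == "logd_exit" and ev["status"] != 0]
```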


Audit Record Breakdown

The Standard Protection Profile for Enterprise Security Management Access Control and the Standard Protection Profile for Enterprise Security Management Policy Management require audit generation for specific security functional requirements, as identified in the security target.

Not all audit records identified in the security target are applicable since the BeyondTrust PowerBroker UNIX + Linux Edition V9 is both a policy management product and an access control product. Examples of the applicable audit records and their format are identified below.

Each entry below gives the Component, the Event, any Additional Information recorded ("None" where nothing beyond the event itself is recorded), and an Example Audit record.

Component | Event | Additional Information | Example Audit

ESM_ACD.1 Creation or modification of policy

Unique policy identifier

The audit record entry records the creation or modification of the policy. The policy is identified as "/etc/pb/pbul_functions.conf".

"hostname":"pbul-qa-aix61-01.unix.symark.com",

"evtname":"file_import",

"service":"pbdbutil9.1.0-08",

"who":"root",

"severity":16,

"utc":"2015-12-07 14:59:11",

"progname":"pbdbutil9.1.0-08",

"version":"9.1.0-08",

"arch":"rs6000_aixC",

"data":{

"fname":"/etc/pb/pbul_functions.conf",

"msg":"Innitial import",

"version":1,

"sid":8978524,

"pid":10420340,

"uid":0}

Audit Record Location: Configuration Database

ESM_ACT.1 [ESM_PM]

Transmission of policy to Access Control products

Destination of policy

Policies are not transmitted; instead, policies are stored centrally and requests are made against the central policy. Requests from the Submit Host (the Access Control portion of the TOE) are transmitted to the Master Host (the Policy Management portion of the TOE). If the task is ACCEPTED by the policy, the Master Host transmits the secure task to the Run Host (the Access Control portion of the TOE). The event log captures the entire process in the Event Log Accept record. The ACCEPT record captures the identification of the requesting user, and each TOE component is identified.

Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command), the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). The name of the policy in effect (lineinfile '/etc/pb/pbul_functions.conf') verifies that the latest and correct policy is in effect.

Name of User Requesting the Privileged Command

'SUDO_USER=cctester'

cwd '/home/cctester'

Submit Host Identification

TargetSubmitHostShortName 'CC-PowerBroker-Client'

submithost 'CC-PowerBroker-Client'

submithostip '10.0.2.20'

clienthost '10.0.2.20'

Run Host Identification

pblocaldnodename 'CC-PowerBroker-RunHost'

runhost 'CC-PowerBroker-RunHost'

Master Host Identification

pbmasterdnodename 'CC-PowerBroker-Master2'

masterhost '10.0.2.11'

masterhostip '10.0.2.11'

Type of Command

event 'Accept'

Requested Elevated Command

command 'whoami'

Successful Execution of the Command

event 'Finish'

exitdate '2016/06/27'

exitstatus 'Command finished with exit status 0'

Location of the Audit Record

eventlog '/var/log/pb.eventlog'

Name of the Policy in Effect

lineinfile '/etc/pb/pbul_functions.conf'

Audit Record Location: Event Log

ESM_EAU.2 [ESM_PM]

All use of the authentication mechanism

None

The ACCEPT Event Log record below captures the successful authentication of “root” via the browser interface GUI.

Accept 2015/12/07 15:50:04

root pbul-qa-hpux11v3-01.unix.symark.com

root 172.20.31.66

pbul-qa-hpux11v3-01.unix.symark.com

/usr/sbin/pbguid log Authorized

Audit Record Location: Event Log

FAU_GEN.1 Start-up of the audit functions;

None

Dec 8 11:33:08 pbul-qa-hpux11v3-01 inetd[3821]: pblogd/tcp: Added service, server /usr/sbin/pblogd

Audit Record Location

/var/log/syslog (on Linux)

/var/adm/syslog (on Unix)

FAU_GEN.1 Shut-down of the audit functions

None

Dec 8 11:39:18 pbul-qa-hpux11v3-01 inetd[3821]: Going down on signal 15

Audit Record Location

/var/log/syslog (on Linux)

/var/adm/syslog (on Unix)

FAU_SEL.1 [ESM_AC]

All modifications to audit configuration

None

The audit record below captures the audit configuration modified by the “logomit” setting.

"hostname": "pbul-qa-aix61-01.unix.symark.com",

"evtname": "file_import",

"service": "pbdbutil9.2.0-08",

"who": "root",

"severity": 16,

"utc": "2016-05-24 17:17:48",

"progname": "pbdbutil9.1.0-08",

"version": "9.1.0-08",

"arch": "rs6000_aixC",

"data": {

"fname": "/etc/pb.conf",

"msg": "Logomit Added",

"version": 3,

"sid": 6226020,

"pid": 4718624,

"uid": 0}

Audit Record Location: Configuration Database

FAU_SEL_EXT.1 [ESM_PM]

All modifications to audit configuration

None

The audit record below captures the audit configuration modified by the “logomit” setting.

"hostname": "pbul-qa-aix61-01.unix.symark.com",


"evtname": "file_import",

"service": "pbdbutil9.2.0-08",

"who": "root",

"severity": 16,

"utc": "2016-05-24 17:17:48",

"progname": "pbdbutil9.1.0-08",

"version": "9.1.0-08",

"arch": "rs6000_aixC",

"data": {

"fname": "/etc/pb.conf",

"msg": "Logomit Added",

"version": 3,

"sid": 6226020,

"pid": 4718624,

"uid": 0}

Audit Record Location: Configuration Database

FAU_STG_EXT.1 [ESM_PM], [ESM_AC]

Establishment and disestablishment of communications with audit server

Identification of audit server

The audit record captures the establishment of communication with the pblogd audit server.

Dec 8 11:33:08 pbul-qa-hpux11v3-01 inetd[3821]: pblogd/tcp: Added service, server /usr/sbin/pblogd

Audit Record Location: Configuration Database

FCO_NRR.2 [ESM_AC]

The invocation of the non-repudiation service

Identification of the information, the destination, and a copy of the evidence provided

Policies are not transmitted; instead, policies are stored centrally and requests are made against the central policy. Requests from the Submit Host (the Access Control portion of the TOE) are transmitted to the Master Host (the Policy Management portion of the TOE). If the task is ACCEPTED by the policy, the Master Host transmits the secure task to the Run Host (the Access Control portion of the TOE). The event log captures the entire process in the Event Log Accept record. The ACCEPT record captures the identification of the requesting user, and each TOE component is identified.

Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command), the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). A copy of the evidence provided is verified by the successful execution of the command (event 'Finish', exitdate '2016/06/27', exitstatus 'Command finished with exit status 0').

Name of User Requesting the Privileged Command

'SUDO_USER=cctester'

cwd '/home/cctester'


Submit Host Identification

TargetSubmitHostShortName 'CC-PowerBroker-Client'

submithost 'CC-PowerBroker-Client'

submithostip '10.0.2.20'

clienthost '10.0.2.20'

Run Host Identification

pblocaldnodename 'CC-PowerBroker-RunHost'

runhost 'CC-PowerBroker-RunHost'

Master Host Identification

pbmasterdnodename 'CC-PowerBroker-Master2'

masterhost '10.0.2.11'

masterhostip '10.0.2.11'

Type of Command

event 'Accept'

Requested Elevated Command

command 'whoami'

Successful Execution of the Command

event 'Finish'

exitdate '2016/06/27'

exitstatus 'Command finished with exit status 0'

Location of the Audit Record

eventlog '/var/log/pb.eventlog'

Name of the Policy in Effect

lineinfile '/etc/pb/pbul_functions.conf'

Audit Record Location: Event Log

FDP_ACC.1(1), (2) [ESM_AC]

Any changes to the enforced policy or policies

Identification of Policy Management product making the change

The audit record captures the policy "/etc/pb/pbul_functions.conf" modification.

"hostname":"pbul-qa-spsol11-01.unix.symark.com",

"evtname":"file_import",

"service":"pbdbutil9.1.0-08",

"who":"root",

"severity":16,

"utc":"2015-12-07 15:21:17",

"progname":"pbdbutil9.1.0-08",


"version":"9.1.0-08",

"arch":"sparc_solarisD",

"data":{

"version":2,

"fname":"/etc/pb/pbul_functions.conf",

"msg":"Policy Changed",

"sid":15438,

"pid":15484,

"uid":0}

Audit Record Location: Configuration Database

FDP_ACF.1(1), (2) [ESM_AC]

All requests to perform an operation on an object covered by the SFP

Subject identity, object identity, requested operation

Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command), the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). The name of the policy in effect (lineinfile '/etc/pb/pbul_functions.conf') verifies that the latest and correct policy is in effect.

The subject “cctester” is requesting access to run the elevated command 'whoami'.

Name of User Requesting the Privileged Command

'SUDO_USER=cctester'

cwd '/home/cctester'

Submit Host Identification

TargetSubmitHostShortName 'CC-PowerBroker-Client'

submithost 'CC-PowerBroker-Client'

submithostip '10.0.2.20'

clienthost '10.0.2.20'

Run Host Identification

pblocaldnodename 'CC-PowerBroker-RunHost'

runhost 'CC-PowerBroker-RunHost'

Master Host Identification

pbmasterdnodename 'CC-PowerBroker-Master2'

masterhost '10.0.2.11'

masterhostip '10.0.2.11'

Type of Command

event 'Accept'

Requested Elevated Command


command 'whoami'

Successful Execution of the Command

event 'Finish'

exitdate '2016/06/27'

exitstatus 'Command finished with exit status 0'

Name of the Policy in Effect

lineinfile '/etc/pb/pbul_functions.conf'

Audit Record Location: Event Log

FMT_MOF.1 [ESM_PM], [ESM_AC]

All modifications to TSF behavior

None

The audit record captures the policy "/etc/pb/pbul_functions.conf" modification.

"hostname":"pbul-qa-hpux11v3-01.unix.symark.com",

"evtname": "file_import",

"service": "pbdbutil9.1.0-08",

"who": "root",

"severity": 16,

"utc":"2015-12-07 16:09:25",

"progname": "pbdbutil9.1.0-08",

"version": "9.1.0-08",

"arch": "ia64_hpuxA",

"data":{

"version" :1,

"fname": "/etc/pb/pbul_functions.conf",

"msg": "Policy Modified",

"sid": 23198,

"pid":24697,

"uid": 0}

Audit Record Location: Configuration Database

FMT_SMF.1 [ESM_PM], [ESM_AC]

Use of the management functions

Management function performed

The audit record captures the management function of the creation of the "/etc/pb/pbul_functions.conf" policy.

"hostname":"pbul-qa-spsol11-01.unix.symark.com",

"evtname":"file_import",

"service":"pbdbutil9.1.0-08",

"who":"root",

"severity":16,

"utc":"2015-12-07 15:15:21",

"progname":"pbdbutil9.1.0-08",

"version":"9.1.0-08",

"arch":"sparc_solarisD",


"data":{

"msg":"New Policy Created",

"fname":"/etc/pb/pbul_functions.conf",

"version":7,

"sid":15438,

"pid":15469,

"uid":0}

Audit Record Location: Configuration Database

FMT_SMR.1 [ESM_PM]

Modifications to the members of the management roles

None

This is an audit record from importing the policy file, thus applying the policy. The policy file is what controls who can perform the management functions.

"hostname":"pbul-qa-aix61-01.unix.symark.com",

"evtname":"file_import",

"service":"pbdbutil9.1.0-08",

"who":"root",

"severity":16,

"utc":"2015-12-07 14:59:11",

"progname":"pbdbutil9.1.0-08",

"version":"9.1.0-08",

"arch":"rs6000_aixC",

"data":{

"fname":"/etc/pb/pbul_functions.conf",

"msg":"Innitial import",

"version":1,

"sid":8978524,

"pid":10420340,

"uid":0}

Audit Record Location: Configuration Database

FPT_FLS_EXT.1 [ESM_AC]

Failure of communication between the TOE and Policy Management product

Identity of the Policy Management product, reason for the failure

Dec 4 12:34:36 pbul-qa-spsol11-01 pbmasterd9.1.0-08: [ID 702911 auth.error] [14388] 8540.2 client on pbul-qa-hpux11v3-01.unix.symark.com is not SSL enabled

Audit Record Location:

/var/log/pbmasterd.log (on Linux)

/var/adm/pbmasterd.log (on Unix)

Component: FTP_ITC.1 [ESM_AC]
Event: All use of trusted channel functions
Additional Information: Identity of the initiator and target of the trusted channel
Example Audit: The ACCEPT Event Log entry captures the use of the trusted channel functions. The portions of the ACCEPT Event Log entry that apply to this audit requirement are provided below.

The following two fields in the Event Log entry identify the initiator and target of the trusted channel: the IP address of the remote LDAP server and the user attempting to authenticate to LDAP over the trusted channel are recorded.


LDAPServer "10.42.215.74"

LDAPUser "tester"

The following portions of the ACCEPT Event Log entry also apply to this audit requirement. These fields in the Event Log entry identify the internal TOE component communications: the identity of the initiator and the targets of the trusted channel are recorded.

Name of User Requesting the Privileged Command

'SUDO_USER=cctester'

cwd '/home/cctester'

Submit Host Identification

TargetSubmitHostShortName 'CC-PowerBroker-Client'

submithost 'CC-PowerBroker-Client'

submithostip '10.0.2.20'

clienthost '10.0.2.20'

Run Host Identification

pblocaldnodename 'CC-PowerBroker-RunHost'

runhost 'CC-PowerBroker-RunHost'

Master Host Identification

pbmasterdnodename 'CC-PowerBroker-Master2'

masterhost '10.0.2.11'

masterhostip '10.0.2.11'

Type of Command

event 'Accept'

Successful Execution of the Command

event 'Finish'

exitdate '2016/06/27'

exitstatus 'Command finished with exit status 0'

Location of the Audit Record

eventlog '/var/log/pb.eventlog'

Name of the Policy in Effect

lineinfile '/etc/pb/pbul_functions.conf'


Audit Record Location: Event Log

Component: FTP_TRP.1 [ESM_PM]
Event: All attempted uses of the trusted path functions
Additional Information: Identification of user associated with all trusted path functions, if available

Portions of the ACCEPT Event Log entry are provided below that are applicable to this audit requirement. The Event Log entry records the identification of the user associated with the trusted path function.

Accept 2015/12/07 15:50:04

root CC-PowerBroker-Client

root CC-PowerBroker-Master

CC-PowerBroker-Master /usr/sbin/pbguid log Authorized

Audit Record Location: Event Log

Server Tracking Audit Information

All event log entries and each individual recorded session contain a set of headers that record details about the Log Server, such as the server name, IP address, SSL certificate information, version, time zone and more:

pblogdcertificateissuer = "/C=US/ST=AZ/L=Phoenix/O=BeyondTrust/OU=PowerBroker/CN=centos7.demo.corp"
pblogdcertificatesubject = "/C=US/ST=AZ/L=Phoenix/O=BeyondTrust/OU=PowerBroker/CN=centos7.demo.corp"
pblogdmachine = "x86_64"
pblogdnodename = "centos7.demo.corp"
pblogdrelease = "3.10.0-229.11.1.el7.x86_64"
pblogdsysname = "Linux"
pblogdversion = "#1 SMP Thu Aug 6 01:06:18 UTC 2015"
eventlog = "/var/log/pb.eventlog"
iolog = "/var/log/pbsudo/centos7-client.demo.corp-pbsudo-io.XXXXXX"
iolog_list = {"centos7.demo.corp:/var/log/pbsudo/centos7-client.demo.corp-pbsudo-io.joZema"}
iolog_part = 1
logdversion = "9.2.0-08"
loghostip = "192.168.0.163"
lognopassword = 1
logpid = 17259
logport = "24347"
logserver_utcoffset = "-4.00"
logserverlocale = "en_US.UTF-8"
logservers = {"centos7.demo.corp"}
logstderr = 1
logstdin = 1
logstdout = 1

In addition, each event log entry and each recorded session carries, in its audit entry header, information on every component that participated in the action: the Submit Host, the Run Host, the Master Host (Policy Server) and the Log Host (Logging Server). Here is an example of the information contained in the headers:

host = "centos7-client.demo.corp"

clienthost = "centos7-client.demo.corp"

clienthost_uuid = "83c2c51d-0e38-481f-970a-8a03b057835d"

clienthost_uuid_created = 0

loghostip = "192.168.0.163"

masterhost = "centos7.demo.corp"

masterhostip = "192.168.0.163"

runhost = "centos7-client.demo.corp"

submithost = "centos7-client.demo.corp"

submithostip = "192.168.0.164"
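The two header extracts above use one small "key = value" syntax: quoted strings, integers, brace-delimited lists, and a value that the guide's extract wraps onto the line after "key =". The Python reader below is an added example written for this guide, not BeyondTrust code. It parses that syntax into a dictionary, pulls out the four participating components the text names, and runs the consistency checks a reviewer would want on every header: that the log server's certificate subject CN names the node that wrote the record, that submit, run, master and log hosts are all identified, and that stdin, stdout and stderr were all captured for the I/O log. SAMPLE_HEADER is constructed (host names and addresses are made up); the assumption that list elements are always double-quoted strings is noted in the code.

```python
import re

# Constructed sample of the "key = value" audit header lines the guide shows;
# host names and addresses are made up, and the two certificate DNs are split
# onto a second line exactly as the guide's extract shows them.
SAMPLE_HEADER = """\
pblogdcertificateissuer =
"/C=US/ST=AZ/L=Phoenix/O=BeyondTrust/OU=PowerBroker/CN=logsrv.example.test"
pblogdcertificatesubject =
"/C=US/ST=AZ/L=Phoenix/O=BeyondTrust/OU=PowerBroker/CN=logsrv.example.test"
pblogdnodename = "logsrv.example.test"
eventlog = "/var/log/pb.eventlog"
iolog_list = {"logsrv.example.test:/var/log/pbsudo/client.example.test-pbsudo-io.joZema"}
iolog_part = 1
logdversion = "9.2.0-08"
loghostip = "192.0.2.10"
logservers = {"logsrv.example.test"}
logstderr = 1
logstdin = 1
logstdout = 1
clienthost = "client.example.test"
masterhost = "policy.example.test"
runhost = "client.example.test"
submithost = "client.example.test"
submithostip = "192.0.2.20"
"""

ASSIGN_RE = re.compile(r"^\s*(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<value>.*)$")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _parse_value(raw):
    """Convert one header value: "string", {"list", ...} or integer."""
    raw = raw.strip()
    if raw.startswith("{") and raw.endswith("}"):
        # Assumption: list elements are always double-quoted strings.
        return QUOTED_RE.findall(raw[1:-1])
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_header(text):
    """Parse header lines into a dict, tolerating a value wrapped onto the next line."""
    fields, pending = {}, None
    for line in text.splitlines():
        if pending is not None:          # previous line was "key =" with no value
            fields[pending] = _parse_value(line)
            pending = None
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        if m.group("value").strip() == "":
            pending = m.group("key")
        else:
            fields[m.group("key")] = _parse_value(m.group("value"))
    return fields


def participants(fields):
    """The components that took part in the action, as the guide lists them."""
    return {
        "submit_host": fields.get("submithost"),
        "run_host": fields.get("runhost"),
        "master_host": fields.get("masterhost"),
        "log_hosts": fields.get("logservers", []),
    }


def dn_attribute(dn, attr):
    """Read one attribute (e.g. CN) from a slash-separated DN string."""
    for part in dn.split("/"):
        name, sep, value = part.partition("=")
        if sep and name == attr:
            return value
    return None


def header_checks(fields):
    """Consistency checks over one header: the log server certificate names the
    node that wrote the record, all four participants are identified, and
    stdin/stdout/stderr were all captured for the I/O log."""
    cert_cn = dn_attribute(fields.get("pblogdcertificatesubject", ""), "CN")
    missing = [k for k in ("submithost", "runhost", "masterhost", "logservers")
               if k not in fields]
    not_logged = [k for k in ("logstdin", "logstdout", "logstderr")
                  if fields.get(k) != 1]
    return {
        "cert_matches_node": cert_cn is not None and cert_cn == fields.get("pblogdnodename"),
        "missing_participants": missing,
        "streams_not_logged": not_logged,
    }
```

A header that fails any of these checks is worth following up before the record is relied on as evidence: a certificate CN that does not match pblogdnodename means the log server identity should be confirmed, and a stream flag of 0 means part of the session was not captured.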

Additional Audit Functions and Change Management

An optional feature exists in PowerBroker for Unix & Linux to move key configuration, settings and policy files to a version controlled database, including auditing of activities such as the creation of new files and version changes in controlled files.

To enable the configuration database, the administrator needs to import a file (any file, but preferably an important control file such as pb.conf or pb.settings) using the pbdbutil command, with the --cfg parameter and -i flag to initiate an import.

IMPORTANT: Before moving any files into the configuration database, if change tracking is required, ensure the following two lines are added to the end of the pb.settings file first:

changemanagementevents yes

eventdb /etc/pbevents.db

Change management is not enforced or enabled by default, but is required to meet the requirements outlined in the Common Criteria requirements document. When any file is added to the configuration database using the pbdbutil command, PowerBroker for Unix & Linux will automatically handle the creation of the database and appropriate configuration for version control and file tracking. For example, to take /etc/pb.settings and /etc/pb.conf under management, enter the following commands:

[root@centos7 etc]# pbdbutil --cfg -i /etc/pb.settings

{"fname":"/etc/pb.settings","version":1}

[root@centos7 etc]# pbdbutil --cfg -i /etc/pb.conf

{"fname":"/etc/pb.conf","version":1}

The imported files that are being managed can then be viewed using the -l flag (list) as shown below:

[root@centos7 etc]# pbdbutil --cfg -l
{"version":1,"pathname":"/etc/pb.conf","deleted":0,"created":"2016-04-21 11:34:15"}
{"version":1,"pathname":"/etc/pb.settings","deleted":0,"created":"2016-04-21 11:34:09"}
[root@centos7 etc]#

A detailed transaction log of additions, updates and deletions can be shown using the change event log as follows:

pbdbutil --evt -s '{ "taxonomy" : "chgmgt" }'

The same data can be shown broken out using the -P (printable) switch, which makes each event easier to read:

pbdbutil --evt -P -s '{ "taxonomy" : "chgmgt" }'

Below is an example audit record showing the settings file being updated:

"hostname": "centos7.demo.corp",
"evtname": "file_import",
"service": "pbdbutil9.2.0-08",
"who": "root",
"severity": 16,
"utc": "2016-04-26 21:43:18",
"progname": "pbdbutil9.2.0-08",
"version": "9.2.0-08",
"arch": "x86_64_linuxA",
"data": {
    "fname": "/etc/pb.settings",
    "version": 6,
    "msg": "New example comment added",
    "sid": 9354,
    "pid": 4761,
    "uid": 0
}

Below is an example command showing the difference between V5 (the old version) and V6 (the new version); the added comment line is the one marked with a leading + in the diff output:

[root@centos7 etc]# pbdbutil --cfg -D /etc/pb.settings -V5:6
*** /tmp/.pbdiff_Ja9ruT 2016-04-26 21:47:31.351401559 -0400
--- /tmp/.pbdiff_DczUEd 2016-04-26 21:47:31.350401541 -0400
***************
*** 5,10 ****
--- 5,11 ----
  # daemons: /usr/sbin
  # pbinstall: /BT/powerbroker/v9.2/pbx86_64_linuxA-9.2.0-08/install/pbinstall
  # TMPDIR: /tmp/beyondtrust_pbinstall
+ # Comment added for change event tracking example
  kerberos no
  #mprincipal pbmasterd
  #lprincipal pblocald

For a detailed breakdown of the data types and data that is stored in the change management database, please see Appendix B: Change Management Event Log Fields.
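The change-management records, the "pbdbutil --cfg -l" listing and the version diff shown in this section are the raw material for a change review. The Python reader below is an added example written for this guide, not part of pbdbutil or BeyondTrust code. It decodes a stream of JSON records in either the compact form or the multi-line -P form, rebuilds each controlled file's version history, and applies three checks an auditor would want: versions with no change event (a break in the audit trail), imports performed by an account outside the approved set, and a mismatch between the version the configuration database lists and the highest version the event log recorded. SAMPLE_EVENTS and SAMPLE_LISTING are constructed; the host names, timestamps, ids and the "jdoe" account are made up, and the approved-writer set {"root"} is an assumption taken from the uid 0 records the guide shows.

```python
import json

# Constructed change-management records in the shape the guide shows for
# "pbdbutil --evt -s '{ "taxonomy" : "chgmgt" }'"; the third record is in the
# multi-line form of the -P (printable) switch so the reader handles both.
# Hostnames, timestamps, ids and the "jdoe" account are made up.
SAMPLE_EVENTS = """
{"hostname":"policy.example.test","evtname":"file_import","service":"pbdbutil9.2.0-08","who":"root","severity":16,"utc":"2016-04-21 11:34:09","progname":"pbdbutil9.2.0-08","version":"9.2.0-08","arch":"x86_64_linuxA","data":{"fname":"/etc/pb.settings","version":1,"msg":"Initial import","sid":9001,"pid":4001,"uid":0}}
{"hostname":"policy.example.test","evtname":"file_import","service":"pbdbutil9.2.0-08","who":"root","severity":16,"utc":"2016-04-21 11:34:15","progname":"pbdbutil9.2.0-08","version":"9.2.0-08","arch":"x86_64_linuxA","data":{"fname":"/etc/pb.conf","version":1,"msg":"Initial import","sid":9001,"pid":4002,"uid":0}}
{
  "hostname": "policy.example.test",
  "evtname": "file_import",
  "service": "pbdbutil9.2.0-08",
  "who": "root",
  "severity": 16,
  "utc": "2016-04-26 21:43:18",
  "progname": "pbdbutil9.2.0-08",
  "version": "9.2.0-08",
  "arch": "x86_64_linuxA",
  "data": {"fname": "/etc/pb.settings", "version": 2, "msg": "New example comment added", "sid": 9354, "pid": 4761, "uid": 0}
}
{"hostname":"policy.example.test","evtname":"file_import","service":"pbdbutil9.2.0-08","who":"root","severity":16,"utc":"2016-04-27 08:02:40","progname":"pbdbutil9.2.0-08","version":"9.2.0-08","arch":"x86_64_linuxA","data":{"fname":"/etc/pb.settings","version":4,"msg":"Enable change tracking","sid":9400,"pid":4802,"uid":0}}
{"hostname":"policy.example.test","evtname":"file_import","service":"pbdbutil9.2.0-08","who":"jdoe","severity":16,"utc":"2016-04-27 09:15:00","progname":"pbdbutil9.2.0-08","version":"9.2.0-08","arch":"x86_64_linuxA","data":{"fname":"/etc/pb.conf","version":2,"msg":"Policy edit","sid":9450,"pid":4850,"uid":1001}}
"""

# Constructed "pbdbutil --cfg -l" output in the shape the guide shows.
SAMPLE_LISTING = """\
{"version":4,"pathname":"/etc/pb.settings","deleted":0,"created":"2016-04-21 11:34:09"}
{"version":3,"pathname":"/etc/pb.conf","deleted":0,"created":"2016-04-21 11:34:15"}
"""


def parse_event_stream(text):
    """Decode a stream of concatenated JSON objects (compact or printable)."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return events
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)


def file_history(events):
    """Map each controlled file to its import events, ordered by version."""
    history = {}
    for ev in events:
        if ev.get("evtname") != "file_import":
            continue
        data = ev["data"]
        history.setdefault(data["fname"], []).append(
            (data["version"], ev["who"], ev["utc"], data.get("msg", "")))
    for entries in history.values():
        entries.sort()
    return history


def version_gaps(events):
    """Versions below the highest seen that have no change event: a break in the
    audit trail to reconcile against the configuration database."""
    gaps = []
    for fname, entries in file_history(events).items():
        seen = {v for v, _, _, _ in entries}
        gaps.extend((fname, v) for v in range(1, max(seen) + 1) if v not in seen)
    return gaps


def unexpected_writers(events, allowed=frozenset({"root"})):
    """Imports performed by an account outside the approved set (assumed: root)."""
    return [(ev["data"]["fname"], ev["data"]["version"], ev["who"])
            for ev in events
            if ev.get("evtname") == "file_import" and ev["who"] not in allowed]


def reconcile(events, listing_text):
    """Compare the version 'pbdbutil --cfg -l' reports for each file with the
    highest version the change-event log recorded; a mismatch means a change
    reached the database without a matching audit event (or vice versa)."""
    history = file_history(events)
    mismatches = []
    for entry in parse_event_stream(listing_text):
        logged = max((v for v, _, _, _ in history.get(entry["pathname"], [])), default=0)
        if logged != entry["version"]:
            mismatches.append((entry["pathname"], entry["version"], logged))
    return mismatches
```

Feeding the real output of "pbdbutil --evt -s '{ "taxonomy" : "chgmgt" }'" and "pbdbutil --cfg -l" into parse_event_stream gives the same three reports for a live configuration database; any finding is then investigated with the "-D ... -V" diff shown above.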


Configuration Files

Used During Testing/Creation of Supplementary Guide.

Policy Files

The following files were used during the testing of PowerBroker for Unix & Linux to ensure that all the requirements laid out in the common criteria template were met by the solution. These files are environment specific and should be used as examples only.

Note: If communication to the Master Host and its policy is unavailable, the default action is to deny all pbrun requests.

Example File Index:

Root Policy (pb.conf)

Main Policy (pbul_policy.conf)

Functions (pbul_functions.conf)

LDAP Policy (ldap.conf)

RADIUS Policy (pam_radius_auth.conf)

RADIUS PAM Config (pbul_pam_radius)

Root Policy File (/etc/pb.conf)

include '/etc/pb/pbul_policy.conf';

#include '/etc/pb/pbul_gui.conf';

#ldap_open("cc-powerbroker-ldap");

Main Policy File (pbul_policy.conf)

include '/etc/pb/pbul_functions.conf';

#===========================================================================
# Copyright 2013 by BeyondTrust Software International, Inc.
# All rights reserved.
# pbul_policy.conf
# Version: 1.0
#
# This default role-based policy is provided as a simple default policy for
# PowerBroker.
# For each role defined, you can add additional users, commands and hosts to
# the lists pre-defined for each role.
#
# It contains the following roles:
#
# Helpdesk role:
# Enabled by default, when invoking "pbrun helpdesk" it allows any user in
# HelpdeskUsers (default 'root') to initiate a Helpdesk Menu as 'root' on any
# host in HelpdeskHosts (default submithost only)
# Helpdesk Menu of actions comprising
# - List of processes (ps -ef)
# - Check if a machine is up (ping <host>)
# - List current users on this host (who -H)
# - Display Host's IP settings (ifconfig -a)
#
# PBTest:
# Enabled by default, for all users on all hosts, "pbrun pbtest" allows
# checking connectivity and policy.
#
# Controlled Shells:
# Enabled by default, allows users in ControlledShellUsers (by default the
# submituser), for runhosts in ControlledShellHosts (by default only
# submithost), to enable iologging for pbksh/pbsh.
# iologs are created by default in
# "/tmp/pb.<user>.<runhost>.<YYYY-MM-DD>.[pbksh|pbsh].XXXXXX"
# This role has a list of commands (empty by default) to elevate privileges
# for, as well as a list of commands (empty by default) to reject.
#
# Admin role:
# Enabled by default, allows users in AdminUsers (by default 'root') to run
# any command on runhosts in AdminHosts (by default only submithost)
#
# Demo role:
# Disabled by default, allows users in DemoUsers (default all users) to run
# commands in DemoCommands (default 'id' and 'whoami') as 'root' on any host
# in DemoHosts (default all hosts)
#
#
# The policy ends by allowing all users to run any command as themselves
# without any privilege escalation.
#
#
#TargetRunHostShortName = split(runhost, ".")[0];

TargetRunHostShortName = "CC-PowerBroker-RunHost";
runhost = "10.0.2.24";
TargetSubmitHostShortName = split(submithost, ".")[0];

#
# This enables "HelpDesk role", which allows any user in HelpdeskUsers (default
# 'root') to initiate a Helpdesk Menu as 'root' on any host in HelpdeskHosts
# (default submithost only)
# By default this role is enabled. To disable this set EnableHelpdeskRole to
# false below.
#
#EnableHelpdeskRole = true;
#HelpdeskUsers = {"root"};
#HelpdeskHosts = {submithost, TargetSubmitHostShortName};
#HelpdeskRole();

#
# This enables a command 'pbtest' which, when invoked with pbrun, allows the
# user to check connectivity and policy.
# By default this role is enabled. To disable this set EnablePBTest to false
#
EnablePBTest = true;
PBTest();

#
# This enables "ControlledShell role", which turns on iologging for any user in
# ControlledShellUsers (default all users) on any host in ControlledShellHosts
# (default all run hosts) when running pbksh and pbsh.
# By default, this role is enabled. To disable this set
# EnableControlledShellRole to false below.
#
# Two variables are defined for this role:
# List variable ControlledShellRejectedCmds - List of rejected commands (empty
# by default)
# If you want any specific command to be rejected during the pbksh/pbsh
# session, add the command to the list below
# For example:
# ControlledShellRejectedCmds = {"rm", "mv"};
#
# List variable ControlledShellPrivilegedCmds - List of commands to elevate
# privileges for (empty by default)
# If you want any specific command to run with elevated privileges during the
# pbksh/pbsh session, add the command to the list below

# For example:
# ControlledShellPrivilegedCmds = {"id", "reboot"};
#
#
EnableControlledShellRole = true;
#ControlledShellUsers = {user};
#ControlledShellHosts = {runhost, TargetRunHostShortName};
#ControlledShellRejectedCmds = {};
#ControlledShellPrivilegedCmds = {};
#ControlledShellRole();

#
# This enables "Admin role", which allows root (or any user in AdminUsers) to
# run any command on the current host (or any host in AdminHosts)
# By default this role is enabled. To disable this set EnableAdminRole to
# false below.
#
EnableAdminRole = true;
AdminUsers = {"root"};
AdminHosts = {submithost};
AdminRole();

#
# This enables "Demo role", which allows any user in DemoUsers (default all
# users) to run commands in DemoCommands (default 'id' and 'whoami') as 'root'
# on any host in DemoHosts (default all hosts)
# By default, this role is disabled. To enable this set EnableDemoRole to true
# below.
#
# IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
#
#EnableDemoRole = false;
#DemoUsers = {user};
#DemoCommands = {"id", "whoami"};
#DemoHosts = {runhost, TargetRunHostShortName};
#DemoRole();

# If here, the user will only have the permissions to run commands as itself
# on the submithost.
#if ( submithost == runhost || pbclientmode == 'pbssh' )
#{
#    SetRunEnv(runuser, false);

#    accept;
#}

EnableCCRole = true;
CCUsers = {user};
PrivlidgedLDAPUsers = {"tester","othertester"};
PrivlidgedRadiusUsers = {"beyondtrustuser","beyondtrustuser2"};
LDAPCommands = {"vi", "gedit","rm","chmod","cat","kill"};
RadiusCommands = {"cat","top","ps","kill"};
FileCommands = {"vi", "gedit", "rm", "cat"};
CCHosts = {runhost, TargetRunHostShortName, submithost, TargetSubmitHostShortName};
CCRole();

Functions Policy File (pbul_functions.conf)

# Copyright 2013 by BeyondTrust Software International, Inc.
# All rights reserved.
# pbul_functions.conf
# Version: 1.0
#
# Procedures used in pbul_policy.conf
#
#
# The procedure SetRunEnv sets the run environment for a particular runuser.
# It accepts two arguments: the runuser, and a boolean that, when true, also
# restricts runcommand to basename(command).
# To call the procedure:
# SetRunEnv("root", false);
#
function SetRunEnv(RunUserName, SetRunCommand) {
    runuser = RunUserName;
    rungroup = "!g!";
    rungroups = {"!G!"};
    runcwd = "!~!";
    setenv("SHELL", "!!!");
    setenv("HOME", "!~!");
    setenv("USER", RunUserName);
    setenv("USERNAME", RunUserName);
    setenv("LOGNAME", RunUserName);
    setenv("PWD", runcwd);
    setenv("PATH", "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin");
    keepenv("SHELL", "HOME", "USER", "USERNAME", "LOGNAME", "PWD", "PATH");
    SetRunEnv=runuser;
    if ( SetRunCommand == true )
    {
        # Setting runcommand to basename(command) forces the 'command' path to
        # be resolved through PATH, and prevents the user from executing a
        # command from a different path.
        runcommand=basename(command);
    }
    if ( runuser == 'root' )
        runsecurecommand=true;
}

#
# Procedure PBTest:
# This is a debugging test that can test the network connectivity and host
# name resolution.
# Invocation: pbrun pbtest
#
procedure PBTest(){
    if ( EnablePBTest && basename(command) == "pbtest" ) {
        SetRunEnv(user, true);
        print(" clienthost:", clienthost);
        print("clienthostip:", ipaddress(clienthost));
        print(" host:", host);
        print(" hostip:", ipaddress(host));
        print(" masterhost:", masterhost);
        print("masterhostip:", ipaddress(masterhost));
        print(" runhost:", runhost);
        print(" runhostip:", ipaddress(runhost));
        print(" submithost:", submithost);
        print("submithostip:", submithostip);
        print(" requestuser:", requestuser);
        print(" runuser:", runuser);
        print(" user:", user);
        # policysetenv("LDAPCONF","/etc/ldap.conf");
        connid=ldap_initialize("ldap://10.42.215.124",3);
        if(length(connid)<1){
            print("Can't connect to LDAP server");
            reject("");
        }
        print("echo","Policy and network connections are OK.");
        # The test policy binds with a literal test-account password; this is
        # test fixture material, not a pattern for a production policy.
        result = ldap_bind(connid,"cn=CCTL Tester, cn=Users, dc=ccmstest, dc=com","Pa55w*rd");
        unset("Pa55w*rd");
        if(result!=0){
            print("Can't bind to LDAP server");
            reject("");
        }
        search = ldap_search(connid,"cn=Computers, dc=ccmstest, dc=com", "subtree", "cn="+submithost,{},0);
        if(ldap_entry_count(search)==0)
        {
            print("This user does not have the proper permissions");
            ldap_unbind(connid);
            reject("");
        }
        print(search);
        ldap_unbind(connid);
        # result = getuserpasswdpam("beyondtrustuser", "pbul_pam_radius", "Please enter radius Password: ");
        # if(result!=true){
        #     print("Can't authenticate radius user");
        #     reject("");
        # }
        # runcommand="echo";
        # runargv = {"echo","Policy and network connections are OK."};
        # #runuser="root";
        accept;
    }
}

#
# Procedure AdminRole:
# If 'EnableAdminRole' is enabled, it allows any user in AdminUsers list to run
# any command on hosts in AdminHosts
# (in this test configuration the role is further restricted to the 'passwd'
# command)
#
procedure AdminRole()
{
    if ( EnableAdminRole && user in AdminUsers && (submithost in AdminHosts) &&
         basename(command) == "passwd" )
    {
        SetRunEnv("root", false);
        accept;
    }
}

#
# Procedure DemoRole:
# If 'EnableDemoRole' is enabled, it allows any user in DemoUsers (default all
# users) to run commands in DemoCommands (default 'id' and 'whoami') as 'root'
#
#procedure DemoRole()
#{
#    if ( EnableDemoRole && user in DemoUsers && (runhost in DemoHosts ||
#         TargetRunHostShortName in DemoHosts) && basename(command) in DemoCommands )
#    {
#        SetRunEnv("root", true);
#        accept;
#    }
#}

#
# Procedure CCRole:
# Used for the Common Criteria test configuration. The submitting user
# authenticates as an LDAP or RADIUS user; users in PrivlidgedLDAPUsers /
# PrivlidgedRadiusUsers may then run the commands in LDAPCommands /
# RadiusCommands as 'root', with file commands limited to specific paths.
#
procedure CCRole()
{
    if ( EnableCCRole && user in CCUsers && (runhost in CCHosts ||
         TargetRunHostShortName in CCHosts || submithost in CCHosts))
    {
        AuthType= input("Authenticate as an LDAP or RADIUS user: ");
        if(AuthType=="LDAP"||AuthType=="ldap"){
            policysetenv("LDAPCONF","/etc/ldap.conf");
            connid=ldap_initialize("ldap://10.42.215.124",3);
            if(length(connid)<1){
                print("Can't connect to LDAP server");
                reject("");
            }
            print("Policy and network connections are OK.");
            LDAPUser=input("Enter LDAP username: ");
            Password=input("Enter LDAP password: ");
            result = ldap_bind(connid,"cn="+LDAPUser+", cn=Users, dc=ccmstest, dc=com",Password);
            if(result!=0){
                print("LDAP Authentication Failed");
                reject("");
            }
            #search = ldap_search(connid,"cn="+submithost+", cn=Computers, dc=ccmstest, dc=com", "subtree", "cn="+submithost,{},0);
            #if(ldap_entry_count(search)==0)
            #{
            #    print("This user does not have the proper permissions");
            #    ldap_unbind(connid);
            #    reject("");
            #}
            if(LDAPUser in PrivlidgedLDAPUsers && basename(command) in LDAPCommands){
                if(command in FileCommands){
                    if(argv[1]=="/etc/file.file"||argv[1]=="/etc/pb.settings"){
                        SetRunEnv("root", true);
                        ldap_unbind(connid);
                        accept;
                    }else{
                        print("This user does not have the proper permissions");
                        ldap_unbind(connid);
                        reject("");
                    }
                }else if(command == "kill"){
                    if(argv[1] == "-9"&& user != "othertester"){
                        SetRunEnv("root", true);
                        ldap_unbind(connid);
                        accept;
                    }else{
                        print("This user does not have the proper permissions");
                        ldap_unbind(connid);
                        reject("");
                    }
                }else{
                    SetRunEnv("root", true);
                    ldap_unbind(connid);
                    accept;
                }
            }
            else{
                print("This user does not have the proper permissions");
                ldap_unbind(connid);
                reject("");
            }
            ldap_unbind(connid);
        }else if(AuthType=="RADIUS"||AuthType=="Radius"||AuthType=="radius"){
            RadiusUser= input("Enter RADIUS username: ");
            result = getuserpasswdpam(RadiusUser, "pbul_pam_radius","Enter radius password below");
            if(result!=true){
                print("Radius Authentication Failed");
                reject("");
            }
            if(RadiusUser in PrivlidgedRadiusUsers && basename(command) in RadiusCommands){
                if(command in FileCommands){
                    if(argv[1] =="/etc/file2.file2"){
                        SetRunEnv("root", true);
                        accept;
                    }else{
                        print("This user does not have the proper permissions");
                        reject("");
                    }
                }else if(RadiusUser=="beyondtrustuser2"){
                    SetRunEnv("root", true);
                    accept;
                }else{
                    print("This user does not have the proper permissions");
                    reject("");
                }
            }
            else{
                print("This user does not have the proper permissions");
                reject("");
            }
        }else{
            print("Invalid Authentication Type");
            reject("");
        }
    }
}

#
# Procedure HelpdeskRole:
# If 'EnableHelpdeskRole' is enabled, it allows any user in HelpdeskUsers
# (default 'root') to run commands in a Helpdesk menu
#
procedure HelpdeskRole()
{
    if ( command == 'helpdesk' )
    {
        if ( EnableHelpdeskRole == true )
        {
            if ( submithost != runhost && runhost !in HelpdeskHosts )
            {
                print("\nCannot execute this option for host", runhost);
                reject;
            }
            if ( user in HelpdeskUsers )
            {
                do {
                    print("Welcome to HelpDesk Menu. This menu will allow you to:");
                    print(" 1. List of processes of a host");
                    print(" 2. Check if a host is up and running");
                    print(" 3. List current users logged in on a host");
                    print(" 4. Display Host's IP Settings");
                    print(" 5. Exit");
                    print("");
                    option=input("Please select an option [1-5]: ");
                    if ( option in {"1", "2", "3", "4"} )
                    {
                        if ( runhost != submithost )
                            thehost=runhost;
                        else
                        {
                            buf = "Please enter the hostname of the machine [" + submithost + "]: ";
                            thehost=input(buf);
                            if ( thehost == "")
                                thehost=submithost;
                        }
                        # Only hosts in HelpdeskHosts may be targeted; the
                        # entered name is checked before any command runs.
                        if ( thehost in HelpdeskHosts )
                        {
                            switch (option)
                            {
                            case "1":
                                output=remotesystem(thehost, "root", {"PATH=/bin:/usr/bin:/usr/sbin:"}, 20, "/tmp", "ps -ef", "");
                                if ( status == 0 )
                                    printf("\nList of Processes of %s:\n%s\n\n", thehost, output);
                                else
                                    printf("\nAn error occurred when getting the list of processes of %s\n", thehost);
                                break;
                            case "2":
                                str="ping -c 1 " + thehost;
                                output=system(str);
                                if ( status == 0 )
                                    printf("\nHost %s is up and running\n\n", thehost );
                                else
                                    printf("\nAn error occurred when checking if %s is up\n", thehost);
                                break;
                            case "3":
                                output=remotesystem(thehost, "root", {"PATH=/bin:/usr/bin:/usr/sbin:"}, 20, "/tmp", "who -H", "");
                                if ( status == 0 )
                                    printf("\nList of active users on %s:\n%s\n\n", thehost, output);
                                else
                                    printf("\nAn error occurred when getting the list of active users on %s\n", thehost);
                                break;
                            case "4":
                                output=remotesystem(thehost, "root", {"PATH=/bin:/usr/bin:/usr/sbin:"}, 20, "/tmp", "ifconfig -a", "");
                                if ( status == 0 )
                                    printf("\nIP Settings of %s:\n%s\n\n", thehost, output);
                                else
                                    printf("\nAn error occurred when getting the IP Settings of %s\n", thehost);
                                break;
                            }
                        }
                        else
                        {
                            print("\nCannot execute this option for host", thehost);
                        }
                    }
                } while ( option != "5" );
                runcommand = "echo";
                runargv = { "echo", "Exit Helpdesk menu"};
                SetRunEnv(user, false);
                accept;
            }
            else
                reject("You do not have the permission to run this command on this host");
        }
        else
            reject("Helpdesk role is not enabled");
    }
}

#
# Procedure ControlledShellRole:
# If 'ControlledShellRole' is enabled, it allows any user in
# ControlledShellUsers (default all users) when running on hosts in
# ControlledShellHosts (default all run hosts) to get iologged.
#
procedure ControlledShellRole()
{
    if ( EnableControlledShellRole && user in ControlledShellUsers && (runhost in
         ControlledShellHosts || TargetRunHostShortName in ControlledShellHosts) )
    {
        if ( pbclientmode == "shell start" )
        {
            iolog_dir = "/tmp" ;
            iolog = iolog_dir + "/pb." + user + "." + split(runhost,".")[0] + "." +
                    sprintf("%d-%d-%d",year,month,day) + "." + basename(command) + ".XXXXXX";
            print("Warning this session is being logged:", iolog);
            accept;
        }
        if ( pbclientmode == "shell command" )
        {
            # Rejected commands are refused; privileged commands run as root;
            # everything else runs as the user.
            if ( basename(command) in ControlledShellRejectedCmds )
                reject("You do not have the permission to run this command on this host");
            if ( basename(command) in ControlledShellPrivilegedCmds )
                SetRunEnv("root", true);
            accept;
        }
    }
}

LDAP Authentication Policy File (ldap.conf)

SIZELIMIT 0

TIMELIMIT 15

DEREF never

#TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

TLS_CACERT /etc/openldap/ssl/ldapCA.pem

TLS_CERT /etc/openldap/ssl/Master.pem

TLS_KEY /etc/openldap/ssl/private.pem

TLS_REQCERT allow

URI ldaps://1.2.3.4

BASE dc=ldap,dc=com

RADIUS Authentication Policy File (pam_radius_auth.conf)

1.2.3.4:1812 shared_secret

RADIUS PAM Configuration File (pbul_pam_radius)

auth required /usr/lib/beyondtrust/pb/pam_radius_auth.so.1.3.17 conf=/etc/pam_radius_auth.conf
account required /usr/lib/beyondtrust/pb/pam_radius_auth.so.1.3.17 conf=/etc/pam_radius_auth.conf
password required /usr/lib/beyondtrust/pb/pam_radius_auth.so.1.3.17 conf=/etc/pam_radius_auth.conf


Supported Platforms

The following list covers the Tested/Supported PowerBroker for Unix & Linux platforms used throughout the common criteria testing process to ensure compliance across a range of the PowerBroker for Unix & Linux supported platforms:

Vendor | Operating System | Version
IBM | AIX | V6.1 and V7.1
HP | HP-UX | 11i V3 (B.11.31) (PA-RISC 64-bit, Itanium 64-bit)
Oracle | Solaris (SPARC) | 11
Oracle | Solaris (Intel) | 11 64-bit
RedHat | Linux (Intel) | v6.x (64-bit)
RedHat | Linux (Intel) | v7.x (64-bit)
Ubuntu | Linux (Intel) | 13.4 (64-bit)
Ubuntu | Linux (Intel) | 14.4 (64-bit)

Additional Reference Material

Additional documents relating to the installation and use of PowerBroker for Unix & Linux include:

Product Documentation that ships with PowerBroker for Unix & Linux can be found in the following location:

PRODUCT ISO:\PBUL\Documentation

PowerBroker_Install_V9.1.pdf

PowerBroker Unix-Linux_Administration_V9.1.pdf

PowerBroker_Language_V9.1.pdf


Appendix A: Event Log Fields

This appendix details all of the runtime event variables that are captured each time a command is processed by PowerBroker for Unix & Linux. Included in the following table is the name of each variable as stored in the pb.eventlog file, the data type of the captured variable, a description of the data that is stored in the given variable and the type from which the data is collected.

Variable Data type Definition Type

argc integer Argument count (items on the command line) Task Information

argv list List of the arguments to the requested command, including the name of the command Task Information

bkgd integer The user requested the job run in the background and ignore HUP signals by using pbrun -b. Task Information

browserhost string The hostname of the machine that connected to pbguid (usually the browser, possibly a proxy) Task Information

browserip string The IP address of the machine that connected to pbguid (usually the browser, possibly a proxy) Task Information

clienthost string The name of the client (submit) host as resolved on the client host Task Information

clienthost_uuid string UUID of the client used for licensing Host identification

clienthost_uuid_created integer Flag if UUID is created by pbmasterd or pblocald Host identification

command string The command, without arguments, the user wishes to run Task Information

cwd string The user's current working directory Task Information

date string The date the request was started; year/month/day (e.g. "2005/6/17") System

day integer Day of the month the request started (1-31) System

dayname string Day of the week the request started ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun") System

env list A list of environment variables present when the user initiated the request Task Information

event string Type of event, e.g. Accept, Reject, Finish, Keystroke Logging

eventlog string The name of the file in which events are logged Logging

execute_via_su integer A flag to indicate if PBUL will use the 'su -' command to create a login shell for the secured task, thus allowing the login mechanism to set up the run environment, overriding the run environment that the policy on the master has set up. 0 = false, 1 = true Task Information

exit_timestamp integer The date/time when a task finished, expressed in Unix time format (number of seconds since midnight, January 1, 1970 (UTC)) Logging

exitdate string The date the requested command finished running Logging

exitstatus string How the request finished Logging

exittime string The time the requested command finished running (hours:minutes:seconds) Logging

false integer The value of false, used for condition checking. Defaults to 0. System


forbidkeyaction (obsolete) string Action when a forbidden key sequence is encountered; obsolete, see keystrokestatus Logging

forbidkeypatterns (obsolete) list Keystroke patterns to log; obsolete, see keystroke Logging

group string The primary group to which the user belongs (e.g. "admin", "operators", "XXXproject") Task Information

groups list A list of all the secondary groups to which a user belongs Task Information

host string The host on which the task is requested to execute Task Information

hour integer Hour the request started (0-23) System

i18n_date string The I18N date the request was started System

i18n_day string I18N Day of the month the request started System

i18n_dayname string I18N Day of the week the request started System

i18n_exitdate string The I18N date the requested command finished running Logging

i18n_exittime string The I18N time the requested command finished running Logging

i18n_hour string I18N Hour the request started System

i18n_minute string The I18N minute the request started System

i18n_month string The I18N month the request started System

i18n_time string The I18N time the command started System

i18n_year string The I18N year the request started System

iolog string The name of the file in which input, output and error output is logged Logging

iolog_list list A list of the actual I/O log filename(s) that were created for the session. Logging

iologtemplate string A character string that contains a file name template for use with the logmktemp function. Logging

keystroke string The keystroke pattern in the input stream which triggered an action. Logging

keystrokedate string The date when the keystroke pattern was matched (e.g. "2005/6/17") Logging

keystrokestatus string The action that was triggered when the keystroke pattern was detected in the input stream. Logging

keystroketime string The time when the keystroke pattern was matched (e.g. 14:01:14) Logging

keystrokeunixtime integer The date/time when the keystroke pattern was matched, expressed in Unix time format (number of seconds since midnight, January 1, 1970 (UTC)) Logging

lineinfile string The filename of the policy file that accepted or rejected the request System

linenum integer The line number where the policy accepted or rejected the request System

localmode integer The user requested the program replace pbrun instead of starting a proxy session using pblocald, typically by invoking pbrun with the -l option Task Information

loghostip string IP address of the logserver Task Information


lognopassword integer Controls whether non-echoed output (traditionally passwords) is logged Logging

lognoreconnect integer PowerBroker optimizes its network traffic where possible (default). System

logomit list A list of variable names to omit when logging to an eventlog or I/O log Logging

logpid integer Log daemon pid Logging

logport integer Log daemon port number Logging

logretrylimit integer Controls the maximum number of log retries for a job; when the maximum number of failures is exceeded, the secured task terminates (formerly logmaximumfailures). Logging

logservers list A list of log hosts for pblocald to use for event and I/O logging. Run environment

logstderr integer If true, error output is logged Logging

logstderrlimit integer How much error output is logged per consecutive stream Logging

logstdin integer If true, input is logged Logging

logstdinlimit integer How much input is logged per consecutive stream Logging

logstdout integer If true, output is logged Logging

logstdoutlimit integer How much output is logged per consecutive stream Logging

masterhost string The name of the machine running pbmasterd System

masterhostip string IP address of the master Task Information

masterlocale string The locale of the master host System

mastertimelimit number The number of seconds a master daemon is allowed to run after a request is accepted. At the end of this time period the master daemon terminates. Run environment

mastertimeout number The number of seconds of idle time allowed after a request is accepted. If no activity is detected, the master daemon terminates. Run environment

minute integer The minute the request started (0-59) System

month integer The month the request started (1-12) System

nice integer The user's nice value at the time of the request Task Information

noreconnect integer PowerBroker optimizes its network traffic where possible (default). System

optarg string The parameter for the last argument processed by a getopt, getopt_long or getopt_long_only function, or an empty string if none was found Command Line Parsing

opterr integer Determines whether to print errors from the getopt, getopt_long and getopt_long_only functions Command Line Parsing

optimizedrunmode integer Optimized run mode allows pbrun to execute the secured task directly, instead of starting a proxy session using pblocald, thus using fewer resources. Optimized run mode is used automatically when the submit host and the run host are the same host and a logserver is used. Task Information


optind integer Contains the current argument list index for the getopt, getopt_long and getopt_long_only functions Command Line Parsing

optopt string Contains the letter of the last option that had a problem in a getopt() function. Command Line Parsing

optreset integer If set to true, optind will be set to 1, and the next call to getopt, getopt_long or getopt_long_only will start from the beginning of the argv list. Command Line Parsing

optstrictparameters integer The getopt_long function provides strict interpretation of argument parameters. In particular, arguments with optional parameters are only accepted in the form --argument=parameter. Some non-compliant programs allow --argument parameter. To make getopt_long recognize the latter form, set optstrictparameters to false. Command Line Parsing

origsolarisproject string Name of the original Solaris project Task Information

outputredirect string Output stream PowerBroker policy prompts are directed to. This can be stderr or stdout System

passwordloggingprompts list A list of possible password prompts that helps the lognopassword feature to recognize when to hide the non-echoed input when I/O logging is active. Logging

pbclientcertificateissuer string The issuer string from the client (e.g. pbrun, pbguid, pbksh, pbsh) program's certificate System

pbclientcertificatesubject string The subject string from the client (e.g. pbrun, pbguid, pbksh, pbsh) program's certificate System

pbclientkerberosname string The principal from the invoking client (e.g. pbrun, pbguid, pbksh, pbsh) when Kerberos is active System

pbclientkerberosuser string Contains the name of the client user's principal when Kerberos is used System

pbclientmode string The mode of the command invoking PowerBroker. System

pbclientname string The basename of the command invoking PowerBroker System

pbguidmachine string The machine type id from uname on the gui host Host identification

pbguidnodename string The nodename from uname on the gui host Host identification

pbguidrelease string The OS release from uname on the gui host Host identification

pbguidsysname string The system name from uname on the gui host Host identification

pbguidversion string The OS version from uname on the gui host Host identification

pbkshmachine string The machine type id from uname on the pbksh machine Host identification

pbkshnodename string The nodename from uname on the pbksh machine Host identification

pbkshrelease string The OS release from uname on the pbksh machine Host identification

pbkshsysname string The system name from uname on the pbksh machine Host identification

pbkshversion string The OS version from uname on the pbksh machine Host identification

pblocaldcertificateissuer string The issuer string from pblocald's certificate Host identification

pblocaldcertificatesubject string The subject string from pblocald's certificate Host identification

pblocaldmachine string The machine type id from uname on the run host Host identification


pblocaldnodename string The nodename from uname on the run host Host identification

pblocaldnoglob integer If true, pblocald skips metacharacter expansion on runargv Run environment

pblocaldrelease string The OS release from uname on the run host Host identification

pblocaldsysname string The system name from uname on the run host Host identification

pblocaldversion string The OS version from uname on the run host Host identification

pblogdcertificateissuer string The issuer string from pblogd's certificate Host identification

pblogdcertificatesubject string The subject string from pblogd's certificate Host identification

pblogdmachine string The machine type id from uname on the log server Host identification

pblogdnodename string The nodename from uname on the log server Host identification

pblogdreconnection integer If true, pblogd initiates log reconnects when logmktemp() is used System

pblogdrelease string The OS release from uname on the log server Host identification

pblogdsysname string The system name from uname on the log server Host identification

pblogdversion string The OS version from uname on the log server Host identification

pbmasterdcertificateissuer string The issuer string from pbmasterd's certificate Host identification

pbmasterdcertificatesubject string The subject string from pbmasterd's certificate Host identification

pbmasterdmachine string The machine type id from uname on the master host Host identification

pbmasterdnodename string The nodename from uname on the master host Host identification

pbmasterdrelease string The OS release from uname on the master host Host identification

pbmasterdsysname string The system name from uname on the master host Host identification

pbmasterdversion string The OS version from uname on the master host Host identification

pbrunmachine string The machine type id from uname on the submit host Host identification

pbrunnodename string The nodename from uname on the submit host Host identification

pbrunreconnection integer If true, pbrun initiates reconnections to pblocald System

pbrunrelease string The OS release from uname on the submit host Host identification

pbrunsysname string The system name from uname on the submit host Host identification

pbrunversion string The OS version from uname on the submit host Host identification

pbshmachine string The machine type id from uname on the pbsh machine Host identification

pbshnodename string The nodename from uname on the pbsh machine Host identification

pbshrelease string The OS release from uname on the pbsh machine Host identification

pbshsysname string The system name from uname on the pbsh machine Host identification

pbshversion string The OS version from uname on the pbsh machine Host identification

pbsshmachine string The machine type id from uname on the pbssh machine Host identification

pbsshnodename string The nodename from uname on the pbssh machine Host identification

pbsshrelease string The OS release from uname on the pbssh machine Host identification

pbsshsysname string The system name from uname on the pbssh machine Host identification

pbsshversion string The OS version from uname on the pbssh machine Host identification

pbulacapolicy list List of ACA permissions

pbversion string The version number for PowerBroker System


pid integer The process ID number of the pbmasterd process System

ptyflags integer Flags used for pty settings - reserved for internal use System

requestuser string Name of requested runuser as specified in pbrun's -u argument Task Information

rlimit_as number The maximum memory available to a process, in bytes, as a 32-bit number, or 2147483647 if unlimited or not supported by submit host. This is equivalent to vmem on some systems. Task Information

rlimit_core number The maximum size of a core file as a 32-bit number, or 2147483647 if unlimited or not supported by submit host Task Information

rlimit_cpu number The maximum CPU time, in seconds, as a 32-bit number, or 2147483647 if unlimited or not supported by submit host Task Information

rlimit_data number The maximum data segment size as a 32-bit number, or 2147483647 if unlimited or not supported by submit host Task Information

rlimit_fsize number The maximum file size as a 32-bit number, or 2147483647 if unlimited or not supported by submit host Task Information

rlimit_locks number The maximum number of file locks as a 32-bit number, or 2147483647 if unlimited or not supported by submit host Task Information

rlimit_memlock number The maximum bytes of virtual memory that can be locked as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host Task Information

rlimit_nofile number The maximum number of files that can be opened as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host Task Information

rlimit_nproc number The maximum number of processes the user can run as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host Task Information

rlimit_rss number The maximum size of a process' resident segment (virtual pages) as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host Task Information

rlimit_stack number The maximum number of bytes in a process' stack as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host Task Information

runargv list The argument list for the request Run environment

runbkgd integer If true, HUP signals are ignored by the command when it is run Run environment

runchroot string The directory to be the request's root ("/") directory Run environment

runcksum string Validate a file's checksum before execution Run environment

runcksumlist list A list of checksum values used to validate a file before execution. Task Information

runcommand string The command, without arguments, that the request will run Run environment

runconfirmmessage string The prompt message to use when runconfirmuser is set. If not set, this is "type in user's password" Run environment


runconfirmpasswdservice string The name of the PAM password service which will be used to perform password authentication and account management for the user named by the runconfirmuser variable. It overrides pampasswordservice in pb.settings of the run host. Run environment

runconfirmuser string The user name to password-validate on the run host Run environment

runcwd string The request's starting working directory Run environment

runeffectivegroup string The effective group (egid) for the request Run environment

runeffectiveuser string The effective user (euid) for the request Run environment

runenablerlimits number When true, use the runrlimit_* variables to set up ulimits for the secured task. Run environment

runenv list A list of environment variables to set for a job when PowerBroker runs it Run environment

runenvironmentfile string The value of environment file on run host Run environment

rungroup string The primary group to which the request will belong Run environment

rungroups list The list of secondary groups to which the request will belong Run environment

runhost string The host on which the request will execute Run environment

runlocale string The locale of the run host Run environment

runlocalmode integer If true, the program replaces pbrun rather than launching a separate session with pblocald. Run environment

runmd5sum string Validate a file's md5 checksum before execution Run environment

runmd5sumlist list A list of md5 checksums used to validate a file checksum before execution. Task Information

runnice integer The request's execution priority Run environment

runoptimizedrunmode integer Optimized run mode allows pbrun to execute the secured task directly, instead of starting a proxy session using pblocald, thus using fewer resources. Optimized run mode is used automatically when the submit host and the run host are the same host and a logserver is used. Run environment

runpid number pid of pblocald Run environment

runptyflags integer Flags used internally for pty settings - reserved for internal use Run environment

runrlimit_as number The maximum memory available to a process, in bytes, as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_core number The maximum size of a core file as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_cpu number The maximum CPU time, in seconds, as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_data number The maximum data segment size as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_fsize number The maximum file size as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_locks number The maximum number of file locks as a 32-bit number, or 2147483647 for unlimited Run environment


runrlimit_memlock number The maximum bytes of virtual memory that can be locked as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_nofile number The maximum number of files that can be opened as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_nproc number The maximum number of processes the user can run as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_rss number The maximum size of a process' resident segment (virtual pages) as a 32-bit number, or 2147483647 for unlimited Run environment

runrlimit_stack number The maximum number of bytes in a process' stack as a 32-bit number, or 2147483647 for unlimited Run environment

runsecurecommand number When true (non-zero), check that the runcommand is writable only by root or the runuser. Run environment

runsolarisproject string Name of a Solaris project to associate the secured task with. Overrides the solarisproject specified on the pbrun command line. Run environment

runtimelimit number The number of seconds that the job may execute Run environment

runtimeout number The number of seconds of idle time allowed before the request is terminated Run environment

runtimeoutoverride number When true, allows runtimeout to be overwritten Run environment

runumask integer The umask filter to determine file permissions (read, write, execute) Run environment

runuser string The login name of the user that will run the request (for example, root) Run environment

runutmpuser string The name of the user that will appear in utmp Run environment

selinux string If set, selinux is enabled System

shellallowedcommands list A list of commands that a PowerBroker shell may execute without further authorization or logging Run environment

shellcheckbuiltins number If true, PowerBroker shells authorize and log shell builtins Run environment

shellcheckredirections number If true, PowerBroker shells authorize and log shell I/O redirection requests Run environment

shellforbiddencommands list A list of commands which a PowerBroker shell should reject without further authorization or logging Run environment

shelllogincludedfiles number If true, PowerBroker shells authorize and log files which shell scripts and profiles include (source) Run environment

shellreadonly list A list of environment variables the PowerBroker shell sets read-only Run environment

shellrestricted number Controls whether PowerBroker shells run in restricted mode; when true, restricted mode is enabled. Run environment

solarisproject string Name of a Solaris project specified on the pbrun command line. Task Information


status integer The exit status of the most recent command run by the system function; 0 (Unix default for success), non-0 (anything other than the Unix default success value) System

submithost string Name of the submitting (client) host machine as resolved on the master host Task Information

submithostip string IP address of the submitting host machine as resolved on the master Task Information

submitlocale string The locale of the submithost Task Information

submitpid number pid of pbrun or pbshells Task Information

submittimeout number Idle time, in seconds, that is allotted to the submitting user before the submit host terminates the current request. Task Information

subprocuser string The user name under which all subprocesses of pbmasterd will run (i.e. commands run using the system function) System

taskpid integer pid of the task Task Information

taskttyname string The runtime-generated ttyname of the secured task. Task Information

time string The time the command started; hours:minutes:seconds (e.g. "08:24:52") System

timezone string A standardized representation of the time zone of the submit host Task Information

true integer The value of true, used for condition checking. Defaults to 1. System

ttyname string The name of the tty device from which the user submits the request Task Information

umask integer The user's umask value, which determines file permissions (read, write, execute) for newly created files Task Information

uniqueid string A string guaranteed to be unique across the PB Servers system (that is, master host, submit host, run host and log host). Can be used as a unique identification in the event log. System

unixtimestamp integer The event accept/reject date/time, expressed in Unix time format (number of seconds since midnight, January 1, 1970 (UTC)) Task Information

user string The login name of the user submitting a request Task Information

xwincookie string The xwincookie variable contains the X Windows Authentication cookie from the client and is available for logging. Logging

xwindisplay string The xwindisplay variable contains the X Windows Authentication DISPLAY string from the client and is available for logging. Logging

xwinforward integer The xwinforward variable controls whether PowerBroker will forward X Windows applications through to the client X Server. Logging

xwinproto string The xwinproto variable contains the X Windows Authentication protocol from the client and is available for logging. Logging

xwinreconnect integer The xwinreconnect variable controls how PowerBroker servers optimize X Windows network traffic between pbrun and pblocald. Logging

year integer The year the request started; CCYY (e.g. 2005) System


Appendix B: Change Management Event Log Fields

This appendix details the contents of the Change Management events that are generated when the functionality is enabled within pb.settings, and files are managed within the pb.db facility.

Variable Data type Definition

hostname string The hostname that generated the change management event

evtname enumerated string Type of change management operation (see table below)

service string The binary whose use triggered the change management event

who string Username of the user who called the management binary

severity integer bit field The severity of the logged information (see table below)

progname string

version string Version of the software that triggered the change management record

arch string Platform/architecture string of the host that triggered the change management record

data various Various data, usually base64 encoded JSON representing the data that changed

evtname

name description

registered Host has successfully registered using Client Registration

file_import Configuration file version imported into pb.db

reg_del_profile Client Registration profile deleted

reg_put_profile Client Registration profile updated

rekey Database re-encrypted with new key

new_keyfile New encryption keyfile generated into the database

tag_file File tagged in set

untag_file File untagged in set

del_file File marked as deleted

encrypt_file File encrypted using pbencode

put Role Based policy updated

deleted Role Based policy deleted

transaction Role Based Policy transaction of records committed

force_rollback Role Based Policy transaction of records rolled back

import_table Role Based Policy imported


severity

integer bit value type description

0x000 debug Debug message (currently not used)

0x010 information Informational message

0x020 alert Alert message

0x040 error Error message

0x080 critical Critical message

0x100 emergency Emergency message
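As an added example (not code from the guide or from BeyondTrust), the following Python decodes a change management record using the Appendix B field list, the evtname table and the severity bit values above, so that a SIEM or reviewer can read the severity bits as names and unpack the base64 JSON data field. The guide does not specify how records are encoded, so the one-JSON-object-per-line layout, the sample values and the "review" classification of key-material events are assumptions.

```python
"""Decode a PowerBroker change management event (Appendix B fields).

Added example, not BeyondTrust code. The guide lists the fields and the
evtname / severity tables but not the on-disk encoding, so this assumes
(constructed) a one-JSON-object-per-line record carrying those fields.
"""
import base64
import json

# Event names from the evtname table in Appendix B
EVTNAMES = {
    "registered", "file_import", "reg_del_profile", "reg_put_profile",
    "rekey", "new_keyfile", "tag_file", "untag_file", "del_file",
    "encrypt_file", "put", "deleted", "transaction", "force_rollback",
    "import_table",
}

# Severity bit values from the severity table in Appendix B
SEVERITY_BITS = [
    (0x100, "emergency"),
    (0x080, "critical"),
    (0x040, "error"),
    (0x020, "alert"),
    (0x010, "information"),
]

# Operations that touch key material, remove managed files or undo a
# policy transaction; flagged for review regardless of severity.
# This grouping is an assumption of this example, not a guide rule.
KEY_MATERIAL_EVENTS = {"rekey", "new_keyfile", "del_file", "force_rollback"}

# error | critical | emergency
HIGH_SEVERITY_MASK = 0x040 | 0x080 | 0x100


def decode_severity(value):
    """Return the severity names whose bits are set; 0x000 is 'debug'."""
    names = [name for bit, name in SEVERITY_BITS if value & bit]
    return names if names else ["debug"]


def decode_data(data_field):
    """Decode the 'data' field: base64-encoded JSON when possible, else raw."""
    if not isinstance(data_field, str):
        return data_field
    try:
        raw = base64.b64decode(data_field, validate=True)
        return json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        # Not base64 / not JSON: the guide says "usually" base64 JSON,
        # so keep the raw value rather than dropping the record.
        return data_field


def parse_event(line):
    """Parse one constructed record line into a normalised dict."""
    rec = json.loads(line)
    evt = rec.get("evtname")
    if evt not in EVTNAMES:
        raise ValueError("unknown evtname: %r" % (evt,))
    severity = int(rec.get("severity", 0))
    return {
        "hostname": rec["hostname"],
        "evtname": evt,
        "service": rec.get("service"),
        "who": rec.get("who"),
        "severity": decode_severity(severity),
        "version": rec.get("version"),
        "arch": rec.get("arch"),
        "data": decode_data(rec.get("data")),
        "review": evt in KEY_MATERIAL_EVENTS
                  or bool(severity & HIGH_SEVERITY_MASK),
    }


# Constructed sample records (hostnames, users, versions are made up);
# the base64 payload of the first is JSON built inline.
SAMPLE_LINES = [
    json.dumps({"hostname": "pbmaster01.example.test", "evtname": "file_import",
                "service": "pbdbutil", "who": "pbadmin", "severity": 0x010,
                "progname": "pbdbutil", "version": "9.4", "arch": "x86_64-linux",
                "data": base64.b64encode(json.dumps(
                    {"file": "/etc/pb.settings", "version": 3}).encode()).decode()}),
    json.dumps({"hostname": "pbmaster01.example.test", "evtname": "rekey",
                "service": "pbdbutil", "who": "root", "severity": 0x020,
                "progname": "pbdbutil", "version": "9.4", "arch": "x86_64-linux",
                "data": "not-base64!"}),
]


def events_needing_review(lines):
    """Return the parsed events a reviewer should look at."""
    return [e for e in (parse_event(l) for l in lines) if e["review"]]


if __name__ == "__main__":
    for e in events_needing_review(SAMPLE_LINES):
        print(e["hostname"], e["evtname"], e["who"], ",".join(e["severity"]))
```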


About BeyondTrust

BeyondTrust® is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks.

We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes.

BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.