PowerBroker for Unix & Linux
Common Criteria – Supplementary Guide
© 2016. BeyondTrust Software, Inc. Common Criteria Guide
Table of Contents
Executive Summary .................................................................................... 4
High Level Product Architecture ......................................................................................... 4
Assumptions ............................................................................................... 4
Installation .................................................................................................. 5
1 Pre-Installation Checks ......................................................................................................................... 5
2 Product Installation ............................................................................................................................... 5
3 Encryption ............................................................................................................................................. 6
4 PB.Settings ........................................................................................................................................... 6
5 Define Policy ......................................................................................................................................... 9
6 Configure Desired Auditing ................................................................................................................... 9
7 Start issuing commands ..................................................................................................................... 11
Encryption Settings ................................................................................... 11
enforcehighsecurity ...........................................................................................................12
Controlling Commands ............................................................................. 12
Conditional Command Processing ............................................................ 13
Requesting User ..................................................................................................................................... 13
Requesting Hostname ............................................................................................................................ 13
Time of Request...................................................................................................................................... 13
Remote Host Execution ............................................................................ 14
PowerBroker for Unix & Linux Auditing ..................................................... 14
Event Audit Records ................................................................................. 15
Audit Record Inclusion/Exclusion .............................................................. 17
Logomit .............................................................................................................................17
Event Record Format ................................................................................ 18
Session Recording .................................................................................... 23
Session Recording Example ..................................................................... 25
PBLogD Logging Process ......................................................................... 26
Audit Record Breakdown .......................................................................... 27
Server Tracking Audit Information ............................................................. 36
Additional Audit Functions and Change Management ............................... 37
Configuration Files .................................................................................... 40
Policy Files .............................................................................................................................................. 40
Root Policy File (/etc/pb.conf) ...........................................................................................40
Main Policy File (pbul_policy.conf) ....................................................................................40
Functions Policy File (pbul_functions.conf) ........................................................................44
LDAP Authentication Policy File (ldap.conf) ......................................................................53
RADIUS Authentication Policy File (pam_radius_auth.conf) .............................................53
RADIUS PAM Configuration File (pbul_pam_radius) ........................................................53
Supported Platforms ................................................................................. 54
Additional Reference Material ................................................................... 54
Appendix A: Event Log Fields ................................................................... 55
Appendix B: Change Management Event Log Fields ................................ 65
About BeyondTrust ................................................................................... 67
Executive Summary
PowerBroker for Unix & Linux has undergone Common Criteria testing. This document contains details that are relevant to a number of items in the security target, including platforms tested, encryption methods used and common configuration settings required to complete the testing.
High Level Product Architecture
The BeyondTrust PowerBroker UNIX® + Linux® Edition v9 conforms to the following protection profiles:
Standard Protection Profile for Enterprise Security Management Access Control, Version 2.1, 24 October 2013 (pp_esm_ac_v2.1) with no additional optional SFRs.
Standard Protection Profile for Enterprise Security Management Policy Management, Version 2.1, 24 October 2013 (pp_esm_pm_v2.1) and includes the additional optional SFRs: FAU_SEL.1, and FMT_MTD.1.
Assumptions
The evaluated configuration includes several assumptions and requirements that must be met by the intended environment for the installed BeyondTrust PowerBroker UNIX® + Linux® Edition v9. These are as follows:
The TOE will use cryptographic primitives provided by the Operational Environment to perform cryptographic services.
The TOE will be able to establish connectivity to other ESM products to share security data.
The TOE will receive policy data from the Operational Environment.
The Operational Environment will provide mechanisms to the TOE that reduce the ability for an attacker to impersonate a legitimate user during authentication.
The TOE will receive reliable time data from the Operational Environment.
The TOE will receive identity data from the Operational Environment.
There will be one or more competent individuals assigned to install, configure, and operate the TOE.
Installation
The process for installing PowerBroker for Unix & Linux and configuring the tool to meet the common criteria standards should be performed in the following manner:
1 Pre-Installation Checks
The following items are either required or highly recommended before installation is performed:
o Bi-directional name resolution using DNS
o Use of a super daemon (such as inetd/xinetd) is recommended
o Disable all firewalls until a working configuration has been achieved
o Disable SELinux (if appropriate) until a working configuration has been achieved
o Ensure the correct installation package is selected for the target system
o Ensure enough free space is available to complete the installation
o Root permissions are required to perform the installation
2 Product Installation
When PowerBroker for Unix & Linux is configured with Kerberos, SSL, LDAP, or CURL it requires the appropriate third-party libraries. The PowerBroker for Unix & Linux installation provides Kerberos, SSL, LDAP, or CURL libraries that are designed to work with PowerBroker for Unix & Linux. The Common Criteria evaluated configuration requires that the PowerBroker for Unix & Linux third-party libraries be installed.
Install the required components. At a minimum a Policy Server, Log Server, Submit Host and Run Host will be required. If performing an install for the first time, all components may be selected using option 1 after running the pbinstall.sh installation utility.
For example, initiate the installation located in the platform specific location,
<untarred location>/powerbroker/v9.1/pbx86_64_linuxA-9.2.0-08/install/pbinstall
o Skip the client registration option
o Press Enter to continue
o Select your preferred editor (default vi)
Select option 1 (install all components) and change its value to ‘YES’.
Press C to continue and complete the installation. Additional components can be selectively installed on additional servers as required.
“The administrative commands are restricted to authenticated users with root access. The TOE includes a pre-defined administrative role with root access: the Admin role (also referred to as AdminUsers). Administrators can define additional roles using policies for users to manage the TOE or portions of the TOE in addition to the AdminUsers role; however this is not within the scope of the evaluation.”
For more information, refer to PowerBroker_Install_V9.1.pdf guide referenced in the Additional Reference Material.
3 Encryption
Fresh installations of PowerBroker for Unix & Linux default to the highest security level and are fully compatible with the Common Criteria requirements.
This can be checked after installation: confirm that the enforcehighsecurity keyword is set to yes in the /etc/pb.settings file.
For more information, see Encryption Settings in this document.
4 PB.Settings
Every host where PBUL is installed (Submit Host, Run Host, Master, Log Server, etc.) has a file, located in ‘/etc’ by default, named pb.settings. This is the core configuration file used for almost all aspects of the production configuration and operation. You can check the settings on any host, if you are logged on as root or have root-level privileges, by issuing the ‘cat /etc/pb.settings’ command.
The following is an example of the top of a typical pb.settings file:
# Installation date: Fri Mar 4 16:37:21 EST 2016
# Location of:
#   user programs: /usr/local/bin
#   admin programs: /usr/sbin
#   daemons: /usr/sbin
#   pbinstall: /tmp/pbul/powerbroker/v9.2/pbx86_64_linuxA-9.2.0-08/install/pbinstall
#   TMPDIR: /tmp/beyondtrust_pbinstall
kerberos no
#mprincipal pbmasterd
#lprincipal pblocald
#gprincipal pblogd
#sprincipal pbsyncd
#keytab /etc/krb5.keytab
#shortnamesok no
allownonreservedconnections yes
#minlisteningport 1025
#maxlisteningport 65535
#minoutgoingport 1025
#maxoutgoingport 65535
pbrestport 24351
pblocaldlog /var/log/pblocald.log
pblogdlog /var/log/pblogd.log
pbmasterdlog /var/log/pbmasterd.log
pbguidlog /var/log/pbguid.log
eventlog /var/log/pb.eventlog
syslog yes
#pbrunlog none
#pbsshlog none
facility LOG_AUTHPRIV
policyfile /etc/opt/pbul/pb.conf
passwordlogging never
policydir /etc
warnuseronerror yes
#secureoutput no
masterport 24345
localport 24346
guiport 24348
submitmasters masterhostname.example.com
randomizesubmitmasters no
acceptmasters masterhostname.example.com
#masterdelay 500
#logserverdelay 500
rejectnullpasswords no
allowlocalmode yes
logservers masterhostname.example.com
syncport 24350
#logresynctimermin 15
pbsyncdlog /var/log/pbsyncd.log
pbsynclog /var/log/pbsync.log
#ssl no
#tcpkeepalive no
kshlog /var/log/pbksh.log
shlog /var/log/pbsh.log
#validateclienthostname no
#validatemasterhostname no
#allowremotejobs yes
pam yes
pampasswordservice powerbroker
#pamsessionservice none
pamsuppresspbpasswprompt no #yes #no
libpam /lib64/libpam.so.0.82.2
#pamsetcred no
recordunixptysessions yes
#syslogsessions no
#guidefaults none
#pblocaldcommand none
rootshelldefaultiolog /pbshell.iolog
#localsocketdir none
#runsecurecommand no
transparentfailover yes
pbsshshell /bin/sh
Although the pb.settings file contains many critical settings, the defaults suffice for most installations, and new installations default to the most secure settings. There are a few settings, however, that either must be set or are commonly changed. The most important of these are the server names/IPs used to check the policy and record the log data. These settings are referred to as submitmasters, acceptmasters and logservers. Each can have as many entries as desired, separated by commas. Alternatively, you can specify DNS SRV records in order to locate the hosts providing each service:
submitmasters masterhostname.example.com
acceptmasters masterhostname.example.com
logservers masterhostname.example.com, masterhostname2.example.com
To see the ports currently selected for the product, grep for the key word against the pb.settings file. Below is an example showing all of the ports used for the product's various communications during normal operation (lines beginning with # are commented out and show the defaults):
# cat /etc/pb.settings | grep port
#minlisteningport 1025
#maxlisteningport 65535
#minoutgoingport 1025
#maxoutgoingport 65535
pbrestport 24351
masterport 24345
localport 24346
logport 24347
guiport 24348
syncport 24350
rcswebsvcport 443
solrport 8443
5 Define Policy
After the first server has been installed in demo mode, all components required to make the system operational will have been installed. In addition, default policy files will also have been created, with the root policy file located here:
/etc/pb.conf
Additional policy files are merged into the root policy file to form the complete sample policy, using the following include statements:
include '/etc/pb/pbul_policy.conf';
include '/etc/pb/pbul_functions.conf';
For details on how the policy files function, see the following sections in this document:
Controlling Commands
Conditional Command Processing
Additional Authentication
Remote Host Execution
The policy files and other configuration files defined when this document was created are also included in this document:
Configuration Files Used During Testing
Note: The included example files may be used to perform testing in other lab environments; however, most PowerBroker for Unix & Linux policy and configuration files contain environment-specific information, such as IP addresses, user and host names. Care should be taken to ensure any reference policy is properly adapted for your environment. Care should also be taken to ensure that any copy/paste activities do not corrupt the policy and/or configuration files by introducing unsupported characters or clipping sections of the file during transfer.
For more information, refer to PowerBroker_Language_V9.1.pdf guide referenced in Additional Reference Material.
6 Configure Desired Auditing
As detailed later in this document, ‘Eventlog’ auditing is on by default when issuing commands via PowerBroker for Unix & Linux (see item 7, Start issuing commands). This document contains a number of dedicated sections on how auditing and logging work. The defaults are as follows:
Located on the Log Server:
/var/log/pb.eventlog
Located on the Log Server:
iologging directory = /tmp
Note: File names will be generated in line with the policy when iologging is turned on.
For details on how the auditing functions in PowerBroker for Unix & Linux work, refer to the following sections in this document:
PowerBroker for Unix & Linux Auditing
Event Audit Records
Audit Record Inclusion/Exclusion
Event Record Format
Session Recording
Session Recording Example
PBLogD Logging Process
Audit Record Breakdown
For more information, refer to PowerBroker_Administration_V9.1.pdf guide referenced in Additional Reference Material.
7 Start issuing commands
The last thing to do is start issuing commands. For PowerBroker for Unix & Linux, commands are invoked using the pbrun command. Here are some commands you can use with the default policies.
pbrun pbtest
pbrun whoami
pbrun bash
pbrun helpdesk
The sample policies are well documented and can be easily modified to allow different user, host and commands to be controlled.
For more information, refer to PowerBroker_Administration_V9.1.pdf guide referenced in Additional Reference Material.
Encryption Settings
During Common Criteria testing, PowerBroker for Unix & Linux was installed and configured with both "enforcehighsecurity" and "ssl" enabled. This switches PowerBroker for Unix & Linux into FIPS 140-2 mode; these are the mandatory security settings for the solution to operate in its Common Criteria evaluated configuration.
The secure protocols are provided by NIST-validated cryptographic mechanisms included in the operational environment. The TOE relies on the third-party FIPS-capable OpenSSL 1.0.2a in conjunction with the TOE's FIPS mode (which disables non-FIPS algorithms). Customers should choose their own FIPS-validated Object Module and link it with the provided FIPS-capable OpenSSL v1.0.2a. The combination of the FIPS-validated Object Module linked with the FIPS-capable OpenSSL provides key management, random bit generation, encryption/decryption, digital signature, cryptographic hashing and keyed-hash message authentication in support of higher-level cryptographic protocols, including TLS and HTTP over TLS.
Testing by the CCTL included the installation and use of the OpenSSL FIPS Object Module SE v2.0.12, CMVP Certificate #2398.
To enable compliance with US government regulations, and specifically FIPS 140-2, the encryption in PowerBroker for Unix & Linux has been updated. Many of the older, less secure encryption algorithms have been deprecated, and when high security is enforced they are disabled completely.
When new PowerBroker for Unix & Linux clients are installed, the pb.settings keywords "enforcehighsecurity" and "ssl" are both enabled. This switches PowerBroker for Unix & Linux into FIPS 140-2 mode. All encryption algorithms are FIPS 140-2 compliant, and the product will not communicate, encrypt or decrypt any data that is not encrypted with AES-128, AES-192, AES-256 or Triple DES (3DES). If a customer is installing version 9 of PowerBroker for Unix & Linux from scratch, high security mode is recommended.
During the installation, install option 129 should be set to Yes to force the installation to use the settings required for Common Criteria compliance:
129. Enforce High Security Encryption:
Enabling High Security will enforce configuration to adhere to FIPS 140-2 security. Non-FIPS compatible encryption and hashing algorithms will be disabled. SSL running in strict FIPS mode will be enabled, enhancing the security of the installation.
This will provide a setting in /etc/pb.settings [enforcehighsecurity]
enforcehighsecurity
This will enforce the use of a more secure configuration, including using SSL for communications, FIPS 140-2 compliant symmetric encryption algorithms, an enhanced Pseudo Random Number Generator, and the use of the enhanced pb.key format.
Only encryption algorithms that are accredited by FIPS 140-2 can be used for network and file encryption (i.e. aes-128, aes-192, aes-256 and tripledes). All others are deprecated.
Once this has been enabled the following pb.settings need to be configured:
ssl yes
ssloptions requiressl
sslservercertfile /etc/pbssl.pem
sslserverkeyfile /etc/pbssl.pem
sslpbruncipherlist HIGH:!MD5:@STRENGTH
sslservercipherlist HIGH:!MD5:@STRENGTH
sslcountrycode US
sslprovince AZ
ssllocality Phoenix
sslorgunit Security
sslorganization BeyondTrust
Example
enforcehighsecurity yes
Default
enforcehighsecurity no (the value assumed when the keyword is absent from pb.settings; pbinstall sets it to yes on new installations when option 129 is set to Yes)
Used on
Policy Server hosts
Submit hosts
Run hosts
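The following Python script is an added example, not part of PowerBroker for Unix & Linux or of this guide. It parses a pb.settings file the way the ‘cat /etc/pb.settings’ and ‘grep port’ checks above read it, reports any of the settings listed in this section that are missing or weaker than the guide specifies, and lists the active ports. The two embedded pb.settings snippets are constructed for the example (the first abridged from the sample file earlier in this document), and the keyword-per-line, ‘#’-comment syntax is assumed from that sample.

```python
"""Check a pb.settings file against the Common Criteria encryption settings
listed in this guide, and list the active ports (the 'grep port' check above).

Added example for this guide; it is not part of PowerBroker for Unix & Linux.
Assumptions: pb.settings is 'keyword value' per line, '#' starts a comment,
and a keyword given more than once takes its last value."""
import sys
from typing import Dict, List

# Keyword/value pairs this guide requires once enforcehighsecurity is on.
REQUIRED_VALUES = {
    "enforcehighsecurity": "yes",
    "ssl": "yes",
    "ssloptions": "requiressl",
}
# Keywords that must be present with a non-empty value (paths, cipher lists).
REQUIRED_PRESENT = ("sslservercertfile", "sslserverkeyfile",
                    "sslpbruncipherlist", "sslservercipherlist")
CIPHER_LISTS = ("sslpbruncipherlist", "sslservercipherlist")


def parse_pb_settings(text: str) -> Dict[str, str]:
    """Parse pb.settings text into {keyword: value}; commented-out lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments, incl. '#ssl no'
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_cc_settings(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the file matches this guide."""
    findings: List[str] = []
    for key, want in REQUIRED_VALUES.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: missing, want '{want}'")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    for key in REQUIRED_PRESENT:
        if not settings.get(key):
            findings.append(f"{key}: missing or empty")
    for key in CIPHER_LISTS:
        value = settings.get(key, "")
        # The guide's lists are HIGH:!MD5:@STRENGTH; a list that stops excluding
        # MD5 silently weakens the evaluated configuration.
        if value and "!MD5" not in value.upper():
            findings.append(f"{key}: '{value}' does not exclude MD5")
    return findings


def listening_ports(settings: Dict[str, str]) -> Dict[str, int]:
    """Active (uncommented) *port keywords with numeric values."""
    return {k: int(v) for k, v in settings.items()
            if k.endswith("port") and v.isdigit()}


# Constructed samples: the first is abridged from the guide's sample pb.settings
# (ssl commented out, no enforcehighsecurity); the second adds the settings
# this guide requires.
SAMPLE_DEFAULT = """\
kerberos no
#ssl no
masterport 24345
localport 24346
logport 24347
syncport 24350
pamsuppresspbpasswprompt no #yes #no
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT + """\
enforcehighsecurity yes
ssl yes
ssloptions requiressl
sslservercertfile /etc/pbssl.pem
sslserverkeyfile /etc/pbssl.pem
sslpbruncipherlist HIGH:!MD5:@STRENGTH
sslservercipherlist HIGH:!MD5:@STRENGTH
"""

if __name__ == "__main__":
    # Usage: python check_pb_settings.py [/etc/pb.settings]; defaults to the samples.
    if len(sys.argv) > 1:
        texts = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        texts = {"sample default": SAMPLE_DEFAULT, "sample hardened": SAMPLE_HARDENED}
    for name, text in texts.items():
        settings = parse_pb_settings(text)
        print(f"== {name}: ports {listening_ports(settings)}")
        for finding in check_cc_settings(settings) or ["matches this guide's settings"]:
            print("  ", finding)
```

Run against the guide's own sample file, the script reports that enforcehighsecurity and ssl are absent, which is exactly what the post-installation check in section 3 is meant to catch; it says nothing about the certificate or key contents themselves.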
Controlling Commands
Standard functionality in PowerBroker for Unix & Linux allows commands to be whitelisted (run with higher privileges) and blacklisted (denied from running). It also allows new commands to be created to control everything on a system, including management of PowerBroker for Unix & Linux itself. For example, if your master policy file is located in /etc and is named pb.conf, you would need to be ‘root’ on the policy server to edit that policy file. The following rule defines a new command, editpolicy, that opens the policy file in vi as root:
# Virtual command "editpolicy": open the root policy file in vi as root
if( basename(command) == "editpolicy" ) {
    runcommand = "vi";                      # program actually executed
    runargv = split("vi /etc/pb.conf");     # argv seen by the program
    runuser = "root";                       # run with root privileges
    accept;
}
The above example can be altered to control administrative operations in PowerBroker for Unix & Linux, such as the ability to view the event log using the pblog command:
if( basename(command) == "pblog" ) {
    runuser = "root";
    accept;
}
Or replaying a recorded session using the pbreplay command:
if( basename(command) == "pbreplay" ) {
    runuser = "root";
    accept;
}
Conditional Command Processing
PowerBroker for Unix & Linux can perform an almost endless list of additional checks before allowing a command to be processed. Conditional processing statements such as IF and CASE can use hundreds of variables as part of the decision on whether a command is rejected, allowed to run, or elevated, and in what way. Some of the command checks include:
Requesting User
Requesting Hostname
Time of Request
Requesting User
Checking the username of the user making the command request:
if (user == "requesting user name") {
    # Allow/Disallow Processing Policy
}
Requesting Hostname
Checking the hostname where the command is being requested from:
if (submithost == "requesting hostname") {
    # Allow/Disallow Processing Policy
}
Time of Request
There are many more options available for validating the date/time/day of a request. Some of the out of the box variables include:
date = "2015/11/05"
day = 5
dayname = "Wed"
hour = 13
i18n_date = "11/05/2015"
i18n_day = "05"
i18n_dayname = "Tue"
i18n_exitdate = "11/05/2015"
i18n_exittime = "01:34:34 PM"
i18n_hour = "13"
i18n_minute = "34"
i18n_month = "01"
i18n_time = "01:34:33 PM"
i18n_year = "2015"
minute = 34
month = 11
year = 2015
Combining these variables with the And (&&), Or (||) and TimeBetween operators allows tight control over when a command may or may not be accepted. For example, to allow certain commands to be executed only over a weekend (or to block certain commands over a weekend), use the dayname variable as follows:
if (dayname == "Sat" || dayname == "Sun") {
    # Allow/Disallow Processing Policy
}
Remote Host Execution
The remote host execution feature of PowerBroker for Unix & Linux is available from the command line:
‘pbrun -h remote_host_name command’
This can also be used, for example, to allow the policy file to be edited from any system. The run host can also be fixed in the policy, as a literal name or a variable, using the runhost variable:
runhost = "remote_system_name";
PowerBroker for Unix & Linux Auditing
PowerBroker for Unix & Linux has two main forms of audit capability:
Event Log - The Event Log can be compared to taking a photograph of a command request as it is processed by the application. It records all the details of the request, regardless of whether the request is accepted or rejected at that moment in time.
Event log auditing is on for every request by default; it can only be suppressed from within the policy itself (see Audit Record Inclusion/Exclusion).
Session Recording - Session Recording differs from an event log record in that it more closely resembles a video recording of the user's activity. A session recording may cover everything from the moment a user logs on to the system until the time they log off, or it can be focused down to an individual command, such as a user's interactive vim session editing the system's hosts file.
Session Recording is optional and can be invoked for a single user, a single host, a single command, during certain periods of time, and so on. Session recording can be performed as much or as little as desired.
Session Recording is PowerBroker for Unix & Linux's method of ‘Selective Auditing’. That is to say, these audit records (session recordings) are only generated ‘on-demand’ where stated in the policy.
For example, you can use conditional processing statements such as:
If the User is….
If the requesting user belongs to group X….
If the host where the command is being executed is in the following list….
If the day is a weekend day….
And so on. The list of conditional processing statements can be as long and complex as the policy creator wishes.
Example Conditional Statement:
if (user == "requesting user name") {
    # Optionally turn on Session Recording, then process the command
}
Session Recording Example:
# Build the session recording (iolog) file name from the request details,
# then tell the user where the session is being recorded
iolog = "/iologs/"
    + sprintf("%d-%d-%d", month, day, year) + "."
    + logtime + "."
    + split(runhost, ".")[0] + "."      # short (unqualified) run host name
    + user + "."
    + basename(command) + ".";          # + ".XXXXXX";
printf("Command accepted by: %s\n", masterhost);
print("Warning this session is being logged:", iolog);
setenv("IOLOG", "done");
Event Audit Records
Every time a command is submitted to PowerBroker for Unix & Linux an event log record is generated, regardless of whether the request is accepted or rejected. The basic format of an event includes the four W's: Who, What, Where and When:
Accept 2015/11/05 11:08:35 [email protected] -> [email protected] by svr1centos63.demo.corp
whoami
Command finished with exit status 0
Reject 2015/11/05 11:08:37 [email protected] by svr1centos63.demo.corp
kill
Request rejected by pbmasterd on svr1centos63.demo.corp.
Each event has well over 100 different fields recorded each time a command is processed. In addition, custom data derived while the policy is processed for a command can also be added to the event log.
The event log can be viewed using the ‘pblog’ command. The user needs root-level privileges to view the event log, but these rights can be delegated using PowerBroker for Unix & Linux as described later in this document.
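The following Python parser is an added example, not code from PowerBroker for Unix & Linux or from this guide. It reads pblog-style output of the shape shown above into structured records, extracts the four W's, and picks out rejected requests and accepted requests that ran as a user other than the requester, which are the records worth a second look in review. The sample records are constructed; the header layout (‘Accept date time user@submithost -> runuser@runhost by masterhost’, with Reject records lacking the ‘->’ part) and the ‘name = value’ variable lines are assumed from the examples on this page, and each header is assumed to be on one line.

```python
"""Parse pblog-style event records into who/what/where/when and flag the ones
worth a second look. Added example for this guide; not PowerBroker code.
Assumed layout (from the examples on this page): a one-line header, the
command line, a status line, then optional 'name = value' variable lines
(strings double-quoted, lists in braces, possibly wrapped over lines)."""
import re
from typing import Any, Dict, List, Optional, Tuple

HEADER = re.compile(
    r"^(?P<event>Accept|Reject)\s+(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<user>[^@\s]+)@(?P<submithost>\S+)"
    r"(?:\s+->\s+(?P<runuser>[^@\s]+)@(?P<runhost>\S+))?"   # absent on Reject records
    r"\s+by\s+(?P<masterhost>\S+)\s*$")
ASSIGN = re.compile(r"^(?P<name>[A-Za-z_]\w*) = (?P<value>.*)$")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_value(raw: str) -> Any:
    """Convert a policy-variable value: {"a", "b"} -> list, "s" -> str, 5 -> int."""
    raw = raw.strip()
    if raw.startswith("{"):
        return QUOTED.findall(raw)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_eventlog(text: str) -> List[Dict[str, Any]]:
    records: List[Dict[str, Any]] = []
    rec: Optional[Dict[str, Any]] = None
    pending: Optional[Tuple[str, str]] = None   # list value continued on later lines
    for line in text.splitlines():
        if pending is not None and rec is not None:
            name, partial = pending
            partial += " " + line.strip()
            if partial.count("{") <= partial.count("}"):
                rec["vars"][name] = parse_value(partial)
                pending = None
            else:
                pending = (name, partial)
            continue
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec.update(command=None, status=None, vars={})
            records.append(rec)
            continue
        if rec is None or not line.strip():
            continue
        if rec["command"] is None:          # line after the header is the command
            rec["command"] = line.strip()
        elif rec["status"] is None:         # then the exit status / rejection reason
            rec["status"] = line.strip()
        else:
            m = ASSIGN.match(line)
            if not m:
                continue
            raw = m.group("value")
            if raw.count("{") > raw.count("}"):
                pending = (m.group("name"), raw)
            else:
                rec["vars"][m.group("name")] = parse_value(raw)
    return records


def four_ws(rec: Dict[str, Any]) -> Dict[str, Any]:
    return {"who": rec["user"], "what": rec["command"],
            "where": rec["runhost"] or rec["submithost"],
            "when": f"{rec['date']} {rec['time']}", "outcome": rec["event"]}


def elevated_accepts(records):
    """Accepted requests where the command ran as a different user than the requester."""
    return [r for r in records
            if r["event"] == "Accept" and r["runuser"] and r["runuser"] != r["user"]]


def rejects(records):
    return [r for r in records if r["event"] == "Reject"]


# Constructed sample modelled on the Accept/Reject records shown above.
SAMPLE = """\
Accept 2015/11/05 11:08:35 alice@submit1.example.com -> root@run1.example.com by master1.example.com
whoami
Command finished with exit status 0

Reject 2015/11/05 11:08:37 bob@submit1.example.com by master1.example.com
kill
Request rejected by pbmasterd on master1.example.com.

Accept 2015/11/05 11:27:02 root@master1.example.com -> root@master1.example.com by master1.example.com
whoami
Command finished with exit status 0
argc = 1
argv = {"whoami"}
commandset = {"whoami", "id", "top", "who",
"cal", "cat", "ssh"}
cwd = "/root"
exitstatus = "Command finished with exit status 0"
runuser = "root"
"""

if __name__ == "__main__":
    recs = parse_eventlog(SAMPLE)
    for r in recs:
        print(four_ws(r))
    print("rejected:", [r["command"] for r in rejects(recs)])
    print("elevated:", [(r["user"], r["runuser"], r["command"]) for r in elevated_accepts(recs)])
```

The record's variable section is parsed into a dictionary, so the same loop can be pointed at any field listed in Appendix A (for example cwd or argv) without changing the parser.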
Physical storage for log records (internal and external) is provided by the operational environment. The amount of audit data that can be stored depends on the amount of disk space available on the server hosting pblogd; the same applies to logs exported to external log servers. The TOE includes options for log file management, i.e., log file rotation and archiving based on time and/or size. Additionally, to prevent the audit logs from exhausting the file system, free space on the log host can be controlled and the system configured to fail over to the next log server with the logreservedfilesystems and logreservedblocks settings.
The logreservedfilesystems and logreservedblocks settings enable the administrator to control free space on the logreservedfilesystems file systems and cause an immediate failover if the log host's free space falls below logreservedblocks. If the number of free 1-KB blocks falls below logreservedblocks on any of the file systems specified in logreservedfilesystems on the log host, the log daemon immediately refuses any new requests, causing an immediate failover. The same happens on the Policy Server host if you are not using a log server. If the free space in any of the file systems containing /var/log or /usr/log falls below 10,000 blocks, new requests are rejected. Requests that are already in progress are allowed to continue. If there are no Log Servers (including the Master Host) capable of recording an event (e.g., no disk space is available), the TOE itself fails and therefore stops.
Detailed information about additional logging options, including log file management and log file rotation can be found in the reference information guides listed below.
Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, Event Logging for more information about the event log.
Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, PBLog for more information on viewing the event log.
Audit Record Inclusion/Exclusion
The event log is on by default and every command issued generates an event log entry. See Appendix A: Event Log Fields.
If, however, you want to implement selective auditing, i.e., to keep certain items out of the event log, you may set the logomit variable anywhere in the policy file. If set globally, the selected items are excluded from all event log records. The logomit variable can also be set within specific rules, so that items are omitted only when certain conditions are met, e.g., for certain users, certain commands or certain hosts.
Refer to PowerBroker_Language_V9.1.pdf, LOGOMIT for more information about this function.
Logomit
Data Type
List
Description
The logomit variable specifies which PowerBroker for Unix & Linux user‐defined variables to omit from the event log. Use this variable to reduce the disk space that is used by the event log.
Metacharacter patterns can be used. By default, this variable is undefined, which means that all PowerBroker for Unix & Linux variables are written to the event log.
Syntax
logomit = list;
In addition, event logging can be disabled at any point within the policy. Although not recommended, because it removes a major part of the security the solution provides, you can globally disable the event log from writing any records with the following statement in the policy file:
eventlog = "/dev/null";
A more selective method disables the event log only within a conditional statement inside the policy file:
if (condition) {
    # normal policy processing
    . . .
    eventlog = "/dev/null";
    accept;    # or reject;
}
For example, to disable the event log for the whoami command, but still allow the command to run, the following policy code disables the event log for this command only. Note that basename(command) strips the directory, so it must be compared with the bare command name ("whoami"), not a full path such as "/usr/bin/whoami", which would never match and would leave the event log enabled:
if (basename(command) == "whoami") {
    eventlog = "/dev/null";
    accept;
}
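Because eventlog and logomit can be set anywhere in a policy, a reviewer needs to know where a policy suppresses or trims audit records and under what conditions. The following Python script is an added example (not code from PowerBroker for Unix & Linux or from this guide) that scans policy text for eventlog = "/dev/null" and logomit assignments and reports the if-conditions enclosing each one, so a global suppression stands out from a conditional one. The sample policy is constructed from the examples above; the syntax handled (‘;’-terminated statements, brace blocks, ‘#’ comments, double-quoted strings, brace list literals) is assumed from those examples and this is not a full policy-language parser.

```python
"""Report where a policy suppresses or trims audit records: each
'eventlog = "/dev/null"' and 'logomit = ...' assignment, with the if-conditions
enclosing it (an empty scope means global). Added example, not PowerBroker code.
Assumed syntax, taken from this guide's examples: ';'-terminated statements,
brace blocks, '#' comments, double-quoted strings, brace list literals."""
import re


def split_if(stmt):
    """Split 'if (cond) rest' into (cond, rest) by balancing parentheses, else None."""
    m = re.match(r"(?:else\s+)?if\s*\(", stmt)
    depth, i = 1, m.end() if m else 0
    while m and i < len(stmt) and depth:
        depth += {"(": 1, ")": -1}.get(stmt[i], 0)
        i += 1
    if not m or depth:
        return None
    return " ".join(stmt[m.end():i - 1].split()), stmt[i:].strip()


def skip_list_literal(text, i):
    """text[i] is the '{' of a list literal; return the index just past its '}'."""
    depth, in_str = 0, False
    while i < len(text):
        c = text[i]
        if in_str:                      # skip string contents, honouring escapes
            in_str = c != '"'
            i += 2 if c == "\\" else 1
            continue
        in_str = c == '"'
        depth += (c == "{") - (c == "}")
        if depth == 0 and c == "}":
            return i + 1
        i += 1
    return i


def check_statement(stmt, scope, findings):
    m = re.fullmatch(r"eventlog\s*=\s*(.+)", stmt)
    if m and m.group(1).strip().strip('"') == "/dev/null":
        findings.append({"kind": "eventlog suppressed", "scope": scope, "statement": stmt})
    if re.fullmatch(r"logomit\s*=\s*.+", stmt):
        findings.append({"kind": "logomit set", "scope": scope, "statement": stmt})


def audit_policy(text):
    """Scan policy text; return findings with the conditions enclosing each one."""
    findings, stack, buf, in_str, i = [], [], "", False, 0
    while i < len(text):
        c = text[i]
        if in_str:                                  # inside a "..." string literal
            buf += c
            if c == "\\" and i + 1 < len(text):
                buf += text[i + 1]
                i += 1
            in_str = c != '"'
        elif c == "#":                              # comment runs to end of line
            i = text.find("\n", i)
            i = len(text) if i < 0 else i
            continue
        elif c == '"':
            in_str, buf = True, buf + c
        elif c == "{" and re.search(r"[=,(]\s*$", buf):   # list literal in a statement
            j = skip_list_literal(text, i)
            buf, i = buf + text[i:j], j
            continue
        elif c == "{":                              # block opens: remember its condition
            head = " ".join(buf.split())
            r = split_if(head)
            stack.append(r[0] if r and r[1] == "" else head or "block")
            buf = ""
        elif c == "}":                              # block closes
            if stack:
                stack.pop()
            buf = ""
        elif c == ";":                              # statement complete
            stmt, scope = " ".join(buf.split()), list(stack)
            r = split_if(stmt)
            while r:                                # brace-less 'if (cond) stmt;'
                scope.append(r[0])
                stmt, r = r[1], split_if(r[1])
            check_statement(stmt, scope, findings)
            buf = ""
        else:
            buf += c
        i += 1
    return findings


# Constructed sample policy, modelled on the eventlog/logomit examples above.
SAMPLE_POLICY = """\
logomit = {"env"};                        # global: env dropped from every record
if (basename(command) == "whoami") {
    eventlog = "/dev/null";               # whoami leaves no event record at all
    accept;
}
if (user == "dba") {
    if (dayname == "Sat" || dayname == "Sun") {
        eventlog = "/dev/null";
        logomit = {"PwrUsers", "Std*"};
    }
    runuser = "root"; accept;
}
eventlog = "/var/log/pb.eventlog";        # explicit default, not a finding
"""
```

To review a real file, call audit_policy(open("/etc/pb.conf").read()) and treat every finding with an empty scope as a global loss of audit coverage; findings with a scope tell you which users, hosts or commands leave no record, which is exactly what a Common Criteria reviewer will ask about.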
Event Record Format
See Appendix A: Event Log Fields for a detailed list of all default fields included in each event log entry.
To provide an example of the amount of data collected in each event record, this is a single accepted command:
Accept 2015/11/05 11:27:02 [email protected] -> [email protected] by svr1centos63.demo.corp
whoami
Command finished with exit status 0
AdmGroup = "LinuxAdmins"
AuditGroup = "Audit"
LocalGroup = "LocalGroup"
PBgroups = {"root"}
PolicyServer = "svr1centos63.demo.corp"
PwrUsers = {"root", "dba"}
StdGroup = "LinuxUsers"
StdUsers = {"Ray", "Dan", "Sam", "Amy", "Lee", "demo1", "demo7", "demo8",
"demo9", "oracle", "OracleDBA", "c1kpadmin"}
argc = 1
argv = {"whoami"}
bkgd = 0
clienthost = "svr1centos63.demo.corp"
clienthost_uuid = "02ceb4bf-90c7-4374-93c9-5811d34ed58f"
clienthost_uuid_created = 0
command = "whoami"
commandset = {"whoami", "id", "top", "who", "cal", "cat", "ssh"}
cwd = "/root"
date = "2015/11/05 "
day = 5
dayname = "Tue"
env = {"HOSTNAME=svr1centos63", "TERM=xterm", "SHELL=/bin/bash",
"HISTSIZE=1000", "SSH_CLIENT=192.168.0.155 63282 22", "QTDIR=/usr/lib64/qt-3.3",
"QTINC=/usr/lib64/qt-3.3/include", "SSH_TTY=/dev/pts/1", "USER=root",
"LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=4
0;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=
37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=0
1;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:
*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.
deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:
*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:
*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;3
5:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01
;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v
=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb
=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=
01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv
=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.m
ka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.o
ga=01;36:*.spx=01;36:*.xspf=01;36:", "MAIL=/var/spool/mail/root",
"PATH=/usr/lib64/qt-
3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin",
"PWD=/root", "JAVA_HOME=/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/", "LANG=en_US.UTF-
8", "KDE_IS_PRELINKED=1", "KDEDIRS=/usr", "SSH_ASKPASS=/usr/libexec/openssh/gnome-
ssh-askpass", "HISTCONTROL=ignoredups", "SHLVL=1", "HOME=/root", "LOGNAME=root",
"QTLIB=/usr/lib64/qt-3.3/lib", "CVS_RSH=ssh", "SSH_CONNECTION=192.168.0.155 63282 192.168.0.160 22", "LESSOPEN=|/usr/bin/lesspipe.sh %s", "G_BROKEN_FILENAMES=1",
"_=/usr/local/bin/pbrun"}
event = "Accept"
eventlog = "/var/log/pb.eventlog"
execute_via_su = 0
exitdate = "2015/11/05 "
exitstatus = "Command finished with exit status 0"
exittime = "11:27:02"
false = 0
group = "root"
groups = {"root"}
host = "svr1centos63.demo.corp"
hour = 11
i18n_date = "11/05/2015"
i18n_day = "05"
i18n_dayname = "Tue"
i18n_exitdate = "11/05/2015"
i18n_exittime = "11:27:02 AM"
i18n_hour = "11"
i18n_minute = "27"
i18n_month = "11"
i18n_time = "11:27:02 AM"
i18n_year = "2015"
iolog = ""
iolog_part = 1
lineinfile = "/etc/opt/pbul/pb.conf"
linenum = "311"
localmode = 0
logdversion = "9.1.0-08"
loghostip = "127.0.0.1"
lognopassword = 1
logpid = 18997
logport = "24347"
logserver_utcoffset = "-5.00"
logserverlocale = "en_US"
logservers = {"svr1centos63"}
logstderr = 1
logstdin = 1
logstdout = 1
master_utcoffset = "-5.00"
masterdversion = "9.1.0-08"
masterhost = "svr1centos63.demo.corp"
masterhostip = "127.0.0.1"
masterlocale = "en_US"
minute = 27
month = 1
nice = 0
noexec = 0
optarg = ""
opterr = 1
optimizedrunmode = 1
optind = 1
optopt = ""
optreset = 1
optstrictparameters = 1
passwordloggingprompts = {"Password", "password", "Passwd", "passwd"}
pbclientmode = "run"
pbclientname = "pbrun"
pblogdmachine = "x86_64"
pblogdnodename = "svr1centos63"
pblogdrelease = "2.6.32-358.6.1.el6.x86_64"
pblogdsysname = "Linux"
pblogdversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"
pbmasterdmachine = "x86_64"
pbmasterdnodename = "svr1centos63"
pbmasterdrelease = "2.6.32-358.6.1.el6.x86_64"
pbmasterdsysname = "Linux"
pbmasterdversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"
pbrisklevel = 0
pbrunmachine = "x86_64"
pbrunnodename = "svr1centos63"
pbrunrelease = "2.6.32-358.6.1.el6.x86_64"
pbrunsysname = "Linux"
pbrunversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"
pbulacapolicy = {"file default all", "file /tmp/banned/* !all|log=9", "file
/scripts/* all|log=9", "file /sbin/reboot !exec|log=9", "file /sbin/shutdown
!exec|log=9", "file /usr/bin/reboot !exec|log=9", "file /usr/bin/shutdown
!exec|log=9", "file /etc/shadow !all", "file /usr/bin/* all|log=9", "file
/usr/sbin/* all|log=9", "file /bin/* all|log=9", "file /sbin/* all|log=9"}
pbversion = "9.1.0-08"
pid = 18984
ptyflags = 7
rcsworkgroup = "BeyondTrust Workgroup"
rejectnullpasswords = 0
requestuser = "root"
rlimit_as = -1
rlimit_core = 0
rlimit_cpu = -1
rlimit_data = -1
rlimit_fsize = -1
rlimit_locks = -1
rlimit_memlock = 65536
rlimit_nofile = 1024
rlimit_nproc = 7784
rlimit_rss = -1
rlimit_stack = 10485760
rule = 3
runargv = {"whoami"}
runbkgd = 0
runcommand = "whoami"
runcwd = "/root"
runeffectiveuser = "root"
runenablerlimits = 0
runenv = {"HOSTNAME=svr1centos63", "TERM=xterm", "SHELL=/bin/bash",
"HISTSIZE=1000", "SSH_CLIENT=192.168.0.155 63282 22", "QTDIR=/usr/lib64/qt-3.3",
"QTINC=/usr/lib64/qt-3.3/include", "SSH_TTY=/dev/pts/1", "USER=root",
"LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=4
0;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=
37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=0
1;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:
*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.
deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:
*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:
*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;3
5:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01
;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v
=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb
=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=
01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv
=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.m
ka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.o
ga=01;36:*.spx=01;36:*.xspf=01;36:", "MAIL=/var/spool/mail/root",
"PATH=/usr/lib64/qt-
3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin",
"PWD=/root", "JAVA_HOME=/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/", "LANG=en_US.UTF-
8", "KDE_IS_PRELINKED=1", "KDEDIRS=/usr", "SSH_ASKPASS=/usr/libexec/openssh/gnome-
ssh-askpass", "HISTCONTROL=ignoredups", "SHLVL=1", "HOME=/root", "LOGNAME=root",
"QTLIB=/usr/lib64/qt-3.3/lib", "CVS_RSH=ssh", "SSH_CONNECTION=192.168.0.155 63282
192.168.0.160 22", "LESSOPEN=|/usr/bin/lesspipe.sh %s", "G_BROKEN_FILENAMES=1",
"_=/usr/local/bin/pbrun"}
rungroup = "root"
rungroups = {"root"}
runhost = "svr1centos63.demo.corp"
runlocalmode = 0
runnice = 0
runoptimizedrunmode = 1
runpid = 18982
runptyflags = 7
runrlimit_as = -1
runrlimit_core = 0
runrlimit_cpu = -1
runrlimit_data = -1
runrlimit_fsize = -1
runrlimit_locks = -1
runrlimit_memlock = 65536
runrlimit_nofile = 1024
runrlimit_nproc = 7784
runrlimit_rss = -1
runrlimit_stack = 10485760
runsolarisproject = ""
runtimeout = 0
runtimeoutoverride = 0
runumask = 18
runuser = "root"
solarisproject = ""
status = 0
submithost = "svr1centos63.demo.corp"
submithostip = "127.0.0.1"
submitlocale = "en_US.UTF-8"
submitpid = 18982
subprocuser = "root"
taskpid = 18995
taskttyname = "/dev/pts/2"
testmaster = 0
time = "11:27:02"
timezone = "EST"
true = 1
ttyname = "/dev/pts/1"
umask = 18
uniqueid = "7f000001568beed64A28"
unixtimestamp = 1452011222
user = "root"
xwinforward = 0
year = 2015
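As an added example (not from the guide or from PowerBroker), the following Python parses a record in the format above into a dictionary, handling quoted strings, integers and the {"..."} list values that wrap across lines, and reduces it to the fields a log reviewer checks first. The sample record is a constructed, abbreviated copy of the whoami record; its user@host header parts are assumed from the record's user, submithost, runuser, runhost and masterhost fields.

```python
import re
from typing import Any, Dict, List

# Constructed, abbreviated record in the format shown above. Field values are taken
# from the guide's whoami example; the user@host parts of the header line are
# assumed from its user/submithost/runuser/runhost/masterhost fields.
SAMPLE_RECORD = """\
Accept 2015/11/05 11:27:02 root@svr1centos63.demo.corp -> root@svr1centos63.demo.corp by svr1centos63.demo.corp
whoami
Command finished with exit status 0
PwrUsers = {"root", "dba"}
StdUsers = {"Ray", "Dan", "Sam", "Amy", "Lee", "demo1", "demo7", "demo8",
"demo9", "oracle", "OracleDBA", "c1kpadmin"}
argc = 1
argv = {"whoami"}
eventlog = "/var/log/pb.eventlog"
exitstatus = "Command finished with exit status 0"
iolog = ""
lineinfile = "/etc/opt/pbul/pb.conf"
linenum = "311"
logserver_utcoffset = "-5.00"
rlimit_as = -1
runargv = {"whoami"}
runcommand = "whoami"
runhost = "svr1centos63.demo.corp"
runuser = "root"
submithost = "svr1centos63.demo.corp"
unixtimestamp = 1452011222
user = "root"
"""

# A field starts at the beginning of a line as:  name = value
FIELD_RE = re.compile(r"^(\w+) = ", re.MULTILINE)
# A quoted string, allowing backslash escapes inside it
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_value(raw: str) -> Any:
    """Convert one field value: {"a", "b"} -> list, "text" -> str, 18 / -1 -> int."""
    raw = raw.strip()
    if raw.startswith("{"):
        return STRING_RE.findall(raw)   # list values may wrap across several lines
    m = STRING_RE.fullmatch(raw)
    if m:
        return m.group(1)
    try:
        return int(raw)
    except ValueError:
        return raw                      # leave anything unexpected as raw text


def parse_event_record(text: str) -> Dict[str, Any]:
    """Parse one Accept/Reject record into a dict; header parts get '_' keys."""
    lines = text.strip().splitlines()
    head = lines[0].split()
    rec: Dict[str, Any] = {"_event": head[0], "_date": head[1], "_time": head[2]}
    # Lines between the header and the first field hold the command and exit text
    body_start = next(i for i, ln in enumerate(lines) if FIELD_RE.match(ln))
    rec["_preamble"] = lines[1:body_start]
    body = "\n".join(lines[body_start:])
    starts = list(FIELD_RE.finditer(body))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        rec[m.group(1)] = parse_value(body[m.end():end])
    return rec


def summarize(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a verbose Accept record to the fields a reviewer looks at first."""
    m = re.search(r"exit status (-?\d+)", rec.get("exitstatus", ""))
    return {
        "event": rec["_event"],
        "when": f"{rec['_date']} {rec['_time']}",
        "requester": f"{rec['user']}@{rec['submithost']}",
        "ran_as": f"{rec['runuser']}@{rec['runhost']}",
        "command": " ".join(rec["runargv"]),
        "policy_rule": f"{rec['lineinfile']}:{rec['linenum']}",
        "session_recorded": bool(rec.get("iolog")),
        "exit_status": int(m.group(1)) if m else None,
    }


def review(rec: Dict[str, Any]) -> List[str]:
    """Points a policy reviewer may want to check on an accepted record."""
    s = summarize(rec)
    notes = []
    if rec.get("eventlog") == "/dev/null":
        notes.append("event logging was suppressed by policy (eventlog = /dev/null)")
    if rec.get("runuser") != rec.get("user"):
        notes.append(f"privilege change: {s['requester']} ran as {s['ran_as']}")
    if rec["_event"] == "Accept" and not s["session_recorded"]:
        notes.append("no iolog set: the session itself was not recorded")
    if s["exit_status"] not in (0, None):
        notes.append(f"command exited with status {s['exit_status']}")
    return notes
```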
Session Recording
Session recording is enabled in a PowerBroker for Unix & Linux policy. It can be enabled per command, per user, per host, during specific time frames, for combinations of these, or based on any other variable that can be referenced on the system during a command request.
As described in the PowerBroker for Unix & Linux Auditing section, this type of auditing is optional: the Policy Creator/Administrator can selectively choose which commands, users, hosts, actions, times and so on are recorded. Session recording is only invoked when the iolog variable is set in the policy, as outlined below.
Auditing this type of data is optional and not within the scope of the Common Criteria evaluation and has not been tested.
Data Type: String
Description: The iolog variable contains the absolute path specification for the current I/O log file. The default value for this variable is undefined, which does no I/O logging. The iolog file can log standard input, standard output, and standard error information that is associated with the current task request.
Syntax: iolog = string;
Valid Values: A string that contains the absolute path specification for the current iolog file. The default value is undefined.
Example: iolog = "/var/log/sample.log";
The location and name of a recorded session can be configured in the policy. For example, you can use variables which are configured or set during normal PowerBroker for Unix & Linux operations to build the path location and name of the file for the recording.
Example:
logtime=strftime("%H:%M");
iolog = "/iologs/"
+ sprintf("%d-%d-%d",month,day,year) + "."
+ logtime + "."
+ split(runhost,".")[0] + "."
+ user + "."
+ basename(command) + "."; # + ".XXXXXX";
setenv("IOLOG", "done");
print("Warning this session is being logged:", iolog);
Recorded sessions can be viewed using the ‘pbreplay’ command. The user will need root level privileges to view the event log, but these rights can be delegated using PowerBroker for Unix & Linux as described later in this document.
Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, iolog, for more information on enabling session recording and creating recordings.
Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, pbreplay, for more information on viewing session recordings.
Session Recording Example
Now we can combine these two features to control who can edit the policy, audit the entire editing session of the policy and also have the audit event records.
if (basename(command) == "editpolicy") {
    logtime = strftime("%H:%M");
    iolog = "/iologs/"
        + sprintf("%d-%d-%d", month, day, year) + "."
        + logtime + "."
        + split(runhost, ".")[0] + "."
        + user + "."
        + basename(command) + ".";  # + ".XXXXXX";
    setenv("IOLOG", "done");
    print("Warning this session is being logged:", iolog);
    runcommand = "vi";
    runargv = split("vi /etc/pb.conf");
    runuser = "root";
    accept;
}
This will allow for the following command:
pbrun editpolicy (or pbrun -h hostname editpolicy)
Which will generate an event log record:
Accept 2015/11/05 12:33:55 [email protected] ->
[email protected] by svr1centos63.demo.corp
vi /etc/pb.conf
Command finished with exit status 0
And produce a session recording on the logging server in the /iologs folder with the current date, time, hostname, username and command (editpolicy) combined to make the file name.
PBLogD Logging Process
The ‘ps’ command can be used to look for running instances of ‘pblogd’ (PowerBroker for Unix & Linux logging daemon).
[root@systemname ~]# ps -ef |grep pblogd
root 21415 1 0 15:39 ? 00:00:00 pblogd -i demo1@svr3centos63 26394 root:/bin/bash
root 21417 15921 0 15:39 pts/1 00:00:00 grep pblogd
You may also use the ‘pbbench’ command to make sure that any/all configured log servers are
[root@systemname ~]# pbbench -l
svr1centos63.demo.corp:port=24347 OK 9.1.0-08
[root@systemname ~]# cat /var/log/messages |grep pblogd
Jan 5 15:43:47 svr1centos63 xinetd[2092]: START: pblogd pid=21453
from=::ffff:127.0.0.1
Jan 5 15:43:47 svr1centos63 xinetd[2092]: EXIT: pblogd status=0 pid=21453
duration=0(sec)
All of the above commands being executed as root can be delegated using the policy and pbrun as described above.
Audit Record Breakdown
The Standard Protection Profile for Enterprise Security Management Access Control and the Standard Protection Profile for Enterprise Security Management Policy Management require audit generation for specific security functional requirements, as identified in the security target.
Not all audit records identified in the security target are applicable, since BeyondTrust PowerBroker UNIX + Linux Edition V9 is both a policy management product and an access control product. Examples of the applicable audit records and their format are identified below.
Each entry below identifies the Component, the audited Event, the Additional Information recorded and an Example Audit record.
Component: ESM_ACD.1
Event: Creation or modification of policy
Additional Information: Unique policy identifier
Example Audit: The audit record entry records the creation or modification of the policy. The policy is identified as "/etc/pb/pbul_functions.conf".
"hostname":"pbul-qa-aix61-01.unix.symark.com",
"evtname":"file_import",
"service":"pbdbutil9.1.0-08",
"who":"root",
"severity":16,
"utc":"2015-12-07 14:59:11",
"progname":"pbdbutil9.1.0-08",
"version":"9.1.0-08",
"arch":"rs6000_aixC",
"data":{
    "fname":"/etc/pb/pbul_functions.conf",
    "msg":"Innitial import",
    "version":1,
    "sid":8978524,
    "pid":10420340,
    "uid":0}
Audit Record Location: Configuration Database
Component: ESM_ACT.1 [ESM_PM]
Event: Transmission of policy to Access Control products
Additional Information: Destination of policy
Example Audit: Policies are not transmitted; instead policies are stored centrally and requests are made against the central policy. Requests from the Submit Host (the Access Control portion of the TOE) are transmitted to the Master Host (the Policy Management portion of the TOE). If the task is ACCEPTED by the policy, the Master Host transmits the secure task to the Run Host (the Access Control portion of the TOE). The event log captures the entire process in the Event Log Accept record. The ACCEPT record captures the identification of the requesting user, and each TOE component is identified.
Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command) and the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). The name of the policy in effect (lineinfile '/etc/pb/pbul_functions.conf') verifies that the latest and correct policy is in effect.
Name of User Requesting the Privileged Command
'SUDO_USER=cctester'
cwd '/home/cctester'
Submit Host Identification
TargetSubmitHostShortName 'CC-PowerBroker-Client'
submithost 'CC-PowerBroker-Client'
submithostip '10.0.2.20'
clienthost '10.0.2.20'
Run Host Identification
pblocaldnodename 'CC-PowerBroker-RunHost'
runhost 'CC-PowerBroker-RunHost'
Master Host Identification
pbmasterdnodename 'CC-PowerBroker-Master2'
masterhost '10.0.2.11'
masterhostip '10.0.2.11'
Type of Command
event 'Accept'
Requested Elevated Command
command 'whoami'
Successful Execution of the Command
event 'Finish'
exitdate '2016/06/27'
exitstatus 'Command finished with exit status 0'
Location of the Audit Record
eventlog '/var/log/pb.eventlog'
Name of the Policy in Effect
lineinfile '/etc/pb/pbul_functions.conf'
Audit Record Location: Event Log
Component: ESM_EAU.2 [ESM_PM]
Event: All use of the authentication mechanism
Additional Information: None
Example Audit: The ACCEPT Event Log record below captures the successful authentication of “root” via the browser interface GUI.
Accept 2015/12/07 15:50:04
root pbul-qa-hpux11v3-01.unix.symark.com
root 172.20.31.66
pbul-qa-hpux11v3-01.unix.symark.com
/usr/sbin/pbguid log Authorized
Audit Record Location: Event Log
Component: FAU_GEN.1
Event: Start-up of the audit functions
Additional Information: None
Example Audit:
Dec 8 11:33:08 pbul-qa-hpux11v3-01 inetd[3821]: pblogd/tcp: Added service, server /usr/sbin/pblogd
Audit Record Location:
/var/log/syslog (on Linux)
/var/adm/syslog (on Unix)
Component: FAU_GEN.1
Event: Shut-down of the audit functions
Additional Information: None
Example Audit:
Dec 8 11:39:18 pbul-qa-hpux11v3-01 inetd[3821]: Going down on signal 15
Audit Record Location:
/var/log/syslog (on Linux)
/var/adm/syslog (on Unix)
Component: FAU_SEL.1 [ESM_AC]
Event: All modifications to audit configuration
Additional Information: None
Example Audit: The audit record below captures the audit configuration modified by the “logomit” command.
"hostname": "pbul-qa-aix61-01.unix.symark.com",
"evtname": "file_import",
"service": "pbdbutil9.2.0-08",
"who": "root",
"severity": 16,
"utc": "2016-05-24 17:17:48",
"progname": "pbdbutil9.1.0-08",
"version": "9.1.0-08",
"arch": "rs6000_aixC",
"data": {
    "fname": "/etc/pb.conf",
    "msg": "Logomit Added",
    "version": 3,
    "sid": 6226020,
    "pid": 4718624,
    "uid": 0}
Audit Record Location: Configuration Database
Component: FAU_SEL_EXT.1 [ESM_PM]
Event: All modifications to audit configuration
Additional Information: None
Example Audit: The audit record below captures the audit configuration modified by the “logomit” command.
"hostname": "pbul-qa-aix61-01.unix.symark.com",
"evtname": "file_import",
"service": "pbdbutil9.2.0-08",
"who": "root",
"severity": 16,
"utc": "2016-05-24 17:17:48",
"progname": "pbdbutil9.1.0-08",
"version": "9.1.0-08",
"arch": "rs6000_aixC",
"data": {
"fname": "/etc/pb.conf",
"msg": "Logomit Added",
"version": 3,
"sid": 6226020,
"pid": 4718624,
"uid": 0}
Audit Record Location: Configuration Database
Component: FAU_STG_EXT.1 [ESM_PM], [ESM_AC]
Event: Establishment and disestablishment of communications with audit server
Additional Information: Identification of audit server
Example Audit: The audit record captures the establishment of communication with the pblogd audit server.
Dec 8 11:33:08 pbul-qa-hpux11v3-01 inetd[3821]: pblogd/tcp: Added service, server /usr/sbin/pblogd
Audit Record Location: Configuration Database
Component: FCO_NRR.2 [ESM_AC]
Event: The invocation of the non-repudiation service
Additional Information: Identification of the information, the destination, and a copy of the evidence provided
Example Audit: Policies are not transmitted; instead policies are stored centrally and requests are made against the central policy. Requests from the Submit Host (the Access Control portion of the TOE) are transmitted to the Master Host (the Policy Management portion of the TOE). If the task is ACCEPTED by the policy, the Master Host transmits the secure task to the Run Host (the Access Control portion of the TOE). The event log captures the entire process in the Event Log Accept record. The ACCEPT record captures the identification of the requesting user, and each TOE component is identified.
Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command) and the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). A copy of the evidence provided is verified by the successful execution of the command (event 'Finish', exitdate '2016/06/27', exitstatus 'Command finished with exit status 0').
Name of User Requesting the Privileged Command
'SUDO_USER=cctester'
cwd '/home/cctester'
Submit Host Identification
TargetSubmitHostShortName 'CC-PowerBroker-Client'
submithost 'CC-PowerBroker-Client'
submithostip '10.0.2.20'
clienthost '10.0.2.20'
Run Host Identification
pblocaldnodename 'CC-PowerBroker-RunHost'
runhost 'CC-PowerBroker-RunHost'
Master Host Identification
pbmasterdnodename 'CC-PowerBroker-Master2'
masterhost '10.0.2.11'
masterhostip '10.0.2.11'
Type of Command
event 'Accept'
Requested Elevated Command
command 'whoami'
Successful Execution of the Command
event 'Finish'
exitdate '2016/06/27'
exitstatus 'Command finished with exit status 0'
Location of the Audit Record
eventlog '/var/log/pb.eventlog'
Name of the Policy in Effect
lineinfile '/etc/pb/pbul_functions.conf'
Audit Record Location: Event Log
Component: FDP_ACC.1(1), (2) [ESM_AC]
Event: Any changes to the enforced policy or policies
Additional Information: Identification of Policy Management product making the change
Example Audit: The audit record captures the policy "/etc/pb/pbul_functions.conf" modification.
"hostname":"pbul-qa-spsol11-01.unix.symark.com",
"evtname":"file_import",
"service":"pbdbutil9.1.0-08",
"who":"root",
"severity":16,
"utc":"2015-12-07 15:21:17",
"progname":"pbdbutil9.1.0-08",
"version":"9.1.0-08",
"arch":"sparc_solarisD",
"data":{
"version":2,
"fname":"/etc/pb/pbul_functions.conf",
"msg":"Policy Changed",
"sid":15438,
"pid":15484,
"uid":0}
Audit Record Location: Configuration Database
Component: FDP_ACF.1(1), (2) [ESM_AC]
Event: All requests to perform an operation on an object covered by the SFP
Additional Information: Subject identity, object identity, requested operation
Example Audit: Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command) and the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). The name of the policy in effect (lineinfile '/etc/pb/pbul_functions.conf') verifies that the latest and correct policy is in effect.
The subject “cctester” is requesting access to run the elevated command 'whoami'.
Name of User Requesting the Privileged Command
'SUDO_USER=cctester'
cwd '/home/cctester'
Submit Host Identification
TargetSubmitHostShortName 'CC-PowerBroker-Client'
submithost 'CC-PowerBroker-Client'
submithostip '10.0.2.20'
clienthost '10.0.2.20'
Run Host Identification
pblocaldnodename 'CC-PowerBroker-RunHost'
runhost 'CC-PowerBroker-RunHost'
Master Host Identification
pbmasterdnodename 'CC-PowerBroker-Master2'
masterhost '10.0.2.11'
masterhostip '10.0.2.11'
Type of Command
event 'Accept'
Requested Elevated Command
command 'whoami'
Successful Execution of the Command
event 'Finish'
exitdate '2016/06/27'
exitstatus 'Command finished with exit status 0'
Name of the Policy in Effect
lineinfile '/etc/pb/pbul_functions.conf'
Audit Record Location: Event Log
Component: FMT_MOF.1 [ESM_PM], [ESM_AC]
Event: All modifications to TSF behavior
Additional Information: None
Example Audit: The audit record captures the policy "/etc/pb/pbul_functions.conf" modification.
"hostname": "pbul-qa-hpux11v3-01.unix.symark.com",
"evtname": "file_import",
"service": "pbdbutil9.1.0-08",
"who": "root",
"severity": 16,
"utc": "2015-12-07 16:09:25",
"progname": "pbdbutil9.1.0-08",
"version": "9.1.0-08",
"arch": "ia64_hpuxA",
"data": {
    "version": 1,
    "fname": "/etc/pb/pbul_functions.conf",
    "msg": "Policy Modified",
    "sid": 23198,
    "pid": 24697,
    "uid": 0}
Audit Record Location: Configuration Database
Component: FMT_SMF.1 [ESM_PM], [ESM_AC]
Event: Use of the management functions
Additional Information: Management function performed
Example Audit: The audit record captures the management function of the creation of the "/etc/pb/pbul_functions.conf" policy.
"hostname":"pbul-qa-spsol11-01.unix.symark.com",
"evtname":"file_import",
"service":"pbdbutil9.1.0-08",
"who":"root",
"severity":16,
"utc":"2015-12-07 15:15:21",
"progname":"pbdbutil9.1.0-08",
"version":"9.1.0-08",
"arch":"sparc_solarisD",
"data":{
    "msg":"New Policy Created",
    "fname":"/etc/pb/pbul_functions.conf",
    "version":7,
    "sid":15438,
    "pid":15469,
    "uid":0}
Audit Record Location: Configuration Database
Component: FMT_SMR.1 [ESM_PM]
Event: Modifications to the members of the management roles
Additional Information: None
Example Audit: This is an audit record from importing the policy file, thus applying the policy. The policy file is what controls who can perform the management functions.
"hostname":"pbul-qa-aix61-01.unix.symark.com",
"evtname":"file_import",
"service":"pbdbutil9.1.0-08",
"who":"root",
"severity":16,
"utc":"2015-12-07 14:59:11",
"progname":"pbdbutil9.1.0-08",
"version":"9.1.0-08",
"arch":"rs6000_aixC",
"data":{
"fname":"/etc/pb/pbul_functions.conf",
"msg":"Innitial import",
"version":1,
"sid":8978524,
"pid":10420340,
"uid":0}
Audit Record Location: Configuration Database
Component: FPT_FLS_EXT.1 [ESM_AC]
Event: Failure of communication between the TOE and Policy Management product
Additional Information: Identity of the Policy Management product, reason for the failure
Example Audit:
Dec 4 12:34:36 pbul-qa-spsol11-01 pbmasterd9.1.0-08: [ID 702911 auth.error] [14388] 8540.2 client on pbul-qa-hpux11v3-01.unix.symark.com is not SSL enabled
Audit Record Location:
/var/log/pbmasterd.log (on Linux)
/var/adm/pbmasterd.log (on Unix)
Component: FTP_ITC.1 [ESM_AC]
Event: All use of trusted channel functions
Additional Information: Identity of the initiator and target of the trusted channel
Example Audit: The ACCEPT Event Log entry captures the use of the trusted channel functions. Portions of the ACCEPT Event Log entry that are applicable to this audit requirement are provided below.
These two fields in the Event Log entry identify the initiator and target of the trusted channel: the IP address of the remote LDAP server and the user attempting to authenticate to LDAP over the trusted channel are recorded.
LDAPServer "10.42.215.74"
LDAPUser "tester"
Portions of the ACCEPT Event Log entry that are applicable to this audit requirement are provided below. These fields in the Event Log entry identify the internal TOE component communications; the identity of the initiator and the targets of the trusted channel are recorded.
Name of User Requesting the Privileged Command
'SUDO_USER=cctester'
cwd '/home/cctester'
Submit Host Identification
TargetSubmitHostShortName 'CC-PowerBroker-Client'
submithost 'CC-PowerBroker-Client'
submithostip '10.0.2.20'
clienthost '10.0.2.20'
Run Host Identification
pblocaldnodename 'CC-PowerBroker-RunHost'
runhost 'CC-PowerBroker-RunHost'
Master Host Identification
pbmasterdnodename 'CC-PowerBroker-Master2'
masterhost '10.0.2.11'
masterhostip '10.0.2.11'
Type of Command
event 'Accept'
Successful Execution of the Command
event 'Finish'
exitdate '2016/06/27'
exitstatus 'Command finished with exit status 0'
Location of the Audit Record
eventlog '/var/log/pb.eventlog'
Name of the Policy in Effect
lineinfile '/etc/pb/pbul_functions.conf'
Audit Record Location: Event Log
Component: FTP_TRP.1 [ESM_PM]
Event: All attempted uses of the trusted path functions
Additional Information: Identification of user associated with all trusted path functions, if available
Example Audit: Portions of the ACCEPT Event Log entry that are applicable to this audit requirement are provided below. The Event Log entry records the identification of the user associated with the trusted path function.
Accept 2015/12/07 15:50:04
root CC-PowerBroker-Client
root CC-PowerBroker-Master
CC-PowerBroker-Master /usr/sbin/pbguid log Authorized
Audit Record Location: Event Log
Server Tracking Audit Information
All event log entries and each individual recorded session contain a set of headers that record details about the Log Server, so you can track information such as the server name, IP address, SSL certificate details, version, time zone and more:
pblogdcertificateissuer =
"/C=US/ST=AZ/L=Phoenix/O=BeyondTrust/OU=PowerBroker/CN=centos7.demo.corp"
pblogdcertificatesubject =
"/C=US/ST=AZ/L=Phoenix/O=BeyondTrust/OU=PowerBroker/CN=centos7.demo.corp"
pblogdmachine = "x86_64"
pblogdnodename = "centos7.demo.corp"
pblogdrelease = "3.10.0-229.11.1.el7.x86_64"
pblogdsysname = "Linux"
pblogdversion = "#1 SMP Thu Aug 6 01:06:18 UTC 2015"
eventlog = "/var/log/pb.eventlog"
iolog = "/var/log/pbsudo/centos7-client.demo.corp-pbsudo-io.XXXXXX"
iolog_list = {"centos7.demo.corp:/var/log/pbsudo/centos7-client.demo.corp-pbsudo-io.joZema"}
iolog_part = 1
logdversion = "9.2.0-08"
loghostip = "192.168.0.163"
lognopassword = 1
logpid = 17259
logport = "24347"
logserver_utcoffset = "-4.00"
logserverlocale = "en_US.UTF-8"
logservers = {"centos7.demo.corp"}
logstderr = 1
logstdin = 1
logstdout = 1
In addition, the audit entry header of each event log entry and each recorded session contains information on all components that participated in the action: the Submit Host, the Run Host, the Master Host (Policy Server) and the Log Host (Logging Server). Here is an example of the information contained in the headers:
host = "centos7-client.demo.corp"
clienthost = "centos7-client.demo.corp"
clienthost_uuid = "83c2c51d-0e38-481f-970a-8a03b057835d"
clienthost_uuid_created = 0
loghostip = "192.168.0.163"
masterhost = "centos7.demo.corp"
masterhostip = "192.168.0.163"
runhost = "centos7-client.demo.corp"
submithost = "centos7-client.demo.corp"
submithostip = "192.168.0.164"
Additional Audit Functions and Change Management
An optional feature exists in PowerBroker for Unix & Linux to move key configuration, settings and policy files to a version controlled database, including auditing of activities such as the creation of new files and version changes in controlled files.
To enable the configuration database, the administrator needs to import a file (any file, but preferably an important control file such as pb.conf or pb.settings) using the pbdbutil command, with the --cfg parameter and -i flag to initiate an import.
IMPORTANT: Before moving any files into the configuration database, if change tracking is required, ensure the following two lines are added to the end of the pb.settings file first:
changemanagementevents yes
eventdb /etc/pbevents.db
Change management is not enforced or enabled by default, but is required to meet the requirements outlined in the Common Criteria requirements document. When any file is added to the configuration database using the pbdbutil command, PowerBroker for Unix & Linux will automatically handle the creation of the database and appropriate configuration for version control and file tracking. For example, to take /etc/pb.settings and /etc/pb.conf under management, enter the following commands:
[root@centos7 etc]# pbdbutil --cfg -i /etc/pb.settings
{"fname":"/etc/pb.settings","version":1}
[root@centos7 etc]# pbdbutil --cfg -i /etc/pb.conf
{"fname":"/etc/pb.conf","version":1}
The imported files that are being managed can then be viewed using the -l flag (list) as shown below:
[root@centos7 etc]# pbdbutil --cfg -l
{"version":1,"pathname":"/etc/pb.conf","deleted":0,"created":"2016-04-21 11:34:15"}
{"version":1,"pathname":"/etc/pb.settings","deleted":0,"created":"2016-04-21 11:34:09"}
[root@centos7 etc]#
A detailed transaction log of additions, updates and deletions can be shown using the change event log as follows:
pbdbutil --evt -s '{ "taxonomy" : "chgmgt" }'
The same data can be shown broken out using the ‘Printable’ switch to make each event easier to read:
pbdbutil --evt -P -s '{ "taxonomy" : "chgmgt" }'
Below is an example audit record showing the settings file being updated:
"hostname": "centos7.demo.corp",
"evtname": "file_import",
"service": "pbdbutil9.2.0-08",
"who": "root",
"severity": 16,
"utc": "2016-04-26 21:43:18",
"progname": "pbdbutil9.2.0-08",
"version": "9.2.0-08",
"arch": "x86_64_linuxA",
"data": {
    "fname": "/etc/pb.settings",
    "version": 6,
    "msg": "New example comment added",
    "sid": 9354,
    "pid": 4761,
    "uid": 0}
Below is an example command showing the differences between V5 (the old version) and V6 (the new version); the added comment line is the one prefixed with + in the output:
[root@centos7 etc]# pbdbutil --cfg -D /etc/pb.settings -V5:6
*** /tmp/.pbdiff_Ja9ruT 2016-04-26 21:47:31.351401559 -0400
--- /tmp/.pbdiff_DczUEd 2016-04-26 21:47:31.350401541 -0400
***************
*** 5,10 ****
--- 5,11 ----
# daemons: /usr/sbin
# pbinstall: /BT/powerbroker/v9.2/pbx86_64_linuxA-9.2.0-08/install/pbinstall
# TMPDIR: /tmp/beyondtrust_pbinstall
+ # Comment added for change event tracking example
kerberos no
#mprincipal pbmasterd
#lprincipal pblocald
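Review bot: the hunk headers '*** 5,10 ****' and '--- 5,11 ----' show that the only difference between V5 and V6 is the single added line '+ # Comment added for change event tracking example'; 'kerberos no' and the commented principal lines are unchanged context, so this version bump changes no setting. When reviewing a real pb.settings change, check that every added or removed line is accounted for by the msg field of the matching file_import event (here "New example comment added") before accepting the new version.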
For a detailed breakdown of the data types and data that is stored in the change management database, please see Appendix B: Change Management Event Log Fields.
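As an added example (written here, not part of the guide or of pbdbutil), the following Python first checks a pb.settings fragment for the two change-tracking lines required above, then walks exported chgmgt file_import events and flags version gaps (a missing change event) and imports by anyone other than uid 0. The one-JSON-object-per-line layout of the export, the hostname and the non-root importer are assumptions; the sample settings and events are constructed.

```python
import json
from typing import Dict, List, Tuple

# Constructed pb.settings fragments: the first lacks the two change-tracking lines.
SETTINGS_WITHOUT_TRACKING = """\
# daemons: /usr/sbin
kerberos no
"""
SETTINGS_WITH_TRACKING = SETTINGS_WITHOUT_TRACKING + """\
changemanagementevents yes
eventdb /etc/pbevents.db
"""

# Constructed change events, one JSON object per line (assumed export layout), in
# the shape of the file_import records shown above; hostnames/users are made up.
SAMPLE_EVENTS = """\
{"hostname":"master.example","evtname":"file_import","service":"pbdbutil9.2.0-08","who":"root","severity":16,"utc":"2016-04-21 11:34:09","data":{"fname":"/etc/pb.settings","version":1,"msg":"Initial import","uid":0}}
{"hostname":"master.example","evtname":"file_import","service":"pbdbutil9.2.0-08","who":"root","severity":16,"utc":"2016-04-21 11:34:15","data":{"fname":"/etc/pb.conf","version":1,"msg":"Initial import","uid":0}}
{"hostname":"master.example","evtname":"file_import","service":"pbdbutil9.2.0-08","who":"root","severity":16,"utc":"2016-04-26 21:43:18","data":{"fname":"/etc/pb.settings","version":2,"msg":"New example comment added","uid":0}}
{"hostname":"master.example","evtname":"file_import","service":"pbdbutil9.2.0-08","who":"admin2","severity":16,"utc":"2016-04-27 08:02:41","data":{"fname":"/etc/pb.conf","version":3,"msg":"Policy Changed","uid":1001}}
"""


def check_change_tracking(settings_text: str) -> List[str]:
    """Return the problems that would stop change events being recorded."""
    values: Dict[str, str] = {}
    for line in settings_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # keyword, then the rest of the line
        if len(parts) == 2:
            values[parts[0].lower()] = parts[1].strip()   # keyword case assumed insensitive
    problems = []
    if values.get("changemanagementevents", "").lower() != "yes":
        problems.append("changemanagementevents is not set to yes")
    if not values.get("eventdb"):
        problems.append("eventdb is not set")
    return problems


def review_change_events(event_lines: str) -> Tuple[Dict[str, List[int]], List[str]]:
    """Group file_import events per file; flag version gaps and non-root importers."""
    by_file: Dict[str, List[int]] = {}
    findings: List[str] = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("evtname") != "file_import":
            continue
        d = ev["data"]
        by_file.setdefault(d["fname"], []).append(d["version"])
        if d.get("uid") != 0:
            findings.append(
                f"{d['fname']} v{d['version']} imported by {ev['who']} "
                f"(uid {d['uid']}) at {ev['utc']}"
            )
    for fname, versions in by_file.items():
        versions.sort()
        # Each import bumps the version by one; a larger step means an event is missing
        for prev, cur in zip(versions, versions[1:]):
            if cur != prev + 1:
                findings.append(f"{fname}: version {prev} -> {cur}, intermediate change event missing")
    return by_file, findings
```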
Configuration Files
Used During Testing/Creation of Supplementary Guide.
Policy Files
The following files were used during the testing of PowerBroker for Unix & Linux to ensure that all the requirements laid out in the common criteria template were met by the solution. These files are environment specific and should be used as examples only.
Note: If communication to the Master Host and its policy is unavailable, the default action is to deny all pbrun requests.
Example File Index:
Root Policy (pb.conf)
Main Policy (pbul_policy.conf)
Functions (pbul_functions.conf)
LDAP Policy (ldap.conf)
RADIUS Policy (pam_radius_auth.conf)
RADIUS PAM Config (pbul_pam_radius)
Root Policy File (/etc/pb.conf)
include '/etc/pb/pbul_policy.conf';
#include '/etc/pb/pbul_gui.conf';
#ldap_open("cc-powerbroker-ldap");
Main Policy File (pbul_policy.conf)
include '/etc/pb/pbul_functions.conf';
#===========================================================================
# Copyright 2013 by BeyondTrust Software International, Inc.
# All rights reserved.
# pbul_policy.conf
# Version: 1.0
#
# This default role-based policy is provided as a simple default policy for PowerBroker.
# For each role defined, you can add additional users, commands and hosts to the lists pre-defined for each role.
#
# It contains the following roles:
#
# Helpdesk role:
# Enabled by default, when invoking "pbrun helpdesk" it allows any user in HelpdeskUsers (default 'root')
# to initiate a Helpdesk Menu as 'root' on any host in HelpdeskHosts (default submithost only)
# Helpdesk Menu of actions comprising
# - List of processes (ps -ef)
# - Check if a machine is up (ping <host>)
# - List current users on this host (who -H)
# - Display Host's IP settings (ifconfig -a)
#
# PBTest:
# Enabled by default, for all users on all hosts, "pbrun pbtest" allows checking connectivity and policy.
#
# Controlled Shells:
# Enabled by default, allows users in ControlledShellUsers (by default the submituser),
# for runhosts in ControlledShellHosts (by default only submithost), to enable iologging for pbksh/pbsh.
# iologs are created by default in "/tmp/pb.<user>.<runhost>.<YYYY-MM-DD>.[pbksh|pbsh].XXXXXX"
# This role has a list of commands (empty by default) to elevate privileges for, as well as
# a list of commands (empty by default) to reject.
#
# Admin role:
# Enabled by default, allows users in AdminUsers (by default 'root') to run any command on runhosts in AdminHosts
# (by default only submithost)
#
# Demo role:
# Disabled by default, allows users in DemoUsers (default all users) to run commands in
# DemoCommands (default 'id' and 'whoami') as 'root' on any host in DemoHosts (default all hosts)
#
#
# The policy ends by allowing all users to run any command as themselves without any privilege escalation.
#
#
#TargetRunHostShortName = split(runhost, ".")[0];
TargetRunHostShortName = "CC-PowerBroker-RunHost";
runhost = "10.0.2.24";
TargetSubmitHostShortName = split(submithost, ".")[0];
#
# This enables "HelpDesk role", which allows any user in HelpdeskUsers (default 'root') to initiate a Helpdesk Menu as 'root'
# on any host in HelpdeskHosts (default submithost only)
# By default this role is enabled. To disable this set EnableHelpdeskRole to false below.
#
#EnableHelpdeskRole = true;
#HelpdeskUsers = {"root"};
#HelpdeskHosts = {submithost, TargetSubmitHostShortName};
#HelpdeskRole();
#
# This enables a command 'pbtest' which, when invoked with pbrun, allows checking connectivity and policy.
# By default this role is enabled. To disable this set EnablePBTest to false
#
EnablePBTest = true;
PBTest();
#
# This enables "ControlledShell role", which turns on iologging for any user in ControlledShellUsers (default all users)
# on any host in ControlledShellHosts (default all run hosts) when running pbksh and pbsh.
# By default, this role is enabled. To disable this set EnableControlledShellRole to false below.
#
# Two variables are defined for this role:
# List variable ControlledShellRejectedCmds - List of rejected commands (empty by default)
# If you want any specific command to be rejected during the pbksh/pbsh session, add the command to the list below
# For example:
# ControlledShellRejectedCmds = {"rm", "mv"};
#
# List variable ControlledShellPrivilegedCmds - List of commands to elevate privileges for (empty by default)
# If you want any specific command to run with elevated privileges during the pbksh/pbsh session, add the command to the list below
# For example:
# ControlledShellPrivilegedCmds = {"id", "reboot"};
#
#
EnableControlledShellRole = true;
#ControlledShellUsers = {user};
#ControlledShellHosts = {runhost, TargetRunHostShortName};
#ControlledShellRejectedCmds = {};
#ControlledShellPrivilegedCmds = {};
#ControlledShellRole();
#
# This enables "Admin role", which allows root (or any user in AdminUsers) to run any command on the current host (or any host in AdminHosts)
# By default this role is enabled. To disable this set EnableAdminRole to false below.
#
EnableAdminRole = true;
AdminUsers = {"root"};
AdminHosts = {submithost};
AdminRole();
#
# This enables "Demo role", which allows any user in DemoUsers (default all users) to run commands in DemoCommands (default 'id' and 'whoami') as 'root'
# on any host in DemoHosts (default all hosts)
# By default, this role is disabled. To enable this set EnableDemoRole to true below.
#
# IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
#
#EnableDemoRole = false;
#DemoUsers = {user};
#DemoCommands = {"id", "whoami"};
#DemoHosts = {runhost, TargetRunHostShortName};
#DemoRole();
# If here, the user will only have the permissions to run commands as itself on the submithost.
#if ( submithost == runhost || pbclientmode == 'pbssh' )
#{
# SetRunEnv(runuser, false);
# accept;
#}
EnableCCRole = true;
CCUsers = {user};
PrivlidgedLDAPUsers = {"tester","othertester"};
PrivlidgedRadiusUsers = {"beyondtrustuser","beyondtrustuser2"};
LDAPCommands = {"vi", "gedit","rm","chmod","cat","kill"};
RadiusCommands = {"cat","top","ps","kill"};
FileCommands = {"vi", "gedit", "rm", "cat"};
CCHosts = {runhost, TargetRunHostShortName, submithost, TargetSubmitHostShortName};
CCRole();
Functions Policy File (pbul_functions.conf)
# Copyright 2013 by BeyondTrust Software International, Inc.
# All rights reserved.
# pbul_functions.conf
# Version: 1.0
#
# Procedures used in pbul_policy.conf
#
#
# The procedure SetRunEnv sets the run environment for a particular
# runuser. The procedure accepts two arguments: the runuser, and a flag
# (SetRunCommand) which, when true, also pins runcommand to basename(command).
# To call the procedure:
# SetRunEnv("root", true);
#
function SetRunEnv(RunUserName, SetRunCommand) {
runuser = RunUserName;
rungroup = "!g!";
rungroups = {"!G!"};
runcwd = "!~!";
setenv("SHELL", "!!!");
setenv("HOME", "!~!");
setenv("USER", RunUserName);
setenv("USERNAME", RunUserName);
setenv("LOGNAME", RunUserName);
setenv("PWD", runcwd);
setenv("PATH", "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin");
keepenv("SHELL", "HOME", "USER", "USERNAME", "LOGNAME", "PWD", "PATH");
SetRunEnv=runuser;
if ( SetRunCommand == true )
{
# Setting runcommand to basename(command) forces the 'command' path to be part of PATH
# and prevents the user from executing a command from a different path.
runcommand=basename(command);
}
if ( runuser == 'root' )
runsecurecommand=true;
}
#
# Procedure PBTest:
# This is a debugging test that can test the network connectivity and host name resolution.
# Invocation: pbrun pbtest
#
procedure PBTest(){
if ( EnablePBTest && basename(command) == "pbtest" ) {
SetRunEnv(user, true);
print(" clienthost:", clienthost);
print("clienthostip:", ipaddress(clienthost));
print(" host:", host);
print(" hostip:", ipaddress(host));
print(" masterhost:", masterhost);
print("masterhostip:", ipaddress(masterhost));
print(" runhost:", runhost);
print(" runhostip:", ipaddress(runhost));
print(" submithost:", submithost);
print("submithostip:", submithostip);
print(" requestuser:", requestuser);
print(" runuser:", runuser);
print(" user:", user);
# policysetenv("LDAPCONF","/etc/ldap.conf");
connid=ldap_initialize("ldap://10.42.215.124",3);
if(length(connid)<1){
print("Can't connect to LDAP server");
reject("");
}
print("echo","Policy and network connections are OK.");
result = ldap_bind(connid,"cn=CCTL Tester, cn=Users, dc=ccmstest, dc=com","Pa55w*rd");
unset("Pa55w*rd");
if(result!=0){
print("Can't bind to LDAP server");
reject("");
}
search = ldap_search(connid,"cn=Computers, dc=ccmstest, dc=com", "subtree", "cn="+submithost,{},0);
if(ldap_entry_count(search)==0)
{
print("This user does not have the proper permissions");
ldap_unbind(connid);
reject("");
}
print(search);
ldap_unbind(connid);
# result = getuserpasswdpam("beyondtrustuser", "pbul_pam_radius", "Please enter radius Password: ");
# if(result!=true){
# print("Can't authenticate radius user");
# reject("");
# }
# runcommand="echo";
# runargv = {"echo","Policy and network connections are OK."};
# #runuser="root";
accept;
}
}
#
# Procedure AdminRole:
# If 'EnableAdminRole' is enabled, it allows any user in AdminUsers list to run any command on hosts in AdminHosts
#
procedure AdminRole()
{
if ( EnableAdminRole && user in AdminUsers && (submithost in AdminHosts) &&
basename(command) == "passwd" )
{
SetRunEnv("root", false);
accept;
}
}
#
# Procedure DemoRole:
# If 'EnableDemoRole' is enabled, it allows any user in DemoUsers (default all users) to run commands in DemoCommands (default 'id' and 'whoami') as 'root'
#
#procedure DemoRole()
#{
# if ( EnableDemoRole && user in DemoUsers && (runhost in DemoHosts || TargetRunHostShortName in DemoHosts) && basename(command) in DemoCommands )
# {
# SetRunEnv("root", true);
# accept;
# }
#}
procedure CCRole()
{
if ( EnableCCRole && user in CCUsers && (runhost in CCHosts ||
TargetRunHostShortName in CCHosts || submithost in CCHosts))
{
AuthType= input("Authenticate as an LDAP or RADIUS user: ");
if(AuthType=="LDAP"||AuthType=="ldap"){
policysetenv("LDAPCONF","/etc/ldap.conf");
connid=ldap_initialize("ldap://10.42.215.124",3);
if(length(connid)<1){
print("Can't connect to LDAP server");
reject("");
}
print("Policy and network connections are OK.");
LDAPUser=input("Enter LDAP username: ");
Password=input("Enter LDAP password: ");
result = ldap_bind(connid,"cn="+LDAPUser+", cn=Users, dc=ccmstest, dc=com",Password);
if(result!=0){
print("LDAP Authentication Failed");
reject("");
}
#search = ldap_search(connid,"cn="+submithost+", cn=Computers, dc=ccmstest, dc=com", "subtree", "cn="+submithost,{},0);
#if(ldap_entry_count(search)==0)
#{
# print("This user does not have the proper permissions");
# ldap_unbind(connid);
# reject("");
#}
if(LDAPUser in PrivlidgedLDAPUsers && basename(command) in LDAPCommands){
if(command in FileCommands){
if(argv[1]=="/etc/file.file"||argv[1]=="/etc/pb.settings"){
SetRunEnv("root", true);
ldap_unbind(connid);
accept;
}else{
print("This user does not have the proper permissions");
ldap_unbind(connid);
reject("");
}
}else if(command == "kill"){
if(argv[1] == "-9"&& user != "othertester"){
SetRunEnv("root", true);
ldap_unbind(connid);
accept;
}else{
print("This user does not have the proper permissions");
ldap_unbind(connid);
reject("");
}
}else{
SetRunEnv("root", true);
ldap_unbind(connid);
accept;
}
}
else{
print("This user does not have the proper permissions");
ldap_unbind(connid);
reject("");
}
ldap_unbind(connid);
}else if(AuthType=="RADIUS"||AuthType=="Radius"||AuthType=="radius"){
RadiusUser= input("Enter RADIUS username: ");
result = getuserpasswdpam(RadiusUser, "pbul_pam_radius","Enter radius password below");
if(result!=true){
print("Radius Authentication Failed");
reject("");
}
if(RadiusUser in PrivlidgedRadiusUsers && basename(command) in RadiusCommands){
if(command in FileCommands){
if(argv[1] =="/etc/file2.file2"){
SetRunEnv("root", true);
accept;
}else{
print("This user does not have the proper permissions");
reject("");
}
}else if(RadiusUser=="beyondtrustuser2"){
SetRunEnv("root", true);
accept;
}else{
print("This user does not have the proper permissions");
reject("");
}
}
else{
print("This user does not have the proper permissions");
reject("");
}
}else{
print("Invalid Authentication Type");
reject("");
}
}
}
#
# Procedure HelpdeskRole:
# If 'EnableHelpdeskRole' is enabled, it allows any user in HelpdeskUsers (default 'root') to run commands in a Helpdesk menu
#
procedure HelpdeskRole()
{
if ( command == 'helpdesk' )
{
if ( EnableHelpdeskRole == true )
{
if ( submithost != runhost && runhost !in HelpdeskHosts )
{
print("\nCannot execute this option for host", runhost);
reject;
}
if ( user in HelpdeskUsers )
{
do {
print("Welcome to HelpDesk Menu. This menu will allow you to:");
print(" 1. List of processes of a host");
print(" 2. Check if a host is up and running");
print(" 3. List current users logged in on a host");
print(" 4. Display Host's IP Settings");
print(" 5. Exit");
print("");
option=input("Please select an option [1-5]: ");
if ( option in {"1", "2", "3", "4"} )
{
if ( runhost != submithost )
thehost=runhost;
else
{
buf = "Please enter the hostname of the machine ["
+ submithost + "]: ";
thehost=input(buf);
if ( thehost == "")
thehost=submithost;
}
if ( thehost in HelpdeskHosts )
{
switch (option)
{
case "1":
output=remotesystem(thehost, "root", {"PATH=/bin:/usr/bin:/usr/sbin:"}, 20, "/tmp", "ps -ef", "");
if ( status == 0 )
printf("\nList of Processes of %s:\n%s\n\n", thehost, output);
else
printf("\nAn error occurred when getting the list of processes of %s\n", thehost);
break;
case "2":
str="ping -c 1 " + thehost;
output=system(str);
if ( status == 0 )
printf("\nHost %s is up and running\n\n", thehost );
else
printf("\nAn error occurred when checking if %s is up\n", thehost);
break;
case "3":
output=remotesystem(thehost, "root", {"PATH=/bin:/usr/bin:/usr/sbin:"}, 20, "/tmp", "who -H", "");
if ( status == 0 )
printf("\nList of active users on %s:\n%s\n\n", thehost, output);
else
printf("\nAn error occurred when getting the list of active users on %s\n", thehost);
break;
case "4":
output=remotesystem(thehost, "root", {"PATH=/bin:/usr/bin:/usr/sbin:"}, 20, "/tmp", "ifconfig -a", "");
if ( status == 0 )
printf("\nIP Settings of %s:\n%s\n\n", thehost, output);
else
printf("\nAn error occurred when getting the IP Settings of %s\n", thehost);
break;
}
}
else
{
print("\nCannot execute this option for host",
thehost);
}
}
} while ( option != "5" );
runcommand = "echo";
runargv = { "echo", "Exit Helpdesk menu"};
SetRunEnv(user, false);
accept;
}
else
reject("You do not have the permission to run this command on this host");
}
else
reject("Helpdesk role is not enabled");
}
}
#
# Procedure ControlledShellRole:
# If 'ControlledShellRole' is enabled, it allows any user in ControlledShellUsers (default all users) when running on hosts
# in ControlledShellHosts (default all run hosts) to get iologged.
#
procedure ControlledShellRole()
{
if ( EnableControlledShellRole && user in ControlledShellUsers && (runhost in
ControlledShellHosts || TargetRunHostShortName in ControlledShellHosts) )
{
if ( pbclientmode == "shell start" )
{
iolog_dir = "/tmp" ;
iolog = iolog_dir + "/pb." + user + "." + split(runhost,".")[0] + "." +
sprintf("%d-%d-%d",year,month,day) + "." + basename(command) + ".XXXXXX";
print("Warning this session is being logged:", iolog);
accept;
}
if ( pbclientmode == "shell command" )
{
if ( basename(command) in ControlledShellRejectedCmds )
reject("You do not have the permission to run this command on this host");
if ( basename(command) in ControlledShellPrivilegedCmds )
SetRunEnv("root", true);
accept;
}
}
}
LDAP Authentication Policy File (ldap.conf)
SIZELIMIT 0
TIMELIMIT 15
DEREF never
#TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
TLS_CACERT /etc/openldap/ssl/ldapCA.pem
TLS_CERT /etc/openldap/ssl/Master.pem
TLS_KEY /etc/openldap/ssl/private.pem
TLS_REQCERT allow
URI ldaps://1.2.3.4
BASE dc=ldap,dc=com
RADIUS Authentication Policy File (pam_radius_auth.conf)
1.2.3.4:1812 shared_secret
RADIUS PAM Configuration File (pbul_pam_radius)
auth required /usr/lib/beyondtrust/pb/pam_radius_auth.so.1.3.17 conf=/etc/pam_radius_auth.conf
account required /usr/lib/beyondtrust/pb/pam_radius_auth.so.1.3.17 conf=/etc/pam_radius_auth.conf
password required /usr/lib/beyondtrust/pb/pam_radius_auth.so.1.3.17 conf=/etc/pam_radius_auth.conf
Supported Platforms
The following list covers the Tested/Supported PowerBroker for Unix & Linux platforms used throughout the common criteria testing process to ensure compliance across a range of the PowerBroker for Unix & Linux supported platforms:
Vendor | Operating System | Version
IBM | AIX | V6.1 and V7.1
HP | HP-UX | 11i V3 (B.11.31) (PA-RISC 64-bit, Itanium 64-bit)
Oracle | Solaris (Sparc) | 11
Oracle | Solaris (Intel) | 11 64-bit
RedHat | Linux (Intel) | v6.x (64-bit)
RedHat | Linux (Intel) | v7.x (64-bit)
Ubuntu | Linux (Intel) | 13.4 (64-bit)
Ubuntu | Linux (Intel) | 14.4 (64-bit)
Additional Reference Material
Additional documents relating to the installation and use of PowerBroker for Unix & Linux include:
Product Documentation that ships with PowerBroker for Unix & Linux can be found in the following location:
PRODUCT ISO:\PBUL\Documentation
PowerBroker_Install_V9.1.pdf
PowerBroker Unix-Linux_Administration_V9.1.pdf
PowerBroker_Language_V9.1.pdf
Appendix A: Event Log Fields
This appendix details all of the runtime event variables that are captured each time a command is processed by PowerBroker for Unix & Linux. Included in the following table is the name of each variable as stored in the pb.eventlog file, the data type of the captured variable, a description of the data that is stored in the given variable and the type from which the data is collected.
Variable | Data type | Definition | Type
argc | integer | Argument count (items on the command line) | Task Information
argv | list | List of the arguments to the requested command, including the name of the command | Task Information
bkgd | integer | The user requested the job run in the background and ignore HUP signals by using pbrun -b. | Task Information
browserhost | string | The hostname of the machine that connected to pbguid (usually the browser, possibly a proxy) | Task Information
browserip | string | The IP address of the machine that connected to pbguid (usually the browser, possibly a proxy) | Task Information
clienthost | string | The name of the client (submit) host as resolved on the client host | Task Information
clienthost_uuid | string | UUID of the client used for licensing | Host identification
clienthost_uuid_created | integer | Flag if UUID is created by pbmasterd or pblocald | Host identification
command | string | The command, without arguments, the user wishes to run | Task Information
cwd | string | The user's current working directory | Task Information
date | string | The date the request was started; year/month/day (e.g. "2005/6/17") | System
day | integer | Day of the month the request started (1-31) | System
dayname | string | Day of the week the request started ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun") | System
env | list | A list of environment variables present when the user initiated the request | Task Information
event | string | Type of event, e.g. Accept, Reject, Finish, Keystroke | Logging
eventlog | string | The name of the file in which events are logged | Logging
execute_via_su | integer | A flag to indicate if PBUL will use the 'su -' command to create a login shell for the secured task, thus allowing the login mechanism to set up the run environment, overriding the run environment that the policy on the master has set up. 0 = false, 1 = true | Task Information
exit_timestamp | integer | The date/time when a task finished, expressed in Unix time format (number of seconds since midnight, January 1, 1970 (UTC)) | Logging
exitdate | string | The date the requested command finished running | Logging
exitstatus | string | How the request finished | Logging
exittime | string | The time the requested command finished running (hours:minutes:seconds) | Logging
false | integer | The value of false, used for condition checking. Defaults to 0. | System
forbidkeyaction - obsolete | string | Action when a forbidden key sequence is encountered; obsolete, see keystrokestatus | Logging
forbidkeypatterns - obsolete | list | Keystroke patterns to log; obsolete, see keystroke | Logging
group | string | The primary group to which the user belongs (e.g. "admin", "operators", "XXXproject") | Task Information
groups | list | A list of all the secondary groups to which a user belongs | Task Information
host | string | The host on which the task is requested to execute | Task Information
hour | integer | Hour the request started (0-23) | System
i18n_date | string | The I18N date the request was started | System
i18n_day | string | I18N Day of the month the request started | System
i18n_dayname | string | I18N Day of the week the request started | System
i18n_exitdate | string | The I18N date the requested command finished running | Logging
i18n_exittime | string | The I18N time the requested command finished running | Logging
i18n_hour | string | I18N Hour the request started | System
i18n_minute | string | The I18N minute the request started | System
i18n_month | string | The I18N month the request started | System
i18n_time | string | The I18N time the command started | System
i18n_year | string | The I18N year the request started | System
iolog | string | The name of the file in which input, output and error output is logged | Logging
iolog_list | list | A list of the actual I/O log filename(s) that were created for the session. | Logging
iologtemplate | string | A character string that contains a file name template for use with the logmktemp function. | Logging
keystroke | string | The keystroke pattern in the input stream which triggered an action. | Logging
keystrokedate | string | The date when the keystroke pattern was matched (e.g. "2005/6/17") | Logging
keystrokestatus | string | The action that was triggered when the keystroke pattern was detected in the input stream. | Logging
keystroketime | string | The time when the keystroke pattern was matched (e.g. 14:01:14) | Logging
keystrokeunixtime | integer | The date/time when the keystroke pattern was matched, expressed in Unix time format (number of seconds since midnight, January 1, 1970 (UTC)) | Logging
lineinfile | string | The filename of the policy file that accepted or rejected the request | System
linenum | integer | The line number where the policy accepted or rejected the request | System
localmode | integer | The user requested the program replace pbrun instead of starting a proxy session using pblocald, typically by invoking pbrun with the -l option | Task Information
loghostip | string | IP address of the logserver | Task Information
lognopassword | integer | Controls whether non-echoed output (traditionally passwords) is logged | Logging
lognoreconnect | integer | PowerBroker optimizes its network traffic where possible (default). | System
logomit | list | A list of variable names to omit when logging to an eventlog or I/O log | Logging
logpid | integer | Log daemon pid | Logging
logport | integer | Log daemon port number | Logging
logretrylimit | integer | Controls the maximum number of log retries for a job. When the maximum number of failures is exceeded, the secured task terminates. | Logging
logretrylimit | integer | The maximum number of log failures allowed for a job before the secured task terminates. (formerly logmaximumfailures) | Logging
logservers | list | A list of log hosts for pblocald to use for event and I/O logging. | Run environment
logstderr | integer | If true, error output is logged | Logging
logstderrlimit | integer | How much error output is logged per consecutive stream | Logging
logstdin | integer | If true, input is logged | Logging
logstdinlimit | integer | How much input is logged per consecutive stream | Logging
logstdout | integer | If true, output is logged | Logging
logstdoutlimit | integer | How much output is logged per consecutive stream | Logging
masterhost | string | The name of the machine running pbmasterd | System
masterhostip | string | IP address of the master | Task Information
masterlocale | string | The locale of the master host | System
mastertimelimit | number | The number of seconds a master daemon is allowed to run after a request is accepted. At the end of this time period the master daemon terminates. | Run environment
mastertimeout | number | The number of seconds of idle time allowed after a request is accepted. If no activity is detected, the master daemon terminates. | Run environment
minute | integer | The minute the request started (0-59) | System
month | integer | The month the request started (1-12) | System
nice | integer | The user's nice value at the time of the request | Task Information
noreconnect | integer | PowerBroker optimizes its network traffic where possible (default). | System
optarg | string | The parameter for the last argument processed by a getopt, getopt_long or getopt_long_only function, or an empty string if none was found | Command Line Parsing
opterr | integer | Determines whether to print errors from the getopt, getopt_long and getopt_long_only functions | Command Line Parsing
optimizedrunmode | integer | Optimized run mode allows pbrun to execute the secured task directly, instead of starting a proxy session using pblocald, thus using fewer resources. Optimized run mode is used automatically when the submit host and the run host are the same host and a logserver is used. | Task Information
optind | integer | Contains the current argument list index for getopt, getopt_long and getopt_long_only functions | Command Line Parsing
optopt | string | Contains the letter of the last option that had a problem in a getopt() function. | Command Line Parsing
optreset | integer | If set to true, optind will be set to 1, and the next call to getopt, getopt_long or getopt_long_only will start from the beginning of the argv list. | Command Line Parsing
optstrictparameters | integer | The getopt_long function provides strict interpretation of argument parameters. In particular, arguments with optional parameters are only accepted in the form --argument=parameter. Some non-compliant programs allow --argument parameter. To make getopt_long recognize the latter form, set optstrictparameters to false. | Command Line Parsing
origsolarisproject | string | Name of the original Solaris project | Task Information
outputredirect | string | Output stream PowerBroker policy prompts are directed to. This can be stderr or stdout | System
passwordloggingprompts | list | A list of possible password prompts that helps the lognopassword feature to recognize when to hide the non-echoed input when I/O logging is active. | Logging
pbclientcertificateissuer | string | The issuer string from the client (e.g. pbrun, pbguid, pbksh, pbsh) program's certificate | System
pbclientcertificatesubject | string | The subject string from the client (e.g. pbrun, pbguid, pbksh, pbsh) program's certificate | System
pbclientkerberosname | string | The principal from the invoking client (e.g. pbrun, pbguid, pbksh, pbsh) when Kerberos is active | System
pbclientkerberosuser | string | Contains the name of the client user's principal when Kerberos is used | System
pbclientmode | string | The mode of the command invoking PowerBroker. | System
pbclientname | string | The basename of the command invoking PowerBroker | System
pbguidmachine | string | The machine type id from uname on the gui host | Host identification
pbguidnodename | string | The nodename from uname on the gui host | Host identification
pbguidrelease | string | The OS release from uname on the gui host | Host identification
pbguidsysname | string | The system name from uname on the gui host | Host identification
pbguidversion | string | The OS version from uname on the gui host | Host identification
pbkshmachine | string | The machine type id from uname on the pbksh machine | Host identification
pbkshnodename | string | The nodename from uname on the pbksh machine | Host identification
pbkshrelease | string | The OS release from uname on the pbksh machine | Host identification
pbkshsysname | string | The system name from uname on the pbksh machine | Host identification
pbkshversion | string | The OS version from uname on the pbksh machine | Host identification
pblocaldcertificateissuer | string | The issuer string from pblocald's certificate | Host identification
pblocaldcertificatesubject | string | The subject string from pblocald's certificate | Host identification
pblocaldmachine | string | The machine type id from uname on the run host | Host identification
pblocaldnodename | string | The nodename from uname on the run host | Host identification
pblocaldnoglob | integer | If true, pblocald skips metacharacter expansion on runargv | Run environment
pblocaldrelease | string | The OS release from uname on the run host | Host identification
pblocaldsysname | string | The system name from uname on the run host | Host identification
pblocaldversion | string | The OS version from uname on the run host | Host identification
pblogdcertificateissuer | string | The issuer string from pblogd's certificate | Host identification
pblogdcertificatesubject | string | The subject string from pblogd's certificate | Host identification
pblogdmachine | string | The machine type id from uname on the log server | Host identification
pblogdnodename | string | The nodename from uname on the log server | Host identification
pblogdreconnection | integer | If true, pblogd initiates log reconnects when logmktemp() is used | System
pblogdrelease | string | The OS release from uname on the log server | Host identification
pblogdsysname | string | The system name from uname on the log server | Host identification
pblogdversion | string | The OS version from uname on the log server | Host identification
pbmasterdcertificateissuer | string | The issuer string from pbmasterd's certificate | Host identification
pbmasterdcertificatesubject | string | The subject string from pbmasterd's certificate | Host identification
pbmasterdmachine | string | The machine type id from uname on the master host | Host identification
pbmasterdnodename | string | The nodename from uname on the master host | Host identification
pbmasterdrelease | string | The OS release from uname on the master host | Host identification
pbmasterdsysname | string | The system name from uname on the master host | Host identification
pbmasterdversion | string | The OS version from uname on the master host | Host identification
pbrunmachine | string | The machine type id from uname on the submit host | Host identification
pbrunnodename | string | The nodename from uname on the submit host | Host identification
pbrunreconnection | integer | If true, pbrun initiates reconnections to pblocald | System
pbrunrelease | string | The OS release from uname on the submit host | Host identification
pbrunsysname | string | The system name from uname on the submit host | Host identification
pbrunversion | string | The OS version from uname on the submit host | Host identification
pbshmachine | string | The machine type id from uname on the pbsh machine | Host identification
pbshnodename | string | The nodename from uname on the pbsh machine | Host identification
pbshrelease | string | The OS release from uname on the pbsh machine | Host identification
pbshsysname | string | The system name from uname on the pbsh machine | Host identification
pbshversion | string | The OS version from uname on the pbsh machine | Host identification
pbsshmachine | string | The machine type id from uname on the pbssh machine | Host identification
pbsshnodename | string | The nodename from uname on the pbssh machine | Host identification
pbsshrelease | string | The OS release from uname on the pbssh machine | Host identification
pbsshsysname | string | The system name from uname on the pbssh machine | Host identification
pbsshversion | string | The OS version from uname on the pbssh machine | Host identification
pbulacapolicy | list | List of ACA permissions |
pbversion | string | The version number for PowerBroker | System
60
© 2016. BeyondTrust Software, Inc. Common Criteria Guide
Variable Data type Definition Type
pid integer The process ID number of the pbmasterd process System
ptyflags integer Flags used for pty settings - reserved for internal use System
requestuser string Name of requested runuser as specified in pbrun's -u argument
Task Information
rlimit_as number The maximum memory available to a process, in bytes, as a 32-bit number, or 2147483647 if unlimited or not supported by submit host. This is equivalent to vmem on some systems.
Task Information
rlimit_core number The maximum size of a core file as a 32-bit number, or 2147483647 if unlimited or not supported by submit host
Task Information
rlimit_cpu number The maximum CPU time, in seconds, as a 32-bit number, or 2147483647 if unlimited or not supported by submit host
Task Information
rlimit_data number The maximum data segement size as a 32-bit number, or 2147483647 if unlimited or not supported by submit host
Task Information
rlimit_fsize number The maximum file size as a 32-bit number, or 2147483647 if unlimited or not supported by submit host
Task Information
rlimit_locks number The maximum number of file locks as a 32-bit number, or 2147483647 if unlimited or not supported by submit host
Task Information
rlimit_memlock number The maximum bytes of virtual memory that can be locked as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host
Task Information
rlimit_nofile number The maximum number of files that can be opened as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host
Task Information
rlimit_nproc number The maximum number of process the user can run as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host
Task Information
rlimit_rss number The maximum size of a process' resident segment (virtual pages) as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host
Task Information
rlimit_stack number The maximum number of bytes in a process' stack as a 32-bit number, or 2147483647 if unlimited or not supported by the submit host
Task Information
runargv list The argument list for the request Run environment
runbkgd integer If true, HUP signals are ignored by the command when it is run
Run environment
runchroot string The directory to be the request's root ("/") directory Run environment
runcksum string Validate a file's checksum before execution Run environment
runcksumlist list A list of checksum values used to validate a file before execution.
Task Information
runcommand string The command, without arguments, that the request will run Run environment
runconfirmmessage string The prompt message to use when runconfirmuser is set. If not set this is "type in user's password"
Run environment
61
© 2016. BeyondTrust Software, Inc. Common Criteria Guide
Variable Data type Definition Type
runconfirmpasswdservice
string The runconfirmpasswdservice variable stores the name of the PAM password service which will be used to perform password authentication and account management for the user named by the runconfirmuser variable. It overrides pampasswordservice in pb.settings of the run host.
Run environment
runconfirmuser string The user name to password-validate on the run host Run environment
runcwd string The request's starting working directory Run environment
runeffectivegroup string The effective group (egid) for the request Run environment
runeffectiveuser string The effective user (euid) for the request Run environment
runenablerlimits number When true, use the runrlimit_* variables to set up ulimits for the secured task.
Run environment
runenv list A list of environment variables to set for a job when PowerBroker runs it
Run environment
runenvironmentfile string The value of environment file on run host Run environment
rungroup string The primary group to which the request will belong Run environment
rungroups list The list of secondary groups to which the request will belong Run environment
runhost string The host on which the request will execute Run environment
runlocale string The locale of the run host Run environment
runlocalmode integer If true, the program replaces pbrun rather than launching a separate session with pblocald.
Run environment
runmd5sum string Validate a file's md5 checksum before execution Run environment
runmd5sumlist list A list of md5 checksum used to validate a file checksum before execution.
Task Information
runnice integer The request's execution priority Run environment
runoptimizedrunmode integer Optimized run mode allows pbrun to execute the secured task directly, instead of starting a proxy session using pblocald, thus using fewer resources. Optimized run mode is used automatically, when the submit host and the run host are the same host, and a logserver is used.
Run environment
runpid number pid of pblocald Run environment
runptyflags integer Flags used internally for pty settings - reserved for internal use
Run environment
runrlimit_as number The maximum memory available to a process, in bytes, as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_core number The maximum size of a core file as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_cpu number The maximum CPU time, in seconds, as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_data number The maximum data segement size as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_fsize number The maximum file size as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_locks number The maximum number of file locks as a 32-bit number, or 2147483647 for unlimited
Run environment
62
© 2016. BeyondTrust Software, Inc. Common Criteria Guide
Variable Data type Definition Type
runrlimit_memlock number The maximum bytes of virtual memory that can be locked as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_nofile number The maximum number of files that can be opened as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_nproc number The maximum number of process the user can run as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_rss number The maximum size of a process' resident segment (virtual pages) as a 32-bit number, or 2147483647 for unlimited
Run environment
runrlimit_stack number The maximum number of bytes in a process' stack as a 32-bit number, or 2147483647 for unlimited
Run environment
runsecurecommand number When true (non-zero), check that the runcommand is
writable only by root or the runuser.
Run environment
runsolarisproject string Name of a Solaris project to associate the secured task with. Overrides the solarisproject specified on the pbrun commandline.
Run environment
runtimelimit number The number of seconds of that the job may execute Run environment
runtimeout number The number of seconds of idle time allowed before the request is terminated
Run environment
runtimeoutoverride number When true allows runtimeout to be overwritten Run environment
runumask integer The umask filter to determine file permissions (read, write, execute)
Run environment
runuser string The login name of the user that will run the request (for example, root)
Run environment
runutmpuser string The name of the user that will appear in utmp Run environment
selinux string If set, selinux is enabled System
shellallowedcommands list A list of commands that a PowerBroker shell may execute without further authorization or logging
Run environment
shellcheckbuiltins number If true, PowerBroker shells authorize and log shell builtins Run environment
shellcheckredirections number If true PowerBroker shells authorize and log shell I/O redirection requests
Run environment
shellforbiddencommands
list A list of commands which a PowerBroker shell should reject without further authorization or logging
Run environment
shelllogincludedfiles number If true, PowerBroker shells authorize and log files which shell scripts and profiles include (source)
Run environment
shellreadonly list A list of environment variables the PowerBroker shell sets read-only
Run environment
shellrestricted string Controls whether PowerBroker Servers shells run in restricted mode.
Run environment
shellretricted number When true, PowerBroker shells run in restricted mode. Run environment
solarisproject string Name of a Solaris project specified on the pbrun commandline.
Task Information
63
© 2016. BeyondTrust Software, Inc. Common Criteria Guide
Variable Data type Definition Type
status integer The exit status of the most recent command run by the system function; 0 (Unix default for success), non-0 (Anything other than the Unix default success value)
System
submithost string Name of the submitting (client) host machine as resolved on the master host
Task Information
submithostip string IP address of the submitting host machine as resolved on the master
Task Information
submitlocale string The locale of the submithost Task Information
submitpid number pid of pbrun or pbshells Task Information
submittimeout number Idle time, in seconds, that is allotted to the submitting user before the submit host terminates the current request.
Task Information
subprocuser string The user name under which all subprocesses of pbmasterd
will run. (i.e. commands run using the system function)
System
taskpid integer pid of the task Task Information
taskttyname string The runtime-generated ttyname of the secured task. Task Information
time string The time the command started; hours:minutes:seconds (e.g. "08:24:52")
System
timezone string A standardized representation of the time zone of the submit host
Task Information
true integer The value of true, used for condition checking. Defaults to 1. System
ttyname string The name of the tty device from which the user submits the request
Task Information
umask integer The user's umask value, which determines file permissions (read, write, execute) for newly created files
Task Information
uniqueid string A string guaranteed to be unique across the PB Servers system (that is, master host, submit host, run host and log host). Can be used as a unique indentification in the event log.
System
unixtimestamp integer The event accept/reject date/time, expressed in Unix time format (number of seconds since midnight, January 1, 1970 (UTC) )
Task Information
user string The login name of the user submitting a request Task Information
xwincookie string The xwincookie variable contains the X Windows Authentication cookie from the client and is available for logging.
Logging
xwindisplay string The xwindisplay variable contains the X Windows Authentication DISPLAY string from the client and is available for logging.
Logging
xwinforward integer The xwinforward variable controls whether PowerBroker will forward X Windows applications through to the client X Server.
Logging
xwinproto string The xwinproto variable contains the X Windows Authentication protocol from the client and is available for logging.
Logging
xwinreconnect integer The xwinreconnect variable contains how PowerBroker servers optimizes X Windows network traffic between pbrun
Logging
64
© 2016. BeyondTrust Software, Inc. Common Criteria Guide
Variable Data type Definition Type
and pblocald.
year integer The year the request started; CCYY (e.g. 2005) System
Appendix B: Change Management Event Log Fields
This appendix details the contents of the Change Management events that are generated when the functionality is enabled within pb.settings and files are managed within the pb.db facility.

| Variable | Data type | Definition |
|---|---|---|
| hostname | string | The hostname that generated the change management event |
| evtname | enumerated string | Type of change management operation (see table below) |
| service | string | The binary that was used and that triggered the change management event |
| who | string | Username of the user who called the management binary |
| severity | integer bit field | The severity of the logged information (see table below) |
| progname | string | |
| version | string | Version of the software used that triggered the change management record |
| arch | string | Platform/architecture string of the host that triggered the change management record |
| data | various | Various data, usually base64 encoded JSON representing the data that changed |
evtname

| name | description |
|---|---|
| registered | Host has successfully registered using Client Registration |
| file_import | Configuration file version imported into pb.db |
| reg_del_profile | Client Registration profile deleted |
| reg_put_profile | Client Registration profile updated |
| rekey | Database re-encrypted with new key |
| new_keyfile | New encryption keyfile generated into the database |
| tag_file | File tagged in set |
| untag_file | File untagged in set |
| del_file | File marked as deleted |
| encrypt_file | File encrypted using pbencode |
| put | Role Based policy updated |
| deleted | Role Based policy deleted |
| transaction | Role Based Policy transaction of records committed |
| force_rollback | Role Based Policy transaction of records rolled back |
| import_table | Role Based Policy imported |
severity

| integer bit value | type | description |
|---|---|---|
| 0x000 | debug | Debug message (currently not used) |
| 0x010 | information | Informational message |
| 0x020 | alert | Alert message |
| 0x040 | error | Error message |
| 0x080 | critical | Critical message |
| 0x100 | emergency | Emergency message |
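As an added example (not part of the BeyondTrust guide), the following Python normalises one Change Management record using the field, evtname and severity tables above: it rejects unknown evtname values, expands the severity bit field into names, and decodes the base64 JSON data field. The sample record, the service name and the JSON payload are constructed for illustration, and the record is assumed to arrive as a dictionary of the documented fields.

```python
import base64
import json

# Event names from the evtname table in Appendix B.
EVTNAMES = {
    "registered", "file_import", "reg_del_profile", "reg_put_profile",
    "rekey", "new_keyfile", "tag_file", "untag_file", "del_file",
    "encrypt_file", "put", "deleted", "transaction", "force_rollback",
    "import_table",
}

# Severity bit values from the severity table; 0x000 (debug) sets no bit.
SEVERITY_BITS = {
    0x010: "information",
    0x020: "alert",
    0x040: "error",
    0x080: "critical",
    0x100: "emergency",
}


def decode_severity(value):
    """Return the severity names whose bits are set, or ['debug'] for 0."""
    names = [name for bit, name in SEVERITY_BITS.items() if value & bit]
    return names or ["debug"]


def parse_change_event(record):
    """Validate evtname, expand severity and decode the data field.
    Raises ValueError for an evtname outside the documented set."""
    if record.get("evtname") not in EVTNAMES:
        raise ValueError("unknown evtname: %r" % record.get("evtname"))
    out = dict(record)
    out["severity_names"] = decode_severity(int(record["severity"]))
    raw = record.get("data")
    if isinstance(raw, str):
        try:  # data is "usually" base64 JSON; keep it raw when it is not
            out["data"] = json.loads(base64.b64decode(raw, validate=True))
        except ValueError:
            out["data"] = raw
    return out


# Constructed sample record (assumed field values, not real product output).
SAMPLE = {
    "hostname": "master1.example.com", "evtname": "rekey",
    "service": "pbdbutil", "who": "root", "severity": 0x020,
    "progname": "pbdbutil", "version": "x.y (placeholder)", "arch": "linux",
    "data": base64.b64encode(b'{"keyfile": "/etc/pb.key"}').decode(),
}
```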
About BeyondTrust
BeyondTrust® is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks.
We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes.
BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.