Endpoint Privilege Management for Unix and Linux 25.1.6
October 30, 2025
✨ Enhancements
Security improvements
Added security improvements for REST calls and services
- HMAC message signing now incorporates the full resource URI for all HTTP requests and the bodies of PUT or POST requests to minimize the potential for HMAC token replay attacks.
- The REST requests allowed at the EPM-UL components (client & server) are now restricted to a small subset of calls. Furthermore, the REST requests for scheduled tasks can only be used by the component from which the request was issued.
- ACLs or ACL profiles are now enforced when creating REST keys. Existing “appids” with no ACLs are updated to admin permission on upgrade.
- The files accessed by applicable REST calls are now validated, and granular path restrictions are added to the internal REST appid used in the product.
- Per-session keys are now exchanged following the Authenticated Encryption with Associated Data (AEAD) pattern used by TLS 1.3.
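The first bullet above describes binding the HMAC to the full resource URI and, for PUT/POST, the request body, so that a captured token cannot be replayed against a different resource or with a modified payload. The following is an added illustration of that principle, not EPM-UL's own signing code: the canonical string layout, the timestamp window, the header names implied and the URIs used are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration, not EPM-UL's implementation: the canonical string layout,
# the freshness window and the example URIs below are assumptions.

# Methods whose body is covered by the signature (the release notes describe
# this for PUT and POST requests).
BODY_SIGNED_METHODS = {"PUT", "POST"}


def canonical_string(method: str, uri: str, body: bytes, timestamp: int) -> bytes:
    """Build the exact byte sequence both client and server sign.

    Every field a captured token could be reused against (method, full resource
    URI including the query string, request body, time of issue) is bound here,
    so a token computed for one request does not verify for another.
    """
    method = method.upper()
    body_to_sign = body if method in BODY_SIGNED_METHODS else b""
    body_digest = hashlib.sha256(body_to_sign).hexdigest()
    # Newline separators keep the fields from running together.
    return "\n".join([method, uri, body_digest, str(timestamp)]).encode("utf-8")


def sign_request(key: bytes, method: str, uri: str, body: bytes, timestamp: int) -> str:
    """Return the hex HMAC-SHA256 tag a client sends alongside the request."""
    return hmac.new(key, canonical_string(method, uri, body, timestamp), hashlib.sha256).hexdigest()


def verify_request(key: bytes, method: str, uri: str, body: bytes, timestamp: int,
                   tag: str, now: int, max_skew: int = 300) -> bool:
    """Server-side check: recompute the tag and compare in constant time.

    The timestamp window bounds how long an otherwise identical captured
    request stays valid; a stricter server would also track seen nonces.
    """
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(key, method, uri, body, timestamp)
    return hmac.compare_digest(expected, tag)


def replay_outcomes(key: bytes, now: int) -> dict:
    """Sign one POST and report which variations of it the server accepts."""
    uri = "/REST/example/items/42"      # constructed URI, not a product endpoint
    body = b'{"action":"commit"}'       # constructed request body
    tag = sign_request(key, "POST", uri, body, now)
    return {
        "original": verify_request(key, "POST", uri, body, now, tag, now),
        # same tag presented against a different resource
        "other_uri": verify_request(key, "POST", "/REST/example/items/43", body, now, tag, now),
        # same tag, same URI, different method
        "other_method": verify_request(key, "DELETE", uri, body, now, tag, now),
        # same tag, same URI, modified body
        "other_body": verify_request(key, "POST", uri, b'{"action":"rollback"}', now, tag, now),
        # identical request presented well outside the freshness window
        "stale": verify_request(key, "POST", uri, body, now, tag, now + 600),
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)   # constructed per-session key
    for case, accepted in replay_outcomes(demo_key, int(time.time())).items():
        print(f"{case:13s} accepted={accepted}")
```

Only the unmodified, fresh request verifies; changing the URI, the method or the body of a signed PUT/POST, or presenting the request long after it was signed, is rejected. Note that, as the bullet states, only PUT and POST bodies are covered, so a GET verifies regardless of any body sent with it; resources reached by GET therefore rely on the URI binding alone.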
Added protection to the application-layer cryptographic traffic encryption between EPM-UL components
The initialization vector message sent within EPM-UL components now includes random data for added protection.
Secured the permissions on pbksh/pbsh binaries
The pbksh and pbsh binaries on endpoints have been secured by removing read permissions for non-root users.
Performance improvements
Improved SQLite eventlog performance by updating eventlog schema
Searching an eventlog database is now much faster thanks to a changed eventlog table schema. Existing eventlog databases need to be migrated to the new schema using the “pblog --migratedb” option.
Eventlog: Keystroke event filtering improvements
The filterable columns of eventlog records for “keystroke” events are now populated, allowing improved event filtering for keystroke events.
Eventlog: Migrate SQLite eventlog database from older versions to newer versions
An eventlog database created prior to v25.1.6 can be migrated to the new, improved schema using the command “pblog --migratedb <old_eventlog_db> -o <new_eventlog_db>”.
Multiple performance improvements in RBP
- Enhance REST RBP DELETE endpoint to allow deletion of multiple RBP entities to improve performance
- Improve list performance
- Improve RBP transaction performance issues
Other enhancements
The new option --sqldebug=level adds additional SQLite debug logs to pbadmin.log. Use it for troubleshooting.
Added a check to determine if a host is the primary RNS server or not. The command outputs:
- “yes”, if this server is a primary for requested service type.
- “no”, if this server is NOT a primary for requested service type.
- “unknown - ”, otherwise.
pbinstall shows a "4028.01 Permission denied" message on a non-primary policy server
pbinstall now only imports the RBP policy on the primary policy server.
Multiple encryption support: allow "none" to be used as part of list of encryptions
When specifying multiple encryptions in “networkencryption”, you can now use “none” as one of the valid encryptions.
EPM-UL RPM packages still contain hashes and signatures using the SHA1 and DSA algorithm
The Linux RPM packages are now signed with RSA/SHA256 signature.
When randomizesubmitmasters or randomizelogservers is enabled, the entire host list should be randomized
When randomizelogservers is set to yes, all servers listed are shuffled before trying them in order. This ensures that the same server is not always tried after the first one fails.
"uniqueid" used in eventlog records is not unique across hosts
The field “uniqueid” in the eventlog record is always unique on a specific host. However, in certain rare situations “uniqueid” was the same across different machines. We are now generating a “uniqueid” that is unique across hosts as well.
Set the 'pblight' account to have a locked password and the shell set to /sbin/nologin
During the installation, when the default ‘pblight’ account is created, the account is now created with no shell, and a locked password.
Install with SELinux in enforcing mode: when installing binaries, use "semanage fcontext" to make the binary context permanent
When SELinux is enabled and set to “enforcing”, the SELinux context of EPM-UL files is now set permanently and no longer reverts after a restart.
Change permissions of pblighttpd.log from 755 to 600
The log file pblighttpd.log is now created with the proper file permissions, only writable and readable by ‘root’.
pbmakeremotetar & pbremoteinstall are no longer supported
pbmakeremotetar & pbremoteinstall are no longer supported and are removed from EPM-UL tar files and packages.
Remove “.BeyondTrustCreated” entry from list of files in the policy directory
When listing the policy files in BIUL (or using the restcall to list policy files), the internal, hidden file “.BeyondTrustCreated” is no longer listed.
Dependency of binaries on /lib64/libcrypt.so.1
EPM-UL binaries rely on "/lib64/libcrypt.so.1". However, libcrypt.so.1 has been deprecated in RHEL 9, but still exists on RHEL 8. In this release, if the library is not installed on the RHEL machine, EPM-UL installation creates a symlink named libcrypt.so.1 to libcrypt.so.2 if the latter exists and the former does not exist.
Updated the EPM-UL REST GET /policy/rbp/transaction
Updated the EPM-UL REST GET /policy/rbp/transaction endpoint to retrieve the current changes outstanding in the RBP transaction log.
Enhance REST client license endpoint to include pagination and sorting
Updated the parameters used to calculate pagination. This helps to filter results when many are returned.
Case insensitive searching in Microsoft Entra ID
Added support for case insensitive matching when searching Entra ID users and groups.
Upgrade of 3rd party libraries
All 3rd party libraries have been upgraded to the latest versions:
- OpenSSL 3.0.17
- Curl 8.15.1
- OpenLDAP 2.5.17
- Kerberos (krb5) 1.21.3
- jansson 2.14.1
- libedit 20230828-3.1
- libevent 2.1.12
- libxml2 2.14.5
- SQLite 3.50.3
- unixODBC 2.3.12
Platform support
- Client-only support on AIX, Solaris & Linux PowerPC:
  - Starting with v25.1.6, EPM-UL no longer supports EPM-UL servers on AIX, Solaris and Linux PowerPC. The installation only allows the “clients” (submit/runhost, pbshells, pbssh, utilities) to be installed on these platforms.
- Additional supported platform:
  - RHEL and OEL 10: RedHat Enterprise Linux v10 and Oracle Linux v10 are now officially supported.
- Platforms no longer supported:
  - RHEL v7 and Oracle Linux v7.x
  - SLES 12
  - SLES 15 SP2/SP1
  - AIX 7.2
  - HPUX (all releases)
🛠️ Issues resolved
RNS (Registry Name Service)
| Description | Resolution | 
|---|---|
| Constraint violation during EPM-UL installation (with BIUL). | Valid constraint violation errors (adding host with conflicting UUID and incorrect cn) now display detailed messages showing the existing UUID entry in the database. | 
| After a dbsync to secondary RNS, pbdbutil --cfg displays the date and deleted fields differently. | In the output of pbdbutil --cfg -lll, the “created” date field is now displayed as a human readable string rather than as an epoch value. Also, the “deleted” field shows true/false instead of 0/1. These issues were introduced in v24.1.4. | 
| After dbsync to secondary RNS, pbdbutil --cfg -l shows a blank pathname. | In the output of pbdbutil --cfg -l, the pathname is no longer blank and shows the correct path/file name. This issue was introduced in v24.1.4. | 
ACA
| Description | Resolution | 
|---|---|
| EPM-UL does not recognize the ACA default rule when the action/permission argument has “!”. | An ACA policy whose default rule contains "!", for example “aca('file', 'default', '!all\|log=2');”, is now properly recognized as the default rule. | 
| When ACA is enabled, the ksh/ksh93 korn shell interpreter does not get the ACA rules on RHEL 9. | The panic error “Failed to restore PWD upon exiting subshell [Permission denied]” no longer displays when ACA rules are applied. | 
| Using mv to rename files is not blocked on RedHat 7+. | Moving and unlinking files is now properly blocked on all RedHat versions when an ACA rule in the policy blocks “unlink” (mv) of a file, for example: “aca('file','/root/file','all\|!write\|!unlink','protect shadow');” | 
| ACA rules not passed to the ksh interpreter from the #! line. | Fixed closed file descriptor issues that caused seek and audit problems. | 
| ACA does not run the script interpreter through policy. | When ACA is requested to exec a script, the interpreter named in the script’s #! line is now also run through the ACA policy. | 
| pbcheck displays ACA error: “policy not enabled.” | Running pbcheck on a policy with ACA statements, when the product is licensed to use ACA, no longer fails with an error. | 
RBP (Role-Based Policy)
| Description | Resolution | 
|---|---|
| Policy server should not match roles that are not committed when rbptransactions is in use. | When rbptransactions is enabled and a transaction is not yet committed, role matching no longer takes the uncommitted changes into consideration. | 
| Policy match does not consider role order when matching roles with a single host with full hostname vs roles with a regexp in their runhost list. | Role order is now considered correctly when hostnames or regex host lists are used. | 
| Policy doesn’t match the proper role when runuser differs between single and list. | Fixed incorrect match logic between single and list runuser roles. | 
| Performance degradation when processing large role-based policies. | Optimized performance on the client (pbrun). | 
| Commands containing % rejected, causing no role match. | Fixed issue rejecting commands containing %. | 
| The whoami and in-transaction flags were not set correctly if the database is only being opened for reading. RBP transactions retrieve the wrong data to the transaction holder. | The whoami parameter and in-transaction flags were updated to account for the read-only scenario. | 
REST API
| Description | Resolution | 
|---|---|
| Scheduled tasks do not consider the pbresttimeout timeout value. | The scheduled process now uses pbresttimeout as the task timeout instead of libcurl’s default timeout of 2 minutes. This fixes issues such as the scheduler process taking a long time to finish dbsync, svccache_updates, etc. when one of the servers configured for dbsync is not reachable. | 
| REST endpoint /policies/check did not fully validate syntax. | Now performs full syntax validation on policy scripts. | 
| REST Eventlog request fails to list all events in large databases. | When listing all events of a large eventlog, without using any filter, the GUI hangs and eventually errors. | 
| REST /v2.0/events returns incorrect results when filtering with underscores. | Fixed an issue where results were incorrect when a filter parameter passed to the REST /v2.0/events endpoint contained underscores. | 
| REST RBP DELETE endpoint fails to delete userlist, hostlist, cmdlist and tmdatelist entities. | DELETE now correctly deletes entities as expected. | 
| Memory leaks in RBP REST services. | Multiple memory leaks fixed. | 
| REST /REST/settings omits disabled settings with no default values. | Now lists disabled settings without defaults. | 
| Only the first value in restssloptions is processed. | The restssloptions keyword now supports multiple values, and all specified values are correctly processed and applied. | 
Other
| Description | Resolution | 
|---|---|
| pbdbutil --rbp -e -V n returns a usage error. | Command now correctly exports the specified version. | 
| pbrun --di fails when ssloptions is set to "allownonssl". | pbrun --di no longer fails if ssloptions is set to allownonssl. This issue was introduced in v24.1.4. | 
| pbping core dumps when connecting to a host with a mismatched pb.key. | pbping no longer core dumps when issued against a remote host whose keyfile in networkencryption differs from the issuing host’s. | 
| pbrun -e does not show % in command. | The role-based policy entitlement reporting, pbrun -e, now shows commands that have a ‘%’ in them. | 
| pbbench fails on license server. | An issue was introduced in v24.1.4 where running pbbench on a license server failed and displayed the error “ERROR: service '' - Invalid argument”. This is now fixed. | 
| pbreplay utility could crash with a segmentation fault when processing IO logs that have no output records. | pbreplay no longer segfaults when replaying IO logs with no output. | 
| pbreplay output and indexing issues. | pbreplay indexing (and -O, and -Z) now displays stdout data when the data is not followed by a newline. | 
| IO logs in cached mode cannot be replayed. | IO logs can now be found and replayed correctly. | 
| pbdbutil --cfg -g * doesn't return disabled settings with no default values. | Disabled settings with no default values are now listed in the Settings list. | 
| pbconfigd restarts when using large RBP policies. | Fixed instability issue with large policy handling. | 
| PBShells error 3912.88 Failed to change owner and group to root for /opt/pbul/pbcached/iologs | On a cached client with no network connection, when pbksh/pbsh is issued by a non-root user, the ownership and group of the directory /opt/pbul/pbcached/iologs are now correctly set to root. | 
| Installer displays: “policypubcertfile/policykeyfile not auto-generated.” | When installing a client on a host, the warning messages “policypubcertfile/policykeyfile not auto-generated” no longer appear. | 
| Unable to install cached client on SuSE 15. | The installation of a cached client on SuSE 15 no longer fails due to the missing /etc/inittab on SuSE 15. | 
| ELK integration not working in 24.1.4-03. | Addressed an issue where ELK integration breaks starting from build 3 on RHEL 9.5, affecting REST services and Elasticsearch connectivity. | 
| pblogd endless loop when PAM is enabled and password prompt fails. | A PAM-enabled installation of EPM-UL that uses pblocald for delegation, authorizing a command with iologging under an account that prompts (because its password has aged or expired), no longer causes pblogd to loop endlessly. | 
⏰ Deprecation notices
- pbmakeremotetar is no longer supported
- Removed defunct keyword pbcachedchunksize from pbinstall
