Endpoint Privilege Management for Unix and Linux 26.1

🆕 Features

Secure default X509 certificates for all EPM-UL TLS communication

Prior to v26.1.0, a customer could forego the use of their own certificates in favor of EPM-UL’s default self-signed certificates.
Starting with v26.1.0, EPM-UL establishes a per-installation Public Key Infrastructure (PKI).

  • The first (primary/license) server generates a self-signed Root Certificate Authority (Root CA) certificate, which becomes the trust anchor for the entire installation.
  • Policy and log servers that can act as registration servers each receive a Subordinate CA certificate signed by the Root CA (or by another subordinate CA), and all servers and client endpoints receive individual CA-signed certificates for use in TLS communication.
  • Certificate and hostname validation are now fully enforced for connections using these new certificates.

Note that the new EPM-UL Public Key Infrastructure is only used in cases when the customer doesn’t use their own certificates for secure EPM-UL communication.

ℹ️ For more information, see Install EPM-UL using your own certificates and X509 certificates.

✨ Enhancements

Improved mixed-version IV negotiation when connecting to multiple policy servers

In v25.1.6, the new secure communication protocol is tried first, and the old protocol is tried as a fallback. Previously, when multiple policy servers were configured, all servers would be tried with the new protocol before any were retried with the old protocol, introducing significant latency. Now, for each server in the list, the new protocol is tried first and, if it fails, the old protocol is tried before moving on to the next server.

pbreplay -Z/-X: use log-server timestamps for start and end time

When replaying an iolog with pbreplay -Z (or -X), both the starttime and endtime fields are now taken from the log server, preventing cases where a clock skew on the client caused the end time to appear before the start time.

pbdbutil REST ACL profile display order changed to alphabetical

pbdbutil --rest -L --listaclprofiles now lists ACL profiles in alphabetical order instead of access priority-based order.

ACA: improved symlink handling and rule behavior

When following a symlink, the ACA rules now consider rules matching the first file in the symlink chain that has an applicable rule, rather than only the final resolved file. The final file in the chain is now also included in the audit record to aid administrators in writing correct rules.

pbmasterd.socket and pblogd.socket: added `TriggerLimitBurst=0`

TriggerLimitBurst=0 has been added to the [Socket] section of /etc/systemd/system/pbmasterd.socket and /etc/systemd/system/pblogd.socket to remove the limit on how often these socket units may be activated, preventing unexpected connection refusals under high load.

Preserve ACLs when regenerating REST appkeys

pbadmin --rest -g now updates the existing appkey record in place, preserving all existing ACLs. Previously, regenerating an appkey always created a new record and discarded any previously configured ACLs.

RNS: list soft-deleted hosts with `pbdbutil --svc`

pbdbutil --svc -L/-l commands now support an additional l or L flag to include hosts and service groups that have been marked as deleted (deleted=1) in the registry name service database. This assists support in diagnosing constraint violation errors.

Store exit status of Reject and Shell commands in the SQLite eventlog database

The exit status of Reject and Shell command events is now stored in the exitstatus column of the SQLite eventlog database, making these events filterable via REST just like Accept events.

Dependency of binaries on `/lib64/libcrypt.so.1` (packages)

The fix for the libcrypt.so.1 dependency (creating a symlink to libcrypt.so.2 when the former is absent) has been extended to package-based installers, in addition to pbinstall-based installations.

REST API to delete eventlog records from the eventlog database

A new REST call allows deletion of a group of events (e.g., before a certain date). Deleting an eventlog entry that has an associated iolog can optionally delete the corresponding iolog. An endtime attribute has also been added to the REST event filter/search endpoint.

Remove spurious “ypcat is not in the path” warning from installers

The warning message 'ypcat' is not found on the PATH has been removed from the pbinstall and package installers. This message was not an error and did not affect the installation outcome, but caused confusion — particularly for SaaS customers.

pbregister returns the EPM-UL version of the registry name server

pbregister now reports the EPM-UL version of the Registry Name Server it is communicating with. This allows the installer and administrators to adapt settings and installation options based on the server version. If no version is returned, the server is assumed to be older than v26.1.0.

pbadmin: empty string or “none” no longer accepted as a re-key target

pbadmin -k '' and pbadmin -k none previously allowed a root user to decrypt any encrypted database file by providing an empty string or the literal word none as the replacement key file. These values are now rejected; a valid key file path must be specified when re-keying an encrypted database.

REST key and credential databases are now always encrypted

pbrstkeys.db, pbelkcred.db, and pbsiemcred.db are now always stored encrypted. Previously, when dbencryption or restkeyencryption was set to none, these databases were written without encryption. They now fall back to encryption using an EPM-UL internal master key when the configured encryption is none. Existing unencrypted databases are automatically re-keyed on upgrade.

Upgrade 3rd party libraries

All 3rd party libraries are upgraded to the latest available version:

  • OpenSSL 3.0.19
  • Curl 8.19.0
  • OpenLDAP 2.6.13
  • Kerberos (krb5) 1.22.2
  • jansson 2.15.0
  • libedit 20251016-3.1
  • libevent 2.1.12
  • libxml2 2.15.2
  • SQLite 3.51.3
  • unixODBC 2.3.14

Issues resolved

pbregister -C no longer generates certificates with negative serial numbers

Resolution: Certificates generated by pbregister -C could previously produce negative serial numbers approximately half the time. Serial numbers are now guaranteed to be positive.

pbencode core dumps with “Strdup null” error when displaying the policy

Resolution: Running pbencode without arguments to display the policy no longer produces a 3304.01 Strdup null error. This regression was introduced in v25.1.6.

pbvi/pbnvi fails with “undefined symbol: stdscr” on SLES 15

Resolution: pbvi and pbnvi no longer fail with a symbol lookup error (undefined symbol: stdscr) on SLES 15.

EPM-UL RPM GPG key file corrected

Resolution: The RPM-GPG-KEY-PMUL file shipped with EPM-UL packages now contains the correct GPG key corresponding to the RSA/SHA256 signing key introduced in v25.1.6. The v25.1.6 ISO inadvertently contained the older key from v24.1.4.

ACA: pbrun hangs on AIX 7.3 with simple command and policy

Resolution: pbrun with an ACA policy no longer hangs on AIX 7.3. The root cause was a failure to read the ACA policy due to a lock error on file descriptor 0, which caused the ACA process to exit and left pbrun waiting indefinitely.

pbless core dumps (or hangs) when navigating a large file

Resolution: pbless no longer segfaults or hangs when opening a large file (approximately 2 MB or more) and using the G (go to end) followed by g (go to beginning) navigation commands. This regression was introduced in v25.1.6.

Compatibility: old pblocald (v9.4.5) cannot connect to v25.1.6+ clients

Resolution: Old pblocald binaries (version 9.4.5 and similar legacy releases) can now connect to PMUL v26.1.0 and v25.1.6 policy servers. The new IV negotiation introduced in v25.1.6 has been made backward compatible with these older clients.

Setting “Configure systemd” to “no” fails on RHEL 9+ where /etc/init.d does not exist

Resolution: On RHEL 9 and later, /etc/init.d does not exist. When pbinstall was instructed not to configure systemd, it attempted to fall back to SysV init, which failed on RHEL 9+. The installer now correctly uses socket/service mode (similar to pblighttpd/pbconfigd) when init.d is unavailable.

Policy authentication functions segfault when PAM support is not enabled

Resolution: The EPM-UL policy authentication functions submitconfirmuser(), getuserpasswd(), and runconfirmuser() no longer segfault or dump core when PAM support is not enabled in the build.

sudo wrapper: short options -V and -v mapped to wrong long options

Resolution: The EPM-UL sudo wrapper’s -V (--version) and -v (--validate) short options are now correctly associated with their corresponding long options, matching the behavior of the real sudo.

Command-line install of bare license+log server missing expected pb.settings entries

Resolution: Installing a bare license + log server via command line no longer results in missing pb.settings entries that caused subsequent pbrun attempts to fail.

pbregister segfaults on Solaris 11 x86 due to SSL library conflict

Resolution: pbregister v23.1.2 and later no longer segfaults on Solaris 11 x86 when OpenSSL 3.0 is installed on the system, due to a conflict between the system and EPM-UL SSL libraries.

pbinstall: eventlogrotate setting value not retained after upgrade

Resolution: When upgrading an existing installation where eventlogrotate is set to a custom value (e.g., size 10M), pbinstall -b no longer resets it to the commented-out default #eventlogrotate.
