Endpoint Privilege Management for Unix & Linux 24.1.4 release notes
December 5, 2024
Requirements
Note
For more information, see
Enhancements
- openssl: 3.0.13
- curl: 8.7.1
- jansson: 2.14
- libedit: 20230828-3.1
- libevent: 2.1.12
- libxml2: 2.12.6
- sqlite: 3.45.3
- lighttpd: 1.4.75
- OpenLDAP: 2.5.17
- Kerberos: 1.21.3
Added more detail to pbrun --debug=connect to provide more information on the progress of the TLS handshake.
New option: --debug=tls
- License database update performance improvement: faster updates on license servers and the policy server, achieved by using database transactions and disabling SQLite WAL journal mode.
- license_put_sync performance improvements: multiple entries for a given host in license write queue files are grouped and sent as a single update to the license server.
- Separate license check and license write queue file writes in pbmasterd: this improves the performance of pbrun and other PMUL clients.
- Avoid writing multiple license write queue files for the same host: when there were many ‘first time in a day’ requests at the same time, pbmasterd would write multiple write queue files for a single host. With this change, only one license write queue file is sufficient to update the lastupdated time in the license database.
- Continued support for RHEL 7
- Sudo Manager: Support for Ubuntu 24.04
The option to enable Registry Name Service no longer defaults to yes. When running pbinstall, the default answer to the question has changed to no: Do you wish to utilize Registry Name Service? [no].
An already promoted host for a service group in RNS can be promoted again to fix dbsync and service cache update issues. Re-running the promote command (pbdbutil --svc -p `service group` `host`) resets the dbsync history on the primary server.
The pbdbutil --svc -p command:
- promotes the host in pbsvc.db
- enables/disables dbsync
- resets dbsync history on required hosts
- updates the svc cache on multiple hosts.
Removed dashes from pbclientnames, -pbsh and -pbksh. BIUL can parse policy when dashes are removed.
OpenSSL and libcurl libraries built by BeyondTrust are now loaded at the initialization of the PMUL processes to avoid possible conflicts when loading third-party libraries.
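A diagnostic for the library conflict this change addresses, as an added example (not BeyondTrust code): it parses a `/proc/<pid>/maps` listing and reports OpenSSL or libcurl objects mapped from more than one file, or from outside the directory that appears in the libcurl path quoted in the Issues resolved table. The libssl/libcrypto file names, the pbrun path and the sample listing are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

FAMILIES = ("libssl", "libcrypto", "libcurl")
# Directory taken from the libcurl path quoted in the release notes.
VENDOR_DIR = "/usr/lib/beyondtrust/pb"
# /proc/<pid>/maps line: address perms offset dev inode pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s+(/\S.*)$")

# Constructed sample: vendor libraries plus system OpenSSL in one process.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a40000 r-xp 00000000 fd:01 400001 /usr/bin/pbrun
7f10a0000000-7f10a0090000 r-xp 00000000 fd:01 400010 /usr/lib/beyondtrust/pb/libcurl.so.4.8.0
7f10a1000000-7f10a1080000 r-xp 00000000 fd:01 400011 /usr/lib/beyondtrust/pb/libssl.so.3
7f10a2000000-7f10a2300000 r-xp 00000000 fd:01 400012 /usr/lib/beyondtrust/pb/libcrypto.so.3
7f10a3000000-7f10a3080000 r-xp 00000000 fd:01 500020 /usr/lib64/libssl.so.3
7f10a4000000-7f10a4300000 r-xp 00000000 fd:01 500021 /usr/lib64/libcrypto.so.3
7f10a5000000-7f10a5021000 rw-p 00000000 00:00 0 [heap]
"""

def loaded_tls_libs(maps_text):
    """Return {family: set of file paths} for mapped OpenSSL/libcurl objects."""
    found = defaultdict(set)
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mapping, [heap], [stack], ...
        path = m.group(1)
        if path.endswith(" (deleted)"):  # file replaced while still mapped
            path = path[:-len(" (deleted)")]
        name = path.rsplit("/", 1)[-1]
        for family in FAMILIES:
            if name.startswith(family + ".so"):
                found[family].add(path)
    return dict(found)

def find_conflicts(maps_text):
    """Report families mapped from several files or from outside VENDOR_DIR."""
    report = {}
    for family, paths in loaded_tls_libs(maps_text).items():
        outside = sorted(p for p in paths if not p.startswith(VENDOR_DIR + "/"))
        if len(paths) > 1 or outside:
            report[family] = {"paths": sorted(paths), "outside_vendor_dir": outside}
    return report

if __name__ == "__main__":
    for family, info in sorted(find_conflicts(SAMPLE_MAPS).items()):
        print(family, info)
```

To inspect a live process, pass the contents of its `/proc/<pid>/maps` file to `find_conflicts` instead of the sample.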
Issues resolved
Description | Resolution |
---|---|
When a policy pull was requested from a cached client, a license write queue file was created for every pull. | We now check the lastupdated field in the license database, and only create the wq file if this field needs to be updated for this client. |
REST/v2.0/license/clients verbose=1 takes too long. The BIUL Endpoints page times out. | The Endpoints page no longer times out. |
Default values for List settings are returned as a string. | Default values for List settings are now returned as lists. |
Filtering is not working when listing client/endpoint licenses through REST. | Updated REST services so values align with pbadmin. |
When filtering auth events on event type (etype) you cannot set multiple event types using wildcards (for example “[AK]”). | Can now use wildcards in filtering. |
Audit > Search and Replay data does not change from page to page. | Can now page through events. |
Cached client waits too long before transitioning to cached mode. | Added improvements to the responsiveness of the cached client. |
Running pbrun on a cached SaaS client with a disconnected NIC results in a 3003.01 error (cannot connect to a policy server). | The 3003.01 error message is no longer displayed and caching operates correctly. |
If there was a problem processing a wq file, the error 3914.27 Failed to process WQ file /mnt/efs/opt/pbul/pbcached/incoming/*hostname*/wqfiles/*wq file name* - I/O error was displayed every 30 seconds. | We have now reduced the frequency of this error. |
pbdbutil --scache -R --all is not updating clients when a new RNS server is promoted. | Clients are correctly updated. A new option, --from, has been added to the pbdbutil command to update a client’s service cache database from a specified RNS server. Usage: issue the following command from any RNS server: pbdbutil --scache -R --all --from [RNS Primary/Secondary Server] |
The number of keystroke events did not display when running the command: pbadmin --wqstatus -T -P | Number of keystroke events now displays. |
pbmasterd/pblogd --rotate *file* ignores the *file* argument and always rotates the default eventlog. | The *file* argument is now respected. |
Multiple memory corruption issues in ACA. | The memory findings have been resolved. |
ACA launching ksh scripts emits an error #9 (bad file descriptor). ACA requires two file descriptors, one for policy and one for two-way communications. | ACA now correctly handles file descriptors associated with launched ksh scripts. |
ACA does not work in RHEL 8.10 for the yum command. | ACA now works correctly for the yum command in RHEL 8.10. |
Service Cache DB fails to update on policy servers when primary license/registry is down. | Service cache DB now updates policy server. |
On RHEL9, non-root NIS or AD users fail with message 8523 Client failure in SSL_connect() communicating with.… This is due to an SSL library conflict. | Now setting the defaults for loadssllibs and loadcurllibs to yes, which eliminates the error. |
Failed to update Service Cache message during installation. | Now updating Service Cache messages. |
SSL failures on Red Hat 9. | This is fixed by setting the defaults for loadssllibs and loadcurllibs to yes. |
On Ubuntu 20 loading errors: 5723 Error loading library: /usr/lib/beyondtrust/pb/libcurl.so.4.8.0 | The libcurl.4.8.0.so library now loads correctly. |
Change the sentence about Client Registration Server option: "You have already selected to make this host a Registry Name Service Server" is wrong. | Sentence changed to: "You have already selected to make this host the first License Server." |