Installation preparation

This section lists the items that you need to plan for and be aware of before starting the installation.

To install PMUL on Amazon Linux 2023, RHEL 8 and 9, ARM64, and RHEL 9 PPC64LE, you must first provide libcrypt.so.1. Install the libxcrypt-compat package with rpm or yum install.

Pre-installation checks

pbulpreinstall.sh performs some basic pre-installation checks, such as:

  • Checks hostname resolution and DNS and name services resolution.
  • Verifies that the default ports are not in use.
  • Checks for sufficient disk space.
  • Reports technical support-related information such as the operating system, NIC information, gateway, and super daemon status. If Endpoint Privilege Management for Unix and Linux is already installed, the Endpoint Privilege Management for Unix and Linux roles such as submithost, runhost, policy server, logserver, and pbx are reported.

This script has an optional -t argument, which initiates a time verification check. This check validates that the host's time is within 60 seconds of the time specified. The time must be given in UTC as a 14-digit YYYYMMDDHHMMSS string (for example, 20130827154130), which can be produced on a host with a trusted clock by:

date -u '+%Y%m%d%H%M%S'

This script has an optional -f argument, which causes pbulpreinstall.sh to produce machine-readable output intended for the BeyondInsight for Unix & Linux installation console.

Prior to installation, the pbulpreinstall.sh script is located in the Endpoint Privilege Management for Unix and Linux distribution under the directory powerbroker///install. After installation, this script is installed in the '$inst_admin' directory (/usr/sbin by default).
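The time check above is the one place in the pre-installation script where a wrong answer is silent until pbmasterd and pblocald start disagreeing about event timestamps, so it is worth being able to reproduce it. The following is an added example written for this page, not the product's own pbulpreinstall.sh: it converts a YYYYMMDDHHMMSS UTC stamp to epoch seconds with shell arithmetic alone (no GNU date -d, which is missing on several of the Unix platforms EPM-UL runs on) and applies the 60-second tolerance. The function names and the optional third argument used for testing are this example's own.

```shell
#!/bin/sh
# Added example for this page, not the product's own pbulpreinstall.sh: a
# stand-alone version of the check that "pbulpreinstall.sh -t" performs,
# i.e. that the host clock is within 60 seconds of a UTC reference given as
# YYYYMMDDHHMMSS. Uses only shell arithmetic (no GNU "date -d"), so it runs
# on the same Unix hosts EPM-UL targets. Function names are this example's.

# stamp_to_epoch YYYYMMDDHHMMSS: print the UTC stamp as seconds since
# 1970-01-01T00:00:00Z, or return 1 if it is not a valid 14-digit stamp.
stamp_to_epoch() {
    s=$1
    case "$s" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Slice the fixed-width fields and drop a leading zero so that "08" is
    # not rejected as an octal literal by $(( )).
    y=${s%??????????}; s=${s#????}
    mo=${s%????????};  s=${s#??}
    d=${s%??????};     s=${s#??}
    hh=${s%????};      s=${s#??}
    mi=${s%??};        ss=${s#??}
    mo=${mo#0}; d=${d#0}; hh=${hh#0}; mi=${mi#0}; ss=${ss#0}
    [ "$mo" -ge 1 ] && [ "$mo" -le 12 ] && [ "$d" -ge 1 ] && [ "$d" -le 31 ] &&
        [ "$hh" -le 23 ] && [ "$mi" -le 59 ] && [ "$ss" -le 59 ] || return 1
    # Days from civil date (proleptic Gregorian, years counted from 1 March).
    if [ "$mo" -le 2 ]; then y=$((y - 1)); mo=$((mo + 9)); else mo=$((mo - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(((153 * mo + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + hh * 3600 + mi * 60 + ss))
}

# check_time_within STAMP [TOLERANCE_SECONDS] [NOW_EPOCH]
# Returns 0 if the host clock (or NOW_EPOCH, supplied only for testing) is
# within TOLERANCE (default 60) seconds of STAMP, 1 if it is not, and 2 if
# STAMP is malformed.
check_time_within() {
    ref=$(stamp_to_epoch "$1") || { echo "invalid UTC stamp: $1" >&2; return 2; }
    tol=${2:-60}
    now=${3:-$(date -u +%s)}
    diff=$((now - ref))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    if [ "$diff" -le "$tol" ]; then
        echo "OK: host time is within ${diff}s of $1"
    else
        echo "WARNING: host time is ${diff}s away from $1 (tolerance ${tol}s)"
        return 1
    fi
}

# Usage: sh timecheck.sh "$(date -u '+%Y%m%d%H%M%S')"   (stamp taken on a trusted host)
if [ -n "${1:-}" ]; then check_time_within "$1"; fi
```

Run it with a stamp generated on the host you trust (the policy server, or an NTP-synchronized admin workstation), not on the host being checked, otherwise the comparison is trivially true. A non-zero exit is the cue to fix NTP before continuing, since the 60-second window is the same one the installer's -t check enforces.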

Obtain a license validation key

You need a license string, provided by your BeyondTrust sales representative, to install Endpoint Privilege Management for Unix and Linux.

The primary license server host performs the license resolution functions and is the only EPM-UL host type that requires a license key. For a policy server host to accept a task, the primary license server must hold a current, valid license key. The distribution includes a temporary license key that expires two months after the installation date.

If installing using pbinstall, the license key may be configured during installation using the license installation menu item. After the installation is complete, the license can also be added using the pbadmin --lic -u command.

Obtain root access

Installation of the Endpoint Privilege Management for Unix and Linux product requires root access.

Plan EPM-UL hosts

An Endpoint Privilege Management for Unix and Linux installation includes several host types, each of which performs specific functions. Prior to installation, you need to determine which host type needs to be placed on the individual machines in your environment.

Endpoint Privilege Management for Unix and Linux must be installed separately on each machine running any type of Endpoint Privilege Management for Unix and Linux host.

Select license servers

Determine the hosts to use as license servers.

  • These are the machines that resolve licenses for EPM-UL.
  • The license server host is the only host type that requires a license key. It stores and maintains the product license, parameters, and usage information.
  • The first installation of EPM-UL becomes the primary license server. Subsequent license server installations obtain their data when the primary license server performs synchronization.

Select submit hosts

Determine the machines to use as submit hosts.

  • These are the machines where pbrun is installed and run.
  • pbrun is the EPM-UL utility used to submit secure tasks that might run on the same or different hosts.
  • At minimum, one submit host must be available to process monitored task requests.

Select run hosts

Determine the machines to use as run hosts.

  • These are the machines where pblocald, pbsh, and pbksh are installed and run.
  • pblocald is the daemon process that executes secure tasks. At minimum, one run host must be available to process accepted task requests.
  • Multiple EPM-UL components can be installed on a single machine. For example, it is possible for a single physical machine to serve as a submit host, policy server host, run host, log host, and log sync host.

Select policy server hosts

Determine the machines to use as policy server hosts.

  • pbmasterd is installed and run on the policy server host. pbmasterd is the daemon process that accepts or rejects all tasks submitted by submit hosts, and if accepted, authorizes a specific run host to execute each task.
  • Policy files reside on this host (by default /opt/pbul/policies/pb.conf from v9.4.3 onward, and /etc/pb.conf prior to v9.4.3). Any policy files referenced by include statements must also reside on the policy server host.
  • There must be at least one policy server host. We recommend that a second, failover policy server host also be installed and have the same policy files as the primary policy server host to provide redundancy.
  • Depending on the size of your environment and the volume of tasks run through the Endpoint Privilege Management for Unix and Linux system, it may be desirable to add additional policy server hosts. Add policy server hosts during the initial installation or afterwards.

Select log hosts

Using a log host to record event and I/O logs is optional. If a log host is not used, pbmasterd and pblocald are responsible for logging activities.

To use this feature, determine the machine (or machines) to use as log hosts.

  • This machine is where pblogd is installed and run.
  • As with policy server hosts, multiple log hosts are recommended to provide redundancy. When there is a log host failover, the log synchronization utilities in EPM-UL can be used to resynchronize the log entries.
  • The load on the log hosts varies with the amount of logging. I/O logs require greater resources on the log hosts. Additional log hosts can be added to your environment during installation or afterwards, as needed.

Enable log synchronization host

The log synchronization component enables a log host, or a policy server host that is acting as a log host, to participate in log synchronization, so that log entries can be resynchronized between log hosts after a failover.

  • Install the log synchronization component on any log host or policy server host that may participate in log synchronization.
  • Log synchronization should be installed on each log or policy server host if you are installing primary and failover log hosts, or are installing policy server hosts that are acting as log hosts.
  • If log synchronization is used, then one or more machines need to have the ability to initiate log synchronization.

EPM-UL utilities

Using the Endpoint Privilege Management for Unix and Linux utilities is optional.

  • Utilities are secured versions of vi, nvi, mg, umacs, and less.
  • Utilities can only be installed where an EPM-UL run host is installed.

EPM-UL Shells

Using the Endpoint Privilege Management for Unix and Linux shells is optional.

  • Shells are secured versions of the Korn Shell and the Bourne Shell.
  • Shells can be installed only on a machine where an EPM-UL submit host is installed.

Select port numbers

You need to decide whether to use the default port numbers or to specify your own.

Endpoint Privilege Management for Unix and Linux uses the following default port numbers:

  Daemon        Default port
  pbmasterd     24345
  pblocald      24346
  pblogd        24347
  pbsyncd       24350
  pbrestport    24351

If you decide to change the port number defaults, be sure to choose port numbers that do not conflict with those already in use. See /etc/services. Also, if present and active, review the services NIS map. Endpoint Privilege Management for Unix and Linux port numbers must be non-reserved ports; the allowed range is 1024 to 65535.

Select installation directories

Decide whether to use the Endpoint Privilege Management for Unix and Linux default installation directories or to specify your own. Specifying your own installation directories lets you tailor the local installation to the host's filesystem layout.

Select syslog

Using syslog is optional. Determine if the policy server host, run host, submit host, log sync host, and/or log host should generate syslog records when system error conditions are encountered.

Select encryption

By default, Endpoint Privilege Management for Unix and Linux installs with AES-256 encryption; however, a number of encryption technologies are supported.

Firewalls

Endpoint Privilege Management for Unix and Linux can be used in a firewall environment with special configuration.

Use NIS

Endpoint Privilege Management for Unix and Linux can use NIS to provide configuration services for EPM-UL settings. Netgroups can be defined for:

  • Accept policy servers (pbacceptmasters)
  • Submit policy servers (pbsubmitmasters)
  • Log host (pblogservers)

NIS can also be used to provide port lookup information for the EPM-UL components. If NIS is running in your environment, consider using EPM-UL netgroups and port definitions.

Verify proper TCP/IP operation

Endpoint Privilege Management for Unix and Linux uses TCP/IP as its communication protocol. Therefore, it is essential that TCP/IP be working correctly before installation.

Use programs such as ping, netstat, route, or traceroute to verify correct TCP/IP operation among all hosts that will have Endpoint Privilege Management for Unix and Linux components installed.

Verify network host information

Ensure that each network host knows the names and addresses of all other network hosts. Network host information is generally stored in the /etc/hosts file on each host, in NIS maps, or in DNS on a server.

Each submit host should resolve all of the policy server host names correctly. Each policy server host should resolve all submit, run, GUI, and log host names correctly. The resolution must work correctly in both directions: name-to-IP address and IP address-to-name.

After installation, the pbbench utility generates warnings for any host name resolution issues on a host where Endpoint Privilege Management components are installed.
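The port and name-resolution requirements from "Pre-installation checks", "Select port numbers" and this section can be verified before pbulpreinstall.sh or pbbench ever run. The following is an added example written for this page, not code from the product: it lists the TCP ports in LISTEN state from a /proc/net/tcp-style file, checks each EPM-UL default port for the 1024-65535 range, an existing listener, and an /etc/services assignment, and confirms that a host name resolves forward and back to itself. It assumes a Linux host (for /proc/net/tcp) and the getent utility; the sample /proc/net/tcp and /etc/services excerpts are constructed for offline testing, and all function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for this page, not the product's own pbulpreinstall.sh or
# pbbench: offline-testable checks that the EPM-UL default ports are free and
# valid, and that host names resolve forward and reverse consistently.
# Assumes a Linux host (/proc/net/tcp) and getent; every function and
# variable name here is this example's own.

# Default EPM-UL daemon ports as listed on this page.
PB_DEFAULT_PORTS="pbmasterd 24345
pblocald 24346
pblogd 24347
pbsyncd 24350
pbrestport 24351"

# Constructed /proc/net/tcp excerpt for testing: a LISTEN (st 0A) socket on
# 24345 (0x5F19) and on 22 (0x0016), plus an ESTABLISHED (st 01) connection
# from local port 50000 that must not count as a listener.
PB_SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:5F19 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0A0A0A0A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0'

# Constructed /etc/services excerpt for testing.
PB_SAMPLE_SERVICES='# service  port/proto
ssh        22/tcp
ssh        22/udp'

PB_SERVICES_FILE=${PB_SERVICES_FILE:-/etc/services}

# EPM-UL ports must be numeric and in the non-reserved range 1024-65535.
valid_pb_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the TCP ports in LISTEN state (st == 0A) from a /proc/net/tcp-style
# file, one per line. Column 2 is "hexaddr:hexport".
listening_ports_from() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
        while read -r hexport; do echo $((0x$hexport)); done | sort -un
}

# port_in_use PORT [FILE...]: succeed if PORT is listening in any FILE
# (default: the live /proc/net/tcp and /proc/net/tcp6).
port_in_use() {
    piu_port=$1; shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for piu_file in "$@"; do
        [ -r "$piu_file" ] || continue
        listening_ports_from "$piu_file" | grep -qx "$piu_port" && return 0
    done
    return 1
}

# services_conflict PORT: print the service name(s) that $PB_SERVICES_FILE
# already assigns to PORT/tcp (the page's "See /etc/services").
services_conflict() {
    [ -r "$PB_SERVICES_FILE" ] || return 0
    awk -v p="$1" '!/^#/ && $2 == p "/tcp" { print $1 }' "$PB_SERVICES_FILE"
}

# check_pb_ports [FILE...]: print one line per default port that is out of
# range, already listening, or assigned in the services file; return 1 if
# anything was reported, 0 if all ports are clear.
check_pb_ports() {
    cpp_out=$(echo "$PB_DEFAULT_PORTS" | while read -r daemon port; do
        if ! valid_pb_port "$port"; then
            echo "$daemon: $port is outside 1024-65535"
        elif port_in_use "$port" "$@"; then
            echo "$daemon: port $port is already listening"
        fi
        svc=$(services_conflict "$port")
        [ -n "$svc" ] && echo "$daemon: port $port is assigned to '$svc' in $PB_SERVICES_FILE"
    done)
    [ -z "$cpp_out" ] && return 0
    echo "$cpp_out"
    return 1
}

# resolve_both_ways NAME: forward-resolve NAME, then reverse-resolve each
# address and require NAME among the names returned; this is the
# name-to-IP and IP-to-name consistency the page asks for. Use the same
# form (short or fully qualified) that the EPM-UL hosts will use.
resolve_both_ways() {
    rbw_addrs=$(getent hosts "$1" | awk '{ print $1 }')
    [ -n "$rbw_addrs" ] || { echo "$1: forward lookup failed" >&2; return 1; }
    for rbw_ip in $rbw_addrs; do
        rbw_names=$(getent hosts "$rbw_ip" | awk '{ $1 = ""; print }')
        case " $rbw_names " in
            *" $1 "*) ;;
            *) echo "$1: reverse lookup of $rbw_ip gives '$rbw_names', not $1" >&2
               return 1 ;;
        esac
    done
}

# Usage: sh pbports.sh host1 host2 ...   (checks local ports, then each name)
if [ -n "${1:-}" ]; then
    check_pb_ports
    for h in "$@"; do resolve_both_ways "$h"; done
fi
```

Run check_pb_ports on every machine that will hold a pbmasterd, pblocald, pblogd or pbsyncd, and run resolve_both_ways on each policy server for every submit, run and log host name it will see (and the reverse), because a reverse lookup that returns a different spelling of the name is exactly the condition pbbench later warns about. If NIS is active, getent already consults it through nsswitch, so no separate check of the NIS hosts map is needed.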


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.