SecureAuth (Arculix) push notification for Endpoint Privilege Management for Unix and Linux
This guide describes the steps to set up Arculix push notifications (to mobile) for EPM-UL managed elevation requests.
Overview
Arculix by SecureAuth allows BeyondTrust customers to deploy passwordless continuous authentication for Endpoint Privilege Management for Unix and Linux (EPM-UL), while providing a flexible and frictionless user experience.
When Unix & Linux users require access to privileged commands or files, elevation requests can be approved with a mobile phone and the Arculix It’sMe App available for Android and Apple.
Note
You need a working test user with the Arculix mobile app to receive the Push notification. For more information, see the Arculix Mobile app user guide.
Configure EPM-UL policy
A Role-Based Policy is required for the configuration described in this guide. The Policy Script shown here could also be used with Server-Based Policy, but that is beyond the scope of this guide.
Note
Some of the steps listed in this section refer to the use of our BeyondInsight for Unix & Linux (BIUL) application. For more information, see the BeyondInsight Unix & Linux User Guide.
You must first configure an Endpoint Privilege Management for Unix and Linux (EPM-UL) Role-Based Policy, using the BeyondInsight for Unix & Linux (BIUL) application.
In the steps that follow, we will use a simplistic example based on a Database Admin Use Case to demonstrate how the integration works.
Create group of allowed commands
Create a group of allowed commands. In this example the group permits editing a configuration file and running a few test commands. The Command and Executed parameter entries set in this example are as follows:
- dbconfig, vi /etc/database/db.config
- id, /usr/bin/id
- vi /etc/database/*, (leave blank)
- whoami, /usr/bin/whoami
Create a DatabaseAdmins role
Create a role called DatabaseAdmins. The parameters set in the example are as follows:
- Role Name: DatabaseAdmins
- Description: Database Admins
- Policy: Enabled
- Action: Accept
- Entitlement Reporting: Enabled
- Role Risk level: 0
- Request Type: Any
Assign test user to DBA Commands group
Assign a working test user to the DBA Commands group that you created. The parameters set in the example are as follows:
- Allowed Submit User(s): beyondtrust.demo
- Allowed Run User(s): root
- Allowed Commands: DBA Commands
- Allowed Submit Host(s): All Hosts
- Allowed Run Host(s): All Hosts
- Allowed Time Periods: Any Time
Messages
Optionally, you can enable some messages. The Accept and Reject Messages script set in the example is as follows:
'%event%' event generated by %rbprole%.
Processed by %masterhost%.
Session recorded to %iolog%.
Script policy
You need to create a Script Policy to allow for the interaction with Arculix and the push notification on the user’s mobile app. See the script policy example below.
# Arculix API service account - OAuth Client Credentials
client_id = "123456"
client_secret = "abc123"

print("Processed by:", masterhost);
print("Accepted by : ", lineinfile);

# Show the public IP address the request originates from
PublicIP = system("/usr/bin/curl -s http://whatismyip.akamai.com/");
print("Your Public IP Address : " + PublicIP);

# Map the submitting Unix user to the Arculix username
username = user + "@arculix.xyz";
print("Privileged Command - Arculix Push Request for Username = " + username);

# Step 1: obtain an OAuth bearer token with the client credentials
Arculix_StepUp = system("curl 'https://dev.eguardian.io/oauth/token' --silent -X POST -H 'Content-Type: application/json' -d '{\"grant_type\": \"client_credentials\",\"client_id\": \"" + client_id + "\",\"client_secret\": \"" + client_secret + "\",\"scope\": \"public\"}'");
# The token is cut out of the JSON response by fixed offset; these offsets (and the
# ones below) match the response layout of this tenant and must be re-checked if the
# API response format changes
Arculix_Token = substr(Arculix_StepUp, 18, 854);

# Step 2: send the push notification to the user's mobile app
Arculix_Push = system("curl 'https://dev.eguardian.io/api/integration/v2/authn' --silent -X POST -H 'Authorization: Bearer " + Arculix_Token + "' -H 'Content-Type: application/json' -d '{\"credential_type\": \"password_less_login\",\"auth_credentials\": {\"username\": \"" + username + "\"},\"type\": \"Event Check\",\"message\": \"BeyondTrust Step Up Auth Request\",\"event\": \"Continuous-Auth\",\"auth_factor\": [\"push\"]}'");
# Channel id of the push request, again extracted by fixed offset
Arculix_Channel = substr(Arculix_Push, 54, 42);

# Wait for the user to act on the push before the status is checked
pushSubmit = input("Please press ENTER key when Push notification is accepted on mobile with Arculix App");
print("We are now confirming that you Accepted the Push Request with mobile");

# Step 3: query the status of the push request on its channel
Arculix_Status_Response = system("curl 'https://dev.eguardian.io/api/integration/v2/authn/" + Arculix_Channel + "/status' --silent -X GET -H 'Authorization: Bearer " + Arculix_Token + "'");
Arculix_Status = substr(Arculix_Status_Response, 108, 8);
print("Arculix Push Request - Status = " + Arculix_Status);

# Only an explicit "approved" status accepts the request; pending or rejected is rejected
if (Arculix_Status == "approved") {
    print("Push Request Approved");
    pushComplete = input("Press the ENTER key to execute your command");
    accept;
} else {
    print("Push Request REJECTED, your command has been rejected");
    reject;
}
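The same three-step exchange (client-credentials token, push request, status check) written as an added Python example, not code from BeyondTrust or Arculix. It differs from the policy script in two deliberate ways: the responses are parsed as JSON instead of being cut by fixed character offsets, and the status is polled instead of checked once after the user presses ENTER, so a push left pending is denied after a bounded wait. The endpoints are the ones used in the policy script; the field names "access_token" (standard RFC 6749), "id" and "status" are assumptions, since the page does not show the raw responses, and FakeArculix is a constructed offline stand-in for the service so the flow runs without network access.

```python
import json
import time
import urllib.request

# Endpoints taken from the policy script on this page
TOKEN_URL = "https://dev.eguardian.io/oauth/token"
AUTHN_URL = "https://dev.eguardian.io/api/integration/v2/authn"

# ASSUMED field names: "access_token" follows RFC 6749; "id" and "status"
# are placeholders for the Arculix authn responses, which the page does not show.
CHANNEL_FIELD = "id"
STATUS_FIELD = "status"


def urllib_transport(method, url, body, headers):
    """Real HTTPS transport, used only when the flow is run against the service."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def get_token(transport, client_id, client_secret):
    """OAuth client-credentials grant; the token is read structurally, not by offset."""
    resp = transport("POST", TOKEN_URL,
                     {"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": "public"},
                     {"Content-Type": "application/json"})
    token = resp.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("token response has no access_token")
    return token


def send_push(transport, token, username):
    """Request a push to the user's mobile app and return the channel id."""
    resp = transport("POST", AUTHN_URL,
                     {"credential_type": "password_less_login",
                      "auth_credentials": {"username": username},
                      "type": "Event Check",
                      "message": "BeyondTrust Step Up Auth Request",
                      "event": "Continuous-Auth",
                      "auth_factor": ["push"]},
                     {"Authorization": "Bearer " + token,
                      "Content-Type": "application/json"})
    channel = resp.get(CHANNEL_FIELD)
    if not isinstance(channel, str) or not channel:
        raise ValueError("authn response has no channel id")
    return channel


def poll_status(transport, token, channel, attempts=30, interval=2.0):
    """Poll until the push is approved or rejected; anything else past the budget stays pending."""
    for _ in range(attempts):
        resp = transport("GET", AUTHN_URL + "/" + channel + "/status", None,
                         {"Authorization": "Bearer " + token})
        status = resp.get(STATUS_FIELD)
        if status in ("approved", "rejected"):
            return status
        time.sleep(interval)
    return "pending"


def step_up(transport, client_id, client_secret, username, interval=2.0):
    """Full flow; True only on an explicit 'approved' status (pending and rejected both deny)."""
    token = get_token(transport, client_id, client_secret)
    channel = send_push(transport, token, username)
    return poll_status(transport, token, channel, interval=interval) == "approved"


class FakeArculix:
    """Constructed offline stand-in for the service with a scripted status sequence."""

    def __init__(self, statuses):
        self.statuses = list(statuses)
        self.calls = []

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url))
        if url == TOKEN_URL:
            return {"access_token": "tok-constructed", "token_type": "bearer"}
        if url == AUTHN_URL:
            if headers.get("Authorization") != "Bearer tok-constructed":
                raise ValueError("push sent without the issued bearer token")
            return {CHANNEL_FIELD: "chan-constructed"}
        if url.endswith("/status"):
            nxt = self.statuses.pop(0) if self.statuses else "pending"
            return {STATUS_FIELD: nxt}
        raise ValueError("unexpected url " + url)


if __name__ == "__main__":
    user = "beyondtrust.demo@arculix.xyz"
    print("approved:", step_up(FakeArculix(["pending", "approved"]), "123456", "abc123", user, interval=0))
    print("never answered:", step_up(FakeArculix([]), "123456", "abc123", user, interval=0))
```

To run against the real tenant, pass urllib_transport in place of the fake and a realistic interval; the approve/deny decision stays the same, and a response with an unexpected status value (for example a differently cased string) is treated as pending rather than as approval.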
User experience
Here is a sample scenario of an attempt to modify a database configuration file.
beyondtrust.demo has read-only access to the file and cannot modify the Port parameter. Changing it is a privileged action and requires an elevation request.
When beyondtrust.demo prefixes the command with pbrun, the role’s Policy Script is executed.
beyondtrust.demo receives a push notification on a mobile app.
Once beyondtrust.demo approves the push request on the mobile app, they press the ENTER key so the Policy Script can verify that the request status is approved.
Now beyondtrust.demo is authorized to modify the file and change the Port number.
However, if beyondtrust.demo rejects the request, or leaves the push request in a pending state, the command is rejected.