Using PowerBroker for root delegation

You can select PowerBroker as the root delegation tool when configuring a Unix authentication record. Configure the PowerBroker policy file ("pb.conf") so that the user account provided in the Unix authentication record is allowed to run commands as root on the hosts to be scanned.


What PowerBroker version is supported?

PowerBroker supports multiple Unix/Linux platforms. The following platforms have been verified for successful PowerBroker integration with our security service:

- Red Hat Enterprise Linux v3, v4, and v5.x
- SUSE Linux Enterprise Server 9, 10, and 11
- HP-UX 11i v1, v2, and v3
- IBM AIX v5.x and 6.x
- Sun Solaris 8, 9, and 10
- VMware ESX 3.x and 4.x
- Mac OS X 10.x


What credentials should I use?

Are "run hosts" supported?

How does root delegation work?


pb.conf file

The pb.conf policy must set "runuser = root" for requests from the scanning account (in policy syntax, runuser = "root";). If this assignment is missing or commented out, the delegated command is not run as root and authentication with root access fails.

Recommended pb.conf settings:

We use "qualys" to refer to the PowerBroker user created for scanning with our service.

- Constrain "qualys" to PowerBroker requests for "su -" only. The production policy must not let the "qualys" user issue arbitrary privileged commands.

- Make sure the "qualys" user is delegated the system "su" binary, not whatever "su" the request points at. We set the PATH environment variable in the policy to enforce this, so even when the user types "pbrun /a/b/c/mine/su -" or puts a directory containing a private "su" executable in PATH, PowerBroker delegates the correct system "su" binary.

- Make sure the policy delegates exactly "su -" to the "qualys" user, and not "su - oracle" or any other form of "su" request that switches to a different privileged user.

- Enable I/O logging. Point the "iolog" variable at a log file in a directory that exists on the PowerBroker log host. The iolog provides the validating information showing that the scanner executed only the commands it needed, and at the same time gives you a debugging mechanism should a scan not run correctly. To debug, replay a recorded PowerBroker session with: pbreplay <log file>

- Use a restrictive policy to delegate "su -": accept only the exact request described above and reject everything else.
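The following pb.conf policy fragment is an added example that puts the recommendations above together; it is not taken from the original page or from the vendor's sample files. It assumes the scanning account is named "qualys", the system su binary lives at /usr/bin/su, and the directory /var/log/pbiolog exists on the log host. It pins the delegated binary with the runcommand policy variable rather than by setting PATH, which is the method the text above describes; both achieve the same goal of ignoring any "su" the requester supplies.

```text
# Added example pb.conf policy (not from the original page).
# Assumptions: scanning account "qualys", system su at /usr/bin/su,
# and /var/log/pbiolog present on the log host.

# Accept only the exact request "su -" submitted by user qualys.
# Matching on argc/argv rejects "su - oracle" and similar variants.
if (user == "qualys" &&
    basename(command) == "su" &&
    argc == 2 && argv[1] == "-") {

    runuser    = "root";          # required: without this, root access fails
    runcommand = "/usr/bin/su";   # always run the system su, whatever was typed
    runargv    = {"su", "-"};     # force the argument list to exactly "su -"

    # Record the whole session so the scanner's activity can be verified
    # afterwards and replayed with: pbreplay <log file>
    iolog = "/var/log/pbiolog/" + user + "." + submithost + "." +
            strftime("%Y%m%d%H%M%S");

    accept;
}

# Everything else from qualys (any other command, any other su target)
# is refused. In a real policy this rule sits alongside your existing
# rules; the trailing reject shown here is the site's own catch-all.
reject;
```

Before deploying, run the policy through pbcheck to catch syntax errors, then submit a test request as the scanning user with "pbrun su -" and confirm both that it succeeds and that "pbrun su - oracle" is rejected; the iolog written for the first request should show nothing beyond the single su invocation.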


Samples

Check out these PowerBroker pb.conf file samples to learn about configuration settings.

Sample 1 - Delegate "su -" using user "qualys"

Sample 2 - Validate the user info from an external source

Sample 3 - Control the size of the iolog file

Sample 4 - Log only the input stream and limit captured data to 10K