Frequently Asked Questions (FAQ)

How does PowerBroker work?
PowerBroker uses a client/server architecture and consists of three main programs. Users submit their requests to run certain programs through Symark PowerBroker's pbrun. A master daemon examines each request and either accepts or rejects it based on information in PowerBroker's configuration policy files. If the request is accepted, a local daemon runs the application program as the requested userid (e.g. root).
Which UNIX/Linux platforms does PowerBroker support?
The current list of supported platforms can be found in the PowerBroker README document.
Does PowerBroker permit authorized users to switch to another userid without entering the password?
Yes. This is easily handled by PowerBroker's security policy files.
What are these security policy files?
Security policy files are rule-based constraint files which grant access based on time of day, machine, userid, etc., so users can be assigned expanded privileges in a controlled environment. The security policy language supports a wide range of programming constructs (if, else, case), string/parsing functions (strip, atoi, basename), and other functions.
Can PowerBroker limit which users can switch to root if the root password is known?
No. PowerBroker's function is to allow root (or another userid) access without revealing the password.
How involved is the installation process?
A PowerBroker installation is quick, easy and non-intrusive. No kernel modification is needed and no system reboot is required. No binaries are replaced. Program settings and file locations are selected from an installation menu.
Does PowerBroker include an automated method for installation on designated systems?
Yes. After pre-defining responses, a 'batch' job can be run on multiple machines. This is especially easy from an NFS-mounted partition.
Can PowerBroker be centrally managed?
Yes. PowerBroker can be configured for centralized management of its log files and security policy files. Log files can be directed to a centralized log server. For maximum security, the log host and master host should be separate isolated machines.
How is PowerBroker licensed?
PowerBroker is licensed by the number of PowerBroker client connections to the PowerBroker master.
Does PowerBroker provide encryption/decryption, digital signatures and/or certificates?
Yes. Network traffic is encrypted to guard against network snooping or spoofing. Communication between PowerBroker agents can be encrypted using any of 28 well-known algorithms including the U.S. Government standard, AES.
Will a user who connects via SSH (Secure Shell) have problems running a command that is delegated through PowerBroker?
No.
Does PowerBroker provide Command Line Interfaces (CLI) and Graphical User Interfaces (GUI) for administrative functions?
Yes, the security policy files and settings files can be managed with or without a GUI interface.
Does PowerBroker provide a scripting capability to allow for instructions to be executed in batch mode?
Yes.
Does PowerBroker provide online help/man pages for programs and utilities?
Yes.
Can PowerBroker control a user's read, execute, write, directory, utime, chown, chmod, secure, delete and/or rename access to a file or directory?
Yes, though PowerBroker doesn't provide a full ACL system.
Can PowerBroker control a user's read, execute, write, directory, utime, chown, chmod, secure, delete and/or rename access to a file or directory?
Yes, though unregistered programs could be executed directly.
Can PowerBroker control which users can execute a setuid/setgid program? Can these access permissions be delegated to another user/group?
Yes.
Can PowerBroker grant or deny a user access to a file or directory depending on the program being used?
Yes. Command line parsing is done prior to acceptance and execution.
Can PowerBroker prevent a tampered-with setuid/setgid program from being executed?
Yes. A checksum validation prior to execution can be automatically performed.
Can PowerBroker restrict a user to which system and/or devices on a system they can login from?
Yes.
Can PowerBroker restrict a user login by day-of-week and/or time-of-day?
Yes.
Can PowerBroker limit which users, including root, can switch to a particular userid, even if that userid's password is known?
No. PowerBroker cannot prevent logins if the password is known.
Does PowerBroker allow audit records from distributed systems to be centrally collected?
Yes. A centralized log server can be specified. Log files from different machines can also be merged, provided they use the same encryption type and encryption key.
Does PowerBroker ensure the integrity of the audit files by prohibiting any user, including root, from accessing the files?
Users can be restricted; root, however, cannot.
Does PowerBroker support referencing systems by their individual names?
Yes. Machine names are looked up via /etc/hosts, NIS, or DNS.
Does PowerBroker support grouping systems together to reference systems collectively? How is this done?
Yes. Unix Netgroups are supported. Also, variable names and lists can be created by the administrator.
Does PowerBroker support referencing systems by the network they reside on?
Yes. IP addresses can be used.
Does PowerBroker support referencing systems by matching a particular name pattern? How is this done?
Yes. String manipulation functions are included in the policy language, to parse machine names from the 'submithost' or 'runhost'.
What happens if the PowerBroker master daemon dies?
Symark recommends setting up at least one failover master. Masters and failover masters hold identical settings and security policy files.
Does PowerBroker support AES encryption?
Symark currently provides 28 different encryption algorithms, including the U.S. Government standard, AES.

Technical Questions:
How much overhead does PowerBroker require?
A PowerBroker session (pbrun) is very much like a telnet session as far as system I/O goes. The security policy files are ASCII files and use very little disk space. The log files, however, will grow rapidly. There are two of them.
pb.eventlog. Command acceptance/rejection is appended to this file. Estimate the growth at 100 lines of text appended to pb.eventlog for every pbrun.
The keystroke log. The size of this optional log depends on how many pbrun sessions will be keystroke logged, how long the user will be in that session, and what commands they will be executing. The keystroke logs by default log input, output and standard error. It is a good idea to set up a cron job or some other job scheduling software to handle the log files daily. Technical Bulletin pb003 discusses logging techniques and cleanup.
What is the recommended procedure to safely upgrade from earlier versions?
Upgrade procedures and recommendations for various versions of PowerBroker are detailed in the PowerBroker Installation Guide. Large installations may wish to automate software upgrades through the use of PowerBroker's pbmakeremotetar script.
Can I customize the PowerBroker reject msg?
Yes. The format is reject [expression];. This is documented in the "Executable Program Statements" section of the PowerBroker Policy Language Manual. This feature is only available with an explicit 'reject' statement within the policy. An implicit 'reject' occurs if processing terminates without encountering an 'accept' statement and will produce the standard message.
How do I control the PS1 prompt in a PB delegated shell?
You can control any environment variable from within a policy, e.g. setenv("PS1", host + "($PWD) # ");
Can more than one user access the pb.settings file via the web GUI? Is a lock put on the file with the first access?
More than one person can access the file simultaneously. There is no lock. The last save operation overwrites any previous saves.
Can I use wildcards for usernames in policies?
Yes. PowerBroker supports the standard set of shell-style wildcard patterns, e.g. adminusers={"m*"};. This is fully documented in the PowerBroker Policy Language Manual.
Must absolute paths be used in pb.conf 'include' statements, or can symbolic links be used?
Symbolic links are perfectly acceptable as are relative paths.
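The following policy fragment is an added example, not from the original FAQ or from Symark, that ties the answers above together: an include statement, a wildcard user list, parsing the short host name out of submithost, an explicit reject with a custom message, setting PS1 in the delegated shell, and an implicit reject on fall-through. The variables user, submithost, runuser, command, hour and iolog, the in list-membership operator, the split() function and list indexing are assumed from the standard PowerBroker policy language and are not stated on this page.

```text
# Added example policy; not from the original page or from Symark.
# Assumed (standard PowerBroker policy language, not stated on this page):
# the variables user, submithost, runuser, command, hour and iolog,
# the 'in' operator, the split() function and list indexing with [n].
include "/etc/pb/site-lists.conf";           # a symlink or relative path is also accepted

adminusers = {"m*", "opsadm"};               # shell-style wildcards on usernames
mgmthosts  = {"mgmt*"};                      # pattern matched against the submitting host
allowed    = {"/bin/ls", "/usr/sbin/service", "/usr/bin/passwd"};

# Parse the short host name out of a fully qualified submithost.
shorthost = split(submithost, ".")[0];

# Only registered admins, only from the management hosts, only in office hours.
if (!(user in adminusers))
    reject "User " + user + " is not in adminusers";
if (!(submithost in mgmthosts))
    reject "Requests from " + shorthost + " are not allowed";
if (hour < 8 || hour > 18)
    reject "Privileged commands are only delegated between 08:00 and 18:00";

# Compare on the base name so /bin/passwd and /usr/bin/passwd are treated alike.
if (basename(command) == "passwd" && runuser == "root")
    reject "Use the helpdesk tool to reset root's password";

if (command in allowed) {
    runuser = "root";
    iolog = "/var/log/pb/" + user + "." + shorthost + ".log";   # keystroke log for this session
    setenv("PS1", shorthost + "($PWD) # ");                     # prompt inside the delegated shell
    accept;
}
# Reaching the end without an accept is an implicit reject with the standard message.
```

Each explicit reject above carries its own message, while any request that matches none of the branches gets the default rejection text described in the "Can I customize the PowerBroker reject msg?" answer.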


(A list of error codes is available in the PowerBroker documentation set.)