When the PowerBroker root delegation tool is enabled in a Unix authentication record and properly configured on target hosts, the scanning engine can log in to target hosts using a lower-privileged user account (password entered in the Unix authentication record) and perform scan tests with the elevated privileges of the superuser (root). The service supports scanning "run hosts", not "submit hosts".
For successful integration of your PowerBroker environment with our security service, please edit the pb.conf file settings for your policy as recommended below.
In the descriptions below, the "qualys" user refers to the PowerBroker user created for our security scanning service. To use this account for authenticated scans of Unix hosts, you enter this user's credentials in a Unix authentication record.
Required setting:
• You must include "runuser = root" in the pb.conf file. If this entry is commented out, then authentication with root access will fail.
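A quick way to confirm the required setting before running an authenticated scan is to check that the policy contains an active, uncommented "runuser = root" assignment. The checker below is an added example written for this page, not part of PowerBroker or the scanning service; the two pb.conf fragments it inspects are constructed, and it understands only pblang's "#" end-of-line comments.

```python
import re

# Constructed pb.conf fragment in which the assignment is active
GOOD_CONF = """\
if (user == "qualys" && basename(command) == "su") {
    runuser = "root";   # elevate the delegated command
    accept;
}
"""

# Constructed pb.conf fragment in which the assignment is commented out,
# which is exactly the case that makes root-level authentication fail
BAD_CONF = """\
if (user == "qualys" && basename(command) == "su") {
    # runuser = root;
    accept;
}
"""

# Accept both the quoted form used in the samples and the bare form
RUNUSER_ROOT = re.compile(r'^\s*runuser\s*=\s*"?root"?\s*;')


def runuser_root_active(conf_text):
    """Return True if an uncommented 'runuser = root' line is present."""
    for line in conf_text.splitlines():
        code = line.split("#", 1)[0]  # strip a trailing pblang comment
        if RUNUSER_ROOT.match(code):
            return True
    return False


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, "->", "ok" if runuser_root_active(text) else "runuser = root missing or commented out")
```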
Recommended settings:
• Constrain the "qualys" user's PowerBroker requests to just "su -". This way the production policy does not permit the "qualys" user to issue arbitrary privileged commands.
• Make sure the "qualys" user is delegated the system "su" binary. We set the PATH environment variable in the policy to manage this. So even when the user types "pbrun /a/b/c/mine/su -" or points their PATH to a special directory that contains an "su" executable, PowerBroker will delegate the correct system "su" binary.
• Make sure that the policy delegates "su -" to the "qualys" user, and not "su - oracle" or other forms of "su" requests targeting some other privileged user.
• Enable logging to an iolog file. Point the "iolog" variable to a directory that exists on the PowerBroker loghost. The iolog file provides validating evidence that the scanning service executed only the commands it needed, and at the same time gives you a debugging mechanism should the scan not run correctly. For debugging purposes, the iolog file can be used to replay a PowerBroker session with this command: pbreplay <log file>
• Use a more secure policy to delegate "su -", as shown in the samples below.
See samples below for further information.
The policy below delegates "su -" using the hardcoded user "qualys".
# verify that the user is "qualys" and the request is "su -"
if (user == "qualys" && basename(command) == "su" && argc == 2 && argv[1] == "-") {
    # set the user runtime properties of the delegated command and PATH
    runuser = "root";
    setenv("PATH", "/bin:/usr/bin:/sbin:/usr/bin");
    # capture the resulting session in an iolog file
    # note: the path to the iolog file might need to be customized
    iolog = "/var/log/pb.iolog." + user + "." + basename(command) + "." + strftime("%y%m%d.%H%M%S");
    # accept this authorized "su" command
    accept;
}
The sample below validates the "user" information against an "external" source such as a text file instead of a hardcoded policy entry.
# define a list of "authorized users"
authorized_users_list = split(readfile("/etc/pb/authorized_qualsys_account"), "\n");
# verify that the submitting user is one of many authorized users and the request is "su -"
if (user in authorized_users_list && basename(command) == "su" && argc == 2 && argv[1] == "-") {
    # set the user runtime properties of the delegated command and PATH
    runuser = "root";
    setenv("PATH", "/bin:/usr/bin:/sbin:/usr/bin");
    runcommand = basename(command);
    # capture the resulting session in an iolog file
    # note: the path to the iolog file might need to be customized
    iolog = "/var/adm/pb.iolog." + user + "." + basename(command) + "." + strftime("%y%m%d.%H%M%S");
    # accept this authorized "su" command
    accept;
}
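To see how the two sample policies and the recommendations above behave against concrete requests, the model below re-implements their decision logic in Python. It is an added example for this page, not PowerBroker code and not the scanning service's code: it mimics the pblang variables user, command, argc, argv and basename(), models the external authorized-users file with a constructed string, and simplifies PATH lookup to a constructed set of "su" binaries so that the effect of runcommand = basename(command) plus the policy PATH is visible.

```python
import os
from dataclasses import dataclass

# Constructed contents of the external authorized-users file that the
# second sample reads with readfile(); one user name per line.
AUTHORIZED_USERS_FILE = "qualys\nscanner2\n"

# The PATH both sample policies install for the delegated command.
POLICY_PATH = "/bin:/usr/bin:/sbin:/usr/bin"

# Constructed view of where an "su" binary exists on the host. The private
# copy mirrors the "/a/b/c/mine/su" case from the recommendations.
SU_BINARIES = {"/bin/su", "/a/b/c/mine/su"}


@dataclass
class Request:
    user: str   # submitting user (pblang "user")
    argv: list  # argv[0] is the command as typed (pblang "command")


@dataclass
class Decision:
    accepted: bool
    reason: str
    runuser: str = ""
    runcommand: str = ""
    resolved_binary: str = ""
    iolog: str = ""


def authorized_users(file_text):
    # split(readfile(...), "\n") yields one entry per line; the trailing
    # newline produces an empty element, which must not authorize anyone
    return [u for u in file_text.split("\n") if u]


def resolve_in_path(name, path):
    # locate a bare command name using the policy PATH, first match wins
    for directory in path.split(":"):
        candidate = os.path.join(directory, name)
        if candidate in SU_BINARIES:
            return candidate
    return ""


def evaluate(req, allowed, iolog_dir="/var/log", timestamp="240101.120000"):
    """Apply the sample policy checks; timestamp stands in for strftime()."""
    command = req.argv[0]
    argc = len(req.argv)
    base = os.path.basename(command)
    if req.user not in allowed:
        return Decision(False, "user not authorized")
    if base != "su":
        return Decision(False, "command is not su")
    if argc != 2 or req.argv[1] != "-":
        return Decision(False, "only 'su -' is permitted")
    # runcommand = basename(command) discards the typed path, so the binary
    # is found through the policy PATH rather than the caller's choice
    resolved = resolve_in_path(base, POLICY_PATH)
    iolog = f"{iolog_dir}/pb.iolog.{req.user}.{base}.{timestamp}"
    return Decision(True, "accepted", "root", base, resolved, iolog)


if __name__ == "__main__":
    allowed = authorized_users(AUTHORIZED_USERS_FILE)
    for r in (Request("qualys", ["su", "-"]),
              Request("qualys", ["/a/b/c/mine/su", "-"]),
              Request("qualys", ["su", "-", "oracle"]),
              Request("bob", ["su", "-"])):
        d = evaluate(r, allowed)
        print(r.user, " ".join(r.argv), "->", d.reason, d.resolved_binary)
```

Running it shows the three properties the recommendations ask for: a plain "su -" from an authorized user is accepted with runuser root and an iolog name built from user, command and timestamp; a request naming a private "su" path is still resolved to the system binary through the policy PATH; and "su - oracle" or a request from an unlisted user is rejected.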
To control the size of the iolog file, you can add the policy variable "logstdoutlimit" (and its companions for the other streams). Add the following under the "iolog" entry in the policy.
# put upper-bound limits on the size of the captured data
logstdinlimit = 5000;
logstdoutlimit = 5000;
logstderrlimit = 5000;
If the requirement is to log only the input stream and at the same time put an upper bound of 10K on the captured data, add the following under the "iolog" entry in the policy.
# only capture data from standard input and cap the captured data at 10K
logstdout = false;
logstderr = false;
logstdinlimit = 10000;