Privilege Manager for Unix 7.2.3
Release Notes
21 April 2023, 11:08
These release notes provide information about the Privilege Manager for Unix release.
About this release
Privilege Manager for Unix protects the full power of root from potential misuse or abuse. With Privilege Manager for Unix there is no need to worry about anyone deleting critical files, modifying file permissions or databases, reformatting disks, or doing more subtle damage. Privilege Manager for Unix enables you to define a security policy that stipulates who has access to which root functions, as well as when and where they can perform those functions. It controls access to existing programs as well as purpose-built utilities that run common system administration tasks. At the administrator's request, Privilege Manager for Unix can protect sensitive data from network monitoring by encrypting the root commands or sessions it controls, including control messages and input keyed by users while running commands through Privilege Manager for Unix.
Privilege Manager for Unix 7.2.3 is a patch release that includes Resolved issues.
NOTE: Beginning with version 7.0, Privilege Manager for Unix supports only Linux-based systems for Privilege Manager for Unix policy servers.
End of support notice
After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021.
As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.
The following is a list of issues addressed in this release.
Table 1: Resolved Issues
| Resolved Issue | Issue ID |
|---|---|
| pmsrvconfig --unconfig asks for the removal of the pm.settings file. sudo /opt/quest/sbin/pmsrvconfig --unconfig will ask the user to delete the pm.settings file. | 280111 |
| The commands pmjoin and pmsrvconfig will now recommend installing the security module selinux automatically if SELinux is in enforcing or permissive mode. | 306219 |
| Resolved an issue where unjoined clients were not removed from the license database. Clients that were joined to a policy server could end up having multiple entries in the license database. This prevented the client from being fully removed at unjoin time and caused the client to be listed multiple times in the output of pmlicense -uf and pmlicense -us. The pmlicense -R command can be used to remove these phantom entries if necessary after upgrading. | 385800 |
| Fixed the piped output for the pmrun command to work when SELinux is set to enforcing mode. | 393733 |
| Packages no longer contain the sysv init script on distributions where systemd is used. Previously we shipped both sysv and systemd service files. This change was introduced to avoid issues observed on Suse and SLES where systemd-sysv compatibility is enforced and broken on default installations, preventing the service from being enabled. | 409691 |
| Resolved an issue that prevented the configuration of Privilege Manager for Unix on RHEL 9 when the SELinux policy module from the Safeguard Authentication Services client package was also installed. The issue occurred because the SELinux policy module from the Safeguard Authentication Services client package included rules that installed the files of Privilege Manager for Unix with incorrect security contexts. This prevented the successful configuration of the product on RHEL 9 when SELinux was in enforcing mode. The issue was solved by updating the SELinux policy for Privilege Manager for Unix to include rules that explicitly label the package files with the proper security contexts. | 414363 |
The following table provides a list of supported platforms for Privilege Manager for Unix clients.
Table 2: Linux supported platforms — server and client
| Platform | Version | Architecture |
|---|---|---|
| Amazon Linux | AMI, 2 | x86_64 |
| CentOS Linux | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Debian | Current supported releases | x86_64, x86, AARCH64 |
| Fedora Linux | Current supported releases | x86_64, x86, AARCH64 |
| OpenSuSE | Current supported releases | x86_64, x86, AARCH64 |
| Oracle Enterprise Linux (OEL) | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Red Hat Enterprise Linux (RHEL) | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| SuSE Linux Enterprise Server (SLES)/Workstation | 11 SP4, 12, 15 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Ubuntu | Current supported releases | x86_64, x86, AARCH64 |
Table 3: Unix and Mac supported platforms — client
| Platform | Version | Architecture |
|---|---|---|
| Apple MacOS | 10.15 or later | x86_64, ARM64 |
| FreeBSD | 12.x, 13.x | x32, x64 |
| HP-UX | 11.31 | PA, IA-64 |
| IBM AIX | 6.1 TL9, 7.1 TL3, 7.2 | Power 4+ |
| Oracle Solaris | 10 8/11 (Update 10), 11.x | SPARC, x64 |
Before installing Privilege Manager for Unix 7.2.3, ensure that your system meets the following minimum hardware and software requirements.
NOTE: Beginning with version 7.2.3, Privilege Manager for Unix supports only Linux-based systems for Privilege Manager for Unix policy servers.
Table 4: Hardware and software requirements
- Operating systems: See Supported platforms to review a list of platforms that support Privilege Manager for Unix clients.
- Disk space: 80 MB of disk space for program binaries and manuals for each architecture.
  Considerations:
  - At a minimum, you must have 80 MB of free disk space. The directories in which the binaries are installed must have sufficient disk space available on a local disk drive rather than a network drive. Before you install Privilege Manager for Unix, ensure that the partitions that will contain /opt/quest have sufficient space available.
  - Sufficient space for the keystroke logs, application logs, and event logs. The size of this space depends on the number of servers, the number of commands, and the number of policies configured.
  - The space can be on a network disk drive rather than a local drive.
  - The server hosting Privilege Manager for Unix must be a separate machine dedicated to running the pmmasterd daemon.
- SSH software: You must install and configure SSH client and server software on all policy server hosts. You must enable access to SSH as the root user on the policy server hosts during configuration of the policy servers. Both OpenSSH 4.3 (and later) and Tectia SSH 6.4 (and later) are supported.
- Processor: Policy Servers: 4 cores
- RAM: Policy Servers: 8 GB
Upgrade and compatibility
Privilege Manager for Unix supports a direct upgrade installation from version 6.0 and higher. The Privilege Manager for Unix software in this release is provided using platform-specific installation packages. For more information on upgrading, see the One Identity Privilege Manager for Unix Administration Guide.
One Identity recommends that:
- You upgrade your policy server (Master) systems before agents, and that a policy server is run at the same or higher level than agents.
- All policy server systems and agents are upgraded to the latest version to take advantage of all new features.
The upgrade process will create symbolic links to ensure that your existing paths function correctly.
Use of the Privilege Manager for Unix clients (pmrun and pmshells) with a policy server in Sudo policy mode is not supported.