Privilege Manager for Unix 7.2.1
Release Notes
07 March 2022, 17:28
These release notes provide information about the Privilege Manager for Unix release.
About this release
Privilege Manager for Unix protects the full power of root from potential misuse or abuse. With Privilege Manager for Unix there is no need to worry about anyone deleting critical files, modifying file permissions or databases, reformatting disks, or doing more subtle damage. Privilege Manager for Unix enables you to define a security policy that stipulates who has access to which root functions, as well as when and where they can perform those functions. It controls access to existing programs as well as purpose-built utilities that run common system administration tasks. At the administrator's request, Privilege Manager for Unix can protect sensitive data from network monitoring by encrypting the root commands or sessions it controls, including control messages and input keyed by users while running commands through Privilege Manager for Unix.
Privilege Manager for Unix 7.2.1 is a patch release that includes Resolved issues.
NOTE: Beginning with version 7.0, Privilege Manager for Unix supports only Linux-based systems for Privilege Manager for Unix policy servers.
End of support notice
After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021.
As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.
New features in Privilege Manager for Unix 7.2.1:
- Privilege Manager for Unix has shipped with OpenSSL shared objects since version 7.0. Due to recent high-severity fixes in the OpenSSL library, the shipped shared objects have been upgraded to version 1.1.1m, which includes the corresponding fixes.
- The text of the End-user license agreement (EULA) has been updated. Users must accept the updated EULA upon installing this product.
The following is a list of issues addressed in this release.
Table 1: Resolved Issues
| Resolved Issue | Issue ID |
|---|---|
| Fixed updating the /etc/services file during policy server configuration. In some cases, after unconfiguring the policy server, the policy server could leave entries belonging to Privilege Manager daemons in the /etc/services file, and the policy server configuration could result in multiple entries. | 287684 |
| Fixed an issue where orphaned pmmasterd processes hang indefinitely due to a network disconnect. If the policy server disconnects from the network while there is an open sudo session on a client, there is a chance that the pmmasterd process handling that client connection never terminates. This issue has been fixed by enabling the SO_KEEPALIVE socket option on the socket by default. It can be disabled by setting the 'masterkeepalive' configuration option to 'NO' in the pm.settings product configuration file. | 288722 |
| On the relatively new Fedora 35, pmlogsearch failed to return search results. pmlogsearch did not previously support the "protected regular" security hardening option (which is enabled by default on the Fedora 35 server). This caused the tool to fail with an error and return empty search results. | 296543 |
| Fixed an issue where audit trail files stored on the policy server could not be transmitted to an SPS logserver. When the connection between the Safeguard for Sudo policy server and an SPS logserver is interrupted, IO logs are cached on the policy server if the policy server is not in 'enforced' mode. Later on, when the connection is restored, the cached trails can be sent to the SPS logserver by running the pmauditsrv send command. This caused a critical error on the SPS side: the received trails became corrupt, and data loss could happen. | 296550 |
| Linux packages now ship with native service files for systemd. To work on older systems as well, our packages provide sysv init scripts for service maintenance. Newer Linux distributions, however, may not provide compatibility with these by default: some additional packages need to be installed for that (for example systemd-sysvinit / initscripts). These additional packages are no longer needed. Note that sysv init scripts are still provided, and distributions without systemd remain supported (like RHEL 6). | 298900 |
| Improved git-svn handling. Prior to git-svn 1.8, it is not possible to query the version number without a working repository. To make the user interface more convenient, we postponed the version check until it is necessary. Because of this, warnings about missing or incompatible programs are less likely; however, with this change the dependency is less obvious. | 300197 |
| Fixed a race condition between pmmasterd and pmlogsrvd. There is a rare race condition between pmlogsrvd and pmmasterd when they both access the same event in the database. From now on, pmlogsrvd detects such a situation and solves the problem by restarting the affected database operation. | 300333 |
The following table provides a list of supported platforms for Privilege Manager for Unix clients.
Table 2: Linux supported platforms — server and client
| Platform | Version | Architecture |
|---|---|---|
| Amazon Linux | AMI, 2 | x86_64 |
| CentOS Linux | 6, 7, 8 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Debian | Current supported releases | x86_64, x86, AARCH64 |
| Fedora Linux | Current supported releases | x86_64, x86, AARCH64 |
| OpenSuSE | Current supported releases | x86_64, x86, AARCH64 |
| Oracle Enterprise Linux (OEL) | 6, 7, 8 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Red Hat Enterprise Linux (RHEL) | 6, 7, 8 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| SuSE Linux Enterprise Server (SLES)/Workstation | 11 SP4, 12, 15 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Ubuntu | Current supported releases | x86_64, x86, AARCH64 |
Table 3: Unix and Mac supported platforms — client
| Platform | Version | Architecture |
|---|---|---|
| Apple MacOS | 10.15 or later | x86_64, ARM64 |
| FreeBSD | 12.x, 13.x | x32, x64 |
| HP-UX | 11.31 | PA, IA-64 |
| IBM AIX | 6.1 TL9, 7.1 TL3, 7.2 | Power 4+ |
| Oracle Solaris | 10 8/11 (Update 10), 11.x | SPARC, x64 |