Privilege Manager for Unix 7.2
20 December 2021, 11:47
These release notes provide information about the Privilege Manager for Unix release.
About this release
Privilege Manager for Unix protects the full power of root from potential misuse or abuse. With Privilege Manager for Unix there is no need to worry about anyone deleting critical files, modifying file permissions or databases, reformatting disks, or doing more subtle damage. Privilege Manager for Unix enables you to define a security policy that stipulates who has access to which root functions, as well as when and where they can perform those functions. It controls access to existing programs as well as purpose-built utilities that run common system administration tasks. At the administrator's request, Privilege Manager for Unix can protect sensitive data from network monitoring by encrypting the root commands or sessions it controls, including control messages and input keyed by users while running commands through Privilege Manager for Unix.
Privilege Manager for Unix 7.2 is a patch release that includes Resolved issues.
NOTE: Beginning with version 7.0, Privilege Manager for Unix supports only Linux-based systems for Privilege Manager for Unix policy servers.
End of support notice
After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021.
As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.
New features in Privilege Manager for Unix 7.2:
One Identity provides rpm packages in a newer format, which can also be installed on RHEL 8 systems that have been switched to FIPS-compliant mode.
You can manage policies using the Git workflow. The pmgit utility is a tool that can mediate version control operations between Subversion (SVN) and Git version control systems. For more information, see Managing policies in Git in the Administration Guide.
You can stream event logs and keystroke (IO) logs from a client to a sudo log audit server (or compatible server) that implements the sudo logsrv protocol. This feature is disabled by default. Enable the recording service by configuring the policy server with pmsrvconfig or by editing pm.settings. For more information, see Audit server logging in the Administration Guide.
All packages shipped by One Identity are now signed. You can verify that the packages you download have been created by One Identity and not by a malicious intermediary. For more information, see Verifying package signature in the Administration Guide.
The following is a list of issues addressed in this release.
Table 1: Resolved Issues
The pmlogsearch command, when started on a primary policy server, was not able to return results about iologs that had been stored on secondary policy servers.
Fixed pmlogsearch to search inside iologs stored on secondary policy servers. For the fix to work, both the primary and the secondary policy servers need to be upgraded. The problem affects only the search functionality: there is no data loss, and previously stored data will be searchable after applying the upgrade.
A corrupt temporary event log file could cause pmlogsrvd log storing to get stuck, continuously reporting syslog error messages.
Now, if a temporary event log file gets corrupted for any reason, it is moved to the evcache "refused" subdirectory and only one error message per file appears in the syslog.
The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.
Table 2: General known issues
No audit trail when offline log is sent to policy server.
When the pmbash tool tries to run a command, the command cannot run on the Apple macOS M1 ARM64 architecture, because bash and the product cannot link the libraries together.
The reason is that the Apple package is compiled with the ARM64 ABI set, but Apple uses the ARM64e ABI set. The dynamic library linker cannot link the ARM64e set with the ARM64 set. This issue is going to be fixed in the next release.