PowerBroker for Unix & Linux


PowerBroker for Unix & Linux Common Criteria – Supplementary Guide

Table of Contents

Executive Summary ... 4
  High Level Product Architecture ... 4
Assumptions ... 4
Installation ... 5
  1 Pre-Installation Checks ... 5
  2 Product Installation ... 5
  3 Encryption ... 6
  4 PB.Settings ... 6
  5 Define Policy ... 9
  6 Configure Desired Auditing ... 9
  7 Start issuing commands ... 11
Encryption Settings ... 11
  enforcehighsecurity ... 12
Controlling Commands ... 12
Conditional Command Processing ... 13
  Requesting User ... 13
  Requesting Hostname ... 13
  Time of Request ... 13
Remote Host Execution ... 14
PowerBroker for Unix & Linux Auditing ... 14
Event Audit Records ... 15
Audit Record Inclusion/Exclusion ... 17
  Logomit ... 17
Event Record Format ... 18
Session Recording ... 23
Session Recording Example ... 25
PBLogD Logging Process ... 26
Audit Record Breakdown ... 27
Server Tracking Audit Information ... 36
Additional Audit Functions and Change Management ... 37
Configuration Files ... 40
  Policy Files ... 40
    Root Policy File (/etc/pb.conf) ... 40
    Main Policy File (pbul_policy.conf) ... 40
    Functions Policy File (pbul_functions.conf) ... 44
    LDAP Authentication Policy File (ldap.conf) ... 53
    RADIUS Authentication Policy File (pam_radius_auth.conf) ... 53
    RADIUS PAM Configuration File (pbul_pam_radius) ... 53
Supported Platforms ... 54
Additional Reference Material ... 54
Appendix A: Event Log Fields ... 55
Appendix B: Change Management Event Log Fields ... 65
About BeyondTrust ... 67

Common Criteria Guide

© 2016. BeyondTrust Software, Inc. 2

Executive Summary

PowerBroker for Unix & Linux has undergone Common Criteria testing. This document contains details that are relevant to a number of items in the security target, including platforms tested, encryption methods used and common configuration settings required to complete the testing.

High Level Product Architecture

The BeyondTrust PowerBroker UNIX® + Linux® Edition v9 is compliant with the following protection profiles:

• Standard Protection Profile for Enterprise Security Management Access Control, Version 2.1, 24 October 2013 (pp_esm_ac_v2.1) with no additional optional SFRs.

• Standard Protection Profile for Enterprise Security Management Policy Management, Version 2.1, 24 October 2013 (pp_esm_pm_v2.1), including the additional optional SFRs FAU_SEL.1 and FMT_MTD.1.

Assumptions

The evaluated configuration includes several assumptions and requirements that must be met by the intended environment for the installed BeyondTrust PowerBroker UNIX® + Linux® Edition v9. These are as follows:

• The TOE will use cryptographic primitives provided by the Operational Environment to perform cryptographic services.

• The TOE will be able to establish connectivity to other ESM products to share security data.

• The TOE will receive policy data from the Operational Environment.

• The Operational Environment will provide mechanisms to the TOE that reduce the ability for an attacker to impersonate a legitimate user during authentication.

• The TOE will receive reliable time data from the Operational Environment.

• The TOE will receive identity data from the Operational Environment.

• There will be one or more competent individuals assigned to install, configure, and operate the TOE.

Installation

The process for installing PowerBroker for Unix & Linux and configuring the tool to meet the Common Criteria standards should be performed in the following manner:

1 Pre-Installation Checks

The following items are either required or highly recommended before installation is performed:

o Bi-directional name resolution using DNS
o Use of a super daemon (such as inetd/xinetd) is recommended
o Disable all firewalls until a working configuration has been achieved
o Disable SELinux (if appropriate) until a working configuration has been achieved
o Ensure the correct installation package is selected for the target system
o Ensure enough free space is available to complete the installation
o Root permissions are required to perform the installation

2 Product Installation

When PowerBroker for Unix & Linux is configured with Kerberos, SSL, LDAP, or CURL it requires the appropriate third-party libraries. The PowerBroker for Unix & Linux installation provides Kerberos, SSL, LDAP, and CURL libraries that are designed to work with PowerBroker for Unix & Linux. The Common Criteria evaluated configuration requires that the PowerBroker for Unix & Linux third-party libraries be installed.

Install the required components. At a minimum a Policy Server, Log Server, Submit Host and Run Host will be required. If performing an install for the first time, all components may be selected using option 1 after running the pbinstall.sh installation utility. For example, initiate the installation located in the platform specific location, /powerbroker/v9.1/pbx86_64_linuxA-9.2.0-08/install/pbinstall, and then:

o Skip the client registration option
o Press enter to continue
o Select your preferred editor (default vi)


Select option 1 and change the value to ‘YES’ as shown:

Press C to continue and complete the installation. Additional components can be selectively installed on additional servers as required.

“The administrative commands are restricted to authenticated users with root access. The TOE includes a pre-defined administrative role with root access: the Admin role (also referred to as AdminUsers). Administrators can define additional roles using policies for users to manage the TOE or portions of the TOE in addition to the AdminUsers role; however this is not within the scope of the evaluation.”

For more information, refer to the PowerBroker_Install_V9.1.pdf guide referenced in Additional Reference Material.

3 Encryption

Fresh installations of PowerBroker for Unix & Linux will default to the highest security levels and be fully compatible with the Common Criteria requirements. This can be checked post installation: confirm the enforcehighsecurity keyword is set to Yes in the /etc/pb.settings file. For more information, see Encryption Settings in this document.

4 PB.Settings

Every host where PBUL is installed (Submit Host, Run Host, Master, Log Server, etc.) will have a file located in '/etc' by default named pb.settings. This is a core configuration file used for almost all aspects of the product's configuration and operation. You can check the settings on any host if you are logged on as root or have root level privileges by issuing the 'cat /etc/pb.settings' command. The following is an example of the top of a typical pb.settings file:

    # Installation date: Fri Mar 4 16:37:21 EST 2016
    # Location of:
    # user programs: /usr/local/bin
    # admin programs: /usr/sbin
    # daemons: /usr/sbin
    # pbinstall: /tmp/pbul/powerbroker/v9.2/pbx86_64_linuxA-9.2.0-08/install/pbinstall
    # TMPDIR: /tmp/beyondtrust_pbinstall
    kerberos no
    #mprincipal pbmasterd
    #lprincipal pblocald
    #gprincipal pblogd
    #sprincipal pbsyncd
    #keytab /etc/krb5.keytab
    #shortnamesok no
    allownonreservedconnections yes
    #minlisteningport 1025
    #maxlisteningport 65535
    #minoutgoingport 1025
    #maxoutgoingport 65535
    pbrestport 24351
    pblocaldlog /var/log/pblocald.log
    pblogdlog /var/log/pblogd.log
    pbmasterdlog /var/log/pbmasterd.log
    pbguidlog /var/log/pbguid.log
    eventlog /var/log/pb.eventlog
    syslog yes
    #pbrunlog none
    #pbsshlog none
    facility LOG_AUTHPRIV
    policyfile /etc/opt/pbul/pb.conf
    passwordlogging never
    policydir /etc
    warnuseronerror yes
    #secureoutput no
    masterport 24345
    localport 24346
    guiport 24348
    submitmasters masterhostname.example.com
    randomizesubmitmasters no
    acceptmasters masterhostname.example.com
    #masterdelay 500
    #logserverdelay 500
    rejectnullpasswords no
    allowlocalmode yes
    logservers masterhostname.example.com
    syncport 24350
    #logresynctimermin 15
    pbsyncdlog /var/log/pbsyncd.log


    pbsynclog /var/log/pbsync.log
    #ssl no
    #tcpkeepalive no
    kshlog /var/log/pbksh.log
    shlog /var/log/pbsh.log
    #validateclienthostname no
    #validatemasterhostname no
    #allowremotejobs yes
    pam yes
    pampasswordservice powerbroker
    #pamsessionservice none
    pamsuppresspbpasswprompt no #yes #no
    libpam /lib64/libpam.so.0.82.2
    #pamsetcred no
    recordunixptysessions yes
    #syslogsessions no
    #guidefaults none
    #pblocaldcommand none
    rootshelldefaultiolog /pbshell.iolog
    #localsocketdir none
    #runsecurecommand no
    transparentfailover yes
    pbsshshell /bin/sh

Although the pb.settings file contains many critical settings, the defaults will suffice for most installations, and new installations will default to the most secure settings. There are a few settings however that either must be set or are commonly changed. The most important of these are the server names/IPs used to check the policy and record the log data. These settings are referred to as submitmasters, acceptmasters and logservers. Each setting can have as many entries as desired, separated by commas. Alternatively, you can specify DNS SRV records in order to locate the hosts providing each service:

    submitmasters masterhostname.example.com
    acceptmasters masterhostname.example.com
    logservers masterhostname.example.com, masterhostname2.example.com

To see the ports currently selected for the product, you may grep for key words in the pb.settings file. Below is an example of how to view all of the ports used for various communications during the product's normal operation:

    # cat /etc/pb.settings | grep port
    #minlisteningport 1025
    #maxlisteningport 65535
    #minoutgoingport 1025
    #maxoutgoingport 65535
    pbrestport 24351
    masterport 24345
    localport 24346
    logport 24347
    guiport 24348
    syncport 24350
    rcswebsvcport 443
    solrport 8443


5 Define Policy

After the first server has been installed in demo mode, all components required to make the system operational will have been installed. In addition, default policy files will also have been created, with the root policy file located here: /etc/pb.conf

Additional policy files are merged to form a complete sample policy using the following include statements:

    include '/etc/pb/pbul_policy.conf';
    include '/etc/pb/pbul_functions.conf';

For details on how the policy files function, see the following sections in this document:

• Controlling Commands
• Conditional Command Processing
• Additional Authentication
• Remote Host Execution

The policy files and other configuration files defined when this document was created are also included in this document, under Configuration Files Used During Testing.

Note: The included example files may be used to perform testing in other lab environments; however, most PowerBroker for Unix & Linux policy and configuration files contain environment-specific information, such as IP addresses, user and host names. Care should be taken to ensure any reference policy is properly adapted for your environment. Care should also be taken to ensure that any copy/paste activities do not warp the policy and/or configuration files by introducing unsupported characters or clipping sections of the file during transfer.

For more information, refer to the PowerBroker_Language_V9.1.pdf guide referenced in Additional Reference Material.

6 Configure Desired Auditing

As detailed later in this document, 'Eventlog' auditing is on by default when issuing commands via PowerBroker for Unix & Linux. See item 7, Start issuing commands. This document contains a number of dedicated sections on how auditing and logging work. The defaults however are as follows:

Located on the Log Server: /var/log/pb.eventlog

Located on the Log Server: iologging directory = /tmp

Note: File names will be generated in line with the policy when iologging is turned on.

For details on how the auditing functions in PowerBroker for Unix & Linux work, refer to the following sections in this document:

• PowerBroker for Unix & Linux Auditing
• Event Audit Records
• Audit Record Inclusion/Exclusion
• Event Record Format
• Session Recording
• Session Recording Example
• PBLogD Logging Process
• Audit Record Breakdown

For more information, refer to the PowerBroker_Administration_V9.1.pdf guide referenced in Additional Reference Material.


7 Start issuing commands

The last thing to do is start issuing commands. For PowerBroker for Unix & Linux, commands are invoked using the pbrun command. Here are some commands you can use with the default policies:

    pbrun pbtest
    pbrun whoami
    pbrun bash
    pbrun helpdesk

The sample policies are well documented and can be easily modified to allow different users, hosts and commands to be controlled. For more information, refer to the PowerBroker_Administration_V9.1.pdf guide referenced in Additional Reference Material.

Encryption Settings

During Common Criteria testing, PowerBroker for Unix & Linux was installed and configured with "enforcehighsecurity" and "ssl" both enabled. This switches PowerBroker for Unix & Linux into FIPS 140-2 mode; these are the mandatory security settings for normal operation of the solution to meet Common Criteria certification.

The secure protocols are provided by NIST-validated cryptographic mechanisms that are included in the operational environment. The TOE relies on a third-party FIPS-capable OpenSSL 1.0.2a in conjunction with the TOE's FIPS mode (which disables non-FIPS algorithms). Customers should choose their own FIPS-validated Object Module and link it with the provided FIPS-capable OpenSSL v1.0.2a. The combination of the FIPS-validated Object Module linked with the FIPS-capable OpenSSL provides key management, random bit generation, encryption/decryption, digital signature, cryptographic hashing and keyed-hash message authentication features in support of higher level cryptographic protocols, including TLS and HTTP over TLS. Testing by the CCTL included the installation and use of the OpenSSL FIPS Object Module SE v2.0.12, CMVP Certificate #2398.

To enable compliance with US government regulations, and specifically FIPS 140-2, the encryption in PowerBroker for Unix & Linux has been updated. Many of the older, less secure encryption algorithms have been deprecated, and when high security is enforced, they are disabled completely. When new PowerBroker for Unix & Linux clients are installed, the pb.settings keywords "enforcehighsecurity" and "ssl" are both enabled. This switches PowerBroker for Unix & Linux into FIPS 140-2 mode. All encryption algorithms are FIPS 140-2 compliant, and it will not communicate, encrypt or decrypt any data that isn't encrypted with AES-128, AES-192, AES-256 or Triple DES (3DES). If a customer is installing version 9 of PowerBroker for Unix & Linux from scratch, high security mode is recommended.

During the installation, install option 129 should be set to Yes to force the installation to use the settings required for Common Criteria certification compliance:

    129. Enforce High Security Encryption: Enabling High Security will enforce configuration to adhere to FIPS 140-2 security. Non-FIPS compatible encryption and hashing algorithms will be disabled. SSL running in strict FIPS mode will be enabled, enhancing the security of the installation. This will provide a setting in /etc/pb.settings [enforcehighsecurity]


enforcehighsecurity

This will enforce the use of a more secure configuration, including using SSL for communications, FIPS 140-2 compliant symmetric encryption algorithms, an enhanced Pseudo Random Number Generator, and the use of the enhanced pb.key format. Only encryption algorithms that are accredited by FIPS 140-2 can be used for network and file encryption (i.e. aes-128, aes-192, aes-256 and tripledes). All others are deprecated. Once this has been enabled, the following pb.settings need to be configured:

    ssl yes
    ssloptions requiressl
    sslservercertfile /etc/pbssl.pem
    sslserverkeyfile /etc/pbssl.pem
    sslpbruncipherlist HIGH:!MD5:@STRENGTH
    sslservercipherlist HIGH:!MD5:@STRENGTH
    sslcountrycode US
    sslprovince AZ
    ssllocality Phoenix
    sslorgunit Security
    sslorganization BeyondTrust

Example: enforcehighsecurity yes
Default: enforcehighsecurity no
Used on: Policy Server hosts, Submit hosts, Run hosts
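To verify a host's pb.settings against the values listed in this section, here is an added example in Python (it is not BeyondTrust code and is not part of this guide). It parses the 'keyword value' lines in the format shown on this page and reports every required keyword that is missing, commented out with '#', or set to a value other than the one the guide requires. The keyword names and required values are the ones given above; the two sample files embedded in it are constructed for the example.

```python
"""Check a pb.settings file for the Common Criteria encryption settings.

Added example, not BeyondTrust code. The parser handles the 'keyword value'
format shown in this guide: one setting per line, '#' starts a comment, and a
commented-out keyword such as '#ssl no' is treated as not configured.
"""
import re

# Required values taken from the enforcehighsecurity section of this guide.
REQUIRED = {
    "enforcehighsecurity": "yes",
    "ssl": "yes",
    "ssloptions": "requiressl",
}
# Keywords that must be present with a value (the guide shows example values).
REQUIRED_PRESENT = ("sslservercertfile", "sslserverkeyfile",
                    "sslpbruncipherlist", "sslservercipherlist")
CIPHER_LISTS = ("sslpbruncipherlist", "sslservercipherlist")


def parse_settings(text):
    """Return (settings, commented): settings maps keyword -> value for active lines,
    commented holds keywords that only appear in '#keyword value' lines."""
    settings, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(#?)\s*([A-Za-z_]\w*)\s*(.*)$", line)
        if not m:
            continue
        disabled, key, value = m.groups()
        value = value.split("#", 1)[0].strip()  # drop trailing comment, e.g. 'no #yes #no'
        if disabled:
            commented.add(key)
        else:
            settings[key] = value
    return settings, commented


def check_high_security(text):
    """Return a sorted list of findings; an empty list means the file matches the guide."""
    settings, commented = parse_settings(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            how = "commented out" if key in commented else "missing"
            findings.append(f"{key}: {how} (required: {want})")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}' (required: {want})")
    for key in REQUIRED_PRESENT:
        if not settings.get(key):
            findings.append(f"{key}: not set")
    for key in CIPHER_LISTS:
        cipher_list = settings.get(key, "")
        if cipher_list and "!MD5" not in cipher_list:
            findings.append(f"{key}: '{cipher_list}' does not exclude MD5 ciphers")
    return sorted(findings)


# Constructed sample: a host installed with option 129 set to Yes.
COMPLIANT = """\
enforcehighsecurity yes
ssl yes
ssloptions requiressl
sslservercertfile /etc/pbssl.pem
sslserverkeyfile /etc/pbssl.pem
sslpbruncipherlist HIGH:!MD5:@STRENGTH
sslservercipherlist HIGH:!MD5:@STRENGTH
masterport 24345
"""

# Constructed sample: ssl left at its commented default, high security not enforced.
NONCOMPLIANT = """\
enforcehighsecurity no
#ssl no
sslservercertfile /etc/pbssl.pem
sslpbruncipherlist HIGH:@STRENGTH
"""

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, check_high_security(text) or "OK")
```

Run it against the real file with `check_high_security(open("/etc/pb.settings").read())` on each Policy Server, Submit and Run host; an empty result is the expected state after a fresh v9 install with option 129 set to Yes.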

Controlling Commands

Standard functionality in PowerBroker for Unix & Linux allows for commands to be whitelisted (run with higher privileges) and blacklisted (denied from running). This also allows new commands to be created to control everything on a system, including management of PowerBroker for Unix & Linux itself. For example, if your master policy file is located in /etc and is named pb.conf, you would need to be 'root' on the policy server to edit that policy file:

    if( basename(command) == "editpolicy" ) {
        runcommand = "vi";
        runargv = split("vi /etc/pb.conf");
        runuser = "root";
        accept;
    }

The above example can be altered to control administrative operations in PowerBroker for Unix & Linux such as the ability to view the event log using the pblog command:

    if( basename(command) == "pblog" ) {

Or replaying a recorded session using the pbreplay command:

    if( basename(command) == "pbreplay" ) {

Conditional Command Processing

PowerBroker for Unix & Linux can perform an almost endless list of additional checks before allowing a command to be processed. Conditional processing statements such as IF and CASE can be used to leverage hundreds of variables as part of the decision making process before a command is allowed to run (elevated, and in what way) or rejected. Some of the command checks include:

• Requesting User
• Requesting Hostname
• Time of Request

Requesting User

Checking the username of the user making the command request:

    if (user == "requesting user name") {
        # Allow/Disallow Processing Policy
    }

Requesting Hostname

Checking the hostname from which the command is being requested:

    if (submithost == "requesting hostname") {
        # Allow/Disallow Processing Policy
    }

Time of Request

There are many more options available for validating the date/time/day of a request. Some of the out of the box variables include:

    date = "2015/11/05"
    day = 5
    dayname = "Wed"
    hour = 13
    i18n_date = "11/05/2015"
    i18n_day = "05"
    i18n_dayname = "Tue"
    i18n_exitdate = "11/05/2015"
    i18n_exittime = "01:34:34 PM"
    i18n_hour = "13"
    i18n_minute = "34"
    i18n_month = "01"
    i18n_time = "01:34:33 PM"
    i18n_year = "2015"
    minute = 34
    month = 11
    year = 2015

Checking these variables with the And, Or and TimeBetween operators allows tight control over when a command may or may not be accepted. For example, if you want to allow certain commands to only be executed over a weekend (or block certain commands over a weekend) you could use the dayname variable as follows:

    if (dayname == "Sat" || dayname == "Sun") {
        # Allow/Disallow Processing Policy
    }

Remote Host Execution

The remote host execution feature of PowerBroker for Unix & Linux is available from the command line:

    pbrun -h remote_host_name command

This can also be used to allow the policy file to be edited from any system. The run host can also be specified with a fixed name or a variable in the policy using the runhost setting:

    runhost = "remote_system_name";

PowerBroker for Unix & Linux Auditing

PowerBroker for Unix & Linux has two main forms of audit capability:

• Event Log - The Event Log can be compared to taking a photograph of a command request being processed by the application. It will record all the details of the request regardless of whether the request is approved or rejected at that moment in time. Event log auditing is always on and cannot be turned off.

• Session Recording - Session Recording is different from an event log record in that it more closely resembles a video recording of the user's activity. A session recording may run from the moment a user logs on to the system until the time they log off, or it can be focused down to an individual command, such as a user's interactive vim session editing a system's hosts file. Session Recording is optional and can be invoked on a single user, single host, single command, during certain periods of time, and so on. It is possible to perform session recording as much or as little as desired.

Session Recording is PowerBroker for Unix & Linux's method of 'Selective Auditing'. That is to say that these audit records (session recordings) are only generated 'on-demand' where stated in the policy.


For example, you can use conditional processing statements such as:

• If the user is...
• If the requesting user belongs to group X...
• If the host where the command is being executed is in the following list...
• If the day is a weekend day...

And so on. The list of conditional processing statements can be as long and complex as the policy creator wishes.

Example Conditional Statement:

    if (user == "requesting user name") {
        # Optionally turn on Session Recording
        # Process Command
    }

Session Recording Example:

    printf("Command accepted by: %s\n", masterhost);
    print("Warning this session is being logged:", iolog);
    iolog = "/iologs/" + sprintf("%d-%d-%d", month, day, year) + "." + logtime + "." + split(runhost, ".")[0] + "." + user + "." + basename(command) + "."; # + ".XXXXXX";
    setenv("IOLOG", "done");

Event Audit Records

Every time a command is submitted to PowerBroker for Unix & Linux an event log record is generated regardless of whether the event is accepted or rejected. The basic format of an event includes the four W's: Who, What, Where and When:

    Accept 2015/11/05 11:08:35 [email protected] -> [email protected] by svr1centos63.demo.corp whoami Command finished with exit status 0

    Reject 2015/11/05 11:08:37 [email protected] by svr1centos63.demo.corp kill Request rejected by pbmasterd on svr1centos63.demo.corp.

Each event has well over 100 different fields recorded each time a command is processed. In addition, custom data derived during the processing of the policy when a command is executed can also be added to the event log. The event log can be viewed using the 'pblog' command. The user will need root level privileges to view the event log, but these rights can be delegated using PowerBroker for Unix & Linux as described later in this document.

Physical storage for log records (internal and external) is provided by the operational environment. The amount of audit data which can be stored is dependent upon the amount of disk space available on the server hosting pblogd. The same applies for logs exported to external log servers. The TOE includes options for log file management, i.e. log file rotation and archiving based on time and/or size.

Additionally, to help prevent loss of space on the file system for audit logs, space on the log host can be controlled and the system can be configured to fail over to the next log server with the logreservedfilesystems and logreservedblocks settings. These settings enable the administrator to control free space on the logreservedfilesystems file systems, and cause an immediate failover if the log host's free space falls below logreservedblocks. If the number of free 1-KB blocks falls below logreservedblocks on any of the file systems that are specified in logreservedfilesystems on the log host, then the log daemon immediately refuses any new requests, causing an immediate failover. The same happens on the Policy Server host if you are not using a log server. If the free space in any of the file systems containing /var/log or /usr/log falls below 10,000 blocks, then new requests are rejected. Requests that are already in progress are allowed to continue. If there are no Log Servers (including the Master Host) capable of recording an event (e.g., no disk space is available), the TOE itself would fail and therefore stop.

Detailed information about additional logging options, including log file management and log file rotation, can be found in the reference guides listed below. Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, Event Logging, for more information about the event log. Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, PBLog, for more information on viewing the event log.
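As an added example (not part of this guide and not BeyondTrust code), the following Python parses the one-line Accept/Reject summaries in the layout shown above, tallies outcomes per requesting user so that a run of rejections stands out, and expresses the logreservedblocks free-space rule as a function. The regular expression assumes the layout printed above: user@submithost, an optional '-> runuser@runhost' on accepted requests, 'by' policy server, the command, then the result text. The log lines, user names and host names in it are constructed.

```python
"""Parse pb.eventlog one-line event summaries and apply the free-space rule.

Added example, not BeyondTrust code. Assumed header layout (from this guide):
  Accept DATE TIME user@submithost -> runuser@runhost by policyserver command <result>
  Reject DATE TIME user@submithost by policyserver command <result>
"""
import re
from collections import Counter

HEADER = re.compile(
    r"^(?P<event>Accept|Reject) "
    r"(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<user>[^@\s]+)@(?P<submithost>\S+)"
    r"(?: -> (?P<runuser>[^@\s]+)@(?P<runhost>\S+))?"   # only present on Accept lines
    r" by (?P<policyserver>\S+) (?P<command>\S+) (?P<result>.*)$"
)


def parse_header(line):
    """Return the four W's of one event line as a dict, or None if the line is not a header."""
    m = HEADER.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Count (user, event) pairs, e.g. how many Reject records each requesting user produced."""
    counts = Counter()
    for line in lines:
        rec = parse_header(line)
        if rec:
            counts[(rec["user"], rec["event"])] += 1
    return counts


def log_host_should_refuse(free_kb_blocks, logreservedblocks):
    """Mirror the logreservedblocks rule described above: refuse new requests (forcing
    failover to the next log server) when any monitored file system has fewer free
    1-KB blocks than logreservedblocks. free_kb_blocks maps file system -> free blocks."""
    return any(free < logreservedblocks for free in free_kb_blocks.values())


# Constructed sample log lines; users, hosts and policy server are made up.
SAMPLE = """\
Accept 2015/11/05 11:08:35 alice@host1.example.com -> root@host1.example.com by ps1.example.com whoami Command finished with exit status 0
Reject 2015/11/05 11:08:37 alice@host1.example.com by ps1.example.com kill Request rejected by pbmasterd on ps1.example.com.
Reject 2015/11/05 11:09:02 bob@host2.example.com by ps1.example.com bash Request rejected by pbmasterd on ps1.example.com.
Accept 2015/11/05 11:10:15 bob@host2.example.com -> oracle@db1.example.com by ps1.example.com sqlplus Command finished with exit status 1
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_header(line))
    print(summarize(SAMPLE))
    # Free space in 1-KB blocks per file system, as statvfs would report it (constructed).
    print(log_host_should_refuse({"/var/log": 9000, "/usr/log": 20000}, 10000))
```

On a live log server the same parser can be fed the output of pblog, and the free-space check can be driven from os.statvfs() on each file system named in logreservedfilesystems to confirm the failover threshold before it is reached in production.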


Audit Record Inclusion/Exclusion

The event log is always on by default and every command issued generates an event log entry. See Appendix A: Event Log Fields. If however you want to implement selective auditing, i.e. to prevent certain items from being entered into the event log, anywhere in the policy file you may use the LogOmit function. If used globally, then the selected items will be excluded from all event log records. However, the LogOmit function can be used in certain rules, allowing item level omissions to occur only when certain conditions are met, i.e. for certain users, certain commands or certain hosts. Refer to PowerBroker_Language_V9.1.pdf, LOGOMIT, for more information about this function.

Logomit

Data Type: List
Description: The logomit variable specifies which PowerBroker for Unix & Linux user-defined variables to omit from the event log. Use this variable to reduce the disk space that is used by the event log. Metacharacter patterns can be used. By default, this variable is undefined, which means that all PowerBroker for Unix & Linux variables are written to the event log.
Syntax: logomit = list;

In addition, at any time from within the policy, event logging can be disabled. Although not recommended due to the major reduction in security provided by the solution, you can globally disable the eventlog from writing any records with the following statement inside the policy file:

    eventlog = "/dev/null";

A more selective method allows the eventlog to be disabled based on a conditional statement inside the policy file:

    if (condition) {
        # normal policy processing
        ...
        eventlog = "/dev/null";
        accept;    # or reject;
    }

For example, to disable the eventlog for the whoami command but still allow the command to run, the following policy code disables the eventlog for this command only:

    if (basename(command) == "whoami") {
        eventlog = "/dev/null";
        accept;
    }


Event Record Format

See Appendix A: Event Log Fields for a detailed list of all default fields included in each event log entry. To provide an example of the amount of data collected in each event record, this is a single accepted command:

    Accept 2015/11/05 11:27:02 root@svr1centos63.demo.corp -> root@svr1centos63.demo.corp by svr1centos63.demo.corp whoami
    Command finished with exit status 0
    AdmGroup = "LinuxAdmins"
    AuditGroup = "Audit"
    LocalGroup = "LocalGroup"
    PBgroups = {"root"}
    PolicyServer = "svr1centos63.demo.corp"
    PwrUsers = {"root", "dba"}
    StdGroup = "LinuxUsers"
    StdUsers = {"Ray", "Dan", "Sam", "Amy", "Lee", "demo1", "demo7", "demo8", "demo9", "oracle", "OracleDBA", "c1kpadmin"}
    argc = 1
    argv = {"whoami"}
    bkgd = 0
    clienthost = "svr1centos63.demo.corp"
    clienthost_uuid = "02ceb4bf-90c7-4374-93c9-5811d34ed58f"
    clienthost_uuid_created = 0
    command = "whoami"
    commandset = {"whoami", "id", "top", "who", "cal", "cat", "ssh"}
    cwd = "/root"
    date = "2015/11/05 "
    day = 5
    dayname = "Tue"
    env = {"HOSTNAME=svr1centos63", "TERM=xterm", "SHELL=/bin/bash", "HISTSIZE=1000", "SSH_CLIENT=192.168.0.155 63282 22", "QTDIR=/usr/lib64/qt-3.3", "QTINC=/usr/lib64/qt-3.3/include", "SSH_TTY=/dev/pts/1", "USER=root", "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:", "MAIL=/var/spool/mail/root", "PATH=/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin", "PWD=/root", "JAVA_HOME=/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/", "LANG=en_US.UTF-8", "KDE_IS_PRELINKED=1", "KDEDIRS=/usr", "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass", "HISTCONTROL=ignoredups", "SHLVL=1", "HOME=/root", "LOGNAME=root", "QTLIB=/usr/lib64/qt-3.3/lib", "CVS_RSH=ssh", "SSH_CONNECTION=192.168.0.155 63282 192.168.0.160 22", "LESSOPEN=|/usr/bin/lesspipe.sh %s", "G_BROKEN_FILENAMES=1", "_=/usr/local/bin/pbrun"}
    event = "Accept"
    eventlog = "/var/log/pb.eventlog"
    execute_via_su = 0
    exitdate = "2015/11/05 "
    exitstatus = "Command finished with exit status 0"
    exittime = "11:27:02"
    false = 0
    group = "root"
    groups = {"root"}
    host = "svr1centos63.demo.corp"
    hour = 11
    i18n_date = "11/05/2015"
    i18n_day = "05"
    i18n_dayname = "Tue"
    i18n_exitdate = "11/05/2015"
    i18n_exittime = "11:27:02 AM"
    i18n_hour = "11"
    i18n_minute = "27"
    i18n_month = "11"
    i18n_time = "11:27:02 AM"
    i18n_year = "2015"
    iolog = ""
    iolog_part = 1
    lineinfile = "/etc/opt/pbul/pb.conf"
    linenum = "311"
    localmode = 0
    logdversion = "9.1.0-08"
    loghostip = "127.0.0.1"
    lognopassword = 1
    logpid = 18997
    logport = "24347"
    logserver_utcoffset = "-5.00"
    logserverlocale = "en_US"
    logservers = {"svr1centos63"}
    logstderr = 1
    logstdin = 1
    logstdout = 1
    master_utcoffset = "-5.00"
    masterdversion = "9.1.0-08"
    masterhost = "svr1centos63.demo.corp"
    masterhostip = "127.0.0.1"
    masterlocale = "en_US"
    minute = 27
    month = 1
    nice = 0
    noexec = 0
    optarg = ""
    opterr = 1
    optimizedrunmode = 1
    optind = 1
    optopt = ""
    optreset = 1
    optstrictparameters = 1
    passwordloggingprompts = {"Password", "password", "Passwd", "passwd"}
    pbclientmode = "run"
    pbclientname = "pbrun"
    pblogdmachine = "x86_64"
    pblogdnodename = "svr1centos63"
    pblogdrelease = "2.6.32-358.6.1.el6.x86_64"
    pblogdsysname = "Linux"
    pblogdversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"
    pbmasterdmachine = "x86_64"
    pbmasterdnodename = "svr1centos63"
    pbmasterdrelease = "2.6.32-358.6.1.el6.x86_64"
    pbmasterdsysname = "Linux"
    pbmasterdversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"
    pbrisklevel = 0
    pbrunmachine = "x86_64"
    pbrunnodename = "svr1centos63"
    pbrunrelease = "2.6.32-358.6.1.el6.x86_64"
    pbrunsysname = "Linux"
    pbrunversion = "#1 SMP Tue Apr 23 19:29:00 UTC 2013"
    pbulacapolicy = {"file default all", "file /tmp/banned/* !all|log=9", "file /scripts/* all|log=9", "file /sbin/reboot !exec|log=9", "file /sbin/shutdown !exec|log=9", "file /usr/bin/reboot !exec|log=9", "file /usr/bin/shutdown !exec|log=9", "file /etc/shadow !all", "file /usr/bin/* all|log=9", "file /usr/sbin/* all|log=9", "file /bin/* all|log=9", "file /sbin/* all|log=9"}
    pbversion = "9.1.0-08"
    pid = 18984
    ptyflags = 7
    rcsworkgroup = "BeyondTrust Workgroup"
    rejectnullpasswords = 0
    requestuser = "root"
    rlimit_as = -1
    rlimit_core = 0
    rlimit_cpu = -1
    rlimit_data = -1
    rlimit_fsize = -1
    rlimit_locks = -1
    rlimit_memlock = 65536
    rlimit_nofile = 1024
    rlimit_nproc = 7784
    rlimit_rss = -1
    rlimit_stack = 10485760
    rule = 3
    runargv = {"whoami"}
    runbkgd = 0
    runcommand = "whoami"
    runcwd = "/root"
    runeffectiveuser = "root"
    runenablerlimits = 0
    runenv = {"HOSTNAME=svr1centos63", "TERM=xterm", "SHELL=/bin/bash", "HISTSIZE=1000", "SSH_CLIENT=192.168.0.155 63282 22", "QTDIR=/usr/lib64/qt-3.3", "QTINC=/usr/lib64/qt-3.3/include", "SSH_TTY=/dev/pts/1", "USER=root", "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:", "MAIL=/var/spool/mail/root", "PATH=/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin", "PWD=/root", "JAVA_HOME=/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/", "LANG=en_US.UTF-8", "KDE_IS_PRELINKED=1", "KDEDIRS=/usr", "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass", "HISTCONTROL=ignoredups", "SHLVL=1", "HOME=/root", "LOGNAME=root", "QTLIB=/usr/lib64/qt-3.3/lib", "CVS_RSH=ssh", "SSH_CONNECTION=192.168.0.155 63282 192.168.0.160 22", "LESSOPEN=|/usr/bin/lesspipe.sh %s", "G_BROKEN_FILENAMES=1", "_=/usr/local/bin/pbrun"}
    rungroup = "root"
    rungroups = {"root"}
    runhost = "svr1centos63.demo.corp"
    runlocalmode = 0
    runnice = 0
    runoptimizedrunmode = 1
    runpid = 18982
    runptyflags = 7
    runrlimit_as = -1
    runrlimit_core = 0
    runrlimit_cpu = -1
    runrlimit_data = -1
    runrlimit_fsize = -1
    runrlimit_locks = -1
    runrlimit_memlock = 65536
    runrlimit_nofile = 1024
    runrlimit_nproc = 7784
    runrlimit_rss = -1
    runrlimit_stack = 10485760
    runsolarisproject = ""
    runtimeout = 0
    runtimeoutoverride = 0
    runumask = 18
    runuser = "root"
    solarisproject = ""
    status = 0
    submithost = "svr1centos63.demo.corp"
    submithostip = "127.0.0.1"
    submitlocale = "en_US.UTF-8"
    submitpid = 18982
    subprocuser = "root"
    taskpid = 18995
    taskttyname = "/dev/pts/2"
    testmaster = 0
    time = "11:27:02"
    timezone = "EST"
    true = 1
    ttyname = "/dev/pts/1"
    umask = 18
    uniqueid = "7f000001568beed64A28"
    unixtimestamp = 1452011222
    user = "root"
    xwinforward = 0
    year = 2015
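An auditor working with these records usually wants them as structured data rather than text, so that questions such as "which user, running as whom, with session recording on or off" can be answered over many records. The parser below is an added example for this guide, not BeyondTrust code; it assumes the record layout shown above (a one-line Accept/Reject header, the exit status line, then one name = value field per line, with values as "strings", {"lists"} or integers). The sample record is constructed and abridged from the one above.

```python
import re

# Constructed, abridged record in the shape of the Accept record shown above
# (a handful of its fields; the real record carries many more).
SAMPLE_RECORD = '''\
Accept 2015/11/05 11:27:02 root@svr1centos63.demo.corp -> root@svr1centos63.demo.corp by svr1centos63.demo.corp whoami
Command finished with exit status 0
argv = {"whoami"}
command = "whoami"
commandset = {"whoami", "id", "top", "who", "cal", "cat", "ssh"}
event = "Accept"
eventlog = "/var/log/pb.eventlog"
exitstatus = "Command finished with exit status 0"
iolog = ""
lineinfile = "/etc/opt/pbul/pb.conf"
lognopassword = 1
rlimit_as = -1
runuser = "root"
submithost = "svr1centos63.demo.corp"
user = "root"
'''

# Header: "<Accept|Reject> <date> <time> <user@submithost> -> <runuser@runhost> by <host> <command line>"
HEADER = re.compile(
    r'^(?P<event>Accept|Reject)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+'
    r'(?P<submitter>\S+)\s+->\s+(?P<runas>\S+)\s+by\s+(?P<by_host>\S+)\s+(?P<cmdline>.*)$'
)
FIELD = re.compile(r'^(?P<name>\w+)\s*=\s*(?P<value>.*)$')


def parse_value(text):
    """Decode one field value: "string", {"list", ...} or an integer.
    Anything else is returned as the raw text rather than raising."""
    text = text.strip()
    if len(text) >= 2 and text.startswith('"') and text.endswith('"'):
        return text[1:-1]
    if text.startswith('{') and text.endswith('}'):
        return re.findall(r'"([^"]*)"', text[1:-1])
    try:
        return int(text)
    except ValueError:
        return text


def parse_event_record(text):
    """Parse one record into {"header": {...}, "fields": {...}}.
    The exit status line has no '=' and is ignored by the field regex."""
    lines = text.splitlines()
    header = HEADER.match(lines[0]) if lines else None
    record = {"header": header.groupdict() if header else {}, "fields": {}}
    for line in lines[1:]:
        m = FIELD.match(line)
        if m:
            record["fields"][m.group("name")] = parse_value(m.group("value"))
    return record


def summarize(record):
    """The facts an auditor checks first: who asked, as whom it ran, what ran,
    and whether the record itself was weakened (eventlog sent to /dev/null,
    no session recording)."""
    f = record["fields"]
    return {
        "event": f.get("event"),
        "user": f.get("user"),
        "runuser": f.get("runuser"),
        "command": f.get("command"),
        "elevated": f.get("user") != f.get("runuser"),
        "session_recorded": bool(f.get("iolog")),
        "eventlog_suppressed": f.get("eventlog") == "/dev/null",
        "policy_file": f.get("lineinfile"),
    }


if __name__ == "__main__":
    print(summarize(parse_event_record(SAMPLE_RECORD)))
```

The header's "by" host is kept separately from the fields; in the record above it equals the PolicyServer and masterhost values, which is the cross-check to make when the two are expected to agree.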

Session Recording Session recording is enabled in a PowerBroker for Unix & Linux policy. Session recording can be enabled per command, per user, per host, during specific time frames, groups of these items or any other variable that can be referenced on the system during a command request. As described in the PowerBroker for Unix & Linux Auditing section, this type of auditing is optional whereby the Policy Creator/Administrator can selectively choose which commands, users, hosts, actions, times and so on are recorded. Session recording is only invoked when using the iolog command in the policy outlined below. Auditing this type of data is optional and not within the scope of the Common Criteria evaluation and has not been tested.


iolog

    Data Type: String
    Description: The iolog variable contains the absolute path specification for the current I/O log file. The default value for this variable is undefined, which does no I/O logging. The iolog file can log standard input, standard output, and standard error information that is associated with the current task request.
    Syntax: iolog = string;
    Valid Values: A string that contains the absolute path specification for the current iolog file. The default value is undefined.
    Example: iolog = "/var/log/sample.log";

The location and name of a recorded session can be configured in the policy. For example, you can use variables which are configured or set during normal PowerBroker for Unix & Linux operations to build the path location and name of the file for the recording.

Example:

    logtime = strftime("%H:%M");
    iolog = "/iologs/" + sprintf("%d-%d-%d", month, day, year) + "." + logtime + "." + split(runhost, ".")[0] + "." + user + "." + basename(command) + ".";
    # + ".XXXXXX";
    setenv("IOLOG", "done");
    print("Warning this session is being logged:", iolog);

Recorded sessions can be viewed using the ‘pbreplay’ command. The user needs root-level privileges to view the event log, but these rights can be delegated using PowerBroker for Unix & Linux as described later in this document. Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, iolog, for more information about turning on session recording and how recordings are created. Refer to PowerBroker Unix-Linux_Administration_V9.1.pdf, pbreplay, for more information on viewing session recordings.


Session Recording Example

Now we can combine these two features to control who can edit the policy, audit the entire editing session of the policy and also have the audit event records:

    if (basename(command) == "editpolicy") {
        logtime = strftime("%H:%M");
        iolog = "/iologs/" + sprintf("%d-%d-%d", month, day, year) + "." + logtime + "." + split(runhost, ".")[0] + "." + user + "." + basename(command) + ".";
        # + ".XXXXXX";
        setenv("IOLOG", "done");
        print("Warning this session is being logged:", iolog);
        runcommand = "vi";
        runargv = split("vi /etc/pb.conf");
        runuser = "root";
        accept;
    }

This will allow for the following command: pbrun editpolicy

(or pbrun –h hostname editpolicy)

Which will generate an event log record:

    Accept 2015/11/05 12:33:55 [email protected] -> [email protected] by svr1centos63.demo.corp vi /etc/pb.conf
    Command finished with exit status 0

And produce a session recording on the logging server in the /iologs folder with the current date, time, hostname, username and command (editpolicy) combined to make the file name.


PBLogD Logging Process

The ‘ps’ command can be used to look for running instances of ‘pblogd’ (the PowerBroker for Unix & Linux logging daemon):

    [root@systemname ~]# ps -ef | grep pblogd
    root     21415      1  0 15:39 ?        00:00:00 pblogd -i demo1@svr3centos63
    root     26394  21417  0 15:39 pts/1    00:00:00 grep pblogd

You may also use the ‘pbbench’ command to make sure that any/all configured log servers are

    [root@systemname ~]# pbbench -l
    svr1centos63.demo.corp:port=24347 OK 9.1.0-08

The xinetd entries for pblogd can also be checked in the system log:

    [root@systemname ~]# cat /var/log/messages | grep pblogd
    Jan 5 15:43:47 svr1centos63 xinetd[2092]: START: pblogd pid=21453 from=::ffff:127.0.0.1
    Jan 5 15:43:47 svr1centos63 xinetd[2092]: EXIT: pblogd status=0 pid=21453 duration=0(sec)

All of the above commands, executed here as root, can be delegated using the policy and pbrun as described above.


Audit Record Breakdown

The Standard Protection Profile for Enterprise Security Management Access Control and the Standard Protection Profile for Enterprise Security Management Policy Management require audit generation for specific security functional requirements, as identified in the security target. Not all audit records identified in the security target are applicable, since BeyondTrust PowerBroker UNIX + Linux Edition V9 is both a policy management product and an access control product. Examples of the applicable audit records and their format are identified below. Each entry gives the Component, the Event, the Additional Information required, and an Example Audit record with its location.

Component: ESM_ACD.1
Event: Creation or modification of policy
Additional Information: Unique policy identifier
Example Audit: The audit record entry records the creation or modification of the policy. The policy is identified as "/etc/pb/pbul_functions.conf".

    "hostname":"pbul-qa-aix61-01.unix.symark.com",
    "evtname":"file_import",
    "service":"pbdbutil9.1.0-08",
    "who":"root",
    "severity":16,
    "utc":"2015-12-07 14:59:11",
    "progname":"pbdbutil9.1.0-08",
    "version":"9.1.0-08",
    "arch":"rs6000_aixC",
    "data":{
        "fname":"/etc/pb/pbul_functions.conf",
        "msg":"Innitial import",
        "version":1,
        "sid":8978524,
        "pid":10420340,
        "uid":0}

Audit Record Location: Configuration Database

Component: ESM_ACT.1 [ESM_PM]
Event: Transmission of policy to Access Control products
Additional Information: Destination of policy
Example Audit: Policies are not transmitted; instead, policies are stored centrally and requests are made against the central policy. Requests from the Submit Host (the Access Control portion of the TOE) are transmitted to the Master Host (the Policy Management portion of the TOE). If the task is ACCEPTED by the policy, the Master Host transmits the secure task to the Run Host (the Access Control portion of the TOE). The event log captures the entire process in the Event Log Accept record. The ACCEPT record captures the identification of the requesting user, and each TOE component is identified. Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command) and the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). The name of the policy in effect (lineinfile '/etc/pb/pbul_functions.conf') verifies that the latest and correct policy is in effect.

    Name of User Requesting the Privileged Command
        'SUDO_USER=cctester'
        cwd '/home/cctester'
    Submit Host Identification
        TargetSubmitHostShortName 'CC-PowerBroker-Client'
        submithost 'CC-PowerBroker-Client'
        submithostip '10.0.2.20'
        clienthost '10.0.2.20'
    Run Host Identification
        pblocaldnodename 'CC-PowerBroker-RunHost'
        runhost 'CC-PowerBroker-RunHost'
    Master Host Identification
        pbmasterdnodename 'CC-PowerBroker-Master2'
        masterhost '10.0.2.11'
        masterhostip '10.0.2.11'
    Type of Command
        event 'Accept'
    Requested Elevated Command
        command 'whoami'
    Successful Execution of the Command
        event 'Finish'
        exitdate '2016/06/27'
        exitstatus 'Command finished with exit status 0'
    Location of the Audit Record
        eventlog '/var/log/pb.eventlog'
    Name of the Policy in Effect
        lineinfile '/etc/pb/pbul_functions.conf'

Audit Record Location: Event Log

Component: ESM_EAU.2 [ESM_PM]
Event: All use of the authentication mechanism
Additional Information: None
Example Audit: The ACCEPT Event Log record below captures the successful authentication of "root" via the browser interface GUI.

    Accept 2015/12/07 15:50:04 root pbul-qa-hpux11v3-01.unix.symark.com root 172.20.31.66 pbul-qa-hpux11v3-01.unix.symark.com /usr/sbin/pbguid log Authorized

Audit Record Location: Event Log

Component: FAU_GEN.1
Event: Start-up of the audit functions
Additional Information: None
Example Audit:

    Dec 8 11:33:08 pbul-qa-hpux11v3-01 inetd[3821]: pblogd/tcp: Added service, server /usr/sbin/pblogd

Audit Record Location: /var/log/syslog (on Linux), /var/adm/syslog (on Unix)

Component: FAU_GEN.1
Event: Shut-down of the audit functions
Additional Information: None
Example Audit:

    Dec 8 11:39:18 pbul-qa-hpux11v3-01 inetd[3821]: Going down on signal 15

Audit Record Location: /var/log/syslog (on Linux), /var/adm/syslog (on Unix)

Component: FAU_SEL.1 [ESM_AC]
Event: All modifications to audit configuration
Additional Information: None
Example Audit: The audit record below captures the audit configuration modified by the "logomit" command.

    "hostname": "pbul-qa-aix61-01.unix.symark.com",
    "evtname": "file_import",
    "service": "pbdbutil9.2.0-08",
    "who": "root",
    "severity": 16,
    "utc": "2016-05-24 17:17:48",
    "progname": "pbdbutil9.1.0-08",
    "version": "9.1.0-08",
    "arch": "rs6000_aixC",
    "data": {
        "fname": "/etc/pb.conf",
        "msg": "Logomit Added",
        "version": 3,
        "sid": 6226020,
        "pid": 4718624,
        "uid": 0}

Audit Record Location: Configuration Database

Component: FAU_SEL_EXT.1 [ESM_PM]
Event: All modifications to audit configuration
Additional Information: None
Example Audit: The audit record below captures the audit configuration modified by the "logomit" command.

    "hostname": "pbul-qa-aix61-01.unix.symark.com",
    "evtname": "file_import",
    "service": "pbdbutil9.2.0-08",
    "who": "root",
    "severity": 16,
    "utc": "2016-05-24 17:17:48",
    "progname": "pbdbutil9.1.0-08",
    "version": "9.1.0-08",
    "arch": "rs6000_aixC",
    "data": {
        "fname": "/etc/pb.conf",
        "msg": "Logomit Added",
        "version": 3,
        "sid": 6226020,
        "pid": 4718624,
        "uid": 0}

Audit Record Location: Configuration Database

Component: FAU_STG_EXT.1 [ESM_PM], [ESM_AC]
Event: Establishment and disestablishment of communications with audit server
Additional Information: Identification of audit server
Example Audit: The audit record captures the establishment of communication with the pblogd audit server.

    Dec 8 11:33:08 pbul-qa-hpux11v3-01 inetd[3821]: pblogd/tcp: Added service, server /usr/sbin/pblogd

Audit Record Location: Configuration Database

Component: FCO_NRR.2 [ESM_AC]
Event: The invocation of the non-repudiation service
Additional Information: Identification of the information, the destination, and a copy of the evidence provided
Example Audit: Policies are not transmitted; instead, policies are stored centrally and requests are made against the central policy. Requests from the Submit Host (the Access Control portion of the TOE) are transmitted to the Master Host (the Policy Management portion of the TOE). If the task is ACCEPTED by the policy, the Master Host transmits the secure task to the Run Host (the Access Control portion of the TOE). The event log captures the entire process in the Event Log Accept record. The ACCEPT record captures the identification of the requesting user, and each TOE component is identified. Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command) and the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). A copy of the evidence provided is verified by the successful execution of the command (event 'Finish', exitdate '2016/06/27', exitstatus 'Command finished with exit status 0').

    Name of User Requesting the Privileged Command
        'SUDO_USER=cctester'
        cwd '/home/cctester'
    Submit Host Identification
        TargetSubmitHostShortName 'CC-PowerBroker-Client'
        submithost 'CC-PowerBroker-Client'
        submithostip '10.0.2.20'
        clienthost '10.0.2.20'
    Run Host Identification
        pblocaldnodename 'CC-PowerBroker-RunHost'
        runhost 'CC-PowerBroker-RunHost'
    Master Host Identification
        pbmasterdnodename 'CC-PowerBroker-Master2'
        masterhost '10.0.2.11'
        masterhostip '10.0.2.11'
    Type of Command
        event 'Accept'
    Requested Elevated Command
        command 'whoami'
    Successful Execution of the Command
        event 'Finish'
        exitdate '2016/06/27'
        exitstatus 'Command finished with exit status 0'
    Location of the Audit Record
        eventlog '/var/log/pb.eventlog'
    Name of the Policy in Effect
        lineinfile '/etc/pb/pbul_functions.conf'

Audit Record Location: Event Log

Component: FDP_ACC.1(1), (2) [ESM_AC]
Event: Any changes to the enforced policy or policies
Additional Information: Identification of Policy Management product making the change
Example Audit: The audit record captures the policy "/etc/pb/pbul_functions.conf" modification.

    "hostname":"pbul-qa-spsol11-01.unix.symark.com",
    "evtname":"file_import",
    "service":"pbdbutil9.1.0-08",
    "who":"root",
    "severity":16,
    "utc":"2015-12-07 15:21:17",
    "progname":"pbdbutil9.1.0-08",
    "version":"9.1.0-08",
    "arch":"sparc_solarisD",
    "data":{
        "version":2,
        "fname":"/etc/pb/pbul_functions.conf",
        "msg":"Policy Changed",
        "sid":15438,
        "pid":15484,
        "uid":0}

Audit Record Location: Configuration Database

Component: FDP_ACF.1(1), (2) [ESM_AC]
Event: All requests to perform an operation on an object covered by the SFP
Additional Information: Subject identity, object identity, requested operation
Example Audit: Portions of the ACCEPT Event Log entry are provided below. The information in the Event Log entry provides the identification of the information ('Accept' command) and the destination (submithostip '10.0.2.20', runhost 'CC-PowerBroker-RunHost', and Master Host masterhost '10.0.2.11'). The name of the policy in effect (lineinfile '/etc/pb/pbul_functions.conf') verifies that the latest and correct policy is in effect. The subject "cctester" is requesting access to run the elevated command 'whoami'.

    Name of User Requesting the Privileged Command
        'SUDO_USER=cctester'
        cwd '/home/cctester'
    Submit Host Identification
        TargetSubmitHostShortName 'CC-PowerBroker-Client'
        submithost 'CC-PowerBroker-Client'
        submithostip '10.0.2.20'
        clienthost '10.0.2.20'
    Run Host Identification
        pblocaldnodename 'CC-PowerBroker-RunHost'
        runhost 'CC-PowerBroker-RunHost'
    Master Host Identification
        pbmasterdnodename 'CC-PowerBroker-Master2'
        masterhost '10.0.2.11'
        masterhostip '10.0.2.11'
    Type of Command
        event 'Accept'
    Requested Elevated Command
        command 'whoami'
    Successful Execution of the Command
        event 'Finish'
        exitdate '2016/06/27'
        exitstatus 'Command finished with exit status 0'
    Name of the Policy in Effect
        lineinfile '/etc/pb/pbul_functions.conf'

Audit Record Location: Event Log

Component: FMT_MOF.1 [ESM_PM], [ESM_AC]
Event: All modifications to TSF behavior
Additional Information: None
Example Audit: The audit record captures the policy "/etc/pb/pbul_functions.conf" modification.

    "hostname":"pbul-qa-hpux11v3-01.unix.symark.com",
    "evtname": "file_import",
    "service": "pbdbutil9.1.0-08",
    "who": "root",
    "severity": 16,
    "utc":"2015-12-07 16:09:25",
    "progname": "pbdbutil9.1.0-08",
    "version": "9.1.0-08",
    "arch": "ia64_hpuxA",
    "data":{
        "version" :1,
        "fname": "/etc/pb/pbul_functions.conf",
        "msg": "Policy Modified",
        "sid": 23198,
        "pid":24697,
        "uid": 0}

Audit Record Location: Configuration Database

Component: FMT_SMF.1 [ESM_PM], [ESM_AC]
Event: Use of the management functions
Additional Information: Management function performed
Example Audit: The audit record captures the management function of the creation of the "/etc/pb/pbul_functions.conf" policy.

    "hostname":"pbul-qa-spsol11-01.unix.symark.com",
    "evtname":"file_import",
    "service":"pbdbutil9.1.0-08",
    "who":"root",
    "severity":16,
    "utc":"2015-12-07 15:15:21",
    "progname":"pbdbutil9.1.0-08",
    "version":"9.1.0-08",
    "arch":"sparc_solarisD",
    "data":{
        "msg":"New Policy Created",
        "fname":"/etc/pb/pbul_functions.conf",
        "version":7,
        "sid":15438,
        "pid":15469,
        "uid":0}

Audit Record Location: Configuration Database

Component: FMT_SMR.1 [ESM_PM]
Event: Modifications to the members of the management roles
Additional Information: None
Example Audit: This is an audit record from importing the policy file, thus applying the policy. The policy file is what controls who can perform the management functions.

    "hostname":"pbul-qa-aix61-01.unix.symark.com",
    "evtname":"file_import",
    "service":"pbdbutil9.1.0-08",
    "who":"root",
    "severity":16,
    "utc":"2015-12-07 14:59:11",
    "progname":"pbdbutil9.1.0-08",
    "version":"9.1.0-08",
    "arch":"rs6000_aixC",
    "data":{
        "fname":"/etc/pb/pbul_functions.conf",
        "msg":"Innitial import",
        "version":1,
        "sid":8978524,
        "pid":10420340,
        "uid":0}

Audit Record Location: Configuration Database

Component: FPT_FLS_EXT.1 [ESM_AC]
Event: Failure of communication between the TOE and Policy Management product
Additional Information: Identity of the Policy Management product, reason for the failure
Example Audit:

    Dec 4 12:34:36 pbul-qa-spsol11-01 pbmasterd9.1.0-08: [ID 702911 auth.error] [14388] 8540.2 client on pbul-qa-hpux11v3-01.unix.symark.com is not SSL enabled

Audit Record Location: /var/log/pbmasterd.log (on Linux), /var/adm/pbmasterd.log (on Unix)

Component: FTP_ITC.1 [ESM_AC]
Event: All use of trusted channel functions
Additional Information: Identity of the initiator and target of the trusted channel
Example Audit: The ACCEPT Event Log entry captures the use of the trusted channel functions. Portions of the ACCEPT Event Log entry are provided below that are applicable to this audit requirement. These two fields in the Event Log entry identify the initiator and target of the trusted channel: the IP address of the remote LDAP server and the user attempting to authenticate over the trusted channel to LDAP are recorded.

    LDAPServer "10.42.215.74"
    LDAPUser "tester"

Portions of the ACCEPT Event Log entry are provided below that are applicable to this audit requirement. The fields in the Event Log entry identify the internal TOE component communications. The identity of the initiator and the targets for the trusted channel are recorded.

    Name of User Requesting the Privileged Command
        'SUDO_USER=cctester'
        cwd '/home/cctester'
    Submit Host Identification
        TargetSubmitHostShortName 'CC-PowerBroker-Client'
        submithost 'CC-PowerBroker-Client'
        submithostip '10.0.2.20'
        clienthost '10.0.2.20'
    Run Host Identification
        pblocaldnodename 'CC-PowerBroker-RunHost'
        runhost 'CC-PowerBroker-RunHost'
    Master Host Identification
        pbmasterdnodename 'CC-PowerBroker-Master2'
        masterhost '10.0.2.11'
        masterhostip '10.0.2.11'
    Type of Command
        event 'Accept'
    Successful Execution of the Command
        event 'Finish'
        exitdate '2016/06/27'
        exitstatus 'Command finished with exit status 0'
    Location of the Audit Record
        eventlog '/var/log/pb.eventlog'
    Name of the Policy in Effect
        lineinfile '/etc/pb/pbul_functions.conf'

Audit Record Location: Event Log

Component: FTP_TRP.1 [ESM_PM]
Event: All attempted uses of the trusted path functions
Additional Information: Identification of user associated with all trusted path functions, if available
Example Audit: Portions of the ACCEPT Event Log entry are provided below that are applicable to this audit requirement. The Event Log entry records the identification of the user associated with the trusted path function.

    Accept 2015/12/07 15:50:04 root CC-PowerBroker-Client root CC-PowerBroker-Master CC-PowerBroker-Master /usr/sbin/pbguid log Authorized

Audit Record Location: Event Log

Server Tracking Audit Information

All event log entries and each individual recorded session contain a set of headers that audit details about the Log Server, where you can track information such as the server name, IP address, SSL certificate information, version, time zone and more:

    pblogdcertificateissuer = "/C=US/ST=AZ/L=Phoenix/O=BeyondTrust/OU=PowerBroker/CN=centos7.demo.corp"
    pblogdcertificatesubject = "/C=US/ST=AZ/L=Phoenix/O=BeyondTrust/OU=PowerBroker/CN=centos7.demo.corp"
    pblogdmachine = "x86_64"
    pblogdnodename = "centos7.demo.corp"
    pblogdrelease = "3.10.0-229.11.1.el7.x86_64"
    pblogdsysname = "Linux"
    pblogdversion = "#1 SMP Thu Aug 6 01:06:18 UTC 2015"
    eventlog = "/var/log/pb.eventlog"
    iolog = "/var/log/pbsudo/centos7-client.demo.corp-pbsudo-io.XXXXXX"
    iolog_list = {"centos7.demo.corp:/var/log/pbsudo/centos7-client.demo.corp-pbsudo-io.joZema"}
    iolog_part = 1
    logdversion = "9.2.0-08"
    loghostip = "192.168.0.163"
    lognopassword = 1
    logpid = 17259
    logport = "24347"
    logserver_utcoffset = "-4.00"
    logserverlocale = "en_US.UTF-8"
    logservers = {"centos7.demo.corp"}
    logstderr = 1
    logstdin = 1
    logstdout = 1

In addition, each event log entry and each recorded session carries, in the audit entry header, information on all components that participated in the action. This includes the Submit Host, the Run Host, the Master Host (Policy Server) and the Log Host (Logging Server). Here is an example of the information contained in the headers:

    host = "centos7-client.demo.corp"
    clienthost = "centos7-client.demo.corp"
    clienthost_uuid = "83c2c51d-0e38-481f-970a-8a03b057835d"
    clienthost_uuid_created = 0
    loghostip = "192.168.0.163"
    masterhost = "centos7.demo.corp"
    masterhostip = "192.168.0.163"
    runhost = "centos7-client.demo.corp"
    submithost = "centos7-client.demo.corp"
    submithostip = "192.168.0.164"

Additional Audit Functions and Change Management

An optional feature exists in PowerBroker for Unix & Linux to move key configuration, settings and policy files to a version-controlled database, including auditing of activities such as the creation of new files and version changes in controlled files. To enable the configuration database, the administrator needs to import a file (any file, but preferably an important control file such as pb.conf or pb.settings) using the pbdbutil command, with the --cfg parameter and the -i flag to initiate an import.

IMPORTANT: Before moving any files into the configuration database, if change tracking is required, ensure the following two lines are added to the end of the pb.settings file first:

    changemanagementevents  yes
    eventdb                 /etc/pbevents.db

Change management is not enforced or enabled by default, but is required to meet the requirements outlined in the Common Criteria requirements document. When any file is added to the configuration database using the pbdbutil command, PowerBroker for Unix & Linux will automatically handle the creation of the database and the appropriate configuration for version control and file tracking. For example, to take /etc/pb.settings and /etc/pb.conf under management, enter the following commands:

    [root@centos7 etc]# pbdbutil --cfg -i /etc/pb.settings
    {"fname":"/etc/pb.settings","version":1}
    [root@centos7 etc]# pbdbutil --cfg -i /etc/pb.conf
    {"fname":"/etc/pb.conf","version":1}

The imported files that are being managed can then be viewed using the -l flag (list) as shown below:

    [root@centos7 etc]# pbdbutil --cfg -l
    {"version":1,"pathname":"/etc/pb.conf","deleted":0,"created":"2016-04-21 11:34:15"}
    {"version":1,"pathname":"/etc/pb.settings","deleted":0,"created":"2016-04-21 11:34:09"}
    [root@centos7 etc]#

A detailed transaction log of additions, updates and deletions can be shown using the change event log as follows: pbdbutil --evt -s '{ "taxonomy" : "chgmgt" }'

The same data can be shown broken out using the ‘Printable’ switch to make each event easier to read: pbdbutil --evt -P -s '{ "taxonomy" : "chgmgt" }'

Below is an example audit record showing the settings file being updated:

    "hostname": "centos7.demo.corp",
    "evtname": "file_import",
    "service": "pbdbutil9.2.0-08",
    "who": "root",
    "severity": 16,
    "utc": "2016-04-26 21:43:18",
    "progname": "pbdbutil9.2.0-08",
    "version": "9.2.0-08",
    "arch": "x86_64_linuxA",
    "data": {
        "fname": "/etc/pb.settings",
        "version": 6,
        "msg": "New example comment added",
        "sid": 9354,
        "pid": 4761,
        "uid": 0
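The change-management records shown here and in the Audit Record Breakdown above share one shape: a file_import event whose data object names the file, its new version number and who imported it. An auditor reviewing the trail wants, per file, the ordered list of versions and, above all, any version numbers that have no event, since a gap means a change happened while changemanagementevents was off (the IMPORTANT note above) or an event was lost. The code below is an added example for this guide, not BeyondTrust code; the records are constructed in the shape of the ones above (one JSON object per line, as assumed for pbdbutil --evt output), and /etc/pb.settings deliberately jumps from version 1 to version 6.

```python
import json

# Constructed sample (not real pbdbutil output): four file_import change events
# modelled on the records shown in the guide. /etc/pb.settings has versions 1
# and 6 only; /etc/pb.conf has versions 1 and 2.
SAMPLE_EVENTS = '''\
{"hostname": "centos7.demo.corp", "evtname": "file_import", "service": "pbdbutil9.2.0-08", "who": "root", "severity": 16, "utc": "2016-04-21 11:34:09", "progname": "pbdbutil9.2.0-08", "version": "9.2.0-08", "arch": "x86_64_linuxA", "data": {"fname": "/etc/pb.settings", "version": 1, "msg": "Initial import", "sid": 9354, "pid": 4701, "uid": 0}}
{"hostname": "centos7.demo.corp", "evtname": "file_import", "service": "pbdbutil9.2.0-08", "who": "root", "severity": 16, "utc": "2016-04-21 11:34:15", "progname": "pbdbutil9.2.0-08", "version": "9.2.0-08", "arch": "x86_64_linuxA", "data": {"fname": "/etc/pb.conf", "version": 1, "msg": "Initial import", "sid": 9354, "pid": 4702, "uid": 0}}
{"hostname": "centos7.demo.corp", "evtname": "file_import", "service": "pbdbutil9.2.0-08", "who": "root", "severity": 16, "utc": "2016-04-22 09:12:40", "progname": "pbdbutil9.2.0-08", "version": "9.2.0-08", "arch": "x86_64_linuxA", "data": {"fname": "/etc/pb.conf", "version": 2, "msg": "Policy Changed", "sid": 9355, "pid": 4720, "uid": 0}}
{"hostname": "centos7.demo.corp", "evtname": "file_import", "service": "pbdbutil9.2.0-08", "who": "root", "severity": 16, "utc": "2016-04-26 21:43:18", "progname": "pbdbutil9.2.0-08", "version": "9.2.0-08", "arch": "x86_64_linuxA", "data": {"fname": "/etc/pb.settings", "version": 6, "msg": "New example comment added", "sid": 9360, "pid": 4761, "uid": 0}}
'''


def load_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def version_history(events):
    """Map each managed file to its recorded versions, oldest first:
    fname -> [(version, utc, who, msg), ...]. Only file_import events count."""
    history = {}
    for ev in events:
        if ev.get("evtname") != "file_import":
            continue
        d = ev["data"]
        history.setdefault(d["fname"], []).append(
            (d["version"], ev["utc"], ev["who"], d["msg"]))
    for versions in history.values():
        versions.sort()
    return history


def find_version_gaps(history):
    """Version numbers below the latest recorded one that have no event.
    Only files with at least one gap are returned."""
    gaps = {}
    for fname, versions in history.items():
        seen = {v for v, *_ in versions}
        missing = [v for v in range(1, max(seen) + 1) if v not in seen]
        if missing:
            gaps[fname] = missing
    return gaps


def non_root_changes(events):
    """Imports performed under a uid other than 0, worth a second look when
    the managed files are expected to be changed by root only."""
    return [(ev["utc"], ev["who"], ev["data"]["fname"])
            for ev in events
            if ev.get("evtname") == "file_import" and ev["data"].get("uid") != 0]


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for fname, missing in find_version_gaps(version_history(events)).items():
        print(f"{fname}: no change event for version(s) {missing}")
```

Run against real output, the input would be the result of pbdbutil --evt -s '{ "taxonomy" : "chgmgt" }' as shown above; the gap check is the one to automate, because a clean, contiguous version list per file is what demonstrates that the change trail is complete.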

Below is an example command to show the differential between V5 (the old version) and V6 (the new version) with an addition of a comment line highlighted below: [root@centos7 etc]# pbdbutil --cfg -D /etc/pb.settings -V5:6 *** /tmp/.pbdiff_Ja9ruT 2016-04-26 21:47:31.351401559 -0400 --- /tmp/.pbdiff_DczUEd 2016-04-26 21:47:31.350401541 -0400 *************** *** 5,10 **** --- 5,11 ---#

daemons: /usr/sbin

#

pbinstall: /BT/powerbroker/v9.2/pbx86_64_linuxA-9.2.0-08/install/pbinstall

#

TMPDIR: /tmp/beyondtrust_pbinstall


+ #

Comment added for change event tracking example

kerberos

no

#mprincipal

pbmasterd

#lprincipal

pblocald
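Review bot: the only change in this hunk is the added comment line `+ #  Comment added for change event tracking example`; no pb.settings keyword or value changes, so version 6 should behave identically to version 5, and the context lines (`kerberos no`, `#mprincipal pbmasterd`, `#lprincipal pblocald`) must read the same after the import as before. Note also that the diff header identifies only the temporary files (`/tmp/.pbdiff_Ja9ruT` and `/tmp/.pbdiff_DczUEd`), not the versions compared, so if this output is retained as change evidence, keep the `-V5:6` selector and the matching `pbdbutil --evt` record with it.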

For a detailed breakdown of the data types and data that is stored in the change management database, please see Appendix B: Change Management Event Log Fields.


Configuration Files Used During Testing/Creation of Supplementary Guide

Policy Files

The following files were used during the testing of PowerBroker for Unix & Linux to ensure that all the requirements laid out in the Common Criteria template were met by the solution. These files are environment specific and should be used as examples only.

Note: If communication to the Master Host and its policy is unavailable, the default action is to deny all pbrun requests.

Example File Index:

    Root Policy (pb.conf)
    Main Policy (pbul_policy.conf)
    Functions (pbul_functions.conf)
    LDAP Policy (ldap.conf)
    RADIUS Policy (pam_radius_auth.conf)
    RADIUS PAM Config (pbul_pam_radius)

Root Policy File (/etc/pb.conf)

    include '/etc/pb/pbul_policy.conf';
    #include '/etc/pb/pbul_gui.conf';
    #ldap_open("cc-powerbroker-ldap");

Main Policy File (pbul_policy.conf)

    include '/etc/pb/pbul_functions.conf';

    #===========================================================================
    # Copyright 2013 by BeyondTrust Software International, Inc.
    # All rights reserved.
    # pbul_policy.conf
    # Version: 1.0
    #
    # This default role-based policy is provided as a simple default policy for PowerBroker.
    # For each role defined, you can add additional users, commands and hosts to the lists pre-defined for each role.
    #
    # It contains the following roles:
    #
    # Helpdesk role:
    #   Enabled by default, when invoking "pbrun helpdesk" it allows any user in HelpdeskUsers (default 'root')
    #   to initiate a Helpdesk Menu as 'root' on any host in HelpdeskHosts (default submithost only)
    #   Helpdesk Menu of actions comprising
    #     - List of processes (ps -ef)
    #     - Check if a machine is up (ping )
    #     - List current users on this host (who -H)
    #     - Display Host's IP settings (ifconfig -a)
    #
    # PBTest:
    #   Enabled by default, for all users on all hosts, "pbrun pbtest" allows checking connectivity and policy.
    #
    # Controlled Shells:
    #   Enabled by default, allows users in ControlledShellUsers (by default the submituser),
    #   for runhosts in ControlledShellHosts (by default only submithost), to enable iologging for pbksh/pbsh.
    #   iologs are created by default in "/tmp/pb....[pbksh|pbsh].XXXXXX"
    #   This role has a list of commands (empty by default) to elevate privileges for, as well as
    #   a list of commands (empty by default) to reject.
    #
    # Admin role:
    #   Enabled by default, allows users in AdminUsers (by default 'root') to run any command on runhosts in AdminHosts
    #   (by default only submithost)
    #
    # Demo role:
    #   Disabled by default, allows users in DemoUsers (default all users) to run commands in
    #   DemoCommands (default 'id' and 'whoami') as 'root' on any host in DemoHosts (default all hosts)
    #
    # The policy ends by allowing all users to run any command as themselves without any privilege escalation.
    #

    #TargetRunHostShortName = split(runhost, ".")[0];
    TargetRunHostShortName = "CC-PowerBroker-RunHost";
    runhost = "10.0.2.24";
    TargetSubmitHostShortName = split(submithost, ".")[0];

    #
    # This enables "HelpDesk role", which allows any user in HelpdeskUsers (default 'root') to initiate a Helpdesk Menu as 'root'
    # on any host in HelpdeskHosts (default submithost only)
    # By default this role is enabled. To disable this set EnableHelpdeskRole to false below.
    #
    #EnableHelpdeskRole = true;
    #HelpdeskUsers = {"root"};
    #HelpdeskHosts = {submithost, TargetSubmitHostShortName};
    #HelpdeskRole();

    #
    # This enables a command 'pbtest' which, when invoked with pbrun, allows connectivity and policy to be checked.
    # By default this role is enabled. To disable this set EnablePBTest to false
    #
    EnablePBTest = true;
    PBTest();

    #
    # This enables "ControlledShell role", which turns on iologging for any user in ControlledShellUsers (default all users)
    # on any host in ControlledShellHosts (default all run hosts) when running pbksh and pbsh.
    # By default, this role is enabled. To disable this set EnableControlledShellRole to false below.
    #
    # Two variables are defined for this role:
    # List variable ControlledShellRejectedCmds - List of rejected commands (empty by default)
    #   If you want any specific command to be rejected during the pbksh/pbsh session, add the command to the list below
    #   For example:
    #     ControlledShellRejectedCmds = {"rm", "mv"};
    #
    # List variable ControlledShellPrivilegedCmds - List of commands to elevate privileges for (empty by default)
    #   If you want any specific command to run with elevated privileges during the pbksh/pbsh session, add the command to the list below
    #   For example:
    #     ControlledShellPrivilegedCmds = {"id", "reboot"};
    #
    #
    EnableControlledShellRole = true;
    #ControlledShellUsers = {user};
    #ControlledShellHosts = {runhost, TargetRunHostShortName};
    #ControlledShellRejectedCmds = {};
    #ControlledShellPrivilegedCmds = {};
    #ControlledShellRole();

    #
    # This enables "Admin role", which allows root (or any user in AdminUsers) to run any command on the current host (or any host in AdminHosts)
    # By default this role is enabled. To disable this set EnableAdminRole to false below.
    #
    EnableAdminRole = true;
    AdminUsers = {"root"};
    AdminHosts = {submithost};
    AdminRole();

    #
    # This enables "Demo role", which allows any user in DemoUsers (default all users) to run commands in DemoCommands (default 'id' and 'whoami') as 'root'
    # on any host in DemoHosts (default all hosts)
    # By default, this role is disabled. To enable this set EnableDemoRole to true below.
    #
    # IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
    #
    #EnableDemoRole = false;
    #DemoUsers = {user};
    #DemoCommands = {"id", "whoami"};
    #DemoHosts = {runhost, TargetRunHostShortName};
    #DemoRole();

    # If here, the user will only have the permissions to run commands as itself on the submithost.
    #if ( submithost == runhost || pbclientmode == 'pbssh' )
    #{
    #    SetRunEnv(runuser, false);
    #    accept;
    #}

    EnableCCRole = true;
    CCUsers = {user};
    PrivlidgedLDAPUsers = {"tester","othertester"};
    PrivlidgedRadiusUsers = {"beyondtrustuser","beyondtrustuser2"};
    LDAPCommands = {"vi", "gedit","rm","chmod","cat","kill"};
    RadiusCommands = {"cat","top","ps","kill"};
    FileCommands = {"vi", "gedit", "rm", "cat"};
    CCHosts = {runhost, TargetRunHostShortName, submithost, TargetSubmitHostShortName};
    CCRole();
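A role-based policy like the one above is easy to mis-wire: an Enable flag can be set while the role procedure that reads it stays commented out, a *Users list can contain the variable user (which matches every submitter), or runhost can be pinned to a constant so every request lands on one host. The following Python is an added example, not part of PowerBroker or this guide: it parses the subset of the policy language used in pbul_policy.conf (assignments, {...} list literals, no-argument role calls, # comments to end of line) and reports those conditions. The sample policy is a cut-down copy of the file's own lines; the checks and their wording are this example's, not product rules, and the parser deliberately ignores if-blocks and quoted '#' characters, which the sample does not contain.

```python
import re

# Constructed sample policy: a cut-down copy of the pbul_policy.conf lines shown
# in this guide (same variables, same enabled and commented-out roles), used as
# input for the checks below.
SAMPLE_POLICY = r'''
include '/etc/pb/pbul_functions.conf';
#TargetRunHostShortName = split(runhost, ".")[0];
TargetRunHostShortName = "CC-PowerBroker-RunHost"; runhost = "10.0.2.24"; TargetSubmitHostShortName = split(submithost, ".")[0];
# By default this role is enabled. To disable this set EnablePBTest to false
EnablePBTest = true; PBTest();
EnableControlledShellRole = true;
#ControlledShellRole();
EnableAdminRole = true; AdminUsers = {"root"}; AdminHosts = {submithost}; AdminRole();
#EnableDemoRole = false;
#DemoRole();
EnableCCRole = true; CCUsers = {user}; LDAPCommands = {"vi", "gedit","rm","chmod","cat","kill"};
CCHosts = {runhost, TargetRunHostShortName, submithost, TargetSubmitHostShortName}; CCRole();
'''


def parse_value(raw):
    """Turn a policy literal into a Python value; anything else stays a tagged expression."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("{") and raw.endswith("}"):
        return [parse_value(x) for x in raw[1:-1].split(",") if x.strip()]
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return ("expr", raw)


def parse_policy(text):
    """Collect top-level assignments and role-procedure calls from policy text.

    Handles the subset used in the sample: '#' comments to end of line (the
    sample has no '#' inside strings), ';'-terminated statements, and calls with
    no arguments. Assignments inside if-blocks are not distinguished.
    """
    code = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    assignments, calls = {}, []
    for stmt in code.split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith("include "):
            continue
        m = re.fullmatch(r"(\w+)\s*=(?!=)\s*(.+)", stmt)
        if m:
            assignments[m.group(1)] = parse_value(m.group(2))
            continue
        m = re.fullmatch(r"(\w+)\(\s*\)", stmt)
        if m:
            calls.append(m.group(1))
    return assignments, calls


def audit_policy(assignments, calls):
    """Return human-readable findings about role wiring and privilege exposure."""
    findings = []
    # Enable<X> is only meaningful if <X>() is actually invoked.
    for name, value in assignments.items():
        if name.startswith("Enable"):
            proc = name[len("Enable"):]
            if value is True and proc not in calls:
                findings.append(f"{name} is true but {proc}() is never called: the role is inactive")
            elif value is False and proc in calls:
                findings.append(f"{proc}() is called although {name} is false")
    non_root = [u for u in assignments.get("AdminUsers", []) if u != "root"]
    if non_root:
        findings.append(f"AdminUsers grants any command to non-root users: {non_root}")
    if assignments.get("EnableDemoRole") is True and "DemoRole" in calls:
        findings.append("DemoRole is active: every command in DemoCommands runs as root")
    if isinstance(assignments.get("runhost"), str):
        findings.append(f"runhost is pinned to the constant {assignments['runhost']!r}")
    for name, value in assignments.items():
        if name.endswith("Users") and isinstance(value, list) and ("expr", "user") in value:
            findings.append(f"{name} contains the variable 'user', so it matches every submitting user")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(*parse_policy(SAMPLE_POLICY)):
        print("-", finding)
```

Run against the sample it reports three things, all visible in the file above: EnableControlledShellRole is true but ControlledShellRole() is commented out, runhost is pinned to "10.0.2.24", and CCUsers = {user} matches every submitting user. None of these is necessarily wrong for a test environment, which is the point of the guide's own caveat that these files are environment specific; the check makes each of them a conscious decision rather than an accident.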

Functions Policy File (pbul_functions.conf)

    # Copyright 2013 by BeyondTrust Software International, Inc.
    # All rights reserved.
    # pbul_functions.conf
    # Version: 1.0
    #
    # Procedures used in pbul_policy.conf
    #

    #
    # The function SetRunEnv sets the run environment for a particular
    # runuser. It takes two arguments: the runuser, and a boolean (SetRunCommand)
    # that, when true, restricts runcommand to the basename of the submitted command.
    # To call the function:
    #
    #     SetRunEnv("root", true);
    #
    function SetRunEnv(RunUserName, SetRunCommand)
    {
        runuser = RunUserName;
        rungroup = "!g!";
        rungroups = {"!G!"};
        runcwd = "!~!";
        setenv("SHELL", "!!!");
        setenv("HOME", "!~!");
        setenv("USER", RunUserName);
        setenv("USERNAME", RunUserName);
        setenv("LOGNAME", RunUserName);
        setenv("PWD", runcwd);
        setenv("PATH", "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin");
        keepenv("SHELL", "HOME", "USER", "USERNAME", "LOGNAME", "PWD", "PATH");
        SetRunEnv=runuser;
        if ( SetRunCommand == true )
        {
            # Setting runcommand to basename(command) forces the command to be resolved through PATH
            # and prevents the user from executing a command from a different path.
            runcommand=basename(command);
        }
        if ( runuser == 'root' )
            runsecurecommand=true;
    }

    #
    # Procedure PBTest:
    # This is a debugging test that can test the network connectivity and host name resolution.
    # Invocation: pbrun pbtest
    #
    procedure PBTest()
    {
        if ( EnablePBTest && basename(command) == "pbtest" )
        {
            SetRunEnv(user, true);
            print("    clienthost:", clienthost);
            print("  clienthostip:", ipaddress(clienthost));
            print("          host:", host);
            print("        hostip:", ipaddress(host));
            print("    masterhost:", masterhost);
            print("  masterhostip:", ipaddress(masterhost));
            print("       runhost:", runhost);
            print("     runhostip:", ipaddress(runhost));
            print("    submithost:", submithost);
            print("  submithostip:", submithostip);
            print("   requestuser:", requestuser);
            #print("       runuser:", runuser);
            print("          user:", user);
            policysetenv("LDAPCONF","/etc/ldap.conf");
            connid=ldap_initialize("ldap://10.42.215.124",3);
            if(length(connid)