BoKS Manager 7.1 Release Notes

Revision: 11

First published: 2017-05-31
Updated: 2018-12-11

This document contains information about BoKS Manager 7.1 from Fox Technologies.

It includes the following sections:

• Important Notes

• Supported Platforms

• End-of-life Information

• What’s New

– Access Route Enhancements

– User Account Enhancements

– Full IPv6 Support

– Integrated BoKS Password Manager

– Keystroke Logging for BoKS SSH Access

– BoKS Non-Privileged Editor

• What’s Changed

– Major Changes

– Minor Changes

• Fixed Issues

• Known Issues

• Revision History

• Getting Support And Service

Important Notes

• All new and modified features, and fixed issues, described in this document are fixed or modified in relation to the release BoKS Manager version 7.0.

• Terminology: “Access Routes” are now referred to in program interfaces and documentation as “Access Rules”. When working with Access Rules via the BoKS CLI, it is recommended to use the new CLI program boksrule.

• Note that support for the following is included in this version of BoKS but is deprecated, meaning it may not be supported and may be removed in future versions.

– BoKS Desktop functionality, including user virtual cards

– xRBAC functionality

– Safeword authentication

– BoKS ServerControl for Windows

• When you upgrade to BoKS 7.1 the default setting for handling keystroke logging is “local”. If you have applied hotfix HFBM-0173 in your BoKS 7.0 domain and have the global default set to “remote”, it is reset to “local” when you upgrade. You can set the global default to “remote” using the command bksdef -g remote. Note, however, that remote logging in large BoKS environments can negatively impact domain performance.

• Authentication using Safeword 2003 and 2008 tokens is not supported in this release as these products are scheduled for end-of-life in November 2017.

• The BoKS Manager 7.1 Administration Guide has been updated (revision 5, 2018-09-11) with information on ports used for IPv4 and IPv6 and BoKS discovery protocol in version 7.1. For more information see the section “Port Assignment Basics” in the revised Administration Guide.

Supported Platforms

BoKS Manager 7.1 is supported on the following platforms:

Table 1: Supported Platforms

Vendor | Platform | Comments
IBM | IBM AIX 7.1, 7.2 |
IBM | IBM AIX 6.1 | Server Agent only.
Oracle | Oracle Solaris 11 on SPARC & x64 | Oracle Solaris up to and including v 11.3 is supported. Oracle Solaris 11.4 is not supported.
Oracle | Oracle Solaris 10 on SPARC & x64 | SPARC package is Server Agent only.
Oracle | Oracle Enterprise Linux 7 on x64 | Support for this platform is included in the package for Red Hat EL 7.0.
Oracle | Oracle Enterprise Linux 6 on x64 | Server Agent only. Support for this platform is included in the package for Red Hat EL 6.0.
Red Hat | Red Hat Enterprise Linux 7 on x64, PowerPC (Little Endian) | PowerPC package is for Server Agent only.
Red Hat | Red Hat Enterprise Linux 6 on x64 |
SUSE | SUSE Linux Enterprise Server 12 on x64 |
SUSE | SUSE Linux Enterprise Server 12 on zSeries | Server Agent only.
SUSE | SUSE Linux Enterprise Server 11 on x64 and zSeries | Server Agent only.
CentOS | CentOS 7 on x64 | CentOS 7 support is included in the BoKS Manager package for Red Hat Enterprise Linux 7 on x64.
CentOS | CentOS 6 on x64 | CentOS 6 support is included in the BoKS Manager package for Red Hat Enterprise Linux 6 on x64.
Debian | Debian 9 on x64 | Server Agent only.
Debian | Debian 8 on x64 and x86 | Server Agent only.
Debian | Debian 7 on x64 | Server Agent only.
HPE | HP-UX 11 v3 on Itanium | Server Agent only.
HPE | HPE Linux 8 | Server Agent only.
Ubuntu | Ubuntu 14 on x64 | Server Agent only.
Ubuntu | Ubuntu 16 on x64 | Server Agent only.


End-of-life Information

• For information on the end-of-life schedule for this release, please see the BoKS Knowledge Base at https://community.helpsystems.com.

What’s New

New features in this release. Note that the features described here are new in BoKS Manager as compared to the BoKS Manager 7.0 release.

For more detailed information on each feature, see the BoKS Manager 7.1 Administration Guide and Installation Guide, and where appropriate, BoKS man pages for relevant CLI programs.

Note: The old BoKS Administration GUI is no longer included in this release of BoKS Manager.

Access Route Enhancements

The BoKS access control mechanism has been enhanced, with BoKS access rules (the new name for access routes) managed using a new CLI program, boksrule. Enhancements include:

• New unique access rule ID (ARID) that is included in audit log messages

• Ability to modify access rules

• Ability to time limit access rules using start and expiration dates

• Ability to add a comment for access rules

• Ability to copy access rules to another user or user class

A new CLI program, boksrule, has been added for management of Access Rules for both users and User Classes. The programs ttyadmin and routeadm are still included and support the new enhancements in this version; however, these programs are deprecated and may not be supported in future versions.

For more information, see the BoKS Manager 7.1 Administration Guide and the BoKS man page boksrule.

User Account Enhancements

The following BoKS user account enhancements are included in BoKS Manager 7.1:

• Never expiring user accounts - it is possible to add BoKS user accounts that do not have an expiration date.

• Never expiring passwords - it is possible to add BoKS user accounts with a never-expiring password.

• Date for manual block - the date an account was manually blocked is registered in BoKS and can be viewed in FCC.


• Account creation time and account block time - the date an account was created and blocked is registered in BoKS and can be viewed in FCC.

Full IPv6 Support

Internal BoKS protocols have been updated to support IPv6. If your Master and Replicas are running BoKS Manager 7.1, those hosts and BoKS 7.1 Server Agents in the domain can have IPv6 primary IP addresses. BoKS 7.0 hosts can only have IPv4 addresses for their primary IP addresses, but can have IPv6 secondary IP addresses. Hosts running older versions of BoKS can only have IPv4 addresses, both primary and secondary.

Non-BoKS hosts in the domain can have an IPv6 primary IP address.

Integrated BoKS Password Manager

The BoKS Password Manager product is now integrated into BoKS Manager, with support for backend functions included in the BoKS Master installation and a new Graphical User Interface for password checkout based on FoxT Control Center technology.

For more information, see the BoKS Manager Administration Guide and the FoxT Control Center online help system.

Keystroke Logging for BoKS SSH Access

Access rules that include the ssh_sh access method can be configured to be keystroke logged. This enables you to record in forensic detail user activity in interactive SSH sessions. Note that this is not supported for SSH rules with chroot specified.

BoKS Non-Privileged Editor

A new function has been added that allows you to give users access to create, view and edit files on BoKS-protected hosts as other users without having their privileges elevated to the other user. The BoKS non-privileged editor ensures that users cannot escape to a shell as the to-user, is controlled using the new EDIT access method, and is run by end-users with the boksedit program.

For more information, see the BoKS Manager Administration Guide and the FoxT Control Center online help system.

List Days Since Last User Authentication (RFE #12419)

You can now list the number of days since a user last authenticated in BoKS using the following CLI commands:

lsbks -a

This includes the date of the last authentication in the verbose listing (the “Last activity” parameter).

lsbks -DQ

This lists the days since last authentication.

For methods where fromuser authentication is used, both to- and from-user accounts are updated when a user authenticates.


What’s Changed

Changed features in this release. Note that the features described here are changed in BoKS Manager as compared to the BoKS Manager 7.0 release. This section includes detailed descriptions for major changes and a table listing minor changes in this release.

For more detailed information on each feature, see the BoKS Manager 7.1 Administration Guide and Installation Guide, FoxT Control Center online help system and where appropriate, BoKS man pages for relevant CLI programs.

Major Changes

BoKS Performance Enhancements

Enhancements to BoKS performance include:

• Speedup of clntd send bridge on Master

• udsqd can support more than 1024 simultaneous connections from server agents

• boks_master speedup of logout messages

• boks_servc speedup of host cache lookup

• Replica notifications sent to Master immediately

• boks_drainmast read lock on database

BoKS AD Bridge Enhancements

Enhancements to the BoKS AD Bridge function include:

• One-to-many mapping from AD to BoKS accounts

• Speedup of adsync (~factor of 5)

• authadm calls boks_servc instead of boks_master to get all users with authenticators

• Configuration to use iUPN or eUPN for BoKS Kerberos principal name

suexec Noexec Option

A new option for suexec access rules, suexec_noexec, can be used to prevent programs started by suexec from running system exec commands and thus executing other programs in turn.

Support for Multiple Encrypted Keystroke Logging CAs

In previous versions of BoKS Manager, it was only supported to have one Encrypted Keystroke Logging CA. In BoKS Manager 7.1 and later, it is supported to have multiple Encrypted Keystroke Logging CAs in the system at the same time to allow renewal of the Encrypted Keystroke Logging CA when required.


New keystroke logs will be encrypted with the CA certificate with the longest expiration date. Old CAs should be kept in BoKS to allow decryption of old keystroke logs.

For details of the changes to CLI programs this involves, see “Minor Changes” below.

OpenSSH Upgrade

The version of OpenSSH used in BoKS has been upgraded from version 6.1p1 to version 7.3p1 in this version of BoKS Manager.

Other Removed Functionality

The following deprecated functionality previously included in the product has also been removed from this version:

• The ability to change your password at the password prompt by typing oldpassword#newpassword#newpassword has been removed. Note that this also means that the “#” character is now allowed in user passwords.

Minor Changes

The following table lists in detail minor changes to CLI programs, variables and configuration parameters.

Table 2: Minor changes

ldapauth: When you have applied the hotfix HFBM-0234 on the BoKS Master, it is supported to use the ldapauth authentication method with the access methods BCCAS and PWMGR.

SELinux: The BoKS SELinux policy files are now provided as an external RPM that can be applied if you are using SELinux. Separate RPMs are available for download from the FoxT customer support website for the different Red Hat Linux versions.

bksdef / ENV / lsbks: BoKS Manager 7.1 includes new flags for controlling update of the tables LOGIN and USERVAR. Updating of these tables is turned on by default, but you can turn updating off to improve BoKS performance in large deployments. These flags are managed by bksdef via the new options --update-loginout-stats and --track-logged-in-users. For example, you can disable updating of login and logout stats with the command:

bksdef --update-loginout-stats disable

When running boks_bru on a pre-7.0 database dump, the ENV variables FTP_UPDATE_LOGINTIME and SFTP_UPDATE_LOGINTIME are dropped. The ENV variable DONT_UPDATE_LOGINTIME has been marked as deprecated. lsbks no longer shows last login/logout when update-loginout-stats is unset. The login greeting has been changed to not print last login etc. when these flags are unset.


ENV: The KSL_MAXAGE ENV variable is now set to 7 days when installing BoKS 7.1. When upgrading from 7.0, KSL_MAXAGE is set to seven days unless it was already set in the 7.0 database. The comment for KSL_MAXAGE in the man page for ENV.4 has been updated to reflect the change.

ENV / showmaster: There are some new and modified ENV variables in connection with the enhanced load-balancing function in BoKS Manager 7.1 (see also Fixed Issue #9564).

New variables:

• BRIDGE_SERVC_R_MAX_TIME and BRIDGE_SERVC_S_MAX_TIME: used to force the servc-receive-bridge on Replicas and the servc-send-bridge on Server Agents, respectively, to close connections after a maximum connection time.

• BRIDGE_SERVC_S_MAX_RESP and BRIDGE_SERVC_S_MIN_WAIT: control how long the Server Agent waits for replies to the UDP probe messages sent out to Replicas.

Modified variables:

• BRIDGE_IDLE_TIMEOUT_<service>: the default value is changed from 30 seconds to 10 seconds.

• BRIDGE_QUEUE_DELAY, BRIDGE_QUEUE_HIGH and BRIDGE_QUEUE_LOW: these variables only affect load-balancing operation of pre-7.1 Server Agents that do not have the load-balancing hotfix installed and are thus using the old load-balancing algorithm.

The showmaster command has been updated with new options to list multiple Replicas when invoked with the -s option; see showmaster(1B).

ENV / authentication: The new ENV variable LOCAL_CACHE_AUTH can be used to configure that answers to authentication calls are cached for 2 minutes (default) on the host before servc is asked to authenticate again. This can improve performance in large BoKS environments.

AD Bridge: The new parameter USETLS is added to the adsync.cfg configuration file. If set to Y, -ZZ is added to the ldapsearch command to force it to use TLS. The adsync operation fails if TLS cannot be used. See USETLS in the BoKS man page adsync.cfg for more information on how to set up TLS.


ENV / AD Bridge: This feature applies if you are using Active Directory with sites. If the parameter ADKRB5CONF is set to "on" in $BOKS_etc/ENV on a Server Agent, boks_adkrb5conf is kept running as a daemon. It finds out which AD servers are located closest to this Server Agent and updates krb5.conf(5) with this information. This makes Kerberos clients prioritize KDCs in the same site, improving authentication performance. See the boks_adkrb5conf(8) man page for more information.

ENV: The ENV variable SFTP_UPDATE_LOGINTIME is ignored if a Server Agent is running in a domain where the Master/Replicas are running BoKS 7.1 or later. Since BoKS Manager 7.1 records the user's last-activity time, updating last login for non-login services is not needed.

bokslicense: Some error messages have been updated for greater clarity, and the program now also returns an error when the summary function fails to communicate with BoKS.

kerberos / bksdef: New option “bksdef -U enable” to allow short UPNs (without @REALM) in the mapkerberos program.

fingerprint: The fingerprint CLI program is replaced by the bokscertfingerprint program.

groupadm: New option -S to list the users a Unix group is assigned directly to. For more information see the BoKS man page groupadm. (RFE #12322)

client_upgrade: client_upgrade now saves and restores the $BOKS_var/ssh_userpubkeys file (used as a registry of which SSH public keys are provisioned by BoKS).

kslogview: New options -B <started by>, to filter keystroke logs based on which program started them, and -m, to display keystroke log metadata.

ssh-agent: $BOKS_bin/ssh-agent is now set to group "sshd" and mode ---x--s--x on all platforms. The group "sshd" is chosen because it is created (if needed) for privilege separation, so it exists everywhere and should be empty.

kslog / BoKS audit log: The kslog LID is added at the end of successful SSH login audit log messages if kslog is enabled (". LID=<lid>").

Installation: At new installs of the BoKS Master, the Master is registered in the BoKS database with its Fully Qualified Domain Name (FQDN) to reduce the risk of a hostname mismatch in the certificate-based authentication used for FoxT Control Center connections.

sshpkadm: Supported user SSH public key fingerprint hash formats are extended to include SHA512 fingerprints in addition to the SHA1 fingerprints supported in earlier BoKS versions. BoKS 7.1 hosts use SHA512 fingerprints when in a BoKS 7.1 Master/Replica domain and SHA1 fingerprints when in a pre-7.1 Master/Replica domain.
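As an added illustration of the fingerprint change above (example code, not BoKS or sshpkadm code), the following Python parses an OpenSSH public-key line, checks that the key type inside the wire-format blob matches the declared type, computes both SHA1 and SHA512 fingerprints, and picks the one the entry says a 7.1 host uses for a given Master/Replica version. The exact encoding sshpkadm stores is not on this page; the plain hex digest over the decoded blob used here is an assumption, and the sample key is constructed rather than a real key.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire-format string at offset; returns (value, next_offset)."""
    if len(buf) < offset + 4:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[start:start + n], start + n


# Constructed sample: an ssh-ed25519 blob whose 32-byte key value is a dummy byte run.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode("ascii") + " alice@example"


def parse_public_key_line(line: str):
    """Split an authorized_keys-style line into (key_type, blob, comment).

    The declared type must equal the first string field inside the blob; a
    mismatch means the line was edited or the blob belongs to a different key."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, _ = _read_ssh_string(blob, 0)
    if wire_type.decode("ascii", errors="replace") != key_type:
        raise ValueError(f"declared type {key_type!r} differs from blob type {wire_type!r}")
    return key_type, blob, comment


def fingerprints(blob: bytes) -> dict:
    """Hex SHA1 and SHA512 digests of the raw key blob (assumed fingerprint form)."""
    return {
        "sha1": hashlib.sha1(blob).hexdigest(),
        "sha512": hashlib.sha512(blob).hexdigest(),
    }


def fingerprint_for_domain(blob: bytes, master_version: str):
    """Apply the rule from the release note: SHA512 in a 7.1 Master/Replica domain, SHA1 before."""
    parts = master_version.split(".")
    major, minor = int(parts[0]), int(parts[1]) if len(parts) > 1 else 0
    algo = "sha512" if (major, minor) >= (7, 1) else "sha1"
    return algo, fingerprints(blob)[algo]


if __name__ == "__main__":
    kt, blob, comment = parse_public_key_line(SAMPLE_KEY_LINE)
    for version in ("6.5.2", "7.0", "7.1"):
        print(version, kt, comment, *fingerprint_for_domain(blob, version))
```

The type check matters in a provisioning registry such as ssh_userpubkeys: a fingerprint is only as trustworthy as the blob it was computed over, so reject a line whose declared type and embedded type disagree before recording anything.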


mkbks, modbks, bccasd, ENV man page: It is now permitted to have a period (.) in usernames for Unix type users. Note that you can configure the allowed characters using the BoKS ENV variable LOGIN_SPECIAL_CHARS. See the BoKS man page ENV for details. (RFE #13012)

keystroke logging: A new global setting can be used to set whether keystroke data is logged to local files or logged remotely. bksdef -g { local | remote } selects whether the global default is local or remote. Additionally, you can set the behavior for individual access rules using the flags “ksllocal” and “kslremote”. Note that, while in BoKS Manager 7.0 the default setting for the domain is to log remotely, in BoKS 7.1 the default setting is local. You can change the default using the bksdef program.

ENV: A new ENV variable has been added named SERVC_EXTERNAL_REQ_DISABLE. This can be set to stop boks_servc on the BoKS Master from accepting external requests. This can be useful in large BoKS environments to stop Server Agents from connecting to boks_servc on the Master. (RFE #12877)

hostadm / hostprereg: The flag -e has been added to hostadm to set, modify or remove the tmpdir setting used by boksedit/boksview. The -e flag is also added to hostprereg, used the same way and for the same purpose. For details, see the BoKS man pages hostadm and hostprereg.

kerberospw: A new helper binary, $BOKS_lib/kerberospw, is added that makes it possible to authenticate with a Kerberos password in bccasd for access to the FoxT Control Center GUI.

boksauth: The boksauth CLI has been modified so that it is no longer possible to display user password hashes via servc calls. The hash string is overwritten with ‘*’.

lserrlog: lserrlog -m now writes one message per line without blank lines in between (and still without “long messages”). (RFE #12293)

ENV file: For clarity, some settings have been added to the BoKS ENV file on the Master / Replicas with their default values:

• DRAINMAST_TRL_BATCH_MAX with default setting 600.

• TRANSACTIONLOG_SIZE_KB with default setting 3000.

• DRAINMAST_TRL_BATCH_DATA_MAX with default setting 60.

• BRIDGE_CACHE_SIZE: the optimum setting for this variable depends on the number of hosts in the BoKS domain; see the ENV man page for more information and advice on setting this variable and for details of other variables.

hostadm: Support for the DTHOST host type is removed. When you restore the database after upgrade, hosts of type DTHOST are converted to type NONBOKSHOST if the host has at least one IP address assigned. If the host does not have any IP address assigned it is deleted from the BoKS database.


uninstall: A new option to the BoKS uninstall program, -n, prevents the program from creating a backup of the BoKS database.

boksinfo: In order to provide more information for SELinux installations, if SELinux is permissive or enabled, boksinfo:

• writes the output of tail ~5000 /var/log/audit/audit.log to audit.txt in the OS catalog of the result.

• writes the output of grep AVC | tail ~5000 /var/log/audit/audit.log to audit_AVC.txt in the OS catalog of the result.

boksinfo: In a Solaris environment with multiple zones running, the ps listing produced by boksinfo, ps-boks.txt, now only shows information for the current zone where boksinfo was run. (RFE #12804)

Hook script configuration, ssm_hook_config: The hook script configuration file $BOKS_etc/ssm_hook_config is now called $BOKS_etc/hook_script.cfg. The individual scripts for different actions, $BOKS_etc/ssm_*, can now be named arbitrarily and are configured in hook_script.cfg. They should be configured with the full path. Examples are provided in $BOKS_etc/hook_examples/, for example hook_hostadd.sh. The sample script $BOKS_lib/???usr_nisp has been removed. Support for $BOKS_etc/post_rmbks, $BOKS_lib/post_mkhome and $BOKS_lib/pre_mkhome has been removed; this functionality is now configured in the hook_script.cfg file. The -H flag (do not run hook scripts) for mkbks, rmbks and modbks has been removed. Hook scripts are now run when adding, modifying or deleting hosts using hostadm.

ENV file: Support for the BoKS ENV variable BRIDGE_ADDRESS has been removed.

ENV file: Support for the BoKS ENV variables BRIDGE_SERVC_R_DECRYPT_ERROR_MAX and BRIDGE_SERVC_R_DECRYPT_ERROR_TIME has been removed. The corresponding parameters are now fixed at 10 errors and 10 minutes respectively. Note that these parameters are only relevant if you run BoKS 6.5.2 or earlier Server Agents in your BoKS domain.

cacreds: New option to the cacreds program: -C, which makes cacreds print out the certificate in PEM format.

bcastaddr: Added support for BoKS server discovery via IPv6 link-local multicast. IPv6 multicast is enabled by default (similar to IPv4 broadcast) but can be disabled with the keyword DONT_MULTICAST in the $BOKS_etc/bcastaddr file. Multicast group id 42594 is used (42594 is FoxT's IANA Private Enterprise Number).

cadm: The cadm option “-h host” may only be executed on the BoKS Master, to avoid hostname mismatches that could occur if this option were run on a Replica or Server Agent.


bccas: The bccas expression syntax has the following additions:

• "in?": like "in", but the first parameter is a "glob" pattern to match, analogous to "=?".

• "in~": like "in", but the first parameter is a regular expression, analogous to "=~".

The use cases for these are mainly in the ABAC configuration, e.g. match: "\"HR*\" in? $userClasses".

ENV file: The BoKS ENV variable LOG_AUTH_SERVER, which has been obsolete since the new logging infrastructure was introduced in BoKS 7.0, has been removed along with all references to it.

lh: New option to the lh program: -b <hostname>, to look up host addresses in DNS for BoKS internal scripts.

kslogadm: Changes made to sub-commands in connection with support for multiple Encrypted Keystroke Logging CAs:

setpsw -> addcert:

• When the first certificate is added, the KSL Administrator password is set. When adding further certificates, the KSL Administrator password is verified against the hash stored in TAB SYS and the VC PIN is encrypted with the same password.

• New option -q. If a certificate is added when another certificate has already been added, a confirmation to continue is prompted for. The -q option suppresses the confirmation.

• Added a test to check whether the specified SKI is from an existing KSL Encryption certificate.

chpsw:

• When changing the password, the VC PIN for all stored KSL Encryption certificates is re-encrypted using the new password.

• Removed the -s ski option. See above.

rmpsw -> rmcert:

• No changes except for the name change.

listcert:

• New sub-command, which lists the SKI of all configured KSL Certificates.

• New option, -n, which also presents the cert's DN.


boks_pkcs7: Changes made to the program in connection with support for multiple Encrypted Keystroke Logging CAs:

• When encrypting a KSL log file, the SKI and the DNAME are added after the "-----END PKCS7-----" line. This simplifies decryption when multiple KSL Encryption certificates exist.

• When decrypting a KSL log file, the SKI and DNAME found at the end of the log file are used to find the correct VC file and the correct encrypted PIN from the database.

• When decrypting older logs (without the SKI and DNAME), all VCs for the configured KSL certificates are tried, starting with the one with the longest validity.

Event Management System (EMS): The BoKS EMS event path has changed for password hash regeneration. When a user password is set in the form of a password hash, as when importing local passwords from a host or importing passwords from LDAP, the user ends up with an incomplete set of password hashes. At the next successful password authentication BoKS generates the missing hashes from the clear-text password entered. If BoKS EMS is enabled, the hash regeneration creates an EMS event. Earlier, the password hash regeneration used the same event label as a password change event, "change". The event label for the hash regeneration has been changed in BoKS 7.1 to "rehash" so that it is possible to distinguish it from a real password change; see eventd.cfg(5).

lsbks: lsbks -a now displays the password checkout enabled status (yes/no), also available via the display option ‘T’, lsbks -DT. ‘T’ can also be used as a selection criterion for users with password checkout enabled, lsbks -VT.

bksdef / Event Management System (EMS): bksdef -a enables/disables the new SYS_EMS_PWM_ENABLE ENV variable. If this is enabled, EMS only works for password updates for users with password checkout enabled. This makes it possible to use this mechanism as a replacement for the password update hook in previous Password Manager versions without the overhead penalty of activating EMS for all events.

modbks, lsbks: Support has been added for storing the date and comment for manual blocking of user accounts:

• New optional option for modbks: -b, for specifying a block comment. Can only be used together with -B, block user.

• The log message generated when a user is blocked has been updated to also include the comment, if specified.

• lsbks -a and lsbks -DB output is changed to also show the block date and block comment if the user is manually blocked.

ttyadmin: The obsolete options -T and -N have been removed from ttyadmin. Note that the ttyadmin program is deprecated and may not be supported in future versions. The new program boksrule is recommended for working with Access Rules.


mkbks, modbks: The flag no_account_expiration has been added for mkbks and modbks. If set for an account, the account does not expire. On version 7.1 Server Agents, information in the shadow file or similar is updated to reflect this. Older Server Agents cannot process this information, so in that case the expiration date in shadow or similar is set to the year 2038. Also, the options -A and -D can now be used for WINDOM and WINLOC type users, but only for the flags “blocked” and “no_account_expiration”. lsbks shows “no_expire” in listings that show when an account expires if the “no_account_expiration” flag is set.

mkbks, modbks: In the CLI, a user is normally blocked and unblocked using modbks -B/-U. However, it was also possible to use mkbks/modbks -D everything to block a user and modbks -A everything to unblock. As “everything” is not an intuitive name for this flag, the command now also accepts the flag “blocked”.

mkbks, modbks: The flag no_password_expiration has been added for mkbks/modbks. If set for an account, the account’s password does not expire. On 7.1 Server Agents, information in the shadow file or similar is updated to reflect this. Older Server Agents cannot process this information, so in that case the expiration date in shadow or similar is set to the year 2038. This flag can be set for UNIX and WINLOC type users.

BoKS CA: The BoKS internal CA now by default issues certificates with SHA-256 signatures. This is a configuration option in the file $BOKS_etc/ca/ca_int/ca_int.cfg.

lsbks: The output format for lsbks has been updated for listings that include information about user Access Rules (options -aT).

Audit logging Relaying BoKS audit messages to an external syslog server over TCP, but without TLS is now done using RFC5424 format messages instead of RFC5425 format. To force use of RFC5425 format messages, set BLOGSD_SYSLOG_USERFC5425=on in the BoKS Master’s ENV file.

Audit logging Support has been added for relaying log messages to an external syslog server via UDP.


BoKS auto-registration

BoKS auto-registration communication now also supports TLS 1.2 in addition to the SSL 3.0 supported in earlier BoKS versions. The default configuration is to allow both TLS 1.2 and SSL 3.0 to be compatible with earlier BoKS versions. SSL 3.0 support can be disabled if backward compatibility is not needed, see the ENV(4B) AUTOREGISTERD_TLSVER variable and boks_autoregister(1B).

BoKS bridge communications

The old hardcoded value of 5 for the backlog parameter to the listen() system call is now by default 128 and can be modified using the ENV parameter BRIDGE_LISTEN_BACKLOG_servc (see the BoKS ENV man page for more detail).

AD Bridge

The new BoKS ENV variable KERBEROS_PRINCIPAL_NOCASE, if set to on, makes servc’s Kerberos Principal (UPN) to BoKS user mapping treat the UPN case insensitively.

ENV

The new BoKS ENV variable SSH_KRB_OK_AS_DELEGATE, if set to on, makes the BoKS SSH client respect the ok-as-delegate flag in a Kerberos service ticket for a remote host and only consider delegating the TGT to the host if the flag is set. The default setting is off.

ENV

The boks_csspd ENV configuration variables CSSPD_SERVC_NQUE and CSSPD_SERVC_QUE are no longer supported.

CSSP server

The CSSP server can now support multiple SSL/TLS protocol versions. The default is now TLS 1.2 (used by the latest BoKS SSH Client). Old versions of BoKS Desktop still require SSL 3.0. There is a new CSSP server configuration variable named CSSPD_TLSVER. The default CSSP server cipher suite list is changed to: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA

pgrpadmin

The pgrpadmin program has new options for dealing with programs and options containing spaces, -p and -O. The -Z option has been marked for deprecation. For more information, see the BoKS man page pgrpadmin.

Hosts and Host Groups

It is no longer possible to add a host with the same name as a Host Group, and vice versa.

ENV

New ENV variables added for improved domain communication performance:

• BRIDGE_ACCEPT_MASTER_IPS

• BRIDGE_CLNTD_S_MAX_CONNECT_RETRY_MINUTES

• BRIDGE_CLNTD_S_MAX_SOCKETS

For more information see the BoKS man page ENV.

Fixed Issues

Issues that have been fixed in this release.

Table 3: Fixed Issues in BoKS Manager 7.1

Issue # Title Description

#9564, #13069, #13107

LOAD-BALANCING ENHANCEMENTS

Limitations in the design of load-balancing in the domain needed to be addressed to help with performance issues including issues with sftp and file transfer.

#9602, #13417

adgroup MAN PAGE ERRORS

The usage statement in the man page for adgroup did not include all options, for example not including “adgroup -l -u <user class>” to list all User Classes propagated to Active Directory.

#9363, #12258

BoKS DOES NOT HANDLE SIGFREEZE AND SIGTHAW ON SOLARIS

During Solaris LDOM live migration, lack of handling of SIGFREEZE and SIGTHAW caused the BoKS daemons on the source LDOM to be killed meaning they had to be restarted manually.

#9076, #12270

boks_sshd PERFORMANCE ON x86/x86_64 ARCHITECTURES

The BoKS versions of the ssh and sshd programs do not achieve the same performance as the OS native versions of ssh/sshd on x86/x86_64 architectures.

#9349, #12991

sudo DOES NOT WORK ON CERTAIN PLATFORMS

sudo was disabled via PAM when BoKS was active on Debian 7 and 8, SuSE 12, and Ubuntu 12 and 14.

#9547, #13360

kslog LOG FILES IN UNEXPECTED LOCATION

kslog log files where the checksum couldn't be verified could end up directly under $BOKS_var/kslog instead of in $BOKS_var/kslog/error/<host>/.

#8827, #12097, #12743

ldapusersync.pl CANNOT IMPORT SSHA PASSWORD HASHES

The ldapusersync.pl script for LDAP user synchronization was not able to import SSHA password hashes.

#8892, #11052

adsync.pl DOES NOT HANDLE FAILURE OF mkbks PROPERLY

The adsync.pl script for AD Bridge did not report the status back correctly to the calling routine if for any reason commands sent to mkbks failed.

#9428, #12087

adjoin EXITS WITHOUT ERROR MESSAGE

adjoin failed on SIGPIPE if the remote side closed the connection unexpectedly, but did not give an error message to indicate that an issue had occurred.

#9463, #13154

ldapauth USERS PROMPTED FOR PASSWORD CHANGE

BoKS users with LDAP authentication set were wrongly prompted to change their password when their BoKS password expiration date passed.

#8707, #11951

bremotever DOCUMENTATION LACKING INFORMATION

The documentation for the bremotever file, both the man page and the relevant parts of the BoKS Manager documentation set, did not mention that all IP addresses, both primary and secondary, for a host must be listed in the file.

#8889, #11390

BoKS MAY OCCASIONALLY KILL UNRELATED PROCESSES

In rare cases BoKS could kill unrelated (non-BoKS) processes.


#9518, #13282

bokslicense SHOULD CHECK IF BoKS IS RUNNING

The bokslicense program requires that BoKS is running but the error messages returned by the program when BoKS was not running were unclear and did not help to diagnose the problem.

#8357, #10830

boksdiag INPUT VALIDATION

The boksdiag command only performed minimal input validation, checking that the minimum number of arguments were given but not checking any other input.

#9023, #12278

UPGRADE ON NEW MASTER FAILS

When upgrading BoKS and changing the Master, it is not possible to import the license if the new Master is not in the database, and the new Master cannot be added since the default license does not allow it.

#9296, #12782

POSSIBLE TO VIEW UNIX CRYPT PASSWORD HASH

The BoKS CLI command boksauth allows the root user on BoKS Server Agents to view the UNIX crypt password hash of other users on the same host via the boks_servc "user-data" function even if the local password database is configured to use a stronger hash algorithm.

#9406, #12931

resetFailedLogins REQUIRES TOO MANY ADDITIONAL PERMISSIONS

The ABAC checking for the resetFailedLogins function also required the user to be allowed to list and add/remove a user's Unix groups, which was not relevant for the request.

#8922, #12201

boks_autoregisterd SHOULD SET NODEKEY BEFORE UPDATING HOST GROUPS

When an auto registered host comes back up and is registered in the database by boks_autoregisterd, the host is added to Host Groups before the nodekey is set. This causes the host to be marked as down in the bridge_clntd_s since password file updates are spooled to the batch queue, but cannot be delivered.

#9072, #12310

CVE-2016-3115 SSH X11 FORWARDING SECURITY VULNERABILITY

Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. This CVE is only valid for OpenSSH up to 7.1p2. BoKS Manager 7.1 uses OpenSSH 7.3p1.

#9067, #12144, #12142

VULNERABILITIES IN SSH CLIENT

Two vulnerabilities related to the ssh client:

• CVE-2016-0777: A malicious ssh server may extract information from freed memory in the ssh client, e.g. a private key.

• CVE-2016-0778: A malicious ssh server may cause a heap buffer overflow in the ssh client.

These CVEs are only valid for OpenSSH up to 7.1p2. BoKS Manager 7.1 uses OpenSSH 7.3p1.

#9417, #12673

CANNOT ADD MASTER BACK WITH REPLICAS

An issue with BoKS licensing meant that if you removed the Master and tried to add it again using hostadm, this did not work if the domain included Replicas.


#9165, #12543

REPLICAS REPORTED AS DOWN DUE TO LOG REPLICATION FAILURE

A log replication failure on x86 64bit platforms could lead the “boksdiag list” command to erroneously report a Replica’s status as “Down”.

#9285, #12742

boks_bru IMPORT FAILURE

When importing the database from a BoKS 6.7 Master with boks_bru, the following error is displayed if BoKS is not running: “bokslogadm: Failed to open file for reading: /var/opt/boksm/run/blogs”

#9094, #12110

NO UDP SUPPORT FOR LOG RELAYING

When relaying BoKS audit logs to an external syslog server, only TCP was supported and it was not possible to use UDP.

#9022, #12294

MISLEADING boks_bru ERROR MESSAGE

When importing a database in BoKS 7.0, if the database contained correct information but /etc/hosts had the wrong IP address, the output from boks_bru did not reflect the problem causing the issue.

#9445, #12280

RESTORE OF DB FAILS IF MASTER ADDRESS NOT IN HOSTS FILE

Importing the BoKS database into a new Master using boks_bru failed if the Master was defined in the /etc/hosts file with the loop-back address rather than the correct IP address.

#9423, #13110

convert DOES NOT LOG ACTIONS PERFORMED

The convert utility did not explicitly log to the BoKS audit log what actions it performed, e.g. what host types it changed from and to.

#9204, #11078

cadm -a EXIT CODES DO NOT REFLECT ERRORS

If the command “cadm -a” encountered errors such as the ServerAgent not responding or the file name provided not supporting the operation, it did not return an appropriate exit code.

#8427, #11501

-O OPTION WITH ad* COMMANDS DOES NOT GIVE HELPFUL ERROR

When you ran the command “ad* -O” (e.g. adjoin, adgroup) and specified the base DN instead of the RDN required for the -O argument, no helpful error pointing this out was returned.

#9499, #13217

adsync DOES NOT PROPERLY HANDLE MISSING AD GROUPS

If a group mapped to a User Class in BoKS was missing from AD, adsync terminated and did not propagate users to BoKS.

#9364, #12272

passwd -F DOES NOT CHECK THAT USER EXISTS

When you run the BoKS passwd -F command, it does not check that the user exists, so the command accepts misspelt user names, for example, without error.

#8518, #11654

CVE-2015-5600 OpenSSH keyboard-interactive authentication brute force vulnerability (MaxAuthTries bypass)

This issue is fixed by the upgraded OpenSSH version in BoKS 7.1.

#8490, #7069, TFS100725-2510165

suexec ROUTES WITH SPACE IN PROGRAM NAME

suexec routes with a space in the program name did not distinguish between program names and program arguments and could lead to unauthorized programs being executed.


#8323, #10146

CVE-2014-2532 sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config

This allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. This issue is fixed by the upgraded OpenSSH version in BoKS 7.1.

#8322, #10144

CVE-2014-2653 verify_host_key in the OpenSSH client skips SSHFP DNS RR checking

The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. This issue is fixed by the upgraded OpenSSH version in BoKS 7.1.

#9489, #13206

boks_bru SILENT EXIT WHEN SAVEFILES ARE MISSING

If $BOKS_etc/savefiles or $BOKS_var/savefiles are missing, boks_bru aborts with exit 1. No error message is produced.

#9471, #7267, TFS091116-175130

INVALID REASON FOR PASSWORD CHECKOUT NOT LOGGED

No log entry was created in the BoKS audit log when a user tried to check out a password but was prevented from doing so because they provided an invalid reason for the checkout.

#9451, TFS110420-012573

WILDCARDS IN PROGRAM GROUP NOT DOCUMENTED IN MAN PAGE

The man page for the "pgrpadmin" command does not state if/how wildcards and regular expressions can be used. The following text is now added to the man page: In the program part, you can only use * (matches any string) and ? (matches any character) as wildcards. Neither of them will match the directory separator.
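The wildcard rule just quoted and the suexec fix #8490 above (a space in a program name must not be read as the boundary between program and arguments) describe the two checks a route matcher has to get right. The Python script below is an added example written for these notes, not BoKS code: it translates a program pattern so that * and ? stop at the directory separator, tokenises the requested command with shell quoting rules so the program path is one whole token, and only then compares it with the routes. The route list, the (pattern, arguments-allowed) tuple shape, the requirement that programs are given as absolute paths, and the path normalisation are this example's own assumptions.

```python
"""Match a requested command against program patterns.

Added example, not BoKS code.  Two rules: the wildcards '*' and '?' never
match '/', and the program path is compared as a single token, separately
from its arguments.  Route shape and absolute-path requirement are assumed."""
import os
import re
import shlex


def wildcard_to_regex(pattern):
    """Translate a program pattern where * and ? stop at the directory separator."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def program_matches(pattern, program):
    """True if the whole program path matches the pattern."""
    return wildcard_to_regex(pattern).match(program) is not None


def split_command(command):
    """Return (program, args) using shell quoting rules, or None if unparsable.

    A program path containing a space must be quoted by the requester: an
    unquoted "/opt/tools/my tool -v" is program "/opt/tools/my" with arguments
    ["tool", "-v"] and is judged as such, never guessed at.  The program must be
    an absolute path (assumption) and is normalised so ".." cannot escape a
    directory pattern."""
    try:
        words = shlex.split(command)
    except ValueError:
        return None
    if not words or not os.path.isabs(words[0]):
        return None
    return os.path.normpath(words[0]), words[1:]


# Constructed routes: (program pattern, whether arguments are allowed)
ROUTES = [
    ("/usr/bin/vim", False),           # exact program, no arguments
    ("/opt/tools/my tool", True),      # program path containing a space
    ("/opt/scripts/*", True),          # any program directly in /opt/scripts
]


def authorized(command, routes=ROUTES):
    """Return the pattern of the first route that permits the command, else None."""
    parsed = split_command(command)
    if parsed is None:
        return None
    program, args = parsed
    for pattern, args_allowed in routes:
        if program_matches(pattern, program) and (args_allowed or not args):
            return pattern
    return None


if __name__ == "__main__":
    for cmd in ("/usr/bin/vim", '"/opt/tools/my tool" -v', "/opt/tools/my tool -v",
                "/opt/scripts/../../bin/sh", "/opt/scripts/sub/x.sh"):
        print("%-32s -> %s" % (cmd, authorized(cmd)))
```

The unquoted "/opt/tools/my tool -v" is refused rather than matched to the quoted route, and "/opt/scripts/../../bin/sh" is refused because the normalised path no longer lies under the pattern; both are the outcomes a reviewer of a route list wants to be able to predict.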

#9381, TFS130308-014121

logadm LACKING INPUT VALIDATION

The BoKS command “logadm -h host -opt” lacks validation of the entered hostname.

#9378, TFS090727-143015

CANNOT DEBUG passwd WITH bdebug

On PAM platforms it was not possible to debug trace the PAM module functions called via the passwd command using bdebug.

#9376, TFS110406-012535

WRONG ERROR MESSAGE FOR PASSWORD CHANGE

When a user attempts to change their password and the chosen new password is too similar to the username, the wrong error may be returned, i.e. “Password does not differ enough from the previous one”.

#9365, #12285

hgrpadm -a DOES NOT CHECK THE NAME LENGTH

There is proper input validation when a new Host Group is created with “hgrpadm -A -g group” and when changing the name with “hgrpadm -M -n newname”. However, if a new Host Group is created with “hgrpadm -a -g group -m member” the name length check is not done.

#9341

boksinfo DOES NOT LIST PRIMARY KSL SERVERS

The boksinfo program did not include the list of primary KSL servers configured. It now includes this information.


#9104, TFS101028-012069

ERROR IN MAN PAGE bcastaddr

The BoKS man page bcastaddr lacked clarity in some points and erroneously stated that empty lines and comments are forbidden in the file.

#9103, #12494

LOGS HAVE WRONG SEVERITY

Three log labels related to keystroke logging server configuration had the severity “notice” when they should have had the severity “information”.

#8885, #12194

OPTION -g WRONGLY DOCUMENTED IN MAN PAGES FOR modbks/mkbks

From BoKS 7.0, the modbks and mkbks commands only accept a numeric GID for the option “-g primary-group”, but this had not been updated in the man pages for the programs.

#8746, #11997

UPGRADE DOESN’T CREATE ECDSA KEYS FOR SSH

Upgrading to BoKS Manager 6.7 using the upgrade_client program does not create the ECDSA keys needed for SSH.

#8727, #9602, TFS130311-014124

DEFAULT DOMAIN CHANGE INVALIDATES ACCESS ROUTES

Changing the default domain using the bksdef program can cause valid Access Routes to not be matched, blocking access that should be authorized.

#8447, #11494

UPDATE PASSWORD FILE FROM SERVER AGENT

It was not possible to update a password file entry for one or more users from within a BoKS Server Agent. You can now provide a user login name as argument to option -P to unconditionally update the password file entry for user.

#8419, #10932

boksinfo DOES NOT COLLECT AD BRIDGE DATA

The boksinfo utility does not collect the krb5.conf, adsync.log and adsyncerr.log files to provide information about the AD Bridge function. This has been added to boksinfo.

#8292, #9594, TFS130305-014115

ERROR IN MAN PAGE classadm

The man page for classadm wrongly implies that user class comment can only be added at creation.

#8282, #9737, TFS130618-014275

INSTALL SCRIPT FAILS WITH RETURN CODE OF 0

When the setup script encounters a problem it does not return a non-zero code to the install program, meaning install does not exit.

#8268, #11334

lsbks PERFORMANCE ISSUES IN BoKS 6.7

Running lsbks commands is slower in BoKS 6.7 than BoKS 6.5 when it comes to listing secondary UNIX groups.

#8251, #11398

LDAP SYNC CAUSES UNNECESSARY PASSWORD UPDATES

When importing user passwords as a password hash from LDAP only one of the password hash formats supported by BoKS is set.

#9480, #13208

RENAME HOST GROUP DOES NOT RENAME ALL NEEDED ELEMENTS IN DB

If a user with an SSH public key in the BoKS database is member of a Host Group that is renamed, the key to SSH public key data in the database is not renamed, causing the key data to be lost while a record exists indicating the user has a key assigned.


#9484, #13049, #13168

boks_bccasd RUNS OUT OF MEMORY PROCESSING LARGE LOG FILES

Reading very large audit log files in FCC or the WSI might cause the process boks_bccasd to run out of memory.

#13147

WRONG PERMISSIONS ON FILE /opt/boksm/bin/ssh-agent

The program $BOKS_bin/ssh-agent has different mode and group settings than the system's program ssh-agent on Red Hat Linux 6 systems.

#9305, #12853

SCP CONNECTION FAILS WITH FTL

A bug in the File Transfer Logging (FTL) code of boks_sshd may cause file transfers with scp to fail with a "Lost connection" message and exit code = 1. The bug can also result in a hanging scp connection.

#9410, #13072

SUEXEC WITHOUT SAFEPATH DOES SAME CHECKS AS WITH SAFEPATH

suexec in BoKS 7.0 does more checking without the safepath modifier set than it did in BoKS 6.7. Thus programs that were executed using suexec in BoKS 6.7 may fail to execute on BoKS 7.0 Server Agents.

#9454, #13057

REPLICA MAY SOMETIMES FAIL TO NOTIFY MASTER

A Replica marked as down may in some cases fail to notify the BoKS Master to check its status so it is not brought into sync again.

#9387, #13038

WRONG PERMISSIONS ENFORCED ON authorized_keys

When managing (adding or removing) SSH public keys for users, the file permissions on the authorized_keys file are unconditionally changed to mode 0644, making it world readable.
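A quick way to verify that key files on a Server Agent no longer carry the mode described in #9387 is to audit them against two sets of rules: the conditions sshd enforces under StrictModes (the file, the .ssh directory and the home directory must be owned by the user or root and must not be writable by group or others) and the site's own policy mode for the file. The Python checker below is an added example, not BoKS code; the policy modes 0600 for authorized_keys and 0700 for .ssh are this example's assumptions, and the demo builds a constructed temporary home directory rather than touching a real one.

```python
"""Audit ownership and mode of a user's ~/.ssh/authorized_keys.

Added example, not BoKS code.  "error" findings are what sshd's StrictModes
refuses; "warning" findings are deviations from the policy modes assumed here."""
import os
import stat
import tempfile

POLICY_FILE_MODE = 0o600   # assumed site policy for authorized_keys
POLICY_DIR_MODE = 0o700    # assumed site policy for ~/.ssh


def check_authorized_keys(home, uid):
    """Return a list of (level, message) findings; an empty list is a pass."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    policy = {ssh_dir: POLICY_DIR_MODE, keyfile: POLICY_FILE_MODE}
    for path in (home, ssh_dir, keyfile):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            # No key file means nothing to protect; a missing parent is an error.
            if path != keyfile:
                findings.append(("error", "%s: missing" % path))
            return findings
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            findings.append(("error", "%s: is a symbolic link" % path))
        if st.st_uid not in (uid, 0):   # sshd accepts the user or root as owner
            findings.append(("error", "%s: owned by uid %d, expected %d"
                             % (path, st.st_uid, uid)))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("error", "%s: writable by group or others (mode %04o)"
                             % (path, mode)))
        if path in policy and mode != policy[path]:
            detail = "world readable" if mode & stat.S_IROTH else "mode %04o" % mode
            findings.append(("warning", "%s: %s, policy is %04o"
                             % (path, detail, policy[path])))
    return findings


def demo():
    """Build a constructed home tree whose key file has the 0644 mode the
    7.0 behaviour left behind, check it, apply the policy mode, check again.
    Returns (findings_before, findings_after)."""
    home = tempfile.mkdtemp(prefix="authkeys-example-")   # mkdtemp creates 0700
    ssh_dir = os.path.join(home, ".ssh")
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, POLICY_DIR_MODE)
    with open(keyfile, "w") as fh:
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA-constructed alice@example\n")
    os.chmod(keyfile, 0o644)
    before = check_authorized_keys(home, os.getuid())
    os.chmod(keyfile, POLICY_FILE_MODE)
    after = check_authorized_keys(home, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for level, message in before:
        print(level, message)
    print("after fix:", after or "clean")
```

Run against real home directories by calling check_authorized_keys(home, uid) for each entry from the password database; the function deliberately reads only metadata, so it is safe to run as root across an NFS-mounted home tree.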

#9401, #12950

KSLOG ISSUES

It is not possible to change the default setting for keystroke log transmission from remote, which can cause large amounts of network traffic in large deployments. In addition, kslog daemons are incorrectly linked to non-threaded libraries, causing large amounts of error messages.

#9351, #12956

bokslogview AND AUDIT LOG FORWARDING ISSUES

Unusually long audit log messages might get stuck in the log relay queues on the Master and Replicas and bokslogview (and bccasd) fails to parse audit log lines with SD values ending with an escaped \, e.g. "user\\".

#9340, #12953

UPDATE BATCH SIZE AND CONTENT IMPACT ON REPLICATION

Master to Replica replication is adversely impacted by the way update batch size and contents are handled.

#9307, #12833

suexec FAILS TO EXECUTE TARGET PROGRAM

With SELinux activated, the suexec program fails to execute the target program because it tries to run it in the wrong SELinux domain.

#9324, #12881

suexec ARBITRARY COMMAND EXECUTION

SUEXEC access routes with the suexec_touserenv modifier can allow arbitrary command execution.

#9314, #12882

PWD UPDATES SLOW WHEN MANY KSLOG FILES FETCHED

Password update performance suffers when many keystroke log files are fetched.


#9256, #12816

suexec DOES NOT LOG LID WHEN kslog IS ENABLED

The BoKS suexec command does not log the kslog Log ID (LID) in suexec audit log entries when kslog is enabled. This makes it difficult to match a suexec audit log entry to a specific kslog log file.

#9300, #12816

MASTER CAN COMMUNICATE WITH HOSTS IN ANOTHER DOMAIN.

If you have a BoKS domain, then install a second BoKS Master using the same ports and import the database from the domain or know the nodekeys for the hosts in the domain, then add the hosts to the second Master, that Master can communicate with the machines in the domain.

#9288, #12828

bokslogadm NOT ROTATING THE LOG FILE

The BoKS log server blogsd fails to move the audit log file to the backup directory if this directory is on a different mounted file system. It also fails to read the configured log and backup log directories correctly in some circumstances.

#8534, #11684

UPDATE FAILURE ON RED HAT WITH SELINUX

BoKS fails to update the passwd and shadow files if some SELinux components are not installed on the system.

#9277, #12650

BCCAS / WSI COMMUNICATION STOPS FUNCTIONING

The BoKS admin server boks_bccasd intermittently fails to read requests from the Web Services Interface (WSI). There is also an issue with requests containing "..." in the data, causing boks_bccasd to stop reading prematurely.

#9227, #12375, #12715

ISSUES IN groupadm PROGRAM

• When you list Unix/Posix groups registered in BoKS with “groupadm -l -n name” or “groupadm -l -i gid” and multiple matching entries are found, the list of groups reported is empty.

• Running “groupadm -s” in combination with “-i gid” does not function correctly.

• The exit code from “groupadm -l” and “groupadm -s” does not reflect the success status correctly.

#9199, #12464

adsync DOMAIN CONTROLLER SELECTION SUB-OPTIMAL

The selection of Domain Controller by the adsync program can sometimes be sub-optimal, resulting in performance degradation if data is retrieved from a remote site.

#9202, #12675

KSLOG PRODUCING TOO MUCH OUTPUT DATA

Keystroke logging on levels 1 and 2 could produce more logs of output than was intended (level 1 should produce no log of output).

#9185, #12614

INCORRECT HANDLING OF PROFILE FILES

If a user's home directory is located on an nfs-mounted area exported with root squash, boks_clntd will remove any customized lines in profile files if mkhome is executed for the user.


#9170, #12486

CORE DUMP IN pam_boks.so.1 AT XDM LOGIN

Multiple problems have been found in the BoKS PAM module for X-login sessions:

• On some platforms an X-login session can result in a core dump if the PAM variable PAM_TTY is not set.

• The BoKS PAM module can fail in extracting the X-display number for remote X-login sessions when the remote peer address is an IPv6 address. This will result in an erroneous X-display number being used in audit logs and bwho command output. It can also affect operation of the BoKS X-lock screen lock.

#9181, #12622

authadm list COMMAND PERFORMANCE IMPACT

The 'authadm list' command, which is executed by adsync every time it runs, reads the entire authenticator table via the boks_master process, negatively impacting performance.

#9174, #12469

SSH DOES NOT SUPPORT OK-AS-DELEGATE FLAG

The ssh client program does not honor the ok-as-delegate flag set in Kerberos service tickets by Active Directory. This means the program may delegate a TGT (ticket granting ticket) to the remote side even if the ok-as-delegate flag is not set.

#9159, #12544

boks_drainmast USES WRITE LOCK OF DATABASE

The boks_drainmast process uses a write lock on the database even though it only reads, and in some cases generates more psw updates to the clntd send bridge than needed.

#9156, #12556

UPN CASE SENSITIVE IN BoKS

The UPN is handled as case sensitive in BoKS but case insensitive in Active Directory, which can lead to discrepancies and authentication failures.

#9145, #11803

groupadm LISTING ON REPLICAS

The groupadm command does not allow listings to be done on Replicas.

#9155, #12526

DELAY REGISTERING REPLICA

Queued batched messages on a Replica could make it take a long time to register on the Master.

#9150, #12495

SLOW REPLICA PERFORMANCE

servc authentication performance decreases after some time due to caching and lookup issues.

#9137, #12545

BoKS MASTER PROCESS SLOW READING TAB_LOGIN

The boks_master process spends a lot of time reading TAB_LOGIN to find entries to remove, impacting the performance of the process.

#9073, #12363

“SYN FLOOD” MESSAGES ON servc RECEIVE PORT

On a very heavily-loaded Replica with lots of Server Agents connecting, messages about SYN flooding on the servc receive port can appear.

#8262, #8306, #11390

BoKS MAY OCCASIONALLY KILL UNRELATED PROCESSES

In rare cases BoKS could kill unrelated (non-BoKS) processes.

#9087, #12428, #12396, #12424

RAW LOG FORMAT SET WHEN UPGRADING, FCC CANNOT SHOW LOGS

BoKS uses 'raw' log format after upgrade from pre-7.0 database and FoxT Control Center fails to display raw logs.


#9083, #12069

SUPPORT FOR SHA512 PSW HASH ON AIX

The SHA512 password hash is not supported on IBM AIX. This password hash is now supported as long as the appropriate patch from IBM is installed.

#9063, #12411

hostadm -n SEGMENTATION VIOLATION

The host rename operation (hostadm -n new-name) intermittently causes a segmentation violation and dumps core.

#9073, #12363

boks_udsqd SIMULTANEOUS CONNECTION LIMIT

The number of simultaneous connections that boks_udsqd can handle is limited to 1024. This can be a problem on the BoKS Master and Replicas in very large BoKS domains.

#9331, #12259

SUEXEC FAILS IF TOUSER PROCESSES EXCEED FROMUSER LIMIT

If the touser currently has more processes running than the limit for the fromuser, suexec can fail because of this.

#9071, #12288

boks_bru MAY FAIL TO RESTORE LARGE DATABASES

When restbase is run from boks_bru to restore a database it may fail to restore a large database because it runs out of shared memory.

#8888, #12091

SECURID ON RHEL 7.2 WITH SELINUX ENABLED

Authentication with SecurID tokens does not work correctly on RHEL 7.2 with SELinux enabled.

#8887, #12183

BoKS SYSLOG INTEGRATION & UDP SUPPORT

Messages sent to a syslog server without TLS support are sent in RFC5425 format but need to be in RFC5424 format, and UDP support is lacking for relaying log messages to a syslog server.
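This entry, the two Audit logging rows in the minor changes table (RFC5424 messages over plain TCP, RFC5425 only when forced), and #9351 (bokslogview and bccasd failing on an SD value ending in an escaped backslash such as "user\\") all concern the same receive-side logic. The Python module below is an added example, not BoKS code, showing what a syslog receiver has to handle: RFC 5425 prefixes each message with its octet count and a space, while a plain-TCP RFC 5424 relay typically terminates each message with a newline, so a receiver fixed to one framing sees a stray number in front of every line or lines that never end. The structured-data parser processes the backslash escapes defined by RFC 5424 (for the quote, backslash and closing bracket) before looking for the closing quote, which is exactly what keeps a value ending in an escaped backslash from being misread. The sample messages are constructed and the SD-ID "boks@12345" is invented; neither is real BoKS audit output.

```python
"""Receive-side handling of relayed syslog: RFC 5424 parsing with the
RFC 5425 octet-count framing tolerated.  Added example, not BoKS code;
sample messages are constructed and the SD-ID "boks@12345" is invented."""
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, space separated
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)

# Constructed samples: the first SD value ends in an escaped backslash, the
# second contains escaped quotes; both are legal per RFC 5424 section 6.3.3.
SAMPLE_MESSAGES = [
    '<86>1 2018-12-11T10:00:00.000Z master1 boks_servc 4242 LOGIN '
    '[boks@12345 user="alice" target="user\\\\"] login ok',
    '<85>1 2018-12-11T10:00:01.000Z master1 boks_servc 4242 LOGIN '
    '[boks@12345 user="bob" reason="bad \\"quote\\""] login failed',
]


def octet_counted(messages):
    """Frame as RFC 5425 does: MSG-LEN SP SYSLOG-MSG, no terminator."""
    return b"".join(b"%d %s" % (len(m.encode()), m.encode()) for m in messages)


def newline_framed(messages):
    """Frame as a plain-TCP RFC 5424 relay commonly does: one message per line."""
    return b"".join(m.encode() + b"\n" for m in messages)


def unframe(stream):
    """Split a byte stream into messages, detecting the framing per message."""
    messages, pos = [], 0
    while pos < len(stream):
        m = re.match(rb"(\d+) <", stream[pos:])
        if m:                                   # octet-counted message
            start = pos + m.end() - 1           # index of the leading '<'
            length = int(m.group(1))
            messages.append(stream[start:start + length].decode("utf-8", "replace"))
            pos = start + length
        else:                                   # newline-terminated message
            end = stream.find(b"\n", pos)
            if end < 0:
                end = len(stream)
            if end > pos:
                messages.append(stream[pos:end].decode("utf-8", "replace"))
            pos = end + 1
    return messages


def parse_structured_data(text):
    """Parse STRUCTURED-DATA at the start of text; return ({sd_id: {name: value}}, rest).

    Inside a PARAM-VALUE the characters '"', '\\' and ']' are backslash-escaped,
    so a value may end in an escaped backslash right before its closing quote."""
    if text.startswith("-"):
        return {}, text[1:]
    elements, i, n = {}, 0, len(text)
    while i < n and text[i] == "[":
        j = i + 1
        while j < n and text[j] not in " ]":
            j += 1
        sd_id, params, i = text[i + 1:j], {}, j
        while i < n and text[i] == " ":
            eq = text.index("=", i)
            name = text[i + 1:eq]
            if text[eq + 1:eq + 2] != '"':
                raise ValueError("unquoted PARAM-VALUE for %s" % name)
            i, value = eq + 2, []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n:   # escaped ", \ or ]
                    value.append(text[i + 1])
                    i += 2
                else:
                    value.append(text[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated PARAM-VALUE for %s" % name)
            i += 1                              # skip the closing quote
            params[name] = "".join(value)
        if i >= n or text[i] != "]":
            raise ValueError("unterminated SD-ELEMENT %s" % sd_id)
        i += 1
        elements[sd_id] = params
    return elements, text[i:]


def parse_message(msg):
    """Return header fields, facility/severity, structured data and free-text MSG."""
    m = HEADER_RE.match(msg)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % msg[:40])
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    rec["sd"], rest = parse_structured_data(msg[m.end():])
    rec["msg"] = rest[1:] if rest.startswith(" ") else rest
    return rec


if __name__ == "__main__":
    for text in unframe(octet_counted(SAMPLE_MESSAGES)):
        rec = parse_message(text)
        print(rec["severity"], rec["appname"], rec["sd"], rec["msg"])
```

Feeding the same two messages through octet_counted() and newline_framed() and recovering them unchanged with unframe() is the quickest way to confirm which framing a relay is actually emitting before pointing it at a production collector.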

#9068, #11985

MULTIPLE CORRECTIONS IN boks_upgrade

Multiple fixes in the boks_upgrade program:

• 8784 - boks_upgrade is unable to upgrade 6.5.4 to 6.7 on Solaris 11

• 8798 - Semantic bug in boks_upgrade_upgrade if repeated

• 8803 - boks_upgrade setup may uncompress sshcore.tar.Z

#8612, #11849

SSH FTL DOES NOT LOG FILE ACCESS AND MODIFICATION CORRECTLY

Uploading a file with the WinSCP client triggers a bug in boks_sshd and the sftp-server, making the WinSCP client hang or produce an "Invalid response message type error".

#9074, #12058

INCREASE clntd SEND BRIDGE PERFORMANCE

The clntd send bridge has an array of sockets for keeping track of connections to clients. Currently the size is only 40. Increasing the size should increase overall performance of the bridge.

#8642 BCCAS SYNTAX ENHANCEMENTS

The bccas expression syntax has been enhanced to allow more flexibility in filtering in ABAC queries, e.g. match: "\"HR*\" in? $userClasses".

#8765, #11938

MULTIPLE SSH SHARED SESSIONS FAIL

When using a shared SSH master session with multiple slave sessions, one or more slave sessions may fail when calling servc for authorization or logging.


#8726, #11974

BATCH PROCESSING STALLS ON MASTER

Batch processing of files can stall if there is any problem with one file and files may be deleted.

#8423, #11501

adjoin CAN’T CONTACT LDAP SERVER

adjoin failed on hosts with the error “adjoin: Can’t contact LDAP server” if cldap failed for any one server.

#8572, #11717

listUnixGroups WITH LARGE NUMBER OF UNIX GROUPS

When the chosen candidate host in a Host Group has more than 1023 Unix groups, the admin server function listUnixGroups stops responding.

#8571, #11780

SERVC AUTH WITH INTERNAL LOGGING CORRUPT LOG ENTRY

Authentication with internal server logging (LOG=<prog>), mainly used by BoKS Application Agents, fails because of a log formatting error.

#8565, #11718

BoKS AD BRIDGE SSO FAILURE

The BoKS AD bridge did not allow passwordless logins from a Windows host using PuTTY.

#8541, #11660

SUEXEC ALLOWS PASSWORD CHANGE OF TARGET ACCOUNT

The SUEXEC program allowed users to change the password of the target account non-interactively.

#8284, #11349

PERIOD IN USER CLASS NAME

It was not possible to add a period or dot in a User Class name, where it was flagged as an illegal character.

#11494

SYNCHING OUT-OF-SYNC USER ACCOUNTS

There was no way to request an update of the local password file from within a Server Agent when the queue of password file updates on the Master is large.

#8253, #15544

KSLOG FILE STUCK IN QUEUE

The KSLOG file could get stuck in a queue waiting for kslfd processing.

#9075, #11709

AD BRIDGE ENHANCEMENTS

Enhancements to the AD Bridge functionality including one-to-many user mappings and performance enhancements.

#8250, TFS11292

UID CHANGE IN AD DOES NOT AFFECT USERNAME IN BoKS

When using AD bridge, a change in the UID attribute in AD did not result in a change of the username in BoKS, i.e. changes to the UID attribute were ignored for existing users. Now, with ALLOWUIDCHANGE=Y in the adsync.cfg file, changes to the UID attribute change the name of the user in BoKS, and with ALLOWUIDCHANGE=N in the adsync.cfg file, changes to the UID attribute do not change the name of the user in BoKS.

#8341, TFS141028-015188

routeadm CAN ASSIGN ACCESS ROUTE TO NON-EXISTING USER CLASS

The routeadm command accepted assignment of an Access Route to a User Class that didn’t exist.

#8342, TFS10525, TFS141111-015215

REFERENCES TO APPLPATH STILL IN PRODUCT

BoKS Manager included references to the parameter APPLPATH in some places in the product.


#8349, TFS10557

LOGGING AND AUTH OF SSH CONNECTIONS WHEN SUBSYSTEMS IN USE

If a sub-system other than sftp was used, the audit log entry was created using a null pointer instead of a pointer to an SSH authentication type string such as sftp. This could also result in a core dump on some platforms. Also, when using a sub-system other than sftp, boks_sshd used SSH_SH as the authentication method instead of the more natural SSH_EXEC.

#8350 POSSIBLE TO ADD HOST AND HOST GROUP WITH IDENTICAL NAMES

It was possible to add a host and a Host Group in BoKS with identical names, leading to confusion when, for example, provisioning Unix groups.

#8367, TFS10868

SUEXEC WITH SECURID AUTHENTICATION STOPPED RESPONDING

The BoKS securid program did not set the close-on-exec flag on its pipe file descriptors, causing suexec access with SecurID authentication to stop responding.
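The mechanism behind #8367, shown as an added Python example that is not BoKS code and not part of these release notes: a pipe whose write end is inherited across exec by a long-lived child keeps the reader from ever seeing EOF, so a program waiting for the helper's output blocks. Python has created descriptors non-inheritable (FD_CLOEXEC set) by default since 3.4, so the leak is reproduced deliberately with os.set_inheritable. The child command (a second interpreter sleeping briefly) and the 0.3 s wait are assumptions for the demonstration only.

```python
import os
import select
import subprocess
import sys

# Constructed stand-in for a long-lived program exec'd by an authentication helper:
# it never touches the pipe, but if it inherits the write end it keeps the pipe open.
CHILD_CMD = [sys.executable, "-c", "import time; time.sleep(0.8)"]


def reader_sees_eof(inherit_write_end: bool, timeout_s: float = 0.3) -> bool:
    """Create a pipe, exec a child, close our write end, and check for a prompt EOF.

    inherit_write_end=True reproduces the #8367 bug (no close-on-exec flag): the
    exec'd child silently holds the write end, so the reader never reaches EOF and
    a real program would hang. False is the fixed behaviour.
    """
    r, w = os.pipe()  # both ends carry FD_CLOEXEC on Python >= 3.4
    os.set_inheritable(w, inherit_write_end)
    # close_fds=False mirrors a naive fork()/exec() that leaves descriptors alone;
    # only the kernel's close-on-exec flag now decides what the child receives.
    child = subprocess.Popen(CHILD_CMD, close_fds=False)
    os.close(w)  # parent is done writing; EOF is visible only if nobody else holds w
    readable, _, _ = select.select([r], [], [], timeout_s)
    got_eof = bool(readable) and os.read(r, 1) == b""
    os.close(r)
    child.wait()
    return got_eof


def fd_is_cloexec(fd: int) -> bool:
    """True when fd has FD_CLOEXEC set, i.e. it will not leak across exec()."""
    return not os.get_inheritable(fd)


def new_pipe_is_cloexec() -> bool:
    """Confirm that a freshly created pipe already has the flag on both ends."""
    r, w = os.pipe()
    try:
        return fd_is_cloexec(r) and fd_is_cloexec(w)
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print("buggy (write end leaked into child):", reader_sees_eof(True))   # False
    print("fixed (close-on-exec set):          ", reader_sees_eof(False))  # True
```

In C the equivalent fix is pipe2(fds, O_CLOEXEC) or fcntl(fd, F_SETFD, FD_CLOEXEC) on each end immediately after pipe(); the flag must be set before any fork()/exec() pair so that no window exists in which another thread can exec and inherit it.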

#8429, #8271

SELINUX ENFORCING WITH OFFLINE SUPPORT PREVENTS CONSOLE LOGIN

On Red Hat Linux 6 and 7, when SELinux is in enforcing mode and the host is configured for BoKS offline login support, console login does not work for either root or non-root users.

#8277, #8192, #15544

REMOTE KEYSTROKE LOG LIMITATION

The implementation of the remote keystroke logging service in BoKS 7.0 has a limit of approximately 500 simultaneous sessions per Replica server. In BoKS 7.1, this limit can be raised by setting BOKS_INIT_NFD to a higher value in $BOKS_etc/ENV.

#8420, #11038

ERROR MESSAGE FOR pgrpadmin -d NOT DESCRIPTIVE

The error message displayed when attempting to delete a program group that was a member of another group or in use in an access rule did not report what group or access rule was affected.

#8205, #8285

ENV var PORT_RANGE CAUSES FATAL ERROR

The ENV variable PORT_RANGE, when set, causes the boks_bridge process to exit and write the following error to the BoKS error log:

FATAL ERROR: ENV:PORT_RANGE Incorrect, Success (0)

#8091, #8422

adgroup, adjoin CANNOT FIND DOMAIN CONTROLLER

On AIX 7.1, and Solaris 10 and 11, adgroup and adjoin fail to automatically locate the domain controller.

#7724, #8345

CONNECTION TO syslog SHUTS DOWN WITH ERROR

If BoKS is set up to log over TLS to an external rsyslogd, an error similar to the following appears in syslog every time BoKS is stopped:

netstream session <ID> will be closed due to error


Known Issues

Issues identified in this release, with workarounds where appropriate.

NOTE: The addition of support for non-crypt Unix password hashes makes it possible to use passwords longer than 8 characters (traditional crypt(3) DES hashes use only the first 8 characters of a password). However, be aware that different services may impose limits on password length that are outside the control of BoKS Manager. For more details, see the Administration Guide.

Table 4: Known Issues in BoKS Manager 7.1

Issue # Title Description

#14443 RED HAT 7.5 KERBEROS CONFIGURATION ISSUE

On Red Hat 7.5, a change has been made so that application configuration snippets in /etc/krb5.conf.d/ are automatically read in existing configurations. Previously, Kerberos did not automatically add support for the /etc/krb5.conf.d/ directory to existing configurations; this update modifies existing configurations to include the appropriate includedir line pointing to /etc/krb5.conf.d/.

Including this line in /etc/krb5.conf causes issues for any application using krb5 libraries older than 1.15.x, which includes BoKS 7.1, and can cause AD authentication to stop functioning.
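A check for the #14443 condition, as an added Python example that is not part of these release notes or of BoKS: it scans a krb5.conf text for includedir directives and flags them when the application's krb5 library is older than 1.15. The sample configuration is constructed, and the version is passed in as a string in the "Kerberos 5 release X.Y.Z" form printed by krb5-config --version; how to determine the krb5 version that BoKS itself is linked against is not covered here and is the caller's input.

```python
import re

# Constructed sample of a /etc/krb5.conf after the RHEL 7.5 krb5 update.
KRB5_CONF_RHEL75 = """\
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = false
 default_realm = EXAMPLE.COM
"""

# A directive only counts at the start of a line; commented-out copies are ignored.
INCLUDEDIR_RE = re.compile(r"^\s*includedir\s+(\S+)", re.MULTILINE)
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
MIN_SAFE = (1, 15)  # per #14443: libraries older than 1.15.x choke on includedir


def includedirs(conf_text):
    """Paths named by includedir directives, in file order."""
    return INCLUDEDIR_RE.findall(conf_text)


def parse_krb5_version(text):
    """Turn 'Kerberos 5 release 1.15.1' (or a bare '1.14') into a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def includedir_breaks_app(conf_text, app_krb5_version):
    """True when the config carries includedir and the app's libkrb5 is pre-1.15."""
    dirs = includedirs(conf_text)
    return bool(dirs) and parse_krb5_version(app_krb5_version)[:2] < MIN_SAFE


if __name__ == "__main__":
    print(includedirs(KRB5_CONF_RHEL75))
    print(includedir_breaks_app(KRB5_CONF_RHEL75, "Kerberos 5 release 1.14.1"))
```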

#9642 AUTO-ESCAPED CHARACTERS IN NEW CERTIFICATES CAUSE FCC TO STOP RESPONDING

When creating a new certificate, using any character that is automatically escaped causes FoxT Control Center to stop responding. When the page is reloaded, the certificate is displayed correctly, but with added characters. The following characters have been found to be auto-escaped: backslash (\), less-than (<), greater-than (>), double quote ("), semicolon (;), hash (#), equals (=), a leading space and a trailing space (a plain space character in both cases, not other whitespace).

#9638 SU WITH use_frompsw MAY FORCE TO-USER PASSWORD CHANGE

When a user performs SU using an Access Rule with use_frompsw set, the user is forced to change the to-user password if the to-user has the “force password change” flag set.


#8381 BoKS DOES NOT LOG FILE TRANSFERS WHEN USING WinSCP

When running a WinSCP file transfer no file transfer is logged even if the BoKS ENV variable BOKS_SSH_FTL is enabled. This is because the boks_ftl_init function receives NULL from the WinSCP client.

#8039, #8391

BoKS kinit FAILS ON SOLARIS WITH ksh

If run on a Solaris machine in the ksh shell, the BoKS kinit command stops responding after prompting for the password.
WORKAROUND: Either use the system’s native kinit command, or use a shell other than ksh.

#8136, #8407

HOST VIRTUAL CARD ISSUES WITH LOG FORWARDING DAEMON

If fccsetup has been run on a Master to create a host Virtual Card (VC) for that host, and the host does not have an FQDN in the BoKS database, the certificate in the VC will most likely have been created with the FQDN in the DN component of the certificate, so the name in the certificate does not match the host name in the BoKS database. If this Master is later converted to a Replica, the log forwarding daemon (boks_blogrd) fails to connect to the Master. The solution is either to rename the host so that it has its FQDN in the BoKS database, or to issue a new host VC to the host.

#5586, #8410, TFS120514-013475

HOSTNAME MAPPING TO EXTERNAL NETWORK ADDRESS MUST EXIST PRIOR TO BOKS INSTALLATION

Red Hat Linux by default maps the hostname to the loopback address 127.0.0.1 in the /etc/hosts file at installation, even if an external network address is configured for the machine. Similarly, SuSE Linux can append 127.0.0.2 to /etc/hosts for the hostname, Debian uses 127.0.1.1, and Ubuntu adds “127.0.0.1 hostname” to /etc/hosts.

For BoKS to be installed correctly, the /etc/hosts file must map the external network address to the hostname registered on the BoKS Master, and the loopback addresses 127.0.0.1, 127.0.0.2 and 127.0.1.1 must NOT be mapped to the hostname registered in BoKS. Before installing BoKS, check the /etc/hosts file and correct it if necessary to meet this requirement.
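The pre-installation check described above, as an added Python example that is not part of these release notes or of BoKS. It parses the text of an /etc/hosts file, reports any loopback address (all of 127.0.0.0/8 and ::1, which covers the 127.0.0.1, 127.0.0.2 and 127.0.1.1 variants named above) that carries the BoKS-registered hostname, and reports the absence of an entry mapping the external address to that name. The two sample files, the hostname srv01.example.com and the address 192.0.2.10 are constructed for the example.

```python
import ipaddress

# Constructed sample: the kind of /etc/hosts a default Red Hat installation leaves
# behind, with the host's own name hanging off the loopback line.
HOSTS_DEFAULT_REDHAT = """\
127.0.0.1   localhost localhost.localdomain srv01.example.com srv01
::1         localhost6 localhost6.localdomain6
"""

# Constructed sample meeting the BoKS requirement: the external address carries the
# hostname registered on the Master, and no loopback line mentions that name.
HOSTS_CORRECTED = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost6 localhost6.localdomain6
192.0.2.10  srv01.example.com srv01
"""


def parse_hosts(text):
    """Yield (ip_address, [names]) per entry, skipping blank lines, comments and junk."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            yield ipaddress.ip_address(fields[0]), fields[1:]
        except ValueError:  # not an address; leave it to the OS to complain
            continue


def check_hosts_for_boks(text, boks_hostname, external_ip):
    """Return a list of problems; an empty list means the file satisfies the requirement.

    boks_hostname is the name registered on the BoKS Master; external_ip is the
    address the Master reaches this host on. The name appearing on other
    non-loopback addresses (extra interfaces) is not treated as a problem.
    """
    wanted = ipaddress.ip_address(external_ip)
    problems, mapped = [], False
    for addr, names in parse_hosts(text):
        if boks_hostname not in names:
            continue
        if addr.is_loopback:  # 127.0.0.0/8 (127.0.0.1, 127.0.0.2, 127.0.1.1) and ::1
            problems.append(f"{boks_hostname} is mapped to loopback address {addr}")
        elif addr == wanted:
            mapped = True
    if not mapped:
        problems.append(f"no entry maps {wanted} to {boks_hostname}")
    return problems


if __name__ == "__main__":
    for label, sample in (("default", HOSTS_DEFAULT_REDHAT), ("corrected", HOSTS_CORRECTED)):
        print(label, check_hosts_for_boks(sample, "srv01.example.com", "192.0.2.10"))
```

To run it against the real file, read /etc/hosts into text and pass the hostname exactly as it is registered on the Master (short or fully qualified); a mismatch in that spelling is itself a finding.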

#8102, #8402

SOME DEBIAN telnetd VERSIONS CAUSE ISSUES WITH BoKS

On Debian, some versions of telnetd cause authentication issues with BoKS, therefore to avoid issues ensure that you have openbsd-inetd and telnetd installed.

#7828 REXEC NOT SUPPORTED FOR IPv6 ON LINUX

Using rexec to log in to a BoKS-protected server with an IPv6 address is not supported on Linux-based platforms. It is supported on Oracle Solaris and IBM AIX.

#7729 AIX: NATIVE SSH DOES NOT FUNCTION WHEN BoKS PROTECTION ACTIVE

On IBM AIX, when BoKS protection is active on an AIX host, the native system SSH implementation does not function correctly and should not be used.


#7720 DEBIAN & UBUNTU VERSIONS ASSUME DEFAULT inetd IS USED

Although on Debian and Ubuntu you can select which inetd daemon to use, for example you can use xinetd instead of the standard default openbsd-inetd, the BoKS Manager 7.1 version built for these platforms only works with the system default openbsd-inetd. If you have configured the system to use any other daemon, BoKS does not function correctly.

#7719 PROMPTING AND TEXT DISPLAY ISSUES WITH X LOGIN ON UBUNTU

When logging in using X (Unity) on Ubuntu, a user is normally always selected and a prompt is displayed requesting e.g. a password. If the authentication method for that user changes, this is not reflected in the prompt.
WORKAROUND: Select another user, then the first user again.
In addition, text messages from BoKS are truncated and shown for a very short time.
WORKAROUND: There is no workaround for this issue. It is caused by a limitation in the Ubuntu X-login client.

#7717 STANDARD SYSTEM SCREENLOCK DOES NOT PROMPT FOR SECURITY PIN

On Debian and Ubuntu, the standard screensaver (gnome-screensaver) runs as the logged-in user and so cannot determine how the user authenticated when logging in; it therefore asks for a password to unlock the screen even if, for example, an RSA SecurID token was used to log in.
WORKAROUND: Configure the system to use the BoKS screenlock program xdl, located in the directory $BOKS_bin/X11.

#6265, TFS130204-014042

INCORRECT MESSAGE FROM FILMON

If a file being monitored by BoKS file monitoring is removed during a scan, but recreated when filmon processes the old database to discover e.g. files that have been removed, filmon incorrectly reports that the actual monitoring configuration has changed and the file in question is no longer being monitored.

#6123, #8348, TFS120809-013704

LIMITATIONS IN modbks -G FUNCTIONALITY

The command modbks -G, used to change the Host Group part of a user account, has some limitations including lack of support for wildcard members added to Host Groups and lack of support to handle users with the same login name in different Host Groups.

#6127, TFS110706-012754

BoKS FILE MONITORING ISSUES

This report includes two issues where BoKS file monitoring does not function as expected:

1. If a "top level" directory or file specified in the file monitoring configuration file is missing on the host, filmon fails with an error rather than logging the discrepancy and continuing with the scan.

2. If a "sub level" file or directory is missing, filmon returns the same error message but continues scanning without, however, logging the discrepancy.


#6115, #8331, TFS090821-141531, TFS100725-2510213

BROKEN DNS ENTRY CAUSES ACCESS ROUTES NOT TO FUNCTION

If a host has a broken DNS entry (its IP address can be mapped to a name, but that name cannot be mapped back to the IP address), Access Routes to the host that contain an IP address definition do not function correctly, even when the variable HOSTUNKNOWNADDRESSOK is set to "on", which might be expected to make the Access Route treat the host as an unknown host.
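A diagnostic for the #6115 condition, as an added Python example that is not part of these release notes and does not reproduce BoKS's own Access Route evaluation: it performs the reverse lookup for an address, then the forward lookup for the name it got back, and classifies the address as consistent, unknown (no PTR at all, the case HOSTUNKNOWNADDRESSOK is meant to cover) or broken (a PTR name that does not resolve back). The lookups are injectable so the check runs offline against constructed zone data; the default implementations use the standard socket module.

```python
import socket


def ptr_lookup(ip):
    """Reverse (PTR) lookup; None when the address has no name at all."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror
        return None


def addr_lookup(name):
    """All A/AAAA addresses for a name; empty set when it does not resolve."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def classify_peer(ip, reverse=ptr_lookup, forward=addr_lookup):
    """Classify an address the way a name-based access check needs to see it.

    Returns (verdict, name) where verdict is one of:
      'consistent' - PTR name resolves back to ip (the normal case)
      'unknown'    - no PTR record (what HOSTUNKNOWNADDRESSOK=on tolerates)
      'broken'     - PTR name exists but does not resolve back to ip (#6115)
    """
    name = reverse(ip)
    if name is None:
        return "unknown", None
    if ip in forward(name):
        return "consistent", name
    return "broken", name


# Constructed zone data standing in for DNS so the check can run without a network.
FAKE_PTR = {"192.0.2.10": "srv01.example.com", "192.0.2.20": "stale.example.com"}
FAKE_ADDR = {"srv01.example.com": {"192.0.2.10"}}  # stale.example.com has no A record


def classify_offline(ip):
    return classify_peer(ip, reverse=FAKE_PTR.get, forward=lambda n: FAKE_ADDR.get(n, set()))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, classify_offline(ip))
```

A "broken" verdict for a client address is the situation to fix in DNS (or in the Access Route definition) before expecting HOSTUNKNOWNADDRESSOK to help, since the page states that setting does not cover this case.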

#6114, TFS120510-013451

FULL DISK CAN CAUSE CORRUPTED ENV FILE

In the event of a disk becoming full on a running system, certain operations can cause the BoKS ENV file to become corrupted, for example bdebug and BoKS activation / deactivation operations.

#5750, TFS120723-013671

adjoin DOES NOT DETECT IF HOST ALREADY JOINED TO KERBEROS SERVER

It is possible to join a host to an additional Active Directory even when it is already joined to another Kerberos server. This should be avoided as it could lead to unforeseen authentication behavior and is not a supported configuration.

#061017-112910

PAM-BASED X-LOGIN ACCESS CONTROL MAY FAIL ON FIRST LOGIN ATTEMPT AFTER BoKS ACTIVATION/DEACTIVATION

PAM-based X-login using dtlogin/gdm/kdm/xdm is locked to a PAM configuration while it displays the login dialog and waits for a login attempt. When BoKS is activated or deactivated, the changed PAM configuration does not take effect until AFTER the first login attempt following the activation/deactivation. On that first login attempt the login may fail with an error message, or the user may be allowed to log in even if access should NOT be allowed according to BoKS access control rules.
WORKAROUND: To avoid this issue, FoxT recommends always restarting the X Window System after you activate or deactivate BoKS protection.

#5120 'CANNOT READ KEYTAB FILE' ERROR WITH SSH KERBEROS AUTHENTICATION

ssh login with Kerberos authentication fails and the boks_errlog file contains the message "cannot read keytab file".
WORKAROUND: This error can be avoided by ensuring that the server uses the Fully-Qualified Domain Name as its hostname. If the server uses a shorter form of the hostname, the OpenSSH daemon does not find the local key in the keytab file, since the key is named after the FQDN.

#061023-132719, #9456

BoKS DOES NOT START PROPERLY IF INSTALLED WITH A VERY LONG PATH

The BoKS base install paths (that have the default settings /opt/boksm, /etc/opt/boksm and /var/opt/boksm) should not be set to a path that is longer than 128 characters.


TFS041014-155307

FILES MUST BE TRANSFERRED MANUALLY AFTER UPGRADING REPLICA

After you upgrade a Replica, or reinstall BoKS Manager on a Replica for any other reason, you must manually transfer a number of files to the Replica by running the following command on the Master:

BoKS# push_files <replica_name>

This ensures that the Replica has all the required files in the event that it must be converted to a Master. For details, see the BoKS man page push_files.

TFS070921-083246

boks_upgrade HOTFIX INSTALL CANNOT DISTINGUISH PATCH LEVEL ON TARGET HOSTS

When installing hotfixes remotely with boks_upgrade it is not possible to limit the installation to only hosts running a specific BoKS patch level. For example, if a hotfix intended for BoKS version 6.7.0 is installed using boks_upgrade and the target is a Host Group containing both 6.7.0 and 6.7.1 hosts, the boks_upgrade program will try to install the hotfix on all the hosts in the Host Group.

CANNOT CHANGE PASSWORD HASH ALGORITHM CONFIGURATION WHEN BoKS IS ACTIVE

On Red Hat Enterprise Linux 6, the password hash algorithm configuration can be changed via the utility /usr/bin/system-config-authentication. Changing the password hash algorithm configuration updates the parameter "crypt_style" in the file /etc/libuser.conf (see libuser.conf(5)) and the password hash option of the pam_unix.so module in /etc/pam.d/system-auth-ac (see pam_unix(8)).

When BoKS protection is active, /etc/pam.d/system-auth-ac is a symbolic link to /etc/pam.d..org/system-auth-ac, and this apparently prevents /usr/bin/system-config-authentication from updating the password hash option of the pam_unix.so module.

Although the pam_unix module is not used for authentication when BoKS protection is active, it is important that the password hash option is correctly configured, because this configuration is also used by BoKS to select the hash algorithm when provisioning user accounts to the machine.

WORKAROUNDS:
ALT 1. Deactivate BoKS protection before changing the password hash algorithm with /usr/bin/system-config-authentication.
ALT 2. Edit the password hash algorithm configuration manually using a text editor in the files /etc/libuser.conf and /etc/pam.d/system-auth-ac.
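When taking workaround ALT 2, the two settings named above must be changed together, or BoKS may provision accounts with a weaker hash than the administrator believes is configured. The following added Python example, which is not part of these release notes or of BoKS, reads the crypt_style value from a libuser.conf text and the hash option from the pam_unix.so password line of a system-auth-ac text and reports whether they agree. Both sample files are constructed; the check assumes the simple control-flag syntax (required/sufficient/...) used by Red Hat's system-auth-ac and does not parse bracketed control fields.

```python
import configparser

# Hash options pam_unix.so accepts on the 'password' line; absence means legacy DES crypt.
PAM_UNIX_HASHES = {"md5", "bigcrypt", "sha256", "sha512", "blowfish"}

# Constructed samples (not copied from a real host): libuser says sha512, but the
# pam_unix password line was left on md5, so provisioned accounts would get md5 hashes.
LIBUSER_CONF = """\
[defaults]
crypt_style = sha512
"""

SYSTEM_AUTH_AC_MISMATCH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

SYSTEM_AUTH_AC_FIXED = SYSTEM_AUTH_AC_MISMATCH.replace("pam_unix.so md5", "pam_unix.so sha512")


def libuser_crypt_style(text):
    """crypt_style from the [defaults] section of libuser.conf ('des' if unset)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp.get("defaults", "crypt_style", fallback="des").lower()


def pam_unix_password_hash(text):
    """Hash option on the first 'password ... pam_unix.so' line; 'des' if none is given.

    Returns None when there is no pam_unix password line at all.
    """
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "password" or not fields[2].endswith("pam_unix.so"):
            continue
        for opt in fields[3:]:
            if opt in PAM_UNIX_HASHES:
                return opt
        return "des"
    return None


def hash_config_consistent(libuser_text, pam_text):
    """(consistent?, libuser value, pam_unix value) for the two settings the issue names."""
    lu = libuser_crypt_style(libuser_text)
    pam = pam_unix_password_hash(pam_text)
    return lu == pam, lu, pam


if __name__ == "__main__":
    print(hash_config_consistent(LIBUSER_CONF, SYSTEM_AUTH_AC_MISMATCH))  # (False, 'sha512', 'md5')
    print(hash_config_consistent(LIBUSER_CONF, SYSTEM_AUTH_AC_FIXED))     # (True, 'sha512', 'sha512')
```

On a live host, read /etc/libuser.conf and /etc/pam.d/system-auth-ac into the two text arguments; because system-auth-ac is a symbolic link while BoKS is active, check the link target as well so that the file actually consulted is the one being edited.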

Revision History

Revision: 11

Date of this revision: 2018-12-11

Table 5: Revision History

Rev No  Date        Comments
1       2017-05-31  First version.
2       2017-06-13  Added information about ADKRB5CONF variable to Minor Changes.
3       2017-06-19  Added support for SuSE Linux Enterprise Server 12 on zSeries (Server Agent only).
4       2017-06-26  Added support for Ubuntu 16 (Server Agent only).
5       2017-08-18  Revised description of changes to hook script configuration in “Minor Changes”.
6       2018-02-13  Added platform support for Debian 8 on x86 and Suse 11 on zLinux (BoKS Server Agent only).
7       2018-04-09  Added platform support for Debian 9 (BoKS Server Agent only).
8       2018-05-25  Added known issue about changes to Kerberos configuration in RHEL 7.5, and information about ldapauth support for BCCPS and PWMGR access methods.
9       2018-09-11  Added information about updated ports to the BoKS Manager 7.1 Administration Guide.
10      2018-09-19  Information about the end-of-life schedule is now published in the BoKS Knowledge Base.
11      2018-12-11  Added information about platform support on Solaris 11.

Getting Support And Service

If you have a question about a specific item in this document, refer to the case number or title listed at the start of the item when you place your technical support call.

• Fox Technologies, company, products and sales ~ https://www.helpsystems.com

• Technical support login ~ Portal login via https://community.helpsystems.com

© 2018 Fox Technologies, a HelpSystems Company. All rights reserved