Policy

List all of the files in a given directory (without checking that they are policy files). Some system directories cannot be listed, for security reasons.

GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
&path=%2Fopt%2Fpbul%2Fpolicies
RESPONSE {
  "dir": [
  {
    "path": "/opt/pbul/policies/pbul_policy.conf",
    "type": "file",
    "name": "pbul_policy.conf",
    "size": 5345,
    "mtime": "2018-11-02 16:36:23",
    "where": "fs"
  },
  {
    "path": "/opt/pbul/policies/pb.conf",
    "type": "file",
    "name": "pb.conf",
    "size": 228,
    "mtime": "2018-11-17 16:20:55",
    "where": "fs"
  },
  {
    "path": "/opt/pbul/policies/pbul_functions.conf",
    "type": "file",
    "name": "pbul_functions.conf",
    "size": 11747,
    "mtime": "2018-11-02 16:36:23",
    "where": "fs"
  }
  ]
 }

Get a script-based policy file as an ordered array of lines, which makes line-based modifications to the policy file easier.

GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=script&file=%2Fopt%2Fpbul%2Fpolicies%2Fpb.conf
RESPONSE {
  "file": "/opt/pbul/policies/pb.conf",
  "format": "script",
  "lines": [
      "result=getuserpasswd(user, \"Passwd for \"+user+\": \", 1, \"/opt/pbul/gp001\", 20);",
      "printf(\"result=%d\\n\", result);",
      "if (result == 0) ",
      "reject;",
      "else",
      "accept;"
  ]
}

Get the full script based policy file as a long string.

GET https://pbuild:24351/REST/policy?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=script&file=%2Fopt%2Fpbul%2Fpolicies%2Fpb.conf
RESPONSE {
  "file": "/opt/pbul/policies/pb.conf",
  "format": "script",
  "policy": "result=getuserpasswd(user, \"Passwd for \"+user+\": \", 1, \"/opt/pbul/gp001\", 20);\nprintf(\"result=%d\\n\", result);\nif (result == 0) \n  reject;\nelse\n  accept;\n"
}

Retrieves an array of CSV policies. Elements are generally strings or arrays of strings.

GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb.csv
RESPONSE {"status":0,"file":"/etc/pb/pb.csv","format":"csv","policies":
[{"dateend":"none","enabled":"Active","verifyuser":0,"adgrps":
["PBSE\\pbqa","PBSE\\pbdev"],"datestart":"none","timeoutstop":"","hostsmatch":"1","args":
["0","0","0","0","0","0"],"lclgrps":["root","pbdev"],"subhosts":["ANY"],"adusers":[""],"type":"Accept","runcmds":
["","","","","",""],"hostlistsmatch":"1","runhosts":[""],"subcmds":
["bash","csh","ksh","ksh93","tcsh","sh"],"defineenv":0,"name":"Shell","timestart":"none","timeend":"none",
"keylog":0,"preserveenv":0,"runas":["root","qareveal","PBSE\\qareveal","qareveal@pbse.lab"],"lcllusers":["ctaylor"]},
{"dateend":"none","enabled":"Active","verifyuser":0,"adgrps":
["PBSE\\pbqa","PBSE\\pbdev"],"datestart":"none","timeoutstop":"","hostsmatch":"1","args":
["0","0","0","0","0","0"],"lclgrps":["root","pbdev"],"subhosts":["ANY"],"adusers":[""],"type":"Accept","runcmds":
["","","","","",""],"hostlistsmatch":"1","runhosts":[""],"subcmds":
["bash","csh","ksh","ksh93","tcsh","sh"],"defineenv":0,"name":"FOO","timestart":"none","timeend":"none",
"keylog":0,"preserveenv":0,"runas":["root","qareveal","PBSE\\qareveal","qareveal@pbse.lab"],"lcllusers":["ctaylor"]}, ...
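
Added example (not part of the product documentation): a read-only audit of a format=csv policies response that flags active Accept rows granting a shell as root. How enabled, type, keylog, subhosts and runas are interpreted here is an assumption drawn from the field names and values shown on this page, and the sample response is constructed.

```python
import json

# Shell names taken from the "subcmds" arrays shown in the responses on this page.
SHELLS = {"bash", "csh", "ksh", "ksh93", "tcsh", "sh"}

def audit_csv_policies(response_text):
    """Return (policy name, finding) pairs for a format=csv policies response."""
    doc = json.loads(response_text)
    if doc.get("status") != 0:
        raise ValueError(f"request failed: status={doc.get('status')}")
    findings = []
    for pol in doc.get("policies", []):
        name = pol.get("name", "<unnamed>")
        # Assumption: only rows that are "Active" and of type "Accept" grant access.
        if pol.get("enabled") != "Active" or pol.get("type") != "Accept":
            continue
        shells = sorted(SHELLS & set(pol.get("subcmds", [])))
        if shells and "root" in pol.get("runas", []):
            findings.append((name, "root shell: " + ",".join(shells)))
            # Assumption: keylog 0 means the session is not keystroke-logged.
            if not pol.get("keylog"):
                findings.append((name, "root shell without keylog"))
        # Assumption: "ANY" in subhosts matches every submit host.
        if "ANY" in pol.get("subhosts", []):
            findings.append((name, "accepted from ANY submit host"))
    return findings

# Constructed sample in the shape of the response above (the "Id" row is invented).
SAMPLE = json.dumps({"status": 0, "file": "/etc/pb/pb.csv", "format": "csv", "policies": [
    {"name": "Shell", "enabled": "Active", "type": "Accept", "keylog": 0,
     "subhosts": ["ANY"], "subcmds": ["bash", "sh"], "runas": ["root", "qareveal"]},
    {"name": "BOO", "enabled": "disabled", "type": "Accept", "keylog": 0,
     "subhosts": ["ANY"], "subcmds": ["bash"], "runas": ["root"]},
    {"name": "Id", "enabled": "Active", "type": "Accept", "keylog": 1,
     "subhosts": ["pbuild"], "subcmds": ["id"], "runas": ["root"]},
]})

if __name__ == "__main__":
    for name, finding in audit_csv_policies(SAMPLE):
        print(f"{name}: {finding}")
```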

Retrieve a given named CSV policy.

GET https://pbuild:24351/REST/policy/BOO?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb.csv
RESPONSE {"status":0,"file":"/etc/pb/pb.csv","policy":
{"dateend":"none","enabled":"Active","verifyuser":0,"adgrps":
["PBSE\\pbqa","PBSE\\pbdev"],"datestart":"none","timeoutstop":"","hostsmatch":"1","args":
["0","0","0","0","0","0"],"lclgrps":["root","pbdev"],"subhosts":["ANY"],"adusers":[""],"type":"Accept","runcmds":
["","","","","",""],"hostlistsmatch":"1","runhosts":[""],"subcmds":
["bash","csh","ksh","ksh93","tcsh","sh"],"defineenv":0,"name":"BOO","timestart":"none","timeend":"none",
"keylog":0,"preserveenv":0,"runas":["root","qareveal","PBSE\\qareveal","qareveal@pbse.lab"],"lcllusers":
["ctaylor"]},"format":"csv"}

Put a given CSV policy, named on the URL.

PUT https://pbuild:24351/REST/policy/BOO?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb-tmp.csv
REQUEST {"policy":{"dateend":"none","enabled":"disabled","verifyuser":0,"adgrps":
["PBSE\\pbqa","PBSE\\pbdev"],"datestart":"none","timeoutstop":"","hostsmatch":"1","args":
["0","0","0","0","0","0"],"lclgrps":["root","pbdev"],"subhosts":["ANY"],"adusers":[""],"type":"Accept","runcmds":
["","","","","",""],"hostlistsmatch":"1","subcmds":["bash","csh","ksh","ksh93","tcsh","sh"],"runhosts":
[""],"defineenv":0,"name":"BOO","keylog":0,"timeend":"none","timestart":"none","preserveenv":0,"runas":
["root","qareveal","PBSE\\qareveal","qareveal@pbse.lab"],"lcllusers":["ctaylor"]}}
RESPONSE {"status":0}

Create a new (optionally empty) policy script file. Directory is limited by policydir if it is set.

POST https://pbuild:24351/REST/policy?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=script&file=%2Fetc%2Fpb%2Ffoobar
REQUEST {"script":"accept;\n"}
RESPONSE {"status":0,"file":"/etc/pb/foobar"}

Checks policy in a similar manner to pbcheck.

GET https://pbuild:24351/REST/policies/check?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&file=%2Fopt%2Fpbul%2Fpolicies%2FpbOLD.conf
RESPONSE {
  "status": 8103,
  "error": "8103.1 Error parsing policy file /opt/pbul/policies/pbOLD.conf, 3964 file /opt/pbul/policies/pbOLD.conf does not exist"
}

Checks policy in a similar manner to pbcheck.

GET https://pbuild:24351/REST/policies/check?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&file=%2Fetc%2Fpb%2Ftry
RESPONSE {"message":"Syntax check completed with no problems detected","status":0}

Checks inline script policy in a similar manner to pbcheck.

PUT https://localhost:24351/REST/policy/check?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "script" : "foobar\nbarfoo\n" }
RESPONSE {"errors":[{"line":1,"file":"inline","msg":"syntax error, unexpected $end"},
{"line":1,"file":"inline","msg":"1167.2 Expected a statement"}],"status":8103,"error":"8103.1 Error parsing policy script"}

Checks inline script policy in a similar manner to pbcheck.

PUT https://localhost:24351/REST/policy/check?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "script" : "accept;" }
RESPONSE {"message":"Syntax check completed with no problems detected"}
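
Added example (not part of the product documentation): editing one entry of the "lines" array returned by the format=script request, building the inline check body from it, and interpreting the check responses shown above. Note that the passing inline reply carries no "status" field while the file-based one carries "status":0, so the parser accepts both; the function names are hypothetical and the inputs are copied from the responses on this page.

```python
import json

def edit_line(lines_reply, index, new_line):
    """Replace one line of a format=script "lines" response; return the new list."""
    doc = json.loads(lines_reply)
    if doc.get("format") != "script":
        raise ValueError("expected a format=script response")
    lines = list(doc["lines"])
    lines[index] = new_line
    return lines

def check_body(lines):
    """Build the request body for the inline check from an array of lines."""
    return json.dumps({"script": "\n".join(lines) + "\n"})

def check_result(response_text):
    """Return (ok, problems) for a policies/check or policy/check response."""
    doc = json.loads(response_text)
    problems = [f'{e.get("file")}:{e.get("line")}: {e.get("msg")}'
                for e in doc.get("errors", [])]
    if not problems and doc.get("error"):
        problems.append(doc["error"])
    status = doc.get("status", 0)  # absent in the passing inline reply on this page
    if status != 0 and not problems:
        problems.append(f"status {status}")
    return not problems, problems

# Inputs below are copied from the request/response pairs on this page.
LINES_REPLY = json.dumps({"file": "/opt/pbul/policies/pb.conf", "format": "script",
                          "lines": ["if (result == 0) ", "reject;", "else", "accept;"]})
BAD = json.dumps({"errors": [
    {"line": 1, "file": "inline", "msg": "syntax error, unexpected $end"},
    {"line": 1, "file": "inline", "msg": "1167.2 Expected a statement"}],
    "status": 8103, "error": "8103.1 Error parsing policy script"})
GOOD_INLINE = '{"message":"Syntax check completed with no problems detected"}'
GOOD_FILE = '{"message":"Syntax check completed with no problems detected","status":0}'

if __name__ == "__main__":
    print(check_body(edit_line(LINES_REPLY, 1, "  reject;")))
    for reply in (BAD, GOOD_INLINE, GOOD_FILE):
        print(check_result(reply))
```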

Retrieves a full policy file as a binary attachment.

GET https://pbuild:24351/REST/policyfile?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&file=%2Fetc%2Fpb%2Fpb.conf
RESPONSE <binary attachment>

Test Role Based Policy authentication.

PUT https://localhost:24351/REST/policy/rbp/checkauth?appid=<appid>&
timestamp=<timestamp>&hmac=<hmac>

Parameters

{ "rbp" : {"user" : "root", "submithost" : "pbuild", "command" : "/usr/bin/id", "runhost": "pbuild1", "pbclientmode": "pbrun" }}

The parameter node must contain at least user, submithost, and command, but may also contain any other Privilege Management for Unix and Linux policy variable, used when matching roles. On a positive response, the info part of the JSON response is the role row that matched.

Positive Response
{
  "result": {
    "access": "allowed",
    "iolog": "/tmp/admin_iolog_root_XXXXXX",
    "userMessage": "hello root - risk 9\n",
    "info": {
      "name": "Admin",
      "runuser": "root",
      "runhost": "pbuild1",
      "risk": 9,
      "action": "A",
      "iolog": "/tmp/admin_iolog_%user%_XXXXXX",
      "message": "hello %user% - risk %pbrisklevel%",
      "variables": null,
      "auth": null,
      "script": null,
      "runcommand": ""
    }
  }
}
Negative Response
{
  "result": {
    "access": "denied"
  }
}
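
Added example (not part of the product documentation): a small regression harness that builds the rbp parameter node, enforces the three required fields, and compares each checkauth decision with the expected one. The send callable is a hypothetical transport that would issue the PUT with appid, timestamp and hmac; here a constructed stand-in returns responses in the shapes shown above.

```python
import json

REQUIRED = ("user", "submithost", "command")

def rbp_body(**variables):
    """Build the checkauth body; the node needs user, submithost and command."""
    missing = [k for k in REQUIRED if not variables.get(k)]
    if missing:
        raise ValueError("rbp node is missing: " + ", ".join(missing))
    return json.dumps({"rbp": variables})

def decision(response_text):
    """Return (allowed, matched role name or None) from a checkauth response."""
    result = json.loads(response_text).get("result", {})
    allowed = result.get("access") == "allowed"  # any other value counts as denied
    info = result.get("info") or {}
    return allowed, (info.get("name") if allowed else None)

def regressions(cases, send):
    """cases: (rbp variables, expected allowed, expected role). Return mismatches."""
    failures = []
    for variables, want_allowed, want_role in cases:
        got = decision(send(rbp_body(**variables)))
        if got != (want_allowed, want_role):
            failures.append((variables["user"], variables["command"], got))
    return failures

def fake_send(body):
    """Constructed stand-in for the PUT to /REST/policy/rbp/checkauth."""
    rbp = json.loads(body)["rbp"]
    if rbp["user"] == "root" and rbp["command"] == "/usr/bin/id":
        return json.dumps({"result": {"access": "allowed",
                                      "info": {"name": "Admin", "risk": 9}}})
    return json.dumps({"result": {"access": "denied"}})

# Constructed expectations: the first row mirrors the request on this page.
CASES = [
    ({"user": "root", "submithost": "pbuild", "command": "/usr/bin/id",
      "runhost": "pbuild1", "pbclientmode": "pbrun"}, True, "Admin"),
    ({"user": "guest", "submithost": "pbuild", "command": "/bin/bash"}, False, None),
]

if __name__ == "__main__":
    print(regressions(CASES, fake_send))
```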