Policy

Policy List Dir

Lists all of the files in a given directory, without checking that they are policy files. Some system directories cannot be listed, for security reasons.

GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
&path=%2Fopt%2Fpbul%2Fpolicies
RESPONSE {
  "dir": [
  {
    "path": "/opt/pbul/policies/pbul_policy.conf",
    "type": "file",
    "name": "pbul_policy.conf",
    "size": 5345,
    "mtime": "2018-11-02 16:36:23",
    "where": "fs"
  },
  {
    "path": "/opt/pbul/policies/pb.conf",
    "type": "file",
    "name": "pb.conf",
    "size": 228,
    "mtime": "2018-11-17 16:20:55",
    "where": "fs"
  },
  {
    "path": "/opt/pbul/policies/pbul_functions.conf",
    "type": "file",
    "name": "pbul_functions.conf",
    "size": 11747,
    "mtime": "2018-11-02 16:36:23",
    "where": "fs"
  }
  ]
}

Policy (Script) Get Lines

Get a script-based policy file as an ordered array of lines, which makes line-based modifications to the policy file easier.

GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=script&file=%2Fopt%2Fpbul%2Fpolicies%2Fpb.conf
RESPONSE {
  "file": "/opt/pbul/policies/pb.conf",
  "format": "script",
  "lines": [
      "result=getuserpasswd(user, \"Passwd for \"+user+\": \", 1, \"/opt/pbul/gp001\", 20);",
      "printf(\"result=%d\\n\", result);",
      "if (result == 0) ",
      "reject;",
      "else",
      "accept;"
  ]
}

Policy (Script) Get Full File

Get the full script-based policy file as a single string.

GET https://pbuild:24351/REST/policy?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=script&file=%2Fopt%2Fpbul%2Fpolicies%2Fpb.conf
RESPONSE {
  "file": "/opt/pbul/policies/pb.conf",
  "format": "script",
  "policy": "result=getuserpasswd(user, \"Passwd for \"+user+\": \", 1, \"/opt/pbul/gp001\", 20);\nprintf(\"result=%d\\n\", result);\nif (result == 0) \n  reject;\nelse\n  accept;\n"
}
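The two script endpoints above return the same policy in two shapes: an array of lines and one long string. The following is an added example, not code from the documentation or the product, showing how to build the request URL with the file path percent-encoded as in the examples, and how to move between the lines form and the string form so that a line-based edit can be sent back as the {"script": ...} body used by the POST /REST/policy endpoint. The appid, timestamp and hmac values are assumed to come from the caller's own request-signing helper; the signing scheme is not described on this page. Note that in the documented samples the lines form shows "reject;" and "accept;" without the two-space indentation that the full-file string carries, so a byte-exact round trip between the two endpoints should not be assumed; the example round-trips the full-file string only.

```python
"""Added example (not part of the EPM-UL documentation): build a policy URL
and convert between the "lines" and "policy" representations returned by
the "Policy (Script)" endpoints."""
from urllib.parse import urlencode

# Base URL from the documented examples. appid/timestamp/hmac are whatever
# the caller's request-signing helper produced; the signing scheme is not
# described on this page, so it is treated as an external input here.
BASE_URL = "https://pbuild:24351/REST"

# The "policy" string from the documented "Get Full File" response.
SAMPLE_POLICY = (
    'result=getuserpasswd(user, "Passwd for "+user+": ", 1, "/opt/pbul/gp001", 20);\n'
    'printf("result=%d\\n", result);\n'
    'if (result == 0) \n'
    '  reject;\n'
    'else\n'
    '  accept;\n'
)


def policy_url(endpoint, auth, **params):
    """Return a GET URL for an endpoint such as "policies" or "policy".

    auth is a dict holding the appid, timestamp and hmac query parameters.
    urlencode percent-encodes the file path the same way the documented
    examples show it (/opt/pbul/policies/pb.conf -> %2Fopt%2Fpbul%2F...).
    """
    query = dict(auth)
    query.update(params)
    return f"{BASE_URL}/{endpoint}?{urlencode(query)}"


def script_to_lines(script):
    """Split a full-file "policy" string into a lines array.

    A trailing newline terminates the last line; it does not add an empty line.
    """
    lines = script.split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return lines


def lines_to_script(lines):
    """Join a lines array back into the single-string form accepted as the
    {"script": ...} body of POST /REST/policy."""
    return "".join(line + "\n" for line in lines)


def replace_line(lines, index, new_text):
    """Return a copy of the lines array with the 0-based line index replaced."""
    if not 0 <= index < len(lines):
        raise IndexError(f"line {index} out of range for {len(lines)} lines")
    updated = list(lines)
    updated[index] = new_text
    return updated


if __name__ == "__main__":
    auth = {"appid": "<appid>", "timestamp": "<timestamp>", "hmac": "<hmac>"}
    print(policy_url("policy", auth, format="script", file="/opt/pbul/policies/pb.conf"))
    edited = replace_line(script_to_lines(SAMPLE_POLICY), 5, "  accept;")
    print({"script": lines_to_script(edited)})
```

The edit is done on the lines array and then serialised once, so the string that is written back differs from the original only in the line that was changed.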

Policies (CSV) Get All

Retrieves an array of CSV policies. Elements are generally strings or arrays of strings.

GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb.csv
RESPONSE {
  "status": 0,
  "file": "/etc/pb/pb.csv",
  "format": "csv",
  "policies": [
    {
      "dateend": "none",
      "enabled": "Active",
      "verifyuser": 0,
      "adgrps": ["PBSE\\pbqa", "PBSE\\pbdev"],
      "datestart": "none",
      "timeoutstop": "",
      "hostsmatch": "1",
      "args": ["0", "0", "0", "0", "0", "0"],
      "lclgrps": ["root", "pbdev"],
      "subhosts": ["ANY"],
      "adusers": [""],
      "type": "Accept",
      "runcmds": ["", "", "", "", "", ""],
      "hostlistsmatch": "1",
      "runhosts": [""],
      "subcmds": ["bash", "csh", "ksh", "ksh93", "tcsh", "sh"],
      "defineenv": 0,
      "name": "Shell",
      "timestart": "none",
      "timeend": "none",
      "keylog": 0,
      "preserveenv": 0,
      "runas": ["root", "qareveal", "PBSE\\qareveal", "qareveal@pbse.lab"],
      "lcllusers": ["ctaylor"]
    },
    {
      "dateend": "none",
      "enabled": "Active",
      "verifyuser": 0,
      "adgrps": ["PBSE\\pbqa", "PBSE\\pbdev"],
      "datestart": "none",
      "timeoutstop": "",
      "hostsmatch": "1",
      "args": ["0", "0", "0", "0", "0", "0"],
      "lclgrps": ["root", "pbdev"],
      "subhosts": ["ANY"],
      "adusers": [""],
      "type": "Accept",
      "runcmds": ["", "", "", "", "", ""],
      "hostlistsmatch": "1",
      "runhosts": [""],
      "subcmds": ["bash", "csh", "ksh", "ksh93", "tcsh", "sh"],
      "defineenv": 0,
      "name": "FOO",
      "timestart": "none",
      "timeend": "none",
      "keylog": 0,
      "preserveenv": 0,
      "runas": ["root", "qareveal", "PBSE\\qareveal", "qareveal@pbse.lab"],
      "lcllusers": ["ctaylor"]
    }, ...

Policy (CSV) Get (by name)

Retrieve a given named CSV policy.

GET https://pbuild:24351/REST/policy/BOO?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb.csv
RESPONSE {
  "status": 0,
  "file": "/etc/pb/pb.csv",
  "policy": {
    "dateend": "none",
    "enabled": "Active",
    "verifyuser": 0,
    "adgrps": ["PBSE\\pbqa", "PBSE\\pbdev"],
    "datestart": "none",
    "timeoutstop": "",
    "hostsmatch": "1",
    "args": ["0", "0", "0", "0", "0", "0"],
    "lclgrps": ["root", "pbdev"],
    "subhosts": ["ANY"],
    "adusers": [""],
    "type": "Accept",
    "runcmds": ["", "", "", "", "", ""],
    "hostlistsmatch": "1",
    "runhosts": [""],
    "subcmds": ["bash", "csh", "ksh", "ksh93", "tcsh", "sh"],
    "defineenv": 0,
    "name": "BOO",
    "timestart": "none",
    "timeend": "none",
    "keylog": 0,
    "preserveenv": 0,
    "runas": ["root", "qareveal", "PBSE\\qareveal", "qareveal@pbse.lab"],
    "lcllusers": ["ctaylor"]
  },
  "format": "csv"
}

Policy (CSV) Put (by name)

Put a given CSV policy, named on the URL.

PUT https://pbuild:24351/REST/policy/BOO?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb-tmp.csv
REQUEST {
  "policy": {
    "dateend": "none",
    "enabled": "disabled",
    "verifyuser": 0,
    "adgrps": ["PBSE\\pbqa", "PBSE\\pbdev"],
    "datestart": "none",
    "timeoutstop": "",
    "hostsmatch": "1",
    "args": ["0", "0", "0", "0", "0", "0"],
    "lclgrps": ["root", "pbdev"],
    "subhosts": ["ANY"],
    "adusers": [""],
    "type": "Accept",
    "runcmds": ["", "", "", "", "", ""],
    "hostlistsmatch": "1",
    "subcmds": ["bash", "csh", "ksh", "ksh93", "tcsh", "sh"],
    "runhosts": [""],
    "defineenv": 0,
    "name": "BOO",
    "keylog": 0,
    "timeend": "none",
    "timestart": "none",
    "preserveenv": 0,
    "runas": ["root", "qareveal", "PBSE\\qareveal", "qareveal@pbse.lab"],
    "lcllusers": ["ctaylor"]
  }
}
RESPONSE {"status":0}
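The CSV policy rows returned by the Get All, Get (by name) and Put (by name) endpoints are what an administrator would review for over-broad grants. The following is an added example, not code from the documentation or the product, that walks a Get All response and flags Active Accept rows that grant an interactive shell as root or apply on any submit host, and then builds the Put body that disables such a row using the "disabled" value the documented PUT example uses. The field names (type, enabled, name, subcmds, runas, lclgrps, adgrps, subhosts) are taken from the documented responses; the sample response is constructed for the example because the page's own sample is truncated, and the risk rules are this example's own choice.

```python
"""Added example (not part of the EPM-UL documentation): review CSV policy
rows for broad privilege and build a PUT body that disables one of them."""
import json

# Shells as they appear in the documented subcmds list, plus zsh (example's addition).
SHELLS = {"bash", "csh", "ksh", "ksh93", "tcsh", "sh", "zsh"}

# Constructed sample in the shape of the documented "Policies (CSV) Get All"
# response; the "Shell" row mirrors the documented one, the "Id" row is invented
# as a narrowly scoped contrast.
SAMPLE_RESPONSE = json.dumps({
    "status": 0, "file": "/etc/pb/pb.csv", "format": "csv",
    "policies": [
        {"name": "Shell", "enabled": "Active", "type": "Accept",
         "subcmds": ["bash", "csh", "ksh", "ksh93", "tcsh", "sh"],
         "runas": ["root", "qareveal", "PBSE\\qareveal", "qareveal@pbse.lab"],
         "lclgrps": ["root", "pbdev"], "adgrps": ["PBSE\\pbqa", "PBSE\\pbdev"],
         "subhosts": ["ANY"]},
        {"name": "Id", "enabled": "Active", "type": "Accept",
         "subcmds": ["/usr/bin/id"], "runas": ["qareveal"],
         "lclgrps": ["pbdev"], "adgrps": [""], "subhosts": ["pbuild"]},
    ],
})


def audit_csv_policies(response_text):
    """Return (policy name, finding) tuples for Active Accept rows that are
    broad by this example's rules. Rows that are disabled or of another
    type are skipped; a non-zero status is treated as a failed request."""
    doc = json.loads(response_text)
    if doc.get("status") != 0:
        raise ValueError(f"request failed: status {doc.get('status')}")
    findings = []
    for row in doc.get("policies", []):
        if row.get("type") != "Accept" or row.get("enabled") != "Active":
            continue
        name = row.get("name", "?")
        subcmds = set(row.get("subcmds", []))
        if "root" in row.get("runas", []) and subcmds & SHELLS:
            findings.append((name, "interactive shell as root"))
        if "ANY" in row.get("subhosts", []):
            findings.append((name, "applies on any submit host"))
    return findings


def disable_policy_body(row):
    """Build the body for "Policy (CSV) Put (by name)" with the row disabled.

    The documented PUT example carries "disabled" in the enabled field; the
    row itself is otherwise sent back unchanged. The policy name goes on
    the URL, not in the body."""
    updated = dict(row)
    updated["enabled"] = "disabled"
    return {"policy": updated}


if __name__ == "__main__":
    for name, finding in audit_csv_policies(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
    shell_row = json.loads(SAMPLE_RESPONSE)["policies"][0]
    print(json.dumps(disable_policy_body(shell_row)))
```

Run against a live server the same function would take the body of GET /REST/policies?format=csv&file=... ; keeping the audit separate from the HTTP call makes it easy to run over an exported file as well.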

Policy (Script) Set New Policy File

Create a new (optionally empty) policy script file. The directory is restricted by the policydir setting, if it is set.

POST https://pbuild:24351/REST/policy?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&format=script&file=%2Fetc%2Fpb%2Ffoobar
REQUEST {"script":"accept;\n"}
RESPONSE {"status":0,"file":"/etc/pb/foobar"}

Policy check (unsuccessful)

Checks policy in a similar manner to pbcheck.

GET https://pbuild:24351/REST/policies/check?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&file=%2Fopt%2Fpbul%2Fpolicies%2FpbOLD.conf
RESPONSE {
  "status": 8103,
  "error": "8103.1 Error parsing policy file /opt/pbul/policies/pbOLD.conf, 3964 file /opt/pbul/policies/pbOLD.conf does not exist"
}

Policy check (successful)

Checks policy in a similar manner to pbcheck.

GET https://pbuild:24351/REST/policies/check?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&file=%2Fetc%2Fpb%2Ftry
RESPONSE {"message":"Syntax check completed with no problems detected","status":0}

Policy check inline script (unsuccessful)

Checks inline script policy in a similar manner to pbcheck.

PUT https://localhost:24351/REST/policy/check?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "script" : "foobar\nbarfoo\n" }
RESPONSE {"errors":[{"line":1,"file":"inline","msg":"syntax error, unexpected $end"},
{"line":1,"file":"inline","msg":"1167.2 Expected a statement"}],"status":8103,"error":"8103.1 Error parsing policy script"}

Policy check inline script (successful)

Checks inline script policy in a similar manner to pbcheck.

PUT https://localhost:24351/REST/policy/check?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "script" : "accept;" }
RESPONSE {"message":"Syntax check completed with no problems detected"}
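The four check responses above come in three shapes: a clean result with a message (the file check also carries "status": 0, the inline check does not), a file-check failure with "status" and "error", and an inline-script failure that adds an "errors" array of line/file/msg entries. The following is an added example, not code from the documentation or the product, that normalises all of these into one (ok, messages) result and uses it to gate a "Set New Policy File" POST on a clean inline check, so that a script with syntax errors is never written to the policy directory. The sample responses are the ones documented above; check_fn is a caller-supplied function (assumed here, not shown) that PUTs {"script": ...} to /REST/policy/check and returns the response body.

```python
"""Added example (not part of the EPM-UL documentation): normalise the
policy check responses and gate a policy write on a clean syntax check."""
import json

# Response bodies copied from the documented samples above.
INLINE_FAIL = (
    '{"errors":[{"line":1,"file":"inline","msg":"syntax error, unexpected $end"},'
    '{"line":1,"file":"inline","msg":"1167.2 Expected a statement"}],'
    '"status":8103,"error":"8103.1 Error parsing policy script"}'
)
INLINE_OK = '{"message":"Syntax check completed with no problems detected"}'
FILE_FAIL = (
    '{"status":8103,"error":"8103.1 Error parsing policy file /opt/pbul/policies/pbOLD.conf, '
    '3964 file /opt/pbul/policies/pbOLD.conf does not exist"}'
)
FILE_OK = '{"message":"Syntax check completed with no problems detected","status":0}'


def summarize_check(response_text):
    """Return (ok, messages).

    ok is True only when status is 0 (or absent, as in the documented inline
    success response) and no "error" field is present. On failure, messages
    lists each entry of "errors" as file:line: msg, followed by the
    top-level "error" string when there is one.
    """
    doc = json.loads(response_text)
    status = doc.get("status", 0)
    if status == 0 and "error" not in doc:
        return True, [doc.get("message", "")]
    messages = [
        f"{err.get('file', '?')}:{err.get('line', '?')}: {err.get('msg', '')}"
        for err in doc.get("errors", [])
    ]
    if doc.get("error"):
        messages.append(doc["error"])
    return False, messages


def check_before_write(check_fn, script):
    """Return the {"script": ...} body for POST /REST/policy only if the
    inline syntax check passes; otherwise raise with the collected messages.

    check_fn(script) is assumed to perform the PUT to /REST/policy/check and
    return the response body text; the HTTP call itself is not shown here."""
    ok, messages = summarize_check(check_fn(script))
    if not ok:
        raise ValueError("policy rejected by syntax check: " + "; ".join(messages))
    return {"script": script}


if __name__ == "__main__":
    for body in (INLINE_FAIL, INLINE_OK, FILE_FAIL, FILE_OK):
        print(summarize_check(body))
    # Stand-in for the real check call: pretend the server accepted the script.
    print(check_before_write(lambda s: INLINE_OK, "accept;\n"))
```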

Get Policy file as attachment

Retrieves a full policy file as a binary attachment.

GET https://pbuild:24351/REST/policyfile?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>&file=%2Fetc%2Fpb%2Fpb.conf
RESPONSE <binary attachment>

Role Based Policy Authentication

Test Role Based Policy authentication.

PUT https://localhost:24351/REST/policy/rbp/checkauth?appid=<appid>&timestamp=<timestamp>
&hmac=<hmac>

Parameters

{ "rbp" : {"user" : "root", "submithost" : "pbuild", "command" : "/usr/bin/id", "runhost": "pbuild1", "pbclientmode": "pbrun" }}

The rbp node must contain at least user, submithost and command; it may also contain any other Endpoint Privilege Management for Unix and Linux policy variable, which is then used when matching roles. On a positive response, the info element of the JSON response is the role row that matched.

Positive Response
{
  "result": {
    "access": "allowed",
    "iolog": "/tmp/admin_iolog_root_XXXXXX",
    "userMessage": "hello root - risk 9\n",
    "info": {
      "name": "Admin",
      "runuser": "root",
      "runhost": "pbuild1",
      "risk": 9,
      "action": "A",
      "iolog": "/tmp/admin_iolog_%user%_XXXXXX",
      "message": "hello %user% - risk %pbrisklevel%",
      "variables": null,
      "auth": null,
      "script": null,
      "runcommand": ""
    }
  }
}

Negative Response
{
  "result": {
    "access": "denied"
  }
}
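The checkauth endpoint is the one to script when testing a role-based policy change before it reaches users: build the rbp request with the three mandatory attributes, submit it, and read back whether access was allowed and which role row matched. The following is an added example, not code from the documentation or the product, that validates the request body, interprets the positive and negative responses documented above, and expands the %user% and %pbrisklevel% placeholders seen in the matched role's message field. The placeholder expansion is this example's assumption, inferred from the documented message ("hello %user% - risk %pbrisklevel%") and userMessage ("hello root - risk 9") pair; the documentation does not describe how the product performs it. The HTTP call itself is not shown.

```python
"""Added example (not part of the EPM-UL documentation): build and interpret
"Role Based Policy Authentication" (checkauth) exchanges."""
import json
import re

# Mandatory rbp attributes per the documentation.
REQUIRED = ("user", "submithost", "command")

# The documented positive and negative responses, as JSON text.
POSITIVE_TEXT = json.dumps({
    "result": {
        "access": "allowed",
        "iolog": "/tmp/admin_iolog_root_XXXXXX",
        "userMessage": "hello root - risk 9\n",
        "info": {
            "name": "Admin", "runuser": "root", "runhost": "pbuild1", "risk": 9,
            "action": "A", "iolog": "/tmp/admin_iolog_%user%_XXXXXX",
            "message": "hello %user% - risk %pbrisklevel%",
            "variables": None, "auth": None, "script": None, "runcommand": "",
        },
    }
})
NEGATIVE_TEXT = json.dumps({"result": {"access": "denied"}})


def build_checkauth_body(**attrs):
    """Return {"rbp": {...}} for PUT /REST/policy/rbp/checkauth.

    Raises ValueError if any of user, submithost or command is missing or
    empty; any further keyword arguments are passed through as extra policy
    variables for role matching."""
    missing = [key for key in REQUIRED if not attrs.get(key)]
    if missing:
        raise ValueError("missing required rbp attributes: " + ", ".join(missing))
    return {"rbp": dict(attrs)}


def interpret_checkauth(response_text):
    """Reduce a checkauth response to a flat decision record.

    role, risk and iolog are filled from the matched role row ("info") and
    the result only when access is "allowed"; a denied response has none."""
    result = json.loads(response_text)["result"]
    allowed = result.get("access") == "allowed"
    decision = {"allowed": allowed, "role": None, "risk": None, "iolog": None}
    if allowed:
        info = result.get("info") or {}
        decision["role"] = info.get("name")
        decision["risk"] = info.get("risk")
        decision["iolog"] = result.get("iolog")
    return decision


def expand_message(template, variables):
    """Replace %name% tokens with values from variables (assumed behaviour,
    inferred from the documented message/userMessage pair). Unknown tokens
    are left untouched so a typo in a template is visible rather than blank."""
    return re.sub(r"%(\w+)%",
                  lambda m: str(variables.get(m.group(1), m.group(0))),
                  template)


if __name__ == "__main__":
    body = build_checkauth_body(user="root", submithost="pbuild",
                                command="/usr/bin/id", runhost="pbuild1",
                                pbclientmode="pbrun")
    print(json.dumps(body))
    print(interpret_checkauth(POSITIVE_TEXT))
    print(interpret_checkauth(NEGATIVE_TEXT))
    print(expand_message("hello %user% - risk %pbrisklevel%",
                         {"user": "root", "pbrisklevel": 9}))
```

Because the decision record is flat, it can be written straight to a log or compared across a batch of (user, submithost, command) triples when checking that a role edit did not widen access unexpectedly.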