Role Based Policy Entitlement Reports

Endpoint Privilege Management for Unix and Linux v10.1.0 introduced Role Based Policy Entitlement Reports. These reports are available to the user from the pbrun command using -e, or to the administrator as an overall report using pbdbutil --rbp -R, and provide a comprehensive view of which users can run which commands, on which hosts, and when they are allowed to run them.

pbdbutil: Role Based Policy Options

The pbdbutil Role Based Policy options introduced in Endpoint Privilege Management for Unix and Linux v10.1.0 are described below.

pbdbutil --rbp [<options>] [ <file> <file> ...]
    -R { json param }   Report user entitlements from the database
       -R               Add option to display commands
          -R            Add option to display time/date restrictions
             -R         Add option to display additional role options
    -E { json param }   List user entitlements data from the database

where { json param } is one or more of:
    "submituser" : "user1"     Specify submit user or wildcard
    "submithost" : "host1"     Specify submit host or wildcard
    "runuser"    : "user1"     Specify run user or wildcard
    "runhost"    : "host1"     Specify run host or wildcard
    "command"    : "command"   Specify command or wildcard

pbrun Options

Endpoint Privilege Management for Unix and Linux v10.1.0 introduced the following options that are available only when Role Based Policy is enabled:

pbrun -e                Return the entitlement report for the current user at level 1.
pbrun -e 1              Return the entitlement report for the current user at level 1.
pbrun -e 4              Return the entitlement report for the current user at level 4.
pbrun --entitlement=4   Return the entitlement report for the current user at level 4.

Examples of Entitlement Reports

Level 1 Report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 1
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:23
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
/bin/find *,/usr/bin/ls,/bin/ls,/bin/cat *,/bin/ls *,/usr/bin/ls *,/usr/bin/rm *,
/usr/bin/cat *,/usr/bin/find *,/sbin/shutdown *,/bin/more *,/bin/id,/usr/bin/more *,
/usr/bin/mount *,/bin/ln *,/bin/mount *,/bin/rm *,/usr/sbin/shutdown *,
/usr/bin/ln *,/usr/bin/id,/sbin/ifconfig *,/usr/sbin/ifconfig *

Level 2 Report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 2
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:28
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description: Common UNIX Commands
/bin/ls executes: /bin/ls
/bin/ls * executes: /bin/ls *
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/bin/cat * executes: /bin/cat *
/usr/bin/cat * executes: /usr/bin/cat *
/bin/find * executes: /bin/find *
/usr/bin/find * executes: /usr/bin/find *
/bin/more * executes: /bin/more *
/usr/bin/more * executes: /usr/bin/more *
/bin/rm * executes: /bin/rm -i $*
/usr/bin/rm * executes: /usr/bin/rm -i $*
/bin/ln * executes: /bin/ln *
/usr/bin/ln * executes: /usr/bin/ln *
/bin/id executes: /bin/id
/usr/bin/id executes: /usr/bin/id
Command Group: Admin Commands
Description: Common Superuser Commands
/sbin/shutdown * executes: /sbin/shutdown *
/usr/sbin/shutdown * executes: /usr/sbin/shutdown *
/bin/mount * executes: /bin/mount *
/usr/bin/mount * executes: /usr/bin/mount *
/sbin/ifconfig * executes: /sbin/ifconfig *
/usr/sbin/ifconfig * executes: /usr/sbin/ifconfig *

Level 3 Report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 3
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:30
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description: Common UNIX Commands
/bin/ls executes: /bin/ls
/bin/ls * executes: /bin/ls *
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/bin/cat * executes: /bin/cat *
/usr/bin/cat * executes: /usr/bin/cat *
/bin/find * executes: /bin/find *
/usr/bin/find * executes: /usr/bin/find *
/bin/more * executes: /bin/more *
/usr/bin/more * executes: /usr/bin/more *
/bin/rm * executes: /bin/rm -i $*
/usr/bin/rm * executes: /usr/bin/rm -i $*
/bin/ln * executes: /bin/ln *
/usr/bin/ln * executes: /usr/bin/ln *
/bin/id executes: /bin/id
/usr/bin/id executes: /usr/bin/id
Command Group: Admin Commands
Description: Common Superuser Commands
/sbin/shutdown * executes: /sbin/shutdown *
/usr/sbin/shutdown * executes: /usr/sbin/shutdown *
/bin/mount * executes: /bin/mount *
/usr/bin/mount * executes: /usr/bin/mount *
/sbin/ifconfig * executes: /sbin/ifconfig *
/usr/sbin/ifconfig * executes: /usr/sbin/ifconfig *
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description: Any Time
Monday: 01:00am to 12:14pm
Tuesday: 01:00am to 12:14pm
Wednesday: 01:00am to 12:14pm
Thursday: 01:00am to 12:14pm
Friday: 01:00am to 12:14pm
Saturday: 01:00am to 12:14pm
Sunday: 01:00am to 12:14pm

Level 4 Report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 4
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:32
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description: Common UNIX Commands
/bin/ls executes: /bin/ls
/bin/ls * executes: /bin/ls *
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/bin/cat * executes: /bin/cat *
/usr/bin/cat * executes: /usr/bin/cat *
/bin/find * executes: /bin/find *
/usr/bin/find * executes: /usr/bin/find *
/bin/more * executes: /bin/more *
/usr/bin/more * executes: /usr/bin/more *
/bin/rm * executes: /bin/rm -i $*
/usr/bin/rm * executes: /usr/bin/rm -i $*
/bin/ln * executes: /bin/ln *
/usr/bin/ln * executes: /usr/bin/ln *
/bin/id executes: /bin/id
/usr/bin/id executes: /usr/bin/id
Command Group: Admin Commands
Description: Common Superuser Commands
/sbin/shutdown * executes: /sbin/shutdown *
/usr/sbin/shutdown * executes: /usr/sbin/shutdown *
/bin/mount * executes: /bin/mount *
/usr/bin/mount * executes: /usr/bin/mount *
/sbin/ifconfig * executes: /sbin/ifconfig *
/usr/sbin/ifconfig * executes: /usr/sbin/ifconfig *
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description: Any Time
Monday: 01:00am to 12:14pm
Tuesday: 01:00am to 12:14pm
Wednesday: 01:00am to 12:14pm
Thursday: 01:00am to 12:14pm
Friday: 01:00am to 12:14pm
Saturday: 01:00am to 12:14pm
Sunday: 01:00am to 12:14pm
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: yes
Extended Script Policy: no
Custom accept/reject message: no

Level 1 Report with Command Filter
pbdbutil -P --rbp -R '{ "command":"/usr/bin/*"}'
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 1
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:09:10
User: *
Belongs to the following Roles:
Admin,users
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
/usr/bin/ls,/usr/bin/mount *,/usr/bin/ls *,/usr/bin/cat *,/usr/bin/find *,
/usr/bin/rm *,/usr/bin/ln *,/usr/bin/more *,/usr/bin/id
======================================================================
Role Order: 4
Name: users
Description: Normal users
Action: allowed
Tag:
Membership: Users
Submit Host(s): nfs.company.com,build.company.com,staging.company.com
Run Host(s): nfs.company.com,build.company.com,staging.company.com
Commands will execute as user: user*
User may request the following commands using pbrun:
/usr/bin/ls,/usr/bin/ls *,/usr/bin/find *,/usr/bin/cat *,/usr/bin/ln *,
/usr/bin/rm *,/usr/bin/more *,/usr/bin/id

Level 4 Report with Command Filter
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 4
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:09:26
User: *
Belongs to the following Roles:
Admin,users
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: Admin Commands
Description: Common Superuser Commands
/usr/bin/mount * executes: /usr/bin/mount *
Command Group: User Commands
Description: Common UNIX Commands
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/usr/bin/cat * executes: /usr/bin/cat *
/usr/bin/find * executes: /usr/bin/find *
/usr/bin/more * executes: /usr/bin/more *
/usr/bin/rm * executes: /usr/bin/rm -i $*
/usr/bin/ln * executes: /usr/bin/ln *
/usr/bin/id executes: /usr/bin/id
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description: Any Time
Monday: 01:00am to 12:14pm
Tuesday: 01:00am to 12:14pm
Wednesday: 01:00am to 12:14pm
Thursday: 01:00am to 12:14pm
Friday: 01:00am to 12:14pm
Saturday: 01:00am to 12:14pm
Sunday: 01:00am to 12:14pm
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: yes
Extended Script Policy: no
Custom accept/reject message: no
======================================================================
Role Order: 4
Name: users
Description: Normal users
Action: allowed
Tag:
Risk: 1
Membership: Users
Submit Host(s): build.company.com,nfs.company.com,staging.company.com
Run Host(s): build.company.com,nfs.company.com,staging.company.com
Commands will execute as user: user*
User may request the following commands using pbrun:
Command Group: User Commands
Description: Common UNIX Commands
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/usr/bin/cat * executes: /usr/bin/cat *
/usr/bin/find * executes: /usr/bin/find *
/usr/bin/more * executes: /usr/bin/more *
/usr/bin/rm * executes: /usr/bin/rm -i $*
/usr/bin/ln * executes: /usr/bin/ln *
/usr/bin/id executes: /usr/bin/id
Date and Time restrictions for Role 'users':
Time/Date Group: Working Week
Description: Working Week
Monday: 01:00am to 12:14pm
Tuesday: 01:00am to 12:14pm
Wednesday: 01:00am to 12:14pm
Thursday: 01:00am to 12:14pm
Friday: 01:00am to 12:14pm
Saturday: none
Sunday: none
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: no
Extended Script Policy: no
Custom accept/reject message: no
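An added example, not product code, that parses the Level 2 and higher report format shown above into per-role records and then lists wildcard commands that may run as root in roles whose sessions are not recorded, which is the kind of finding an entitlement review is meant to surface. The two-role sample report is constructed for the example and the role name "ops" is hypothetical.

```python
def parse_report(text):
    """One dict per role: header fields, 'commands' (requested -> executed), 'options'."""
    roles, role, section = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Role Order:"):            # every role block starts here
            role, section = {"commands": {}, "options": {}}, None
            roles.append(role)
        if role is None or not line or line[0] in "=-":
            continue                                   # report header and rulers
        if line.startswith("User may request the following commands"):
            section = "commands"    # Date/Time restriction lines stay in this section
        elif line.startswith("Additional Role Options"):
            section = "options"
        elif section == "commands" and " executes: " in line:
            requested, executed = line.split(" executes: ", 1)
            role["commands"][requested] = executed
        elif section == "options" or (section is None and ":" in line):
            key, value = line.split(":", 1)
            target = role["options"] if section == "options" else role
            target[key.strip()] = value.strip()
    return roles

def unrecorded_root_wildcards(roles):
    """(role, requested, executed) for wildcard commands runnable as root or '*' in roles without session recording."""
    out = []
    for role in roles:
        run_as = role.get("Commands may be executed as user(s)",
                          role.get("Commands will execute as user", ""))
        if (any(u in ("root", "*") for u in run_as.split(","))
                and role["options"].get("Session Recording Enabled") != "yes"):
            out += [(role["Name"], r, e) for r, e in role["commands"].items() if "*" in e]
    return out

SAMPLE = """\
Role Order: 1
Name: Admin
Commands may be executed as user(s): root,admin,user*
User may request the following commands using pbrun:
/sbin/shutdown * executes: /sbin/shutdown *
Additional Role Options:
Session Recording Enabled: yes
Role Order: 2
Name: ops
Commands will execute as user: root
User may request the following commands using pbrun:
/bin/rm * executes: /bin/rm -i $*
Additional Role Options:
Session Recording Enabled: no
"""  # constructed sample in the Level 4 report format, report header omitted
```

Feed it the output of pbdbutil --rbp -R -R -R -R (or pbrun -e 4) to run the same check over a live policy; Level 1 reports list commands as comma-separated lines without "executes:" and are not parsed here.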