Administration programs

This section describes the EPM-UL system administration programs and their options.

pbdbutil, pbadmin

• Version 8.5.0 and earlier: pbdbutil not available.
• Version 9.0.0 and later: pbdbutil available.

Starting with version 9, EPM-UL uses database files for the storage of all the normal configuration files and scripts, plus data storage for a range of new facilities. The utility pbdbutil provides a command line tool to maintain all of these databases.

ℹ️

Note

Due to the evolving nature of the pbdbutil command, the name changed to pbadmin. To assist in the transition a symbolic link called pbadmin is now automatically created for your convenience.

The command has global options that are used to carry out maintenance tasks on all databases, and more specific options that allow maintenance of specified databases. Each group of database options have their own usage/help.

Usage

pbdbutil [<options>] [ <file> <file> ...]

Global options

Authentication options

Info options

License maintenance and statistics options

Setting/Configuration/Key options

Role based policy options

Client registration profile options

Management event options

REST keystore options

Sudo policy database options

Registry name service database options

Database synchronization options

Registry name service cache options

File integrity monitor options

Event log cache options

IO log cache options

IO log queue options

Integrated product options

Write queue status options

Global options

Setting/Configuration options

These options provide methods to import, maintain and export the settings, configuration and key files that were traditionally kept in files in EPM-UL. These files can now be imported into a database which provide versioning and change management, methods to retrieve, update, and save settings and configuration across the enterprise in a secure manner using the EPM-UL REST services.

These options need to be specified after the --cfg option.

Usage

pbdbutil --cfg [<options>] [ <file> <file> ...]

Descriptions

License management options

ℹ️

Note

These options are not available on EPM-L clients.

As of version 10.0, License Management is centralized and can be carried out on the primary license server using the command pbadmin.

This command line administration tool provides methods to update the license string, to list summary statistics and to retire clients to free up licenses.

All of the commands that list statistics can be run from any server that provides a service. All commands that update the database, such as updating the license itself or retiring clients, should be run on the primary license server:

Example

pbadmin --lic -u '{ "PBULPolClnts":200, "SudoPolClnts":200, "RBPClnts":200, "ACAClnts":1, "AKAClnts":0, "FIMClnts":0, "SOLRClnts":1, "Owner":"My Company Corp", "Comment":"Standard License for My Company", "AutoRetire":7, "Recycle":7, "Expires":"2018-03-01 00:00:00", "Terminates":"2019-03-01 00:00:00", "HostId":"7faf7681-4d42-4b69-00bfdad93b4a3dfb", "HMAC":"UtGE3tD6qK2UwutY3GFOqodjdq30pEDAW2cKb5/OaMc="}'

This command updates the installation with the license string provided by BeyondTrust to a standard license.

Usage

pbadmin --lic [<options>] ...

Sample commands

Authentication credential cache options

These options allow users of pbdbutil to cache credentials to facilitate working with remote services.

Usage

pbdbutil --auth [<options>] [ <file> <file> ...]

Auth options

Information options

These options provide various information about the current system configuration or status.

Usage

pbdbutil --info [<options>]

Info options

Role based policy options

ℹ️

Note

These options are not available on EPM-L clients.

The Role Based Policy is held in multiple tables. Each table refers to an individual entity with attributes, and is referenced by unique entity ids. Each entity is then linked together into a role. When retrieving, updating, or deleting entities, either the name or id can be used. The command line utility pbdbutil with the option --rbp can be used to retrieve (-g), update (-u), or delete (-d) entities.

When updating, complete entities including all its attributes need to be defined. The REST API uses the same JSON format and parameters, and use GET, PUT and DELETE respectively. There are also a number pseudo-attributes that allow the retrieval of lists based upon the parent grouping, these are:

• usergrpname: list User Lists which correspond to the specified User Group
• hostgrpname: list Host Lists which correspond to the specified Host Group
• cmdgrpname: list Command Lists which correspond to the specified Command Group
• tmdategrpname: list Time/Date Lists which correspond to the specified Time/Date Group
• rolename: list all lists which correspond to the specified Role Group

Usage

pbdbutil --rbp [<options>] [ <file> <file> ...]

Example

Sample use of the pbdutil --rbp when rbptransactions is set to yes.

pbdbutil --rbp -b -m "<message>"``pbdbutil --rbp -i <file>``pbdbutil --rbp -c

Example

List all of the User Groups whose name matches ug*

pbdbutil --rbp -g '{ "usergrp" : { "name" : "ug*" }}'
[{"id":1,"ug1":"name","description":"desc","disabled":0,"single":0,"type":"I","ext info":null}]

Example

List the User Group whose id=1

pbdbutil -g '{ "usergrp" : { "id" : "1" }}'
[{"id":1,"ug1":"name","description":"desc","disabled":0,"single":0,"type":"I","ext info":null}]

Record entities

usergrp, userlist, hostgrp, hostlist, cmdgrp, cmdlist, tmdategrp, tmdatelist, role, roleusers, roleghost, rolecmds, roletmdates

Entities can be listed by attributes name and id, and entity specific attribute names rolename, usergrpname, hostgrpname, cmdgrpname, tmdategrpname.

Example

-g '{ "role" : { "name" : "*" }} ' Display all Roles
-g '{ "usergrp" : { "name" : "n*" }}' Display all User Groups which match "n*"
-g '{ "userlist" : { "name" : "usergrp1" }} ' Display group membership for usergrp by name
-g '{ "roleusers" : { "rolename" : "role1" }}' Display list of usergrps assigned to role
-g '{ "rolehosts" : { "id" : 1 }} ' Display list of hostgrps assigned to role id 1

Descriptions

User group examples

Host group examples

Command examples

Time/Date examples

Role examples

ℹ️

Note

For more information on the -bsetting in the Endpoint Privilege Management/etc/pb.settings configuration file, see Role Based Policy.

Client registration options

ℹ️

Note

These options are not applicable to EPM-L.

These options provide methods to create, maintain, export, and import role-based policies into EPM-UL, used with the --rbp option.

Usage

pbdbutil --reg [<options>] [ <file> <file> ...]

Client registration database options

These options provide methods to define and maintain Client Registration profiles, used to simplify the registration of hosts within the Endpoint Privilege Management enterprise.

"<-g|--get>" "{ param }"

Example

Retrieve Client Registration profile using the specified name:

-g ’{ "name" : "default" }

    {"type":"settings","fname":"/etc/pb.settings"}
    {"type":"certificate","to":"/etc/${prefix}pbrest.pem${suffix}"}
    {"type":"save","sname":"networkencryption"}
    {"type":"save","sname":"restkeyencryption"}
    {"type":"save","sname":"sslservercertfile"}
{"type":"save","sname":"sslserverkeyfile"}

"<-u|--update>" "{ param }"

Examples

Update the specified Client Registration profile:

-u ’{ "name" : "prof1", [{"type":"settings",
    "fname":"/etc/pb.mysettings"},
{"type":"save","sname":"networkencryption"} ]’

"<-d|--delete>" "{ param }"

Example

Delete the specified Client Registration profile:

-d ’{ "name" : "prof1" }’

<-l|--list>

List all the Client Registration profiles.

<-n|--new>

Create and initialize the Client Registration database.

RNS options

These options allow the maintenance and interrogation of the Registry Name Services.

Usage

pbdbutil --svc [<options>] [ <file> <file> ...]

Example

Recreate the Registry Name Service Database

# pbdbutil --svc -N --force

Example

List Service Groups from Registry Name Service Database

# pbdbutil -P --svc -l

Result:

{
    "svcgid": 1,
    "svcgname": "registry_name_svc",
    "svc": "registry",
    "updated": "2016-06-09 15:42:33",
    "deleted": 0
}
{
    "svcgid": 2,
    "svcgname": "dfl_pb_policy_svc",
    "svc": "pbpolicy",
    "updated": "2016-06-09 15:42:33",
    "deleted": 0
}
{
    "svcgid": 3,
    "svcgname": "dfl_log_svc",
    "svc": "logsvr",
    "updated": "2016-06-09 15:42:33",
    "deleted": 0
}
{
    "svcgid": 4,
    "svcgname": "dfl_sudo_policy_svc",
    "svc": "sudopolicy",
    "updated": "2016-06-09 15:42:33",
"deleted": 0
}

Example

List primary and secondary servers within the Service Groups

# pbdbutil -P --svc -l -l

Result:

{
    "svcgid": 1,
    "svcgname": "registry_name_svc",
    "svc": "registry",
    "updated": "2016-06-14 10:43:14",
    "deleted": 0,
    "svcs": [
{
    "svcgid": 1,
    "hostid": 1,
    "role": "primary",
    "created": "2016-06-14 10:43:14",
    "updated": "2016-06-14 09:43:14",
    "deleted": 0,
    "cn": "pbuild",
    "uuid": "969ecab2-93d8-4322-a8cf-6314457053bb",
    "fqdn": "pbuild",
    "addrs": [
    {
    "family": 4,
    "port": 24351,
    "addr": "192.168.16.138"
    }
    "tnlzone": 0
    }
    ]
    }
    {
    "svcgid": 2,
    "svcgname": "dfl_pb_policy_svc",
    "svc": "pbpolicy",
    "updated": "2016-06-14 10:43:14",
    "deleted": 0
    }
    {
    "svcgid": 3,
    "svcgname": "dfl_log_svc",
    "svc": "logsvr",
    "updated": "2016-06-14 10:43:14",
    "deleted": 0
    }
    {
    "svcgid": 4,
    "svcgname": "dfl_sudo_policy_svc",
    "svc": "sudopolicy",
    "updated": "2016-06-14 10:43:14",
    "deleted": 0
}

Example

Retrieve specified Service Group

pbdbutil --svc -g '{ "svcgname" : "registry_name_svc" }'

Result:

{"svcgid":1,"svcgname":"registry_name_svc","svc":"registry","updated":"2016-06-06 16:56:53","deleted":0}

Example

Retrieve Specified Host by "cn"

pbdbutil --svc -g '{ "cn" : "pbuild" }'

Result:

{"addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"cn":"pbuild","uuid":"969ecab2-93d8-4322-a8cf-6314457053bb","$

Example

Retrieve Specified Host by "uuid"

pbdbutil --svc -g '{ "uuid" : "969ecab2-93d8-4322-a8cf-6314457053bb" }'

Result:

{"addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"cn":"pbuild","uuid":"969ecab2-93d8-4322-a8cf-6314457053bb","$

Example

Retrieve Host Entry for the Primary of the Specified Service Group

pbdbutil --svc -g '{ "primary" : "registry_name_svc" }'

Result:

{"svcgid":1,"svcgname":"registry_name_svc","svc":"registry","updated":1465228621,"deleted":0,"hostid":1,"role":"primary","$

Example

Retrieve Host Information for Specified Host

pbdbutil --svc -L pbuild

Result:

{"fqdn":"pbuild","cn":"pbuild","uuid":"969ecab2-93d8-4322-a8cf-6314457053bb","addrs":[{"addr":"192.168.16.138","family":4,$

Example

List All Hosts

# pbdbutil -P --svc -L

Result:

{
"hostid": 1,
"cn": "pbuild",
"uuid": "969ecab2-93d8-4322-a8cf-6314457053bb",
"fqdn": "pbuild",
"addrs": [
{
"family": 4,
"port": 24351,
"addr": "192.168.16.138"
}
],
"tnlzone": 0,
"updated": 1465897394,
"deleted": 0
}
{
"hostid": 4,
"cn": "pbtest",
"uuid": "969ecab2-93d8-4322-a8cf-6314457053bf",
"fqdn": "pbtest",
"addrs": [
{
"family": 4,
"port": 24351,
"addr": "192.168.16.184"
}
],
"tnlzone": 0,
"updated": 1465898703,
"deleted": 0
}

Example

Add a Specified Host ("cn" Common Name and "uuid" Are Required)

# pbdbutil --svc -u '{ "cn" : "pbtest" , "uuid" : "969ecab2-93d8-4322-a8cf-6314457053bf" }'

Example

Add New Service Group

# pbdbutil --svc -u '{  "svcgname" : "foobar", "svc" : "logsvr" }'

Example

Add Host to Service Group

# pbdbutil --svc -u '{ "svcgname" : "foobar", "cn" : "pbtest" }'

Example

Delete Host

# pbdbutil --svc -d '{ "cn" : "pbtest" }'

Example

Add Host to Service Group as Primary Server

# pbdbutil --svc -u '{ "svcgname" : "foobar", "cn" : "pbtest", "role" : "primary" }'

Example

Delete Host When It Is a Primary

# pbdbutil --svc -d '{ "cn" : "pbtest" }'

4011.01 Host is a primary server. Please reassign primary before deleting host from service group, or use force on the $.

Example

Delete the Service Group

# pbdbutil --svc -d '{ "svcgname" : "foobar" }' --force

Example

Promote a Host That Is Currently a Secondary Server to a Primary Server

# pbdbutil --svc -p foobar pbtest

Management event options

These options provide methods to create, maintain, export, and import role-based policies into EPM-UL.

Usage

• pbdbutil --evt [] [ ...]
• -s { json param }: Search Management event records
• Record entities: hostname, evtname, service, by, severity, before/after/then progname, version, arch, taxonomy

Records can be searched using the above entities and are matched as wildcards.

Example

-s '{ "taxonomy" : "chgmgt" } 'Display all Change Management Events``-s '{ "taxonomy" : "chgmgt", "hostname" : "host1" } ' Display all Change Management Events for host1

Description

Example

Retrieve all change management events

-S '{ "taxonomy" : "chgmgt" }'
{"hostname" : "pbuild", "evtname" : "file_import", "service" : "pbdbutil9.0.0-01_debug", "who" : "ctaylor", "severity" : 16, "progname" : "pbdbutil9.0.0-01_debug", "version" : "9.0.0-01_debug", "arch" : "x86_64_ linuxA", "data" : {"msg" : "foo, bar", "fname" : "/opt/pbul/policies/pb.conf, conf","version" : 4, "sid" : 4995, "pid" : 31976, "uid" : 0}, "utc" : "2014-11-1109 : 19 : 28"}
{"hostname" : "pbuild", "evtname" : "tag_file", "service" : "pbdbutil9.0.0- 01_debug", "who" : "ctaylor", "severity" : 16, "progname" : "pbdbutil9.0.0- 01_debug", "version" : "9.0.0-01_debug", "arch" : "x86_64_linuxA", "data" :{"fname" : "/opt/pbul/policies/pb.conf", "tag" : "foo", "version" : -1, "sid" : 4995,"pid" : 31979, "uid" : 0}, "utc" : "2014-11-11 09 : 19 : 30"}

Example

Retrieve change management events for host1 only

-S '{ "taxonomy" : "chgmgt" , "hostname" : "host1" }'

REST keystore options

Usage

pbdbutil --rest [<options>] [ <file> <file> ...]

Database synchronization options

These options allow the interrogation of Database Synchronization status on primary servers.

Usage

pbdbutil --dbsync [<options>] [ <file> <file> ...]

Registry Name Service Cache Options

Each host has a Registry Name Service Cache that holds the Service Group information that is applicable to them.

These options allow the retrieval of information and options to re-initialize the Registry Name Service Cache database.

Usage

pbdbutil --scache [<options>] [ <file> <file> ...]

Elasticsearch credential management

The pbdbutil settings outlined here support Elasticsearch credential management.

The options available with the pbdbutil tool are also available in the EPM-UL REST API.

ℹ️

Note

For more information, see Elasticsearch Logstash API Calls.

Usage

pbdbutil --elkcred [<options>]

Test a credential

To test a credential independently of /etc/pb.settings, add the elkinstances JSON attribute, as shown here:

Example

# pbdbutil --elkcred -t '{"id": "elastic_token", "type": "token", "username": "jeff", \
"password": "<password>", "endpoint": "/_security/oauth2/token", \
"elkinstances": "elasticsearch=https://elksite.us-east-1.aws.found.io"}' -P
{
   "results": [
      {
         "token-request": {
            "url": "https://elksite.us-east-1.aws.found.io/_security/oauth2/token",
            "curlcode": "0 (No error)",
            "httpcode": "200 (OK)"
         },
         "test-request": {
            "url": "https://elksite.us-east-1.aws.found.io/?pretty",
            "curlcode": "0 (No error)",
            "httpcode": "200 (OK)"
         }
      }
   ]
}

The format of the elkinstances value is the same as it would be in /etc/pb.settings.

Use -P to make the output more readable. As is the case with an existing credential, an attempt to test a prospective credential of type token or apikey against a Logstash instance fails.

poldbg

ℹ️

Note

These options are not applicable to EPM-L.

Description

Policy language debugging can be enabled, disabled, and reviewed using the poldbg option.

With this command:

• List policy debugging entries to identify and resolve issues that may have occurred in a policy.
• Specify users whose policy is debugged, and specify the amount of time that debugging is enabled for that user and policy.
• Run pbrun command and review the debugging information.

ℹ️

Note

Policy debugging is only available for if statements and switch case statements.

Syntax

Run to list debugging policy entries.

--poldbg -l

Run to identity users who can debug entries. You can also designate how long the user has access.

--poldbg -u

Run to view and print a clean output of events for policy debugging in JSON-equivalent format.

pbadmin -P --evt -s '{taxonomy" : policydbg" }'

Run to view and print events for policy debugging in a CSV-type format.

pbadmin -C --evt -s '{taxonomy" : policydbg" }'

Example

pbadmin --poldbg -u rjones 2h

In this example, the user rjones is specifically allowed to debugging access for two hours.

Example

pbadmin -C --evt -s '{taxonomy" : policydbg", "rowid" : 3 }'

In this example, the events are going to be provided in a CSV-type format in which the information specifically in row three is expanded.

Integrated product options

These options provide options to configure the Integrated Products Queue database.

Usage

pbdbutil --intprod [<options>] [ <file> <file> ...]

Policy and log caching options

These options support the policy and log caching feature introduced in EPM-UL version 23.1.

Usage

pbdbutil --remotecache [<options>]

Options supported on a client

Options supported on a policy server

Example

List client policy versions in a human-friendly format.

pbdbutil --remotecache --list-versions -P

I/O logfile queue options

These options allow users to maintain the database that queues the I/O logfile names for indexing to ElasticSearch.

Usage

pbdbutil --iologidx[<options>]

When an iolog is started, pblogd (or pbmasterd) adds that iolog to the logfile queue with a pblogd_status of started and retry set to never. When the iolog file is closed in a normal fashion, the pblogd_status is set to finished. During the time that pblogd is active, it periodically sends a heartbeat.

When an iolog is not properly closed (pbrun killed or network issues, for example), the heartbeat is used with the iologactionqueuetimelimit keyword to artificially set the pblogd_status to finished, so that iolog can be processed for ElasticSearch or iologcloseaction.

When an iolog is being processed for ElasticSearch or iologcloseaction, the proc_status is set to processing. When ElasticSearch or iologcloseaction has successfully completed, the proc_status is set to finished. When ElasticSearch reports a recoverable error, or iologcloseaction returns -1, the iolog is re-queued by setting lastupdated to now, setting retry (now + iologactionretry minutes), and incrementing the retries.

Example

Delete all queued I/O log file names

pbdbutil –-iologidx -d \*

I/O logfile cache options

These options allow users to maintain the database that caches the I/O logfile names for use with BeyondInsight for Unix & Linux.

Usage

pbdbutil --iocache [<options>]

Display cached list of I/O log files:

Remove I/O log file entries from the logfile cache database:

-d '{param…}']

Where the { param… } argument is formatted JSON parameters:

• {"path":"pattern"}: glob wildcard for logfile path
• {"loghost":"host1"}: Filter by loghost name
• {"submithost":"host2"}: Filter by submithost name
• {"runhost":"host3"}: Filter by runhost name
• {" submituser":"user1"}: Filter by submituser name
• {"runuser":"user2"}: Filter by runuser name
• {"runcmd":"command"}: Filter by run command
• {"from":""}: Filter I/O logs created on or after this date/time
• {"to":"<yyyy-mm-dd HH:MM"}: Filter I/O logs created on or before this date/time
• {"start":}: Specify record offset (number) when limiting output
• {"len":}: Specify number of rows when limiting output

Migrate I/O log location cache database (Upgrades only):

-n [--force]

Migrates pre-v10.3.1 I O log location cache database to the new database configuration.

Migration is automatically done during an upgrade via pbinstall. Running this manually is typically not necessary unless circumstances prevented the automatic migration during the upgrade. The optional --force skips backup of the original/obsolete I/O log cache database if it already has been backed up by other methods.

Where the { param } argument is formatted JSON with parameters:

• "path":"pattern": glob wildcard for logfile path
• "loghost":"host2": loghost name
• "submithost":"host1": Filter by submithost name
• "runhost":"host1": Filter by runhost name
• "submituser":"user1": Filter by submituser name
• "runuser":"user1": Filter by submituser name
• "runcmd":"cmd": Filter by runcmd name
• "from":"": Filter by logfiles opened on or after this date/time
• "to":" HH:MM": Filter by logfiles opened on or before this date/time
• "start":: Specify record offset (number) when limiting output
• "len":: Specify number of rows when limiting output

File Integrity Monitor options

These options provide maintenance for the File Integrity Monitor database, and options for the client to run an integrity check.

Usage

pbdbutil --fim [<options>] [ <file> <file> ...]

Options for FIM client

Options for FIM server database management

Event logfile cache options

These options allow users to query and maintain the database that caches the event logfile names for use with BeyondInsight for Unix & Linux.

Usage

pbdbutil --evtcache [<options>]

Display cached list of event log files:

Where the { param } argument is formatted JSON parameters:

• {"path":""}: glob wildcard for logfile path
• {"runhost":""}: Filter by runhost name
• {"loghost":""}: Filter by loghost name
• {"from":""}: Filter by event logs active on or after this date/time
• {"to":"<yyyy-mm-dd HH:MM"}: Filter event logs active on or before this date/time
• {"start":}: Specify record offset (number) when limiting output
• {"len":}: Specify number of rows when limiting output

Remove event log file entries from the logfile cache database:

-d '{param…}'

Where the { param… } argument is formatted JSON parameters:

• {"path":"pattern"}: glob wildcard for logfile path
• {"loghost":"host2"}: Filter by loghost name
• {"from":""}: Filter event logs active on or after this date/time
• {"to":"<yyyy-mm-dd HH:MM"}: Filter event logs active on or before this date/time

Policy and log caching options

These options support the policy and log caching feature introduced in EPM-UL version 23.1.

Usage

pbdbutil --remotecache [<options>]

Options supported on a client

Options supported on a policy server

Example

List client policy versions in a human-friendly format.

pbdbutil --remotecache --list-versions -P

Write queue status options

Starting in EPM-UL 22.3, report on and summarize the content of write queue files using new options added to the pbadmin command. The files are created when the message router is offline or when write queue records cannot be written to a log server’s event log.

Usage

pbadmin --wqstatus [<options>]

Options

Examples

Example

pbdbutil --wqstatus -l

[root@dev-test ~]# pbdbutil --wqstatus -l /opt/pbul/msgrouter/wq_0003 -P
[
   {
      "file": "/opt/pbul/msgrouter/wq_0003",
      "created": "2022-09-02 14:01:22",
      "count": 2,
      "completed": 0,
      "pending": 0,
      "notprocessed": 2
   }
]

Example

pbdbutil –wqstatus -ll

[root@dev-test ~]# pbdbutil --wqstatus -ll /opt/pbul/msgrouter/wq_0003 -P
[
   {
      "file": "/opt/pbul/msgrouter/wq_0003",
      "created": "2022-09-02 14:01:22",
      "count": 2,
      "completed": 0,
      "pending": 0,
      "notprocessed": 2,
      "numaccept": 1,
      "numreject": 0,
      "numfinish": 1,
      "numkeystroke": 0,
      "numiologclose": 0,
      "numiologcache": 0,
      "records": [
         {
            "type": "event log",
            "length": 686,
            "wqstatus": "notprocessed",
            "event": "Finish",
            "uniqueid": "0a64a8e963120c883D37",
            "timestamp": "2022-09-02 14:00:52"
         },
         {
            "type": "event log",
            "length": 8615,
            "wqstatus": "notprocessed",
            "event": "Accept",
            "uniqueid": "0a64a8e963120ded3F1F",
            "timestamp": "2022-09-02 14:06:37"
         }
      ]
   }
]

Example

pbdbutil --wqstatus -T

[root@dev-test ~]# pbdbutil --wqstatus -T -P
{
   "files": 5,
   "records": 31,
   "completed": 0,
   "pending": 0,
   "notprocessed": 31,
   "numaccept": 19,
   "numreject": 0,
   "numfinish": 7,
   "numkeystroke": 0,
   "numiologclose": 3,
   "numiologcache": 2,
   "first": "2022-09-02 14:00:40",
   "last": "2022-09-02 14:36:31"
}

pbbench

The pbbench program tests installation and network configuration. If pbbench detects an error, an error message is printed to stdout. If no errors are detected, pbbench returns silently. pbbench generates a report that includes information about the tests that were performed, the results of the tests, and any errors that were encountered.

pbbench checks for very old versions of EPM-UL (prior to v2.0) by looking for /etc/pb.ports and /etc/pb.masters and reports a warning if these are found. The HTML GUI version of pbbench does not check for the EPM-UL pre-v2 files.

You can use the --skip-* options (such as --skip-inetd and --skip-logs) to prevent pbbench from performing those tests. However, the --skip-logs, --skip-gui, and --skip-sync options do not prevent pbbench from testing the connections to those hosts. To suppress the connection tests to these hosts, you must specify the --skip-connect option as well. This option suppresses connection tests for all host types.

To conduct connection tests only, use the -l (for log host connection tests) or -m (for policy server host connection tests) options. These options can be specified individually or together, for a single specified host name or IP address, or for all configured log hosts or policy server hosts. For both of these options, current output messages are skipped, and a single message is issued to stdout containing the version of the connected EPM-UL daemon (or connection failed). The exit status is zero if the specified host (or every configured policy server/log host) is successfully contacted. The exit status is non-zero if any policy server/log host cannot be contacted.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbbench [options]
    -e, --stderr
    -E, --errors
    -l, --logServerTest=[host_name|IP_address|SRV lookup|\`external program\`]
    -m,--masterServerTest=[host_name|IP_address|SRV lookup|\`external program\`]
    -V, --verbose
        --no-timeouts
        --skip-connect
        --skip-inetd
        --skip-old
        --skip-logs
        --skip-gui
        --skip-path
        --skip-shells
    --skip-sync
pbbench –v | --version
pbbench --help

Arguments

Files

• /etc/inetd.conf
• /opt/pbul/policies/pb.conf
• /etc/pb.key
• /etc/pb.masters
• /etc/pb.ports
• /etc/pb.settings
• /etc/pbmasters
• /etc/resolv.conf
• /etc/services
• /etc/syslog.conf
• /etc/xinetd.conf DNS
• mc NIS NIS+
• PBexternal pbrun
• SMF
  • Version 3.5 and earlier: Solaris SMF not supported.
  • Version 3.5.4 and later: Solaris SMF supported.

Example

Run pbbench redirect output to the file pbbench.output rather than standard error:

pbbench > pbbench.output

📘

For more information, see pbcheck, pbsync, pbsyncd.

pbcall

The pbcall program is used for two purposes. To test, on the local machine, what a given function call would do, and to allow an Endpoint Privilege Management for Unix and Linux policy language function to be executed from the command line.

Syntax

pbcall –policy-function-name args …

Arguments

Files

None

Example

Using the stat() function:

pbcall –stat /etc

This command returns, on the screen, the results of a call to the stat call. Using this program from an EPM-UL session, you can execute a command such as:

list = system("/usr/local/bin/pbrun –h "+submithost+
" /usr/local/bin/pbcall –stat /etc");
statresult = split(list,",");

This command gives the same results as:

statresult = stat("/etc")

except that it is executed on the local machine as opposed to the policy server host. Multiple EPM-UL functions can be called at the one time:

pbcall –gethome user1 –getname user1

The output is put on different lines.

Lists need to be specified within quotation marks. For example:

pbcall –search "{a,b,c}" a

Strings can be quoted using single quotation marks or double quotation marks.

pbcheck

The pbcheck program processes a policy file and produces a report of syntax or language problems, or an entitlement report. The policy server daemon (pbmasterd) reports any policy file errors to a log file; however, pbcheck should be used to detect errors before you install a policy file on a live system.

With no options, pbcheck performs a run-check on the policy file that is specified in your settings file.

ℹ️

Note

The -c option to check licenses has been retired. Use pbadmin --lic -l for this purpose.

With the -e option, pbcheck produces an entitlement report in CSV format. The output data contains the columns submithost, user, command, argv, runhost, runuser, runcommand, and runargv. When a field has no value, the entitlement report displays an empty string for that field.

The policy file must first be syntactically correct, so you should run pbcheck to check the policy syntax before running pbcheck -e. Because pbcheck -e processes the policy without arguments, you should ensure that the logic of the policy works even if no argument is passed to it.

With the -U, -C, or -H options, pbcheck produces a formatted text entitlement report that is sorted by user, command, or host, respectively. If more than one of these options is specified, then each of the reports is produced, one after the other. Using the -x or --csv2 option, you can export the entitlement data to Microsoft® Excel CSV format.

In CSV format, the resulting data is presented as comma-separated values and contains ASCII-formatted information for the following (in this order):

• Submit host
• User
• Command
• Argv
• Accept/reject/error text
• Run host
• Run user
• Run command
• Run argv
• Iolog (yes/no): Not displayed when detail level is low
• Policy file name: Not displayed when detail level is low
• Policy line number: Not displayed when detail level is low
• Policy Server host: Displayed only when detail level is high
• Dependencies: Displayed only when detail level is high
• Constraints: Semi-colon separated. Displayed only when detail level is high

The fields displayed in this format are displayed as empty quotation marks ("") if they were not specified in the policy; this means they could be any value.

If a field contains Can not evaluate soft … expression in the output, it means the policy was setting the corresponding variable to a value that can be evaluated only at runtime (when running pbrun), such as argv, date, time, and so on.

With the option -H, each submit host is displayed on the top, followed by as many lines as necessary containing the other fields in the same order as above (except the submit host field).

Example

Host: <submithost>
<submitUser> <command> <argv> <Accept/Reject/Error Text> <runHost> <runUser>
   <runCommand> <runArgv> <iolog> <policyName> <policyLineNumber> <masterHost>
   <dependency> <constraints>

With the option -U, each user is displayed on the top, followed by as many lines as necessary containing the other fields in the same order as above (except the user field).

Example

User: <user>
<submitHost> <command> <argv> <Accept/Reject/Error Text> <runHost> <runUser>
   <runCommand> <runArgv> <iolog> <policyName> <policyLineNumber> <masterHost>
   <dependency> <constraints>

With the option -C, each command is displayed on the top, followed by as many lines as necessary containing the other fields in the same order as above (except the command field).

Example

Command: <command>
<submitHost> <submitUser> <argv> <Accept/Reject/Error Text> <runHost>
   <runUser> <runCommand> <runArgv> <iolog> <policyName> <policyLineNumber>
   <masterHost> <dependency> <constraints>

The fields displayed in -H, -U, and -C are displayed as if they were not specified in the policy, and means they could have any value.

The fields iolog, policyname, and policyLineNumber are not displayed if detail level is low, and the fields masterhost, dependency, and constraints are displayed only when detail level is high.

The entitlement report mechanism uses a temporary work file before creating the final report. This temporary file is created in the $TMPDIR directory. If the TMPDIR environment variable is not set (or is set to /tmp/), the workfile is written in the /tmp directory.

ℹ️

Note

Temporary files that are owned by root in /tmp are a potential vulnerability. We recommend you set TMPDIR=/var or some other appropriate directory where normal users do not have write access.

Policies that use looping constructs which modify the iterating variable within the loop do not work correctly. Policies that test the contents of argv or runargv may produce incomplete results.

Policies that use data that is known only at an actual run-time (such as the date and argv variables) produce incomplete results. In these cases, warnings and errors use the term soft when referring to variables that cannot be fully evaluated.

If a policy contains conditions that are based on external data sources or on external files that are generated at run time, the entitlements are evaluated as if the conditions are true. The last column (displayed when the --detail option is set to High), Constraint, shows that each row is displayed when a condition is accepted. For example, if the policy checks whether a user belongs to a certain netgroup before accepting the command, the report shows the command for this user as accepted; the Constraint field shows the condition that the user belongs to the netgroup. At runtime, a particular user listed in the report might actually not be part of that netgroup, and therefore gets rejected.

The constraint option enables you to limit the report by using any valid EPM-UL policy language expression.

Example

-c "user=='dba'" -c "host in {'A', 'B'}"

This limits the report to dba privileges on hosts A and B.

Most user defined functions are not properly processed for entitlement reporting.

pbcheck evaluates a limited set of functions in a constraint when those functions are used against the output variables submithost, user, command, runhost, runuser, and runcommand. The supported functions are basename(), tolower(), and toupper().

Examples of constraints whose function calls are evaluated are:

• basename(command) in Allowed_Cmds
• tolower(user) in Allowed_Users
• toupper(submithost) in Allowed_Hosts

All other functions are not evaluated, and do not show actual values for the affected output field.

Example

The following policy does not produce specific values in the command field:

gsub("^.*/", "", command) in Allowed_Cmds

It does, however, insert that whole constraint in the command field for informational purposes.

ℹ️

Note

The -b (--nobasename) option for pbcheck has been deprecated because pbcheck now evaluates the basename() function.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbcheck [options] [command [arguments]]
   -f, --file=file_name
   -h, --host=host_name
   -r, --run
   -s, --syntax
   -t, --type
   -x, --csv2
   -p, --policydir=directory
   -L, --showlists[=listname [,listname]...]
   -S, --showduplicates
pbcheck [options] [-c constraint [-c constraint]...] [command [arguments]]
   -f, --file=file_name
   -p, --policydir=directory
      -e,--entitlement [=abridged|standard|extended| exhaustive]
      -b, --nobasename
      -l, --uselistnames[=columnname[,columnname]...]
   --maxchildren <number>
   --maxloopchildren <number>
   -U, --user_report
   -H, --host_report
   -C, --command_report
   -D, --detail[=low|medium|high]
   -d, --display_headers
   -A, --accepted
   -R, --rejected
   -I, --rejected_implicit
   -c, --constraint=expression
   -x, --csv2
pbcheck -v | --version
pbcheck --help

Arguments

Files

EPM-UL policy file

Example

Perform a syntax check of the user-specified configuration file pb.mainconfig located in /etc

pbcheck –f /etc/pb.mainconfig

📘

For more information, see pbkey, pblocald, pbmasterd, pbpasswd, pbprint, pbreplay, pbsum.

pbencode

pbencode reads a file and encrypts it using the encryption key that is specified on the command line or in the settings file. The encrypted result is displayed on the standard output.

⚠️

Important

pbencode should be used only on files that are backed up. There is no way to decrypt a file after it has been encrypted.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbencode [options]
   -f, -–file=file_name
   -E, --encryptiontype=policy|report|settings
pbencode –v | --version
pbencode –h | --help

Arguments

Files

The files used may appear on the command line.

Example

pbencode -f /opt/pbul/policies/pb.conf -E policy > /etc/pb.conf.enc

Encodes the policy file with the encryption type and key that is specified in the settings file and places the result in /etc/pb.conf.enc.

📘

For more information, see pbkey.

pbkey

The pbkey program generates an encryption key that is suitable for any of the Endpoint Privilege Management encryption algorithms and stores it in a file that is specified on the command line or in the settings file. If pbrun, pbmasterd, or pblocald find the file /etc/pb.key, then they use it to encrypt data that is sent to the other programs.

If encryption is used, then the EPM-UL programs use the key that is specified in the settings file to encrypt local data and network traffic.

For network traffic, the contents of this file must be the same on all machines that are running EPM-UL for requests to execute. The file should be owned by root and have permissions set so that only root can read or write the file.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.
• Version 8.5 and later: -F option added.

pbkey [options]
    -f, --keyfile=key_file_name
-F, --seckeyfile=key_file_name
pbkey –v | --version
pbkey –h | --help

Arguments

Files

Example

Executing the command generates a new key and puts it into the file /etc/pb.key:

pbkey /etc/pb.key

📘

For more information, see pbcheck, pblocald, pbmasterd, pbpasswd, pbreplay, pbsum.

pbless

Version 4.0.0 and later: pbless setting available.

The pbless pager is similar to the less pager. It has been modified so that it can be used securely with the Endpoint Privilege Management for Unix and Linux programs. Security is enhanced by the following features:

• pbless must be started with a full path name specified for the file to be read.
• The user cannot access any files other than the one that is specified at startup time.
• The user is not allowed to spawn any processes.

This program, when used in conjunction with Endpoint Privilege Management for Unix and Linux, allows users to access a specific file as root but not to access other root functions.

Syntax

pbless fullpathname

Arguments

fullpathname

File to display

Files

None

Example

Display the contents of the file called filename:

pbless filename

📘

For more information, see pbrun.

pblocald

pblocald is the local daemon that runs programs, when instructed, by the appropriate policy server daemon. A socket-listener process (typically inetd, xinetd, Solaris SMF, or pblocald -d) starts pblocald. pblocald checks the command line arguments (-m or --accept_masters), the acceptmasters setting in the settings file, or the netgroup pbacceptmasters to determine the policy server hosts from which it accepts requests.

Requests from policy server daemons that are not in this list are refused. pblocald logs all diagnostic messages in the log file that is specified by the -e command line argument or by the pblocaldlog setting.

Changes that are made to the pb.settings file after the pblocald daemon is started will not affect the operation of the daemon. If you change the pb.settings file, then you must restart the daemon for the changes to take effect. If you do not restart the daemon, then the daemon continues to operate using a snapshot of the pb.settings file that was cached at the time the daemon was started.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pblocald [options]
   -a, --syslog_accepts
   -m, --accept_masters=host_list
   -d, --daemon
   -D, --debug=<level>
   -e, --error_log=log_file_name
   -f, --foreground
   -i, --info <argument placeholder characters>
   -p, --port=port_number
   -s, --syslog
   -V, --check_version
pblocald –v | --version
pblocald --help

Arguments

Files

The /etc/pb.settings file that contains a list of valid acceptmasters hosts.

📘

For more information, see pbcheck, pbkey, pbmasterd, pbpasswd, pbreplay, pbrun.

pblog

The pblog program selectively displays entries from an event log. Each time a job is accepted, rejected, or completed, or a keystroke action event occurs, an entry is appended to the event log file. The event log file is specified by the “authevt=” label in eventdestinations setting or the eventlog setting in the settings file, or by the eventlog variable in the EPM-UL policy file. By default, the eventlog variable is set to /var/log/pb.eventlog, /usr/log/pb.eventlog, /var/adm/pb.eventlog, or /usr/adm/pb.eventlog, depending on the operating system.

With no command line arguments, pblog reads and displays all entries in the default event log file. You can specify a different event log with the -f or --eventlog argument. You can specify a decryption key file with the -k or --keyfile argument.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pblog [options]
    -a, --accept_format=expression
    -c, --constraint=expression
    -d, --dump
    -e, --finish_format=expression
    -f, --eventlog=file name
     --db
        --ff
        --odbc
    -i, --keystroke_format=expression
    -k, --keyfilefile_name
    -l, --verbose
    -o, --dbout=file name>
    -O, --odbcout=<dsn>
       -D, --diff
    -p, --all_formats=expression
    -q, --quiet
    -r, --reject_format=expression
    -t, --tail
pblog –X|--xml [options]
    -c, --constraint=<expression>
    -F, --field_list=field_names
    -f, --eventlog=file_name
    -k, --keyfile=file_name
pblog –C|--csv[options]
    -c, --constraint=expression
    -F, --field_list=field_names
    -f, --eventlog=file_name
    -H, --csv_header
    -k, --keyfile=file_name
    -S, --csv_separator
pblog  -J, --json  
-P, --pretty
pblog –v|--version
pblog --help

Arguments

📘

For more information about syntax to specify multiple encryption algorithms and files, see eventlogencryption.

Default output expressions

Accept Dump:

sprintf('%s %s %s %s %s@%s -> %s@%s\\n\\t%s', uniqueid, event, date, time, user, submithost, runuser, runhost, join(runargv))

Reject Dump:

sprintf('%s %s %s %s %s@%s\\n\\t%s', uniqueid, event, date, time, user, submithost, join(argv))

End/Finish Dump:

sprintf('%s %s %s', uniqueid, event, exitstatus)

Accept:

sprintf('%s %s %s %s@%s -> %s@%s\\n\\t%s\\n\\t%s', event, date, time, user, submithost, runuser, runhost, join(runargv), exitstatus)

Reject:

sprintf('%s %s %s %s@%s\\n\\t%s', event, date, time, user, submithost, join(argv))

End/Finish:

sprintf('%s %s %s', uniqueid, event, exitstatus)

Keystroke:

sprintf('%s %s %s %s %s', event, keystrokestatus, keystrokedate, keystroketime, keystroke)

Read an event log

Example

If pb.settings file has:

#eventdestinations
eventlog /var/log/pb.eventlog

pblog with no arguments reads the flat file event log specified in the eventlog setting:

# pblog

Example

If pb.settings file has:

eventdestinations    authevt=db
eventlog    /var/log/pb.eventlog.db

pblog with no arguments reads the SQLite DB event log specified in the eventlog setting:

# pblog

Example

Read a SQLite DB event log whose path is specified in the event log setting:

# pblog

Example

Read a specific SQLite DB event log:

# pblog -f /path/to/mypb.eventlog.db --db

Example

Read a specific flat file event log

# pblog -f /path/to/mypb.eventlog.flat --ff

Example

Read an ODBC type event log:

# pblog -f  MyDSN --odbc

In this case, odbc.ini and odbcinidir files located in the directory specified in odbcinidir setting (default /etc/pbul/etc) will be read to get the connection information to the MySQL or Oracle database.

📘

For more information, see the default values listed in eventlog.

Copy event log records

If multiple targets for authorized events are defined in eventdestinations, or if you want to copy event log records from one event log file to another, the options -o (output to SQLite database) or -O (output to ODBC database) can be used. This only copies the event log records with a uniqueid that does not exist in the destination.

Example

Copy from a flat file to a SQLite database:

# pblog --ff -f /var/log/pb.eventlog.flat -o /var/log/pb.eventlog.db

Example

Copy records from a flat file to the ODBC database:

# pblog --ff -f /var/log/pb.eventlog.flat -O MyDSN

Where MyDSN is the ODBC Data Source Name whose connection information to the MySQL or Oracle database is configured in the odbc.ini/odbcinst.ini files (see odbcinidir setting).

Example

Copy records from a SQLite database to the ODBC database:

# pblog --db -f /var/log/pb.eventlog.db -O MyDSN

Where MyDSN is the ODBC Data Source Name whose connection information to the MySQL or Oracle database is configured in the odbc.ini/odbcinst.ini files.

📘

For more information, see odbcinidir.

Report difference between event log destinations:

If multiple event destinations were used, and you want to report on records that might be in one destination but not another, you can use -o, -O with -D option:

Example

Report differences between event log records in a flat file versus a SQLite database:

# pblog --ff -f /var/log/pb.eventlog.flat -o /var/log/pb.eventlog.db -D
uniqueid,etype,epoch
ac1420215df2ac3604C5,Reject,2020/02/20 13:08:06
ac1420215df2ac3604C7,Accept,2020/02/20 13:08:06
ac1420215df2ac3604C7,Finish,2020/02/20 13:08:54
ac1420215df2ac3704C9,Accept,2020/02/20 13:08:07
ac1420215df2ac3704C9,Finish,2020/02/20 13:08:55

Example

Report differences between event log records in a flat file versus a MySQL database:

# pblog --ff -f /var/log/pb.eventlog.flat -O MyDSN -D
uniqueid,etype,epoch
ac1420215df2ac3604C5,Reject,2020/02/20 13:08:06
ac1420215df2ac3604C7,Accept,2020/02/20 13:08:06
ac1420215df2ac3604C7,Finish,2020/02/20 13:08:54
ac1420215df2ac3704C9,Accept,2020/02/20 13:08:07
ac1420215df2ac3704C9,Finish,2020/02/20 13:08:55

Example

Report differences between event log records in a SQLite database versus an Oracle database:

# pblog --db -f /var/log/pb.eventlog.db -O oracle -D
uniqueid,etype,epoch
ac1420215df2ac6d04EC,Reject,2020/02/20 13:09:01
ac1420215df2ac6d04EE,Accept,2020/02/20 13:09:01
ac1420215df2ac6d04EE,Finish,2020/02/20 13:09:49
ac1420215df2ac6d04F1,Accept,2020/02/20 13:09:01
ac1420215df2ac6d04F1,Finish,2020/02/20 13:09:49

Dumping records in JSON format

Starting with v10.3.0, the option -J has been added to display the event log records in JSON format. Combine with -P to enhance readability.

Example

# pblog --db -f /var/log/pb.eventlog.db -J -P

📘

For more information, see pbmasterd.

pblogd

pblogd is the log server daemon that records event and I/O logs as directed by other Endpoint Privilege Management for Unix and Linux programs. A socket-listener process (typically inetd, xinetd, or pblogd -d) starts pblogd.

Changes that are made to the pb.settings file after the daemon is started do not affect the operation of the daemon. If you change the pb.settings file, then you must restart the daemon for the changes to take effect. If you do not restart the daemon, then the daemon continues to operate using a snapshot of the pb.settings file that is cached at the time the daemon is started.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pblogd [options]
   -a, --syslog_accepts
   -d, --daemon
   -D, --debug=<level>
   -e, --error_log=log_file_name
   -f, --foreground
   -i, --info <argument placeholder characters>
   -p, --port=port_number
   -r, --syslog_rejects
   -s, --syslog
pblogd –v | --version
pblogd --help

Arguments

Files

📘

For more information, see pbcheck, pbkey, pbmasterd, pblocald, pbpasswd, pbreplay, pbrun, pbsum.

pblogarchive

• Version 8.5 and earlier: pblogarchive not available.
• Version 9.0 and later: pblogarchive available.

pblogarchive is the log archiving utility that can archive I/O logs and event logs from the original logserver onto an archive host.

It is installed on hosts configured as log servers and policy servers. It must be called from a host containing the event logs or I/O logs to be archived.

You must be logged in as root to use pblogarchive.

Syntax

pblogarchive [options]
   -e, --eventlog [filepathname]
   -E, --eventlogbase "<shell pattern>"
   -i, --iolog <filepathname>
   -I, --iologbase "<shell pattern>"
   -s, --serverinfo <archivehost>
   -l, --list[e|i]
pblogarchive -v | --version
pblogarchive -h | --help

Arguments

Example

Archives the event log named by the eventlog setting in pb.settings:

pblogarchive -e

Example

Archives a specific event log:

pblogarchive --eventlog=/var/log/my90pb.eventlog_20150512_161106

Example

Archive multiple event logs using a filename shell pattern:

pblogarchive -E "/var/log/my90pb.eventlog_2015*"

Example

Archive a specific I/O log:

pblogarchive -i /var/log/iolog/my90iolog.7ZSa1y

Example

Archive multiple I/O logs using a filename shell pattern:

pblogarchive -I "/var/log/iolog/my90iolog.7*"

Example

Archive an event log to a specific archive host (override settings file):

Example

List event log location as recorded by the log tracking database:

#pblogarchive -le

List of Event Logs:

Orig_Logserver,Date_Created_UTC,Date_Archived_UTC,Orig_Path,Current_Host,Current_Path

dev-erolnd-01.unix.ca.com,2015-05-2802:49:21,-,/var/log/ABCac90pb.eventlog,dev-erolnd-01.unix.ca.com,/var/log/ABCac90pb.eventlog

dev-erolnd-01.unix.ca.com,2015-05-28 02:48:00,2015-05-28
02:48:00,/var/log/ABCac90pb.eventlog,dev-erolnd-01.unix.ca.com,/var/log/ABCac90pb.eventlog_20150527_194800

dev-erolnd-01.unix.ca.com,2015-05-28 02:43:01,2015-05-28
02:44:34,/var/log/ABCac90pb.eventlog,dev-erolnd-01.unix.ca.com,/opt/ARCHIVELOGS3/eventlog/dev-erolnd-01.unix.ca.com/ABCac90pb.eventlog_20150527_194433

Example

List I/O log location as recorded by the log tracking database:

# pblogarchive -li

List of IO Logs:

Orig_Logserver,Date_Created_UTC,Unique_Id,Partial_Id,Orig_Path,Current_Host,Current_Path
dev-erolnd-01.unix.ca.com,2018-09-18 18:25:53,ac1420205ba1435717DE,1,/var/log/pbsudo/dev-eolog-08.unix.ca.com/pbsudo.iolog.kAWJLT,dev-erolnd-02.unix.ca.com,/opt/iolog/dev-eolog-08.unix.ca.com/testuser/20180918/pbsudo.iolog.kAWJLT.ac1420205ba1435717DE

pbmasterd

The policy server daemon, pbmasterd, is the EPM-UL decision-maker. pbmasterd receives secured task requests from pbrun, pbksh, and pbsh and evaluates them according to the policy that is written in the configuration file that is specified in the settings file or /opt/pbul/policies/pb.conf. If the request is accepted, then pbmasterd directs either the client or pblocald to run the request in a controlled account such as root.

Policy server daemons should reside on a secure machine and are started from a socket-listener process (typically inetd, xinetd, or pbmasterd).

pbmasterd expects to find the configuration file in the policyfile setting in the settings file (default /opt/pbul/policies/pb.conf) on the host where pbmasterd resides. There may be more than one policy server daemon on different hosts for redundancy or to serve multiple networks.

pbmasterd logs all diagnostic messages in a log file that is specified by the pbmasterdlog setting or the -e command line argument.

Changes that are made to the pb.settings file after the daemon is started do not affect the operation of the daemon. If you change the pb.settings file, then you must restart the daemon for the changes to take effect. If you do not restart the daemon, then the daemon continues to operate using a snapshot of the pb.settings file that was cached at the time the daemon was started.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbmasterd [options]
   -a, --syslog_accepts
   -d, --daemon
   --disable_optimized_runmode
   -D, --debug=<level>
   -e, --error_log=log_file_name
   -f, --foreground
   -i, --info <argument placeholder characters>
   -p, --port=port
   -r, --syslog_rejects
   -s, --syslog
   -V, --check_version
pbmasterd –v | --version
pbmasterd --help

Arguments

Files

/opt/pbul/policies/pb.conf (EPM-UL configuration file.)

📘

For more information, see pbcheck, pbkey, pblocald, pbpasswd, pbprint, pbreplay, pbrun, pbsum, Enable Debug Trace Logging for pbsh and pbksh.

pbmg

Version 4.0.0 and later: pbmg setting available.

The pbmg editor is similar to the mg editor. mg is a small version of GNU emacs with GNU-style emacs key bindings. The pbmg version has been modified so that it can be used securely with the Endpoint Privilege Management for Unix and Linux programs. Security is enhanced by the following features:

• pbmg must be started with a full path name specified for the file to be opened.
• The user cannot access any files other than the one that is specified at startup time.
• The user is not allowed to spawn any processes.

This program, when used with EPM-UL, allows users to access a specific file as root, but not other root functions or files.

Syntax

pbmg fullpathname

Arguments

Files

None

Example

Displays the contents of the fullpathname file for editing.

pbmg fullpathname

📘

For more information, see pbrun.

pbnvi

Version 4.0.0 and later: pbnvi setting available.

The pbnvi editor is similar to the standard vi editor. It is modified so it can be used securely with the EPM-UL programs. The user cannot access any files other than the ones that are specified at startup time. The user is also not allowed to spawn any processes.

This program, when used with EPM-UL, can allow users to access a specific file as root, but not access other root functions or files.

The edited file is written back to the same path. If this path has been changed by an external process, then the file is written to the new location to which the path now refers. Whenever pbnvi is run from Endpoint Privilege Management for Unix and Linux, the arguments should be checked to ensure that the user could not change the path and introduce a security hole.

Syntax

pbnvi fullpathname

Arguments

Files

None

Example

Display the contents of the fullpathname file for editing:

pbnvi fullpathname

📘

For more information, see pbrun.

pbpasswd

Version 10.3.0: pbpasswd deprecated. pbpasswd functionality is supported through the pbadmin program.

pbpasswd generates an encrypted password that can be used by the getstringpasswd() function in the configuration file. When you run pbpasswd, specify a password with the -i option or provide it on standard input. If standard input is a tty, then the program asks you to type the password twice; otherwise, it reads the raw password from standard input.

The program then writes the encrypted version of the password to the file that is specified by the -o option, or prints it on standard output.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbpasswd [options]
   -i, --password=password
   -o, --output=filename
pbpasswd –v | --versions
pbpasswd --help

Arguments

Files

None

Example

Encrypts the string FELIX and place the encrypted result in the file /tmp/pbpasswd.out:

pbpasswd –i FELIX –o /tmp/pbpasswd.out

Example

In this example, the string FELIX is hashed and displayed. The first line shows the command that was entered and the second line shows the hashed string.

pbpasswd –i FELIX
0123m68dg5.87

Example

This example prompts for a new password, encrypts it, and displays the result in the standard output. The first line shows the command tat was entered, and the next two lines prompt for the password and prompt for the password to be retyped. The final two lines display the result of the hashed string.

pbpasswd
Enter Password:
Retype Password:
The encrypted password is:
4567j68gf5.88

📘

For more information, see pbcheck, pbmasterd, pbrun.

pbping

• Version 6.2 and earlier: pbping not available.
• Version 7.0 and later: pbping available.

The pbping program is BeyondTrust Endpoint Privilege Management’s client connectivity health check utility. pbping, run from a policy server daemon, checks connectivity to licensed clients’ pblocald daemon. When run without options, pbping checks connectivity to all licensed clients.

Syntax

pbping [options]
   -h, --host host_name|IP_address
   --csv
pbping -v, --version
pbping --help

Arguments

Files

None

Example

Checks the status of all client hosts and return the results in comma-separated values format:

pbping --csv

Example

Checks the status of host1:

pbping -h host1:

📘

For more information, see pbcheck, pblocald, pbmasterd.

pbprint

The pbprint program is used to format a configuration file. It reads the specified file and sends the formatted information to standard output. pbprint ignores incoming white space and places white space, indentation, and line breaks in the appropriate places. Except for line breaks that are added at the ends of statements, the program attempts to preserve line breaks from the original file as much as possible.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbprint [options]
   -f, --input=file_name
pbprint –v | --version
pbprint --help

Arguments

Files

None

Example

Print the policy file:

pbprint

ℹ️

Note

If the installation is prefixed and/or suffixed, then the prefixed and/or suffixed configuration file is printed.

Example

Print the policy file at the specified path:

pbprint -f <pathtofilename>

Example

Print the policy file at the specified path:

pbprint --input=<pathtofilename>

📘

For more information, see pbcheck.

pbregister

Registers an EPM-UL client or secondary server to the primary license server.

The command line utility provides a method of retrieving default configuration and required data files from the primary license server to aid the initial install of the service.

ℹ️

Note

Pbregister is primarily used by Endpoint Privilege Management for Unix and Linux installer. We highly recommend that its direct use should be made under the guidance of BeyondTrust Technical Support.

Syntax

• Version 9.0 and earlier: pbregister options not supported.
• Version 10.0.1 and later: pbregister options supported.

Usage

pbregister <options...>

Arguments

pbreplay

pbreplay replays the contents of an I/O log file for an active or completed session.

If you set the iolog variable to a unique path name in a policy file, then EPM-UL logs all of the input and output from the secured task to an I/O log file.

The input and output for the secured task can be logged to a file in /usr/adm with a file name, such as pb.jqpublic.ksh.a05998, that can be examined later using pbreplay. The name of the I/O log is a unique temporary file name that is generated by the logmktemp() function in the configuration file.

Example

This is an example of such a filename:

iolog=mktemp("/usr/adm/pb." + user + . + basename(command) +".XXXXXX");

ℹ️

Note

EPM-UL sets the permissions on the I/O log file so that only root can read the file. No other user can examine the contents of the I/O log files. You must be logged in as root to use pbreplay on these files. You can also use EPM-UL to delegate this privilege to the appropriate people.

Starting in version 9.4.0, when a user requests to replay an archived IO log, pbreplay makes a REST GET request for a copy of the archived logfile from the Log Archive Storage Server. The copy of the file is saved to a temporary file for use by pbreplay. When pbreplay exits, this temporary file is removed.

pbreplay has four main ways of replaying an iolog:

• Interactively: The viewer interactively controls the speed of viewing the iolog.
• Raw: The entire iolog is replayed at computer speed. The raw terminal control codes are interpreted by the terminal (resulting in visually correct output that is not easily searched via grep).
• Processed: The entire iolog is replayed at computer speed. The terminal control codes are interpreted by pbreplay (resulting in output that is searchable).
• Policy variables: The values of EPM-UL policy variables are printed.

Interactive syntax

pbreplay [ -ao | -ax ] [ -h ] [ -t <date format> ] <iolog filename>

Raw syntax

pbreplay <[ -I | -i | -o | -e ]> [ [-ao | -ax | -am ] ] [ -h ] [ -m ] [ -t <date format> ]

Processed syntax

pbreplay -O [--regex <regex expression> [--ignore-case ] [ -c <constraint expression> ] [ -p <format expression> ] ] <iolog filename>

pbreplay -O [--regex <regex expression> [--ignore-case ] [ -c <constraint expression> ] [ -p <format expression> ] --files <glob pattern>]

Solr or Elasticsearch indexing syntax

ℹ️

Note

As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.

pbreplay -X [-T]
pbreplay -Z [-T]

Policy variable only syntax

pbreplay -av <iolog filename>

The -O option by itself produces searchable output by processing the terminal control codes in a virtual screen, then produces output based on that virtual screen. This feature is intended to search shell sessions delegated by pbrun, for shell command entries. Searching for data within a CURSES application is not supported. The goal of being able to search for shell commands that the user enters is problematic. stdin is not used, since it can contain shell history recall and editing commands that the shell can process, but for which Endpoint Privilege Management has no context. This mechanism works on the stdout data stream which should normally contain the resulting command with editing completed. This is easily defeated, however, by turning echo off.

This has several limitations:

• This means that the output has newline characters when the screen width is reached, which does not accurately represent a shell command entry that wraps across the screen from one line to the next.
• Typeahead is another problem. If the user begins typing the command before the shell prompt is output, the first few characters of the command entry are not contiguous with the rest of the command.
• Termcap data for a given terminal is actually different across different platforms. For example, the vt100 left arrow is very different between Solaris and HP-UX. It may be necessary to replay I/O logs on the same operating system as they were generated from.
• Large window sizes require more memory and processing time.
• For I/O logs that have no TERM environment variable (cron jobs, for example), the xterm TERM is used.
• Terminal commands that do not directly affect the screen data or the cursor position are ignored (for example: reverse video, dim, bright, blinking, underlined).

Given the limitations, this output is suitable for processing via grep, awk, perl, etc. If initial searches fail to find the offending pattern, try searches allowing for typeahead, and try searching for commands that turn echo off.

The --regex option enables built-in searching via the standard regcomp mechanism.

This uses POSIX Extended Regular Expression syntax. Substring addressing of matches is not supported. The match-any-character operators don't match a newline. The match-beginning-of-line operator (^) matches the empty string immediately after a newline, and the match-end-of-line operator ($) matches the empty string immediately before a newline.

ℹ️

Note

Since this feature works on output (not stdin), the beginning of line for command entry is typically a shell prompt.

The following options require both -O and --regex:

• --ignore-case: Ignores case during the regex comparison.
• -c : Allows the search to be limited to I/O logs whose policy variables meet the criteria specified in the constraint expression (for example, the search can be limited to I/O logs for a specific runhost, or specific submituser).
• -p : Allows the output to be customized.
• --files : Allows multiple files to be searched. The glob mechanism supports the question mark symbol (?) matching any single character, the asterix (*) matching any string, and character classes, ranges, and complementation within square brackets ([ and ]).
• The -X option processes the terminal control codes in the same way as -O, then sends the data to Solr or Elasticsearch for indexing. Whether the data is sent to Elasticsearch or Solr depends on whether a correct Elasticsearch or Solr configuration is configured in /etc/pb.settings. If both Elasticsearch and Solr are configured correctly, then Elasticsearch takes precedence and data will only be sent there.
• The -Z option processes the terminal control codes in the same way as -O and -X, and creates XML data, without sending that data to Solr. The JSON message can be displayed on the console. If -Z is set and /etc/pb.settings is correctly configured to send iologs to Elasticsearch, then the data is rendered on the console in JSON format. Otherwise, if /etc/pb.settings is configured correctly for Solr, then the data is rendered in XML format. As with -X, if both Elasticsearch and Solr are configured correctly, then Elasticsearch takes precedence and the data is presented on the console in JSON.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbreplay [options] I/O_log_name
    --history
    --history2
    --history3
    --hideshellstartup 
    --nolinenumbers--markshellstartup 
    --showall
    -am, --map_printable
    -ao, --map_octal
    -av, --variables
    -ax, --map_hex
    -aX
    -e, --show_stderr
    -h, --header
    -i, --show_raw_stdin
    -I, --show_translated_stdin
    -k, --keyfile=key_file
    -m, --more
    -o, --show_stdout
    -A --audit
    -t, --timestamp[=format]
pbreplay -O [options] [I/O_log_name]
    -R, --regex <regular expression>
    --files <file glob pattern>
    -c <constraint expression>
-p <format expression>
pbreplay <--sendindex | -X> [options] [I/O_log_name]
pbreplay <--index | -Z> [options] [I/O_log_name]
pbreplay --forward
pbreplay –v | --version
pbreplay --help

Arguments

The ACA Audit report lists file related libc/system calls and whether those calls were allowed or blocked via ACA.

Prior to EPM-UL 9.4, the output was similar to:

Fri Nov 11 12:02:41 2016:    7115    1    owner   9    execve /usr/bin/id
Fri Nov 11 12:02:41 2016:    7115    1    read    9    fopen  /etc/passwd
Fri Nov 11 12:02:41 2016:    7115    1    read    9    fopen  /etc/group

Starting with EPM-UL 9.4, the output is changed to:

Fri Nov 11 2016 12:02:41 PM [ 7115] Allowed exec /usr/bin/id
Fri Nov 11 2016 12:02:41 PM [ 7115] Allowed read /etc/passwd
Fri Nov 11 2016 12:02:41 PM [ 7115] Allowed read /etc/group

And with additional loglevels:

Fri Nov 11 2016 12:08:36 PM [ 7359] Allowed read /etc/group TAG:DEFAULT dev:64768 ino:2107740 mode:100644 uid:0 gid:0
Fri Nov 11 2016 12:08:37 PM [ 7368] Allowed exec /usr/bin/head ARGV:[head /etc/passwd] TAG:DEFAULT
    ENV: LOGNAME=jsmith
    ENV: PWD=/home/jsmith
ENV: HISTSIZE=1000

The ACA history report derives shell history from the ACA I/O log, and produces a report similar to a shell’s history command:

# pbreplay --history   aca.iolog.log.aZTkfJ
    1 Info     working directory set to: /home/jsmith
    2 Allowed  date
    3 Allowed  id
4 Allowed  head /etc/passwd

-O Optional. Non-interactive. Produces searchable output by interpreting tty commands such as , , and . This option is useful for redirecting the data to a file or piping to another program. For example, the output can be piped to grep to search for specific words or sequences. This option also allows direct searching via the --regex option.

-O arguments

-X arguments

-Z arguments

The following table shows the keyboard keys that can be used with pbreplay in interactive mode to emulate the Unix/Linux pager:

Keyboard keys used with pbreplay in interactive mode

Files

I/O log file

Example

pbreplay /usr/adm/pb.jqpublic.ksh.a05998

Entering the command above produces output similar to the following:

Start of log =========================================
    2005/09/08 15:16:07 [email protected] -> [email protected] ksh
    Commands:
    g - go to start,
    G - go to end,
    Space - go to next input
    <CR> or <NL> - go to next newline,
    s - skip to next time marker
    u - undo,
    t - display time, r - redraw from start, q/Q – quit
    v - dump variables, <BS> or <DEL> - backup to last position
    c – continuous slow speed replay, f - find, k – find time stamp
h or ? - display this help message

You can navigate the I/O log file by pressing the space key (next input character), the carriage return or newline key (newline), or the s character, which shows you what happened each second. Alternatively, you can back up through the log file by pressing the Backspace or Delete key. You can quickly go to the start or end of the log file using g or G, respectively. Display the time of an action at any point in the log file using t, redraw the log file using r, and undo your last action using u. You can also display all of the environment variables that were in use at the time the log file was created using v. Use q or Q to quit pbreplay.

Example

pbreplay -O /var/log/pbul/iolog.aaaaaa
pbreplay -O --regex 'passwd' /var/log/pbul/iolog.aaaaaa
pbreplay -O --regex 'passwd' --files '/var/log/PBLOGS*/iolog.*'
pbreplay -O --regex "passwd" --files "/var/log/pbul.iolog.*" \
    -c "runhost=='hostabc.beyondtrust.com'" -c "date=='2012/04/10'"
pbreplay -O --regex 'passwd' --files '/var/log/PBLOGS*/iolog.*' \
-p "sprintf('%s %s %s %s\n', basename(iolog), user, runhost, regexmatch)"

📘

For more information, see man regcomp, man glob(7), pbcheck, pbkey, pblocald, pbmasterd, pbpasswd, pbrun, pbsum.

pbreport

• Version 3.5 and earlier: pbreport not available.
• Version 4.0 and later: pbreport available.

pbreport extracts data from the event logs and optionally generates one or more reports based on the extracted data as specified in the named report file. The report file is an XML file that contains the extraction and reporting specifications, and is typically configured using the event log reporting feature of pbguid, the Endpoint Privilege Management for Unix and Linux Web GUI.

Syntax

pbreport [options] report-file
   -i, --info
   -k, --keyfile=file_name
   -s, --suppress
   -t, --temp
   -V, --verbos
pbreport –v | --version
pbreport –h | --help

Arguments

Files

Report set file

Example

pbreport /temp/report.set

📘

For more information, see pblog.

pbrun

pbrun requests that a secure task be run in a controlled environment. The user prefixes the command line with pbrun.

Example

pbrun backup /usr/dev/dat

pbrun checks the settings file for a submitmasters entry or the netgroup @pbsubmitmastersto determine the policy server daemon to which it should send the request. If the policy server daemon accepts the request, then it directs a local daemon to start the task request on the run host.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbrun [options] command [command_arguments]
   -b, --background
   -d, --debug=connect
   -d, --debug=log=<level>
   -d, --debug=mlog=<level>
   -d, --debug=glog=<level>
   -d, --debug=llog=<level>
   -d, --debug=time
   -d, --debug=ttime
   --disable_optimized_mode
   -h, --host=run_host
   -l, --local_mode
   -n, --null_input
   -p, --pipe_mode
   --solarisproject projectname
   -u, --user=request_user
   --testmaster=master_host
   -X
pbrun –v | --version
pbrun --help

Arguments

Files

/etc/pb.settings (Local EPM-UL submithost settings.)

Example

pbrun –h runhost uname -a

📘

For more information, see pbcheck, pblocald, pblog, pbmasterd, pbpasswd, pbreplay, pbsum, pb.settings file, Debug Trace Logging, xwinforward, xwinreconnect

pbssh

• Version 6.0.1 and earlier: pbssh program not available.
• Version 6.1 and later: pbssh program available.

Using EPM-UL policy and the pbssh program, you can control access to, and activities on, SSH-managed devices. The pbssh program is similar to the pbrun program, except that it uses the SSH protocol (or, optionally, the telnet protocol) to connect to devices that do not have EPM-UL installed on them; such devices can include Windows computers and certain network devices.

You must specify the -h option (to indicate the host name of the target device), and the -u option (to indicate the user name with which to log into the device). To execute a command on the target device, use the -C option. You may also optionally use the -P (--port) option to specify a particular port for the SSH connection.

If you have a Password Safe appliance, the EPM-UL can be configured to automatically obtain the device password from Password Safe. To do so, the following EPM-UL settings must be specified on the submit host:

• pkrunfile
• pk_cert (or the --pk_cert option)
• pk_servers (or the --pk_servers option)
• pbsshshell (optional)

If you do not have a Password Safe appliance, then pbssh prompts the user for the password. The user is also prompted under these circumstances:

• The Password Safe appliance is not available.
• The Endpoint Privilege Management for Unix and Linux settings are not specified or not correctly specified.
• The --skip_pkrun option is specified on the pbrun command line.
• The --telnet option is specified on the pbrun command line.

The --domain option has two purposes, both of which are related to Password Safe:

• If you need to log into a host using a domain account, then you use the --domain option defines the domain from which Password Safe should obtain the domain account password.
• If the --user option defines a user account, and you want to use a Password Safe managed account alias in place of the actual managed system name, then you use the --domain option to specify the managed system alias.

ℹ️

Note

Unlike pbrun, pbssh does not require a command to be specified. Consequently, the Endpoint Privilege Management for Unix and Linux policy function basename() always returns pbssh. In the Endpoint Privilege Management for Unix and Linux policy, to determine the command that was specified, parse the argv list.

Syntax

pbssh [options] command [command_arguments]
   -c, --pk_cert
   -C, --command
   -d, --debug=connect
   -d, --debug=time
   -d, --debug=ttime
   -D, --domain
   -h, --host=run_host
   -k, --skip_pk
   -K, --pk_servers
   -P, --port=ssh_port
   -r, --pk_reset_password
   -T, --telnet
   -u, --user=request_user
pbssh –v | --version
pbssh --help

Arguments

Files

/etc/pb.settings Local EPM-UL submithost settings

Example

pbssh –h runhost -u jjones -C "dir /w"

📘

For more information, see Connections to SSH-Managed Devices.

pbsum

pbsum prints the checksum of one or more files. The checksum can be used in a policy configuration file to check the requested program’s integrity. If anyone has modified the program and thereby changes the checksum, the secured task is refused. The string that is produced by pbsum can be used to set the value of the runmd5sum variable in the Endpoint Privilege Management for Unix and Linux policy configuration file.

Syntax

• Version 3.5 and earlier: long command options not supported.
• Version 4.0 and later: long command options supported.

pbsum file_names
pbsum -m | --md5 file_names
pbsum –v | --version
pbsum --help

Arguments

Files

None

Example

pbsum /etc/pb.settings file
pbsum -m /etc/pb.settings /bin/ls

📘

For more information, see pbcheck, pbkey, pblocald, pbmasterd, pbpasswd, pbreplay, pbrun.

pbsync

• Version 4.0 and earlier: pbsync not available.
• Version 5.0 and later: pbsync available.

The pbsync command starts the log synchronization process. The command takes as an input one or more log servers, port numbers, and log file names, and uses that information to synchronize the network logs. This component is referred to as the client.

On the first execution of this feature, the complete event logs are transferred from the failover log servers to the primary log server; event log files are merged there into one log file to make auditing easier.

pbsync can request the following:

• That event logs from different log servers be merged
• That partial I/O logs from different log servers be merged into one I/O log
• That merged logs be sent to the client

⚠️

Important

To successfully merge encrypted I/O logs, all log servers must use the same encryption algorithm and key. For more information, see iologencryption.

In EPM-UL version 6.0 and later, the log synchronization server (pbsyncd) uses the eventlog setting in its own pb.settings file to determine the location of the event log file when it receives a pbsync -l request. This change can cause errors when merging pre-version 6.0 event logs if the eventlog setting on the log synchronization server does not match the eventlog setting on the requesting client host. To ensure that pre-version 6.0 event logs are found by the log synchronization server, use pbsync with the -L option.

Syntax

pbsync [options]
pbsync -v|--version
pbsync --help

Arguments

Command line responses

Files

None

Example

Executing the following causes pbsync to look for the file pattern /var/adm/pb.user1, collect the logs, and synchronize them:

pbsync -i /var/adm/pb.user1

Example

Executing the following synchronizes the log files on machines dart and aji:

pbsync -L dart:/var/log/pb.eventlog:6298 -L aji:/var/adm/pb.eventlog:6298

📘

For more information, see pbsyncd.

pbsyncd

• Version 4.0 and earlier: pbsyncd not available.
• Version 5.0 and later: pbsyncd available.

The pbsyncd server listens for log synchronization requests from one or multiple pbsync clients.

pbsyncd is started as a stand-alone service or daemon from the command line or startup scripts, preferably running on each system that is also running pblogd (for log synchronization) or pbmasterd (for policy updates). A new TCP port is required to accept requests. The default port is 24350. This component is referred to as the server.

Log synchronization: When the server receives a synchronization request, it checks its own pb.settings file to determine the event log file name (as specified in the eventlog keyword) to retrieve. If the eventlog keyword is not specified, then the server uses the event log file name that is specified in the request.

Changes that are made to the pb.settings file after the daemon is started do not affect the operation of the daemon. If you change the pb.settings file, then you must restart the daemon for the changes to take effect. If you do not restart the daemon, then the daemon continues to operate using a snapshot of the pb.settings file that was cached at the time the daemon was started.

If pbsyncd detects an error, then an error message is logged in the server’s diagnostic log file. For log synchronization, the client can request the following:

• That event logs from different log servers be merged
• That partial I/O logs from different log servers be merged into one I/O log
• That merged logs be sent to the client

Syntax

pbsyncd [options]
pbsyncd -v|--version
pbsyncd --help

Arguments

Command line responses

Files

None

Example

Entering the following starts the daemon and specifies /var/log/syncserver.log as the output error file:

pbsyncd -d -p 24345 -e /var/log/syncserver.log

📘

For more information, see pblog, pbsync.

pbumacs

pbumacs is an editor similar to umacs. umacs is a small version of emacs with gosling-style emacs key bindings.

pbumacs has been modified so that it can be used securely with the Endpoint Privilege Management for Unix and Linux programs.

Security has been enhanced with the following features:

• pbumacs must be started with a full path name specified.
• The user cannot access any files other than the one that is specified at startup time.
• The user is not allowed to spawn any processes.

This program, when used with Endpoint Privilege Management for Unix and Linux, can allow users to access a specific file as root, but not other root functions or files.

Syntax

pbumacs fullpathname

Arguments

Files

None

Example

Executing this command displays the contents of the file called fullpathname for editing:

pbumacs fullpathname

📘

For more information, see pbrun.

pbuvqrpg

• Version 3.5 and earlier: pbuvqrpg not available.
• Version 4.0 and later: pbuvqrpg available.

pbuvqrpg is a licensed utility from UV Software’s Vancouver Utilities set. It is used internally to generate text-based reports from a description file that is created by the Endpoint Privilege Management for Unix and Linux pbreport program.

Syntax

pbuvqrpg

Arguments

Not published

📘

For more information, see pblog, pbreport.

pbversion

• Version 5.1.2 and earlier: pbversion not available.
• Version 5.2 and later: pbversion available.

pbversion reports the binary file version numbers and optionally reports installed components of Endpoint Privilege Management for Unix and Linux. This non-interactive utility can be run on any machine and provides a list of the version numbers for all known Endpoint Privilege Management for Unix and Linux binary files. Installations are identified using the prefix and suffix arguments or the default installation if a prefix and/or suffix is not specified.

Only root can run pbversion. Prior to v8.0 pbversion can only be run from the installation directory and it should not be moved from the installation directory because it is dependent on Endpoint Privilege Management for Unix and Linux installer scripts.

With v8.0 and later, pbversion is available as part of the installed binaries after the install (located in the admin directory which is /usr/sbin by default).

pbversion does not report on Endpoint Privilege Management for Unix and Linux versions prior to v4.0 because the binary version arguments were not available previously. Also, it does not report on binary version for executable files pbnvi or pbuvqrpg because the version argument does not display the binary version.

Syntax

pbversion [options]
   -p prefix
   -s suffix
   -c
pbversion -v
pbversion -h

Arguments

Example

Display the binary versions for the installation using the prefix my along with the Endpoint Privilege Management for Unix and Linux installation components by executing the following:

./pbversion -p my -c

📘

For more information, see pbinstall, pbuninstall.

pbvi

• Version 4.0.0 and later: pbvi setting available.

Description

The pbvi editor is similar to the standard vi editor. It has been modified so that it can be used securely with the Endpoint Privilege Management for Unix and Linux programs. Security is enhanced with the following features:

• pbvi must be started with a full path name specified.
• The user cannot access any files other than the one that is specified at startup time.
• The user is not allowed to spawn any processes.

This program, when used with EPM-UL, allows users to access a specific file as root, but not access other root functions or files.

The edited file is written back to the same path. If this path changed by an external process, then the file is written to the new location to which the path refers. Whenever pbvi is run from Endpoint Privilege Management for Unix and Linux, the arguments should be checked to ensure that the user cannot change the path and no security hole is introduced.

Syntax

pbvi fullpathname

Arguments

Files

None

Example

To display the contents of the file called fullpathname for editing, enter the following:

pbvi fullpathname

📘

For more information, see pbrun .