REST calls and parameters
Authentication
Authentication (unsuccessful)
Invalid authentications can occur because of incorrect appid, appkey, invalid HMAC calculation, or invalid pbrest keystore.
GET https://pbuild:24351/REST/setting/policydir?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"error":"8119 Invalid Authentication for appId 'myappid' from 192.168.16.128","status":8119}
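The 8119 response above is produced when the appid is unknown or the HMAC (or the keystore behind it) does not check out. The page does not say what string pbrest signs or which digest it uses, so the following is an added Python example, not BeyondTrust code: the canonical string (appid, timestamp, path joined by newlines), HMAC-SHA256, the 60-second skew window and the constructed key store are all assumptions. What it does show is the shape a defender wants on the server side: the timestamp is bounded (so a captured URL cannot be replayed indefinitely, which is what the pbresttimeskew setting is for), the signature covers the request path, and the comparison is constant-time.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit, parse_qs

# Constructed key store standing in for the pbrest keystore: appid -> appkey.
KEYSTORE = {"myappid": "constructed-appkey-0001"}


def canonical_string(appid, timestamp, path):
    # ASSUMPTION: pbrest's real canonical string is not given on this page; this one
    # just ties the signature to the caller, the clock and the resource being requested.
    return f"{appid}\n{timestamp}\n{path}".encode()


def sign(appkey, appid, timestamp, path):
    # ASSUMPTION: HMAC-SHA256 hex digest; the vendor's digest choice is not documented here.
    return hmac.new(appkey.encode(), canonical_string(appid, timestamp, path),
                    hashlib.sha256).hexdigest()


def build_url(base, path, appid, appkey, timestamp):
    """Client side: the appid/timestamp/hmac query string used by every call on this page."""
    return f"{base}{path}?appid={appid}&timestamp={timestamp}&hmac={sign(appkey, appid, timestamp, path)}"


def authenticate(url, keystore, now=None, max_skew=60):
    """Server side: return {"status": 0} or an 8119-style error like the one shown above."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        appid = query["appid"][0]
        timestamp = int(query["timestamp"][0])
        given = query["hmac"][0]
    except (KeyError, ValueError):
        return {"status": 8119,
                "error": "8119 Invalid Authentication: missing or malformed appid/timestamp/hmac"}
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > max_skew:  # replay window: stale or future-dated requests are refused
        return {"status": 8119,
                "error": f"8119 Invalid Authentication for appId '{appid}': timestamp outside skew window"}
    appkey = keystore.get(appid)
    if appkey is None:
        return {"status": 8119,
                "error": f"8119 Invalid Authentication for appId '{appid}': unknown appid"}
    expected = sign(appkey, appid, timestamp, parts.path)
    # Constant-time comparison so a wrong HMAC cannot be distinguished by timing.
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return {"status": 8119,
                "error": f"8119 Invalid Authentication for appId '{appid}': HMAC mismatch"}
    return {"status": 0}
```

Because the path is part of the signed string, a URL signed for /REST/settings cannot be re-used against /REST/settingsfile, and because the timestamp is checked before the key lookup, an unknown appid and a stale request are rejected with the same status code.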
Settings
Get settings
Get all of the settings from pb.settings (or equivalent). Each setting has one of 4 distinct types:
- String
- Boolean
- List of Strings
- altsubmitmasters: Has a special list of Endpoint Privilege Management for Unix and Linux objects.
GET https://pbuild:24351/REST/settings?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"status":0,"settings":[{"values":["8da3e912","83099374","52adfcae","27825f05"],
"description":"Validation","name":"validation","type":3},
{"description":"Licensing Data to Save","name":"licensedata","value":"datenodename","type":2}, ...
Get setting
Gets an individual setting as specified on the URL.
GET https://pbuild:24351/REST/setting/submitmasters?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"setting":[{"values":["pbuild","pbuild2","pbuild3"],"description":"Submit Policy Servers","name":"submitmasters","type":3}],"status":0}
Put setting
Put (modify) a setting into the pb.settings file. The type needs to correspond to the original setting type.
PUT https://pbuild:24351/REST/setting/warnuseronerror?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST {"setting":{"name":"warnuseronerror","value":"no","type":1}}
RESPONSE {"status":0}
Get settings file as attachment
Retrieves the whole pb.settings file as a binary attachment.
GET https://pbuild:24351/REST/settingsfile?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Fetc%2Fpb.settings <binary attachment>
Post setting
Verifies settings are sent.
POST https://localhost:24351/REST/settings/verify -d '{ "settings": [ { "disabled": false, "name": "lockfiletimeout", "value": "xyz" }, { "disabled": false, "name": "pbresttimeskew", "value": "60abc" } ] }'
If settings data is sent to verify:
{
"settings": [
{
"disabled": false,
"name": "lockfiletimeout",
"value": "xyz"
},
{
"disabled": false,
"name": "pbresttimeskew",
"value": "60abc"
}
]
}
Notice the invalid values for both (appended "xx" to the port numbers). The result:
{
"status": 3949,
"error": "3949 setting pbresttimeskew (60abc) must have a numeric value between -1 and 30000000",
"settings": [
{
"disabled": false,
"name": "lockfiletimeout",
"value": "xyz",
"error": {
"value": "xyz",
"min": -1,
"max": 30000000,
"emsg": "3949 setting lockfiletimeout (xyz) must have a numeric value between -1 and 30000000"
}
},
{
"disabled": false,
"name": "pbresttimeskew",
"value": "60abc",
"error": {
"value": "60abc",
"min": -1,
"max": 30000000,
"emsg": "3949 setting pbresttimeskew (60abc) must have a numeric value between -1 and 30000000"
}
}
]
}
License
List client license information
List all client records
Optional argument: verbose=0|1
GET https://pbuild:24351/pbrest/REST/v2.0/license/clients?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
Without verbose:
RESPONSE { "clients" : [ {"lid":123, "uuid":"66fd4906-81c9-4739-8a27-308546af90ae", "fqdn":"myhost1.com", "addr" : "[ {\"family\": 4, \"port\" : 5678, \"addr\" : \"192.168.1.1\" }]", "lastupdated" : "2017-08-01", "retired" : "2017-08-01", "recycle" : "2017-09-01" }]}
With verbose:
RESPONSE { "clients" : [
{"lid":123, "uuid":"66fd4906-81c9-4739-8a27-308546af90ae", "fqdn":"myhost1.com", "addr" : "[ {\"family\": 4, \"port\" : 5678, \"addr\" : \"192.168.1.1\" }]", "lastupdated" : "2017-08-01", "retired" : "2017-08-01", "recycle" : "2017-09-01", "stats" : [ { "lid" : 123, "svc" : "pbpolicy", "firstupdated" : "2017-01-01", "lastupdated" : "2017-10-01"},{ "lid" : 123, "svc" : "sudopolicy", "firstupdated" : "2017-01-01", "lastupdated" : "2017-11-01"},{ "lid" : 123, "svc" : "fim", "firstupdated" : "2017-01-01", "lastupdated" : "2017-11-21"}] }]}
List client host details
Optional argument: verbose=0|1
GET https://pbuild:24351/pbrest/REST/v2.0/license/clients/<host>?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE
As above, but only for one specified host.
List client host (wildcard) details
Optional argument: verbose=0|1
GET https://pbuild:24351/pbrest/REST/v2.0/license/clients?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&hostname=<wildcard>
RESPONSE
As above, but only for wildcarded hosts.
List service license information
List all service records
Optional argument: verbose=0|1
GET https://pbuild:24351/pbrest/REST/v2.0/license/svc?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
Without verbose:
RESPONSE {"stats" : [ {"attr" : "PBULPolClnts", "cnt" : 800},{"attr" : "SudoPolClnts", "cnt" : 800},{"attr" : "ACAClnts", "cnt" : 800}]}
With verbose:
RESPONSE {"stats" : [ { "lid" : 123, "attr" : "PBULPolClnts", "firstupdated" : "2017-01-01", "lastupdated" : "2017-10-01"},{ "lid" : 123, "attr" : "SudoPolClnts", "firstupdated" : "2017-01-01", "lastupdated" : "2017-11-01"},{ "lid" : 123, "attr" : "ACAClnts", "firstupdated" : "2017-01-01", "lastupdated" : "2017-11-21"}]}
List specified service records
Optional argument: verbose=0|1
GET https://pbuild:24351/pbrest/REST/v2.0/license/svc/<svctype>?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
Without verbose:
RESPONSE {"stats" : [ {"attr" : "PBULPolClnts", "cnt" : 800}]}
With verbose:
RESPONSE {"stats" : [ { "lid" : 123, "attr" : "PBULPolClnts", "firstupdated" : "2017-01-01", "lastupdated" : "2017-10-01"}]}
Get license record
Optional argument: verbose=0|1
GET https://pbuild:24351/pbrest/REST/v2.0/license?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE { "license" : { "PBULPolClnts":100, "SudoPolClnts":0, "RBPClnts":100, "ACAClnts":100, "AKAClnts":0, "FIMClnts":10, "SOLRClnts":2, "Expires":"2018/12/25 23:59:00",
"Terminates":"2019/03/25 23:59:00", "HostId":"6fce4d59-7359-4c7e-a793-90f3989214a0", "Owner":"My Company PLC", "Comment":"This is the PBUL license for My Company",
"AutoExpiry": 90, "Recycle": 30, "HMAC":"skSUgmkZ491x6Bzul2g5wg1/WsY6WbFUwMB8kT3zmro="}}
Put license record
PUT https://pbuild:24351/pbrest/REST/v2.0/license?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
Args
{ "whoami" : "root", "license" : { "PBULPolClnts":100, "SudoPolClnts":0, "RBPClnts":100, "ACAClnts":100, "AKAClnts":0, "FIMClnts":10, "SOLRClnts":2, "Expires":"2018/12/25 23:59:00",
"Terminates":"2019/03/25 23:59:00", "HostId":"6fce4d59-7359-4c7e-a793-90f3989214a0", "Owner":"My Company PLC", "Comment":"This is the PBUL license for My Company",
"AutoExpiry": 90, "Recycle": 30, "HMAC":"skSUgmkZ491x6Bzul2g5wg1/WsY6WbFUwMB8kT3zmro="}}
Failure
RESPONSE {"status": 3828,"error": "3828.41 Failed to update License - Invalid argument"}
Retire client record
PUT https://pbuild:24351/pbrest/REST/v2.0/license/retire?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
By UUID
{ "whoami" : "root", "retire" : { "uuid" : "…" }}
By FQDN
{ "whoami" : "root", "retire" : { "fqdn" : "…" }}
By List
{ "whoami" : "root", "retire" : [ {"uuid" : "…" },{"uuid" : "…" }]}
RESPONSE {"status" : 0}
Process licensing write queues and send them to the primary license server:
PUT put_sync
cd /usr/lib/beyondtrust/pb/rest/sbin
./pbconfigd --call '{ "appid" : "appid", "appkey" : "866bfc75-72d2-4dcf-9b08-4dbd9474a493", "request" : {"content_type" : "application/json", "method" : "GET", "uri" : "/v2/license/put_sync" }}'
RESPONSE Status: 200
Content-type: application/json
{"status":0}
Retrieve licensing statistics from the primary license server and write them to the local pblicense.db:
GET get_sync
cd /usr/lib/beyondtrust/pb/rest/sbin
./pbconfigd --call '{ "appid" : "appid", "appkey" : "866bfc75-72d2-4dcf-9b08-4dbd9474a493", "request" : {"content_type" : "application/json", "method" : "GET", "uri" : "/v2/license/get_sync" }}'
RESPONSE Status: 200
Content-type: application/json
{"status":0}
Policies
Policy list dir
List all of the files in a given directory (without checking that they are policy files). Some system directories cannot be listed, for security reasons.
GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&path=%2Fopt%2Fpbul%2Fpolicies
RESPONSE {
"dir": [
{
"path": "/opt/pbul/policies/pbul_policy.conf",
"type": "file",
"name": "pbul_policy.conf",
"size": 5345,
"mtime": "2018-11-02 16:36:23",
"where": "fs"
},
{
"path": "/opt/pbul/policies/pb.conf",
"type": "file",
"name": "pb.conf",
"size": 228,
"mtime": "2018-11-17 16:20:55",
"where": "fs"
},
{
"path": "/opt/pbul/policies/pbul_functions.conf",
"type": "file",
"name": "pbul_functions.conf",
"size": 11747,
"mtime": "2018-11-02 16:36:23",
"where": "fs"
}
]
}
Policy (script) get lines
Get a script based policy file as an ordered array of lines, making line based modifications to the policy file easier.
GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=script&file=%2Fopt%2Fpbul%2Fpolicies%2Fpb.conf
RESPONSE {
"file": "/opt/pbul/policies/pb.conf",
"format": "script",
"lines": [
"result=getuserpasswd(user, \"Passwd for \"+user+\": \", 1, \"/opt/pbul/gp001\", 20);",
"printf(\"result=%d\\n\", result);",
"if (result == 0) ",
"reject;",
"else",
"accept;"
]
}
Policy (script) get full file
Get the full script based policy file as a long string.
GET https://pbuild:24351/REST/policy?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=script&file=%2Fopt%2Fpbul%2Fpolicies%2Fpb.conf
RESPONSE {
"file": "/opt/pbul/policies/pb.conf",
"format": "script",
"policy": "result=getuserpasswd(user, \"Passwd for \"+user+\": \", 1, \"/opt/pbul/gp001\", 20);\nprintf(\"result=%d\\n\", result);\nif (result == 0) \n reject;\nelse\n accept;\n"
}
Policies (CSV) get all
Retrieves an array of CSV policies. Elements are generally strings or arrays of strings.
GET https://pbuild:24351/REST/policies?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb.csv
RESPONSE {"status":0,"file":"/etc/pb/pb.csv","format":"csv","policies":
[{"dateend":"none","enabled":"Active","verifyuser":0,"adgrps":
["PBSE\\pbqa","PBSE\\pbdev"],"datestart":"none","timeoutstop":"","hostsmatch":"1","args":
["0","0","0","0","0","0"],"lclgrps":["root","pbdev"],"subhosts":["ANY"],"adusers":[""],"type":"Accept","runcmds":
["","","","","",""],"hostlistsmatch":"1","runhosts":[""],"subcmds":
["bash","csh","ksh","ksh93","tcsh","sh"],"defineenv":0,"name":"Shell","timestart":"none","timeend":"none","keylog":0,"preserveenv":0,"runas":["root","qareveal","PBSE\\qareveal","[email protected]"],"lcllusers":["ctaylor"]},
{"dateend":"none","enabled":"Active","verifyuser":0,"adgrps":
["PBSE\\pbqa","PBSE\\pbdev"],"datestart":"none","timeoutstop":"","hostsmatch":"1","args":
["0","0","0","0","0","0"],"lclgrps":["root","pbdev"],"subhosts":["ANY"],"adusers":[""],"type":"Accept","runcmds":
["","","","","",""],"hostlistsmatch":"1","runhosts":[""],"subcmds":
["bash","csh","ksh","ksh93","tcsh","sh"],"defineenv":0,"name":"FOO","timestart":"none","timeend":"none","keylog":0,"preserveenv":0,"runas":["root","qareveal","PBSE\\qareveal","[email protected]"],"lcllusers":["ctaylor"]}, ...
Policy check (unsuccessful)
Checks policy in a similar manner to pbcheck.
GET https://pbuild:24351/REST/policies/check?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Fopt%2Fpbul%2Fpolicies%2FpbOLD.conf
RESPONSE {
"status": 8103,
"error": "8103.1 Error parsing policy file /opt/pbul/policies/pbOLD.conf, 3964 file /opt/pbul/policies/pbOLD.conf does not exist"
}
Policy check (successful)
Checks policy in a similar manner to pbcheck.
GET https://pbuild:24351/REST/policies/check?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Fetc%2Fpb%2Ftry
RESPONSE {"message":"Syntax check completed with no problems detected","status":0}
Policy
Policy (CSV) get (by name)
Retrieve a given named CSV policy.
GET https://pbuild:24351/REST/policy/BOO?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb.csv
RESPONSE {"status":0,"file":"/etc/pb/pb.csv","policy":
{"dateend":"none","enabled":"Active","verifyuser":0,"adgrps":
["PBSE\\pbqa","PBSE\\pbdev"],"datestart":"none","timeoutstop":"","hostsmatch":"1","args":
["0","0","0","0","0","0"],"lclgrps":["root","pbdev"],"subhosts":["ANY"],"adusers":[""],"type":"Accept","runcmds":
["","","","","",""],"hostlistsmatch":"1","runhosts":[""],"subcmds":
["bash","csh","ksh","ksh93","tcsh","sh"],"defineenv":0,"name":"BOO","timestart":"none","timeend":"none","keylog":0,"preserveenv":0,"runas":["root","qareveal","PBSE\\qareveal","[email protected]"],"lcllusers":["ctaylor"]},"format":"csv"}
Policy (CSV) put (by name)
Put a given CSV policy, named on the URL.
PUT https://pbuild:24351/REST/policy/BOO?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=csv&file=%2Fetc%2Fpb%2Fpb-tmp.csv
REQUEST {"policy":{"dateend":"none","enabled":"disabled","verifyuser":0,"adgrps":
["PBSE\\pbqa","PBSE\\pbdev"],"datestart":"none","timeoutstop":"","hostsmatch":"1","args":
["0","0","0","0","0","0"],"lclgrps":["root","pbdev"],"subhosts":["ANY"],"adusers":[""],"type":"Accept","runcmds":
["","","","","",""],"hostlistsmatch":"1","subcmds":["bash","csh","ksh","ksh93","tcsh","sh"],"runhosts":
[""],"defineenv":0,"name":"BOO","keylog":0,"timeend":"none","timestart":"none","preserveenv":0,"runas":
["root","qareveal","PBSE\\qareveal","[email protected]"],"lcllusers":["ctaylor"]}}
RESPONSE {"status":0}
Policy (script) set new policy file
Create a new (optionally empty) policy script file. Directory is limited by policydir if it is set.
POST https://pbuild:24351/REST/policy?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=script&file=%2Fetc%2Fpb%2Ffoobar
REQUEST {"script":"accept;\n"}
RESPONSE {"status":0,"file":"/etc/pb/foobar"}
Policy check inline script (unsuccessful)
Checks inline script policy in a similar manner to pbcheck.
PUT https://localhost:24351/REST/policy/check?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "script" : "foobar\nbarfoo\n" }
RESPONSE {"errors":[{"line":1,"file":"inline","msg":"syntax error, unexpected $end"},
{"line":1,"file":"inline","msg":"1167.2 Expected a statement"}],"status":8103,"error":"8103.1 Error parsing policy script"}
Policy check inline script (successful)
Checks inline script policy in a similar manner to pbcheck.
PUT https://localhost:24351/REST/policy/check?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "script" : "accept;" }
RESPONSE {"message":"Syntax check completed with no problems detected"}
Role based policy authentication
Test Role Based Policy authentication.
PUT https://localhost:24351/REST/policy/rbp/checkauth?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
Parameters
{ "rbp" : {"user" : "root", "submithost" : "pbuild", "command" : "/usr/bin/id", "runhost": "pbuild1", "pbclientmode": "pbrun" }}
The parameter node must contain at least user, submithost, and command, but may also contain any other Endpoint Privilege Management for Unix and Linux policy variable, used when matching roles. On a positive response, the info part of the JSON response is the role row that matched.
Example
Positive response:
{
"result": {
"access": "allowed",
"iolog": "/tmp/admin_iolog_root_XXXXXX",
"userMessage": "hello root - risk 9\n",
"info": {
"name": "Admin",
"runuser": "root",
"runhost": "pbuild1",
"risk": 9,
"action": "A",
"iolog": "/tmp/admin_iolog_%user%_XXXXXX",
"message": "hello %user% - risk %pbrisklevel%",
"variables": null,
"auth": null,
"script": null,
"runcommand": ""
}
}
}
Example
Negative response:
{
"result": {
"access": "denied"
}
}
Policyfile
Get policy file as attachment
Retrieves a full policy file as a binary attachment.
GET https://pbuild:24351/REST/policyfile?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Fetc%2Fpb%2Fpb.conf <binary attachment>
IO logs
I/O log get
Retrieves an I/O log file. Output can be limited by len and start parameters so that individual parts of the log can be retrieved in chunked form.
GET https://pbuild:24351/REST/iolog?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Ftmp%2Fiolog.root.ckYxun
RESPONSE {"bytes":5832,"start":-1,"status":0,"file":"/tmp/iolog.root.ckYxun","len":0,"log":[{"time":1386255179},
{"cols":80,"cmd":"CMD_WINCH","rows":24},{"time":1386255179},
{"blob":"G10wO2N0YXlsb3JAcGJ1aWxkOi9ob21lL2N0YXlsb3IHG1s/MTAzNGhbcm9vdEBwYnVpbGQgY3RheWxvcl0jIA==","cmd":"stdout","blen":64},{"time":1386255180},{"blob":"bA==","cmd":"stdin","blen":1},
{"time":1386255180},{"blob":"bA==","cmd":"stdout","blen":1},{"time":1386255180},
{"blob":"cw==","cmd":"stdin","blen":1},{"time":1386255180},{"blob":"cw==","cmd":"stdout","blen":1},
{"time":1386255181},{"blob":"DQ==","cmd":"stdin","blen":1},{"time":1386255181},
{"blob":"DQo=","cmd":"stdout","blen":2},{"time":1386255181}, ...
I/O log list dir
List all the files in a given directory (without checking whether they are I/O logs). A filter can be specified as a regular expression to narrow the output. Some system directories cannot be listed, for security reasons.
GET https://pbuild:24351/REST/iolog?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&path=%2Ftmp
RESPONSE {"dir":
[{"name":"iolog.root.XXXXXX","mtime":1386252738,"path":"/tmp/iolog.root.XXXXXX","size":4928},{"name":".8.0.0-04.debug.60505","mtime":1386332287,"path":"/tmp/.8.0.0-04.debug.60505","size":850},
{"name":"pbcheck.log","mtime":1386076851,"path":"/tmp/pbcheck.log","size":94},
{"name":"iolog.root.jVruz1","mtime":1386255133,"path":"/tmp/iolog.root.jVruz1","size":5032},{"name":".8.0.0-04.debug.42263","mtime":1386335007,"path":"/tmp/.8.0.0-04.debug.42263","size":46},{"name":".8.0.0-04.debug.42219","mtime":1386334929,"path":"/tmp/.8.0.0-04.debug.42219","size":835},
{"name":"iolog.root.0HEKM5","mtime":1386256245,"path":"/tmp/iolog.root.0HEKM5","size":4979}, ...
I/O log get variables
Retrieves the log variables from the specified I/O log.
GET https://pbuild:24351/REST/iolog/variables?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Ftmp%2Fiolog.root.ckYxun
RESPONSE {"status":0,"log":{"umask":18,"masterlocale":"en_US","nice":0,"rungroup":"root","eventlog":"/var/log/800pb.eventlog","loghostip":"192.168.16.138","masterhostip":"192.168.16.138","rlimit_fsize":-1,"pbmasterdsysname":"Linux","optopt":"","time":"14:52:58","submithost":"pbuild","event":"Accept","pblogdversion":"#1 SMP Wed Oct 16 18:37:12 UTC 2013","false":0,"runrlimit_core":0,"year":2013,"groups":[],
"pbversion":"8.0.0-06","pbmasterdversion":"#1 SMP Wed Oct 16 18:37:12 UTC 2013","host":"pbuild","optind":1,"pbmasterdnodename":"pbuild","rlimit_cpu":-1,"logservers":[],"runrlimit_memlock":65536,"runbkgd":0,"rcsworkgroup":"tramboyoPBULMasterBeyondTrustWorkgroup","rungroups":[],"logserverlocale":"en_US","runeffectiveuser":"root","pbrunmachine":"x86_64","runtimeout":0,"month":12,"dayname":"Thu","pbrunnodename":"pbuild","runoptimizedrunmode":1,"iolog":"/tmp/iolog.root.XXXXXX","submitlocale":"en_GB.UTF-8",
"runrlimit_nofile":1024,"optarg":"","cwd":"/home/ctaylor","runrlimit_cpu":-1,"date":"2013/12/05", ...
Get I/O log file as attachment
GET https://pbuild:24351/REST/iologfile?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Ftmp%2Fiolog.root <binary attachment>
I/O log search
Search a list of logs, specified with a glob style wildcard parameter file, for the query string. This is a similar format to the SOLR search string, where you have a regular expression query with keyword:value values. For example stdout:.*inittab searches for any I/O logs that contain the word inittab in the output. All of the standard keyword values that can be extracted from I/O logs can be used in the search criteria. Regular expression matches are not made across newlines.
GET https://pbuild/REST/iolog/search?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2ftmp%2fiolog%2a&query=stdout%3a%2e%2apbrest%2e
RESPONSE {"iologs":["/tmp/iolog.root.LNRRnt","/tmp/iolog.root.XXXXXX"],"status":0}
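The raw I/O log (the "I/O log get" call above) carries each terminal read and write as a base64 blob tagged with its stream and preceded by a {"time":N} record, and the search call matches a keyword:regex query line by line against those streams. The following is an added Python example, not BeyondTrust code, that ties the two together offline: it decodes the blobs from the sample records shown earlier (the prompt blob's two printed halves re-joined), checks each blob against its blen, strips terminal title and mode escapes, and runs a stdout:/stdin: query without letting a regex cross a newline. Only the stdin and stdout keywords are supported here; which other keywords pbrest accepts is not detailed on this page.

```python
import base64
import json
import re

# Constructed sample: the first records of the /REST/iolog response shown above.
SAMPLE_IOLOG = json.loads("""
{"bytes":5832,"start":-1,"status":0,"file":"/tmp/iolog.root.ckYxun","len":0,"log":[
 {"time":1386255179},{"cols":80,"cmd":"CMD_WINCH","rows":24},{"time":1386255179},
 {"blob":"G10wO2N0YXlsb3JAcGJ1aWxkOi9ob21lL2N0YXlsb3IHG1s/MTAzNGhbcm9vdEBwYnVpbGQgY3RheWxvcl0jIA==","cmd":"stdout","blen":64},
 {"time":1386255180},{"blob":"bA==","cmd":"stdin","blen":1},
 {"time":1386255180},{"blob":"bA==","cmd":"stdout","blen":1},{"time":1386255180},
 {"blob":"cw==","cmd":"stdin","blen":1},{"time":1386255180},{"blob":"cw==","cmd":"stdout","blen":1},
 {"time":1386255181},{"blob":"DQ==","cmd":"stdin","blen":1},{"time":1386255181},
 {"blob":"DQo=","cmd":"stdout","blen":2},{"time":1386255181}]}
""")

# Terminal control sequences that would otherwise pollute keyword matches:
# OSC (ESC ] ... BEL) window-title updates and CSI (ESC [ ... letter) mode switches.
ESCAPES = re.compile(r"\x1b\][^\x07]*\x07|\x1b\[[0-9;?]*[A-Za-z]")


def decode_streams(iolog):
    """Group decoded blobs by stream ('stdin' / 'stdout'), each tagged with the
    {"time":N} record that precedes it in the log."""
    streams = {}
    current_time = None
    for rec in iolog["log"]:
        if "cmd" not in rec and "time" in rec:
            current_time = rec["time"]
            continue
        if rec.get("cmd") in ("stdin", "stdout"):
            data = base64.b64decode(rec["blob"])
            if len(data) != rec["blen"]:  # the record's own length field is an integrity check
                raise ValueError(f"blob length {len(data)} != blen {rec['blen']}")
            streams.setdefault(rec["cmd"], []).append((current_time, data))
    return streams


def stream_text(streams, name):
    """Concatenate one stream and drop terminal escapes, leaving what the user saw or typed."""
    raw = b"".join(chunk for _, chunk in streams.get(name, []))
    return ESCAPES.sub("", raw.decode("utf-8", errors="replace"))


def parse_query(query):
    """Split 'keyword:regex' (the form the search call takes) into its two parts."""
    keyword, sep, pattern = query.partition(":")
    if not sep or not keyword:
        raise ValueError(f"query must look like keyword:regex, got {query!r}")
    return keyword, re.compile(pattern)


def iolog_matches(iolog, query):
    keyword, pattern = parse_query(query)
    text = stream_text(decode_streams(iolog), keyword)
    # Lines are matched one at a time, so a regex never spans a newline.
    return any(pattern.search(line) for line in re.split(r"\r\n|\r|\n", text))


def search_logs(iologs, query):
    """File names of the logs that match, in the shape of the 'iologs' list in the response."""
    return [log["file"] for log in iologs if iolog_matches(log, query)]
```

On the sample, stdin reconstructs to the keystrokes "ls\r" and stdout to "[root@pbuild ctaylor]# ls\r\n" once the title-bar and mode escapes are removed, which is the form an investigator wants when reviewing what a privileged session actually did.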
I/O log get replay
Retrieves and interprets an I/O log file ready to be output by a GUI. Terminal emulation can be overridden using the parameter term, and the output can be limited by len and start parameters so that individual parts of the log can be retrieved in chunked form.
GET https://pbuild:24351/REST/iolog/replay?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Ftmp%2Fiolog.root.ckYxun
RESPONSE {"status":0,"file":"/tmp/iolog-root.HxV7YJ","term":"xterm","start":-1,"len":0,"bytes":10676,"log":
[{"type":"token","name":"sz","values":[44,125]},{"type":"text","time":1398357936,"value":"[root@pbuild tmp]# "},
{"type":"text","time":1398357937,"value":"l"},{"type":"text","time":1398357937,"value":"s"},
{"type":"token","name":"absx","values":[0]},{"type":"token","name":"nel"},
{"type":"text","time":1398357937,"value":"beyondtrust_pbinstall"},{"type":"token","name":"htab","values":[1]},
{"type":"token","name":"htab","values":[1]},{"type":"token","name":"htab","values":[1]},
{"type":"token","name":"htab","values":[1]},{"type":"text","time":1398357937,"value":" img2c.8.5.0-01.debug.31350 img2c.8.5.0-01.debug.31548"},{"type":"token","name":"absx","values":[0]},
{"type":"token","name":"nel"},{"type":"text","time":1398357937,"value":"beyondtrust_Solrinstall.prompt_log"},
{"type":"token","name":"htab","values":[1]},{"type":"token","name":"htab","values":[1]},
{"type":"text","time":1398357937,"value":" img2c.8.5.0-01.debug.31359 img2c.8.5.0-01.debug.31557"},
{"type":"token","name":"absx","values":[0]},{"type":"token","name":"nel"},
{"type":"text","time":1398357937,"value":"beyondtrust_Solrinstall.prompt_log.ctime.Dec_5_14:15 img2c.8.5.0-01.debug.31368 iolog-root.HxV7YJ"},{"type":"token","name":"absx","values":[0]},{"type":"token","name":"nel"},
{"type":"text","time":1398357937,"value":"beyondtrust_Solrinstall.prompt_log.ctime.Dec_5_14:16 img2c.8.5.0-01.debug.31377 keyring-4E6Ccd"},{"type":"token","name":"absx","values":[0]},{"type":"token","name":"nel"},
{"type":"text","time":1398357937,"value":"beyondtrust_Solrinstall.prompt_log.ctime.Dec_5_14:18 img2c.8.5.0-01.debug.31386 keyring-IAzgb5"},{"type":"token","name":"absx","values":[0]},{"type":"token","name":"nel"},
{"type":"text","time":1398357937,"value":"beyondtrust_Solrinstall.prompt_log.ctime.Dec_5_14:21 img2c.8.5.0-01.debug.31395 keyring-qafDnO"},{"type":"token","name":"absx","values":[0]},{"type":"token","name":"nel"},
{"type":"text","time":1398357937,"value":"gedit.ctaylor.233387052"},{"type":"token","name":"htab","values":[1]},
{"type":"token","name":"htab","values":[1]},{"type":"token","name":"htab","values":[1]},
{"type":"token","name":"htab","values":[1]},{"type":"text","time":1398357937,"value":" img2c.8.5.0-01.debug.31404 keyring-sQMK20"},{"type":"token","name":"absx","values":[0]},{"type":"token","name":"nel"},
{"type":"text","time":1398357937,"value":"gedit.root.2441861592"},{"type":"token","name":"htab","values":[1]},
{"type":"token","name":"htab","values":[1]},{"type":"token","name":"htab","values":[1]}, ...
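The replay response has already done the terminal interpretation: the GUI receives plain "text" records and named "token" records instead of raw escape bytes. The following is an added Python example, not BeyondTrust code, of the small line renderer a viewer needs on top of that stream. The token meanings are assumed from their terminfo-like names (nel = next line, htab = horizontal tab repeated values[0] times, absx = move to absolute column values[0], sz = screen size) and the tab stop of 8 columns is an assumption too; the sample records are the first entries of the response above.

```python
# Constructed sample: the first records of the /REST/iolog/replay response shown above.
SAMPLE_REPLAY = [
    {"type": "token", "name": "sz", "values": [44, 125]},
    {"type": "text", "time": 1398357936, "value": "[root@pbuild tmp]# "},
    {"type": "text", "time": 1398357937, "value": "l"},
    {"type": "text", "time": 1398357937, "value": "s"},
    {"type": "token", "name": "absx", "values": [0]},
    {"type": "token", "name": "nel"},
    {"type": "text", "time": 1398357937, "value": "beyondtrust_pbinstall"},
    {"type": "token", "name": "htab", "values": [1]},
    {"type": "token", "name": "htab", "values": [1]},
    {"type": "token", "name": "htab", "values": [1]},
    {"type": "token", "name": "htab", "values": [1]},
    {"type": "text", "time": 1398357937,
     "value": " img2c.8.5.0-01.debug.31350 img2c.8.5.0-01.debug.31548"},
    {"type": "token", "name": "absx", "values": [0]},
    {"type": "token", "name": "nel"},
]

TAB_STOP = 8  # ASSUMPTION: classic 8-column tab stops


class ReplayScreen:
    """Line-oriented renderer for the replay stream. Token semantics are ASSUMED from
    their names (see the lead-in); any token not understood is recorded, not dropped
    silently, so a reviewer can see what the rendering left out."""

    def __init__(self):
        self.lines = [""]
        self.col = 0
        self.size = None
        self.unknown = []

    def _write(self, text):
        line = self.lines[-1].ljust(self.col)  # pad if the cursor sits past the end of the line
        self.lines[-1] = line[:self.col] + text + line[self.col + len(text):]
        self.col += len(text)

    def feed(self, rec):
        if rec["type"] == "text":
            self._write(rec["value"])
        elif rec["type"] == "token":
            name, values = rec["name"], rec.get("values", [])
            if name == "nel":          # next line: new row, cursor to column 0
                self.lines.append("")
                self.col = 0
            elif name == "absx":       # absolute horizontal position
                self.col = values[0]
            elif name == "htab":       # advance to the next tab stop, values[0] times
                for _ in range(values[0] if values else 1):
                    self.col = (self.col // TAB_STOP + 1) * TAB_STOP
            elif name == "sz":         # screen size (rows, cols)
                self.size = tuple(values)
            else:
                self.unknown.append(name)
        return self

    def render(self):
        return [line.rstrip() for line in self.lines]


def render_replay(records):
    screen = ReplayScreen()
    for rec in records:
        screen.feed(rec)
    return screen.render()
```

Rendering the sample gives the prompt line "[root@pbuild tmp]# ls" followed by the first row of the directory listing, with the second column aligned to the fourth tab stop exactly as the four htab tokens request.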
I/O log cached list
If you chose to install the Log Cache database for use with PowerBroker Server Management Console, the log host creates and maintains a database to cache the names, locations, and other pertinent information about I/O logs. You can retrieve the list of cached I/O log information using the following calls. Options are provided to filter and sort the output based on certain criteria. Output can also be limited by len and start parameters so that individual parts of the log can be retrieved in chunked form.
GET https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"result":[{"uniqueid":"ac14202058221f4b116C","partnum":1,"createtime":1478631243787,"loghost":"uni.beyondtrust.com","logpath":"/var/log/pbiolog_SEPI7FJ5b","submithost":"uni.beyondtrust.com","submituser":"root","runhost":"uni.beyondtrust.com","runuser":"root","runcmd":"rm"},{"uniqueid":"ac14202058221fb9118E","partnum":1,"createtime":1478631354266,"loghost":"uni.beyondtrust.com","logpath":"/var/log/pbiolog_SEPWd7Drt","submithost":"uni.beyondtrust.com","submituser":"root","runhost":"uni.beyondtrust.com","runuser":"root","runcmd":"passwd"}]}
Filters
To retrieve the cached I/O log list filtered by the log path name, use the REST GET HTTP method with a URL similar to https://…/list?path, specifying a glob wildcard.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&path=%2fvar%2flog%2f%2apb%5fiolog%2a
To retrieve the cached list of I/O logs containing events on or after the given date/time, use the REST GET HTTP method with a URL similar to https://…/list?from, specifying the date/time in the yyyy-mm-dd HH:MM format.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&from=2016%2d11%2d02+18%3a00
To retrieve the cached list of I/O logs containing events on or before the given date/time, use the REST GET HTTP method with a URL similar to https://…/list?to, specifying the date/time in the yyyy-mm-dd HH:MM format.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&to=2016%2d11%2d02+18%3a00
To retrieve the cached I/O log list filtered by runhost, use the REST GET HTTP method with a URL similar to https://…/list?runhost, specifying a runhost.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&runhost=uni%2ebeyondtrust%2ecom
To retrieve the cached I/O log list filtered by submithost, use the REST GET HTTP method with a URL similar to https://…/list?submithost, specifying a submithost.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&submithost=uni%2ebeyondtrust%2ecom
To retrieve the cached I/O log list filtered by submituser, use the REST GET HTTP method with a URL similar to https://…/list?submituser, specifying a submituser.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&submituser=root
To retrieve the cached I/O log list filtered by runuser, use the REST GET HTTP method with a URL similar to https://…/list?runuser, specifying a runuser.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&runuser=root
To retrieve the cached I/O log list filtered by runcommand, use the REST GET HTTP method with a URL similar to https://…/list?runcmd, specifying a runcommand.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&runcmd=rm
To retrieve the cached I/O log list limited by an offset and number of records, use the REST GET HTTP method with a URL similar to https://…/list?path, specifying start and/or len parameters.
Example
https://pbuild/REST/iolog/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&start=10&len=5
Event logs
Get event destinations
Retrieve a list of the current Event Log destinations. This details only the current settings and includes all the current options. A "null" or "false" attribute is taken as disabled.
GET https://<host>:24351/REST/v2.0/events/destinations?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events/destinations
Response
{"destinations":
{"db": "/var/log/pb.eventlog.db",
"ff": "/tmp/pb.eventlog",
"prog": null,
"odbc": "MySQL",
"syslog": false
}
}
Event log get
Retrieves the specified event log.
GET https://<host>:24351/REST/v2.0/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events
Response
{"events": [
{
"recnum": 2,
"uniqueid": "c0a8108a5d0cce5b7239",
"etype": "A",
"epoch":"2019-06-21 18:03:52",
"submituser": "root",
"submithost": "pbuild",
"runuser": "root",
"runhost": "pbuild",
"runcommand": "id",
"exitstatus": null
}
]
}
Filtered/paged events
Retrieve events from the data source, providing paging and filter attributes. This will work slowly on flat-file event files as each event is searched from the first to the limit (or end) sequentially. However, it should be instantaneous on database and ODBC sources.
Value | Description
---|---
from | Match events after/from (in time_t epoch or YYYY/MM/DD or full "YYYY/MM/DD HH:MM:SS" format) |
to | Match events before/to (in time_t epoch or YYYY/MM/DD or full "YYYY/MM/DD HH:MM:SS" format) |
start | When eventlog is a database (db, odbc), it is the start recnum record. The recnum is returned by previous calls or can be any known value. For a flatfile eventlog, this filter returns the events after ‘start’ number of events. |
end | The end recnum record. The recnum is returned by previous calls or can be any known value. |
offset | When the eventlog is a database, the filter offset retrieves the events after ‘offset’ number of events. When the eventlog is a flat file, offset is the position in the file and should be the end of an event. Offsets for a flatfile can be known from previous calls. It is optional, but greatly speeds up retrieval, if provided. |
verbose=0|1 | By default, only the common attributes are returned. However, if verbose is set (verbose=1) the complete event is returned. Default=0 |
limit | Limit on records returned. The default is set to 32768, or 512 if verbose is set, to stop massive data results being returned by default. |
order | Attribute to retrieve the data in. For example, epoch to get records in date order, or recnum to retrieve in logged order. Applicable only when eventlog is a database. |
orderdirection=asc|desc | Attribute specifying "asc" or "desc" ordering. Applicable only when eventlog is a database. |
dump=0|1 | When set (dump=1), retrieves accept and finish events separately. Default value: dump=0 Filter available from EPM-UL version 21.1 |
uniqueid, etype, runhost, submithost, runuser, submituser, runcommand, exitstatus | etype=[A|R|K] for 'A'ccept, 'R'eject and 'K'eystroke events respectively. runhost, submithost, runuser, submituser, runcommand and exitstatus are wildcard-matched attributes that filter the events on the value specified. Example: pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events etype=[A|R|K] [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<value>. Finish events can be retrieved only when dump=1: pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events etype=F dump=1 [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<value> |
recnum is returned for every retrieved record and can be used as the next start. Flat-file searching also returns offset which can be used in next requests.
To fetch events in batches, use offset attribute for database type eventlog and use start attribute for a flatfile.
If you know the file offset of the previous record in a flatfile eventlog, you can pass offset= to get the next set of events; otherwise use start= to fetch the events in batches. The file offset for a flatfile eventlog is returned by previous REST calls.
Example
In an eventlog database, to fetch the 3rd batch of events with a batchsize of 100, use the API as below.
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events offset=200 limit=100
In a flatfile eventlog, to fetch the 3rd batch of events with the batch size of 100, use the API as below.
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events start=200 limit=100
The following is the syntax of a REST call with all the attributes and filters:
pbrestcall -a <appid> -k <key> -l -X GET
https://<host>:24351/REST/v2/events order=<field> orderdirection=[asc|desc] limit=<number_of_rows> start=<start_recnum> end=<end_recnum> offset=<offset> from=<from_date> to=<to_date> verbose=[1|0] dump=[1|0] etype=[A|R|K|F] [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<*>
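The batching rules above (offset for a database or ODBC source, start for a flat file, the returned file offset as a shortcut, a short page meaning the end) are easy to get wrong in a collector that feeds a SIEM. The following is an added Python example, not BeyondTrust code: a paging loop driven by an injected fetch function, exercised against a constructed in-memory eventlog of 250 records in the shape of the /REST/v2/events response. The fake source and the field names it honours (offset, start, limit, etype) are constructed for the example; it returns its row index as "offset", whereas the real flat-file response returns a file position.

```python
def batch_params(source, batch_number, batch_size):
    """Query attributes for the Nth (1-based) batch: 'offset' for db/odbc, 'start' for a flat file."""
    if source not in ("db", "odbc", "ff"):
        raise ValueError(f"unknown eventlog source {source!r}")
    key = "start" if source == "ff" else "offset"
    return {key: (batch_number - 1) * batch_size, "limit": batch_size}


def page_events(fetch, source, batch=100, **filters):
    """Yield every event from the source one batch at a time.
    `fetch` takes the attribute dict (as pbrestcall would send it) and returns the decoded JSON."""
    consumed = 0
    params = batch_params(source, 1, batch)
    while True:
        resp = fetch({**params, **filters})
        events = resp.get("events", [])
        yield from events
        consumed += len(events)
        if len(events) < batch:  # a short page means there is nothing after it
            return
        if source == "ff" and "offset" in resp:
            # Flat file: continue from the offset the server returned instead of re-scanning from the top.
            params = {"offset": resp["offset"], "limit": batch}
        else:
            key = "start" if source == "ff" else "offset"
            params = {key: consumed, "limit": batch}


# Constructed events in the shape of the /REST/v2/events response; etype cycles A, R, K.
FAKE_EVENTS = [
    {"recnum": i + 1, "uniqueid": f"constructed{i:06d}", "etype": "ARK"[i % 3],
     "submituser": "root", "submithost": "pbuild", "runuser": "root", "runhost": "pbuild",
     "runcommand": "id", "exitstatus": None}
    for i in range(250)
]


def make_fake_source(events):
    """Constructed stand-in for the eventlog that records every call so the paging can be checked.
    It honours limit, offset/start and the etype filter only."""
    calls = []

    def fetch(params):
        calls.append(dict(params))
        rows = [e for e in events if "etype" not in params or e["etype"] == params["etype"]]
        pos = int(params.get("offset", params.get("start", 0)))
        page = rows[pos:pos + int(params["limit"])]
        return {"events": page, "offset": pos + len(page)}  # row index here, a file position in the real API

    return fetch, calls


def count_by_type(fetch, source, batch=100):
    """Example consumer: how many events of each etype the source holds."""
    counts = {}
    for event in page_events(fetch, source, batch=batch):
        counts[event["etype"]] = counts.get(event["etype"], 0) + 1
    return counts
```

batch_params reproduces the two "3rd batch of 100" calls shown above (offset=200 for a database, start=200 for a flat file); page_events is what a collector runs to drain the whole source, and passing etype="R" as a filter narrows it to reject events server-side rather than after the fact.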
Other attributes include format, file and dsn. The following section describes them.
List events by eventdestination
For SQLite DB
GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=db
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=db
or omit format, since db is the default.
To retrieve events from a specific SQLite database file,
GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=db&file=<file>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=db file=<file>
For ODBC
You must set the DSN.
GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=odbc&dsn=<DSN>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=odbc dsn=<DSN>
For flat file
You must set the file name.
GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=ff&file=<file>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=ff file=<file>
You can also use the older version of the API, which has limited filters, for a flat file.
GET https://pbuild:24351/REST/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"time":0,"events":[{"runuser":"root","id":"c0a8108a52775f9781521","time":"08:49:27","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["typeset","x","SHELL","PATH","HOME"],"runhost":"pbuild","date":"2013/11/04","user":"root","exitstatus":"local shellbuiltin","runargv":["typeset","-x","SHELL","PATH","HOME"]},{"runuser":"root","id":"c0a8108a528ce1a0462F","time":"16:21:52","masterhost":"pbuild","submithost":"pbuild","event":"Reject","argv":["bash"],"runhost":"pbuild","date":"2013/11/20","user":"root","exitstatus":"","runargv":["bash"]},{"runuser":"root","id":"c0a8108a5285f5d350FE","time":"10:22:11","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["pbguid","policy"],"runhost":"pbuild","date":"2013/11/15","user":"root","exitstatus":"Authorized","runargv":["pbguid","policy"]},{"runuser":"ctaylor","id":"c0a8108a528ce3414793","time":"16:28:49","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["CSV","ctaylor","udev","bash#csh"],"runhost":"192.168.16.138","date":"2013/11/20","user":"ctaylor","exitstatus":"Command finished with exit status 0","runargv":["echo",""]}, ...
To filter the events, parameters can be passed to this REST endpoint:
- accept=0|1 (default 1): return Accept events
- reject=0|1 (default 1): return Reject events
- keystroke=0|1 (default 1): return events that resulted in an I/O log
These three filters are combined with logical OR, and each defaults to 1, so to limit the events returned every type you do not want must be set to 0 explicitly.
File integrity monitoring (FIM)
FIM - get config
Retrieve the specified FIM configuration policy.
GET https://server1:24351/REST/fim/configs?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"name":"default","cfg":{"predefs":{"bin":{"all":{"ino":true,"mode":true,"uid":true,"gid":true,"own":"root","pmask":"022","size":true,"mtime":true,"ctime":true,"hash":true,"risk":10}},"sysconf":{"exec":{"ino":true,"mode":true,"uid":true,"gid":true,"pmask":"022","size":true,"mtime":true,"ctime":true,"hash":true,"risk":10},"script":{"ino":true,"mode":true,"uid":true,"gid":true,"pmask":"022","size":true,"mtime":true,"ctime":true,"hash":true,"risk":10},"dev":{"uid":true,"gid":true,"mode":true,"risk":10},"other":{"ino":true,"mode":true,"uid":true,"gid":true,"pmask":"002","size":true,"mtime":true,"ctime":true,"risk":6}},"log":{"all":{"uid":true,"gid":true,"mode":true,"pmask":"002","mtime_later":true,"ctime_later":true,"risk":4}}},"include":[{"path":"/etc/*","chk":"sysconf","recurse":true,"xdev":true,"follow":false},{"path":"/proc","chk":"log","recurse":false},{"path":"/mnt","chk":"log","recurse":false},{"path":"/etc/mtab","chk":"log","recurse":false},{"path":"/etc/motd","chk":"log","recurse":false},{"path":"/etc/passwd","chk":"log","recurse":false},{"path":"/etc/shadow","chk":"log","recurse":false},{"path":"/boot/*","chk":"sysconf","recurse":true,"xdev":true,"follow":false},{"path":"/bin/*","chk":"bin","recurse":true,"xdev":true,"follow":false},{"path":"/var/log/*","chk":"log","recurse":true,"xdev":true,"follow":false},{"path":"/var/adm/*","chk":"log","recurse":true,"xdev":true,"follow":false}],"exclude":["/root/.*sh_history","/home/*","/etc/pb.db"]}}
FIM - list configuration assignments
List all of the FIM configuration assignments (which configuration policy is assigned to which host).
GET https://server1:24351/REST/fim/assigm?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"name":"default","hostname":"pbuild","lastupdated":"2016-11-14 16:17:08"}
FIM - get configuration assignment for host
Get the name of the currently assigned configuration policy.
GET https://server1:24351/REST/fim/config/host?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&hostname=<hostname>
GET https://server1:24351/REST/fim/config/host?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&name=<name>
RESPONSE {"name":"default","hostname":"pbuild","lastupdated":"2016-11-14 16:17:08"}
FIM - list reports
List the FIM reports.
GET https://server1:24351/REST/fim/reports?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE [{"uuid":"d897e8d5-d854-450a-be83-faeef2d52dae","rundate":"2016-11-14 19:43:41","updated":0,"deleted":false,"new":3332,"total":3332,"policy":0,"max_risk":10,"name":"default","host":"pbtest"}]
FIM - get report
Retrieve the specified report.
GET https://server1:24351/REST/fim/report?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&uuid=<uuid>
RESPONSE {"uuid":"8511cd6f-f21e-4832-ba2a-33b2c483012f","rundate":26860624,"updated":1,"deleted":0,"new":0,"total":1,"policy":0,"max_risk":6,"name":"default","host":"pbuild","rpt":[{"after":{"mtime":"2016-11-15 13:20:16","ctime":"2016-11-15 13:20:16","ino":544386,"dev":2051,"file":"foo"},"path":"/etc","before":{"mtime":"2016-11-04 16:14:03","ctime":"2016-11-04 16:14:03","ino":544386,"dev":2051,"file":"foo"},"risk":6,"change":"updated"}]}
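Triage of a report as returned by the call above, as an added example (not BeyondTrust code): it keeps entries at or above a risk threshold, orders them highest risk first and, for "updated" entries, lists which recorded attributes differ between the before and after snapshots. SAMPLE_REPORT reuses the documented /etc/foo entry; the /bin/ls and /etc/cron.d/backup entries, and the hash values in them, are constructed for this example.

```python
"""Triage of a FIM report from GET /REST/fim/report (added example, not BeyondTrust code)."""
from typing import Dict, List

SAMPLE_REPORT = {
    "uuid": "8511cd6f-f21e-4832-ba2a-33b2c483012f", "name": "default", "host": "pbuild",
    "max_risk": 10, "total": 3, "rpt": [
        # the documented /etc/foo entry: only the timestamps moved
        {"path": "/etc", "change": "updated", "risk": 6,
         "before": {"mtime": "2016-11-04 16:14:03", "ctime": "2016-11-04 16:14:03",
                    "ino": 544386, "dev": 2051, "file": "foo"},
         "after": {"mtime": "2016-11-15 13:20:16", "ctime": "2016-11-15 13:20:16",
                   "ino": 544386, "dev": 2051, "file": "foo"}},
        # constructed: a binary whose content changed while mtime was preserved
        {"path": "/bin", "change": "updated", "risk": 10,
         "before": {"size": 133792, "mtime": "2016-01-12 10:02:11", "hash": "c0ffee00", "file": "ls"},
         "after": {"size": 133800, "mtime": "2016-01-12 10:02:11", "hash": "deadbeef", "file": "ls"}},
        # constructed: a file that did not exist at the previous run
        {"path": "/etc/cron.d", "change": "new", "risk": 10,
         "before": None,
         "after": {"size": 88, "mtime": "2016-11-15 02:00:00", "file": "backup"}},
    ]}


def attribute_diff(before: dict, after: dict) -> Dict[str, tuple]:
    """Attributes whose value differs, as name -> (before, after)."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}


def triage(report: dict, min_risk: int = 6) -> List[dict]:
    findings = []
    for entry in report.get("rpt", []):
        risk = entry.get("risk", 0)
        if risk < min_risk:
            continue
        before = entry.get("before") or {}    # absent for "new" entries
        after = entry.get("after") or {}      # absent for "deleted" entries
        fname = (after or before).get("file", "")
        findings.append({
            "path": entry["path"].rstrip("/") + "/" + fname,
            "change": entry["change"],
            "risk": risk,
            "diff": attribute_diff(before, after) if entry["change"] == "updated" else {},
        })
    # highest risk first, then by path so the output is stable
    return sorted(findings, key=lambda f: (-f["risk"], f["path"]))


def format_findings(findings: List[dict]) -> str:
    lines = []
    for f in findings:
        changed = ", ".join(f"{k}: {a!r} -> {b!r}" for k, (a, b) in f["diff"].items())
        lines.append(f'[risk {f["risk"]:>2}] {f["change"]:<8} {f["path"]}'
                     + (f"  ({changed})" if changed else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(triage(SAMPLE_REPORT)))
```

A hash change with an unchanged mtime, as in the constructed /bin/ls entry, is the case worth surfacing first: timestamps are trivially reset by an attacker, the content hash is not.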
FIM - put configuration
Put the specified configuration policy.
PUT https://server1:24351/REST/fim/config?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { JSON config }
RESPONSE { "status" : 0}
FIM - assign configuration
Assign the specified host to the named configuration policy.
PUT https://server1:24351/REST/fim/assign?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "name" : "<configname>", "hostname" : "<hostname>" }
RESPONSE { "status" : 0}
FIM - delete config
Delete the specified policy configuration.
DELETE https://server1:24351/REST/fim/config?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&name=<name>
FIM - delete report
Delete the specified FIM report.
DELETE https://server1:24351/REST/fim/report?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
Key file
Key get
Gets the specified pb.key file as a base64 encoded string.
GET https://pbuild:24351/REST/key?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"keyfile":
{"blob":"A8EumiklyZHh2yhJ/VeUXI1117r7WlXKuOkr/MtHY2fjqTB8q0/h0/rpsoJZrRJGmwvYiODH/uLIpfh2srZ01meA
p1tIypUCWzLOp4Wmnfu4MWI7GtLYQnQbFjhm0jI3mrY8IDo0IusULmXTh7GCjYtS78Ypj3S2RZYQ2WNWZtoKtC2/Psv
+svTU9/Sj7K+Wna6zFvTnwqVTkdy8rOQ+kGDoBrZV0QbVowD2jWnGQjNjdne/w4mSdnX5BMATCe93laKbr4c+6MV
97S/HW9HUu/bxG7pf+XcovaX6d7WPRJYGVQP/GLJ6LER34MRpsuGJf3dMA4jvRGTPKue685pi41FyvIhacPKWBHBcD
e3mmIDlfoU7zzJy3k5hGlOEYAroAC/iBSjLQqIv4pTJr1FG95ko8T/DsVigg1VuFiB1VZg45FODzQy2sm5FHu47828kthvO
n30HXZBFFug2z7qcmohRGnKHHh9QSRzzy0GoaDs/+DTKljOAtwHXkzKBGLdyKRO068kk6xN9EafHWxq69zJ8v5nBZRL
8aOKn/4341UlLGsmPEtf+bNxJ7Wtlfw3pt3FSidC3ikButt3giM1dD42qYp2YYa19U7kNxCl+UiYK7EUJD7JI26MM/WiA3
uWCtkrz6iSnMxIZhhpYxV4OjPFBNJg3entziObCw8DVzkthPmYA+biXh05gnpUV7pSvg0XrefJ6/dXWLNoSoQD/znsFab
GzX/tRWu1CNVqtlCW8nPzJD6gNFieWMavniipolDza+9Gdo9Sw1tFZyRip/ZZ56jvhnCKmOS8xOhfXx2cO5kXwpBoBto8
FCrkiwjCi3f3YDz/RrNCSpvWSgJN88MnNCXJRWy+cyQu7c/MQcwu+ySK1g0tqUhTLgKCj7RwnGXrsUBu0F4WI9q6VCp
vfXDvnGCwsEwoyEnKMsMKGR30q6fMOtN+npq0zFLvnaAjtIqg0AxP4aHe6b6PLR/eftBt92EoyY6TbN+FsthUyjRTSbwh
lVnGs/29lWemUJ4PJss5FVBKoX5dKptivUDyjvChG7RQl/UuUzPtVvDr1C/oGPOf8VBT1jlg19s9w6GioofgoxW+/tGISwC
zQYgKkvNrAOLTTIGS2x/1WAxCZFCZ74bffP/bsopnDxTD+QzMrIBrQf0x9HdXC6vZPJvOdYIBCACp2fcwFE5aZ8y9o+gH3
cia2L0G5rO7xEvIFp64xLKpBwCR0yJXg0uwjIr1aWHk7BVUKUDeISH1KSyuZQwMskgaGtIZcPyyTmSnxYKIGHQnP854F4
4/4FLeDwnfiMGABN3WjOFvg9PvKcTJsa/0OUF4yw/oW7vGKaiJqG7bz0dsS0FRW/nQ3XSvUQ5p7oFX7","blen":1026}
,"status":0}
Key set
Sets the specified pb.key to the base64 encoded string.
PUT https://pbuild:24351/REST/key?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Fetc%2Fpb%2Ftmp.key
REQUEST{"blob":"WFP8yHAhyy2KSub1I34/azYmZeDHi3V1C+9H1nlmCthxqFD3B7ByQV8V3dCYP5N6S2nbIIHOWQ+emfzi5BS
YUxwRUqkS7dy5FnaquMVyIVFl1ehyqDufH38n33XOyN6dJJptcQS9bmlyoGT3IUrkyGlU6sHAN2k3HIDK4xDwu+wpgn
I8lLOQni6A2n4Hg7FHUcuvhtQG1D0XThE7qs1bEx4gb3o8ONR+dUMvvDpe40Sr6LCV8Lj3C8ixN1c8eqlMyxnUZr266J
5otWz+XCj44BhDndikJqwIucNADo50jnZL6leUmfdS+5xoFip1UmrBzsdhpYf9H/Uo5zmICMJjko+4VDaYTBhCmbEH63
MaQ6kXef3NstyUa4js7Xw6nzbJ2n2aXkQd0HFccSa1pMMpFdB8v9VBgdKpAATq5lbAwqREfO+LbEfNLtWvtKs9X/F36
3rI8dYCIyHqfz62sSFEqDcFuXKkp1HTagZL9tYk55LtS+mbFiDq7VVnpTBGaIL29Y+G3sSt/Stz2sUh7Fpjy3D3OIgpmynJhNj
ehmULOrjm6Rv1aFvNILzBLKV63HhgMzYJ+FzcV9X9HEHWXAdfwrYNx+KGPqmyD8Prd6RSIX9gJUBks0VPfdmoEshS
W5iCXoStyPPGNQ1fFECXQK69Pdrqr3LTm3L2Lu0uQnNTBTfvdull+goGKiAFfJAY6kLOH5UTyC1CwZZkLI5Xb8EJ8nPT1
Ru5VBXI3f0XHf97UFiKeCLzC2ewW1sV09NFqrtQG0Ie6uEsXJoSul2/l96bB5A50zd8DVgnt57PO8g09Y7hYkItyFFPNk5
UtAL+86BxlZFTbyiooCwHwrZbp9hBjAYhz84U7eKuPxVFKzL/Z9A3lwFMvdibPFwL+I2KWOED9b90wmQsC+RJZ7rm2x
JVF5O1D0ETm2Ot7vXIy5Kka2UAkLJPUpQtLPAVAnbwBRHZ71j+D9UAczWth1YUmRPcKNNnvRfj+grtvBb63oOouCUg
ZxPXSJfJ+b7Hwghi84ZTbxrSAZt2VRgUxO1uSP0aogT9fllH7fuMjCtGPMsvBFgg/QvEwz10PEeY1DY8W5zVa1lQMxflbBQ
JOQ+7iZLwG/pWnxo04tBYYE5mxbt3AL9KHK9AIMx8e/vqSeu7cxJo2PAjnkEp+R1Q6gjprRCDl9f0zQNV4IhRFFJ3eItF7
p0O3WS1iCPNATmpu+ZpYYeChCJltL3+W8Tk8AsLCMTweZoJugFBKZ8fQR6WlPG6mzD98jgbet8czjpGpjzA4l","blen":1
026}
RESPONSE {"status":0}
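Client-side handling of the blob exchanged by Key get and Key set, as an added example (not BeyondTrust code). The key file is the shared secret protecting EPM-UL traffic, so a client that pulls one down should check that the blob decodes to exactly blen bytes before trusting it, and should write it with mode 0600 through a temporary file and an atomic rename so that a crash never leaves a truncated or world-readable key; the reverse direction builds the PUT body from a local file. The key material used in self_check() is random bytes constructed for this example.

```python
"""Decode, store and re-encode pb.key blobs (added example, not BeyondTrust code)."""
import base64
import binascii
import os
import tempfile


def decode_keyfile(response: dict) -> bytes:
    """Validate a GET /REST/key response, or a bare {"blob", "blen"} object."""
    kf = response.get("keyfile", response)
    blob = "".join(kf["blob"].split())        # tolerate a line-wrapped blob
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"blob is not valid base64: {exc}") from None
    if len(raw) != kf["blen"]:
        raise ValueError(f"blen {kf['blen']} does not match decoded length {len(raw)}")
    return raw


def write_keyfile(path: str, raw: bytes) -> str:
    """Write raw to path with mode 0600, replacing any existing file atomically."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(prefix=".pbkey.", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            os.fchmod(fh.fileno(), 0o600)     # mkstemp already uses 0600; made explicit
            fh.write(raw)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def put_body_from_file(path: str) -> dict:
    """Body for PUT /REST/key?...&file=<target>: {"blob": ..., "blen": ...}."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return {"blob": base64.b64encode(raw).decode("ascii"), "blen": len(raw)}


def self_check() -> bool:
    """Round-trip a constructed key through decode, write and re-encode."""
    raw = os.urandom(1026)                   # same length as the documented blob
    response = {"status": 0,
                "keyfile": {"blob": base64.b64encode(raw).decode("ascii"), "blen": 1026}}
    with tempfile.TemporaryDirectory() as d:
        path = write_keyfile(os.path.join(d, "tmp.key"), decode_keyfile(response))
        mode = os.stat(path).st_mode & 0o777
        body = put_body_from_file(path)
    return mode == 0o600 and body == response["keyfile"]


if __name__ == "__main__":
    print("round trip ok:", self_check())
```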
Key new
Creates a new specified pb.key file and generates random contents.
POST https://pbuild:24351/REST/key?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Fetc%2Fpb%2Ftmp.key
REQUEST {}
RESPONSE {"status":0}
Get key file as attachment
Retrieves the specified pb.key file as a binary attachment.
GET https://pbuild:24351/REST/keyfile?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&file=%2Fetc%2Fpb.key
Registry name service (RNS)
Registry name service cache update
Retrieves all the Registry Name Service Database updates for this host since lastupdated.
GET https://RNS_Server:24351/REST/service/svccache?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&uuid=<uuid>&lastupdated=<num>
RESPONSE {"services":[{"svcgname":"registry_name_service","svc":1,"cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"role":4,"sorder":1,"lastupdated_usec":1479140226550825},{"svcgname":"dflt_pbpolicy_service","svc":2,"cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"role":4,"sorder":1,"lastupdated_usec":1479140226572396},{"svcgname":"dflt_log_service","svc":4,"cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"role":4,"sorder":1,"lastupdated_usec":1479140226597899},{"svcgname":"dflt_sudopolicy_service","svc":8,"cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"role":4,"sorder":1,"lastupdated_usec":1479140226627291},{"svcgname":"dflt_fim_service","svc":128,"cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"role":4,"sorder":1,"lastupdated_usec":1479140226674180},{"svcgname":"dflt_logarch_service","svc":32,"cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"role":4,"sorder":1,"lastupdated_usec":1479140226701934},{"svcgname":"dflt_pbpolicy_service","svc":2,"cn":"pbtest","uuid":"024352a4-d4d0-48d2-bdcc-76ec429632f7","fqdn":"pbtest","addrs":[{"family":4,"port":24351,"addr":"192.168.16.184"}],"role":1,"sorder":0,"lastupdated_usec":1479152447772617},{"svcgname":"dflt_log_service","svc":4,"cn":"pbtest","uuid":"024352a4-d4d0-48d2-bdcc-76ec429632f7","fqdn":"pbtest","addrs":[{"family":4,"port":24351,"addr":"192.168.16.184"}],"role":1,"sorder":0,"lastupdated_usec":1479152447774991},{"svcgname":"dflt_fim_service","svc":128,"cn":"pbtest","uuid":"024352a4-d4d0-48d2-bdcc-76ec42
9632f7","fqdn":"pbtest","addrs":[{"family":4,"port":24351,"addr":"192.168.16.184"}],"role":2,"sorder":2,"lastupdated_usec":1479152505459492}]}
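Consuming the delta returned above, as an added example (not BeyondTrust code): because the call returns only records newer than the lastupdated value passed, a consumer keeps a watermark and merges each delta into its local cache. Two assumptions are made here: that the watermark is compared against lastupdated_usec, and that a service record is identified by (svcgname, uuid). The records are trimmed copies of the documented response plus one constructed update and one stale duplicate.

```python
"""Incremental RNS service-cache merge (added example, not BeyondTrust code)."""
from typing import Dict, List, Tuple

Key = Tuple[str, str]   # (svcgname, uuid)


def merge(cache: Dict[Key, dict], delta: dict, watermark: int) -> int:
    """Apply one svccache response; return the lastupdated watermark for the next call."""
    for svc in delta.get("services", []):
        key = (svc["svcgname"], svc["uuid"])
        ts = svc["lastupdated_usec"]
        current = cache.get(key)
        if current is None or ts > current["lastupdated_usec"]:
            cache[key] = svc            # newer record wins; stale duplicates are ignored
        watermark = max(watermark, ts)
    return watermark


def hosts_for(cache: Dict[Key, dict], svcgname: str) -> List[Tuple[int, str, str]]:
    """(sorder, cn, addr:port) for every host serving a service group, in sorder."""
    rows = []
    for (name, _uuid), svc in cache.items():
        if name != svcgname:
            continue
        for a in svc["addrs"]:
            rows.append((svc["sorder"], svc["cn"], f'{a["addr"]}:{a["port"]}'))
    return sorted(rows)


def _rec(svcgname, cn, uuid, addr, role, sorder, ts):
    return {"svcgname": svcgname, "cn": cn, "uuid": uuid, "fqdn": cn,
            "addrs": [{"family": 4, "addr": addr, "port": 24351}],
            "role": role, "sorder": sorder, "lastupdated_usec": ts}


PBUILD = "7d4504dd-b64f-453c-9a12-53a079a8d4ff"
PBTEST = "024352a4-d4d0-48d2-bdcc-76ec429632f7"

# trimmed from the documented response
FIRST_DELTA = {"services": [
    _rec("dflt_log_service", "pbuild", PBUILD, "192.168.16.138", 4, 1, 1479140226597899),
    _rec("dflt_fim_service", "pbuild", PBUILD, "192.168.16.138", 4, 1, 1479140226674180),
    _rec("dflt_fim_service", "pbtest", PBTEST, "192.168.16.184", 2, 2, 1479152505459492),
]}
# constructed: pbtest's FIM record re-issued with a new address, plus a stale copy of pbuild's
SECOND_DELTA = {"services": [
    _rec("dflt_fim_service", "pbtest", PBTEST, "192.168.16.190", 2, 2, 1479160000000000),
    _rec("dflt_fim_service", "pbuild", PBUILD, "192.168.16.138", 4, 1, 1479140226674180),
]}


def run() -> Tuple[int, int, List[Tuple[int, str, str]]]:
    cache: Dict[Key, dict] = {}
    wm = merge(cache, FIRST_DELTA, 0)          # first call: lastupdated=0
    wm = merge(cache, SECOND_DELTA, wm)        # second call: lastupdated=<wm>
    return wm, len(cache), hosts_for(cache, "dflt_fim_service")


if __name__ == "__main__":
    print(run())
```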
Registry name service - get service group info
Retrieves Service Group information from the Registry Name Service Database.
GET https://RNS_Server:24351/REST/service/svcgrp?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE [{"svcgid":1,"svcgname":"registry_name_service","svc":"registry","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":2,"svcgname":"dflt_pbpolicy_service","svc":"pbpolicy","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":3,"svcgname":"dflt_log_service","svc":"logsvr","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":4,"svcgname":"dflt_sudopolicy_service","svc":"sudopolicy","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":5,"svcgname":"dflt_Solr_service","svc":"Solr","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":6,"svcgname":"dflt_logarch_service","svc":"logarchive","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":7,"svcgname":"dflt_beyondinsight_service","svc":"beyondinsight","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":8,"svcgname":"dflt_fim_service","svc":"fim","updated_usec":"2016-11-14 16:17:06","deleted":false}]
Registry name service - get registry name service host and service group info
Retrieves Registry Name Service Host and Services information.
GET https://RNS_Server:24351/REST/service/svchost/name?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&cn=<cn>&svcgname=<svcgname>
RESPONSE [{"svcgid":1,"svcgname":"registry_name_service","svc":"registry","updated_usec":"2016-11-14 16:17:06","deleted":false,"svcs":[{"svcgid":1,"hostid":1,"role":"primary","sorder":1,"created_usec":"2016-11-14 16:17:06","updated_usec":"2016-11-14 16:17:06","cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"tnlzone":0,"deleted":0}]},
{"svcgid":2,"svcgname":"dflt_pbpolicy_service","svc":"pbpolicy","updated_usec":"2016-11-14 16:17:06","deleted":false,"svcs":[{"svcgid":2,"hostid":1,"role":"primary","sorder":1,"created_usec":"2016-11-14 16:17:06","updated_usec":"2016-11-14 16:17:06","cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"tnlzone":0,"deleted":0}]},
{"svcgid":3,"svcgname":"dflt_log_service","svc":"logsvr","updated_usec":"2016-11-14 16:17:06","deleted":false,"svcs":[{"svcgid":3,"hostid":1,"role":"primary","sorder":1,"created_usec":"2016-11-14 16:17:06","updated_usec":"2016-11-14 16:17:06","cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"tnlzone":0,"deleted":0}]},
{"svcgid":4,"svcgname":"dflt_sudopolicy_service","svc":"sudopolicy","updated_usec":"2016-11-14 16:17:06","deleted":false,"svcs":[{"svcgid":4,"hostid":1,"role":"primary","sorder":1,"created_usec":"2016-11-14 16:17:06","updated_usec":"2016-11-14 16:17:06","cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"tnlzone":0,"deleted":0}]},
{"svcgid":5,"svcgname":"dflt_Solr_service","svc":"Solr","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":6,"svcgname":"dflt_logarch_service","svc":"logarchive","updated_usec":"2016-11-14 16:17:06","deleted":false,"svcs":[{"svcgid":6,"hostid":1,"role":"primary","sorder":1,"created_usec":"2016-11-14 16:17:06","updated_usec":"2016-11-14 16:17:06","cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"tnlzone":0,"deleted":0}]},
{"svcgid":7,"svcgname":"dflt_beyondinsight_service","svc":"beyondinsight","updated_usec":"2016-11-14 16:17:06","deleted":false},
{"svcgid":8,"svcgname":"dflt_fim_service","svc":"fim","updated_usec":"2016-11-14 16:17:06","deleted":false,"svcs":[{"svcgid":8,"hostid":1,"role":"primary","sorder":1,"created_usec":"2016-11-14 16:17:06","updated_usec":"2016-11-14 16:17:06","cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"tnlzone":0,"deleted":0},{"svcgid":8,"hostid":2,"role":"secondary","sorder":2,"created_usec":"2016-11-14 19:41:45","updated_usec":"2016-11-14 19:40:47","cn":"pbtest","uuid":"024352a4-d4d0-48d2-bdcc-76ec429632f7","fqdn":"pbtest","addrs":[{"family":4,"port":24351,"addr":"192.168.16.184"}],"tnlzone":-1,"deleted":0}]}]
Registry name service - get registry name service group and role information
Retrieves Registry Name Service Group and Role information.
GET https://RNS_Server:24351/REST/service/svchost/role?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&role=<role>&svcgname=<svcgname>
RESPONSE {"svcgid":1,"svcgname":"registry_name_service","svc":"registry","updated_usec":"2016-11-14 16:17:06","deleted":false,"svcs":[{"svcgid":1,"hostid":1,"role":"primary","sorder":1,"created_usec":"2016-11-14 16:17:06","updated_usec":"2016-11-14 16:17:06","cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"tnlzone":0,"deleted":0}]}
Registry name service - get registry name service host information
Retrieves Registry Name Service host information for the host identified by common name, UUID or FQDN.
GET https://RNS_Server:24351/REST/service/host/name?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&cn=<cn>
GET https://RNS_Server:24351/REST/service/host/uuid?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&uuid=<uuid>
GET https://RNS_Server:24351/REST/service/host/fqdn?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&fqdn=<fqdn>
RESPONSE {"hostid":1,"cn":"pbuild","uuid":"7d4504dd-b64f-453c-9a12-53a079a8d4ff","fqdn":"pbuild","addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"tnlzone":0,"updated_usec":"2016-11-14 16:17:06","deleted":false}
Registry name service - delete service group
Delete the specified Service Group.
DELETE https://Primary_RNS_Server:24351/REST/service/svcgrp?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&svcgname=<svcgname>
Registry name service - delete service host
Delete the specified host from the specified Service Group.
DELETE https://Primary_RNS_Server:24351/REST/service/svchost?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&svcgname=<svcgname>&cn=<cn>
Registry name service - delete host
Delete the specified host from the Registry Name Service.
DELETE https://Primary_RNS_Server:24351/REST/service/host?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&cn=<cn>
Registry name service - delete host completely from RNS setup
Delete specified host from the Registry Name service and delete the host entry from the service database.
DELETE https://Primary_RNS_Server:24351/REST/service/host?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&cn=<cn>&remove=true
Registry name service - put service group
Add/Update the specified Service Group.
PUT https://Primary_RNS_Server:24351/REST/service/svcgrp?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "svc" : { "svcgname" : "<svcgname>", "svc" : "<svc>" }}
RESPONSE { "status" : 0}
Registry name service - put service group host
Assign the specified host as a given role within the specified Service Group.
PUT https://Primary_RNS_Server:24351/REST/service/svchost?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "svc" : { "svcgname" : "<svcgname>", "cn" : "<cn>", "role" : "<role>" }}
RESPONSE { "status" : 0}
Registry name service - put host
Add/Update the named host in Registry Name Service.
PUT https://server1:24351/REST/service/host?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST { "svc" : { "cn" : "<cn>", "fqdn" : "<fqdn>", "uuid" : "<uuid>" } }
RESPONSE { "status" : 0}
Registry name service - promote
Promote the specified server (for example, server1) in registry name service group to primary.
PUT https://server1:24351/REST/service/promote?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST {"svcgname" : "<svcgname>"}
RESPONSE { "status" : 0}
Note
The REST request is sent to the server being promoted.
Promote the specified server (cn) to primary within the given service group; this form of the request is sent to the current primary RNS server.
PUT https://Primary_RNS_Server:24351/REST/service/promote?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
REQUEST {"svcgname" : "<svcgname>", "cn" : "<cn>" }
RESPONSE { "status" : 0}
Sync
REST call to set a file to be synchronized within a service group. This is the same as pbadmin --cfg -A.
Set to sync
pbrestcall -a <appid> -k <appkey> -l -X PUT https://<host>:<restport>/REST/v1/cfg/sync -d '{"file":"<file>", "svcs":["<servicegroup>"]}'
Example
pbrestcall -a admin -k d39cf6ea-e292-4c59-b60a-2d9650eb9cad -l -X PUT https://localhost:29106/REST/v1/cfg/sync -d '{"file":"/opt/pbul/policies/myfile", "svcs":["dflt_pbpolicy_service"]}'
Import
pbrestcall -a <appid> -k <appkey> -l -X PUT https://<host>:<restport>/REST/v1/cfg/import -d '{"file":"<filename>"}'
Example
pbrestcall -a admin -k d39cf6ea-e292-4c59-b60a-2d9650eb9cad -l -X PUT https://localhost:29106/REST/v1/cfg/import -d '{"file":"/opt/rnspbul/policies/myfile"}'
If file already exists, use force:
pbrestcall -a <appid> -k <appkey> -l -X PUT https://<host>:<restport>/REST/v1/cfg/import -d '{"force":1, "file":"<filename>"}'
Role based policy database manipulation
The functionality for manipulating the Role Based Policy database was written with the command-line utility (pbdbutil), the policy server (pbmasterd) and the REST interface all in mind. The functions use JSON objects to specify the records to retrieve, update and delete.
To retrieve the entire Role Based Policy database, use the REST GET HTTP method, and specify a URL similar to https:// … /policies/rbp.
To retrieve individual Role Based Policy entities, use the REST GET HTTP method with a URL similar to https:// … /policy/rbp/ and specify a parameter of either name= or id=.
Example
https:// … /policy/rbp/usergrp?.....name=ugrp1
To import a new Role Based Policy database, use the REST PUT HTTP method with a URL similar to https:// … /policies/rbp and specify the complete database, in the appropriate format, in the BODY data.
To update specific Role Based Policy entities, use the REST PUT HTTP method with a URL similar to https:// … /policy/rbp/ and specify the entity, in the appropriate format, in the BODY data.
To delete specific Role Based Policy entities, use the REST DELETE HTTP method with a URL similar to https:// … /policy/rbp/ and specify a parameter of either name= or id=.
To begin a Role Based Policy Change Transaction, use the REST PUT HTTP method with a URL similar to https:// … /policy/rbp/begin.
To commit a Role Based Policy Change Transaction, use the REST PUT HTTP method with a URL similar to https:// … /policy/rbp/commit.
To rollback a Role Based Policy Change Transaction, use the REST PUT HTTP method with a URL similar to https:// … /policy/rbp/rollback.
To retrieve a Role Based Policy Change Transaction details, use the REST GET HTTP method with a URL similar to https:// … /policy/rbp/transaction.
Role Based Policy - Miscellaneous Calls
Retrieve RBP version list
GET https://pbuild:24351/pbrest/REST/v2.0/policy/rbp/list?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE { "rbp": [{ "version": 1, "who": "ctaylor", "why": "New data",
"created": 1529322345} ] }
Retrieve entitlement "raw" data
GET https://pbuild:24351/pbrest/REST/v2.0/policy/rbp/entitlement?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
Optional arguments
- submituser=
- runuser=
- submithost=
- runhost=
- command=
RESPONSE {
"results": [
{
"id": 1,
"name": "Admin",
"tag": null,
"description": "Super users and admins",
"rorder": 1,
"action": "allowed",
"iolog": true,
"auth": false,
"script": false,
"message": false,
"submitusers": {
"Admins": {
"description": "Admin users",
"list": [
"root",
"admin"
]
}
},
"submithosts": {
"All Hosts": {
"description": "All Hosts",
"list": [
"*"
]
}
},
"runusers": {
"Admins": {
"description": "Admin users",
"list": [
"root",
"admin"
]
},
"Users": {
"description": "Normal Users",
"list": [
"user*"
]
}
},
"runhosts": {
"All Hosts": {
"description": "All Hosts",
"list": [
"*"
]
}
},
"commands": {
"User Commands": {
"description": "Common UNIX Commands",
"list": [
{ "cmd": "/bin/ls","runcommand": "" },
{ "cmd": "/bin/ls *","runcommand": "" },
{ "cmd": "/usr/bin/ls","runcommand": "" },
{ "cmd": "/usr/bin/ls *","runcommand": ""},
{ "cmd": "/bin/cat *","runcommand": ""},
{ "cmd": "/usr/bin/cat *","runcommand": "" }
]
}
},
"time/dates": {
"Any Time": {
"description": "Any Time",
"list": [
{
"dotw": {
"mon": [
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15
],
"tue": [
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15
],
"wed": [
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15
],
"sun": [
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15
],
"thu": [
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15
],
"fri": [
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15
],
"sat": [
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15
]
}
}
]
}
}
}
]
}
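What the raw entitlement data above lets a client compute, as an added example (not BeyondTrust code, and not pbmasterd's own policy evaluation): given submit user and host, run user and host, and a command line, it walks the roles in rorder and returns the first role whose every list matches, comparing with shell-style wildcards (fnmatch), which is how the documented patterns such as "user*" and "/bin/ls *" read. Taking the first match in rorder and ignoring the time/date windows are simplifications of this example. The Admin role is a trimmed copy of the documented response; the "Block shutdown" and "users" roles are constructed, the latter from the entitlement report's description of that role.

```python
"""Matching a request against raw RBP entitlement data (added example, not BeyondTrust code)."""
import fnmatch
from typing import Dict, Optional


def _group(description, items):
    return {description: {"description": description, "list": items}}


ENTITLEMENT = {"results": [
    {"id": 1, "name": "Admin", "rorder": 1, "action": "allowed", "iolog": True,
     "submitusers": _group("Admins", ["root", "admin"]),
     "submithosts": _group("All Hosts", ["*"]),
     "runusers": {**_group("Admins", ["root", "admin"]), **_group("Users", ["user*"])},
     "runhosts": _group("All Hosts", ["*"]),
     "commands": _group("User Commands", [{"cmd": "/bin/ls", "runcommand": ""},
                                          {"cmd": "/bin/ls *", "runcommand": ""},
                                          {"cmd": "/bin/cat *", "runcommand": ""}])},
    # constructed: an explicit reject that sits before the users role
    {"id": 2, "name": "Block shutdown", "rorder": 2, "action": "rejected", "iolog": False,
     "submitusers": _group("Users", ["user*"]),
     "submithosts": _group("All Hosts", ["*"]),
     "runusers": _group("Any", ["*"]),
     "runhosts": _group("All Hosts", ["*"]),
     "commands": _group("Shutdown", [{"cmd": "/sbin/shutdown *", "runcommand": ""}])},
    # constructed from the entitlement report's "users" role
    {"id": 4, "name": "users", "rorder": 4, "action": "allowed", "iolog": True,
     "submitusers": _group("Users", ["user*"]),
     "submithosts": _group("Build", ["build.company.com", "staging.company.com"]),
     "runusers": _group("Users", ["user*"]),
     "runhosts": _group("Build", ["build.company.com", "staging.company.com"]),
     "commands": _group("User Commands", [{"cmd": "/bin/ls", "runcommand": ""},
                                          {"cmd": "/bin/ls *", "runcommand": ""},
                                          {"cmd": "/sbin/shutdown *", "runcommand": ""}])},
]}


def _matches(groups: Dict[str, dict], value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, pat)
               for g in groups.values() for pat in g["list"])


def _command_matches(groups: Dict[str, dict], command: str) -> bool:
    # "/bin/ls" matches only the bare command; "/bin/ls *" is what admits arguments,
    # which is why the documented response lists both forms
    return any(fnmatch.fnmatchcase(command, entry["cmd"])
               for g in groups.values() for entry in g["list"])


def evaluate(entitlement: dict, submituser: str, submithost: str,
             runuser: str, runhost: str, command: str) -> Optional[dict]:
    """First role in rorder whose every list matches, or None if no role applies."""
    for role in sorted(entitlement["results"], key=lambda r: r["rorder"]):
        if (_matches(role["submitusers"], submituser)
                and _matches(role["submithosts"], submithost)
                and _matches(role["runusers"], runuser)
                and _matches(role["runhosts"], runhost)
                and _command_matches(role["commands"], command)):
            return {"role": role["name"], "action": role["action"], "iolog": role["iolog"]}
    return None


if __name__ == "__main__":
    print(evaluate(ENTITLEMENT, "user1", "build.company.com", "user1",
                   "build.company.com", "/sbin/shutdown -h now"))
```

Note that the wildcard patterns are matched against the whole command line, so "/bin/ls *" does not admit "/bin/lsblk", but it does admit "/bin/ls -la /etc/shadow"; the submituser/runuser filters are what keep such a command from being run as root by a non-admin.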
Retrieve entitlement report
GET https://pbuild:24351/pbrest/REST/v2.0/policy/rbp/entrpt?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
Optional arguments
- submituser=
- runuser=
- submithost=
- runhost=
- command=
- wrap=number of columns
RESPONSE {
"entitlement": "Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 1\n----------------------------------------------------------------------------\nDate/Time: 2018-06-18 09:14:48\nUser: *\nBelongs to the following Roles: \n Admin,users\n======================================================================\nRole Order: 1\nName: Admin\nDescription: Super users and admins\nAction: allowed\nTag: \nMembership: Admins\n\nSubmit Host(s): Any PBUL Host\nRun Host(s): Any PBUL Host\n\nCommands may be executed as user(s): root,admin,user*\n\nPlease use the '-u' flag to select user at run time.\neg: pbrun -u runuser command [arguments]\n\nUser may request the following commands using pbrun:\n/bin/find *,/usr/bin/ls,/bin/ls,/bin/cat *,/bin/ls *,/usr/bin/ls *,/usr/bin/rm *,\n/usr/bin/cat *,/usr/bin/find *,/sbin/shutdown *,/bin/more *,/bin/id,/usr/bin/more *,\n/usr/bin/mount *,/bin/ln *,/bin/mount *,/bin/rm *,/usr/sbin/shutdown *,\n/usr/bin/ln *,/usr/bin/id,/sbin/ifconfig *,/usr/sbin/ifconfig *\n\n\n======================================================================\nRole Order: 4\nName: users\nDescription: Normal users\nAction: allowed\nTag: \nMembership: Users\n\nSubmit Host(s): build.company.com,staging.company.com,nfs.company.com\nRun Host(s): build.company.com,staging.company.com,nfs.company.com\n\nCommands will execute as user: user*\n\nUser may request the following commands using pbrun:\n/usr/bin/ls,/bin/find *,/bin/ls,/bin/cat *,/bin/ls *,/usr/bin/rm *,/usr/bin/ls *,\n/usr/bin/cat *,/usr/bin/find *,/bin/id,/bin/more *,/usr/bin/more *,/bin/ln *,\n/bin/rm *,/usr/bin/ln *,/usr/bin/id\n\n\n"
}
Client registration
Create client registration profile
Create or update a client profile. The format of these profiles is detailed below.
PUT https://pbuild:24351/REST/register?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE { "status" : 0 }
Retrieve client registration profile
Retrieve a client profile so that the client install can action the profile:
GET https://pbuild:24351/REST/register?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&profile=profile1
RESPONSE {"status": 0, "profile": [{"type": "settings", "fname": "/etc/pb.settings"}, {"sname": "networkencryption", "type": "save"}, {"sname": "restkeyencryption", "type": "save"}, {"sname": "sslservercertfile", "type": "save"}]}
Retrieve client registration profile file attachment
Retrieve a file belonging to a client profile as an attachment, so that the client install can apply it:
GET https://pbuild:24351/REST/register/file?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&fname=%2fetc%2fpb%2esettings&index=0
RESPONSE
File attachment or {"status": 8110}
Retrieve list of client registration profiles
Retrieve a list of client profiles that match the given profile wildcard:
GET https://pbuild:24351/REST/register/profiles?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&profile=prof%2A
RESPONSE {"status": 0, "profiles": [{"type": "settings", "fname": "/etc/pb.settings"}, {"sname": "networkencryption", "type": "save"}, {"sname": "restkeyencryption", "type": "save"}, {"sname": "sslservercertfile", "type": "save"}]}
Delete client registration profile
Delete the named client profile:
DELETE https://pbuild:24351/REST/register?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&profile=profile1
RESPONSE { "status" : 0 }
Solr
Note
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
Solr get
Retrieves Solr search results based on the supplied criteria.
GET https://pbuild:24351/REST/Solr?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&query=*%3A*
RESPONSE {"status":0,"iologs":[{"runuser":"root","endtime":"2013-12-05T15:20:18Z","id":"c0a8108a52a099b0586F","_version_":1453595633085579264,"starttime":"2013-12-05T15:20:16Z","replay_link":"http://pbuild:25348/iolog?file=/tmp/iolog.root.NMNzvX&foreground=White&background=Black&pause=1000&inputhistory=5&fontsize=10&submitButton=View+I/O+Log","runcommand":"bash","name":"/tmp/iolog.root.NMNzvX","runhost":"pbuild","user":"root","runargv":"bash"},{"runuser":"root","endtime":"2013-12-05T14:52:13Z","id":"c0a8108a52a0931d5541","_version_":1453669846119088128,"starttime":"2013-12-05T14:52:13Z","replay_link":"http://pbuild:25348/iolog?file=/tmp/iolog.root.jVruz1&foreground=White&background=Black&pause=1000&inputhistory=5&fontsize=10&submitButton=View+I/O+Log","runcommand":"bash","name":"/tmp/iolog.root.jVruz1","runhost":"pbuild","user":"root","runargv":"bash"},{"runuser":"root","endtime":"2013-12-05T14:53:02Z","id":"c0a8108a52a0934a558B","_version_":1453669852501770240,"starttime":"2013-12-05T14:52:58Z","replay_link":"http://pbuild:25348/iolog?file=/tmp/iolog.root.ckYxun&foreground=White&background=Black&pause=1000&inputhistory=5&fontsize=10&submitButton=View+I/O+Log","runcommand":"bash","name":"/tmp/iolog.root.ckYxun","runhost":"pbuild","user":"root","runargv":"bash
Elasticsearch Logstash API calls
The EPM-UL REST API includes commands to manage credentials for Elasticsearch and Logstash implementations.
Similar commands are also available with the pbdbutil CLI tool.
elkcred
Retrieves a single credential. Retrieve the credential associated with the passed ID. The password is not displayed.
GET
pbrestcall -X GET https://host:24351/REST/elkcred/id
PUT
Add or update a single credential. The JSON object passed in the -d argument must include, as a minimum, the ID and type fields; the other fields depend on the credential type. The response indicates success or failure.
pbrestcall -X PUT … https://host:24351/REST/elkcred -d '{..}'
DELETE
Remove a single credential:
pbrestcall -X DELETE … https://host:24351/REST/elkcred/id
The response indicates success or failure.
elkcreds
GET
Retrieve all credentials:
pbrestcall -X GET … https://host:24351/REST/elkcreds
The response lists all credentials, including their ID values. The passwords are not displayed.
elkcredtest
GET
Test the connectivity of a credential that exists in the credential store:
pbrestcall -X GET … https://host:24351/REST/elkcredtest/id
Tests the credential set in the URL (as ID) against all URLs configured in the elkinstances value in /etc/pb.settings. Other settings in that file (other than elkcredential) are applied as well.
Results are reported as an array of findings, one per URL in elkinstances. Because authenticating by token or API key can generate two HTTP requests, a test performed against a credential of one of these types probes two distinct URLs, as shown in the results given below:
[user@host]$ pbrestcall -l -X GET -a <app> -k <key> \
https://localhost:24351/REST/elkcredtest/elastic_token
{
"results": [
{
"token-request": {
"url": "https://elkhost:9200/_security/oauth2/token",
"curlcode": "0 (No error)",
"httpcode": "200 (OK)"
},
"test-request": {
"url": "https://elkhost:9200/?pretty",
"curlcode": "0 (No error)",
"httpcode": "200 (OK)"
}
}
]
}
In this case, the token-request object reports the attempt to acquire the token, and the test-request object reports the use of that token to authenticate against the URL shown in test-request. A failure in token-request means the credential was never actually exercised against the instance, so both objects must be checked.
Note
Tests of token and apikey credentials against Logstash instances will fail.
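A practitioner scripting these tests wants a pass/fail verdict per instance rather than a wall of JSON. The checker below is an added example, not part of EPM-UL or pbrestcall: it consumes the documented elkcredtest response shape (a results array whose entries carry a test-request and, for token and apikey credentials, a preceding token-request) and flags the first failing stage for each URL. The three sample responses embedded in it are constructed for illustration; the Logstash and unreachable-host cases are assumed shapes of a failing test, since the page shows only a successful one.

```python
"""Evaluate a GET /REST/elkcredtest/<id> response per elkinstances URL.

Added example (not EPM-UL code). Usage from a shell:
    pbrestcall -l -X GET -a <app> -k <key> \
        https://localhost:24351/REST/elkcredtest/<id> | python3 elkcredcheck.py
"""
from __future__ import annotations

import json
import sys

# Stages in the order the server performs them. token-request exists only for
# token/apikey credentials; a basic credential has just test-request.
STAGES = ("token-request", "test-request")


def _leading_int(field: str) -> int:
    """'200 (OK)' -> 200, '0 (No error)' -> 0 (ValueError on garbage)."""
    return int(field.split(None, 1)[0])


def stage_ok(req: dict) -> bool:
    """A stage passes only if libcurl reported no error and HTTP was 2xx."""
    try:
        return _leading_int(req["curlcode"]) == 0 and 200 <= _leading_int(req["httpcode"]) < 300
    except (KeyError, ValueError):
        return False


def evaluate(response_json: str) -> list[dict]:
    """One finding per results entry: url, ok flag, and the stage that failed."""
    findings = []
    for entry in json.loads(response_json).get("results", []):
        test_req = entry.get("test-request") or {}
        token_req = entry.get("token-request") or {}
        finding = {
            # test-request URL identifies the instance; fall back to token URL.
            "url": test_req.get("url") or token_req.get("url"),
            "ok": True,
            "failed_stage": None,
        }
        for stage in STAGES:
            req = entry.get(stage)
            if req is None:
                continue
            if not stage_ok(req):
                finding["ok"] = False
                finding["failed_stage"] = stage
                break  # a failed token exchange makes test-request meaningless
        findings.append(finding)
    return findings


def all_ok(response_json: str) -> bool:
    """True only if every instance passed and at least one was tested."""
    findings = evaluate(response_json)
    return bool(findings) and all(f["ok"] for f in findings)


# Constructed sample 1: the successful token test shown in the documentation.
SAMPLE_TOKEN_OK = json.dumps({"results": [{
    "token-request": {"url": "https://elkhost:9200/_security/oauth2/token",
                      "curlcode": "0 (No error)", "httpcode": "200 (OK)"},
    "test-request": {"url": "https://elkhost:9200/?pretty",
                     "curlcode": "0 (No error)", "httpcode": "200 (OK)"},
}]})

# Constructed sample 2 (assumed shape): a token credential tested against a
# Logstash instance, which has no token endpoint, so token-request fails.
SAMPLE_LOGSTASH_TOKEN = json.dumps({"results": [{
    "token-request": {"url": "https://logstash:9600/_security/oauth2/token",
                      "curlcode": "0 (No error)", "httpcode": "404 (Not Found)"},
    "test-request": {"url": "https://logstash:9600/?pretty",
                     "curlcode": "0 (No error)", "httpcode": "401 (Unauthorized)"},
}]})

# Constructed sample 3 (assumed shape): a basic credential, host unreachable;
# curl code 7 is libcurl's "Couldn't connect to server".
SAMPLE_BASIC_UNREACHABLE = json.dumps({"results": [{
    "test-request": {"url": "https://elkhost2:9200/?pretty",
                     "curlcode": "7 (Couldn't connect to server)", "httpcode": "0"},
}]})


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TOKEN_OK
    for f in evaluate(data):
        status = "OK  " if f["ok"] else f"FAIL({f['failed_stage']})"
        print(f"{status} {f['url']}")
    sys.exit(0 if all_ok(data) else 1)
```

The exit status makes the check usable as a gate in a deployment script: a non-zero exit means at least one elkinstances URL did not accept the credential, and the printed stage tells you whether the token exchange or the authenticated request was the problem.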
POST
This can be used to test a credential that might not yet be in the credential store:
pbrestcall -X POST … https://host:24351/REST/elkcredtest -d '{ .. }'
The supplied POST data must be in the same format as specified for the three authentication types documented earlier. Using those data formats, a credential is tested against the URLs in the elkinstances value in /etc/pb.settings, and the test applies all other ELK-related settings from that file.
To test a credential completely independently of /etc/pb.settings, add an elkinstances element to the POST data:
{ .., "elkinstances": "elasticsearch=https://elkhost:9200" }
Java Implementation
Full Java example sources are provided to allow developers to quickly interface with the Endpoint Privilege Management for Unix and Linux REST API. The sources are developed with JDK 7 and Eclipse and an example project is provided in the examples/java/PBULAPI directory (use import project from the Eclipse menu). We recommend JUnit 4 be installed and configured to run the provided test suite.
- org/json/* contains the www.json.org simple java JSON implementation, and is included verbatim.
- com/beyondtrust/pbul/* contains all of the example code to call the REST API, including:
- PBULException: An exception used throughout the whole package.
- PBULsession: Keeps the session information needed to call the REST API, including the host URI, application ID, and key. It is used by the objects below to set up and issue REST calls.
- PBULutil: Provides miscellaneous methods required by the implementation.
- PBULtype, PBULarray and PBULobject: Types defined to provide the data types required to access the settings file.
- PBULevents: Provides access to the event logs.
- PBULiologs: Provides access to I/O logs, including listing, searching, and retrieving.
- PBULkey: Provides access to retrieve and create pb.key files.
- PBULlicense: Provides details of the licensing on the host.
- PBULpolicy: Provides two main methods to access the policy files, whether they are normal pb scripts, or CSV format.
- PBULSolr: Provides a front-end to the SOLR option provided in Endpoint Privilege Management for Unix and Linux 8.
- The test folder provides a complete test suite containing test cases that call each of the provided methods and can also be used as examples.