System variables
System variables contain information that pertains to all EPM task requests.
date
Data type
String, read-only
Description
The date variable contains the current date, taken from the policy server host, in YYYY/MM/DD format.
Valid values
A string that contains a date, in YYYY/MM/DD format, from the policy server host.
day
Data type
Integer, read-only
Description
The day variable contains the current day of the month, taken from the policy server host, in DD format.
Valid values
An integer that contains a value from 1 - 31 (inclusive) from the policy server host. This is a read-only variable and therefore has no default value.
dayname
Data type
String, read-only
Description
The dayname variable contains the current day of the week, as a three-character abbreviation, taken from the policy server host.
Valid values
A character string from the policy server host that contains one of the following values: Mon, Tue, Wed, Thu, Fri, Sat, or Sun.
false
Data type
Boolean, read-only
Description
The false variable is a read-only variable with a predefined value of 0.
Many program statements rely upon conditional tests to determine what program statement should be executed next. The if statement is an example of this. Conditional tests evaluate to either a true value or a false value.
In the Security Policy Scripting Language, a true value is represented by any positive, non-zero integer, but is usually represented by the integer value 1. A 0 represents false.
Because true and false values are used so frequently within security policy files, the variable true may be used in place of a numeric value 1 and the variable false may be used in place of a 0 value when evaluating a conditional expression or initializing a variable.
Valid values
0. Constant, cannot be changed.
For more information, see true.
hour
Data type
Integer, read-only
Description
The hour variable contains the current hour, taken from the policy server host, in HH format.
Valid values
An integer ranging from 0 to 23 (inclusive) from the policy server host.
i18n_date
Data type
UTF-8 encoded string, read-only
Description
The i18n_date variable contains the current date, taken from the policy server host. It is formatted according to the operating system’s locale settings.
Valid values
A UTF-8 encoded string that contains a date.
i18n_day
Data type
UTF-8 encoded string, read-only
Description
The i18n_day variable contains the current day of the month, taken from the policy server host. It is formatted according to the operating system’s locale settings.
Valid values
A UTF-8 encoded string that contains a day value.
i18n_dayname
Data type
UTF-8 encoded string, read-only
Description
The i18n_dayname variable contains the current day of the week, taken from the policy server host. It is formatted according to the operating system’s locale settings.
Valid values
A UTF-8 encoded string that contains a value for the day of the week.
i18n_hour
Data type
UTF-8 encoded string, read-only
Description
The i18n_hour variable contains the current hour, taken from the policy server host. It is formatted according to the operating system’s locale settings.
Valid values
A UTF-8 encoded string that contains an hour value.
i18n_minute
Data type
UTF-8 encoded string, read-only
Description
The i18n_minute variable contains the minute portion of the current time, taken from the policy server host. It is formatted according to the operating system’s locale settings. The month, day, date, and year variables can be used together to determine the current date, per the policy server host. The hour and minute variables can be used together to determine the current time, per the policy server host.
Valid values
A UTF-8 encoded string that contains a minute value.
i18n_month
Data type
UTF-8 encoded string, read-only
Description
The i18n_month variable contains the current month, taken from the policy server host. It is formatted according to the operating system’s locale settings. The month, day, date, and year variables can be used together to determine the current date per the policy server host. The hour and minute variables can be used together to determine the current time per the policy server host.
Valid values
A UTF-8 encoded string that contains the month value.
i18n_time
Data type
UTF-8 encoded string, read-only
Description
The i18n_time variable contains the current time, taken from the policy server host. It is formatted according to the operating system’s locale settings.
Valid values
A UTF-8 encoded string that contains the current time.
i18n_year
Data type
UTF-8 encoded string, read-only
Description
The i18n_year variable contains the current year, taken from the policy server host. It is formatted according to the operating system’s locale settings.
Valid values
A UTF-8 encoded string that contains a year value.
lineinfile
Data type
String, read-only
Description
The lineinfile variable contains the file name of the security policy file that triggers the accept or reject condition for the current task request. Note that only the file name, rather than the entire path specification, is contained in this variable.
Valid values
A character string that contains the name of the security policy file in which an accept or reject event was triggered for the current task request.
This variable appears only in the event log.
linenum
Data type
Integer, read-only
Description
The linenum variable identifies the specific line number, within a security policy file, that triggers the accept or reject event for the current task request. This number is a line number within the security policy file identified by lineinfile.
Valid values
A positive integer. This variable appears only in the event log.
lognoreconnect
Data type
Boolean, modifiable
Description
The lognoreconnect variable controls how Endpoint Privilege Management for Unix and Linux optimizes network traffic between pblogd and pblocald, and pblocald and pbrun. This optimization involves reconnecting pblocald directly to pblogd and pbrun, thus bypassing pbmasterd for log-related I/O streams.
When set to true, all pblocald to pblogd communications are routed through pbmasterd, as are pbrun to pblocald communications.
In Optimized Run Mode, this has no effect.
Syntax
lognoreconnect = boolean;
Valid values
true | Disable optimization. |
false | Enable optimization. This value is the default. |
Example
lognoreconnect = false;
For more information, see noreconnect.
masterhost
Data type
String, read-only
Description
The masterhost variable contains the fully qualified name of the policy server host machine (that is, the machine that is running pbmasterd).
Valid values
A string that contains the fully qualified name of the policy server host.
For more information, see host, submithost, and submithostip.
minute
Data type
Integer, read-only
Description
The minute variable contains the minute portion of the current time, taken from the policy server host, in MM format. The month, day, date, and year variables can be used together to determine the current date, per the policy server host. The hour and minute variables can be used together to determine the current time, per the policy server host.
Valid values
An integer that ranges from 0 - 59 inclusive.
month
Data type
Integer, read-only
Description
The month variable contains the current month, taken from the policy server host, in MM format. The month, day, date, and year variables can be used together to determine the current date per the policy server host. The hour and minute variables can be used together to determine the current time per the policy server host.
Valid values
An integer ranging from 1 - 12, inclusive.
noreconnect
Data type
Boolean, modifiable
Description
The noreconnect variable controls how EPM optimizes network traffic between pbrun and pblocald. This optimization involves reconnecting pbrun directly to pblocald, thus bypassing pbmasterd for I/O stream processing.
Syntax
noreconnect = boolean;
Valid values
true | Disable optimization. |
false | Enable optimization. This value is the default. |
Example
noreconnect = true;
For more information, see lognoreconnect.
optimizedrunmode
Run version
runoptimizedrunmode
Note
This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.
Data type
Boolean. optimizedrunmode is read-only. runoptimizedrunmode is modifiable.
Description
optimizedrunmode indicates whether the task can be executed using Endpoint Privilege Management for Unix and Linux's optimized run mode feature. A value of true indicates that optimized run mode has not been disabled for this task by command line switch or Endpoint Privilege Management for Unix and Linux settings.
Setting runoptimizedrunmode to false can be used to prevent a task from being executed using Endpoint Privilege Management for Unix and Linux's optimized run mode feature.
Note
If optimized run mode is disabled in the policy server host’s settings file, the submit host’s settings file, or by a command line option on either pbrun or pbmasterd, then setting runoptimizedrunmode to true has no effect.
Syntax
runoptimizedrunmode = Boolean;
Valid values
true | Non-zero. Enable optimized run mode. |
false | Zero. Disable optimized run mode. |
Example
runoptimizedrunmode = false;
For information about optimized run mode and related settings, see the Endpoint Privilege Management for Unix and Linux User Guide.
outputredirect
Data type
String, modifiable
Description
The outputredirect variable determines whether Endpoint Privilege Management for Unix and Linux prompt output is written to the standard error stream (stderr) or to the standard output stream (stdout). The main use for this feature is to allow prompts to appear on the user’s monitor even if it is running in a pipeline. When run in a pipeline, prompts normally go to that pipeline. By setting outputredirect, you can force the output to the monitor.
Syntax
outputredirect = string;
Valid values
stderr | Write EPM-UL prompt output to the standard error file. |
stdout | Write EPM-UL prompt output to the standard output file. |
The default value is empty.
Example
outputredirect = "stderr";
For more information, see iolog, logstderr, logstderrlimit, logstdin, logstdout, and logstdoutlimit.
pbclientcertificateissuer
Data type
String, read-only
Description
The pbclientcertificateissuer variable contains the certificate issuer line from the client program (pbrun). This variable is available only while the policy is running.
Valid values
A string that contains the certificate issuer line from the client program.
For more information, see pblocaldcertificateissuer, pblogdcertificateissuer, pbmasterdcertificateissuer, and pbclientcertificatesubject.
pbclientcertificatesubject
Data type
String, read-only
Description
pbclientcertificatesubject contains the certificate subject line from the client program (pbrun). This variable is available only when the policy is running.
Valid values
A string that contains the certificate subject line from the client program.
For more information, see pblocaldcertificatesubject, pblogdcertificatesubject, and pbmasterdcertificatesubject.
pbclientkerberosuser
Data type
String, read-only
Description
pbclientkerberosuser contains the name of the client (pbrun) user’s principal when Kerberos is used.
Valid values
A string that contains the name of the client user’s principal.
pbclientmode
Data type
String, read-only
Description
pbclientmode identifies the mode in which a request was invoked. It is set as shown in the following table.
How Invoked | pbclientmode Value |
---|---|
pbrun | run |
pbssh | pbssh |
pbksh or pbsh startup | shell start |
Shell built-in from pbksh or pbsh | shell builtin |
Command from shell command line or argument | shell command |
Redirection in a shell command (<, >, or >>) | shell redirect |
Valid values
A string as described above.
Example
if (pbclientmode == "shell start") shellcheckbuiltins = true;
else if (pbclientmode == "shell redirect" && argv[1] == "/dev/null")
    reject;
For more information, see shellallowedcommands, shellcheckbuiltins, shellcheckredirections, shellforbiddencommands, shellreadonly, and shelllogincludefiles.
pbclientname
Data type
String, read-only
Description
The pbclientname variable contains the name of the Endpoint Privilege Management for Unix and Linux component from which the current task request originated.
Valid values
pbrun | The current task request originated from pbrun. |
pbsh | The current task request originated from the pbsh EPM-UL shell. |
pbksh | The current task request originated from the pbksh EPM-UL shell. |
pblogdreconnection
Data type
Boolean, modifiable
Description
This variable affects the formation of the reconnection between pblogd and pblocald.
- If the value is missing or false, then pblogd listens for connections that are initiated by pblocald under the control of pbmasterd.
- If pblogdreconnection is set to true, then pblocald listens for connections that are initiated by pblogd under the control of pbmasterd.
There is no read-only version of this variable.
Syntax
pblogdreconnection = boolean;
Valid values
true | pblocald listens for connections that are initiated by pblogd under the control of pbmasterd. |
false | pblogd listens for connections that are initiated by pblocald under the control of pbmasterd. This value is the default. |
Example
pblogdreconnection = true;
For more information, see pbrunreconnection, runeffectivegroup, and runeffectiveuser.
pbrunreconnection
Data type
Boolean, modifiable
Description
This variable affects the formation of the reconnection between pbrun and pblocald.
- If the value is missing or false, then pbrun listens for connections that are initiated by pblocald under the control of pbmasterd.
- If pbrunreconnection is set to true, pblocald listens for connections that are initiated by pbrun under the control of pbmasterd.
There is no read-only version of this variable.
Syntax
pbrunreconnection = boolean;
Valid values
true | pblocald listens for connections that are initiated by pbrun under the control of pbmasterd. |
false | pbrun listens for connections that are initiated by pblocald under the control of pbmasterd. This value is the default. |
Example
pbrunreconnection = true;
For more information, see pblogdreconnection, runeffectivegroup, and runeffectiveuser.
pbversion
Data type
String, read-only
Description
The pbversion variable contains the version number of Endpoint Privilege Management for Unix and Linux that is being run.
Valid values
A string that contains the Endpoint Privilege Management for Unix and Linux version number.
pid
Data type
Integer, read-only
Description
The pid variable contains the Unix or Linux process ID number for pbmasterd on the policy server host.
Valid values
An integer that represents the pbmasterd process ID.
For more information, see masterhost.
ptyflags
Data type
Internal, read-only
Description
Reserved for internal use.
status
Data type
Integer, read-only
Description
The status variable contains the return code from the last system() command that was run by the policy.
Valid values
An integer that contains the return code from a call to the system() function. The value before the first system() call is undefined.
submittimeout
Data type
Integer
Description
This variable specifies the idle time, in seconds, that is allotted to the submitting user before the submit host terminates the current request.
Note
The submittimeout variable is not honored in local mode.
Syntax
submittimeout = number;
Valid values
positive integer | Enables idle checking; specifies the idle time in seconds. |
0 or negative integer | Disables idle checking. This value is the default. |
Example
Here the submitting user is allotted 300 seconds before the request is terminated.
submittimeout = 300;
For more information, see runtimeout.
subprocuser
Data type
String, modifiable
Description
The subprocuser variable contains the user name under which all policy server host (that is, pbmasterd) subprocesses run (for example, commands that are run using the system() function). By default, all policy server host subprocesses run as root.
Syntax
subprocuser = string;
Valid values
A string that specifies a user name. The default value is root.
Example
subprocuser = "user";
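The following policy fragment is an added example, not taken from the product documentation. It combines several variables from this page: a weekday time window built from dayname and hour, a system() check that runs under a non-root subprocuser with its result read from status, and a per-request I/O log name built from uniqueid. The account name pbcheck, the helper path, and the log path are hypothetical.

```policy
/* Added example (constructed). The pbcheck account, the helper
   program and the log path are hypothetical and must exist on the
   policy server host before a fragment like this is used. */

/* 1. Time window. dayname and hour come from the policy server
      host's clock, not from the submit host. */
if (dayname == "Sat" || dayname == "Sun")
    reject;
if (hour < 8 || hour >= 18)
    reject;

/* 2. Subprocesses started by system() run as root by default.
      Set subprocuser before the call so the helper runs under an
      unprivileged account. The command string is fixed and contains
      no request-supplied values. */
subprocuser = "pbcheck";
system("/usr/local/bin/change_window_open");

/* status holds the return code of the last system() call and is
   undefined before the first one, so test it only after the call. */
if (status != 0)
    reject;

/* 3. Per-request I/O log name and an idle limit for the
      submitting user (not honored in local mode). */
iolog = "/var/log/pb/iolog." + uniqueid;
submittimeout = 300;

accept;
```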
time
Data type
String, read-only
Description
The time variable contains the current time, taken from the policy server host in HH:MM:SS format (for example, 08:24:52).
Valid values
A string containing the current time in HH:MM:SS format.
true
Data type
Boolean, read-only
Description
The true variable is a read-only variable with a predefined value of 1.
Many program statements rely upon conditional tests to determine what program statement should be executed next. The if statement is an example of this. Conditional tests generally evaluate to either a true or false value. In the Security Policy Scripting Language, any positive, non-zero integer can represent a true value, but 1 is normally used. A 0 represents a false value.
Because true and false values are frequently used when creating security policy files, the variable true may be used in place of a numeric value 1 and the variable false may be used in place of a 0 value when evaluating a conditional expression or initializing a variable.
Valid values
1. Constant, cannot be changed.
For more information, see false.
uniqueid
Data type
String, read-only
Description
The uniqueid variable contains a 12-character or longer string that is guaranteed to be unique across the entire Endpoint Privilege Management for Unix and Linux system (policy server host, submit host, run host and log host). This value is used to guarantee a unique identification in the event log files and can be used to generate unique file names.
Valid values
A 12-character or longer string value that is unique across the entire EPM-UL system.
Example
iolog = "/usr/adm/pblog" + uniqueid;
For more information, see masterhost.
year
Data type
Integer, read-only
Description
The year variable contains the current year, taken from the policy server host, in YYYY format.
Valid values
An integer that contains a year in YYYY format.