
Endpoint Privilege Management for

Unix and Linux 23.1.2


Policy Language Guide

©2003-2024 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or
depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority. TC: 8/28/2024
ENDPOINT PRIVILEGE MANAGEMENT FOR UNIX AND LINUX 23.1.2
POLICY LANGUAGE GUIDE

Table of Contents
Endpoint Privilege Management for Unix and Linux policy language 20
Sample policy files 20
Endpoint Privilege Management for Unix and Linux overview 21

Components 21
Task processing 22
Create policy files 24
Default policy 25
Role-Based Policy database schema 27
User groups 28
Host groups 29
Command groups 30
Time/date groups 31
Roles 33
Role "Auth" attribute 35
Role Based Policy, change management events 38
Role-Based Policy Entitlement reports 40
Policy file format 52
Variable scope 53
Syntax checking 54

Environment variable processing considerations 55


Security Policy Scripting Language definition 56
Variables and data types 56
Variables 56
Variable scope 56
Variable data types 57
Constants 60
Operators 61
Arithmetic operators 63
Logical operators 69
Relational operators 71
Special operators 74

SALES: www.beyondtrust.com/contact SUPPORT: www.beyondtrust.com/support DOCUMENTATION: www.beyondtrust.com/docs 2



Expressions 78
Program statements 79
accept statement 81
Assignment statement 83
break statement 85
continue statement 86

do-while statement 87
for statement 88
C-style for statement 90
for-in statement 91
if statement 92
include statement 93
readonly statement 95
reject statement 96
switch statement 99
while statement 101
Non-executable program statements 102
Functions and procedures 103
Other programming considerations 105
Format commands 106
Regular expression patterns 110
Wildcard search characters 112

Special characters 113


Endpoint Privilege Management for Unix and Linux variables 114
Task information variables 115
argc 121
Data type 122
argv 123
Run version 124
bkgd 125
Run version 126
clienthost 127
command 128


cwd 130
Run version 131
env 132
Run version 133
execute_via_su 134
Data type 135

group 137
Run version 138
groups 140
Run version 141
host 143
Run version 144
localmode 146
logaccept_utc 148
logcksum 149
logfinish_utc 151
logkeystroke_utc 152
logpid 153
Data type 154
logreject_utc 155
logserver_utcoffset 156
logservers 158

Data type 159


master_utcoffset 160
mastertimelimit 162
mastertimeout 163
nice 164
noexec 165
Data type 166
optimizedrunmode 167
pblocaldnoglob 169
Data type 170
pbrisklevel 171


Data type 172


pidmessage 173
Data type 174
requestuser 175
rlimit_as 176
rlimit_core 178

rlimit_cpu 180
rlimit_data 182
rlimit_fsize 184
rlimit_locks 186
rlimit_memlock 188
rlimit_nofile 190
rlimit_nproc 192
rlimit_rss 194
rlimit_stack 196
runfinish_utc 198
runstart_utc 199
false 200
Data type 201
hour 202
Data type 203
i18n_date 204

Data type 205


i18n_day 206
Data type 207
i18n_dayname 208
Data type 209
i18n_hour 210
Data type 211
i18n_minute 212
Data type 213
i18n_month 214
Data type 215


selinux 216
runchroot 217
Data type 218
runcksum 220
Data type 221
runcksumlist 222

Data type 223


runconfirmmessage 224
Data type 225
runconfirmpasswdservice 226
Data type 227
runconfirmuser 228
Data type 229
runeffectivegroup 230
Data type 231
runeffectiveuser 232
Data type 233
runenablerlimits 234
runmd5sum 236
Data type 237
runmd5sumlist 238
Data type 239

runenvironmentfile 240
runpamsessionservice 241
Data type 242
runpamsetcred 243
Data type 244
runpid 245
Data type 246
runptyflags 247
runsecurecommand 248
runtimelimit 249
runtimeout 251


Data type 252


runutmpuser 253
Data type 254
shellallowedcommands 255
shellcheckbuiltins 256
shellcheckredirections 257

shellforbiddencommands 258
shelllogincludefiles 259
shellreadonly 260
shellrestricted 261
solarisproject 263
submithost 265
Data type 266
submithostip 267
Data type 268
submitpid 269
Data type 270
taskpid 271
Data type 272
taskttyname 273
Data type 274
timezone 275

Data type 276


ttyname 277
Data type 278
umask 279
user 280
Run version 281
Command line parsing variables 282
optarg 283
opterr 284
optind 285
optopt 286


optreset 287
optstrictparameters 288
Logging variables 289
event 290
Data type 291
eventlog 292

Data type 293


exitdate 294
Data type 295
exitstatus 296
Data type 297
exittime 298
Data type 299
forbidkeyaction 300
Data type 301
forbidkeypatterns 302
Data type 303
i18n_exitdate 304
Data type 305
i18n_exittime 306
Data type 307
iolog 308

Data type 309


logmaximumfailures 310
Data type 311
lognopassword 312
Data type 313
logomit 314
Data type 315
logstderr 316
Data type 317
logstderrlimit 318
Data type 319


logstdin 320
Data type 321
logstdinlimit 322
Data type 323
logstdout 324
Data type 325

logstdoutlimit 326
Data type 327
passwordloggingprompts 328
System variables 330
date 332
Data type 333
day 334
Data type 335
dayname 336
Data type 337
false 338
Data type 339
hour 340
Data type 341
i18n_date 342
Data type 343

i18n_day 344
Data type 345
i18n_dayname 346
Data type 347
i18n_hour 348
Data type 349
i18n_minute 350
Data type 351
i18n_month 352
Data type 353
i18n_time 354


Data type 355


i18n_year 356
Data type 357
lineinfile 358
Data type 359
linenum 360

Data type 361


lognoreconnect 362
Data type 363
masterhost 364
Data type 365
minute 366
Data type 367
month 368
Data type 369
noreconnect 370
Data type 371
outputredirect 372
Data type 373
pbclientcertificateissuer 374
Data type 375
pbclientcertificatesubject 376

Data type 377


pbclientkerberosuser 378
Data type 379
pbclientmode 380
pbclientname 382
Data type 383
pblogdreconnection 384
Data type 385
pbrunreconnection 386
Data type 387
pbversion 388


Data type 389


pid 390
Data type 391
ptyflags 392
Data type 393
status 394

Data type 395


submittimeout 396
Data type 397
subprocuser 398
Data type 399
time 400
Data type 401
true 402
Data type 403
uniqueid 404
Data type 405
year 406
Data type 407
Host identification variables 408
masterlocale 411
runlocale 412

submitlocale 413
pbguidmachine 414
pbguidnodename 415
pbguidrelease 416
pbguidsysname 417
pbguidversion 418
pbkshmachine 419
pbkshnodename 420
pbkshrelease 421
pbkshsysname 422
pbkshversion 423


pblocaldcertificateissuer 424
Data type 425
pblocaldcertificatesubject 426
Data type 427
pblocaldmachine 428
Data type 429

pblocaldnodename 430
Data type 431
pblocaldrelease 432
Data type 433
pblocaldsysname 434
Data type 435
pblocaldversion 436
Data type 437
pblogdcertificateissuer 438
Data type 439
pblogdcertificatesubject 440
Data type 441
pblogdmachine 442
Data type 443
pblogdnodename 444
Data type 445

pblogdrelease 446
Data type 447
pblogdsysname 448
Data type 449
pblogdversion 450
Data type 451
pbmasterdcertificateissuer 452
Data type 453
pbmasterdcertificatesubject 454
Data type 455
pbmasterdmachine 456


Data type 457


pbmasterdnodename 458
Data type 459
pbmasterdrelease 460
Data type 461
pbmasterdsysname 462

Data type 463


pbmasterdversion 464
Data type 465
pbrunmachine 466
Data type 467
pbrunnodename 468
Data type 469
pbrunrelease 470
Data type 471
pbrunsysname 472
Data type 473
pbrunversion 474
Data type 475
pbshmachine 476
pbshnodename 477
pbshrelease 478

pbshsysname 479
pbshversion 480
X11 session capture variables 481
Built-in functions and procedures 484
Advanced control and audit 485
Important considerations 486
aca 488
enablesessionhistory 492
Date and time functions 494
datecmp 495
Description 496


strftime 497
Description 498
timebetween 499
Description 500
File and path functions 501
access 502

basename 503
Description 504
dirname 505
Description 506
logmktemp 507
mktemp 508
stat 510
Format and conversion functions 512
atoi 513
Description 514
sprintf 515
Description 516
Input/output functions and procedures 517
fprintf 518
input 519
Description 520

inputnoecho 521
Description 522
print 523
Description 524
printf 526
Description 527
printnnl 528
Description 529
printvars 530
Description 531
readfile 532


syslog 533
LDAP functions 535
ldap_attributes 537
ldap_bind 538
ldap_dn2ufn 539
ldap_entry_count 540

ldap_explodedn 541
ldap_firstentry 543
ldap_getdn 544
ldap_getvalues 545
ldap_init 546
ldap_nextentry 547
ldap_open 548
ldap_search 549
ldap_unbind 551
List functions 552
append 553
Description 554
insert 556
Description 557
join 558
Description 559

length 560
Description 561
range 562
Description 563
replace 564
Description 565
search 567
Description 568
split 569
Description 570
Miscellaneous functions and procedures 572


egrep 573
fgrep 574
glob 575
Description 576
grep 577
iologcloseaction 578

iologcloseactionrunhost 580
Description 581
ipaddress 583
isset 584
Description 585
policytimeout 586
Description 587
quote 589
Description 590
remotesystem 591
runtimewarn 593
Description 594
runtimewarnlog 595
Description 596
system 597
unset 599

Description 600
NIS functions 601
innetgroup 602
inusernetgroup 603
Policy environment functions and procedures 604
getlistsetting 605
Description 606
getnumericsetting 607
Description 608
getstringsetting 609
Description 610


getyesnosetting 611
Description 612
policygetenv 613
policysetenv 614
policyunsetenv 615
String functions 616

charlen 617
Description 618
gsub 619
Description 620
length 621
Description 622
pad 623
Description 624
sub 625
Description 626
substr 627
Description 628
tolower 629
Description 630
toupper 631
Description 632

Task control procedures 633


setkeystrokeaction 634
Description 635
Task environment functions and procedures 637
keystrokeactionprofile 638
Description 639
getenv 640
Description 641
keepenv 642
Description 643
setenv 644


Description 645
unsetenv 646
Description 647
Command line parsing functions 648
getopt 649
Description 650

getopt_long 652
Description 653
getopt_long_only 655
Description 656
User and password functions 658
getfullname 659
getgroup 660
getgrouppasswd 661
getgroups 662
gethome 663
getshell 664
getstringpasswd 665
getuid 666
getuserpasswd 667
ingroup 669
submitconfirmuser 670

PAM policy functions 672


submitconfirmuserpam 674
Persistent variable functions and procedures 676
listpersistentvars 677
Description 678
setpersistentvar 679
Description 680
getpersistentvarint 681
Description 682
getpersistentvarstring 683
Description 684


getpersistentvarlist 685
Description 686
delpersistentvar 687
Description 688
Glossary 689


Endpoint Privilege Management for Unix and Linux policy language

IMPORTANT!

This guide applies to both Endpoint Privilege Management for Unix and Linux (EPM-UL) and Endpoint Privilege Management for
Linux (EPM-L). Content that doesn't apply to EPM-L is noted as such.

This guide provides detailed information regarding the security policy file programming language for the BeyondTrust Endpoint Privilege
Management for Unix and Linux (EPM-UL) software. This language is used to create security policy files that EPM-UL uses to:

- Control the tasks a user or group of users may perform
- Control the systems from which a task may be submitted
- Control the systems on which a task may be run
- Determine when a specific task may be run (day and time)
- Determine where a task may be run from
- Determine whether secondary security checks, such as passwords or checksums, are required to run a task
- Determine whether one or more supplemental security programs are run before a task is started

Note: This guide assumes that you have a basic understanding of Unix or Linux system administration and some experience
with a scripting or other computer language. We recommend that you have experience in these areas before you attempt to
create or modify security policy files.

Note: Endpoint Privilege Management for Unix and Linux, or EPM-UL, refers to the product formerly known as PowerBroker
for Unix and Linux. Endpoint Privilege Management for Linux, or EPM-L, refers to the newer SaaS (cloud) product.

Note: Specific font and line spacing conventions are used to ensure readability and to highlight important information, such as
commands, syntax, and examples.

Sample policy files

When you receive the EPM-UL install media, there are sample EPM-UL policy files in the /examples folder. These sample policy files
include detailed explanations of what they do. You can use these files to learn how policy files are typically written for various scenarios. A
readme_samples text file in that directory includes a brief description of each sample file.


Endpoint Privilege Management for Unix and Linux overview

To write effective security policy files, it is helpful to understand how Endpoint Privilege Management for Unix and Linux works. A typical
configuration consists of the following primary components: pbrun, pbmasterd, pblocald, and pblogd. Each of these components is
described below. It is possible to install all of these components on a single machine or distribute them among different machines. For
optimal security, the Policy Server host and log hosts should be separate machines that are isolated from normal activity.

Components
As shown in the figure below, the machine from which a task is submitted is referred to as the submit host. The machine on which security
policy file processing takes place is referred to as the policy server host. The machine on which a task actually executes is referred to as
the run host. The machine on which event log records and I/O logs are written is referred to as the log host. (Although we highly
recommend the use of pblogd, it is an optional component.)

How Endpoint Privilege Management for Unix and Linux works


Task processing
There are two types of task requests:

- Secured tasks: requests that must undergo security validation processing before they can run. Endpoint Privilege Management for
  Unix and Linux must process these tasks.
- Unsecured tasks: requests that undergo no security validation processing. These tasks do not represent a potential threat to the
  system and so do not fall under a company's security policy implementation. The operating system handles unsecured tasks;
  Endpoint Privilege Management for Unix and Linux is not involved in processing them.

Secured task submission to SSH-managed devices - pbssh

Secured tasks can also be submitted through pbssh. pbssh is the Endpoint Privilege Management component used to access SSH-
managed devices where Endpoint Privilege Management is not installed (routers, firewalls, Windows devices, or Unix/Linux devices
where Endpoint Privilege Management is not installed). pbssh connects to the target device using the SSH configuration.

Task submission - pbrun

All secured tasks must be submitted through pbrun, the Endpoint Privilege Management for Unix and Linux component that receives task
requests. A separate pbrun process starts for each submitted secured task request. A company's security policy implementation may be
compromised if the use of pbrun for secured tasks is not enforced, because a secured task that reaches the system by any other route
receives no security processing at all.

Note: pbrun must be installed on any machine from which a user can submit a secured task request.

Security policy file processing - pbmasterd

pbmasterd is responsible for applying the security rules as defined in the security policy files that make up a company’s network security
policy. In other words, pbmasterd performs security verification processing to determine if a request is accepted (that is, allowed to
execute) or rejected (that is, not allowed to execute), based on the logic in the security policy files. If a request is rejected, then the result is
logged and processing terminates. If a request is accepted, then it is immediately passed to pblocald for execution.
If the pblogd component (below) is not used, then pbmasterd waits for the pblocald process to complete. If pblogd is used, then
pbmasterd terminates after the request is passed to pblocald. A separate pbmasterd process starts for each secured task request that
is submitted.

Note: During security verification processing, the first "accept" or "reject" condition that is encountered causes security policy
file processing to terminate immediately. No further security verification processing is performed.

Task execution - pblocald

pblocald is normally responsible for executing task requests that have passed security verification processing and have been accepted
by pbmasterd on the run host (when the run host is a different host than the submit host). After a task request is accepted, it is
immediately passed from pbmasterd to pblocald. By default, pblocald executes the task request as the user that is specified in the
policy variable runuser. This is typically a privileged user such as root, a database administrator, or a web server administrator. All task
input and output information is piped back to pbrun.


In addition, pblocald logs pertinent task information to the Endpoint Privilege Management for Unix and Linux event log, and the run host
can also record task keystroke information to an Endpoint Privilege Management for Unix and Linux I/O log. In both cases the records are
sent through either pbmasterd or pblogd, depending on how Endpoint Privilege Management for Unix and Linux is deployed.

Task execution - pbrun

When the run host and submit host are on the same machine, pbrun can directly execute a secured task. This optimizes out the extra
network connections to pblocald.

Logging - pblogd
pblogd is responsible for writing event and I/O log records. pblogd is an optional Endpoint Privilege Management for Unix and Linux
component. If pblogd is not installed, then pbmasterd writes log records directly to the appropriate log files rather than passing them off
to pblogd.
In addition, without pblogd installed, pbmasterd must wait for the pblocald process to complete. If the pblogd component is used, then
pbmasterd normally terminates when task execution starts and pblocald sends its log records directly to pblogd.
Using pblogd optimizes Endpoint Privilege Management for Unix and Linux processing by:

- Centralizing the writing of log records in a single, dedicated component
- Eliminating the need for the pbmasterd process to wait for task execution to complete


Create policy files

A security policy file is a collection of instructions that define the system security rules that Endpoint Privilege Management for Unix and
Linux applies during task verification processing. These instructions are written in the Endpoint Privilege Management for Unix and Linux
Security Policy Scripting Language.
The default name of the primary Endpoint Privilege Management for Unix and Linux security policy file is pb.conf. This file is analogous to
the main() function in a C program. It is possible to add Security Policy Scripting Language statements directly to pb.conf or to use
security policy subfiles. Security policy subfiles are separate, individual security policy files invoked at runtime using the include
statement (using the syntax include "subfilename";).

Note: We strongly recommend that you use security policy subfiles.

Conceptually, the include statement can be thought of as a placeholder.

At run time, Endpoint Privilege Management for Unix and Linux replaces include statements with the actual contents of the specified
include file. This process occurs in computer memory and does not alter the physical files in any way.
The use of security policy subfiles enables you to organize a site’s security policy implementation in a modular fashion. Using this method,
each security policy subfile can focus on a specific area of security policy implementation. This compartmentalizes security policy
implementation, making it much easier to maintain and enhance over time.
A common way to organize security policy files is by type of user and system access requirements.
root should own the security policy files and their permissions should be set to 400 or 600. Place the files in the same directory (we
recommend /opt/pbul/policies) for convenience. The /opt/pbul/policies directory is the default location. A different directory can be
specified with the policydir setting in the pb.settings file. To ensure security policy file integrity, Endpoint Privilege Management for Unix
and Linux does not process a security policy file if users other than root have permissions that allow them to modify or delete the
file. In other words, only root should have read/write permissions for these files, and the directories in which these files are stored should
have permissions that prevent users other than root from reading, modifying, or deleting them.
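The following is an added example, not code from the BeyondTrust guide or product: a small audit of a policy directory against the ownership and permission rules just stated, the point being that a file anyone other than root could modify or delete is never processed. The directory path defaults to the guide's /opt/pbul/policies; pass the value of your policydir setting if it differs. The rule logic is kept in pure functions so it can be checked without creating root-owned files.

```python
"""Added example, not BeyondTrust code: audit a policy directory against the
ownership and permission rules the guide states.  Rule logic is kept in pure
functions (uid and mode in, problem strings out) so it can be tested without
root-owned files; audit_policy_dir() just feeds them os.stat() results."""
import os
import stat
import sys

ROOT_UID = 0
ALLOWED_FILE_MODES = {0o400, 0o600}   # the two modes the guide permits


def file_problems(path, uid, mode, owner_uid=ROOT_UID):
    """Violations for one policy file, given its st_uid and permission bits."""
    problems = []
    if uid != owner_uid:
        problems.append(f"{path}: owned by uid {uid}, expected {owner_uid}")
    if mode not in ALLOWED_FILE_MODES:
        problems.append(f"{path}: mode {mode:04o}, expected 0400 or 0600")
    return problems


def dir_problems(path, uid, mode, owner_uid=ROOT_UID):
    """The directory must not let group or other read, search or write it;
    write on the directory is what allows renaming or unlinking the files."""
    problems = []
    if uid != owner_uid:
        problems.append(f"{path}: owned by uid {uid}, expected {owner_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} grants group/other access")
    return problems


def audit_policy_dir(policydir="/opt/pbul/policies", owner_uid=ROOT_UID):
    """Return every violation under policydir (the guide's default location;
    use the policydir value from pb.settings if it was changed)."""
    st = os.stat(policydir)
    problems = dir_problems(policydir, st.st_uid, stat.S_IMODE(st.st_mode), owner_uid)
    for entry in sorted(os.listdir(policydir)):
        path = os.path.join(policydir, entry)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode):
            problems += file_problems(path, st.st_uid, stat.S_IMODE(st.st_mode), owner_uid)
    return problems


if __name__ == "__main__":
    found = audit_policy_dir(*sys.argv[1:2])
    print("\n".join(found) if found else "policy directory looks sane")
    sys.exit(1 if found else 0)
```

Run it as root (or any user, since it only reads metadata) with the policy directory as the optional argument; a non-zero exit means at least one file or the directory itself would fail the checks above.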


Security policy files are usually created with a standard text editor. They are saved as plain text files. By default, Endpoint Privilege
Management for Unix and Linux uses a .conf file name suffix for security policy files, but this is not a requirement.
When naming security policy files, any file suffix may be used, or the suffix may be omitted. Starting with v9.0, a Role Based Policy
mechanism allows administrators to maintain their policy in a database, with optional change management functionality.

Default policy
Starting with version 8.0, a default policy is installed if no policy already exists. The files pbul_policy.conf and pbul_functions.conf are
created in the /opt/pbul/policies directory (from v9.4.3 onwards; in /etc/pb prior to v9.4.3) by default. pbul_policy.conf is then
included in the main policy (by default /opt/pbul/policies/pb.conf from v9.4.3 onwards and /etc/pb.conf prior to v9.4.3).
This default policy contains the following roles:

Helpdesk role
Enabled by default. When pbrun helpdesk is invoked, it allows any user in HelpdeskUsers (default root) to start a helpdesk menu as root
on any host in HelpdeskHosts (default submithost only). The helpdesk menu of actions contains:

l List of processes (ps -ef)
l Check if a machine is up (ping <host>)
l List current users on this host (who -H)
l Display host's IP settings (ifconfig -a)

PBTest
Enabled by default, for all users on all hosts, pbrun pbtest allows checking connectivity and policy.

Controlled shells
Enabled by default, allows users in ControlledShellUsers (by default the submituser), for runhosts in ControlledShellHosts (by default
only submithost), to enable iologging for pbksh/pbsh. iologs are created by default in
"/tmp/pb.<user>.<runhost>.<YYYY-MM-DD>.[pbksh|pbsh].XXXXXX". This role has a list of commands (empty by default) to elevate privileges
for, as well as a list of commands (empty by default) to reject.

Admin role
Enabled by default, allows users in AdminUsers (by default root) to run any command on runhosts in AdminHosts (by default only
submithost).

Demo role
Disabled by default, allows users in DemoUsers (default all users) to run commands in DemoCommands (default id and whoami) as
root on any host in DemoHosts (default all hosts).
The policy ends by allowing all users to run any command as themselves without any privilege escalation.


This policy is meant to be used as a starting point for your own policy. You can enable or disable any of the roles listed above by simply
setting the corresponding "Enable<rolename>Role" to true or false. Or you can completely delete the policy and use your own. If you
choose to continue with the default policy as a starting point, you can add more users, hosts and commands to the various lists used for
each role, for example you can take ControlledShellRole further by adding users to ControlledShellUsers, and hosts to
ControlledShellHosts, and commands to ControlledShellRejectedCmds and ControlledShellPrivilegedCmds.

Splunk role
Disabled by default. If enabled, and only when pbrun is invoked, it enables iologging (creating iologs in /pbiologs), sets a default ACA
rule, enables ACA session history, and sets iologcloseaction to a script that sends records to Splunk.

Sudo role
Disabled by default, allows users in SudoUsers (only root, by default) to run any command on runhosts defined in SudoHosts (default
submithosts).
This serves as a demo policy for the sudo wrapper which requires policy modification before it is installed. It illustrates what changes to
start with to make all the sudo wrapper options available.

For more information on the sudo wrapper, see "Sudo Wrapper" in the Endpoint Privilege Management for Unix and Linux
Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/admin/index.htm.


Role-Based Policy database schema


Role Based Policy has been implemented to simplify the definition of policy for administrators. Policies are kept within structured records
in a database, simplifying maintenance, decreasing system load, increasing throughput, and providing a comprehensive REST API to
integrate policy management with existing customer systems and procedures, including simplified bulk import/export of data. Once the
customers' data is held within the Role Based Policy database it is much easier to provide management information, such as user
entitlement reports. The policy data is grouped into users, hosts, commands, time/dates and roles detailed in the schema below.


User groups
User groups define groups of users and/or wildcard patterns that match usernames:

CREATE TABLE usergrp (
id INTEGER PRIMARY KEY,
name TEXT UNIQUE,
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1), -- 0=enabled, 1=disabled
type CHAR(1) CHECK (type IN ('I','E')), -- I=internal, E=external
extinfo TEXT -- external lookup info
);
CREATE TABLE userlist (
id INTEGER REFERENCES usergrp(id),
user TEXT, -- "glob" wildcard
PRIMARY KEY(id,user)
);

Each user group has multiple user list entries that specify names, wildcards, or both, that match both submit and run user names when
matched by the role.


Host groups
Host groups define groups of hosts, wildcard patterns, or both, that match hostnames:

CREATE TABLE hostgrp (
id INTEGER PRIMARY KEY,
name TEXT UNIQUE,
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1), -- 0=enabled, 1=disabled
type CHAR(1) CHECK (type IN ('I','E')), -- I=internal, E=external
extinfo TEXT -- external lookup info
);
CREATE TABLE hostlist (
id INTEGER REFERENCES hostgrp(id),
host TEXT, -- "glob" wildcard
PRIMARY KEY(id,host)
);

Each host group has multiple host list entries that specify names and/or wildcards that match both submit and run host names when
matched by the role.


Command groups
Command groups define groups of commands, wildcard patterns, or both, that match commands:

CREATE TABLE cmdgrp (
id INTEGER PRIMARY KEY,
name TEXT UNIQUE,
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1) -- 0=enabled, 1=disabled
);
CREATE TABLE cmdlist (
id INTEGER REFERENCES cmdgrp(id),
cmd TEXT, -- "glob" wildcard
rewrite TEXT, -- new command (see below)
PRIMARY KEY(id,cmd)
);

Each command group has multiple command list entries that specify commands and/or wildcards that match the submitted command
name when matched by the role, and a rewrite column to rewrite the command that is executed. The rewrite is in a format similar to
Bourne/Bash shell arguments, for example $0, $1, $*, $#, etc. Rewrite uses the original command to substitute arguments into the new
rewritten command.


Time/date groups
Time/date groups define groups of times/dates and/or wildcard patterns that match times/dates:

CREATE TABLE tmdategrp (
id INTEGER PRIMARY KEY,
name TEXT UNIQUE,
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1) -- 0=enabled, 1=disabled
);

CREATE TABLE tmdatelist (
id INTEGER REFERENCES tmdategrp(id),
tmdate TEXT, -- json format - see below
PRIMARY KEY(id,tmdate)
);

Each time/date group has multiple time/date list entries that specify the times/dates at which a request is matched by the role. Each
individual time/date is specified in JSON format, and can be one of two different formats:

l From/To specific date range: both from and to are specified in epoch seconds:

'{ "range" : { "from" : 1415851283, "to": 1415887283 }}'

l Day of the week: each day is specified as an array of 24 hours.

Each hour is a number representing 15 minute intervals defined as a binary mask, one bit per quarter hour:

1 0 to 14 minutes of the hour
2 15 to 29 minutes of the hour
4 30 to 44 minutes of the hour
8 45 to 59 minutes of the hour

Therefore the values range from 0 (none of the hour) to 15 (the whole hour); for example, 3 allows only the first 30 minutes. The
following entry allows Monday to Friday from 07:00 to 18:30:
'{
"mon" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
"tue" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
"wed" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
"thu" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
"fri" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
"sat" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
"sun" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
}'
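The following is an added example, not code from the BeyondTrust guide or product. It builds both tmdate forms (the weekday bitmask arrays from human-readable windows, and the epoch range from ISO timestamps) and evaluates whether a request time falls inside one entry. The bit values follow the mask description above; two points the guide does not settle are treated as assumptions here: the range bounds are inclusive, and the weekday form is evaluated in whatever timezone the supplied time carries.

```python
"""Added example, not BeyondTrust code: build and evaluate the two tmdate JSON
forms.  Bit values follow the mask description (1 = minutes 0-14, 2 = 15-29,
4 = 30-44, 8 = 45-59).  Assumed, because the guide does not say: "range" bounds
are inclusive, and the weekday form uses the timezone of the supplied time."""
import json
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # datetime.weekday() order


def weekday_mask(windows):
    """windows: {"mon": [("07:00", "18:30")], ...} -> {"mon": [24 ints], ...}.
    End times are exclusive, so 18:30 sets only the 0-14 and 15-29 bits of hour 18."""
    days = {d: [0] * 24 for d in DAYS}
    for day, spans in windows.items():
        for start, end in spans:
            sh, sm = map(int, start.split(":"))
            eh, em = map(int, end.split(":"))
            # walk the quarter-hour slots [start, end) and set one bit per slot
            for slot in range(sh * 4 + sm // 15, eh * 4 + em // 15):
                days[day][slot // 4] |= 1 << (slot % 4)
    return days


def weekday_entry(windows):
    """JSON text suitable for a tmdatelist.tmdate value (weekday form)."""
    return json.dumps(weekday_mask(windows))


def range_entry(start_iso, end_iso):
    """JSON text for the from/to form, converting ISO-8601 timestamps to epoch seconds."""
    return json.dumps({"range": {"from": int(datetime.fromisoformat(start_iso).timestamp()),
                                 "to": int(datetime.fromisoformat(end_iso).timestamp())}})


def tmdate_allows(entry, when):
    """Does one tmdate entry (JSON text) permit a request at `when`
    (ISO-8601 string or datetime)?"""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    spec = json.loads(entry)
    if "range" in spec:
        ts = int(when.timestamp())
        return spec["range"]["from"] <= ts <= spec["range"]["to"]
    hours = spec.get(DAYS[when.weekday()])
    if not hours or len(hours) != 24:
        return False                       # day absent or malformed array: deny
    return bool(hours[when.hour] & (1 << (when.minute // 15)))


if __name__ == "__main__":
    office = weekday_entry({d: [("07:00", "18:30")] for d in DAYS[:5]})
    for t in ("2024-06-17T18:20", "2024-06-17T18:35", "2024-06-22T10:00"):
        print(t, "allowed" if tmdate_allows(office, t) else "denied")
```

The length check in tmdate_allows is deliberate: an array with the wrong number of hours (as in a hand-typed entry) fails closed rather than indexing into the wrong hour.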


Roles
Roles are the entities that tie all the other entities together to define a role.

CREATE TABLE role (
id INTEGER PRIMARY KEY,
name TEXT UNIQUE,
rorder INTEGER, -- rule order for matching
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1), -- 0=enabled, 1=disabled
risk INTEGER CHECK(risk >= 0),
action CHAR(1) CHECK (action IN ('A','R')), -- A=Accept, R=Reject
iolog TEXT, -- iolog template
script TEXT, -- pbparse script
tag TEXT DEFAULT NULL, -- Arbitrary tag that will allow grouping of roles
comment TEXT DEFAULT NULL, -- Arbitrary comment field that can contain anything
message TEXT DEFAULT NULL, -- Accept/reject message (templated)
variables TEXT DEFAULT NULL, -- Contains JSON formatted Policy Script variables to set (templated)
varmatch TEXT DEFAULT NULL, -- Contains JSON formatted Policy Script variables to match
auth TEXT DEFAULT NULL, -- Contains JSON formatted array of authentication methods (templated)
rpt INTEGER DEFAULT 1 -- 1=on, 0=off, include Role in Entitlement Report
);
CREATE TABLE roleusers (
id INTEGER REFERENCES role(id),
users INTEGER REFERENCES usergrp(id),
type CHAR(1) CHECK (type IN ('S','R')), -- S=Submit User, R=Run User
PRIMARY KEY (id,users,type)
);
CREATE TABLE rolehosts (
id INTEGER REFERENCES role(id),
hosts INTEGER REFERENCES hostgrp(id),
type CHAR(1) CHECK (type IN ('S','R')), -- S=Submit Host, R=Run Host
PRIMARY KEY (id,hosts,type)
);
CREATE TABLE rolecmds (
id INTEGER REFERENCES role(id),
cmds INTEGER REFERENCES cmdgrp(id),
PRIMARY KEY (id,cmds)
);
CREATE TABLE roletmdates (
id INTEGER REFERENCES role(id),
tmdates INTEGER REFERENCES tmdategrp(id),
PRIMARY KEY (id,tmdates)
);

Each role has multiple users, hosts, commands and time/dates. When the Policy Engine matches against roles, complete records are
selected from the database as fully populated roles, sorted by the role attribute rorder. Once the first record has been matched, the
attributes of the role are applied to the session, and the Policy Engine accepts or rejects the session. The iolog template is the normal
script-format log file name, for example /var/log/io_log.XXXXXX. The script is a full Endpoint Privilege Management for Unix and Linux
policy script that is called if the role has been accepted. This script can carry out extra processing to authorize the session (and can
therefore override the accept/reject status by explicitly accepting or rejecting), and can carry out extended environment configuration
as a normal Endpoint Privilege Management for Unix and Linux script would.
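The following is an added example, not code from the BeyondTrust guide or product, serving both the command-group rewrite description and the role-matching paragraph above. A cut-down copy of the schema is loaded into an in-memory SQLite database with constructed sample data, and the matching rule the guide states is reproduced: roles are fully populated, sorted by rorder, and the first role whose submit user, run user, submit host, run host and command all match decides accept or reject. Glob matching uses Python's fnmatch. Time/date groups are left out for brevity, and the exact $-token rules of the rewrite column are assumed to follow the Bourne shell (only $0, $1.., $* and $# are handled).

```python
"""Added example, not BeyondTrust code: cut-down Role Based Policy schema in
in-memory SQLite plus a re-implementation of first-match-by-rorder role
selection and the rewrite column's $-token substitution (shell rules assumed)."""
import fnmatch
import shlex
import sqlite3

SCHEMA = """
CREATE TABLE usergrp  (id INTEGER PRIMARY KEY, name TEXT UNIQUE, disabled INTEGER DEFAULT 0);
CREATE TABLE userlist (id INTEGER REFERENCES usergrp(id), user TEXT, PRIMARY KEY(id,user));
CREATE TABLE hostgrp  (id INTEGER PRIMARY KEY, name TEXT UNIQUE, disabled INTEGER DEFAULT 0);
CREATE TABLE hostlist (id INTEGER REFERENCES hostgrp(id), host TEXT, PRIMARY KEY(id,host));
CREATE TABLE cmdgrp   (id INTEGER PRIMARY KEY, name TEXT UNIQUE, disabled INTEGER DEFAULT 0);
CREATE TABLE cmdlist  (id INTEGER REFERENCES cmdgrp(id), cmd TEXT, rewrite TEXT, PRIMARY KEY(id,cmd));
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE, rorder INTEGER,
                   disabled INTEGER DEFAULT 0, action CHAR(1) CHECK (action IN ('A','R')));
CREATE TABLE roleusers (id INTEGER REFERENCES role(id), users INTEGER REFERENCES usergrp(id),
                        type CHAR(1) CHECK (type IN ('S','R')), PRIMARY KEY(id,users,type));
CREATE TABLE rolehosts (id INTEGER REFERENCES role(id), hosts INTEGER REFERENCES hostgrp(id),
                        type CHAR(1) CHECK (type IN ('S','R')), PRIMARY KEY(id,hosts,type));
CREATE TABLE rolecmds  (id INTEGER REFERENCES role(id), cmds INTEGER REFERENCES cmdgrp(id),
                        PRIMARY KEY(id,cmds));
"""
# Constructed data.  The Reject role gets the lower rorder so it is tried before the
# broad Admin role; swap the rorder values and Admin matches first and allows the shutdown.
SAMPLE = """
INSERT INTO usergrp   VALUES (1,'Admins',0),(2,'Everyone',0),(3,'Root',0);
INSERT INTO userlist  VALUES (1,'alice'),(1,'bob'),(2,'*'),(3,'root');
INSERT INTO hostgrp   VALUES (1,'AllHosts',0),(2,'ProdDB',0);
INSERT INTO hostlist  VALUES (1,'*'),(2,'db-prod-*');
INSERT INTO cmdgrp    VALUES (1,'UserCmds',0),(2,'AdminCmds',0);
INSERT INTO cmdlist   VALUES (1,'/bin/ls','/bin/ls'),(1,'/bin/ls *','/bin/ls $*'),
                             (1,'/bin/rm *','/bin/rm -i $*'),(2,'/sbin/shutdown *',NULL);
INSERT INTO role      VALUES (1,'NoProdShutdown',1,0,'R'),(2,'Admin',2,0,'A');
INSERT INTO roleusers VALUES (1,2,'S'),(1,3,'R'),(2,1,'S'),(2,3,'R');
INSERT INTO rolehosts VALUES (1,2,'S'),(1,2,'R'),(2,1,'S'),(2,1,'R');
INSERT INTO rolecmds  VALUES (1,2),(2,1),(2,2);
"""
Q_USERS = ("SELECT ul.user FROM roleusers ru JOIN usergrp ug ON ug.id = ru.users "
           "JOIN userlist ul ON ul.id = ug.id WHERE ru.id=? AND ru.type=? AND ug.disabled=0")
Q_HOSTS = ("SELECT hl.host FROM rolehosts rh JOIN hostgrp hg ON hg.id = rh.hosts "
           "JOIN hostlist hl ON hl.id = hg.id WHERE rh.id=? AND rh.type=? AND hg.disabled=0")
Q_CMDS = ("SELECT cl.cmd, cl.rewrite FROM rolecmds rc JOIN cmdgrp cg ON cg.id = rc.cmds "
          "JOIN cmdlist cl ON cl.id = cg.id WHERE rc.id=? AND cg.disabled=0")


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db


def load_roles(db):
    """Fully populated roles in rorder; disabled roles and disabled groups are skipped."""
    def column(query, *params):
        return [row[0] for row in db.execute(query, params)]
    roles = []
    for rid, name, rorder, action in db.execute(
            "SELECT id, name, rorder, action FROM role WHERE disabled=0 ORDER BY rorder").fetchall():
        roles.append({"name": name, "rorder": rorder, "action": action,
                      "submitusers": column(Q_USERS, rid, "S"), "runusers": column(Q_USERS, rid, "R"),
                      "submithosts": column(Q_HOSTS, rid, "S"), "runhosts": column(Q_HOSTS, rid, "R"),
                      "cmds": db.execute(Q_CMDS, (rid,)).fetchall()})
    return roles


def glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def apply_rewrite(rewrite, argv):
    """Expand the rewrite column: $0 is the matched command, $1.. its arguments,
    $* all arguments, $# their count.  A NULL/empty rewrite runs the command as is."""
    if not rewrite:
        return list(argv)
    out = []
    for tok in shlex.split(rewrite):
        if tok == "$*":
            out.extend(argv[1:])
        elif tok == "$#":
            out.append(str(len(argv) - 1))
        elif tok.startswith("$") and tok[1:].isdigit() and int(tok[1:]) < len(argv):
            out.append(argv[int(tok[1:])])
        else:
            out.append(tok)
    return out


def match(roles, submituser, runuser, submithost, runhost, argv):
    """(role name, 'A' or 'R', argv to execute) for the first role in rorder whose
    every list matches, else None.  The command is matched as one string, so
    '/bin/ls *' does not match a bare '/bin/ls': list both patterns, as the
    default policy's entitlement report later in this guide does."""
    cmdline = " ".join(argv)
    for r in roles:
        if not (glob_any(r["submitusers"], submituser) and glob_any(r["runusers"], runuser)
                and glob_any(r["submithosts"], submithost) and glob_any(r["runhosts"], runhost)):
            continue
        for pattern, rewrite in r["cmds"]:
            if fnmatch.fnmatchcase(cmdline, pattern):
                return r["name"], r["action"], apply_rewrite(rewrite, argv)
    return None
```

Two things worth noticing when running it: a role whose users and hosts match but whose command groups do not is skipped and evaluation continues to the next rorder, and a Reject role only protects what it is ordered ahead of, so rorder is part of the security policy, not a cosmetic attribute.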


Role "Auth" attribute


The auth column holds a JSON formatted configuration that gives Role Based Policy the same choice of authentication methods that
script policy already employs. The corresponding functions are called by the Role Based Policy authorization code in the same way as
in script based policy.
The column is a JSON array of methods that are called in order; the request is rejected as soon as the first one fails. Each array
element is a JSON object with a method and its attributes:

{"method" : "getstringpasswd", "passwd" : <string>, "prompt" : "<string>", "message" : "<string>",
 "rejectMessage" : "<string>", "tries" : <num>}

passwd: Base64 encoded SHA256 password to match
prompt: The prompt string
message: Message to display if the authentication fails
rejectMessage: The Reject message that is logged against the event
tries: The number of password attempts

{"method" : "getuserpasswd", "user" : <string>, "fname" : <string>, "prompt" : "<string>",
 "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>, "period" : <num>}

user: Username to check
fname: The unique filename used to cache the password authentication
prompt: The prompt string
message: Message to display if the authentication fails
rejectMessage: The Reject message that is logged against the event
tries: The number of password attempts
period: The maximum duration before the user has to reauthenticate

{"method" : "getuserpasswdpam", "user" : <string>, "service" : <string>, "fname" : <string>,
 "prompt" : "<string>", "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>,
 "period" : <num>}

user: Username to check
service: The PAM service string
fname: The unique filename used to cache the password authentication


prompt: The prompt string
message: Message to display if the authentication fails
rejectMessage: The Reject message that is logged against the event
tries: The number of password attempts
period: The maximum duration before the user has to reauthenticate

{"method" : "submitconfirmuser", "user" : <string>, "fname" : <string>, "prompt" : "<string>",
 "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>, "period" : <num>}

user: Username to check
fname: The unique filename used to cache the password authentication
prompt: The prompt string
message: Message to display if the authentication fails
rejectMessage: The Reject message that is logged against the event
tries: The number of password attempts
period: The maximum duration before the user has to reauthenticate

{"method" : "submitconfirmuserpam", "user" : <string>, "service" : <string>, "fname" : <string>,
 "prompt" : "<string>", "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>,
 "period" : <num>}

user: Username to check
service: The PAM service string
fname: The unique filename used to cache the password authentication
prompt: The prompt string
message: Message to display if the authentication fails
rejectMessage: The Reject message that is logged against the event
tries: The number of password attempts
period: The maximum duration before the user has to reauthenticate

There are also three other variables (runconfirmuser, runconfirmmessage and runconfirmpasswdservice) that affect reauthentication.
Because these are policy script variables rather than functions, they are handled differently: set them in the Variables column, where
they are templated in the same way.


Example:

{ "runconfirmuser" : "%user%" }
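The following is an added example, not code from the BeyondTrust guide or product. It builds an auth column value chaining a PAM reauthentication of the submitting user with a role-specific passphrase, and checks such a value against the attributes listed above before it is stored. Two things are assumptions because the page does not state them: the getstringpasswd passwd value is taken to be the SHA-256 digest of the password, base64 encoded (confirm the exact encoding against a value your own tooling produces before relying on it), and "pbul" is used as a placeholder PAM service name; the period value of 900 is assumed to be in seconds.

```python
"""Added example, not BeyondTrust code: build and sanity-check a role auth column.
Assumed: passwd = base64(SHA-256(password)); "pbul" is a placeholder PAM service;
period is in seconds.  Attribute names per method are those the guide lists."""
import base64
import hashlib
import hmac
import json

METHOD_KEYS = {
    "getstringpasswd": {"passwd", "prompt", "message", "rejectMessage", "tries"},
    "getuserpasswd": {"user", "fname", "prompt", "message", "rejectMessage", "tries", "period"},
    "getuserpasswdpam": {"user", "service", "fname", "prompt", "message", "rejectMessage",
                         "tries", "period"},
    "submitconfirmuser": {"user", "fname", "prompt", "message", "rejectMessage", "tries", "period"},
    "submitconfirmuserpam": {"user", "service", "fname", "prompt", "message", "rejectMessage",
                             "tries", "period"},
}


def string_passwd(password):
    """Stored form of a getstringpasswd secret (encoding assumed, see above)."""
    return base64.b64encode(hashlib.sha256(password.encode()).digest()).decode()


def string_passwd_matches(stored, candidate):
    """Constant-time check of a typed password against the stored value."""
    return hmac.compare_digest(stored, string_passwd(candidate))


def auth_problems(auth_json):
    """List of problems with an auth column value; empty means it looks valid.
    Methods run in array order and the first failure rejects, so order them
    deliberately."""
    try:
        methods = json.loads(auth_json)
    except ValueError as exc:
        return [f"not JSON: {exc}"]
    if not isinstance(methods, list) or not methods:
        return ["auth must be a non-empty JSON array"]
    problems = []
    for i, m in enumerate(methods):
        name = m.get("method") if isinstance(m, dict) else None
        if name not in METHOD_KEYS:
            problems.append(f"entry {i}: unknown method {name!r}")
            continue
        extra = set(m) - METHOD_KEYS[name] - {"method"}
        if extra:
            problems.append(f"entry {i} ({name}): unexpected attributes {sorted(extra)}")
        if "tries" in m and (not isinstance(m["tries"], int) or m["tries"] < 1):
            problems.append(f"entry {i} ({name}): tries must be a positive integer")
        if name == "getstringpasswd" and not m.get("passwd"):
            problems.append(f"entry {i}: getstringpasswd needs a passwd value")
        if name.endswith("pam") and not m.get("service"):
            problems.append(f"entry {i} ({name}): PAM methods need a service name")
    return problems


def example_auth(role_secret):
    """Two-step chain: PAM check of the submitting user's own password (cached
    through fname/period), then a role-specific passphrase.  An unsalted SHA-256
    is cheap to attack offline if the policy database leaks, so keep the PAM
    step and treat the string secret as the weaker of the two factors."""
    return json.dumps([
        {"method": "submitconfirmuserpam", "user": "%user%", "service": "pbul",
         "fname": "confirm-%user%", "prompt": "Password for %user%: ",
         "rejectMessage": "PAM reauthentication failed", "tries": 3, "period": 900},
        {"method": "getstringpasswd", "passwd": string_passwd(role_secret),
         "prompt": "Role passphrase: ", "rejectMessage": "bad role passphrase", "tries": 2},
    ])
```

The validator is deliberately strict about unknown attributes: a misspelt key such as "rejectmessage" would otherwise be silently ignored and the logged reject reason would be empty.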

Matching variables for a role


A JSON formatted column allows the matching of roles based on variables submitted by the client, for example pbclientmode. Matched
values are wildcarded using normal glob(3) rules.
The format of the object is similar to:

{ "varmatch" : { "pbclientmode" : "pbrun", "year" : "201[678]" }}


Role Based Policy, change management events


There are two different approaches to maintaining the Role Based Policy database. The first, simple method is to access the tables using
pbdbutil at the command line. Each change is individual and instantaneous, and is immediately live. Although this is adequate for smaller
organizations, larger organizations need a more controlled, procedural access method.
Role Based Policy database change transactions can be enabled using the pb.settings keyword rbptransactions. Once enabled, the
administrator must begin a change transaction before changes can be made, specifying a reason for the change. This is logged and the
whole Role Based Policy database is then locked for update: only that administrator can continue to make changes. These changes are
NOT mirrored in the live authorization process until they are committed; that administrator alone can continue to make changes and,
when finished, can commit or roll them back. Once the changes are committed they are all applied to the database as one update, and a
change management event is generated. If the changes are rolled back, they are discarded and nothing changes.
If a change transaction is begun and the administrator leaves it open and fails to close it, any other administrator with access can force
a rollback of the changes. Once again, this requires a reason to be specified, and logs a change management event. The change
transactions are necessary once GUI policy updates are implemented, to enforce database integrity.
See the section below for Change Transaction Command Line options.
To enable the logging of change management events, each client needs the pb.settings keyword changemanagementevents set to yes,
and log servers need eventdb <path> defined and the REST pbrest service running.
The following settings are used and need to be set when Role Based Policy and Change Management are implemented and used:

policydb <path>
l The path to the Role Based Policy Database.
l There is no default for this setting.

pbresturi <string>
l The partial REST url string between the hostname and /REST.
l There is no default for this setting.

pbrestport <port#>
l The REST port.
l Default value is the base port + 6.

rolebasedpolicy <yes/no>
l Enable/Disable Role Based Policy checking.
l The default is no.


eventdb <path>
l The path to the Change Management Event Database.
l There is no default for this setting.

rbptransactions <yes/no>
l Enable the use of Role Based Policy Transactions to ensure integrity.
l The default is no.

changemanagementevents <yes/no>
l Enable/Disable the logging of Change Management Events when maintaining databases.
l The default is no.

pbresttimeskew <num>
l The maximum clock difference in seconds tolerated between hosts (it is recommended that the customer uses a time synchronization
service).
l The default is 60 seconds.


Role-Based Policy Entitlement reports


Endpoint Privilege Management for Unix and Linux v10.1.0 introduced Role Based Policy Entitlement reports. These reports are available
to the user from the pbrun command using -e, or to the administrator as an overall report using pbdbutil --rbp -R. They provide a
comprehensive report of which commands users can run, on which hosts, and when they are allowed to run them.

pbdbutil: Role-Based Policy options


The pbdbutil role-based policy options introduced in Endpoint Privilege Management for Unix and Linux v10.1.0 are described below.

pbdbutil --rbp [<options>] [ <file> <file> ...]


-R { json param } Report user entitlements from the database
-R Add option to display commands
-R Add option to display time/date restrictions
-R Add option to display additional role options
-E { json param } List user entitlements data from the database
where { json param } is one or more of:
"submituser" : "user1" Specify submit user or wildcard
"submithost" : "host1" Specify submit host or wildcard
"runuser" : "user1" Specify run user or wildcard
"runhost" : "host1" Specify run host or wildcard
"command" : "command" Specify command or wildcard

pbrun options
Endpoint Privilege Management for Unix and Linux v10.1.0 introduced the following options that are available only when Role Based
Policy is enabled:

pbrun -e Returns the entitlement report for the current user at level 1.

pbrun -e 1 Returns the entitlement report for the current user at level 1.

pbrun -e 4 Returns the entitlement report for the current user at level 4.

pbrun --entitlement=4 Returns the entitlement report for the current user at level 4.

Example:

Level 1 report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report -
Level 1
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:23
User: root
Belongs to the following Roles:
Admin


======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
/bin/find *,/usr/bin/ls,/bin/ls,/bin/cat *,/bin/ls *,/usr/bin/ls *,/usr/bin/rm *,
/usr/bin/cat *,/usr/bin/find *,/sbin/shutdown *,/bin/more *,/bin/id,/usr/bin/more *,
/usr/bin/mount *,/bin/ln *,/bin/mount *,/bin/rm *,/usr/sbin/shutdown *,
/usr/bin/ln *,/usr/bin/id,/sbin/ifconfig *,/usr/sbin/ifconfig *
======================================================================

Example:

Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report -
Level 2
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:28
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description: Common UNIX Commands
/bin/ls executes: /bin/ls
/bin/ls * executes: /bin/ls *
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/bin/cat * executes: /bin/cat *
/usr/bin/cat * executes: /usr/bin/cat *
/bin/find * executes: /bin/find *
/usr/bin/find * executes: /usr/bin/find *
/bin/more * executes: /bin/more *
/usr/bin/more * executes: /usr/bin/more *
/bin/rm * executes: /bin/rm -i $*
/usr/bin/rm * executes: /usr/bin/rm -i $*
/bin/ln * executes: /bin/ln *
/usr/bin/ln * executes: /usr/bin/ln *
/bin/id executes: /bin/id
/usr/bin/id executes: /usr/bin/id
Command Group: Admin Commands
Description: Common Superuser Commands
/sbin/shutdown * executes: /sbin/shutdown *
/usr/sbin/shutdown * executes: /usr/sbin/shutdown *
/bin/mount * executes: /bin/mount *
/usr/bin/mount * executes: /usr/bin/mount *
/sbin/ifconfig * executes: /sbin/ifconfig *
/usr/sbin/ifconfig * executes: /usr/sbin/ifconfig *

Example:

Level 3 report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report -
Level 3
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:30
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description: Common UNIX Commands
/bin/ls executes: /bin/ls
/bin/ls * executes: /bin/ls *
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/bin/cat * executes: /bin/cat *
/usr/bin/cat * executes: /usr/bin/cat *
/bin/find * executes: /bin/find *
/usr/bin/find * executes: /usr/bin/find *
/bin/more * executes: /bin/more *
/usr/bin/more * executes: /usr/bin/more *
/bin/rm * executes: /bin/rm -i $*
/usr/bin/rm * executes: /usr/bin/rm -i $*
/bin/ln * executes: /bin/ln *
/usr/bin/ln * executes: /usr/bin/ln *
/bin/id executes: /bin/id
/usr/bin/id executes: /usr/bin/id
Command Group: Admin Commands
Description: Common Superuser Commands
/sbin/shutdown * executes: /sbin/shutdown *
/usr/sbin/shutdown * executes: /usr/sbin/shutdown *
/bin/mount * executes: /bin/mount *
/usr/bin/mount * executes: /usr/bin/mount *
/sbin/ifconfig * executes: /sbin/ifconfig *
/usr/sbin/ifconfig * executes: /usr/sbin/ifconfig *
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description: Any Time
Monday: 01:00am to 12:14pm
Tuesday: 01:00am to 12:14pm
Wednesday: 01:00am to 12:14pm
Thursday: 01:00am to 12:14pm
Friday: 01:00am to 12:14pm
Saturday: 01:00am to 12:14pm
Sunday: 01:00am to 12:14pm

Example:

Level 4 report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report -
Level 4
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:32
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description: Common UNIX Commands
/bin/ls executes: /bin/ls
/bin/ls * executes: /bin/ls *
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/bin/cat * executes: /bin/cat *
/usr/bin/cat * executes: /usr/bin/cat *
/bin/find * executes: /bin/find *
/usr/bin/find * executes: /usr/bin/find *
/bin/more * executes: /bin/more *
/usr/bin/more * executes: /usr/bin/more *
/bin/rm * executes: /bin/rm -i $*
/usr/bin/rm * executes: /usr/bin/rm -i $*
/bin/ln * executes: /bin/ln *
/usr/bin/ln * executes: /usr/bin/ln *
/bin/id executes: /bin/id
/usr/bin/id executes: /usr/bin/id
Command Group: Admin Commands
Description: Common Superuser Commands
/sbin/shutdown * executes: /sbin/shutdown *
/usr/sbin/shutdown * executes: /usr/sbin/shutdown *
/bin/mount * executes: /bin/mount *
/usr/bin/mount * executes: /usr/bin/mount *
/sbin/ifconfig * executes: /sbin/ifconfig *
/usr/sbin/ifconfig * executes: /usr/sbin/ifconfig *
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description: Any Time
Monday: 01:00am to 12:14pm
Tuesday: 01:00am to 12:14pm
Wednesday: 01:00am to 12:14pm
Thursday: 01:00am to 12:14pm
Friday: 01:00am to 12:14pm
Saturday: 01:00am to 12:14pm
Sunday: 01:00am to 12:14pm
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: yes
Extended Script Policy: no
Custom accept/reject message: no

Example:

Level 1 report with "command" filter

pbdbutil -P --rbp -R '{ "command":"/usr/bin/*"}'
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report -
Level 1
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:09:10
User: *
Belongs to the following Roles:
Admin,users
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
/usr/bin/ls,/usr/bin/mount *,/usr/bin/ls *,/usr/bin/cat *,/usr/bin/find *,
/usr/bin/rm *,/usr/bin/ln *,/usr/bin/more *,/usr/bin/id
======================================================================
Role Order: 4
Name: users
Description: Normal users
Action: allowed
Tag:
Membership: Users
Submit Host(s): nfs.company.com,build.company.com,staging.company.com
Run Host(s): nfs.company.com,build.company.com,staging.company.com
Commands will execute as user: user*
User may request the following commands using pbrun:
/usr/bin/ls,/usr/bin/ls *,/usr/bin/find *,/usr/bin/cat *,/usr/bin/ln *,
/usr/bin/rm *,/usr/bin/more *,/usr/bin/id

Example:

Level 4 report with "command" filter

======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report -
Level 4
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:09:26
User: *
Belongs to the following Roles:
Admin,users
======================================================================
Role Order: 1
Name: Admin
Description: Super users and admins
Action: allowed
Tag:
Risk: 1
Membership: Admins
Submit Host(s): Any PBUL Host
Run Host(s): Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: Admin Commands
Description: Common Superuser Commands
/usr/bin/mount * executes: /usr/bin/mount *
Command Group: User Commands
Description: Common UNIX Commands
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/usr/bin/cat * executes: /usr/bin/cat *
/usr/bin/find * executes: /usr/bin/find *
/usr/bin/more * executes: /usr/bin/more *
/usr/bin/rm * executes: /usr/bin/rm -i $*
/usr/bin/ln * executes: /usr/bin/ln *
/usr/bin/id executes: /usr/bin/id
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description: Any Time
Monday: 01:00am to 12:14pm
Tuesday: 01:00am to 12:14pm
Wednesday: 01:00am to 12:14pm
Thursday: 01:00am to 12:14pm
Friday: 01:00am to 12:14pm
Saturday: 01:00am to 12:14pm
Sunday: 01:00am to 12:14pm
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: yes
Extended Script Policy: no
Custom accept/reject message: no
======================================================================
Role Order: 4
Name: users
Description: Normal users
Action: allowed
Tag:
Risk: 1
Membership: Users
Submit Host(s): build.company.com,nfs.company.com,staging.company.com
Run Host(s): build.company.com,nfs.company.com,staging.company.com
Commands will execute as user: user*
User may request the following commands using pbrun:
Command Group: User Commands
Description: Common UNIX Commands
/usr/bin/ls executes: /usr/bin/ls
/usr/bin/ls * executes: /usr/bin/ls *
/usr/bin/cat * executes: /usr/bin/cat *
/usr/bin/find * executes: /usr/bin/find *
/usr/bin/more * executes: /usr/bin/more *
/usr/bin/rm * executes: /usr/bin/rm -i $*
/usr/bin/ln * executes: /usr/bin/ln *
/usr/bin/id executes: /usr/bin/id
Date and Time restrictions for Role 'users':
Time/Date Group: Working Week
Description: Working Week
Monday: 01:00am to 12:14pm
Tuesday: 01:00am to 12:14pm
Wednesday: 01:00am to 12:14pm
Thursday: 01:00am to 12:14pm
Friday: 01:00am to 12:14pm
Saturday: none
Sunday: none
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: no
Extended Script Policy: no
Custom accept/reject message: no


Policy file format


In most cases, the order of the instructions in a security policy file is not important; the user's security requirements determine the rules
that the file contains. The one ordering rule that always matters is that the policy is interpreted from the top down and processing stops at
the first accept or reject statement that is executed, so a broad accept placed early masks every more specific rule that follows it.

User-written functions and procedures


To help simplify security policy implementation, the Endpoint Privilege Management for Unix and Linux Security Policy Scripting
Language enables the security administrator to write custom functions and procedures (that is, user-written functions and procedures).

Note: For the remainder of this discussion, the term "function" refers to both user-written functions and procedures. The
differences between the two are discussed in "Functions and procedures" on page 103.

Think of functions as stand-alone units of security code that perform specific programming tasks. After a function is written, it can be
invoked from within any security policy file to perform its task. It is a good idea to write functions for repetitive programming tasks, so that
the policy instructions are written once and used in multiple places.

Another benefit of using functions is that any needed change can be made in only one place. By centralizing the logic for a repetitive task
in a single function, all of the security policy files that call the function automatically benefit from any update made to it. The following
figure illustrates the basic structure of a function.

When a user-written function is used within a security policy file, the code for that function is placed at the top of the security policy file
that first references it, so that the definition is read before the first call. In other words, the overall structure of a security policy file is all
user-written functions first, followed by security policy code.

A good way to manage and organize user-written functions is to group all functions that perform similar types of tasks in their own security
policy sub-file. Then add an include statement for each of these sub-files at the beginning of the pb.conf file, before anything else. Once
this is done, the functions contained in these sub-files can be called from within any security policy file.

For more information on creating functions and procedures, see "Functions and procedures" on page 103.
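As an added example (not taken from this guide), the following shows the layout described above: a sub-file that holds only user-written routines, and a pb.conf that includes it before any policy code. The file paths, user names and command list are assumptions chosen for illustration; the built-in variables and functions used (user, command, runuser, runconfirmuser, iolog, basename, print, accept, reject and the in operator) are the language's own.

```text
# --- /etc/pb/functions.conf (assumed path) ---------------------------
# Sub-file holding only user-written functions and procedures.

# Function: returns true when the requested command is in cmdlist.
# Compare the full path held in 'command', not basename(command):
# a basename check would also accept /home/alice/shutdown.
function is_allowed_command(cmdlist)
{
    return command in cmdlist;
}

# Procedure (no return value): warn the submitting user and require
# them to re-enter their own password before the task runs.
procedure require_confirmation(msg)
{
    print(msg);
    runconfirmuser = user;
}

# --- /etc/pb.conf ----------------------------------------------------
# Functions come first: the include must precede the first statement
# that calls anything defined in the sub-file.
include "/etc/pb/functions.conf";

# Assumed example data.
AdminUsers    = {"alice", "bob"};
AdminCommands = {"/sbin/shutdown", "/usr/sbin/shutdown",
                 "/bin/mount", "/usr/bin/mount"};

if (user in AdminUsers && is_allowed_command(AdminCommands)) {
    require_confirmation("Privileged command: re-enter your password.");
    runuser = "root";
    iolog   = "/var/log/pb/" + user + ".iolog";   # record the session
    accept;
}

# Anything not explicitly accepted above is rejected; processing stops
# at the first accept or reject that is executed.
reject "Request rejected by policy";
```

Because the include is the first statement in pb.conf, both routines are available to any policy file that is processed afterwards; moving the include below the if statement would make the first call fail at syntax-check time.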

Variable scope
Security policy variables are global. In other words, after a variable has been implicitly defined, it can be referenced from any security
policy file. The use of a variable is not limited to the security policy file in which it was implicitly defined (that is, used for the first time).
If a variable is implicitly created in one security policy file and referenced by another, both files access and modify the same variable.

Syntax checking
Always check the syntax of a security policy file before putting it into production. If a request encounters a security policy file syntax error,
then the task that causes the error is immediately rejected. The Reject event is logged in the Endpoint Privilege Management for Unix and
Linux event log.
Syntax checking is done with pbcheck, an Endpoint Privilege Management for Unix and Linux utility program. It performs two functions:

- Security policy file syntax validation
- Simulation of security processing for a test task request, to determine whether that request would be accepted or rejected during
  production processing

For more information on how to use pbcheck, see the Endpoint Privilege Management for Unix and Linux Administration
Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.

Policy debugging
Policies can be debugged via the pbadmin --poldbg command.

For more information, see the Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.

Environment variable processing considerations


As discussed earlier, it is possible to install pbrun, pbmasterd, pblocald, and/or pblogd on different machines (that is, the submit host,
policy server host, run host, and log host may represent different physical machines). When this is the case, each of these separate
machines can have its own set of users, groups, and environment variables, which can differ from host to host.

Note: If pbrun, pbmasterd, and/or pblocald are installed on different machines, then the environment variables on those
machines can contain different values.

For instance, a user might have one home directory on the submit host and another on the run host. In another example, a user group list
on policy server host can be different from the same user group list on the run host. This situation might arise if the policy server host is not
an NIS client or has fewer entries in its /etc/passwd file.
As shown in the following figure, security policy file processing always takes place on the policy server host, while task execution takes
place on the run host. When the policy server host and run host are different machines, by default it is the user and group information on
the policy server host that is consulted during security policy file processing. If users or groups that exist only on the run host must be
consulted, special pass-through values must be used. When these values are encountered during security policy file processing,
pbmasterd passes the value through to the run host, where it is resolved when the task is run.

Note: The execute_via_su mechanism enables the run host's environment for the runuser, overriding the run environment that
the policy on the policy server has set up. The runenvironmentfile feature can also be used to add run host specific environment
variables.

For more detailed information on using pass-through values, see "Task information variables" on page 115.

Support for multiple-byte character sets


The Endpoint Privilege Management for Unix and Linux policy language supports the processing of UTF-8 encoded multiple-byte
character strings. In addition, several variables (indicated by i18n_ in their names) format UTF-8 encoded date and time values according
to the operating system’s locale settings.

Security Policy Scripting Language definition


The Security Policy Scripting Language is an interpreted programming language. Its syntax is similar to the C language. Like C, it is case-
sensitive. This chapter contains detailed information about using the Endpoint Privilege Management for Unix and Linux Security Policy
Scripting Language.

Variables and data types


A variety of variables and data types are available in the Endpoint Privilege Management for Unix and Linux Security Policy Scripting
Language. These are described in the following sections.

Variables
Predefined system variables store both system and task-specific information. These variables are a valuable resource to the Security
Administrator because they can be accessed and manipulated from within security policy files with the Security Policy Scripting Language.
The information in these variables can play a critical role in determining whether a task request should be accepted or rejected. System
variables can also be used to set runtime properties, including logging options, for a specific task request.
In addition to predefined system variables, the Security Administrator can create and manipulate user-defined variables to assist with
security policy file processing. User-defined variables are implicitly defined, meaning the interpreter automatically allocates storage for a
user-defined variable the first time that variable is referenced. In the Endpoint Privilege Management for Unix and Linux Security Policy
Scripting Language, there is no need to formally declare a variable before using it. Consequently, the language does not provide a
mechanism for explicitly defining a variable type. A variable’s type is implicitly defined by the information that is stored in that variable.
After a variable has stored a specific type of information, it cannot store information of a different data type.
Observe the following rules when creating user-defined variables:

• Variable names can be any length.
• The first character of a variable name must be a letter or an underscore character. The remaining characters can be letters,
numerals, or underscores.
• Variable names are case sensitive. For example, the variable names currentuser and CurrentUser represent two different and
unique variables.

Example:

MyVariable = "123"; # Create a user-defined variable.
LoopCounter = 1; # Create a user-defined variable.
_CurrentUser = "Tom"; # Create a user-defined variable.
runuser = "SysAdm"; # Set a predefined system variable.

Variable scope
With the exception of function parameters, all variables are global in scope. (In this context, the function name inside a function behaves
like a function parameter.) This means that if a user-defined variable is implicitly defined in one security policy file and referenced in
another security policy file, both files access the same variable.
Function parameters, also called function arguments, work differently from other variables. Function argument storage for a specific
security policy function is deleted when that security policy function completes execution.

Variable data types


The data type, or type of information that is stored in a variable, determines the type of operations you can perform on the variable.
Endpoint Privilege Management for Unix and Linux supports the following data types:

• Character strings
• Integers
• LDAP connections
• LDAP messages
• Lists of character strings

Character string
The character string, or string, data type is a sequence of zero or more characters, enclosed by single or double quotation marks. It is
important to note that arithmetic functions cannot be performed on character strings. For instance, the character string "123" cannot be
used in an arithmetic operation although it contains only numeric characters. As another example, the character string "12" is not the same
as the number 12. A value that is enclosed in quotation marks is always stored as a character string. In other words, the Security Policy
Scripting Language interpreter treats numeric values and numeric character strings differently. They are not interchangeable.
The following table lists character string examples and how they are interpreted.

Example Interpreted As

"abc" Character string

"" Empty character string

"0123456789" Numeric character string

'abc' Character string

Integer
Integers are numeric values used to perform arithmetic operations. It is important to note that the value 12, which is a numeric value, is not
the same as the value "12", which is a character string. The Security Policy Scripting Language interpreter treats numeric values and
numeric character strings differently. They are not interchangeable.
The integer data type can store any integer value (that is, the set of both positive and negative whole numbers). An octal number (base 8)
is specified by prefixing the octal value with a leading zero (for example, 022). A hexadecimal number (base 16) is specified by preceding
the hexadecimal value with "0x" (for example, 0x5A).
The following table lists the valid integer characters.

Basic Valid Characters

Octal 0, 1, 2, 3, 4, 5, 6, 7

Decimal 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Hexadecimal 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F

The policy language does not support fractional (or floating-point) values. Integer values cannot include characters such as commas,
dollar signs, or decimal points.
The integer values 0 and 1 have special meaning within the Security Policy Scripting Language. The integer value 0 represents the
Boolean false value. The integer value 1 represents the Boolean true value.
The following table provides several examples on the use of integer variables.

Example Result

RejectCount = 0; Sets RejectCount to 0

UserLimit = 10; Sets UserLimit to 10

OctNumber = 022; Sets an octal variable to 18

HexNumber = 0x7a; Sets an integer to a hexadecimal value of 122

For more information on Boolean values, see "Boolean true and false variables" on page 105.

LDAP connection
The LDAP connection is a special data type that is used solely for passing parameters to and from the Endpoint Privilege Management for
Unix and Linux LDAP functions.

For more information on Endpoint Privilege Management for Unix and Linux LDAP functions, see "LDAP functions" on page
535.

LDAP message
The LDAP message is a special data type. It is used only to pass parameters to and from the Endpoint Privilege Management for Unix and
Linux LDAP functions.

For more information on Endpoint Privilege Management for Unix and Linux LDAP functions, see "LDAP functions" on page
535.

List of character strings


A list of character strings, also called a list, is an ordered group of character strings, separated by commas and surrounded by curly braces
{ }. It has the syntax:

{ string-one, string-two, … }

An empty list is represented as { }.

Assignment to a list has the syntax:

name = { string-one, string-two, … }

Assignment to an element of a list can be done by:


name[1] = "string-three"

Think of a list as a one-dimensional array consisting of zero or more elements (refer to the example). A list can contain only character
string data (that is, a list cannot contain integer values, LDAP related types, or other lists).
Individual list elements are accessed using an index number. Square brackets enclose the index number and postfix the list name (see the
following example).

Index numbering starts at 0. This means that the first element in a list has an index of 0, the second element has an index of 1, and so on.
For example, the fifth element in a list has an index number of 4.

Example:

UserList = {"JWhite", "BSmith", "CDent"};

results in the following:

UserList[0] is "JWhite"
UserList[1] is "BSmith"
UserList[2] is "CDent"

Example: Assume the following:

TrustedUsers = {"JWhite", "BSmith"};
User1 = TrustedUsers[0];
User2 = TrustedUsers[1];
MyString = { "a", "b", "c" }[1];

In this example,

User1 = TrustedUsers[0]; sets User1 to "JWhite"
User2 = TrustedUsers[1]; sets User2 to "BSmith"
MyString = { "a", "b", "c" }[1]; sets MyString to "b"

Constants
A constant is a value that is not modified during security policy file execution. The following table contains examples of the different
constant types.

Constant Type Examples

Integer Constant 12, 54, -100, 08, 0x1a

List Constant {"user1", "user2", "user3"}

String Constants "12", "ABCD"

Operators
An operator is a symbol that performs a specific mathematical, relational, or logical function. The Security Policy Scripting Language
supports the types of operators that are listed in the following table.

Operator Type Symbols

Arithmetic Operators *, /, +, -, %, ++, --, +=, -=, *=, /=, %=

Logical Operators &&, ||, !

Relational Operators >, >=, <, <=, ==, !=

Special Operators ( ), [ ], +, ?:, in, ,

Every operator has an intrinsic precedence order associated with it. The precedence order determines the evaluation order for
expressions containing more than one operator. The operator with the highest precedence evaluates first. In most cases, operators of the
same precedence are evaluated left to right. The following table lists the operator precedence.

Precedence Operator Associativity

Highest { } Left to right

( ) [ ] Left to right

in Left to right

! ++ -- Right to left

- (unary) Left to right

* / % Left to right

+ - Left to right

< > <= >= Left to right

== != Left to right

&& Left to right

|| Left to right

?: Right to left

= += -= *= /= %= Right to left

Lowest , Left to right

Example: Following the rules of operator precedence, the statement

5 + 6 - 3 * 4 + 8 / 4

is resolved as:

Step 1: 3*4 = 12
Step 2: 8/4 = 2
Step 3: 5 + 6 - (12) + (2)
Result: 1

Modifying the operator precedence order as shown here can change the result produced in the example above.

(5 + 6 - 3) * (4 + 8) / 4

The statement is resolved as follows:

Step 1: (5 + 6 - 3) = 8
Step 2: (4 + 8) = 12
Step 3: 8 * 12 / 4
Result: 24
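The two worked evaluations above can be checked mechanically. The following Python program is an added example, not code from this guide or from BeyondTrust: it is a hypothetical model of the precedence table for integer expressions only (parentheses, ! and unary -, * / %, + -, the relational and equality operators, && and || with the version 3.5 short-circuit behaviour, and the right-to-left ?: operator). It also decodes integer literals as the guide describes (leading 0 is octal, leading 0x is hexadecimal). It assumes, since the guide only says values are integers, that division truncates toward zero; strings, lists, in, assignment and the comma operator are not modelled, and every function name is this example's own.

```python
# Added example (not BeyondTrust code): a Python model of the precedence table above.
# Integer expressions only: ( ), ! and unary -, * / %, + -, < > <= >=, == !=,
# && and || (short-circuit, the 3.5-and-later behaviour) and right-to-left ?: .
import operator
import re

TOKEN_RE = re.compile(r"\s*(0[xX][0-9a-fA-F]+|\d+|\|\||&&|==|!=|<=|>=|[-+*/%()<>!?:])")
# Binary operator levels from the table, lowest precedence first; each level groups left to right.
LEVELS = (("||",), ("&&",), ("==", "!="), ("<", ">", "<=", ">="), ("+", "-"), ("*", "/", "%"))

def parse_int(literal):
    # As the guide describes: 0x.. is hexadecimal, a leading 0 is octal, otherwise decimal.
    if literal[:2].lower() == "0x":
        return int(literal, 16)
    return int(literal, 8) if len(literal) > 1 and literal[0] == "0" else int(literal)

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {text[pos:]!r}")
        tok = m.group(1)
        tokens.append(parse_int(tok) if tok[0].isdigit() else tok)
        pos = m.end()
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'an operand'} at token {self.i}")
        self.i += 1
        return tok
    def ternary(self):  # cond ? a : b groups right to left
        cond = self.binary(0)
        if self.peek() != "?":
            return cond
        self.take()
        yes = self.ternary()
        self.take(":")
        return ("tern", cond, yes, self.ternary())
    def binary(self, level):  # one recursion level per row of the precedence table
        if level == len(LEVELS):
            return self.unary()
        node = self.binary(level + 1)
        while self.peek() in LEVELS[level]:
            op = self.take()
            node = ("bin", op, node, self.binary(level + 1))
        return node
    def unary(self):  # ! and unary - bind tighter than every binary operator
        if self.peek() in ("!", "-"):
            return ("un", self.take(), self.unary())
        tok = self.take()
        if tok == "(":
            node = self.ternary()
            self.take(")")
            return node
        if isinstance(tok, int):
            return ("num", tok)
        raise ValueError(f"unexpected token {tok!r}")

def trunc_div(a, b):
    # Assumption: integer division truncates toward zero, as in C.
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q

CMP = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge,
       "==": operator.eq, "!=": operator.ne}
ARITH = {"+": operator.add, "-": operator.sub, "*": operator.mul,
         "/": trunc_div, "%": lambda a, b: a - b * trunc_div(a, b)}

def run(node):
    # 0 is false and any other integer is true, as the guide states.
    kind = node[0]
    if kind == "num":
        return node[1]
    if kind == "un":
        v = run(node[2])
        return int(v == 0) if node[1] == "!" else -v
    if kind == "tern":
        return run(node[2]) if run(node[1]) != 0 else run(node[3])
    _, op, left, right = node
    if op == "&&":  # the right side is skipped once the result is known
        return int(run(left) != 0 and run(right) != 0)
    if op == "||":
        return int(run(left) != 0 or run(right) != 0)
    if op in CMP:
        return int(CMP[op](run(left), run(right)))
    return ARITH[op](run(left), run(right))

def evaluate(text):
    parser = Parser(tokenize(text))
    tree = parser.ternary()
    if parser.peek() is not None:
        raise ValueError(f"unexpected {parser.peek()!r} after the expression")
    return run(tree)
```

Calling evaluate("5 + 6 - 3 * 4 + 8 / 4") gives 1 and evaluate("(5 + 6 - 3) * (4 + 8) / 4") gives 24, matching the two resolutions above; evaluate("0 && 1 / 0") returns 0 without attempting the division, which is the short-circuit behaviour the logical operators section describes for version 3.5 and later.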

Arithmetic operators
The Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language supports the arithmetic operators shown in the
following table.

Operator Description

++ Prefix autoincrement

-- Prefix autodecrement

++ Postfix autoincrement

-- Postfix autodecrement

* Multiplication

/ Division

% Modulus

+ Addition

- Subtraction

+= Addition self assignment

-= Subtraction self assignment

*= Multiplication self assignment

/= Division self assignment

%= Modulus self assignment

The subtraction, addition, multiplication and division operators perform arithmetic operations. The default evaluation order for arithmetic
operators is:

• Multiplication, division, and modulus division, left to right
• Addition and subtraction, left to right

Example:

result = 6 * 4 / 2 - 4 + 2;

result contains the integer value 10.

Prefix autoincrement operator

Description

The prefix autoincrement operator (++) adds one to a variable and returns the result.

Example:

a = 3;
b = ++a;

In this example, both a and b are equal to 4.

Prefix autodecrement operator

Description

The prefix autodecrement operator (--) subtracts one from a variable and returns the result.

Example:

a = 3;
b = --a;

In this example, both a and b are equal to 2.

Postfix autoincrement operator

Description

The postfix autoincrement operator (++) returns the value of a variable and adds one to the variable.

Example:

a = 3;
b = a++;

In this example, a is equal to 4 and b is equal to 3.

Postfix autodecrement operator

Description

The postfix autodecrement operator (--) returns the value of a variable and subtracts one from the variable.

Example:

a = 3;
b = a--;

In this example, a is equal to 2 and b is equal to 3.

Addition operator

Description

The addition operator ( + ) adds two numbers.

Example:

result = 5 + 3;

Subtraction operator

Description

The subtraction operator ( - ) subtracts two numbers.

Example:

result = 5 - 3;

Multiplication operator

Description

The multiplication operator ( * ) multiplies two numbers.

Example:

result = 5 * 3;

Division operator

Description

The division operator ( / ) divides two numbers.

Example:

result = 5 / 3;

Modulus operator

Description

The modulus operator ( % ) returns the remainder of integer division.

Example:

result = 5 % 3;

In this example, result contains the integer value 2. Dividing 5 by 3 yields a quotient of 1 and a remainder of 2. The remainder
portion of the answer, in this case 2, becomes the result of the modulus division operation.

Addition self-assignment operator

Description

The addition self-assignment operator (+=) adds a value to a variable and stores the result in the variable.

Example:

a += 3;

In this example, 3 is added to a and the result is stored in a.

Subtraction self-assignment operator

Description

The subtraction self-assignment operator (-=) subtracts a value from a variable and stores the result in the variable.

Example:

a -= 4;

In this example, 4 is subtracted from a and the result is stored in a.

Multiplication self-assignment operator

Description

The multiplication self-assignment operator (*=) multiplies a variable by a value and stores the result in the variable.

Example:

a *= 5;

In this example, a is multiplied by 5 and the result is stored in a.

Division self-assignment operator

Description

The division self-assignment operator (/=) divides a variable by a value and stores the result in the variable.

Example:

a /= 6;

In this example, a is divided by 6 and the result is stored in a.

Modulus self-assignment operator

Description

The modulus self-assignment operator (%=) divides a variable by a value and stores the modulus in the variable.

Example:

a %= 5;

In this example, a is divided by 5 and the remainder is stored in a.

Logical operators
The Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language supports a standard set of logical operators.

Operator Action

&& AND. In Endpoint Privilege Management for Unix and Linux versions 3.2 and earlier, all parts of logical expressions containing the
&& operator are evaluated before determining the result. Beginning with Endpoint Privilege Management for Unix and Linux version 3.5,
logical expressions containing the && operator stop evaluation when a false value is found.

|| OR. In Endpoint Privilege Management for Unix and Linux versions 3.2 and earlier, all parts of logical expressions containing the
|| operator are evaluated before determining the result. Beginning with Endpoint Privilege Management for Unix and Linux version 3.5,
logical expressions containing the || operator stop evaluation when a true value is found.

! NOT

AND operator

Description

The AND operator ( && ) considers the relationship between two values. Both values must be true for a true result to be returned. If both
values are true, an integer value of 1 (true) is returned. Otherwise, an integer value of 0 (false) is returned.
In Endpoint Privilege Management for Unix and Linux 3.2 and earlier, all parts of logical expressions containing && operators are
evaluated before determining the result.
Beginning with Endpoint Privilege Management for Unix and Linux 3.5, logical expressions containing && operators are evaluated from
left to right until their truth can be determined (like in the C language).

Example:

if (UserOkay && Bkup) accept;

If both UserOkay and Bkup are non-zero, the current task request is accepted.

OR operator

Description

The OR operator ( || ) considers the relationship between two values. At minimum, one of the two values must be true for a true result to
be returned. If either the first or second value is true, an integer value of 1 (true) is returned. Otherwise, an integer value of 0 (false) is
returned.
In Endpoint Privilege Management for Unix and Linux 3.2 and earlier, all parts of logical expressions that contain || operators are
evaluated before determining the result.
Beginning with Endpoint Privilege Management for Unix and Linux 3.5, logical expressions that contain || operators are evaluated from left
to right until their truth can be determined (like in the C language).

Example:

if (UserOkay || Bkup) accept;

If either UserOkay or Bkup is non-zero, the current task request is accepted.

NOT operator

Description

The NOT operator ( ! ) takes the inverse of a value. If a value is false, an integer value of 1 (true) is returned. Otherwise, an integer value
of 0 (false) is returned.

Example:

if (!UserOkay) reject;

If UserOkay is equal to 0, the current task request is rejected.

Relational operators
The Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language supports a standard set of relational
operators.

Operator Description

== Equal To

> Greater Than

>= Greater Than or Equal To

< Less Than

<= Less Than or Equal To

!= Not Equal To

Equal To operator

Description

The Equal operator ( == ) compares two values. If the first value is equal to the second value, an integer value of 1 (true) is returned.
Otherwise, an integer value of 0 (false) is returned.

Example:

if (UserCount == 10) reject;

If UserCount is equal to 10, the current task request is rejected.

Greater Than operator

Description

The Greater Than ( > ) operator compares two values. If the first value is greater than the second value, an integer value of 1 (true) is
returned. Otherwise, an integer value of 0 (false) is returned.

Example:

if (UserCount > 10) reject;

If UserCount is greater than 10, the current task request is rejected.

Greater Than or Equal To operator

Description

The Greater Than or Equal To ( >= ) operator compares two values. If the first value is greater than or equal to the second value, then an
integer value of 1 (true) is returned. Otherwise, an integer value of 0 (false) is returned.

Example:

if (UserCount >= 10) reject;

If UserCount is greater than or equal to 10, the current task request is rejected.

Less Than operator

Description

The Less Than operator ( < ) compares two values. If the first value is less than the second value, an integer value of 1 (true) is returned.
Otherwise, an integer value of 0 (false) is returned.

Example:

if (UserCount < 10) reject;

If UserCount is less than 10, the current task request is rejected.

Less Than or Equal To operator

Description

The Less Than or Equal To operator ( <= ) compares two values. If the first value is less than or equal to the second value, an integer
value of 1 (true) is returned. Otherwise, an integer value of 0 (false) is returned.

Example:

if (UserCount <= 10) accept;

If UserCount is less than or equal to 10, the current task request is accepted.

Not Equal To operator

Description

The Not Equal To operator ( != ) compares two values. If the first value is not equal to the second value, an integer value of 1 (true) is
returned. Otherwise, an integer value of 0 (false) is returned.

Example:

if (UserCount != 10) reject;

If UserCount is not equal to 10, the current task request is rejected.

Special operators
The Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language supports the following special operators.

Operator Description

+ Concatenation

[] List index

in List member

() Precedence (that is, parentheses)

?: Ternary conditional

, Evaluates terms from left to right; returns the value of the last expression

Concatenation operator

Description

The Concatenation operator ( + ) is used to concatenate a series of one or more strings. It should not be confused with the Addition
operator used in arithmetic expressions. Although both of these operators are represented by the + symbol, the Addition operator works
only on integer values.
The Concatenation operator concatenates, or appends, one item to another item. If a series of strings is concatenated, the strings are
returned in a newly created string.

Example:

FirstName = "Sandy";
LastName = "White";
UserName = FirstName + " " + LastName;

UserName would contain the character string "Sandy White".

List Index operator

Description

The List Index operator [ ], also referred to as square brackets, is used to specify a list element index number. The value of a specific list
element is returned.
The first element in a list always has an index number of 0, and the second list element has an index of 1, etc. The general formula for
calculating an index number is index number = element number - 1.

Example:

UserList = {"Adm1", "Adm2", "Adm3", "Adm4", "Adm5"};


CurrentUser = UserList[3];

CurrentUser contains the character string "Adm4".

Example:

UserList[1] = "Adm10";

UserList[1] is set to "Adm10".

List Member operator

Description

The List Member operator, in, searches the specified list for the given string. If the string is present in the list, the result is true (1). If the
string is not present, the result is false (0). Shell-style wildcards can be used in the string argument. The syntax for using this operator is:

result = string in list;

Example:

AdminList = {"Adm1", "Adm2", "Adm3", "root", "sys"};


runuser = (user == "sysadmin")? "root" : "sys";
test1 = "Adm1" in AdminList; # True
test2 = "sys" in AdminList; # True – matches sys in AdminList
test3 = "system" in AdminList; # False
test4 = "Adm" in AdminList; # False – only a partial match
# single character

Each string is tested to see if it is a member of a list.
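The list rules from this chapter (index numbering from 0, string-only elements, element assignment, and the wildcard-aware in operator) are modelled below in Python. This is an added example, not code from this guide or from BeyondTrust; the helper names are this example's own, shell-style wildcards are modelled with Python's fnmatch, and matching is case sensitive because the language is. The sample lists are constructed: AdminList is the one from the example above, the command list is made up. The check_request function shows, in the style of an accept/reject decision, why a string that comes from the request is better compared literally than with the wildcard-aware operator.

```python
# Added example (not BeyondTrust code): a Python model of list indexing and of the
# List Member operator as the guide describes them. Helper names are hypothetical.
import fnmatch

def make_list(*items):
    """Build a policy list: a list may hold only character strings."""
    for item in items:
        if not isinstance(item, str):
            raise TypeError(f"lists hold only character strings, got {item!r}")
    return list(items)

def list_index(lst, index):
    """name[index]: numbering starts at 0, so index number = element number - 1."""
    if not 0 <= index < len(lst):
        raise IndexError(f"index {index} is outside a list of {len(lst)} elements")
    return lst[index]

def set_element(lst, index, value):
    """name[index] = "string": replace one element in place and return the list."""
    if not isinstance(value, str):
        raise TypeError("a list element must be a character string")
    list_index(lst, index)  # reuse the bounds check
    lst[index] = value
    return lst

def in_list(string, lst):
    """string in list: 1 when some element matches the string, otherwise 0.
    Shell-style wildcards (*, ?, [..]) in the string argument are honoured
    (fnmatchcase keeps the comparison case sensitive); a partial match such
    as "Adm" against "Adm1" does not count."""
    return int(any(fnmatch.fnmatchcase(item, string) for item in lst))

# Constructed sample data: the guide's AdminList plus a made-up command list.
ADMIN_LIST = make_list("Adm1", "Adm2", "Adm3", "root", "sys")
PRIV_CMDS = make_list("/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/bin/systemctl")

def check_request(user, command):
    """Hypothetical accept/reject decision in the style of a policy file.
    The command string comes from the request, so it is compared literally
    rather than with the wildcard-aware operator: a request such as
    "/usr/sbin/*" would otherwise count as a member of the allowed list."""
    if in_list(user, ADMIN_LIST) == 1 and command in PRIV_CMDS:
        return ("accept", "root")   # runuser = "root"; accept;
    return ("reject", None)         # reject;
```

With these definitions in_list("Adm?", ADMIN_LIST) returns 1 because ? matches the single trailing character, while in_list("Adm", ADMIN_LIST) returns 0 as in the example above; in_list("/usr/sbin/*", PRIV_CMDS) returns 1, which is exactly why check_request compares the requested command with a literal membership test instead.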

Precedence operator

Description

The Precedence operator ( ), also referred to as parentheses, is used to modify the default operator precedence. In other words,
parentheses force a specific expression evaluation order.

Example:

result = (6 + 4) * 2 - 4;

result contains the integer value 16.

Example:

result = 6 + 4 * 2 - 4;

Without the Precedence operators, result contains the integer value 10.

Ternary Conditional operator

Description

The Ternary operator, represented by ?:, is a special operator that provides a compact alternative to if statements where only an
expression is required.
The Ternary operator has the syntax:

result = condition ? if-true-expression : if-false-expression;

The ternary operator works as follows:

• If condition evaluates to true, then the if-true-expression is returned.
• If condition evaluates to false, then the if-false-expression is returned.

The Ternary operator can be used as an alternative to simple if statements. The condition corresponds to the if condition. The if-true-
expression corresponds to the assignment in the true part of the if statement, and the if-false-expression corresponds to the else part of
the if statement.

Example:

runuser = (user == "sysadmin") ? "root" : "sys";

If user is equal to sysadmin, then root is returned. Otherwise, sys is returned.


Another way to accomplish the same thing would be to use the following if statement:


if (user == "sysadmin")
    runuser = "root";
else
    runuser = "sys";

Comma operator

Description

The Comma operator (,) causes expressions to be evaluated from left to right and returns the value of the last expression. This operator is
primarily used in loops.

Example:

for (a=0, b=1, c=2; a < 0 ; a++) <any statement>;

The Comma ( , ) operator allows the three variables a, b, and c to be assigned in a position where only a single expression is
expected.


Expressions
An expression is a combination of constants, variables, and operators. Expressions are evaluated according to operator precedence
rules. Most expressions follow the general rules of algebra with regard to operator precedence.

Example:

TotalTasks = RejectedCount + AcceptedCount;

In Endpoint Privilege Management for Unix and Linux 3.2 and earlier, expressions and variables could not be used interchangeably.
Beginning with Endpoint Privilege Management for Unix and Linux 3.5+, assignments can be performed anywhere expressions are found.

For more information on operator precedence, see "Constants" on page 60.


Program statements
There are two types of program statements in the Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language,
executable and non-executable.

Executable program statements


Executable program statements allow security administrators to define and implement security rules. These types of statements have two
major functions:

• Set the environment in which security profile files run
• Control the logic flow within security policy files

The following table summarizes the executable program statements:

Statement    Description
accept       Terminates security policy file processing and passes control to pblocald.
             Version 4.0 and earlier: statements do not support ACL.
             Version 5.0 and later: statements support ACL.
Assignment   Used to assign a value to a variable.
break        Terminates the processing of cases within a loop and exits the loop.
             Version 3.2 and earlier: statements are limited to ending a case clause in a switch statement.
             Version 3.5 and later: statements are expanded for use within loops.
continue     Allows the remaining loop body to be skipped. Returns to the next iteration of the loop.
do-while     Creates do-while loops which follow the C language syntax.
for          C-style for. Used to create for loops which follow the C language syntax.
for-in       Creates loops that execute the loop body for each element in an argument list.
function     Stand-alone subroutines that are used to modularize a company’s security policy file.
if           Determines which program statement to execute next based on whether an expression is true or false.
include      Passes the flow of control to another file.
procedure    Stand-alone subroutines used to modularize a company’s security policy files.
readonly     Freezes the value of a variable so it cannot be changed by a security policy file.
reject       Immediately terminates security policy file checking and cancels the current job request before it can execute.
             Version 4.0 and earlier: statements do not support ACL.
             Version 5.0 and later: statements support ACL.
switch       Provides a way to execute a specific set of program statements based on an expression value.
while        Builds while loops which follow the C language syntax.

Type your executable program statements in lowercase because the Security Policy Scripting Language interpreter is case sensitive. For
example, the word If is recognized as a variable name by the interpreter whereas the word if is recognized as an executable program
statement.
Some general rules for creating program statements are as follows:

• Terminate program statements with a semicolon.
• A single statement can be multiple lines.
• Multiple statements can be included on one line if each statement terminates with a semicolon.
• Enclosing groups of program statements within curly brackets creates a compound statement. Each statement within the group
  must terminate with a semicolon.

Executable program statements have a special meaning to the Security Policy Scripting Language interpreter. Therefore, you cannot use
them for other purposes. For instance, using an executable program statement as a variable name generates an error.
Many administrators desire a nonprogrammatic way of using Endpoint Privilege Management for Unix and Linux. To accomplish this goal,
the Endpoint Privilege Management for Unix and Linux policy language was extended in Endpoint Privilege Management for Unix and
Linux version 5.0 to include an Access Control List structure. This structure extends the accept and reject statements to provide a
simple nonprogrammatic way of specifying access data. It can be used exclusively to provide control, or it can be used in combination with
the rest of the Endpoint Privilege Management for Unix and Linux policy language to provide greater control.

For more information, see the following:


• "Expressions" on page 78
• "Functions and procedures" on page 103


accept statement
• Version 4.0 and earlier: accept statement does not support ACL.
• Version 5.0 and later: accept statement supports ACL.

Description

When an accept statement is encountered, security policy file processing terminates immediately, pblocald starts, and the secured task
is executed by pblocald.

Syntax

All versions:

accept;

Version 5.0 and later:

accept [from ["user"][, ["submithost"][, ["command"][, ["runhost"]]]]]
       [when conditional-expression]
       [with optional-statements-before-execution];

Definition

• user is a user name, list of user names, or left blank to imply any user.
• submithost is a submit host name, list of submit hosts, or left blank to imply any submit host.
• command is a command, list of commands, or left blank to imply any command.
• runhost is a run host, list of run hosts, or left blank to imply any run host.
• conditional-expression is an expression that evaluates true or false.
• optional-statements-before-execution is one or more Endpoint Privilege Management for Unix and Linux Policy Language
  statements that execute before the requested command is executed. For multiple statements, separate each statement with a
  comma.

Examples

All versions:

Example:

if (user == "HelpDesk1") accept;


If user is equal to HelpDesk1, the task is accepted and allowed to execute. Security policy file processing immediately
terminates. pblocald starts, and the information is sent from the policy server for pblocald to start the executable specified in
the variable runcommand. It is run by pblocald with the arguments specified in the runargv variable and run as the user
specified in the runuser variable. Other run variables can be set.

Version 5.0 and later:

Example: Accept all commands for user1 from any submit host and for any run host:

accept from "user1";

Example: Accept all commands for user1 when the request comes from submit host host1 for any run host:

accept from "user1", "host1";

Example: Accept the date command from user1 from any submit host and for any run host:

accept from "user1",,"date";

Example: Accept all commands from user3, from any submit host and for any run host, when the time is between 9:00 A.M.
and 5:00 P.M.:

accept from "user3" when timebetween(900, 1700);

Example: Accept a sh command from user1 or user3, from any submit host and for any run host, and turn on I/O logging:

accept from {"user1", "user3"},,"sh" with iolog = "/var/log/pb.iolog.sh";

Example: Accept all commands from all users, from any submit host and for any run host, when the time is between 9:00 A.M.
and 5:00 P.M.:

accept when timebetween(900, 1700);
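The following policy fragment is an added example (not from the guide) that combines the ACL-style accept and reject statements with readonly, the ternary operator, the in operator, for-in and a closing catch-all reject. The user names, the host name mgmt01, the log directory and the use of the task variable argv (assumed here to hold the requested command's argument list) are assumptions made for the illustration.

```text
# Added example policy: deny-first, accept-on-match, reject everything else.

# Freeze the request variables the decisions depend on, so no later statement
# (or included subfile) can rewrite them before an accept is reached.
readonly { "user", "submithost", "command", "runhost" };

# Policy-local lists and values (assumed names for the illustration).
Admins   = {"Adm1", "Adm2", "root"};
DayShift = timebetween(900, 1700);      # true only between 9:00 A.M. and 5:00 P.M.
LogDir   = "/var/log/pb";               # assumed I/O log location

# 1. Explicit denials come first. A reject ends policy processing immediately,
#    so nothing below can override it. The empty submithost field means any host.
reject "Interactive shells are not permitted through this policy"
    from {"hd1", "hd2"},,{"sh", "bash", "ksh"};

reject "Out-of-hours requests must be approved by an administrator"
    from {"hd1", "hd2"} when !DayShift;

# 2. Choose the run user with the ternary operator: only members of Admins
#    are allowed to run as root; everyone else runs as a less privileged account.
runuser = (user in Admins) ? "root" : "operator";

# 3. Accept the help desk's routine commands on the day shift. The with clause
#    turns on I/O logging before the command runs; the log name embeds the user.
accept from {"hd1", "hd2"},,{"date", "df", "uptime"}
    when DayShift
    with iolog = LogDir + "/" + user + ".iolog";

# 4. Administrators submitting from the management host may run any command.
#    Record each argument with print() (for-in over the assumed argv list), then accept.
if (user in Admins && submithost == "mgmt01") {
    for arg in argv
        print("arg: " + arg);
    accept;
}

# 5. Nothing matched: fail closed with the default "request rejected" message.
reject;
```

Because accept and reject both terminate processing, statement order is the policy: denials must appear above the accept statements they are meant to constrain.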


Assignment statement
Description

An assignment statement assigns a value to a variable. An assignment can be used whenever an expression is expected, and multiple
assignments can be done in a single statement.
In Endpoint Privilege Management for Unix and Linux 3.2 and earlier, assignments are not expressions and cannot be cascaded.

Beginning with Endpoint Privilege Management for Unix and Linux 3.5+, assignments are expressions and can be cascaded anywhere an
expression occurs.

Syntax

list[n] = expression;

An expression can be a constant, variable, or complex equation.

var1 = var2 = var3 ... = value;

var1, var2, and var3 are assigned values.

Example:

IntegerString = "1234";
StringList = {"User1", "User2", "User3"};
Counter = 1;
TotalUsers = 5;
CurrentUsers = 3;
InactiveUsers = TotalUsers - CurrentUsers;
userString = user;
runuser = "root";
list1 = {"a1", "a2", "a3"};
list2 = list1;
list2[0] = "l1";

The following occurs:

InactiveUsers is set to 2 (5 – 3).
userString = user; sets userString to the submitting user.
runuser = "root"; sets runuser to root.
list2[0] = "l1"; changes only list2: list1 is still {"a1", "a2", "a3"}, while list2 has the value
{"l1", "a2", "a3"}.


Example:

a = b = c = d = 0;

The variables a, b, c, and d are cascaded and assigned the same value (0).


break statement
Description

The break statement exits loops and terminates cases. In Endpoint Privilege Management for Unix and Linux 3.2 and earlier, the break
statement is used only to end a case clause in a switch statement.
Beginning with Endpoint Privilege Management for Unix and Linux 3.5, the break statement is used within loops as well as to end a clause
in a switch statement.

Syntax

break;

Example:

for (a = 1 ; a <= 10; a++) {
    if (a > 5) break;
    print (a);
}

The statement prints the numbers 1 through 5.

For more information, see the following:

• "continue statement" on page 86
• "do-while statement" on page 87
• "for statement" on page 88
• "for-in statement" on page 91
• "while statement" on page 101


continue statement
Description

The continue statement is used in the body of a C-style for, while, or do-while statement to skip the rest of the statements in the body.

Syntax

continue;

Example:

for (a = 1 ; a <= 10; a++) {
    if (a % 2 != 0) continue;
    print (a);
}

The statement prints the even numbers between 1 and 10.

For more information, see the following:

• "break statement" on page 85
• "do-while statement" on page 87
• "for statement" on page 88
• "for-in statement" on page 91
• "while statement" on page 101


do-while statement
Description

The C-style do-while statement is used to execute a loop. The body of the do-while statement can be a single statement or a set of
statements inside braces ( { and } ). This statement is executed as follows:

1. The body is executed.
2. If a break statement is encountered in the body, the loop terminates.
3. The test expression is evaluated.
4. If the test expression is false (0), the loop terminates.
5. If the test expression is true (non-zero), steps 1 through 4 are repeated until a break statement is encountered or the test
   expression becomes false.

The body is always executed at least once.

Syntax

do body while (test_expression);

Example:

a = 1;
do print(a++);
while (a <= 10);

The statement prints the numbers 1 through 10.

For more information, see the following:

• "break statement" on page 85
• "continue statement" on page 86
• "for statement" on page 88
• "for-in statement" on page 91
• "while statement" on page 101


for statement
Description

The for statement provides a mechanism to loop through or to repeat a series of program statements. In Endpoint Privilege Management
for Unix and Linux 2.8 and earlier, the for statement always terminates with an end statement. This is no longer necessary in Endpoint
Privilege Management for Unix and Linux 3.0+.

Syntax

for ControlValue = StartValue to StopValue [step Increment]
    {executable program statements}

The for statement works in the following manner:

1. The first time through the for statement, ControlValue is set to StartValue.
2. ControlValue is immediately compared to StopValue.
3. After an execution of the for statement has been completed and all associated program statements have been executed,
StartValue is incremented by the step value.
4. If a step value is not specified, a default step value of 1 is used. ControlValue is again compared to StopValue and the result of
this comparison determines if the for statement executes again.

The comparison of ControlValue to StopValue works as follows:

1. When the Increment value is positive, the for statement is executed as long as ControlValue <= StopValue evaluates to true.
2. When the Increment value is negative, the for statement is executed as long as ControlValue >= StopValue evaluates to true.
3. When the Increment value is 0, the for statement executes forever. An accept or reject is required to break out of the loop.
4. If an Increment is not specified, 1 is used as the increment value.

Note: The for statement loop condition is tested at the top of the loop, and there is no guarantee the for loop will execute.

Example: In the for statement

for LoopCounter = 0 to 10 step 1
{
    counter = counter + 1;
    counter2 = counter2 + 2;
}

The statement continues to loop as long as LoopCounter is less than or equal to 10.


Example:

for LoopCounter = 0 to -5 step -1
{
    counter = counter + 1;
    counter2 = counter2 + 2;
}

The for statement continues to loop as long as LoopCounter is greater than or equal to -5.


C-style for statement


Description

The C-style for statement is used to execute a loop. The body which follows the for statement can be either a single statement or set of
statements inside braces ( { and } ). This statement executes as follows:

1. The start_expression is evaluated.
2. The test_expression is evaluated.
3. If the test_expression is false (0), execution ends.
4. If the test_expression is true (non-zero), the body is executed.
5. If a break statement is encountered in the body, the loop terminates.
6. The step_expression is evaluated.

Repeat steps 2 through 6 until the test_expression is false, or a break statement is encountered.
If the test_expression is false the first time it is tested, then the step expression and body are not executed.

Syntax

for (start_expression; test_expression; step_expression ) body

Example:

for (a=1; a <= 5; a+=1) print(a);

The statement prints the numbers from 1 to 5 until the test expression is false.

For more information, see the following:

• "break statement" on page 85
• "continue statement" on page 86
• "do-while statement" on page 87
• "for statement" on page 88
• "for-in statement" on page 91
• "while statement" on page 101


for-in statement
Description

The for-in statement is used to execute a loop for each element in a list. The body that follows the list can be either a single statement, or
set of statements inside braces ( { and } ). This statement executes as follows:

1. A variable is set to the first or next element of the list.
2. The body executes. If a break statement is encountered in the body, the loop terminates.
3. Steps 1 and 2 are repeated while there are elements left in the list or until a break statement is encountered.

When the loop is complete, the variable contains the last value assigned to it.

Syntax

for variable in list body;

Example:

for name in {"one", "two", "three"}
    print(name);

The statement prints each element in the list.

For more information, see the following:

• "break statement" on page 85
• "continue statement" on page 86
• "do-while statement" on page 87
• "for statement" on page 88
• "while statement" on page 101


if statement
Description

The if statement is used to make a decision based on whether an expression evaluates to true or false. The decision determines what
program statement is executed next. When expression evaluates to a non-zero value (true), the executable program statement
immediately following the expression executes. When expression evaluates to 0 (false), the executable program statement immediately
following the else statement is executed. When the chosen executable statement finishes, control flows to the next statement after the if
statement. The else component of the if statement is optional.
Only one executable program statement can be inserted after the if expression or else statement. If multiple executable program
statements are required, enclose them in curly braces {} to make a single compound statement.

Syntax

if (expression)
    executable program statement;
else
    executable program statement;

Example:

# Make an accept or reject decision based on
# CurrentUserType
if (CurrentUserType == 1)
{
    # if CurrentUserType is equal to 1, do these statements
    RunCheck = true;
    accept;
} else
{
    # if CurrentUserType is not equal to 1, perform these statements:
    RunCheck = false;
    reject;
}

For more information, see "switch statement" on page 99.


include statement
Description

The include statement is very powerful. It enables a security policy file to embed another security policy file called a security policy subfile.
When an include statement is encountered, the flow of control jumps to the included file. When the included file has completed execution,
the flow of control returns to the statement immediately following the include statement in the original file. The following figure
demonstrates this concept.

When specifying file-name, the specified file name must be either a string enclosed in quotation marks or a variable that contains a string.
If a relative or absolute path is not specified, Endpoint Privilege Management for Unix and Linux looks for the file in the default security
policy file directory. If a relative path name is specified, it is treated as relative to the security policy file directory that is specified in the
policydir setting in pb.settings.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

include file-name;

where file-name can be a variable containing a string or a string constant enclosed in quotation marks.


Example:

include "/opt/pbul/policies/SupportStaffPolicies.conf";
include "/opt/pbul/policies/"+user+".conf";

Note: Use stat() to verify the existence of a file before adding an include statement that calls the file. Security policy subfile
specifications that contain a variable may not be checked by pbcheck when checking the including file.


readonly statement
Description

The readonly statement freezes a variable. After a variable is marked as read only, a security policy file cannot change its value. In
essence, the variable ceases to behave as a variable and becomes a constant.
The readonly statement has a global scope.

Syntax

readonly { "variable1" [, "variable2", …] };

Example: Do not allow changes to the following variables:

readonly { "CurrentUser", "CurrentCommand", "TargetHost" };


reject statement
• Version 4.0 and earlier: reject statements do not support ACL.
• Version 5.0 and later: reject statements support ACL.

Description
The reject statement immediately terminates security policy file checking and cancels the current job request without allowing it to
execute. Depending on the parameters that are selected, the user sees a default message, custom reject message, or no message.
In Endpoint Privilege Management for Unix and Linux 5.0, the Endpoint Privilege Management for Unix and Linux policy language was
extended to include an Access Control List structure. This structure extends the accept statement to provide a simple nonprogrammatic
way of entering access data.

Syntax

Version 4.0 and earlier:

reject ["reject-text"];

Version 5.0 and later:

reject ["reject-text"] [from ["user"][, ["submithost"][, ["command"][, ["runhost"]]]]]
       [when conditional-expression];

• reject-text is the text to display to the user.
• user is a user name, list of user names, or left blank to imply any user.
• submithost is a submit host name, list of submit hosts, or left blank to imply any submit host.
• command is a command, list of commands, or left blank to imply any command.
• runhost is a run host, list of run hosts, or left blank to imply any run host.
• conditional-expression is an expression that evaluates true or false.

reject statement display text


The reject statement has an optional reject-text expression in its argument. The meaning of the expression is as follows:

blank      Not specifying a parameter results in the display of the default request rejected by Policy Server… message.
""         An empty string suppresses the default request rejected by Policy Server… message.
"string"   Replaces the default request rejected by Policy Server… message with a message specified by string.


Examples

Version 4.0 and earlier:

Example:

if (user == "User1") reject;

If the current user is User1, reject the task request and immediately terminate security policy file processing.

Example:

reject;

The reject statement has no parameter, causing the default request rejected by Policy Server… message to appear.

Example:

reject "";

The reject statement is used with the null ("") argument. This suppresses the default request rejected by Policy Server…
message.

Example:

reject "You may not do that";

The reject statement is used with string parameter "You may not do that", resulting in the message "You may not do that"
being displayed.

Version 5.0 and later:

Example:

reject from "user4";

Reject all commands from user4, from any submit host, and for any run host.

Example:

reject when timebetween (1700, 900);


Reject all commands, from any user and any submit host, and for any run host, when the time is between 5:00 P.M. and 9:00
A.M.

Example:

reject "Permission denied" from {"user5", "user6"},,, "host5";

Reject all commands from user5 or user6, from any submit host, for run host host5, with the display message Permission
denied.

For more information, see "accept statement" on page 81.


switch statement
Description

The switch statement provides a way to execute a specific set of program statements based on an expression value. Each set of program
statements has a value associated with it, and a case statement represents this value. If the switch statement expression matches a case
statement, then the logic that is associated with that case statement executes.

When a switch expression-case statement match is found, execution begins at the statement immediately following the case statement.
Execution continues through each statement following the case statement until a break statement is encountered. The break statement
forces an immediate exit from the switch statement.
When a break statement is encountered, execution immediately jumps to the first statement following the end of the switch statement.
The break statement is optional.
If an expression / case statement match is not found, the logic associated with the default case executes. The default case is optional.

Note: The case labels must evaluate as strings.

Syntax

switch (string-expression)
{
case string1:
statement1a; [statement1b; …] [break;]
case string2:
statement2a; [statement2b; …] [break;]
default:
default-stmt1; [default-stmt2; …] [break;]
}

statement1a, statement1b, statement2a, statement2b, default-stmt1, and default-stmt2 all represent executable program
statements.

Example: Check to see if the current user name is valid. Valid users are admin and helpdesk. If the user is not valid, reject
the request.

switch (user)
{
case "admin":
hostmachine = "AdminHost"; break;
case "helpdesk":
hostmachine = "HelpDeskHost"; break;
default:
reject;
}


For more information, see "if statement" on page 92.


while statement
Description

The while statement is used to execute a loop. The body that follows the while statement can be a single statement or set of statements
inside braces ( { and } ). This statement executes as follows:

1. The test_expression is evaluated.
2. If the test_expression is false (0), the loop terminates.
3. If the test_expression is true (non-zero), the body executes.
4. If a break statement is encountered in the body, the loop terminates.

Repeat steps 1 through 4 until the test_expression is false or a break statement is encountered.
If the test_expression is false the first time it is tested, the body is not executed.

Syntax

while (test_expression) body

Example:

a = 1;
while (a <= 10) {
print(a);
a += 1;
}

The statement prints the numbers 1 through 10 while a <=10.

For more information, see the following:

• "break statement" on page 85
• "continue statement" on page 86
• "do-while statement" on page 87
• "for statement" on page 88
• "for-in statement" on page 91


Non-executable program statements


A non-executable program statement helps organize security policy files. Because non-executable program statements have a special
meaning to the Security Policy Scripting Language interpreter, they are not used for any other purpose. For instance, using a non-
executable program statement as a variable name generates an error.
The non-executable program statement consists of the Comment statement.

Comment statement

Description

Comment statements document the inner workings of individual security policy files. Comment text is nonexecutable code that is ignored
by the interpreter during execution.
Comment statements must begin with the # character and continue to the end of the current line. No end character is necessary. This type
of comment statement may not span multiple lines.

Syntax

# Comment text goes here.

Example:

# This is a comment statement


Functions and procedures


The Security Policy Scripting Language supports both functions and procedures. Functions and procedures are stand-alone
subroutines that help modularize a company’s security policy files. Functions and procedures are programming building blocks that
execute specific tasks. These functions and procedures can be called whenever there is a need to perform that task. Functions and
procedures are especially useful for repetitive type tasks.
The difference between functions and procedures is that functions return values while procedures do not.

Endpoint Privilege Management for Unix and Linux functions and procedures do not support the same notion of scope as C functions. In
other words, after a variable is implicitly defined, any function can use it. Its use is global and not limited to the function where it was
originally defined.
If a variable is implicitly created in one function and referenced by another function, both functions can access and modify the same
variable. The same holds true for procedures.
Endpoint Privilege Management for Unix and Linux provides a number of built-in functions and procedures to help automate the process
of creating security policy files.
When adding user-written functions to a security policy file, the code for inline functions is placed at the top of the security policy file that
first uses the function. Beginning with Endpoint Privilege Management for Unix and Linux 3.0, end statements are no longer required for
functions, procedures, and loops. However, Endpoint Privilege Management for Unix and Linux still supports policy files that use end
statements.

For more information, see the following:

• "Built-in functions and procedures" on page 484
• On using user-written functions and procedures, see "User and password functions" on page 658

function statement

Description

A function name can be any length. Its name can consist of any alpha or numeric characters, but it must start with an alphabetic character
or an underscore.
The method of returning a value from a function is similar to that used in Pascal. The value is returned in a variable with the same name as
the function.
A function must return a value. Otherwise, an error occurs.

Syntax

function FunctionName (argument-list)
{
statements;
FunctionName = expression;
}


Example:

function square (x)
{
square = x * x;
}

For more information, see "procedure statement" on page 104.

procedure statement

Description

A procedure name can be any length. It can consist of any alpha, underscore, or numeric characters, but it must start with an alphabetic
character or an underscore.
Procedures do not return a value. If a value is returned, an error occurs.

Syntax

procedure ProcedureName (argument-list)
{
statements;
}

Example:

procedure print_message(message)
{
print(message);
}

For more information, see "function statement" on page 103.
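The reject, switch, while, function and procedure statements described above, combined in one policy fragment. This is an added example, not code from the guide; it assumes the built-in variables user, command and runhost, the built-in functions length(), timebetween() and printf(), and the hypothetical names is_listed, deny and admin_hosts.

```pbpolicy
# Added example, not from the guide. Assumes the built-in variables user,
# command and runhost, and the built-ins length(), timebetween() and printf().

# A function returns its value through a variable named after the function.
function is_listed(item, list)
{
    is_listed = false;                  # default return value (false is 0)
    i = 0;
    while (i < length(list)) {
        if (item == list[i]) {
            is_listed = true;
            break;                      # leave the loop as soon as a match is found
        }
        i += 1;
    }
}

# A procedure returns nothing. Scope is global, so the loop counter 'i' set
# inside is_listed() is visible here and at top level; do not rely on it.
procedure deny(reason)
{
    printf("Request by %s to run %s on %s refused: %s\n",
           user, command, runhost, reason);
    reject "";                          # "" suppresses the default reject message
}

admin_hosts = {"host5", "host6"};       # constructed sample run hosts

switch (user)
{
case "admin":
    if (!is_listed(runhost, admin_hosts))
        deny("admin may only run on host5 or host6");
    break;
case "helpdesk":
    if (timebetween(1700, 900))         # between 5:00 P.M. and 9:00 A.M.
        deny("helpdesk requests are limited to business hours");
    break;
default:
    deny("unknown user");               # reject ends policy processing here
}

accept;                                 # reached only by requests not denied above
```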


Other programming considerations


This section describes other programming considerations. These consist of:

• Boolean true and false variables
• Format commands
• Regular expression patterns
• Wildcard search characters
• Special characters

Boolean true and false variables


Many program statements rely upon conditional tests to determine the next program statement to execute. The if program statement is an
example.
Conditional tests generally evaluate to either a true or false value. Although any positive, non-zero integer can represent a true value, the
integer 1 is normally used. The integer 0 represents a false value.
The following are some Boolean true and false variable examples:

Example:

LoopControl = false; #sets LoopControl to 0

Example:

LoopControl = true; #sets LoopControl to 1


Format commands
Format commands insert values into character strings known as variable substitution. These commands specify where to insert the
character string and how to format it. Format commands begin with a percent (%) sign followed by a format code. There are two categories
of format commands: Character format and Time format.

Character format commands


The sprintf() function and the fprintf() and printf() procedures use character format commands. The following table describes the commands.

Character Format Command

%d Decimal value

%i Integer value

%o Octal value

%s String of characters

%u Unsigned decimal value

%x Character hexadecimal value without a leading zero and with letters in lowercase (that is, 0x87a4)

%X Character hexadecimal value without a leading zero and with letters in uppercase (that is, 0X87A4)

%% Percent sign

Example: This demonstrates how character format commands work. Given the following character string,

I have x dogs, y cats, and z fish

The character format commands can be used to insert actual numeric values for x, y and z. This is done as follows:

printf ("I have %d dogs, %d cats, and %d fish", DogCount, CatCount, FishCount);

DogCount, CatCount and FishCount are variables containing numeric values.

The interpreter replaces each format command, in order, with the corresponding argument: the first format command takes the first
variable, the second format command takes the second variable, and so on.
Format commands can also use field modifiers to specify field width and whether to left-justify a field.

Minimum field-width modifier

An integer placed between the percent sign and the command character determines the minimum width of a field. By default, the pad
character is a blank. To pad with zeros instead of spaces, place a zero before the minimum field-width specifier.
For example, %04d pads an integer value with zeros if the integer value is less than four digits in length.


Maximum field-width modifier

A decimal point followed by an integer determines the maximum width of a field. If the value is longer than the specified
maximum length, the value is truncated on the right.
For example, %2.4d generates a field with a minimum length of two digits and a maximum length of four characters.

Left-Justification field modifier

By default, all output is right-justified. To left-justify a field, place a minus sign directly after the percent sign.
For example, %-2.4d generates a left-justified field with a minimum length of two digits and a maximum length of four digits.

Time format commands


The strftime() function uses time format commands. The following table describes the commands.

Note: Time format commands can vary based on the operating system. We recommend that you consult the strftime manual
pages for your local pbmasterd system.

Character Command

%a The abbreviated weekday name according to the current locale.

%A The full weekday name according to the current locale.

%b The abbreviated month name according to the current locale.

%B The full month name according to the current locale.

%c The preferred date and time representation for the current locale.

%C The century number (year/100) as a two-digit integer.

%d The day of the month as a decimal number (range 01 - 31).

%D Equivalent to %m/%d/%y.

%e Like %d, the day of the month as a decimal number, but space replaces a leading zero.

%E Modifier. Use alternative format.

%g Like %G but without the century (that is, with a 2-digit year, 00-99).

%G The ISO 8601 year with century as a decimal number. The four-digit year that corresponds to the ISO week number (see %V). This has the same format as %y except that if the ISO week number belongs to the previous or next year, that year is used instead.

%h Equivalent to %b.

%H The hour as a decimal number using a 24-hour clock (00-23).


%I The hour as a decimal number using a 12-hour clock (01-12).

%j The day of the year as a decimal number (001-366).

%k The hour (24-hour clock) as a decimal number (0-23). A blank precedes single digits. See also %H.

%l The hour (12-hour clock) as a decimal number (1-12). A blank precedes single digits. See also %I.

%m The month as a decimal number (01-12).

%M The minute as a decimal number (00-59).

%n A new line character.

%O Modifier. Use alternative format.

%p Either AM or PM according to the given time value or the corresponding strings for the current locale. Noon is PM and midnight is AM.

%P Like %p but in lowercase: am or pm or a corresponding string for the current locale.

%r The time in AM or PM notation.

%R The time in 24-hour notation (%H:%M). For a version that includes seconds, see %T.

%s The number of seconds since the Epoch.

%S The second as a decimal number (00-61).

%t A tab character.

%T The time in 24-hour notation (%H:%M:%S).

%u The day of the week as a decimal (1-7) with Monday being 1.

%U The week number of the current year as a decimal number (00-53) starting with the first Sunday as the first day of week 01.

%V The ISO 8601:1998 week number of the current year as a decimal number (01-53) where week 1 is the first week that has at least four days in the current year and Monday as the first day of the week.

%w The day of the week as a decimal (0-6) with Sunday being 0.

%W The week number of the current year as a decimal number (00-53) starting with the first Monday as the first day of week 01.

%x The preferred date representation for the current locale without the time.

%X The preferred time representation for the current locale without the date.

%y The year as a decimal number without a century (00-99).

%Y The year as a decimal number including the century.

%z The time zone as hour offset from GMT.


%Z The time zone name or abbreviation.

%+ The date and time in date(1) format.

%% A % character.

The time format commands work in the same manner as character format commands.
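Character and time format commands used together to build a message and a reject text. This is an added example, not code from the guide; it assumes the built-in variables user, runuser and runhost, the built-ins sprintf(), strftime() and print(), and the constructed values attempt and pct.

```pbpolicy
# Added example, not from the guide. Assumes the built-in variables user,
# runuser and runhost and the built-ins sprintf(), strftime() and print().

attempt = 7;        # constructed sample values
pct     = 42;

# Time format commands: four-digit year, 24-hour time, zone abbreviation.
stamp = strftime("%Y-%m-%d %H:%M:%S %Z");

# Character format commands with field modifiers:
#   %-10s  left-justified, padded to a minimum width of 10
#   %04d   zero-padded to a minimum width of 4 digits (7 becomes 0007)
#   %3d%%  right-justified in 3 columns, followed by a literal percent sign
line = sprintf("%s user=%-10s runuser=%-10s host=%s attempt=%04d done=%3d%%",
               stamp, user, runuser, runhost, attempt, pct);
print(line);

# reject-text is an expression, so a formatted string can be passed directly.
if (!(user in {"admin", "helpdesk"}))
    reject sprintf("%s: %s is not an authorized requester", stamp, user);

accept;
```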


Regular expression patterns


The Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language supports extended regular pattern matching.
Use these for pattern searches as well as forbidden and warning keystroke patterns.

For more information on regular expressions, see the following:


• "grep" on page 577
• "egrep" on page 573

Pattern Example Description

. Matches any character.

abc.d Match the string abc followed by any single character then a d.

[] Defines the beginning and end of a character class.

[jJ]* Match an uppercase or lowercase j followed by any number of characters.

[a-z] Match any lowercase characters a through z.

^ Not character (when used inside square brackets).

[^a-z] Match any character except lowercase characters a through z.

* Match zero or more occurrences of the last pattern.

abc* Matches the string ab followed by zero or more c’s.

? Match zero or one occurrences of the last pattern.

abc? Match either ab or abc.

+ Match one or more occurrences of the last pattern.

abc+ Match the string ab followed by one or more c’s.

{m} Match exactly m occurrences of the last pattern.

abc{3} Match the string abccc.

{m,} Match m or more occurrences of the last pattern.

abc{3,} Match abccc, abcccc, etc.

{m,n} Match at least m, but no more than n, occurrences of the last pattern.

abc{3,5} Match abccc, abcccc, or abccccc.

() Group several characters or patterns together and treat as a single group.

a(bc)+ Match abc, abcbc, abcbcbc, and so forth.


| Match either of two patterns.

ab|c Match either ab or ac.

^ Match beginning of line (when outside square brackets).

^abc Match abc only if it appears at the beginning of a line.

$ Match end of line.

abc$ Match abc only if it appears at the end of a line.

[:alnum:] Matches alphanumeric characters.

[:alpha:] Matches alpha characters.

[:blank:] Matches spaces or tabs.

[:boundary:] Matches a word’s boundaries.

[:cntrl:] Matches control characters.

[:digit:] Matches decimal digits.

[:graph:] Matches graphical characters.

[:lower:] Matches lowercase characters.

[:print:] Matches printable characters.

[:punct:] Matches punctuation marks.

[:space:] Matches any white space.

[:upper:] Matches uppercase characters.

[:xdigit:] Matches hexadecimal digits.


Wildcard search characters


The Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language supports the standard set of shell-style,
wildcard search characters. These are used for searches by the in operator and for forbidden and warning keystroke patterns.

Character Example Description

* Matches any number of characters. Case is not considered.

j* Match j followed by any number of characters.

j*e Match a string starting with j and ending with e, with any number of characters between j and e.

? Matches any single character. Case is not considered.

j? Match j followed by any single character.

j?e Match a string starting with j and ending with e, with any single character between j and e.

[] Match characters. Case is considered.

[jJ]* Match upper or lowercase j followed by any number of characters.

[a-z] Match any lowercase characters a through z.

^ Not character (when used inside square brackets).

[^a-z] Match any character except lowercase characters a through z.


Special characters
The Security Policy Scripting Language supports a standard set of special characters. Use special characters in place of characters that
are impossible to enter using the keyboard or have other meanings in policy language strings. These characters can be used in the same
way as any other single character, and they should be enclosed in either single or double quotation marks.

Character Command

\a Alert

\b Backspace

\n Newline

\r Carriage return

\t Tab character

\' Single quotation mark

\" Double quotation mark

\\ Backslash

Example:

Tab = '\t';

This sets the variable with the Tab character.

Example:

StringExample = "start a new line \n";

This adds a new line character at the end of the string.


Endpoint Privilege Management for Unix and Linux variables


Endpoint Privilege Management for Unix and Linux uses its own set of predefined variables to store information. These can be broken
down into the following general categories:

• Task information variables
• Command line parsing variables
• Logging variables
• System variables
• Host identification variables
• X11 session capture variables

The Endpoint Privilege Management for Unix and Linux variables are a valuable resource to security administrators because some of
them can be queried from within security policy files. The information in Endpoint Privilege Management for Unix and Linux variables can
play a critical role in determining whether a specific request should be accepted or rejected. Endpoint Privilege Management for Unix and
Linux variables can also be used to set run time properties for a task request.


Task information variables


Task information variables store information about a specific task request. Using the Security Policy Scripting Language, a security
administrator can query this information and use it to make security decisions about a task request. These values are logged in the event
logs and I/O logs.

Note: The run variables do not apply to pbssh. If these run variables are present in the policy, they do not have any effect on
pbssh and are ignored.

The following table lists these variables.

Task Information Variable | Run Version of Variable | Description
argc | --- | Number of arguments that are supplied with the current command.
argv | runargv | Argument values that are associated with the current command.
bkgd | runbkgd | Controls whether a background command ignores HUP signals.
clienthost | --- | The name of the client (submit) host as resolved on the client host. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
command | runcommand | Name of the current command.
cwd | runcwd | Full path of the current working directory.
env | runenv | List of environment variables that are associated with the current task.
group | rungroup | Name of the user's primary group.
groups | rungroups | List of all groups the current user belongs to.
host | runhost | Name of the machine that the task executes on.
--- | runhostip | IP address of the run host.
localmode | runlocalmode | Controls whether the secured task replaces pbrun on the submit host, for local tasks. pblocald is not invoked. Note: With the exception of pbsh and pbksh, localmode is deprecated in favor of optimized run mode.
logaccept_utc |  | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging accept.
--- | logcksum | Indicates which checksum value is added to the event log.
logfinish_utc |  | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging finish.
logkeystroke_utc |  | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging keystroke events.
logreject_utc |  | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging reject events.
logserver_utcoffset |  | Log server timezone offset from UTC, in hours.
master_utcoffset |  | Policy server timezone offset from UTC, in hours.
mastertimelimit |  | Specifies a time limit, between pbmasterd and pblocald, for a task request. Version 4.0 and earlier: variable not available. Version 4.0 and later: variable available.
mastertimeout |  | Specifies the amount of idle time in seconds, between pbmasterd and pblocald. Version 4.0 and earlier: variable not available. Version 4.0 and later: variable available.
--- | logservers | A list of log hosts for pblocald to use for event and I/O logging. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
nice | runnice | Nice values for the secured task.
optimizedrunmode | runoptimizedrunmode | Controls whether optimized run mode is allowed for this task.
--- | pblocaldnoglob | Stops pblocald from expanding arguments to the target program.
--- | pbrisklevel | Risk rating that is passed to BeyondInsight.
--- | pidmessage | Optional message to issue when a job starts.
requestuser | --- | The user that is specified in the pbrun -u argument.
rlimit_as | runrlimit_as | Controls the maximum memory that is available to a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_core | runrlimit_core | Controls the maximum size of a core file. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_cpu | runrlimit_cpu | Controls the maximum CPU time of a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_data | runrlimit_data | Controls the maximum size of a process' data segment. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_fsize | runrlimit_fsize | Controls the maximum size of a file. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_locks | runrlimit_locks | Controls the maximum number of file locks for a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_memlock | runrlimit_memlock | Controls the maximum number of bytes of virtual memory that can be locked. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_nofile | runrlimit_nofile | Controls the maximum number of files a user may have open at a given time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_nproc | runrlimit_nproc | Controls the maximum number of processes a user may run at a given time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_rss | runrlimit_rss | Controls the maximum size of a process' resident set (number of virtual pages resident at a given time). Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
rlimit_stack | runrlimit_stack | Controls the maximum size of the process stack. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
runfinish_utc |  | runhost time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when the request has finished.
runstart_utc |  | runhost UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when the request is received.
selinux |  | Indicates whether pbrun is confined by SELinux. Version 5.2 and earlier: variable not available. Version 6.0 and later: variable available.
--- | runchroot | Name of the special file system root directory; see the chroot manual page for more information.
--- | runcksum | Contains a checksum value for the current task.
--- | runcksumlist | Contains a list of checksum values for the current task.
--- | runconfirmmessage | Password prompt that is used by pblocald for a final verification of the user.
--- | runconfirmuser | Controls whether final verification requires a password.
--- | runeffectivegroup | Controls the effective group ID (egid) of the requested job.
--- | runeffectiveuser | Controls the effective user ID (euid) of the requested job.
--- | runenablerlimits | When true, use the runrlimit_* variables to set up ulimits for the secured task. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
--- | runenvironmentfile | Specifies an environment file that contains environment variables to be incorporated into the run environment. Version 5.2 and earlier: variable not available. Version 6.0 and later: variable available.
--- | runptyflags | Flags that are used internally for pty settings; reserved for internal use.
--- | runsecurecommand | Checks that the runcommand is writable only by root or the runuser. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
--- | runmd5sum | Contains an MD5 checksum for the current task.
--- | runmd5sumlist | Contains a list of MD5 checksum values for the current task.
--- | runtimelimit | The number of seconds that the job may execute.
--- | runtimeout | Maximum allowed idle time.
--- | runutmpuser | utmp user name.
--- | shellallowedcommands | Contains a list of strings that contain commands that may be run without any further authorization. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
--- | shellcheckbuiltins | If true, directs the shell to check shell built-in commands as if they were standard commands. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
shellcheckredirections |  | If true, directs the shell to authorize I/O redirections; if false, always allows I/O redirection. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
shellforbiddencommands |  | Contains a list of strings that specify commands for pbksh and pbsh to reject without consulting an Endpoint Privilege Management for Unix and Linux policy server daemon. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
shelllogincludefiles |  | Controls whether the contents of included (sourced) shell scripts should be recorded in the I/O logs. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
shellreadonly |  | Contains a list of environment variables that pbsh and pbksh set to read-only at startup time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
shellrestricted |  | Controls whether Endpoint Privilege Management for Unix and Linux shells run in restricted mode. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
solarisproject | runsolarisproject | Specifies a Solaris project that the secured task should be associated with on a Solaris 9 or higher runhost. Version 6.0 and earlier: variable not available. Version 6.1 and later: variable available.
submithost | --- | Name of the machine from which the current request is submitted.
submithostip | --- | IP address of the machine from which the current request is submitted.
taskpid | --- | The PID of the secured task launched by pbrun.
taskttyname | --- | Name of the tty device associated with the secured task. This variable is only available after the secured task is launched and cannot be used in the policy. This is a read-only variable. Version 6.2.0 and earlier: variable available. Version 6.2.6 and later: variable available.
timezone | --- | Standard representation of the timezone on the submithost.
ttyname | --- | Name of the tty device from which the current request is submitted.
umask | runumask | The user's umask values.
user | runuser | Specifies the user ID that is associated with the login name of the user that submitted the current task.

Within Endpoint Privilege Management for Unix and Linux, each secured task has its own set of task information variables. Other secured
task requests do not share the information in these variables.

Two copies of the task information variables are created and maintained for each task request that Endpoint Privilege Management for Unix
and Linux processes. One set is read-only. These read-only variables contain the original, unmodified information about a task request.
The other set, known as run variables, holds information identical to the corresponding read-only versions; however, its values can be
modified. The information in the modifiable variables is the information that Endpoint Privilege Management for Unix and Linux actually
uses to execute a request once it is accepted. The modifiable task information variables have the same names as their read-only
counterparts, except that they carry the prefix run.

Note: These run variables do not apply to pbssh. If these run variables are present in the policy, they do not have any effect
on pbssh and are ignored.

There are some special pass-through values that are available for the run versions of some task information variables. These special
values are needed when the policy server host and run host represent different systems. In this scenario, processing some functions may
fail because the values for those variables need to be retrieved from the run host system rather than the policy server host. The following
functions are affected: gethome(), getgroup(), getgroups(), and getshell().

Value | Description | Example
!g! | Returns the run user's run group on the run host. | rungroup = "!g!";
!G! | Returns all groups that the run user belongs to on the run host. | rungroups = {"!G!"};
!~! | Returns the run user's home directory on the run host. | runcwd = "!~!";
!!! | Returns the run user's default shell on the run host. | runcommand = "!!!";

For more information, see the following:

- On when and how to use special run variable values, "Environment variable processing considerations" on page 55
- On the gethome(), getgroup(), getgroups(), and getshell() functions, "Built-in functions and procedures" on page 484
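The following policy fragment is an added example, not taken from this guide or from BeyondTrust, showing how the read-only copies are used to decide and the run copies used to shape what executes, together with the pass-through values from the table above. The group name "dbadmins", the account "dbsvc" and the command path "/usr/local/bin/dbbackup" are constructed placeholders; the fragment assumes the if/accept/reject statements, the "in" list-membership operator and the basename() built-in documented elsewhere in this guide.

```pbpolicy
# Added example policy fragment (not from the BeyondTrust guide).
# "dbadmins", "dbsvc" and "/usr/local/bin/dbbackup" are constructed placeholders.

# Decide on the read-only copies (group, command, argc, argv): they always
# reflect what the submitting user actually typed and cannot be altered by policy.
allowed_groups = {"dbadmins"};
if (!(group in allowed_groups)) {
    reject;
}

# Accept only "dbbackup" with at most one option. argc counts the command
# name itself, so a bare "dbbackup" request has argc == 1.
if (basename(command) != "dbbackup" || argc > 2) {
    reject;
}

# Now shape what will actually execute via the run copies.
runuser    = "dbsvc";                      # run as the service account
runcommand = "/usr/local/bin/dbbackup";    # absolute path; this also sets runargv[0]
runargv    = {"dbbackup"};                 # setting runargv does NOT change runcommand
if (argc == 2) {
    runargv = {"dbbackup", argv[1]};       # keep the user's single option
}

# Pass-through values: resolve the group and home directory on the run host
# rather than on the policy server, so the result is correct even when the
# two are different systems.
rungroup = "!g!";
runcwd   = "!~!";

# Have pblocald verify that runcommand is writable only by root or the runuser
# before it is executed.
runsecurecommand = true;

accept;
```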

argc

Data type
Integer, read-only

Description
The argc variable contains the number of arguments that are supplied with the current command. The command name is treated as an
argument. Thus, the actual number of user-supplied arguments, not including the command name itself, is argc - 1.
There is no run version of this variable.

Valid values
A positive integer.

For more information, see the following:

- "argv" on page 123
- "runargv" on page 124
- "command" on page 128
- "runcommand" on page 128
argv

Run version
runargv

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
List. argv is read-only. runargv is modifiable.

Description
The argv and runargv variables contain the list of argument values that are associated with the current command. The first argument
value, with index 0, is the name of the command. Use the run version of this variable to change an argument value.

Syntax

runargv = list;

Valid values
A list in which the first element contains the name of the current command, as entered by the submitting user. The remaining list elements
contain the command arguments, as entered by the submitting user. argv is a read-only variable whose value comes from the pbrun
command line. The default value of runargv is the value of argv.

Example:

runargv = {"uname", "-a"};

For more information, see the following:

- "argc" on page 121
- "command" on page 128
- "runcommand" on page 128
bkgd

Run version
runbkgd

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Boolean. bkgd is read-only. runbkgd is modifiable.

Description
The bkgd and runbkgd variables indicate whether to run a task in the background with HUP signals ignored. Endpoint Privilege
Management for Unix and Linux sets both variables when the user executes pbrun with a -b switch. To change whether a task actually
runs in the background with HUP signals ignored, set the runbkgd variable.

Tip: In this context, the function name inside the function behaves like a function parameter.

HUP refers to the hangup signal that the operating system sends to a child process when its parent process terminates. If the child
process is set to ignore HUP signals, it continues to run even though its parent process has terminated.

Tip: This feature can be useful for applications running in the background.

Syntax

runbkgd = boolean;

Valid values

true | Ignore HUP signals.
false | Do not ignore HUP signals.

bkgd is read-only and defaults to true when pbrun -b is used. Otherwise, it defaults to false. runbkgd defaults to the value of bkgd.

Example:

runbkgd = true;

clienthost

- Version 3.5 and earlier: clienthost variable is not available.
- Version 4.0 and later: clienthost variable is available.

Data type
String, read-only

Description
The name of the client (submit) host as resolved on the client host.

Valid values
A string as described above.

For more information, see the following:

- "host" on page 143
- "submithost" on page 265

command

Run version

runcommand

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
String. command is read-only. runcommand is modifiable.

Description
The command and runcommand variables contain the name of the current command request. If specified, command arguments are
stored in runargv and are not stored in command or runcommand. To change the current command, set the runcommand variable.

Note: Setting the run version of this variable also sets runargv[0]; however, setting runargv does not set runcommand.

Syntax

runcommand = string;

Valid values
A string containing the name of the current task request command as entered by the submitting user. command is a read-only variable.
runcommand defaults to the value of command.

Example:

runcommand = "/bin/ls";

For more information, see the following:

- "argc" on page 121
- "argv" on page 123
- "runargv" on page 124

cwd

Run version
runcwd

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
String. cwd is read-only. runcwd is modifiable.

Description
The cwd and runcwd variables contain the full path of the working directory on the submit host from which the current task request is
being initiated. To cause the requested program to execute in a different directory on a run host, set the runcwd variable. Depending on
how Endpoint Privilege Management for Unix and Linux is deployed, submit host and run host might be different machines with different
directory structures.

Note: If Endpoint Privilege Management for Unix and Linux cannot set this variable and enforceRunCwd is set to No, the task
request runs in the /tmp directory on the run host.

Syntax

runcwd = string;

Valid values
A string specifying the run host working directory for the current task request. cwd is a read-only variable. Also, cwd is the directory from
which the command originated. runcwd defaults to cwd.

Example:

runcwd = "/home/username";

For more information, see "runchroot" on page 217.

env

Run version
runenv

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
List. env is read-only. runenv is modifiable.

Description
The env and runenv variables contain the name and value pairs of each Unix or Linux environment variable that is present when the
current task request is submitted. Each environment variable is stored as an element within env. Each of these elements has the format
NAME=Value, where NAME is the name of the environment variable and Value is the value that is stored in that variable.
The value of an environment variable is modified by setting runenv.
The getenv(), setenv(), keepenv(), and unsetenv() functions and procedures can access the values within env.

Syntax

runenv = list of strings;

Valid values
A list in which each element has the format NAME=value where NAME is the name of the Unix or Linux environment variable and value is
the value stored in that variable. This list defaults to the run time environment of the pbrun command.

For more information, see the following:

- "getenv" on page 640
- "keepenv" on page 642
- "logomit" on page 314
- "setenv" on page 644
- "unsetenv" on page 646
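As an added example (not from this guide or from BeyondTrust), the fragment below inspects the read-only env list through getenv() and then rebuilds runenv rather than editing it element by element. It assumes the signatures getenv(name, default), keepenv(name, ...) and setenv(name, value) as described in this guide's built-in functions section; the variable names it keeps and sets are illustrative choices.

```pbpolicy
# Added example policy fragment (not from the BeyondTrust guide).
# Assumed signatures: getenv(name, default), keepenv(name, ...), setenv(name, value).

# env is read-only and reflects the environment the request was submitted with.
# Dynamic-loader controls in a request for a privileged task are a strong
# signal that something other than the intended program would run, so the
# request is refused before any run variable is touched.
if (getenv("LD_PRELOAD", "") != "" || getenv("LD_LIBRARY_PATH", "") != "") {
    reject;
}

# Rebuild runenv from a short allow-list: every NAME=value element not named
# here is dropped from the run environment, including anything the submitting
# user added that the policy never anticipated.
keepenv("TERM", "LANG", "DISPLAY");

# Set the values the secured task needs explicitly rather than inheriting
# them, so the search path seen by the task is fixed by policy.
setenv("PATH", "/usr/bin:/bin");

accept;
```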

execute_via_su

Data type
Boolean

Description
The run environment for the secured task is normally dictated by the Endpoint Privilege Management for Unix and Linux policy server
policy. It may be desirable to have the runhost dictate the run environment for the secured task. Endpoint Privilege Management for Unix
and Linux version 7.1 and above can use the su - command to create a login shell for the secured task, thus allowing the login mechanism
to set up the run environment. The Endpoint Privilege Management for Unix and Linux policy server host keyword execute_via_su in
/etc/pb.settings globally enables using su - to execute the secured task. This keyword can be overridden by the policy variable of the
same name, execute_via_su. The execute_via_su variable's initial value is based on the keyword setting's value. When execute_via_su is
used, any run environment setup in the policy affects the execution of su - rather than the execution of the secured task. This includes
the use of runcwd, setenv(), keepenv(), etc., as well as !g!, !G!, etc. Entitlement reports do not indicate that su - is used; however, the
Accept events in the event log show whether su - was used to invoke the secured task. This feature does not work for runusers whose
login is disabled (for example, using /sbin/nologin or /bin/false).

Settings Keyword | Policy Variable | Result uses su -?
unset | unset | no
unset | TRUE | YES
unset | FALSE | no
No | unset | no
No | TRUE | YES
No | FALSE | no
Yes | unset | YES
Yes | TRUE | YES
Yes | FALSE | no

Valid values

- 0
- 1
- true
- false

Default
unset

For more information, see the following:

- "runcommand" on page 128
- "runuser" on page 281
- "runargv" on page 124
- "runenvironmentfile" on page 240
- "setenv" on page 644
- "keepenv" on page 642
- "Environment variable processing considerations" on page 55
group

Run version
rungroup

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
String. group is read-only. rungroup is modifiable.

Description
The group and rungroup variables contain the name of the submitting user’s primary group. To temporarily change the submitting user’s
primary group, set the rungroup variable.

Note: If the rungroup does not exist on the run host, the run host refuses to execute the command.

Syntax

rungroup = string;

Valid values
A string that contains the name of the submitting user's primary group. group is a read-only variable. rungroup defaults to the value of
group.

Example:

rungroup = "bin";

For more information, see the following:

• "groups" on page 140
• "rungroups" on page 141
• "getgroup" on page 660
• "getgrouppasswd" on page 661
• "getgroups" on page 662
• "innetgroup" on page 602
• "inusernetgroup" on page 603
• "runeffectivegroup" on page 230

groups

Run version

rungroups

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
List. groups is read-only. rungroups is modifiable.

Description
The groups and rungroups variables contain the list of groups the submitting user belongs to. To temporarily modify the list of groups,
set the rungroups variable.
If one of the rungroups does not exist on the run host, the run host issues a warning before executing the command.

Syntax

rungroups = list;

Valid values
The groups variable contains the name of each group the submitting user belongs to on the submit host.
The value of the rungroups variable defaults to the value of the groups variable.

Example:

rungroups = {"bin", "wheel"};

For more information, see the following:

• "group" on page 137
• "rungroup" on page 138
• "getgroup" on page 660
• "getgrouppasswd" on page 661
• "getgroups" on page 662
• "innetgroup" on page 602
• "inusernetgroup" on page 603

host

Run version

runhost

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
String. host is read-only. runhost is modifiable.

Description
submithost is the name of the machine that executed pbrun. host is the value that is passed to pbrun with the -h switch. If the -h switch is
not used, then the value of host is taken from submithost. If the value of runhost is not explicitly set in the policy, then its value comes
from host.
Setting runhost in the policy has no effect when the task is run in local mode (that is, when pbrun is executed with the -l option, or when
the runlocalmode policy variable is set to true).

Syntax

runhost = string;

Valid values
A string that contains the fully-qualified name of the run host machine. host is read-only and defaults to the name of the submit host.
The default value of runhost is the value of host.

Example:

runhost = "tad";

For more information, see the following:

• "ipaddress" on page 583
• "localmode" on page 146
• "runlocalmode" on page 146
• "masterhost" on page 364
• "pid" on page 390
• "requestuser" on page 175
• "runconfirmuser" on page 228
• "subprocuser" on page 398
• "submithost" on page 265
• "submithostip" on page 267
• "uniqueid" on page 404


localmode

Run version

runlocalmode

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Boolean. localmode is read-only. runlocalmode is modifiable.

Description
The localmode and runlocalmode variables indicate if the submitting user specified that the current task request run in local mode.
When a task runs in local mode, pbmasterd returns control to pbrun rather than pblocald. After the task is accepted, pbrun replaces
itself with the current task request. The result is that localmode cannot be used with Advanced Control and Audit (ACA), and the current
task request is processed without the benefit of any further event logging (the exit status is not logged) or keystroke actions.
Regarding pbrun, the localmode mechanism is deprecated in favor of Optimized Run Mode, in which all features are available.
The Endpoint Privilege Management shells pbsh and pbksh normally operate in localmode. This can be disabled by setting
runlocalmode=false.
Endpoint Privilege Management for Unix and Linux sets the localmode variables when the user executes pbrun with a -l switch, or when
the runlocalmode variable is set to true in the policy.

Syntax

runlocalmode = boolean;

Valid values

• true: Run in local mode. The default value is true if pbrun -l is used, false otherwise.
• false: Disable local mode.

localmode is a read-only variable with a value of true if pbrun -l is used, false otherwise.
runlocalmode defaults to localmode. If the allowlocalmode setting is false, then runlocalmode is set to read-only and has a value of
false.


Example:

runlocalmode = false;

For more information, see the following:

• "bkgd" on page 125
• "runbkgd" on page 126
• "noreconnect" on page 370
• pblocald in the Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.
• "Task submission - pbrun" on page 22
• allowlocalmode in the Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.


logaccept_utc
• Version 22.1 and earlier: logaccept_utc variable not available.
• Version 22.1 and later: logaccept_utc variable available.

Data type
String, read-only

Description
The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when logging accept events.

Valid values
Any valid date and time.


logcksum
• Version 7.5 and earlier: logcksum variable not available.
• Version 8.0 and later: logcksum variable available.

Data type
String, modifiable

Description
When runcksum, runcksumlist, runmd5sum, or runmd5sumlist are present in the policy, the run host verifies that the checksum of the
runcommand matches the values specified in those variables. The logcksum variable allows the checksum of the runcommand to be
recorded in the event log for analysis.
There is no read-only version of this variable.

Syntax

logcksum = string;

Valid values

• cksum: Save the runtime-generated application checksum in the chksum variable and record it in the event log. This is the value that
would be compared to the runcksum or runcksumlist user-defined policy variable (if available).
• md5: Save the runtime-generated application MD5 checksum in the md5sum variable and record it in the event log. This is the value
that would be compared to the runmd5sum or runmd5sumlist user-defined policy variable (if available).
• all: Record both runtime-generated checksum values (chksum and md5sum variables) in the event log.

Example:

logcksum = "cksum";

Example:

logcksum = "md5";


Example:

logcksum = "all";

For more information, see the following:

• "runcksum" on page 220
• "runcksumlist" on page 222
• "runmd5sum" on page 236
• "runmd5sumlist" on page 238

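The run host compares the checksum of the runcommand with the runcksum and runmd5sum values in the policy, so an administrator needs the same two values to set a baseline and to read what logcksum records in the event log. The following Python script is an added example, not code from this guide or from the product; it assumes that the product's cksum value is the POSIX cksum CRC printed by the Unix cksum command and that the md5 value is the hex MD5 digest, and the sample file it checks is constructed.

```python
"""Compute the two application checksums that logcksum can record ("cksum"
and "md5") and compare them with a stored baseline, as the run host does
with runcksum / runmd5sum and runcksumlist / runmd5sumlist.

Added example, not part of Endpoint Privilege Management for Unix and Linux.
Assumption: "cksum" is the POSIX cksum CRC (first field printed by the Unix
cksum command) and "md5" is the hex MD5 digest. The sample file is constructed.
"""
import hashlib
import os
import tempfile

# CRC-32 polynomial used by POSIX cksum (MSB-first, unreflected, initial value 0).
_POLY = 0x04C11DB7


def _build_table():
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ _POLY) if c & 0x80000000 else (c << 1)
        table.append(c & 0xFFFFFFFF)
    return table


_CRC_TABLE = _build_table()


def posix_cksum(data: bytes) -> int:
    """CRC exactly as the Unix cksum command prints it: CRC of the bytes, then of
    the byte length (least significant byte first, as many bytes as needed),
    complemented. An empty input therefore yields 4294967295."""
    crc = 0
    for b in data:
        crc = ((crc << 8) ^ _CRC_TABLE[((crc >> 24) ^ b) & 0xFF]) & 0xFFFFFFFF
    n = len(data)
    while n:
        crc = ((crc << 8) ^ _CRC_TABLE[((crc >> 24) ^ n) & 0xFF]) & 0xFFFFFFFF
        n >>= 8
    return (~crc) & 0xFFFFFFFF


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the value logged when logcksum is "md5" or "all"."""
    return hashlib.md5(data).hexdigest()


def checksums_for_file(path: str) -> dict:
    """Return {"cksum": int, "md5": str} for the program at path."""
    with open(path, "rb") as f:
        data = f.read()
    return {"cksum": posix_cksum(data), "md5": md5_hex(data)}


def verify(path: str, expected_cksum: int, expected_md5: str) -> bool:
    """Single-value check (runcksum / runmd5sum): both values must match."""
    sums = checksums_for_file(path)
    return sums["cksum"] == expected_cksum and sums["md5"] == expected_md5


def verify_any(path: str, allowed_cksums, allowed_md5s) -> bool:
    """List check (runcksumlist / runmd5sumlist): accept the program when its
    checksum appears in the allowed list, for example several approved builds."""
    sums = checksums_for_file(path)
    return sums["cksum"] in allowed_cksums and sums["md5"] in allowed_md5s


if __name__ == "__main__":
    # Constructed sample standing in for a real binary such as /usr/bin/vi.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"#!/bin/sh\necho constructed sample\n")
    try:
        baseline = checksums_for_file(tmp.name)
        print("cksum :", baseline["cksum"])   # value compared with runcksum
        print("md5   :", baseline["md5"])     # value compared with runmd5sum
        print("unchanged:", verify(tmp.name, baseline["cksum"], baseline["md5"]))
        # Simulate drift: a modified program no longer matches the baseline.
        with open(tmp.name, "ab") as f:
            f.write(b"# modified\n")
        print("after change:", verify(tmp.name, baseline["cksum"], baseline["md5"]))
    finally:
        os.unlink(tmp.name)
```

Record the printed cksum and md5 values from a known-good copy of the program; the same values appear in the event log when logcksum is "all", which lets the logged checksum be compared against the baseline after the fact.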

logfinish_utc
• Version 22.1 and earlier: logfinish_utc variable not available.
• Version 22.1 and later: logfinish_utc variable available.

Data type
String, read-only

Description
The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when logging finish events.

Valid values
Any valid date and time.


logkeystroke_utc
• Version 22.1 and earlier: logkeystroke_utc variable not available.
• Version 22.1 and later: logkeystroke_utc variable available.

Data type
String, read-only

Description
The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when logging keystroke events.

Valid values
Any valid date and time.


logpid

Data type
Number, read-only

Description
The logpid variable contains the PID of the log server daemon logging the accept.
This read-only variable is not available during the processing of the policy, because it is created after the policy performs an accept. This
variable is available in the event log.
There is no run version of this variable.

Valid values
A number that contains a PID.
This is a read-only variable.

For more information, see the following:

• "pid" on page 390
• "runpid" on page 245
• "submitpid" on page 269
• "taskpid" on page 271


logreject_utc
• Version 22.1 and earlier: logreject_utc variable not available.
• Version 22.1 and later: logreject_utc variable available.

Data type
String, read-only

Description
The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when logging reject events.

Valid values
Any valid date and time.


logserver_utcoffset
• Version 22.1 and earlier: logserver_utcoffset variable not available.
• Version 22.1 and later: logserver_utcoffset variable available.

Data type
String representing an integer, read-only

Description
The logserver timezone offset from UTC, in hours.

Valid values
-12 to 14

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "master_utcoffset" on page 160


logservers

Data type
List

Description
A list of log hosts for pblocald to use for event and I/O logging. The policy variable overrides the logservers keyword in the settings file
when that keyword is enabled. For example, given

/etc/pb.settings:
  ...
  logservers name0

/opt/pbul/policies/pb.conf:
  ...
  logservers = {"name1", "name2"};
  ...

the log servers that are used are name1 and name2; name0 from the settings file is not used.

Syntax

logservers = {list};

Example:

logservers = {"name1", "name2"};


master_utcoffset
• Version 22.1 and earlier: master_utcoffset variable not available.
• Version 22.1 and later: master_utcoffset variable available.

Data type
String representing an integer, read-only

Description
The policy server timezone offset from UTC, in hours.

Valid values
-12 to 14

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156


mastertimelimit
• Version 4.0 and earlier: mastertimelimit variable not available.
• Version 5.0.1 and later: mastertimelimit variable available.

Data type
Integer, modifiable

Description
The mastertimelimit variable specifies a time limit, in seconds, between pbmasterd and pblocald, for a task request. If the job does not
finish within the specified number of seconds, it is terminated.
mastertimelimit is similar to mastertimeout, but it is based on total time rather than idle time.
mastertimelimit is similar to runtimelimit, from the pbmasterd point of view, and is useful only when there is no log server.

Note: The mastertimelimit variable is not honored in local mode.

Syntax

mastertimelimit = number;

Valid values
• number: Enable time limit checking.
• 0: Disable time limit checking. This value is the default.

Example:

mastertimelimit = 3600;

For more information, see the following:

• "mastertimeout" on page 163
• "runtimelimit" on page 249
• "runtimeout" on page 251
• "submittimeout" on page 396


mastertimeout
• Version 4.0 and earlier: mastertimeout variable not available.
• Version 5.0.1 and later: mastertimeout variable available.

Data type
Integer, modifiable

Description
The mastertimeout variable specifies the amount of idle time, in seconds, between pbmasterd and pblocald. If the job is idle for the
specified number of seconds, then it is terminated. mastertimeout is similar to runtimeout, from the pbmasterd point of view, and is
useful only when there is no log server.

Note: The mastertimeout variable is not honored in local mode.

Syntax

mastertimeout = number;

Valid values
• number: Enable idle checking.
• 0: Disable idle checking. This value is the default.

Example:

mastertimeout = 3600;

For more information, see the following:

• "mastertimelimit" on page 162
• "runtimelimit" on page 249
• "runtimeout" on page 251
• "submittimeout" on page 396


nice

Run version

runnice

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Integer. nice is read-only. runnice is modifiable.

Description
The nice and runnice variables contain the nice value for the current task request. The nice value controls task execution priority. To
modify task execution priority, set runnice.

Syntax

runnice = number;

Valid values
An integer value that represents a task execution priority. This variable has no default value.

Example:

runnice = 20;

For more information, see the Unix or Linux manual page for the nice command.


noexec

Data type
Integer. noexec is modifiable.

Description
This variable does not apply to pbssh. If it is present in the policy, and set to 1, pbrun, pblocald, pbsh, and pbksh will attempt to prevent
the secured task from performing an exec to launch a new program (for example, prevent vi's shell escape :!/bin/bash).
This mechanism uses the LD_PRELOAD or equivalent mechanism to load an Endpoint Privilege Management for Unix and Linux shared
library that intercepts the exec family of library calls.
The noexec feature requires Endpoint Privilege Management for Unix and Linux 8.5.0 runhosts. Any previous version of runhost silently
ignores the noexec feature.

Note: Care should be used when enabling noexec for shell scripts (these normally exec other programs).

Restrictions
• The noexec feature works only for binaries that are dynamically linked, on operating systems that support the LD_PRELOAD or
equivalent mechanism.
• The noexec feature supports setuid programs only on Linux and Solaris run hosts.
• The noexec feature cannot execute shell scripts that lack the #!/path/shell specification.
• The noexec feature currently does not support the Endpoint Privilege Management for Unix and Linux execute_via_su feature.
• HP-UX 11.11 requires linker patch PHSS_22535 or newer.

Syntax

noexec=1;

Valid values
Valid values are 0 and 1. The default value is 0.

Example:

noexec=1;

For more information, see the Unix/Linux manual pages for the ld.so (Linux), ld.so.1 (Solaris), ld (HP-UX), and dld.sl (HP-
UX) commands.


optimizedrunmode
• Version 4.0 and earlier: optimizedrunmode variable not available.
• Version 5.0 and later: optimizedrunmode variable available.
• Version 6.0 and later: runoptimizedrunmode variable available.

Run version

runoptimizedrunmode

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Boolean. optimizedrunmode is read-only. runoptimizedrunmode is modifiable.

Description
optimizedrunmode indicates whether the task can be executed using Endpoint Privilege Management for Unix and Linux's optimized run
mode feature. A value of true indicates that optimized run mode has not been disabled for this task by command line switch or Endpoint
Privilege Management for Unix and Linux settings.
Setting runoptimizedrunmode to false can be used to prevent a task from being executed using Endpoint Privilege Management for
Unix and Linux's optimized run mode feature.

Note: If optimized run mode is disabled in the policy server host’s settings file, the submit host’s settings file, or by a command
line option on either pbrun or pbmasterd, then setting runoptimizedrunmode to true has no effect.

Syntax

runoptimizedrunmode = Boolean;

Valid values

true Non-zero. Enable optimized run mode.

false Zero. Disable optimized run mode.

Example:

runoptimizedrunmode = false;

For information about optimized run mode and related settings, see the Endpoint Privilege Management for Unix and Linux
Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.

pblocaldnoglob

Data type
Boolean, modifiable

Description
pblocaldnoglob stops pblocald from expanding arguments to the target program. By setting this variable to a non-zero value, you can
duplicate the way Endpoint Privilege Management for Unix and Linux version 2.6 and earlier passes arguments.
There is no read-only version of this variable.

Syntax

pblocaldnoglob = boolean;

Valid values

true Non-zero. Stop pblocald from expanding arguments to the target program.

false Zero. Allow pblocald to expand arguments to the target program. This setting is the default.

Example:

pblocaldnoglob = true;

pbrisklevel

Data type
Number, modifiable

Description
The pbrisklevel variable specifies a risk rating that is passed to BeyondInsight. The data is displayed in the BeyondInsight for Unix &
Linux grid and Agent Details grid.
There is no read-only version of this variable.

Syntax

pbrisklevel = number;

Valid values
l A whole number in the range of 0 - 9
o 9 means highest risk
o 0 means no risk

Default value
If pbrisklevel is not explicitly set in the policy, the risk level setting defaults to zero (0).

Example:

pbrisklevel = 3;
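As an added example that is not part of the guide, the following fragment derives the rating from the target identity and the command instead of hard-coding one value, so the BeyondInsight grid separates routine tasks from privileged, destructive ones. The tiers and the command list are constructed, and the use of runuser, runcommand and basename() is assumed from elsewhere in the policy language.

```text
# Added example, not from the guide: tiered risk rating for BeyondInsight.
# The command list and the tier values are constructed for illustration.
destructive = {"rm", "dd", "mkfs", "fdisk"};   # constructed list
cmd = basename(runcommand);                    # assumed: basename() and runcommand

if (runuser == "root" && cmd in destructive) {
    pbrisklevel = 9;      # highest risk: privileged and destructive
} else if (runuser == "root") {
    pbrisklevel = 6;      # constructed tier: privileged but routine
} else if (cmd in destructive) {
    pbrisklevel = 4;      # constructed tier: destructive as an ordinary user
} else {
    pbrisklevel = 0;      # no risk, the same as leaving the variable unset
}
accept;
```

Because the rating is computed from the resolved run-time values (runuser, runcommand) rather than from what the caller typed, the number shown in the grid reflects the task that actually executes.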

pidmessage

Data type
String, modifiable

Description
The pidmessage variable contains an optional string that causes the process ID of the task on the run host to print out at the start of the
task.
There is no read-only version of this variable.

Note: If Endpoint Privilege Management for Unix and Linux is running as local mode, it ignores pidmessage.

Syntax

pidmessage = string;

Valid values
Any string. The default value is empty.

Example: The following example produces output similar to This is job: sparky 9876 before the target command runs.

pidmessage = "This is job: ";

requestuser

Data type
String, read-only

Description
The requestuser variable contains the value that is specified by the pbrun -u argument. When a user runs pbrun with the -u username
option, the value is placed in requestuser. The policy then determines whether or not to honor the request. If the -u command option is
not used, then requestuser contains the same value as user.
There is no run version of this variable.

Valid values
A string as described above.

For more information, see the following:

l "Task submission - pbrun" on page 22
l "user" on page 280
l "runuser" on page 281
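The description above leaves the decision of whether to honor a -u request to the policy. The fragment below, an added example that is not from the guide, shows that decision written out: the requested identity is only copied into runuser when both the caller and the requested account are on vetted lists. The group and account lists are constructed, and the in operator, the runuser variable and the accept and reject statements are assumed from elsewhere in the policy language.

```text
# Added example, not from the guide: honour pbrun -u only for vetted callers
# and vetted target accounts. Both lists are constructed for illustration.
dbadmins = {"alice", "bob"};                 # constructed: callers who may switch user
allowed_targets = {"oracle", "postgres"};    # constructed: accounts they may request

if (requestuser == user) {
    # No -u was given (requestuser equals user), so run as the caller.
    runuser = user;
} else if (user in dbadmins && requestuser in allowed_targets) {
    # Honour the request: the policy, not the caller, decides the target identity.
    runuser = requestuser;
} else {
    # Any other request, for example -u root, is refused before the task starts.
    reject;
}
accept;
```

The check is deliberately on both sides of the request: restricting only the target account would still let any user reach the database accounts, and restricting only the callers would let the administrators request any identity at all.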

rlimit_as
l Version 3.5 and earlier: rlimit_as and runrlimit_as variables not available.
l Version 4.0 and later: rlimit_as and runrlimit_as variables available.

Run version

runrlimit_as

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_as is read-only, runrlimit_as is modifiable.

Description
These variables control the maximum memory available to a process in bytes as a 32-bit number. These variables are equivalent to
vmem on some systems. rlimit_as is the read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux.
runrlimit_as is the modifiable value for the target secured task.

Note: To enable runrlimit_as functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_as = number;

Valid values
Vary according to platform.

Example:

runrlimit_as = 1000;

For more information, see the following:

l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_core
l Version 3.5 and earlier: rlimit_core and runrlimit_core variables not available.
l Version 4.0 and later: rlimit_core and runrlimit_core variables available.

Run version

runrlimit_core

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_core is read-only. runrlimit_core is modifiable.

Description
These variables control the maximum size of a core file in bytes as a 32-bit number. rlimit_core is the read-only value for the user who
invokes Endpoint Privilege Management for Unix and Linux. runrlimit_core is the modifiable value for the target secured task.

Note: To enable runrlimit_core functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_core = number;

Valid values
Vary according to platform.

Example:

runrlimit_core = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_cpu
l Version 3.5 and earlier: rlimit_cpu and runrlimit_cpu variables not available.
l Version 4.0 and later: rlimit_cpu and runrlimit_cpu variables available.

Run version

runrlimit_cpu

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_cpu is read-only. runrlimit_cpu is modifiable.

Description
These variables control the maximum CPU time of a process in seconds as a 32-bit number. rlimit_cpu is the read-only value for the
user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_cpu is the modifiable value for the target secured task.

Note: To enable runrlimit_cpu functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_cpu = number;

Valid values
Vary according to platform.

Example:

runrlimit_cpu = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_data
l Version 3.5 and earlier: rlimit_data and runrlimit_data variables not available.
l Version 4.0 and later: rlimit_data and runrlimit_data variables available.

Run version

runrlimit_data

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_data is read-only. runrlimit_data is modifiable.

Description
These variables control the maximum size of a process’ data segment as a 32-bit number. rlimit_data is the read-only value for the user
who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_data is the modifiable value for the target secured task.

Note: To enable runrlimit_data functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_data = number;

Valid values
Vary according to platform.

Example:

runrlimit_data = 100;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_fsize
l Version 3.5 and earlier: rlimit_fsize and runrlimit_fsize variables not available.
l Version 4.0 and later: rlimit_fsize and runrlimit_fsize variables available.

Run version

runrlimit_fsize

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_fsize is read-only. runrlimit_fsize is modifiable.

Description
These variables control the maximum size of a file in bytes as a 32-bit number. rlimit_fsize is the read-only value for the user who invokes
Endpoint Privilege Management for Unix and Linux. runrlimit_fsize is the modifiable value for the target secured task.

Note: To enable runrlimit_fsize functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_fsize = number;

Valid values
Vary according to platform.

Example:

runrlimit_fsize = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_locks
l Version 3.5 and earlier: rlimit_locks and runrlimit_locks variables not available.
l Version 4.0 and later: rlimit_locks and runrlimit_locks variables available.

Run version

runrlimit_locks

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_locks is read-only. runrlimit_locks is modifiable.

Description
These variables control the maximum number of file locks for a process as a 32-bit number. rlimit_locks is the read-only value for the
user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_locks is the modifiable value for the target secured task.

Note: To enable runrlimit_locks functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_locks = number;

Valid values
Vary according to platform.

Example:

runrlimit_locks = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_memlock
l Version 3.5 and earlier: rlimit_memlock and runrlimit_memlock variables not available.
l Version 4.0 and later: rlimit_memlock and runrlimit_memlock variables available.

Run version

runrlimit_memlock

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_memlock is read-only. runrlimit_memlock is modifiable.

Description
These variables control the maximum number of bytes of virtual memory that may be locked at a given time as a 32-bit number.
rlimit_memlock is the read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_memlock is
the modifiable value for the target secured task.

Note: To enable runrlimit_memlock functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_memlock = number;

Valid values
Vary according to platform.

Example:

runrlimit_memlock = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_nofile
l Version 3.5 and earlier: rlimit_nofile and runrlimit_nofile variables not available.
l Version 4.0 and later: rlimit_nofile and runrlimit_nofile variables available.

Run version

runrlimit_nofile

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_nofile is read-only. runrlimit_nofile is modifiable.

Description
These variables control the maximum number of files a user may have open at a given time as a 32-bit number. rlimit_nofile is the
read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_nofile is the modifiable value for
the target secured task.

Note: To enable runrlimit_nofile functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_nofile = number;

Valid values
Vary according to platform.

Example:

runrlimit_nofile = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_nproc
l Version 3.5 and earlier: rlimit_nproc and runrlimit_nproc variables not available.
l Version 4.0 and later: rlimit_nproc and runrlimit_nproc variables available.

Run version

runrlimit_nproc

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_nproc is read-only. runrlimit_nproc is modifiable.

Description
These variables control the maximum number of processes a user may run at a given time as a 32-bit number. rlimit_nproc is the
read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_nproc is the modifiable value for
the target secured task.

Note: To enable runrlimit_nproc functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_nproc = number;

Valid values
Vary according to platform.

Example:

runrlimit_nproc = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_rss" on page 194
l "runrlimit_stack" on page 196

rlimit_rss
l Version 3.5 and earlier: rlimit_rss and runrlimit_rss variables not available.
l Version 4.0 and later: rlimit_rss and runrlimit_rss variables available.

Run version

runrlimit_rss

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_rss is read-only. runrlimit_rss is modifiable.

Description
These variables control the maximum size of a process’ resident set (number of virtual pages that are resident at a given time) as a 32-bit
number. rlimit_rss is the read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_rss is
the modifiable value for the target secured task.

Note: To enable runrlimit_rss functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_rss = number;

Valid values
Vary according to platform.

Example:

runrlimit_rss = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_stack" on page 196
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_stack" on page 196

rlimit_stack
l Version 3.5 and earlier: rlimit_stack and runrlimit_stack variables not available.
l Version 4.0 and later: rlimit_stack and runrlimit_stack variables available.

Run version

runrlimit_stack

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. rlimit_stack is read-only. runrlimit_stack is modifiable.

Description
These variables control the maximum size of the process stack, in bytes, as a 32-bit number. rlimit_stack is the read-only value for the user
who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_stack is the modifiable value for the target secured task.

Note: To enable runrlimit_stack functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_stack = number;

Valid values
Vary according to platform.

Example:

runrlimit_stack = 1000;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "runrlimit_as" on page 176
l "runrlimit_core" on page 178
l "runrlimit_cpu" on page 180
l "runrlimit_data" on page 182
l "runrlimit_fsize" on page 184
l "runrlimit_locks" on page 186
l "runrlimit_memlock" on page 188
l "runrlimit_nofile" on page 190
l "runrlimit_nproc" on page 192
l "runrlimit_rss" on page 194
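An added policy fragment, not taken from this guide, that uses the read-only and run versions of these variables together: it enables run-time limits and caps the secured task's resident-set and stack limits without granting more than the submitting user already holds. The cap values are constructed placeholders, since valid values vary by platform, and the fragment assumes the platform reports the read-only limits as plain non-negative numbers.

```pbpolicy
# Added example; not part of the guide. Cap values are constructed placeholders
# and valid ranges vary by platform.
rss_cap   = 262144;      # constructed resident-set cap
stack_cap = 8388608;     # constructed stack cap, in bytes

# runrlimit_* assignments have no effect unless run-time limits are enabled.
runenablerlimits = 1;

# rlimit_rss and rlimit_stack are the submitting user's own (read-only) limits.
# Give the task the smaller of the user's limit and the cap, so the secured
# task never runs with a higher limit than the user who invoked it.
# Assumes the platform reports these limits as plain non-negative numbers.
if (rlimit_rss < rss_cap) {
    runrlimit_rss = rlimit_rss;
} else {
    runrlimit_rss = rss_cap;
}

if (rlimit_stack < stack_cap) {
    runrlimit_stack = rlimit_stack;
} else {
    runrlimit_stack = stack_cap;
}
```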

runfinish_utc
l Version 22.1 and earlier: runfinish_utc variable not available.
l Version 22.1 and later: runfinish_utc variable available.

Data type
String, read-only

Description
The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when the request has finished.

Valid values
Any valid date and time.

runstart_utc
l Version 22.1 and earlier: runstart_utc variable not available.
l Version 22.1 and later: runstart_utc variable available.

Data type
String, read-only

Description
The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when the request is received.

Valid values
Any valid date and time.

false

Data type
Boolean, read-only

Description
The false variable is a read-only variable with a predefined value of 0.
Many program statements rely upon conditional tests to determine what program statement should be executed next. The if statement is
an example of this. Conditional tests evaluate to either a true value or a false value. In the Security Policy Scripting Language, a true
value is represented by any positive, non-zero integer, but is usually represented by the integer value 1. A 0 represents false.
Because true and false values are used so frequently within security policy files, the variable true may be used in place of a numeric
value 1 and the variable false may be used in place of a 0 value when evaluating a conditional expression or initializing a variable.

Valid values
0. Constant, cannot be changed.

For more information, see "true" on page 402.

hour

Data type
Integer, read-only

Description
The hour variable contains the current hour, taken from the policy server host, in HH format.

Valid values
An integer ranging from 0 - 23 (inclusive) from the policy server host.

For more information, see the following:

l "date" on page 332
l "day" on page 334
l "dayname" on page 336
l "minute" on page 366
l "month" on page 368
l "time" on page 400
l "year" on page 406
l "i18n_date" on page 204
l "i18n_day" on page 206
l "i18n_dayname" on page 208
l "i18n_hour" on page 210
l "i18n_minute" on page 212
l "i18n_month" on page 214
l "i18n_time" on page 354
l "i18n_year" on page 356

i18n_date

Data type
UTF-8 encoded string, read-only

Description
The i18n_date variable contains the current date, taken from the policy server host. It is formatted according to the operating system’s
locale settings.

Valid values
A UTF-8 encoded string that contains a date.

For more information, see the following:

l "date" on page 332
l "day" on page 334
l "dayname" on page 336
l "hour" on page 340
l "minute" on page 366
l "month" on page 368
l "time" on page 400
l "year" on page 406
l "i18n_day" on page 206
l "i18n_dayname" on page 208
l "i18n_hour" on page 348
l "i18n_minute" on page 350
l "i18n_month" on page 352
l "i18n_time" on page 354
l "i18n_year" on page 356

i18n_day

Data type
UTF-8 encoded string, read-only

Description
The i18n_day variable contains the current date, taken from the policy server host. It is formatted according to the operating system’s
locale settings.

Valid values
A UTF-8 encoded string that contains a day value.

For more information, see the following:

l "date" on page 332
l "day" on page 334
l "dayname" on page 336
l "hour" on page 340
l "minute" on page 366
l "month" on page 368
l "time" on page 400
l "year" on page 406
l "i18n_date" on page 342
l "i18n_dayname" on page 208
l "i18n_hour" on page 348
l "i18n_minute" on page 350
l "i18n_month" on page 352
l "i18n_time" on page 354
l "i18n_year" on page 356

i18n_dayname

Data type
UTF-8 encoded string, read-only

Description
The i18n_dayname variable contains the current day of the week, taken from the policy server host. It is formatted according to the
operating system’s locale settings.

Valid values
A UTF-8 encoded string that contains a value for the day of the week.

For more information, see the following:

l "date" on page 332
l "day" on page 334
l "dayname" on page 336
l "hour" on page 340
l "minute" on page 366
l "month" on page 368
l "time" on page 400
l "year" on page 406
l "i18n_date" on page 342
l "i18n_day" on page 344
l "i18n_hour" on page 348
l "i18n_minute" on page 350
l "i18n_month" on page 352
l "i18n_time" on page 354
l "i18n_year" on page 356

i18n_hour

Data type
UTF-8 encoded string, read-only

Description
The i18n_hour variable contains the current hour, taken from the policy server host. It is formatted according to the operating system’s
locale settings.

Valid values
A UTF-8 encoded string that contains an hour value.

For more information, see the following:

l "date" on page 332
l "day" on page 334
l "dayname" on page 336
l "hour" on page 340
l "minute" on page 366
l "month" on page 368
l "time" on page 400
l "year" on page 406
l "i18n_date" on page 204
l "i18n_day" on page 206
l "i18n_dayname" on page 208
l "i18n_minute" on page 212
l "i18n_month" on page 214
l "i18n_time" on page 354
l "i18n_year" on page 356

i18n_minute

Data type
UTF-8 encoded string, read-only

Description
The i18n_minute variable contains the minute portion of the current time, taken from the policy server host. It is formatted according to the
operating system’s locale settings. The month, day, date, and year variables can be used together to determine the current date, per the
policy server host. The hour and minute variables can be used together to determine the current time, per the policy server host.

Valid values
A UTF-8 encoded string that contains a minute value.

For more information, see the following:

l "date" on page 332
l "day" on page 334
l "dayname" on page 336
l "hour" on page 340
l "minute" on page 366
l "month" on page 368
l "time" on page 400
l "year" on page 406
l "i18n_date" on page 342
l "i18n_day" on page 344
l "i18n_dayname" on page 346
l "i18n_hour" on page 348
l "i18n_month" on page 352
l "i18n_time" on page 354
l "i18n_year" on page 356

i18n_month

Data type
UTF-8 encoded string, read-only

Description
The i18n_month variable contains the current month, taken from the policy server host. It is formatted according to the operating system’s
locale settings. The month, day, date, and year variables can be used together to determine the current date per the policy server host.
The hour and minute variables can be used together to determine the current time per the policy server host.

Valid values
A UTF-8 encoded string that contains the month value.

selinux
l Version 5.2 and earlier: selinux variable not available.
l Version 6.0 and later: selinux variable available.

Data type
Integer, read-only

Description
The selinux variable indicates whether the pbrun client that is requesting the secured task is running confined in the SELinux
environment. This variable is not present when the submit host is not integrated with SELinux. You can use the isset() function to
determine if pbrun is running confined.

Valid values
An integer, as described above. If pbrun is running unconfined, the variable is not present.

Example:

if (isset("selinux"))
{
    print("SELINUX: ", selinux);
}

runchroot

Data type
String, modifiable

Description
The runchroot variable contains the name of the user’s root directory. A secured task can access only those files that reside within that
root directory. To change the root directory for the current task, set runchroot.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

To use Endpoint Privilege Management for Unix and Linux with the directory that is specified in the runchroot variable, the following files
must be copied into that directory:

Files                                                      Target Directory

/etc/pb.settings                                           runchroot/etc

Key files in /etc (if using Endpoint Privilege
Management for Unix and Linux encryption)                  runchroot/etc

/usr/lib/symark/pb/* (if using Kerberos, SSL, or LDAP)     runchroot/usr/lib/symark/pb

In addition, if the pbrunlog setting has a value, you must create a corresponding directory under the directory that is specified in
runchroot. For example, if pbrunlog is set to /var/log/pbrun.log, then create a runchroot/var/log directory.

Syntax

runchroot = string;

Valid values
A string that contains a valid absolute path specification. The default value is empty, which implies that the entire run host’s file system is
accessible.

Example:

runchroot = "/usr/local/newroot";

For more information, see the following:

l "cwd" on page 130
l "runcwd" on page 131

runcksum

Data type
String, modifiable

Description
The runcksum variable stores a checksum value. By default, runcksum is an empty string. Populate it by running the Endpoint Privilege
Management for Unix and Linux utility program pbsum, which generates application and file checksum values.
Use checksum values to determine if a file or application has changed by establishing a baseline checksum and then comparing that
baseline checksum against a checksum that is generated during security policy file processing. If the checksum values are different, then
the file or application has changed since generation of the baseline checksum, and Endpoint Privilege Management for Unix and Linux will
refuse to run it.
Application checksum values can be used to determine if a virus has infected an application or if the file has been changed.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runcksum = string;

Valid values
A string that contains a checksum value that is generated by pbsum. The default value is empty, which specifies no checksum checking.

Example:

runcksum = "2f9777ff";

For more information, see pbsum in the Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/documents/unix-linux/pmul-admin.pdf

runcksumlist

Data type
List

Description
The runcksumlist variable contains a list of checksum values. By default, runcksumlist is an empty list. Populate it by running the
Endpoint Privilege Management for Unix and Linux utility program pbsum, which generates application and file checksum values.
Use checksum values to determine if the target files or applications have changed by establishing baseline checksum values and then
comparing those baseline checksum values against a checksum that is generated during security policy file processing. If the checksum
value that was generated during security policy file processing does not match any of the values in runcksumlist, then the file or
application has changed since generation of the baseline checksum, and Endpoint Privilege Management for Unix and Linux refuses to
run it.
Application checksum values can be used to determine if a virus has infected an application or if the file has been changed.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runcksumlist = list of checksum values;

Valid values
A list of strings that represents checksum values generated by pbsum. The default value is empty, which specifies no checksum
checking.

Example:

runcksumlist={"b3b156bc", "59bf4a99"};

For more information, see the following:

l pbsum in the Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/documents/unix-linux/pmul-admin.pdf
l "runcksum" on page 220
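An added example, not taken from this guide, that covers both runcksum and runcksumlist: it pins the checksums of two operational binaries so that a binary changed since the baseline is refused rather than run. The paths and checksum strings are constructed placeholders (real values come from pbsum on the run host), and the fragment reads the runcommand variable, which holds the command to be run.

```pbpolicy
# Added example; not part of the guide. Paths and checksum strings are
# constructed placeholders: generate real values with pbsum on the run host.
backup_tool = "/usr/local/bin/backup-db";      # constructed path
rotate_tool = "/usr/local/bin/rotate-logs";    # constructed path

if (runcommand == backup_tool) {
    # Single pinned checksum: the task runs only while the binary still
    # matches the baseline recorded with pbsum.
    runcksum = "0123abcd";                     # placeholder pbsum value
    accept;
}

if (runcommand == rotate_tool) {
    # Two checksums accepted during a staged upgrade: the current build and
    # the previous one. A binary matching neither is refused.
    runcksumlist = {"4567ef01", "89ab2345"};   # placeholder pbsum values
    accept;
}
```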

runconfirmmessage

Data type
String, modifiable

Description
The runconfirmmessage variable contains the prompt that is displayed when the submitting user is required to enter a password. If a
prompt is not set in runconfirmmessage, then the following default prompt is used: type in the user's password.
The Endpoint Privilege Management for Unix and Linux variable runconfirmuser determines if a password is required.
There is no read-only version of this variable.

Syntax

runconfirmmessage = string;

Valid values
A string containing a user-password prompt. The default value is empty, in which case the default prompt, type in the user's password, is used.

Example:

runconfirmmessage = "Please enter the password for pat";

For more information, see "runconfirmuser" on page 228.


runconfirmpasswdservice


Data type
String, modifiable

Description
The runconfirmpasswdservice variable stores the name of the PAM password service which will be used to perform password
authentication and account management for the user named by the runconfirmuser variable. It overrides pampasswordservice in
pb.settings of the run host.
There is no read-only version of this variable.

Syntax

runconfirmpasswdservice = pam_password_service;

Valid values
A string that contains a name of a valid PAM password service that is present on the run host. There is no default value. If this variable is
not defined, the server setting pampasswordservice (if set) is used.

Example:

runconfirmpasswdservice = "pbul_pam_stack";

For more information, see the following:

l "runconfirmuser" on page 228
l "runhost" on page 144
l On pampasswordservice, Endpoint Privilege Management for Unix and Linux System Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm


runconfirmuser


Data type
String, modifiable

Description
The runconfirmuser variable controls whether or not a user must correctly enter a password before the current task request is executed.
When this variable is set, the submitting user is prompted for the password that is associated with the run host user name that is set in this
variable.
The variable runconfirmmessage determines the password prompt that is displayed to the user after the policy is finished, but before the
run host starts the command request. When setting runconfirmuser, it is a good idea to set runconfirmmessage.
If the user fails in three attempts to submit the correct password, the secured task request is not executed. Because the secured task has
already been accepted, the Endpoint Privilege Management for Unix and Linux event log records an exit status of ConfirmUser
<username> failed.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runconfirmuser = user;

Valid values
A string that contains a user name that is present on the run host (as specified in the runhost variable), for which a password must be
supplied before the current task request can be run. The default value is empty, which indicates this password check will not be
performed.

Example:

runconfirmuser = "sandy";

For more information, see the following:

l "runconfirmmessage" on page 224
l "runhost" on page 144


runeffectivegroup


Data type
String, modifiable

Description
runeffectivegroup provides control over the effective group ID (egid) of the secured task. Setting this to a group name makes that group
the effective group for the task. If runeffectivegroup is not set, then the value of rungroup specifies the effective group.
Any change to the rungroup variable resets runeffectivegroup to the same value. If you want runeffectivegroup to be different from
rungroup, then set runeffectivegroup after rungroup.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runeffectivegroup = group;

Valid values
A string that contains a valid group name. The default value is the value of rungroup.

Example:

runeffectivegroup = "bin";

For more information, see the following:

l "pblogdreconnection" on page 384
l "pbrunreconnection" on page 386
l "rungroup" on page 138
l "runuser" on page 281


runeffectiveuser


Data type
String, modifiable

Description
runeffectiveuser provides control over the effective user ID (euid) of the requested job. Setting this variable to a user name makes that
user the effective user for the job. If it is not set, the value of runuser specifies the effective user.
Any change to the runuser variable resets runeffectiveuser to the same value. If you want runeffectiveuser to be different from
runuser, then set runeffectiveuser after runuser.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runeffectiveuser = string;

Valid values
A string containing a valid user name. The default value is the value of runuser.

Example:

runeffectiveuser = "bin";

For more information, see the following:

l "pblogdreconnection" on page 384
l "pbrunreconnection" on page 386
l "runeffectivegroup" on page 230


runenablerlimits
l Version 3.5 and earlier: runenablerlimits variable not available.
l Version 4.0 and later: runenablerlimits variable available.

Data type
Boolean

Description
This variable determines whether the runrlimit_* variables are applied on the run host. It must be set to true (1) to enable the
runrlimit_* variables, that is, the run versions of rlimit_as, rlimit_core, rlimit_cpu, rlimit_data, rlimit_fsize, rlimit_locks,
rlimit_memlock, rlimit_nofile, rlimit_nproc, rlimit_rss, and rlimit_stack.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runenablerlimits = boolean;

Valid values

true Use the runrlimit_* values on the run host.

false Ignore the runrlimit_* values and use the run host native ulimits. The default is false.

Example:

runenablerlimits = true;

For more information, see the following:

l "rlimit_as" on page 176
l "rlimit_core" on page 178
l "rlimit_cpu" on page 180
l "rlimit_data" on page 182
l "rlimit_fsize" on page 184
l "rlimit_locks" on page 186
l "rlimit_memlock" on page 188
l "rlimit_nofile" on page 190
l "rlimit_nproc" on page 192
l "rlimit_rss" on page 194
l "rlimit_stack" on page 196


runmd5sum


Data type
String, modifiable

Description
The runmd5sum variable stores an MD5 checksum value. By default, runmd5sum is an empty string. Populate it by running the
Endpoint Privilege Management for Unix and Linux utility program pbsum -m <file names>, which generates the application and file MD5
checksum values.
Use checksum values to determine if a file or application has changed by establishing a baseline checksum and then comparing that
baseline checksum against a checksum that is generated during security policy file processing. If the checksum values are different, then
the file or application has changed since the generation of the baseline checksum, and Endpoint Privilege Management for Unix and Linux
refuses to run it.
Application checksum values can be used to determine if a virus has infected an application or if the file has been changed.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runmd5sum = string;

Valid values
A string containing a checksum value generated by pbsum. The default value is empty, which specifies no checksum checking.

Example:

runmd5sum = "dda5b3a11ac4e203190fbf0643722a05";

For more information, see pbsum in the Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/documents/unix-linux/pmul-admin.pdf


runmd5sumlist


Data type
List

Description
The runmd5sumlist variable contains a list of MD5 checksum values. By default, runmd5sumlist is an empty list. Populate it by running
the Endpoint Privilege Management for Unix and Linux utility program pbsum -m <file names>, which generates application and file MD5
checksum values.
Use MD5 checksum values to determine if the target files or applications have changed by establishing baseline checksum values and
then comparing those baseline checksum values against a checksum that is generated during security policy file processing. If the
checksum value that was generated during security policy file processing does not match any of the values in runmd5sumlist, then the
file or application has changed since generation of the baseline checksum, and Endpoint Privilege Management for Unix and Linux
refuses to run it.
Application MD5 checksum values can be used to determine if a virus has infected an application or if the file has been changed.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runmd5sumlist = list of checksum values;

Valid values
A list of strings that represent MD5 checksum values generated by pbsum -m <file names>. The default value is empty, which specifies
no checksum checking.

Example:

runmd5sumlist={"478cd2ea4b868c459d3fcd3132b00853",
"38a0b33c1f5fa6a2ababf0ce386a2494"};

For more information, see the following:

l On pbsum, the Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/documents/unix-linux/pmul-admin.pdf.
l "runmd5sum" on page 236
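The following Python example is added here and is not code from this guide or from pbsum; it shows the check that runmd5sum and runmd5sumlist describe: a baseline list of digests taken while the files are trusted, a fresh digest computed at request time, and a refusal when the fresh digest is not in the list. hashlib's MD5 stands in for pbsum -m, the "binaries" are constructed byte strings, and the algorithm behind the non-MD5 runcksum values is not reproduced.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of file contents, the form of value pbsum -m reports for a file."""
    return hashlib.md5(data).hexdigest()


def build_baseline(files: dict) -> list:
    """Build a runmd5sumlist-style allowlist from {path: contents} at baseline time."""
    return sorted({md5_hex(contents) for contents in files.values()})


def may_run(contents: bytes, baseline: list) -> bool:
    """Mirror the runmd5sumlist rule: run only if the fresh digest is in the baseline list.

    An empty list means no checking at all, as the guide states for the default value.
    """
    if not baseline:
        return True
    return md5_hex(contents) in baseline


# Constructed sample files: these bytes stand in for the real executables on the run host.
TRUSTED = {
    "/usr/local/sbin/patchdb": b"#!/bin/sh\nexec /opt/db/bin/patch \"$@\"\n",
    "/usr/local/sbin/rotatelogs": b"#!/bin/sh\nexec /usr/sbin/logrotate /etc/logrotate.conf\n",
}
BASELINE = build_baseline(TRUSTED)

# Any change to the file, here one appended line, yields a different digest and is refused.
TAMPERED = TRUSTED["/usr/local/sbin/patchdb"] + b"echo tampered\n"


def demo() -> dict:
    """Decisions for the trusted file, the modified file, and the unchecked default."""
    return {
        "trusted_runs": may_run(TRUSTED["/usr/local/sbin/patchdb"], BASELINE),
        "tampered_runs": may_run(TAMPERED, BASELINE),
        "unchecked_runs": may_run(TAMPERED, []),
    }


if __name__ == "__main__":
    print(BASELINE)
    print(demo())
```

Two practical caveats follow from how the check works. The list is only as good as the moment the baseline was taken, so generate it from a host you trust and regenerate it as part of every legitimate upgrade, or the next patch will be refused. And MD5 collisions are practical today, so a digest list detects accidental or opportunistic modification but does not by itself stop an adversary who could influence a file at baseline time; keep write access to the listed files restricted, which is the condition runsecurecommand enforces.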


runenvironmentfile
l Version 5.2 and earlier: runenvironmentfile not available.
l Version 6.0 and later: runenvironmentfile available.

Data type
String

Description
The runenvironmentfile variable enables you to specify the absolute path and file name of an environment file. Endpoint Privilege
Management for Unix and Linux can incorporate the environment variables that are specified in the environment file into the run
environment. These environment variables are applied on the run host after the Accept event has been logged.
The runenvironmentfile variable overrides the environmentfile setting in the pb.settings file on the run host.
There is no read-only version of this variable.
The environment file must consist of the following:

l Comment lines, which have a # character in the first non-whitespace position.
l Blank lines.
l Bourne shell compatible environment variable setting lines with the form NAME=VALUE.

Each line in the file must contain less than 1024 characters. Line continuation is not supported. This file must not contain any shell
commands or constructs other than the setting of environment variables. Comments must not appear on the same line as an environment
variable.

Syntax

runenvironmentfile = string;

Valid values
A string that contains the absolute path and file name of an environment file. The default value is empty.

Example:

runenvironmentfile = "/etc/environment";
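As an added example (not part of this guide or of the product), the following Python validator applies the file rules listed above to a constructed environment file. Where the page does not specify behaviour, the code makes a conservative assumption and labels it: which shell constructs count as forbidden, that a trailing backslash is rejected rather than taken literally, and that values are kept verbatim with no quote removal or variable expansion.

```python
import re

MAX_LINE = 1024  # each line must contain fewer than this many characters
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Tokens that would only appear if a line were a shell command rather than NAME=VALUE.
# Which constructs the product itself rejects is not stated on this page; this set is an
# assumption chosen to be conservative.
SHELL_META = ("$(", "`", ";", "|", "&")


class EnvFileError(ValueError):
    """Raised for any line that is not a comment, blank line, or plain NAME=VALUE."""


def parse_environment_file(text: str) -> dict:
    """Parse an environmentfile-format document into {NAME: VALUE}.

    Accepts comment lines (# in the first non-whitespace position), blank lines, and
    NAME=VALUE lines. Rejects over-long lines, line continuations, inline comments,
    'export NAME=...' and other shell constructs. Values are kept literally; no quote
    removal or $VAR expansion is performed (an assumption, the page does not say).
    """
    env = {}
    for lineno, raw in enumerate(text.split("\n"), start=1):
        if len(raw) >= MAX_LINE:
            raise EnvFileError(f"line {lineno}: {len(raw)} characters, limit is {MAX_LINE - 1}")
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            raise EnvFileError(f"line {lineno}: line continuation is not supported")
        if "#" in line:
            raise EnvFileError(f"line {lineno}: comments must be on their own line")
        if "=" not in line:
            raise EnvFileError(f"line {lineno}: expected NAME=VALUE")
        name, value = line.split("=", 1)
        name = name.strip()
        if not NAME_RE.match(name):  # also catches 'export NAME=...' (space in the name)
            raise EnvFileError(f"line {lineno}: invalid variable name {name!r}")
        if any(tok in value for tok in SHELL_META):
            raise EnvFileError(f"line {lineno}: shell construct in value")
        env[name] = value
    return env


# Constructed sample environment file for a run host.
SAMPLE_OK = """# Constructed sample environment file
ORACLE_HOME=/opt/oracle/product/19c
ORACLE_SID=PROD

PATH=/usr/local/bin:/usr/bin:/bin
TMPDIR=/var/tmp/oracle
"""

# Constructed lines that each break one rule.
SAMPLE_BAD = [
    "PATH=/usr/bin # default path",          # comment on the same line
    "export ORACLE_SID=PROD",                # shell keyword, not NAME=VALUE
    "JAVA_OPTS=$(cat /etc/java.opts)",       # command substitution
    "LONGVAL=" + "x" * MAX_LINE,             # over the length limit
    "MSG=first part \\",                     # line continuation
    "2BAD=value",                            # not a valid identifier
]


def rejected_lines(lines) -> list:
    """Error message for each line parsed on its own, or None if it was accepted."""
    out = []
    for line in lines:
        try:
            parse_environment_file(line)
            out.append(None)
        except EnvFileError as exc:
            out.append(str(exc))
    return out


if __name__ == "__main__":
    print(parse_environment_file(SAMPLE_OK))
    for msg in rejected_lines(SAMPLE_BAD):
        print(msg)
```

Run the validator over an environment file before pointing runenvironmentfile at it: the variables are applied after the Accept event has been logged, so a malformed file fails on the run host rather than at policy time.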


runpamsessionservice


Data type
String, modifiable

Description
The runpamsessionservice variable stores the name of the PAM service which is used to perform account management and session
setup and teardown to manage task requests on a run host. It overrides pamsessionservice in pb.settings of the run host.
There is no read-only version of this variable.

Syntax

runpamsessionservice = pam_session_service;

Valid values
A string that contains the name of a valid PAM session service that is present on the run host. There is no default value. If this variable is
not defined, the pamsessionservice setting in pb.settings on the run host (if set) is used.

Example:

runpamsessionservice = "pbul_pam_stack";

For more information, see the following:

l "runhost" on page 144
l On pamsessionservice, Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm


runpamsetcred


Data type
Integer, modifiable

Description
The runpamsetcred variable enables the pam_setcred() function, which is used to establish possible additional credentials of a user. It
overrides pamsetcred in pb.settings of the run host.
There is no read-only version of this variable.

Syntax

runpamsetcred = boolean;

Valid values

1 or true Enable pam_setcred().

0 or false Do not enable pam_setcred().

Example:

runpamsetcred = 1;

For more information, see the following:

l "runhost" on page 144
l On pamsetcred, Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm


runpid


Data type
Number, read-only

Description
The runpid variable contains the PID of the module that processes the secured task. In optimized run mode this PID (for pbrun) is the
same as submitpid; otherwise it is the PID of pblocald.
Because it is created only after the policy performs an accept, this read-only variable is not available while the policy is being processed.
It is available in the event log.

Valid values
A number that contains a pid.
This is a read-only variable.

For more information, see the following:

l "logpid" on page 153
l "pid" on page 390
l "submitpid" on page 269
l "taskpid" on page 271


runptyflags
l Version 3.5 and earlier: runptyflags not available.
l Version 4.0 and later: runptyflags available.

Data type
Internal

Description
Flags that are used internally for pty settings; reserved for internal use.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.


runsecurecommand
l Version 3.5 and earlier: runsecurecommand variable not available.
l Version 4.0 and later: runsecurecommand variable available.

Data type
Boolean

Description
The runsecurecommand variable enables an extra check on the security of the requested command. The check helps ensure that someone
other than root or the runuser (for example, sys or oracle) could not have modified the command.
When set to true, the run command and every directory above it are checked to see whether anyone other than root or the run user has write
permission. If the command file or any directory above it is writable by anyone else, the run host refuses to run the command. Setting
runsecurecommand to yes in pb.settings on the run host has the same effect.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runsecurecommand = boolean;

Valid values

true Non-zero. Check that the runcommand is writable only by root or the runuser.

false Zero. No check is performed. The default is false.

Example:

runsecurecommand = true;
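To make the directory walk concrete, here is an added Python implementation of the check (example code, not the product's): every component of the command path is inspected, and a component is flagged when its owner is neither root nor the run user, or when the group or other write bit is set. The filesystem is a constructed table so the example runs anywhere; treating any group-writable directory as insecure, regardless of the group's membership, is this example's assumption.

```python
import os
import stat


def _real_stat(path: str):
    """Return (owner uid, mode) for a real path, following symlinks as os.stat does."""
    st = os.stat(path)
    return st.st_uid, st.st_mode


def path_components(command: str) -> list:
    """'/usr/local/bin/patchdb' -> ['/', '/usr', '/usr/local', '/usr/local/bin', '/usr/local/bin/patchdb']"""
    parts = [p for p in os.path.normpath(command).split("/") if p]
    comps, cur = ["/"], ""
    for p in parts:
        cur = cur + "/" + p
        comps.append(cur)
    return comps


def insecure_components(command: str, run_uid: int, stat_fn=_real_stat) -> list:
    """Every path component that someone other than root or the run user could write.

    Flagged when the owner is neither root (0) nor run_uid, since the owner can always
    write, or when the group or other write bit is set. Group-writable directories are
    flagged even if the group contains only root and the run user (assumption, see above).
    """
    flagged = []
    for comp in path_components(command):
        uid, mode = stat_fn(comp)
        if uid not in (0, run_uid) or mode & (stat.S_IWGRP | stat.S_IWOTH):
            flagged.append(comp)
    return flagged


def secure_command_ok(command: str, run_uid: int, stat_fn=_real_stat) -> bool:
    """The runsecurecommand decision: refuse if any component is writable by others."""
    return not insecure_components(command, run_uid, stat_fn)


# Constructed fake filesystem: {path: (owner uid, mode)}. uid 1001 is the run user.
SAMPLE_TREE = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/usr": (0, stat.S_IFDIR | 0o755),
    "/usr/local": (0, stat.S_IFDIR | 0o775),                 # group-writable: flagged
    "/usr/local/bin": (0, stat.S_IFDIR | 0o755),
    "/usr/local/bin/patchdb": (1001, stat.S_IFREG | 0o755),  # owned by the run user: fine
    "/opt": (0, stat.S_IFDIR | 0o755),
    "/opt/tools": (1001, stat.S_IFDIR | 0o750),
    "/opt/tools/deploy.sh": (1002, stat.S_IFREG | 0o755),    # owned by someone else: flagged
}


def fake_stat(path: str):
    """stat_fn over the constructed tree."""
    return SAMPLE_TREE[path]


if __name__ == "__main__":
    for cmd in ("/usr/local/bin/patchdb", "/opt/tools/deploy.sh"):
        print(cmd, insecure_components(cmd, 1001, fake_stat))
```

Against a real filesystem, resolve the command with os.path.realpath first so that a symlinked component is judged by its target's ownership and mode; the walk above inspects whatever os.stat reports for each component name.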


runtimelimit
l Version 3.5 and earlier: runtimelimit variable not available.
l Version 4.0 and later: runtimelimit variable available.

Data type
Integer, modifiable

Description
The runtimelimit variable specifies a time limit for a task request. If the job does not finish within the specified number of seconds, then it
is terminated. This is similar to runtimeout, but is based on total time rather than idle time.

Note: The runtimelimit variable is not honored in local mode.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runtimelimit = number;

Valid values

positive number Enable time limit checking.

0 or negative number Disable time limit checking. This setting is the default.

Example:

runtimelimit = 3600;

For more information, see the following:

l "runtimeout" on page 251
l "submittimeout" on page 396
l "runtimewarn" on page 593
l "runtimewarnlog" on page 595


runtimeout


Data type
Integer, modifiable

Description
The runtimeout variable specifies the amount of idle time, in seconds, that the submitting user is allowed before the run host terminates
the current request. To change the idle time specification, set runtimeout.
There is no read-only version of this variable.

Note: The runtimeout variable is not honored in local mode.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runtimeout = number;

Valid values

positive number Enable idle checking.

0 or negative number Disable idle checking. This setting is the default.

Example:

runtimeout = 600;

For more information, see the following:

• "runtimelimit" on page 249
• "submittimeout" on page 396
• On runtimeout and runtimeoutoverride, Endpoint Privilege Management for Unix and Linux Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm

runutmpuser

Data type
String, modifiable

Description
The runutmpuser variable contains the User Id that appears in the utmp logs on the run host. By default, runutmpuser is set to the value
of the user variable. To change the name of the user that appears in utmp, set runutmpuser. If user does not exist on the run host, then
runutmpuser is set to the value of the runuser variable.
There is no read-only version of this variable.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Syntax

runutmpuser = string;

Valid values
A string that contains the utmp User Id. The default value is the value of the user variable.

Example:

runutmpuser = "root";

Example:

runutmpuser = "runuser";

For more information, see the following:

• "requestuser" on page 175
• "runuser" on page 281
• "user" on page 280

shellallowedcommands
• Version 3.5 and earlier: shellallowedcommands variable not available.
• Version 4.0 and later: shellallowedcommands variable available.

Data type
List

Description
This variable contains a list of strings that contain commands that may be run without any further authorization. Each element of the list
can contain either a command basename or absolute path. Shell template characters can be used at any point. This variable is used by
pbsh and pbksh at startup time.

Syntax

shellallowedcommands = list;

Valid values
A list of strings containing commands.

Example:

if (pbclientmode == "shell start")
    shellallowedcommands = {"date", "/bin/df", "/usr/local/bin/*"};

For more information, see the following:

• "pbclientmode" on page 380
• "shellcheckbuiltins" on page 256
• "shellcheckredirections" on page 257
• "shellforbiddencommands" on page 258
• "shelllogincludefiles" on page 259
• "shellreadonly" on page 260

shellcheckbuiltins
• Version 3.5 and earlier: shellcheckbuiltins variable not available.
• Version 4.0 and later: shellcheckbuiltins variable available.

Data type
Boolean

Description
When set to true, this variable directs the shell to check shell built-in commands as if they were standard commands. This variable is used
by pbsh and pbksh at startup time.

Syntax

shellcheckbuiltins = boolean;

Valid values

true: Endpoint Privilege Management for Unix and Linux shells authorize and log shell built-in commands.
false: Endpoint Privilege Management for Unix and Linux shells do not authorize or log shell built-in commands.

Example:

shellcheckbuiltins = true;

For more information, see the following:

• "pbclientmode" on page 380
• "shellallowedcommands" on page 255
• "shellcheckredirections" on page 257
• "shellforbiddencommands" on page 258
• "shelllogincludefiles" on page 259
• "shellreadonly" on page 260

shellcheckredirections
• Version 3.5 and earlier: shellcheckredirections variable not available.
• Version 4.0 and later: shellcheckredirections variable available.

Data type
Boolean

Description
When set to true, this variable directs the shell to authorize I/O redirections (for example, <, >, >>). When this variable is set to false, I/O
redirection is always allowed. pbsh and pbksh use this variable at startup time.

Syntax

shellcheckredirections = boolean;

Valid values

true: Endpoint Privilege Management for Unix and Linux shells authorize and log shell I/O redirection requests.
false: Always allows I/O redirection.

Example:

shellcheckredirections = true;

For more information, see the following:

• "pbclientmode" on page 380
• "shellallowedcommands" on page 255
• "shellcheckbuiltins" on page 256
• "shellforbiddencommands" on page 258
• "shelllogincludefiles" on page 259
• "shellreadonly" on page 260

shellforbiddencommands
• Version 3.5 and earlier: shellforbiddencommands variable not available.
• Version 4.0 and later: shellforbiddencommands variable available.

Data type
List

Description
This variable contains a list of strings that specify commands that will be rejected by pbksh and pbsh without consulting an Endpoint
Privilege Management for Unix and Linux policy server daemon. Each element of the list can contain either a command basename or
absolute path. Shell template characters can be used at any point. This variable is used by pbsh and pbksh at startup time.

Syntax

shellforbiddencommands = list;

Valid values
A list of strings as described above.

Example:

if (pbclientmode == "shell start")
    shellforbiddencommands = {"/etc/*", "/usr/sbin/*", "format", "/sbin/umount"};

For more information, see the following:

• "pbclientmode" on page 380
• "shellallowedcommands" on page 255
• "shellcheckbuiltins" on page 256
• "shellcheckredirections" on page 257
• "shelllogincludefiles" on page 259
• "shellreadonly" on page 260

shelllogincludefiles
• Version 3.5 and earlier: shelllogincludefiles variable not available.
• Version 4.0 and later: shelllogincludefiles variable available.

Data type
Boolean

Description
This variable controls whether the contents of included (sourced) shell scripts should be recorded in the I/O logs.
This is effective only if I/O logging for the shell is enabled. This variable is used by pbsh and pbksh at startup time.

Syntax

shelllogincludefiles = boolean;

Valid values

true: Endpoint Privilege Management for Unix and Linux shells authorize and log files that shell scripts and profiles include (source).
false: Contents of included shell scripts are not recorded in I/O logs.

Example:

if (pbclientmode == "shell start") shelllogincludefiles = true;

For more information, see the following:

• "pbclientmode" on page 380
• "shellallowedcommands" on page 255
• "shellcheckbuiltins" on page 256
• "shellcheckredirections" on page 257
• "shellforbiddencommands" on page 258
• "shellreadonly" on page 260

shellreadonly
• Version 3.5 and earlier: shellreadonly variable not available.
• Version 4.0 and later: shellreadonly variable available.

Data type
List

Description
The variable shellreadonly contains a list of environment variables that pbsh and pbksh set to read-only at startup time. If the variable
does not exist at start up time, then its entry is ignored. pbsh and pbksh use this variable at startup time.

Syntax

shellreadonly = list;

Valid values
A list of environment variables.

Example:

if (pbclientmode == "shell start")
    shellreadonly = {"PATH", "IFS", "SHELL", "ENV"};

For more information, see the following:

• "pbclientmode" on page 380
• "shellallowedcommands" on page 255
• "shellcheckbuiltins" on page 256
• "shellcheckredirections" on page 257
• "shellforbiddencommands" on page 258
• "shelllogincludefiles" on page 259

shellrestricted
• Version 3.5 and earlier: shellrestricted variable not available.
• Version 4.0 and later: shellrestricted variable available.

Data type
Boolean

Description
Controls whether Endpoint Privilege Management for Unix and Linux shells run in restricted mode. Restricted mode has the following
limitations:

• The cd command is disabled.
• The environment variables SHELL, ENV, and PATH are read-only.
• Command names cannot use absolute or relative paths.
• The -p option of the built-in command is disabled.
• I/O redirections (>, >|, >>, and <>) that create files are disabled.

Syntax

shellrestricted = boolean;

Valid values

true Runs Endpoint Privilege Management for Unix and Linux shells in restricted mode.

false Disables restricted mode. The default is false.

Example:

shellrestricted = true;

For more information, see the following:

• "shellallowedcommands" on page 255
• "shellcheckbuiltins" on page 256
• "shellcheckredirections" on page 257
• "shellforbiddencommands" on page 258
• "shelllogincludefiles" on page 259
• "shellreadonly" on page 260
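The shell variables above (shellallowedcommands, shellforbiddencommands, shellcheckbuiltins, shellcheckredirections, shelllogincludefiles, shellreadonly and shellrestricted) are normally set together in the "shell start" branch of the policy. The following is an added example, not code from the guide; the command paths and the use of a braced block with accept are assumptions about a typical deployment.

```pb
# Added example (not from the guide): baseline hardening applied whenever
# an Endpoint Privilege Management shell (pbsh or pbksh) starts.
# Paths and command names are illustrative assumptions.
if (pbclientmode == "shell start") {
    # Restricted mode: no cd, no absolute or relative command paths,
    # SHELL/ENV/PATH read-only, no file-creating I/O redirections.
    shellrestricted = true;

    # Also protect IFS, which influences how the shell splits words.
    shellreadonly = {"PATH", "IFS", "SHELL", "ENV"};

    # Low-risk commands the shell may run without asking the policy server.
    shellallowedcommands = {"date", "id", "/bin/df", "/usr/local/bin/*"};

    # Commands pbsh/pbksh reject locally, without consulting the policy server.
    shellforbiddencommands = {"/etc/*", "/usr/sbin/*", "format", "/sbin/umount"};

    # Treat built-ins and I/O redirections like ordinary commands:
    # they are authorized and logged instead of silently allowed.
    shellcheckbuiltins = true;
    shellcheckredirections = true;

    # When I/O logging is enabled, record the contents of sourced
    # scripts and profiles so the log shows what was actually executed.
    shelllogincludefiles = true;

    accept;
}
```

Because the forbidden list is checked in the shell itself, a rejected command never generates a request to pbmasterd, so the allowed and forbidden lists together reduce policy-server traffic as well as exposure.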

solarisproject
• Version 6.0 and earlier: solarisproject not available.
• Version 6.1 and later: solarisproject available.

Run version

runsolarisproject

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
String, solarisproject is read-only. Runsolarisproject is modifiable.

Description
The solarisproject and runsolarisproject variables specify a Solaris project that the secured task should be associated with on a Solaris
9 or higher run host. These variables initially contain the project specified on the pbrun command line, or the empty string "" if no project
was specified on the pbrun command line. If the project has not been specified (runsolarisproject equals ""), the default project (as defined
by Solaris) is associated with the secured task. If runsolarisproject is set to a project name that is not valid for the runuser, or is specified
for a non-Solaris run host, the secured task is not executed.

Valid values
A string containing a valid Solaris project on a Solaris runhost.

Example:

runsolarisproject = "group.acctng";

Example:

runsolarisproject = "user.database";

Backwards Compatibility
Earlier versions of pbmasterd do not set the solarisproject and runsolarisproject variables; however, the policy can set the
runsolarisproject variable.

submithost

Data type
String, read-only

Description
The submithost variable contains the name of the machine from which the current task request was submitted (that is, the submit host).
submithost is what the policy server considers the client name to be (based on the current submithost network interface).
The submithost, host, and runhost variables are closely related. By default, the host and runhost variables are set to submithost,
unless the user requests a specific run host by using the -h argument of the pbrun command.
There is no run version of this variable.

Valid values
A string that contains the fully qualified name of the submit host machine. This is a read-only variable.

For more information, see the following:

• "host" on page 143
• "runhost" on page 144
• "ipaddress" on page 583
• "masterhost" on page 364
• "Task submission - pbrun" on page 22
• "pid" on page 390
• "subprocuser" on page 398
• "submithostip" on page 267
• "timezone" on page 275

submithostip

Data type
String, read-only

Description
The submithostip variable contains the IP address of the machine from which the current task request was submitted (that is, the submit
host).
There is no run version of this variable.

Valid values
A string that contains a valid IP address. This is a read-only variable.

For more information, see the following:

• "host" on page 143
• "ipaddress" on page 583
• "masterhost" on page 364
• "Task submission - pbrun" on page 22
• "pid" on page 390
• "runhost" on page 144
• "submithost" on page 265
• "subprocuser" on page 398
• "timezone" on page 275

submitpid

Data type
Number, read-only

Description
The submitpid variable contains the PID of the client (pbrun, pbsh, pbksh) submitting the task request.
This read-only variable is available during the processing of the policy, and in the event log.
There is no run version of this variable.

Valid values
A number that contains a PID.
This is a read-only variable.

For more information, see the following:

• "logpid" on page 153
• "pid" on page 390
• "runpid" on page 245
• "taskpid" on page 271

taskpid

Data type
Number, read-only

Description
The taskpid variable contains the PID of the secured task launched by pbrun, or the session associated with pbksh/pbsh if iologging is
on.
This variable is populated when the secured task is executed; it has no value until a session starts and therefore cannot be used in the
policy. This variable is shown in the Finish event of the event log only when a log server is used. It can also be used in the 7.0 syslog
formatting settings, syslogsession_start_format and syslogsession_finished_format.
For pbksh and pbsh, this variable is only populated if iologging is turned on.

Valid values
A number that contains a PID. This is a read-only variable.

Example: pb.settings:

syslogsession_finished_format "Endpoint Privilege Management for Unix and Linux finished %command% pid:%taskpid% on %date% at %hour%:%minute%."

taskttyname

Data type
String, read-only

Description
The taskttyname variable contains the name of the TTY device (that is, the terminal) associated to the secured task launched by pbrun,
or the session associated with pbksh/pbsh if iologging is on.
This variable is populated when the secured task is executed; it has no value until a session starts and therefore cannot be used in the
policy. This variable is shown in the Finish event of the event log only when a log server is used. It can also be used in the 7.0 syslog
formatting settings, syslogsession_start_format and syslogsession_finished_format.
For pbksh and pbsh, this variable is only populated if iologging is turned on.

Valid values
A string that contains a TTY name. This is a read-only variable.

timezone

Data type
String, read-only

Description
The timezone variable contains a standard representation of the time zone on the machine from which the current task request was
submitted (that is, the submit host). The timezone variable is relevant for users working in a cross-platform environment in which that
submit host is a Sun machine that has its time zone set to a geographic region rather than the usual timezone file. Note that this variable
applies to Solaris installations. The format of the timezone variable is dependent upon the operating system configuration parameters.
There is no run version of this variable.

Valid values
A string that contains the standard representation of the time zone. The format of the timezone variable is dependent upon operating
system configuration parameters. This is a read-only variable.

For more information, see

• "submithost" on page 265
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

ttyname

Data type
String, read-only

Description
The ttyname variable contains the name of the TTY device (that is, the terminal) from which the current task request was submitted on the
submit host. If the client is running in pipe mode, then the value is null.
There is no run version of this variable.

Valid values
A string that contains a TTY name. This is a read-only variable.

umask

Run version

runumask

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Data type
Number. umask is read-only. runumask is modifiable.

Description
The umask and runumask variables contain umask values for the submitting user. The umask value determines the default file
permissions mask (read, write, execute) for newly created files. To change the umask values for the secured task, set runumask.

For more information on umask, refer to the Unix/Linux manual page for umask.

Syntax

runumask = number;

Valid values
A string value containing valid umask values for the submitting user. These variables have no default values. The pbrun command
environment initializes these variables.

Example:

runumask = 022;

user

Run version

runuser

IMPORTANT!

This run variable does not apply to pbssh. If it is present in the policy, it could produce undesirable results.

Data type
String. user is read-only. runuser is modifiable.

Description
The user and runuser variables specify the user name that is associated with the login name of the user that submitted the current task
request (that is, the submitting user). By default, the current task runs under this user ID.
To change the user ID the current task runs under, set the runuser variable.

Syntax

runuser = string;

Valid values
A string that contains a valid user name on the run host. user is a read-only variable and therefore has no default value. The default value
of runuser is empty.

Example:

runuser = "root";

For more information, see the following:

• "requestuser" on page 175
• "runeffectivegroup" on page 230
• "runutmpuser" on page 253


Command line parsing variables

These variables support the getopt(), getopt_long(), and getopt_long_only() policy language functions. These functions examine the
read-only task information variable env. The following table summarizes the command line parsing variables.

Variable    Description

optarg
    Contains the parameter for the last argument or an empty string if none was found.
    Version 3.5 and earlier: variable not available.
    Version 4.0 and later: variable available.

opterr
    Determines whether to print errors from the getopt(), getopt_long(), and getopt_long_only() functions.
    Version 3.5 and earlier: variable not available.
    Version 4.0 and later: variable available.

optind
    Contains the current argument list index.
    Version 3.5 and earlier: variable not available.
    Version 4.0 and later: variable available.

optopt
    Contains the letter of the last option that had a problem.
    Version 3.5 and earlier: variable not available.
    Version 4.0 and later: variable available.

optreset
    Set this to true to restart the getopt functions from the start. The next time a getopt function is called, optind is set to 1.
    Version 3.5 and earlier: variable not available.
    Version 4.0 and later: variable available.

optstrictparameters
    The getopt_long() function provides strict interpretation of argument parameters. In particular, arguments with optional
    parameters are accepted only in the form --argument=parameter. Some non-compliant programs allow --argument parameter. To
    make getopt_long() recognize the latter form, set optstrictparameters to false.
    Version 3.5 and earlier: variable not available.
    Version 4.0 and later: variable available.


optarg
• Version 3.5 and earlier: optarg variable not available.
• Version 4.0 and later: optarg variable available.

Data type
Integer, read-only

Description
Used with getopt functions. Contains the parameter for the last argument or an empty string if none was found.

Valid values
A positive integer.

Example:

if (option == "f") filename = optarg;

For more information, see the following:

• "getopt" on page 649
• "getopt_long" on page 652
• "getopt_long_only" on page 655
• "opterr" on page 284
• "optind" on page 285
• "optopt" on page 286
• "optreset" on page 287


opterr
• Version 3.5 and earlier: opterr variable not available.
• Version 4.0 and later: opterr variable available.

Data type
Boolean

Description
Used with the getopt functions. Determines whether to display errors from these functions.

Valid values

true getopt function errors are displayed.

false getopt function errors are not displayed.

Example:

if (opterr == false) accept;

For more information, see the following:

• "getopt" on page 649
• "getopt_long" on page 652
• "getopt_long_only" on page 655
• "optarg" on page 283
• "optind" on page 285
• "optopt" on page 286
• "optreset" on page 287


optind
• Version 3.5 and earlier: optind variable not available.
• Version 4.0 and later: optind variable available.

Data type
Integer

Description
Used with getopt functions. Contains the current argument list index.

Syntax

optind = integer;

Valid values
An integer between 0 and argc.

Example:

if (optind < argc) accept;

For more information, see the following:

• "getopt" on page 649
• "getopt_long" on page 652
• "getopt_long_only" on page 655
• "optarg" on page 283
• "opterr" on page 284
• "optopt" on page 286
• "optreset" on page 287


optopt
• Version 3.5 and earlier: optopt variable not available.
• Version 4.0 and later: optopt variable available.

Data type
String, read-only

Description
Used with getopt functions. Contains the letter of the last option that had a problem.

Valid values
A string.

Example:

if (error) print ("Bad option", optopt);

For more information, see the following:

• "getopt" on page 649
• "getopt_long" on page 652
• "getopt_long_only" on page 655
• "optarg" on page 283
• "opterr" on page 284
• "optind" on page 285
• "optreset" on page 287


optreset
• Version 3.5 and earlier: optreset variable not available.
• Version 4.0 and later: optreset variable available.

Data type
Boolean

Description
Used with getopt functions. Set this to true to restart the getopt functions from the start. The next time a getopt function is called, optind
is set to 1.

Syntax

optreset = boolean;

Valid values

true    Sets optind to 1; the next call to getopt(), getopt_long(), or getopt_long_only() starts from the beginning of the argv list.

false   getopt functions are not restarted from the beginning of the argv list.

Example:

optreset = true;

For more information, see the following:

• "getopt" on page 649
• "getopt_long" on page 652
• "getopt_long_only" on page 655
• "optarg" on page 283
• "opterr" on page 284
• "optind" on page 285
• "optopt" on page 286


optstrictparameters
• Version 3.5 and earlier: optstrictparameters variable not available.
• Version 4.0 and later: optstrictparameters variable available.

Data type
Boolean

Description
The getopt_long() function provides strict interpretation of argument parameters. In particular, arguments with optional parameters are
accepted only in the form --argument=parameter. Some non-compliant programs allow --argument parameter. To make getopt_long()
recognize the latter form, set optstrictparameters to false.

Syntax

optstrictparameters = boolean;

Valid values

true Allows getopt_long()'s strict interpretation of argument parameters. The default is true.

false Makes getopt_long() recognize --argument parameter specifications.

Example:

optstrictparameters = false;

For more information, see the following:

• "getopt" on page 649
• "getopt_long" on page 652
• "getopt_long_only" on page 655
• "optarg" on page 283
• "opterr" on page 284
• "optind" on page 285
• "optopt" on page 286
• "optreset" on page 287
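The semantics the entries above give to optarg, opterr, optind, optopt, optreset, and optstrictparameters, as an added Python model: this is not BeyondTrust code and not the policy language's own getopt implementation. It tracks the six variables through a parse and shows how optstrictparameters changes the handling of --argument parameter; the function name getopt_long(), its return convention, and the longopts table are assumptions made for this model only.

```python
# Added illustration (not BeyondTrust code): a Python model of the semantics
# this guide documents for optarg, opterr, optind, optopt, optreset and
# optstrictparameters.  The name getopt_long(), its return convention and the
# longopts table format are assumptions made for this model only.
from dataclasses import dataclass, field

@dataclass
class OptState:
    """The policy variables, with the meanings the guide gives them."""
    optarg: str = ""          # parameter of the last option, or ""
    opterr: bool = True       # whether errors are reported
    optind: int = 1           # argv[0] is the command, so parsing starts at 1
    optopt: str = ""          # the option that last had a problem
    optreset: bool = False    # true restarts parsing on the next call
    optstrictparameters: bool = True
    errors: list = field(default_factory=list)   # what opterr would print

def _problem(st, name, msg):
    """Remember the option in optopt; report it only when opterr is true."""
    st.optopt = name
    if st.opterr:
        st.errors.append(msg)
    return "?"

def _long_option(st, argc, argv, arg, longopts):
    name, eq, value = arg[2:].partition("=")
    st.optind += 1
    need = longopts.get(name)        # "none", "required" or "optional"
    if need is None:
        return _problem(st, name, "unrecognized option --" + name)
    if need == "none":
        if eq:
            return _problem(st, name, "option --" + name + " takes no parameter")
        return name
    if eq:                           # --argument=parameter is always accepted
        st.optarg = value
        return name
    # --argument parameter: a required parameter may follow as the next word;
    # an optional one does so only when optstrictparameters is false.
    next_word = argv[st.optind] if st.optind < argc else ""
    if need == "required" or not st.optstrictparameters:
        if next_word and not next_word.startswith("-"):
            st.optarg = next_word
            st.optind += 1
        elif need == "required":
            return _problem(st, name, "option --" + name + " requires a parameter")
    return name

def _short_option(st, argc, argv, arg, optstring):
    letter, rest = arg[1], arg[2:]
    st.optind += 1
    pos = optstring.find(letter)
    if pos < 0:
        return _problem(st, letter, "unrecognized option -" + letter)
    if optstring[pos + 1:pos + 2] == ":":    # letter takes a parameter
        if rest:                             # -fvalue
            st.optarg = rest
        elif st.optind < argc:               # -f value
            st.optarg = argv[st.optind]
            st.optind += 1
        else:
            return _problem(st, letter, "option -" + letter + " requires a parameter")
    return letter

def getopt_long(st, argc, argv, optstring, longopts):
    """Return the next option, "?" on a problem, or "" when none remain.

    On "" optind indexes the first operand, which is why a policy can test
    optind < argc to see whether arguments were left over."""
    if st.optreset:                  # documented: the next call restarts at 1
        st.optind = 1
        st.optreset = False
    st.optarg = ""
    if not 1 <= st.optind < argc:
        return ""
    arg = argv[st.optind]
    if arg == "--":                  # explicit end of options
        st.optind += 1
        return ""
    if arg.startswith("--"):
        return _long_option(st, argc, argv, arg, longopts)
    if arg.startswith("-") and len(arg) > 1:
        return _short_option(st, argc, argv, arg, optstring)
    return ""                        # first operand: stop here

def parse(argv, optstring, longopts, strict=True, opterr=True):
    """Run the loop a policy would and return (options, operands, state)."""
    st = OptState(opterr=opterr, optstrictparameters=strict, optreset=True)
    seen = []
    while True:
        opt = getopt_long(st, len(argv), argv, optstring, longopts)
        if opt == "":
            break
        seen.append((opt, st.optarg))
    return seen, argv[st.optind:], st
```

With the default strict setting, `--level 2` leaves optarg empty and `2` becomes an operand; with optstrictparameters false the same argv yields optarg "2".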


Logging variables
Logging variables store both system and task-specific information. Using the Security Policy Scripting Language, the security
administrator can query this information and use it to make security-related decisions about the current task request.
The following table summarizes the logging variables.

Variable    Description

event
    Specifies the type of Endpoint Privilege Management for Unix and Linux event that is currently logged. This is a global variable.

eventlog
    Contains the absolute path specification for the current Endpoint Privilege Management for Unix and Linux event log.

exitdate
    Contains the completion date for the current task request.

exitstatus
    Contains the task completion code, also called the return code, for the current task request.

exittime
    Contains the time, in HH:MM:SS format, of completion for the current task request.

forbidkeyaction
    Obsolete. Defines the action taken when a forbidden key sequence is entered during the execution of the current request.

forbidkeypatterns
    Obsolete. Defines the forbidden keystroke sequences, patterns, or both. An element in the forbidkeypatterns list represents each
    forbidden keystroke pattern or sequence.

i18n_exitdate
    Contains the UTF-8 encoded completion date for the current task request.

i18n_exittime
    Contains the UTF-8 encoded completion time for the current task request.

iolog
    Contains the absolute path specification for the current I/O log file.

logmaximumfailures
    Controls the maximum number of log failures for a job.

lognopassword
    Determines whether non-echoed input, such as passwords, is written to the I/O log file when I/O logging is active.

logomit
    Specifies which Endpoint Privilege Management for Unix and Linux variables to omit from the event log. Use this user-defined
    variable to reduce the disk space that is used by the event log.

logstderr
    Specifies whether error output from the current task request is recorded in the I/O log.

logstderrlimit
    Places a limit on the number of bytes from the standard error stream that Endpoint Privilege Management for Unix and Linux
    writes to the I/O log at a time.

logstdin
    Specifies whether input from the current task request is logged to the I/O log.

logstdinlimit
    Places a limit on the number of bytes from the standard input stream that Endpoint Privilege Management for Unix and Linux
    writes to an I/O log at a time.

logstdout
    Specifies whether normal output from the current task request is logged to the I/O log.

logstdoutlimit
    Places a limit on the number of bytes from the standard output stream that Endpoint Privilege Management for Unix and Linux
    writes to the I/O log at a time.

passwordloggingprompts
    Specifies the password prompts to be recognized when the lognopassword variable is set.


event

Data type
String

Description
The event variable specifies the type of Endpoint Privilege Management for Unix and Linux event that is currently logged. This is a global
variable.

Valid values

accept The current task request has passed security policy file validation criteria.

finish The task has completed execution.

keystroke The current task was terminated because of a forbidden keystroke pattern.

reject The current task request did not pass security policy file validation criteria and was not executed.

This variable appears only in the event log.

For more information, see Accept/Reject Logging in the Endpoint Privilege Management for Unix and Linux Administration
Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.


eventlog

Data type
String

Description
The eventlog variable contains the absolute path specification for the current event log. The default value comes from the settings file or
depends on the operating system, but this policy variable always supersedes those other definitions. Any parent directory in the path is
automatically created.
Beginning in version 10.3.0, new event log formats, such as SQLite DB and ODBC, were introduced. However, the file named by the
eventlog variable in the policy is always written in the original proprietary flat file format.

Syntax

eventlog = <absolute filename>;

Valid values
A string that contains the absolute path specification for the event log for the current secured task.

Example: In the following example, the path defined by the eventlog policy variable overrides the default value in the settings
file.

eventlog = '/var/log/pmul/hr001/pb.eventlog';

For more information, see the sections for the eventdestinations and eventlog settings keywords in the Endpoint Privilege
Management for Unix and Linux Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.


exitdate

Data type
String, read-only

Description
The exitdate variable contains the completion date from the policy server for the current task request. The date is in YYYY/MM/DD format.

Valid values
A string that contains the task completion date, in YYYY/MM/DD format, for the current task request. This is a read-only variable and
appears only in the event log.

For more information, see the following:

• "exitstatus" on page 296
• "exittime" on page 298
• "i18n_exitdate" on page 304
• "i18n_exittime" on page 306


exitstatus

Data type
String, read-only

Description
The exitstatus variable contains the task completion code, also called the return code, for the current task request.

Valid values

"The command exited with a status of x"
    Where x is the status code that is returned by the current task request.

"Command caught signal ## (XXXX)"
    A signal that terminated the current task request.

"Idle Timeout Reached"
    The current task request terminated because it exceeded the maximum idle time. The runtimeout variable sets the maximum idle
    time.

"Exec failed"
    The command that is associated with the current task request was not found.

undefined
    Endpoint Privilege Management for Unix and Linux was unable to execute the command that is associated with the current task
    request. In this case, the exitstatus variable is undefined (that is, it has a string length of 0). This status indicates that the task may
    still be running, or aborted due to a network or other crash.

This variable appears only in the event log.

For more information, see the following:

• "exitdate" on page 294
• "exittime" on page 298
• "runtimeout" on page 251
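An added Python example (not BeyondTrust code) that parses the exitstatus forms listed above from constructed finish records and picks out the ones an operator should review, including the undefined (zero-length) case that means the task may still be running or may have aborted. The record field names and the signal name inside the parentheses are assumptions; the records are constructed, not real event log data.

```python
# Added illustration (not BeyondTrust code): classify the exitstatus strings
# documented in this guide and pick out finish events that deserve review.
# The event records below are constructed for this example; the signal name
# in the "(XXXX)" part is assumed to be a name such as SIGTERM.
import re

_EXITED = re.compile(r"^The command exited with a status of (\d+)$")
_SIGNAL = re.compile(r"^Command caught signal (\d+) \(([^)]*)\)$")

def classify_exitstatus(exitstatus):
    """Map one exitstatus value to (kind, detail).

    kind is "exited" (detail: the integer status), "signal" (detail: (number,
    name)), "idle_timeout", "exec_failed", "undefined" (the documented
    zero-length value: the task may still be running or have aborted) or
    "unknown" for anything else."""
    if exitstatus == "":
        return "undefined", None
    m = _EXITED.match(exitstatus)
    if m:
        return "exited", int(m.group(1))
    m = _SIGNAL.match(exitstatus)
    if m:
        return "signal", (int(m.group(1)), m.group(2))
    if exitstatus == "Idle Timeout Reached":
        return "idle_timeout", None
    if exitstatus == "Exec failed":
        return "exec_failed", None
    return "unknown", None

def review_reason(record):
    """Why a finish record deserves attention, or "" if it finished cleanly.

    Only finish records carry a completion status, so this example skips the
    other event types (accept, reject, keystroke)."""
    if record.get("event") != "finish":
        return ""
    kind, detail = classify_exitstatus(record.get("exitstatus", ""))
    if kind == "exited":
        return "" if detail == 0 else "exited with status %d" % detail
    if kind == "signal":
        return "terminated by signal %d (%s)" % detail
    if kind == "undefined":
        return "no completion status: task may still be running or aborted"
    if kind == "idle_timeout":
        return "terminated after exceeding the runtimeout idle limit"
    if kind == "exec_failed":
        return "command not found on the run host"
    return "unrecognized exitstatus: " + record.get("exitstatus", "")

def review_queue(records):
    """Return (user, runuser, command, reason) for every record needing review."""
    queue = []
    for rec in records:
        reason = review_reason(rec)
        if reason:
            queue.append((rec["user"], rec["runuser"], rec["command"], reason))
    return queue

# Constructed sample records (not real event log data), shaped after the
# event, user, runuser and exitstatus variables described in this guide.
SAMPLE_EVENTS = [
    {"event": "finish", "user": "alice", "runuser": "root",
     "command": "/usr/bin/systemctl restart httpd",
     "exitstatus": "The command exited with a status of 0"},
    {"event": "finish", "user": "bob", "runuser": "root",
     "command": "/bin/sh", "exitstatus": ""},
    {"event": "finish", "user": "carol", "runuser": "oracle",
     "command": "/opt/db/bin/backup",
     "exitstatus": "Command caught signal 9 (SIGKILL)"},
    {"event": "reject", "user": "dave", "runuser": "root",
     "command": "/usr/bin/passwd root", "exitstatus": ""},
    {"event": "finish", "user": "erin", "runuser": "root",
     "command": "/usr/local/bin/deploy", "exitstatus": "Exec failed"},
]

if __name__ == "__main__":
    for item in review_queue(SAMPLE_EVENTS):
        print("%s -> %s: %s (%s)" % item)
```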


exittime

Data type
String, read-only

Description
The exittime variable contains the completion time for the current task request (that is, the time of day at which the task completed), as
recorded by the policy server, in HH:MM:SS format.

Valid values
A string that contains the completion time for the current task request, in HH:MM:SS format. This is a read-only variable and appears only
in the event log.

For more information, see the following:

• "exitdate" on page 294
• "exitstatus" on page 296
• "i18n_exitdate" on page 304
• "i18n_exittime" on page 306
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160


forbidkeyaction

Data type
String

Description
Obsolete. The forbidkeyaction variable defines the action to take if a forbidden key sequence is entered during the execution of the
current request.

Syntax

forbidkeyaction = action;

Valid values

reject Immediately terminate the current task request.

ignore Take no action; continue with task processing.

Alert or any other string Log the event in the event log with the specified string and continue with task processing.

The default value is empty and no action is taken.

Example:

forbidkeyaction = "reject";

Example:

forbidkeyaction = "alert";

For more information, see the following:

• "forbidkeypatterns" on page 302
• "setkeystrokeaction" on page 634


forbidkeypatterns

Data type
List

Description
Obsolete. The forbidkeypatterns variable defines the forbidden keystroke sequences, patterns, or both. An element in the
forbidkeypatterns list represents each forbidden keystroke pattern or sequence.
Wildcard search characters, along with other special characters, can be used to create a keystroke sequence or pattern.
The Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language supports the standard set of shell-style,
wildcard search characters. These are used for searches by the in operator and for forbidden and warning keystroke patterns.

Syntax

forbidkeypatterns = {"pattern1", "pattern2", "pattern3", ...};

Valid values
A list in which each element represents a forbidden keystroke sequence or pattern. This variable has no default value.

Example:

forbidkeypatterns = {"*/bin/rm*", "*rm *", "*xterm*"};

For more information, see the following:

• "forbidkeyaction" on page 300
• "setkeystrokeaction" on page 634
• "Wildcard search characters" on page 112


i18n_exitdate

Data type
UTF-8 encoded string, read-only

Description
The i18n_exitdate variable contains the completion date from the policy server for the current task request. It is formatted according to the
operating system’s locale settings.

Valid values
A UTF-8 encoded string that contains the task completion date for the current task request. This read-only variable appears only in the
event log.

For more information, see the following:

• "exitstatus" on page 296
• "exittime" on page 298
• "i18n_exittime" on page 306


i18n_exittime

Data type
UTF-8 encoded string, read-only

Description
The i18n_exittime variable contains the completion time for the current task request (that is, the time of day at which the task completed).
It is formatted according to the operating system’s locale settings.

Valid values
A UTF-8 encoded string that contains the completion time for the current task request. This read-only variable appears only in the event
log.

For more information, see the following:

• "exitdate" on page 294
• "exitstatus" on page 296
• "i18n_exitdate" on page 304
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160


iolog

Data type
String

Description
The iolog variable contains the absolute path specification for the current I/O log file. The default value is undefined, in which case no
I/O logging takes place. The I/O log can record the standard input, standard output, and standard error associated with the current task
request. Any parent directory in the path is created automatically. A literal path such as the one in the example below is shared by every
task that sets it; to give each task its own file, generate the name with logmktemp or mktemp (see the cross-references in this section).

Syntax

iolog = string;

Valid values
A string that contains the absolute path specification for the current iolog file. The default value is undefined.

Example:

iolog = "/var/log/sample.log";

For more information, see the following:

- "logmktemp" on page 507
- "mktemp" on page 508

logmaximumfailures

Data type
Integer

Description
The logmaximumfailures variable controls the maximum number of log failures allowed for a task. When the maximum number of failures
is exceeded, the secured task terminates. The default is 25. If logmaximumfailures is set to 0, Endpoint Privilege Management for Unix
and Linux keeps trying to log data no matter how many failures occur, and the task is not terminated on that account.

Syntax

logmaximumfailures = non-negative-integer;

Valid values
0 to max_int.

Example:

logmaximumfailures = 20;

For more information, see the following:

- "eventlog" on page 292
- "iolog" on page 308
- "logservers" on page 158

lognopassword

Data type
Boolean

Description
The lognopassword variable determines whether non-echoed input, such as passwords, is written to the I/O log file when I/O logging is
active.
Starting with version 7.0.0, when lognopassword is true, all input and output is logged until a password prompt is recognized on stdout.
The prompts to recognize are listed in the policy language list variable passwordloggingprompts, which defaults to {"Password:",
"password:", "Passwd:", "passwd:"} for v7.0.0 to v7.5.0 and to {"Password", "password", "Passwd", "passwd"} for v7.5.1 and later.
After a password prompt is recognized, non-echoed stdin is not logged until a newline is received, or until input exceeds 80 characters.
A prompt that does not match one of the listed strings, or that is written to stderr rather than stdout, is not recognized, and the input
typed after it is logged as usual.

Syntax

lognopassword = boolean;

Valid values

true Do not log passwords (or other non-echoed input).

false Log all input keystrokes. This setting is the default.

The initial lognopassword value comes from the settings file. If passwordlogging is set to never, lognopassword is set to true and
becomes read-only.

Example:

lognopassword = true;

For more information, see "passwordloggingprompts" on page 328.

logomit

Data type
List

Description
The logomit variable specifies which Endpoint Privilege Management for Unix and Linux user-defined variables to omit from the event
log. Use this variable to reduce the disk space that the event log uses. Metacharacter patterns can be used. By default, this variable is
undefined, which means that all Endpoint Privilege Management for Unix and Linux variables are written to the event log. Beginning with
Endpoint Privilege Management for Unix and Linux 4.0, logomit can accept templates. A variable omitted here is absent from the event
record for good, so omit only variables that no report or investigation depends on.

Syntax

logomit = list;

Valid values
A list in which each element names an Endpoint Privilege Management for Unix and Linux user-defined variable to omit from the event log.
The default value is undefined.

Example:

logomit = {"a", "b"};

For more information, see the following:

- "env" on page 132
- "runenv" on page 133

logstderr

Data type
Boolean

Description
The logstderr variable specifies whether error output from the current task request is logged to the I/O log. The default value is true.

Syntax

logstderr = boolean;

Valid values

true Log task error information from stderr. This value is the default.

false Do not log task error information from stderr.

Example:

logstderr = true;

For more information, see "logstderrlimit" on page 318.

logstderrlimit

Data type
Integer

Description
The logstderrlimit variable limits the number of bytes from the standard error stream that Endpoint Privilege Management for Unix and
Linux writes to the I/O log at a time. When data appears on any of the other channels, the byte count restarts from zero, so the limit applies
to each uninterrupted run of stderr output rather than to the whole session. A value of 0 places no limit on the amount of stderr data sent
to the I/O log. To turn off the logging of task standard error data entirely, set the logstderr variable to false.

Syntax

logstderrlimit = number;

Valid values

positive integer An integer specifying the maximum number of bytes.

0 No limit on the number of bytes. This setting is the default.

Example:

logstderrlimit = 4096;

For more information, see "logstderr" on page 316.

logstdin

Data type
Boolean

Description
The logstdin variable specifies whether input from the current task request is logged to the I/O log. The default value is true.

Syntax

logstdin = boolean;

Valid values

true Log task input information from stdin. This value is the default.

false Do not log task input information from stdin.

Example:

logstdin = false;

For more information, see "logstdinlimit" on page 322.

logstdinlimit

Data type
Integer

Description
The logstdinlimit variable limits the number of bytes from the standard input stream that Endpoint Privilege Management for Unix and
Linux writes to the I/O log at a time. When data appears on any of the other channels, the byte count restarts from zero, so the limit
applies to each uninterrupted run of stdin data rather than to the whole session. A value of 0 places no limit on the amount of stdin data
sent to the I/O log. To turn off the logging of standard input data to the I/O log entirely, set the logstdin variable to false.

Syntax

logstdinlimit = number;

Valid values

positive integer An integer specifying the maximum number of bytes.

0 No limit on the number of bytes. This value is the default.

Example:

logstdinlimit = 512;

For more information, see "logstdin" on page 320.

logstdout

Data type
Boolean

Description
The logstdout variable specifies whether output from the current task request is logged to the I/O log. The default value is true.

Syntax

logstdout = boolean;

Valid values

true Log task output information from stdout. This value is the default.

false Do not log task output information from stdout.

Example:

logstdout = 1;

For more information, see "logstdoutlimit" on page 326.

logstdoutlimit

Data type
Integer

Description
The logstdoutlimit variable limits the number of bytes from the standard output stream that Endpoint Privilege Management for Unix and
Linux writes to the I/O log at a time. When data appears on any of the other channels, the byte count restarts from zero, so the limit
applies to each uninterrupted run of stdout data rather than to the whole session. A value of 0 places no limit on the amount of stdout
data sent to the I/O log. To turn off the logging of standard output data to the I/O log entirely, set the logstdout variable to false.

Syntax

logstdoutlimit = number;

Valid values

positive integer An integer specifying the maximum number of bytes.

0 No limit on the number of bytes. This value is the default.

Example:

logstdoutlimit = 200;

For more information, see "logstdout" on page 324.
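The following Python model is added here as an illustration; it is not part of this guide or of the BeyondTrust product. It replays a constructed terminal session through the logstdinlimit, logstdoutlimit and logstderrlimit rules described in the three sections above, together with the logstdin, logstdout and logstderr switches, under the reading that a limit caps one uninterrupted run of data on its channel and that the count restarts when data appears on another channel. The class and function names, the session bytes, and that reading of "reset to zero" are assumptions made for the example.

```python
"""Model of the logstdinlimit / logstdoutlimit / logstderrlimit variables as
this guide describes them (added example, not BeyondTrust code).  Interpretation
used here: a limit caps one uninterrupted run of data on its channel, the count
restarts from zero whenever data appears on a different channel, 0 means no
limit, and logstdin/logstdout/logstderr = false drops the channel entirely."""
from typing import Dict, List, Sequence, Tuple

CHANNELS = ("stdin", "stdout", "stderr")


class ChannelLimiter:
    def __init__(self, logstdinlimit: int = 0, logstdoutlimit: int = 0,
                 logstderrlimit: int = 0, logstdin: bool = True,
                 logstdout: bool = True, logstderr: bool = True) -> None:
        self.limit: Dict[str, int] = {"stdin": logstdinlimit,
                                      "stdout": logstdoutlimit,
                                      "stderr": logstderrlimit}
        self.enabled: Dict[str, bool] = {"stdin": logstdin,
                                         "stdout": logstdout,
                                         "stderr": logstderr}
        # Bytes already written in the current uninterrupted run of each channel.
        self.written: Dict[str, int] = {c: 0 for c in CHANNELS}
        self.log: List[Tuple[str, bytes]] = []

    def feed(self, channel: str, data: bytes) -> int:
        """Offer data on a channel; return the number of bytes that reach the log."""
        # Data on this channel ends the current run on every other channel
        # (the guide's "reset to zero").
        for other in CHANNELS:
            if other != channel:
                self.written[other] = 0
        if not self.enabled[channel]:
            return 0
        limit = self.limit[channel]
        if limit > 0:
            room = max(0, limit - self.written[channel])
            data = data[:room]
        if data:
            self.written[channel] += len(data)
            self.log.append((channel, data))
        return len(data)

    def logged(self, channel: str) -> bytes:
        return b"".join(d for c, d in self.log if c == channel)


def replay(session: Sequence[Tuple[str, bytes]], **kwargs) -> ChannelLimiter:
    lim = ChannelLimiter(**kwargs)
    for channel, data in session:
        lim.feed(channel, data)
    return lim


# Constructed session: a noisy command, a keystroke, then more noise.
NOISY = b"x" * 500
SESSION = [
    ("stdin", b"cat big.log\n"),
    ("stdout", NOISY),          # one 500-byte run
    ("stdout", NOISY),          # continues the same run: still capped
    ("stdin", b"\n"),           # stdin data restarts the stdout count
    ("stdout", NOISY),          # a fresh run gets another logstdoutlimit bytes
    ("stderr", b"warning: something\n"),
]

if __name__ == "__main__":
    lim = replay(SESSION, logstdoutlimit=200, logstderr=False)
    print(len(lim.logged("stdout")), len(lim.logged("stderr")))
```

With logstdoutlimit = 200 the two back-to-back stdout bursts yield 200 logged bytes, the single keystroke on stdin starts a new run, and the third burst yields another 200; with the default of 0 all 1500 bytes are kept. Setting logstderr = false drops the stderr line outright, which is the difference between limiting a channel and switching it off.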

passwordloggingprompts
- Version 6.2 and earlier: passwordloggingprompts variable not available.
- Version 7.0 and later: passwordloggingprompts variable available.

Data type
List

Description
The passwordloggingprompts variable lists the prompts that the lognopassword feature recognizes. When passwords are not to be
logged, all input and output is logged until one of these prompts is recognized on stdout. After a prompt is recognized, non-echoed stdin
is not logged until a newline is received, or until input exceeds 80 characters. A prompt that is not in this list is not recognized, and the
password typed after it is written to the I/O log, so add the prompt text of any tool whose password prompt differs from the defaults.

Syntax

passwordloggingprompts = list;

Valid values
A list of strings, each the text of a prompt to recognize.
The default list for v7.0.0 to v7.5.0 is {"Password:", "password:", "Passwd:", "passwd:"}.
The default list for v7.5.1 and later is {"Password", "password", "Passwd", "passwd"}.

Example: Set the list to a single prompt to recognize:

passwordloggingprompts = {"Enter ANY string:"};

Example: Set the list to three prompts to recognize:

passwordloggingprompts = {"Enter ANY string:", "password:", "passwd:"};

Example: Append the prompt "Enter key:" to the existing list:

passwordloggingprompts = {passwordloggingprompts, "Enter key:"};

For more information, see "lognopassword" on page 312.
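The following Python model is added here as an illustration; it is not part of this guide or of the BeyondTrust product. It replays a constructed terminal session through the lognopassword and passwordloggingprompts rules described in this section and in the lognopassword section above: stdout is scanned for the listed prompts, and non-echoed stdin is withheld until a newline or until input exceeds 80 characters. The prompt lists are the defaults quoted in the text; the session bytes, the class and function names, the per-chunk substring match, and the treatment of the terminating newline are assumptions made for the example.

```python
"""Reference model of the lognopassword and passwordloggingprompts behaviour as
this guide describes it (added example, not BeyondTrust code).  It replays a
constructed pty session and shows which bytes would reach the I/O log."""
from typing import List, Sequence, Tuple

# Default prompt lists quoted in the guide for the two version ranges.
PROMPTS_V7_0 = ("Password:", "password:", "Passwd:", "passwd:")    # v7.0.0 to v7.5.0
PROMPTS_V7_5_1 = ("Password", "password", "Passwd", "passwd")        # v7.5.1 and later
SUPPRESS_LIMIT = 80   # non-echoed stdin characters withheld after a prompt (per the guide)


class IOLogModel:
    """Tracks the stdin/stdout/stderr channels of one I/O log."""

    def __init__(self, lognopassword: bool = True,
                 passwordloggingprompts: Sequence[str] = PROMPTS_V7_5_1,
                 logstdin: bool = True, logstdout: bool = True,
                 logstderr: bool = True) -> None:
        self.lognopassword = lognopassword
        self.prompts = [p.encode() for p in passwordloggingprompts]
        self.enabled = {"stdin": logstdin, "stdout": logstdout, "stderr": logstderr}
        self.suppressing = False   # True from a recognised prompt until the secret ends
        self.suppressed = 0        # characters withheld in the current secret
        self.log: List[Tuple[str, bytes]] = []

    def feed(self, channel: str, data: bytes) -> None:
        if channel == "stdin":
            self._feed_stdin(data)
            return
        if self.enabled[channel]:
            self.log.append((channel, data))
        # The guide says prompts are recognised on stdout, so stderr never arms
        # suppression.  Matching is a plain substring test within one chunk
        # (simplification: a prompt split across two writes is not matched).
        if channel == "stdout" and self.lognopassword and any(p in data for p in self.prompts):
            self.suppressing, self.suppressed = True, 0

    def _feed_stdin(self, data: bytes) -> None:
        if not self.enabled["stdin"]:
            return
        kept = bytearray()
        for b in data:
            if not self.suppressing:
                kept.append(b)
                continue
            self.suppressed += 1
            if b == 0x0A:
                # Newline ends the secret.  Withholding the newline itself is an
                # assumption; the guide does not say whether it is logged.
                self.suppressing = False
            elif self.suppressed > SUPPRESS_LIMIT:
                # Guide: logging resumes once input exceeds 80 characters, so
                # everything from the 81st character on is logged again.
                self.suppressing = False
                kept.append(b)
        if kept:
            self.log.append(("stdin", bytes(kept)))

    def logged(self, channel: str) -> bytes:
        return b"".join(d for c, d in self.log if c == channel)


def replay(session: Sequence[Tuple[str, bytes]], **kwargs) -> IOLogModel:
    model = IOLogModel(**kwargs)
    for channel, data in session:
        model.feed(channel, data)
    return model


# Constructed session: a privileged tool prompts on stdout, the user types a
# non-echoed password, then runs a command.
SESSION = [
    ("stdout", b"Password for alice: "),
    ("stdin", b"hunter2\n"),
    ("stdout", b"ok\n"),
    ("stdin", b"ls -la /root\n"),
]

if __name__ == "__main__":
    for prompts in (PROMPTS_V7_5_1, PROMPTS_V7_0):
        print(prompts[0], replay(SESSION, passwordloggingprompts=prompts).logged("stdin"))
```

Under the v7.5.1 defaults the password never reaches the log. Under the v7.0 defaults, which require the trailing colon, the same "Password for alice:" prompt is not recognized and the password is written to the I/O log; the same happens when a tool writes its prompt to stderr, or when lognopassword is false. That is the practical reason to check which prompts your privileged tools actually emit and to extend passwordloggingprompts accordingly.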

System variables
System variables contain information that pertains to all Endpoint Privilege Management for Unix and Linux task requests. The following
table summarizes the system variables.

Variable                     Description

date                         Contains the current date, taken from the policy server host, in YYYY/MM/DD format.
day                          Contains the current day of the month, taken from the policy server host, in DD format.
dayname                      Contains the current day of the week, as a three-character abbreviation, taken from the policy server host.
false                        A read-only variable with a predefined value of 0. May be used in place of a 0 value when evaluating a conditional expression or initializing a variable.
hour                         Contains the current hour, taken from the policy server host, in HH format.
i18n_date                    Contains the UTF-8 encoded current date, taken from the policy server host.
i18n_day                     Contains the UTF-8 encoded current day, taken from the policy server host.
i18n_dayname                 Contains the UTF-8 encoded current day of the week, taken from the policy server host.
i18n_hour                    Contains the UTF-8 encoded current hour, taken from the policy server host.
i18n_minute                  Contains the UTF-8 encoded minute portion of the current time, taken from the policy server host.
i18n_month                   Contains the UTF-8 encoded current month, taken from the policy server host.
i18n_time                    Contains the UTF-8 encoded current time, taken from the policy server host.
i18n_year                    Contains the UTF-8 encoded current year, taken from the policy server host.
lineinfile                   Contains the file name of the security policy file that triggers the accept or reject condition for the current task request.
linenum                      Identifies the specific line number, within a security policy file, that triggers the accept or reject event for the current task request.
lognoreconnect               Controls how Endpoint Privilege Management for Unix and Linux optimizes network traffic between pblogd and pblocald. This optimization involves reconnecting pblocald directly to pblogd, thus bypassing pbmasterd for log-related I/O streams.
masterhost                   Contains the fully qualified name of the policy server host machine (that is, the machine running pbmasterd).
minute                       Contains the minute portion of the current time, taken from the policy server host, in MM format.
month                        Contains the current month, taken from the policy server host, in MM format.
noreconnect                  Controls how Endpoint Privilege Management for Unix and Linux optimizes network traffic between pbrun and pblocald. This optimization involves reconnecting pbrun directly to pblocald, thus bypassing pbmasterd for I/O stream processing.
optimizedrunmode             Indicates whether the policy server has optimized pblocald out of the connection. Version 4.0 and earlier: variable not available. Version 5.0 and later: variable available.
outputredirect               Determines whether Endpoint Privilege Management for Unix and Linux prompt output is written to the standard error stream (stderr) or the standard output stream (stdout).
pbclientcertificateissuer    Contains the certificate issuer line from the client program.
pbclientcertificatesubject   Contains the certificate subject line from the client program.
pbclientkerberosuser         Contains the name of the client user's principal when Kerberos is used.
pbclientmode                 Specifies the mode for a request. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available.
pbclientname                 Contains the name of the Endpoint Privilege Management for Unix and Linux component from which the current task request originated.
pblogdreconnection           Affects the formation of the reconnection between pblogd and pblocald.
pbrunreconnection            Affects the formation of the reconnection between pbrun and pblocald.
pbversion                    Contains the version of Endpoint Privilege Management for Unix and Linux that is being run.
pid                          An integer that represents the pbmasterd process ID.
ptyflags                     Reserved for internal use.
status                       Contains the return code from the last system command that was run by the policy.
submittimeout                Specifies the amount of idle time that the submitting user is allowed before the submit host terminates the current request.
subprocuser                  Contains the user name under which all policy server host (that is, pbmasterd) sub-processes run (for example, commands that are run using the system() function).
time                         Contains the current time, taken from the policy server host, in HH:MM:SS format (for example, 08:24:52).
true                         A read-only variable that has a predefined value of 1. May be used in place of a numeric value 1 when evaluating a conditional expression or initializing a variable.
uniqueid                     Contains a 12-character or longer string that is guaranteed to be unique across the entire Endpoint Privilege Management for Unix and Linux system (that is, policy server host, submit host, run host and log host). Use this value to guarantee a unique identification in the event log files and to generate unique filenames.
year                         Contains the current year, taken from the policy server host, in YYYY format.

date

Data type
String, read-only

Description
The date variable contains the current date, taken from the policy server host, in YYYY/MM/DD format.

Valid values
A string that contains a date, in YYYY/MM/DD format, from the policy server host.

For more information, see the following:

- "day" on page 334
- "dayname" on page 336
- "hour" on page 340
- "minute" on page 366
- "month" on page 368
- "time" on page 400
- "year" on page 406
- "i18n_date" on page 342
- "i18n_day" on page 344
- "i18n_dayname" on page 346
- "i18n_hour" on page 348
- "i18n_minute" on page 350
- "i18n_month" on page 352
- "i18n_time" on page 354
- "i18n_year" on page 356
- "runstart_utc" on page 199
- "runfinish_utc" on page 198
- "logaccept_utc" on page 148
- "logreject_utc" on page 155
- "logkeystroke_utc" on page 152
- "logfinish_utc" on page 151
- "logserver_utcoffset" on page 156
- "master_utcoffset" on page 160

day

Data type
Integer, read-only

Description
The day variable contains the current day of the month, taken from the policy server host, in DD format.

Valid values
An integer that contains a value from 1 - 31 (inclusive) from the policy server host. This is a read-only variable and therefore has no default
value.

For more information, see the following:

- "date" on page 332
- "dayname" on page 336
- "hour" on page 340
- "minute" on page 366
- "month" on page 368
- "time" on page 400
- "year" on page 406
- "i18n_date" on page 342
- "i18n_day" on page 344
- "i18n_dayname" on page 346
- "i18n_hour" on page 348
- "i18n_minute" on page 350
- "i18n_month" on page 352
- "i18n_time" on page 354
- "i18n_year" on page 356
- "runstart_utc" on page 199
- "runfinish_utc" on page 198
- "logaccept_utc" on page 148
- "logreject_utc" on page 155
- "logkeystroke_utc" on page 152
- "logfinish_utc" on page 151
- "logserver_utcoffset" on page 156
- "master_utcoffset" on page 160

dayname

Data type
String, read-only

Description
The dayname variable contains the current day of the week, as a three-character abbreviation, taken from the policy server host.

Valid values
A character string from the policy server host that contains one of the following values: Mon, Tue, Wed, Thu, Fri, Sat, or Sun.

For more information, see the following:

- "date" on page 332
- "day" on page 334
- "hour" on page 340
- "minute" on page 366
- "month" on page 368
- "time" on page 400
- "year" on page 406
- "i18n_date" on page 342
- "i18n_day" on page 344
- "i18n_dayname" on page 346
- "i18n_hour" on page 348
- "i18n_minute" on page 350
- "i18n_month" on page 352
- "i18n_time" on page 354
- "i18n_year" on page 356
- "runstart_utc" on page 199
- "runfinish_utc" on page 198
- "logaccept_utc" on page 148
- "logreject_utc" on page 155
- "logkeystroke_utc" on page 152
- "logfinish_utc" on page 151
- "logserver_utcoffset" on page 156
- "master_utcoffset" on page 160

false

Data type
Boolean, read-only

Description
The false variable is a read-only variable with a predefined value of 0.
Many program statements rely upon conditional tests to determine what program statement should be executed next. The if statement is
an example of this. Conditional tests evaluate to either a true value or a false value.
In the Security Policy Scripting Language, a true value is represented by any positive, non-zero integer, but is usually represented by the
integer value 1. A 0 represents false.
Because true and false values are used so frequently within security policy files, the variable true may be used in place of a numeric
value 1 and the variable false may be used in place of a 0 value when evaluating a conditional expression or initializing a variable.

Valid values
0. Constant, cannot be changed.

For more information, see "true" on page 402.

hour

Data type
Integer, read-only

Description
The hour variable contains the current hour, taken from the policy server host, in HH format.

Valid values
An integer ranging from 0 to 23 (inclusive) from the policy server host.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356

i18n_date

Data type
UTF-8 encoded string, read-only

Description
The i18n_date variable contains the current date, taken from the policy server host. It is formatted according to the operating system’s
locale settings.

Valid values
A UTF-8 encoded string that con

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

i18n_day

Data type
UTF-8 encoded string, read-only

Description
The i18n_day variable contains the current day of the month, taken from the policy server host. It is formatted according to the
operating system’s locale settings.

Valid values
A UTF-8 encoded string that contains a day value.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

i18n_dayname

Data type
UTF-8 encoded string, read-only

Description
The i18n_dayname variable contains the current day of the week, taken from the policy server host. It is formatted according to the
operating system’s locale settings.

Valid values
A UTF-8 encoded string that c

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

i18n_hour

Data type
UTF-8 encoded string, read-only

Description
The i18n_hour variable contains the current hour, taken from the policy server host. It is formatted according to the operating system’s
locale settings.

Valid values
A UTF-8 encoded string that contains an hour value.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

i18n_minute

Data type
UTF-8 encoded string, read-only

Description
The i18n_minute variable contains the minute portion of the current time, taken from the policy server host. It is formatted according to the
operating system’s locale settings. The month, day, date, and year variables can be used together to determine the current date, per the
policy server host. The hour and minute variables can be used together to determine the current time, per the policy server host.

Valid values
A UTF-8 encoded string that contains a minute value.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

i18n_month

Data type
UTF-8 encoded string, read-only

Description
The i18n_month variable contains the current month, taken from the policy server host. It is formatted according to the operating system’s
locale settings. The month, day, date, and year variables can be used together to determine the current date per the policy server host.
The hour and minute variables can be used together to determine the current time per the policy server host.

Valid values
A UTF-8 encoded string that contains the month value.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

i18n_time

Data type
UTF-8 encoded string, read-only

Description
The i18n_time variable contains the current time, taken from the policy server host. It is formatted according to the operating system’s
locale settings.

Valid values
A UTF-8 encoded string that contains the current time.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

i18n_year

Data type
UTF-8 encoded string, read-only

Description
The i18n_year variable contains the current year, taken from the policy server host. It is formatted according to the operating system’s
locale settings.

Valid values
A UTF-8 encoded string that contains a year value.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

lineinfile

Data type
String, read-only

Description
The lineinfile variable contains the file name of the security policy file that triggers the accept or reject condition for the current task
request. Note that only the file name, rather than the entire path specification, is contained in this variable.

Valid values
A character string that contains the name of the security policy file in which an accept or reject event was triggered for the current task
request.
This variable appears only in the event log.

For more information, see "linenum" on page 360.

linenum

Data type
Integer, read-only

Description
The linenum variable identifies the specific line number, within a security policy file, that triggers the accept or reject event for the current
task request. This number is a line number within the security policy file identified by lineinfile.

Valid values
A positive integer. This variable appears only in the event log.

For more information, see "lineinfile" on page 358.

lognoreconnect

Data type
Boolean, modifiable

Description
The lognoreconnect variable controls how Endpoint Privilege Management for Unix and Linux optimizes network traffic between pblogd
and pblocald, and between pblocald and pbrun. This optimization involves reconnecting pblocald directly to pblogd and pbrun, thus
bypassing pbmasterd for log-related I/O streams.
When set to true, all pblocald to pblogd communications are routed through pbmasterd, as are pbrun to pblocald communications.
In Optimized Run Mode, this setting has no effect.

Syntax

lognoreconnect = boolean;

Valid values

true Disable optimization.

false Enable optimization. This value is the default.

Example:

lognoreconnect = false;

For more information, see "noreconnect" on page 370.

masterhost

Data type
String, read-only

Description
The masterhost variable contains the fully qualified name of the policy server host machine (that is, the machine that is running
pbmasterd).

Valid values
A string that contains the fully qualified name of the policy server host.

For more information, see the following:

• "host" on page 143
• "runhost" on page 144
• "submithost" on page 265
• "submithostip" on page 267

minute

Data type
Integer, read-only

Description
The minute variable contains the minute portion of the current time, taken from the policy server host, in MM format. The month, day,
date, and year variables can be used together to determine the current date, per the policy server host. The hour and minute variables
can be used together to determine the current time, per the policy server host.

Valid values
An integer that ranges from 0 - 59 inclusive.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "month" on page 368
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160

month

Data type
Integer, read-only

Description
The month variable contains the current month, taken from the policy server host, in MM format. The month, day, date, and year variables
can be used together to determine the current date per the policy server host. The hour and minute variables can be used together to
determine the current time per the policy server host.

Valid values
An integer ranging from 1 - 12, inclusive.

For more information, see the following:

• "date" on page 332
• "day" on page 334
• "dayname" on page 336
• "hour" on page 340
• "minute" on page 366
• "time" on page 400
• "year" on page 406
• "i18n_date" on page 342
• "i18n_day" on page 344
• "i18n_dayname" on page 346
• "i18n_hour" on page 348
• "i18n_minute" on page 350
• "i18n_month" on page 352
• "i18n_time" on page 354
• "i18n_year" on page 356
• "runstart_utc" on page 199
• "runfinish_utc" on page 198
• "logaccept_utc" on page 148
• "logreject_utc" on page 155
• "logkeystroke_utc" on page 152
• "logfinish_utc" on page 151
• "logserver_utcoffset" on page 156
• "master_utcoffset" on page 160
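
The time variables above (dayname, hour, minute, month) and the true/false variables are most often combined into a change-window check. The following policy fragment is an added example and is not taken from this guide or from BeyondTrust; it assumes the user, runuser, accept and reject features and the list/in syntax documented elsewhere in the guide, and the names ops_users, window_start, window_end, now_minutes and in_window are invented for illustration. The security-relevant point it shows is that hour, minute and dayname are read from the policy server host's clock, so the window is enforced in the policy server's time zone, not the submitting user's.

```policy
# Added example (not from the guide): accept a privileged command only inside a
# change window, evaluated on the policy server host's clock. hour, minute and
# dayname are taken from the policy server, not from the submitting host.
#
# Assumptions for illustration: ops_users and the window_* / now_minutes /
# in_window names are invented here; user, runuser, accept and reject are
# policy language features documented elsewhere in this guide.

ops_users    = {"alice", "bob"};     # hypothetical operators allowed to use the window
window_start = 22 * 60;              # 22:00 policy server time, in minutes since midnight
window_end   = 6 * 60;               # 06:00 the following morning

# Minutes since midnight, policy server time (hour is 0-23, minute is 0-59).
now_minutes = hour * 60 + minute;

# The window wraps past midnight, so "inside" means at or after the start
# OR before the end. Initialize with the read-only false variable (value 0).
in_window = false;
if (now_minutes >= window_start || now_minutes < window_end) {
    in_window = true;
}

# No privileged work at the weekend, whatever the hour. dayname is the
# three-letter abbreviation (Mon ... Sun) documented above.
if (dayname == "Sat" || dayname == "Sun") {
    in_window = false;
}

if (user in ops_users && in_window) {
    runuser = "root";
    accept;
}

# Everything else is rejected; the string is shown to the requester.
reject "Privileged commands are accepted Mon-Fri, 22:00-06:00 policy server time only";
```

Two caveats follow from the way these variables are defined. First, because the clock is the policy server's, a fleet spanning time zones sees one global window; use master_utcoffset (referenced above) if the policy has to reason about the requester's local time. Second, a window that wraps past midnight interacts with the weekend test: the early hours of Saturday are rejected even though they belong to Friday night's window, which is usually the intended behaviour but should be stated explicitly in the change process.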

noreconnect

Data type
Boolean, modifiable

Description
The noreconnect variable controls how EPM optimizes network traffic between pbrun and pblocald. This optimization involves
reconnecting pbrun directly to pblocald, thus bypassing pbmasterd for I/O stream processing.

Syntax

noreconnect = boolean;

Valid values

true Disable optimization.

false Enable optimization. This value is the default.

Example:

noreconnect = true;

For more information, see "lognoreconnect" on page 362.

outputredirect

Data type
String, modifiable

Description
The outputredirect variable determines whether Endpoint Privilege Management for Unix and Linux prompt output (for example, a
password or confirmation prompt) is written to the standard error stream (stderr) or to the standard output stream (stdout). The main
use for this feature is to make prompts appear on the user's terminal even when the command is running in a pipeline: when run in a
pipeline, prompts normally go into that pipeline along with the command's output. By setting outputredirect to "stderr", you keep the
prompts out of the pipeline and on the terminal.

Syntax

outputredirect = string;

Valid values

stderr Write Endpoint Privilege Management for Unix and Linux prompt output to the standard error file.

stdout Write Endpoint Privilege Management for Unix and Linux prompt output to the standard output file.

The default value is empty.

Example:

outputredirect = "stderr";

For more information, see the following:

l "iolog" on page 308


l "logstderr" on page 316
l "logstderrlimit" on page 318
l "logstdin" on page 320
l "logstdout" on page 324
l "logstdoutlimit" on page 326

pbclientcertificateissuer

Data type
String, read-only

Description
This variable contains the issuer line of the certificate presented by the client program (pbrun). This variable is available only while the policy is running.

Valid values
A string that contains the certificate issuer line from the client program.

For more information, see the following:

l "pblocaldcertificateissuer" on page 424


l "pblogdcertificateissuer" on page 438
l "pbmasterdcertificateissuer" on page 452
l "pbclientcertificatesubject" on page 376

pbclientcertificatesubject

Data type
String, read-only

Description
pbclientcertificatesubject contains the subject line of the certificate presented by the client program (pbrun). This variable is available only
while the policy is running.

Valid values
A string that contains the certificate subject line from the client program.

For more information, see the following:

l "pblocaldcertificatesubject" on page 426


l "pblogdcertificatesubject" on page 440
l "pbmasterdcertificatesubject" on page 454

pbclientkerberosuser

Data type
String, read-only

Description
pbclientkerberosuser contains the name of the client (pbrun) user’s principal when Kerberos is used.

Valid values
A string that contains the name of the client user’s principal.
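
Example: The following policy fragment is added here as an illustration and is not taken from the guide or from BeyondTrust. It uses
pbclientcertificateissuer, pbclientcertificatesubject and pbclientkerberosuser together to tie a request to the identity that pbrun presented
on the wire, so that a request whose transport identity does not match the submitting user is rejected before any command policy runs. The
issuer names, the subject naming convention (certificate CN equal to the Unix user name), the Kerberos realm, and the assumption that a
variable is empty when no certificate or principal was presented are all assumptions made for this example; adjust them to your own PKI.

```pbpolicy
# Added example (not from the guide): bind the request to the transport
# identity that pbrun presented. Issuer names, the subject convention and
# the realm are assumed values.

trusted_issuers = {
    "/C=US/O=Example Corp/OU=PKI/CN=Example Internal Issuing CA 1",
    "/C=US/O=Example Corp/OU=PKI/CN=Example Internal Issuing CA 2"
};
realm = "EXAMPLE.COM";

# The certificate variables are populated only while the policy is running.
# Assumption: they are empty when pbrun did not present a certificate.
if (pbclientcertificateissuer == "") {
    reject "pbrun did not present a client certificate";
}

# Pin the issuer to the internal CA: a certificate from any other CA is refused
# even if it would otherwise validate.
if (pbclientcertificateissuer in trusted_issuers) {
    # Assumed naming convention: the certificate CN is the Unix user name, so
    # the subject must name the same user that submitted the request.
    expected_subject = "/C=US/O=Example Corp/OU=Workstations/CN=" + user;
    if (pbclientcertificatesubject != expected_subject) {
        reject "Client certificate subject " + pbclientcertificatesubject +
               " does not match submitting user " + user;
    }
} else {
    reject "Client certificate issuer not trusted: " + pbclientcertificateissuer;
}

# When Kerberos authenticated the client, the principal must belong to the
# submitting user as well; an unrelated principal points at a forwarded
# ticket or a misconfigured client, and is refused.
if (pbclientkerberosuser != "") {
    if (pbclientkerberosuser != user + "@" + realm) {
        reject "Kerberos principal " + pbclientkerberosuser +
               " does not match submitting user " + user;
    }
}

# Identity checks passed; the rest of the policy decides what may run.
```

Because the certificate variables exist only while the policy is running, the checks must be made in the policy itself; they cannot be
deferred to a log-time script.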

pbclientmode
l Version 3.5 and earlier: pbclientmode variable not available.
l Version 4.0 and later: pbclientmode variable available.

Data type
String, read only

Description
pbclientmode identifies the way in which the current request was made, so a policy can apply different checks to a plain pbrun request,
to an Endpoint Privilege Management shell starting up, and to individual built-ins, commands and redirections inside such a shell. It is set
as shown in the following table.

How invoked                                          pbclientmode value
pbrun                                                run
pbssh                                                pbssh
pbksh or pbsh startup                                shell start
Shell built-in from pbksh or pbsh                    shell builtin
Command from shell command line or argument          shell command
Redirection in a shell command (<, >, or >>)         shell redirect

Valid values
A string as described above.

Example:

if (pbclientmode == "shell start")
    shellcheckbuiltins = true;
else if (pbclientmode == "shell redirect" && argv[1] == "/dev/null")
    reject;

For more information, see the following:

l "shellallowedcommands" on page 255
l "shellcheckbuiltins" on page 256
l "shellcheckredirections" on page 257
l "shellforbiddencommands" on page 258
l "shellreadonly" on page 260
l "shelllogincludefiles" on page 259

pbclientname

Data type
String, read-only

Description
The pbclientname variable contains the name of the Endpoint Privilege Management for Unix and Linux component from which the
current task request originated.

Valid values

pbrun    The current task request originated from pbrun.
pbsh     The current task request originated from the pbsh Endpoint Privilege Management for Unix and Linux shell.
pbksh    The current task request originated from the pbksh Endpoint Privilege Management for Unix and Linux shell.
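
Example: The following policy fragment is added here as an illustration and is not taken from the guide or from BeyondTrust. It uses
pbclientname to apply shell-specific controls only to requests that come from the pbsh and pbksh shells, and pbclientmode to pick the
check that fits each kind of shell request (startup, built-in, redirection, command). The command lists, paths and built-in names are assumed
values; that argv[0] carries the built-in name in "shell builtin" mode and that argv[1] carries the redirection target in "shell redirect" mode are
assumptions as well.

```pbpolicy
# Added example (not from the guide): shell-specific controls keyed on
# pbclientname, with the check selected by pbclientmode. Lists, paths and
# the argv positions are assumed values.

if (pbclientname == "pbsh" || pbclientname == "pbksh") {

    if (pbclientmode == "shell start") {
        # The shell is starting: configure the checks it applies from now on.
        shellcheckbuiltins     = true;      # built-ins are sent to the policy
        shellcheckredirections = true;      # <, > and >> are sent to the policy
        shellreadonly          = {"PATH", "IFS", "ENV", "LD_LIBRARY_PATH"};
        shellallowedcommands   = {"/bin/ls", "/bin/cat", "/bin/pwd"};
        shellforbiddencommands = {"/bin/sh", "/bin/bash", "/usr/bin/su", "/usr/bin/sudo"};
        accept;
    }

    if (pbclientmode == "shell builtin") {
        # Built-ins that could escape or weaken the controlled shell are refused.
        if (argv[0] in {"exec", "ulimit", "trap"}) {
            reject "Shell built-in " + argv[0] + " is not permitted";
        }
        accept;
    }

    if (pbclientmode == "shell redirect") {
        # Writes into the account and privilege databases are refused.
        if (argv[1] in {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"}) {
            reject "Redirection to " + argv[1] + " is not permitted";
        }
        accept;
    }

    if (pbclientmode == "shell command") {
        # A command typed into the shell: only the approved administrative
        # commands run as root; everything else is rejected (and so logged).
        if (command in {"/usr/bin/systemctl", "/usr/sbin/service"}) {
            runuser = "root";
            accept;
        }
        reject "Command " + command + " is not permitted from the EPM shell";
    }

    # A mode this policy does not know is refused rather than silently accepted.
    reject "Unhandled shell request mode: " + pbclientmode;
}

# Requests from pbrun (pbclientname "pbrun", pbclientmode "run") fall through
# to the ordinary command policy that follows this fragment.
```

The final reject inside the pbclientname branch matters: a policy that only accepts the modes it recognises, and refuses the rest, keeps a
future or unexpected request mode from running with no checks at all.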

pblogdreconnection

Data type
Boolean, modifiable

Description
This variable affects the formation of the reconnection between pblogd and pblocald. If the value is missing or false, then pblogd listens
for connections that are initiated by pblocald under the control of pbmasterd. If pblogdreconnection is set to true, then pblocald listens
for connections that are initiated by pblogd under the control of pbmasterd.
There is no read-only version of this variable.

Syntax

pblogdreconnection = boolean;

Valid values

true     pblocald listens for connections that are initiated by pblogd under the control of pbmasterd.
false    pblogd listens for connections that are initiated by pblocald under the control of pbmasterd. This value is the default.

Example:

pblogdreconnection = true;

For more information, see the following:

l "pbrunreconnection" on page 386


l "runeffectivegroup" on page 230
l "runeffectiveuser" on page 232

pbrunreconnection

Data type
Boolean, modifiable

Description
This variable affects the formation of the reconnection between pbrun and pblocald. If the value is missing or false, then pbrun listens
for connections that are initiated by pblocald under the control of pbmasterd. If pbrunreconnection is set to true, pblocald listens for
connections that are initiated by pbrun under the control of pbmasterd.
There is no read-only version of this variable.

Syntax

pbrunreconnection = boolean;

Valid values

true     pblocald listens for connections that are initiated by pbrun under the control of pbmasterd.
false    pbrun listens for connections that are initiated by pblocald under the control of pbmasterd. This value is the default.

Example:

pbrunreconnection = true;

For more information, see the following:

l "pblogdreconnection" on page 384


l "runeffectivegroup" on page 230
l "runeffectiveuser" on page 232
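
Example: The following policy fragment is added here as an illustration and is not taken from the guide or from BeyondTrust. It sets both
pbrunreconnection and pblogdreconnection from the network zone of the run host, so that the side that is allowed to open connections
through the firewall is the one that initiates. The host names and the zone layout (an internal network that may connect out to a DMZ,
but not the reverse) are assumed for this example.

```pbpolicy
# Added example (not from the guide): choose the reconnection direction
# from the zone of the run host. Host names and the zone layout are assumed.

dmz_hosts = {"web1.dmz.example.com", "web2.dmz.example.com", "bastion.dmz.example.com"};

# Defaults (the same as leaving the variables unset): pbrun and pblogd
# listen, and pblocald on the run host initiates both reconnections.
pbrunreconnection  = false;
pblogdreconnection = false;

# With a run host in the DMZ, the defaults need that host to open connections
# into the internal network (to pbrun on the submit host and to pblogd on the
# log host), which the firewall blocks. Reverse both so the internal side
# initiates and pblocald in the DMZ only listens.
if (runhost in dmz_hosts) {
    pbrunreconnection  = true;   # pbrun connects out to pblocald
    pblogdreconnection = true;   # pblogd connects out to pblocald
}

# noreconnect concerns only the pbrun/pblocald path: when it is true, pbrun
# never reconnects to pblocald directly (I/O stays routed through pbmasterd),
# so pbrunreconnection has nothing to control. Keep the two consistent.
if (noreconnect) {
    pbrunreconnection = false;
}
```

An internal run host reached from a DMZ submit host needs no change: the default has pblocald (internal) connect to pbrun (DMZ), which is
the permitted direction in the assumed layout.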

pbversion

Data type
String, read-only

Description
The pbversion variable contains the version number of Endpoint Privilege Management for Unix and Linux that is being run.

Valid values
A string that contains the Endpoint Privilege Management for Unix and Linux version number.

pid

Data type
Integer, read-only

Description
The pid variable contains the Unix or Linux process ID number for pbmasterd on the policy server host.

Valid values
An integer that represents the pbmasterd process ID.

For more information, see "masterhost" on page 364.

ptyflags

Data type
Internal, read-only

Description
Reserved for internal use.

status

Data type
Integer, read-only

Description
The status variable contains the return code from the last system() command that was run by the policy.

Valid values
An integer that contains the return code from the most recent call to the system() function. The value before the first system() call is undefined, so test status only after a system() call has been made.

For more information, see "system" on page 597.

submittimeout

Data type
Integer

Description
This variable specifies the idle time, in seconds, that is allotted to the submitting user before the submit host terminates the current
request.

Note: The submittimeout variable is not honored in local mode.

Syntax

submittimeout = number;

Valid values

positive integer Enables idle checking; specifies the idle time in seconds.

0 or negative integer Disables idle checking. This value is the default.

Example: Here the submitting user is allotted 300 seconds before the request is terminated.

submittimeout = 300;

For more information, see "runtimeout" on page 251.

subprocuser

Data type
String, modifiable

Description
The subprocuser variable contains the user name under which all policy server host (that is, pbmasterd) subprocesses run (for
example, commands that are run using the system() function). By default, all policy server host sub-processes run as root.

Syntax

subprocuser = string;

Valid values
A string that specifies a user name. The default value is root.

Example:

subprocuser = "user";

For more information, see "system" on page 597.
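
Example: The following policy fragment is added here as an illustration and is not taken from the guide or from BeyondTrust. It shows
subprocuser, system() and status working together: a helper on the policy server runs as an unprivileged account rather than as root,
and the request is accepted or rejected on the helper's exit status. The helper path, the account name, the helper's exit-code convention,
and the assumption that system() starts the command through a shell (which is what makes the command-injection caveat in the
comments matter) are all assumptions for this example.

```pbpolicy
# Added example (not from the guide): run a policy-server helper as an
# unprivileged account and decide on its exit status. Helper path, account
# name and exit-code convention are assumed.

# Every system() call in this policy now runs as this account instead of
# root (the default), so a bug in the helper cannot take the policy server
# with it. The account only needs to read the helper and its data.
subprocuser = "pbhelper";

# Build the command line only from values the policy server established
# itself (user, submithost). Never splice argv, env or other request-supplied
# strings into a command string: if a shell is in the path, ";", "$(...)" or
# a newline inside such a value becomes a second command run as subprocuser.
helper = "/usr/local/sbin/check_change_ticket";
system(helper + " " + user + " " + submithost);

# status holds the helper's return code. Assumed convention: 0 means an open
# change ticket exists; anything else means no ticket, or the helper could
# not run at all. Both cases are treated as "no ticket".
if (status != 0) {
    reject "No open change ticket for " + user + " from " + submithost;
}

# Ticket found: run the requested command as root, with an I/O log of it.
runuser = "root";
iolog   = "/var/log/pbul/iolog/" + user + "." + uniqueid;
accept;
```

Treating a non-zero status as a rejection, rather than as "helper unavailable, allow", is the safe default: an outage of the helper then
closes access instead of opening it.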

time

Data type
String, read-only

Description
The time variable contains the current time, taken from the policy server host's clock, in HH:MM:SS format (for example, 08:24:52).

Valid values
A string containing the current time in HH:MM:SS format.

For more information, see the following:

l "date" on page 332


l "day" on page 334
l "dayname" on page 336
l "hour" on page 340
l "minute" on page 366
l "month" on page 368
l "year" on page 406
l "i18n_date" on page 342
l "i18n_day" on page 344
l "i18n_dayname" on page 346
l "i18n_hour" on page 348
l "i18n_minute" on page 350
l "i18n_month" on page 352
l "i18n_time" on page 354
l "i18n_year" on page 356
l "runstart_utc" on page 199
l "runfinish_utc" on page 198
l "logaccept_utc" on page 148
l "logreject_utc" on page 155
l "logkeystroke_utc" on page 152
l "logfinish_utc" on page 151
l "logserver_utcoffset" on page 156
l "master_utcoffset" on page 160

true

Data type
Boolean, read-only

Description
The true variable is a read-only variable with a predefined value of 1.
Many program statements rely upon conditional tests to determine what program statement should be executed next. The if statement is
an example of this. Conditional tests generally evaluate to either a true or false value. In the Security Policy Scripting Language, any
positive, non-zero integer can represent a true value, but 1 is normally used. A 0 represents a false value.
Because true and false values are frequently used when creating security policy files, the variable true may be used in place of a numeric
value 1 and the variable false may be used in place of a 0 value when evaluating a conditional expression or initializing a variable.

Valid values
1. Constant, cannot be changed.

For more information, see "false" on page 338.

uniqueid

Data type
String, read-only

Description
The uniqueid variable contains a 12-character or longer string that is guaranteed to be unique across the entire Endpoint Privilege
Management for Unix and Linux system (policy server host, submit host, run host and log host). This value is used to guarantee a unique
identification in the event log files and can be used to generate unique file names.

Example:

iolog = "/usr/adm/pblog" + uniqueid;

Valid values
A 12-character or longer string value that is unique across the entire Endpoint Privilege Management for Unix and Linux system.

For more information, see the following:

l "ipaddress" on page 583


l "masterhost" on page 364

year

Data type
Integer, read-only

Description
The year variable contains the current year, taken from the policy server host, in YYYY format.

Valid values
An integer that contains a year in YYYY format.

For more information, see the following:

- "date" on page 332
- "day" on page 334
- "dayname" on page 336
- "hour" on page 340
- "minute" on page 366
- "month" on page 368
- "time" on page 400
- "i18n_date" on page 342
- "i18n_day" on page 344
- "i18n_dayname" on page 346
- "i18n_hour" on page 348
- "i18n_minute" on page 350
- "i18n_month" on page 352
- "i18n_time" on page 354
- "i18n_year" on page 356
- "runstart_utc" on page 199
- "runfinish_utc" on page 198
- "logaccept_utc" on page 148
- "logreject_utc" on page 155
- "logkeystroke_utc" on page 152
- "logfinish_utc" on page 151
- "logserver_utcoffset" on page 156
- "master_utcoffset" on page 160
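An added example, not taken from the guide, that puts the uniqueid and year entries above to work together (with month and day, which the year entry cross-references): it names one I/O log file per request so that the files sort by date and can never collide, and it refuses to grant anything when the policy server's clock is obviously wrong. The directory /var/log/pb/iolog, the cut-off year and the use of sprintf for zero-padding are assumptions made for this illustration; user, year, month, day, uniqueid, iolog, print and reject are the policy language's own variables, functions and statements.

```pbpolicy
# Added example (not from the guide): date-sortable, collision-free I/O log names.
# Assumptions: /var/log/pb/iolog already exists on the log host and pblogd can
# write to it; sprintf() formats like C's sprintf.
# year, month and day are integers read from the policy server's clock, so
# %04d/%02d zero-pad them; uniqueid is unique across every host in the system,
# which is what makes the file name safe even when the same user runs the same
# command twice in the same second.
iologfile = sprintf("%s.%04d%02d%02d.%s", user, year, month, day, uniqueid);
iolog = "/var/log/pb/iolog/" + iologfile;

# A policy server whose clock predates the rollout is misconfigured; do not
# grant privilege on the strength of any time-based rule it evaluates.
if (year < 2024) {
    print("policy server clock is not set correctly; request rejected");
    reject;
}
```

Because year, month and day come from the policy server and not from the submitting host, the file name cannot be influenced by a user who changes the clock on the submit host; uniqueid provides the remaining uniqueness, so the policy does not need to check for an existing file.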


Host identification variables


The host identification variables identify the characteristics of the Endpoint Privilege Management for Unix and Linux machines.
The following table summarizes these variables.

Variable                      Description

masterlocale                  The locale setting on the policy server host.
                              Version 6.0.1 and earlier: variable not available.
                              Version 6.1 and later: variable available.

runlocale                     The locale setting on the run host.
                              Version 6.0.1 and earlier: variable not available.
                              Version 6.1 and later: variable available.
                              Note: This run variable does not apply to pbssh. If it is present in the policy,
                              it does not have any effect on pbssh and is ignored.

submitlocale                  The locale setting on the submit host.
                              Version 6.0.1 and earlier: variable not available.
                              Version 6.1 and later: variable available.

pbguidmachine                 The machine type ID from uname on the GUI host.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbguidnodename                The nodename from uname on the GUI host.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbguidrelease                 The operating system release from uname on the GUI host.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbguidsysname                 The system name from uname on the GUI host.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbguidversion                 The operating system version from uname on the GUI host.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbkshmachine                  The machine type ID from uname on the pbksh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbkshnodename                 The nodename from uname on the pbksh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbkshrelease                  The operating system release from uname on the pbksh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbkshsysname                  The system name from uname on the pbksh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbkshversion                  The operating system version from uname on the pbksh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pblocaldcertificateissuer     The issuer string from the pblocald certificate.

pblocaldcertificatesubject    The subject string from the pblocald certificate.

pblocaldmachine               The machine type ID from uname on the run host.

pblocaldnodename              The nodename from uname on the run host.

pblocaldrelease               The operating system release from uname on the run host.

pblocaldsysname               The system name from uname on the run host.

pblocaldversion               The operating system version from uname on the run host.

pblogdcertificateissuer       The issuer string from the pblogd certificate.

pblogdcertificatesubject      The subject string from the pblogd certificate.

pblogdmachine                 The machine type ID from uname on the log host.

pblogdnodename                The nodename from uname on the log host.

pblogdrelease                 The operating system release from uname on the log host.

pblogdsysname                 The system name from uname on the log host.

pblogdversion                 The operating system version from uname on the log host.

pbmasterdcertificateissuer    The issuer string from the pbmasterd certificate.

pbmasterdcertificatesubject   The subject string from the pbmasterd certificate.

pbmasterdmachine              The machine type ID from uname on the policy server host.

pbmasterdnodename             The nodename from uname on the policy server host.

pbmasterdrelease              The operating system release from uname on the policy server host.

pbmasterdsysname              The system name from uname on the policy server host.

pbmasterdversion              The operating system version from uname on the policy server host.

pbrunmachine                  The machine type ID from uname on the submit host.

pbrunnodename                 The nodename from uname on the submit host.

pbrunrelease                  The operating system release from uname on the submit host.

pbrunsysname                  The system name from uname on the submit host.

pbrunversion                  The operating system version from uname on the submit host.

pbshmachine                   The machine type ID from uname on the pbsh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbshnodename                  The nodename from uname on the pbsh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbshrelease                   The operating system release from uname on the pbsh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbshsysname                   The system name from uname on the pbsh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.

pbshversion                   The operating system version from uname on the pbsh machine.
                              Version 3.5 and earlier: variable not available.
                              Version 4.0 and later: variable available.
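An added example, not taken from the guide, of how a policy would use the variables in this table. When the policy runs, the request has not yet been dispatched to a run host or written to the log host, so the policy tests the submit-host values (pbrunsysname, submitlocale); the pblocald* and pblogd* values are recorded in the event log afterwards, as the individual variable pages that follow state. The site rule that privileged commands may only be submitted from Linux or AIX hosts, and the decision to carry the submitter's locale over to the run host, are assumptions made for this illustration; in, print, reject and setenv are the policy language's own operator, functions and statement.

```pbpolicy
# Added example (not from the guide): gate on the submitting host's platform
# and keep the run host's locale consistent with the submitter's.
# Assumption: site policy only allows privileged requests from Linux or AIX
# submit hosts. pbrunsysname is uname's system name on the submit host and
# is available while the policy executes.
if (!(pbrunsysname in {"Linux", "AIX"})) {
    print("privileged commands may not be submitted from " + pbrunsysname + " hosts");
    reject;
}

# Make the run host's environment agree with the user's locale on the submit
# host, so prompts shown to the user and the I/O log use the same encoding.
# submitlocale is the submit host's locale string, for example zh_CN.utf8.
if (submitlocale != "") {
    setenv("LANG", submitlocale);
}

# Anything that reaches this point is left for the rest of the policy to decide.
```

A policy must not branch on pblocaldsysname or pblogdrelease: those values exist only in the event log record, so the condition would never see them. A question such as "which accepted requests ran on a host whose uname differs from the submit host" is answered after the fact by querying the event log (for instance with pblog's condition option, assumed here), not inside the policy.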


masterlocale
- Version 6.0.1 and earlier: masterlocale variable not available.
- Version 6.1 and later: masterlocale variable available.

Data type
String, read-only

Description
The locale setting on the policy server host.

Valid values
A string that contains the locale setting (such as zh_CN.utf8) on the policy server host.


runlocale
- Version 6.0.1 and earlier: runlocale variable not available.
- Version 6.1 and later: runlocale variable available.

Data type
String, read-only

Description
The locale setting on the run host.

Note: This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is
ignored.

Valid values
A string that contains the locale setting (such as zh_CN.utf8) on the run host.


submitlocale
- Version 6.0.1 and earlier: submitlocale variable not available.
- Version 6.1 and later: submitlocale variable available.

Data type
String, read-only

Description
The locale setting on the submit host.

Valid values
A string that contains the locale setting (such as zh_CN.utf8) on the submit host.


pbguidmachine
- Version 3.5 and earlier: pbguidmachine variable not available.
- Version 4.0 and later: pbguidmachine variable available.

Data type
String, read-only

Description
The machine type ID from uname on the GUI host.

Valid values
A string that contains the GUI host machine hardware name from the uname command.


pbguidnodename
- Version 3.5 and earlier: pbguidnodename variable not available.
- Version 4.0 and later: pbguidnodename variable available.

Data type
String, read-only

Description
The nodename from uname on the GUI host.

Valid values
A string that contains the GUI host name from the uname command.


pbguidrelease
- Version 3.5 and earlier: pbguidrelease variable not available.
- Version 4.0 and later: pbguidrelease variable available.

Data type
String, read-only

Description
The operating system release from uname on the GUI host.

Valid values
A string that contains the GUI host operating system release from the uname command.


pbguidsysname
- Version 3.5 and earlier: pbguidsysname variable not available.
- Version 4.0 and later: pbguidsysname variable available.

Data type
String, read-only

Description
The system name from uname on the GUI host.

Valid values
A string that contains the GUI host operating system implementation string from the uname command.


pbguidversion
- Version 3.5 and earlier: pbguidversion variable not available.
- Version 4.0 and later: pbguidversion variable available.

Data type
String, read-only

Description
The operating system version from uname on the GUI host.

Valid values
A string that contains the GUI host operating system version string from the uname command.


pbkshmachine
- Version 3.5 and earlier: pbkshmachine variable not available.
- Version 4.0 and later: pbkshmachine variable available.

Data type
String, read-only

Description
The machine type ID from uname on the pbksh machine.

Valid values
A string that contains the machine hardware ID from the uname command.


pbkshnodename
- Version 3.5 and earlier: pbkshnodename variable not available.
- Version 4.0 and later: pbkshnodename variable available.

Data type
String, read-only

Description
The nodename from uname on the pbksh machine.

Valid values
A string that contains the nodename from the uname command.


pbkshrelease
- Version 3.5 and earlier: pbkshrelease variable not available.
- Version 4.0 and later: pbkshrelease variable available.

Data type
String, read-only

Description
The operating system release from uname on the pbksh machine.

Valid values
A string that contains the operating system release from the uname command.


pbkshsysname
- Version 3.5 and earlier: pbkshsysname variable not available.
- Version 4.0 and later: pbkshsysname variable available.

Data type
String, read-only

Description
The system name from uname on the pbksh machine.

Valid values
A string that contains the operating system implementation string from the uname command.


pbkshversion
- Version 3.5 and earlier: pbkshversion variable not available.
- Version 4.0 and later: pbkshversion variable available.

Data type
String, read-only

Description
The operating system version from uname on the pbksh machine.

Valid values
A string that contains the operating system version from the uname command.


pblocaldcertificateissuer


Data type
String, read-only

Description
The issuer string from pblocald’s certificate. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains pblocald’s certificate issuer line.

For more information, see the following:

- "pbclientcertificateissuer" on page 374
- "pblogdcertificateissuer" on page 438
- "pbmasterdcertificateissuer" on page 452


pblocaldcertificatesubject


Data type
String, read-only

Description
The subject string from the pblocald certificate. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the pblocald certificate subject line.

For more information, see the following:

- "pbclientcertificatesubject" on page 376
- "pblogdcertificatesubject" on page 440
- "pbmasterdcertificatesubject" on page 454


pblocaldmachine


Data type
String, read-only

Description
The machine type ID from uname on the run host. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the run host machine hardware from the uname command.


pblocaldnodename


Data type
String, read-only

Description
The nodename from uname on the run host. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the run host node name from the uname command.


pblocaldrelease


Data type
String, read-only

Description
The operating system release from uname on the run host. This value is stored in the event log, but is not available during policy
execution.

Valid values
A string that contains the run host operating system release from the uname command.


pblocaldsysname


Data type
String, read-only

Description
The system name from uname on the run host. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the run host operating system implementation string from the uname command.


pblocaldversion


Data type
String, read-only

Description
The operating system version from uname on the run host. This value is stored in the event log, but is not available during policy
execution.

Valid values
A string that contains the run host operating system version string from the uname command.


pblogdcertificateissuer


Data type
String, read-only

Description
The issuer string from pblogd’s certificate. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the pblogd certificate issuer line.

For more information, see the following:

- "pbclientcertificateissuer" on page 374
- "pblocaldcertificateissuer" on page 424
- "pbmasterdcertificateissuer" on page 452


pblogdcertificatesubject


Data type
String, read-only

Description
The subject string from pblogd’s certificate. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the pblogd certificate subject line.

For more information, see the following:

• "pbclientcertificatesubject" on page 376
• "pblocaldcertificatesubject" on page 426
• "pbmasterdcertificatesubject" on page 454

pblogdmachine

Data type
String, read-only

Description
The machine type ID from uname on the log server. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the log host machine hardware from the uname command.

pblogdnodename

Data type
String, read-only

Description
The nodename from uname on the log server. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the log host node name from the uname command.

pblogdrelease

Data type
String, read-only

Description
The operating system release from uname on the log server. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the log host operating system version from the uname command.

pblogdsysname

Data type
String, read-only

Description
The system name from uname on the log server. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the log host operating system implementation string from the uname command.

pblogdversion

Data type
String, read-only

Description
The operating system version from uname on the log server. This value is stored in the event log, but is not available during policy execution.

Valid values
A string that contains the log host operating system version string from the uname command.

pbmasterdcertificateissuer

Data type
String, read-only

Description
The issuer string from the pbmasterd certificate.

Valid values
A string that contains the pbmasterd certificate issuer line.

For more information, see the following:

• "pbclientcertificateissuer" on page 374
• "pblocaldcertificateissuer" on page 424
• "pblogdcertificateissuer" on page 438

pbmasterdcertificatesubject

Data type
String, read-only

Description
The subject string from the pbmasterd certificate.

Valid values
A string that contains the pbmasterd certificate subject line.

For more information, see the following:

• "pbclientcertificatesubject" on page 376
• "pblocaldcertificatesubject" on page 426
• "pblogdcertificatesubject" on page 440

pbmasterdmachine

Data type
String, read-only

Description
The machine type ID from uname on the policy server host.

Valid values
A string that contains the policy server host machine hardware from the uname command.

pbmasterdnodename

Data type
String, read-only

Description
The node name from uname on the policy server host.

Valid values
A string that contains the policy server host node name from the uname command.

pbmasterdrelease

Data type
String, read-only

Description
The operating system release from uname on the policy server host.

Valid values
A string that contains the policy server host operating system version from the uname command.

pbmasterdsysname

Data type
String, read-only

Description
The system name from uname on the policy server host.

Valid values
A string that contains the policy server host operating system implementation string from the uname command.

pbmasterdversion

Data type
String, read-only

Description
The operating system version from uname on the policy server host.

Valid values
A string that contains the policy server host operating system version string from the uname command.

pbrunmachine

Data type
String, read-only

Description
The machine type ID from uname on the submit host.

Valid values
A string that contains the submit host machine hardware ID from the uname command.

pbrunnodename

Data type
String, read-only

Description
The node name from uname on the submit host.

Valid values
A string that contains the submit host node name from the uname command.

pbrunrelease

Data type
String, read-only

Description
The operating system release from uname on the submit host.

Valid values
A string that contains the submit host operating system version from the uname command.

pbrunsysname

Data type
String, read-only

Description
The system name from uname on the submit host.

Valid values
A string that contains the submit host operating system implementation string from the uname command.

pbrunversion

Data type
String, read-only

Description
The operating system version from uname on the submit host.

Valid values
A string that contains the submit host operating system version string from the uname command.

pbshmachine
• Version 3.5 and earlier: pbshmachine variable not available.
• Version 4.0 and later: pbshmachine variable available.

Data type
String, read-only

Description
The machine type ID from uname on the pbsh machine.

Valid values
A string that contains the pbsh host machine hardware ID from the uname command.

For more information, see the following:

• "pbshnodename" on page 477
• "pbshrelease" on page 478
• "pbshsysname" on page 479
• "pbshversion" on page 480

pbshnodename
• Version 3.5 and earlier: pbshnodename variable not available.
• Version 4.0 and later: pbshnodename variable available.

Data type
String, read-only

Description
The nodename from uname on the pbsh machine.

Valid values
A string that contains the pbsh host node name from the uname command.

pbshrelease
• Version 3.5 and earlier: pbshrelease variable not available.
• Version 4.0 and later: pbshrelease variable available.

Data type
String, read-only

Description
The operating system release from uname on the pbsh machine.

Valid values
A string that contains the pbsh host operating system version from the uname command.

pbshsysname
• Version 3.5 and earlier: pbshsysname variable not available.
• Version 4.0 and later: pbshsysname variable available.

Data type
String, read-only

Description
The system name from uname on the pbsh machine.

Valid values
A string that contains the pbsh host operating system implementation string from the uname command.

pbshversion
• Version 3.5 and earlier: pbshversion variable not available.
• Version 4.0 and later: pbshversion variable available.

Data type
String, read-only

Description
The operating system version from uname on the pbsh machine.

Valid values
A string that contains the pbsh host operating system version string from the uname command.

X11 session capture variables

The X11 variables are used to capture X Windows sessions.

xwincookie

Data type

String, read-only

Description

The xwincookie variable contains the X Windows Authentication cookie from the client and is available for logging.
There is no run version of this variable.

Valid values

A string

See also

xwindisplay, xwinproto, xwinforward, xwinreconnect

xwinproto

Data type

String, read-only

Description

The xwinproto variable contains the X Windows Authentication protocol from the client and is available for logging.
There is no run version of this variable.

Valid values

A string

See also

xwincookie, xwindisplay, xwinforward, xwinreconnect

xwindisplay

Data type

String, read-only

Description

The xwindisplay variable contains the X Windows Authentication DISPLAY string from the client and is available for logging.
There is no run version of this variable.

Valid values

A string

See also

xwincookie, xwinproto, xwinforward, xwinreconnect

xwinforward

Data type

Boolean, modifiable

Description

The xwinforward variable controls whether Endpoint Privilege Management for Unix and Linux will forward X Windows applications
through to the client X Server.

Syntax

xwinforward = Boolean;

Valid values

true Enable X Windows forwarding. This value is the default.

false Disable X Windows forwarding.

See also

xwincookie, xwindisplay, xwinproto, xwinreconnect

xwinreconnect

Data type

Boolean, modifiable

Description

The xwinreconnect variable controls whether Endpoint Privilege Management for Unix and Linux optimizes X Windows network traffic between pbrun and pblocald. This optimization reconnects pblocald directly to pbrun for X Windows forwarding, so the I/O streams bypass pbmasterd.

Syntax

xwinreconnect = Boolean;

Valid values

true Enable reconnection between pbrun and pblocald. This value is the default.

false Disable reconnection between pbrun and pblocald.

See also

xwincookie, xwindisplay, xwinproto, xwinforward


Built-in functions and procedures


The Security Policy Scripting Language provides built-in functions and procedures to help simplify security policy implementation. Built-in
functions and procedures are stand-alone subroutines that perform specific tasks. The difference between a function and a procedure is
that a function returns a value while a procedure does not.
Taking advantage of the Endpoint Privilege Management for Unix and Linux built-in functions and procedures can dramatically shorten the
time needed to implement a company's security policy.

Endpoint Privilege Management for Unix and Linux built-in functions are divided into the following groups:

- Date and time functions
- File and path functions
- Format and conversion functions
- Input and output functions and procedures
- LDAP functions
- List functions
- Miscellaneous functions
- NIS functions
- Policy environment functions and procedures
- String functions
- Task control procedures
- Task environment functions and procedures
- User and password functions
- PAM policy functions
- Advanced Control and Audit (ACA) procedure


Advanced control and audit


Advanced Control and Audit (ACA) provides the ability to control and audit file system activity. The ACA language targets specific actions,
such as open/read/write/exec, defines whether each action can or cannot be performed on a file, and can also specify the auditing level.
The files for each rule are specified using shell-style file patterns to match files.

ACA auditing requires iologging to be enabled for the session. If ACA statements are included in the policy and iologging is not enabled,
for versions prior to 10.3, the request proceeds with ACA controls, but without auditing. Beginning in 10.3, if all ACA statements have a log
level of 0 (zero), the task continues without logging as before. If any ACA statement contains a loglevel greater than zero, the requested
task is rejected with the error: "1008.02 ACA audit logging requires an iolog to be specified.". ACA only affects the targeted process and
its child processes and poses no threat to the operating system as a whole. It can also be configured to not apply to specific child
processes, to ensure that services can be restarted without ACA being applied.

Each specified action is intercepted and processed to determine if the action is allowed and if auditing is required. Where an audit level is
specified, the relevant data is sent back to the originating client to be written to an iolog. When ACA is enabled, the iolog contains both
iologging and auditing information. The pbreplay -A (--audit) command line option is used to display the audit records from an iolog.

When the allowed action is an execute action, the ACA policy is passed on to the new child task so that the ACA policy continues to be
enforced. This enables complete logging and control over a shell session. For example, Endpoint Privilege Management for Unix and
Linux can be configured to control a bash shell and allow execution of vi while allowing the user to shell escape to another bash shell or to
any other allowed program, while still enforcing the ACA policy defined for vi and all subsequent executions.

ACA should not be used to audit daemons, as this results in very large sets of audit data and network traffic and adds little to no security to
the non-interactive daemon. ACA rules can be specified to disable ACA for daemon launching mechanisms. In the case that a daemon
needs to be executed within an ACA-controlled shell session and that session is subsequently terminated, the controlling pbrun or
pblocald forks a new process (owned by init) to continue processing ACA auditing.

ACA should also not be used on programs that manipulate logical volumes.

When processing symbolic links, each link in a link chain is evaluated against the ACA policy. If the requested permission is blocked in any
part of the chain, the requested permission is denied.

ACA errors, such as the inability to read the ACA policy, inability to audit, or out of memory, are logged to syslog and stderr. ACA also uses
pbrestcall to send any error messages to a policy or log server using the REST interface. This requires that the adminpath keyword is set
in the client's pb.settings. On the log server running pbconfigd, the keyword eventdestinations must be used to send ACA errlog data to
syslog or to a database.

Example: pb.settings on the client

adminpath /usr/sbin

Example: pb.settings on the log server

eventdestinations errlog=syslog chgmgt=db

Example: To disable central logging, in the policy, set the variable pbulacacentrallogging to 0.

pbulacacentrallogging=0;


Important considerations
ACA is currently enabled for file-specific operations like stat, access, open, read, write, truncate, link, unlink, rename, chmod,
and chown. Socket and memory operations are not supported. Furthermore, ACA does not restrict access to critical operating system
files, directories, and devices that are required for normal user activity.
For instance, read access to the following locations is never blocked by ACA: /proc, /dev/null, /dev/zero, /dev/tty, /dev/urandom, the
terminal, and time zone data.

By default, ACA denies all actions. All allowed actions must be specified explicitly.

Example: If you only have the following ACA rule in the policy:

aca("file", "/etc/resolv.conf", "read");

Since there is no rule for any other action, only read actions on /etc/resolv.conf are allowed; all other actions on all other files
are disallowed. With the above rule in the policy,

pbrun cat /etc/resolv.conf

works, however, the following actions fail even as root:

pbrun ls /var
pbrun cat /home/myfile

Note: Many simple commands may operate correctly because they perform operations the ACA does not intercept.
Commands such as id, date, pwd, and echo may not call any file-related functions such as open(), thus those commands
work even though it appears ACA should deny all access. Caching daemons may also affect whether the file-related function
calls are used. For example, nscd may cache user data from /etc/passwd, so id may function without read access to
/etc/passwd.

ACA allows a rule to be provisioned that covers actions on files not specifically matched by the file specifications in subsequent ACA
calls. It must be the first ACA rule in the policy. To define this rule, use unmatched as the filespec; this matches all files not matched by
other ACA commands.

Example:

aca( "file", "unmatched", "all", "DEFAULT Rule");

aca( "file", "/etc/*", "!all", "Protect /etc");

The first rule provides a default for the filesystem, allowing all access to all file actions and for all non-matched files, as long as
the runuser has the correct file permissions required. The second rule disallows all access, including read, write, rename,
chmod, truncate, and open on files in /etc.


Other considerations
- ACA does not apply to pbksh and pbsh.
- ACA has no control over stdin, stdout, or stderr, because they are opened before ACA begins processing.
- Creating links requires ACA read permission for the existing file and ACA link permission for the new link.
- ACA recognizes Endpoint Privilege Management for Unix and Linux binaries to ensure that a permissions loop does not occur,
which is when a process running ACA tries to launch a process with ACA.
- The system fails to work properly if you add the ACA shared libraries to the system /etc/ld.so.preload or equivalent file. The ACA
shared libraries require policy data read from a file descriptor provided by the parent pbrun or pblocald. The system cannot
provide that file descriptor (or the EPM-UL ACA policy), so every binary executed fails.
- As of Endpoint Privilege Management for Unix and Linux 21.1.0, ACA no longer supports HP-UX PA-RISC binaries.
- ACA is disabled, by the operating system, on Linux for "Capabilities" enabled binaries (see man setcap).

When ACA is specified and an older client (version 8.5 or below) performs an Optimized Run Mode (ORM) request, the policy server
rejects the request.
ACA rules are processed within a secured task after pbrun has executed that secured task. For example, if an ACA rule denies execution
of vi, but normal policy allows vi, and the secured task is vi (for example, pbrun vi), pbrun executes vi; that vi process and its children
then cannot exec a new vi process (vi can shell out to a prompt, but that shell cannot run vi). Certain ACA operations do take place before
executing the initial secured task, such as determining the binary type and whether it is affected by Linux "capabilities" or is setuid on
AIX or HP-UX.


aca

Description
Traps file-system-related library calls, such as open/read/write/exec; allows, disallows, and audits those calls; and specifies the actions
that can or cannot be performed on a file, using shell-style file patterns to match files. It also specifies an auditing level.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

aca( control_type, filespec, action permissions and auditing [, tag]);

Arguments

control_type Currently always set to file.

filespec Shell style file specification which matches one or more files.

The shell style specification includes wildcards * and ?, character classes where [ and ] delineate a class
and ! as the first character in the class negates the other characters in the class, and ranges in a class where
- between two characters defines the range. A - at the beginning or end of a class matches the -, and a ] at
the beginning of a class matches a ]. (See 'man 7 glob' on Linux.) Wildcards, ranges, and classes may
appear within any path or file name portion of the filespec; however, it must start with a /. For example,
*/whoami will not work.
Filespecs that begin with a slash / will match slashes only with a slash (that is, a slash will not match a
wildcard expression such as *, ?, or [...]). Fully specifying all the slashes in a path protects against, for
example, /usr/*/bin/date matching /usr/local/directory1/evil/date.
Filespecs that begin with * allow wildcards to match any slash in the path. This allows, for example,
*/reboot to match /usr/bin/reboot, /usr/sbin/reboot, /bin/reboot, /sbin/reboot, and
/usr/local/bin/reboot.

The special filespec unmatched is used to match all files not matched by other filespecs that have been
defined.
Prior to version 10.3.0, default was used with filespec in the policy. In version 10.3.0 and later, unmatched
is used in place of default. For backward compatibility, default will continue to work.

Note: /tmp/banned/* matches files and sub-directories within /tmp/banned; however, access
to the directory itself still works. /tmp/banned/ disables the whole directory and all its contents.

Other than "unmatched", the ACA filespec definitions are processed in the order they were defined, and the
first match is used; subsequent matches are ignored.

For more information, see "Important considerations" on page 486.


action permissions and auditing
- One or more of the following action names, separated by the pipe | symbol.
- Spaces are not allowed in permissions.
- The appearance of an action name enables that action.
- Preceding the action name with a ! disallows the action.
- Each action name may be followed by an optional loglevel, specified as :log=[0-9] before the pipe.
- The final |log=level applies to action names that do not have individual loglevels. This allows
different loglevels for each action name for a given filespec.

tag An optional text string used to arbitrarily group, organize, or identify output in the ACA reports.

Action Description

all Allow all permissions. The all permission must precede any other permissions.

read For a normal file, this allows read(). For a directory with read and execute bits set for the runuser, this allows
chdir() and opendir(). Note that this affects the ability to open a file or directory with read permissions;
however, read()s are not intercepted nor audited.

Note: Prior to version 9.4, stat() calls were trapped and audited as part of the "read"
permissions. Starting in 9.4, stat() calls are no longer trapped nor audited.

write For a normal file, this allows open() with create or update, and write(). For a directory, this allows mkdir().
Note that this affects the ability to open a file with write permissions; however, write()s are not intercepted
nor audited.

unlink For a normal file, this allows unlink(). For a directory, this allows rmdir().

mknod This allows mknod().

exec Allows execution of non-setuid programs that use shared libraries.

execsetuid Allows execution of setuid binaries on platforms that support LD_PRELOAD with setuid binaries. Not
supported on AIX and HP-UX.

execstatic Allows execution of statically linked binaries (disables ACA for that process and any children).

disable Disables ACA, upon an exec, for the specified file pattern and any children of that process. The disable
permission should not be used with the unmatched filespec.

chmod Allows changing of rwx permissions and the sticky bit.

chmodpriv Allows changing of setuid and setgid permissions.

chown Allows changing of the file owner and group via chown().

link Allows creation of hard and soft links using link().

owner Allows the above operations only if the runuser is the file owner.


log=level Audits access at the specified level (0-9).

- Loglevel zero, or no log=level specified, means that no auditing (logging) of the call is performed.
- Loglevel 1 performs the minimal auditing, recording only the call, permission, and path.
- Loglevel 2 indicates that exec calls additionally log the argv, and open calls for read, write, or both additionally log the
device/inode/mode/uid/gid of the file.
- Loglevel 3 indicates that exec calls additionally log the environment supplied.

ACA can derive a shell's command history by logging additional information. This is enabled with the procedure enablesessionhistory().

Interactions of exec, execstatic, execsetuid:

- exec means execution of a dynamically linked, non-setuid, non-setgid binary is allowed.
- execstatic means execution of a statically linked, non-setuid, non-setgid binary is allowed.
- execsetuid means execution of a dynamically linked setuid/setgid binary is allowed, but not a non-setuid/setgid binary.
- execstatic|execsetuid means any setuid binary or any static binary is allowed, including a setuid static binary, a setuid dynamic
binary, or a static binary. In other words, this allows execution of any non-dynamic binary.
- exec|execstatic|execsetuid allows any execution.

AIX and HP-UX do not support LD_PRELOAD or equivalent for setuid/setgid programs. Similarly, Linux does not support LD_PRELOAD
for programs with capabilities assigned. Beginning in EPM-UL 21.1.0, when an ACA controlled process (e.g. a shell) attempts to exec a
setuid/setgid or capabilities-enabled binary (on the affected operating system), a warning is issued to the user, and (if configured) sent to
the log server’s eventdestination for errlog. ACA is disabled, and the setuid/setgid/capability program is executed. PMUL ACA Policy
should be written to disable ACA, or deny execution for each specific setuid/setgid/capability binary, thus avoiding the warning message,
and assuring proper security for setuid/setgid/capability binaries.

Example: Example to deny execution:

aca("file","/bin/su","all|!execsetuid|!exec|log=2");

Example: Example to allow execution with ACA disabled:

aca("file","/bin/su","execsetuid|disable|log=2");

Return values
None

Examples

aca( "file", "unmatched", "all|log=1");
    Allows all access to all files not matched by other ACA rules, auditing every action at level 1.

aca("file", "/bin/*", "!all");
    Disables access to files and subdirectories within /bin; however, access to /bin itself for ls, etc., is still allowed.

aca("file", "/bin/", "!all");
    Disables all access to /bin and its files and subdirectories. ls, etc., are also not allowed. Auditing is not enabled.

aca("file", "/bin/*", "!all|exec:log=2");
    Allows exec for all files in /bin. Disallows all other actions for those files. Audits the execs at level 2.

aca("file", "/bin/umount", "!all|log=9");
    Ignored due to the above /bin/* pattern.

aca('file','unmatched','all:log=1|exec:log=2|execstatic:log=2|execsetuid:log=2','DEFAULT');

aca('file','/sbin/*','all:log=1|!write:log=2|exec:log=2|execstatic:log=2|execsetuid:log=2', 'Protect sbin files');

aca("file", "/sbin/lvm", "all|disable|log=2");
    Disable ACA for Linux lvm (note there are more to disable).

aca("file", "/sbin/service", "all|disable|log=2");
    Disable ACA for the Linux daemon mechanism.

aca("file", "/etc/init.d/*", "all|disable|log=2");
    Disable ACA for the Linux daemon mechanism.

aca("file", "...", "...log=2");
    When an audit log is requested but no iolog is set for the task, a message is displayed that an iolog must be set in the rule.
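The matching and permission rules described above (the filespec syntax, the action permissions and auditing string, the ordering rule with unmatched, and the examples just listed) can be checked before a policy is deployed by modelling them. The following Python is an added example written for readers of this guide; it is not BeyondTrust's ACA library, and the names AcaPolicy, parse_permissions, resolve, compile_filespec and example_policy are this example's own. It implements only what the guide states, and treats one point as an assumption: an action without its own loglevel inherits the level given on all:log=N before falling back to the trailing |log=N.

```python
"""Model of ACA rule matching and permission resolution (added example, not BeyondTrust code).
Implements only what the guide states: first match wins, 'unmatched'/'default' fallback,
deny by default, leading-'/' filespecs whose wildcards never cross '/', and the
'action[:log=N]|...|log=N' syntax. Actions inheriting the level of 'all:log=N' is an assumption."""
import re

ACTIONS = {"all", "read", "write", "unlink", "mknod", "exec", "execsetuid", "execstatic",
           "disable", "chmod", "chmodpriv", "chown", "link", "owner"}
_LOG = re.compile(r"^log=[0-9]$")


def parse_permissions(spec):
    """Return ([(action, allowed, level_or_None), ...], trailing_default_level)."""
    entries, default_level = [], 0
    for tok in spec.split("|"):
        if " " in tok:
            raise ValueError("spaces are not allowed in ACA permissions: %r" % spec)
        if _LOG.match(tok):                      # bare |log=N: level for actions without one
            default_level = int(tok[4:])
            continue
        name, _, lvl = tok.partition(":")
        allowed, name = not name.startswith("!"), name.lstrip("!")
        if name not in ACTIONS or (name == "all" and entries) or (lvl and not _LOG.match(lvl)):
            raise ValueError("bad or misplaced token %r in %r" % (tok, spec))
        entries.append((name, allowed, int(lvl[4:]) if lvl else None))
    return entries, default_level


def resolve(entries, default_level, action):
    """Decide (allowed, loglevel) for one action; later entries override 'all'."""
    allowed, level = False, None                 # nothing granted -> denied
    for name, ok, lvl in entries:
        if name in ("all", action):
            allowed = ok
            level = lvl if lvl is not None else level
    return allowed, default_level if level is None else level


def compile_filespec(spec):
    """Return a predicate path -> bool for one filespec, per the guide's matching rules."""
    if spec.endswith("/"):                       # '/dir/' covers the directory and its contents
        base = spec.rstrip("/")
        return lambda p: p == base or p.startswith(spec)
    anchored = spec.startswith("/")              # leading '/': * ? [..] never match a '/'
    one, out, i = "[^/]" if anchored else ".", "", 0
    while i < len(spec):
        c = spec[i]
        if c in "*?":
            out += one + ("*" if c == "*" else "")
        elif c == "[":
            j = i + 1 + (spec[i + 1:i + 2] == "!")
            j += spec[j:j + 1] == "]"            # ']' first in a class is literal
            while j < len(spec) and spec[j] != "]":
                j += 1
            cls = spec[i + 1:j].replace("\\", "\\\\")  # unterminated class: closed at end of spec
            cls = "^" + cls[1:] if cls.startswith("!") else cls
            out += ("(?!/)" if anchored else "") + "[" + cls + "]"
            i = j
        else:
            out += re.escape(c)
        i += 1
    rx = re.compile("^" + out + "$")
    return lambda p: rx.match(p) is not None


class AcaPolicy:
    def __init__(self):
        self.rules, self.fallback = [], None

    def aca(self, control_type, filespec, permissions, tag=""):
        if control_type != "file":
            raise ValueError("control_type is currently always 'file'")
        rule = (filespec, compile_filespec(filespec), parse_permissions(permissions), tag)
        if filespec in ("unmatched", "default"):   # 'default' is the pre-10.3 spelling
            if self.rules:
                raise ValueError("the unmatched rule must be the first aca() call")
            self.fallback = rule
        else:
            self.rules.append(rule)

    def check(self, path, action):
        """Return (allowed, loglevel, tag); no matching rule at all means denied."""
        rule = next((r for r in self.rules if r[1](path)), self.fallback)  # first match wins
        if rule is None:
            return False, 0, None
        _, _, (entries, default_level), tag = rule
        return resolve(entries, default_level, action) + (tag,)

    def requires_iolog(self):
        """True if any rule audits above level 0; 10.3+ rejects that without an iolog."""
        rules = self.rules + ([self.fallback] if self.fallback else [])
        return any(d > 0 or any(l for _, _, l in e) for _, _, (e, d), _ in rules)


def example_policy():
    """The guide's own rules in order, so the shadowing of /bin/umount by /bin/* is visible."""
    p = AcaPolicy()
    p.aca("file", "unmatched", "all|log=1", "DEFAULT Rule")
    p.aca("file", "/etc/*", "!all", "Protect /etc")
    p.aca("file", "/bin/*", "!all|exec:log=2")
    p.aca("file", "/bin/umount", "!all|log=9")       # never reached
    p.aca("file", "/sbin/service", "all|disable|log=2")
    return p
```

Calling example_policy().check(path, action) shows which rule wins for a path and at what loglevel, and requires_iolog() reproduces the 10.3 check that a policy auditing above level 0 needs an iolog. Because the model rejects spaces inside a permission string, it also catches permission strings that were copied with line-wrap spaces in them.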


enablesessionhistory

Description
The enablesessionhistory() procedure is used to set the internal read-only variable pbulacasessionhistory. This is used for iologged,
ACA controlled shell sessions (for example, bash). The enablesessionhistory() procedure takes a Boolean argument. Values of 1 or
true will enable session history. Values of 0 or false will disable session history.

When enabled, the ACA preload library will audit additional information for the secured task (presumably a shell), giving pbreplay the
ability to interpret the shell "history", within certain limitations.
Note that iolog must be set, and ACA must be enabled with at least one aca(. . . ) statement.
ACA normally exits when it encounters certain errors. When ACA is used only for session history, and no files or operations are blocked,
an optional parameter can be used to cause ACA to continue when those errors are encountered. This results in the task being allowed to
continue, however the session history recorded will be incomplete.
The relevant portion of the policy should be similar to:

aca("file", "default", "all");
enablesessionhistory( true, true);
iolog=<file>;

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Known limitations
This mechanism cannot capture or reproduce:

- Shell internals, such as if/then/else, while, math, variable setting or testing
- Which builtin was used
- 2>&1 redirection and ordering
- Complex redirection
- Exact quoting of argv
- (complex) | (pipelines)
- Exact shell history numbering

This feature adds the --history option to pbreplay, to replay the shell's "history" from the ACA iolog. The --history option cannot be
used in conjunction with the -A option.

Syntax

enablesessionhistory( enable_history [, continue_on_error] );


Arguments

enable_history Required Boolean true or 1 to enable or false or 0 to disable.

continue_on_error Optional true or 1 to enable or false or 0 to disable. Defaults to false.

Example

enablesessionhistory( true );
enablesessionhistory( true, true );

See also

aca()

For more information about pbreplay, see the Endpoint Privilege Management for Unix and Linux Administration Guide at
https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.


Date and time functions


These functions perform operations and comparisons on dates and times. The following table summarizes the date and time functions.

Function Description

datecmp() Compares two dates and returns the results of the comparison

strftime() Formats the current date and time, as defined on the Policy Server host, per the supplied format string

timebetween() Determines if the current time, as defined on the Policy Server host, is between time1 and time2, inclusive


datecmp


Description
The datecmp() function compares two dates and returns the results of the comparison.
The two input parameters, date1 and date2, contain the date strings to compare. These fields should have the format YYYY/MM/DD,
where:

YYYY A numeric year string such as 2001. If the specified year is only two digits, that value is automatically
concatenated with 19 to form a year between 1900 and 1999, inclusive. For example, if the value 01 is
supplied for the year, the actual year value is processed as 1901.

MM Month between 1 and 12, inclusive

DD Day between 1 and 31, inclusive.

Use the forward slash character (/) as a field separator. Zeros or spaces can be used as leading pad characters for the year, month, or
day.

Syntax

result = datecmp (date1, date2);

Arguments

date1 Required. Character string containing a date formatted as YYYY/MM/DD

date2 Required. Character string containing a date formatted as YYYY/MM/DD

Return values

Negative Integer A negative integer is returned if date1 is less than date2 (date1 < date2).

0 Zero is returned if date1 is equal to date2 (date1 == date2).

Positive Integer A positive integer is returned if date1 is greater than date2 (date1 > date2).

Example
In the example,

date1 = "2001/01/21";
result = datecmp (date1, "2002/01/21");

datecmp compares the value in date1 against the date January 21, 2002. The result is returned in result. Because date1 contains the
date 2001/01/21, the result of datecmp is a negative integer because date1 is less than date2.


strftime


Description
The strftime() function formats the current date and time, as defined on Policy Server host, per the supplied format string.

For more information on how to create a format string, see Time Format Commands.

Note that different operating systems may provide different options for their own native strftime() function. Consult your operating
system’s strftime() manual page for more information.

Syntax

result = strftime (formatstring);

Arguments

formatstring Required. Character string that contains the format command characters that specify how the current
date should be formatted

Return values
strftime() returns a formatted character string containing the current date and time from the Policy Server host.

See also

date, day, dayname, hour, minute, month, time, year


timebetween


Description
The timebetween() function determines whether the current time, as defined on the Policy Server host, is between time1 and time2,
inclusive.
The time1 and time2 parameters contain integer time values. These time values should be specified in military time (HHMM) format,
where:

HH A number from 0 to 23, inclusive, that represents the hour

MM A number between 0 to 59, inclusive, that represents the minutes

If time2 < time1, the comparison crosses the midnight boundary.

Syntax

result = timebetween (time1, time2);

Arguments

time1 Required. An integer containing a time value formatted as HHMM

time2 Required. An integer containing a time value formatted as HHMM

Return values

true The current time is between time1 and time2 or the current time is equal to either time1 or time2.

false The current time is either less than time1 or greater than time2.

Example
In the example,

result = timebetween (1100, 1500);

the following times set result as follows:

- 08:00 result set to false
- 11:00 result set to true
- 12:30 result set to true
- 15:00 result set to true
- 15:01 result set to false
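The following policy fragment is an added example; it is not taken from this guide or from any BeyondTrust sample policy. It shows the case the description above singles out, time2 < time1, by defining a maintenance window that runs from 22:00 to 06:00 across midnight. The list name MaintUsers and the audit file path are assumptions; fprintf() is marked as unsupported in EPM-L elsewhere on this page, so that line would need replacing there.

```pbul
# Added example: a maintenance window that crosses midnight.
# MaintUsers and AuditFile are assumed names; adjust them for your site.
MaintUsers = {"jwhite", "tbrown"};
AuditFile  = "/var/adm/pb_maint.log";

# 22:00 through 06:00 inclusive. Because time2 (600) is less than
# time1 (2200) the comparison wraps past midnight, so 23:59 and 00:30
# are both inside the window while 06:01 is outside it. The arguments
# are integers in HHMM form, so 06:00 is written 600.
InWindow = timebetween(2200, 600);

if (user in MaintUsers && InWindow) {
    runuser = "root";
    accept;
}

# Both timebetween() and strftime() use the Policy Server host's clock,
# so the timestamp recorded here matches the clock the decision used.
fprintf(AuditFile, "%s %s denied outside window: %s\n",
        strftime("%Y-%m-%d %H:%M:%S"), user, command);
reject "Privileged commands are only permitted between 22:00 and 06:00";
```

The point to keep in mind when testing such a rule is that the decision is made with the Policy Server host's time zone, not the submitting user's; a window that looks right from a client in another zone may be offset by several hours.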


File and path functions


File and path functions are used to verify, return, and generate information about directories, file paths, names, and file names. The
following table summarizes the file and path functions.

Function Description

access() Verifies the existence of a path and/or file

basename() Returns the file name portion of a path

dirname() Returns the directory portion of a path

logmktemp() Generates a unique file name on the log host

mktemp() Generates a unique file name on the Policy Server host

stat() Returns information about a directory or file


access

Description
The access() function verifies the existence of a path and/or file on the Policy Server host. path should contain a fully qualified name,
starting with a forward slash character (/).

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = access (path);

Arguments
path Required. String that contains the name of the path and/or file to verify.

Return values

true The directory or file exists on the Policy Server host.

false The directory or file does not exist on the Policy Server host.

Example
In the example,

result = access ("/tmp/user.txt");

result contains true if /tmp/user.txt exists on the Policy Server host. result contains false if /tmp/user.txt does not exist on the Policy
Server host or is not accessible to the superuser.

See also

logmktemp(), mktemp(), stat()


basename


Description
The basename() function returns the file name portion from the provided path. basename actually works by searching the provided string
for the rightmost token. A forward slash character (/) delimits tokens. basename ignores any number of trailing slash characters.
For example, given the string /one/two/three, basename returns the rightmost token, which in this case is three.
Given the string /one/two/, basename would ignore the trailing slash and return two.

Syntax

result = basename (path);

Arguments
path Required. Character string containing a file path and file name.

Return values
result contains the rightmost token (that is, the file name) of the supplied character string (that is, the path name). An empty character
string ("") is returned if no token is found.

Example:

result = basename ("/var/adm/pblog.txt");

In this example, result contains the file name pblog.txt.

For more information, see "dirname" on page 505.


dirname


Description
The dirname() function returns the path component of path. dirname() searches the provided string for the rightmost token and returns
everything but the rightmost token. Tokens are delimited with the forward slash character (/). dirname ignores all trailing slashes.
For example, given the string /one/two/three, dirname returns everything but the rightmost token; result contains /one/two.
Given the string /one/two/three/, dirname ignores the trailing slash and result again contains /one/two.

Syntax

result = dirname (path);

Arguments

path Required. Character string that contains a path and file name

Return values
result contains the contents of path, minus the rightmost token (that is, the file name). If a token is not found, a . is returned.

Example
In the example,

result = dirname ("/var/adm/pblog.txt");

result contains /var/adm, the directory portion of the path.

See also

basename()
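The fragment below is an added example covering access(), basename() and dirname() together; it is not from the guide or from BeyondTrust. It allow-lists a script by its directory and its file name, then confirms that a reference copy exists. TrustedDir, TrustedScripts and the paths are assumptions. The caveat is the one the access() description states: the check runs against the Policy Server host's file system, not the host that will execute the command.

```pbul
# Added example: allow-list a script by directory and file name.
# TrustedDir, TrustedScripts and the paths are assumed values.
TrustedDir     = "/usr/local/sbin";
TrustedScripts = {"rotate_logs.sh", "restart_web.sh"};

Dir  = dirname(command);     # "/usr/local/sbin" for "/usr/local/sbin/rotate_logs.sh"
Base = basename(command);    # "rotate_logs.sh"

# If the request arrives without a directory component, dirname() yields
# "." and the test below fails, which is the intended outcome: the request
# must name the full path of an approved script.
if (!(Dir == TrustedDir && Base in TrustedScripts)) {
    print("Refused: only approved scripts in " + TrustedDir + " may be run");
    reject "Command is not on the approved list";
}

# access() looks at the Policy Server host's file system, not at the host
# that will execute the command. This proves a reference copy exists there;
# it is not evidence about what is installed on the run host.
if (!access(TrustedDir + "/" + Base)) {
    print("Refused: " + Base + " has no reference copy on the Policy Server");
    reject "Reference copy of command is missing";
}

runuser = "root";
accept;
```

Comparing Dir with a string that has no trailing slash relies on dirname() discarding trailing slashes from its input, as described above; the comparison is exact, so "/usr/local/sbin/../sbin" style paths are refused rather than normalised.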


logmktemp

Description
The logmktemp() function returns a file name that is guaranteed to be unique on the log host.
This function requires a full path template. Do not save I/O logs to temporary directories.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = logmktemp (template);

Arguments

template Required. Character string that contains a file name template. Within template, characters forming a unique identifier replace six trailing X characters. Many, but not all, systems require precisely six X characters, which must be the trailing characters. Five X characters, or X characters in the middle of a template, might work on some systems, but this behavior is not guaranteed.

Return values
result contains the generated file name. If a unique file name cannot be generated from template, then result contains a blank character
string ("").

Example
In this example,

result = logmktemp ("/var/adm/iolog.XXXXXX");

result contains the file name /var/adm/iolog.XXXXXX, where XXXXXX is replaced by a unique identifier that is generated by the
operating system.

See also

mktemp(), stat()


mktemp

Description
The mktemp() function returns a file name that is guaranteed to be unique on the Policy Server host.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = mktemp (template);

Arguments

template Required. Character string that contains a file name template. Within template, characters forming a unique identifier replace six trailing X characters. Many, but not all, systems require precisely six X characters, which must be the trailing characters. Five X characters, or X characters in the middle of a template, might work on some systems, but this behavior is not guaranteed.

Return values
result contains the generated file name. If a unique file name cannot be generated from template, result contains a blank character string
("").

Example
In the example,

result = mktemp ("/var/adm/iolog.XXXXXX");

result contains the file name /var/adm/iolog.XXXXXX, where XXXXXX is replaced by a unique identifier that is generated by the
operating system.

Note: In order to have an I/O log created in this manner, the iolog variable must be set to the result of logmktemp(). For
example:

iolog = logmktemp("/var/adm/iolog.XXXXXX");
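The following fragment is an added example, not from the guide or from BeyondTrust, expanding the note above. It names the I/O log with logmktemp() (the log lives on the log host, which is why mktemp(), which works on the Policy Server host, is not used for iolog) and handles the failure case both descriptions mention: an empty string returned when no unique name can be produced. IologBase is an assumed directory that must already exist on the log host.

```pbul
# Added example: name the I/O log with logmktemp() and refuse to run if
# no unique name could be produced. IologBase is an assumed directory
# that must already exist on the log host.
IologBase = "/var/log/pbiologs";

# Template: <user>.<YYYYMMDD>.XXXXXX with exactly six trailing X
# characters; the log host replaces them with a unique identifier.
iolog = logmktemp(IologBase + "/" + user + "." + strftime("%Y%m%d") + ".XXXXXX");

# logmktemp() returns "" when a unique name cannot be generated (for
# example when the directory is missing or unwritable on the log host).
# An empty iolog would let the session proceed without a recording, so
# stop instead of silently running unlogged.
if (iolog == "") {
    print("Refused: cannot allocate an I/O log under " + IologBase);
    reject "I/O logging is unavailable; contact the administrators";
}

runuser = "root";
accept;
```

Putting the user name and date in the template keeps the unique suffix short-lived in meaning: the XXXXXX part only guarantees uniqueness, while the prefix is what makes the recordings findable afterwards.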


See also

logmktemp(), stat()


stat

Description
The stat() function returns general information, obtained from the operating system, about the requested file or directory on the Policy Server host.
result contains an empty list (that is, with length equal to 0) if the specified file or directory is not found. The length() function can be used
to determine whether result is empty.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = stat (path);

Arguments
path Required. Character string containing a path and/or file name.

Return values
result is a list that contains file and/or directory information. Each element in the list contains a different piece of information, as shown
below. Each list element is a character string. An empty list is returned (that is, with list length equal to 0) if the specified file or directory
does not exist. If result is empty, then the specified path or file was not found.
result elements:

- result [0] = file size
- result [1] = file owner
- result [2] = file group
- result [3] = file permissions
- result [4] = file access time
- result [5] = file creation time
- result [6] = file modification time
- result [7] = file access date
- result [8] = file creation date
- result [9] = file modification date
- result [10] = file access time in seconds
- result [11] = file creation time in seconds
- result [12] = file modification time in seconds
- result [13] = inode number
- result [14] = device number


Example:

result = stat ("/etc");

In the example, result might contain the following elements:

result [0] = 7144
result [1] = bin
result [2] = bin
result [3] = 755
result [4] = 101
result [5] = 101
result [6] = 101
result [7] = 1970/01/01
result [8] = 1970/01/01
result [9] = 1970/01/01
result [10] = 1
result [11] = 1
result [12] = 1
result [13] = 20
result [14] = 2

For more information, see the following:

- "access" on page 502
- "length" on page 560
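The fragment below is an added example, not from the guide or from BeyondTrust, showing how a policy can use the stat() list before granting root: it checks for the empty-list case with length(), then the owner (element 1) and permissions (element 3). The script path and the list of accepted modes are assumptions; mode strings are compared exactly as stat() returns them, in the "755" form shown in the example above.

```pbul
# Added example: check the Policy Server's copy of a script before
# granting root. Script path and the accepted mode list are assumptions.
Script = "/usr/local/sbin/rotate_logs.sh";
Info   = stat(Script);

# An empty list means the path was not found on the Policy Server host.
if (length(Info) == 0) {
    print("Refused: " + Script + " not found on the Policy Server");
    reject "Script not found";
}

Owner = Info[1];    # file owner, as a name
Mode  = Info[3];    # permissions as an octal string, e.g. "755"

# Modes with no group or other write bit. A mode string carrying a setuid
# digit ("4755") is deliberately absent and is therefore refused too.
SafeModes = {"755", "750", "700", "555", "550", "500"};

if (Owner != "root") {
    print("Refused: " + Script + " is owned by " + Owner + ", not root");
    reject "Script ownership check failed";
}
if (!(Mode in SafeModes)) {
    print("Refused: " + Script + " has mode " + Mode);
    reject "Script mode is not on the accepted list";
}

# stat() inspected the Policy Server host's copy only; nothing here
# examined the file on the host that will actually run the command.
runuser = "root";
accept;
```

Because every element is a character string, numeric-looking fields such as the size or the epoch seconds must be converted with atoi() before being compared as integers.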


Format and conversion functions


The following table summarizes the format and conversion functions.

Function Description

atoi() Converts a character string to an integer value

sprintf() Formats the supplied arguments and returns them as a single character string


atoi


Description
The atoi() function converts a character string to an integer value.

Syntax

result = atoi (string);

Arguments

string Required. Character string that contains the numeric character string to convert to an integer value.

Return values
result contains the converted integer value.

Example
In this example,

result = atoi ("123");

result contains the integer value 123.


sprintf


Description
The sprintf() function creates a character string by formatting the supplied arguments according to the formatting commands in a format
control string. The resulting character string is returned in result.
The format control string controls the formation of the character string that is returned in result. It consists of two types of information:
actual content and format command characters. The format command characters are used to insert and format the supplied arguments.
The number of format command characters in the format control string must match the number of supplied arguments. In other words, if
there are three formatting commands in the format control string, then three function arguments must be supplied. Otherwise, an error is
generated.

For more information on format command characters, see Format Commands.

Syntax

result = sprintf (controlstring [,expression1, …]);

Arguments

controlstring Required. Character string that contains the format control string that is used to generate the formatted string.

expression1, … Optional. Character string and integer values to substitute into the format control string.

Return values
result contains the formatted character string.

Example
In this example,

result = sprintf ("System administrator Ids: %s %s %s", "Adm1", "Adm2", "Adm3");

the character string System administrator Ids: Adm1 Adm2 Adm3 is assigned to result.

See also

fprintf, print, printf, syslog


Input/output functions and procedures


The following table summarizes Endpoint Privilege Management for Unix and Linux’s input/output functions and procedures.

Function/ Procedure Description

fprintf() Formats and appends a character string to a file

input() Prompts the user for a single line of input

inputnoecho() Similar to the input() function, inputnoecho() prompts the user for a single line of input, but does not display the input on the screen as it is entered

print() Displays a single line of information on the user’s screen. The line terminates with the newline character.

printf() Displays a formatted character string on the user’s screen

printnnl() Similar to the print procedure, printnnl displays a single line of information on the user’s screen, but the line is not terminated with the newline character

printvars() Prints all Endpoint Privilege Management for Unix and Linux variables to the user’s terminal

readfile() Returns the entire contents of a file in a character string

syslog() Writes a formatted message to the syslog facility


fprintf

Description
The fprintf procedure is similar to the printf procedure, except that the formatted character string it creates is appended to a file rather than
being displayed at the user’s terminal.

See the discussion of printf for more detail on how to use format command characters within the format control string.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

fprintf (filename, controlstring [,expression1, …]);

Arguments

filename Required. Character string that contains the name of a file: a fully qualified path name, starting with a forward slash character (/).

controlstring Required. The character string, including format command characters, that is written to filename.

expression1, … Optional. Values to substitute into controlstring, based on the specified format command characters.

Return values
Because fprintf is a procedure, no return value is set.

Example
In this example,

fprintf ("/var/adm/pblog.txt", "System administrator Ids: %s %s %s", "Adm1", "Adm2", "Adm3");

the character string System administrator Ids: Adm1 Adm2 Adm3 is appended to the file /var/adm/pblog.txt.

See also

print, printf, sprintf(), syslog


input


Description
The input() function prompts the user for a single line of input. There is no default prompt. If the user attempts to enter more than a single
line of input, then the excess input is ignored.

Syntax

result = input (prompt);

Arguments
prompt Required. Character string that contains the prompt displayed to the user.

Return values
result is a character string that contains the single line of input that is typed by the user.

Example:

result = input ("Please enter your first and last name:");

In this example, the prompt Please enter your first and last name: is displayed to the user. The resulting input is stored in
result.

For more information, see the following:

- "inputnoecho" on page 521
- "readfile" on page 532


inputnoecho


Description
The inputnoecho() function prompts the user for a single line of input. There is no default prompt. It ignores excess input if the user
supplies more than one line of input.
The inputnoecho() function works like the input() function, except that the input that is typed by the user is not shown on the terminal.
This function is useful when prompting the user for a password or other types of confidential information.

Syntax

result = inputnoecho (prompt);

Arguments
prompt Required. Character string containing the prompt displayed to the user.

Return values
result is a character string that contains the single line of input that is typed by the user.

Example:

result = inputnoecho ("Please enter your first and last name:");

In this example, the prompt Please enter your first and last name: is displayed to the user. The resulting input is stored in
result.

For more information, see "input" on page 519.
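The fragment below is an added example, not from the guide or from BeyondTrust, that ties together input(), sprintf() and fprintf(): the user is asked for a change ticket and a reason, and one audit record is appended. inputnoecho() has the same signature and is the call to use instead of input() whenever the value being typed must not appear on the terminal. AuditFile and the prompts are assumptions, and fprintf() is marked unsupported in EPM-L, so that line would need replacing there.

```pbul
# Added example: collect a change ticket and a reason, then append one
# audit record. AuditFile and the prompt texts are assumptions.
AuditFile = "/var/adm/pb_audit.log";

Ticket = input("Change ticket number: ");
Reason = input("Reason for privileged access: ");

# input() returns the single line typed; "" means the user pressed Enter
# without answering, which is treated as no justification at all.
if (Ticket == "" || Reason == "") {
    reject "A change ticket number and a reason are required";
}

# Build the record with sprintf(): exactly one argument per %s, in order.
# User-typed text is passed as an argument, never spliced into the control
# string, so a "%" typed by the user is recorded as plain text rather than
# being interpreted as a format command.
Record = sprintf("%s user=%s submithost=%s command=%s ticket=%s reason=%s\n",
                 strftime("%Y-%m-%d %H:%M:%S"), user, submithost, command,
                 Ticket, Reason);

# Append to the audit file; the control string is a lone %s for the same reason.
fprintf(AuditFile, "%s", Record);

runuser = "root";
accept;
```

The rule this illustrates holds for printf() and syslog() as well: anything a user typed, or any variable a user controls, belongs in the argument list, and the control string stays a literal written by the policy author.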


print


Description
The print procedure writes one or more expressions to the user’s terminal as a single line. The line terminates with a newline character. A
comma separates each argument. If an integer is supplied as an argument, then its value is automatically converted to a character string.
If a list is supplied, then it prints as a series of quoted strings with the entire series between braces.
The print and printnnl procedures work in the same manner. The only difference is that print terminates the generated character string
with a newline character, whereas printnnl does not.

Syntax

print (expression1 [, expression2, …]);

Arguments

expression1 Required. A value that is displayed to the user.

expression2, … Optional. Additional values that are displayed to the user.

Return values
Because print is a procedure, no return value is set.

Example
In the first example,

print ("Your task request has been accepted.", "Thank you.");

writes the following to the user's terminal:

Your task request has been accepted. Thank you.

This line terminates with a newline character.


The second example,

TrustedUsers = {"JWhite", "TBrown", "SBlack"};


print ("The trusted users are:", TrustedUsers);

writes the following on the user’s terminal:

The trusted users are: {"JWhite", "TBrown", "SBlack"}

This line terminates with a newline character.


See also

fprintf, outputredirect, printf, printnnl, sprintf(), syslog


printf


Description
The printf procedure creates a character string by formatting the supplied arguments according to the formatting commands in a format
control string. The resulting character string is written to the user’s terminal.
The format control string controls the generation of the character string that is written to the user’s terminal. It consists of two types of
information: actual content and format command characters. The format command characters are used to insert and format the supplied
arguments. The number of format command characters in the format control string must match the number of supplied arguments. In
other words, if there are three formatting commands in the format control string, then three function arguments are needed. Otherwise, an
error is generated.

For more information on format command characters, see Format Commands.

Syntax

printf (controlstring [, argument1, …]);

Arguments

controlstring    Required. Character string that contains the format control string that is used to generate the formatted string that is written to the user's terminal.

argument1 …      Optional. Character strings and/or integer values to substitute into the formatted string.

Return values
Because printf is a procedure, no return value is set.

Example
In this example,

printf ("System administrator Ids: %s %s %s\n", "JWhite", "TWhitman", "EPipes");

the following string is printed:

System administrator Ids: JWhite TWhitman EPipes

See also

fprintf, outputredirect, print, printnnl, sprintf(), syslog


printnnl


Description
The printnnl procedure writes one or more expressions to the user's terminal as a single line, with a space separating each argument.
The line is not terminated with a newline character. The print and printnnl procedures otherwise work in the same manner: the only
difference is that print terminates the generated character string with a newline character, whereas printnnl does not.

Syntax

printnnl (expression1 [, expression2, …]);

Arguments

expression1 Required. An expression that contains the information to display to the user

expression2 … Optional. Additional expressions to display to the user.

Return values
Because printnnl is a procedure, no return value is set.

Example
In the example below,

printnnl ("Your task request has been accepted."); print ("Thank you.");

writes the following to the user's terminal:

Your task request has been accepted. Thank you.

The text that is printed by printnnl is not terminated with a newline character, so the text that is printed with print appears on the same
line.

See also

fprintf, outputredirect, print, printf, sprintf(), syslog


printvars


Description
The printvars procedure prints all user and EPM variables to the user's terminal. It is useful when debugging security policy files.

Syntax

printvars();

Arguments
There are no arguments.

Return values
Because printvars is a procedure, no return value is set.

Example:

printvars();


readfile

Description
The readfile() function returns the contents of a file in a character string. Any file type can be processed. The entire file is placed in a single
character string. The length() function can be used to determine the length of the returned character string.

In addition, readfile checks whether the file passed as the argument has been imported into the configuration database (/etc/pb.db) and,
if it has, reads the file from the database. If the file is not in the database, readfile falls back to reading it from the filesystem.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

readfile (filename);

Arguments
filename Required. Character string that contains the complete path and file name of the file to read.

Return values
Character string that contains the contents of the specified file.

Example:

result = readfile ("/var/adm/pblog.txt");

If the /path/file has been imported into the configuration database, readfile gets the file from the configuration database:

# pbadmin -cfg -i /path/file

For more information, see the following:

- "length" on page 560
- "split" on page 569


syslog

Description
The syslog procedure enables you to send diagnostic messages to the syslog facility. It creates a character string by formatting the
supplied arguments according to the formatting commands in a format control string. The resulting character string is written to the
system’s syslog.

The format control string controls the formation of the character string that is written to the system’s syslog facility. It consists of two types
of information: actual content and format command characters. The format command characters are used to insert and format the
supplied arguments. The number of format command characters in the format control string must match the number of supplied
arguments. In other words, if there are three formatting commands in the format control string, then three function arguments are required.
Otherwise, an error is generated.
Starting with version 7.0.0, as an alternative to calling the syslog() function in the policy, you can use the settings syslog_accept_format,
syslog_reject_format, syslogsession_start_format, syslogsession_start_fail_format, and syslogsession_finished_format in the
pb.settings file. These settings format the syslog messages for Accept and Reject events and for the session events Start, Finish, and
Start_Fail.

For more information about these settings, see Customized Syslog Formatting in the Endpoint Privilege Management for Unix
and Linux Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.

For more information on format command characters, see "Format commands" on page 106.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

syslog (controlstring [,expression1, …]);

Arguments

controlstring    Required. Character string that contains the control string that is used to generate the formatted string that is passed to the syslog facility.

expression1 …    Optional. Expressions to substitute into the formatted string.

Return values
Because syslog is a procedure, no return value is set.


Example
In this example,

syslog ("System administrator Ids: %s %s %s", "Adm1", "Adm2", "Adm3");

the message

System administrator Ids: Adm1 Adm2 Adm3

is written to syslog (the syslog daemon, typically syslogd, and Endpoint Privilege Management for Unix and Linux must be configured
for this to work).

See also

fprintf, print, printf, sprintf(), PowerBroker syslog setting
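The following policy fragment is an added example, not code from this guide or from BeyondTrust. It ties together the readfile(), printf() and syslog() procedures documented above: it reads an allowlist of account names from the policy server, one name per line, and accepts the request only if the submitting user is listed. The path /etc/pb.allowlist and the decision to run the command as root are assumptions chosen for illustration; user, command, host and runuser are the standard policy variables, and split() and length() are used as documented in this guide. This guide does not state what readfile() returns for a file that does not exist, so the fragment only checks for an empty result.

```pbpolicy
# Added example: gate a privileged request on an allowlist file held on the
# policy server.  Assumed path.  readfile() looks in the configuration
# database first (after: pbadmin -cfg -i /etc/pb.allowlist) and falls back
# to the policy server's filesystem.
allowlist_path = "/etc/pb.allowlist";

# Keep the path a fixed literal.  readfile() runs with the policy server's
# privileges, so a path assembled from request data such as runargv would
# let the caller read any file the policy server can reach.
contents = readfile(allowlist_path);

if (length(contents) == 0) {
    # Fail closed: an empty (or unreadable) allowlist must not mean "allow".
    # Full detail goes to syslog for the audit trail; the user gets only a
    # short reason, not the policy internals.
    syslog("pb policy: allowlist %s empty or unavailable, rejecting %s for %s",
           allowlist_path, user, command);
    reject "Allowlist unavailable; request denied";
}

# One account name per line.  split() returns a list; a trailing newline
# yields a final empty element, which can never equal a real account name.
allowed = split(contents, "\n");

if (user in allowed) {
    runuser = "root";
    syslog("pb policy: %s accepted for %s on %s", user, command, host);
    accept;
}

# printf() requires exactly one argument per format command (three here);
# a mismatch is a policy error, not a silent truncation.
printf("%s is not in %s (%d entries checked)\n", user, allowlist_path, length(allowed));
syslog("pb policy: %s rejected for %s on %s", user, command, host);
reject;
```

The user-facing message and the syslog record deliberately carry different detail: the terminal shows the requester only that the request was denied, while syslog receives the user, command and host needed to reconstruct the decision later.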


LDAP functions
Endpoint Privilege Management for Unix and Linux LDAP support is based on the LDAP version 2 API, as defined in RFC 1823. Specific
parts of the LDAP API are mapped to a series of Endpoint Privilege Management for Unix and Linux functions.
The following table summarizes the Endpoint Privilege Management for Unix and Linux LDAP functions.

Function             Description

ldap_attributes()    Returns the attributes that are associated with an LDAP entry.

ldap_bind()          Binds an open LDAP connection to a user.

ldap_dn2ufn()        Converts a DN to a user-friendly naming format.

ldap_entry_count()   Returns the number of entries that are returned by an LDAP search.

ldap_explodedn()     Returns the components of a DN in a list.

ldap_firstentry()    Returns the first entry that is returned by a search.

ldap_getdn()         Returns the DN of an LDAP entry.

ldap_getvalues()     Returns values that are associated with an LDAP entry.

ldap_init()          Connects to an LDAP server. Version 3.5 and earlier: function available. Version 4.0 and later: function deprecated.

ldap_initialize()    Initializes a connection to an LDAP server from an LDAP URL; supersedes ldap_open() and ldap_init().

ldap_nextentry()     Returns the next entry that is returned by a search.

ldap_open()          Opens a connection to an LDAP server.

ldap_search()        Searches an LDAP tree.

ldap_unbind()        Unbinds and disconnects a connection from an LDAP directory.

Perform an LDAP search

The general process for performing an LDAP search is outlined below.

1. Use the ldap_open() function to establish an LDAP server connection.
2. Bind the LDAP server connection to the user by using the ldap_bind() function.
3. Use the function ldap_search() to search an LDAP directory.
4. Use the ldap_entry_count() function to determine the number of entries that were found by the query.
5. Loop through the entries that were found by the query by using the ldap_firstentry() and ldap_nextentry() functions.
6. Use the function ldap_attributes() to obtain a list of attributes that are available for an entry.
7. Use the ldap_getvalues() function to retrieve the actual attribute values that are associated with an entry.
8. Process the next entry. Repeat steps 5 through 7 until all entries are processed.
9. Use the function ldap_unbind() to unbind and close the LDAP server connection.

For more information on using LDAP, refer to your LDAP documentation.
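The following policy fragment is an added example, not code from this guide or from BeyondTrust. It carries steps 1 through 9 above through as one piece of policy: it looks up the submitting user in the directory, checks the user's memberOf values for an administrators group, and accepts only on a match. The host name, base DN, bind DN, group DN, the memberOf attribute and the secret file path are assumptions chosen for illustration; the fragment uses only the LDAP functions documented in this section plus readfile(), sprintf() and the standard user, command and runuser variables, and it follows the return values stated on the individual function pages (an empty string from ldap_open() on failure, 0 from ldap_bind() on success, 0 from ldap_entry_count() on error).

```pbpolicy
# Added example: decide a request from the submitting user's LDAP group
# membership.  All names below are assumptions for illustration.
ldap_host   = "ldap.example.com";
ldap_base   = "ou=people,dc=example,dc=com";
bind_dn     = "cn=pbreader,ou=service,dc=example,dc=com";
admin_group = "cn=unixadmins,ou=groups,dc=example,dc=com";

# Assumed secret file on the policy server; keep it readable only by the
# account the policy server runs as.
bind_pw = readfile("/etc/pb.ldap.secret");

# Step 1: connect.  ldap_open() returns a null string on failure; fail closed.
conn = ldap_open(ldap_host, 389);
if (conn == "") {
    syslog("pb policy: cannot reach LDAP server %s, rejecting %s", ldap_host, user);
    reject "Directory unavailable; request denied";
}

# Step 2: bind.  Documented return is 0 on success.  A simple bind sends the
# password as-is, so the transport to the directory must be protected.
if (ldap_bind(conn, bind_dn, bind_pw) != 0) {
    ldap_unbind(conn);
    syslog("pb policy: LDAP bind as %s failed, rejecting %s", bind_dn, user);
    reject "Directory bind failed; request denied";
}

# Step 3: search.  The filter is built only from 'user', the authenticated
# submitting account, never from runargv or other caller-supplied text:
# unescaped text inside a filter is LDAP filter injection.  attributeFlag 0
# asks for attribute types and values.
filter = sprintf("(uid=%s)", user);
msg = ldap_search(conn, ldap_base, "subtree", filter, {"memberOf"}, 0);

# Step 4: count the entries.  A failed search yields 0, so the loop below
# never runs and the request is rejected.
n = ldap_entry_count(msg);

# Steps 5 to 8: walk the entries with ldap_firstentry()/ldap_nextentry().
is_admin = false;
i = 0;
entry = ldap_firstentry(msg);
while (i < n) {
    # Step 6: attribute names present on this entry (for debugging).
    attrs = ldap_attributes(entry);
    # Step 7: the values of the attribute that matters here.
    groups = ldap_getvalues(entry, "memberOf");
    if (admin_group in groups) {
        is_admin = true;
    }
    entry = ldap_nextentry(entry);
    i = i + 1;
}

# Step 9: always release the connection, on both outcomes.
ldap_unbind(conn);

if (is_admin) {
    runuser = "root";
    syslog("pb policy: %s accepted for %s via %s", user, command, admin_group);
    accept;
}
syslog("pb policy: %s is not a member of %s, rejecting %s", user, admin_group, command);
reject;
```

Every failure path (unreachable server, failed bind, failed search, no matching group) ends in reject, and the connection is unbound on both the accept and the reject path so that a policy error cannot leave a bound connection behind.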


ldap_attributes

Description
The ldap_attributes() function returns a list that contains all of the attributes that are associated with the specified LDAP entry. Each
element in result contains an attribute name.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_attributes (LDAPEntry);

Arguments

LDAPEntry    Required. A unique LDAP entry that is generated by ldap_firstentry(), ldap_nextentry(), or ldap_search().

Return values
A list in which each element contains an attribute name. On error, it returns an empty list.

Example:

result = ldap_attributes (LDAPEntry);

In this example, result might look like the following:

{"firstname", "lastname", "department", "jobcode"}

For more information, see the following:

- "ldap_firstentry" on page 543
- "ldap_nextentry" on page 547
- "ldap_search" on page 549


ldap_bind

Description
The ldap_bind() function binds an existing LDAP server connection using the specified DN and password. If the DN is not specified, an
anonymous bind is attempted.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_bind (ConnectionId, dn [,Password]);

Arguments

ConnectionId Required. LDAP server connection that is generated by the ldap_open() function.

dn Required. User’s DN. May be an empty string.

Password Optional. String that contains the password for dn.

Return values

0 Bind operation successful.

1 Bind operation failed.

Example:

result = ldap_bind (ldapConnection, "");

In this example, an anonymous bind is performed using the LDAP server connection that is specified in ldapConnection.

For more information, see the following:

- "ldap_open" on page 548
- "ldap_unbind" on page 551


ldap_dn2ufn

Description
The ldap_dn2ufn() function converts the supplied DN into a more user-friendly form by stripping off the type names. The resulting
character string is returned in result.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_dn2ufn (dn);

Arguments

dn Required. A string that contains a DN (Distinguished Name).

Return values

string A character string that contains a DN name with type names removed.

Empty string Error.

Example:

result = ldap_dn2ufn (dn);

In this example, result contains the specified DN name without type names.

For more information, see "ldap_explodedn" on page 541.


ldap_entry_count

Description
The ldap_entry_count() function returns the number of entries that exist in a specific LDAP message. The ldap_search() function
generates LDAPEntry.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_entry_count (LDAPEntry);

Arguments

LDAPEntry Required. LDAP message that is generated by ldap_search().

Return values

integer The number of entries that are contained in the specified LDAP message.

0 If zero entries or on error.

Example:

result = ldap_entry_count (LDAPEntry);

In this example, result contains the number of entries in the LDAP message that is identified by LDAPEntry.

For more information, see "ldap_search" on page 549.


ldap_explodedn

Description
The ldap_explodedn() function splits the supplied DN into its separate subcomponents. Each subcomponent is called a relative
distinguished name (RDN).

The notypes argument specifies whether the RDNs are returned with only values or both values and attributes. Setting notypes to false
returns both values and attributes. Setting notypes to true returns only values.
The RDNs are returned in a list. If only values were requested, then each list element contains one value. If both values and attributes
have been requested, each result list element has the format "attribute=value".

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_explodedn (dn, notypes);

Arguments

dn Required. A string that contains a Distinguished Name (DN).

notypes Required. An integer that represents a true or false value.

Return values
result is a list containing the DN subcomponents (that is, the RDNs). If only values are requested, then the list has the following format:

{"value", "value", …}

If both values and attributes are requested, then the list has the following format:

{"attribute=value", "attribute=value", …}.

Example:

result = ldap_explodedn (dn, false);

In this example, result is a list containing DN subcomponents. Both values and attributes are returned in this case.


For more information, see "ldap_dn2ufn" on page 539.


ldap_firstentry

Description
The ldap_firstentry() function returns the first entry in the specified LDAP message that is returned from ldap_search().
The first entry message is needed to retrieve successive entries from the specified LDAP message by using the ldap_nextentry()
function.
The ldap_firstentry() function does not retrieve values. It returns a unique entry. The result can be used in a function such as ldap_
getvalues() to actually retrieve attribute values.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_firstentry (LDAPEntry);

Arguments

LDAPEntry Required. LDAP message. ldap_search() generates LDAP messages.

Return values

LDAPEntry An LDAP entry.

Empty String Error.

Example:

result = ldap_firstentry (LDM);

For more information, see the following:

- "ldap_nextentry" on page 547
- "ldap_search" on page 549


ldap_getdn

Description
The ldap_getdn() function returns the DN for the specified LDAP entry.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_getdn (LDAPEntry);

Arguments

LDAPEntry    Required. An LDAP entry. ldap_firstentry(), ldap_nextentry(), and ldap_search() generate LDAP entries.

Return values

string A DN.

Empty string Error condition.

Example:

result = ldap_getdn (LDAPEntry);

For more information, see the following:

- "ldap_firstentry" on page 543
- "ldap_nextentry" on page 547
- "ldap_search" on page 549


ldap_getvalues

Description
The ldap_getvalues() function returns the values that are associated with the specified attribute. The values are returned in a list where
each list element represents a value. The length() function can be used to determine the number of elements that are returned in result. If
ldap_getvalues() is successful, result has the format {"value", "value", …}.

The ldap_getvalues() function is typically used after a call to ldap_search(), ldap_firstentry(), or ldap_nextentry() to retrieve attribute
values for the entry that is currently being processed.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_getvalues (LDAPEntry, attributeName);

Arguments

LDAPEntry Required. An LDAP entry that is created by ldap_firstentry(), ldap_nextentry(), or ldap_search().

attributeName Required. String that identifies the attribute for which a value should be returned.

Return values

list If successful, then a list of character strings is returned. Each element in the list contains a value.

empty list Error condition, list length is set to zero.

Example:

result = ldap_getvalues (LDAPEntry, "uid");

For more information, see the following:

- "ldap_firstentry" on page 543
- "ldap_nextentry" on page 547
- "ldap_search" on page 549


ldap_init
- Version 3.5 and earlier: ldap_init() function available.
- Version 4.0 and later: ldap_init() function deprecated.

Description
Initializes a connection to an LDAP database from an LDAP URL. This function, ldap_initialize(), supersedes ldap_open() and the deprecated ldap_init().

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

ldap_initialize (ldap_url [, 2 | 3])

Arguments

ldap_url Required, string. An LDAP URL pointing to the desired LDAP database.

version     Optional, number. The LDAP database version, either 2 or 3. If the version is not included, then a version 2 connection is created.

Return values
On success, an LDAP Connection is returned. On failure, null is returned.

Example:

connection = ldap_initialize("ldap://ldaphost");

For more information, see the following:

- "ldap_init" on page 546
- "ldap_open" on page 548


ldap_nextentry

Description
The ldap_nextentry() function returns the next LDAP entry in the specified LDAP message.
The ldap_nextentry() function does not retrieve values. It returns a unique entry. The result can be used in a function like ldap_
getvalues() to actually retrieve attribute values.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_nextentry (LDAPEntry);

Arguments

LDAPEntry Required. An LDAP entry that is returned by the previous ldap_firstentry() or ldap_nextentry().

Return values

LDAP_Entry An LDAP entry.

empty string Error condition.

Example:

result = ldap_nextentry (LDAPEntry);

For more information, see the following:

- "ldap_firstentry" on page 543
- "ldap_search" on page 549


ldap_open

Description
The ldap_open() function establishes a connection to the LDAP server that is specified in ServerName. The connection is made through
the port number in port (if specified).

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_open (ServerName [,port]);

Arguments

ServerName Required. Character string that contains the host name of an LDAP server.

port Optional. Integer that contains a port number. The default port number is 389.

Return values

LDAP_Connection If the open operation is successful, an LDAP server connection is returned in result.

Example:

result = ldap_open ("mycompany.ldap.server1", 200);

In this example, if the open operation is successful, result contains an LDAP server connection ID for
mycompany.ldap.server1 on port 200. If the connection is not successful, result contains a null string.

For more information, see the following:

- "ldap_bind" on page 538
- "ldap_init" on page 546
- "ldap_unbind" on page 551


ldap_search

Description
The ldap_search() function searches the LDAP directory below the baseDN, using the search criteria that are specified in the search
filter. The scope argument defines the scope, or boundaries, of the search.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_search (ConnectionId, baseDN, scope, searchfilter, attributeList, attributeFlag);

Arguments

ConnectionId Required. LDAP Server Connection.

baseDN Required. String that contains the base DN for the search.

scope            Required. String that contains a search scope value. Valid entries are subtree (search the baseDN and the entire directory below), onelevel (search the baseDN and one level below), and base (search the baseDN only).

searchfilter     Required. String that contains search criteria.

attributeList    Required. List that identifies the attributes that should be returned. Each list element must be an attribute name. An empty list defaults to all attributes.

attributeFlag    Required. Integer that represents either true or false. If set to true, only attribute types are returned. If set to false, both attribute types and values are returned.

Return values

LDAP message The search operation was successful.

empty string Unsuccessful search.

Example:

result = ldap_search (ConnectionId, "dc=beyondtrust,dc=com", "subtree", "jobcode=mgr", {}, 0);


For more information, see the following:

- "ldap_attributes" on page 537
- "ldap_entry_count" on page 540
- "ldap_firstentry" on page 543
- "ldap_getvalues" on page 545
- "ldap_nextentry" on page 547
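The searchfilter argument is a plain string, so a policy that builds it from a value received at run time (the submitting user's login name is the usual case) has to escape the characters that are special in filter syntax, or a crafted value can change the shape of the filter and widen the match beyond the intended entry. The following Python module is an added example, not code from the product or its policy language: it shows the RFC 4515 escaping that the filter string must contain before it is passed to ldap_search(), and checks the scope value against the three values this page accepts. The function names, and the use of uid and jobcode as attribute names, are illustrative choices for this example.

```python
"""RFC 4515 escaping for values placed inside an LDAP search filter.

Added example for the ldap_search() searchfilter argument; it is not part of
the product's policy language. Names in this module are illustrative.
"""
from typing import Iterable

# Characters that carry meaning inside a filter assertion value (RFC 4515 s.3).
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The scope strings the ldap_search() page accepts.
VALID_SCOPES = ("base", "onelevel", "subtree")


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside a filter such as (uid=value).

    Each character is examined once, so a backslash produced by an earlier
    replacement is never re-escaped.  Non-ASCII characters are emitted as
    escaped UTF-8 octets, which is what the filter grammar requires.
    """
    out = []
    for ch in value:
        esc = _ESCAPES.get(ch)
        if esc is None and ord(ch) > 0x7F:
            esc = "".join(r"\%02x" % b for b in ch.encode("utf-8"))
        out.append(esc if esc is not None else ch)
    return "".join(out)


def build_filter(attribute: str, value: str) -> str:
    """Return an equality filter '(attribute=value)' with the value escaped.

    The attribute name is not user data, so it is validated rather than
    escaped: letters, digits, '-' and '.' (OID form) only.
    """
    if not attribute.replace("-", "").replace(".", "").isalnum():
        raise ValueError("attribute name is not a valid LDAP attribute description")
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def and_filters(filters: Iterable[str]) -> str:
    """Combine already-built filters with the LDAP AND operator."""
    return "(&" + "".join(filters) + ")"


def is_valid_scope(scope: str) -> bool:
    """True only for the scope strings documented for ldap_search()."""
    return scope in VALID_SCOPES


def user_filter(login: str, required_jobcode: str = "mgr") -> str:
    """Filter for 'the entry of this login name that also has the given jobcode'."""
    return and_filters([build_filter("uid", login), build_filter("jobcode", required_jobcode)])
```

escape_filter_value() turns the name bob*)(uid=* into bob\2a\29\28uid=\2a, so the resulting filter only matches an entry whose uid literally contains those characters instead of becoming a second, broader assertion. This page lists no escaping function in the policy language itself; a value that cannot be escaped before it reaches ldap_search() should therefore be checked for these characters in policy and rejected rather than interpolated as-is.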


ldap_unbind

Description
The ldap_unbind() function unbinds and closes an existing LDAP server connection.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ldap_unbind (LDAP_Connection);

Arguments

LDAP_Connection Required. An LDAP Server Connection that was created by ldap_open().

Return values

0 Unbind operation successful.

-1 Unbind operation failed.

Example:

result = ldap_unbind (ldapConnection);

In this example, an unbind and close are performed on the LDAP server connection ID specified in ldapConnection.

For more information, see the following:

- "ldap_bind" on page 538
- "ldap_open" on page 548


List functions
The following table summarizes the available Endpoint Privilege Management for Unix and Linux list functions.

Function Description

append() Creates a new list by appending one or more strings or lists to the end of another list.

insert() Creates a new list by inserting additional strings or lists into a specific position (indicated by an integer index) in the original list.

join() Creates a new string by concatenating each element of a specified list separated by a delimiter character. This is the opposite of the split() function.

length() Returns the number of elements in a list.

range() Creates a new list from a specific range of elements from an existing list.

replace() Creates a new list by deleting a specific range of elements from an existing list. Replacement elements can be inserted into the new list in positions where original elements were deleted.

search() Searches a list for a specific pattern.

split() Creates a new list by splitting the contents of a string into individual list elements. This is the opposite of the join() function.


append


Description
The append() function creates a new list by concatenating the supplied arguments to the end of list1 in sequential order.

Syntax

result = append (list1, list-or-string1 [,list-or-string2, …]);

Arguments

list1 Required. Contains the list to which the specified arguments are appended.

list-or-string1 Required. Contains either a character string or a list. This argument is appended to list1.

list-or-string2 … Optional. Contains additional character strings and/or lists. These additional arguments are appended to list1 in the order given.

Return values
The newly created list.

Example:

TrustedUsers = {"JWhite", "TBrown", "SBlack"};
NewList = append (TrustedUsers, "RRoads");

In this example, NewList contains the following list:

{"JWhite", "TBrown", "SBlack", "RRoads"}

Example:

List1 = {"JWhite", "TBrown"};
List2 = {"SBlack", "RRoads"};
NewList = append (List1, "RGreen", List2);

In this example, NewList contains:

{"JWhite", "TBrown", "RGreen", "SBlack", "RRoads"}

For more information, see the following:


- "insert" on page 556
- "join" on page 558


insert


Description
Returns a list constructed by inserting the strings or lists into a specific position (indicated by an integer index) in the specified list. Index 0 is the start of the list, 1 is between the first and second elements in the list, and so on.
If you specify an index number that is larger than the number of elements in the list, then the new elements are placed at the end of the list.

Syntax

result = insert (list, index, list-or-string1 [, list-or-string2, ...])

Arguments

list Required. The original list.

index Required. The integer index.

list-or-string1 Required. The list or string to insert.

list-or-string2 Optional. The subsequent list(s) or string(s) to insert.

Return values
A list.

Example:

trustedusers={"jamie", "cory", "tom"};
a=insert(trustedusers, 1, "leslie");

In this example, a contains the following list:

{"jamie", "leslie", "cory", "tom"}

For more information, see the following:

- "append" on page 553
- "join" on page 558
- "replace" on page 564


join


Description
The join() function creates a string by concatenating all of the elements in a list. The specified delimiter character separates each element
in the generated string. If a delimiter character is not specified, then a blank is used as the delimiter.

Syntax

result = join (list [,delimiter]);

Arguments

list Required. The list whose elements are to be concatenated into a new character string.

delimiter Optional. If specified, the delimiter character is used as a separator character between list elements as they are concatenated together.

Return values
result Contains the new character string.

Example:

TrustedUsers = {"Fred", "John", "George"};
NewString = join (TrustedUsers, ",");

In this example, NewString contains the character string Fred,John,George. With no delimiter argument, the result would be Fred John George.

For more information, see "split" on page 569.


length


Description
The length() function returns the number of elements in the specified list. The index number for the first element in a list is always 0. The
index number for the last list element is always the list length - 1.

Syntax

result = length (list1);

Arguments
list1 Required. The list for which the number of elements is determined.

Return values
result Contains the number of elements in list1.

Example:

list1 = {"Fred", "George", "Sally"};


result = length (list1);

In this example, result contains the integer value 3.

For more information, see the following:

- "append" on page 553
- "insert" on page 556
- "join" on page 558
- "range" on page 562
- "split" on page 569


range


Description
The range() function generates a new list from the elements in list1, starting at the element number that is specified by index1 and ending with the element number that is specified by index2 (inclusive).
The first element in a list always has an index value of 0. An index2 that is larger than the last index in the list is treated as the last element. If index1 is larger than the last index in the list, an empty list is returned (that is, a list with length 0).

Syntax

result = range (list1, index1, index2);

Arguments

list1 Required. The list from which a new list is extracted.

index1 Required. The element number, in list1, at which the extraction should begin.

index2 Required. The element number in list1 at which the extraction should end, inclusive.

Return values
result Contains the new list that was extracted from list1.

Example:

list1 = {"JWhite", "SBrown", "RRoads"};


result = range (list1, 1, 2);

In this example, result contains the following list:

{"SBrown", "RRoads"}

For more information, see the following:

- "append" on page 553
- "insert" on page 556
- "join" on page 558
- "length" on page 560
- "replace" on page 564
- "split" on page 569


replace


Description
The replace() function replaces elements in a list, thereby creating a new list. The list elements in the specified range are deleted and
those that are specified by the string arguments are inserted in their place. If replacement arguments are not supplied, then the
appropriate elements are deleted without being replaced.

Syntax

result = replace (list1, index1, index2 [, list-or-string1, list-or-string2, ...]);

Arguments

list1 Required. The list from which list elements are removed and, optionally, replaced by new elements.

index1 Required. The index of the first element in the range of elements to delete or replace.

index2 Required. The index of the last element in the range of elements to delete or replace (inclusive).

list-or-string1, list-or-string2 … Optional. The list(s) or character string(s) that replace the deleted elements, inserted in the order given. If none are supplied, the elements in the range are deleted without replacement.

Return values

result Contains the new list that is created by deleting or replacing elements from the original list.

Example:

list1 = {"Adm1", "Adm2", "Adm3", "Adm4"};


result = replace (list1, 2, 3, "SysAdm1", "SysAdm2");

In this example, result contains the following list:

{"Adm1", "Adm2", "SysAdm1", "SysAdm2"}

For more information, see the following:

- "append" on page 553
- "insert" on page 556
- "join" on page 558


- "length" on page 560
- "range" on page 562
- "split" on page 569


search


Description
The search() function searches a list for the first element that is found to match a specific pattern. The search is case sensitive and
wildcard characters can be used within the pattern.

For more information on using wildcard characters, see Wildcard Search Characters and "quote" on page 1.

Syntax

result = search (list1, pattern);

Arguments

list1 Required. The list to search.

pattern Required. The pattern to search for.

Return values
An integer value is returned. If a match is found, then result contains the element number of the first pattern match in the list. If no match is
found, result is set to -1.

Example
In this example,

list1 = {"ADM1", "ADM2", "ADM3", "SYSADM1", "SYSADM2", "USER1", "USER2"};


result = search (list1, "SYS*");

result is set to 3 as list1[3] is the first element in the list to match the search pattern.

See also

append(), insert(), join(), length(), range(), replace()


split


Description
The split() function creates a list from a string. The string is broken up into separate list elements based on the characters in the specified
delimiter string. If a delimiter string is not specified, then a string containing space, tab (\t), and newline (\n) is used. If none of the delimiter
characters are encountered, then a list that contains one element (that is, the entire string) is returned.

Syntax

result = split (string1[,delimiter[,omit_empty_elements]]);

Arguments

string1 Required. The string to separate into list elements.

delimiter Optional. The delimiter string; each character in it separates elements. If delimiter is not specified, a string containing space, tab (\t), and newline (\n) is used.

omit_empty_elements Optional. Boolean value that determines whether empty elements of the resulting list are omitted (true) or included (false). If omit_empty_elements is not specified, it defaults to true.

Return values
result contains the new list.

Example:

UserList = "user1,user2,user3,,user4";
result = split (UserList,",");

In this example, result contains the following list:

{"user1", "user2", "user3", "user4"}

Example:

UserList = "user1,user2,user3,,user4";
result = split (UserList,",",false);

In this example, result contains the following list:

{"user1", "user2", "user3", "", "user4"}


For more information, see the following:

- "append" on page 553
- "insert" on page 556
- "join" on page 558
- "length" on page 560
- "range" on page 562
- "replace" on page 564
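The list functions on the preceding pages, and the shell-style matching that search() and glob() use, are easy to get wrong at the boundaries: an index past the end, an empty element, the default delimiter. The following Python module is an added reference model of the behaviour this guide documents for them; it is not the product's implementation and has no access to policy variables. It keeps the same argument order as the policy functions, with range() renamed list_range() to avoid the Python built-in, so the examples on these pages can be fed to it as test data before the same calls are written into policy. Where the guide is silent (a negative index, an empty input string) the model's choices are its own.

```python
"""Reference model of the policy language list functions (added example).

Not the product's code: it reproduces the documented argument order and
edge cases so expected results can be checked before writing policy.
"""
from fnmatch import fnmatchcase
from typing import List, Union

Item = Union[str, List[str]]


def _flatten(items) -> List[str]:
    """A string argument becomes one element; a list argument contributes each element."""
    out: List[str] = []
    for item in items:
        out.extend(item if isinstance(item, list) else [item])
    return out


def append(list1: List[str], *items: Item) -> List[str]:
    return list1 + _flatten(items)


def insert(lst: List[str], index: int, *items: Item) -> List[str]:
    # Index 0 is the start; an index past the end places the elements at the end.
    index = min(max(index, 0), len(lst))
    return lst[:index] + _flatten(items) + lst[index:]


def join(lst: List[str], delimiter: str = " ") -> str:
    # A blank is the documented default separator.
    return delimiter.join(lst)


def length(lst: List[str]) -> int:
    return len(lst)


def list_range(lst: List[str], index1: int, index2: int) -> List[str]:
    # index2 is inclusive and clamps to the last element; an index1 past the
    # last element yields an empty list.
    if index1 > len(lst) - 1:
        return []
    return lst[index1:index2 + 1]


def replace(lst: List[str], index1: int, index2: int, *items: Item) -> List[str]:
    # Elements index1..index2 (inclusive) are dropped; replacements, if any,
    # are inserted where they were.
    return lst[:index1] + _flatten(items) + lst[index2 + 1:]


def search(lst: List[str], pattern: str) -> int:
    # Case-sensitive shell-style pattern; index of the first match or -1.
    for i, elem in enumerate(lst):
        if fnmatchcase(elem, pattern):
            return i
    return -1


def glob(pattern: str, string: str) -> bool:
    # The glob() function on the following pages: shell-style match, true/false.
    return fnmatchcase(string, pattern)


def split(string1: str, delimiter: str = " \t\n", omit_empty_elements: bool = True) -> List[str]:
    # Each character of delimiter separates elements; two adjacent delimiters
    # produce an empty element, which is dropped unless omit_empty_elements
    # is false.  A string with no delimiter characters is a one-element list.
    parts: List[str] = []
    current = ""
    for ch in string1:
        if ch in delimiter:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    if omit_empty_elements:
        parts = [p for p in parts if p != ""]
    return parts
```

Because search() matches case-sensitively, a pattern written in lower case never matches an upper-case element, and a pattern without a wildcard only matches an element that is equal to it in full; when a list of allowed command names is searched, that is the behaviour to rely on.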


Miscellaneous functions and procedures


Miscellaneous functions and procedures (refer to the following table) do not fit into any other category.

Function/Procedure Description

egrep() Runs the policy server host's egrep command using the provided arguments and files, and returns the result as a string. Version 4.0 and earlier: function not available. Version 5.0 and later: function available.

fgrep() Runs the policy server host's fgrep command using the provided arguments and files, and returns the result as a string. Version 4.0 and earlier: function not available. Version 5.0 and later: function available.

glob() Matches a string to a pattern.

grep() Runs the policy server host's grep command using the provided arguments and files, and returns the result as a string. Version 4.0 and earlier: function not available. Version 5.0 and later: function available.

iologcloseaction() Executes a specified program on the log server (or policy server, if there is no log server) when an iolog is closed.

iologcloseactionrunhost() Executes a specified program on the runhost when the session is ended and the iolog is closed. Version 9.3 and earlier: procedure not available. Version 9.4 and later: procedure available.

ipaddress() Returns a machine's IP address.

isset() Checks a variable to see if it has a value.

quote() Encloses a string in quotation marks.

remotesystem() Runs a command on a specified Endpoint Privilege Management for Unix and Linux runhost.

runtimewarn() Warns the user on stderr that the session has exceeded the time limit. Version 9.3 and earlier: procedure not available. Version 9.4 and later: procedure available.

runtimewarnlog() Records to logserver's syslog that a user's session has exceeded the time limit. Version 9.3 and earlier: procedure not available. Version 9.4 and later: procedure available.

system() Runs a command.

unset Removes temporary variables from the event and I/O log files.


egrep
- Version 4.0 and earlier: egrep() function not available.
- Version 5.0 and later: egrep() function available.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Description
The egrep() function runs the policy server host's egrep command using the provided arguments and files, and returns the result as a string. Because the command runs on the policy server host, the file names and any wildcards in them are resolved on that host, not on the host that submitted the request, and the returned string is whatever that egrep prints.

Syntax

egrep ([egrep-arguments, ] search-pattern, filename-or-template [, filename-or-template …]);

Arguments

egrep-arguments Optional. Switch arguments to the policy server host's egrep command. Refer to the policy server host's grep documentation for specifics.

search-pattern Required. The regular expression to search for.

filename-or-template Required. A file name, possibly with wildcards, to search for the search-pattern.

Return values
A string that contains the output of egrep().

Example:

result = egrep ("-w", "word", "filename");


result = egrep ("pattern", "manynames*");

For more information, see the following:

- "fgrep" on page 574
- "grep" on page 577


fgrep
- Version 4.0 and earlier: fgrep() function not available.
- Version 5.0 and later: fgrep() function available.

Description
The fgrep() function runs the policy server host's fgrep command using the provided arguments and files, and returns the result as a string. fgrep matches fixed strings rather than regular expressions, so characters such as . and * in search-pattern are matched literally. As with egrep() and grep(), the file names are resolved on the policy server host.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

fgrep ([fgrep-arguments, ] search-pattern, filename-or-template [, filename-or-template …]);

Arguments

fgrep-arguments Optional. Switch arguments to the policy server host's fgrep command. Refer to the policy server host's fgrep documentation for specifics.

search-pattern Required. The fixed string to search for.

filename-or-template Required. A file name, possibly with wildcards, to search for the search-pattern.

Return values
A string that contains the output of fgrep.

Example:

result = fgrep ("-w", "word", "filename");


result = fgrep ("pattern", "manynames*");

For more information, see the following:

- "egrep" on page 573
- "grep" on page 577


glob


Description
The glob() function searches a character string for a specific shell-style pattern. glob() is often used to match patterns to file names
because the patterns that are used are the same patterns that are used by the Unix/Linux shell file name matching algorithms.

For more information on creating search patterns, see Wildcard Search Characters and "quote" on page 1.

Syntax

result = glob (pattern, string);

Arguments

pattern Required. The search pattern.

string Required. The string to search.

Return values

true A pattern match was found.

false A pattern match was not found.

Example

result = glob (pattern, logfilename);


grep
- Version 4.0 and earlier: grep() function not available.
- Version 5.0 and later: grep() function available.

Description
The grep() function runs the policy server host's grep command using the provided arguments and files, and returns the result as a string. Because the command runs on the policy server host, the file names and any wildcards in them are resolved on that host, not on the host that submitted the request.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

grep ([grep-arguments, ] search-pattern, filename-or-template [, filename-or-template …]);

Arguments

grep-arguments Optional. Switch arguments to the policy server host's grep command. Refer to the policy server host's grep documentation for specifics.

search-pattern Required. The regular expression to search for.

filename-or-template Required. A file name, possibly with wildcards, to search for the search-pattern.

Return values
A string containing the output of grep.

Example:

result = grep ("-w", "word", "filename");


result = grep ("pattern", "manynames*");

For more information, see the following:

- "egrep" on page 573
- "fgrep" on page 574


iologcloseaction

Description
iologcloseaction() is used to specify a program to be executed on the log server (or on the policy server, if there is no log server) when an iolog is closed.

This can be used, for example, to execute scripts that send IOlog or ACA data to Splunk or other systems. When Endpoint Privilege Management for Unix and Linux is installed, an example Perl script called closeactionsplunk.pl, which sends ACA data from the IOlog to Splunk, is installed in /opt/pbul/scripts.

Note that, unlike the iologcloseactionrunhost() procedure, this does not include the ability to specify runuser, runcwd, environment, timeout, or command line arguments.

IOLogs with a closeaction specified, or when Solr is used, are placed in a queue rather than acted upon immediately. pbconfigd monitors the queue and launches pbreplay to handle both Solr and iologcloseaction activity.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

iologcloseaction( command );

Arguments

command Required string specifying the /full/path/to/external/program.
        The syntax for the script or program must be /path/to/external/program /path/to/iolog.log.
        The program should exit 0 if successful, should exit 255 (or -1) to have Endpoint Privilege Management for Unix and Linux log that the script failed, and should exit 254 (-2) to have Endpoint Privilege Management for Unix and Linux requeue the item and have the queue mechanism pause. This can be used, for example, to indicate that a destination host is not reachable, and additional closeaction activity should not take place immediately.

Example:

iologcloseaction("/opt/pbul/scripts/closeactionsplunk.pl");

For more information, see the following:

- "iolog" on page 308
- "iologcloseactionrunhost" on page 580
- The "iologactionqueuetimelimit," "iologactionmaxprocs keywords," and "pbdbutil --iologidx" sections in the Endpoint Privilege Management for Unix and Linux System Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm


iologcloseactionrunhost


Description
iologcloseactionrunhost() is used to specify a /path/filename to be executed on the runhost when the iolog is closed. The specified /path/filename can be a shell script or binary. The user to run the program as, the environment, the arguments, and the working directory are specified in the function call. Stdin, stdout, and stderr are redirected to /dev/null. The timeout (specified in seconds) is mandatory; a timeout value of zero indicates no timeout. Note that a timeout value greater than zero causes the end user's invocation of pbrun to pause while the close action takes place or until the timeout expires. Any runtime errors, such as an invalid user, cwd, or command, are logged via syslog, and to the appropriate EPM log (for example, pbrunlog or pblocaldlog) if specified in pb.settings.

Syntax

iologcloseactionrunhost( user, environment, timeout, cwd, "/path/command and arguments" );

Arguments

user        The user to run the command as. This user must exist on the runhost.

environment ENV settings to execute the command with. If an empty list is specified, su - is used to create a login environment.

timeout     Required integer. When set to 0, no timeout is used, and the specified command could potentially run forever. When set to > 0, specifies the number of seconds for a timeout. If the timeout is reached, the command is terminated using SIGTERM and, if needed, by a SIGKILL.

cwd         Required string to specify the working directory.
            Note: With an empty environment list, this directory may be changed via the login shell.

command     Required string specifying the fully qualified command and its arguments. This is passed to su using su's -c option.

Example:

iologcloseactionrunhost( "jsmith", {"PATH=/bin", "TMPDIR=/tmp/", "PBUL=PBULTEST"}, 20, "/tmp", "/usr/local/bin/closeaction -a -b" );

Example:

iologcloseactionrunhost( "root", {}, 0, "/tmp", "/usr/local/bin/closeaction -a -b" );


For more information, see "iolog" on page 308.


ipaddress

Description
The ipaddress() function returns the IP address of the machine that is specified by hostname. hostname should be a fully qualified
machine name.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = ipaddress (hostname);

Arguments
hostname Required. A fully qualified host name.

Return values
result contains the IP address of the specified machine. If the IP address cannot be determined, a blank string is returned (that is, length
= 0).

Example:

result = ipaddress (hostname);

In this example, result contains the IP address of the machine specified in hostname.


isset


Description
The isset() function determines whether a variable has been set. A variable with a blank or zero value returns true, because blank and
zero are considered values.

Syntax

result = isset (string);

Arguments
string Required. A string that contains a variable name.

Return values

true Integer. The specified variable has a value.

false Integer. The specified variable does not have a value.

Example:

runhost = "beyondtrust1";
result = isset ("runhost");

In this example, result contains an integer value of 1 (true) because the runhost variable has a value of beyondtrust1.

For more information, see "unset" on page 599.


policytimeout


Description
The policytimeout() procedure adds an overall policy timeout so that pbmasterd can abort the request when policy processing takes an inordinate amount of time, for example when submitconfirmuser() is used but the submitting user (or process) never enters a password. This prevents pbmasterd processes that appear unresponsive while the policy waits for user input that may never arrive.
When the policy timeout is reached, the request is rejected, with the exitstatus set to:

policy timeout (<seconds> seconds) reached for <submitting user> on host <submithost> for command <command and args>

That message is also logged to pbmasterd.log.

This timeout mechanism terminates pbmasterd any time policy processing takes longer than the specified timeout value. This includes user input functions, infinite loops, long-running external programs run with system() and remotesystem(), DNS and NFS hangs, and lengthy policies.
When policytimeout() is called at the beginning of the policy, it applies to the entire policy. If called later, it applies to the rest of the policy.
If the procedure is not called, or is called with a value of 0, there is no timeout, and pbmasterd processes the entire policy (including waiting for user input) before terminating.
The policytimeout() procedure can be called many times; each call overrides the value previously set.
The timeout is canceled when an accept or reject is encountered (that is, when the policy completes). Note that this timeout does not affect the runconfirmuser mechanism, which is processed after an accept, and it does not affect the secured task once it is accepted. For example, it cannot protect against a user not providing username/password input for pbrun telnet <host>.
pbmasterd informs EPM clients (pbrun, pbksh, pbsh, pbssh) of the timeout, and those clients also time out. Note that pbmasterd and the client do not time out at exactly the same moment: each processes the timeout independently, and either may terminate before the other. Older clients cannot process such a timeout and may appear unresponsive when pbmasterd terminates while expecting user input; pbmasterd has no mechanism to interrupt an older client that is expecting input.

When remotesystem() is used with the submithost, the policy timeout is independent of the timeout specified in the remotesystem() call. Whichever of those timeouts is reached first is the one that is processed.
When remotesystem() is used with a host other than the submithost, only the timeout specified in the remotesystem() call is used. If that is 0 (meaning no timeout) and the policy server encounters the policy timeout, the remote host may be left with a hung pblocald process.

Syntax

policytimeout( <timeout_value_in_seconds> );

Arguments
timeout_value_in_seconds Required. Specifies the policy timeout value in seconds.


Return values
Not applicable

Example:

policytimeout(25);
submitconfirmuser(user);
accept;

Example:

tmout=2;
policytimeout(tmout);
submitconfirmuser(user);
accept;

Example:

policytimeout(25);
...
policytimeout(40);
...
policytimeout(0);
...

For more information, see "remotesystem" on page 591.


quote


Description
The quote() function encloses a string in the specified character. It also inserts a backslash character (\) in front of any special characters contained in the string, to indicate that these characters should be taken literally rather than interpreted as special characters. The quote() function is useful when parsing arguments into commands that are shell scripts.

For more information on special characters, see Special Characters.

Syntax

result = quote (string1, quotechar);

Arguments

string1 Required. The string to enclose in the specified quotechar

quotechar Required. The character to use as the enclosing character

Return values
result contains the quoted string.

Example
In the example:

result = quote ("Hello, Hello, Hello", "*");

result is assigned:

"*Hello, Hello, Hello*"


remotesystem

Description
Introduced in Endpoint Privilege Management for Unix and Linux 7.1, remotesystem() is used to run commands on a host other than the
policy server host (any Endpoint Privilege Management for Unix and Linux runhost) as part of the policy. This can be called as a procedure
(command output is shown on pbrun's terminal) or as a function (command output is captured into a policy variable). This is similar to the
system() function/procedure, however the command is run on a different host. The Endpoint Privilege Management for Unix and Linux
variable status is set to the return code of the command upon exit. Input to the command comes from the user's keyboard or from the
inputstring argument if it is present. Output goes to the user's screen or to the result string variable, if present.
If the specified host is the same as the submithost, the requesting program (pbrun, pbksh, pbsh) executes the command. If the
specified host is not the submithost, pblocald is used to execute the command.
This is primarily intended to be used as a function, without interactive keyboard or screen I/O. Limited I/O is allowed, however programs
such as vi are not supported.
This policy function requires Endpoint Privilege Management for Unix and Linux 7.1 clients (pbrun, pbsh, pbksh, pbssh, pblocald).

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

[result =] remotesystem( hostname, user, environment, timeout, cwd, "command and arguments" [, inputstring] );

Arguments

hostname Required. The host on which to run the command. This can be short name, FQDN, or IP address.

user Required. The user to execute the command as.

environment Required. A list specifying the environment variables to execute the command with.

timeout Required. The maximum time in seconds that the remote command is allowed to take. A timeout of zero indicates no timeout.

cwd Required. Directory from which to execute the command.

command Required. The command (possibly including path) and arguments to run.

inputstring Optional. Command input, formatted into a single character string.

Return values
If the result variable is specified, remotesystem() acts as a function returning the output of the command. If the result variable is not specified, the output from the command that is executed by the remotesystem() procedure appears on stderr of the requesting program (pbrun, pbsh, pbksh, pbssh).


The Endpoint Privilege Management for Unix and Linux variable status is set to the return code. In general, a return code of 0 means the
command completed successfully. For a description of non-zero return codes, see the documentation for the command that is being run.
A status of -15 indicates a timeout.

Example:

processlist = remotesystem( submithost, "root", {"PATH=/bin","TMPDIR=/tmp/"}, 20, "/tmp", "ps -ef", "" );

In this example, the processlist variable is assigned the output from the ps command executed on the submithost. Note that
the optional input argument is a set of empty quotes, meaning that the command is not given any input.

Example:

processlist = remotesystem( submithost, "root", {"PATH=/bin","TMPDIR=/tmp/"}, 20, "/tmp", "bash -c 'ps -ef | grep ^" + user + "'" );

In this example, again, the processlist variable is assigned the output from the ps command executed on the submithost.
Note that the optional input argument is not provided, meaning that the submituser's keyboard is connected through to the
command. Note that bash -c is used to allow for a shell to process the multiple commands (ps and grep).
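The following added example (not from the guide) ties the policytimeout() section above to remotesystem(): the policy caps its own processing time, re-authenticates the submitter, then runs a read-only pre-check on the submithost and fails closed on either a timeout (status -15) or a non-zero status. The service account name svc_backup and the pre-check command are assumptions.

```pbul
# Added example, not from the guide. svc_backup and the id check are assumptions.
policytimeout(30);          # seconds; bounds the whole policy, including the prompt below
submitconfirmuser(user);    # submitter must re-enter their password

# Confirm the target account exists on the submithost before accepting.
# remotesystem() on the submithost runs through the requesting pbrun. Its
# 10-second timeout is independent of the 30-second policy timeout; whichever
# is reached first is the one that takes effect.
out = remotesystem(submithost, "root", {"PATH=/bin:/usr/bin"}, 10, "/",
                   "id -u svc_backup", "");

if (status == -15) {
    # remotesystem() timed out: treat an unanswered check as a failure.
    reject "Pre-check on " + submithost + " timed out";
}
if (status != 0) {
    reject "Account svc_backup does not exist on " + submithost;
}

runuser = "svc_backup";
accept;
```

Passing "" as inputstring keeps the submitter's keyboard out of the remote command, which is the intended non-interactive use of remotesystem().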

For more information, see the following:

- "system" on page 597
- "status" on page 394


runtimewarn


Description
After the specified number of minutes, a message is written to the user’s stderr. If the optional message argument is not specified, the
default message is: WARNING: You have exceeded the maximum allowed session time.
Internally, this feature makes use of the new read-only policy variables runtimewarn and runtimewarnmsg to communicate the details
from the policy server to the run host.
This feature might typically be used to warn a user of an upcoming timeout specified by the runtimelimit variable.

Note: The runtimewarn time limit is specified in minutes (within a procedure), while runtimeout is specified in seconds (as a
variable).

This feature may also be used with the new runtimewarnlog() procedure described below.

Syntax

runtimewarn( minutes [, message] );

Arguments

Minutes Required positive integer specifying the timeout in minutes.

Message Optional string specifying a message to issue to the user on stderr.

Example:

runtimewarn(20);
runtimewarn(20, "Warning, your session will expire soon!");

For more information, see the following:

- "runtimelimit" on page 249
- "runtimewarnlog" on page 595


runtimewarnlog


Description
This feature requires an I/O log. After the specified number of minutes, a message is written to the log server’s syslog. This message
allows variable substitution using the %variable% syntax. Any variable recorded in the Accept event can be incorporated into the
message. When the finish event is logged, the new timelimitexceeded variable is set to 1. If the time limit is not exceeded, the
timelimitexceeded variable is not recorded in the finish event. If the optional message argument is not specified, the default message is:
user:%user% exceeded time limit as %runuser%@%runhost% for %runargv%

Internally, this feature makes use of the new read-only policy variables runtimewarnlog and runtimewarnlogmsg to communicate the
details from the policy server to the run host.
This feature might typically be used to create log entries of the longer sessions, possibly after warning a user using runtimewarn() of an
upcoming timeout specified by the runtimelimit variable.

Note: The runtimewarnlog time limit is specified in minutes (within a procedure), while runtimeout is specified in seconds
(as a variable).

Syntax

runtimewarnlog( minutes [, message] );

Arguments

Minutes Required positive integer specifying the timeout in minutes.

Message Optional string specifying a message to syslog on the log server.

Example:

runtimewarnlog(20);
runtimewarnlog(20, "user:%user% exceeded session time limit");
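As an added example (not from the guide) covering both runtimewarn() and runtimewarnlog() together with the runtimelimit variable: a session is capped at two hours, the user is warned ten minutes before the cap, and an audit line is written to the log server's syslog when the cap is exceeded. The I/O log directory is an assumption; note that runtimelimit is set in seconds while the two procedures take minutes.

```pbul
# Added example, not from the guide. The iolog directory is an assumption.
# runtimewarnlog() requires an I/O log; mktemp() yields a unique file name.
iolog = mktemp("/var/log/pbul/iolog/" + user + ".XXXXXX");

# Hard cap on the secured task: runtimelimit is a variable in SECONDS.
runtimelimit = 7200;                   # 2 hours

# Both procedures below take MINUTES.
# Warn the user on stderr 10 minutes before the cap.
runtimewarn(110, "Warning: your session will be terminated in 10 minutes");

# Record on the log server (with %variable% substitution from the Accept
# event) that the cap was reached; timelimitexceeded=1 lands in the Finish event.
runtimewarnlog(120, "user:%user% reached the 120-minute cap as %runuser%@%runhost% for %runargv%");

accept;
```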

For more information, see the following:

- "runtimelimit" on page 249
- "runtimewarn" on page 593


system

Description
The system() function is used to run commands on the policy server host as part of the policy. The Endpoint Privilege Management for
Unix and Linux variable status is set to the return code of the command upon exit. By default, commands that are run by the system()
function are run as root. However, commands can be run as different users by setting the Endpoint Privilege Management for Unix and
Linux variable subprocuser.
Input to the command comes from the user’s keyboard or from the inputstring if it is present. Output goes to the user’s screen or to the
result string variable, if present.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

[result =] system (command [,inputstring]);

Arguments

command Required. The command to run.

inputstring Optional. Command input arguments, formatted into a single character string.

Return values
result contains the output of the command. If the result variable is not specified, the output from the command that is executed by the
system() function appears on stderr of the requesting program (pbrun, pbsh, pbksh).
The Endpoint Privilege Management for Unix and Linux variable status is set to the return code. In general, a return code of 0 means the
command completed successfully. For a description of non-zero return codes, see the documentation for the command that is being run.

Example:

result = system ("echo date");

In this example, result is assigned date\n because the echo command outputs the string date with a newline character.
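The following added example (not from the guide) combines system() with the quote() function described earlier: a helper command built from a policy variable is quoted before it is handed to the policy server's shell, and the helper runs as an unprivileged account via subprocuser rather than as root. The group name sysadmin and the helper pipeline are assumptions.

```pbul
# Added example, not from the guide. The sysadmin group name is an assumption.
# Helpers launched by system() run as root by default; run this one as a
# low-privilege account via the subprocuser variable instead.
subprocuser = "nobody";

# quote() wraps the value in the given character and backslash-escapes any
# special characters inside it, so a value such as  x"; id; "  remains one
# shell word rather than closing the argument and starting a new command.
safeuser = quote(user, "\"");

# Ask the policy server host whether the submitter belongs to "sysadmin".
# xargs -n1 puts one group per line so grep -x matches the whole name only;
# grep -q exits 0 on a match and 1 otherwise, and that exit code lands in status.
system("id -Gn " + safeuser + " | xargs -n1 | grep -qx sysadmin");
if (status != 0) {
    reject user + " is not a member of the sysadmin group on the policy server";
}

runuser = "root";
accept;
```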

For more information, see the following:

- "policygetenv" on page 613
- "policysetenv" on page 614
- "policyunsetenv" on page 615
- "status" on page 394
- "subprocuser" on page 398


unset


Description
The unset procedure is used to remove temporary variables from the event and I/O log files when the variables are no longer needed.
Variables that are required for the functioning of an EPM daemon may not be unset.

Syntax

unset (variable);

Arguments
variable Required. The temporary variable to remove.

Return values
Not applicable

Example:

unset("xyz");

In this example, the temporary variable xyz is removed from the log files.

For more information, see the following:

- "isset" on page 584
- "logomit" on page 314


NIS functions
NIS functions are used to access the network information system. They are summarized in the following table.

Function Description

innetgroup() Determines if a machine is a member of a specific netgroup.

inusernetgroup() Determines if a user is a member of a specific netgroup.


innetgroup

Description
The innetgroup() function determines if a specific machine is a member of a netgroup.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = innetgroup (netgroup, host [, user [, domain]])

Arguments

netgroup Required. Name of the netgroup to query.

host Required. The name of the machine in question.

user Optional. The user name.

domain Optional. The domain name.

Return values

true The specified machine is a member of the specified netgroup.

false The specified machine is not a member of the specified netgroup.

Example:

result = innetgroup ("myhosts", "machine1");

In this example, result contains an integer value of 1 (true) if machine1 is a member of the netgroup myhosts. result
contains an integer value of 0 (false) if machine1 is not a member of the netgroup myhosts.

For more information, see "inusernetgroup" on page 603.


inusernetgroup

Description
The inusernetgroup() function determines if a user is a member of a specific netgroup.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = inusernetgroup (netgroupname, username);

Arguments

netgroupname Required. Name of the netgroup to query.

username Required. Name of the user in question.

Return values

true The specified user is a member of the specified netgroup.

false The specified user is not a member of the specified netgroup.

Example:

currentuser = "sysadm1";
result = inusernetgroup ("myhosts", currentuser);

In this example, result contains an integer value of 1 (true) if sysadm1 is a member of the netgroup myhosts or 0 (false) if
sysadm1 is not a member of the netgroup.

For more information, see "innetgroup" on page 602.
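Both innetgroup() and inusernetgroup() answer the same underlying question: does a (host, user, domain) triple match any entry in the named netgroup, following nested netgroup references. The model below, an added example and not BeyondTrust code, reproduces that matching over constructed /etc/netgroup-style text so a policy author can predict what the two functions return; a real lookup goes through NIS. The group names, hosts and users in NETGROUP_TEXT are all made up. It also shows the one property worth checking before gating a command on inusernetgroup(): a triple whose user field is empty (the usual form for a host netgroup) matches every user, so a host netgroup passed to inusernetgroup() returns true for anyone.

```python
"""Reference model of NIS netgroup membership, mirroring the semantics of
the innetgroup() and inusernetgroup() policy functions.  Added example,
not BeyondTrust code: a real lookup goes through NIS, not a text file."""

# Constructed sample in /etc/netgroup syntax: a netgroup name followed by
# (host,user,domain) triples and/or names of other netgroups.  An empty
# field matches any value; a "-" field matches no value.
NETGROUP_TEXT = """
# constructed sample data
myhosts  (machine1,,corp) (machine2,,corp) dbhosts
dbhosts  (db1,-,corp)
admins   (,sysadm1,corp) (,sysadm2,corp)
ops      admins (,opsuser,)
loop     loop (loophost,,)
"""


def parse_netgroups(text):
    """Return {netgroup: [triple-or-name, ...]} from netgroup-file text."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        members = []
        for tok in rest.split():
            if tok.startswith("(") and tok.endswith(")"):
                fields = tok[1:-1].split(",")
                fields += [""] * (3 - len(fields))   # pad short triples
                members.append(tuple(fields[:3]))
            else:
                members.append(tok)                   # nested netgroup name
        groups.setdefault(name, []).extend(members)
    return groups


def _field_matches(field, query):
    if query is None:          # caller left this field unconstrained
        return True
    if field == "-":           # "-" never matches a concrete value
        return False
    return field == "" or field == query


def _member(groups, name, host, user, domain, seen):
    # 'seen' stops infinite recursion on self-referencing netgroups
    if name in seen or name not in groups:
        return False
    seen.add(name)
    for m in groups[name]:
        if isinstance(m, tuple):
            h, u, d = m
            if (_field_matches(h, host) and _field_matches(u, user)
                    and _field_matches(d, domain)):
                return True
        elif _member(groups, m, host, user, domain, seen):
            return True
    return False


def innetgroup(groups, netgroup, host, user=None, domain=None):
    """1 if host (optionally constrained by user/domain) is in netgroup, else 0."""
    return 1 if _member(groups, netgroup, host, user, domain, set()) else 0


def inusernetgroup(groups, netgroup, username):
    """1 if username is in netgroup, else 0; host and domain are unconstrained."""
    return 1 if _member(groups, netgroup, None, username, None, set()) else 0


NETGROUPS = parse_netgroups(NETGROUP_TEXT)
```

Because inusernetgroup(NETGROUPS, "myhosts", "bob") returns 1 in this model (the myhosts triples have empty user fields), a policy that uses a host netgroup as if it were a user netgroup grants more than intended; keep host and user netgroups separate, and prefer "-" in the field that must never match.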


Policy environment functions and procedures


Policy environment functions and procedures are used to get, set, and unset the values of environment variables on the policy server host
during the run of a policy. The following table summarizes these functions and procedures.

Function/Procedure    Description

getlistsetting()      Returns the value of a list setting in the current policy server host settings file.
                      Version 4.0 and earlier: function not available.
                      Version 5.0 and later: function available.

getnumericsetting()   Returns the value of a numeric setting in the current policy server host settings file.
                      Version 4.0 and earlier: function not available.
                      Version 5.0 and later: function available.

getstringsetting()    Returns the value of a string setting in the current policy server host settings file.
                      Version 4.0 and earlier: function not available.
                      Version 5.0 and later: function available.

getyesnosetting()     Returns the value of a yes/no setting in the current policy server host settings file.
                      Version 4.0 and earlier: function not available.
                      Version 5.0 and later: function available.

policygetenv()        Sets the value of a local variable to that of an environment variable on the policy server host.

policysetenv          Enables the user to locally set an environment variable on the policy server host.

policyunsetenv        Used to locally unset the value of an environment variable on the policy server host.


getlistsetting
- Version 4.0 and earlier: getlistsetting() function not available.
- Version 5.0 and later: getlistsetting() function available.

Description
The getlistsetting() function returns the value of a list setting in the current policy server host settings file.

Syntax

getlistsetting (setting-name)

Arguments

setting-name Required. The list setting to retrieve.

Return values
A list that contains the value of the specified setting.

Example:

submitMasterList = getlistsetting("submitmasters");

For more information, see the following:

- "getnumericsetting" on page 607
- "getstringsetting" on page 609
- "getyesnosetting" on page 611


getnumericsetting
- Version 4.0 and earlier: getnumericsetting() function not available.
- Version 5.0 and later: getnumericsetting() function available.

Description
The getnumericsetting() function returns the value of a numeric setting in the current policy server host settings file.

Syntax

getnumericsetting (setting-name)

Arguments

setting-name Required. The numeric setting to retrieve.

Return values
A number that contains the value of the specified setting.

Example:

delayTime= getnumericsetting("masterdelay");

For more information, see the following:

- "getlistsetting" on page 605
- "getstringsetting" on page 609
- "getyesnosetting" on page 611


getstringsetting
- Version 4.0 and earlier: getstringsetting() function not available.
- Version 5.0 and later: getstringsetting() function available.

Description
The getstringsetting() function returns the value of a string setting in the current policy server host settings file.

Syntax

getstringsetting (setting-name)

Arguments

setting-name Required. The string setting to retrieve.

Return values
A string that contains the value of the specified setting.

Example:

policyDirectory = getstringsetting("policydir");

For more information, see the following:

- "getlistsetting" on page 605
- "getnumericsetting" on page 607
- "getyesnosetting" on page 611


getyesnosetting
- Version 4.0 and earlier: getyesnosetting() function not available.
- Version 5.0 and later: getyesnosetting() function available.

Description
The getyesnosetting() function returns the value of a yes/no setting in the current policy server host settings file.

Syntax

getyesnosetting (setting-name)

Arguments

setting-name Required. The yes/no setting to retrieve.

Return values
A number containing the value of the specified setting.

- 0 False. A no value.
- 1 True. A yes value.

Example:

useRNS=getyesnosetting("registrynameservice");

For more information, see the following:

- "getnumericsetting" on page 607
- "getstringsetting" on page 609
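The four getters above differ only in how they type the raw tokens of a setting: getlistsetting() keeps every whitespace-separated value, getstringsetting() returns one string, getnumericsetting() a number and getyesnosetting() 0 or 1. The model below is an added example, not BeyondTrust code, covering the getlistsetting, getnumericsetting, getstringsetting and getyesnosetting sections together. It assumes a settings file of "keyword value ..." lines with "#" comments; SETTINGS_TEXT is constructed (the keyword names are the ones used in this guide's examples, bogusdelay is invented), and a value that does not fit the requested type raises an error rather than silently becoming 0 or an empty string.

```python
"""Reference model of the typed settings getters getlistsetting(),
getnumericsetting(), getstringsetting() and getyesnosetting().
Added example, not BeyondTrust code.  Assumes 'keyword value ...' lines
with '#' comments; the text below is constructed, not a real settings file."""

SETTINGS_TEXT = """
# constructed sample settings (keyword names from this guide's examples)
policydir            /etc/pb
submitmasters        master1.example.com master2.example.com
masterdelay          500
registrynameservice  yes
bogusdelay           fast        # invented keyword with a non-numeric value
"""


class SettingError(ValueError):
    """Raised when a setting is missing or not of the requested type."""


def parse_settings(text):
    """Return {keyword: [token, ...]}; keywords are matched case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = line.split()
            settings[tokens[0].lower()] = tokens[1:]
    return settings


def getlistsetting(settings, name):
    """Every whitespace-separated value as a list (empty list if unset)."""
    return list(settings.get(name.lower(), []))


def getstringsetting(settings, name):
    """The value as one string (empty string if unset)."""
    return " ".join(settings.get(name.lower(), []))


def getnumericsetting(settings, name):
    """The value as an integer; anything else is an error, not a silent 0."""
    tokens = settings.get(name.lower(), [])
    if len(tokens) != 1 or not tokens[0].lstrip("-").isdigit():
        raise SettingError("%s: expected one numeric value, got %r" % (name, tokens))
    return int(tokens[0])


def getyesnosetting(settings, name):
    """1 for 'yes', 0 for 'no' (case-insensitive); anything else is an error."""
    tokens = settings.get(name.lower(), [])
    if len(tokens) != 1 or tokens[0].lower() not in ("yes", "no"):
        raise SettingError("%s: expected yes or no, got %r" % (name, tokens))
    return 1 if tokens[0].lower() == "yes" else 0


def is_valid(settings, getter, name):
    """True if getter accepts the setting; lets a policy check before use."""
    try:
        getter(settings, name)
        return True
    except SettingError:
        return False


SETTINGS = parse_settings(SETTINGS_TEXT)
```

Note that getlistsetting() on policydir returns a one-element list and getstringsetting() on submitmasters returns both hosts joined by a space, so choosing the getter that matches the setting's type matters as much as the keyword.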


policygetenv

Description
The policygetenv() function sets the value of a local variable to that of an environment variable on the policy server.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = policygetenv (variable);

Arguments

variable Required. The environment variable on the policy server host that is used to set the value of the local variable.

Return values
The value of the specified environment variable.

Example:

termtype = policygetenv("TERM");

In this example, the local variable termtype is set equal to the TERM variable on the policy server.

For more information, see the following:

- "policysetenv" on page 614
- "policyunsetenv" on page 615
- "system" on page 597


policysetenv

Description
The policysetenv procedure is used to locally set an environment variable on the policy server host.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

policysetenv(variable, value)

Arguments

variable Required. The environment variable on the policy server host to set.

value Required. The value to set the variable to.

Return values
Not applicable

Example:

policysetenv("PATH", "/bin:/usr/bin:/usr/sbin");

In this example, the policy server host’s PATH variable is set to /bin:/usr/bin:/usr/sbin.

For more information, see the following:

- "policyunsetenv" on page 615
- "system" on page 597


policyunsetenv

Description
The policyunsetenv procedure is used to locally unset an environment variable on the policy server.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

policyunsetenv(variable)

Arguments

variable Required. The environment variable to be unset on the policy server.

Return values
The value of the environment variable.

Example:

policyunsetenv("OLDPATH");

In this example, the environment variable OLDPATH is removed from the policy server’s environment.

For more information, see "policysetenv" on page 614.


String functions
String functions are used to manipulate and handle string variables. The following table summarizes the available string functions.

Function    Description

charlen()   Returns the number of single-byte or multiple-byte characters in a string.
            Version 6.0.1 and earlier: function not available.
            Version 6.1 and later: function available.

gsub()      Replaces all occurrences of a pattern within a source string.

length()    Returns the number of bytes in a string.

pad()       Pads a string with a specified pad character.

sub()       Replaces the first occurrence of a pattern within a source string.

substr()    Extracts part of a string.

tolower()   Returns a copy of a string, converted to all lowercase.
            Version 4.0 and earlier: function not available.
            Version 5.0 and later: function available.

toupper()   Returns a copy of a string, converted to all uppercase.
            Version 4.0 and earlier: function not available.
            Version 5.0 and later: function available.


charlen

Description
The charlen() function returns the number of characters (single-byte or multiple-byte) in the argument string.
By contrast, the length() function returns the number of bytes in a string, which equals the number of characters only for single-byte
character encodings. Also in contrast to the length() function, the charlen() function does not accept a list as an argument.

Syntax

result = charlen (string)

Arguments

string Required. A character string in single-byte or multiple-byte encoding.

Return values
result Contains an integer that indicates the number of characters in string.

Example:

string = "BeyondTrust Software";
howLong = charlen(string);

In this example, the howLong variable contains the integer value 20.

For more information, see "length" on page 621.


gsub

Description
The gsub() function replaces all occurrences of the pattern within the source string.

Syntax

result = gsub (pattern, replacement, sourcestring);

Arguments

pattern Required. The regular expression pattern to search for.

replacement Required. The replacement string.

sourcestring Required. The source string to search for all occurrences of pattern.

Return values
The resulting string.

Example:

newstring = gsub("abc", "xyz", startingstring)

In this example, xyz replaces all occurrences of abc in startingstring.

For more information, see "sub" on page 625.


length

Description
The length() function returns the number of elements in the specified list. The index number for the first element in a list is always 0. The
index number for the last list element is always the list length - 1.

Syntax

result = length (list1);

Arguments
list1 Required. The list for which the number of elements is determined.

Return values
result Contains the number of elements in list1.

Example:

list1 = {"Fred", "George", "Sally"};
result = length (list1);

In this example, result contains the integer value 3.


pad

Description
The pad() function creates a new string from string1 based on the specified length (length) and pad character (padchar). If string1 is
shorter than the specified length, then it is padded by adding the appropriate number of the specified pad character to the end of the string.
If string1 is longer than the specified length, then it is truncated and pad characters are not added. If the length of string1 is equal to the
specified length, no changes are made and the original contents of string1 are returned in result.
The pad() function supports both single-byte and multiple-byte character sets.

Syntax

result = pad (string1, length, padchar);

Arguments

string1 Required. The string field to pad using the specified pad character.

length Required. The length (number of characters) of the new string.

padchar Required. The pad character that is used to pad string1, if string1 is shorter than the value specified in length.

Return values
result contains the new string.

Example:

string1 = "Jim White";
result = pad (string1, 10, "123");

In this example, result contains Jim White1.

Example:

string1 = "書策搜";
result = pad (string1, 4, "文");

In this example, result contains the value 書策搜文.


sub

Description
The sub() function replaces the first occurrence of the pattern within the source string.

Syntax

result = sub (pattern, replacement, sourcestring);

Arguments

pattern Required. The regular expression pattern to search for.

replacement Required. The replacement string.

sourcestring Required. The source string to search for the first occurrence of pattern.

Return values
The resulting string

Example:

newstring = sub("\n$", "", textstring)

In this example, the first occurrence of a trailing new line is replaced with nothing, effectively chopping it off.

For more information, see "gsub" on page 619.


substr

Description
The substr() function extracts a substring from the specified string variable (string1) based on the provided starting position (start) and
optional length (length). The first character in string1 is position 1. If the optional length is not specified, then substr() returns all
characters from the starting position through the end of the string.
An error is generated if a negative starting position is given or if the starting position is past the end of the string (for example, if string1 is
10 characters long and the specified starting location is 12).

The substr() function supports single-byte and multiple-byte character strings. In either case, the starting position and length are in units of
characters, not bytes.

Syntax

result = substr (string1, start [, length]);

Arguments

string1 Required. The string from which a substring is extracted.

start Required. Specifies the substring starting position within string1. The first character in string1 is position 1.

length Optional. Specifies the maximum length of the substring.

Return values
result contains the new substring.

Example:

UserList = "User1, User2, User3";
result1 = substr (UserList, 8, 5);
result2 = substr (UserList, 8);

In this example, result1 contains the value User2, and result2 contains User2, User3.

Example:

UserList = "書策搜書策搜書策搜書策搜書策搜書策搜書策搜";
result = substr (UserList, 8, 5);

In this example, result contains the value 策搜書策搜.


tolower
- Version 4.0 and earlier: tolower() function not available.
- Version 5.0 and later: tolower() function available.

Description
The tolower() function returns a copy of a string, converted to all lowercase.
The tolower() function supports both single-byte and multiple-byte character sets. If the character set for the locale does not distinguish
uppercase and lowercase characters, the original string is returned unchanged.

Syntax

tolower (string)

Arguments

string Required. The string to convert to lowercase.

Return values
A string that contains a lowercase copy of the argument.

Example:

result = tolower (variableName);
result = tolower ("String Constant");

For more information, see "toupper" on page 631.


toupper
- Version 4.0 and earlier: toupper() function not available.
- Version 5.0 and later: toupper() function available.

Description
The toupper() function returns a copy of a string, converted to all uppercase.
The toupper() function supports both single-byte and multiple-byte character sets. If the character set for the locale does not distinguish
uppercase and lowercase characters, the original string is returned unchanged.

Syntax

toupper (string)

Arguments

string Required. The string to convert to uppercase.

Return values
A string that contains an uppercase copy of the argument.

Example:

result = toupper (variableName);


result = toupper ("String Constant");

For more information, see "tolower" on page 629.


Task control procedures


The task control procedures are used to control the execution of the secured task. These functions are summarized in the following table.

Procedure              Description

setkeystrokeaction     Used in a policy to override forbidkeypatterns and forbidkeyaction, which will be discontinued at a
                       future date.


setkeystrokeaction


Description
The setkeystrokeaction procedure looks for a keystroke pattern in the input stream and performs the specified action. It extends the
functionality of the forbidkeypatterns list and the forbidkeyaction string. If used in a policy, setkeystrokeaction overrides
forbidkeypatterns and forbidkeyaction, which will be discontinued at a future date.

Note: The setkeystrokeaction function is not supported in local mode.

Syntax

setkeystrokeaction(pattern, patterntype, action [, message]);

Arguments

pattern        Required. The pattern to match. This can be a shell-type template or regular expression.

patterntype    Required. The type of search specified by the pattern argument. Valid values are shell for shell-style
               pattern matching or re for regular expression matching.

action         Required. The action to take if the pattern is found. If set to reject, the program aborts and the action
               is logged in the EPM event log and syslog (if in use).
               A value of ignore results in no action being taken when the pattern is encountered. Any other value
               is used to tag the keystroke event in the event log.

message        Optional. A message to display when keystrokes are rejected.

Return values
None

Example:

setkeystrokeaction("*rm*","shell","reject");

In this example, setkeystrokeaction is set to terminate the current job if the pattern rm is found anywhere in the input stream.
This would react to rm, /bin/rm, disarm, and alarm.

Example:

setkeystrokeaction("*rm*","shell","warn");


In this example, if rm is found anywhere in the input stream, setkeystrokeaction is configured to record the keystroke event
with a warn tag in the event log.

Example:

setkeystrokeaction("rm","re","reject");

In this example, the job is terminated if the pattern rm is seen anywhere in the input.

Example:

setkeystrokeaction("[[:boundary:]]rm[[:boundary:]]", "re","user ran rm");

In this example, the setkeystrokeaction procedure logs a keystroke event and tags it with user ran rm if rm is seen as an
entire word. It ignores words that contain the letters rm (for example, disarm or alarm) but would react to rm and /bin/rm.

Example:

setkeystrokeaction("*fdisk*", "shell", "reject", "Illegal command has been reported");

In this example, the setkeystrokeaction logs a reject event and displays an error using the message option.

For more information, see the following:

• "forbidkeyaction" on page 300
• "forbidkeypatterns" on page 302


Task environment functions and procedures


Task environment functions are used to manage task environment variables. The task environment functions and procedures are
summarized in the following table.

Function/Procedure        Description

keystrokeactionprofile    Provides advanced control over remote SSH and Telnet sessions.

getenv()                  Retrieves an environment variable from env.

keepenv                   Keeps only the listed variables. Clears all others from runenv.

setenv                    Sets the value of an environment variable in runenv.

unsetenv                  Deletes an environment variable from runenv.

All task environment functions and procedures act upon the Endpoint Privilege Management for Unix and Linux environment variables
env and runenv.
env and runenv are list variables that contain all of the environment variables that are defined for the current request. env is a read-only
variable that contains task information from the initial task request on the submit host. runenv is a modifiable variable that contains the
task information that is actually used during task execution on the run host.
env and runenv have the following format:

{"variable-name=value", "variable-name=value", …};

For more information on env and runenv, see "Task information variables" on page 115.


keystrokeactionprofile


Description
The Advanced Keystroke Action component provides advanced control over remote SSH and Telnet sessions.

Syntax

keystrokeactionprofile="profile";

Arguments

profile        Required. A configured Advanced Keystroke Action profile.

Return values
None

Example:

keystrokeactionprofile="demo";

For more information, see Advanced Keystroke Action in the Endpoint Privilege Management for Unix and Linux
Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.


getenv


Description
The getenv() function returns the value of the environment variable that is specified in the name parameter.
Values that are returned by getenv are unaffected by the setenv, keepenv, and unsetenv procedures, because getenv accesses the
user’s original, read-only task environment variable information that is stored in the env variable from the client on the submit host.

Syntax

result = getenv (name [, value]);

Arguments

name           Required. A string that contains the name of a task environment variable.

value          Optional. A string that contains the value to use if the environment variable name does not exist in
               env.

Return values
If the specified task environment variable is found, then result contains its value.
If the specified task environment variable is not found, then result contains the string given as value. If value is not specified, then an
empty string is returned.

Example:

result = getenv ("TZ");

In this example, the value of the environment variable TZ is retrieved from env and stored in result. If TZ is not found, then
result is empty.

For more information, see "setenv" on page 644.


keepenv


Description
The runenv variable is a list in which each element contains an environment variable. The format of a runenv element is name=value,
where name is the name of an environment variable and value is the current value of that variable.
The keepenv procedure modifies the runenv variable so that it contains only the variables that are listed as input parameters. All other
environment variables that are stored in the runenv variable are deleted.
keepenv is typically used to limit the set of environment variables that are available to the current task during execution.

Syntax

keepenv (name1 [, name2, …]);

Arguments

name1          Required. String that contains the name of a task environment variable that should be kept in
               runenv.

name2          Optional. String that contains the name of a task environment variable that should be kept in
               runenv.

Return values
Because keepenv is a procedure, no return value is set.

Example:

keepenv ("TERM", "CWD", "PS1");

In this example, runenv contains the environment variables TERM, CWD, and PS1. All other environment variables are
deleted from runenv.

For more information, see "setenv" on page 644.


setenv


Description
The setenv procedure sets the value of an environment variable in runenv.

Syntax

setenv (name, value);

Arguments

name Required. String that contains the name of the variable to set in runenv.

value Required. String that contains the value of the specified variable.

Return values
Because setenv is a procedure, no return value is set.

Example:

setenv ("SHELL", "/bin/sh");

In this example, the SHELL environment variable that is stored in runenv is set to /bin/sh.

For more information, see "keepenv" on page 642.


unsetenv


Description
The unsetenv procedure deletes environment variables from runenv.

Syntax

unsetenv (name1 [, name2,…]);

Arguments

name1          Required. A string or a list of character strings that contain the names of runenv environment
               variables to delete.

name2          Optional. A string or a list of character strings that contain the names of runenv environment
               variables to delete.

Return values
Because unsetenv is a procedure, no return value is set.

Example:

unsetenv ("IFS", "USER");

In this example, the runenv environment variables IFS and USER are deleted.

For more information, see "keepenv" on page 642.
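A policy fragment, added here as an example (it is not from the guide), that puts getenv, keepenv, setenv and unsetenv together to sanitize the environment a privileged task receives: getenv() reads the submitter's original env, which the later keepenv/setenv/unsetenv calls leave untouched, while runenv is cut down to a short allow-list and given trusted values. The variable names kept, the PATH value, and the use of LD_PRELOAD and LD_LIBRARY_PATH (dynamic loader variables the guide does not mention) are this example's own choices.

```pbul
# Added example: restrict the run-host environment of a privileged task.
#   env    = read-only copy of what the submitter sent (read with getenv)
#   runenv = what the task is actually started with (edited with
#            keepenv, setenv and unsetenv)

# 1. Inspect the submitted environment before changing anything.
#    getenv reads env, so it returns the original value even after
#    keepenv/setenv/unsetenv have rewritten runenv.
submittedpath    = getenv("PATH", "");
submittedpreload = getenv("LD_PRELOAD", "");   # loader variable; assumption, not from the guide

# A submitter who sets LD_PRELOAD for a privileged command is asking the
# loader to inject code into it. This policy refuses instead of silently
# stripping the variable, so the attempt is recorded as a rejected request.
if (submittedpreload != "") {
    print("LD_PRELOAD is not permitted for privileged commands");
    reject;
}

# 2. Keep only a small allow-list. Anything not listed (IFS, ENV,
#    BASH_ENV, LD_LIBRARY_PATH, ...) is removed from runenv.
keepenv("TERM", "HOME", "USER", "LOGNAME", "TZ", "LANG");

# 3. Replace the values the task depends on with trusted constants, so the
#    submitter's PATH or SHELL cannot steer which binaries are executed.
setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin");
setenv("SHELL", "/bin/sh");

# 4. Make the removals explicit as well. This is redundant right after
#    keepenv (assumed harmless for names already absent) but keeps the
#    intent visible if someone later widens the keepenv list.
unsetenv("IFS", "ENV", "BASH_ENV", "LD_PRELOAD", "LD_LIBRARY_PATH");

# runenv now holds at most TERM, HOME, USER, LOGNAME, TZ, LANG, PATH and
# SHELL; env (and submittedpath) still record what was originally sent.
```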


Command line parsing functions


These functions facilitate the parsing of command arguments. The following table summarizes them.

Function              Description

getopt()              Examines a list of arguments for short options.
                      Version 3.5 and earlier: function not available.
                      Version 4.0 and later: function available.

getopt_long()         Examines a list of arguments for any combination of short or long-style options.
                      Version 3.5 and earlier: function not available.
                      Version 4.0 and later: function available.

getopt_long_only()    Examines a list of arguments for long-style options.
                      Version 3.5 and earlier: function not available.
                      Version 4.0 and later: function available.


getopt
• Version 3.5 and earlier: getopt() function not available.
• Version 4.0 and later: getopt() function available.


Description
Breaks up command lines for easy parsing and to check for legal options. This function examines a list of arguments for short options.
A short option consists of a dash followed by a single letter and possibly a parameter. For example, in the command command -a -b
name -c, -a and -c are short options with no extra parameter, and -b is a short option with the parameter name.
On the first invocation, getopt() examines the first argument. On subsequent invocations, it picks up where it left off and examines the
next argument.

Syntax

result = getopt (argc, argv, short-option-string)

Arguments

argc Required. Number. The number of entries that are in the argument array list argv.

argv Required. List. The argument array to process.

short-option-string    Required. A string that contains valid options. This list contains the letters for the short options. Each
                       letter can be followed by a single colon (:) to indicate a required argument if the option is found. Each
                       letter can be followed by two colons (::) to indicate an optional argument to the option.
                       The leading characters of the short option string can modify the search characteristics as follows:
                       • A leading + stops parsing as soon as the first non-option parameter is found that is not an
                         option argument. All other parameters are treated as non-option strings.
                       • A leading - returns non-option parameters at the place where they are found.

Return values
If a valid option is found, then the function returns that option. If an optional or required argument is associated with the option, then the
policy variable optarg contains the value of that argument.
If no valid option is found or if a required argument is missing, then a question mark (?) is returned. The variable optchar is set to the letter
of the problem option.
When the end of the argument list is found, an empty string, "", is returned.
The variable optind is set to the subscript of the next string in the argv list.

Example:

result = getopt(argc, argv, "ab:c");

This example examines the list of arguments in argv looking for -a or -c without a parameter, or -b with a parameter.


For more information, see the following:

• "getopt_long" on page 652
• "getopt_long_only" on page 655
• "optarg" on page 283
• "opterr" on page 284
• "optind" on page 285
• "optopt" on page 286
• "optreset" on page 287


getopt_long
• Version 3.5 and earlier: getopt_long() function not available.
• Version 4.0 and later: getopt_long() function available.


Description
Breaks up command lines for easy parsing and to check for legal options. This function examines a list of arguments for any combination
of short-style or long-style options.
A short option consists of a dash followed by a single letter and possibly a parameter. For example, in the command command -a -b
name -c, -a and -c are short options with no extra parameter, and -b is a short option with the parameter name.
A long option consists of two dashes followed by a name and possibly a parameter. For example, in the command command --option1
--option2=2 --option3 parameter --option4, --option1 and --option4 are long options with no parameters, and --option2 and --option3
are options with extra parameters.
On the first invocation, it examines the first argument. On subsequent invocations, it picks up from where it left off and examines the next
argument.

Syntax

result = getopt_long(argc, argv, short-option-string, long-option-list)

Arguments

argc                   Required. Number. The number of entries that are in the argument array list argv.

argv                   Required. List. The argument array to process.

short-option-string    Required. A string that contains valid options. This list contains the letters for the short options. Each
                       letter can be followed by a single colon (:) to indicate a required argument if the option is found. Each
                       letter can be followed by two colons (::) to indicate an optional argument to the option.
                       The leading characters of the short option string can modify the search characteristics as follows:
                       • A leading + stops parsing as soon as the first non-option parameter is found that is not an
                         option argument. All other parameters are treated as non-option strings.
                       • A leading - returns non-option parameters at the place where they are found.

long-option-list       Required. List. A list of strings that contains the long options. Each parameter can be followed by a
                       single colon (:) to indicate it has a required parameter, or two colons (::) to indicate that it may have
                       an optional parameter.

Return values
If a valid option is found, then the function returns that option. If an optional or required argument is associated with the option, then the
policy variable optarg contains the value of that argument.
If no valid option is found, or if a required argument is missing, then a question mark (?) is returned. The variable optchar is set to the
letter of the problem option.
When the end of the argument list is found, an empty string, "", is returned.
The variable optind is set to the subscript of the next string in the argv list.


Example:

result = getopt_long(argc, argv, "ab:c", {"long1", "long2:"});

This example examines the list of arguments in argv looking for -a or -c without a parameter, -b with a parameter, --long1
without a parameter, or --long2 with a parameter.

For more information, see the following:

• "getopt" on page 649
• "getopt_long_only" on page 655
• "optarg" on page 283
• "opterr" on page 284
• "optind" on page 285
• "optopt" on page 286
• "optreset" on page 287
• "optstrictparameters" on page 288


getopt_long_only
• Version 3.5 and earlier: getopt_long_only() function not available.
• Version 4.0 and later: getopt_long_only() function available.


Description
Breaks up command lines for easy parsing and to check for legal options. This function examines a list of arguments for long-style options
only.
A long option usually consists of two dashes followed by a name and possibly a parameter. When using the long-only version of getopt,
the function also recognizes a single dash at the front of an option. For example, in the command command --option1 --option2=2
--option3 parameter --option4, --option1 and --option4 are long options with no parameters, and --option2 and --option3 are options
with extra parameters.
On the first invocation, it examines the first argument. On subsequent invocations, it picks up from where it left off and examines the next
argument.

Syntax

result = getopt_long_only (argc, argv, short-option-string, long-option-list)

Arguments

argc                   Required. Number. The number of entries in the argument array list argv.

argv                   Required. List. The argument array to process.

short-option-string    Required. Although this function does not process short options, the entry is still available to specify
                       the leading control modifiers. The leading characters of the short option string may modify the search
                       characteristics as follows:
                       • A leading + stops parsing as soon as the first non-option parameter is found that is not an
                         option argument. All other parameters are treated as non-option strings.
                       • A leading - returns non-option parameters at the place where they are found.

long-option-list       Required. List. A list of strings that contains the long options. Each parameter can be followed by a
                       single colon (:) to indicate it has a required parameter, or two colons (::) to indicate that it may have
                       an optional parameter.

Return values
If a valid option is found, then the function returns that option. If an optional or required argument is associated with the option, then the
policy variable optarg contains the value of that argument.
If no valid option is found, or if a required argument is missing, then a question mark (?) is returned. The variable optchar is set to the
letter of the problem option.
When the end of the argument list is found, an empty string, "", is returned.
The variable optind is set to the subscript of the next string in the argv list.


Example:

result = getopt_long_only (...)

For more information, see the following:

• "getopt" on page 649
• "getopt_long" on page 652
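A policy fragment added here as an example (not taken from the guide) of the loop a policy author writes around getopt() to validate the submitted command's options before the request goes any further: it accepts only -v and -f <file>, stops at the first non-option argument because of the leading +, and rejects everything else. It assumes, as with C getopt, that argv[0] is the command name and is skipped, and that the problem option is available in optopt (the variable listed under See also; the text above calls it optchar). The same loop serves getopt_long() and getopt_long_only() once the long-option list is added.

```pbul
# Added example: validate the options of the submitted command.
# Accept only "-v" and "-f <file>". The leading "+" in the option string
# makes getopt stop at the first non-option argument, so anything left
# over is caught by the positional-argument check below.

verbose = false;
target  = "";
optstr  = "+vf:";

result = getopt(argc, argv, optstr);
while (result != "" && result != "?") {
    if (result == "v") {
        verbose = true;
    } else if (result == "f") {
        target = optarg;          # optarg holds the argument of -f
    }
    result = getopt(argc, argv, optstr);
}

# "?" means an option that is not in optstr, or -f without its argument.
# Reject rather than guess what the user meant.
if (result == "?") {
    print("Option -" + optopt + " is not permitted or is missing its value");
    reject;
}

# optind is the subscript of the first argv entry getopt did not consume.
# This example allows no positional arguments at all.
if (optind < argc) {
    print("Unexpected argument: " + argv[optind]);
    reject;
}

if (target == "") {
    print("-f <file> is required");
    reject;
}

# Only requests of the exact shape "cmd [-v] -f <file>" reach this point;
# later rules can use verbose and target (for example, to restrict target
# to an approved directory) before deciding to accept.
```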


User and password functions


User and password functions are used to verify passwords and provide password control. The following table summarizes the user and
password functions.

Element  Description

getfullname() function  Returns the specified user's full name.

getgroup() function  Returns the specified user's primary group.

getgrouppasswd() function  Prompts for a user and the password of one of the members of the group specified as argument to the function.

getgroups() function  Returns all groups the specified user is in.

gethome() function  Returns the specified user's home directory.

getshell() function  Returns the specified user's default login shell.

getstringpasswd() function  Prompts the user for a special password.

getuid() function  Returns the specified user's uid.

getuserpasswd() function  Prompts the user for the password belonging to the specified user.

ingroup() function  Determines whether a user belongs to a specific group.

submitconfirmuser() function  Controls whether a user must enter a password before the current task request can be accepted.

runconfirmuser variable  Controls whether a user must enter a password before the current task request can be executed.

runconfirmmessage variable  Contains the prompt that is displayed when the submitting user is required to provide a password.

getfullname

Description
The getfullname() function retrieves the full name of the specified user. This information is taken from the gecos field of /etc/passwd on
the policy server host or the password map in NIS.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = getfullname([user]);

Arguments

user  Optional. The name of the user for which the full name is retrieved. The value of the runuser variable is used when this argument is not specified.

Return values
The full name of the user as specified in the gecos field of /etc/passwd or the NIS password map. An error is returned if the user is null or
invalid.

Example:

result = getfullname();

In the example, result is assigned the full name of the runuser.

Example:

result = getfullname("user1");

In this example, result is assigned the full name of user1.

getgroup

Description
The getgroup() function retrieves the first group name that is associated with the primary GID of the specified user. The GID is taken from the user's entry in /etc/passwd on the policy server host or in the NIS password map (not from the gecos field, which holds the full name); the group name is then resolved from the group database.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = getgroup([user]);

Arguments

user  Optional. The name of the user for which the group should be retrieved. If this argument is not specified, the value of the runuser variable is used.

Return values
If the user is found, result contains the first group name that is associated with the user's primary GID, as recorded in /etc/passwd or the NIS password map. An error is returned if the user is null or invalid.

Example:

result = getgroup("SysAdm001");

In this example, if SysAdm001 is found, result contains the name of that user's primary group (the first group name associated with the GID in the user's password entry).

For more information, see "getgroups" on page 662.

getgrouppasswd

Description
The getgrouppasswd() function prompts first for a user (member of the specified group) then for the password of that user.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = getgrouppasswd(group[, prompt[, attempts]]);

Arguments

group  Required. The name of the group for which a username and password must be entered.

prompt  Optional. The password prompt that is displayed to the user. If a prompt is not provided, then the following default prompt is displayed: Enter the username and group of someone in the <group name> group.

attempts  Optional. Number of attempts that the user gets to enter the correct password. If the user does not enter the correct password in the specified number of attempts, then the task request is rejected. If the number of attempts is not specified, then the default value of 3 is used.

Return values

true Password matched the user password.

false Password did not match the user password.

Example:

result = getgrouppasswd("HelpDeskUsers", "Please enter HelpDesk Password:", 1);

In this example, a user has one attempt to enter a correct username and password for a member of the HelpDeskUsers group. If the correct password is not entered in one attempt, then result contains false (0). If the correct password is entered in one attempt, then result contains true (1).

getgroups

Description
The getgroups() function retrieves a list of all groups to which the specified user belongs. This information is taken from the /etc/group file on the policy server host or the group map in NIS.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = getgroups([user]);

Arguments

user  Optional. The name of the user for which the group names should be retrieved. If this argument is not specified, then the value of the runuser variable is used.

Return values
A list of character strings that contains all of the groups that the user belongs to. An error is returned if the user is invalid or null.

Example:

result = getgroups(runuser);

For more information, see "getgroup" on page 660.

gethome

Description
The gethome() function retrieves the home directory for the specified user. This information is obtained from the home directory field of
/etc/passwd or the NIS password map.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = gethome([user]);

Arguments

user  Optional. The name of the user for which home directory information should be retrieved. If this argument is not specified, then the value of the runuser variable is used.

Return values
A string that contains the specified user's home directory from the home directory field of /etc/passwd or the NIS password map. If the user is not found, then result contains a blank string.

Example:

result = gethome("JSmith");

In this example, the home directory for the user JSmith is returned in result. For example, /home/JSmith.

getshell

Description
The getshell() function retrieves the default login shell of the specified user. This information is obtained from the shell field of
/etc/passwd or the NIS password map.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = getshell([user]);

Arguments

user  Optional. The name of the user for which shell information should be retrieved. If the user is not specified, then the value of the runuser variable is used.

Return values
A string that contains the default login shell for the specified user from the shell field of /etc/passwd or the NIS password map. If the username is not found or is invalid, then the policy is rejected with an error code.

Example:

result = getshell("JSmith");

In this example, the default shell information for the account JSmith is returned in result. For example, /bin/sh.

getstringpasswd

Description
The getstringpasswd() function prompts the user for a password and compares the answer against the previously encrypted password.

Note: The user’s failure to provide the correct password does not automatically result in a rejection of the secured task
request. The policy should examine the result of the getstringpasswd() function and respond accordingly.

Syntax

result = getstringpasswd(encryptedpassword[, prompt [, attempts]]);

Arguments

encryptedpassword  Required. An encrypted password, which can be generated by pbpasswd. The clear text form of this password is the password that the user is expected to enter.

prompt  Optional. A user prompt that describes the desired password. If none is specified, then the default prompt Password: is used.

attempts  Optional. Number of attempts the user gets to specify the correct password. The default value for attempts is 3.

Return values

true The answer matched the password.

false The answer did not match the password.

Example:

result = getstringpasswd(<encrypted string>, "Please enter the Backup Task Password: ", 2);

In this example, result contains true if the user enters the correct Backup Task Password. If the correct password is not
entered in two attempts, the function sets result to false.

getuid

Description
The getuid() function returns the user ID number for the specified user. This information is taken from the UID field of /etc/passwd on the policy server host or the password map in NIS.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = getuid([user]);

Arguments

user  Optional. The name of the user for which a user ID number should be returned. If this argument is not specified, then the value of the runuser variable is used.

Return values
result contains the uid of the specified user, as found in /etc/passwd or the NIS password map. An error is returned if the user is null or invalid.

Example:

result = getuid("root");

For more information, see the following:

- "getfullname" on page 659
- "getgroup" on page 660
- "gethome" on page 663
- "getshell" on page 664

getuserpasswd

Description
The getuserpasswd() function prompts the user for the password that belongs to the specified user on the policy server. The password is
not echoed to the screen as it is typed.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Note: The user’s failure to provide the correct password does not automatically result in a rejection of the secured task
request. The policy should examine the result of the getuserpasswd() function and respond accordingly.

Syntax

result = getuserpasswd(user[, prompt[, attempts[, name, time]]]);

Arguments

user  Required. The user whose password must be entered.

prompt  Optional. The prompt to display to the user.

attempts  Optional. The number of attempts that the user has to enter the correct password. The default value for attempts is 3.

name  Optional. The name of a file or persistent variable whose age/expiration determines the re-authentication grace period. If the value starts with a dollar sign ($), it is treated as a persistent variable; otherwise it is treated as a filename. If name is specified, the time parameter (below) is required.

time  Required if the name argument (above) is specified. The time/expiry date (number of seconds) after which a prompt is forced. getuserpasswd() returns true without prompting the user for a password if one of the following is true:

1. The file defined by the name argument exists, and has not been modified in the last time seconds.
2. The persistent variable defined by the name argument exists and its expiry date, defined by time, has not been exceeded.

Return values

true Password matched.

false Password did not match.

Example:

result = getuserpasswd(runuser, "Please enter " + runuser + "'s Password:");

In this example, result contains true if the user enters the password for the runuser. If the correct password is not entered in
three attempts, then the function sets result to false.

Example:

getuserpasswd(user, "Passwd for "+user+": ", 3, "/opt/pbul/gp001", 300);

In this example, the file /opt/pbul/gp001 is created at initial successful user authentication and for 5 minutes (300 seconds)
thereafter, the user is not prompted for a password as long as the file is not modified.

For more information, see the following:

- "submitconfirmuser" on page 670
- "runconfirmuser" on page 228
- "getstringpasswd" on page 665
- "Persistent variable functions and procedures" on page 676

ingroup

Description
The ingroup() function determines whether the specified user is a member of the specified group.

Syntax

result = ingroup(user, group);

Arguments

user  Required. A username.

group Required. A group name.

Return values

true User is a member of group.

false User is not a member of group or the user or group is null or invalid.

Example:

result = ingroup("user1", "admgroup");

In this example, result contains an integer value 1 if user1 belongs to the group admgroup. result contains an integer value 0
if user1 does not belong to group admgroup.

For more information, see the following:

- "getgroup" on page 660
- "getgroups" on page 662

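The following rule puts ingroup() together with getuserpasswd() (described above) the way a policy writer would actually use them: authorize by group membership first, then make the submitter prove their own password before the command runs as a more privileged account. This is an added illustration, not a fragment from the guide or from BeyondTrust; the group name, command names, installation path, target account and persistent-variable name are assumptions, and it relies on the reject statement's optional message argument, the in operator and basename() as described elsewhere in the guide.

```text
# Added example, not from the guide. Members of "dbadmin" may run two database
# tools as the "oracle" account after re-entering their own password.
# Group name, tool names, install path, target account and variable names are
# assumptions for illustration.
DbAdminGroup = "dbadmin";
DbTools      = {"dbctl", "dbbackup"};
DbToolDir    = "/usr/local/bin/";

if (basename(command) in DbTools) {

    # Authorization first: group membership needs no prompt and fails fast.
    if (!ingroup(user, DbAdminGroup)) {
        reject "Only members of " + DbAdminGroup + " may run " + basename(command);
    }

    # Authentication second. The password is verified on the policy server.
    # The fifth argument starts with "$", so the grace period lives in a
    # persistent variable that every policy server sees, not in a local file;
    # one variable per submitting user, so one admin's login never covers another.
    if (!getuserpasswd(user, "Password for " + user + ": ", 3, "$dbreauth_" + user, 600)) {
        # A failed check does not reject by itself; the policy has to do it.
        reject "Password verification failed for " + user;
    }

    # Pin the executable to its installed path rather than trusting the
    # submitter's PATH, then run it as the service account.
    runcommand = DbToolDir + basename(command);
    runuser    = "oracle";
    accept;
}
```

The order matters: the membership test is cheap and reveals nothing, so it goes before the password prompt, and the explicit reject after getuserpasswd() is what actually enforces the result, since the function only reports it.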
submitconfirmuser

Description
The submitconfirmuser() function controls whether or not a user must enter a password before the current task request is accepted.
When this function is set, the user submitting the request is prompted for the password that is associated with the submit host username
set in this function.

Note: The user’s failure to provide the correct password does not automatically result in a rejection of the secured task
request. The policy should examine the result of the submitconfirmuser() function and respond accordingly.

Syntax

result = submitconfirmuser(user[, prompt[, attempts[, name, time]]]);

Arguments

user  Required. A string that contains a username that exists on the submit host.

prompt  Optional. The prompt text for the password. The default is Enter password for <user>.

attempts  Optional. The number of attempts that the user has to enter the correct password. The default value for attempts is 3.

name  Optional. The name of a persistent variable whose expiration determines the reauthentication grace period. The value must start with a dollar sign ($); otherwise no grace period is set and submitconfirmuser() always prompts for a password. If name is specified, the time parameter (below) is required.

time  Required if the name argument (above) is specified. The expiry date (number of seconds) after which a prompt is forced. submitconfirmuser() returns true without prompting the user for a password if the persistent variable defined by the name argument exists and its expiry date, defined by time, has not been exceeded.

Return values

true Password matched.

false Password did not match.

Example:

result = submitconfirmuser(user, "Please enter the user's password:", 3);
if (result != 1) {
    reject;
}

In this example, the prompt "Please enter the user’s password:" is displayed and the user is allowed three login attempts.

Example:

submitconfirmuser(user, "Passwd for "+user+": ", 3, "$gpvar5", 300);

In this example, a persistent variable gpvar5 is created at initial successful user authentication and for 5 minutes (300
seconds) thereafter, the user is not prompted for a password.

For more information, see the following:

- "getgrouppasswd" on page 661
- "getstringpasswd" on page 665
- "getuserpasswd" on page 667
- "runconfirmuser" on page 228
- "runconfirmmessage" on page 224
- "Persistent variable functions and procedures" on page 676

PAM policy functions

getuserpasswdpam
- Version 8.0 and earlier: getuserpasswdpam() function not available.
- Version 8.5 and later: getuserpasswdpam() function available.

Description
The getuserpasswdpam() function uses PAM password authentication on the policy server host for the specified user.
It is similar to using the getuserpasswd() function with the pampasswordservice keyword in the policy server host’s /etc/pb.settings.
When used, this policy function overrides the pampasswordservice setting in the policy server host’s settings file and works even if the
PAM setting is set to no.
The getuserpasswdpam() function prompts the user for the password that belongs to the specified user on the policy server. The
password is not echoed to the screen as it is typed.

Note: The user’s failure to provide the correct password does not automatically result in a rejection of the secured task
request. The policy should examine the result of the getuserpasswdpam() function and respond accordingly.

Note: Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

result = getuserpasswdpam(user, pampasswordservice[, prompt[, attempts[, name, time]]]);

Arguments

user  Required. The user whose password must be entered.

pampasswordservice  Required. The name of the PAM service that you want to use for PAM password authentication and account management.

prompt  Optional. Extra text that appears before the PAM prompt that displays for the user. Enter a null argument ("") if you do not want to add text before the PAM prompt.

attempts  Optional. The number of attempts that the user has to enter the correct password. The default value for attempts is 3.

name  Optional. The name of a file or persistent variable whose age/expiration determines the re-authentication grace period. If the value starts with a dollar sign ($), it is treated as a persistent variable; otherwise it is treated as a file name. If name is specified, the time parameter (below) is required.

time  Required if the name argument (above) is specified. The time/expiry date (number of seconds) after which a prompt is forced. getuserpasswdpam() returns true without prompting the user for a password if one of the following is true:

1. The file defined by the name argument exists, and has not been modified in the last time seconds.
2. The persistent variable defined by the name argument exists and its expiry date, defined by time, has not been exceeded.

Return values

true Password matched.

false Password did not match or invalid password service.

Example:

result = getuserpasswdpam(runuser, "pbulpass", "Please enter " + runuser + "'s Password: ");

In this example, result contains true if the user enters the password for the runuser. If the correct password is not entered in
three attempts, then the function sets result to false.

Example:

getuserpasswdpam(user, "pbulpass", "Passwd for "+user+": ", 3, "/opt/pbul/gp001", 300);

In this example, the file /opt/pbul/gp001 is created at initial successful user authentication and for 5 minutes (300 seconds)
thereafter, the user is not prompted for a password as long as the file is not modified.

For more information, see the following:

- "getuserpasswd" on page 667
- "submitconfirmuser" on page 670
- "runconfirmuser" on page 228
- "getstringpasswd" on page 665
- "Persistent variable functions and procedures" on page 676
- On pampasswordservice, the Endpoint Privilege Management for Unix and Linux System Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm

submitconfirmuserpam
- Version 8.0 and earlier: submitconfirmuserpam() function not available.
- Version 8.5 and later: submitconfirmuserpam() function available.

Description
The submitconfirmuserpam() function controls whether or not a user must enter a password before the current task request is accepted. Password authentication and account management are performed by PAM, and the name of the PAM service must be provided. When this function is set, the user submitting the request is prompted for the password that is associated with the submit host user name set in this function.
When used, this policy function overrides the pampasswordservice setting in the submit host's settings file and works even if the PAM setting is set to no.

Note: The user’s failure to provide the correct password does not automatically result in a rejection of the secured task
request. The policy should examine the result of the submitconfirmuserpam() function and respond accordingly.

Syntax

result = submitconfirmuserpam(user, pampasswordservice[, prompt[, attempts[, name, time]]]);

Arguments

user  Required. A string that contains a user name that exists on the submit host.

pampasswordservice  Required. The name of the PAM service that you want to use for PAM password authentication and account management.

prompt  Optional. The prompt text for the password. The default is Enter password for <user>.

attempts  Optional. The number of attempts that the user has to enter the correct password. The default value for attempts is 3.

name  Optional. The name of a persistent variable whose expiration determines the reauthentication grace period. The value must start with a dollar sign ($); otherwise no grace period is set and submitconfirmuserpam() always prompts for a password. If name is specified, the time parameter (below) is required.

time  Required if the name argument (above) is specified. The expiry date (number of seconds) after which a prompt is forced. submitconfirmuserpam() returns true without prompting the user for a password if the persistent variable defined by the name argument exists and its expiry date, defined by time, has not been exceeded.

Return values

true Password matched.

false Password did not match or invalid password service.

Example:

result = submitconfirmuserpam(user, "pbulpass", "Please enter the user's password:", 3);
if (result != 1) {reject;}

In this example, the prompt "Please enter the user's password:" is displayed, the user is allowed three attempts, and the request is rejected if the password does not match.

Example:

submitconfirmuserpam(user, "pbulpass", "Passwd for "+user+": ", 3, "$gpvar5", 300);

In this example, a persistent variable gpvar5 is created at initial successful user authentication and for 5 minutes (300 seconds) thereafter, the user is not prompted for a password.

For more information, see the following:

- "submitconfirmuser" on page 670
- "Persistent variable functions and procedures" on page 676
- On pampasswordservice, see the Endpoint Privilege Management for Unix and Linux Administration Guide at https://www.beyondtrust.com/docs/privilege-management/unix-linux/index.htm.

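The four confirmation functions above differ mainly in where the password is verified: submitconfirmuser() and submitconfirmuserpam() check it against the account on the submit host, while getuserpasswd() and getuserpasswdpam() check it on the policy server, which is the only workable choice when the account exists only in a directory that the submit host does not consult. The following rule picks the check by host. It is an added illustration, not a fragment from the guide or from BeyondTrust; the host list, PAM service name, group name and persistent-variable name are assumptions, and it relies on the reject statement's optional message argument and the in operator as described elsewhere in the guide.

```text
# Added example, not from the guide. Verify the submitter's password where the
# account actually lives. All names below are assumptions for illustration.
LocalAccountHosts = {"build01", "build02"};   # hosts whose accounts are local, not directory-backed
PamService        = "pbulpass";               # PAM service configured on the policy server
GraceVar          = "$reauth_" + user;        # "$" prefix: persistent variable, shared by all policy servers
GraceSeconds      = 600;                      # re-prompt after 10 minutes

if (!ingroup(user, "wheel")) {
    reject user + " is not a member of wheel";
}

if (submithost in LocalAccountHosts) {
    # Local account: the password is checked on the submit host itself, so a
    # directory outage there does not matter.
    ok = submitconfirmuser(user, "Password for " + user + " on " + submithost + ": ",
                           3, GraceVar, GraceSeconds);
} else {
    # Directory account: the policy server's PAM stack performs the check and
    # PAM account management. The empty prompt prefix keeps the PAM module's own
    # prompt and is needed to reach the later arguments.
    ok = getuserpasswdpam(user, PamService, "", 3, GraceVar, GraceSeconds);
}

# Neither function rejects on failure by itself; the policy must do it.
if (!ok) {
    reject "Password verification failed for " + user;
}
accept;
```

Because both branches use the same $-prefixed name and the same expiry, a user who authenticated through either path is not prompted again within the window on any policy server, and the window is per user, so it cannot be inherited by a different submitter.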
Persistent variable functions and procedures


Persistent variables are a method of setting variables that persist for a specified time and are synchronized across all of the policy servers
in the enterprise. Procedures are provided to list, get, set and delete persistent variables.

All of the following functions are available in version 9.4.5 and later, and not available in version 9.4.4 and earlier.

Function/Procedure  Description

listpersistentvars()  Returns a list of the current persistent variables.

setpersistentvar()  Sets a persistent variable in the database.

getpersistentvarint()  Returns an integer value persistent variable.

getpersistentvarstring()  Returns a string value persistent variable.

getpersistentvarlist()  Returns a List value persistent variable.

delpersistentvar()  Deletes a persistent variable from the database.


listpersistentvars
• Version 9.4.4 and earlier: listpersistentvars() function not available.
• Version 9.4.5 and later: listpersistentvars() function available.


Description
The listpersistentvars() procedure returns a list of the currently active persistent variables. Variables that have expired are not retrieved.

Syntax

Var = listpersistentvars(wildcard)

Arguments

wildcard Optional. A glob(3) wildcard limiting the returned values to those matched.

Return values
A list that contains the current active persistent variables.

Example:

vars = listpersistentvars("a*");

For more information, see the following:

• "setpersistentvar" on page 679
• "getpersistentvarint" on page 681
• "getpersistentvarstring" on page 683
• "getpersistentvarlist" on page 685
• "delpersistentvar" on page 687


setpersistentvar
• Version 9.4.4 and earlier: setpersistentvar() function not available.
• Version 9.4.5 and later: setpersistentvar() function available.


Description
The setpersistentvar() procedure sets a persistent variable in the local database, and synchronizes the value to other specified policy
servers. If Registry Name Service is enabled, it synchronizes to all of the other policy servers in the Service Group. If Registry Name
Service is not enabled, it synchronizes to all of the other policy servers specified by the submitmasters setting on the current policy
server.

Syntax

boolean setpersistentvar(name,value,[expiry])

Arguments

name Required. The name of the variable to be set. This can be any text string.

value Required. The value of the variable. This can be an integer, string, or list value.

expiry Optional. The UNIX epoch time (in seconds) at which the variable expires. Suitable values can be calculated from unixtimestamp, with additional seconds calculated using the Date/Time functions.

Return values
A boolean indicating success or failure of the procedure.

Example:

setpersistentvar("flag_" + submituser,true,unixtimestamp+300)

For more information, see the following:

• "listpersistentvars" on page 677
• "getpersistentvarint" on page 681
• "getpersistentvarstring" on page 683
• "getpersistentvarlist" on page 685
• "delpersistentvar" on page 687


getpersistentvarint
• Version 9.4.4 and earlier: getpersistentvarint() function not available.
• Version 9.4.5 and later: getpersistentvarint() function available.


Description
The getpersistentvarint() procedure retrieves a persistent variable from the local database. If the variable does not exist, or has expired,
it returns the default 0.

Syntax

int getpersistentvarint(name)

Arguments

name Required. The name of the variable to be retrieved. This can be any text string.

Return values
An integer containing the variable contents, or zero if the variable does not exist or has expired.

Example:

myflag = getpersistentvarint("flag_" + submituser)

For more information, see the following:

• "listpersistentvars" on page 677
• "setpersistentvar" on page 679
• "getpersistentvarstring" on page 683
• "getpersistentvarlist" on page 685
• "delpersistentvar" on page 687


getpersistentvarstring
• Version 9.4.4 and earlier: getpersistentvarstring() function not available.
• Version 9.4.5 and later: getpersistentvarstring() function available.


Description
The getpersistentvarstring() procedure retrieves a persistent variable from the local database. If the variable does not exist, or has
expired, it returns the default empty string "".

Syntax

string getpersistentvarstring(name)

Arguments

name Required. The name of the variable to be retrieved. This can be any text string.

Return values
A string containing the variable contents, or an empty string ("") if the variable does not exist or has expired.

Example:

mystr = getpersistentvarstring("msg_" + submituser)

For more information, see the following:

• "listpersistentvars" on page 677
• "setpersistentvar" on page 679
• "getpersistentvarint" on page 681
• "getpersistentvarlist" on page 685
• "delpersistentvar" on page 687


getpersistentvarlist
• Version 9.4.4 and earlier: getpersistentvarlist() function not available.
• Version 9.4.5 and later: getpersistentvarlist() function available.


Description
The getpersistentvarlist() procedure retrieves a persistent variable from the local database. If the variable does not exist, or has expired,
it returns the default empty list {}.

Syntax

list getpersistentvarlist(name)

Arguments

name Required. The name of the variable to be retrieved. This can be any text string.

Return values
A list containing the variable contents, or an empty list if the variable does not exist or has expired.

Example:

mylist = getpersistentvarlist("hosts_" + submituser)

For more information, see the following:

• "listpersistentvars" on page 677
• "setpersistentvar" on page 679
• "getpersistentvarint" on page 681
• "getpersistentvarstring" on page 683
• "delpersistentvar" on page 687


delpersistentvar
• Version 9.4.4 and earlier: delpersistentvar() function not available.
• Version 9.4.5 and later: delpersistentvar() function available.


Description
The delpersistentvar() procedure deletes a persistent variable from the local database. This deletion is synchronized to the other
specified policy servers.

Syntax

boolean delpersistentvar(wildcard)

Arguments

wildcard Required. A glob(3) wildcard limiting the deleted variables to those matched. A name without wildcard characters matches only that variable.

Return values
A boolean indicating success or failure of the procedure.

Example:

delpersistentvar("flag*")

For more information, see the following:

• "listpersistentvars" on page 677
• "setpersistentvar" on page 679
• "getpersistentvarint" on page 681
• "getpersistentvarstring" on page 683
• "getpersistentvarlist" on page 685
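The following policy fragment is an added example and is not taken from the guide or from BeyondTrust's shipped policies. It ties together the submitconfirmuserpam() check described earlier with the persistent variable procedures above: a successful PAM re-authentication is cached per submitting user for 5 minutes, so a second privileged request inside that window is not prompted again, and a failed check removes any stale cache entry before the request is rejected. The six-argument form of submitconfirmuserpam() can do the caching on its own; writing it out with getpersistentvarint(), setpersistentvar() and delpersistentvar() shows what each procedure contributes and where the expiry is decided. It assumes a PAM service named "pbulpass" is configured on the policy server (pampasswordservice); the variable name prefix "reauth_" and the lifetime of 300 seconds are choices made for this example.

```pbul
# Added example, not from the guide: cache a successful PAM re-authentication
# per submitting user so that a second privileged request within 5 minutes
# does not prompt again. Assumes the PAM service "pbulpass" exists on the
# policy server; the prefix "reauth_" is an arbitrary choice for this example.

cachekey = "reauth_" + submituser;   # one persistent variable per user
cachettl = 300;                      # lifetime of a cached check, in seconds

# getpersistentvarint() returns 0 when the variable is missing or has expired,
# so anything other than 1 means the user has to authenticate again.
if (getpersistentvarint(cachekey) != 1) {
    if (!submitconfirmuserpam(submituser, "pbulpass",
                             "Password for " + submituser + ": ", 3)) {
        # Failed after 3 attempts: drop any entry that may still exist. The
        # deletion is synchronized to the other policy servers.
        delpersistentvar(cachekey);
        reject;
    }
    # Successful check: record it with an absolute expiry in epoch seconds.
    # The stored expiry, not the policy code, decides when the next prompt
    # happens, and the value is synchronized to the other policy servers.
    if (!setpersistentvar(cachekey, 1, unixtimestamp + cachettl)) {
        print("Warning: the re-authentication result could not be cached.");
    }
}

runuser = "root";
accept;
```

Because setpersistentvar() synchronizes the entry to the other policy servers, the cached check holds even when the user's next request is routed to a different policy server; the expiry is an absolute epoch time, so the policy servers' clocks need to agree for the 5-minute window to be the same on each of them.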


Glossary

accept The term that is used to indicate that a secured task request has passed all security checks and may now be executed.

built-in function Predefined function that comes with Endpoint Privilege Management for Unix and Linux.

character string A sequence of zero or more characters enclosed in double (") or single (') quotation marks.

character string list An ordered list of character strings separated by commas and enclosed in curly braces ({}).

checksum A unique value that is derived from an application. It can be used to determine if an application has been modified since the checksum value was created.

constant A value that cannot be modified. A read-only variable is an example of a constant.

decimal integer Base 10 numeric value (0, 1, 2, 3, 4, 5, 6, 7, 8, 9).

event log The file that Endpoint Privilege Management for Unix and Linux uses to record information about each user task request that Endpoint Privilege Management for Unix and Linux processes.

environment variable One of a set of Unix/Linux variables that define the environment that is passed to child processes.

false A read-only Endpoint Privilege Management for Unix and Linux variable that is equal to an integer value of 0.

format command character Used to insert variable values into character strings. Format command characters specify not only where to insert values, but also how to format the inserted values.

function A stand-alone unit of security verification logic that performs a specific task. Functions are generally used to implement repetitive tasks. The difference between a function and a procedure is that a function returns a value, whereas a procedure does not.

function scope Determines whether a variable that is defined in one security policy function or procedure can be used by another security policy function or procedure. In Endpoint Privilege Management for Unix and Linux, functions and procedures have a global scope, meaning that variables that are used in one function or procedure can be used by any other function or procedure.

global variable An Endpoint Privilege Management for Unix and Linux variable that applies to the Endpoint Privilege Management for Unix and Linux system, rather than to a specific task request.

hexadecimal integer Base 16 integer value (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F).

index A number that is used to access a specific element within a list variable.

integer A numeric value; a member of the set of both positive and negative whole numbers.

I/O log An Endpoint Privilege Management for Unix and Linux log that captures the input (keystroke), output, and error streams for an interactive Unix/Linux session.

LDAP connection A special data type that is used to pass parameters to and from Endpoint Privilege Management for Unix and Linux LDAP functions.

LDAP message A special data type that is used to pass parameters to and from Endpoint Privilege Management for Unix and Linux LDAP functions.


logging variables Contain information that controls Endpoint Privilege Management for Unix and Linux logging activities.

log host Machine on which the Endpoint Privilege Management for Unix and Linux log server runs. See pblogd.

manual accept A task request can bypass security policy file processing and be manually accepted from the Endpoint Privilege Management for Unix and Linux web user interface.

octal integer Base 8 integer value (0, 1, 2, 3, 4, 5, 6, 7).

operator A symbol that performs a specific mathematical, relational, logical or other special function.

pblocald The Endpoint Privilege Management for Unix and Linux daemon that is responsible for initiating task execution. See run host.

pblogd When used, pblogd is responsible for saving log records to the appropriate event log files and I/O log files. pblogd is not a required Endpoint Privilege Management for Unix and Linux component. If pblogd is not used, then the policy server host and the run host write their own log records. See log host.

pbmasterd The main Endpoint Privilege Management for Unix and Linux daemon. pbmasterd is responsible for determining whether requests should be allowed to run (accepted) or be terminated (rejected). See policy server host.

pbrun The Endpoint Privilege Management for Unix and Linux daemon that intercepts task requests and determines if the task is subject to security policy rules. If so, then pbrun passes the request on to the policy server host. See submit host.

policy server host Machine on which the main Endpoint Privilege Management for Unix and Linux daemon (pbmasterd) runs. See pbmasterd.

policy server security policy file The security policy files invoked by the policy server host to start security validation processing for a task.

procedure A stand-alone unit of security verification logic that performs a specific task. Procedures are generally used to implement repetitive tasks. The difference between a function and a procedure is that a function returns a value, whereas a procedure does not.

read-only variable A variable whose value cannot be changed; also known as a constant.

reject The term used to indicate that a secured task request did not pass all security checks and so may not be executed.

run host Machine on which the Endpoint Privilege Management for Unix and Linux task-execution daemon runs. See pblocald.

run variable Modifiable version of a task information variable. These variables contain properties that affect task execution.

secured activity An activity that is checked against Endpoint Privilege Management for Unix and Linux security policy files, before it is executed, to verify that it adheres to all security policy rules. See secured task.

secured task A task that is checked against Endpoint Privilege Management for Unix and Linux security policy files, before it is executed, to verify that it adheres to all security policy rules. See secured activity.


security administrator The person who is responsible for implementing a company's network security policy.

security policy file A file that contains the actual security checks that are used to determine whether a specific task should be accepted or rejected.

Security Policy Scripting Language A C-like, interpreted programming language that is used to create security policy files.

security policy sub-file A security policy file that is included by another security policy file. Security policy sub-files generally focus on specific areas of security verification processing.

security verification processing The process of checking a task request against security policy files to determine if that task adheres to all security policy rules. The Policy Server host controls task verification processing.

special characters Character combinations that are used in place of characters that cannot be typed directly with a keyboard.

submit host Machine on which the Endpoint Privilege Management for Unix and Linux task-receiving component runs. See pbrun.

syslog An interface that enables Endpoint Privilege Management for Unix and Linux to access the Unix/Linux logging daemon.

submitting user The user who submitted the current task request.

task information variable One of a set of variables that contain information about the current task. There are two types of task information variables: read-only variables and run variables.

task verification processing The process of checking a task request against security policy files to determine if that task adheres to all security policy rules. The Policy Server host controls task verification processing.

task request Any request to run a job.

true A read-only Endpoint Privilege Management for Unix and Linux variable that is equal to an integer value of 1.

unsecured task A task request that is not checked against Endpoint Privilege Management for Unix and Linux security policy files. Unsecured task requests are allowed to execute without first undergoing Endpoint Privilege Management for Unix and Linux task verification processing.

user-defined variable Variable that is used within a security policy file to store information during task security verification processing.

user-written function A stand-alone unit of security verification logic that performs a specific task. These units of code are written using the Security Policy Scripting Language. They are generally used to implement repetitive tasks. The difference between a function and a procedure is that a function returns a value, whereas a procedure does not.

user-written procedure A stand-alone unit of security verification logic that performs a specific task. These units of code are written using the Security Policy Scripting Language. They are generally used to implement repetitive tasks. The difference between a function and a procedure is that a function returns a value, whereas a procedure does not.

variable data type Defines the type of information that can be stored in a variable, as well as the types of operations that can be performed on a variable.


variable scope Determines whether another security policy file can use a variable that is defined in one security policy file. In Endpoint Privilege Management for Unix and Linux, all variables have a global scope, meaning that after they are created, any security policy file can reference them.
