← Back to LEA Platform | Full Site Content | All Insight Articles

LEA Platform Documentation — Complete Reference

Version: 2.0.2 | Publisher: GSR IT | Contact: lea@gsr-it.com

This page contains the complete LEA Platform documentation in static HTML format, designed for AI assistants, search engine crawlers, and automated agents. No JavaScript is required to read this content.

1. Platform Overview

What is LEA?

LEA (Lateral Execution Agent) is a powerful, enterprise-grade platform designed for orchestrating and automating configuration management and compliance across distributed multi-platform environments. Built with security and scalability at its core, LEA enables organizations to define compliance rules, monitor system state in real-time, and automatically remediate drift across their infrastructure spanning Linux, Windows, and macOS systems.

With LEA, you define what your systems should look like using JSON-based rules, and LEA continuously ensures they stay that way—detecting deviations, alerting stakeholders, and optionally remediating issues automatically.

Key Capabilities

• Real-time compliance monitoring across all endpoints
• Automatic remediation of configuration drift
• JSON-based rule engine with regex validation
• Advanced group management with nested hierarchies
• Live command execution for troubleshooting
• Comprehensive audit logging and history
• Multi-platform support (Linux, Windows, macOS)
• Encryption at rest and in transit (TLS 1.3, AES-256)
• Dynamic Tags for automatic metadata generation
• RESTful API for integration and automation
• Live Notifications for real-time platform alerts

Deployment

One-Liner Installation

The LEA agent installs seamlessly on all major operating systems and distributions using a single command. Works on Linux (all distributions), Windows, and macOS.

curl -fsSL https://get.lea-platform.io/agent.sh | bash

Agentless Deployment

For environments preferring agentless operation, LEA supports deployment through all major client orchestration tools including Ansible, Puppet, Chef, SaltStack, and equivalent configuration management platforms.

LEA agents are lightweight (minimal resource footprint) and self-updating. Once deployed, agents automatically connect to the controller and begin executing assigned rules based on group membership.

System Architecture

LEA Controller

The central control plane responsible for rule management, agent coordination, and real-time monitoring.

• Rule scheduling and orchestration
• RESTful API and WebSocket endpoints
• User authentication and RBAC
• Web UI for management and monitoring
• Real-time metrics and alerting

LEA Agents

Lightweight agents deployed on target hosts for rule execution and compliance monitoring.

• Execute validation and remediation commands
• Report execution results and system state
• Maintain secure WebSocket connection to controller
• Support for Linux, Windows, and macOS
• Automatic Dynamic Tag metadata generation

Database Layer

PostgreSQL database for persistent storage of all platform data: rule definitions, execution history, client inventory, group configurations, audit logs, user accounts and permissions.

Communication Flow

1. Rule Defined: Admin creates compliance rule
2. Distributed: Rule pushed to agents via groups
3. Executed: Agent runs validation command
4. Verified: Output checked against expectations
5. Remediated: Fix applied if non-compliant

Scalability

• Horizontal Scaling: Add controller instances behind load balancer
• Agent Capacity: Each controller supports 10,000+ concurrent agents
• High Availability: PostgreSQL replication and failover supported

Security & Compliance

Encryption & Data Protection

• In Transit: TLS 1.3 with mutual authentication
• At Rest: AES-256 encryption for database and storage
• Secrets: Encrypted vaults, never logged or exposed

Access Control

• RBAC: Admin, Operator, Viewer, Auditor roles
• MFA: TOTP, SMS, and hardware token support
• SSO: SAML 2.0 and OAuth 2.0 integration

Standards Alignment

Rules mapped to ISO 27001, NIST 800-53, PCI DSS, CIS benchmarks, NCSC:PQC, EU:DORA, and BIS:QuantumRoadmap.

Common Use Cases

• Security Hardening: Enforce security baselines across your fleet—password policies, file permissions, kernel parameters, and service configurations.
• Compliance Monitoring: Continuously verify compliance with regulatory requirements (PCI DSS, HIPAA, SOC2) and generate audit-ready reports.
• Configuration Drift Detection: Detect and alert on unauthorized changes to critical system configurations, with optional automatic rollback.
• Patch Verification: Verify patch levels across your infrastructure, ensuring systems meet minimum security requirements.

2. Compliance Monitoring

Real-time visibility into client status, rule compliance, and comprehensive troubleshooting capabilities with live actions and advanced metadata-based filtering.

Compliance Dashboard Overview

The Compliance page serves as your central command center for monitoring all managed clients, their compliance status, and provides powerful tools for investigation and live troubleshooting.

Status Cards

• Total Clients: Count of all registered clients in the system
• Verified: Clients with successful compliance verification
• Active: Currently connected and responding clients
• Compliance Rate: Percentage of clients meeting all rules

Filtering Options

• Search: Quick text search across client names
• Status Filter: Filter by All, Verified, or Unverified
• Group Filter: Show clients from specific groups
• Metadata Filters: Advanced multi-attribute filtering

Client List & Quick Details

Expandable Quick Details

Click the expand arrow on any client row to view inline details including:

• System Information: System type, Kernel release, Architecture
• Network Information: Internal IP, Public IP
• Timestamps: Registered date, Last seen, Results updated
• Agent Information: LEA version, Status, Verified state

Client Details Dialog

Comprehensive view of client information, execution history, logs, and live actions. Available tabs:

Details Tab

• Client Name & ID, Status badges (Active, Verified), Registration timestamp, Last seen timestamp
• Operating System & Distribution, Kernel Release version, Architecture (arm64, x86_64, etc.), Network IPs, Agent version
• Rule Tags: Table showing all rules applied to this client with their execution results including return codes, stdout/stderr outputs, and verification status

Executions Tab

Lists all rule executions for this client with their outcomes. Each execution shows the rule name, execution timestamp, return code, and whether the result matched expected values.

Execution Log Tab

Complete chronological log of all command executions on this client. Includes scheduled rule runs, manual executions, and system-triggered checks.

Agent Logs Tab

Raw logs from the LEA agent running on the client. Essential for debugging connectivity issues, understanding agent behavior, and diagnosing problems. Logs can be searched and filtered by severity level.

Live Debug Tab

Real-time debug stream from the agent. When enabled, shows live verbose output from the agent including rule processing, network communications, and internal state changes.

Live Execution Tab

Execute ad-hoc commands directly on the client in real-time. Perfect for troubleshooting, verification, and one-off administrative tasks without creating permanent rules.

Groups Tab

Shows all groups this client belongs to, including groups inherited through nested group relationships. Helps understand which rules apply to this client based on group membership.

Live Command Execution

Execute commands on clients in real-time for troubleshooting and verification.

• Execute any shell command directly on the client
• Results polled every 5 seconds until completion
• Full stdout/stderr output with syntax highlighting
• Exit code displayed for verification

Advanced Metadata Filtering

Filter clients by system attributes collected from each endpoint. Dynamic Tags from rule outputs can be used for filtering and grouping. See the Search & Filter section for full details.

3. Execution Monitoring

Granular visibility into rule execution status across all clients, showing detailed output, verification results, and historical execution data for each client-rule combination.

While the Compliance Monitoring page shows aggregated status per client, the Execution page drills down to show individual execution results for every rule on every client—essential for troubleshooting specific failures and tracking remediation history.

Execution Dashboard Overview

Dashboard Metrics

• Total Executions: Count of all client-rule execution records
• Verified: Executions that passed verification
• Active: Number of active execution records
• Verification Rate: Percentage passing verification

Filtering Options

• Client Name Search: Filter by hostname or identifier
• Rule Name Search: Filter by rule name (unique to Execution page)
• Status Filter: All, Verified, or Unverified
• Metadata Filters: Same advanced filtering as Compliance

Execution Table Columns

Verification Details

When a rule execution fails verification, expand the row to see detailed information:

• Execution Info: Return Code, Status (Verified/Unverified), Execution timestamp
• Failed Verification Steps: Type (e.g., "re" for regex), Stream (stdout/stderr), Pattern (expected regex pattern)

The Standard Output section includes a search field to quickly locate relevant values and highlight all occurrences.

Execution History

Track compliance progression over time for any client-rule combination.

Entry Types

• source: Original command execution retrieving the configuration value
• validation: Verification step checking if the value meets requirements

History Columns

• Time, Type (source or validation), Status (Verified or Unverified), RC (Return code), Stdout/Stderr

Common Use Cases

• Troubleshooting Failed Verifications: Filter by Status = "Unverified", expand row to see verification details, review failed pattern and actual output, use stdout search to find non-compliant value, determine remediation action needed.
• Tracking Remediation Progress: Find the remediated client-rule combination, open the execution history, verify latest validation shows "Verified", confirm Unverified→Verified transition timestamp, document remediation completion.

4. Search & Filter

Powerful search and filtering capabilities to quickly locate clients and executions using text search, status filters, and advanced metadata-based filtering.

The advanced metadata filtering system is shared between the Compliance and Execution pages. The Execution page includes an additional Rule Name search field for filtering by specific rules.

Search Bar Overview

Compliance Page Filters

• Client Name Search: Text search across client hostnames
• Status Filter: All, Verified, or Unverified clients
• Group Filter: Filter by group membership
• Metadata Filters: Advanced attribute-based filtering

Execution Page Filters

• Client Name Search: Text search across client hostnames
• Rule Name Search: Filter by specific rule names
• Status Filter: All, Verified, or Unverified executions
• Metadata Filters: Same advanced filtering as Compliance

Advanced Metadata Filters

Filter clients and executions by system attributes collected from each endpoint.

Active Filters & Multi-Select

• Select multiple values within the same field (OR logic)
• Combine different fields for complex queries (AND logic)
• Active filters displayed as removable tags below the search bar
• Click tag X to remove individual filter value
• Clear All to reset all metadata filters at once
• Filters persist during the session for consistent views

Filter Logic

• Within Same Field (OR): Distribution: Ubuntu + Rocky → Shows clients running Ubuntu OR Rocky
• Across Different Fields (AND): Distribution: Ubuntu + Architecture: aarch64 → Shows only Ubuntu clients AND running on ARM architecture
• Combined with Text Search: Search: "prod" + Distribution: Rocky + Status: Unverified → Shows unverified Rocky clients with "prod" in their hostname

Common Filtering Scenarios

• Find All ARM Servers: Select aarch64 under Architecture
• Non-Compliant Ubuntu Clients: Set Status filter to Unverified, select Ubuntu under Distribution
• Track Specific Rule Compliance: Go to Execution page, enter rule name, filter by Status = Unverified
• Legacy Agent Version Check: Select older versions under LEA Version

5. Rules Management

Define and manage compliance and configuration rules for your infrastructure.

What is a Rule?

A rule is a compliance or configuration definition that will be checked on clients assigned with this rule (via group membership) and verified/remediated in case the detected status is non-compliant. Rules enable automated compliance monitoring and enforcement across your infrastructure.

Rule Structure

Understanding the three main components of a rule:

1. Validation Command

The command executed to check the current state of the system.

• Shell script: Native sh or PowerShell script
• Internal agent function: Predefined agent functions
• uri_sh: Agent browses a provided URL for a script and dynamically runs it via the relevant shell (sh or PowerShell). Supports all HTTPS endpoints, including GitHub, Artifactory, and other remote script repositories.

2. Verification (Expectation) Rule

Defines the checks required to pass for this rule to be marked as 'compliant'.

• Regular expression match against standard output (stdout)
• Regular expression match against standard error (stderr)
• Return code — Process exit code validation
• Complete MD5 match — Against the entire process output

3. Remediation Command

The command executed to fix non-compliant states automatically. Same command types as validation (shell script, internal agent function, uri_sh).

Edit Rule Interface

Basic Information Section

• Rule Name: Descriptive name (e.g., "Blacklisted Offensive Tools Not Running")
• Category: Classification (e.g., integrity, security, compliance)
• Active Toggle: Enable or disable rule execution
• Description: Detailed explanation of what the rule checks
• Interval (seconds): How often to run this rule (e.g., 3600 = every hour)
• Command Info Key (tag): Dynamic Tag name for capturing rule output as client metadata

Dynamic Tags

The Command Info Key (tag) field enables LEA's Dynamic Tags feature. When specified, the rule's stdout output is automatically captured and stored as metadata on each client that executes the rule.

How It Works:

1. Set a tag name (e.g., "hostname")
2. Rule executes validation command on clients
3. Command stdout is stored under that tag name
4. Tag becomes client metadata for filtering/grouping

Example use cases: hostname, mac_addr, package_inventory, process_count.

Dynamic Tags can be used for advanced filtering in the Compliance and Execution pages and for automatic group allocation using JSONPath expressions.

Available Actions

• Save Rule: Persist the rule configuration
• Import JSON: Import rule definitions from JSON files
• JSON Tools: View, edit, or copy the rule configuration in JSON format
• Delete Rule: Remove the rule from the system

Rule Statistics (Sidebar)

• Validations: Number of validation commands configured
• Verifications: Number of expectation rules defined
• Remediations: Number of remediation commands
• Parameters: Number of parameters/secrets configured

Parameters & Secrets Management

The Parameters section allows you to define variables and secrets that can be referenced within your rule commands.

Parameter Types

• Internal Var: Parameters processed on the LEA server before being sent to the agent. Useful for server-side variable substitution and configuration values like log file names or paths.
• Environment Var: Secrets passed directly to the agent as environment variables. The values are securely transmitted and available during command execution. Ideal for passwords, API keys, and tokens.
• File: Content passed to the agent and written to a file path. Useful for certificate files, configuration templates, or any file-based secrets.

Security Note: Secret values are masked in the UI and encrypted during transmission. Use Environment Var type for any sensitive data that should not be visible in logs or audit trails.

Multi-OS & Multi-Distribution Support

LEA allows you to define multiple validation commands within a single rule, each targeting different operating systems or Linux distributions. This creates universal rules that adapt to the target system.

Each validation block includes: Field (command type), Rule (actual command), Systems (target OS: Linux, Darwin/macOS, Windows), Target Distributions (specific Linux distributions).

Example: Cross-Platform Process Check — Validation #1 (Linux): ps -ef, Validation #2 (macOS/Darwin): ps -ax, Validation #3 (Windows): tasklist

The LEA agent automatically detects the operating system and distribution, then executes only the matching validation command.

Supported distributions: Linux, Darwin, Windows, Alpine Linux, Oracle Linux Server, Rocky Linux, Ubuntu, openSUSE Leap.

Regular Expression Builder

LEA includes a powerful Regular Expression Builder to help you create and validate regex patterns for verification rules.

• Test Pattern: Enter your regex pattern with real-time validation
• Sample Text: Test area to verify pattern matches
• Validation Indicator: Green checkmark shows valid pattern syntax
• Apply Pattern: Directly insert the validated pattern into your rule

Common Regex Patterns: .* (any chars), .+ (one or more), \d+ (digits), \w+ (word chars), [a-zA-Z]+ (letters), ^/$ (line boundaries), (group) (capturing), [abc] (character class), \s/\S (whitespace).

JSON Tools

The JSON Tools dialog provides powerful capabilities for viewing and managing your rules in JSON format.

Available Modes

• VIEW: Syntax-highlighted JSON display with color-coded keys, strings, numbers, and booleans
• EDIT: Direct JSON editing with real-time validation
• RAW: Plain text view for easy copying

Use Cases

• Export: Copy rules to store in version control (Git)
• Share: Distribute rule configurations across teams
• Clone: Duplicate and modify existing rules quickly
• Automate: Programmatically generate rules via API

JSON Structure Example

{
  "name": "Blacklisted Offensive Tools Not Running",
  "description": "Ensures no known offensive security tools...",
  "active": true,
  "category": "integrity",
  "cycle": 3600,
  "cmd": {
    "validation": [
      { "command": "ps -ef", "system": ["Linux"], "distribution": [] },
      { "command": "ps -ax", "system": ["Darwin"], "distribution": [] },
      { "command": "tasklist", "system": ["Windows"], "distribution": [] }
    ]
  }
}

Rule Tag Filtering

LEA provides a powerful tag-based filtering system to navigate large rule sets. Filter rules by multiple criteria including compliance category, risk level, environment, priority, and compliance standards.

Tag Categories

• cat: (Compliance Category): access_control, authentication, audit, identity_management, kernel_security, network_security, password_policy, system_hardening
• env: (Environment/Architecture): host_level, linux, macos, windows
• priv: (Priority Level): required rules that must be enforced
• risk: (Risk Level): high, medium, low

Compliance Standards (std:)

• ISO27001: ISO 27001 control references (e.g., A.10.1.1, A.12.4.1)
• NIST 800-53: NIST security controls (e.g., AC-2, AU-12, SC-13)
• PCI DSS: Payment Card Industry requirements (e.g., 8.2.4, 8.3.6)
• CIS: Center for Internet Security benchmarks
• NCSC:PQC: Post-Quantum Cryptography readiness
• EU:DORA: Digital Operational Resilience Act
• BIS:QuantumRoadmap: Quantum readiness requirements

Filter Logic: AND vs OR

• AND: Rules must match all selected tags. Use for narrow, specific filtering.
• OR: Rules must match any of the selected tags. Use for broader searches.

Privilege Wrapper (lea_priv_wrapper.sh)

When a rule's validation or remediation command requires elevated privileges, use lea_priv_wrapper.sh — a strict whitelist gate that replaces broad sudo access with per-command authorization.

Prefixing Rule Commands

In the rule's validation or remediation command field, prefix the command with the wrapper and a COMMAND_KEY:

sudo /usr/local/sbin/lea_priv_wrapper.sh systemctl_status ssh.service
sudo /usr/local/sbin/lea_priv_wrapper.sh sysctl_get net.ipv4.ip_forward
sudo /usr/local/sbin/lea_priv_wrapper.sh apt_install auditd

The wrapper accepts a COMMAND_KEY as the first argument and one validated argument as the second. Each argument is validated against a per-command regex before execution. Only whitelisted operations can run. All invocations are logged to syslog tagged lea_priv_wrapper.

For full installation and sudoers setup details, see the LEA Agent section.

6. Groups Management

Organize managed clients and assign validation rules with flexible targeting.

What are Groups?

Groups allow you to organize managed clients (hosts) and assign specific validation rules to them. This enables targeted compliance and security checks across different segments of your infrastructure. Groups can be static (manually selected hosts) or dynamic (automatically matched using JSONPath expressions on client metadata).

Groups also support nesting, allowing you to include all clients or rules from another group, creating hierarchical configurations that simplify policy management.

Group Edit Interface

Basic Information

• Name: Descriptive group name (e.g., "All Clients", "Production Servers")
• Description: Optional explanation of the group's purpose
• Active: Toggle to enable or disable the group

Assignment Sections

• Clients: Select specific clients to include in the group, or use "All Clients are selected" for universal coverage
• Rules: Select which validation rules to apply to this group's members

Dynamic Settings

• All Clients: When checked, this group encompasses all managed clients. Rules assigned will be applied universally to every connected agent.
• Exclude from All Clients: When checked, clients in this group will not be subject to rules applied to the "All Clients" groups. Useful for exceptions and special-case systems.
• JSONPath Expression: Use JSONPath queries for dynamic group membership based on client attributes.

JSONPath Examples:

$.clients[?(@.os_type == 'Linux')]        — Matches all Linux clients
$.clients[?(@.environment == 'production')] — Matches all production hosts

Nested Groups

Nested groups allow you to include all clients or rules from another group. When you add a nested group, all current members of that group will be automatically included in this group.

How Nested Groups Work

• Select Group: Choose the source group to nest from the dropdown
• Nesting Type: Choose whether to include "Rules" or "Clients" from the selected group
• Preview: View all elements that will be added before applying

Nesting Types

• Rules Nesting: Include all validation rules from the selected group.
• Clients Nesting: Include all client members from the selected group. Useful for creating superset groups.

Creating a Group — Step-by-Step

1. Define Group Identity: Enable Active checkbox, enter a descriptive Name, add optional Description.
2. Configure Client Membership: Choose from: All Clients, Manual Selection, Dynamic JSONPath, or Nested Groups.
3. Assign Rules: Select validation rules to apply.
4. Add Nested Groups (Optional): Click "Add Nested Group" to include rules or clients from existing groups.
5. Review and Save: Verify client membership, rule assignments, and nested group relationships.

Use Cases for Nested Groups

• Policy Inheritance: Create a base "Security Baseline" group with fundamental rules, then nest it into specialized groups like "Web Servers" or "Database Servers".
• Compliance Frameworks: Create groups for each compliance category (e.g., "Kernel Security", "Password Policy") and nest them into a master "CIS Compliance" group.
• Environment-Based Grouping: Nest client groups from "Development Servers" and "Staging Servers" into a "Non-Production" group.

Best Practices

• Use descriptive group names that reflect their purpose and scope
• Leverage JSONPath for dynamic groups that need to scale automatically
• Create specific groups for different compliance requirements or security levels
• Use 'Exclude from All Clients' carefully to avoid gaps in coverage
• Document group descriptions thoroughly for team collaboration
• Use nested groups to create policy hierarchies and reduce duplication
• Test JSONPath expressions before deploying to production
• Combine multiple rules into logical groups for easier nesting

7. Audit & Logging

Track compliance events, client state changes, and administrative activities.

Understanding LEA Audit

LEA provides comprehensive audit capabilities divided into two main views:

• Webhook Audit: Tracks client state changes and compliance events received via webhooks
• System Audit: Records all administrative actions and database operations performed by users, including Live Execution commands

Webhook Audit

The Webhook Audit view displays all incoming events from LEA agents, including compliance state changes, heartbeats, and other client communications.

Statistics Overview

Total Entries, Webhook Events, Compliance Events, Success Rate

Event Types

• Compliance: Client compliance state changes (compliant/non-compliant transitions)
• Webhook: Custom webhook notifications triggered by rules or external systems

Table Columns

Click the arrow next to any entry to expand and view the full request data, showing current and previous state for compliance tracking.

System Audit

The System Audit view records all administrative actions performed within LEA, including database operations like creating, updating, or deleting records.

Statistics Overview

Total Entries, Inserts, Updates, Deletes

Action Types

• UPDATE: Record modification (e.g., updating group settings)
• SELECT: Data retrieval operations
• INSERT: New record creation
• DELETE: Record removal

Table Columns

Changes Highlighted

When you expand an UPDATE entry, LEA displays the changes in a diff format showing removed values in red and added values in green.

Audit Use Cases

• Compliance Verification: Use Webhook Audit to verify all clients are reporting compliance status.
• Incident Investigation: Use System Audit to track administrative changes around the time of an incident.
• Change Management: Track who made changes to groups, rules, or settings.
• Client Health Monitoring: Monitor Webhook Audit to ensure all agents are communicating.

Best Practices

• Review audit logs regularly to detect unusual patterns or unauthorized changes
• Use filters to focus on specific time periods or action types during investigations
• Monitor the Success Rate in Webhook Audit to identify communication issues
• Correlate System Audit entries with change management tickets for compliance
• Export audit data periodically for long-term retention and compliance requirements
• Set up alerts for critical actions like DELETE operations on sensitive tables
• Use Request IDs to track the full scope of complex administrative operations

8. Settings

Configure data retention, webhooks, SSO integration, licensing, user management, and platform-wide preferences.

Settings Overview

The Settings page is the central hub for configuring LEA's operational parameters, integrations, and system behavior. Administrators can manage data retention policies, webhook integrations, Single Sign-On (SSO), licensing, and user accounts.

Data Retention

Automatic purge options: Automatically purge old audit logs; Automatically purge old executions. Purge runs periodically to maintain database performance and storage efficiency.

Webhooks

Webhooks allow LEA to send real-time notifications to external systems when compliance events occur. Integrate with SIEM tools, ticketing systems, or custom automation workflows.

Single Sign-On (SSO)

LEA supports Single Sign-On via Keycloak, enabling centralized user management, multi-factor authentication, and integration with enterprise identity providers (LDAP, Active Directory, SAML, OIDC).

License Management

Current license details: Status, License ID, Customer Name, Customer Email, Installed At, Valid Until, Days Remaining, Max Clients, Max Rules, Features (gsr_sso, lea_agent, lea_console, lea_platform).

License Operations

• Generate Request: Generate a license request with machine fingerprint to send to your vendor
• Copy / Download: Copy the license request to clipboard or download as JSON
• Upload License: Upload or paste a license file to activate or renew

User Management

When to Use Local Accounts

• Avoid for: Interactive user logins, Day-to-day platform access, Administrator accounts, Shared team access
• Acceptable for: API key / service account access, Automation and CI/CD pipelines, Emergency break-glass access, Initial SSO configuration

Benefits of SSO

• Centralized user management in Keycloak
• Multi-factor authentication (MFA) support
• Integration with Active Directory / LDAP
• Automatic session management and logout
• Complete audit trail of user actions
• Role-based access control (RBAC)

Saving Settings

• Click SAVE CHANGES (top-right corner of Settings page)
• Use REFRESH to discard unsaved changes and reload
• Changes apply immediately — most settings take effect without restart
• Settings affect all users and managed systems platform-wide

Best Practices

• Always use SSO (Keycloak) for interactive user management instead of local accounts
• Configure appropriate data retention periods to meet compliance requirements
• Enable automatic purge to maintain optimal database performance
• Use SSL verification for all webhook endpoints in production
• Regularly review and rotate webhook credentials
• Monitor license expiration and plan renewals in advance
• Test SSO configuration in a staging environment before production deployment

9. API Reference

Complete RESTful API documentation with OpenAPI support, advanced filtering, and granular permissions.

API Overview

LEA provides a comprehensive RESTful API built on PostgREST, offering automatic OpenAPI documentation, powerful filtering capabilities, and granular permission controls. All API requests return JSON responses.

• Base URL: https://your-lea-controller.example.com
• API Prefix: /api/* (data endpoints) | /lea/* (platform endpoints)
• OpenAPI 3.0 auto-generated specification
• Advanced Filtering with PostgREST query syntax
• Granular Permissions with role-based access control

Authentication

All API endpoints require authentication. Unauthenticated requests receive a 401 Unauthorized response.

SSO Token Exchange (Recommended)

POST /lea/authenticate_api_from_token
Headers:
  Content-Type: application/json
  Authorization: Bearer <SSO_TOKEN>

Using the Bearer Token

curl -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <YOUR_TOKEN>" \
  https://lea-controller.example.com/api/clients

OpenAPI & Advanced Filtering

LEA automatically generates an OpenAPI 3.0 specification at GET /api/.

PostgREST Query Syntax

Query Examples

# Filter by exact value
GET /api/clients?verified=eq.true

# Case-insensitive search with wildcards
GET /api/clients?name=ilike.*production*

# Multiple IDs
GET /api/cmds?id=in.(1,2,3,4,5)

# Pagination and ordering
GET /api/clients?order=name.asc&offset=0&limit=100

# Select specific columns
GET /api/clients?select=id,name,verified,active

# Get count with exact header
GET /api/clients?select=count
Header: Prefer: count=exact

# Metadata filtering (Dynamic Tags)
GET /api/clients?cmd_info->os_version->>stdout=eq.Ubuntu 22.04

Granular Permissions

LEA implements row-level security (RLS) and role-based access control.

API Endpoints — Clients

API Endpoints — Rules (Commands)

API Endpoints — Groups

API Endpoints — Execution Results

API Endpoints — Audit & Logging

API Endpoints — Settings & Configuration

Error Handling

# Example error response
{
  "error": "Permission denied",
  "message": "User does not have access to this resource",
  "details": "RLS policy violation on table 'cmds'",
  "hint": "Check user roles and permissions"
}

10. LEA Agent

The LEA Agent is a lightweight security monitoring client that connects to a LEA server, executes validation commands, and reports results. It ships as two binaries:

In normal operation you only interact with lea-agent (the watchdog). It finds and launches the runner automatically.

Quick Start

Place both binaries in the same directory alongside lea.conf, then run:

./lea-agent

Agent Architecture

The LEA Agent uses a two-component architecture for maximum reliability and self-healing capabilities:

• Watchdog Process (lea-agent): The outer wrapper that monitors and manages the agent runner. Automatically restarts the runner if it crashes, manages version rollbacks, and ensures continuous operation.
• Runner Process (lea-agent-runner): The core agent that connects to the LEA server, receives commands from assigned rules (via Groups Management), executes validation and remediation tasks, and reports system status.

Watchdog (lea-agent) Command Line Options

--help                     Show help and exit
--version                  Show version information and exit
--dry                      Show which runner binary would be used, without starting it
--runner-version=X.Y.Z     Pin to a specific runner version (e.g. 1.2.3)
--force-cmd=COMMAND        Run the agent once for one specific command, then exit
--privileged               Allow the watchdog to run as root / SYSTEM
--user=USERNAME            Run the runner as this user (Linux/macOS only)
--group=GROUPNAME          Run the runner as this group (Linux/macOS only)
--install-service          Install lea-agent as a Windows service (Windows only)
--uninstall-service        Remove the Windows service registration (Windows only)

Runner (lea-agent-runner) Command Line Options

--help                Show help and exit
--version             Show version information and exit
--show-config         Print resolved configuration and exit
--force-cmd=COMMAND   Execute one specific server command, then exit
--privileged          Allow running as root / SYSTEM

Configuration

Configuration is read from the following sources in priority order (highest first):

1. Environment variables (highest priority)
2. Configuration file — searched in order: ./lea.conf, conf/lea.conf, /etc/lea.conf
3. Built-in defaults (lowest priority)

Configuration Keys

Configuration File (lea.conf)

# LEA Agent Configuration File
LEA_SERVER_URL=https://lea.example.com/lea
LEA_SKIP_SSL_VERIFY=false
LEA_DEBUG=0
LEA_INTERVAL=30
LEA_COMMAND_TIMEOUT=60
LEA_USER=lea
LEA_GROUP=lea

Running as a Service

Linux — systemd

Create /etc/systemd/system/lea-agent.service:

[Unit]
Description=LEA Security Agent
After=network.target

[Service]
ExecStart=/opt/lea/lea-agent
WorkingDirectory=/opt/lea
Restart=on-failure
User=lea
Group=lea
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable --now lea-agent
sudo journalctl -u lea-agent -f        # follow logs

macOS — launchd

Create /Library/LaunchDaemons/com.lea.agent.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>             <string>com.lea.agent</string>
    <key>ProgramArguments</key>  <array><string>/opt/lea/lea-agent</string></array>
    <key>WorkingDirectory</key>  <string>/opt/lea</string>
    <key>RunAtLoad</key>         <true/>
    <key>KeepAlive</key>         <true/>
    <key>StandardOutPath</key>   <string>/opt/lea/lea-agent.log</string>
    <key>StandardErrorPath</key> <string>/opt/lea/lea-agent.log</string>
</dict>
</plist>

sudo launchctl load -w /Library/LaunchDaemons/com.lea.agent.plist

Windows — Service Control Manager

Run the following commands in an elevated (Administrator) terminal:

# Install (auto-start at boot)
.\lea-agent.exe --install-service

# Start immediately
Start-Service LEAAgent

# Stop
Stop-Service LEAAgent

# Remove
.\lea-agent.exe --uninstall-service

You can also manage the service via services.msc — it appears as LEA Agent.

Log file: when running as a service, all output is written to lea-agent.log in the same directory as lea-agent.exe. To follow it in PowerShell:

Get-Content -Wait .\lea-agent.log

When run interactively (not as a service), output goes to stderr as normal.

Version Management

The watchdog scans its own directory for all lea-agent-runner* binaries and selects the highest semantic version. To deploy a new runner version, drop the new binary alongside the old one — the watchdog will pick it up on next restart.

If the runner crashes within 30 seconds of starting, the watchdog falls back to the next lower version automatically.

Exit Codes (Runner)

Privilege Wrapper (lea_priv_wrapper.sh)

lea_priv_wrapper.sh is a privileged command wrapper script for the LEA agent. It acts as a strict whitelist gate for all operations that require root privileges on the monitored machine. Instead of granting the lea service account broad sudo rights, a single sudoers entry points exclusively to this script.

Installation

cp lea_priv_wrapper.sh /usr/local/sbin/lea_priv_wrapper.sh
chown root:root /usr/local/sbin/lea_priv_wrapper.sh
chmod 750 /usr/local/sbin/lea_priv_wrapper.sh

Sudoers Configuration

Add a single entry to /etc/sudoers.d/lea:

lea ALL=(root) NOPASSWD: /usr/local/sbin/lea_priv_wrapper.sh

Validate with visudo -c after saving.

Usage in Rule Commands

sudo /usr/local/sbin/lea_priv_wrapper.sh systemctl_status ssh.service
sudo /usr/local/sbin/lea_priv_wrapper.sh sysctl_get net.ipv4.ip_forward
sudo /usr/local/sbin/lea_priv_wrapper.sh apt_install auditd

View all supported keys: /usr/local/sbin/lea_priv_wrapper.sh --help

Security Model

• The lea service account cannot run arbitrary commands as root — only whitelisted operations.
• All arguments are validated against a per-command regular expression before execution.
• All invocations (allowed and denied) are logged to syslog tagged lea_priv_wrapper.