# Job: Minimal Linux

**Audience:** Integrators deploying a custom executable on Linux endpoints.

This example is the Linux equivalent of the [Minimal Windows Job](/keeperpam/endpoint-privilege-manager/integrations/examples/job-minimal-windows.md). The job structure is identical — the differences are the binary path, the `osFilter`, and the absence of a `.exe` extension. If you are deploying to a mixed fleet, pair this file with the Windows and macOS variants and deploy all three.

## The Job JSON

```json
{
  "id": "my-tool",
  "name": "My Tool",
  "description": "Runs MyTool on a 60-minute interval.",
  "enabled": true,

  "schedule": {
    "intervalMinutes": 60
  },

  "osFilter": {
    "windows": false,
    "linux": true,
    "macOS": false
  },

  "mqttTopics": {
    "allowedPublications": ["KeeperLogger"],
    "allowedSubscriptions": []
  },

  "parameters": [],

  "tasks": [
    {
      "id": "run-tool",
      "name": "Run tool",
      "ExecutionType": "Service",
      "command": "mytool",
      "executablePath": "/opt/KeeperPrivilegeManager/Jobs/bin/mytool/mytool",
      "arguments": "--keeper-api-base={KeeperApiBaseUrl}",
      "timeoutSeconds": 3600,
      "continueOnFailure": false,
      "scriptType": "Auto"
    }
  ]
}
```

## What to Change

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="244.6666259765625">Field</th><th>What to Put Here</th></tr></thead><tbody><tr><td><code>id</code></td><td>A unique identifier for this job. Use hyphens — no underscores. The filename must match: <code>my-tool.json</code> for <code>"id": "my-tool"</code>. Keep this ID consistent with your Windows and macOS variants if deploying to a mixed fleet.</td></tr><tr><td><code>name</code></td><td>A human-readable name shown in logs and the admin view.</td></tr><tr><td><code>tasks[0].command</code></td><td>The name of your binary, typically lowercase on Linux. The agent resolves <code>Jobs/bin/{command}/{command}</code> automatically.</td></tr><tr><td><code>tasks[0].executablePath</code></td><td>Full path to your binary. The default agent install root on Linux is <code>/opt/KeeperPrivilegeManager</code> — confirm with your administrator if your deployment uses a different path.</td></tr><tr><td><code>tasks[0].arguments</code></td><td>Any flags your binary accepts. Keep <code>{KeeperApiBaseUrl}</code> — the agent substitutes the local HTTPS API base URL here at run time.</td></tr><tr><td><code>schedule.intervalMinutes</code></td><td>How often to run, in minutes.</td></tr><tr><td><code>tasks[0].timeoutSeconds</code></td><td>Maximum run time before the agent kills the task.</td></tr></tbody></table>

**Binary naming.** Linux executables have no `.exe` extension. Both `command` and `executablePath` should use the plain binary name. By convention, Linux binary names are lowercase — `mytool` rather than `MyTool` — though the agent resolves whatever name you provide.

**File permissions.** The binary must be executable by the agent service account. After deploying:

```bash
chmod +x /opt/KeeperPrivilegeManager/Jobs/bin/mytool/mytool
```

If the agent runs as a specific user (confirm with your administrator), ensure that user has read and execute permission on the binary and its parent directory.

**`osFilter` and validation.** Because `linux` is the only platform set to `true`, agents on Windows and macOS will skip this job entirely. The validator also skips binary existence checks when the job's `osFilter` does not match the current OS — so you can register this job from a Windows host without the Windows validator looking for a Linux binary path.

**Process trust on Linux.** The agent's process trust mechanism on Linux relies primarily on the job runner having launched your binary. Ensure the binary is always started via a job task rather than manually to avoid triggering the certificate check path. See [Code Signing and Process Trust](https://claude.ai/integration/custom-job-guide#part-2-code-signing-and-process-trust) in the Custom Job Integration Guide.

## Before You Deploy

1. **Deploy the binary first.** Place the binary at `executablePath` on the endpoint before calling `POST /api/Jobs`. The validator checks that it exists at the time of the call.
2. **Set executable permissions.** Run `chmod +x` on the binary after copying it.
3. **Confirm the install root.** `/opt/KeeperPrivilegeManager` is the typical Linux default — verify this with your administrator before deploying.
4. **Filename must match `id`.** Save this file as `my-tool.json` if `"id"` is `"my-tool"`.

## Deploy

Validate before saving:

```bash
curl -s -X POST https://127.0.0.1:6889/api/Jobs/validate \
  --cert /path/to/client.pem \
  --key /path/to/client.key \
  --cacert /path/to/ca.pem \
  -H "Content-Type: application/json" \
  -d @my-tool.json
```

Create the job:

```bash
curl -s -X POST https://127.0.0.1:6889/api/Jobs \
  --cert /path/to/client.pem \
  --key /path/to/client.key \
  --cacert /path/to/ca.pem \
  -H "Content-Type: application/json" \
  -d @my-tool.json
```

Trigger a manual run to confirm:

```bash
curl -s -X POST https://127.0.0.1:6889/api/Jobs/my-tool/trigger \
  --cert /path/to/client.pem \
  --key /path/to/client.key \
  --cacert /path/to/ca.pem \
  -H "Content-Type: application/json" \
  -d "{}"
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/integrations/examples/job-minimal-linux.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.