10.5 Command Control Options

10.5.1 Importing and Exporting Command Control Configuration Data

You can import a complete command control configuration database, including test suites, using the Import Settings option, or you can import test suites only, using the Import Test Suites option under Test Suites.

If you import a complete command control configuration database, all existing data is overwritten, including test suites. If you import test suites only, they are added to the existing configuration and do not overwrite the existing test suites.

Exporting Command Control Settings

You can export the Command Control configuration settings to a text file for backup purposes, or for use in another Framework. You use the Import Settings option to restore the backed-up configuration settings, or to import the settings into another Framework.

NOTE: NetIQ recommends that you take frequent backups of the Command Control configuration settings.

  1. On the home page of the console, click Command Control.

  2. In the command control pane, click Command Control.

  3. In the details pane, click Export Settings.

  4. Use Ctrl+A to select all the Command Control configuration settings, or right-click in the text window and click Select All.

  5. Use Ctrl+C to copy the settings, or right-click in the text window and click Copy.

  6. Paste the text into a text document and save it.

  7. Click Close.

To use a command line option to export Command Control settings, see Importing and Exporting Command Control Settings.

Importing Command Control Settings

You can use the Import Settings option to restore a previously backed-up version of the Command Control configuration settings, or to import Command Control configuration settings from another Framework. You first use the Export Settings option to obtain the configuration settings so that you can paste them into a text document for backup or for use on another Framework.

IMPORTANT: This process overwrites the existing configuration settings.

  1. Access the Command Control configuration settings you need and copy the whole configuration.

  2. On the home page of the console, click Command Control.

  3. In the Command Control pane, click Command Control.

  4. In the details pane, click Import Settings.

  5. Click in the text area, then use Ctrl+V to paste the copied settings, or right-click in the text area and click Paste.

  6. Click Finish.

To use a command line option to import Command Control settings, see Importing and Exporting Command Control Settings.

Importing Command Control Samples

NetIQ Privileged Account Manager provides a set of sample commands and Perl scripts to assist you with configuring the Command Control rules.

To add these samples to the configuration:

  1. On the home page of the console, click Command Control.

  2. In the command control pane, click Command Control.

  3. In the details pane, click Import Samples.

  4. Select the samples you want.

    To select multiple samples in a folder, display the samples, then press the Ctrl key and select the required samples one at a time, or press the Shift key and select a consecutive list of samples. You cannot import samples by selecting a folder.

  5. Click Finish. The samples are added to the appropriate section of the configuration.

10.5.2 Command Control Transactions

The Command Control database can be protected through the use of the Transactions feature, which automatically locks the database when you start making changes and prevents other Framework users from making any changes. You must then commit the transaction to save the changes and release the lock, and you are prompted by customized questions to provide information that can be viewed in the Compliance Auditor. You can cancel the transaction at any time.

To use this feature, you must first enable it and create a customized Commit Transactions page, then you can use the feature and commit the changes you have made.

Enabling Transactions and Configuring Settings

You can configure the Command Control Manager to use the Transactions feature when configuring Command Control rules.

You can also configure the Commit Transaction page that can be used for committing a transaction. The data entered on the Commit Transaction page is displayed in Compliance Auditor.

To configure this feature:

  1. On the home page of the console, click Command Control.

  2. In the command control pane, click Command Control.

  3. In the details pane, click Transaction Settings.

  4. Select the Enable Transaction check box to enable the use of Command Control transactions.

  5. Click Add.

  6. Specify a name for the field that you want to be displayed when a user commits a transaction. For example, to request the user’s name when committing a transaction, specify the value as Name.

  7. Select Text if you want the user to enter one line of text, or select TextArea if you want the user to be able to enter several lines of text.

  8. Select required if you want to force the user to enter text in this field. The Finish button on the Commit Transaction page does not become available until the user has entered text in this field.

  9. Repeat Step 5 through Step 8 for any other fields you want to display when the user commits the transaction.

  10. Select Finish.

Making Command Control Configuration Changes with Transactions Enabled

  1. On the home page of the console, click Command Control.

  2. Make the configuration changes you want.

    A message appears next to Command Control in the navigation pane to indicate that the Command Control database is locked, by whom, and when it was locked.

  3. In the command control pane, click Command Control, then in the details pane, click Commit Transaction.

    Complete the fields as set up on the Transaction Settings page, then click Finish.

    Alternatively, if you do not want to keep the changes you have made, select Cancel Transaction in the details pane and select Yes to confirm. Any changes you have made since the database was locked are removed.

Committing a Transaction

When you have finished changing the Command Control database, you must commit the transaction to save the changes and release the lock on the database. The Commit Transaction page can be customized to request whatever information you require when a transaction is committed (see Enabling Transactions and Configuring Settings for details).

To commit a transaction:

  1. On the home page of the console, click Command Control.

  2. In the command control pane, click Command Control.

  3. In the details pane, click Commit Transaction.

  4. To create a backup of the Command Control database that you can restore in future, select the Create Backup check box, then specify a reason for the backup in the text box.

  5. Complete the customized fields according to company policies.

  6. Click Finish.

10.5.3 Defining Audit Settings

All Command Control audit records contain the following information:

  • Submit details, such as the submitting username, hostname, and primary group.

  • Target details, such as the run username and the run hostname.

  • Command details, which include the original command requested and the actual command run.

  • Authorization status, either yes or no.

  • Session capture status, either yes or no.

  • Audit ID, which is the unique ID used to group audit events for the user’s session.

  • Codeset, which is the character encoding used for localization.

  • Terminal details such as tty name, terminal dimensions, and type.

The Audit Settings option allows you to modify this default record and add the following:

  • Encryption of sensitive password data in keystroke capture reports along with a password that allows authorized Framework administrators to decrypt it.

  • Additional options that can be audited for each record.

To define audit settings:

  1. On the home page of the console, click Command Control.

  2. In the command control pane, click Command Control.

  3. In the details pane, click Audit Settings.

  4. Configure the Password keystroke settings:

    1. Select the Password filter check box.

    2. In the Password filter text box, specify the text that is used to prompt users for their passwords.

      For example, if the systems request a user’s password by using the word Password, specify Password in this field. If the systems use password, enter password in this field. This ensures that the password the user enters in response to this prompt is encrypted in the command control reports.

      You can also use regular expressions as a password filter.

      For example:

      =~#([Pp]assword:)|(RDN:)#

      This password filter would match Password, password, or RDN.

    3. Select the Encryption password check box.

      NOTE: If a filter is set and the Encryption Password is not set, then the filtered data is deleted from audit records.

    4. In the Encryption password text box, specify the password that you require to decrypt the sensitive password data in the report.

      This password must be entered on the Command Control Keystroke Report page under the Reporting console to decrypt the password data.

    5. Specify the password again in the Confirm password text box.

  5. (Optional) Select the required check boxes under Metadata Audit Settings to add more information to the audit record:

    Command: Complete information about the command being run, including the actual filename and arguments.

    Host: Information about the submitting host.

    Environment: Complete list of the environment variables that are passed to the executed command.

    Local time: The time on the machine that submitted the request.

    Cwd: Details about the current working directory where the command was executed.

    Options: Details about the various process control options for executing the command.

    Run Account: Information about the account that is used to execute the command.

    Process: Details about the process that submitted the request.

    Jobs: The job control settings that were passed to the executed command.

    Passwd: Details of the /etc/passwd entry for the user submitting the request.

    Groups: The group membership details for the executed command.

    Logon: The login time and source for the user submitting the request.

  6. Click Finish.
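The password filter in step 4 protects only the input typed in response to a prompt that the filter actually matches, and the NOTE in step 3 means that without an encryption password the matched input is removed rather than encrypted. The following Python model, added here as an illustration and not Privileged Account Manager's own code, applies the page's example filter to a constructed keystroke capture; the encryption routine is a stand-in (PBKDF2 key derivation and an HMAC-SHA256 keystream) and does not represent the product's scheme.

```python
"""Model of a Command Control password filter acting on a keystroke capture.
Illustrative code for this page; the cipher below is a constructed stand-in."""
import base64
import hashlib
import hmac
import os
import re

# The page's example filter, =~#([Pp]assword:)|(RDN:)#, without the =~#...# wrapper.
PASSWORD_FILTER = re.compile(r"([Pp]assword:)|(RDN:)")

def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode; a constructed stream cipher for the example.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt_field(plaintext: str, password: str) -> str:
    salt, nonce = os.urandom(16), os.urandom(12)
    data = plaintext.encode()
    stream = _keystream(_derive_key(password, salt), nonce, len(data))
    return base64.b64encode(salt + nonce + bytes(a ^ b for a, b in zip(data, stream))).decode()

def decrypt_field(token: str, password: str) -> str:
    # What the Keystroke Report page would do once the administrator supplies the password.
    raw = base64.b64decode(token)
    salt, nonce, ct = raw[:16], raw[16:28], raw[28:]
    stream = _keystream(_derive_key(password, salt), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()

def filter_capture(events, pattern=PASSWORD_FILTER, encryption_password=None):
    """events: ("out", text) / ("in", text) records in session order.
    Input typed after output that matches the filter is encrypted when an encryption
    password is set; with no encryption password it is deleted (see the NOTE in step 3).
    Everything else passes through unchanged."""
    filtered, expect_secret = [], False
    for direction, text in events:
        if direction == "out":
            filtered.append((direction, text))
            expect_secret = pattern.search(text) is not None
        elif expect_secret:
            if encryption_password:
                filtered.append(("in-encrypted", encrypt_field(text, encryption_password)))
            expect_secret = False
        else:
            filtered.append((direction, text))
    return filtered

# Constructed sample capture, not a real recording. "Passphrase:" is deliberately
# outside the filter to show that only prompts the regex matches are protected.
SAMPLE_CAPTURE = [
    ("out", "$ "), ("in", "passwd user1\n"),
    ("out", "Password: "), ("in", "Hunter2!\n"),
    ("out", "Enter RDN: "), ("in", "cn=user1\n"),
    ("out", "Passphrase: "), ("in", "not-filtered\n"),
]
```

Running `filter_capture(SAMPLE_CAPTURE)` drops the two responses to matching prompts, while `filter_capture(SAMPLE_CAPTURE, encryption_password="...")` keeps them in encrypted form; the response to "Passphrase:" is recorded in clear in both cases because the filter does not match that prompt.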

10.5.4 Backing Up and Restoring

The backup option allows you to create snapshots of the command control database and restore these snapshots at a future date. You can back up and restore from the Framework Manager console, but you need to use the command line to remove a backed-up snapshot. For information about the command line options, see Backing Up and Restoring a Command Control Configuration.

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Command Control.

  3. In the details pane, click Backup and Restore.

  4. To back up the database, specify a reason for the backup, then click Backup.

  5. To restore a previous version of the database, select the version, then click Restore.

    The current version is overwritten by the selected version.

  6. Click Close.

The following information is recorded for each backed-up version:

Date: The date and time the backup was performed.

Administrator: The user that performed the backup.

Reason: The reason for performing the backup. This is optional information, but recommended.

10.5.5 Test Suites

Command control test suites allow you to test the defined rules by running specified commands, submit users, and other input values through your rule configuration, and then checking that the result is as expected. Each test suite can contain a number of test cases where you specify the expected outcome for one or more input values.

Adding a Test Suite

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Command Control.

  3. In the details pane, click Test Suites.

  4. Click Add Test Suite in the task pane.

  5. Specify a name for the test suite.

  6. Specify a description for the test suite.

  7. Click Finish.

  8. Continue with Adding or Modifying a Test Case to add test cases to your test suite.

Adding or Modifying a Test Case

A test case allows you to emulate an end user running a command through the Command Control system.

  1. On the home page of the console, click Command Control.

  2. In the details pane, click Test Suites.

  3. Select the test suite to which you want to add a test case, or in which you want to modify an existing test case.

  4. In the details pane, click View Test Suite.

  5. Perform either of the following:

    • To add a new test case, click Add Test Case in the task pane.

    • To modify a test case, select the test case, then click Modify Test Case.

  6. Specify the values and the expected results that you want to run through the rule configuration. (To review the rule configuration you want to test with this case, see Modifying a Rule.)

    Enter a single value in each field. The purpose of the test case is to emulate the user performing a usrun command from the command line.

    • To create a test case that can be used for general testing and could possibly match multiple rules, supply only submit information for the test case.

    • To create a test case that matches only one rule, use the expected fields to specify values that match a single rule.

    Command: (Required) Specify the command the user would run.

    For example, if the user would enter the following on the command line:

    usrun passwd user1

    Specify the following as the command:

    passwd user1

    Submit User: (Required) Specify the name of the user who is entering the privileged command.

    Submit Host: (Required) Specify the name of the host that the submit user is logged in to.

    Run User: (Optional) When the submit user is requesting to run the command as a specific user with the usrun command, specify the username that is being requested. For example, if the user would enter the following on the command line:

    usrun -u root ksh

    Specify the following as the run user:

    root

    Run Host: (Optional) When the submit user is requesting to run the command on a specific host, specify the hostname that is being requested. For example, if the user would enter the following on the command line:

    usrun -h hosta ksh

    Specify the following as the run host:

    hosta

    User Input: (Optional) Use this field to specify the information that a script, associated with the Command Control policy, expects the user to enter.

    Expected command: (Optional) Use this field to confirm that the command being executed is the correct command. If the command specified in this field does not match the results, the test case fails.

    Expected authorized: (Optional) Use this field to confirm that the request was authorized. If the value in this field does not match the results, the test case fails.

    Expected capture: (Optional) This field is compared with the result of the authorization request to confirm the capture mode is correct. If this field does not match the results, the test case fails.

    Expected run user: (Optional) Use this field to confirm that the user context used to execute the command is correct. If this field does not match the results, the test case fails.

    Expected run host: (Optional) Use this field to confirm that the host on which the command is being executed is correct. If this field does not match the results, the test case fails.

    Expected risk: (Optional) This field is compared with the result of the authorization request in order to confirm the risk associated with the command being executed is correct. If this field does not match the results, the test case fails.

    Submit Time: (Optional) Specify the time that the request should appear to be made. This is useful for testing access time restrictions in the policy.

    Custom Input: (Optional) Use this field to add attributes within the request object. These XML definitions are inserted into the privileged request. For example, you could use this field to configure the group memberships for a user in order to test policies that perform tests on the user’s group membership:

    <Groups>
      <Group name='grpa'/>
      <Group name='grpb'/>
    </Groups>

  7. Click Finish. The input values are shown in the Test Cases table.

  8. Repeat Step 5 through Step 7 for any additional test cases you want to include or modify in this test suite.

You can now run the test suite as explained in Running a Test Suite.

Running a Test Suite

  1. On the home page of the console, click Command Control.

  2. In the details pane, click Test Suites.

  3. Select the required test suite.

    To select multiple test suites, press the Ctrl key and select the required test suites one at a time, or press the Shift key to select a consecutive list of test suites. Use Ctrl+A to select all test suites.

  4. Click Run Test Suites in the task pane. The results are displayed for each test case as Success or as Failure, along with the reason for the failure.

  5. Use the buttons on the left and right of the table to find previous successes and failures, and the next successes and failures.

  6. To view further details on a specific entry, select the entry and click Details.

    The configuration for the test case is shown, and a list of rules that have been tested, with configuration settings for each rule. The Matched column shows true if the rule conditions were met, and false if the rule conditions were not met.

  7. Click Back to return to the main Run Test Suite page.

  8. Click Cancel to return to the list of test suites.

To use a command line option to run a test suite or to run a specific test case, see Running Test Suites.

Viewing a Test Suite

  1. On the home page of the console, click Command Control.

  2. In the details pane, click Test Suites.

  3. Select the required test suite, then click View Test Suite.

    From here you can also modify the test suite; add, modify and delete test cases; and run the test suite.

Modifying a Test Suite

  1. On the home page of the console, click Command Control.

  2. In the details pane, click Test Suites.

  3. Select the test suite you want to modify.

  4. In the details pane, click View Test Suite.

  5. Click Modify Test Suite.

  6. Modify the test suite as desired:

    • Change the name of the test suite.

    • Add or change the description.

    • Use the Up and Down buttons to change the order in which the test cases are run.

  7. Click Finish.

Deleting a Test Case

  1. On the home page of the console, click Command Control.

  2. In the details pane, click Test Suites.

  3. Select the test suite from which you want to delete a test case.

  4. In the details pane, click View Test Suite.

  5. Select the test case to delete.

  6. In the details pane, click Delete Test Case.

  7. Click Yes to confirm the deletion.

Deleting a Test Suite

  1. On the home page of the console, click Command Control.

  2. In the details pane, click Test Suites.

  3. Select the test suite that you want to delete.

    To select multiple test suites, press the Ctrl key and select the required test suites one at a time, or press the Shift key to select a consecutive list of test suites.

  4. Click Delete Test Suite.

  5. Click Yes to confirm the deletion.

Importing a Test Suite

You use the Import Test Suites option to restore a previously backed-up test suite, or to import test suites from another Framework. You first use the Export Test Suites option to obtain the configuration details so that you can paste them into a text document for backup or for use on another Framework.

NOTE: When you import test suites, they are added to your existing configuration and do not overwrite your existing test suites. However, if you import a Command Control database by using the Import Settings option, your existing test suites are overwritten.

  1. Access the test suite data you require and copy it.

  2. Click Command Control on the home page of the console.

  3. Click Test Suites in the task pane.

  4. Click Import Test Suites in the task pane.

  5. Click in the text area, then paste the copied settings by using Ctrl+V, or right-click in the text area and click Paste.

  6. Click Finish.

Exporting a Test Suite

You can export your Command Control test suites to a text file for backup purposes, or for use in another Framework. You can then use the Import Test Suites option to restore the backed-up test suites, or to import the test suites into another Framework.

  1. Click Command Control on the home page of the console.

  2. Click Test Suites in the task pane.

  3. Select the test suite you want to export.

    To select multiple test suites, press the Ctrl key and select the required test suites one at a time, or press the Shift key to select a consecutive list of test suites. To select all test suites, use Ctrl+A.

  4. Click Export Test Suites in the task pane.

  5. Select the test suite data by using Ctrl+A, or right-click in the text window and click Select All.

  6. Copy the test suite data by using Ctrl+C, or right-click in the text window and click Copy.

  7. Paste the text into a text document.

  8. Click Finish.

10.5.6 Creating Default Objects

When you install Privileged Account Manager, some objects are created by default. These are required for the proper functioning of the policies. If you have upgraded from an earlier release to the latest release, the manager for Privileged Account Manager may not have all the new default objects. You can add those default objects by using the Create Default Objects option in the Command Control console.

To create default objects, perform the following:

  1. On the home page of the administrator console, click Command Control.

  2. In the left pane, click Command Control.

  3. In the details pane, click Create Default Objects.

  4. Click Create.