8.4 Configuring Command Control

Command Control uses rules to protect and control user commands. When configuring a rule, you must set conditions for the rules to determine which rule or rules are processed, for example, on the command submitted or the user who submitted it. You also need to define what processing to do if the rule conditions are matched.

The components that you can define and configure for a rule are as following:

The rule. For configuration information, see Rules.
Account groups, user groups, and host groups, which determine who matches the rule. For configuration information, see Command Control Groups.
Commands. For configuration information, see Commands.
Credential Vault. For configuration information, see Contextual Help.
Scripts for additional functionality. For configuration information, see Scripts.
Access time to define specific time interval during which access is denied or granted. For configuration information, see Access Times.

NOTE:To enable access to the Command Control console for a Framework user and to control the level of access available, you must add the user to a group with the appropriate roles defined. See Configuring Roles for details.

The following additional features are provided to assist you with Command Control configuration and management:

8.4.1 Rules

Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run, by setting rule conditions based on different criteria:

The command being submitted
The user and host submitting the command
The user and host assigned to run the command
The time the command is submitted
The contents of Perl scripts you have defined.

See Setting Conditions for a Rule for details.

If a rule’s conditions are met, there are a number of options you can set to determine how the rule processes the command. You can configure a rule to:

Display a message to the user submitting the command
Capture the user session for reporting and auditing purposes
Authorize or not authorize the command to be run
Specify what further rule processing to do. The rule can specify that the processing of additional rules ends by using the stop conditions (Stop, Stop if authorized, Stop if unauthorized).

When the Framework Manager receives a command request, the evaluation starts at the top of the rule tree. Even when a request matches a rule, the evaluation continues until a rule has a stop condition or the rule tree has been processed.

You can also:

Specify the user and host to run the command
Set a risk level for use with keystroke reports
Assign an audit group to the rule for use with the Compliance Auditor.

See Modifying a Rule for details.

You can also create and assign Perl scripts to the rule to provide additional functionality. See Adding a Script and Assigning a Script to a Rule for details.

NOTE:If you are using a different user (run user) to run an authorized command than the user who submitted the command (submit user), by default the submit user’s environment variables are used for the run user. If you want to use the environment variables associated with the run user, you can add a script to a rule containing the following text:

$meta->get_params("Job")->arg("job_default_env",0);
return 1;

Adding a Rule

On the home page of the console, click Command Control.
In the command control pane, click Rules.
In the task pane, click Add to add a rule at the top level.

To add a rule as a child of another rule, select the rule and click Add in the task pane.
Specify a name for the rule.
Click Finish to add a new rule.
Select the rule, then click Modify Rule in the task pane.

For configuration information, see Modifying a Rule.
Move the rule by using the Alt key and drag and drop it to the correct position according to the order in which you want to process the rules. This moves the rule in the same hierarchy.

When a user specifies a command under Command Control, the following rule processing takes place:
- The conditions set for the first rule in the hierarchy are checked.
- If there is a match, the rule is processed. Depending on how the rule is configured, processing of additional rules takes place or stops. If rule processing is not stopped, the next rule for which conditions are checked is the child of this rule. Rule checking and processing continues until it is stopped by a rule, or until all appropriate rules have been processed.
- If there is no match, the conditions for the next rule at the same hierarchical level as the first rule are checked, and this continues until a match is found. Rule processing then takes place as described above.
You can change the default order of rule processing on the Modify Rule screen, or by using scripts. See Modifying a Script.

Modifying a Rule

On the home page of the console, click Command Control.
In the command control pane, click Rules.
Select the rule you want to modify.
In the details pane, click the edit icon.
Modify the following as per your requirement:

Name: Change the name of the rule.

Disabled: To disable the rule, select the Disabled box. A disabled rule is dimmed.

Description: Specify a description of the rule.

User Message: Specify a user message to be displayed to the user when this rule is processed, before any commands are run.

Session Capture: Select either On or Off. Setting Session Capture to On allows the Audit Manager to perform keystroke logging for the rule.

To view a captured session from a Command Control report, an Auditing Manager and the Reporting Console must be installed.

X11 Enable: Select either Yes or No to enable the X11 application access over SSH Relay.When you enable X11 application access, you can choose to enable the video recording of the session. Select Video Capture On to enable video capture of the session.

Authorize: Select either Yes or No, depending on whether you want the command protected by the rule to be authorized or not authorized if the rule conditions are met.

Define what happens next by using the drop-down list as follows:
- Blank: The next rule in the hierarchy is checked.
- Stop: No more rules are checked for the command.
- Return: The next rule to be checked is up one level in the hierarchy from the current rule.
- Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.
- Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.
Run User: Define a run user by selecting the name of the user you want to run this command (this overrides any username defined through a set command).

Account Domain: Select the appropriate LDAP or SSH resource from the drop down list.

Credentials: The credential for the selected resource gets populated. You can also select the required credential from the drop-down list.

Run User: The Run User gets automatically populated with the domain user provided in the resource.

Run Host: Define a run host by selecting the name of the host on which you want to run this command (this overrides any hostname defined through a set command).

NOTE:When modifying a rule for Run as Privileged User method, ensure to modify the Run Host as Submit Host.

Risk Level: Set a Risk Level of 0 to 99. This option allows you to set a value representing the relative risk of a rule with the session auditing option (see cpcksh). When viewing a Command Control Keystroke Report, you see commands controlled by rules with different risk values represented in different colors.

Audit Group: Define an Audit Group. This setting is for use in Compliance Auditor reports.

NOTE:To configure video capturing refer section Video Capture
Click Modify.

Viewing Conditions for a Rule

You can view all the conditions that create a rule. These conditions are created with the help of the entities such as host group, user group and so on. You can view the entity that includes the condition and also modify it if required.

To view the condition perform the following steps:

In the Command Control pane, click the required rule.
In the details pane, click View Condition.

This displays the list of entities that are part of the condition.
(Conditional) Click Locate to locate the required entity.

This locates and selects the required entity in the middle pane.
(Conditional) In the details pane, click the edit icon o modify the fields of the entity.

Setting Conditions for a Rule

You can set a number of conditions for a rule to determine whether the rule is processed or not. For example, you can set a particular command as a condition, and only process the rule if a user enters that command.

There are two ways of setting conditions for a rule:

Dragging and dropping an entity onto the rule.
Using the Edit Condition option, as described in the steps below.

NOTE:When you drag and drop an entity onto a rule, you might need to edit the condition to ensure that the condition logic is what you want. If you want to use a script in rule conditions, you must set it to Conditional first (see Modifying a Script).

To set conditions by using the Edit Condition option:

On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
Select the rule for which you want to set conditions.
In the details pane, select the currently defined condition then click Edit Condition.

If you have not yet defined a condition, select Match All
In the Add Condition drop-down list, select the type of condition you want.
Set the condition to the value and logic you want. For example, if you set a condition to match a run user to a user group:
1. Change user (submit user) to run user.
2. Leave the logic setting as IN.
3. Select the user group you require from the user group drop-down list.
Repeat Step 5 and Step 6 for any other conditions you want. Set the condition logic as necessary.

You can use parentheses to group conditions according to the necessary logic by selecting the parentheses ( ) entry from the Add Condition drop-down list. The opening and closing parentheses are displayed.
1. Select the opening parenthesis.
2. Select the condition type you want to place inside the parentheses and set it as necessary.
3. Select the opening parenthesis again.
4. Select another condition type to place inside the parentheses and set it as necessary.
5. If necessary, change OR to AND.
6. Repeat Step 7.d through Step 7.f for any other conditions you require inside this set of parentheses. You can also place parentheses within parentheses.
Click Finish.

Removing Conditions for a Rule

You can remove all the conditions for a rule, or you can remove individual conditions.

On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
Use the arrow to display all the rules and select the rule for which you want to remove conditions.
In the task pane, select the currently defined condition.
To remove all conditions, click Remove Condition in the task pane, then click OK to remove the condition.

The rule condition is displayed as Match All.
To remove individual conditions, click Edit Condition in the task pane, click the delete icon against the condition to remove the condition, then click Finish.

Configuring Script Arguments and Entities for a Rule

You can configure script arguments and entities for the scripts assigned to a rule before or after assigning the scripts. You can define only one set of arguments and entities, which applies to all scripts assigned to a rule.

On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
Select the rule for which you want to add script arguments.
In the task pane, click Script Arguments.
Click Add.
In the Name field, specify a name for the argument.
In the Value field, specify a value for the argument.
To add more arguments, repeat Step 5 through Step 7.
When you finish adding arguments, click Finish, or continue with Step 10 to add script entities.
Click the arrow under Add Script Entity to display the list of available entities, then select the type of entity you want.

A drop-down list of entities is displayed in the Script Entities table.
Select the entity you want from the drop-down list.
To add more entities, repeat Step 10 and Step 11.
Click Finish.

Assigning a Script to a Rule

You can use Perl scripts to provide additional, customized functionality to the rules (see Adding a Script). To assign a script to a rule, use drag and drop as described in the following procedure.

NOTE:If you drag and drop a script that has been set to Conditional, the script is added to the rule conditions.

On the home page of the console, click Command Control.
In the Command control pane, click Rules.
Click the arrow to display the list of rules.
In the navigation pane, click the Scripts icon.
Select the script you want to assign to the rule.
Drag and drop the selected script to the rule.
Configure script arguments and entities for the scripts if necessary. For more information, see Configuring Script Arguments and Entities for a Rule.

Removing Script Arguments and Entities

To remove a script argument, select the argument, then click Remove.
To remove a script entity, select the icon next to the name of the entity, then click Remove.

Removing a Script from a Rule

On the home page of the console, click Command Control.
In the navigation pane, click Rules.
Use the arrow to display the list of rules, then select the rule from which you want to remove a script.
In the details pane, select the required script.
Click Remove Script.
Click OK to confirm the removal. The scripts are removed from the rule.

Finding a Rule

On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
In the details pane, click the Find Rule icon to find a rule from the entire list of rules.

or

Select the parent rule, then in the details pane click the Find Rule icon.
In the Rule Filter field, specify the name of the rule you are looking for, then click Find.

You can use wildcard characters “*” and “?”. This field is case sensitive.

NOTE:Some special characters, such as “[“ and “]”, might not work in this field. For example, if you search for first rule [linked rule], you might get an error message. In such case, replace “[“ and “]” with “*” or “?”.
When the name of the rule is displayed, you can modify the rule by using Modify Rule and if you want to view the rule in the Command Control pane, click Goto Rule. Click Close to return to the Command Control pane without a rule selected.

Moving a Rule

On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
Select the rule you want to move.
Press the Alt key then drag and drop the selected rule to the location in the same hierarchy. If you require to move a rule to a child hierarchy then drag and drop the rule to the required location.

Copying a Rule

You can create a copy of an existing rule in the rule hierarchy, so you can use the same rule in more than one place in the hierarchy, or so you can create a new rule based on the existing rule.

NOTE:If you want to use the same rule in more than one place and you want any changes you make to the rule to be reflected in the other copy or copies, you should link the rule instead. See Linking a Rule for details.

On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
Select the rule you want to copy.
To create the copy, press the Ctrl key and drag and drop the selected rule to the desired location
(Optional) Use the Modify Rule option to rename or modify the copy.
Move the rule to the correct position according to the order in which you want to process the rules. See Adding a Rule for details.

Linking a Rule

If you want a specific rule to be used in different places in the hierarchy of rules, you can create a linked rule. Any changes you make to the linked rule are reflected in all the instances of the rule in the hierarchy. If you simply copy the rule, any changes made to the original rule or to one of its copies are not reflected in the other copies.

Changes to sub-rules of a linked rule are not linked. For example if you add or modify a rule under a linked rule, the change is not reflected in other instances of the linked rule.

On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
Select the rule to link.
To create the links, press the Ctrl key and the Shift key at the same time, then drag and drop the selected rule to the location you want.

A linked rule is displayed with an arrow .

Deleting a Rule

On the home page of the console, click Command Control.
In the Command Console pane, click Rules.
Select the rule you want to delete.
In the details pane, click Delete.
Click Delete to delete the rule and all rule children.

Viewing Pseudocode

The pseudocode for a rule provides a simplified representation of the actual code that is processed when the rule is activated. For complex rules, this can assist you with understanding what happens in different situations.

To view the pseudocode for a rule:

On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
Select the rule for which you want to view the pseudocode.
In the details pane, click Pseudocode.

You can copy the pseudocode by using Ctrl+A or Ctrl+C, then paste it into a document for printing.
Click Close.

8.4.2 Command Control Groups

Command Control has three types of groups:

User Groups: Contain users with similar responsibilities. This allows you to use the group as a condition for a rule, which either allows or denies the users the rights to run commands.

Host Groups: Contains hosts with similar content. This allows you to use the group as a condition for a rule that either allows or denies the rights to run the command on a host.

Account Groups: Combine host groups and user groups to be used together in setting rule conditions. Account groups can also contain other account groups. You can also use account groups as script entities.

For example, you could create a Web Account Group, and to this group you could add a user group that contains all the Web server managers and a host group that contains all the host that are Web servers. You could then use the Web Account Group as a condition when creating rules for Web server management.

The following sections explain how to manage these groups:

User Groups

User groups contain users who are allowed, or not allowed, to submit or run commands controlled by the rules that you specify. You can add user groups to the specified rule conditions to control whether the rule is processed, depending on the user who is submitting a command or the user who is specified to run a command. You can also use user groups as script entities.

Command Control has the default user groups, Everyone and Submit User. Do not modify these groups.

Everyone: Use this group to match against any user who has a local account on the hosts where Privileged Account Manager is installed.

Submit User: Use this group to match against the user that submitted the privileged request. This is useful if you want to ensure that a rule only authorizes access to the account that submitted the request. For example when adding a cpcksh login shell, you should add a clause to the rule that ensures that the run user is in the Submit User group. This ensures that a user cannot use the -u option in usrun to gain access to other accounts.

You can search for a specific user in a user group by using suitable regular expressions, strings, or wild cards in the command. For example, the wildcards that you can use in the command could be vi * or /usr/bin/vi *.

To add a regular expression term to the list, prefix the regular expression with =~. For example,

=~/^vi .*$/

=~/^user*/

Command Control also includes a user group that is used for adding or deleting the users in the blocked list.

IMPORTANT:The User Name for Windows user must be provided in capital letters.

Managing the User Groups

The following sections explain how to manage user groups:

Adding a User Group

On the home page of the console, click Command Control.
In the navigation pane, click the Account Groups icon.
Click User Groups.
In the details pane, click Add to add a user group to root level. To add the user group for a category, select the category then click Add.
Specify a name for the user group.
Click Add.

User groups are represented by the group icon.
To configure the user group, continue with Modifying a User Group.

Modifying a User Group

On the home page of the console, click Command Control.
In the navigation pane, click Account Groups, then click User Groups.
In the details pane, select the user group you want to modify, then click the edit icon next to the user group name.
Configure the following fields:

Name: Specify a name for the group.

Disabled: Select this check box to disable the group. A disabled user group is dimmed.

Description: Describe the purpose of this user group.

Manager Name, Manager Tel., Manager Email: Specify the name, telephone number, and e-mail address of the manager of this user group. The manager details can be used in the Compliance Auditor.

If these details have been entered in the manager’s Framework user account details (see Modify User: Account Details), they can be entered automatically by selecting the manager’s username from the drop-down list. This option is only available if you belong to a Framework user group with the read role defined for the auth module (see Configuring Roles).

Users: Add or change the users you want to include in this group. You can type the user names, one on each line, or paste them from elsewhere. You can use the Sort button to sort the list of users into alphabetical order. For Windows users, specify the user name in capital letters.

NOTE:The user names must be provided in capital letters for the LDAP users who are part of the authentication domain.

User Groups: From the list of groups you have already defined, select the user groups you want to include as subgroups of this user group. You can also add subgroups to a user group by dragging and dropping the groups to the target user group in the navigation pane.
Click Modify.

You can now use this user group in rule conditions or as a script entity.

Deleting a User Group

On the home page of the console, click Command Control.
In the navigation pane, click Account Groups, then click User Groups.
In the details pane, select the required user group and click the delete icon next to the user group name.

To delete multiple user groups, click Delete Multiple then select the user groups from the list to delete.
Click Delete to delete the selected user groups.

Host Groups

Host groups contain hosts that are allowed, or not allowed, to submit or run commands that the rules control. You can add host groups to the rule conditions to control whether the rule is processed, depending on the host that is submitting a command or the host specified to run a command. You can also use host groups as script entities.

Command Control has two default host groups. Do not modify these groups.

All Hosts: Use this group to match against any host that have been registered with the Framework. Use the Hosts console to view the hosts that are included has matches for this group.

Submit Host: Use this group to match against the host from which the privileged request was made. This is useful if you want to ensure that a rule only authorizes access to the host from which the privileged request was made. This ensures that a user cannot use the -h option in usrun to gain access to other hosts.

You can search for a specific host in a host group by using suitable regular expressions, strings, or wild cards in the command. For example, the wildcards that you can use in the command could be vi * or /usr/bin/vi *.

To add a regular expression term to the list, prefix the regular expression with =~. For example,

=~/^vi .*$/

=~\w+\.netiq\.com

The following sections explain how to manage host groups:

Adding a Host Group

On the home page of the console, click Command Control.
In the navigation pane, click Account Groups, then click Host Groups.
In the details pane, click Add. To add a host group to a category, select the category and click Add.
Specify a name for the host group.
Click Add.

Host groups are represented by the icon.
To configure the host group, refer Modifying a Host Group.

Modifying a Host Group

On the home page of the console, click Command Control.
In the navigation pane, click Account Groups, then click Host Groups.
In the details pane, select the host group you want to modify, then click the edit icon next to the host group name.
Configure the following fields:

Name: Specify a name for the group.

Disabled: Select this check box to disable the group. A disabled host group is dimmed.

Description: Describe the purpose of this host group.

Hosts: Add or change the hosts you want to include in this group. You can type the host names, one on each line, or paste them from elsewhere. You can use the Sort button to sort the list of hosts into alphabetical order.

Host Groups: From the list of groups you have already defined, select the host groups you want to include as subgroups of this host group. You can also add subgroups to a host group by dragging and dropping the groups to the host group in the navigation pane.
Click Modify. You can use this host group in rule conditions or as a script entity.

Deleting a Host Group

On the home page of the console, click Command Control.
In the navigation pane, click Account Groups, then click Host Groups.
In the details pane, select the host group you want to delete, then click the delete icon next to the host group name.

To select multiple host groups, click Delete Multiple and select the host groups from the list.
Click Delete. The selected host groups are deleted and are also removed from any account group, rule conditions, and script entities in which they have been defined.

Adding an Account Group

To add a new account group:

On the home page of the console, click Command Control.
In the navigation pane, click Account Groups.
In the details pane, click Add. To add an account group to a category, select the category, then click Add.

For information about categories, refer Adding a Category.
Specify a name for the account group.
Click Add.

Account groups are represented by the icon.
To configure the group, continue with Modifying an Account Group.

Modifying an Account Group

On the home page of the console, click Command Control.
In the navigation pane, click Account Groups.
In the details pane, select the account group you want to modify and click the edit icon next to the account group name.
Modify the following fields:

Name: Change the name of the group.

Disabled: To disable the account group, click Disabled. A disabled account group is dimmed.

Description: Add or change the description.

Manager Name, Manager Tel., Manager Email: Specify the name, phone number, and e-mail address of the manager of the users in this account group.

If these details have been entered in the manager’s Framework user account details (see Modify User: Account Details), they can be entered automatically by selecting the manager’s username from the drop-down list. This option is only available if you belong to a Framework user group with the read role defined for the auth module (see Configuring Roles).

The manager details can be used in the Compliance Auditor.

User Groups, Host Groups, Account Groups: From the lists of groups you have already defined, select or remove the user groups, host groups, and account groups. You can also add groups to an account group by dragging and dropping the groups to the target account group in the navigation pane.
Click Modify. You can now use this account group in rule conditions or as a script entity.

Deleting an Account Group

On the home page of the console, click Command Control.
In the navigation pane, click Account Groups.
In the details pane, select the account group that you want to delete and click the delete icon next to the account group name.

To select multiple account groups, click the top level account group and click Delete Multiple.
Click Delete. The selected account groups are deleted and are also removed from any other account groups, rule conditions, and script entities where they have been defined.

Copying a Group

On the home page of the console, click Command Control.
Click the category of the group that you are copying such as Account Groups, Host Groups, or User Groups.
Select the group you want to copy.
To create the copy, press the Ctrl key and drag and drop the selected group to the desired location.

Moving a Group

On the home page of the console, click Command Control.
Click the category of the group you are copying such as Account Groups, Host Groups, or User Groups.
Select the group you want to move.
Drag and drop the selected group to the desired location.

You can also drag and drop account groups, user groups, and host groups into an account group. This does not delete the groups from their original location.

Finding a Group

On the home page of the console, click Accounts Group icon and select Account Groups in the middle pane.
In the details pane click Find.
In the Account Group Filter field type the required group name.

For finding user groups or host groups, click User Groups or Host Groups in the middle pane, then click Find in the details pane.

8.4.3 Commands

Command definitions contain the commands you want to control. A command definition can contain a single command, or several commands that you want to control in the same way. You can also specify a command that you want to run in place of a submitted command.

Finding a Command

On the home page of the console click Command Control.
In the navigation pane, select Commands icon and select Command.
In the details pane, select Find.
In the find filter, type the required name.

As you type, the search displays the results. When you click on the required name, that command gets selected in the middle pane. If you require to modify that command you can modify it from the details pane.

Adding a Command

You can add command definitions to your rule conditions to control whether the rule is processed, depending on the command that is submitted by the user. You can also use commands as script entities.

To add a new command:

On the home page of the console, click Command Control.
In the navigation pane, click Commands.
In the details pane, click Add in the task pane. To add a command to a category, select the category and click Add.
Specify a name for the command. This can be different from the name of the actual command you want to control.
Click Add.
To configure the command, continue with Modifying a Command.

Modifying a Command

On the home page of the console, click Command Control.
In the navigation pane, click Commands.
In the details pane, select the command you want to modify and click on the edit icon next to it.

Configure the following fields:

Name: Specify a different name for the command.

Disabled: Select this check box to disable the command. A disabled command is dimmed.

Description: Describe the purpose of this command.

Rewrite: In the Rewrite field, define a command to be used in place of the commands listed in the Command field. You can also enter command arguments. Positional parameters can be used, as described in Using the Command Rewrite Functionality for Command Arguments. To use the Rewrite field to enable auditing of the command, see Configuring Auditing with the Rewrite Functionality

Commands: Define one or more commands, one on each line. You can also enter command arguments. For example:

vi *
/usr/bin/vi *

To add a regular expression term to the list, prefix the regular expression with =~. For example,

=~/^vi .*$/

=~#/usr/bin/vi .*#

You can copy and paste a list of commands from elsewhere. You can use the Sort button to sort the commands into alphabetical order.

Sub Commands: From the list of command definitions you have already created, select the subcommands you want to include in this command definition. You can also add subcommands to a command definition by dragging and dropping them to the command definition in the navigation pane.

Refer the following table to modify the command fields based on the endpoint access methods:

Methods	Command fields
Unix/Linux
pcksh	Specify values for the fields Rewrite and Commands. For example: Rewrite: /usr/bin/pcksh -o audit 1 Commands: (Specify the commands in separate line) pcksh shell
cpcksh	Specify values for the fields Rewrite and Commands. For example: Rewrite: /usr/bin/pcksh -o audit 1 Commands: -cpcksh
usrun	Specify the commands that require privileged access in the Commands field. For example: Commands: *passwd
Windows
RDP Relay	Specify <rdp>* in the Command field.
Credential Provider	Specify <NPAMCP>* in the Command field.
Direct RDP	Specify <rdpDirect>* in the Command field.
Run as privileged user	Specify the process or files that require privileged access in the Command field. For example, if you want to give privileged access to notepad, you can specify the value in following ways: Command:notepad.exe Command:noted.ee Command:n........ex. You can also provide the absolute path of the application. For example, C:\Windows\System32\notepad.exe. If the absolute path contains space, include the absolute path between quotes. For example, "C:\Program Files (x86)\WinSCP\WinSCP.exe".

Click Finish.

Using the Command Rewrite Functionality for Command Arguments

The following table provides examples showing how the command rewrite functionality provided on the Modify Command page can be used with positional parameters to replace the submitted command and parameters. The examples use the echo command as the rewritten command to display the selected parameters on the screen.

Table 8-1 Command Rewrite Examples

Function	Rewrite	Submitted Command	Executed Command
Insert all arguments ($0 is not displayed)	echo $*	ls passwd shadow fstab	echo passwd shadow fstab
Insert argument ’r;n’	echo $3	ls passwd shadow fstab	echo fstab
Insert all but argument 'n' ($0 is not displayed)	echo ${^2}	ls passwd shadow fstab	echo passwd fstab
Insert arguments from 'n' to end	echo ${2-}	ls passwd shadow fstab	echo shadow fstab
Insert arguments from 0 to 'n'	echo ${-2}	ls passwd shadow fstab	echo ls passwd shadow
Insert arguments from 'm' to 'n'	echo ${1-2}	ls passwd shadow fstab	echo passwd shadow
Insert the total number of arguments	echo $#	ls passwd shadow fstab	echo 3
Insert contents of argument $#	echo ${$#}	ls passwd shadow fstab	echo fstab

Rewrite Example Using ufsdump

In this example, the administrator usually does a backup of the system by using the following command:

    ufsdump -0f /dev/rmt/0 /usr

Assume that new tape drive is installed on the host, and it must be used for the backup. In addition, the administrator must make sure that it is working correctly by using the -v flag to verify the tape.

You can ensure that the administrator doesn’t need to remember the changes by using the Rewrite field to create a command definition for the original command:

    $0 -v $1 /dev/rmt/1 ${$#}

When the administrator enters the original command, the following command runs instead:

    ufsdump -v -0f /dev/rmt/1 /usr

Configuring Auditing with the Rewrite Functionality

To enable auditing of the command, add the following to the Rewrite field:

-o audit <n>

Replace <n> with one of the following values:

0: Disables auditing. It has the same effect as removing the audit setting from the Rewrite field.
1: Enables auditing of all commands that are not built into the user's shell.
2: Enables auditing of all commands, including commands that are built into the user's shell. This level of auditing can affect login times.

Setting the Command Risk

This option allows you to set a value representing the relative risk of a command when using the pcksh or cpcksh clients with the session auditing option (see cpcksh). When you view a Command Control Keystroke Report, the commands with different risk values are represented in different colors.

On the home page of the console, click Command Control.
In the navigation pane, click the Commands icon.
In the details pane, click Command Risk.
Click Add.
Set a value for the command risk. You can specify any value between 0 to 9 where 9 indicates the most risky command.
Specify the command you want to set a risk value for, or the regular expression. You can use wildcard symbols.
If you want to base the risk level on the directory in which the command is running, define a working directory.
If you want to base the risk level on who is running the command, define a user.
If you want to base the risk level on the host where the command is running, define a host.
If you want to disconnect any particular user using a particular command, specify the user in the Submit User field.

Ensure that the user name is typed in capital letters for the following users:
- Windows users for Direct RDP
- LDAP users who are part of the authentication domain
If you want to disconnect the user when the specified command is executed, specify 1 in the Auto Disconnect field.If you want to refrain the user from starting the session again after it was disconnected, specify 1 in the Auto Block field.
If you want to change the order in which the commands are listed, use the arrow buttons.
Click Finish.

Removing a Command Risk

On the home page of the console, click Command Control.
In the navigation pane, click the Commands icon.
In the details pane, click Command Risk.
Select the entry, then click Remove.

Copying a Command

On the home page of the console, click Command Control on the home page of the console.
In the navigation pane, click the Commands icon.
Select the command you want to copy.

To select multiple commands in the same category, press the Ctrl key and select the required commands one at a time, or press the Shift key to select a consecutive list of commands.
To create the copy, press the Ctrl key and drag and drop the selected command to the desired location

Moving a Command

On the home page of the console, click Command Control.
In the navigation pane, click Commands.
Select the command you want to move.
Drag and drop the selected command to the desired location.

Deleting a Command

On the home page of the console, click Command Control.
In the navigation pane, click Commands.
In the details pane, select the command you want to delete and click the delete icon next to it.

To select multiple commands in the same category, click Delete Multiple and select the required commands.
Click Delete. The selected commands are deleted and are also removed from any rule conditions and script entities in which they are defined.

Importing Sample Commands

Privileged Account Manager ships with the following types of sample commands that you can import and use or import and modify to fit your needs:

Shell commands (ksh, sh, csh, bash)
vi commands
System commands (kill, mount, passwd, date, mkdir, useradd, chgrp, chown)
User commands (env, ls, id, cat uname)

To import these sample commands, click Command Control > Import Samples > Sample commands.

8.4.4 Finding a Reference

The Find References option allows you to find where a specific account group, user group, host group, command, script, or access time is referenced in the database. For example, you could use this option to find out which account group or groups a specific user group belongs to.

On the home page of the console, click Command Control.
In the navigation pane, select the required icon and select the entity for which you want to find references.
In the task pane, click the Find References icon. The groups or rules in which the entity is referenced are displayed.
To go to one of the listed groups or rules, click on Goto Rule or Goto <entity>.

To modify the rule or groups from the task pane, click Modify Rule or Modify <entity>

8.4.5 Defining Custom Attributes

Custom attributes can be defined for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in scripts. For example, you could set an expiration date as a custom attribute for a user group, check for this date in the script, then expire the user group when the date is reached.

To define custom attributes:

On the home page of the console, click Command Control.
Select the entity you want to add custom attributes to.
In the task pane, click the Define Custom Attributes icon.
Click Add.
In the Name field, specify the name of the custom attribute. For example, Expiration date.
In the Value field, specify the value for the attribute. For example, the date you want the entity to expire.
Repeat Step 4 through Step 6 for any other custom attributes you want to add.
Click Finish.

8.4.6 Functions

The udsh command invokes commands on a set of hosts. It concurrently issues a Command Control request for each host that is specified and returns the output from all the hosts, formatted so that command results from all hosts can be managed.

Syntax

udsh [-bcdqv] [-t <timeout>] [-l <user>] [-f <num>] [-w <host>, <host wildcard>] [-g <hostgrp>, <hostgrp wildcard>] [cmd ...]

Options

The following options can be specified only on the command line:

Table 8-2 udsh Options

Option	Description
-b	Do not break lines to column width when displaying output.
-c	Do not remove the host from the list if the command fails.
-d	Add a time stamp to the displayed output.
-f <num>	Specify the maximum number of concurrent processes to run.
-g <hostgrp>, <hostgrp wildcard>	Specify the Command Control host groups to retrieve the list of agents to run the command on. Wildcards must be properly escaped. For example to run udsh against all host groups that begin with ho, enter the following: -g ho\*
-l <user>	Specify the user to run the command as.
-q	Quiet. Do not display output.
-t <timeout>	Specify the timeout in seconds for the command to complete on each host.
-v	Verbose output.
-w <host>, <host wildcard>	Specify the agents to run the command on. Wildcards must be properly escaped. For example, to run udsh against all hosts that begin with host1, enter the following: -w host1\*

If a command is not specified, the user is placed at a command prompt. Each entry run from this prompt is run separately on each host. If readline(3) is available, command line editing and history are provided.

Keywords

There are various macros that can be specified in the command to substitute keywords when the command is run on the remote host. For example, the following command uses the ${rhost}$ keyword. It performs a usrun echo command of the remote host name on all agents that have a command control agent deployed:

udsh -w \* /bin/echo '${rhost}$'

Table 8-3 udsh Keywords

Keyword	Description
${uid}$	Calling user’s UID
${gid}$	Calling user’s primary group ID
${gecos}$	Calling user’s gecos
${home}$	Calling user’s home directory
${shell}$	Calling user’s shell
${cwd}$	Calling user’s current working directory
${lhost}$	Local hostname
${rhost}$	Remote hostname
${pid}$	PID of the individual udsh call
${ppid}$	PID of the udsh

8.4.7 Adding a Category

You can use the appropriate Add Category option for account groups, user groups, host groups, commands, scripts, and access times into categories for ease of use and maintenance.

On the home page of the console, click Command Control.
In the navigation pane, click the required icon and select the section to which you want to add a category.

You can also add subcategories to the existing categories.
In the task pane, click Add Category.
Specify a name for the category.
Click Finish.

8.4.8 Deleting a Category

Before deleting a category, you must delete or move the items and subcategories that it contains.

On the home page of the console, click Command Control.
In the navigation pane, select the category that you want to delete.
In the task pane, click Delete Category.

8.4.9 Blocked Users

The Blocked Users list displays all the users who are blocked from accessing any privileged account session. This group includes the list of users who are blocked from accessing any server. The users are either added automatically when you block the session during a manual/ automatic disconnect, or added manually when you block a user by adding the user to the Blocked Users list.

To add a user to the blocked user group refer, Adding Users in Blocked Users Group. If you do not want a particular user in the blocked list then you can delete the user from the list. To delete a user from the group refer, Deleting Users in Blocked User Group.

Adding Users in Blocked Users Group

In the navigation pane of the Command control console click the User Groups icon > Blocked Users.
In the details pane, click Add then specify the user.
IMPORTANT:The User Name must be provided in capital letters for the following type of users:
- Windows users for direct RDP
- LDAP users who are part of the authentication domain.
Click Finish.

Deleting Users in Blocked User Group

In the navigation pane of the Command control console click the User Groups icon > Blocked Users.
In the details pane, select the user that you require to remove from the blocked user list, then click the delete icon.

8.4.10 Scripts

You can use Perl scripts to provide additional, customized functionality to your rules. You can also use scripts in rule conditions. Privileged Account Manager contains the embedded Perl interpreter version 5.8.9. You can use any of the core Perl modules for your script. It is not recommended that you install any CPAN Perl modules into the embedded Perl interpreter. If you create a script, be aware that any time consuming tasks within the script affect response times.

Finding a Script

On the home page of the console click Command Control
In the navigation pane, select Scripts icon and in the details pane select Scripts.
In the details pane, select Find.
In the filter type the required name.

As you type, the search displays the results. When you click on the required name, that script gets selected in the middle pane. If you require to modify that script you can modify it from the details pane.

Adding a Script

You can add your own custom attributes for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in your scripts. See Defining Custom Attributes for details.

To add a new script:

On the home page of the console, click Command Control.
In the navigation pane, click the Scripts icon.
In the details pane, click Add. To add a script to a category, select the category and click Add.
Specify a name for the script.
Click Add.
To configure the script, continue with Modifying a Script.

Modifying a Script

On the home page of the console, click Command Control on the home page of the console.
In the navigation pane, click the Scripts icon.
Select the script you want to modify.
In the details pane, click the edit icon next to the script.
Configure the following fields:

Name: Specify a different name for the script.

Conditional script: Select the check box to set the script to be conditional. Scripts defined as conditional can be used in rule conditions. The return codes are limited to 1 for true and 0 for false.

Disabled: Select the check box to disable the script. A disabled script is dimmed.

Description: Describe the purpose of the script.

Script: Specify the text of your script in the text box by typing it or by pasting it from elsewhere. The possible return codes you can use in your script for processing by the Command Control software are shown below this field.

For some sample scripts, see Sample Scripts.
Click Modify.

You can assign the script to a rule, or you can specify it in rule conditions if you have set the script to be conditional.

Copying a Script

On the home page of the console, click Command Control.
In the navigation pane, click Scripts.
Select the script you want to copy.
To create the copy, press the Ctrl key and drag and drop the selected script to the desired location.
If necessary, use the Modify Script option to rename or modify the copy. For details, see Modifying a Script.

Moving a Script

On the home page of the console, click Command Control.
In the navigation pane, click Scripts.
Select the script you want to move.
Drag and drop the selected script to the desired location.

Deleting a Script

On the home page of the console, click Command Control.
In the navigation pane, click.
Select the script you want to delete.

To delete multiple scripts click Delete Multiple and select the scripts from the list.
Click Delete.

Sample Scripts

Privileged Account Manager ships with the following sample scripts that you can import and use:

Display message scripts
Password validation scripts
Alternate validation scripts
Email scripts
Modify environment script
Emulate su script
Secure vi script

Before creating your own Perl script, check out the sample scripts to see if one is available that meets your needs or one that can be modified to meet your needs. To understand what is available, see the sample scripts in the following sections.

To import a sample script, click Command Control > Import Samples > Sample Perl Script.

Modify Environment Script

This script is used to process environment variables. It has a number of script arguments that can add, delete, clear, and keep environment variables.

Argument	Description
clearenv=1:	Clears all environment variables (unless specifically kept using keepenv)
keepenv=VAR:	Specifically keeps environment variables. As soon as this is set, all other environment variables are deleted.
setenv=VAR=val:	Sets up a specific environment variable.
unsetenv=VAR:	Deletes a specific environment variable.
defaultenv=#:	Sets the default environment: 0: Sets up no default environment variables. 1: Sets up all default environment variables. 2: Sets up default environment variables that do not already exist in the environment.

Sample Environment Script

my $e=$meta->child("Environment");
return(1) if(! $e);
 
my $n=$e->node_args();
my %env=();
 
while($n) {
    $env{$1}=$2 if($n->key() ne "items" && $n->value() =~ /^(.*)=(.*)$/);
    $n=$n->next();
}
 
my %keepenv=();
my $clearenv=0;
 
for(my $a=$args->node_args();$a;$a=$a->next()) {
    if($a->key() eq "clearenv" && $a->value() > 0) {
        $clearenv=1;
    } elsif($a->key() eq "keepenv" && $a->value() ne "") {
        $keepenv{$a->value()}=1;
    } elsif($a->key() eq "defaultenv" && $a->value >= 0) {
        $meta->child("Job")->arg_int("job_default_env",$a->value());
    }        
}    
 
if(scalar %keepenv || $clearenv) {
    while(my ($key,$val) = each %env) {
        delete $env{$key} if(! $keepenv{$key});
    }        
}
        
for(my $a=$args->node_args();$a;$a=$a->next()) {
    if($a->key() eq "unsetenv" && $a->value() ne "") {
        delete $env{$a->value()};
    } elsif($a->key() eq "setenv" && $a->value() =~ /^(.*)\s*=\s*(.*)$/) {
        $env{$1}=$2;
    }            
} 
 
$meta->del($e);
$e=$meta->add_node("Environment");
 
my $items=0;
 
while(my ($key,$val) = each(%env)) {
    $e->arg("arg-$items","$key=$val");
    $items++;
}    
 
$e->arg_int("items","$items");
 
return(1);

pcksh Illegal Commands Script

When using the pcksh shell, Command Control has the ability to restrict the commands being run (even as root). This sample script is named illegalcmd, and it restricts the use of the passwd command.

This script does not restrict a user that initiates another shell from within a session. When a user does this, Command Control cannot continue a full audit or control the illegal commands, although the session is still captured

#to set script argument - name=illegalcmd value= kill *
my $t=$meta->get_params('Ticket');
if(! $t) {
$t=$meta->add_param('Ticket');
}

my $i=$t->get_params('IllegalCmds');
if(! $i) {
$i=$t->add_param('IllegalCmds');
}

my @illegal = $args->arg_values('illegalcmd');

#my @illegal=("echo","ls -l","passwd","/usr/bin/ls -l","ksh","echo date");
foreach my $b (@illegal) {
my $c=$i->add_param('Command');
$c->arg("cmd",$b);
}
return 1;

8.4.11 Access Times

You can restrict the times when a rule is valid by defining an access time and adding it to the rule conditions. You can also use access times as script entities.

Finding an Access Time

On the home page of the console click Command Control
In the navigation pane, select Access Times icon and in the details pane select Access Time.
In the details pane, select Find.
In the filter type the required name.

As you type, the search displays the results. When you click on the required access time, that gets selected in the middle pane. In the details pane, click modify to modify the access time.

Adding an Access Time

On the home page of the console, click Command Control.
In the navigation pane, click the Access Times icon.
In the details pane, click Add. To add an access time to a category, select the category and click Add.
Specify a name for the access time, for example, Office hours.
Click Add.
To configure the access time, continue with Modifying an Access Time.

Modifying an Access Time

On the home page of the console, click Command Control.
In the navigation pane, click Access Times.
In the details pane, select the access time you want to modify and click the edit icon next to it.
Modify the access time as required:
- Change the name of the access time.
- Specify a description of the access time.
- Click Disabled to disable the access time. A disabled access time is dimmed.
- Set the access time as described in Step 5.
Set the access time in multiples of half-hourly intervals. The default access time is set to Deny Access for the whole week, shown in the calendar as blue.
- To allow access at specific times, drag and drop across the days and times until the hours when you want to grant access are shown in green,
- To allow access for the majority of times and deny access for specific times, click the Grant Access box below the table to grant access for the whole week, then click and drag across the days and times until the hours when you want to deny access are shown in blue.
For example, to allow access only during the hours from 9:00 to 18:00 from Monday to Friday:
1. Ensure that the whole week is set to Deny Access (blue).
2. Click in the calendar on 9 on Monday morning, then drag and drop to 18 and down to Friday. This creates a green block representing the times when access is allowed.
Click Finish. You can now use this access time in rule conditions or as a script entity.

Copying an Access Time

On the home page of the console, click Command Control.
In the navigation pane, click Access Times.
Select the access time you want to copy.
To create the copy, press the Ctrl key and drag the selected access time and drop it to the desired location.
If necessary, rename or modify the copy by using the Modify Access Time option, as described in Modifying an Access Time.

Moving an Access Time

On the home page of the console, click Command Control.
In the navigation pane, click Access Times in the navigation pane.
Select the access time you want to move.
Drag and drop the selected access time to the desired location.

Deleting an Access Time

On the home page of the console, click Command Control.
In the navigation pane, click Access Times.
In the details pane, select the access time you want to delete and click the delete icon next to the access time.

To delete multiple access times in the same category, click Delete Multiple and select the access times.
Click Delete.

The access time is deleted, and is also removed from any rule conditions and script entities in which it is defined.

8.4.12 Command Control Reports

You can configure customized reports of the contents of the Command Control configuration database, which are dynamically created and e-mailed to the specified person at defined intervals. You can use Perl template scripting to extract the required information and format it into an e-mail for the target person. An option is available for sending your reports to the Compliance Auditor for escalation management.

To use this feature, you must provide details of your e-mail server to the Messaging Component (msgagnt) so that reports can be e-mailed. See Configuring SMTP Settings for the Messaging Component Package for details.

Finding a Report

On the home page of the console click Command Control
In the navigation pane, select Reports icon and in the details pane select Reports.
In the details pane, select Find.
In the filter type the required name.

As you type, the search displays the results. When you click on the required name, that report gets selected in the middle pane. If you require to modify that report you can modify it from the details pane.

Adding a Command Control Report

On the home page of the console, click Command Control.
In the navigation pane, click Reports.
In the details pane, click Add.

To add a report to a category, select the category and click Add.
Specify a name for the report.
Click Add.
To configure the report, continue with Modifying a Command Control Report.

Modifying a Command Control Report

On the home page of the console, click Command Control.
In the navigation pane, click the Reports icon and click Report.
In the details pane, select the report you want to modify and click the edit icon next to it.
Modify the report as required:
- Change the name of the report.
- Click Disabled to disable the report. A disabled report is dimmed.
- Set the Run Report settings to determine the time of the first report and subsequent frequency of each report. You can set the initial date by using the calendar and type in the time, then set the frequency as required.
Select the e-mail options you want:
1. In the Email To field, specify the e-mail address of the person you want to send the report to.
2. In the Email From field, specify the e-mail address of the person you want to send the report from.
3. In the Email Subject field, specify a subject for the e-mail.
4. If you want the e-mail to be displayed in HTML, select the HTML check box.
5. If you require a receipt, select the Receipt check box.
6. Enter a Perl script in the Report Template field to control how the e-mail will be formatted and what it will contain.
7. If you want the report to be available for auditing through Compliance Auditor, select the Audit check box.
If you want to send an e-mail while testing this report, select the Send email check box.
(Optional) Click Test Report to view the report that will be sent to the defined e-mail address. If there are errors in the Report Template, those are displayed.
Click Back to return to the report configuration page.
Click Finish.

Copying a Command Control Report

On the home page of the console, click Command Control.
In the navigation pane, click Reports.
Select the report you want to copy.
To create the copy, press the Ctrl key and drag and drop the selected report to the desired location.
If necessary, use the Modify Report option to rename or modify the copy, as explained in Modifying a Command Control Report.

Moving a Command Control Report

On the home page of the console, click Command Control.
In the navigation pane, click Reports.
Select the report you want to move.
Drag and drop the selected report to the desired location.

Deleting a Command Control Report

On the home page of the console, click Command Control on the home page of the console.
In the navigation pane, click the Reports icon and click Report.
In the details pane, select the report you want to delete and click the delete icon next to the report.

To select multiple reports in the same category, click Delete Multiple and select the reports.
Click Delete.