Command definitions contain the commands you want to control. A command definition can contain a single command, or several commands that you want to control in the same way. You can also specify a command that you want to run in place of a submitted command.
On the home page of the console, click Command Control.
In the navigation pane, select the Commands icon and select Command.
In the details pane, select Find.
In the find filter, type the required name.
As you type, the search displays the results. When you click the required name, that command is selected in the middle pane. If you need to modify that command, you can do so from the details pane.
You can add command definitions to your rule conditions to control whether the rule is processed, depending on the command that is submitted by the user. You can also use commands as script entities.
To add a new command:
On the home page of the console, click Command Control.
In the navigation pane, click Commands.
In the details pane, click Add in the task pane. To add a command to a category, select the category and click Add.
Specify a name for the command. This can be different from the name of the actual command you want to control.
Click Add.
To configure the command, continue with Modifying a Command.
On the home page of the console, click Command Control.
In the navigation pane, click Commands.
In the details pane, select the command you want to modify and click the edit icon next to it.
Configure the following fields:
Name: Specify a different name for the command.
Disabled: Select this check box to disable the command. A disabled command is dimmed.
Description: Describe the purpose of this command.
Rewrite: In the Rewrite field, define a command to be used in place of the commands listed in the Commands field. You can also enter command arguments. Positional parameters can be used, as described in Using the Command Rewrite Functionality for Command Arguments. To use the Rewrite field to enable auditing of the command, see Configuring Auditing with the Rewrite Functionality.
Commands: Define one or more commands, one on each line. You can also enter command arguments. For example:
    vi *
    /usr/bin/vi *
To add a regular expression term to the list, prefix the regular expression with =~. For example:
    =~/^vi .*$/
    =~#/usr/bin/vi .*#
You can copy and paste a list of commands from elsewhere. You can use the Sort button to sort the commands into alphabetical order.
Sub Commands: From the list of command definitions you have already created, select the subcommands you want to include in this command definition. You can also add subcommands to a command definition by dragging and dropping them to the command definition in the navigation pane.
Refer to the following table to set the command fields according to the endpoint access method:
| Platform | Method | Command fields |
|---|---|---|
| Unix/Linux | pcksh | Specify values for the Rewrite and Commands fields. For example, Rewrite: `/usr/bin/pcksh -o audit 1`; Commands (one per line): `pcksh` and `shell`. |
| Unix/Linux | cpcksh | Specify values for the Rewrite and Commands fields. For example, Rewrite: `/usr/bin/pcksh -o audit 1`; Commands: `-cpcksh`. |
| Unix/Linux | usrun | Specify the commands that require privileged access in the Commands field. For example, Commands: `*passwd`. |
| Windows | RDP Relay | Specify `<rdp>*` in the Command field. |
| Windows | Credential Provider | Specify `<NPAMCP>*` in the Command field. |
| Windows | Direct RDP | Specify `<rdpDirect>*` in the Command field. |
| Windows | Run as privileged user | Specify the processes or files that require privileged access in the Command field. For example, to give privileged access to Notepad, you can specify the value in any of the following ways: `*notepad.exe*`, `*note*d.e*e*`, `*n........ex.*`. You can also provide the absolute path of the application, for example `C:\Windows\System32\notepad.exe`. If the absolute path contains a space, enclose it in quotes, for example `"C:\Program Files (x86)\WinSCP\WinSCP.exe"`. |
Click Finish.
The following table provides examples showing how the command rewrite functionality provided on the Modify Command page can be used with positional parameters to replace the submitted command and parameters. The examples use the echo command as the rewritten command to display the selected parameters on the screen.
Table 6-1 Command Rewrite Examples

| Function | Rewrite | Submitted Command | Executed Command |
|---|---|---|---|
| Insert all arguments ($0 is not displayed) | echo $* | ls passwd shadow fstab | echo passwd shadow fstab |
| Insert argument 'n' | echo $3 | ls passwd shadow fstab | echo fstab |
| Insert all but argument 'n' ($0 is not displayed) | echo ${^2} | ls passwd shadow fstab | echo passwd fstab |
| Insert arguments from 'n' to end | echo ${2-} | ls passwd shadow fstab | echo shadow fstab |
| Insert arguments from 0 to 'n' | echo ${-2} | ls passwd shadow fstab | echo ls passwd shadow |
| Insert arguments from 'm' to 'n' | echo ${1-2} | ls passwd shadow fstab | echo passwd shadow |
| Insert the total number of arguments | echo $# | ls passwd shadow fstab | echo 3 |
| Insert contents of argument $# | echo ${$#} | ls passwd shadow fstab | echo fstab |
In this example, the administrator usually does a backup of the system by using the following command:
ufsdump -0f /dev/rmt/0 /usr
Assume that a new tape drive is installed on the host and must be used for the backup. In addition, the administrator must make sure that it is working correctly by using the -v flag to verify the tape.
You can ensure that the administrator doesn’t need to remember the changes by using the Rewrite field to create a command definition for the original command:
$0 -v $1 /dev/rmt/1 ${$#}
When the administrator enters the original command, the following command runs instead:
ufsdump -v -0f /dev/rmt/1 /usr
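The following Python models two things this section describes: the Commands field (wildcard terms, and =~ regular-expression terms whose delimiter is the character after =~) and the positional-parameter expansion of the Rewrite field, run over the table's echo examples and the ufsdump case. It is an added example, not code from Privileged Account Manager or this guide; because the product does not state how it tokenizes arguments or matches "*", the example assumes shell-style splitting and shell-style wildcards.

```python
import fnmatch
import re
import shlex

# Constructed command definition, as typed into the Commands field, one term
# per line. Lines starting with "=~" are regular-expression terms; the
# character right after "=~" is the delimiter. Plain lines are treated as
# shell-style wildcard terms (an assumption of this example).
COMMANDS_FIELD = """
vi *
/usr/bin/vi *
=~/^vi .*$/
=~#/usr/bin/vi .*#
"""


def parse_command_terms(field):
    """Split a Commands field into ("glob", pattern) and ("regex", compiled) terms."""
    terms = []
    for raw in field.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=~"):
            body = line[2:]
            # The delimiter is the first character and must also close the expression.
            if len(body) < 2 or body[0] != body[-1]:
                raise ValueError(f"malformed regular-expression term: {line!r}")
            terms.append(("regex", re.compile(body[1:-1])))
        else:
            terms.append(("glob", line))
    return terms


def command_matches(field, submitted):
    """True if the submitted command line matches any term of the definition."""
    for kind, pattern in parse_command_terms(field):
        if kind == "regex" and pattern.search(submitted):
            return True
        if kind == "glob" and fnmatch.fnmatchcase(submitted, pattern):
            return True
    return False


# Positional-parameter tokens of the Rewrite field:
#   $*  $#  $n  ${n}  ${^n}  ${n-}  ${-n}  ${m-n}  ${$#}
_TOKEN = re.compile(r"\$(\*|#|\d+|\{([^}]*)\})")


def expand_rewrite(template, submitted):
    """Expand a Rewrite template against the submitted command and its arguments."""
    argv = shlex.split(submitted)  # argv[0] is $0; shell-style splitting is assumed
    count = len(argv) - 1          # value of $#

    def arg(i):
        return argv[i] if 0 <= i < len(argv) else ""

    def brace(body):
        body = body.replace("$#", str(count))  # ${$#} becomes ${<count>}
        if body.startswith("^"):               # ${^n}: every argument except n
            skip = int(body[1:])
            return " ".join(a for i, a in enumerate(argv) if i >= 1 and i != skip)
        if "-" in body:                        # ${m-n}, ${m-}, ${-n}: inclusive ranges
            lo, hi = body.split("-", 1)
            lo_i = int(lo) if lo else 0
            hi_i = int(hi) if hi else count
            return " ".join(argv[lo_i:hi_i + 1])
        return arg(int(body))                  # ${n}

    def replace(match):
        token = match.group(1)
        if token == "*":
            return " ".join(argv[1:])          # all arguments, $0 not included
        if token == "#":
            return str(count)
        if token.startswith("{"):
            return brace(match.group(2))
        return arg(int(token))                 # $n

    return _TOKEN.sub(replace, template)


def apply_definition(field, rewrite, submitted):
    """Return the command that would run, or None if the definition does not match."""
    if not command_matches(field, submitted):
        return None
    return expand_rewrite(rewrite, submitted) if rewrite.strip() else submitted


if __name__ == "__main__":
    # The ufsdump case from the text: the new drive and -v flag are substituted transparently.
    print(expand_rewrite("$0 -v $1 /dev/rmt/1 ${$#}", "ufsdump -0f /dev/rmt/0 /usr"))
```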
To enable auditing of the command, add the following to the Rewrite field:
-o audit <n>
Replace <n> with one of the following values:
0: Disables auditing. It has the same effect as removing the audit setting from the Rewrite field.
1: Enables auditing of all commands that are not built into the user's shell.
2: Enables auditing of all commands, including commands that are built into the user's shell. This level of auditing can affect login times.
This option allows you to set a value representing the relative risk of a command in pcksh or cpcksh sessions, RDP sessions, and DB monitoring sessions that have the session auditing option enabled (see cpcksh). When you view a Command Control Keystroke Report, commands with different risk values are shown in different colors.
On the home page of the console, click Command Control.
In the navigation pane, click the Commands icon.
In the details pane, click Command Risk.
Click Add.
Set a value for the command risk. You can specify any value from 0 to 9, where:
0 indicates no risk
1 – 3 indicate low risk
4 – 6 indicate medium risk
7 – 9 indicate high risk
Specify the command you want to set a risk value for, or the regular expression. You can use wildcard symbols.
If you want to base the risk level on the directory in which the command is running, define a working directory.
If you want to base the risk level on who is running the command, define a user.
If you want to base the risk level on the host where the command is running, define a host.
If you want to disconnect any particular user using a particular command, specify the user in the Submit User field.
Ensure that the user name is typed in capital letters for the following users:
Windows users for Direct RDP
LDAP users who are part of the authentication domain
If you want to disconnect the user when the specified command is executed, specify 1 in the Auto Disconnect field. If you want to prevent the user from starting a session again after being disconnected, specify 1 in the Auto Block field.
If you want to change the order in which the commands are listed, use the arrow buttons.
Click Finish.
On the home page of the console, click Command Control.
In the navigation pane, click the Commands icon.
In the details pane, click Command Risk.
Select the entry, then click Remove.
On the home page of the console, click Command Control.
In the navigation pane, click the Commands icon.
Select the command you want to copy.
To select multiple commands in the same category, press the Ctrl key and select the required commands one at a time, or press the Shift key to select a consecutive list of commands.
To create the copy, press the Ctrl key and drag and drop the selected command to the desired location.
On the home page of the console, click Command Control.
In the navigation pane, click Commands.
Select the command you want to move.
Drag and drop the selected command to the desired location.
On the home page of the console, click Command Control.
In the navigation pane, click Commands.
In the details pane, select the command you want to delete and click the delete icon next to it.
To select multiple commands in the same category, click Delete Multiple and select the required commands.
Click Delete. The selected commands are deleted and are also removed from any rule conditions and script entities in which they are defined.
Privileged Account Manager ships with the following types of sample commands that you can import and use or import and modify to fit your needs:
Shell commands (ksh, sh, csh, bash)
vi commands
System commands (kill, mount, passwd, date, mkdir, useradd, chgrp, chown)
User commands (env, ls, id, cat, uname)
To import these sample commands, click Command Control > Import Samples > Sample commands.
The Find References option allows you to find where a specific account group, user group, host group, command, script, or access time is referenced in the database. For example, you could use this option to find out which account group or groups a specific user group belongs to.
On the home page of the console, click Command Control.
In the navigation pane, select the required icon and select the entity for which you want to find references.
In the task pane, click the Find References icon. The groups or rules in which the entity is referenced are displayed.
To go to one of the listed groups or rules, click Goto Rule or Goto <entity>.
To modify the rule or group from the task pane, click Modify Rule or Modify <entity>.
Custom attributes can be defined for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in scripts. For example, you could set an expiration date as a custom attribute for a user group, check for this date in the script, then expire the user group when the date is reached.
To define custom attributes:
On the home page of the console, click Command Control.
Select the entity you want to add custom attributes to.
In the task pane, click the Define Custom Attributes icon.
Click Add.
In the Name field, specify the name of the custom attribute. For example, Expiration date.
In the Value field, specify the value for the attribute. For example, the date you want the entity to expire.
Repeat Step 4 through Step 6 for any other custom attributes you want to add.
Click Finish.
The udsh command invokes commands on a set of hosts. It concurrently issues a Command Control request for each host that is specified and returns the output from all the hosts, formatted so that command results from all hosts can be managed.
udsh [-bcdqv] [-t <timeout>] [-l <user>] [-f <num>] [-w <host>, <host wildcard>] [-g <hostgrp>, <hostgrp wildcard>] [cmd ...]
The following options can be specified only on the command line:
Table 6-2 udsh Options

| Option | Description |
|---|---|
| -b | Do not break lines to column width when displaying output. |
| -c | Do not remove the host from the list if the command fails. |
| -d | Add a time stamp to the displayed output. |
| -f <num> | Specify the maximum number of concurrent processes to run. |
| -g <hostgrp>, <hostgrp wildcard> | Specify the Command Control host groups from which to retrieve the list of agents to run the command on. Wildcards must be properly escaped. For example, to run udsh against all host groups that begin with ho, enter: -g ho\* |
| -l <user> | Specify the user to run the command as. |
| -q | Quiet. Do not display output. |
| -t <timeout> | Specify the timeout in seconds for the command to complete on each host. |
| -v | Verbose output. |
| -w <host>, <host wildcard> | Specify the agents to run the command on. Wildcards must be properly escaped. For example, to run udsh against all hosts that begin with host1, enter: -w host1\* |
If a command is not specified, the user is placed at a command prompt. Each entry run from this prompt is run separately on each host. If readline(3) is available, command line editing and history are provided.
There are various macros that can be specified in the command to substitute keywords when the command is run on the remote host. For example, the following command uses the ${rhost}$ keyword. It performs a usrun echo command of the remote host name on all agents that have a command control agent deployed:
udsh -w \* /bin/echo '${rhost}$'
Table 6-3 udsh Keywords

| Keyword | Description |
|---|---|
| ${uid}$ | Calling user's UID |
| ${gid}$ | Calling user's primary group ID |
| ${gecos}$ | Calling user's gecos |
| ${home}$ | Calling user's home directory |
| ${shell}$ | Calling user's shell |
| ${cwd}$ | Calling user's current working directory |
| ${lhost}$ | Local hostname |
| ${rhost}$ | Remote hostname |
| ${pid}$ | PID of the individual udsh call |
| ${ppid}$ | PID of the udsh |
You can use the appropriate Add Category option to organize account groups, user groups, host groups, commands, scripts, and access times into categories for ease of use and maintenance.
On the home page of the console, click Command Control.
In the navigation pane, click the required icon and select the section to which you want to add a category.
You can also add subcategories to the existing categories.
In the task pane, click Add Category.
Specify a name for the category.
Click Finish.
Before deleting a category, you must delete or move the items and subcategories that it contains.
On the home page of the console, click Command Control.
In the navigation pane, select the category that you want to delete.
In the task pane, click Delete Category.
The Blocked Users list displays all the users who are blocked from accessing any privileged account session. This group includes the users who are blocked from accessing any server. Users are added either automatically, when you block the session during a manual or automatic disconnect, or manually, when you add the user to the Blocked Users list.
To add a user to the Blocked Users group, see Adding Users in Blocked Users Group. If you do not want a particular user in the blocked list, you can delete the user from the list. To delete a user from the group, see Deleting Users in Blocked User Group.
In the navigation pane of the Command Control console, click the User Groups icon > Blocked Users.
In the details pane, click Add then specify the user.
IMPORTANT: The User Name must be provided in capital letters for the following types of users:
Windows users for direct RDP
LDAP users who are part of the authentication domain.
Click Finish.
In the navigation pane of the Command Control console, click the User Groups icon > Blocked Users.
In the details pane, select the user you want to remove from the blocked user list, then click the delete icon.
You can use Perl scripts to provide additional, customized functionality to your rules. You can also use scripts in rule conditions. Privileged Account Manager contains the embedded Perl interpreter version 5.8.9. You can use any of the core Perl modules in your script. It is not recommended that you install any CPAN Perl modules into the embedded Perl interpreter. If you create a script, be aware that any time-consuming tasks within the script affect response times.
On the home page of the console, click Command Control.
In the navigation pane, select the Scripts icon and, in the details pane, select Scripts.
In the details pane, select Find.
In the filter, type the required name.
As you type, the search displays the results. When you click the required name, that script is selected in the middle pane. If you need to modify that script, you can do so from the details pane.
You can add your own custom attributes for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in your scripts. See Defining Custom Attributes for details.
To add a new script:
On the home page of the console, click Command Control.
In the navigation pane, click the Scripts icon.
In the details pane, click Add. To add a script to a category, select the category and click Add.
Specify a name for the script.
Click Add.
To configure the script, continue with Modifying a Script.
On the home page of the console, click Command Control.
In the navigation pane, click the Scripts icon.
Select the script you want to modify.
In the details pane, click the edit icon next to the script.
Configure the following fields:
Name: Specify a different name for the script.
Conditional script: Select the check box to set the script to be conditional. Scripts defined as conditional can be used in rule conditions. The return codes are limited to 1 for true and 0 for false.
Disabled: Select the check box to disable the script. A disabled script is dimmed.
Description: Describe the purpose of the script.
Script: Specify the text of your script in the text box by typing it or by pasting it from elsewhere. The possible return codes you can use in your script for processing by the Command Control software are shown below this field.
For some sample scripts, see Sample Scripts.
Click Modify.
You can assign the script to a rule, or you can specify it in rule conditions if you have set the script to be conditional.
On the home page of the console, click Command Control.
In the navigation pane, click Scripts.
Select the script you want to copy.
To create the copy, press the Ctrl key and drag and drop the selected script to the desired location.
If necessary, use the Modify Script option to rename or modify the copy. For details, see Modifying a Script.
On the home page of the console, click Command Control.
In the navigation pane, click Scripts.
Select the script you want to move.
Drag and drop the selected script to the desired location.
On the home page of the console, click Command Control.
In the navigation pane, click Scripts.
Select the script you want to delete.
To delete multiple scripts, click Delete Multiple and select the scripts from the list.
Click Delete.
Privileged Account Manager ships with the following sample scripts that you can import and use:
Display message scripts
Password validation scripts
Alternate validation scripts
Email scripts
Modify environment script
Emulate su script
Secure vi script
Before creating your own Perl script, check out the sample scripts to see if one is available that meets your needs or one that can be modified to meet your needs. To understand what is available, see the sample scripts in the following sections.
To import a sample script, click Command Control > Import Samples > Sample Perl Script.
This script is used to process environment variables. It has a number of script arguments that can add, delete, clear, and keep environment variables.
| Argument | Description |
|---|---|
| clearenv=1 | Clears all environment variables (unless specifically kept using keepenv). |
| keepenv=VAR | Specifically keeps an environment variable. As soon as this is set, all other environment variables are deleted. |
| setenv=VAR=val | Sets a specific environment variable. |
| unsetenv=VAR | Deletes a specific environment variable. |
| defaultenv=# | Sets the default environment: 0 sets up no default environment variables; 1 sets up all default environment variables; 2 sets up the default environment variables that do not already exist in the environment. |
    # Read the current variables from the Environment node into %env.
    my $e=$meta->child("Environment");
    return(1) if(! $e);
    my $n=$e->node_args();
    my %env=();
    while($n) {
        $env{$1}=$2 if($n->key() ne "items" && $n->value() =~ /^(.*)=(.*)$/);
        $n=$n->next();
    }
    # First pass over the script arguments: collect clearenv, keepenv and defaultenv.
    my %keepenv=();
    my $clearenv=0;
    for(my $a=$args->node_args();$a;$a=$a->next()) {
        if($a->key() eq "clearenv" && $a->value() > 0) {
            $clearenv=1;
        } elsif($a->key() eq "keepenv" && $a->value() ne "") {
            $keepenv{$a->value()}=1;
        } elsif($a->key() eq "defaultenv" && $a->value() >= 0) {
            $meta->child("Job")->arg_int("job_default_env",$a->value());
        }
    }
    # If clearenv is set or any keepenv was given, drop every variable not explicitly kept.
    if(scalar %keepenv || $clearenv) {
        while(my ($key,$val) = each %env) {
            delete $env{$key} if(! $keepenv{$key});
        }
    }
    # Second pass: apply unsetenv and setenv after the clear/keep processing.
    for(my $a=$args->node_args();$a;$a=$a->next()) {
        if($a->key() eq "unsetenv" && $a->value() ne "") {
            delete $env{$a->value()};
        } elsif($a->key() eq "setenv" && $a->value() =~ /^(.*)\s*=\s*(.*)$/) {
            $env{$1}=$2;
        }
    }
    # Replace the Environment node with the modified variable list.
    $meta->del($e);
    $e=$meta->add_node("Environment");
    my $items=0;
    while(my ($key,$val) = each(%env)) {
        $e->arg("arg-$items","$key=$val");
        $items++;
    }
    $e->arg_int("items","$items");
    return(1);
When using the pcksh shell, Command Control has the ability to restrict the commands being run (even as root). This sample script is named illegalcmd, and it restricts the use of the passwd command.
This script does not restrict a user who starts another shell from within a session. When a user does this, Command Control can no longer provide a full audit or control the illegal commands, although the session is still captured.
    # Script argument to set: name=illegalcmd, value=kill * (one value per command to restrict)
    my $t=$meta->get_params('Ticket');
    if(! $t) {
        $t=$meta->add_param('Ticket');
    }
    # The IllegalCmds parameter under Ticket lists the commands pcksh must refuse.
    my $i=$t->get_params('IllegalCmds');
    if(! $i) {
        $i=$t->add_param('IllegalCmds');
    }
    # Take the restricted commands from the illegalcmd script arguments.
    my @illegal = $args->arg_values('illegalcmd');
    # Hard-coded alternative to the script arguments:
    #my @illegal=("echo","ls -l","passwd","/usr/bin/ls -l","ksh","echo date");
    foreach my $b (@illegal) {
        my $c=$i->add_param('Command');
        $c->arg("cmd",$b);
    }
    return 1;
You can restrict the times when a rule is valid by defining an access time and adding it to the rule conditions. You can also use access times as script entities.
On the home page of the console, click Command Control.
In the navigation pane, select the Access Times icon and, in the details pane, select Access Time.
In the details pane, select Find.
In the filter, type the required name.
As you type, the search displays the results. When you click the required access time, it is selected in the middle pane. In the details pane, click Modify to modify the access time.
On the home page of the console, click Command Control.
In the navigation pane, click the Access Times icon.
In the details pane, click Add. To add an access time to a category, select the category and click Add.
Specify a name for the access time, for example, Office hours.
Click Add.
To configure the access time, continue with Modifying an Access Time.
On the home page of the console, click Command Control.
In the navigation pane, click Access Times.
In the details pane, select the access time you want to modify and click the edit icon next to it.
Modify the access time as required:
Change the name of the access time.
Specify a description of the access time.
Click Disabled to disable the access time. A disabled access time is dimmed.
Set the access time as described in Step 5.
Set the access time in multiples of half-hourly intervals. The default access time is set to Deny Access for the whole week, shown in the calendar as blue.
To allow access at specific times, drag and drop across the days and times until the hours when you want to grant access are shown in green.
To allow access for the majority of times and deny access for specific times, click the Grant Access box below the table to grant access for the whole week, then click and drag across the days and times until the hours when you want to deny access are shown in blue.
For example, to allow access only during the hours from 9:00 to 18:00 from Monday to Friday:
Ensure that the whole week is set to Deny Access (blue).
Click in the calendar on 9 on Monday morning, then drag and drop to 18 and down to Friday. This creates a green block representing the times when access is allowed.
Click Finish. You can now use this access time in rule conditions or as a script entity.
On the home page of the console, click Command Control.
In the navigation pane, click Access Times.
Select the access time you want to copy.
To create the copy, press the Ctrl key and drag the selected access time and drop it to the desired location.
If necessary, rename or modify the copy by using the Modify Access Time option, as described in Modifying an Access Time.
On the home page of the console, click Command Control.
In the navigation pane, click Access Times.
Select the access time you want to move.
Drag and drop the selected access time to the desired location.
On the home page of the console, click Command Control.
In the navigation pane, click Access Times.
In the details pane, select the access time you want to delete and click the delete icon next to the access time.
To delete multiple access times in the same category, click Delete Multiple and select the access times.
Click Delete.
The access time is deleted, and is also removed from any rule conditions and script entities in which it is defined.
You can configure customized reports of the contents of the Command Control configuration database, which are dynamically created and e-mailed to the specified person at defined intervals. You can use Perl template scripting to extract the required information and format it into an e-mail for the target person. An option is available for sending your reports to the Compliance Auditor for escalation management.
To use this feature, you must provide details of your e-mail server to the Messaging Component (msgagnt) so that reports can be e-mailed. See Configuring SMTP Settings for the Messaging Component Package for details.
On the home page of the console, click Command Control.
In the navigation pane, select the Reports icon and, in the details pane, select Reports.
In the details pane, select Find.
In the filter, type the required name.
As you type, the search displays the results. When you click the required name, that report is selected in the middle pane. If you need to modify that report, you can do so from the details pane.
On the home page of the console, click Command Control.
In the navigation pane, click Reports.
In the details pane, click Add.
To add a report to a category, select the category and click Add.
Specify a name for the report.
Click Add.
To configure the report, continue with Modifying a Command Control Report.
On the home page of the console, click Command Control.
In the navigation pane, click the Reports icon and click Report.
In the details pane, select the report you want to modify and click the edit icon next to it.
Modify the report as required:
Change the name of the report.
Click Disabled to disable the report. A disabled report is dimmed.
Set the Run Report settings to determine the time of the first report and the frequency of subsequent reports. You can set the initial date by using the calendar and typing the time, then set the frequency as required.
Select the e-mail options you want:
In the Email To field, specify the e-mail address of the person you want to send the report to.
In the Email From field, specify the e-mail address of the person you want to send the report from.
In the Email Subject field, specify a subject for the e-mail.
If you want the e-mail to be displayed in HTML, select the HTML check box.
If you require a receipt, select the Receipt check box.
Enter a Perl script in the Report Template field to control how the e-mail will be formatted and what it will contain.
If you want the report to be available for auditing through Compliance Auditor, select the Audit check box.
If you want to send an e-mail while testing this report, select the Send email check box.
(Optional) Click Test Report to view the report that will be sent to the defined e-mail address. If there are errors in the Report Template, those are displayed.
Click Back to return to the report configuration page.
Click Finish.
On the home page of the console, click Command Control.
In the navigation pane, click Reports.
Select the report you want to copy.
To create the copy, press the Ctrl key and drag and drop the selected report to the desired location.
If necessary, use the Modify Report option to rename or modify the copy, as explained in Modifying a Command Control Report.
On the home page of the console, click Command Control.
In the navigation pane, click Reports.
Select the report you want to move.
Drag and drop the selected report to the desired location.
On the home page of the console, click Command Control.
In the navigation pane, click the Reports icon and click Report.
In the details pane, select the report you want to delete and click the delete icon next to the report.
To select multiple reports in the same category, click Delete Multiple and select the reports.
Click Delete.