6.2.3 Configuring Command Control

Command Control uses rules to protect and control user commands. When configuring a rule, you set conditions that determine whether the rule is processed, for example based on the command submitted or the user who submitted it. You also define what processing takes place if the rule conditions are matched.

The components that you can define and configure for a rule are as follows:

  • The rule. For configuration information, see Rules.

  • Account groups, user groups, and host groups, which determine who matches the rule. For configuration information, see Command Control Groups.

  • Commands. For configuration information, see Section 6.2.4, Commands.

  • Credential Vault. For configuration information, see Contextual Help.

  • Scripts for additional functionality. For configuration information, see Scripts.

  • Access time to define specific time interval during which access is denied or granted. For configuration information, see Access Times.

NOTE: To enable access to the Command Control console for a Framework user and to control the level of access available, you must add the user to a group with the appropriate roles defined. See Section 4.1.4, Configuring Permissions for details.

The following additional features are provided to assist you with Command Control configuration and management:

Rules

Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run, by setting rule conditions based on different criteria:

  • The command being submitted

  • The user and host submitting the command

  • The user and host assigned to run the command

  • The time the command is submitted

  • The contents of Perl scripts you have defined.

See Setting Conditions for a Rule for details.

If a rule’s conditions are met, there are a number of options you can set to determine how the rule processes the command. You can configure a rule to:

  • Display a message to the user submitting the command

  • Capture the user session for reporting and auditing purposes

  • Authorize or not authorize the command to be run

  • Specify what further rule processing to do. The rule can specify that the processing of additional rules ends by using the stop conditions (Stop, Stop if authorized, Stop if unauthorized).

    When the Framework Manager receives a command request, the evaluation starts at the top of the rule tree. Even when a request matches a rule, the evaluation continues until a rule has a stop condition or the rule tree has been processed.

You can also:

  • Specify the user and host to run the command

  • Set a risk level for use with keystroke reports

  • Assign an audit group to the rule for use with the Compliance Auditor.

See Modifying a Rule for details.

You can also create and assign Perl scripts to the rule to provide additional functionality. See Adding a Script and Assigning a Script to a Rule for details.

NOTE: If you are using a different user (run user) to run an authorized command than the user who submitted the command (submit user), by default the submit user’s environment variables are used for the run user. If you want to use the environment variables associated with the run user instead, add a script to the rule containing the following text:

# Set job_default_env to 0 so that the run user’s own environment is used
# instead of the submit user’s environment (the default).
$meta->get_params("Job")->arg("job_default_env",0);
return 1;

Adding a Rule

  1. On the home page of the console, click Command Control.

  2. In the command control pane, click Rules.

  3. In the task pane, click Add to add a rule at the top level.

    To add a rule as a child of another rule, select the rule and click Add in the task pane.

  4. Specify a name for the rule.

  5. Click Finish to add a new rule.

  6. Select the rule, then click Modify Rule in the task pane.

    For configuration information, see Modifying a Rule.

  7. To move the rule, hold the Alt key and drag and drop it to the correct position, according to the order in which you want the rules to be processed. This moves the rule within the same hierarchy.

    When a user specifies a command under Command Control, the following rule processing takes place:

    • The conditions set for the first rule in the hierarchy are checked.

    • If there is a match, the rule is processed. Depending on how the rule is configured, processing of additional rules takes place or stops. If rule processing is not stopped, the next rule for which conditions are checked is the child of this rule. Rule checking and processing continues until it is stopped by a rule, or until all appropriate rules have been processed.

    • If there is no match, the conditions for the next rule at the same hierarchical level as the first rule are checked, and this continues until a match is found. Rule processing then takes place as described above.

    You can change the default order of rule processing on the Modify Rule screen, or by using scripts. See Modifying a Script.
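The processing order described in this step, together with the Stop, Return, Stop if authorized and Stop if unauthorized options listed under Rules above and under Modifying a Rule below, is easier to reason about as a small model. The following Python is an added illustration, not Privileged Account Manager's own code; it assumes that a matched rule with a blank next-rule setting descends into its children and then continues with its next sibling, that Return resumes one level up, and that nothing is authorized until a rule says Yes. The users, hosts and commands are constructed.

```python
"""Model of Command Control rule-tree evaluation as this section describes it.
Added illustration, not Privileged Account Manager's own code."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    command: str
    submit_user: str
    run_user: str
    submit_host: str
    run_host: str


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    authorize: Optional[bool] = None   # Yes=True, No=False, None=leave unchanged
    next_action: str = ""              # "", "stop", "return", "stop_if_authorized", "stop_if_unauthorized"
    user_message: str = ""
    children: List["Rule"] = field(default_factory=list)


@dataclass
class Outcome:
    authorized: bool = False           # assumption: nothing authorized until a rule says Yes
    matched: List[str] = field(default_factory=list)
    messages: List[str] = field(default_factory=list)


def _evaluate_level(rules: List[Rule], req: Request, out: Outcome) -> str:
    """Evaluate one level of the hierarchy top to bottom.
    Returns "stop", "return" or "continue" to the caller one level up."""
    for rule in rules:
        if not rule.condition(req):
            continue                    # no match: check the next rule at this level
        out.matched.append(rule.name)
        if rule.user_message:
            out.messages.append(rule.user_message)
        if rule.authorize is not None:
            out.authorized = rule.authorize
        action = rule.next_action
        if action == "stop":
            return "stop"
        if action == "stop_if_authorized" and out.authorized:
            return "stop"
        if action == "stop_if_unauthorized" and not out.authorized:
            return "stop"
        if action == "return":
            return "return"             # the next rule checked is one level up
        # Blank (or a Stop-if that did not apply): children next, then the next sibling.
        if _evaluate_level(rule.children, req, out) == "stop":
            return "stop"
    return "continue"


def evaluate(tree: List[Rule], req: Request) -> Outcome:
    out = Outcome()
    _evaluate_level(tree, req, out)
    return out


# Constructed sample data for the hierarchy below.
ADMINS = {"alice"}
WEB_MANAGERS = {"bob", "carol"}
WEB_SERVERS = {"web1", "web2"}


def build_sample_tree() -> List[Rule]:
    return [
        Rule("Admins", lambda r: r.submit_user in ADMINS,
             authorize=True, next_action="stop"),
        Rule("Web servers", lambda r: r.run_host in WEB_SERVERS, children=[
            # Same intent as the Submit User guidance: the run user must be the
            # submit user, so usrun -u cannot be used to reach another account.
            Rule("Deny cross-account run", lambda r: r.run_user != r.submit_user,
                 authorize=False, next_action="stop_if_unauthorized",
                 user_message="Run user must match submit user"),
            Rule("Web managers may restart httpd",
                 lambda r: r.submit_user in WEB_MANAGERS
                 and r.command.startswith("/sbin/service httpd"),
                 authorize=True, next_action="stop"),
        ]),
        Rule("Default deny", lambda r: True, authorize=False, next_action="stop"),
    ]
```

Note that a matched parent whose children neither stop nor authorize falls through to the next sibling, which is why the Default deny rule at the end of the top level matters.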

Modifying a Rule

  1. On the home page of the console, click Command Control.

  2. In the command control pane, click Rules.

  3. Select the rule you want to modify.

  4. In the details pane, click the edit icon.

  5. Modify the following as per your requirement:

    Name: Change the name of the rule.

    Disabled: To disable the rule, select the Disabled box. A disabled rule is dimmed.

    Description: Specify a description of the rule.

    User Message: Specify a user message to be displayed to the user when this rule is processed, before any commands are run.

    Session Capture: Select either On or Off. Setting Session Capture to On allows the Audit Manager to perform keystroke logging for the rule.

    To view a captured session from a Command Control report, an Auditing Manager and the Reports Console must be installed.

    X11 Enable: Select either Yes or No to enable X11 application access over SSH Relay. When you enable X11 application access, you can also enable video recording of the session by selecting Video Capture On.

    Authorize: Select either Yes or No, depending on whether you want the command protected by the rule to be authorized or not authorized if the rule conditions are met.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Secondary Authentication: If Secondary Authentication is set to Yes, then Multi-Factor Authentication is applied during authorization. This is supported for Advanced Authentication only.

    Run User: Define a run user by selecting the name of the user you want to run this command (this overrides any username defined through a set command).

    Account Domain: Select the appropriate LDAP or SSH resource from the drop-down list.

    Credentials: The credential for the selected resource gets populated. You can also select the required credential from the drop-down list.

    Run User: The Run User gets automatically populated with the domain user provided in the resource.

    Run Host: Define a run host by selecting the name of the host on which you want to run this command (this overrides any hostname defined through a set command).

    NOTE: When modifying a rule for the Run as Privileged User method, ensure that you set the Run Host to Submit Host.

    Risk Level: Set a Risk Level of 0 to 99. This option allows you to set a value representing the relative risk of a rule with the session auditing option (see cpcksh). When viewing a Command Control Keystroke Report, you see commands controlled by rules with different risk values represented in different colors.

    Audit Group: Define an Audit Group. This setting is for use in Compliance Auditor reports.

    NOTE: To configure video capture, see Section 8.2.2, Configuring Video Capture.

  6. Click Modify.

  7. Drag-and-drop Account Groups, User Groups, Host Groups, Commands, Scripts, or Access Times to add them to Rules. In the pop-up window that appears, select Yes to add them or No to discard your changes.

Viewing Conditions for a Rule

You can view all the conditions that make up a rule. These conditions are built from entities such as host groups and user groups. You can view the entity that a condition refers to and modify it if required.

To view the conditions, perform the following steps:

  1. In the Command Control pane, click the required rule.

  2. In the details pane, click View Condition.

    This displays the list of entities that are part of the condition.

  3. (Conditional) Click Locate to locate the required entity.

    This locates and selects the required entity in the middle pane.

  4. (Conditional) In the details pane, click the edit icon to modify the fields of the entity.

Setting Conditions for a Rule

You can set a number of conditions for a rule to determine whether the rule is processed or not. For example, you can set a particular command as a condition, and only process the rule if a user enters that command.

There are two ways of setting conditions for a rule:

  • Dragging and dropping an entity onto the rule.

  • Using the Edit Condition option, as described in the steps below.

NOTE: When you drag and drop an entity onto a rule, you might need to edit the condition to ensure that the condition logic is what you want. If you want to use a script in rule conditions, you must set it to Conditional first (see Modifying a Script).

To set conditions by using the Edit Condition option:

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Select the rule for which you want to set conditions.

  4. In the details pane, select the currently defined condition then click Edit Condition.

    If you have not yet defined a condition, select Match All.

  5. In the Add Condition drop-down list, select the type of condition you want.

  6. Set the condition to the value and logic you want. For example, if you set a condition to match a run user to a user group:

    a. Change user (submit user) to run user.

    b. Leave the logic setting as IN.

    c. Select the user group you require from the user group drop-down list.

  7. Repeat Step 5 and Step 6 for any other conditions you want. Set the condition logic as necessary.

    You can use parentheses to group conditions according to the necessary logic by selecting the parentheses ( ) entry from the Add Condition drop-down list. The opening and closing parentheses are displayed.

    a. Select the opening parenthesis.

    b. Select the condition type you want to place inside the parentheses and set it as necessary.

    c. Select the opening parenthesis again.

    d. Select another condition type to place inside the parentheses and set it as necessary.

    e. If necessary, change OR to AND.

    f. Repeat Step 7.d through Step 7.f for any other conditions you require inside this set of parentheses. You can also place parentheses within parentheses.

  8. Click Finish.

Removing Conditions for a Rule

You can remove all the conditions for a rule, or you can remove individual conditions.

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Use the arrow to display all the rules and select the rule for which you want to remove conditions.

  4. In the task pane, select the currently defined condition.

  5. To remove all conditions, click Remove Condition in the task pane, then click OK to remove the condition.

    The rule condition is displayed as Match All.

  6. To remove individual conditions, click Edit Condition in the task pane, click the delete icon against the condition to remove the condition, then click Finish.

Configuring Script Arguments and Entities for a Rule

You can configure script arguments and entities for the scripts assigned to a rule before or after assigning the scripts. You can define only one set of arguments and entities, which applies to all scripts assigned to a rule.

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Select the rule for which you want to add script arguments.

  4. In the task pane, click Script Arguments.

  5. Click Add.

  6. In the Name field, specify a name for the argument.

  7. In the Value field, specify a value for the argument.

  8. To add more arguments, repeat Step 5 through Step 7.

  9. When you finish adding arguments, click Finish, or continue with Step 10 to add script entities.

  10. Click the arrow under Add Script Entity to display the list of available entities, then select the type of entity you want.

    A drop-down list of entities is displayed in the Script Entities table.

  11. Select the entity you want from the drop-down list.

  12. To add more entities, repeat Step 10 and Step 11.

  13. Click Finish.

Assigning a Script to a Rule

You can use Perl scripts to provide additional, customized functionality to the rules (see Adding a Script). To assign a script to a rule, use drag and drop as described in the following procedure.

NOTE: If you drag and drop a script that has been set to Conditional, the script is added to the rule conditions.

  1. On the home page of the console, click Command Control.

  2. In the Command control pane, click Rules.

  3. Click the arrow to display the list of rules.

  4. In the navigation pane, click the Scripts icon.

  5. Select the script you want to assign to the rule.

  6. Drag and drop the selected script to the rule.

  7. Configure script arguments and entities for the scripts if necessary. For more information, see Configuring Script Arguments and Entities for a Rule.

Removing Script Arguments and Entities

  1. To remove a script argument, select the argument, then click Remove.

  2. To remove a script entity, select the icon next to the name of the entity, then click Remove.

Removing a Script from a Rule

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Rules.

  3. Use the arrow to display the list of rules, then select the rule from which you want to remove a script.

  4. In the details pane, select the required script.

  5. Click Remove Script.

  6. Click OK to confirm the removal. The scripts are removed from the rule.

Finding a Rule

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. In the details pane, click the Find Rule icon to find a rule from the entire list of rules.

    or

    Select the parent rule, then in the details pane click the Find Rule icon.

  4. In the Rule Filter field, specify the name of the rule you are looking for, then click Find.

    You can use wildcard characters “*” and “?”. This field is case sensitive.

    NOTE: Some special characters, such as “[” and “]”, might not work in this field. For example, if you search for first rule [linked rule], you might get an error message. In such a case, replace “[” and “]” with “*” or “?”.

  5. When the name of the rule is displayed, you can modify the rule by using Modify Rule. If you want to view the rule in the Command Control pane, click Goto Rule. Click Close to return to the Command Control pane without a rule selected.

Moving a Rule

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Select the rule you want to move.

  4. Press the Alt key, then drag and drop the selected rule to the location in the same hierarchy. To move a rule into a child hierarchy, drag and drop the rule to the required location.

Copying a Rule

You can create a copy of an existing rule in the rule hierarchy, so you can use the same rule in more than one place in the hierarchy, or so you can create a new rule based on the existing rule.

NOTE: If you want to use the same rule in more than one place and you want any changes you make to the rule to be reflected in the other copy or copies, you should link the rule instead. See Linking a Rule for details.

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Select the rule you want to copy.

  4. To create the copy, press the Ctrl key and drag and drop the selected rule to the desired location.

  5. (Optional) Use the Modify Rule option to rename or modify the copy.

  6. Move the rule to the correct position according to the order in which you want to process the rules. See Adding a Rule for details.

Linking a Rule

If you want a specific rule to be used in different places in the hierarchy of rules, you can create a linked rule. Any changes you make to the linked rule are reflected in all the instances of the rule in the hierarchy. If you simply copy the rule, any changes made to the original rule or to one of its copies are not reflected in the other copies.

Changes to sub-rules of a linked rule are not linked. For example if you add or modify a rule under a linked rule, the change is not reflected in other instances of the linked rule.

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Select the rule to link.

  4. To create the links, press the Ctrl key and the Shift key at the same time, then drag and drop the selected rule to the location you want.

    A linked rule is displayed with an arrow icon.

Deleting a Rule

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Select the rule you want to delete.

  4. In the details pane, click Delete.

  5. Click Delete to delete the rule and all rule children.

Viewing Pseudocode

The pseudocode for a rule provides a simplified representation of the actual code that is processed when the rule is activated. For complex rules, this can assist you with understanding what happens in different situations.

To view the pseudocode for a rule:

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Select the rule for which you want to view the pseudocode.

  4. In the details pane, click Pseudocode.

    You can copy the pseudocode by using Ctrl+A or Ctrl+C, then paste it into a document for printing.

  5. Click Close.

Command Control Groups

Command Control has three types of groups:

User Groups: Contain users with similar responsibilities. This allows you to use the group as a condition for a rule, which either allows or denies the users the rights to run commands.

Host Groups: Contain hosts with similar content. This allows you to use the group as a condition for a rule that either allows or denies the rights to run the command on a host.

Account Groups: Combine host groups and user groups to be used together in setting rule conditions. Account groups can also contain other account groups. You can also use account groups as script entities.

For example, you could create a Web Account Group, and to this group you could add a user group that contains all the Web server managers and a host group that contains all the hosts that are Web servers. You could then use the Web Account Group as a condition when creating rules for Web server management.

The following sections explain how to manage these groups:

User Groups

User groups contain users who are allowed, or not allowed, to submit or run commands controlled by the rules that you specify. You can add user groups to the specified rule conditions to control whether the rule is processed, depending on the user who is submitting a command or the user who is specified to run a command. You can also use user groups as script entities.

Command Control has the default user groups, Everyone and Submit User. Do not modify these groups.

Everyone: Use this group to match against any user who has a local account on the hosts where Privileged Account Manager is installed.

Submit User: Use this group to match against the user that submitted the privileged request. This is useful if you want to ensure that a rule only authorizes access to the account that submitted the request. For example, when adding a cpcksh login shell, you should add a clause to the rule that ensures that the run user is in the Submit User group. This ensures that a user cannot use the -u option in usrun to gain access to other accounts.

You can search for a specific user in a user group by using suitable regular expressions, strings, or wildcards in the command. For example, the wildcards that you can use in the command could be vi * or /usr/bin/vi *.

To add a regular expression term to the list, prefix the regular expression with =~. For example,

=~/^vi .*$/

=~/^user*/

Command Control also includes a user group that is used for adding or deleting the users in the blocked list.

IMPORTANT: The User Name for Windows users must be provided in capital letters.

Managing the User Groups

The following sections explain how to manage user groups:

Adding a User Group

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click the Account Groups icon.

  3. Click User Groups.

  4. In the details pane, click Add to add a user group to root level. To add the user group for a category, select the category then click Add.

  5. Specify a name for the user group.

  6. Click Add.

    User groups are represented by the group icon.

  7. To configure the user group, continue with Modifying a User Group.

Modifying a User Group

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Account Groups, then click User Groups.

  3. In the details pane, select the user group you want to modify, then click the edit icon next to the user group name.

  4. Configure the following fields:

    Name: Specify a name for the group.

    Disabled: Select this check box to disable the group. A disabled user group is dimmed.

    Description: Describe the purpose of this user group.

    Manager Name, Manager Tel., Manager Email: Specify the name, telephone number, and e-mail address of the manager of this user group. The manager details can be used in the Compliance Auditor.

    If these details have been entered in the manager’s Framework user account details, they can be entered automatically by selecting the manager’s username from the drop-down list. This option is only available if you belong to a Framework user group with the read role defined for the auth module (see Section 4.1.4, Configuring Permissions).

    Users: Add or change the users you want to include in this group. You can type the user names, one on each line, or paste them from elsewhere. You can use the Sort button to sort the list of users into alphabetical order. For Windows users, specify the user name in capital letters.

    NOTE: The user names must be provided in capital letters for the LDAP users who are part of the authentication domain.

    User Groups: From the list of groups you have already defined, select the user groups you want to include as subgroups of this user group. You can also add subgroups to a user group by dragging and dropping the groups to the target user group in the navigation pane.

  5. Click Modify.

    You can now use this user group in rule conditions or as a script entity.

Deleting a User Group

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Account Groups, then click User Groups.

  3. In the details pane, select the required user group and click the delete icon next to the user group name.

    To delete multiple user groups, click Delete Multiple, then select the user groups to delete from the list.

  4. Click Delete to delete the selected user groups.

Host Groups

Host groups contain hosts that are allowed, or not allowed, to submit or run commands that the rules control. You can add host groups to the rule conditions to control whether the rule is processed, depending on the host that is submitting a command or the host specified to run a command. You can also use host groups as script entities.

Command Control has two default host groups. Do not modify these groups.

All Hosts: Use this group to match against any host that has been registered with the Framework. Use the Hosts console to view the hosts that are included as matches for this group.

Submit Host: Use this group to match against the host from which the privileged request was made. This is useful if you want to ensure that a rule only authorizes access to the host from which the privileged request was made. This ensures that a user cannot use the -h option in usrun to gain access to other hosts.

You can search for a specific host in a host group by using suitable regular expressions, strings, or wildcards in the command. For example, the wildcards that you can use in the command could be vi * or /usr/bin/vi *.

To add a regular expression term to the list, prefix the regular expression with =~. For example,

=~/^vi .*$/

=~\w+\.netiq\.com
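The entry forms described for user groups above and for host groups here (plain names, * and ? wildcards, and =~ regular expressions), subgroup nesting, and an account group that pairs user groups with host groups, modelled as an added Python illustration; this is not Privileged Account Manager's own matching code. It assumes that a plain entry matches exactly, that a regular expression is applied as a search unless it is anchored, and that an account group matches when the user is in one of its user groups and the host is in one of its host groups. All group names and members are constructed.

```python
"""Matcher for user-group and host-group entries as this section describes them.
Added illustration, not Privileged Account Manager's own code."""
import fnmatch
import re
from typing import Callable, Iterable, List, Optional, Set, Tuple

Predicate = Callable[[str], bool]


def compile_term(term: str) -> Predicate:
    """Turn one group entry into a predicate over a user name, host name or command."""
    if term.startswith("=~"):
        pattern = term[2:]
        if len(pattern) >= 2 and pattern[0] == "/" and pattern[-1] == "/":
            pattern = pattern[1:-1]            # "=~/^vi .*$/" -> "^vi .*$"
        rx = re.compile(pattern)
        # Assumption: searched, not fully anchored, unless ^ and $ are given.
        return lambda value: rx.search(value) is not None
    if any(ch in term for ch in "*?"):
        return lambda value: fnmatch.fnmatchcase(value, term)   # "vi *", "web?"
    return lambda value: value == term         # plain entry: exact match


def term_matches(term: str, value: str) -> bool:
    return compile_term(term)(value)


class Group:
    """A user group or host group: entries plus optional subgroups."""

    def __init__(self, name: str, members: Iterable[str] = (),
                 subgroups: Iterable["Group"] = ()) -> None:
        self.name = name
        self.members: List[Tuple[str, Predicate]] = [(m, compile_term(m)) for m in members]
        self.subgroups = list(subgroups)

    def contains(self, value: str, seen: Optional[Set[str]] = None) -> bool:
        seen = set() if seen is None else seen
        if self.name in seen:                  # guard against a subgroup cycle
            return False
        seen.add(self.name)
        if any(pred(value) for _, pred in self.members):
            return True
        return any(g.contains(value, seen) for g in self.subgroups)


class AccountGroup:
    """Pairs user groups with host groups, and may contain other account groups."""

    def __init__(self, name: str, user_groups: Iterable[Group] = (),
                 host_groups: Iterable[Group] = (),
                 account_groups: Iterable["AccountGroup"] = ()) -> None:
        self.name = name
        self.user_groups = list(user_groups)
        self.host_groups = list(host_groups)
        self.account_groups = list(account_groups)

    def matches(self, user: str, host: str) -> bool:
        # Assumption: user in any user group AND host in any host group.
        if (any(g.contains(user) for g in self.user_groups)
                and any(g.contains(host) for g in self.host_groups)):
            return True
        return any(a.matches(user, host) for a in self.account_groups)


# Constructed sample groups, echoing the Web Account Group example above.
WEB_MANAGERS = Group("Web Managers", ["bob", "carol", "=~/^webadm[0-9]+$/"])
DBAS = Group("DBAs", ["dave"])
ALL_STAFF = Group("All Staff", subgroups=[WEB_MANAGERS, DBAS])
WEB_SERVERS = Group("Web Servers", ["web?", r"=~^\w+\.netiq\.com$"])
WEB_ACCOUNT_GROUP = AccountGroup("Web Account Group", [WEB_MANAGERS], [WEB_SERVERS])
```

An unanchored regular expression such as the =~\w+\.netiq\.com entry above also matches a longer name that merely contains that text, so anchoring with ^ and $ is the safer form for a host group entry.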

The following sections explain how to manage host groups:

Adding a Host Group

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Account Groups, then click Host Groups.

  3. In the details pane, click Add. To add a host group to a category, select the category and click Add.

  4. Specify a name for the host group.

  5. Click Add.

    Host groups are represented by the host group icon.

  6. To configure the host group, see Modifying a Host Group.

Modifying a Host Group

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Account Groups, then click Host Groups.

  3. In the details pane, select the host group you want to modify, then click the edit icon next to the host group name.

  4. Configure the following fields:

    Name: Specify a name for the group.

    Disabled: Select this check box to disable the group. A disabled host group is dimmed.

    Description: Describe the purpose of this host group.

    Hosts: Add or change the hosts you want to include in this group. You can type the host names, one on each line, or paste them from elsewhere. You can use the Sort button to sort the list of hosts into alphabetical order.

    Host Groups: From the list of groups you have already defined, select the host groups you want to include as subgroups of this host group. You can also add subgroups to a host group by dragging and dropping the groups to the host group in the navigation pane.

  5. Click Modify. You can use this host group in rule conditions or as a script entity.

Deleting a Host Group

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Account Groups, then click Host Groups.

  3. In the details pane, select the host group you want to delete, then click the delete icon next to the host group name.

    To select multiple host groups, click Delete Multiple and select the host groups from the list.

  4. Click Delete. The selected host groups are deleted and are also removed from any account group, rule conditions, and script entities in which they have been defined.

Adding an Account Group

To add a new account group:

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Account Groups.

  3. In the details pane, click Add. To add an account group to a category, select the category, then click Add.

  4. Specify a name for the account group.

  5. Click Add.

    Account groups are represented by the account group icon.

  6. To configure the group, continue with Modifying an Account Group.

Modifying an Account Group

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Account Groups.

  3. In the details pane, select the account group you want to modify and click the edit icon next to the account group name.

  4. Modify the following fields:

    Name: Change the name of the group.

    Disabled: To disable the account group, click Disabled. A disabled account group is dimmed.

    Description: Add or change the description.

    Manager Name, Manager Tel., Manager Email: Specify the name, phone number, and e-mail address of the manager of the users in this account group.

    If these details have been entered in the manager’s Framework user account details, they can be entered automatically by selecting the manager’s username from the drop-down list. This option is only available if you belong to a Framework user group with the read role defined for the auth module (see Section 4.1.4, Configuring Permissions).

    The manager details can be used in the Compliance Auditor.

    User Groups, Host Groups, Account Groups: From the lists of groups you have already defined, select or remove the user groups, host groups, and account groups. You can also add groups to an account group by dragging and dropping the groups to the target account group in the navigation pane.

  5. Click Modify. You can now use this account group in rule conditions or as a script entity.

Deleting an Account Group

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click Account Groups.

  3. In the details pane, select the account group that you want to delete and click the delete icon next to the account group name.

    To select multiple account groups, click the top level account group and click Delete Multiple.

  4. Click Delete. The selected account groups are deleted and are also removed from any other account groups, rule conditions, and script entities where they have been defined.

Copying a Group

  1. On the home page of the console, click Command Control.

  2. Click the category of the group that you are copying such as Account Groups, Host Groups, or User Groups.

  3. Select the group you want to copy.

  4. To create the copy, press the Ctrl key and drag and drop the selected group to the desired location.

Moving a Group

  1. On the home page of the console, click Command Control.

  2. Click the category of the group you are moving, such as Account Groups, Host Groups, or User Groups.

  3. Select the group you want to move.

  4. Drag and drop the selected group to the desired location.

You can also drag and drop account groups, user groups, and host groups into an account group. This does not delete the groups from their original location.

Finding a Group

  1. On the home page of the console, click the Account Groups icon and select Account Groups in the middle pane.

  2. In the details pane, click Find.

  3. In the Account Group Filter field, type the required group name.

    For finding user groups or host groups, click User Groups or Host Groups in the middle pane, then click Find in the details pane.