How to configure cpcksh with Enhanced Access Control (EAC) for complete session control and command risk
This document (7022237) is provided subject to the disclaimer at the end of this document.
- To configure cpcksh as the default shell for users and, optionally, rewrite the command to a user's preferred shell, see:
TID 7017938 - How to configure Direct-SSH on Linux using a preferred shell
Note: Rewriting the command to a user's preferred shell is optional. Once EAC is applied (below), a user may switch to their own preferred shell from within the cpcksh session with no loss of auditing or control; the rewrite simply lets an administrator make that switch happen automatically.
- Add Enhanced Access Control (EAC) to the Authorizing Rule:
- Apply the Enhanced Access Control Policy script to the Command Control (CmdCtrl) Rule by drag and drop:
- For more details, please refer to Configuring a Command Control Policy.
- Configure an appropriate Path Policy for complete session control such as command blocking:
- For more details, please refer to Configuring a Path Policy.
As an example, the following path policy allows all commands by default, blocks execution of particular commands and disallows write access to a particular file, each with its own log (command risk) level:
path default all
path /usr/bin/passwd !exec:log=9
path /usr/sbin/useradd !exec:log=4
path /tmp/confidential.txt read:!write:log=4
Note: Although EAC alone gives complete session control (risky commands are blocked from executing outright), it may still be necessary to auto-disconnect or auto-block the user when such a command is attempted.
- For more details, please refer to the following sources:
Disconnecting the Session Automatically Based on Risk Level
Setting the Command Risk
- As an example, a command such as passwd could be added to Command Risk with Auto Disconnect selected:
Note: EAC already blocks passwd from being executed (the !exec rule above), but with this Command Risk entry an attempt to run it would additionally auto-disconnect the user from their session.
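To make the interaction between the path policy above and the Command Risk entry concrete, the following is an added example (not PAM code and not part of this TID): a small Python model that parses the four policy lines as quoted, evaluates read/write/exec requests against them, combines the result with a constructed Command Risk table, and lints for risky commands the path policy does not actually block. The matching semantics (exact path match; an access kind a specific rule is silent on falls through to the default line; the log level comes from the most specific matching rule) are assumptions made for the illustration, not documented PAM behaviour.

```python
"""Illustrative evaluator for the EAC path-policy lines quoted in the TID.

Added example, not PAM code. Assumptions: paths match exactly; an access
kind a specific rule does not mention falls through to the 'default' rule;
the log level is taken from the most specific matching rule.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The path policy exactly as shown in the TID.
POLICY = """
path default all
path /usr/bin/passwd !exec:log=9
path /usr/sbin/useradd !exec:log=4
path /tmp/confidential.txt read:!write:log=4
"""

# Constructed Command Risk table for the example: command name -> auto-disconnect.
COMMAND_RISK: Dict[str, bool] = {"passwd": True}

ACCESS_KINDS = ("read", "write", "exec")


@dataclass
class PathRule:
    path: str
    allow: Set[str] = field(default_factory=set)
    deny: Set[str] = field(default_factory=set)
    log: Optional[int] = None


@dataclass
class Decision:
    allowed: bool
    log: Optional[int]
    rule: str  # which 'path' entry decided it ('default' or a concrete path)


def parse_policy(text: str) -> Dict[str, PathRule]:
    """Parse 'path <target> <spec>' lines; <spec> is ':'-separated tokens."""
    rules: Dict[str, PathRule] = {}
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) != 3 or parts[0] != "path":
            raise ValueError(f"unrecognised policy line: {raw!r}")
        _, target, spec = parts
        rule = PathRule(path=target)
        for token in spec.split(":"):
            if token == "all":
                rule.allow.update(ACCESS_KINDS)
            elif token.startswith("log="):
                rule.log = int(token[4:])
            elif token.startswith("!") and token[1:] in ACCESS_KINDS:
                rule.deny.add(token[1:])
            elif token in ACCESS_KINDS:
                rule.allow.add(token)
            else:
                raise ValueError(f"unknown token {token!r} in {raw!r}")
        rules[target] = rule
    if "default" not in rules:
        raise ValueError("policy has no 'path default' line")
    return rules


def evaluate(rules: Dict[str, PathRule], path: str, access: str) -> Decision:
    """Decide whether ACCESS (read/write/exec) to PATH is permitted."""
    if access not in ACCESS_KINDS:
        raise ValueError(f"unknown access kind {access!r}")
    specific = rules.get(path)
    if specific is not None:
        if access in specific.deny:
            return Decision(False, specific.log, specific.path)
        if access in specific.allow:
            return Decision(True, specific.log, specific.path)
    default = rules["default"]
    # Assumption: anything the specific rule is silent on falls to 'default',
    # while the specific rule's log level still applies to that path.
    log = specific.log if specific is not None else default.log
    allowed = access in default.allow and access not in default.deny
    return Decision(allowed, log, "default")


def check_command(rules: Dict[str, PathRule], risk: Dict[str, bool],
                  command_path: str) -> Tuple[bool, bool]:
    """Return (blocked_by_eac, session_disconnected).

    EAC decides on the full path; Command Risk is keyed on the command name.
    The two act independently, which is the TID's point: passwd is blocked
    by the path policy and the Command Risk entry still disconnects the session.
    """
    blocked = not evaluate(rules, command_path, "exec").allowed
    disconnect = risk.get(os.path.basename(command_path), False)
    return blocked, disconnect


def risky_but_not_blocked(rules: Dict[str, PathRule], risk: Dict[str, bool]) -> List[str]:
    """Lint: Command Risk entries that no path rule denies exec for.

    Such commands rely on Command Risk alone (audit/disconnect) rather than
    being prevented by the path policy.
    """
    exec_blocked = {os.path.basename(r.path) for r in rules.values() if "exec" in r.deny}
    return sorted(name for name in risk if name not in exec_blocked)


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for p, a in [("/usr/bin/passwd", "exec"), ("/usr/sbin/useradd", "exec"),
                 ("/tmp/confidential.txt", "write"), ("/tmp/confidential.txt", "read"),
                 ("/bin/ls", "exec")]:
        d = evaluate(rules, p, a)
        print(f"{a:5} {p:24} -> {'allow' if d.allowed else 'DENY'} log={d.log} (rule: {d.rule})")
    print("passwd (blocked, disconnect):", check_command(rules, COMMAND_RISK, "/usr/bin/passwd"))
    print("risky but not exec-blocked:", risky_but_not_blocked(rules, {"passwd": True, "visudo": True}))
```

Running it shows passwd and useradd denied at log levels 9 and 4, the confidential file readable but not writable at level 4, and everything else falling through to `default all`; the lint flags any Command Risk entry (visudo in the constructed table) that the path policy would still let execute, which is the gap the note above is warning about.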
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7022237
- Creation Date:27-OCT-17
- Modified Date:27-OCT-17
- Novell Privileged Account Manager (Privileged User Manager)