My Favorites

Close

Please to see your favorites.


How to configure cpcksh with Enhanced Access Control (EAC) for complete session control and command risk

This document (7022237) is provided subject to the disclaimer at the end of this document.

Environment

Privileged Account Manager

Situation

How to configure Linux / Unix auditing with complete session control and command risk through cpcksh and Enhanced Access Control (EAC)

Resolution

Please follow the steps below to configure cpcksh as the default shell for all users, optionally implement command rewriting to user's preferred shell (i.e. bash), configure for complete session control, command blocking and risk assignment through EAC and optionally auto-disconnect or auto-block a user's session based on Command Risk:

  1. To configure cpcksh as the default shell for users and optionally implement command rewrite to a user preferred shell:
    TID 7017938
    - How to configure Direct-SSH on Linux using a preferred shell
    Note: It is not required to implement command rewriting to a user preferred shell. With EAC applied later, a user can switch to their own preferred shell with no loss of auditing or control; however, this is available for an admin to rewrite to a user's preferred shell automatically.

  2. Add Enhances Access Control (EAC) to the Authorizing Rule:
    • Apply the Enhanced Access Control Policy script to the Command Control (CmdCtrl) Rule by drag and drop:
    • Configure an appropriate Path Policy for complete session control such as command blocking:
      • As an example, the following will allow all commands, block execution of particular commands and disallow write access to a particular file with various log or command risk levels:
        path default all
        path /usr/bin/passwd !exec:log=9
        path /usr/sbin/useradd !exec:log=4
        path /tmp/confidential.txt read:!write:log=4

  3. (optional) Add Command Risk Auto Disconnect or Auto Block:
    Note: Although complete session control can be achieved with just EAC where risky commands can be blocked entirely from execution, it may still be necessary to auto-disconnect or auto-block the user.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7022237
  • Creation Date:27-OCT-17
  • Modified Date:27-OCT-17
    • NovellPrivileged Account Manager (Privileged User Manager)

Did this document solve your problem? Provide Feedback