Environment
Privileged Account Manager
Privileged User Manager
Situation
How to configure Direct-SSH on Linux to capture native ssh connections using the default shell
How to approach capturing direct ssh connections where users can use the default shell
How to capture / audit direct ssh similar to the Direct-RDP feature for Windows
Resolution
Direct-SSH connections can only be monitored through the provided shells (pcksh, cpcksh) and usrun (see Privileged Account Management for Unix and Linux). If the user prefers another shell over pcksh, cpcksh, or usrun, the following approach still allows the complete session to be captured while the user appears to land directly in their preferred shell. This is achieved by configuring the user's default login shell to one that can be captured and is integrated with Command Control, and then configuring command rewriting so that the captured shell is rewritten to the user's preferred shell.
Note: This approach is only possible if there are Agents running on the target Linux servers.
1. Change the user(s) default shell to /usr/bin/cpcksh. Please refer to the appropriate documentation for the UNIX or Linux environment to properly configure the user(s) login shell (see man usermod). An example would be:
sudo usermod -s /usr/bin/cpcksh user1
2. If the user prefers an alternate shell, configure a cpcksh command that rewrites to the appropriate or preferred shell (i.e. /bin/bash, /usr/bin/pcksh, etc.). For more details about command rewriting, please refer to Modifying a Command. Create a new command (see Commands) with the following settings:
Name: <command name>
Rewrite: <path to preferred shell, i.e. /bin/bash>
Commands: cpcksh
3. Create the necessary cpcksh rule:
Begin Rule :cpcksh
IF ((command IN cpcksh))
THEN
Set Authorize : yes
Set Session Capture : yes
Stop if authorized
END IF
END RULE :cpcksh
Note: The command created in Step 2 is the one referenced in the condition of this rule (command IN cpcksh), so only sessions started through that rewritten shell are authorized and captured.
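Because the approach above only captures a session when the account's login shell is one of the capturable shells, it is worth auditing which accounts still have a shell that would bypass capture. The following POSIX shell script is an added example and is not part of the original article or the product; it parses passwd-format lines (constructed sample data is embedded so it runs offline; on a real host you would feed it the output of `getent passwd` instead) and lists interactive accounts whose login shell is not pcksh, cpcksh, or usrun. The shell paths and the UID 1000 cut-off for "interactive" accounts are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from the original article or product): audit passwd-format
# lines and report accounts whose login shell is NOT one that Privileged Account
# Manager can capture (pcksh, cpcksh, usrun). Paths below are assumptions.

CAPTURABLE_SHELLS="/usr/bin/pcksh /usr/bin/cpcksh /usr/bin/usrun"

# Constructed sample data in /etc/passwd format: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001:User One:/home/user1:/usr/bin/cpcksh
user2:x:1002:1002:User Two:/home/user2:/bin/bash
svc:x:1003:1003:Service:/var/lib/svc:/usr/sbin/nologin
user3:x:1004:1004:User Three:/home/user3:/usr/bin/pcksh'

# login_shell NAME PASSWD_TEXT -> prints the login shell field for NAME
login_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# is_capturable SHELL -> returns 0 when SHELL is one of the capturable shells
is_capturable() {
    for s in $CAPTURABLE_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# uncaptured_users PASSWD_TEXT -> prints, one per line, the interactive accounts
# (uid >= 1000 with a real shell, not nologin/false) whose login shell would let
# a direct ssh session bypass session capture
uncaptured_users() {
    printf '%s\n' "$1" |
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' |
    while IFS=: read -r name shell; do
        is_capturable "$shell" || printf '%s\n' "$name"
    done
}

# Example run against the constructed sample: reports user2 (login shell /bin/bash)
uncaptured_users "$SAMPLE_PASSWD"
```

To audit a live host, replace the sample with `uncaptured_users "$(getent passwd)"`; any account it prints can open a direct ssh session that is not captured until its login shell is changed as in Step 1.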
Additional Information
For other approaches and more details, please refer to Privileged Account Management for Unix and Linux.
To determine what shell a user is currently using:
ps -p $$