How to configure cpcksh with Enhanced Access Control (EAC) for complete session control and command risk

  • 7022237
  • 27-Oct-2017
  • 22-Aug-2018

Environment

Privileged Account Manager

Situation

How to configure Linux / Unix auditing with complete session control and command risk through cpcksh and Enhanced Access Control (EAC)

Resolution

Follow the steps below to configure cpcksh as the default shell for all users, optionally rewrite commands to the user's preferred shell (e.g. bash), configure complete session control, command blocking and risk assignment through EAC, and optionally auto-disconnect or auto-block a user's session based on command risk:

  1. To configure cpcksh as the default shell for users and optionally implement command rewriting to a user's preferred shell, see:
    TID 7017938
    - How to configure Direct-SSH on Linux using a preferred shell
    Note: Command rewriting to a user's preferred shell is not required. Once EAC is applied (step 2), a user can switch to their own preferred shell with no loss of auditing or control; the rewrite is simply an option for an admin who wants users placed in their preferred shell automatically.

  2. Add Enhanced Access Control (EAC) to the Authorizing Rule:
    • Apply the Enhanced Access Control Policy script to the Command Control (CmdCtrl) Rule by drag and drop:
    • Configure an appropriate Path Policy for complete session control such as command blocking:
      • As an example, the following allows all commands, blocks execution of particular commands, and disallows write access to a particular file, each with its own log (command risk) level:
        path default all
        path /usr/bin/passwd !exec:log=9
        path /usr/sbin/useradd !exec:log=4
        path /tmp/confidential.txt read:!write:log=4

  3. (optional) Add Command Risk Auto Disconnect or Auto Block:
    Note: Although complete session control can be achieved with EAC alone, since risky commands can be blocked from execution entirely, it may still be necessary to auto-disconnect or auto-block the user.
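As an added example (not part of this TID and not Privileged Account Manager's own code), a small Python checker that parses the path-policy lines from step 2 and reports what a given operation on a given path would get, so a policy can be sanity-checked before it is applied to the rule. The precedence it assumes (an exact path entry overrides `default`, and a permission a rule does not mention falls back to `default`) is an assumption for illustration, not documented EAC behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample: the path policy shown in step 2 above.
SAMPLE_POLICY = """\
path default all
path /usr/bin/passwd !exec:log=9
path /usr/sbin/useradd !exec:log=4
path /tmp/confidential.txt read:!write:log=4
"""

PERMS = ("exec", "read", "write")

@dataclass
class PathRule:
    path: str
    allow: Dict[str, bool] = field(default_factory=dict)  # perm -> allowed?
    log: Optional[int] = None                              # log / command-risk level

def parse_policy(text: str) -> Dict[str, PathRule]:
    """Parse 'path <path> <spec>' lines; spec tokens are all, perm, !perm, log=N."""
    rules: Dict[str, PathRule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "path" or len(parts) != 3:
            raise ValueError(f"unrecognised policy line: {line!r}")
        rule = PathRule(parts[1])
        for token in parts[2].split(":"):
            if token == "all":
                rule.allow.update({p: True for p in PERMS})
            elif token.startswith("log="):
                rule.log = int(token[4:])
            else:
                perm = token.lstrip("!")
                if perm not in PERMS:
                    raise ValueError(f"unknown permission {perm!r} in {line!r}")
                rule.allow[perm] = not token.startswith("!")
        rules[rule.path] = rule
    return rules

def evaluate(rules: Dict[str, PathRule], path: str, perm: str) -> Tuple[bool, Optional[int]]:
    """Return (allowed, log_level). Assumption: exact path beats default; unmentioned perm -> default."""
    default = rules.get("default")
    rule = rules.get(path, default)
    if rule is None:
        return False, None
    allowed = rule.allow.get(perm)
    if allowed is None:
        allowed = bool(default and default.allow.get(perm))
    return allowed, rule.log
```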