Environment
Privileged Account Manager
Situation
How to configure Linux / Unix auditing with complete session control and command risk through cpcksh and Enhanced Access Control (EAC)
Resolution
Please follow the steps below to configure cpcksh as the default shell for all users, optionally implement command rewriting to the user's preferred shell (e.g. bash), configure complete session control, command blocking and risk assignment through EAC, and optionally auto-disconnect or auto-block a user's session based on Command Risk:
- To configure cpcksh as the default shell for users and optionally implement command rewrite to a user preferred shell:
TID 7017938 - How to configure Direct-SSH on Linux using a preferred shell
Note: It is not required to implement command rewriting to a user's preferred shell. Once EAC is applied (below), a user can switch to their own preferred shell with no loss of auditing or control; the rewrite is simply available for an admin who wants users placed in their preferred shell automatically.
- Add Enhanced Access Control (EAC) to the Authorizing Rule:
- Apply the Enhanced Access Control Policy script to the Command Control (CmdCtrl) Rule by drag and drop:
- For more details, please refer to Configuring a Command Control Policy.
- Configure an appropriate Path Policy for complete session control such as command blocking:
- For more details, please refer to Configuring a Path Policy.
- As an example, the following will allow all commands, block execution of particular commands and disallow write access to a particular file, with various log or command risk levels:
path default all
path /usr/bin/passwd !exec:log=9
path /usr/sbin/useradd !exec:log=4
path /tmp/confidential.txt read:!write:log=4
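To see what decisions the four policy lines above produce, here is a small interpreter for that path-policy syntax. It is an added example written for this article, not part of Privileged Account Manager, and it assumes a simplified semantics: one rule per path, `default` as the fallback, `!` negating an action, `log=N` attaching the log/risk level, and any action a specific rule does not mention falling back to the `default` rule. The policy text and the session it evaluates are constructed for the example.

```python
"""Simplified interpreter for the PAM path-policy lines quoted in the TID.

Model only (not PAM's own parser): one rule per path, 'default' as the
fallback, '!' negates an action, and 'log=N' attaches a log/risk level.
Actions a specific rule does not mention fall back to the default rule
(an assumption of this model).
"""
from dataclasses import dataclass

ACTIONS = ("read", "write", "exec")

# Constructed sample policy: the four lines from the TID's example.
POLICY_TEXT = """\
path default all
path /usr/bin/passwd !exec:log=9
path /usr/sbin/useradd !exec:log=4
path /tmp/confidential.txt read:!write:log=4
"""


@dataclass
class PathRule:
    path: str          # "default" or an absolute path
    allow: dict        # action -> True (permitted) / False (blocked)
    log: int           # log/risk level attached to audit events


def parse_policy(text: str) -> dict:
    """Parse 'path <target> <spec>' lines into a dict keyed by target."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "path":
            raise ValueError(f"unrecognised policy line: {line!r}")
        _, target, spec = parts
        allow, log = {}, 0
        for token in spec.split(":"):
            if token == "all":
                allow.update({a: True for a in ACTIONS})
            elif token.startswith("log="):
                log = int(token[4:])
            elif token.startswith("!") and token[1:] in ACTIONS:
                allow[token[1:]] = False
            elif token in ACTIONS:
                allow[token] = True
            else:
                raise ValueError(f"unknown token {token!r} in {line!r}")
        rules[target] = PathRule(target, allow, log)
    return rules


def evaluate(rules: dict, path: str, action: str) -> tuple:
    """Decide (allowed, log_level) for one access.

    The rule for the exact path wins; anything it does not say about
    `action` is taken from the 'default' rule (assumption of this model).
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    default = rules.get("default", PathRule("default", {}, 0))
    rule = rules.get(path)
    if rule is not None and action in rule.allow:
        return rule.allow[action], rule.log
    # Fall back to default; an action the default also omits is denied.
    return default.allow.get(action, False), default.log


def audit_line(rules: dict, user: str, path: str, action: str) -> str:
    """Render a one-line audit record for the decision (constructed format)."""
    allowed, log = evaluate(rules, path, action)
    verdict = "ALLOW" if allowed else "BLOCK"
    return f"{verdict} user={user} action={action} path={path} log={log}"


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    # Constructed session: what a user tries to do under this policy.
    for path, action in [("/bin/ls", "exec"),
                         ("/usr/bin/passwd", "exec"),
                         ("/usr/sbin/useradd", "exec"),
                         ("/tmp/confidential.txt", "read"),
                         ("/tmp/confidential.txt", "write")]:
        print(audit_line(rules, "alice", path, action))
```

Running it shows `/bin/ls` allowed at log level 0, both `passwd` and `useradd` blocked from execution at levels 9 and 4, and the confidential file readable but not writable at level 4; if a different fallback behaviour is wanted for unmentioned actions, `evaluate` is the one place to change it.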
- (optional) Add Command Risk Auto Disconnect or Auto Block:
Note: Although complete session control can be achieved with just EAC, where risky commands can be blocked entirely from execution, it may still be necessary to auto-disconnect or auto-block the user.
- For more details, please refer to the following sources:
Disconnecting the Session Automatically Based on Risk Level
Setting the Command Risk
- As an example, the following Command could be added to Command Risk with Auto Disconnect selected:
=~/^(|\/bin\/|\/sbin\/|\/usr\/bin\/)passwd(\s+|$)/
Note: EAC may already block passwd from being executed, but with this Command Risk entry the attempt would additionally auto-disconnect the user from their session.
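Because a Command Risk entry with Auto Disconnect ends the user's session on any match, it is worth checking the expression against the command lines it should and should not catch before enabling it. The following is an added example for this article, not PAM code: it compiles the expression above in Python (with the `=~/.../` wrapper removed, since Python's `re` takes the bare pattern) and runs it over a set of constructed command lines.

```python
import re

# The Command Risk expression from the TID, minus its =~/.../ wrapper.
# Prefix may be empty, /bin/, /sbin/ or /usr/bin/; 'passwd' must then be
# followed by whitespace or end of line, so 'passwdx' does not match.
PASSWD_RISK_PATTERN = re.compile(r"^(|\/bin\/|\/sbin\/|\/usr\/bin\/)passwd(\s+|$)")


def matches_passwd_risk(command: str) -> bool:
    """True when this command line would trigger the passwd Command Risk entry."""
    return PASSWD_RISK_PATTERN.search(command) is not None


def classify(commands) -> dict:
    """Map each command line to whether the risk expression matches it."""
    return {c: matches_passwd_risk(c) for c in commands}


# Constructed sample command lines, not captured from a real session.
SAMPLE_COMMANDS = [
    "passwd",                    # bare command: empty prefix alternative
    "passwd alice",              # with an argument
    "/usr/bin/passwd",           # full path
    "/bin/passwd\troot",         # tab counts as whitespace
    "/usr/local/bin/passwd",     # prefix not in the list: no match
    "passwdx",                   # not followed by whitespace/end: no match
    "sudo passwd alice",         # not anchored at start of line: no match
]

if __name__ == "__main__":
    for cmd, hit in classify(SAMPLE_COMMANDS).items():
        print(f"{'DISCONNECT' if hit else 'ok        '}  {cmd!r}")
```

Note the last three cases: the expression is anchored at the start of the line and only knows four prefixes, so a wrapper such as `sudo` or an unlisted install path is not caught by this entry alone, which is why the EAC path policy remains the primary control and Command Risk is layered on top of it.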