Set up Command Filter Lists (CFL)

Command filtering, like Socket Filters, uses whitelists and blacklists to set the appropriate policy.
  • A blacklist is a list of commands that a user cannot type. If the user attempts to type the command, Privileged Access Manager can flag (log), alert, remediate, and stop the command from being processed. All other commands are allowed.
  • A whitelist is a list of the commands that a user can type. All other commands are prohibited.
Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
Create Command Filter Lists (CFLs) in the user interface using the CFL template or by importing a CSV. See Import or Export Command Filter Lists for information about importing a command filter list with a CSV.
Use the CFL Template
Use the following procedure to create and manage Command Filter Lists using the CFL template:
  1. Select Policies, Manage Policy Filters from the Menu Bar.
  2. The Command Filters page appears.
  3. Select the ADD button. The Add Command Filter window appears.
  4. Enter a Name for this command filter list.
  5. Specify the Type of list:
    • A Blacklist denies only the listed command strings. If a user submits a CLI command that is on the blacklist to a device, the request is denied. This denial applies per character: as soon as enough characters have been entered to match a violation criterion (literal Keyword or Regexp), the specified action (Alert/Block) is applied. You must configure a policy for this user that specifies the blacklist.
    • A Whitelist allows only the listed command strings. If a user submits a CLI command that is on the whitelist to a device, the command is allowed. This allowance applies per line string entered: the permission test is made after a linefeed/Enter/carriage return. You must configure a policy for this user that specifies the whitelist.
    Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
  6. Select the plus icon to Add a new Keyword.
  7. In the Keyword field, enter a command string. Depending on which type of list you are creating:
    1. If you are creating a blacklist, then for each Keyword to test, you must select one or more controls:
      • Alert – Select this box to alert the Monitoring administrator immediately by email with each instance of a Keyword violation.
      • Block – Select this box for the command line containing the Keyword to be canceled immediately and prevented from executing.
      • Regexp – Select this box if the Keyword field specifies a regular expression to be applied to the actual command entered. Whenever a command entered by the user conforms to the regexp, the command is flagged as a violation.
      • When both Regexp and Alert are selected, the body of the alert message does not include the Keyword regular expression string, for security reasons.
      If the Keyword is a regular expression and not simply a literal character match, then you must select the Regexp checkbox. No action is taken unless you select Alert and/or Block.
      Alert and Block log the violation in the sessions log of the local node where the violation occurred. For example, if a standard user commits a violation after having logged into their access method from a secondary site node in a cluster, that violation is logged only in the sessions log of that particular secondary site cluster node. Furthermore, to receive email on the Alerts, you must have the Admin Email configured and the Monitor started on the particular cluster node where the violation occurred. See Set Up Email for Monitoring for more details.
      Important: When populating the Keyword field for a blacklist using Regexp, begin with a start-of-line metacharacter, typically ^. However, because a blacklist keyword string is evaluated character by character, the end-of-line metacharacter (ordinarily $) is never interpreted and is therefore unnecessary.
      Example: Match (prevent) a user key entry of exactly who -a. Fill the Keyword field with one of the following regular expressions:
      • Correct: ^who -a
      • Correct: ^who -a$
      However, each of the following regular expressions does not work correctly:
      • Incorrect: who -a
      • Incorrect: who -a$
    2. If you are creating a whitelist, then for each Keyword to test, you can select:
      • Regexp – Select this box if the Keyword field specifies a regular expression to be applied to the actual command entered. The permitted regular expressions follow the Perl-like syntax supported by the Oracle® java.util.regex API. The command succeeds only when it conforms to one or more of the regexps or commands in this whitelist.
      When populating the Keyword field for a whitelist using Regexp, it does not matter whether you include the start-of-line (ordinarily ^) or end-of-line (ordinarily $) metacharacters. These metacharacters are implied: the string that the user enters is automatically anchored by both of them.
      Example: Match (allow) a user entry of exactly who. Enter any of the following regular expressions in the Keyword field:
      • Correct: who
      • Correct: ^who
      • Correct: ^who$
      • Correct: who$
      Example: [Ll][Ss] +
      This regular expression permits uppercase or lowercase variations of the UNIX command ls, but requires that a space be added for the expression to be accepted.
      Example: [Ll][Ss] +\-[LlAa][LlAa]?
      This regular expression is a variant of the previous example, based on ls -al, in which uppercase and lowercase are again permitted. But the order of the two characters al is arbitrary, and two or more spaces are required between the command and its argument. Because the command filter string is anchored by start-of-line and end-of-line metacharacters, trailing spaces are prohibited in this example.
  8. Select the OK button to save the settings. The list is now effective in Privileged Access Manager, and available for inspection or editing on the Command Filter list page.
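The two evaluation rules described in step 5 and step 7 (a blacklist is re-tested after every keystroke and needs an explicit ^, a whitelist is tested once per line with ^ and $ implied) simulated in Python, as an added example that is not part of this page or of Privileged Access Manager. `Entry`, `whitelist_allows` and `blacklist_check` are assumed names, and the simulation does not reproduce how the product handles the unanchored or $-terminated blacklist patterns that the page marks as incorrect.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    """One Keyword row of a CFL: the string plus its Regexp/Alert/Block boxes."""
    keyword: str
    regexp: bool = False
    alert: bool = False   # blacklist only
    block: bool = False   # blacklist only


def whitelist_allows(entries: List[Entry], line: str) -> bool:
    """Whitelist test, run once per line when Enter is pressed.
    ^ and $ are implied, so the entire line must match an entry;
    a literal keyword therefore has to equal the whole line."""
    for e in entries:
        if e.regexp:
            if re.fullmatch(e.keyword, line):
                return True
        elif line == e.keyword:
            return True
    return False


def blacklist_check(entries: List[Entry], typed: str) -> Optional[Tuple[int, List[str]]]:
    """Blacklist test, re-run after every keystroke against the buffer so far.
    Returns (characters typed, actions) at the first violation, or None.
    Regexp keywords are expected to start with ^ as the page requires; a
    literal keyword is modelled as a substring of the buffer (assumption)."""
    buf = ""
    for count, ch in enumerate(typed, 1):
        buf += ch
        for e in entries:
            actions = [a for a, on in (("alert", e.alert), ("block", e.block)) if on]
            if not actions:          # neither box ticked: no action is taken
                continue
            hit = re.search(e.keyword, buf) if e.regexp else e.keyword in buf
            if hit:
                return count, actions
    return None


if __name__ == "__main__":
    wl = [Entry("who"), Entry(r"[Ll][Ss] +", regexp=True),
          Entry(r"[Ll][Ss] +\-[LlAa][LlAa]?", regexp=True)]
    for line in ("who", "who -a", "ls", "LS  ", "ls -al", "ls -al "):
        print(repr(line), "allowed" if whitelist_allows(wl, line) else "denied")
    bl = [Entry("^who -a", regexp=True, alert=True, block=True)]
    print(blacklist_check(bl, "who -all"))   # fires after 6 characters, before Enter
```

Note that a per-character blacklist fires on a matching prefix, so ^who -a also stops "who -all"; and ` +` in the ls examples accepts one or more spaces, so a pattern that really requires two or more, as the prose describes, needs the space written twice before the +.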
Search Command Filter Lists
You can search existing command filter lists for matches to a character substring by using the Search field. This search flags a list when there is a match in its Name field, or in any of the Keyword fields for that list.