Set up Command Filter Lists (CFL)
Command filtering, like Socket Filters, uses whitelists and blacklists to set the appropriate policy.
- A blacklist is a list of commands that a user cannot type. If the user attempts to type the command, Privileged Access Manager can flag (log), alert, remediate, and stop the command from being processed. All other commands are allowed.
- A whitelist is a list of the commands that a user can type. All other commands are prohibited.
Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
Create Command Filter Lists (CFLs) in the user interface using the CFL template or by importing a CSV. See Import or Export Command Filter Lists for information about importing a command filter list with a CSV.
Use the CFL Template
Use the following procedure to create and manage Command Filter Lists using the CFL template. Follow these steps:
- Select from the Menu Bar: Policies, Manage Policy Filters.
- The Command Filters page appears.
- Select the ADD button. The Add Command Filter window appears.
- Enter a Name for this command filter list.
- Specify the Type of list:
  - A Blacklist denies only the listed command strings. If a user submits a CLI command to a device that is on the blacklist, the user request is denied. The denial is applied per character: as soon as the characters entered so far match a violation criterion (a literal Keyword or a Regexp), the specified action (Alert/Block) is applied, without waiting for Enter. You must configure a policy for this user that specifies the blacklist.
  - A Whitelist allows access only to the listed command strings. If a user submits a CLI command to a device that is on the whitelist, the command is allowed. The allowance is applied per line string entered: the permission test is made after a linefeed/Enter/carriage return. You must configure a policy for this user that specifies the whitelist.
Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
- Select the plus icon to Add a new Keyword.
- In the Keyword field, enter a command string. Depending on which type of list you are creating:
  - If you are creating a blacklist, then for each Keyword to test, you must select one or more controls:
    - Alert – Select this box to alert the Monitoring administrator immediately by email with each instance of a Keyword violation.
    - Block – Select this box for the command line containing the Keyword to be canceled immediately and prevented from executing.
    - Regexp – Select this box if the Keyword field specifies a regular expression to be applied to the actual command entered. Whenever a command entered by the user conforms to the regexp, the command is flagged as a violation.
    When both Regexp and Alert are selected, the body of the alert message does not include the Keyword regular expression string, for security reasons. If the Keyword is a regular expression rather than a literal character match, you must select the Regexp checkbox. No action is taken unless you select Alert and/or Block.
    Alert and Block log the violation in the sessions log of the local node where the violation occurred. For example, if a standard user commits a violation after logging in to their access method from a secondary site node in a cluster, that violation is logged only in the sessions log of that particular secondary site cluster node. Furthermore, to receive email for Alerts, you must have the Admin Email configured and the Monitor started on the particular cluster node where the violation occurred. See Set Up Email for Monitoring for more details.
    Important: When populating the Keyword field for a blacklist using Regexp, begin with a start-of-line metacharacter, typically ^. Because a blacklist keyword string is evaluated character by character as it is typed, the end-of-line metacharacter (ordinarily $) is never interpreted and is therefore unnecessary.
    Example: Match (prevent) a user key entry of exactly who -a. Fill the Keyword field with one of the following regular expressions:
    - Correct: ^who -a
    - Correct: ^who -a$
    The following do not work correctly, because without the ^ anchor they also match any command line that merely contains who -a (for example, echo who -a):
    - Incorrect: who -a
    - Incorrect: who -a$
  - If you are creating a whitelist, then for each Keyword to test, you can select:
    - Regexp – Select this box if the Keyword field specifies a regular expression to be applied to the actual command entered. The regular expressions that are permitted follow the syntax supported by the Perl-based Oracle® java.util.regex API. The command succeeds only when it conforms to one or more of the regexps or literal commands in this whitelist.
    When populating the Keyword field for a whitelist using Regexp, it does not matter whether you include the start-of-line (ordinarily ^) or end-of-line (ordinarily $) metacharacters. These metacharacters are implied: the string that the user enters is automatically anchored by both of them, so the whole line must match the keyword, not just a part of it.
    Example: Match (allow) a user entry of exactly who. Enter any of the following regular expressions in the Keyword field:
    - Correct: who
    - Correct: ^who
    - Correct: ^who$
    - Correct: who$
    Example: [Ll][Ss] +
    This regular expression permits uppercase or lowercase variations of the UNIX command ls, but requires that at least one space follow the command for the entry to be accepted (the + quantifier applies to the preceding space).
    Example: [Ll][Ss] +\-[LlAa][LlAa]?
    This regular expression is a variant of the previous example, based on ls -al, in which uppercase and lowercase are again permitted. The order of the two characters a and l is arbitrary, and at least one space is required between the command and its argument. Note that the character class also admits a single letter (-a, -l) and repeated letters (-aa, -ll), so write the class more narrowly if that is not intended. Because the command filter string is anchored by start-of-line and end-of-line metacharacters, trailing spaces are prohibited in this example.
- Select the OK button to save the settings. The list is now effective in Privileged Access Manager, and available for inspection or editing on the Command Filter list page.
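The two evaluation models described above (a blacklist tested on every keystroke, a whitelist tested once at Enter with implicit ^ and $ anchors) are easy to misjudge when writing keywords. The following simulation is an added example, not Privileged Access Manager's own filter engine: it models the documented behaviour so you can check a keyword against sample input before deploying it. Python's re module stands in for the java.util.regex syntax the product uses (equivalent for the patterns on this page); the choice to test the growing buffer with a search and to drop a trailing $ from blacklist keywords is a modelling assumption that mirrors the documented "never interpreted" behaviour.

```python
import re


def _compile(keyword, regexp):
    """Literal keywords are escaped; Regexp keywords are used as written."""
    return re.compile(keyword if regexp else re.escape(keyword))


def blacklist_violation(keyword, keystrokes, regexp=False):
    """Blacklist model: re-test the buffer after every keystroke and fire as soon
    as the characters typed so far match. Because the buffer keeps growing, the
    test is a search over the prefix typed so far, so only a leading ^ pins the
    keyword to the start of the command line. A trailing $ is documented as never
    interpreted; it is dropped here to mirror that (modelling assumption).
    Returns the 1-based keystroke count at which Alert/Block fires, or None."""
    if regexp and keyword.endswith("$") and not keyword.endswith(r"\$"):
        keyword = keyword[:-1]
    pat = _compile(keyword, regexp)
    for n in range(1, len(keystrokes) + 1):
        if pat.search(keystrokes[:n]):
            return n
    return None


def whitelist_allows(keywords, line):
    """Whitelist model: tested once, when Enter is pressed, against the whole
    line. The keyword is implicitly anchored at both ends, so fullmatch is used;
    explicit ^ and $ inside the keyword are harmless. keywords is a list of
    (keyword, is_regexp) tuples; any one of them matching allows the line."""
    return any(_compile(kw, rx).fullmatch(line) is not None for kw, rx in keywords)


if __name__ == "__main__":
    # Constructed keystroke streams, as a user would type them before Enter.
    print(blacklist_violation("^who -a", "who -a; id", regexp=True))   # fires at 6
    print(blacklist_violation("^who -a", "echo who -a", regexp=True))  # None
    print(blacklist_violation("who -a", "echo who -a", regexp=True))   # 11: unanchored, over-broad
    print(blacklist_violation("rm -rf", "sudo rm -rf /tmp/x"))         # 11: literal, fires mid-line
    print(whitelist_allows([("who", False)], "who"))                   # True
    print(whitelist_allows([("who", False)], "whoami"))                # False: implicit $
    ls_rule = [(r"[Ll][Ss] +\-[LlAa][LlAa]?", True)]
    print(whitelist_allows(ls_rule, "LS  -la"))                        # True
    print(whitelist_allows(ls_rule, "ls -aa"))                         # True: class admits repeats
    print(whitelist_allows(ls_rule, "ls -al "))                        # False: trailing space
```

The literal `rm -rf` case shows why blacklists are evaluated per character: the action fires as soon as the offending text is complete, before the user has finished typing the path. The `ls -aa` case shows the caveat noted above on `[LlAa][LlAa]?`.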
Search Command Filter Lists
You can search existing command filter lists for matches to a character substring by using the Search field. This search flags a list when there is a match in its Name field or in any of the Keyword fields for that list.