Set up Command Filter Lists (CFL)

Command filtering, like Socket Filters, uses whitelists and blacklists to set the appropriate policy.
  • Blacklist: a list of commands that a user cannot type. If the user attempts to type the command, Privileged Access Manager can flag (log), alert, remediate, and stop the command from being processed. All other commands are allowed.
  • Whitelist: a list of the commands that a user can type. All other commands are prohibited.
Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
Create Command Filter Lists (CFLs) in the user interface using the CFL template or by importing a CSV. See Import or Export Command Filter Lists for information about importing a command filter list with a CSV.
Use the CFL Template
Use the following procedure to create and manage Command Filter Lists using the CFL template. Follow these steps:
  1. Select from the Menu Bar: Policies, Manage Policy Filters.
  2. The Command Filters page appears.
  3. Select the ADD button. The Add Command Filter window appears.
  4. Enter a Name for this command filter list.
  5. Specify the Type of list:
    • Blacklist denies only the listed command strings.
      If a user submits a CLI command to a device that is on the blacklist, the user request is denied. This denial applies per character: after sufficient characters (literal Keyword or Regexp) have been entered to match a violation criterion, the specified action (Alert/Block) is applied. You must configure a policy for this user that specifies the blacklist.
    • Whitelist allows only the listed command strings.
      If a user submits a CLI command to a device that is on the whitelist, then that command is allowed. This allowance applies per line string entered: the permission test is made following a linefeed/Enter/carriage return. You must configure a policy for this user that specifies the whitelist.
    Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
  6. Select the plus icon to Add a new Keyword.
  7. In the Keyword field, enter a command string. Depending on which type of list you are creating:
    1. If you are creating a blacklist, then for each Keyword to test, you must select one or more controls:
      • Alert – Select this box to alert the Monitoring administrator immediately by email with each instance of a Keyword violation.
      • Block – Select this box for the command line containing the Keyword to be canceled immediately and prevented from executing.
      • Regexp – Select this box if the Keyword field specifies a regular expression to be applied to the actual command entered. Whenever a command that is entered by the User conforms to the regexp, the command is flagged as a violation.
      When both Regexp and Alert are selected, the body of the alert message does not include the Keyword regular expression string, for security reasons.
      Select at least one of the three checkboxes, or the Keyword has no effect.
      Important: When populating the Keyword field for a blacklist using Regexp, begin with a start-of-line metacharacter, typically ^. However, because a blacklist keyword string is evaluated character by character, the end-of-line metacharacter (ordinarily $) is never interpreted and is therefore unnecessary.
      Example: Match (prevent) a user key entry of exactly: who -a
      Fill the Keyword field with one of the following regular expressions:
      • Correct: ^who -a
      • Correct: ^who -a$
      However, each of the following regular expressions does not work correctly:
      • Incorrect: who -a
      • Incorrect: who -a$
    2. If you are creating a whitelist, then for each Keyword to test, you can select:
      • Regexp – Select this box if the Keyword field specifies a regular expression to be applied to the actual command entered. The regular expressions that are permitted follow the Perl-style syntax supported by the Oracle® java.util.regex API. The command succeeds only when it conforms to one or more of the regexps or commands in this whitelist.
      When populating the Keyword field for a whitelist using Regexp, it does not matter whether you include the start-of-line (ordinarily ^) or end-of-line (ordinarily $) metacharacters. These metacharacters are implied: the string that the user enters is automatically anchored by both of them.
      Example: Match (allow) a user entry of exactly: who
      Enter Keyword field content of any of the following regular expressions:
      • Correct: who
      • Correct: ^who
      • Correct: ^who$
      • Correct: who$
      Example: [Ll][Ss] +
      This regular expression permits variations of uppercase or lowercase on the UNIX command ls, but requires that a space be added for the expression to be accepted.
      Example: [Ll][Ss] +\-[LlAa][LlAa]?
      This regular expression is a variant of the previous example, based on ls -al, in which uppercase and lowercase are again permitted. But the order of the two characters al is arbitrary, and two or more spaces are required between the command and its argument. Because the command filter string is anchored by start-of-line and end-of-line metacharacters, trailing spaces are prohibited in this example.
  8. Select the OK button to save the settings. The list is now effective in Privileged Access Manager, and available for inspection or editing on the Command Filter list page.
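The two evaluation rules described in steps 5 and 7, per-character blacklist matching versus whole-line whitelist matching with implied anchors, as an added example in Python (not product code). It assumes a literal blacklist keyword matches as a substring of the text typed so far, a literal whitelist keyword must equal the whole line, and blacklist regexps start with ^ as the step instructs; the ls -al pattern is written with two spaces before the +, matching the text's "two or more spaces".

```python
import re

# Constructed model of Command Filter List evaluation as this page describes it
# (added example, not the product's code). Blacklist keywords are evaluated
# character by character against the text typed so far, so the Alert/Block
# action fires before Enter; whitelist keywords are evaluated once per line,
# with ^ and $ implied (re.fullmatch). Differences between Python's re and
# java.util.regex do not affect these simple patterns.

def blacklist_hit(keyword, is_regexp, typed):
    """Return the number of characters typed when `keyword` first matches,
    or None. Assumes a regexp keyword starts with ^ as the page instructs;
    the product's failure on unanchored blacklist regexps is not modelled."""
    for n in range(1, len(typed) + 1):
        prefix = typed[:n]
        if is_regexp:
            if re.match(keyword, prefix):
                return n
        elif prefix.endswith(keyword):  # assumption: literal keywords match as substrings
            return n
    return None

def whitelist_allows(keywords, line):
    """keywords: list of (keyword, is_regexp). The line, tested only after
    Enter, is allowed when any entry matches it in full."""
    for keyword, is_regexp in keywords:
        if is_regexp:
            if re.fullmatch(keyword, line):  # implied ^ and $
                return True
        elif keyword == line:  # assumption: a literal keyword must equal the whole line
            return True
    return False

# Patterns from the page. LS_AL uses two spaces before '+' so that two or more
# spaces are required, as the page's text states; the single space shown on
# the page is assumed to be HTML whitespace collapsing.
LS_ANY = r"[Ll][Ss] +"
LS_AL = r"[Ll][Ss]  +\-[LlAa][LlAa]?"

if __name__ == "__main__":
    print(blacklist_hit("^who -a", True, "who -a; id"))  # 6: blocked mid-line
    print(whitelist_allows([(LS_AL, True)], "LS  -la"))  # True
    print(whitelist_allows([(LS_AL, True)], "ls -al"))   # False: only one space
```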
Search Command Filter Lists
You can search existing command filter lists for matches to a character substring by using the Search field. This search flags a list when there is a match in its Name field, and when there is a match in any of the Keyword fields for that list.