Updated on 2024-09-24 GMT+08:00

Creating a Command Rule

Command rules are used to control permissions for critical O&M operations on managed resources, implementing fine-grained control over the execution of commands on Linux hosts.

For hosts using SSH and Telnet protocols, a bastion host can record O&M session operations, trigger dynamic authorization, and disconnect connection to an operation session. A bastion host uses the guacd proxy to audit and filter the commands executed during operations based on the rule configured by the administrator. The proxy will return the audited commands, filtering results, and command output content for session operation recording, dynamic authorization, and disconnection.

With command rules, you can:

  • Sort command rules by priority. The rule in the upper position has the higher priority than the ones in a lower position.
  • Configure four command execution actions, including permitting, rejecting, requiring dynamic approval, and disconnecting the connection.
    • Permit: When a command rule is triggered, the system continues to execute the command. By default, all operations are allowed.
    • Reject command: After a command rule is triggered, the system rejects to execute the command and displays a message indicating that the command has been intercepted.
    • Disconnect: After a command rule is triggered, the system rejects to execute the command and disconnects the O&M session. The system displays a message indicating that the connection is forcibly disconnected by the administrator.
    • Dynamic approval: After a command rule is triggered, the system rejects to execute the command. The system displays a message indicating that the command has been intercepted and asking you to submit a command approval ticket. A command approval ticket is automatically generated. The command can be executed only after the ticket is submitted and approved.

Constraints

Command rules apply only to Linux hosts using the SSH or Telnet protocol for fine-grained permission control.

Prerequisites

You have obtained the permissions to manage the Cmd Rules module.

Creating a Command Rule

  1. Log in to your bastion host.
  2. Choose Policy > Cmd Rules > Cmd Rules.

    Figure 1 Cmd Rules

  3. Click New in the upper right corner of the page to switch to the New Command Rule dialog box.

    You can also select a command rule and choose More > Insert to create a command rule. After the configuration is complete, a new rule is created.

  4. Configure the basic information.

    Figure 2 New Command Rule
    Table 1 Basic information parameters

    Parameter

    Description

    Rule Name

    Name of a command rule. The rule name must be unique in a bastion host.

    Action

    Action executed by the command rule.

    The options are Disconnect, Reject command, Dynamic approval, and Permit.

    • Disconnect: When a session runs the command to bring the rule into effect, the session is disconnected.
    • Reject command: When a session runs the command to bring the rule into effect, the command is rejected directly.
    • Dynamic approval: When a session runs the command to bring the rule into effect, the command is rejected directly. The command must be submitted to the administrator for approval to be executed.
    • Permit: When a session runs the command to bring the rule into effect, the system runs the command.

    Period of validity

    Effective time and expiration time of the rule

    Time Limit

    Validity period of a rule

  5. Click Next and start to relate the command rule to one or more commands or command sets.

  6. Click Next and start to relate the command rule to one or more users or user groups.

    • After a user group is related to a command rule, users automatically obtain the permissions of the command rule the instant they are added to the user group.

  7. Select a created account or account group.

    • After a command rule is related to an account group, accounts automatically obtain the permissions of the rule the instant they are added to the account group.

  8. Click OK. You can then view the created command rule in the rule list.

    During O&M, when a command rule is triggered, the system executes configured actions accordingly.

    Users in the Relate User and Relate User Group must have been assigned a role that has ticket approval permissions. Otherwise, users cannot view the command approval ticket module or submit a ticket to obtain required permissions.

Follow-up Operations

In your bastion host, you can manage all command rules on the rule list page, including managing related users or resources, deleting, enabling, or disabling one or more command rules, and sorting command rules by priority.

  • To quickly relate a command rule to more users, user groups, accounts, or account groups, select the rule and click Relate in the Operation column.
  • To delete a command rule, select the rule and click Delete in the Operation column.
  • To disable command rules, select the ones you want to disable and click Disable at the bottom of the list. When the status of those rules changes to Disabled, they become invalid.
  • To change the priority of a command rule, select the rule and drag and drop it to an upper or lower position.