Updated on 2024-06-12 GMT+08:00

Defining Custom Related Commands

After a custom command is related to a command rule, the CBH system determines whether to execute the command based on the command rule.

Custom related commands are case-sensitive. If the executed command does not match the configured related command, the command rule is not triggered. The following examples are for your reference:

  • Single command format

    If you want to configure a rule to deny the ls command, set the related command of the rule to ls. The rule is triggered when the single command ls is executed.

  • Single command and path format

    If you want to configure a rule to dynamically authorize log query actions, set the related command of the rule to ls /var/log/. The rule is triggered when the command ls /var/log/ is executed. If the command ls /var/log (without the trailing slash) is executed, the rule is not triggered.

  • Commands that contain the wildcard character (*), which indicates one or more characters.

    If you want to configure a rule to deny all deletion commands, set the related command of the rule to rm *. The rule is triggered when the command rm -rf is executed. The rule is not triggered when the command rm is executed on its own.

  • Commands that contain the question mark (?), which indicates any single character. The number of entered question marks indicates the number of unknown characters.

    If you want to configure a rule to deny commands that delete files or directories whose names consist of two unknown characters, set the related command to rm -rf ??. The rule is triggered when the command rm -rf ts is executed. The rule is not triggered when the command rm -rf test is executed.

  • Commands that contain a set of characters enclosed in square brackets ([]), or a negated set in square brackets (negated with a vertical bar (|) or caret (^))

    If you want to configure a rule to dynamically approve commands that will delete files or file directories containing any characters in the string "abcd", set the related command of the rule to rm -rf [abcd]. The rule is triggered when the command rm -rf cloud is executed. The rule will fail to be triggered if the rm -rf test or rm -rf ABCD command is executed.
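
As an added example (not Huawei Cloud code and not the CBH matching engine), the following Python model covers the first four formats above so that a related command can be checked against sample commands before the rule is deployed. It assumes that the whole command line must match and that * may span spaces; bracket sets are not modelled, and the function names and the LS case are constructed for illustration.

```python
import re


def rule_to_regex(related_command: str) -> re.Pattern:
    """Translate a related command into a case-sensitive regex (assumed model)."""
    parts = []
    for ch in related_command:
        if ch == "*":
            parts.append(".+")  # wildcard: one or more characters, as the page states
        elif ch == "?":
            parts.append(".")   # question mark: exactly one character
        elif ch in "[]":
            # Bracket sets are deliberately left out of this model.
            raise ValueError("bracket sets are not modelled here")
        else:
            parts.append(re.escape(ch))  # everything else is literal
    # No re.IGNORECASE: related commands are case-sensitive.
    return re.compile("".join(parts), re.DOTALL)


def is_triggered(related_command: str, executed: str) -> bool:
    """True if the executed command matches the related command in full."""
    return rule_to_regex(related_command).fullmatch(executed) is not None


# (related command, executed command) pairs. All come from the examples
# above except ("ls", "LS"), which is constructed to show case sensitivity.
CASES = [
    ("ls", "ls"),
    ("ls", "LS"),
    ("ls /var/log/", "ls /var/log/"),
    ("ls /var/log/", "ls /var/log"),
    ("rm *", "rm -rf"),
    ("rm *", "rm"),
    ("rm -rf ??", "rm -rf ts"),
    ("rm -rf ??", "rm -rf test"),
]


def coverage_report(cases):
    """Return (rule, command, triggered) for each pair."""
    return [(rule, cmd, is_triggered(rule, cmd)) for rule, cmd in cases]


if __name__ == "__main__":
    for rule, cmd, hit in coverage_report(CASES):
        print(f"{rule!r:16} {cmd!r:16} {'triggered' if hit else 'NOT triggered'}")
```

Rows reported as not triggered are the command variants the rule leaves uncovered, so each needs its own related command if it must be controlled as well.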