Defining Custom Related Commands
After a custom command is related to a command rule, the bastion host determines whether to execute the command based on the command rule.
Custom related commands are case-sensitive. If the command to execute is inconsistent with the configured one, the command rule will fail to be triggered. The following examples are for your reference:
- Single command format
If you want to configure a rule to deny the ls command, set the related command of the rule to ls. The rule is triggered when the single command ls is executed.
- Single command and path format
If you want to configure a rule to dynamically authorize the log query actions, set the related command of the rule to ls /var/log/. The rule is triggered when the command ls /var/log/ is executed. If the ls /var/log command is executed, the rule fails to be triggered.
- Commands that contain the wildcard character (*), which indicates one or more characters.
If you want to configure a rule to deny all deletion commands, set the related command of the rule to rm *. The rule is triggered when the command rm -rf is executed; while the rule will fail to be triggered if the rm command is executed.
- Commands that contain the question mark (?), which indicates any single character. The number of entered question marks indicates the number of unknown characters.
If you want to configure a rule to deny commands that will delete files or file directories containing two certain characters, set the related command to rm -rf ??. The rule is triggered when the command rm -rf ts is executed. The rule will fail to be triggered if the rm -rf test command is executed.
- Commands that contain a string or any characters enclosed in square brackets ([]) or negated ones in square brackets (using a vertical bar (|) or caret (^) to negate)
If you want to configure a rule to dynamically approve commands that will delete files or file directories containing any characters in the string "abcd", set the related command of the rule to rm -rf [abcd]. The rule is triggered when the command rm -rf cloud is executed. The rule will fail to be triggered if the rm -rf test or rm -rf ABCD command is executed.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot