
Filter commands executed on remote servers using command guard

How to restrict commands that a gateway user can execute on remote servers in Ezeelogin?


Synopsis: In this article we configure command guard in Ezeelogin so that an SSH gateway user "Tom", who is a JuniorTech, can run only the following commands (wget, touch, w, top, tcpdump, iftop) on remote servers (kvm, vps, hostnodes).



Step 1: Enable command guard globally from Ezeelogin GUI -> Settings -> General -> Security -> Command Guard -> Enable

Step 2: Add the commands ("tcpdump", "wget", "touch", "top", etc.) in the command guard -> commands tab. Select the required mode (Normal, PCRE or Password) from the drop-down.

Step 2.a: Refer to the example below to add a PCRE regular expression (PCRE is more compatible and configurable).

Step 2.b: Refer to the example below to add a normal regular expression, which uses POSIX regular expression syntax.

Step 2.c: Refer to the example below to add a password for the remote user, which can be used when command guard is enabled and a remote user needs to switch users (password will be saved in encrypted format and cannot be viewed after saving).

Command guard tab will list all the commands that have been added.

Step 3: Create command group called “JuniorTechCmds” and assign the commands “top,iftop,w,tcpdump,wget”  to the group.

Step 4: Create UserGroup called "Junior Techs" and assign the command group as shown below.

If the UserGroup already exists, then edit and select the “JuniorTechCommands” in Command Guard and click "Allow" and then “Save”.

Step 5: Edit the user "Tom" and assign the gateway user to the user group "Junior Techs".

Step 6: Log in to the remote server "web.eznoc.com" via the ezsh shell as user tom (UserGroup “Junior Techs”).

The user "Tom" will only be able to run the commands that are added in the command group “JuniorTechCommands”.

6 a.) The example below shows that the user "Tom" is allowed to run only the commands added in the "JuniorTechcommands" group.

NOTE:

Allow will let the gateway users in the usergroup execute only those commands matching the regular expressions of the commands in the command group.

Disallow will prevent the gateway users in the usergroup from executing any of the commands matching the regular expressions of the commands in the command group, and will let the users execute all other commands.

6 b.) The example below shows that the user "Tom" is not allowed to run the commands that are added in the "JuniorTechcommands" group.


Refer to some examples of regular expressions:

  • The following image shows an example of a regular expression in PCRE format.

  • The following image shows another example of a regular expression that matches fdisk with edit options only. If a command group with this command is disallowed, the user cannot use fdisk to edit the partition table but can still list partitions.

  • The following image shows regular expressions to block a user from executing the "kubectl" command with the "delete" option.

  • The following image shows another example of a regular expression that matches deleting files and directories from the command line with "rm -rf".
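The Allow and Disallow behaviour described in the NOTE above can be checked against a command group before it is assigned to a user group. The following is an added example, not Ezeelogin code: it models a command guard that searches each command line for any pattern in the group (an assumption about the matcher), uses Python's `re` as a stand-in for PCRE mode, and all patterns and sample command lines are constructed.

```python
import re

# Constructed patterns for the JuniorTech commands (not taken from Ezeelogin).
# Anchored with ^...$ and arguments limited to a conservative character set.
ARG = r"[\w./:=-]+"
ANCHORED = [
    r"^(top|iftop|w)$",
    rf"^tcpdump(\s+{ARG})*$",
    rf"^wget(\s+{ARG})+$",
    rf"^touch(\s+{ARG})+$",
]
# The same commands entered as bare, unanchored patterns.
UNANCHORED = ["top", "iftop", "w", "tcpdump", "wget", "touch"]

def permitted(patterns, mode, command):
    """Allow permits only matching commands; Disallow permits all others."""
    hit = any(re.search(p, command.strip()) for p in patterns)
    if mode == "allow":
        return hit
    if mode == "disallow":
        return not hit
    raise ValueError(f"unknown mode: {mode}")

def audit(patterns, mode, should_pass, should_block):
    """Return the command lines whose decision differs from the intended policy."""
    wrong = [c for c in should_pass if not permitted(patterns, mode, c)]
    wrong += [c for c in should_block if permitted(patterns, mode, c)]
    return wrong

# Constructed test cases: what Tom should and should not be able to run.
SHOULD_PASS = ["top", "w", "iftop", "tcpdump -i eth0",
               "wget https://example.com/f.tgz", "touch /tmp/a"]
SHOULD_BLOCK = ["whoami", "shutdown -r now", "fdisk /dev/sda", "stop-service"]

if __name__ == "__main__":
    for name, group in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        wrong = audit(group, "allow", SHOULD_PASS, SHOULD_BLOCK)
        print(f"{name}: {'OK' if not wrong else 'policy mismatch: ' + repr(wrong)}")
```

With the unanchored group, the single-letter pattern "w" and the pattern "top" match inside unrelated command lines, so Allow mode permits more than the six intended commands.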


NOTE:

Command guard uses IEEE Std 1003.2 (“POSIX.2”) regular expressions by default.

PCRE regular expressions are supported from Ezeelogin version 7.38.0. Upgrade to the latest version to use this feature.

Note: Command guard is an experimental feature (a user can bypass command guard by using scripts, the up arrow key, the tab key, etc.).

