Keystroke replay color-coding problem

Hi Brett,

I am facing a new problem. In the framework manager, under the reporting
tab, on viewing the command control reports, and checking the keystroke
replay, the commands are not coming in the color-coded way. Also the
options 'Show audited commands' and 'Show profile command' checkboxes
are disabled.

Please let me know, how to get the command control reports in a
color-coded manner, and how can these options be enabled.

I have mailed you the screenshots for the same at : brett at novell dot

I have mailed you from the following mailing ID:

Thanks and Regards,


  • Yogesh,

    To enable the color-coded user keystroke activity and the Command
    Risk Analysis Engine, you must have the proper Command Control Audit
    level set.

    The Command Control Audit level must be set to 1, which enables an
    additional level of audit to use with the Command Risk.

    For example, if you are giving the user a pcksh shell:

    You'd create a command of 'pcksh' and then use the Command rewrite to
    rewrite the 'pcksh' command to '/usr/bin/pcksh -o audit 1', and then a
    rule to match on this command.

    So if a user did the following:

    deni@sd5:~> usrun -u root pcksh

    It would actually run '/usr/bin/pcksh -o audit 1' as root.

    With the '-o audit 1' set, it will now look at the Command Risks you've

    To define Command Risk, login to the GUI | Command Control | select
    Commands | from the left nav, select 'Command Risk'

    Here are a few examples:

    Risk= 10
    Regex= checkmark

    This would mark anyone who ran 'password' or '/usr/bin/password'

    Or maybe you want to set a command risk anytime someone does an 'ls'
    against a private directory, such as '/data/private'

    Risk= 8
    Regex= checkmark
    Command= (^|/bin/)ls(\s|$)
    Working Directory= /data/private

    Or maybe you want to mark a reboot as risky.

    Risk= 9
    Regex= checkmark
    Command= (^|/sbin/)reboot$

    Hope this helps.


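To see what the Command Risk entries in the reply above actually flag, here is a small scorer that applies them to a constructed audit trail. This is an added example, not code from the original thread or from the Novell Command Control product; it assumes the 'Regex' checkbox means an unanchored Perl-style search over the audited command line, that a 'Working Directory' restriction covers that directory and everything below it, and that a command's risk is the highest risk among the rules it matches. The `ls` and `reboot` patterns are used as `(^|/bin/)ls(\s|$)` and `(^|/sbin/)reboot$`, which is my reading of the intent: the reply's literal `(\s |$)` requires two whitespace characters after `ls`, so `ls -la` would never match, and `(^|/sbin)` without a trailing slash never matches `/sbin/reboot`. Both literal patterns are kept in the block so the difference can be checked. The first rule on the page (risk 10 for `password`) is omitted because its Command pattern is not given. The `SESSION` audit lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CommandRisk:
    """One Command Risk entry as defined in the GUI: a risk score, a regex
    applied to the audited command line, and an optional working directory."""
    risk: int
    command: str
    working_dir: Optional[str] = None


# The two complete rules from the reply. Assumption: single `\s` and a slash
# after `/sbin`, correcting what look like typos in the posted patterns.
RULES: List[CommandRisk] = [
    CommandRisk(risk=8, command=r"(^|/bin/)ls(\s|$)", working_dir="/data/private"),
    CommandRisk(risk=9, command=r"(^|/sbin/)reboot$"),
]

# The patterns exactly as they appear in the reply, kept to show why they
# need the correction above.
PAGE_LS_PATTERN = r"(^|/bin/)ls(\s |$)"
PAGE_REBOOT_PATTERN = r"(^|/sbin)reboot$"


def pattern_matches(pattern: str, command: str) -> bool:
    """Unanchored regex search; assumed semantics of 'Regex= checkmark'."""
    return re.search(pattern, command) is not None


def in_working_dir(cwd: str, wanted: Optional[str]) -> bool:
    """Assumption: a Working Directory restriction covers the directory itself
    and every directory below it, compared on normalised absolute paths."""
    if wanted is None:
        return True
    base = wanted.rstrip("/") or "/"
    cwd = cwd.rstrip("/") or "/"
    return cwd == base or cwd.startswith(base + "/")


def score_command(command: str, cwd: str, rules: List[CommandRisk] = RULES) -> int:
    """Risk for one audited command: the highest risk among the rules that
    match both the command line and the working directory, 0 when none do
    (an unmarked command in the keystroke replay)."""
    return max(
        (r.risk for r in rules
         if pattern_matches(r.command, command) and in_working_dir(cwd, r.working_dir)),
        default=0,
    )


# Constructed audit trail for the example (not real product output):
# (working directory at the time, command line typed).
SESSION: List[Tuple[str, str]] = [
    ("/home/deni", "cd /data/private"),
    ("/data/private", "ls -la"),
    ("/data/private/hr", "/bin/ls salaries.csv"),
    ("/home/deni", "ls -la"),            # same command, outside the private tree
    ("/data/private", "lsof -i"),        # 'ls' is a prefix of another command
    ("/home/deni", "/sbin/reboot"),
    ("/home/deni", "reboot now"),        # '$' anchor: trailing argument breaks the match
]


def score_session(session: List[Tuple[str, str]] = SESSION,
                  rules: List[CommandRisk] = RULES) -> List[Tuple[str, str, int]]:
    """Score every line of a session, in order, as a replay viewer would."""
    return [(cwd, cmd, score_command(cmd, cwd, rules)) for cwd, cmd in session]


if __name__ == "__main__":
    for cwd, cmd, risk in score_session():
        print(f"risk={risk:2d}  cwd={cwd:<18} {cmd}")
    # The posted patterns, taken literally, miss the commands they were meant to catch:
    print("page ls pattern on 'ls -la':", pattern_matches(PAGE_LS_PATTERN, "ls -la"))
    print("page reboot pattern on '/sbin/reboot':",
          pattern_matches(PAGE_REBOOT_PATTERN, "/sbin/reboot"))
```

Two things worth noticing when writing your own entries: `(^|/bin/)` also matches `/usr/bin/ls`, because `/bin/` occurs inside that path, which is usually what you want; and without the `$` anchor a pattern like `reboot` would also fire on `reboot now`, so decide per rule whether arguments should change the match.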