Keystroke replay color-coding problem


Hi Brett,

I am facing a new problem. In the framework manager, under the reporting
tab, on viewing the command control reports, and checking the keystroke
replay, the commands are not coming in the color-coded way. Also the
options 'Show audited commands' and 'Show profile command' checkboxes
are disabled.

Please let me know, how to get the command control reports in a
color-coded manner, and how can these options be enabled.

I have mailed you the screenshots for the same at: brett at novell dot
com

I have mailed you from the following mailing ID: mansi.t@tcs.com

Thanks and Regards,
Yogesh


--
yogesh09021983
------------------------------------------------------------------------
yogesh09021983's Profile: https://forums.netiq.com/member.php?userid=683
View this thread: https://forums.netiq.com/showthread.php?t=46056


  • Yogesh,

    To enable the color-coded user keystroke activity and the Command
    Risk Analysis Engine, you must have the proper Command Control Audit
    level set.

    The Command Control Audit level must be set to 1, which enables an
    additional level of audit to use with the Command Risk.

    For example, if you are giving the user a pcksh shell

    You'd create a command of 'pcksh' and then use the Command rewrite to
    rewrite the 'pcksh' command to '/usr/bin/pcksh -o audit 1'. And then a
    rule to match on this command.

    So if a user did the following:

    deni@sd5:~> usrun -u root pcksh
    #

    It would actually run '/usr/bin/pcksh -o audit 1' as root.

    With '-o audit 1' set, it will now look at the Command Risks you've
    defined.

    To define Command Risk, login to the GUI | Command Control | select
    Commands | from the left nav, select 'Command Risk'

    Here are a few examples:

    Risk= 10
    Regex= checkmark
    Command=(^|/usr/bin/)passwd

    This would mark anyone who ran 'passwd' or '/usr/bin/passwd'

    Or maybe you want to set a command risk anytime someone does an 'ls'
    against a private directory, such as '/data/private'

    Risk= 8
    Regex= checkmark
    Command= (^|/bin/)ls(\s|$)
    Working Directory= /data/private

    Or maybe you want to mark a reboot as risky.

    Risk= 9
    Regex= checkmark
    Command= (^|/sbin/)reboot$


    Hope this helps.

    -Brett


    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
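As an added worked example (this is not NetIQ Privileged User Manager code and not part of the reply above): a small Python model of how Command Risk entries like the three in the reply would score lines from a keystroke replay, which is what the color-coded report is built from. It assumes Python `re.search` semantics for the Regex checkbox, that an unchecked Regex box means an exact string match, and that a Working Directory entry matches that directory and anything beneath it; the product's actual engine may differ on any of those points. The replay lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class CommandRisk:
    """One Command Risk entry as defined in the GUI: Risk, Regex checkbox,
    Command pattern and an optional Working Directory."""
    risk: int
    command: str
    regex: bool = True
    working_directory: Optional[str] = None  # None = applies in any directory

    def matches(self, cmd: str, cwd: str) -> bool:
        # Assumption: Working Directory covers that directory and anything under it.
        if self.working_directory is not None:
            wd = self.working_directory.rstrip("/")
            if cwd != wd and not cwd.startswith(wd + "/"):
                return False
        if self.regex:
            # Assumption: the Regex checkbox behaves like an unanchored re.search.
            return re.search(self.command, cmd) is not None
        return cmd == self.command  # assumption: no Regex = exact match


# The three entries from the reply (trailing slash on /sbin/ so the path form matches).
RISKS = [
    CommandRisk(10, r"(^|/usr/bin/)passwd"),
    CommandRisk(8, r"(^|/bin/)ls(\s|$)", working_directory="/data/private"),
    CommandRisk(9, r"(^|/sbin/)reboot$"),
]


def score(cmd: str, cwd: str, risks=RISKS) -> int:
    """Highest Risk of any matching entry; 0 when nothing matches."""
    return max((r.risk for r in risks if r.matches(cmd, cwd)), default=0)


# Constructed keystroke-replay lines: (working directory, command typed in the
# audited pcksh session). Not taken from a real audit log.
REPLAY = [
    ("/home/deni", "id"),
    ("/home/deni", "/usr/bin/passwd"),
    ("/data/private", "ls -la"),
    ("/tmp", "ls -la"),
    ("/home/deni", "/sbin/reboot"),
]


def score_replay(replay=REPLAY, risks=RISKS):
    """Annotate each replay line with its risk, as the color-coded report would."""
    return [(cwd, cmd, score(cmd, cwd, risks)) for cwd, cmd in replay]


def slash_check():
    """Worked caveat: dropping the slash inside the alternation turns the
    pattern into '/sbinreboot' and it silently stops matching '/sbin/reboot'."""
    broken = CommandRisk(9, r"(^|/sbin)reboot$")
    fixed = CommandRisk(9, r"(^|/sbin/)reboot$")
    return broken.matches("/sbin/reboot", "/"), fixed.matches("/sbin/reboot", "/")


if __name__ == "__main__":
    for cwd, cmd, risk in score_replay():
        print(f"[{cwd}] {cmd!r:24} risk={risk}")
    print("slash check (broken, fixed):", slash_check())
```

Two things worth checking against your own entries once the audit level is in place: the passwd pattern has no trailing anchor, so `passwd2` would score 10 as well, and because the alternation is `^` or the full path, `sudo passwd` typed inside the shell scores 0 under that rule. Test each regex against the literal command lines you expect to see in the replay before relying on the color coding.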