kenelmulric_d

Command Restriction not working

Hi All,

I'm currently configuring the command restriction; however, it's not working.

I configured the command restriction with the use of EAC.

Here is the policy


The logging is working: when I see the keystrokes, the color-coded risk is there, but the !exec is not working.

Thanks!
Micro Focus Expert

Re: Command Restriction not working

Does it make a difference if you enter the complete path to the command in the terminal session, as defined here in the EAC policy? For example, if you enter "useradd" in the terminal, it may not be resolving to the path defined in the EAC policy (i.e. "which useradd").
kenelmulric_d

Re: Command Restriction not working

So I have finally determined what's happening.

Basically, I have 2 sets of EAC.

For SysAD:
https://i.imgur.com/Tg0syXu.png

For DBA:
https://i.imgur.com/UOwaO1x.png

So the rule book looks like this:
https://i.imgur.com/ISWplm0.png

So if both of the Command Restriction rules are enabled, only 1 of them is working, which is the SysAD Command Restriction; I have to disable that first for the DBA Command Restriction to work.

Does this mean that I can only have 1 EAC?
Micro Focus Expert

Re: Command Restriction not working

No, I believe this means that both rules are matched when the session request comes through. So the request is valid for both rules, and the result is a layering, which is by design.
To fix, you should see about adding another cmdctrl filter that restricts the request more, so that only 1 of the 2 is matched when the session request comes through to cmdctrl.

For example, consider adding a User Group > user (Submit User) Rule Condition on them so each rule applies to a certain set of users.

For more details, please refer to the following:
https://www.netiq.com/documentation/privileged-account-manager-35/npam_admin/data/bjfzqbk.html#rules_overview
"When the Framework Manager receives a command request, the evaluation starts at the top of the rule tree. Even when a request matches a rule, the evaluation continues until a rule has a stop condition or the rule tree has been processed."
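To make the evaluation behaviour quoted above concrete, here is an added toy model of an ordered rule tree in Python. It is not NetIQ PAM code and does not claim to reproduce the product's exact precedence semantics; the rule names, the submit users (alice, bob), their groups and the denied commands are constructed for the illustration. It shows that a request with no discriminating condition matches both Command Restriction rules (layering), that a Submit User group condition narrows each request to one rule, and that a stop condition ends the walk early.

```python
"""Toy model of ordered rule-tree evaluation with layering and stop conditions.

Added example, not NetIQ PAM code.  It follows the documented behaviour:
every rule is tested top to bottom, a match does not end the walk, each
match layers its restrictions onto the outcome, and evaluation stops early
only when a matching rule carries a stop condition.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample data (not from the thread): submit users and their groups.
USER_GROUPS: Dict[str, str] = {"alice": "sysad", "bob": "dba"}


@dataclass(frozen=True)
class Request:
    submit_user: str
    command: str  # command name as typed, e.g. "useradd"


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]  # rule condition; True means the rule applies
    denied: Set[str]                      # commands this rule blocks (its !exec list)
    stop: bool = False                    # stop condition: halt evaluation after a match


def evaluate(rules: List[Rule], req: Request) -> Tuple[List[str], bool]:
    """Walk the ordered rule list; return (names of matched rules, allowed)."""
    matched: List[str] = []
    allowed = True
    for rule in rules:
        if not rule.condition(req):
            continue
        matched.append(rule.name)          # every matching rule is recorded: layering
        if req.command in rule.denied:
            allowed = False                # any matched rule that denies wins
        if rule.stop:
            break                          # only a stop condition ends the walk early
    return matched, allowed


def in_group(group: str) -> Callable[[Request], bool]:
    """Build a 'User Group > user (Submit User)'-style condition."""
    return lambda req: USER_GROUPS.get(req.submit_user) == group


def build_rules(scoped: bool, stop_first: bool = False) -> List[Rule]:
    """Two Command Restriction rules (names and command lists are constructed).

    scoped=False mirrors the original setup, where both rules apply to any
    submit user; scoped=True adds the group condition the reply suggests.
    """
    def any_user(req: Request) -> bool:
        return True

    return [
        Rule("SysAD Command Restriction",
             in_group("sysad") if scoped else any_user,
             denied={"useradd", "userdel"}, stop=stop_first),
        Rule("DBA Command Restriction",
             in_group("dba") if scoped else any_user,
             denied={"dropdb", "mysqladmin"}),
    ]


if __name__ == "__main__":
    bob_useradd = Request("bob", "useradd")
    # Unscoped: both rules match, so the SysAD !exec also applies to the DBA.
    print(evaluate(build_rules(scoped=False), bob_useradd))
    # Scoped by submit-user group: only the DBA rule matches.
    print(evaluate(build_rules(scoped=True), bob_useradd))
    # Stop condition on the first rule: the walk ends after the first match.
    print(evaluate(build_rules(scoped=False, stop_first=True), bob_useradd))
```

Run it as a script to see the three outcomes; the point is that the fix is not "one EAC only" but conditions that make each request resolve to exactly one rule (or a deliberate stop condition on the rule that should win).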