Santiago Valued Contributor.

How to send an email notification when a user executes a risky command using ssh relay connection

Hi,

I want to notify an administrator of a server when a user logs in to a machine using an ssh relay connection and tries to execute a risky command like rm or rmdir.

Note: Right now I don't want to restrict the command or disconnect the session, although I know that can't be done if the user is using an ssh relay connection.

Please let me know if this is possible. If it is possible, can you show me the steps to do this, and whether I can do the same for Windows machines and databases like Oracle and SQL?

- I'm using PAM 3.5.0 

- I have already configured SMTP settings in the PAM Manager host.

Thank you in advance for the help.

 

Micro Focus Expert

Re: How to send an email notification when a user executes a risky command using ssh relay connection

I think you will be needing an Agent to achieve this fully and seamlessly. Please take a look at the documented feature set for each approach with Linux / Unix. Command Risk & Automatic Session Disconnect will need Agents for doing more granular type controls like this, I believe.

A big advantage to using Agents on Linux would be full session control. So you could do more granular / nuanced policies that still permit the user to run the command, but set a risk level, or just block them from doing those commands like removing specific files or directories even though they have privileged access to the server. This is typically done with an Enhanced Access Control policy applied to a pcksh/cpcksh shell through the PAM Agent on the server. You could also do a set of allowed commands through usrun.

One approach that could be taken through sshrelay, though, would be to pass the command after the connection command, which would then appear as part of the cmdctrl request, and you could take some cmdctrl script actions based on that to do an email notification or mark it as a risky connection in the cmdctrl rule itself. This isn't an ideal approach, of course. For example:

 

ssh -t -p2222 user@manager runAs@runHost rm file

 

Command coming into cmdctrl would be "<ssh> rm file"

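An added example, not part of the thread and not PAM's own cmdctrl script API: standalone Python that takes a request string in the form quoted in the reply ("<ssh> rm file"), decides whether rm or rmdir is actually being invoked, and composes the notification mail. The function names, the wrapper list and the example.com addresses are assumptions made for illustration.

```python
import shlex
from email.message import EmailMessage
from posixpath import basename

RISKY = {"rm", "rmdir"}                # commands named in the question
WRAPPERS = {"sudo", "env", "nohup"}    # assumed launchers that run another command
PUNCT = set("();<>|&")                 # characters shlex treats as shell punctuation


def risky_commands(request):
    """Return the risky executables invoked in a request like '<ssh> rm file'."""
    text = request.strip().removeprefix("<ssh>")   # prefix shown in the reply
    lexer = shlex.shlex(text, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:                 # unbalanced quote: fall back to a plain split
        tokens = text.split()
    found, state = [], "cmd"           # "cmd": the next word is an executable
    for tok in tokens:
        name = basename(tok)           # /bin/rm counts as rm
        if tok and set(tok) <= PUNCT:
            if not set(tok) & {"<", ">"}:   # ; | && || ( start a new command
                state = "cmd"
        elif state == "cmd" and name in WRAPPERS:
            state = "wrapped"          # wrapper options may precede the real command
        elif state != "args":
            if name in RISKY:
                found.append(name)
            if state == "cmd":
                state = "args"         # everything up to the next separator is an argument
    return found


def build_alert(user, run_host, request, admin="admin@example.com"):
    """Compose (not send) the notification; return None when nothing is risky."""
    hits = risky_commands(request)
    if not hits:
        return None
    msg = EmailMessage()
    msg["From"] = "pam-alerts@example.com"         # placeholder sender
    msg["To"] = admin
    msg["Subject"] = f"Risky command via SSH relay: {', '.join(hits)} on {run_host}"
    msg.set_content(f"User: {user}\nHost: {run_host}\nRequest: {request}\n")
    return msg   # deliver with smtplib.SMTP(...).send_message(msg)

if __name__ == "__main__":
    print(build_alert("user", "runHost", "<ssh> rm file"))  # constructed sample
```

Tokenising the request instead of searching for the substring "rm" keeps arguments such as `echo "rm file"` from raising an alert while still catching `/bin/rm` and commands chained after `;` or `&&`.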