How to send an email notification when a user executes a risky command using an ssh relay connection
I want to notify an administrator of a server when a user logs in to a machine using an ssh relay connection and tries to execute a risky command like rm or rmdir.
Note: Right now I don't want to restrict the command or disconnect the session, although I know that can't be done if the user is using an ssh relay connection.
Please let me know if this is possible. If it is possible, can you show me the steps to do this, and whether I can do the same for Windows machines and databases like Oracle and SQL?
- I'm using PAM 3.5.0
- I have already configured SMTP settings in the PAM Manager host.
Thank you in advance for the help.
Re: How to send an email notification when a user executes a risky command using an ssh relay connection
I think you will need an Agent to achieve this fully and seamlessly. Please take a look at the documented feature set for each approach with Linux / Unix. Command Risk & Automatic Session Disconnect will need Agents for more granular controls like this, I believe.
A big advantage to using Agents on Linux would be full session control. So you could do more granular / nuanced policies that still permit the user to run the command but set a risk level, or just block them from running those commands, like removing specific files or directories, even though they have privileged access to the server. This is typically done with an Enhanced Access Control policy applied to a pcksh/cpcksh shell through the PAM Agent on the server. You could also do a set of allowed commands through usrun.
One approach that could be taken through sshrelay, though, would be to pass the command after the connection command, which would then appear as part of the cmdctrl request, and you could take some cmdctrl script actions based on that to do an email notification or mark it as a risky connection in the cmdctrl rule itself. This isn't an ideal approach, of course. For example:
ssh -t -p2222 user@manager runAs@runHost rm file
Command coming into cmdctrl would be "<ssh> rm file"
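As an added example (not from this thread and not the PAM product's own cmdctrl scripting), the classification step such a script action would need: it takes the "<ssh> rm file" string that cmdctrl receives, finds rm/rmdir even behind shell separators like `&&` or `;`, and builds the notification email. The risky-command list, the wrapper list, the function names and the sender address are all assumptions.

```python
import shlex
from email.message import EmailMessage

# Commands the administrator wants to hear about (assumed list; extend as needed).
RISKY_COMMANDS = {"rm", "rmdir"}
# Shell separators after which a new command starts inside one command string.
CHAIN_TOKENS = {"&&", "||", ";", "|", "&"}
# Prefix programs that only wrap the real command (assumed list).
WRAPPERS = {"sudo", "nohup", "env", "time"}


def risky_commands_in(cmdctrl_command: str) -> list[str]:
    """Return the risky command names in a cmdctrl string such as "<ssh> rm file".

    Chained commands ("cd /tmp && rm -rf *") are split so a risky command after a
    separator is still seen. Only the command passed on the ssh command line is
    visible here, never anything typed later in the interactive session.
    """
    text = cmdctrl_command.strip().removeprefix("<ssh>").strip()
    lexer = shlex.shlex(text, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = text.split()
    found, expect_command = [], True
    for tok in tokens:
        if tok in CHAIN_TOKENS:
            expect_command = True
        elif expect_command:
            name = tok.rsplit("/", 1)[-1]  # "/bin/rm" -> "rm"
            if name in WRAPPERS or "=" in name or name.startswith("-"):
                continue  # sudo/env, VAR=value and option prefixes: keep looking
            if name in RISKY_COMMANDS:
                found.append(name)
            expect_command = False
    return found


def build_notification(admin_addr: str, user: str, host: str, cmdctrl_command: str):
    """Build the alert email, or return None when nothing risky was requested."""
    risky = risky_commands_in(cmdctrl_command)
    if not risky:
        return None
    msg = EmailMessage()
    msg["To"] = admin_addr
    msg["From"] = "pam-alerts@example.invalid"  # placeholder sender address
    msg["Subject"] = f"[PAM] risky command by {user} on {host}: {', '.join(risky)}"
    msg.set_content(f"User {user} requested via ssh relay on {host}:\n  {cmdctrl_command}\n")
    return msg
```

Delivery is left to the environment: with the SMTP settings already configured on the PAM Manager host, `smtplib.SMTP(server).send_message(msg)` sends the message.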