Absent Member.

Keystroke replay color-coding problem

Hi Brett,

I am facing a new problem. In the framework manager, under the reporting
tab, on viewing the command control reports, and checking the keystroke
replay, the commands are not coming in the color-coded way. Also the
options 'Show audited commands' and 'Show profile command' checkboxes
are disabled.

Please let me know, how to get the command control reports in a
color-coded manner, and how can these options be enabled.

I have mailed you the screenshots for the same at : brett at novell dot

I'll have mailed you from the following mailing ID: mansi.t@tcs.com

Thanks and Regards,

yogesh09021983's Profile: https://forums.netiq.com/member.php?userid=683
View this thread: https://forums.netiq.com/showthread.php?t=46056

1 Reply
Absent Member.


To enable the color‐code user keystroke activity and the Command
Risk Analysis Engine, you must have the proper Command Control Audit
level set.

The Command Control Audit level must be set to 1, which enables an
additional level of audit to use with the Command Risk.

For example, if you are giving the user a pcksh shell, you'd create a
command of 'pcksh' and then use the Command rewrite to rewrite the
'pcksh' command to '/usr/bin/pcksh -o audit 1', and then create a rule
to match on this command.

So if a user did the following:

deni@sd5:~> usrun -u root pcksh

It would actually run '/usr/bin/pcksh -o audit 1' as root.

With the '-o audit 1' set, it will now look at the Command Risks you've

To define Command Risk, log in to the GUI | Command Control | select
Commands | from the left nav, select 'Command Risk'

Here are a few examples:

Risk= 10
Regex= checkmark

This would mark anyone who ran 'password' or '/usr/bin/password'

Or maybe you want to set a command risk anytime someone does an 'ls'
against a private directory, such as '/data/private'

Risk= 8
Regex= checkmark
Command= (^|/bin/)ls(\s+|$)
Working Directory= /data/private

Or maybe you want to mark a reboot as risky.

Risk= 9
Regex= checkmark
Command= (^|/sbin/)reboot$

Hope this helps.


deni's Profile: https://forums.netiq.com/member.php?userid=1793
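
Added example (not part of the original posts and not the product's own code): a small Python harness for checking what the 'ls' and 'reboot' Command Risk patterns from the reply match before they are entered in the GUI. It assumes unanchored regex search and an exact working-directory comparison, which may differ from the product's matching; RiskRule, score and the sample commands are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class RiskRule:
    risk: int
    command: str                    # regex, as in the 'Command=' field
    workdir: Optional[str] = None   # 'Working Directory=' field, if set

# The 'ls' and 'reboot' rules from the reply; the reboot pattern is written
# with '/sbin/' so that the full path '/sbin/reboot' matches.
RULES = [
    RiskRule(8, r"(^|/bin/)ls(\s+|$)", "/data/private"),
    RiskRule(9, r"(^|/sbin/)reboot$"),
]

def score(command: str, cwd: str, rules=RULES) -> int:
    """Return the highest risk of any rule matching the command, else 0.

    Assumption: unanchored search, and the working directory is compared
    for exact equality. The product's matching may differ.
    """
    best = 0
    for rule in rules:
        if rule.workdir is not None and cwd != rule.workdir:
            continue
        if re.search(rule.command, command):
            best = max(best, rule.risk)
    return best

# Constructed sample input: (command, working directory)
SAMPLES = [
    ("ls -la", "/data/private"),
    ("/bin/ls", "/data/private"),
    ("ls -la", "/home/deni"),
    ("lsof -i", "/data/private"),
    ("/sbin/reboot", "/root"),
    ("reboot", "/root"),
    ("reboot -f", "/root"),
    ("echo reboot", "/root"),
]

if __name__ == "__main__":
    for cmd, cwd in SAMPLES:
        print(f"{score(cmd, cwd):>2}  {cwd:<14} {cmd}")
```

Under these assumptions 'reboot -f' scores 0 because the reboot pattern ends in '$'; ending it with '(\s+|$)', as the 'ls' rule does, would also cover invocations with arguments.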
