
Filter commands executed on remote servers using command guard

How to restrict commands that a gateway user can execute on remote servers in Ezeelogin?


Synopsis: In this article we configure command guard in Ezeelogin so that an SSH gateway user "Tom", who is a JuniorTech, can run only the following commands (wget, touch, w, top, tcpdump, iftop) on remote servers (kvm, vps, hostnodes).


This feature is available from Ezeelogin version 7.36.0. Refer to the article on upgrading Ezeelogin to the latest version.

Ezeelogin uses IEEE Std 1003.2 (“POSIX.2”) regular expressions in the command guard.

Note: Command guard is an experimental feature (a user can bypass command guard by using scripts, the up arrow key, the tab key, etc.).


Step 1: Enable command guard globally from Ezeelogin GUI -> Settings -> General -> Security -> Command Guard -> Enable

Step 2: Add the commands ("tcpdump, wget, touch, w, top, iftop", etc.) in the Command Guard -> Commands tab.

Step 3: Create a command group called “JuniorTechCmds” and assign the commands “top,iftop,w,tcpdump,wget” to the group.

Step 4: Create a UserGroup called "Junior Techs" and assign the command group as shown below.

If the UserGroup already exists, edit it, select “JuniorTechCommands” in Command Guard, click "Allow" and then “Save”.

Step 5: Edit the user "Tom" and assign the gateway user to the user group "Junior Techs".

Step 6: Log in to the remote server "web.eznoc.com" via the ezsh shell as user tom (UserGroup “Junior Techs”).

The user "Tom" would only be able to run the commands that are added in the command group “JuniorTechCommands”.

6 a.) The example below shows that the user "Tom" is allowed to run only the commands added in "JuniorTechcommands".

NOTE:

Allow lets the gateway users in the usergroup execute only those commands that match the regular expressions of the commands in the command group.

Disallow prevents the gateway users in the usergroup from executing any command that matches the regular expressions of the commands in the command group, and lets them execute all other commands.

6 b.) The example below shows that the user "Tom" is not allowed to run a command that is added in the "JuniorTechcommands" group.


  • A few regular expressions for the following commands:

The following image shows another example of a regular expression that matches fdisk with edit options only. If a command group with this command is disallowed, the user is prevented from using the fdisk command to edit the partition table but can still list partitions.

The following image shows regular expressions to block a user from executing the "kubectl" command with the "delete" option.

The following image shows another example of a regular expression that matches deleting files and directories from the command line with "rm -rf".
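
An added example, not taken from the Ezeelogin documentation: a shell dry run of the Allow and Disallow semantics from the NOTE above, with grep -E standing in as the POSIX extended-regex matcher so patterns can be checked before they go into a command group. The patterns, the sample commands and the assumption that a pattern is searched unanchored within the typed command line are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run command guard patterns with POSIX ERE (grep -E).
# Assumption: a pattern is searched anywhere in the command line unless anchored.

# matches PATTERN CMD -> exit status 0 if the ERE matches the command line
matches() {
  grep -Eq -- "$1" <<EOF
$2
EOF
}

# decide MODE CMD PATTERN... -> prints "permit" or "deny"
#   allow:    permit only when some pattern matches
#   disallow: deny when some pattern matches, permit everything else
decide() (
  mode=$1 cmd=$2 hit=no
  shift 2
  for p in "$@"; do
    if matches "$p" "$cmd"; then hit=yes; break; fi
  done
  case "$mode:$hit" in
    allow:yes|disallow:no) echo permit ;;
    *) echo deny ;;
  esac
)

# Constructed allow patterns for the article's command list. The ^ anchor and
# the "( |$)" boundary keep "w" from also matching "whoami" or "wget".
P_BARE='^(top|iftop|w)( |$)'
P_ARGS='^(tcpdump|wget|touch) '
# Constructed disallow patterns for the kubectl delete and rm -rf cases.
P_KDEL='^kubectl( .*)? delete( |$)'
P_RMRF='^rm +-[a-zA-Z]*(r[a-zA-Z]*f|f[a-zA-Z]*r)'

report() {
  for cmd in 'w' 'whoami' 'top -b -n1' 'wget https://example.com/f' 'cat /etc/passwd'; do
    printf 'allow    %-28s %s\n' "$cmd" "$(decide allow "$cmd" "$P_BARE" "$P_ARGS")"
  done
  for cmd in 'kubectl get pods' 'kubectl -n web delete pod x' 'rm -rf /tmp/x' 'rm notes.txt'; do
    printf 'disallow %-28s %s\n' "$cmd" "$(decide disallow "$cmd" "$P_KDEL" "$P_RMRF")"
  done
  # Contrast: an unanchored "w" in an allow group also permits "whoami".
  printf 'allow    %-28s %s  (pattern "w", unanchored)\n' 'whoami' "$(decide allow 'whoami' 'w')"
}
report
```

Running the sample commands through both modes before saving a command group shows whether an allow pattern is wider than intended.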

