Command Control Policies
Command Control offers Administrators the ability to limit commands that can be executed via a whitelist or blacklist in both Windows and Unix remote in-browser sessions.
In addition to the command restrictions themselves, Command Control can also place restrictions on command Arguments and what can, cannot or is required to be “piped” to commands.
Special forbidden sequences and meta-commands are run under Command Control policies.
Create Command Control Policies
Any user who has been granted the global System Administrator role may access and modify the Command Control policies, located at Administration > Command Control.
To create a new policy, navigate to Administration > Command Control and click the Create button.
Create your policy by entering the values as required.
Name | Enter a unique, but descriptive name of your policy. When applying the policy, the user will be selecting your policy by name only from a dropdown menu.
Description | Enter a description for your policy.
Control Type | Select either Whitelist or Blacklist.
Next, click the Add Command button to begin configuring your white- or blacklist policy.
Command | Enter the command to be included in this policy.
Add/Remove Argument | Optionally, add or remove argument(s) to be included with the command.
Type | Select the Include or Exclude option that will pertain to the above argument.
For example, if you want to restrict commands for your Cisco device so that the user may only execute show version (i.e. whitelist), the following configuration can be used:
Command | show
Add/Remove Argument | version
Type | Include
You may repeat the process to add additional commands to this policy or click Save to complete the policy creation.
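The following sketch is an added example, not code from the product: it models how a policy built from the fields above (Control Type, Command, Argument, Type) could decide whether a typed command line is permitted, using the `show version` whitelist from this page. The matching semantics, the class and policy names, and the `reload` blacklist are assumptions made for illustration; pipe restrictions are not modelled separately, so a pipe is treated as just another argument.

```python
import shlex
from dataclasses import dataclass, field

@dataclass
class Rule:
    command: str
    include: set = field(default_factory=set)  # arguments with Type = Include
    exclude: set = field(default_factory=set)  # arguments with Type = Exclude

    def covers(self, tokens, strict):
        """Assumed semantics: does this rule cover the typed command line?"""
        if tokens[0] != self.command:
            return False
        args = tokens[1:]
        if any(a in self.exclude for a in args):
            return False                      # excluded argument: rule does not apply
        if not self.include:
            return True                       # bare command rule covers any arguments
        if strict:                            # whitelist: every argument must be listed
            return bool(args) and all(a in self.include for a in args)
        return any(a in self.include for a in args)  # blacklist: one listed argument is enough

@dataclass
class Policy:
    name: str
    control_type: str                         # "Whitelist" or "Blacklist"
    rules: list

    def allows(self, line):
        try:
            tokens = shlex.split(line)
        except ValueError:
            return False                      # unbalanced quotes: fail closed
        if not tokens:
            return True                       # nothing to execute
        whitelist = self.control_type == "Whitelist"
        covered = any(r.covers(tokens, strict=whitelist) for r in self.rules)
        return covered if whitelist else not covered

# The page's Cisco example: Command "show", Argument "version", Type "Include".
CISCO_SHOW_VERSION = Policy("cisco-show-version", "Whitelist", [Rule("show", include={"version"})])
# Constructed blacklist for contrast (not from the page).
NO_RELOAD = Policy("no-reload", "Blacklist", [Rule("reload")])

if __name__ == "__main__":
    for cmd in ["show version", "show running-config", "show version | include IOS", "reload"]:
        print(f"{cmd!r}: whitelist={CISCO_SHOW_VERSION.allows(cmd)} blacklist={NO_RELOAD.allows(cmd)}")
```

Under these assumptions the whitelist denies everything it does not list, while the blacklist permits everything it does not list, which is why a whitelist is the tighter choice for a device where only a few commands are needed.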
Edit or Delete Command Control Policies
To edit or delete an existing policy, navigate to Administration > Command Control and click the Edit or Delete button next to your desired policy.
If editing a policy, be sure to click the Save button when you are finished with your modifications.
Apply Command Control Policies
Command Control policies are applied to Record Types or individual Records to ensure user commands are limited when remote sessions are active.
Apply Policies to Record Types
Applying the Command Control policy to a Record Type allows for the policy to be inherited down to all records that make use of this type. To apply the policy to a Record Type:
- Navigate to Administration > Record Type and click the Edit button for the desired Record Type.
- On the Record Type’s Edit page, click the Command button.
- On the Command Control page, click the Add button.
- Enter the principal(s) that should have the policy applied and then click the Add button.
- Select the desired policy by name from the Command Control dropdown menu.
- Click the Select button to apply the policy.
- Review the policy as configured and finally click the Save button to apply it to the Record Type.
To remove a policy, select the applied Policy by checking the box to its left and then clicking the Remove button.
Finally, click the Save button to finalize the update.
Apply Policies to Records
Applying the Command Control policy to an individual Record allows for the policy to be relevant for a specific host or user rather than for all hosts.
To apply the policy to a Record:
- Navigate to the record and choose the option Manage > Command Control.
- If the inheritance is not already broken, then click the Make Unique button.
- On the Command Control page, click the Add button.
- Enter the principal(s) that should have the policy applied and then click the Add button.
- Select the desired policy by name from the Command Control dropdown menu.
- Click the Select button to apply the policy.
- Review the policy as configured and finally click the Save button to apply it to the Record.
To remove a policy, select the applied Policy by checking the box to its left and then clicking the Remove button.
Finally, click the Save button to finalize the update.