SSH Command Control (Filtering) in PAM360

17 minutes to read

PAM360 can launch remote connections via SSH protocol to perform the desired operations by executing the relevant commands. The SSH Command Control (filtering) feature allows you to configure a set of predefined command lists in remote sessions by associating command groups with accounts, resources, and/or resource groups, as required.

Say, if you are a user having access to a particular resource with applied command control, you can execute only those commands within the allowed command lists, thereby ensuring security with an enhanced scope of access control.

SSH Command Control (Filtering) Workflow -
Add Command → Associate Command to Command Group → Configure Command Group at the Required Level (Accounts, Resources, and/or Resource Groups)

Note:
The command and command group operations performed in PAM360 will have a trail of records in the resource audit section with the relevant operation types and reasons.

At the end of this document you will have learned the following topics:

Enable Command Control Access
Manage Commands
Manage Command Groups
Configure SSH Command Control
Execute Filtered Commands
How does the Precedence Works in Real-Time

1. Enable Command Control Access

The first step to SSH command control (filtering) is enabling command control-related permissions for custom roles based on required privileges. To do this, navigate to 'Admin >> Customization >> Roles >> Add Role >> Privilege Elevation' and do the following:

Manage Command Lists
Enabling this option lets the user manage the command list and command groups in PAM360. This role enabled users can create new commands and command groups with operations that include edit, delete, associate, and dissociate.
Associate Command Groups
Users enabled with this role can associate/dissociate a command group with/from the accounts, resources, and resource groups and view the commands and command groups from the Manage Command Lists window.
Use Command Control
Users with this role can execute only the predefined commands associated with the SSH-based resources. By enabling this role, the user privilege will be limited by not allowing SSH commands apart from the predefined list. Administrator, Privileged Administrator, Password Administrator, and Connection users will be given this role by default. Also, users disabled with this role cannot take any connection for the accounts configured with SSH command control.

2. Manage Commands

Important Note:

Before proceeding with the command management, users with the Manage Command Lists and Associate Command Groups roles have to verify the following criteria for the proper execution of commands in the launch SSH console:

The commands added to the PAM360 should have the valid input.
The target system has to be checked for the alias commands if any, and it has to be considered the same while adding it to the PAM360 Commands tab.

Navigate to 'Admin >> Privilege Elevation >> Manage Command'.

From the Commands tab under the Manage Commands window, you can perform the necessary operations related to the commands, which include Add, Import, Edit, Delete, and Export. The following sub-sections will guide you with a brief step-by-step procedure about each operation mentioned above:

a. Add Command

You can add commands to the command list in two available methods:

i. Adding Command Manually

In the Commands tab, click the Add button.
In the window that opens, enter the Command Name, Command, and Description.
Upon entering the respective fields, click the Add button to add the command or Add More to add the subsequent commands.

The added command(s) will be available in the Commands tab of the Manage Commands window.

ii. Import Commands from CSV

In the Commands tab, click the Import button.
In the pop-up that appears, select the file Type, provide the directory of the file in the Attach File field and click Next.

Tip:
For a better understanding of the CSV file format, you can manually add a few commands and command groups and export them as a CSV file for reference.

If you select the file type as Password protected ZIP file, enter the file name in the zip file and the password to access the file in the zip.
The import inventory of the command list contains four fields by default. Out of these four fields, Command Name and Command are mandatory, and the CSV file can hold the values of these fields in any order. You can also associate the commands to the command groups from here.

Note:
Mapping the Associate to Command Group field will associate the commands with the command groups of the same names. If a command group name in the CSV file does not exist in the Command Groups tab of Manage Command Lists, a new command group will be created in the same name, and the respective command will be associated with it.

Select the fields in the CSV to map to the corresponding attributes and click Import.

The commands imported from the CSV file will be available in the Commands tab of the Manage Commands window.

Click on the desired command from the command list. From the Command Details window that opens, you will get the command information, and you can also perform operations that include Edit and Delete.

b. Edit Command

In the Commands tab, click the Edit Command icon under Actions beside the desired command or the Edit button from the Command Details window.
In the window that opens, update the necessary fields and click Save to edit the existing command details.

Note:
Select the required command groups available in the Associate to Command Group field to associate the command to the respective command group(s).

c. Delete Command(s)

In the Commands tab, click the Delete Command icon under Actions beside the desired command or the Delete button from the Command Details pop-up.
In the pop-up that opens, click on the Delete button to delete the command from the command list.
To delete the commands in bulk:
1. Select the desired commands to be deleted.
2. Click the Delete button on the top pane.
3. Click Delete to delete the selected commands in bulk.

Note:
Deleting the command from the Commands tab will dissociate it from the existing command group, if any, and will remove it permanently from the command list.

d. Export Commands

You can export the commands available in the Commands tab of the Manage Commands window. From the Commands tab, click on the Export button to export all the commands as a CSV file. Upon execution, a CSV file with all the available commands will be downloaded in the default directory as set in your browser.

3. Manage Command Groups

After managing the desired commands, you can start performing the command groups operations that include Add, Edit, Associate/Dissociate and Delete from the Command Groups tab under the Manage Commands window. The following sub-sections will guide you with a brief step-by-step procedure about the different operations mentioned above:

a. Add Command Group

In the Command Groups tab, click the Add button.
In the window that opens, enter the Command Group Name and Description and click Add.

Note:
Before submitting the confirmation to add a command group, you can select the desired commands from the below command list to associate them with this newly added command group.

Click on the desired command group from the Command Groups tab. From the Command Group Details window that opens, you will get the command group information with the associated command details, and you can also perform operations that include Edit and Delete.

b. Edit Command Group

In the Command Groups tab, click the Edit Command Group icon under Actions beside the desired command group or the Edit button from the Command Group Details pop-up.
In the window that opens, update the necessary and click Save to edit the command group detail.

c. Delete Command Group(s)

In the Command Groups tab, click the Delete Command Group icon under Actions beside the desired command group or the Delete button from the Command Group Details pop-up.
In the pop-up that opens, click Delete to delete the command group from the command group list.
To delete the command groups in bulk:
1. Select the desired command groups to be deleted.
2. Click the Delete button on the top pane.
3. Click Delete to delete the selected command groups in bulk.

Note:
Deleting the command group will delete it permanently, but will not delete the commands associated with it.

d. Associate/Dissociate Command(s) with/from Command Group(s)

In the Command Groups tab, click the Edit Command Group icon under Actions beside the desired command group or the Edit button from the Command Group Details pop-up.
Select/deselect the command(s) from the available command list to associate/dissociate the commands with/from the command group.
Click Save to apply the changes.

Note:
You can also associate commands with the command group while adding a new command group.

4. Configure SSH Command Control

Once you are ready with the desired command groups, you can start configuring them via SSH command control at the accounts, resources, and resource groups level. The below sub-sections will describe you briefly about the step-by-step process for configuring SSH command control at different levels:

Important Note:
We strongly suggest using command control (filtering) with configured access control. This is to restrict users from accessing the shared accounts passwords. If an account password is accessible as plain text, the users can use any third-party SSH clients to execute commands on their own without any command control restrictions.

a. Configure Command Control to Account(s)

Navigate to 'Resources >> All My Passwords >> Resources' and click the desired SSH resource.
[or]
Navigate to 'Resources >> All My Passwords >> Passwords'.
In the page that appears, click the Account Actions drop-down beside the desired account and select Configure SSH Command Control.
In the pop-up that opens, select the required command group(s) to be associated with the account and click Associate.

Note:
Deselect the command group(s) to dissociate the command group from the account or click the Dissociate button to revoke the command control for the account.

To configure command control in bulk:
1. Select the desired accounts, click the More Actions drop-down and select Configure SSH Command Control.
  [or]
  Select the desired accounts, click the Account Actions drop-down at the top pane and select SSH Command Control in the Configure section.
2. In the pop-up that opens, select the command group(s) to be associated with the accounts and click Associate.

b. Configure Command Control to Resource(s)

Navigate to Resources >> All My Passwords >> Resources.
Click the Resource Actions drop-down beside the desired SSH resource and select Configure SSH Command Control.
In the pop-up that opens, select the required command group(s) to be associated with the resource and click Associate.

Note:
Deselect the command group(s) to dissociate the command group(s) from the resource or click the Dissociate button to revoke the command control for the resource.

From the Resources tab, to configure command control in bulk:
1. Select the desired SSH resources, click the Resource Actions drop-down at the top pane, and select SSH Command Control in the Configure section.
2. In the pop-up that opens, select the required command group(s) to be associated with the resources and click Associate.

c. Configure Command Control to Resource Group(s)

Navigate to the Groups tab.
Click the Actions drop-down beside the desired resource group and select Configure SSH Command Control.
In the pop-up that opens, select the required command group(s) to be associated with the resource group and click Associate.

Note:
Deselect the command group(s) to dissociate the command group(s) from the resource group or click the Dissociate button to revoke the command control for the resource group.

To configure command control in bulk:
1. Select the desired SSH resource groups, click the Bulk Configuration drop-down at the top pane and select SSH Command Control in the Configure section.
2. In the pop-up that opens, select the required command group(s) to be associated with the resources and click Associate.

5. Execute Filtered List

Users enabled with the Use Command Control role can execute only the commands applied at the different group levels. To execute the allowed list of commands:

Launch a remote session for the desired account using the SSH protocol.

In the session that opens, you will find a set of predefined allowed list of commands associated to the logged in SSH account.
1. Hover on the right pane and click on the Execute icon beside the desired command from the command list to execute the command in the launch SSH console.
2. Click on the Preview icon on the right pane to see the command execution logs of the SSH session.

Note:

Configuring SSH command control will allow users to execute the commands that are predefined by the administrator.
The users will not be able to manually execute any commands in the accounts configured with SSH command control.
Accounts configured with SSH command control will restrict remote sessions for users without the Use Command Control role.

6. How does the Precedence Work in Real-Time?

Case 1:

If an SSH connection to a device gets SSH command control configuration from an account, resource, and resource group level, then the authorized SSH session of that particular account will take the commands associated via command groups at the account level.

Note:
The precedence will be given to the lower level (Account << Resource << Resource Group) when configured with different command groups at different group level.

Case 2:

Similarly, If an SSH connection to a device gets SSH command control configuration from the resource and resource group level, then the authorized SSH session of that account will take the commands configured via command groups at the resource level.

Case 3:

If an SSH connection to a device gets SSH command control configuration from different resource groups, then the authorized SSH session will take the consolidated commands in the command groups configured with the different resource groups.