7017938: How to configure Direct-SSH on Linux using a preferred shell

This document (7017938) is provided subject to the disclaimer at the end of this document.

Environment

Privileged Account Manager

Privileged User Manager

Situation

How to configure Direct-SSH on Linux to capture native ssh connections using the default shell

How to approach capturing direct ssh connections where users can use the default shell

How to capture / audit direct ssh similar to the Direct-RDP feature for Windows

Resolution

Direct-SSH connections can only be monitored through provided shells (pcksh, cpcksh) and usrun (See Privileged Account Management for Unix and Linux). If the user prefers another shell over pcksh, cpcksh, or usrun, then the following approach can be used to enable complete-session capture while appearing seamless to the user as their preferred shell. This is achieved through configuring the user’s default shell to one that can be captured and is integrated with Command Control and then configuring command rewriting to rewrite the user’s command to their preferred shell.

Note: This approach is only possible if there are Agents running on the target Linux servers.

  1. Change the user(s) default shell to /usr/bin/cpcksh. Please refer to appropriate documentation in the UNIX or Linux environment to properly configure the user(s) login shell.

    Please refer to man usermod. An example would be:

    sudo usermod -s /usr/bin/cpcksh user1

  2. If the user prefers an alternate shell, configure a cpcksh command that rewrites to the preferred shell (e.g. /bin/bash, /usr/bin/pcksh). For more details about command rewriting, please refer to Modifying a Command.
  • Create a new command, see Commands.

    Name: <command name>

    Rewrite: <path to preferred shell, i.e. /bin/bash>

    Commands: -cpcksh

  • Create the necessary cpcksh rule:

    Begin Rule :cpcksh
    IF ((command IN cpcksh))
    THEN
      Set Authorize : yes
      Set Session Capture : yes
      Stop if authorized
    END IF
    END RULE :cpcksh

    Note: The command configured in Step 2 has been applied to the conditions of this rule.

Additional Information

For other approaches and more details, please refer to Privileged Account Management for Unix and Linux.

To determine what shell a user is currently using:

    ps -p $$
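The `ps -p $$` check above only tells a logged-in user what shell they are running right now. To verify Step 1 across a whole host, an administrator also wants to know which interactive accounts still have a login shell that Command Control cannot capture. The following audit helper is an added example, not part of this KB article or the product; it reads passwd-format lines (for instance the output of `getent passwd`) and prints every interactive account whose login shell is not pcksh or cpcksh. The shell install paths in CAPTURED_SHELLS are assumptions and may need adjusting for your installation.

```shell
#!/bin/sh
# Added audit helper (not from the KB article): list interactive accounts whose
# login shell is NOT one of the PAM-captured shells, i.e. accounts whose direct
# SSH sessions would not be session-captured by Command Control.

# Assumed install paths of the captured shells; adjust to match your agents.
CAPTURED_SHELLS="/usr/bin/pcksh /usr/bin/cpcksh /bin/pcksh /bin/cpcksh"
# Login shells that mean "no interactive login"; these accounts are skipped.
NON_INTERACTIVE="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# uncaptured_users: reads passwd-format lines from stdin and prints
# "<user> <shell>" for every interactive account not using a captured shell.
uncaptured_users() {
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        [ -z "$name" ] && continue
        # An empty shell field means the system default (/bin/sh) is used.
        [ -z "$shell" ] && shell=/bin/sh
        case " $NON_INTERACTIVE " in *" $shell "*) continue ;; esac
        case " $CAPTURED_SHELLS " in *" $shell "*) continue ;; esac
        printf '%s %s\n' "$name" "$shell"
    done
}

# Constructed sample passwd content (not taken from any real system).
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1001:1001::/home/user1:/usr/bin/cpcksh
user2:x:1002:1002::/home/user2:/bin/bash
user3:x:1003:1003::/home/user3:/usr/bin/pcksh'

# Against a live host you would run:  getent passwd | uncaptured_users
printf '%s\n' "$SAMPLE" | uncaptured_users
```

On the constructed sample this reports root and user2, the two accounts whose bash login shell bypasses session capture; user1 and user3 are already on cpcksh/pcksh and daemon cannot log in. Any account the helper lists is a candidate for the `usermod -s /usr/bin/cpcksh` change in Step 1.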

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
