How does a Linux bastion host implement sensitive command auditing?

Source: Internet
Author: User

At present, Linux servers are the main application scenario for bastion hosts. Because most bastion host vendors on the market started early, the technology for developing, building and deploying Linux bastion hosts is very mature, but support for the increasingly popular Windows Server 2012 is still poor in many of these early vendors' products. This article explains the important-command audit function of the Linux bastion host; knowledge related to Windows bastion hosts will be covered in the editor's other articles.

The command audit function of a Linux bastion host is divided into in-session auditing and after-the-fact auditing. After-the-fact functions such as session video audit and command retrieval are similar across most bastion host products. This article focuses on sensitive command auditing: blocking and intercepting sensitive commands is an important security audit feature that effectively prevents team members from carrying out illegal operations, sensitive operations or misoperations that cause the company unnecessary losses.

Taking the Cloud Butler bastion host product as an example, implementing sensitive command auditing takes three steps:

Step 1: define Linux bastion host command rules.

First click "Policy edit". By default the command rule list is empty, and users add rules according to their business situation. When defining a sensitive command, you also specify the command matching rule and the corresponding response action. Whenever a command executed on a critical device matches a rule, the command audit policy is triggered and the response action set by the user is applied.

Figure: defining Linux bastion host command rules

1. The Cloud Butler Linux bastion host currently supports the following three command matching methods:

"Exact match": suitable for matching all operations of a command. Every form of invoking the command is matched; for example, if the command rule is yum with exact matching, then yum, yum install, yum remove and other related commands entered by the user are all matched;

"Regular expression": supports fuzzy matching with regular expressions, suitable for matching only some parameters of a command. For example, to match only the yum install and uninstall operations, the command rule is yum (install|remove); a user input of yum search is then not matched, but yum install and yum remove are;

"Wildcard": supports fuzzy matching with wildcards. The usage scenarios are similar to regular expressions, but the syntax differs slightly; for example, to match the yum install and uninstall operations the command rule is yum {install,remove}.

2. The Cloud Butler Linux bastion host currently supports the following four response actions:

"Command reminder": for sensitive commands that the team manager wants members to execute carefully but that are of ordinary time sensitivity, set "command reminder"; when such a command is executed, the member must confirm it themselves before it runs;

"Command audit": for sensitive commands that team managers believe carry a certain risk, set "command audit"; when executed, such commands are temporarily blocked and wait for approval before they run;

"Command block": for sensitive commands that the team manager considers high-risk and does not want members to execute at all; they are blocked directly and not allowed to run;

"Interrupt session": recommended for malicious commands that team managers consider extremely dangerous; the session itself is terminated.
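To make the three matching methods and the four response actions concrete, here is an added Python example of a small rule evaluator; it is not Cloud Butler's code, and the exact semantics are assumptions: "exact" compares only the command word, "regex" is anchored at the start of the line, "wildcard" expands {a,b} braces and is tested against each leading-token prefix of the typed command, and when several rules match, the most severe action wins. The sample rules and commands are constructed for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Action(Enum):
    """The four response actions, ordered by severity (higher value = more severe)."""
    REMIND = 1      # member must confirm before the command runs
    AUDIT = 2       # command is held until an approver agrees
    BLOCK = 3       # command is refused outright
    INTERRUPT = 4   # the whole session is terminated


@dataclass(frozen=True)
class Rule:
    pattern: str
    mode: str       # "exact", "regex" or "wildcard"
    action: Action


def expand_braces(pattern: str) -> List[str]:
    """Expand {a,b} alternatives into plain glob patterns (assumed brace syntax)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


def rule_matches(rule: Rule, command: str) -> bool:
    """Test one typed command line against one rule."""
    tokens = command.split()
    if not tokens:
        return False
    if rule.mode == "exact":
        # The rule names a command; any invocation of that command matches,
        # so only the command word itself is compared.
        return tokens[0] == rule.pattern
    if rule.mode == "regex":
        # Anchored at the start of the line: "yum search" does not match
        # "yum (install|remove)", while "yum install httpd" does.
        return re.match(rule.pattern, command.strip()) is not None
    if rule.mode == "wildcard":
        # Assumed semantics: each expanded glob is tested against every
        # leading-token prefix, so "yum {install,remove}" also matches
        # "yum install httpd".
        prefixes = [" ".join(tokens[: i + 1]) for i in range(len(tokens))]
        return any(
            fnmatch.fnmatchcase(prefix, glob)
            for glob in expand_braces(rule.pattern)
            for prefix in prefixes
        )
    raise ValueError(f"unknown match mode: {rule.mode}")


def evaluate(rules: List[Rule], command: str) -> Optional[Action]:
    """Return the most severe action among all matching rules, or None."""
    hits = [r.action for r in rules if rule_matches(r, command)]
    return max(hits, key=lambda a: a.value) if hits else None


# Constructed sample policy mirroring the article's yum examples.
SAMPLE_RULES = [
    Rule("yum", "exact", Action.REMIND),
    Rule(r"yum (install|remove)", "regex", Action.AUDIT),
    Rule("rm -{r,rf} /*", "wildcard", Action.INTERRUPT),
]

if __name__ == "__main__":
    for cmd in ["yum search httpd", "yum install httpd", "rm -rf /var/log", "ls -la"]:
        print(f"{cmd!r:22} -> {evaluate(SAMPLE_RULES, cmd)}")
```

With these rules, yum search httpd only hits the exact-match rule and gets a reminder, yum install httpd hits both the exact-match and the regex rule and is escalated to audit, and an ls -la matches nothing.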

Step 2: Linux bastion host sensitive command audit

When a team member initiates a class-5 action that triggers the Linux bastion host's command audit response, the members holding the audit role receive audit messages in two ways:

1. In-system audit message: audit-role members receive an in-system message. Clicking it opens "Security Audit / Sensitive Command Audit", where the "Pending Approval" tab lists all sensitive command requests currently awaiting approval; the approver simply chooses to agree or refuse execution according to the actual situation. To query the approval history, switch to the "Completed" tab;

2. Bound-account audit message: if the audit-role member has bound an account, they also receive the command approval information there and can click straight into the approval operation;

Note that the command approval role in a team may have several members. Each member receives an approval message, approvals are processed in chronological order, and a request can be approved only once: after one member has handled it, the other members are no longer allowed to approve that request.
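The approval flow described above, as an added Python example that is not Cloud Butler's code: a held "command audit" request becomes a pending item, every approver is notified, and only the first decision is recorded, so a second approver acting on the same request gets an error instead of a second approval. The queue, approver names and commands are constructed for illustration; the lock is how this example makes "first decision wins" hold even when approvers act concurrently.

```python
import itertools
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ApprovalRequest:
    request_id: int
    member: str
    command: str
    decision: Optional[str] = None    # None while pending, then "approved" or "refused"
    decided_by: Optional[str] = None


class AlreadyDecided(Exception):
    """Raised when a second approver tries to act on a request already handled."""


class ApprovalQueue:
    """Hypothetical pending/completed queue for 'command audit' requests."""

    def __init__(self, approvers: List[str]) -> None:
        self._approvers = set(approvers)
        self._requests: Dict[int, ApprovalRequest] = {}
        self._ids = itertools.count(1)
        self._lock = threading.Lock()
        # One notification per approver per request; stands in for both the
        # in-system message and the bound-account message.
        self.notifications: List[Tuple[str, int]] = []

    def submit(self, member: str, command: str) -> int:
        """A held command becomes a pending request and every approver is told."""
        req = ApprovalRequest(next(self._ids), member, command)
        self._requests[req.request_id] = req
        for approver in sorted(self._approvers):
            self.notifications.append((approver, req.request_id))
        return req.request_id

    def decide(self, approver: str, request_id: int, approve: bool) -> str:
        """Record the first decision only; any later decision raises AlreadyDecided."""
        if approver not in self._approvers:
            raise PermissionError(f"{approver} does not hold the approval role")
        with self._lock:  # makes "first decision wins" atomic across concurrent approvers
            req = self._requests[request_id]
            if req.decision is not None:
                raise AlreadyDecided(
                    f"request {request_id} was already {req.decision} by {req.decided_by}"
                )
            req.decision = "approved" if approve else "refused"
            req.decided_by = approver
            return req.decision

    def pending(self) -> List[ApprovalRequest]:
        """What the 'Pending Approval' tab would list."""
        return [r for r in self._requests.values() if r.decision is None]

    def completed(self) -> List[ApprovalRequest]:
        """What the 'Completed' tab would list."""
        return [r for r in self._requests.values() if r.decision is not None]


if __name__ == "__main__":
    queue = ApprovalQueue(["alice", "bob"])
    rid = queue.submit("carol", "yum remove httpd")
    print("pending:", [r.command for r in queue.pending()])
    print("alice:", queue.decide("alice", rid, approve=True))
    try:
        queue.decide("bob", rid, approve=False)
    except AlreadyDecided as exc:
        print("bob:", exc)
```

Run stand-alone, the script shows the request in the pending list, alice's approval being recorded, and bob's later refusal being rejected because the request was already decided.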

Step 3: how to exempt a member from Linux bastion host command blacklist interception

Once a Linux bastion host command blacklist is set, all team members, including team owners and team administrators, are subject to the corresponding response action whenever a command they enter is identified as sensitive. In some special scenarios, however, individual members need higher privileges so that their operations are not affected by the command blacklist; such members can be granted the permission to temporarily disable the command approval rules:

1. Go to Team / Rights Management / Role Management, create a dedicated role for such members, for example "Disable command approval role", and add the appropriate members to it;

2. Go to Team / Rights Management / Feature Authorization, locate "Security Audit / Disable command approval rule", and add the role created in the previous step to that function permission;

3. During an access session, members of that role can see "Command approval" in the session details. As long as the current host is a critical device with the command black/white list enabled, they can switch command approval off, after which commands executed in the current session are no longer affected by the policy.
