Policy Groups Definition
Policy groups consist of multiple policies. If black keys and white keys are defined in the same policy group, black keys take priority: the system first denies any command that matches a black key, and only then allows commands that match a white key.
If a policy group defines specific commands as white keys, the system allows only those commands and denies all others.
- Navigate to Policy > Policy Group.
- In the Policy Group list, click the Add button.
- Fill in the mandatory fields (Name, Operation Mode, Select Policy Key(s), Action) under Policy Group Properties and set the Action field to Generate Error.
- Click Save.
Operation Mode | Definition |
---|---|
Operation | Policy groups are available when devices are in operation mode. |
Maintenance | Policy groups are available when devices are in maintenance mode. Maintenance mode is set on the device itself; see the right-click menu of a device under Device Inventory > Devices. |
Kron PAM can send information about executed black key commands as Simple Network Management Protocol (SNMP) traps to a trap receiver.
The following parameters are defined in the System Configuration Manager:
Parameter Name | Parameter Value |
---|---|
snmp.target.ip | Target IP to send the SNMP trap to. If not defined, localhost is used as the default target IP to send the traps. |
snmp.target.port | Target port of the target IP to send the SNMP trap to. If not defined, 162 is used as the default port. |
snmp.community.string | The preferred community string. If not defined, "public" is used as the default value. |
Because "public" is the universally known default community string, set snmp.community.string to the value configured on the trap receiver rather than relying on the default.
Clicking Policy Key Actions shows the General Actions and Black Key Action fields.
Send Notifications on Policy Key Execution: when the command is run through the SSH Proxy, an e-mail is sent to the user group to inform them.
If sc.policy.notification.sendApproval.useOnlyDeviceRealmManagers is false in the System Configuration Manager (the default), the notification is sent to all managers of the user groups the session user belongs to.
If it is set to true, the notification e-mail is sent only to the group managers of the device realms to which the session user is connected.
Time-based restrictions regulate CLI connections to network elements through Kron PAM by time of day and day of week. Time-based and command-based restrictions can be combined to fit your security needs. The example below reflects a scenario that a service provider may often encounter.
Time Interval | Authorization | Explanation |
---|---|---|
Weekdays 06:00-22:00 | Only monitoring commands. | Configuration commands are restricted due to potential effects on service. |
Weekdays 22:00-02:00 | All configuration commands except service-affecting commands. | Operators may run all configuration commands except commands such as "reboot", "restart", or "BGP shutdown". |
Weekdays 02:00-06:00 | All commands. | No restrictions on running commands. |
Weekend | Only monitoring commands. | Configuration commands are restricted due to potential effects on service. |
Covering every row of the table above requires four time-based policies and three command-based policies.
Time-Based Policies:
- TBP 1: 06:00 – 22:00, Mon, Tue, Wed, Thu, Fri
- TBP 2: 22:00 – 02:00, Mon, Tue, Wed, Thu, Fri
- TBP 3: 02:00 – 06:00, Mon, Tue, Wed, Thu, Fri
- TBP 4: Sat, Sun
Command-Based Policies:
- Whitelist 1: .*sh.*
- Blacklist 1: .*rebo.* , .*resta.* , .*bgp.*\s.*shut.*
- Whitelist 2: .*
The regular expression .* matches every command. Note that .*sh.* matches any command containing the letters "sh", including "shutdown", so test the patterns against the real command set before relying on them. Combining the command-based and time-based policies, the scenario above looks like this:
- Weekdays 06:00 – 22:00: TBP 1 & Whitelist 1
- Weekdays 22:00 – 02:00: TBP 2 & Blacklist 1
- Weekdays 02:00 – 06:00: TBP 3 & Whitelist 2
- Weekend: TBP 4 & Whitelist 1
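The schedule above, evaluated in Python as an added example (this is not Kron PAM's own code or configuration). It applies the two rules from the Policy Groups Definition section: black keys are checked first and win, and a group that defines white keys allows only those commands. The class and function names, the fail-closed decision when no time policy applies, anchored case-insensitive regex matching, and the treatment of the 22:00-02:00 window by the calendar day of the command (so Saturday 00:30 falls under the weekend policy) are all this example's assumptions; the sample commands and timestamps are constructed. It also shows that Whitelist 1 (.*sh.*) lets "shutdown" through during the day, and how a black key for "shut" in the same group closes that gap.

```python
import re
from datetime import datetime, time

# Added illustration of the policy-group rules on this page. Class and function
# names are this example's own, not Kron PAM identifiers. Matching is anchored
# (fullmatch) and case-insensitive, which is an assumption the page does not state.

WEEKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday, as datetime.weekday() numbers them
WEEKEND = {5, 6}


class TimeBasedPolicy:
    """A set of weekdays plus an optional clock-time window."""

    def __init__(self, name, days, start=None, end=None):
        self.name, self.days, self.start, self.end = name, days, start, end

    def matches(self, when):
        if when.weekday() not in self.days:
            return False
        if self.start is None:            # whole-day policy (TBP 4)
            return True
        t = when.time()
        if self.start < self.end:         # ordinary window, e.g. 06:00-22:00
            return self.start <= t < self.end
        # Window crosses midnight (22:00-02:00). Assumption: the clock-time test
        # is applied on the calendar day of the command, so Saturday 00:30 is a
        # weekend timestamp rather than the tail of Friday's window.
        return t >= self.start or t < self.end


class PolicyGroup:
    """White keys permit, black keys deny; black keys are evaluated first."""

    def __init__(self, name, time_policy, white=(), black=()):
        self.name = name
        self.time_policy = time_policy
        self.white = [re.compile(p, re.IGNORECASE) for p in white]
        self.black = [re.compile(p, re.IGNORECASE) for p in black]

    def decide(self, command):
        if any(p.fullmatch(command) for p in self.black):
            return "DENY"                 # a black key wins even if a white key also matches
        if self.white:                    # white keys defined: everything else is denied
            return "ALLOW" if any(p.fullmatch(command) for p in self.white) else "DENY"
        return "ALLOW"                    # black keys only: anything not blacklisted passes


def evaluate(groups, when, command):
    """Return (group name, decision) for the first group whose time policy applies."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for g in groups:
        if g.time_policy.matches(when):
            return g.name, g.decide(command)
    return None, "DENY"                   # no applicable group: fail closed (example's choice)


# The four time-based and three command-based policies from the table above.
TBP1 = TimeBasedPolicy("TBP 1", WEEKDAYS, time(6), time(22))
TBP2 = TimeBasedPolicy("TBP 2", WEEKDAYS, time(22), time(2))
TBP3 = TimeBasedPolicy("TBP 3", WEEKDAYS, time(2), time(6))
TBP4 = TimeBasedPolicy("TBP 4", WEEKEND)

WHITELIST_1 = [r".*sh.*"]
BLACKLIST_1 = [r".*rebo.*", r".*resta.*", r".*bgp.*\s.*shut.*"]
WHITELIST_2 = [r".*"]

GROUPS = [
    PolicyGroup("Weekdays 06:00-22:00", TBP1, white=WHITELIST_1),
    PolicyGroup("Weekdays 22:00-02:00", TBP2, black=BLACKLIST_1),
    PolicyGroup("Weekdays 02:00-06:00", TBP3, white=WHITELIST_2),
    PolicyGroup("Weekend", TBP4, white=WHITELIST_1),
]

# Same schedule, but the "monitoring only" groups also carry a black key for
# "shut": ".*sh.*" alone matches "shutdown", and black keys take precedence.
HARDENED_GROUPS = [
    PolicyGroup("Weekdays 06:00-22:00", TBP1, white=WHITELIST_1, black=[r".*shut.*"]),
    GROUPS[1],
    GROUPS[2],
    PolicyGroup("Weekend", TBP4, white=WHITELIST_1, black=[r".*shut.*"]),
]


if __name__ == "__main__":
    # Constructed samples: 2024-01-10 is a Wednesday, 2024-01-13 a Saturday.
    samples = [
        ("2024-01-10T09:00", "show ip bgp summary"),
        ("2024-01-10T09:00", "configure terminal"),
        ("2024-01-10T09:00", "shutdown"),
        ("2024-01-10T23:30", "router bgp 65000 shutdown"),
        ("2024-01-11T01:00", "restart system"),
        ("2024-01-11T03:00", "reboot"),
        ("2024-01-13T00:30", "configure terminal"),
    ]
    for when, cmd in samples:
        print(when, repr(cmd), evaluate(GROUPS, when, cmd), evaluate(HARDENED_GROUPS, when, cmd))
```

Running the block prints both decisions side by side; the third sample is the one to look at, since the unhardened daytime group allows "shutdown" and the hardened one denies it. Keep the group order in mind: the evaluator takes the first group whose time policy matches, so the four time policies must not overlap.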
For direct connections to devices that support TACACS and RADIUS, the Direct Access feature is expected to be enabled on the user group. In some cases, however, users must not be allowed to connect from every location. A Permit Zone can then be defined for certain users or for all users. From within a Permit Zone, direct access to devices is granted even if Direct Access is not enabled on the user group.
- Navigate to Policy > Permit Zone.
- Click on the Add button.
- Enter the IP, description and username, then click Save.