Policy Key Definition
Policies might be White Key and/or Black Key. White Key permits users to use the white key commands, and Black Key restricts users to using black key commands. Policies are created based on Regex Classes:
- ".*" means all commands.
- If ".*" is used after a command, it means all commands starting with that command.
The table below shows the Policy Key types that can be defined from the Kron PAM Web GUI.
| Policy Key Types | Definition |
|---|---|
| Black Key | Restricted commands. |
| RADIUS Attribute | Allowed RADIUS attributes. Ex: cisco-avpair := shell:priv-lvl=1 |
| TACACS Attribute | Allowed TACACS attributes. Ex: priv-lvl=15 |
| User Behavior Rating | Commands to be detected as suspicious behavior to block. |
| White Key | Allowed commands. |
| XML File | XML file that contains context-aware policies. |
To define a policy with White and/or Black keys:
- Navigate to Policy Control > Session Policy
- To create a White Key Policy:
  a. Fill in the mandatory fields (Key, Element Type(s)) and select the Type as White Key.
  b. Click Save.
- To create a Black Key Policy:
  a. Fill in the mandatory fields (Key, Element Type(s)) and select the Type as Black Key.
  b. Click Save.
The policy definition Key parameter contains the allowed or restricted commands in their regex form. The CommandPatternGenerator button next to the key definition can be used to create these regex statements.
Input the desired command into the Commands tab, denoting the auto-completion point with a ' (single quote) character. Click the button to create the regex statement. The "auto-completion point" is the point in a command string where hitting TAB completes the remainder of the command. For example, for clear, the auto-completion point is cl. This means hitting TAB after typing cl will complete the command to clear in the CLI screen.
The regex statement created for the above example can be seen in the figure below. Since the auto-completion point marked with the single quote character was between "l" and "e" (cl'ear), the regex statement is created as "(?i)cl(e|ea|ear)?". Therefore, hitting TAB on the keyboard after typing "cl" will be enough to complete the "clear" command on the terminal.
All users have an ubaThreshold value on their user property, which can be viewed from the User Accounts page. The default value of ubaThreshold is 50. User Behavior Rating works as a grey key command. When a policy key is defined with the User Behavior Rating type, a Rate field appears for admin users to set the value.
Let's define a date command as an example.
As shown in the figure below, select the Type as User Behavior Rating, enter the Rate as 20 and then associate this date policy key with a device realm. After that, whenever a user who is assigned this policy executes the date command, the user gains 20 points. If the same user executes the date command three times, the user gains 60 points and thereby exceeds the default value of 50 for the ubaThreshold property. At this point, the date command becomes a black key for this user, meaning that the user can no longer execute the date command.
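The following is an added example, not Kron PAM code, that models the two mechanisms described above: the regex the CommandPatternGenerator produces from an auto-completion point, and the way White, Black and User Behavior Rating (grey) keys decide a command against the ubaThreshold. Full-match semantics and the evaluation order (Black, then grey, then White) are assumptions for illustration, not documented product behaviour.

```python
import re

# Added example (not Kron PAM code). Matching semantics (full-match,
# black before grey before white) are assumptions, not documented behaviour.

def command_pattern(cmd: str) -> str:
    """Mimic CommandPatternGenerator: a ' marks the auto-completion point.
    "cl'ear" -> "(?i)cl(e|ea|ear)?"; without a quote the command is literal."""
    if "'" not in cmd:
        return f"(?i){re.escape(cmd)}"
    prefix, rest = cmd.split("'", 1)
    # Every prefix of the remainder is an accepted completion: e, ea, ear
    alternatives = "|".join(rest[:i] for i in range(1, len(rest) + 1))
    return f"(?i){re.escape(prefix)}({alternatives})?"


class SessionPolicy:
    """White/Black keys plus User Behavior Rating (grey key) for one user session."""

    def __init__(self, white=(), black=(), rating=(), uba_threshold=50):
        self.white = [re.compile(p) for p in white]
        self.black = [re.compile(p) for p in black]
        # rating: iterable of (regex, points) pairs, i.e. the Rate field per key
        self.rating = [(re.compile(p), points) for p, points in rating]
        self.uba_threshold = uba_threshold   # default per page: 50
        self.score = 0                       # points accumulated by this user

    def decide(self, command: str) -> str:
        """Return "ALLOW" or "BLOCK" for a command typed in the session."""
        if any(p.fullmatch(command) for p in self.black):
            return "BLOCK"
        for pattern, points in self.rating:
            if pattern.fullmatch(command):
                # Grey key: once the score exceeds ubaThreshold the command
                # behaves as a black key for this user (the page's date example).
                if self.score > self.uba_threshold:
                    return "BLOCK"
                self.score += points
                return "ALLOW"
        # White keys: if any are defined, only matching commands are allowed.
        if self.white and not any(p.fullmatch(command) for p in self.white):
            return "BLOCK"
        return "ALLOW"


if __name__ == "__main__":
    policy = SessionPolicy(white=[command_pattern("cl'ear"), "show .*"],
                           black=["reload"], rating=[("date", 20)])
    for cmd in ["clea", "show version", "reload", "date", "date", "date", "date"]:
        print(f"{cmd:14s} -> {policy.decide(cmd)} (score={policy.score})")
```

Running the block shows the fourth date command being blocked once the accumulated score (60) has passed the threshold of 50, matching the walkthrough above.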