Policy Key Definition
Policies can be White Key and/or Black Key. A White Key permits users to run the white key commands, and a Black Key prevents users from running the black key commands. Policies are created based on Regex Classes:
- “.*” means all commands.
- If “.*” is used after a command, it means all commands starting with that command.
The table below shows the Policy Key types that can be defined from the Kron PAM Web GUI.
Policy Key Types | Definition |
---|---|
Black Key | Restricted commands. |
RADIUS Attribute | Allowed RADIUS attributes. Ex: cisco-avpair := shell:priv-lvl=1 |
TACACS Attribute | Allowed TACACS attributes. Ex: priv-lvl=15 |
User Behavior Rating | Commands to be detected as suspicious behavior to block. |
White Key | Allowed commands. |
XML File | XML file that contains context-aware policies. |
To define a policy with White and/or Black keys:
- Click Policy > +Add.
- To create a White Key Policy:
  a. Select White Key as the Type and click Next, then fill in the mandatory fields (Key, Element Type(s)).
  b. Click Save.
- To create a Black Key Policy:
  a. Select Black Key as the Type and click Next, then fill in the mandatory fields (Key, Element Type(s)).
  b. Click Save.

The policy definition Key parameter contains the allowed or restricted commands in their regex form. The CommandPatternGenerator button next to the key definition can be used to create these regex statements.
Input the desired command into the Commands tab, denoting the auto-completion point with a “ ‘ ” (single quote) character. Click the button to create the regex statement. The “auto-completion point” is the point in a command string where hitting TAB completes the remainder of the command. For example, for clear, the auto-completion point is cl. This means hitting TAB after typing cl will complete the command to clear in the CLI screen.

The regex statement created for the above example can be seen in the figure below. Since the auto-completion point with a single quote character was between l and e (cl’ear), the regex statement is created as (?i)cl(e|ea|ear)?. Therefore, hitting TAB on the keyboard after typing cl will be enough to complete the clear command on the terminal.
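The generation rule described above can be reproduced and checked offline before a key is saved. This is an added example, not Kron PAM code: `generate_pattern`, `accepted` and `audit` are hypothetical names, and it assumes Python's `re` engine with whole-command matching, which this page does not specify.

```python
import re

def generate_pattern(marked: str) -> str:
    """Turn a command marked at its auto-completion point into a regex key.

    "cl'ear" -> "(?i)cl(e|ea|ear)?", the form shown on this page.
    """
    marked = marked.replace("\u2019", "'")  # tolerate a typographic quote
    if marked.count("'") != 1:
        raise ValueError("mark exactly one auto-completion point")
    stem, rest = marked.split("'")
    if not stem:
        raise ValueError("auto-completion point cannot precede the command")
    if not rest:
        return "(?i)" + re.escape(stem)
    # Each prefix of the remainder is an optional continuation: e, ea, ear.
    prefixes = "|".join(re.escape(rest[:i]) for i in range(1, len(rest) + 1))
    return f"(?i){re.escape(stem)}({prefixes})?"

def accepted(key: str, typed: str) -> bool:
    """Assumption: a key matches only when it covers the whole typed command."""
    return re.fullmatch(key, typed) is not None

def audit(key: str, samples: list[str]) -> dict[str, bool]:
    """Report which sample commands a key would cover."""
    return {s: accepted(key, s) for s in samples}

# Constructed sample input, not taken from a real device.
SAMPLES = ["c", "cl", "cle", "CLEAR", "clear counters", "clock set"]

if __name__ == "__main__":
    bare = generate_pattern("cl'ear")
    keys = {
        "generated": bare,
        "generated + .*": bare + ".*",              # ".*" after a command, per this page
        "generated + (\\s.*)?": bare + r"(\s.*)?",  # hypothetical tighter variant
    }
    for label, key in keys.items():
        print(f"{label}: {key}")
        for typed, hit in audit(key, SAMPLES).items():
            print(f"  {'match' if hit else 'no   '}  {typed}")
```

Under these assumptions, appending `.*` to the generated key also covers `clock set`, because the optional group can match nothing. Running candidate keys against a list of the commands actually used on the target devices shows this kind of overlap before the key is saved.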

All users have an ubaThreshold value on their user property, which can be viewed from the User Accounts page. The default value of ubaThreshold is 50. User Behavior Rating works as a grey key command. When a policy key is defined with the User Behavior Rating type, a Rate field appears for admin users to set the value.

Let’s define a date command as an example.
As shown in the figure below, select the Type as User Behavior Rating, enter the Rate as 20, and then associate this date policy key with a device realm. After that, whenever a user who is assigned this policy executes the date command, the user gains 20 points. If the same user executes the date command three times, the user gains 60 points and so exceeds the default value of 50 for the ubaThreshold property. At this point, the date command becomes a black key for this user, meaning that the user can no longer execute the date command.
