Policy Key Creation
Policies determine what a user is able or unable to do during a device connection of any kind. In the context of an SSH connection, such policies can be white keys or black keys: white keys permit users to use the white key commands, and black keys block users from using the black key commands.

Policies are created based on regex classes. “ ” means all commands; if “ ” is used after a command, it means all commands starting with that command (for example, cd means "any command that starts with cd").

The table below shows some of the policy key types that can be defined from the Kron PAM web GUI.

| Policy key type | Definition |
| --- | --- |
| Black key | Restricted commands |
| RADIUS attribute | Allowed RADIUS attributes, e.g. cisco-avpair = shell:priv-lvl=1 |
| TACACS attribute | Allowed TACACS attributes, e.g. priv-lvl=15 |
| User behavior rating | Commands that change the behavior rating of a user. If a user who is allowed to run commands with sudo abuses this authority and runs too many commands starting with sudo, the rating will eventually cross the threshold and this policy key will block the execution of commands starting with sudo. |
| White key | Allowed commands |
| XML file | XML file that contains context-aware policies |

To create a policy with white or black keys, navigate to Policy > Add.

To create a white key policy, select the type as White Key, click Next, then fill in the mandatory fields (Key Regex Pattern, Element Type(s)). Click Save.

To create a black key policy, select the type as Black Key, click Next, then fill in the mandatory fields (Key Regex Pattern, Element Type(s)). Click Save.

The Command Pattern Generator button that appears next to the Key Regex Pattern field when you fill the input field can help create these regex statements. For example, input the desired command into the field, denoting the auto-completion point with a “ ' ” (single quote) character, then click the button to create the regex statement. The "auto-completion point" is the point in a command string where hitting Tab completes the remainder of the command. In this example, the auto-completion point for clear is cl; this means hitting Tab after typing cl will complete the command to clear the CLI screen. The regex statement created for the above example can be seen in the figure below. Since the auto-completion point (marked with the single quote character) was between l and e (cl'ear), the regex statement is created as (?i)cl(e|ea|ear)?. Therefore, hitting Tab on the keyboard after typing cl will be enough to complete the clear command on the terminal.

All users have a ubathreshold value in their user properties, which can be viewed from the User Accounts page. The default value of ubathreshold is 50. User behavior rating works as a grey key command: when a policy key is defined with the User Behavior Rating type, a Rate field appears for admin users to set the value. Let's define a date command as an example. As shown in the figure below, select the type as User Behavior Rating, enter the rate as 20, and then associate this date policy key with a device realm. After that, whenever a user who is assigned this policy executes the date command, the user gains 20 points. If the same user executes this command three times, the user gains 60 points and thereby exceeds the default value of 50 for the ubathreshold property. At this point, the date command becomes a black key for this user, meaning that the user can no longer execute the date command.

By default, white key commands are listed at the beginning of the SSH session. If you want to hide the list of white keys shown at the beginning of the session, the following definition should be made in the /pam/ssh/conf/nsso.properties file:

sc.policy.list.whitekeys=false (default value is true)

To prevent white and black policies from being listed on the screen during a session, set the disabledumppolicykey parameter to true for the relevant user group. When this parameter is enabled, users in that group will not see the policy lists on the screen during the session. Open Users > User Group > Custom Properties > Add Parameter and set disabledumppolicykey to true.

If sc.policy.dump=false is set in the properties file, the policy list display feature is disabled for all users. In /pam/gui/netright/netright.properties:

sc.policy.dump=false

The Refresh button added to the Policy screen allows the screen to be refreshed without leaving it. When this button is clicked, the screen is refreshed and all defined policy records are listed.
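The following is an added example, not Kron PAM's own code: it reproduces the regex the Command Pattern Generator builds from an auto-completion marker (cl'ear becomes (?i)cl(e|ea|ear)?) and walks the date/ubathreshold scenario above through a small white/black/grey key evaluator. The evaluation order (black keys, then rating keys, then white keys), the use of full-string matching, and the rule that any defined white key must match for a command to be allowed are assumptions made for this illustration.

```python
import re

UBA_THRESHOLD_DEFAULT = 50  # default ubathreshold value stated on the page


def generate_pattern(command: str, marker: str = "'") -> str:
    """Build the auto-completion regex for a command marked with a single quote.
    The text before the marker is mandatory; any prefix of the remainder is
    optional, so "cl'ear" -> "(?i)cl(e|ea|ear)?" (case-insensitive)."""
    if marker not in command:
        return "(?i)" + re.escape(command)
    head, tail = command.split(marker, 1)
    alternatives = "|".join(re.escape(tail[:i]) for i in range(1, len(tail) + 1))
    return f"(?i){re.escape(head)}({alternatives})?"


class PolicyEvaluator:
    """Decide allow/deny per command and track the user's behavior rating."""

    def __init__(self, white_keys, black_keys, rating_keys,
                 threshold: int = UBA_THRESHOLD_DEFAULT):
        self.white = [re.compile(p) for p in white_keys]
        self.black = [re.compile(p) for p in black_keys]
        # rating_keys maps a regex to the points added per execution (the Rate field)
        self.rating = [(re.compile(p), rate) for p, rate in rating_keys.items()]
        self.threshold = threshold
        self.score = 0  # the user's accumulated behavior rating

    def check(self, command: str) -> str:
        # Black keys always win.
        if any(r.fullmatch(command) for r in self.black):
            return "deny"
        # Grey keys: allowed until the rating exceeds the threshold,
        # after which the command behaves as a black key for this user.
        for r, rate in self.rating:
            if r.fullmatch(command):
                if self.score > self.threshold:
                    return "deny"
                self.score += rate
                return "allow"
        # White keys: assumed to be required when any are defined.
        if not self.white or any(r.fullmatch(command) for r in self.white):
            return "allow"
        return "deny"
```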