This topic describes how to use Bastionhost to enable automatic O&M operations on multiple assets at a time and audit the O&M process and results. This helps enterprises improve O&M efficiency, lower management costs, and reduce O&M security risks.
Background information
Enterprises often need to perform O&M operations on a large number of assets at a time. For example, enterprises may regularly back up host files, delete temporary files, and run scripts on multiple assets. This leads to a high demand for batch automatic O&M operations. Enterprises can write and execute O&M scripts to simplify the O&M process and improve O&M efficiency.
However, when many scripts are executed across many hosts, problems such as scripts of unknown origin, insufficient review of script content, and bypass of execution policies can arise. The resulting risks include theft of business data, damage to systems, and execution of malicious scripts. Ensuring security while improving O&M efficiency is therefore a critical concern for enterprises.
Solution
Bastionhost provides the batch automatic O&M feature to meet the requirements of enterprises. This feature allows O&M engineers to configure O&M tasks and specify O&M scripts in the console of their bastion hosts to enable automatic O&M operations on multiple hosts at a time. Bastion host administrators can review the O&M script content and O&M task configurations to prevent issues such as malicious scripts and accidental operations. After the O&M tasks are executed, O&M engineers can view and download the execution results, whereas administrators can view the execution status and results of all O&M tasks on their bastion hosts. All O&M operations are audited to improve security and efficiency.
O&M
An O&M engineer can execute an O&M task to run an O&M script on multiple hosts at a time. The O&M script is associated with one or more host accounts that have the permissions the script needs; when the task starts, the script runs on the corresponding hosts with the permissions of those accounts, so associate the least-privileged accounts that can still complete the job. After the O&M task is complete, the O&M engineer can view or download the task execution results.
The script size can be up to 64 KB. Only shell commands are supported.
When an O&M engineer configures an O&M task, the O&M engineer can manually enter the script content or select an existing O&M script. O&M scripts are divided into private and public ones. O&M engineers can create only private scripts. The administrator can create public scripts for O&M engineers to use.
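The following script is an added example for this page, not code from Bastionhost or the original text. It shows what a reviewable batch O&M script looks like under the constraints above: plain shell, well under 64 KB, a target directory and age threshold fixed at the top so the reviewer sees exactly what will run, guards that fail closed on any host where the path is not what was expected, and one summary line per host so the execution results can be read across many hosts. The directory /var/tmp/app-cache, the allowed roots in CLEANUP_ROOTS and the output format are assumptions for the example.

```shell
#!/bin/sh
# Example batch O&M script: remove stale temporary files under one directory.
# Added example for this page; not Bastionhost's own code. Written to the
# constraints the page states (plain shell, well under 64 KB) and to produce
# output an administrator can audit line by line in the task results.
set -eu

# Defaults used when a Bastionhost task runs the script (no arguments).
# Directory and allow-list are assumptions for the example; adjust per site.
TARGET_DIR="/var/tmp/app-cache"
MAX_AGE_DAYS=7
# Only directories below these roots may be cleaned (space-separated).
CLEANUP_ROOTS="${CLEANUP_ROOTS:-/tmp /var/tmp}"

# cleanup_tmp_files DIR DAYS
#   Deletes regular files under DIR older than DAYS days.
#   Exit 0 on success, 1 if find fails, 2 if DIR is refused by the guards.
cleanup_tmp_files() {
  dir="$1"
  days="$2"
  host="$(uname -n)"

  # Guards: absolute path, not "/", a real directory (not a symlink), inside
  # an allowed root. One script runs on many hosts, so an unexpected path on
  # one host must fail closed instead of deleting widely.
  case "$dir" in
    /)  echo "refused host=$host reason=root-directory" >&2; return 2 ;;
    /*) ;;
    *)  echo "refused host=$host reason=relative-path dir=$dir" >&2; return 2 ;;
  esac
  if [ -L "$dir" ] || [ ! -d "$dir" ]; then
    echo "refused host=$host reason=not-a-directory dir=$dir" >&2
    return 2
  fi
  allowed=0
  for root in $CLEANUP_ROOTS; do          # intentional word split on spaces
    case "$dir" in "$root"/*) allowed=1 ;; esac
  done
  if [ "$allowed" -ne 1 ]; then
    echo "refused host=$host reason=outside-allowed-roots dir=$dir" >&2
    return 2
  fi
  case "$days" in
    ''|*[!0-9]*) echo "refused host=$host reason=bad-days days=$days" >&2; return 2 ;;
  esac

  # Print every deleted path so the execution result shows exactly what went.
  # -xdev stays on one filesystem; -type f skips directories and symlinks.
  removed="$(find "$dir" -xdev -type f -mtime +"$days" -print -delete)" || {
    echo "error host=$host reason=find-failed dir=$dir" >&2
    return 1
  }
  count=0
  if [ -n "$removed" ]; then
    printf '%s\n' "$removed"
    count="$(printf '%s\n' "$removed" | wc -l | tr -d ' ')"
  fi
  echo "result host=$host dir=$dir older_than_days=$days removed=$count"
  return 0
}

# Bastionhost runs the script without arguments. In a real task, replace this
# guarded block with the single line:
#   cleanup_tmp_files "$TARGET_DIR" "$MAX_AGE_DAYS"
# The guard exists so the file can be run or sourced locally for testing.
if [ "$#" -gt 0 ]; then
  cleanup_tmp_files "${1:-$TARGET_DIR}" "${2:-$MAX_AGE_DAYS}"
fi
```

The summary line is deliberately a single greppable record (host, directory, threshold, count): when the administrator opens the execution results of a task that ran on dozens of hosts, a refused or errored host stands out immediately, and a host that silently deleted far more than its neighbours does too.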
Create and execute an O&M task
If the O&M engineer uses a Resource Access Management (RAM) user, the O&M engineer can log on to the console of a bastion host to create and execute an O&M task. For more information, see the "RAM user" section of the Automatic O&M topic.
If the O&M engineer does not use a RAM user, the O&M engineer can log on to the O&M portal of a bastion host to create and execute an O&M task. For more information, see the "Non-RAM user" section of the Automatic O&M topic.
View the task execution results
Bastionhost console (RAM user)
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose .
On the O&M Tasks tab, find the task that you executed and click View Execution Results in the Actions column to view the task execution results.
O&M portal (non-RAM user)
Log on to the O&M portal of your bastion host. For more information, see Log on to the O&M portal.
In the left-side navigation pane, click O&M Tasks.
On the O&M Tasks tab, find the task that you executed and click View Execution Results in the Actions column to view the task execution results.
O&M management and audit
The administrator can manage the whole process of batch automatic O&M, such as creating public O&M scripts, reviewing O&M tasks, auditing the execution results of O&M tasks, and viewing the details, including the script content and execution results, of all O&M tasks on the bastion host. This reduces the risks of malicious scripts and unauthorized commands.
Create a public O&M script
After the administrator creates a public O&M script, O&M engineers can select the script when they configure O&M tasks.
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose .
On the Public Script Management tab, click Create O&M Script.
In the Create O&M Script panel, specify the Script Name and Script Content parameters, and then click Create O&M Script.
Note: The script name must be 1 to 128 characters in length and can contain letters, periods (.), underscores (_), hyphens (-), and spaces. It cannot start with a special character.
The script size can be up to 64 KB. Only shell commands are supported.
Review an O&M task
The O&M tasks created by O&M engineers can be executed only after the tasks are approved by the administrator.
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose .
On the Task Review tab, find the task to review and click Allow or Reject in the Actions column.
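Approval only protects the hosts if the administrator actually reads the script content behind the task. The following shell function is an added example, not a Bastionhost feature: run locally over the script text copied out of the task before clicking Allow, it flags constructs that should not pass review without a written justification, and it checks the two constraints the page states (shell only, 64 KB limit, taken here as 65536 bytes). The pattern list is an assumption for the example and is a reading aid, not a substitute for the review itself; the file names and script contents in the usage are constructed.

```shell
#!/bin/sh
# Pre-review checks for a batch O&M script before the administrator clicks Allow.
# Added example for this page; not a Bastionhost feature. The administrator runs
# it locally over the script text copied from the task. It flags constructs that
# should not pass review without justification; it helps reading, it does not
# replace it.

# Internal: grep the script under review for an ERE; on a hit, print the
# matching lines with their numbers and the reason, and count one finding.
_flag() {
  if grep -nE -- "$1" "$REVIEW_FILE"; then
    echo "  -> $2"
    REVIEW_FINDINGS=$((REVIEW_FINDINGS + 1))
  fi
}

# review_script FILE
#   Prints findings; exit 0 = none, 1 = findings present, 2 = file unreadable.
review_script() {
  REVIEW_FILE="$1"
  REVIEW_FINDINGS=0
  if [ ! -r "$REVIEW_FILE" ]; then
    echo "cannot read $REVIEW_FILE" >&2
    return 2
  fi

  # Constraints stated by the page: shell only, at most 64 KB (65536 bytes).
  size="$(wc -c < "$REVIEW_FILE" | tr -d ' ')"
  if [ "$size" -gt 65536 ]; then
    echo "size $size bytes exceeds the 64 KB script limit"
    REVIEW_FINDINGS=$((REVIEW_FINDINGS + 1))
  fi
  first="$(head -n 1 "$REVIEW_FILE")"
  case "$first" in
    '#!'*sh) ;;                       # sh, bash, dash, ... are shells
    '#!'*)   echo "1:$first"
             echo "  -> interpreter is not a shell; tasks run shell commands only"
             REVIEW_FINDINGS=$((REVIEW_FINDINGS + 1)) ;;
  esac

  # Content that hides what actually runs, or widens the blast radius.
  _flag '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)' \
        'remote content piped into a shell: the reviewed text is not what runs'
  _flag 'base64[[:space:]]+(-d|--decode)|eval[[:space:]]' \
        'decoded or eval-ed payload: the reviewer cannot see the real commands'
  _flag 'rm[[:space:]]+-[A-Za-z]*[rR]' \
        'recursive delete: confirm the path is fixed, quoted and cannot expand to /'
  _flag 'authorized_keys|/etc/sudoers|/etc/passwd|/etc/shadow' \
        'modifies credentials or privilege configuration'
  _flag 'HISTFILE|HISTSIZE=0|history[[:space:]]+-c' \
        'tampers with shell history'
  _flag '(^|[[:space:];|&])(nc|ncat)[[:space:]].*-e[[:space:]]|/dev/tcp/' \
        'opens a network shell'

  echo "findings: $REVIEW_FINDINGS"
  [ "$REVIEW_FINDINGS" -eq 0 ]
}

# Usage: review_script task-script.sh ; exit status 0 means nothing was flagged.
if [ "$#" -gt 0 ]; then
  review_script "$1"
fi
```

A clean result is not an approval: a script that passes every pattern can still delete the wrong data or run under an over-privileged host account, and a flagged script can be legitimate once the engineer explains the construct. The value of the check is that the reviewer cannot overlook the lines that most often turn a routine task into an incident.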
Audit the task execution results
After O&M engineers execute O&M tasks, Bastionhost automatically saves the task records. The administrator can search for, view, and download task execution records for different time periods.
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose .
On the Task Records page, view the task execution records in the last 180 days. Click View Details in the Actions column of a record to view the details, including the script content and execution results.