
Bastionhost:Configure a control policy

Last Updated:Apr 11, 2025

Bastionhost supports control policies. You can configure command control, protocol control, access control, and logon control policies to manage O&M operations. These policies prevent users from running high-risk commands or performing misoperations and help ensure O&M security.

Step 1: Create a control policy

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, click Control Policies.

  4. On the Control Policies page, click Create Control Policy.

  5. On the Create Control Policy page, configure the required parameters and click Create Control Policy.

    Priority

    • Valid values: 1 to 100. Default value: 1. The default value specifies the highest priority.

    • You can configure the same priority for different control policies. If multiple control policies have the same priority, the most recently created policy takes precedence. If a command control policy and a command approval policy contain the same command, the verdicts are applied in descending order of precedence: reject, allow, and approve.

    Command Policy

    Host Command Policy

    Commands That Require Control

    Note

    This field applies only to Linux hosts.

    Specify the commands that can or cannot be run by the users or on the hosts to which the policy applies.

    • (Blacklist) Listed Commands Are Not Allowed: If you select this option, you can leave the Commands That Require Control field empty. The commands in a blacklist cannot be run by the users or on the hosts to which the policy applies.

    • (Whitelist) Only Listed Commands Are Allowed: If you select this option, you must configure the Commands That Require Control field. Only the commands in a whitelist can be run by the users and on the hosts to which the policy applies.

    For more information, see Recommended policies for host commands.

    Commands That Require Approval

    If a user runs a command that requires approval, an administrator must decide in the bastion host console whether to approve the execution of the command. Only approved commands are run. For more information, see Review commands.

    Note

    The command control policy takes precedence over the command approval policy during validation.

    Database Command Policy

    Commands That Require Control

    • (Blacklist) Listed Commands Are Not Allowed: If you select this option, you can leave the Commands That Require Control field empty. The commands in a blacklist cannot be run by the users or on the databases to which the policy applies.

    • (Whitelist) Only Listed Commands Are Allowed: If you select this option, you must configure the Commands That Require Control field. Only the commands in a whitelist can be run by the users and on the databases to which the policy applies.

    • Match Method: SQL parsing and regular expression matching are supported.

    Recommended policies for host commands

    The following table lists common high-risk host commands and the recommended policy for each. Some entries are written as patterns rather than literal commands.

    Command                       Description                                                     Recommended policy
    reboot                        Restarts the system.                                            Must be approved before it can be run.
    restart                       Restarts the system.                                            Must be approved before it can be run.
    shutdown                      Shuts down the system.                                          Must be approved before it can be run.
    halt                          Shuts down the system.                                          Must be approved before it can be run.
    poweroff                      Shuts down the system.                                          Must be approved before it can be run.
    init 0                        Stops the system.                                               Must be approved before it can be run.
    pkill                         Terminates multiple processes at a time.                        Must be approved before it can be run.
    kill                          Terminates a single process.                                    Must be approved before it can be run.
    rm -rf                        Recursively deletes directories without prompting.              Must be approved before it can be run.
    mount                         Mounts a file system; may introduce virus replication risks.    Must be approved before it can be run.
    umount                        Unmounts a file system.                                         Must be approved before it can be run.
    parted                        Partitions a disk.                                              Must be approved before it can be run.
    format                        Formats the disk.                                               Must be added to a blacklist.
    dd if=/dev/zero of=/dev/had   Overwrites (clears) the disk.                                   Must be added to a blacklist.
    :(){:|:&};:                   Creates a fork bomb.                                            Must be added to a blacklist.
    (mv)(|.*)(/dev/null)          Moves a file or directory to /dev/null (pattern).               Must be added to a blacklist.
    (wget)(|.*)(-O- \| sh)        Downloads a file and immediately executes it (pattern).         Must be added to a blacklist.
    mkfs.ext3 *                   Formats the disk.                                               Must be added to a blacklist.
    dd if=/dev/random of=/dev/*   Writes random data over a block device.                         Must be added to a blacklist.
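    The following example is added here to show how the command policy rules described above fit together; it is not Bastionhost code and only models the page's stated semantics (blacklist/whitelist, approval lists, the reject > allow > approve precedence, and the priority tie-break). The CommandPolicy class, its created_seq field, the helper names and the sample commands are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Verdict precedence stated on this page when one command appears in
# several lists: reject > allow > approve (lower rank wins).
RANK = {"reject": 0, "allow": 1, "approve": 2}


@dataclass
class CommandPolicy:
    name: str
    priority: int = 1        # valid values 1..100; 1 is the highest priority
    created_seq: int = 0     # constructed field: larger means created later
    mode: str = "blacklist"  # "blacklist" or "whitelist"
    controlled: List[str] = field(default_factory=list)  # regex patterns
    approval: List[str] = field(default_factory=list)    # regex patterns

    def verdict(self, command: str) -> str:
        """Return "reject", "approve" or "allow" for one command line."""
        controlled_hit = any(re.search(p, command) for p in self.controlled)
        approval_hit = any(re.search(p, command) for p in self.approval)
        candidates = []
        if self.mode == "blacklist":
            if controlled_hit:
                candidates.append("reject")  # listed commands are not allowed
        else:
            # whitelist: only listed commands are allowed, all others are rejected
            candidates.append("allow" if controlled_hit else "reject")
        if approval_hit:
            candidates.append("approve")
        if not candidates:
            return "allow"                   # listed nowhere: runs as usual
        return min(candidates, key=RANK.__getitem__)


def effective_policy(policies: List[CommandPolicy]) -> CommandPolicy:
    """Winning policy: lowest priority number first, latest created on ties
    (the tie-break this page describes). Assumption: one policy decides."""
    return sorted(policies, key=lambda p: (p.priority, -p.created_seq))[0]


def literal(cmd: str) -> str:
    """Exact-substring pattern for a plain command from the table above."""
    return re.escape(cmd)


# Constructed policy that encodes the recommendation table above.
RECOMMENDED = CommandPolicy(
    name="recommended-linux", mode="blacklist",
    controlled=[literal("format"), literal(":(){:|:&};:"), r"(mv)(|.*)(/dev/null)",
                r"(wget)(|.*)(-O- \| sh)", r"mkfs\.ext3 .*", r"dd if=/dev/(zero|random) of=/dev/.*"],
    approval=[literal(c) for c in ("reboot", "restart", "shutdown", "halt", "poweroff",
                                    "init 0", "pkill", "kill", "rm -rf", "mount", "umount", "parted")],
)
```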

    Protocol Control

    Configure the RDP Options, SSH Options, and SFTP Options fields.

    The users to which the policy applies can perform the operations that correspond to the selected options. For example, if you select File Upload, the users can upload files.

    Important

    • You must select at least one of the SSH Channel and SFTP Channel options. If you clear SSH Channel, SSH-based logon is disabled for accounts. Proceed with caution.

    • If you enable Enable Only SFTP Permission for a host account, do not disable SSH Channel and SFTP Channel for the host account in a control policy. Otherwise, the host account cannot be used to access the host by using the bastion host.

    Access Control

    Specify whether a source IP address can access the assets to which the policy applies.

    • (Whitelist) Only Listed IP Addresses Are Allowed: If you select this option, you must configure the IP Addresses field. Users can access the assets to which the policy applies only from the source IP addresses in the whitelist.

    • (Blacklist) Listed IP Addresses Are Not Allowed: If you select this option, you can leave the IP Addresses field empty. Users cannot access the assets to which the policy applies from the source IP addresses in the blacklist.

    Logon Control

    • O&M Approval: After you enable O&M approval, an O&M engineer can log on to the required assets and perform O&M operations only after the administrator approves the O&M application. For more information, see Review an O&M application.

    • Logon Remarks: After you enable logon remarks, O&M personnel must enter remarks when they perform web page-based or single sign-on (SSO)-based O&M operations and when they apply for O&M tokens. The following figure shows the logon remarks prompt when you perform O&M operations on assets in the O&M portal of a bastion host.

      [Figure: logon remarks prompt in the O&M portal]

Step 2: Associate the control policy with assets and users

On the Assets and Users to Which Policy Is Attached page, associate the control policy with assets and users; the policy takes effect only on the assets and users that you associate with it.

  1. Associate the control policy with assets. You can select Takes Effect on All Assets or Takes Effect on Selected All Assets.

    • If you select Takes Effect on All Assets, the control policy takes effect on all asset accounts.

    • If you select Takes Effect on Selected All Assets, select the assets that you want to associate with the control policy and then select Associate All Accounts or Associate Specific Accounts.

    Note

    To associate a control policy with multiple assets or asset accounts, add the assets to an asset group and then associate the control policy.

  2. Associate the control policy with users. You can select Apply to All Users or Apply to Selected Users.