8 Replies Latest reply on Jun 14, 2013 10:00 AM by Yanick Girouard

    How to prevent users from executing specific remote commands through NSH (using nexec)

    Yanick Girouard

      I recently attended the Best Practices Webinar about Server Automation's RBAC system and asked how I could restrict access to specific remote commands. The answer I was given was to check the following documentation:

       

      https://docs.bmc.com/docs/display/bsa83/Restricting+commands

      https://docs.bmc.com/docs/display/public/bsa83/Adding+or+modifying+an+nexec+command

       

      Reading this, I still can't see how I could prevent users from running specific remote commands while allowing them to use the nexec command for others.

       

      For example, one of the most feared commands that an NSH user could run on a Unix server is: nexec -i -e /bin/bash

       

      This basically grants a full-blown interactive root shell on the server, and it is not logged anywhere in the agent log (other than the nexec call itself). Other very dangerous commands, such as init, shutdown, reboot, etc., could also be denied, even for a sysadmin.

       

      If I wanted the sysadmin to be able to execute all available remote commands on a server EXCEPT specific ones, how can I do this? Could someone give me a clear example?

       

      ---

       

      Another approach would be the sudo approach: allow only very specific remote commands and deny all others (which could be hard to manage, but would definitely be the safest way). Is this also possible?

        • 1. Re: How to prevent users from executing specific remote commands through NSH (using nexec)
          Bill Robinson

          It's been a little while since I've done this, but I believe what you need to do is create new command authorizations; those will all be nexec commands, for whatever you want to allow. Then you need to add those commands to the role's authorization list or an authorization profile the role has assigned (and then, I think, on the target server too).

           

          The issue is how the command authorizations work, I think: right now there is no 'deny'; there is only an explicit allow, or if nothing is allowed you get everything. So if you are granted no command authorizations (nexec or otherwise) you can run anything via NSH. If I grant you 'agentinfo', that's all you can run.

           

          So long term this is probably going to be an RFE for a deny, so if something like !bash is in the users file you can't run bash but you could run other stuff.

           

          So you have to approach this from the perspective of "what do I want to allow my users to do", not "what don't I want them to do".

          • 2. Re: How to prevent users from executing specific remote commands through NSH (using nexec)
            Paul Seager-Smith

            I have tried to set up the NSH command authorisations a couple of times and it is tough, especially as you have to bear in mind that some other commands for compliance or something else might be using these commands too.

             

            As Bill said, you only have a whitelist currently, so you have to add all the commands that might be needed, and I would love to see a blacklist approach being made available too. I may have even raised an RFE on this several years ago ...

             

            Incidentally, you can also set up the RSCD agent to log all keystrokes if you do want to track what people are doing in nexec sessions, but that has other challenges.

            • 3. Re: How to prevent users from executing specific remote commands through NSH (using nexec)
              Yanick Girouard

              I see, this is what I feared. What threw me off in the doc is that, in the example to restrict specific remote commands, it shows this:

               

              ps:nexec:/bin/ps

               

              What I thought was that it was all a simple colon-separated list of allowed commands, and since nexec was explicitly allowed, that any remote command could be run with it. The doc says that if you put the path of a remote command in the list (i.e. /bin/ps) then only that specific command (by basename) can be run. In other words, if another version of ps existed in /usr/local/bin/ps, then that one wouldn't be allowed.

               

              So what you're saying is that if I add multiple remote commands (with absolute paths) to the list, only those will be allowed through nexec? If so, what if I want to list two possible locations for a command (which may be in different places on two different Unix OSes, for example)? And what about Windows servers that could also have a command with the same name?

              • 4. Re: How to prevent users from executing specific remote commands through NSH (using nexec)
                Yanick Girouard

                For NSH commands it's straightforward enough, even though what you said is true, and I did think about that as well when I was considering how we could ever implement this with the complexity of our compliance jobs, extended objects and such. My big floating question mark, however, is regarding remote commands called with nexec. If you allow nexec, everything is allowed to run remotely, so how can you only allow certain remote commands?

                • 5. Re: How to prevent users from executing specific remote commands through NSH (using nexec)
                  Bill Robinson

                  Anything that comes after the nexec: in the users file is considered a nexec command, IIRC. So that first 'ps' is the NSH ps, then the next one is the /bin/ps on the target.

                   

                  I'm not sure what happens if you create a nexec command of 'ps'; that might be a catch-all.

                  • 6. Re: How to prevent users from executing specific remote commands through NSH (using nexec)
                    Yanick Girouard

                    OK, I'm further confused... I'm trying to understand how I would create a new nexec command for a specific remote command, and I don't know what to put in the name field. For example, if I wanted to create a new nexec command for /bin/bash, what would I type? Just "bash"?

                     

                    [screenshot: 06-14-13 9-38-28 AM.jpg]

                     

                    I also found several duplicates in the list of NSH commands. I'm not sure if this is normal or what this means. We did upgrade our DB from the 7.6 schema to 8.0, then 8.1 during the last upgrade we did, so would this be a remnant of the old environment?

                     

                    [screenshot: 06-14-13 9-37-01 AM.jpg]

                    • 7. Re: How to prevent users from executing specific remote commands through NSH (using nexec)
                      Yanick Girouard

                      Just found my answer for the second part of my last comment... One is a Command, the other a Nexec command:

                       

                      [screenshot: 06-14-13 9-45-26 AM.jpg]

                      • 8. Re: Re: How to prevent users from executing specific remote commands through NSH (using nexec)
                        Yanick Girouard

                        Alright, once again I answered my own question through trial and error. This is what I did:

                         

                        1. Created a new nexec command called "/bin/ls"

                        2. Created a new role called nsh_command_test containing the following auths:

                         

                            BLAdmins (AuthProfile)

                            /bin/ls (Nexec command)

                            agentinfo (Command)

                            NSH_Proxy.Connect (Authorization)

                         

                        3. I added my user to it and added it to the ACL of a Linux server

                        4. I pushed the ACL on that server and this is the line it added in the users file:

                         

                        # nsh_command_test ACLs

                        nsh_command_test:yanick.girouard   rw,map=root,commands=CM:agentinfo:nexec:/bin/ls

                         

                        Notice how nexec automatically gets added after all NSH commands (only agentinfo here) and that all remote commands are appended after it. There's no need to add nexec explicitly to the ACL of the role; it's implied...

                         

                        5. Opened an NSH shell using the BLAdmins role and created a symbolic link to /bin/ls named /tmp/ls
                        6. Switched to the nsh_command_test role and did the following. As you can see, only the very explicit commands (including the remote command) that I added were allowed.

                         

                        GMA-371066# agentinfo whml16043.cgicti

                        whml16043.cgicti:

                          Agent Release   : 8.1.05.506

                          Hostname        : whml16043

                          Operating System: Linux 2.6.18-308.16.1.el5

                          User Permissions: 0/0 (root/root)

                          Security        : Protocol=5, Encryption=TLS1

                          Host ID         : FFFFFFFFFE0A7AC1

                          # of Processors : 1

                          License Status  : Licensed for NSH/CM

                        GMA-371066# ndf whml16043.cgicti

                        Error reaching whml16043.cgicti: No authorization to access host

                        GMA-371066# nps whml16043.cgicti

                        Error reaching whml16043.cgicti: No authorization to access host

                        GMA-371066# nexec -i whml16043.cgicti /bin/bash

                        Not authorized to run this command

                        GMA-371066# nexec whml16043.cgicti /bin/ls

                        bin              boot  etc   lib    lost+found  misc  net  proc  sbin     srv  tmp  var

                        bl_installables  dev   home  lib64  media       mnt   opt  root  selinux  sys  usr

                        GMA-371066# nexec whml16043.cgicti ls

                        bin              boot  etc   lib    lost+found  misc  net  proc  sbin     srv  tmp  var

                        bl_installables  dev   home  lib64  media       mnt   opt  root  selinux  sys  usr

                        GMA-371066# nexec whml16043.cgicti touch /tmp/test

                        Not authorized to run this command

                        GMA-371066# nexec whml16043.cgicti /tmp/ls

                        Not authorized to run this command
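The allow-list behaviour that Bill describes in reply 1 (no commands= clause means everything is permitted; any commands= clause permits only what is listed) and the users-file line plus test session in reply 8 can be captured in a small model. The following is an added example, not BMC's code and not the RSCD agent's actual parser: it only handles the users-file pieces this thread exercises. The TARGET_PATH table, the SESSION list, the treatment of leading nexec flags such as -i, and the path normalisation are assumptions made for the illustration; the leading CM token from the thread's line is carried along untouched because the thread does not explain it.

```python
"""Model of how an RSCD 'users' file ACL line restricts NSH and nexec commands.

Added illustration only (not BMC's code).  Assumptions not confirmed by the
thread: leading '-x' flags before the host in a nexec argv are skipped; a bare
remote command name is resolved through a PATH lookup, stubbed here by a
constructed table; a commands= clause without a 'nexec' token allows no remote
commands at all; paths are normalised but symlinks are not dereferenced.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class AclEntry:
    role: str
    user: str
    perms: str
    options: Dict[str, str]
    nsh_commands: Optional[Set[str]]    # None: no commands= clause, every NSH command allowed
    nexec_commands: Optional[Set[str]]  # None: nexec may run anything on the target


def parse_users_line(line: str) -> AclEntry:
    """Parse one 'role:user  perms,opt=value,...' line from the users file."""
    principal, opts = line.split(None, 1)
    role, user = principal.split(":", 1)
    fields = opts.strip().split(",")
    perms, options = fields[0], {}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        options[key] = value
    nsh_cmds = nexec_cmds = None
    if "commands" in options:
        tokens = options["commands"].split(":")
        if "nexec" in tokens:
            # Tokens before 'nexec' are NSH commands (the thread's line starts
            # with an opaque 'CM' token; it is kept as-is and never matches a
            # real NSH command).  Tokens after 'nexec' are remote programs.
            i = tokens.index("nexec")
            nsh_cmds, nexec_cmds = set(tokens[:i]), set(tokens[i + 1:])
        else:
            nsh_cmds, nexec_cmds = set(tokens), set()  # assumption: no nexec at all
    return AclEntry(role, user, perms, options, nsh_cmds, nexec_cmds)


def nsh_allowed(entry: AclEntry, command: str) -> bool:
    return entry.nsh_commands is None or command in entry.nsh_commands


def nexec_allowed(entry: AclEntry, remote_command: str, path_lookup: Dict[str, str]) -> bool:
    """Match the remote program by the absolute path listed in the ACL.

    A bare name is resolved through path_lookup (stand-in for the target's
    PATH).  A path is normalised but NOT resolved through symlinks, which
    reproduces the thread's result: /tmp/ls -> /bin/ls is still refused.
    """
    if entry.nexec_commands is None:
        return True
    if "/" in remote_command:
        resolved = posixpath.normpath(remote_command)
    else:
        resolved = path_lookup.get(remote_command)
    return resolved is not None and resolved in entry.nexec_commands


def check_argv(entry: AclEntry, argv: List[str], path_lookup: Dict[str, str]) -> bool:
    """Authorize an NSH command line such as ['nexec', '-i', host, '/bin/bash']."""
    if not argv:
        return False
    if argv[0] != "nexec":
        return nsh_allowed(entry, argv[0])
    rest = [a for a in argv[1:] if not a.startswith("-")]  # assumption: drop flags
    if len(rest) < 2:
        return False                      # no host or no remote program given
    return nexec_allowed(entry, rest[1], path_lookup)   # rest[0] is the host


# Constructed inputs: the ACL line quoted in the thread, an unrestricted line
# for comparison, and a stand-in for what PATH lookup on the target returns.
THREAD_ACL_LINE = "nsh_command_test:yanick.girouard   rw,map=root,commands=CM:agentinfo:nexec:/bin/ls"
UNRESTRICTED_LINE = "BLAdmins:yanick.girouard   rw,map=root"
TARGET_PATH = {"ls": "/bin/ls", "touch": "/bin/touch", "bash": "/bin/bash", "ps": "/bin/ps"}

# The command lines typed in reply 8, in order.
SESSION = [
    ["agentinfo", "whml16043.cgicti"],
    ["ndf", "whml16043.cgicti"],
    ["nps", "whml16043.cgicti"],
    ["nexec", "-i", "whml16043.cgicti", "/bin/bash"],
    ["nexec", "whml16043.cgicti", "/bin/ls"],
    ["nexec", "whml16043.cgicti", "ls"],
    ["nexec", "whml16043.cgicti", "touch", "/tmp/test"],
    ["nexec", "whml16043.cgicti", "/tmp/ls"],
]


def replay(line: str = THREAD_ACL_LINE) -> List[bool]:
    """Return the allow/deny decision for each SESSION command under the given ACL line."""
    entry = parse_users_line(line)
    return [check_argv(entry, argv, TARGET_PATH) for argv in SESSION]


if __name__ == "__main__":
    for argv, ok in zip(SESSION, replay()):
        print(f"{' '.join(argv):45s} {'allowed' if ok else 'Not authorized to run this command'}")
```

Run against the thread's line the model reproduces the session exactly (agentinfo, /bin/ls and its bare name allowed; ndf, nps, bash, touch and the /tmp/ls symlink refused), while the unrestricted BLAdmins line lets every command through, which is the point Bill makes: a role with no command authorizations at all is the most permissive one.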