Hi Bipin,
Here is a sample regex using wildcards in a blacklist command filter:
^ls +-[a-zA-Z0-9]+ +.*/etc/[km].*
This will allow a simple "ls /etc/<anything>”, but not a "ls -<any option> */etc/m*” or "ls -<any option> */etc/k*”.
Note that this in itself is not very enforcing. Without any other restrictions, I could just do a "cd /etc” and then list anything I want.
Anyway with the above regex I get these sample responses:
[fe785u1@prira01-U163106 ~] $ ls -l /etc/ipsec.conf
-rw-------. 1 root root 710 Oct 18 2013 /etc/ipsec.conf
[fe785u1@prira01-U163106 ~] $ ls /etc/man.config
/etc/man.config
[fe785u1@prira01-U163106 ~] $ ls -l /etc/man.config
Warning: ls -l /etc/man.config is an unauthorized command.
You have 1 violations. Your session will be terminated or account deactivated should violations continue.
Please contact the administrator if you have any questions
[fe785u1@prira01-U163106 ~] $ ls -l ../../etc/man.config
Warning: ls -l ../../etc/man.config is an unauthorized command.
You have 2 violations. Your session will be terminated or account deactivated should violations continue.
Please contact the administrator if you have any questions
[fe785u1@prira01-U163106 ~] $ ls -l /etc/hosts
-rw-r--r-- 1 root root 343 Apr 23 14:29 /etc/hosts