Symantec Privileged Access Management


RegEx in CA PAM

  • 1.  RegEx in CA PAM

    Posted May 09, 2018 10:29 AM

    How do I use a command filter regular expression in CA PAM to block certain commands with a wildcard entry?

    For example - I would like to block following command.

    ls -la /etc/bin


    Please let me know.



  • 2.  Re: RegEx in CA PAM

    Broadcom Employee
    Posted May 09, 2018 10:43 AM

    Hi Bipin, You give an example, but you don't state which part of it you expect to match a wildcard. Can you clarify?




  • 3.  Re: RegEx in CA PAM

    Posted May 09, 2018 10:51 AM

    The folder structure should be a wildcard.



  • 4.  Re: RegEx in CA PAM
    Best Answer

    Broadcom Employee
    Posted May 09, 2018 04:37 PM

    Hi Bipin,

    Here is a sample regex using wildcards in a blacklist command filter:

    ^ls +-[a-zA-Z0-9]+ +.*/etc/[km].*

    This will allow a simple "ls /etc/<anything>", but not a "ls -<any option> */etc/m*" or "ls -<any option> */etc/k*".

    Note that this in itself is not very enforcing. Without any other restrictions, I could just do a "cd /etc" and then list anything I want.

    Anyway with the above regex I get these sample responses:

    [fe785u1@prira01-U163106 ~] $ ls -l /etc/ipsec.conf

    -rw-------. 1 root root 710 Oct 18  2013 /etc/ipsec.conf

    [fe785u1@prira01-U163106 ~] $ ls /etc/man.config

    /etc/man.config

    [fe785u1@prira01-U163106 ~] $ ls -l /etc/man.config

    Warning: ls -l /etc/man.config is an unauthorized command.

    You have 1 violations. Your session will be terminated or account deactivated should violations continue.

    Please contact the administrator if you have any questions

    [fe785u1@prira01-U163106 ~] $ ls -l ../../etc/man.config

    Warning: ls -l ../../etc/man.config is an unauthorized command.

    You have 2 violations. Your session will be terminated or account deactivated should violations continue.

    Please contact the administrator if you have any questions

    [fe785u1@prira01-U163106 ~] $ ls -l /etc/hosts

    -rw-r--r-- 1 root root 343 Apr 23 14:29 /etc/hosts



  • 5.  Re: RegEx in CA PAM

    Posted May 10, 2018 08:58 AM

    Thank you so much for the detailed answer. This is perfect. Just one more case of regex, if you can help me with the below:

    ln -s */* /etc/shadow (this command needs to be blacklisted with */* as a wildcard)

    Appreciate your help.



  • 6.  Re: RegEx in CA PAM

    Broadcom Employee
    Posted May 11, 2018 10:58 AM

    Hi Bipin, This is just normal regex syntax. A dot represents any character. ".*" represents a string containing any number (including 0) of characters. ".+" would match a string of at least length 1, as would "..*".

    ".*/.*" would match */* if you want to include the case where "*" represents an empty string.



  • 7.  Re: RegEx in CA PAM

    Posted Oct 01, 2018 04:29 PM

    Hi @Ralf


    What would the regular expression look like to block the "useradd" command?

    For the following examples:


    • useradd juan
    • cd / && useradd juan
    • cd .. | useradd juan
    • cd  / && useradd juan && cd /home/


  • 8.  Re: RegEx in CA PAM

    Broadcom Employee
    Posted Oct 16, 2018 11:24 AM

    Hi Juan, Sorry for the late response, I was out a couple of weeks. I would try ".*useradd.*", blocking anything that contains the word "useradd", since this is not a word that you would expect to be used in any context other than running the command.



  • 9.  Re: RegEx in CA PAM

    Posted Oct 16, 2018 12:22 PM

    Good day:

    Thank you very much for your support. I already tried it and it works.

    I show you the screenshot in case someone is interested.

    Note: The CA PAM version that I use is 3.2.2

    Greetings.



  • 10.  RE: Re: RegEx in CA PAM

    Posted Jan 02, 2020 02:51 AM
    Hi Ralf,

    Can you provide the RegEx for blocking commands like rm -r, rm -d and the like? If we enter rm or rm -d, it also needs to block. Can you help on this?

    Thanks
    Bhumesh


  • 11.  RE: Re: RegEx in CA PAM

    Broadcom Employee
    Posted Jan 03, 2020 01:42 AM

    Hello Bhumesh,

    You can try this: ^rm+-[md]+/*

    Thanks,

    Reatesh.



    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 12.  RE: Re: RegEx in CA PAM

    Posted Jan 06, 2020 01:16 AM
    Hi Reatesh,

    Thanks for the update.

    I have checked the same but it is not working. It is not blocking rm or rm -d. It is accepting all the commands. Please find the attached screenshot for the command which I mentioned in command filtering.

    Thanks
    Bhumesh
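    Added here as an illustration, not CA PAM's own matching code: it runs the blacklist expressions posted in this thread (posts 4, 8 and 11) against the command lines posted in this thread, so you can see which ones each expression actually matches. It assumes the filter applies the expression as an unanchored regex search over the submitted command line, which is consistent with the session output shown in post 4; the "rm-d" entry is a constructed command, not one from the thread.

```python
import re

# Blacklist expressions quoted in this thread (posts 4, 8 and 11).
FILTERS = {
    "ls_etc_km": r"^ls +-[a-zA-Z0-9]+ +.*/etc/[km].*",
    "useradd": r".*useradd.*",
    "rm_md": r"^rm+-[md]+/*",
}

# Command lines quoted in the thread, grouped by the post that asked about them.
LS_COMMANDS = [
    "ls -l /etc/ipsec.conf",
    "ls /etc/man.config",
    "ls -l /etc/man.config",
    "ls -l ../../etc/man.config",
    "ls -l /etc/hosts",
]
USERADD_COMMANDS = [
    "useradd juan",
    "cd / && useradd juan",
    "cd .. | useradd juan",
    "cd  / && useradd juan && cd /home/",
]
# "rm-d" (no space) is constructed to show what ^rm+-[md]+/* does match.
RM_COMMANDS = ["rm", "rm -d", "rm -r", "rm-d"]


def blocked_by(command: str, pattern: str) -> bool:
    """True if the blacklist expression matches the command line.

    Assumption: the filter performs an unanchored search, so only an explicit
    ^ in the expression pins it to the start of the command line.
    """
    return re.search(pattern, command) is not None


def evaluate(commands, pattern):
    """Map each command line to whether the expression would block it."""
    return {cmd: blocked_by(cmd, pattern) for cmd in commands}


if __name__ == "__main__":
    groups = {"ls_etc_km": LS_COMMANDS, "useradd": USERADD_COMMANDS, "rm_md": RM_COMMANDS}
    for name, pattern in FILTERS.items():
        print(f"--- {name}: {pattern}")
        for cmd, hit in evaluate(groups[name], pattern).items():
            print(f"{'BLOCKED' if hit else 'allowed':8} {cmd}")
```

    Running it reproduces the allowed/blocked split from the post 4 session and shows that `^rm+-[md]+/*` needs the dash to follow `rm` with no space in between, so a command typed as `rm -d` is not matched.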