Advanced Commandline Filter
This filter performs a Glob or RegEx match on the commandline submitted by the Unix\Linux agent via sudo or pmsh. A matching command can then be executed exactly as it was submitted, or the filter can rewrite the executed command through the Replacement field of the Command.
When adding commands, choose how the Glob or RegEx is matched:
- Glob for simple filename matches, such as *
- RegEx for advanced searches and matches of patterns in files, such as ${pwd}
The command match is based on the command source, such as from the agent:
- The submitting user would only type a command such as sudo id, although the agent will submit the full path of the command, such as /usr/bin/id.
- For security, the command should be defined with the full executable path, such as /usr/bin/id or /bin/id.
Arguments
Allows more specific command submission matching from the agent, such as ls -l /root/*.
Replacement
Rewrites the submitted command being executed on the Unix\Linux Agent.
Creating a new Advanced Commandline Type Filter
- Navigate to Admin | Filters.
- Click Create Filter.
- On the New Filter page, select the platform. For this example, select Unix/Linux.
- From the Filter Type drop-down, select Advanced Commandline Filter.
- Enter a name and description and click Create.
- To customize the newly created filter, click Add Command.
- Select the matching type, Glob or RegEx. Use Glob for filename matches and RegEx for searches and matches of patterns in files.
- Enter a Command.
- Enter Arguments.
- Enter a Replacement.
- Click Save Changes.
Examples
A commandline filter examines the commandline (excluding the primary executable) and uses either Glob or RegEx for the pattern match. Here are examples for both options:
Example of Commandline Replacements
Command: restart
Arguments: pmagent
Replacement: /usr/bin/systemctl restart pmagent
User submits: sudo restart pmagent
Command executed: /usr/bin/systemctl restart pmagent
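A worked model of the match-and-replace behaviour described above, added here as an illustration; it is not the product's own filter code. The rule set, the first-match ordering, and the split of the submitted commandline into executable and arguments are assumptions, and the commandlines are constructed samples as the agent would submit them (without the leading sudo).

```python
import fnmatch
import re
import shlex
from dataclasses import dataclass


@dataclass
class CommandRule:
    match_type: str   # "glob" or "regex"
    command: str      # executable as submitted by the agent; a full path is safest
    arguments: str    # pattern for everything after the executable
    replacement: str  # commandline to execute instead, or "" to run as submitted


def _matches(match_type: str, pattern: str, text: str) -> bool:
    """Glob uses shell-style wildcards; RegEx must match the whole field."""
    if match_type == "glob":
        return fnmatch.fnmatchcase(text, pattern)
    if match_type == "regex":
        return re.fullmatch(pattern, text) is not None
    raise ValueError(f"unknown match type: {match_type}")


def apply_filter(rules, submitted: str):
    """Return the commandline the agent would execute, or None when no rule matches.

    Assumption: rules are checked in order and the first match wins.
    """
    parts = shlex.split(submitted)
    if not parts:
        return None
    executable, args = parts[0], " ".join(parts[1:])
    for rule in rules:
        if _matches(rule.match_type, rule.command, executable) and _matches(
            rule.match_type, rule.arguments, args
        ):
            return rule.replacement or submitted
    return None


# Constructed rule set: the page's restart example, two glob rules pinned to full
# paths (so /tmp/id does not match), and one RegEx rule allowing two verbs only.
RULES = [
    CommandRule("glob", "restart", "pmagent", "/usr/bin/systemctl restart pmagent"),
    CommandRule("glob", "/usr/bin/ls", "-l /root/*", ""),
    CommandRule("glob", "/usr/bin/id", "", ""),
    CommandRule("regex", r"/usr/bin/systemctl", r"(restart|status) pmagent", ""),
]

if __name__ == "__main__":
    for cmd in ["restart pmagent", "/usr/bin/id", "/tmp/id", "/usr/bin/systemctl stop pmagent"]:
        print(f"{cmd!r} -> {apply_filter(RULES, cmd)!r}")
```

A rule whose Command is a bare name would also match a copy of that binary placed elsewhere, which is why the page recommends the full executable path.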
Limitations of the Advanced Commandline Filter
The command rewrite is done BEFORE any action defined in the Policy. Therefore, commands that would also display actions assigned to the policy, such as a run-as user or an environment variable, will not be displayed as expected, because the commandline filter is processed before the action.