Skip to main content

Commands Control

Commands control allows users to add a list of allowed or denied commands.

note

Please note that Commands Control feature currently only support on linux amd architecture and not yet implemented in arm architecture.

  1. To create a new policy with allowed rules and denied commands, go to the Policies > Commands Control page of the Safous admin portal.
  2. Create a Name and Description for the policy.
  3. Choose from the list of available allowed and denied commands at the bottom of the screen. Note that by default, commands not listed will be treated as the opposite.
  4. Once the policy is set, go to the Policies > Actions page, and select the relevant policy there.
  5. See the SSH section of the Actions page for additional information.
  6. (Optional) Configure systemd on destination server with this code
sudo sed -i '/^\[Service\]/a RuntimeDirectory=cycommandcontrol' /etc/systemd/system/cycommandcontrol.service
note

This systemd configuration ensures the socket is recreated under /var/run after a server reboot.

Example Deny Command use for SSH application

  1. Go to the Policies > Commands Control page and create new policy, then enter a Name and Description for the policy.
  2. In the Command section, click Deny and enter the full path of the command to block. For example, to deny rm, enter /usr/bin/rm (not just rm). Then save the policy.
  3. Go to the Policies > Actions page then create new or edit existing action policy, then enter a Name and Description for the policy.
  4. Next on Protocol section. Ensure that it have Protocol > Server and Type > SSH.
  5. Next on Action section. Toggle on SSH command control then select Commands control have been created in step 1-2.
  6. You can also add other option in this Action profile. See the SSH section of the Actions page for additional information. Then save the policy.
  7. Go to the Applications > Applications page then create new or edit existing ssh applications. see Create SSH Application for more detail about ssh application.
  8. Before saving the application, on Application Parameter section ensure that Allow SSH command control is checked then input root credential. Root credentials must be provided to perform an apt install.
  9. Next on Rules section. ensure that you select action profile that you created in step 3-6 then save the application.
  10. You can test command control is working by using the ssh application on Application Portal then try running the blocked command then it will result like this :
Last updated on