I have created the following Blacklist item as a Command Filter Policy (Policies > Manage Policy Filter). Notice that the "Regexp" option is not selected.
This will generate a violation when I run the following command
dd
or
useradd
How is PAM blacklist supposed to work? Is PAM not working as designed?
Release: 4.x
PAM is working as designed in this case. When we only specify 'dd' as the item in the Blacklist, PAM assumes that the user will run the 'dd' command with arguments/options. Normally users won't run exactly the 'dd' command without arguments. So PAM is designed to parse the command syntax and block any possible form in which a user runs the 'dd' command. However, because of this design, a command such as 'useradd' that contains 'dd' in its syntax will also be blocked.
If we do not want to block the 'useradd' command, we need to specify the Blacklist item for the 'dd' command with a more detailed specification using a regular expression (select the Regexp box). For example, we can specify:
^dd\s.*
This regexp specifies that the command starts with 'dd', followed by a space character and then any other characters. With this specification the 'useradd' command won't be blocked by PAM.
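As an added illustration (not code from the article or from PAM itself), the following Python script models the two matching modes described above: a plain Blacklist item is assumed to be matched as a substring of the command line, while a Regexp item is applied as a regular expression. The sample command lines are constructed, and the third pattern, `^dd(\s.*)?$`, goes beyond the article's example by also catching a bare `dd` with no arguments.

```python
import re

# Constructed sample command lines; not taken from the original article.
SAMPLE_COMMANDS = [
    "dd if=/dev/zero of=/tmp/test.img bs=1M count=1",
    "dd",
    "useradd alice",
    "ddrescue /dev/sda /tmp/image",
    "ls -l /home",
]


def blacklist_hits(blacklist_item, command, regexp=False):
    """Return True if the command line violates the blacklist item.

    This models the behaviour the article describes (an assumption, not
    PAM's own implementation): with 'Regexp' unselected the item is treated
    as a substring of the command line, so 'dd' also hits 'useradd'; with
    'Regexp' selected the item is a regular expression applied to the line.
    """
    if regexp:
        return re.search(blacklist_item, command) is not None
    return blacklist_item in command


def evaluate(blacklist_item, regexp=False, commands=SAMPLE_COMMANDS):
    """Map each sample command line to whether it would be blocked."""
    return {cmd: blacklist_hits(blacklist_item, cmd, regexp) for cmd in commands}


if __name__ == "__main__":
    patterns = (
        ("dd", False),            # plain item: substring match
        (r"^dd\s.*", True),       # the article's regexp: 'dd' plus a space
        (r"^dd(\s.*)?$", True),   # variant that also catches a bare 'dd'
    )
    for item, use_regexp in patterns:
        print(f"item={item!r} regexp={use_regexp}")
        for cmd, blocked in evaluate(item, use_regexp).items():
            print(f"  {'BLOCK' if blocked else 'allow'}  {cmd}")
```

Note that `^dd\s.*` does not match a bare `dd` with no arguments, which is why the variant pattern makes the argument part optional.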