
How does PAM blacklist when specifying blacklist item without regexp option selected?


Article ID: 255198


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

I have created the following Blacklist item as a Command Filter Policy (Policies > Manage Policy Filter). Notice that the "Regexp" option is not selected.

This generates a violation when I run the following command:
     dd
or
     useradd

How is PAM blacklist supposed to work? Is PAM not working as designed?


Environment

Release : 4.x

Resolution

PAM is working as designed in this case. When a Blacklist item is entered as plain text such as 'dd', PAM does not require the whole command line to equal 'dd' exactly. The assumption behind this is that users normally run 'dd' with options and arguments rather than the bare word, so PAM treats the item as a pattern that matches anywhere in the command line, which blocks every form in which 'dd' could be invoked. The cost of this design is that any command whose text contains 'dd', such as 'useradd', is blocked as well.

If 'useradd' should not be blocked, define the 'dd' Blacklist item more precisely as a regular expression (select the Regexp box), for example:
    ^dd\s.*

This pattern matches a command line that starts with 'dd', followed by a whitespace character and then any other characters, so 'useradd' no longer matches and is not blocked. Two consequences of the tighter pattern are worth checking against the intent of the policy: it does not match a bare 'dd' typed with no arguments (a pattern such as ^dd(\s.*)?$ covers that case too), and because it is anchored at the start of the line it matches only commands that begin with 'dd'. The plain-text item was also catching forms such as 'sudo dd ...', which this regexp does not; if every invocation of dd must be stopped, those forms need patterns of their own.
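The difference between the two matching modes is easy to see by modelling them against a handful of command lines. The script below is an added illustration, not PAM code and not from the article: it models a plain-text item as a substring check and a Regexp item as a search with the given pattern (both of which are the behaviours the article describes), runs each filter over constructed sample commands, and reports what gets blocked. The third pattern in the usage block is an assumption of this example, a tighter expression that also catches a bare 'dd', a path-prefixed 'dd' and 'sudo dd'; whether PAM's regexp engine accepts it exactly as written should be verified in a test policy.

```python
import re

# Constructed sample command lines for the demonstration (not from the article).
SAMPLE_COMMANDS = [
    "dd if=/dev/zero of=/dev/sda bs=1M",       # dd with arguments
    "dd",                                      # bare dd, no arguments
    "useradd -m alice",                        # contains 'dd' but is not dd
    "sudo dd if=/dev/sda of=/tmp/disk.img",    # dd invoked through sudo
    "ls -l /home",                             # unrelated command
]


def substring_filter(item):
    """Model of a Blacklist item with the Regexp box NOT selected.

    The article describes PAM as blocking any form in which the item is
    run, which in practice means the item matches anywhere in the command
    line, so 'dd' also hits 'useradd'.
    """
    def blocked(command):
        return item in command
    return blocked


def regexp_filter(pattern):
    """Model of a Blacklist item with the Regexp box selected.

    The pattern is searched against the command line; re.search keeps the
    article's semantics where ^ anchors at the start of the command.
    """
    compiled = re.compile(pattern)

    def blocked(command):
        return compiled.search(command) is not None
    return blocked


def evaluate(filter_fn, commands=SAMPLE_COMMANDS):
    """Return the subset of commands the given filter would block."""
    return [c for c in commands if filter_fn(c)]


if __name__ == "__main__":
    # Plain-text item from the article: blocks useradd as a side effect.
    print("plain 'dd' blocks:", evaluate(substring_filter("dd")))
    # Regexp from the article: frees useradd, but misses bare dd and sudo dd.
    print("regexp ^dd\\s.* blocks:", evaluate(regexp_filter(r"^dd\s.*")))
    # Assumed tighter pattern (this example's own, not the article's):
    # optional sudo, optional path prefix, then dd with or without arguments.
    tight = r"^(sudo\s+)?(\S*/)?dd(\s.*)?$"
    print("assumed tighter regexp blocks:", evaluate(regexp_filter(tight)))
```

Running it shows the plain item blocking four of the five commands (everything except ls), the article's ^dd\s.* blocking only the first, and the assumed tighter pattern blocking the three genuine dd invocations while leaving useradd alone.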
