How to configure Direct-SSH on Linux using a preferred shell

  • 7017938
  • 11-Aug-2016
  • 24-Feb-2020

Environment

Privileged Account Manager
Privileged User Manager

Situation

How to configure Direct-SSH on Linux to capture native ssh connections using the default shell
How to approach capturing direct ssh connections where users can use the default shell
How to capture and audit direct SSH sessions, similar to the Direct-RDP feature for Windows

Resolution

Direct-SSH connections can only be monitored through the provided shells (pcksh, cpcksh) and usrun (see Privileged Account Management for Unix and Linux). If the user prefers a shell other than pcksh, cpcksh, or usrun, the following approach enables complete session capture while still presenting the user with their preferred shell. The user's login shell is set to a shell that can be captured and is integrated with Command Control (cpcksh); a Command Control rule then rewrites that shell command to the user's preferred shell, so the preferred shell runs inside the captured session.
Note: This approach is only possible if there are Agents running on the target Linux servers.

  1. Change the login shell of the affected user(s) to /usr/bin/cpcksh. Refer to the documentation for your UNIX or Linux distribution for the proper way to change a user's login shell.

    See man usermod. Confirm first that /usr/bin/cpcksh exists and is executable on the target server (the Agent installs it), since a user whose login shell does not exist cannot log in. An example would be:
    sudo usermod -s /usr/bin/cpcksh user1

  2. If the user prefers an alternate shell, configure a cpcksh command that is rewritten to the preferred shell (e.g. /bin/bash, /usr/bin/pcksh). For more details about command rewriting, refer to Modifying a Command.
    • Create a new command, see Commands.
      Name: <command name>
      Rewrite: <path to preferred shell, e.g. /bin/bash>
      Commands: -cpcksh
      Note: the leading dash is deliberate. A login shell is started with "-" prepended to its name (argv[0] is "-cpcksh"), so the command pattern must include it or the rule in Step 3 will not match the login shell.


  3. Create the necessary cpcksh rule:

    Begin Rule :cpcksh
    IF ((command IN cpcksh))
    THEN
        Set Authorize : yes
        Set Session Capture : yes
        Stop if authorized
    END IF
    END RULE :cpcksh

    Note: The command created in Step 2 (named cpcksh here) is what the IF condition of this rule refers to; the rule name must match the command name you chose.
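The steps above only help for accounts whose login shell is actually one of the capturable shells; any interactive account left on /bin/bash or another shell can still log in directly with no session capture. The script below is an added example, not part of this article or of the product, that audits a passwd listing for such accounts and prints (without running) the usermod command from Step 1 for each one. The shell paths, the UID cut-off of 1000 for human accounts, and the passwd entries are all assumptions constructed for the demonstration; on a real host replace the sample data with the output of getent passwd.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): find interactive accounts whose
# login shell cannot be captured by Command Control, and print the usermod
# command that would move them to cpcksh. Nothing is changed by this script.

CAPTURED_SHELLS="/usr/bin/cpcksh /usr/bin/pcksh /usr/bin/usrun"   # assumed install paths
TARGET_SHELL="/usr/bin/cpcksh"
MIN_UID=1000          # assumption: UIDs at or above this are human/interactive accounts

# Constructed sample passwd content for the demo (NOT real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1001:1001::/home/user1:/usr/bin/cpcksh
user2:x:1002:1002::/home/user2:/bin/bash
svcacct:x:1003:1003::/var/svc:/bin/false
user3:x:1004:1004::/home/user3:/usr/bin/pcksh
user4:x:1005:1005::/home/user4:/bin/zsh'

# is_captured_shell SHELL -> returns 0 if SHELL is one of CAPTURED_SHELLS
is_captured_shell() {
  local s
  for s in $CAPTURED_SHELLS; do
    [ "$1" = "$s" ] && return 0
  done
  return 1
}

# is_interactive_shell SHELL -> returns 1 for empty or deliberate no-login shells
is_interactive_shell() {
  case "$1" in
    ""|*/nologin|*/false) return 1 ;;
    *) return 0 ;;
  esac
}

# uncaptured_users < passwd-content -> prints "name shell" for every account
# with uid >= MIN_UID whose shell is interactive but not capturable
uncaptured_users() {
  local name pw uid gid gecos home shell
  while IFS=: read -r name pw uid gid gecos home shell; do
    [ -z "$name" ] && continue
    [ "$uid" -ge "$MIN_UID" ] || continue
    is_interactive_shell "$shell" || continue
    is_captured_shell "$shell" && continue
    printf '%s %s\n' "$name" "$shell"
  done
}

# remediation_commands < passwd-content -> one usermod line per finding (dry run)
remediation_commands() {
  uncaptured_users | while read -r name shell; do
    printf 'usermod -s %s %s   # was %s\n' "$TARGET_SHELL" "$name" "$shell"
  done
}

# Preflight for Step 1: the target shell must exist and be executable, and
# some tools (chsh, certain login services) also require it in /etc/shells.
check_target_shell() {
  [ -x "$TARGET_SHELL" ] || { echo "missing or not executable: $TARGET_SHELL" >&2; return 1; }
  grep -qx "$TARGET_SHELL" /etc/shells 2>/dev/null \
    || echo "warning: $TARGET_SHELL is not listed in /etc/shells" >&2
  return 0
}

# Demo on the constructed data. On a live Agent host use:
#   getent passwd | remediation_commands
printf '%s\n' "$SAMPLE_PASSWD" | remediation_commands
```

Run the printed usermod lines only after check_target_shell passes on the server, and after the cpcksh command and rule from Steps 2 and 3 are in place; otherwise the users will land in cpcksh without a rewrite to their preferred shell.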

Additional Information

For other approaches and more details, please refer to Privileged Account Management for Unix and Linux.

To determine what shell a user is currently running:
ps -p $$

This shows the shell process that is actually running; once the rewrite from Step 2 is in effect it will show the preferred shell (for example bash), not cpcksh. To see the login shell configured in Step 1, check the account's passwd entry instead:
getent passwd user1