Advanced Keystroke Action

Advanced Keystroke Action was introduced to allow control and audit of command line based network appliances, and was implemented as an enhancement to the pbssh feature. Full session logging provides a complete command audit trail through the existing session logging technology.

Advanced Keystroke Action differs from previous features in that instead of trying to apply command control as the user types, it emulates an interactive command line, and only then authorizes the command once the user has pressed Enter to execute the command. This means the policy can try to match the command it has received in context to the task the user is performing, and it can choose to rewrite the command, accept it, or reject it. It also allows the policy to change the user environment as they carry out their tasks, for example, changing prompts or tab completion.

A diagram of the Advanced Keystroke Action architecture in Privilege Management for Unix and Linux.

Get Started with Advanced Keystroke Action

Configure Privilege Management for Unix and Linux Policy

Advanced Keystroke Action is implemented on top of existing pbssh technology and appropriate configuration is required in the policy script file. For example:

# Only apply this block to pbssh sessions
if(pbclientname=="pbssh") {
    myadmins={"admin1"};       # users allowed to manage the appliances
    myswitches={"cisco1"};     # appliance hosts they may connect to
    if(pbclientmode=="pbssh") {
        # Connection phase: allow only listed admins to listed switches
        if(search(myadmins,user) >= 0 && search(myswitches,host) >= 0) {
            accept;
        } else {
            reject;
        }
    } else if(pbclientmode=="run") {
        # Run phase: the last argument names the target; select the AKA profile for it
        args=split(argv[argc-1]," ");
        argslen = length(args);
        if(argslen > 0 && search(myswitches,args[argslen-1]) >= 0) {
            keystrokeactionprofile="cisco profile1";
            accept;
        } else {
            reject;
        }
    }
}
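To make the two-stage flow concrete, the following Python model is an added illustration (not code from the product or from this page): it mirrors the decisions of the policy script above, then emulates the interactive command line that buffers keystrokes and only authorizes a command once Enter is pressed, applying accept, reject or rewrite against the selected profile and recording an audit trail. The profile contents, rule format, contexts and prompts are constructed assumptions for the example; the product's real profile format is not shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Mirrors the lists in the page's policy script.
MYADMINS = {"admin1"}
MYSWITCHES = {"cisco1"}


def pbssh_policy(client_mode: str, user: str, host: str, argv: List[str]):
    """Model of the page's policy script: returns (decision, keystrokeactionprofile)."""
    if client_mode == "pbssh":
        ok = user in MYADMINS and host in MYSWITCHES
        return ("accept" if ok else "reject", None)
    if client_mode == "run":
        args = argv[-1].split(" ") if argv else []
        if args and args[-1] in MYSWITCHES:
            return ("accept", "cisco profile1")
        return ("reject", None)
    return ("reject", None)


# Constructed AKA profile (an assumption about what "cisco profile1" might express;
# not the product's profile format). Each rule: (context, regex, action, rewrite).
PROFILES = {
    "cisco profile1": {
        "prompts": {"user": "cisco1> ", "enable": "cisco1# "},
        "rules": [
            ("user", r"show (version|interfaces|running-config)", "accept", None),
            ("user", r"enable", "accept", None),
            ("enable", r"show .*", "accept", None),
            ("enable", r"write", "rewrite", "write memory"),
            ("enable", r"reload", "reject", None),
        ],
    }
}


@dataclass
class AkaSession:
    """Emulated command line: keystrokes are buffered, authorization happens on Enter."""
    profile: dict
    context: str = "user"
    buffer: str = ""
    audit: list = field(default_factory=list)

    def prompt(self) -> str:
        """The policy controls the prompt shown to the user per context."""
        return self.profile["prompts"][self.context]

    def keystroke(self, ch: str) -> Optional[str]:
        """Feed one character. Returns the command forwarded to the device on Enter
        (possibly rewritten), or None (nothing forwarded yet, or rejected)."""
        if ch == "\n":
            line, self.buffer = self.buffer.strip(), ""
            return self._authorize(line) if line else None
        if ch == "\x7f":          # backspace: the user may edit freely before Enter
            self.buffer = self.buffer[:-1]
        else:
            self.buffer += ch
        return None

    def _authorize(self, line: str) -> Optional[str]:
        for ctx, pattern, action, rewrite in self.profile["rules"]:
            if ctx != self.context or not re.fullmatch(pattern, line):
                continue
            forwarded = {"accept": line, "rewrite": rewrite, "reject": None}[action]
            self.audit.append((self.context, line, action, forwarded))
            if forwarded == "enable":      # policy tracks the device's privilege context
                self.context = "enable"
            return forwarded
        # Default deny: no rule for this command in this context.
        self.audit.append((self.context, line, "reject", None))
        return None


def type_line(session: AkaSession, text: str) -> Optional[str]:
    """Type a full line followed by Enter; returns what reached the device."""
    result = None
    for ch in text + "\n":
        result = session.keystroke(ch)
    return result


def demo() -> list:
    """Walk through a session; returns the audit trail."""
    s = AkaSession(PROFILES["cisco profile1"])
    type_line(s, "show version")      # accepted
    type_line(s, "reload")            # no rule in user context -> rejected
    type_line(s, "enable")            # accepted, context becomes enable
    type_line(s, "write")             # rewritten to "write memory"
    # Typed "relo", erased it, then typed a permitted command: only the final line is judged.
    type_line(s, "relo" + "\x7f" * 4 + "show ip route")
    return s.audit
```

The default-deny branch at the end of `_authorize` is the important design choice: a command with no matching rule in the current context is rejected and still audited, so the trail records attempts as well as forwarded commands.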

Configure Password Safe

Configure Password Safe on the Advanced Keystroke Action primary server or Policy Servers.

To provide automatic authentication, Password Safe can be configured to retrieve logon credentials. For information on this configuration, including the specification of pkrunfile, pk_cert, and pk_servers in the pb.settings configuration file, please see pbssh.

Configure the Advanced Keystroke Action Primary Server or Policy Servers

If the Advanced Keystroke Action is being configured for the first time, the policy database will need to be created on the primary AKA server or primary Policy Server.

  1. Specify the Advanced Keystroke Action Policy Database by adding the keyword advkeystrokeactionpolicydb to the pb.settings on all server hosts.
  2. If you are using Registry Name Service, define your Primary Server in the RNS using:

     pbadmin --svc -u '{"svcgname":"dflt_akapolicy_service",
         "svc":"advkeystrokeactionpolicy",
         "cn": "<policy server fqdn>",
         "role":"primary"}'

  3. Create the policy database (which includes a demo policy that can be used as a basis for further configuration and learning):

     pbadmin --aka -n

The pbadmin command can then be used to export and re-import Advanced Keystroke Action policies. The Privilege Management for Unix and Linux script policy keyword must match a valid Advanced Keystroke Action policy name for the session to run.

Maintenance and Configuration of Advanced Keystroke Action Policy

pbadmin has been enhanced to provide methods to maintain the Advanced Keystroke Action Policy on the Primary Policy server. This includes a new section (--aka) with new options.

pbdbutil --aka [<options>] [ <file> <file> ...]

Options for AKA client:

-R Force refresh of the client aka profile cache file(s)

Options for Advanced Keystroke Action profile server database management:

-n Create new AKA database
-l List all AKA configurations in database
-s <[-|+]attribute> Sort the list of records by attribute name (asc/desc)
-i <file> Import AKA configuration file
-e <name> <file> Export specified AKA configuration
-g <name> Get AKA configuration by name
-d <name> Delete AKA configuration
-u { "name" : "<name>", "cfg": { json param... }} Update AKA configuration