In Mavis, you can restrict what users are allowed to do by defining policies. In this article we use two demo cases to show how to set up a policy and block a specific command.
To start, Mavis provides two types of policy, distinguished by scope:
System policy: set by the admin; applies system-wide.
Project policy: set by the PM (role); applies to the project's members, and can be further narrowed to specific roles or devices.
A policy consists of three or four components:
1. Policy checkpoint: the target or scope of the action you want to restrict with the policy.
2. Action: the action taken when the policy is violated.
3. Policy content: the detailed rule for the chosen policy checkpoint.
4. Role & resource scope (project policy only): the specific roles or resources within the project that the policy applies to.
Demo case 1 - Block SSH Command via System Policy
In demo case 1, we want to prevent every user in the system from entering "sudo" during an SSH session.
Create system policy
The admin goes to the system policy page and clicks Create new policy.
Enter the policy name, select SSH-command as the policy checkpoint, and set the action to Blocked.
Alert is optional; once enabled, the admin is notified in real time of any violation of the policy.
Next, set the policy content. Because the checkpoint is SSH-command, the policy content must name the commands that will be blocked.
If you have multiple commands, you can also upload them as a text file.
Block SSH commands
After the policy is saved, whenever any system user enters "sudo" during an SSH remote session, the terminal shows the following message, and the event is recorded in the system log as well.
Demo case 2 - Alert on a certain command via Policy Alert
In demo case 2, we want the PM (role) to be notified when a user enters the command "5t".
Set up project policy
The PM goes to the project and clicks Create new policy.
Enter the policy name, select SSH-command as the policy checkpoint, and set the action to None.
Enable the alert. This way, when a user enters the specified command, the PM is notified in real time; because the action is None, the command itself is not blocked.
Enter the command you want to alert on.
Compared with system policies, project policies offer additional role and resource scopes, so the policy's scope of application can be tailored to the project's needs.
To choose which users the policy affects, select any role or a specific role.
For resources, select all resources or target specific resource tags. If you select all resources, every device in the project is affected by the policy.
If you select a specific tag, you can either 1. select an existing tag, or 2. create a new tag.
Later, if you want to apply this policy to other devices, just add the policy's tag to those devices.
Receive alert and take action
Once an affected user enters "5t" during an SSH session, the PM receives a real-time notification and can take action, such as terminating the session.
If the recipient of the notification is an admin (who may also be a PM), the admin can additionally disable the user to contain the potential hazard.
FAQ related to Policy:
Q: Who can set policy?
A: System policies can only be set by the admin; project policies can be set by PMs or the admin.
Q: Who will receive the warnings in the policy?
A: If the alert is turned on, the admin receives an alert for a violation of a system policy, and the PMs within the project receive an alert for a violation of a project policy.
Q: Can the policy be deactivated?
A: Yes. On the policy page, click More on a policy to deactivate it.
Q: Will administrators be affected by policies?
A: No. Whether it is a project policy or a system policy, the admin is not affected by the policy.
Q: Will blocked commands be recorded?
A: Yes.
Q: If an input command merely contains a blocked command as part of a longer word, will it be blocked?
A: No. If the blocked command is "rm", entering "arm" is not blocked.
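To make the behaviour of the two demo policies and the FAQ answers concrete, the following Python model evaluates an entered SSH command line against a set of policies. It is an added example written for this article, not Mavis's own code, and it makes two assumptions that the page does not spell out: a blocked or alerted command matches only when it appears as a whole token of the command line (so a policy on "rm" matches "sudo rm -rf x" and "ls; rm x" but not "arm"), and the admin exemption is modelled as an `is_admin` flag on the session. The policy names, users, and the "prod-db" tag are constructed sample data.

```python
"""Illustrative model of Mavis-style SSH-command policy evaluation.

Added example, not Mavis's implementation. Assumptions:
- a command in the policy content matches only as a whole token of the
  entered line (FAQ: a policy on "rm" does not match "arm"),
- admins are exempt from every policy (FAQ),
- system-policy alerts go to the admin, project-policy alerts to the PM.
"""
import re
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    scope: str                     # "system" or "project"
    commands: frozenset            # policy content for the SSH-command checkpoint
    action: str                    # "blocked" or "none"
    alert: bool = False
    roles: frozenset = frozenset()  # project only; empty means any role
    tags: frozenset = frozenset()   # project only; empty means all resources


@dataclass
class Session:
    user: str
    role: str
    is_admin: bool
    device_tags: frozenset         # tags of the device being accessed


@dataclass
class Decision:
    blocked: bool
    alerts: list                   # (policy name, recipient) pairs
    log: list                      # entries written to the system log


# Split on whitespace and common shell separators so "ls;rm x" yields "rm".
TOKEN = re.compile(r"[^\s;|&]+")


def matched_commands(line, commands):
    """Return the policy commands that appear as whole tokens in the line.

    Whole-token matching is the assumed semantics behind the FAQ answer that
    "arm" is not blocked by a policy on "rm".
    """
    return sorted(commands & set(TOKEN.findall(line)))


def applies(policy, session):
    """Does this policy cover the user and device of the session?"""
    if session.is_admin:            # FAQ: admins are never affected
        return False
    if policy.scope == "system":    # system policies are system-wide
        return True
    if policy.roles and session.role not in policy.roles:
        return False
    if policy.tags and not (policy.tags & session.device_tags):
        return False
    return True


def evaluate(line, policies, session):
    """Evaluate one entered command line against all policies."""
    decision = Decision(blocked=False, alerts=[], log=[])
    for p in policies:
        if not applies(p, session):
            continue
        hits = matched_commands(line, p.commands)
        if not hits:
            continue
        if p.action == "blocked":
            decision.blocked = True
        if p.alert:
            decision.alerts.append((p.name, "admin" if p.scope == "system" else "PM"))
        # FAQ: violations are recorded regardless of whether an alert is sent
        decision.log.append(f"{session.user} entered {hits}: policy '{p.name}' action={p.action}")
    return decision


# Constructed sample policies mirroring the two demo cases plus an "rm" rule
POLICIES = [
    Policy("block-sudo", "system", frozenset({"sudo"}), "blocked", alert=True),
    Policy("alert-5t", "project", frozenset({"5t"}), "none", alert=True,
           tags=frozenset({"prod-db"})),
    Policy("block-rm", "project", frozenset({"rm"}), "blocked"),
]

# Constructed sample sessions
DEV = Session("alice", "developer", False, frozenset({"prod-db"}))
OTHER = Session("bob", "developer", False, frozenset({"staging"}))
ADMIN = Session("carol", "admin", True, frozenset({"prod-db"}))

if __name__ == "__main__":
    for who, line in [(DEV, "sudo apt update"), (DEV, "5t"), (OTHER, "5t"),
                      (DEV, "arm --help"), (DEV, "ls; rm -rf tmp"), (ADMIN, "sudo su")]:
        d = evaluate(line, POLICIES, who)
        print(f"{who.user:6} {line!r:20} blocked={d.blocked} alerts={d.alerts}")
```

Running the script shows the difference between the two demo cases: "sudo" is both blocked and alerted to the admin, while "5t" is only alerted to the PM, and only for sessions on a device tagged "prod-db". If the real checkpoint also matches commands passed through wrappers such as `sh -c "sudo ..."` or aliases, that is outside what this page describes; a practitioner should verify it against the product rather than rely on this model.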