Command Filtering Functionality

1 Functionality Description

  • JumpServer supports filtering the commands used during sessions by means of configured command filtering rules.
  • The command filter can be associated with JumpServer users, assets, and the users who connect to the assets. A command filter can be linked to multiple command groups. When a user connected to the bound asset executes a command using the bound account, the command is checked against all command groups linked to the bound filter. Higher-priority groups are matched first. When a rule is matched, the action defined by that rule is executed. If no corresponding rule is matched, the command is executed normally.

2 Create a Command Filter Rule

  • The page provides functionality to create, delete, update, and view command filters.
  • Click on the Command Filter tab on the Command Filter page to access the command filter section.
  • Click on the Create button at the top left corner of this page to create a new command filter.

  • Detailed parameter description:

| Parameter | Description |
| --- | --- |
| Name | Name of the command filter |
| User-Username | The JumpServer users matched by the command filter |
| Asset-Name | The assets matched by the command filter |
| Asset-IP/Host | The asset IPs/hosts matched by the command filter |
| Account-Username | The user name used to log in to the asset, as matched by the command filter |
| Command Group | The command groups associated with this command filter. When matched JumpServer users log in with a matching account and execute these commands on matched assets, the corresponding action is executed. |
| Action | The action taken when the login rule for this asset is matched. A. "Deny": Deny asset login; B. "Permit": Permit asset login; C. "Approve": The approver will receive a command review notification, enabling them to either authorize or reject the corresponding action execution; D. "Warning": When a matching command is detected, a warning message will be sent to the designated person. |
| Priority | The priority of the command filter ranges from 1 to 100, with a smaller numerical value indicating higher priority for rule matching. The default priority is 50. |

3 Create a command group

  • Command groups can be associated with command filters. Currently, command groups support two syntaxes: regular expressions and commands.
  • Click on the Command Group tab on the Command Filter page to access the command filter page.
  • Click on the Create button at the top left corner of this page to create a command group.

  • Detailed parameter description:

| Parameter | Description |
| --- | --- |
| Name | Name of the command group |
| Type | The regular expression type matches commands against a regular expression pattern, while the command type filters specific fixed commands |
| Content | The content can be multi-line text, with each line representing a matching rule |
| Ignore case sensitivity | This means that the entered commands will be filtered according to the rules regardless of case (uppercase or lowercase) |
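
The matching order described on this page (bound filters sorted by priority, first matching rule decides, no match means the command runs) can be modelled as follows. This is an added example, not JumpServer's own code: the class names, the `decide` function, the whole-word treatment of the command type, matching against the full command line, and the sample policy are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class CommandGroup:
    name: str
    type: str                 # "regex" or "command"
    content: str              # multi-line text, one matching rule per line
    ignore_case: bool = False

    def pattern(self):
        rules = [r.strip() for r in self.content.splitlines() if r.strip()]
        if not rules:
            return re.compile(r"(?!)")        # empty group matches nothing
        if self.type == "command":
            # Assumption: fixed commands match as whole words, not substrings.
            rules = [r"(?<!\w)" + re.escape(r) + r"(?!\w)" for r in rules]
        flags = re.IGNORECASE if self.ignore_case else 0
        return re.compile("|".join(f"(?:{r})" for r in rules), flags)

@dataclass
class CommandFilter:
    name: str
    users: set
    assets: set
    accounts: set
    groups: list
    action: str               # "deny", "permit", "approve" or "warning"
    priority: int = 50        # 1 to 100, smaller value is matched first

def decide(filters, user, asset, account, command):
    """Return (action, filter name, group name) of the first matching rule."""
    bound = [f for f in filters
             if user in f.users and asset in f.assets and account in f.accounts]
    for f in sorted(bound, key=lambda f: f.priority):
        for g in f.groups:
            if g.pattern().search(command):
                return f.action, f.name, g.name
    return "permit", None, None   # nothing matched: the command runs normally

# Constructed sample policy; every name and pattern here is illustrative.
power = CommandGroup("power", "command", "reboot\nshutdown", ignore_case=True)
svc = CommandGroup("svc-change", "regex", r"systemctl\s+(stop|restart)\s+\S+")
who = ({"alice"}, {"db01"}, {"root"})
FILTERS = [
    CommandFilter("deny-power", *who, [power], "deny", 50),
    CommandFilter("approve-svc", *who, [svc], "approve", 20),
]

if __name__ == "__main__":
    for cmd in ["Reboot", "rebooter", "systemctl stop nginx && reboot", "ls -l"]:
        print(f"{cmd!r:35} -> {decide(FILTERS, 'alice', 'db01', 'root', cmd)}")
```

In this model the line `systemctl stop nginx && reboot` resolves to `approve` rather than `deny`, because the priority-20 filter is evaluated before the priority-50 one. A deny rule that must always win therefore needs the smaller priority value.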