Command Filtering Functionality⚓︎
1 Funtionality Description⚓︎
- JumpServer supports filtering commands used during sessions with command filtering rules setted.
- The command filter can be associated with JumpServer users, assets, and the users who connect to the assets. A command filter can be linked to multiple command groups. When a user connected to the bound asset executes a command using the bound account, the command needs to be matched by all command groups linked to the bound filter. The high priority group is matched first. When a rule is matched, the action defined by that rule is executed. If no corresponding rule is matched, the command is executed normally.
2 Create a Command Filter Rule⚓︎
- The page provides functionality to create, delete, update, and view command filters。
- Click on the
Commond Filter
tab on theCommand Filter
page to access the command filter section. - Click on the
Create
button at the top left corner of this page to create a new command filter.
- Detailed parameter description:
Parameter | Description |
---|---|
Name | Name of command filter |
User-usre name | The JumpServer users matched by the command filter |
Asset-Name | The assets matched by the command filter |
Asset-IP/Host | The assets IP/Host matched by the command filter |
Account-Username | The user name of login asset matched by the command filter |
Command Group | The command groups associated with this command filter. When matched JumpServer users login with matching system to execute these commands on matched assets, the corresponding actions are executed. |
Action | The action taken when the login rule for this asset is matched A."Deny":Deny asset login; B."Permit":Permit asset login; C."Approve":The approver will receive a command review notification, enabling them to either authorize or reject the corresponding action execution; D."Warning":When a matching command is detected, an warning message will be sent to designated person. |
Priority | The priority of the command filter ranges from 1 to 100, with a smaller numerical value indicating higher priority for rule matching. The default priority is set at 50 |
3 Create a command group⚓︎
- Command groups can be associated with command filters. Currently, command groups support two syntaxes: regular expressions and commands.
- Click on the
Command Group
tab on theCommand Filter
page to access the command filter page. - Click on the
Create
button at the top left corner of this page to create a command group.
- Detailed parameter description:
Parameter | Description |
---|---|
Name | Name of command group |
Type | Regular expressions are used to match commands based on a regular expression pattern, while commands are used to filter specific fixed command |
Content | The content can be multi-line text, with each line representing a matching rule |
Ignore case sensitivity | This means that regardless of the case (uppercase or lowercase), the entered commands will be filtered according to the rules |