
Policy-Rule Commands

Policy-rule commands are used for managing policy rules.

add-policy-rule

Syntax:

ssh-mgr-client [global_options] add-policy-rule -d <data> [-o <format>]

Add a policy rule to the Key Manager system.

Define the new policy rule using data attributes (-d). The available attributes differ depending on the type of policy rule that is to be added. The following lists describe the common data attributes that can be used with all policy types, and any data attributes that are specific to certain types of policy rules.

Common data for all policy rules

rule_type

The type of the policy rule.

  • Cryptographic policy: key-algorithms
  • Duplicate private keys: duplicate-private-keys
  • Forbidden authorizations: forbidden-authorizations
  • Forbidden private keys: forbidden-private-keys
  • Forced command: forced-command
  • Host keys: host-keys
  • Key age policy: key-age
  • Segregation of duties: segregation-of-duties
  • Sign-off policy: key-sign-off
  • Source restriction: source-restriction
  • SSH server algorithms policy: ssh-server-algorithms
  • SSH server configuration policy: ssh-server-configuration
  • Unused keys policy: unused-keys

name

The name that is to be set for the policy rule.

severity

The severity of the rule. Can be warning, low, medium, high, or critical.

description

Free-text description for the policy rule.

possible_impact

Free-text description about the possible security implications caused by items that violate the policy rule.

recommended_action

Free-text description about actions that should be taken to remediate items that violate the policy rule.

hostgroup_ids

A list of host-group IDs that the rule applies to. By default the rule applies globally.

classifications

A list of host classifications that the rule applies to. By default the rule applies globally.

username_set

A list of usernames that the rule applies to. By default the rule applies globally.

exclude_username_set

A list of user names that are excluded from the policy. By default the rule applies globally.

uid_set

A list of OS user IDs that the rule applies to. By default the rule applies globally.

exclude_uid_set

A list of OS user IDs that are excluded from the policy. By default the rule applies globally.

exclude_fingerprints

A list of strings corresponding to key fingerprints. SSH keys with any of these fingerprints are excluded from the policy. The list may contain up to 100 fingerprints.

fp_exclusion_comment

Free-text comment, providing reasons for excluded fingerprints.

Additional data for Cryptographic policy

algorithms

A list of allowed algorithms and allowed key sizes. Each entry in the list is to be specified in [algorithm-name, [minimum-size, maximum-size]] format or [algorithm-name, is_algorithm_allowed] format. For example, ["ssh-rsa", [2048, 4096]] or ["ssh-rsa", false]. Any algorithm that is left unspecified is allowed by default.

Additional data for Forbidden private keys

source_exclude_uid_set

Array of OS user IDs. Private keys of users with these UIDs are never flagged by this policy.

source_exclude_username_set

Array of user names. Private keys of these users are never flagged by this policy.

source_hostgroup_ids

Array of host-group IDs. Private keys on hosts in these host groups are flagged if they authorize to targeted hosts.

source_classifications

Array of classifications. Private keys with any of these classifications are flagged if they authorize to targeted hosts.

source_uid_set

Array of OS user IDs. Private keys of users with these UIDs are flagged if they authorize to targeted hosts.

source_username_set

Array of user names. Private keys of these users are flagged if they authorize to targeted hosts.

Additional data for Forced command

specific_command

A string representing a specific terminal command, such as 'ls -la'. All authorized keys that are not set with this forced command are flagged. By default, authorized keys without a forced command are flagged.

Additional data for Host keys

age

The maximum allowed key age, described as an integer followed by a unit-specifier letter (y (years), m (months), w (weeks), d (days), H (hours), M (minutes), or S (seconds)). For example: 90d.

algorithms

A list of allowed algorithms and allowed key sizes. Each entry in the list is to be specified in [algorithm-name, [minimum-size, maximum-size]] format or [algorithm-name, is_algorithm_allowed] format. For example, ["ssh-rsa", [2048, 4096]] or ["ssh-rsa", false]. Any algorithm that is left unspecified is allowed by default.
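The algorithms list has the same two entry formats for the Cryptographic policy and for Host keys. As an added illustration that is not part of the product or its documentation, this Python snippet evaluates a key inventory against such a list; it treats the null bound used in the add-policy-rule example below as "no bound" and lets the first entry naming an algorithm decide, both assumptions of the example.

```python
import json

# A policy entry in the reference's format is either
#   [algorithm-name, [minimum-size, maximum-size]]  (null taken here as "no bound")
# or
#   [algorithm-name, is_algorithm_allowed]


def key_violates(algorithms, algorithm, bits):
    """True if a key of this algorithm and size violates the 'algorithms' list.

    Algorithms the list does not mention are allowed, as the reference states.
    The first entry naming the algorithm decides (an assumption of this example).
    """
    for name, rule in algorithms:
        if name != algorithm:
            continue
        if isinstance(rule, bool):
            return not rule  # [name, false] flags every key of this algorithm
        minimum, maximum = rule
        if minimum is not None and bits < minimum:
            return True
        if maximum is not None and bits > maximum:
            return True
        return False
    return False


def flagged_keys(algorithms, keys):
    """Fingerprints of the (fingerprint, algorithm, bits) tuples that violate the policy."""
    return [fp for fp, alg, bits in keys if key_violates(algorithms, alg, bits)]


# The 'algorithms' value from the reference's first add-policy-rule example, parsed as JSON.
EXAMPLE_POLICY = json.loads(
    '[["ssh-rsa", [2048, null]], ["ssh-dss", [1024, 1024]], ["ecdsa", false]]'
)

# Constructed inventory for the demonstration; the fingerprints are placeholders, not real keys.
SAMPLE_KEYS = [
    ("fp-1", "ssh-rsa", 1024),     # smaller than the 2048 minimum: flagged
    ("fp-2", "ssh-rsa", 4096),     # within [2048, null]: allowed
    ("fp-3", "ssh-dss", 1024),     # exactly 1024: allowed
    ("fp-4", "ecdsa", 256),        # algorithm forbidden outright: flagged
    ("fp-5", "ssh-ed25519", 256),  # not mentioned by the policy: allowed by default
]

if __name__ == "__main__":
    print(flagged_keys(EXAMPLE_POLICY, SAMPLE_KEYS))  # ['fp-1', 'fp-4']
```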

Additional data for Key age policy

age

The maximum allowed key age, described as an integer followed by a unit-specifier letter (y (years), m (months), w (weeks), d (days), H (hours), M (minutes), or S (seconds)). For example: 90d.

Additional data for Segregation of duties

exclude_fingerprints

A list of key fingerprints. SSH keys with any of these fingerprints are excluded from the policy.

fp_exclusion_comment

Free-text comment.

source_hostgroup_ids

A list of allowed source host-group IDs.

source_classifications

A list of allowed source-host classifications.

include_internal_keys

If set to true, agentless management keys are also included in the policy. By default agentless management keys are excluded from policies.

Additional data for Sign-off policy

validity

The validity period of sign-off decisions, specified as an integer followed by a time unit. For example, 10d. Keys that have not been signed off for the specified amount of time are flagged.

Additional data for SSH server algorithms

algorithms

JSON object specifying allowed and required algorithms. Possible contents are:

Ciphers

An object specifying the allowed and/or the required ciphers in the following format:

"Ciphers":{"allowed":["alg1","alg2",...],"required":["alg10","alg11",...]}

HostKeyAlgorithms

An object specifying the allowed and/or the required host-key algorithms in the following format:

"HostKeyAlgorithms":{"allowed":["alg1","alg2",...],"required":["alg10","alg11",...]}

KexAlgorithms

An object specifying the allowed and/or the required KEX algorithms in the following format:

"KexAlgorithms":{"allowed":["alg1","alg2",...],"required":["alg10","alg11",...]}

MACs

An object specifying the allowed and/or the required MAC algorithms in the following format:

"MACs":{"allowed":["alg1","alg2",...],"required":["alg10","alg11",...]}

PubkeyAcceptedTypes

An object specifying the allowed and/or the required public-key types in the following format:

"PubkeyAcceptedTypes":{"allowed":["alg1","alg2",...],"required":["alg10","alg11",...]}
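The allowed/required objects above share one shape across the five settings. As an added illustration, not code from the product or its documentation, this Python snippet checks a server's offered algorithm lists against such a policy object; its reading of the semantics (an offered algorithm must be allowed or required when "allowed" is given, every required algorithm must be offered, unmentioned settings pass) is an assumption of the example, and the server inventory is constructed.

```python
import json


def server_algorithm_violations(algorithms, offered):
    """Compare what an SSH server offers with an ssh-server-algorithms 'algorithms' object.

    algorithms: the policy JSON object keyed by Ciphers, HostKeyAlgorithms, KexAlgorithms,
                MACs or PubkeyAcceptedTypes, each holding 'allowed' and/or 'required' lists.
    offered:    the lists the server actually offers under the same keys (constructed input).
    Semantics assumed here: with 'allowed' present, every offered algorithm must be allowed
    or required; every 'required' algorithm must be offered; unmentioned settings pass.
    """
    findings = []
    for setting, rule in algorithms.items():
        present = offered.get(setting, [])
        required = rule.get("required", [])
        if "allowed" in rule:
            permitted = set(rule["allowed"]) | set(required)
            for alg in present:
                if alg not in permitted:
                    findings.append(f"{setting}: {alg} is offered but not allowed")
        for alg in required:
            if alg not in present:
                findings.append(f"{setting}: required {alg} is not offered")
    return findings


# The 'algorithms' value from the reference's ssh-server-algorithms example.
EXAMPLE_POLICY = json.loads(
    '{"Ciphers":{"allowed":["aes256-cbc","arcfour256"]},'
    '"HostKeyAlgorithms":{"required":["ssh-rsa"],"allowed":["ssh-dss","ssh-ed25519"]}}'
)

# Constructed server inventory for the demonstration (not captured from a real host).
SAMPLE_SERVER = {
    "Ciphers": ["aes256-cbc", "chacha20-poly1305@openssh.com"],  # second cipher not allowed
    "HostKeyAlgorithms": ["ssh-ed25519"],                          # required ssh-rsa missing
    "MACs": ["hmac-sha2-256"],                                     # not in the policy: passes
}

if __name__ == "__main__":
    for line in server_algorithm_violations(EXAMPLE_POLICY, SAMPLE_SERVER):
        print(line)
```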

Additional data for SSH server configuration

attributes

JSON object specifying SSH-server configurations and their allowed values. For configurations that are not specified, the policy allows any value.

The possible names and their values are as follows:

allow-agent-forwarding

Allow agent forwarding? Possible values are: yes or no

allow-tcp-forwarding

Allow TCP forwarding? Possible values are: yes or no

authorized-key-location

String specifying the allowed authorized-key directory. May consist of SSH path substitutions such as %u (for user name) or %h (for user home directory).

Allow banners? Possible values are: yes or no

chroot-directory

String specifying the chroot directory. May consist of SSH path substitutions such as %u (for user name) or %h (for user home directory).

client-alive-interval

An array with two integers corresponding to the minimum and maximum allowed client-alive times, specified in seconds.

log-level

Array of one or more log levels. Possible log levels are: VERBOSE, FATAL, ERROR, INFO, QUIET, DEBUG, DEBUG1, DEBUG2, and/or DEBUG3

max-auth-tries

An array with two integers corresponding to the minimum and maximum allowed max-auth tries.

permit-root-login

Array of one or more allowed root-login methods. Possible values are: no, prohibit-password, without-password, forced-commands-only, and/or yes

permit-tunnel

Array of one or more allowed tunneling schemes. Possible values are: no, point-to-point, ethernet, and/or yes

port

An array with two integers corresponding to the minimum and maximum allowed SSH port number.

protocols

The allowed SSH protocol. Possible values: 1 or 2

strict-modes

Should strict modes be enforced? Possible values are: yes or no

subsystem

Are subsystems allowed? Possible values are: yes or no

tcp-keepalive

Allow TCP keepalive? Possible values are: yes or no

use-pam

Should PAM authentication be allowed? Possible values are: yes or no
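The attributes above come in three value shapes: yes/no or path strings, arrays of permitted values, and [minimum, maximum] integer ranges. As an added illustration that is not part of the product or its documentation, this Python snippet applies an attributes object to a set of observed server settings; the observed values and the port and use-pam entries in the policy are constructed, and flagging a setting the server does not report is an assumption of the example.

```python
import json

# Attributes whose policy value is a [minimum, maximum] integer range, per the reference.
RANGE_ATTRIBUTES = {"client-alive-interval", "max-auth-tries", "port"}


def config_violations(attributes, observed):
    """Check observed sshd settings against an ssh-server-configuration 'attributes' object.

    Value shapes from the reference: yes/no and path strings must match exactly, arrays
    (log-level, permit-root-login, permit-tunnel, protocols) list the permitted values, and
    RANGE_ATTRIBUTES take [minimum, maximum]. Attributes the policy omits allow any value.
    A setting the policy names but the server does not report is flagged (assumption here).
    """
    findings = []
    for name, rule in attributes.items():
        if name not in observed:
            findings.append(f"{name}: not reported by server")
            continue
        value = observed[name]
        if name in RANGE_ATTRIBUTES:
            low, high = rule
            ok = low <= int(value) <= high
        elif isinstance(rule, list):
            ok = str(value) in rule
        else:
            ok = str(value) == rule
        if not ok:
            findings.append(f"{name}: observed {value!r}, policy allows {rule!r}")
    return findings


# Policy: the reference's ssh-server-configuration example plus two constructed attributes.
EXAMPLE_POLICY = json.loads(
    '{"protocols":["2"],"permit-root-login":["no","prohibit-password"],'
    '"port":[22,22],"use-pam":"yes"}'
)

# Constructed settings as read from a server (not from a real host).
SAMPLE_SERVER = {
    "protocols": "2",
    "permit-root-login": "yes",     # outside the permitted list: flagged
    "port": 2222,                   # outside [22, 22]: flagged
    "use-pam": "yes",
    "allow-tcp-forwarding": "yes",  # not in the policy: any value allowed
}

if __name__ == "__main__":
    for line in config_violations(EXAMPLE_POLICY, SAMPLE_SERVER):
        print(line)
```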

Additional data for Unused keys policy

last_ka_scan_newer_than

Ignore keys on hosts where key-activity data is older than the specified number of days. For example, 7d. By default, no hosts in scope of the policy rule are ignored.

limit

The permitted idle period. For example, 30d. Any keys that have stayed unused for longer than this period are flagged.
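The period format (an integer followed by a unit letter) is shared by the key-age and host-key age attributes, the sign-off validity, and the unused-keys limit and last_ka_scan_newer_than. As an added illustration that is not part of the product or its documentation, this Python snippet parses that format and applies the key-age and unused-keys rules to constructed sample data; the year and month lengths, and treating a key with no recorded use as idle, are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit letters from the reference's age format; year and month lengths are assumptions here.
_UNIT_SECONDS = {"y": 365 * 86400, "m": 30 * 86400, "w": 7 * 86400,
                 "d": 86400, "H": 3600, "M": 60, "S": 1}


def parse_period(spec):
    """Parse a period such as '90d', '10d' or '12H' (unit letters are case-sensitive)."""
    match = re.fullmatch(r"(\d+)([ymwdHMS])", spec)
    if not match:
        raise ValueError(f"bad period spec: {spec!r}")
    return timedelta(seconds=int(match.group(1)) * _UNIT_SECONDS[match.group(2)])


def key_age_violations(age, keys, now):
    """Key-age rule: fingerprints of (fingerprint, created) keys older than 'age'."""
    limit = parse_period(age)
    return [fp for fp, created in keys if now - created > limit]


def unused_key_violations(limit, last_ka_scan_newer_than, keys, now):
    """Unused-keys rule over (fingerprint, last_used, host_last_ka_scan) tuples; keys on hosts
    whose key-activity scan is older than last_ka_scan_newer_than are ignored, and a key with
    no recorded use (last_used None) counts as idle for the whole period (assumption)."""
    idle = parse_period(limit)
    stale = parse_period(last_ka_scan_newer_than) if last_ka_scan_newer_than else None
    flagged = []
    for fp, last_used, host_scan in keys:
        if stale is not None and now - host_scan > stale:
            continue
        if last_used is None or now - last_used > idle:
            flagged.append(fp)
    return flagged


# Constructed sample data; fingerprints are placeholders and dates are relative to NOW.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE_KEY_AGES = [("fp-a", NOW - 120 * DAY), ("fp-b", NOW - 30 * DAY)]
SAMPLE_KEY_ACTIVITY = [
    ("fp-c", NOW - 45 * DAY, NOW - 1 * DAY),   # idle 45d on a freshly scanned host: flagged
    ("fp-d", NOW - 45 * DAY, NOW - 10 * DAY),  # host scan older than 7d: ignored
    ("fp-e", None, NOW - 2 * DAY),             # never used, fresh scan: flagged
    ("fp-f", NOW - 5 * DAY, NOW - 1 * DAY),    # recently used: allowed
]

if __name__ == "__main__":
    print(key_age_violations("90d", SAMPLE_KEY_AGES, NOW))                # ['fp-a']
    print(unused_key_violations("30d", "7d", SAMPLE_KEY_ACTIVITY, NOW))  # ['fp-c', 'fp-e']
```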

Example - Create a global policy that flags unpermitted keys (RSA keys smaller than 2048 bits, DSA keys of any other size than 1024 bits, and ECDSA keys of any size):

$ ssh-mgr-client add-policy-rule -d \
rule_type=key-algorithms,name="Disallowed key algorithms or sizes",severity=medium,\
algorithms='[["ssh-rsa", [2048, null]], ["ssh-dss", [1024, 1024]], ["ecdsa", false]]',\
description="Only 2048-bit and larger RSA keys or 1024-bit DSA keys allowed.",\
recommended_action="Renew authorization using one of the allowed algorithms and \
key sizes."

Example - Create a global policy that flags duplicate private keys, while ignoring keys with certain fingerprints:

$ ssh-mgr-client add-policy-rule -d \
rule_type=duplicate-private-keys,name="Duplicate private key",\
severity=low,exclude_fingerprints='
["be:df:98:0e:e9:5a:9d:2b:27:7a:ae:7e:eb:20:7d:8d",
"c3:56:fb:38:28:ab:a8:19:0f:f2:9f:35:2d:76:c3:24"]'

Example - Create a policy rule that flags keys older than 90 days on all the hosts with the DEV and/or PROD classification:

$ ssh-mgr-client add-policy-rule -d \
rule_type=key-age,name="Key older than 3 months",\
severity=high,age=90d,classifications='["DEV", "PROD"]',\
description="DEV authorization in need of renewal.",\
recommended_action="Renew the authorization ASAP."

Example - Create a policy rule that flags authorizations to root accounts on DEV hosts:

$ ssh-mgr-client add-policy-rule -d \
rule_type=forbidden-authorizations,name="Authorizations to DEV root",\
severity=critical,classifications='["DEV"]',username_set='["root"]',\
description="Authorizations to DEV root are forbidden.",\
recommended_action="Remove authorization immediately."

Example - Create a policy rule that only permits authorizations to DEV hosts from other DEV hosts, and flags authorizations that go to DEV hosts from other sources:

$ ssh-mgr-client add-policy-rule -d \
rule_type=segregation-of-duties,\
name="DEV access from outside sources",severity=high,\
classifications='["DEV"]',source_classifications='["DEV"]',\
description="Access to DEV hosts should not be permitted from \
non-DEV hosts.",recommended_action="Remove the authorization."

Example - Create a policy restricting SSH servers to certain ciphers and host-key algorithms:

$ ssh-mgr-client add-policy-rule -d \
rule_type=ssh-server-algorithms,\
name="Ciphers and host-key algorithms",severity=high,\
algorithms='{"Ciphers":{"allowed":["aes256-cbc","arcfour256"]},
"HostKeyAlgorithms":{"required":["ssh-rsa"],"allowed":["ssh-dss","ssh-ed25519"]}}'

Example - Create a policy that only allows SSH protocol 2 and prohibits passwordless root logins:

$ ssh-mgr-client add-policy-rule -d \
rule_type=ssh-server-configuration,\
name="No SSHv1 nor passwordless root logins",severity=high,\
attributes='{"protocols":["2"],"permit-root-login":["no","prohibit-password"]}'

delete-policy-rule

Syntax:

ssh-mgr-client [global_options] delete-policy-rule -i <id> [-B]

Delete an existing policy rule.

Select the target policy rule by providing its ID (-i). After you have deleted a policy rule, no items are considered to be in violation of it anymore.

Example - Deleting a policy rule:

$ ssh-mgr-client delete-policy-rule -i 13

edit-policy-rule

Syntax:

ssh-mgr-client [global_options] edit-policy-rule -i <id> -d <data>

Edit an existing policy rule.

Select the target policy rule by providing its ID (-i). Also specify the data attributes that are to be modified (-d). The data attributes that are available for each type of policy rule are described in add-policy-rule.

Example - Change the severity and the permitted key age of a key-age policy:

$ ssh-mgr-client edit-policy-rule -i 8 -d age=60d,severity=critical

list-policy-rules

Syntax:

ssh-mgr-client [global_options] list-policy-rules [-F <filter>] \
[-X <exclude-filter>] [-o <format>] [-C <columns>] [-H] [-O <sort-order>] \
[-S <start-from>] [-M <max-results>] [-E <delim>] [-B]

List policy rules.

The default command lists all the policy rules currently defined in the system.

$ ssh-mgr-client list-policy-rules

The following columns can be used for filtering (-F) and output formatting (-C):

auth_keys_count

Violating authorized keys

date_created

Date created

date_modified

Date of modification

description

Description of the policy rule

host_count

Violating hosts

id

Internal PrivX Key Manager id for policy rule

last_validated

Last validated date

name

Name

possible_impact

Possible impact of violating the policy rule

private_keys_count

Violating private keys

recommended_action

Recommended action to comply with the policy rule

severity

Policy rule severity level

severity_class

Policy rule severity level class. Only usable for output formatting (-C).

target_types

Types of objects targeted by the policy rule

total_auth_keys_count

Authorized keys in scope

total_host_count

Hosts in scope

total_private_keys_count

Private keys in scope

type

Policy rule type

validating_job

Job validating the rule

validate-policy-rule

Syntax:

ssh-mgr-client [global_options] validate-policy-rule -i <id> [-B]

Validate a policy rule against the environment.

Select the target policy rule by providing its ID (-i).

Example - validating a policy against the environment:

$ ssh-mgr-client validate-policy-rule -i 8