Command Filters
Command Filters is a security feature of the Access Broker that allows precise control over which shell or terminal commands are permitted or denied during a secure remote session. It operates by intercepting commands issued by the user and evaluating them against configured allow or deny rules using regular expressions. In addition, the feature supports command path enforcement, ensuring that only trusted binaries from approved directories are executed.
Command Filters enable organizations to enforce strict operational controls over remote administrative sessions, mitigating the risk of accidental or malicious execution of sensitive or harmful commands. By filtering commands and enforcing binary paths, the feature strengthens endpoint protection in high-security environments.
How It Works
During a remote session, the Access Broker evaluates each command entered by the user. The evaluation process follows one of two configured modes:
- Allow List Mode: Only commands that match one of the specified regular expressions are allowed. All other commands are denied, regardless of any deny rules.
- Deny List Mode: Commands that match a deny pattern are blocked. All other commands are permitted.
Only one mode (Allow or Deny) can be active at a time per command filter.
Additionally, a Paths Enforcement mechanism ensures that commands are executed from predefined absolute paths. If a command is entered without a full path, the Access Broker rewrites it to use the corresponding trusted binary path before sending it to the target system.
Key Capabilities of Command Filters
Command Filters provide three core mechanisms to control command execution during remote sessions: Allow, Deny, and Paths. These options enable administrators to define which commands are explicitly permitted or blocked using regular expressions, and to enforce the use of trusted binary paths to prevent command substitution or execution from untrusted locations. Each capability can be configured per access profile to match the security needs of specific users, groups, or assets.
1. Allow List Mode
When configured in Allow Mode, only commands explicitly defined by the administrator using regular expressions will be executed. All other commands are blocked.
Example 'Allow' List:
^sudo /etc/init.d/mysql restart$
^sudo /etc/init.d/mysql status$
^exit$
In this example, only restarting and checking the status of the MySQL service, and exiting the session, are permitted.
2. Deny List Mode
When configured in Deny Mode, commands matching any of the specified patterns are blocked. All others are permitted.
Example 'Deny' List:
^kill .*$
^sudo shutdown .*$
This configuration blocks process termination and system shutdown commands, but allows all others.
3. Paths Enforcement
To prevent command substitution or execution of malicious binaries from untrusted directories, Command Filters allow specification of absolute paths for trusted binaries.
Example 'Paths' List:
/bin/ls
/bin/awk
/bin/grep
If a user types ls -alp, the Access Broker rewrites the command to /bin/ls -alp, ensuring execution from the defined trusted directory.
This mechanism addresses common attack vectors where an attacker may place a malicious script with the same name as a system utility (e.g., ls, awk) in a writable directory earlier in the $PATH. Enforcing full paths ensures the integrity of executed commands.
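The three mechanisms above (allow list, deny list, path enforcement) as one small reference implementation. This is an added example, not the Access Broker's own code; the rule sets are copied from this page's examples, and the choices to check multi-line entries line by line and to leave commands that already carry a path untouched are assumptions of the example.

```python
import re
import shlex

# Constructed rule sets, copied from the examples on this page.
ALLOW_RULES = [r"^sudo /etc/init.d/mysql restart$",
               r"^sudo /etc/init.d/mysql status$",
               r"^exit$"]
DENY_RULES = [r"^kill .*$", r"^sudo shutdown .*$"]
TRUSTED_PATHS = ["/bin/ls", "/bin/awk", "/bin/grep"]


def is_permitted(command, mode, rules):
    """Allow mode: the command must match at least one rule.
    Deny mode: the command must match none of the rules.
    Each line of a multi-line entry is checked on its own (an assumption of
    this example) so a denied line cannot ride along with a permitted one."""
    if mode not in ("allow", "deny"):
        raise ValueError("mode must be 'allow' or 'deny'")
    compiled = [re.compile(r) for r in rules]
    for line in command.splitlines() or [""]:
        matched = any(p.search(line) for p in compiled)
        if mode == "allow" and not matched:
            return False
        if mode == "deny" and matched:
            return False
    return True


def enforce_path(command, trusted):
    """Rewrite a bare command name (e.g. 'ls') to its trusted absolute path.
    Commands not in the trusted list, or already given with a path, are left
    unchanged here; how the Broker treats those is not stated on the page."""
    by_name = {p.rsplit("/", 1)[-1]: p for p in trusted}
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: nothing sensible to rewrite
        return command
    if not argv or "/" in argv[0] or argv[0] not in by_name:
        return command
    argv[0] = by_name[argv[0]]
    return shlex.join(argv)


def filter_command(command, mode, rules, trusted):
    """Full pipeline: returns (permitted, command_to_send_to_target)."""
    if not is_permitted(command, mode, rules):
        return False, None
    return True, enforce_path(command, trusted)
```

Note that the regexes see the whole entered line, so rules should stay anchored with ^ and $ as in the page's examples; an unanchored pattern such as `mysql status` would also match any longer command containing that text.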
Use Cases for Command Filtering
Command Filters enhance session control by enforcing which commands can or cannot be executed during privileged access sessions. This capability supports a wide range of operational and security objectives, from limiting risky actions to ensuring compliance with internal policies. Below are common scenarios where Command Filters add value.
- Restricting Database Operations: Limit users to a small set of maintenance operations on a MySQL server, such as restarting or checking service status.
- Preventing System Downtime: Block potentially destructive commands such as kill, reboot, or shutdown during critical operational windows.
- Enforcing Trusted Binaries: Avoid execution of compromised or rogue binaries by enforcing command execution only from secure and trusted paths.
- Compliance Enforcement: Ensure that session activity complies with internal policies or industry regulations by explicitly allowing only approved operations.
Why It Matters in Modern PAM
Privileged Access Management (PAM) is about controlling and monitoring how administrative access is used. Command Filters extend these controls into the command-line interface itself, enforcing granular least privilege even within a session. While session recording and reporting are valuable for post-event analysis, Command Filters provide proactive prevention, stopping unauthorized or risky actions before they are executed.
Additionally, the path enforcement feature mitigates a class of common Linux attacks where compromised $PATH environments are used to hijack legitimate commands. By rewriting commands to point to known, verified binaries, this feature protects well-intentioned administrators from inadvertently executing malicious scripts.
Command Filters represent a powerful control point for any PAM deployment seeking not only to log activity, but to actively control it in real-time.