How do I use PIM to block SSH connections for a clean room setup?

Document ID : KB000010150
Last Modified Date : 14/02/2018
Introduction:

These are basic steps to configure a PIM endpoint to block SSH connections from a specific host.

Environment:
Linux / Unix Based OS
PIM Endpoint
Instructions:
  1. Turn on the TCP and HOST classes from selang.

so class+(TCP)

so class+(HOST)

  2. Make sure that the LADB has the host listed. If it does not, add the host to the local hosts file or configure sebuildla for DNS. Once done, rebuild the host LADB via sebuildla -h.

# sebuildla -H | grep u191597

u191597.ca.com           101.130.22.11

  3. Create a host rule that matches the case of the server name as listed in the sebuildla -H output.

nr host u191597.ca.com owner(nobody)

  4. Create an auth rule to remove access to the SSH service.

auth HOST u191597.ca.com service(ssh) access(none)

  5. Test an SSH connection from the host that is now blocked.

[root@U191597 bin]# ssh U193882

ssh_exchange_identification: Connection closed by remote host

  6. Review the audit log for the denial.

# seaudit -a -st now-1 | grep D

CA ControlMinder seaudit  v12.91.0.301 - Audit log lister

Copyright (c) 2013 CA. All rights reserved.

21 Apr 2017 11:28:40 D HOST         ssh                  156  3 u191597.ca.com /usr/sbin/sshd
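
The grep D in the audit review step matches any line that contains a capital D. As an added example (not part of the original article or of the product), the shell function below keeps only denied HOST records for one service and counts them per source host. The column positions are an assumption inferred from the single audit record shown above, and every sample line except that record and the two banner lines is constructed.

```shell
#!/bin/sh
# host_denials SERVICE
# Reads seaudit output on stdin and prints, for each source host with denied
# HOST-class records for SERVICE: "<host> <count> <timestamp of last denial>".
# Assumed layout (from the one record on this page, whitespace separated):
#   $1-$4 date and time, $5 result (D = denied), $6 class, $7 service,
#   $10 source host, $11 program
host_denials() {
    svc="${1:-ssh}"
    awk -v svc="$svc" '
        $5 == "D" && $6 == "HOST" && $7 == svc {
            count[$10]++
            last[$10] = $1 " " $2 " " $3 " " $4
        }
        END {
            for (h in count)
                printf "%s %d %s\n", h, count[h], last[h]
        }
    ' | LC_ALL=C sort
}

# Sample input. The banner lines and the 11:28:40 record are from this page;
# the other three records are constructed for the example.
sample_audit() {
    cat <<'EOF'
CA ControlMinder seaudit  v12.91.0.301 - Audit log lister
Copyright (c) 2013 CA. All rights reserved.
21 Apr 2017 11:28:40 D HOST         ssh                  156  3 u191597.ca.com /usr/sbin/sshd
21 Apr 2017 11:29:10 D HOST         telnet               156  3 u191597.ca.com /usr/sbin/in.telnetd
21 Apr 2017 11:30:12 D HOST         ssh                  156  3 build01.example.com /usr/sbin/sshd
21 Apr 2017 11:31:05 D HOST         ssh                  156  3 u191597.ca.com /usr/sbin/sshd
EOF
}

# On an endpoint: seaudit -a -st now-1 | host_denials ssh
sample_audit | host_denials ssh
```

Run against the sample, the telnet denial and the banner lines are dropped, which a plain grep D would have let through.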