Restricted Process Termination
In addition to the capability to control which sessions are able to be terminated from the user interface, Enterprise Session Monitor administrators can configure agent level protections against the termination of certain processes through the use of a
The functionality to terminate sessions from the SAS Enterprise Session Monitor user interface requires the configuration of the terminateSpec.yaml file. If this file is not present in the bin folder of the Agent, no processes can be terminated from the application's user interface, regardless of the permissions configured.
The file is there "out of the box" on both Unix and Windows and is by default completely permissive. This means that the restrictions applied within the user interface define who can terminate what from within the application.
Sessions with an ESM type of SYS cannot be terminated from the user interface, regardless of the settings configured within the terminateSpec.yaml file.
The terminateSpec.yaml file uses regular expressions to match the name of the process that is requested to be killed and the owning user of that process, and evaluates them against a rule set to determine whether the process can be killed.
|Parameter|Description|
|---|---|
|processFilterRegex|Regular expression pattern to match the process command line.|
|userFilterRegex|Regular expression pattern to match the process|
|canBeTerminated|Boolean parameter about whether the process that matches the above two rules can be terminated.|
Allow termination of SAS 9.4 sessions owned by any user

    terminateSpec:
      - processFilterRegex: .*SASFoundation\/9.4\/sas.*
        userFilterRegex: ''
        canBeTerminated: true

The above example allows any privileged user in SAS Enterprise Session Monitor to kill any SAS session where that process is owned by any user, and where the installed path of SAS is something like
Don't allow processes owned by root to be terminated

    terminateSpec:
      - processFilterRegex: .*
        userFilterRegex: root
        canBeTerminated: false

The above example denies privileged users in SAS Enterprise Session Monitor the ability to kill any session owned by the user "root", regardless of their permissions in the user interface.
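The following added example (not part of the SAS documentation or the agent's code) shows one way to check a rule set like the two above before deploying it: it validates each rule and previews the decision for constructed sample processes. The matching semantics (unanchored search, first matching rule decides, deny when nothing matches), the combined rule order, and the sample command lines and users are assumptions, since the page does not specify them.

```python
import re

# Rules mirror the two terminateSpec.yaml examples on this page, combined
# into one list with the deny rule first (the combination is an assumption).
RULES = [
    {"processFilterRegex": r".*", "userFilterRegex": r"root",
     "canBeTerminated": False},
    {"processFilterRegex": r".*SASFoundation\/9.4\/sas.*",
     "userFilterRegex": r"", "canBeTerminated": True},
]

def validate(rules):
    """Return a list of problems: missing keys, bad regexes, non-boolean flags."""
    problems = []
    for i, rule in enumerate(rules):
        for key in ("processFilterRegex", "userFilterRegex"):
            try:
                re.compile(rule[key])
            except KeyError:
                problems.append(f"rule {i}: missing {key}")
            except re.error as exc:
                problems.append(f"rule {i}: {key} does not compile: {exc}")
        if not isinstance(rule.get("canBeTerminated"), bool):
            problems.append(f"rule {i}: canBeTerminated must be true or false")
    return problems

def can_terminate(rules, cmdline, user, default=False):
    """ASSUMED: unanchored search, first matching rule decides, else default."""
    for rule in rules:
        proc_ok = re.search(rule["processFilterRegex"], cmdline)
        user_ok = re.search(rule["userFilterRegex"], user)
        if proc_ok and user_ok:
            return rule["canBeTerminated"]
    return default

# Constructed sample processes: (command line, owning user).
SAMPLES = [
    ("/opt/sas/SASFoundation/9.4/sas -noterminal", "alice"),
    ("/opt/sas/SASFoundation/9.4/sas -noterminal", "root"),
    ("/usr/sbin/sshd -D", "alice"),
    ("/opt/sas/SASFoundation/9.4/sas -noterminal", "rootsvc"),  # substring hit
]

def preview(rules=RULES, samples=SAMPLES):
    return [(cmd, user, can_terminate(rules, cmd, user)) for cmd, user in samples]

if __name__ == "__main__":
    print(validate(RULES) or "rule set is well formed")
    for cmd, user, allowed in preview():
        print("ALLOW" if allowed else "DENY ", user, cmd)
```

Under these assumed search semantics the unanchored pattern root also matches the account rootsvc; anchoring it as ^root$ would restrict the rule to the exact account name.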
Created: April 24, 2023