# Command Line Policy Type

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FAkh47cIcjTGptHO30EsJ%2Fimage.png?alt=media&#x26;token=f2483025-c85c-4292-81d8-98664005b10b" alt=""><figcaption></figcaption></figure>

### Overview

On **macOS and Linux** systems, the Command-line policy manages the use of `sudo` as a standard user.

By default, Keeper ships a specific list of commands that a standard user is eligible to elevate with `sudo`. If the request matches one of the eligible commands, Keeper applies the policy and enforces approval, MFA or justification according to the policy details.

Command-Line policies provide granular control over how applications are executed. Administrators can define allowed or denied command arguments and enforce restrictions at the subcommand level, ensuring that even permitted applications operate strictly within approved parameters.

#### How it Works

After a command has been approved, the Keeper service temporarily adds the requested command to the sudoers file for the designated user.

### Usage

When a Command-line policy is applied, Keeper uses a PAM module to override the `sudo` command with a new `keepersudo` command. Users simply execute `keepersudo` to request approval, elevate with MFA or send a justification message, depending on what the policy requires.

If a user attempts to run `sudo` directly, they are directed to the new command:

```
ubuntu@ip-172-31-8-134:/home$ sudo systemctl restart nginx
ERROR: To run sudo, use keepersudo
```

If an elevation policy is applied, the user can execute the command using keepersudo:

```
ubuntu@ip-172-31-8-134:/home$ keepersudo systemctl restart nginx

Your Keeper Administrator requires approval for this action.
Please enter the reason for this request: Ticket SYS-4432 I need to restart nginx

Approval request has been submitted.

To refresh approval status run: keeperagent --refresh
After approval run: keeperagent --approval
```

The admin will receive the elevation request.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FbWeAusZuTswapjlpfqk7%2FScreenshot%202025-10-23%20at%206.45.48%E2%80%AFPM.png?alt=media&#x26;token=b0e13b70-300f-406f-bc1f-e90716311665" alt=""><figcaption></figcaption></figure>

After the request has been approved, the user can run `keeperagent --approval` to execute the approved request.

```
ubuntu@ip-172-31-8-134:/home$ keeperagent --approval

You have 1 approved command:

1: /usr/bin/sudo /usr/bin/systemctl restart nginx (expires in 23 hours and 57 minutes)

To run an approved command, enter the number.
To see pending requests, type 'p'
To refresh approvals, type 'r'
Choose an option or 'e' to exit: 1
```

### Managing Sudo Elevation

From the **Admin Console** > **Endpoint Privilege Manager** > **Policies** create a new policy. Select "**Command Line**" from the policy type and then "**Enforce**".

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F4hjPUXySZnEHogQrV7wk%2Fimage.png?alt=media&#x26;token=6ebd931f-c441-4b9d-9dc4-47e3259a3b61" alt=""><figcaption></figcaption></figure>

Command Line policies can be applied to specific users and machine collections. Select the machine collections to apply the policy.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FlQ7lC7ItDpMlwtnjXrX5%2FScreenshot%202025-10-23%20at%206.24.47%E2%80%AFPM.png?alt=media&#x26;token=df606192-841e-4893-974c-ef081f227033" alt=""><figcaption></figcaption></figure>

### Advanced Configuration

The "eligible" list of sudo commands is explicitly set in a file called `ExecutableAllowlist.json`.

On macOS, the file is located here:

{% code overflow="wrap" %}

```
/Library/Keeper/sbin/Plugins/bin/KeeperLeastPrivilegeEnforcer/Configuration/ExecutableAllowlist.json
```

{% endcode %}

On Linux systems, the file is located here:

{% code overflow="wrap" %}

```
/opt/keeper/sbin/Plugins/bin/KeeperLeastPrivilegeEnforcer/Configuration/ExecutableAllowlist.json
```

{% endcode %}

If the administrator would like to allow additional commands, this file must be modified on each endpoint. (Note: In an upcoming release, Keeper will incorporate the list of allowed commands into the front-end UI and the synced policy.)
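Because the allowlist is maintained by hand on every endpoint and every path in it becomes runnable as root once approved, two things are worth checking on each host: that the file and the binaries it names are root-owned and not writable by anyone else (a user who can edit the allowlist or replace an allowlisted binary gets root), and that the copies on different endpoints are actually identical. The script below is an added example, not Keeper's own code. This page does not document the schema of `ExecutableAllowlist.json`, so the walker is schema-agnostic and treats every JSON string beginning with `/` as a candidate executable path; the two file locations are the ones given above and are assumed current for your installed version.

```python
"""Audit a Keeper ExecutableAllowlist.json on the local endpoint.

Added example, not Keeper's own code. The schema of ExecutableAllowlist.json
is not documented, so collect_paths() is schema-agnostic: any JSON string
that starts with "/" is treated as a candidate executable path.
"""
import hashlib
import json
import os
import stat
import sys

# File locations given in the documentation (assumed current for your version).
ALLOWLIST_PATHS = {
    "darwin": "/Library/Keeper/sbin/Plugins/bin/KeeperLeastPrivilegeEnforcer/Configuration/ExecutableAllowlist.json",
    "linux": "/opt/keeper/sbin/Plugins/bin/KeeperLeastPrivilegeEnforcer/Configuration/ExecutableAllowlist.json",
}


def collect_paths(node):
    """Return the sorted set of absolute-path strings found anywhere in a JSON value."""
    found = set()
    if isinstance(node, str):
        if node.startswith("/"):
            found.add(node)
    elif isinstance(node, dict):
        for value in node.values():
            found.update(collect_paths(value))
    elif isinstance(node, list):
        for item in node:
            found.update(collect_paths(item))
    return sorted(found)


def mode_problems(st_mode, st_uid):
    """Explain why a file that feeds sudo elevation cannot be trusted.

    A non-root owner or a group/world write bit means a standard user could
    edit the allowlist, or swap the allowlisted binary, and have it run as root.
    """
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def sha256_bytes(data):
    """Digest for comparing the allowlist across the endpoints it was copied to."""
    return hashlib.sha256(data).hexdigest()


def audit_allowlist(path):
    """Return findings for the allowlist file itself and for every path it names."""
    with open(path, "rb") as fh:
        raw = fh.read()
    st = os.stat(path)
    findings = {
        "digest": sha256_bytes(raw),
        "file": mode_problems(st.st_mode, st.st_uid),
        "commands": {},
    }
    for cmd in collect_paths(json.loads(raw)):
        try:
            cst = os.stat(cmd)
        except FileNotFoundError:
            findings["commands"][cmd] = ["missing on this host"]
            continue
        issues = mode_problems(cst.st_mode, cst.st_uid)
        if not stat.S_ISREG(cst.st_mode):
            issues.append("not a regular file")
        # A writable parent directory lets a user rename a trojan into place.
        pst = os.stat(os.path.dirname(cmd))
        issues.extend("parent directory " + p for p in mode_problems(pst.st_mode, pst.st_uid))
        findings["commands"][cmd] = issues
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_allowlist.py [path-to-ExecutableAllowlist.json]
    default = ALLOWLIST_PATHS.get(sys.platform, ALLOWLIST_PATHS["linux"])
    target = sys.argv[1] if len(sys.argv) > 1 else default
    print(json.dumps(audit_allowlist(target), indent=2))
```

Run it as root on each endpoint and compare the `digest` values: any endpoint whose digest differs has drifted from the intended allowlist. An empty `file` list and empty per-command lists is the expected clean result; anything else should be fixed before the policy is relied on.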

### Built-In User Behavior

Keeper **does not** modify the sudo permissions of the built-in user, e.g. `ubuntu` or `ec2-user`. Therefore, when a user is a member of a group that already has sudo rights, attempts to elevate with sudo will **not** be limited to the commands in `ExecutableAllowlist.json`. In other words, Keeper's service makes a best effort to apply enforcement policies when the system administrator has already granted the user elevated access.

To ensure full control over elevation rights, ensure that managed users are not members of a group that already has sudo rights (for example `sudo` on Debian and Ubuntu, `wheel` on RHEL-family distributions, or `admin` on macOS) and have no entries of their own in `/etc/sudoers` or `/etc/sudoers.d`.
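The script below is an added example, not Keeper's code, for finding the accounts described above: users who already hold sudo through group membership on a Linux host, so that Keeper enforcement will not constrain them. It parses `/etc/group` and `/etc/passwd` text, which also catches users whose primary GID is the privileged group (those do not appear in the member list of `/etc/group`). The privileged group names are assumptions for common distributions; the sample data is constructed, not captured from a real host. On macOS the `admin` group lives in Directory Services rather than `/etc/group`, so read it there (for example with `dscl . -read /Groups/admin GroupMembership`) before feeding it to this logic.

```python
"""List local users who already hold sudo rights through group membership.

Added example, not Keeper's own code. Parses /etc/group and /etc/passwd text,
so it runs against a live Linux host or against captured copies of the files.
"""
import sys

# Groups that conventionally carry unrestricted sudo (assumption; adjust per distro).
# "admin" is the macOS administrators group and is not in /etc/group there.
PRIVILEGED_GROUPS = ("sudo", "wheel", "admin")


def parse_group_file(text):
    """Map group name -> (gid, set of supplementary members) from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _passwd, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd_file(text):
    """Map user name -> primary gid from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def users_with_sudo_groups(group_text, passwd_text, privileged=PRIVILEGED_GROUPS):
    """Return {user: [groups]} for users in a privileged group.

    Membership counts both as a listed supplementary member and via the
    user's primary gid, which /etc/group's member column does not show.
    """
    groups = parse_group_file(group_text)
    primary_gid = parse_passwd_file(passwd_text)
    result = {}
    for gname in privileged:
        if gname not in groups:
            continue
        gid, members = groups[gname]
        holders = set(members) | {u for u, pgid in primary_gid.items() if pgid == gid}
        for user in holders:
            result.setdefault(user, []).append(gname)
    return {u: sorted(g) for u, g in sorted(result.items())}


# Constructed sample data (not from a real host): the cloud image's built-in
# account is a member of "sudo", and a service account has "wheel" as primary gid.
SAMPLE_GROUP = """root:x:0:
wheel:x:10:
sudo:x:27:ubuntu
users:x:100:
developers:x:1001:alice,bob
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
alice:x:1001:100::/home/alice:/bin/bash
bob:x:1002:100::/home/bob:/bin/bash
deploy:x:1003:10::/srv/deploy:/bin/sh
"""


def main():
    # Usage: python3 sudo_groups.py /etc/group /etc/passwd   (no args: sample data)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as g, open(sys.argv[2]) as p:
            group_text, passwd_text = g.read(), p.read()
    else:
        group_text, passwd_text = SAMPLE_GROUP, SAMPLE_PASSWD
    for user, groups in users_with_sudo_groups(group_text, passwd_text).items():
        print(f"{user}: already has sudo via {', '.join(groups)}; "
              "Keeper's allowlist will not limit this account")


if __name__ == "__main__":
    main()
```

Group membership is only one route to sudo; rules granted directly to a user in `/etc/sudoers` or `/etc/sudoers.d` are equally outside Keeper's control, so review those files (or `sudo -l -U <user>` from an administrative account) as well.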

### Interaction with Other Policy Types

Command-Line policies complement Privilege Elevation and Least Privilege policies by enforcing argument-level restrictions across both elevated and standard execution contexts. This ensures consistent enforcement regardless of privilege state.
