Symantec Privileged Access Management

With latest Xceedium Xsuite or CA PAM, do we still have or need the concept of distribution server and selang which are part of CA ControlMinder or CA PIM?

Hello ManicRaj,

With just CA PAM (Xsuite) there is NO fine-grain control agent installed on your endpoints, so there is no need or use for any selang rules or distribution servers to deploy those rules. Similarly to PIM (ControlMinder) you may need a separate Windows server in your environment in order to manage Windows account passwords (depending on your needs/configuration choices).

If you have both CA PAM and PIM, you can use the PIM fine-grain control agent with selang for additional control on the endpoints, but this would require PIM ENTM and DS servers if you want to distribute selang rules because CA PAM cannot distribute selang rules.

Hope this helps clarify.

-Christian

Thanks Christian for your reply here.

Between, understand there are SFA (Socket Filtering Agents) which can help to some extend for fine grained controls.

How does SELang really works? I am trying to understand the internals of it. Any pointers around this?

Thanks Again!

Hello ManicRaj,

Yes, CA PAM does offer a Socket Filter Agent (SFA), however this only allows you to control which ports can be used during the session.

Selang is the name of the language/utility part of the PIM Endpoint Agent that creates rules for control & auditing of things like logins, file access, special permissions (sudo), network usage and more. On Linux/UNIX you can also enable a keyboard logger.

If you would like more information about what selang is and how to use it, please see the selang section of the PIM reference guide here:

selang Reference Guide - CA Privileged Identity Manager - 12.9 - CA Technologies Documentation

-Christian

Thanks Again Christian.

CA PAM seem to give option around blacklist and white-list at a command level that can be executed. (like block 'kill' command in a Linux device, also supports regex) which i see to be a fine-grained access control.

Your thought....

Best Wishes!

Hello again ManicRaj,

The black/white list options in CA PAM do provide fine-grained control over what commands can be run. Both CA PAM and PIM offer similar controls, however CA PAM's control is on the user side where PIM enacts control over the server side. The one you choose to use would depend on which fits your requirements.

Here is the difference:

CA PAM acts as a tunnel between the end user's PC & the target device. When a user types any command the command is sent to the CA PAM appliance, CA PAM then checks the command against the blacklist and either sends it through to the target device or blocks it and registers a violation. This means that ONLY sessions started through CA PAM (via the built-in applet or an SSH service) will be monitored, direct connections (connections not tunneled through CA PAM) to the device will NOT be monitored.

The PIM agent is installed directly on the server. Using selang rules you can define who can access which binaries. When a user attempts to run a command the PIM agent checks its ruleset to see if this should be allowed and either allows the command to be run or blocks the command and depending on your settings creates audit logs showing the attempt. These rules can be applied at the folder level to block whole directories, at an individual file level to block binaries or access to any specific files & there are may more options. Using PIM these rules are in place for the user no matter HOW they access the server. Direct access = monitored, access via ENTM = monitored, access via CA PAM = monitored, GUI access = monitored.

CA PAM & PIM can be combined for maximum control.

-Christian

Super!...this gave lot more clarity...Much Appreciated!!