Symantec Privileged Access Management

  • 1.  How to allow password change from CA PAM only, not from Unix Server

    Posted May 15, 2018 08:34 AM

    Hi Team,


    We have CA PAM in our environment and we are just managing the password for Unix servers. Sometimes we found that someone changed the password from the server itself, and after that PAM is not able to manage the password.


    Is there any way to disable the password change feature from the server side and only enable it from PAM for Unix servers?


    Thanks,

    Praveen Kushwaha



  • 2.  Re: How to allow password change from CA PAM only, not from Unix Server
    Best Answer

    Broadcom Employee
    Posted May 15, 2018 09:11 AM

    Hello Praveen,


    If the users in your environment only use PAM sessions to connect to the Unix endpoints, then you could use the command filtering feature in PAM to prevent them from using the passwd command while connected via PAM. You can find more information about command filtering here.


    If users can access the Unix endpoints outside of PAM, then I would suggest using SELinux or CA PAM Server Control policies to restrict access to the passwd command.


    Thanks,

    Brian Rehder

    CA Support Engineer
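    Whichever restriction is chosen, it helps to detect the situation described in the question: a password changed on the endpoint after PAM last rotated it. The script below is an added example, not code from the thread or from CA/Broadcom. It reads shadow-format lines (field 3 is the day of the last password change, counted from 1970-01-01) and compares them against an assumed `user:day` record of when PAM last rotated each account; the shadow lines and the record are constructed sample data with fake hashes.

    ```shell
    #!/bin/sh
    # Flag accounts whose endpoint password is newer than PAM's last rotation.
    # Added example (not CA/Broadcom code). The PAM rotation record format
    # "user:day_since_epoch" is an assumption for this illustration.

    # Constructed /etc/shadow-style lines (fake hashes, not real accounts).
    SAMPLE_SHADOW='root:$6$fakehash1:17666:0:99999:7:::
    oracle:$6$fakehash2:17670:0:99999:7:::
    app:$6$fakehash3:17660:0:99999:7:::'

    # Constructed record of PAM-managed accounts and the day PAM last set each password.
    PAM_RECORD='root:17666
    oracle:17665
    app:17660'

    # shadow_lastchg USER SHADOW_TEXT -> prints field 3 (day of last change) for USER
    shadow_lastchg() {
        printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3 }'
    }

    # find_out_of_band_changes SHADOW_TEXT PAM_RECORD
    # Prints "user shadow_day pam_day" for every account whose password was
    # changed on the endpoint after the day PAM recorded; prints nothing if clean.
    find_out_of_band_changes() {
        shadow="$1"; record="$2"
        printf '%s\n' "$record" | while IFS=: read -r user pam_day; do
            [ -n "$user" ] || continue
            shadow_day=$(shadow_lastchg "$user" "$shadow")
            [ -n "$shadow_day" ] || continue          # account absent from shadow
            if [ "$shadow_day" -gt "$pam_day" ]; then
                printf '%s %s %s\n' "$user" "$shadow_day" "$pam_day"
            fi
        done
    }

    # Run against the constructed data. On a real endpoint, run as root and pass
    # "$(cat /etc/shadow)" together with the record exported from PAM.
    find_out_of_band_changes "$SAMPLE_SHADOW" "$PAM_RECORD"
    ```

    In the sample data only `oracle` is reported, because its shadow day (17670) is later than the day PAM last rotated it (17665).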



  • 3.  Re: How to allow password change from CA PAM only, not from Unix Server

    Posted May 16, 2018 01:33 AM

    Thanks Brian for this information.


    As we are not using sessions from PAM, could you please help here to use the SELinux option to disable the password change from the server side.


    Thanks,

    Praveen Kushwaha



  • 4.  Re: How to allow password change from CA PAM only, not from Unix Server

    Broadcom Employee
    Posted May 16, 2018 09:12 AM

    Hello Praveen,


    You would have to work with your sys admins and/or RedHat to create the SELinux policy so it can adhere to your company's security standards. CA cannot provide such assistance.


    Thanks,

    Brian Rehder

    CA Support