We have CA PAM in our environment where we have the linux servers integrated with PAM for password management. we want to check how to restrict the user from changing the password manually in the linux servers once he extracted the password from PAM.
If the users in your environment only use PAM sessions to connect to the Unix endpoints, then you could use the command filtering feature in PAM to prevent them from using the passwd command while connected via PAM. You can find more information about command filtering here.
If users can access the Unix endpoints outside of PAM, then I would suggest using SELinux or CA PAM Server Control policies to restrict access to the passwd command.
CA Support Engineer
Thanks Brian for the prompt response.
Can you also help me with steps of how to restrict user to only use PAM sessions to connect to the Unix endpoints.
I believe you must restrict user access to a server at the server level... It would be a Unix configuration (possibly SSH config) to only accept connections from the PAM appliances.
CA PAM does not have the capability to restrict access to a target endpoint from another server, you would need to use either local server configuration or a network firewall rule to accomplish this.
The PAM socket filter agent (SFA) can prevent leapfrogging, i.e. block users from using a PAM access session to one device to connect to another device.