Symantec Privileged Access Management

  • Private Community

  • 1.  Regex option in PAM to blcok any commands in /apps folder

    Posted May 06, 2018 05:29 AM

    Hi,

     

    I have the below requirement in LInux server integration to PAM. Kindly help.

     

    I have privileged accounts [pam_appadmin and pam_appvendor]. The requirement is:

     

    pam_appadmin should have full access to /apps directory.

    But pam_appvendor should not have access to /apps directory - using any command, PAM should block.

     

    Is this doable via command filtering / reg ex?

     

    I know this can be done in Local linux OS level - access rights. But I wanted to check what is the use of regex, and can we use the regex for this requirement.

     

    Thanks

    DK



  • 2.  Re: Regex option in PAM to blcok any commands in /apps folder
    Best Answer

    Broadcom Employee
    Posted May 07, 2018 06:44 AM

    Hi Dinakaran,

    I am not sure I fully understand the question: do you mean you want to define a linux/unix command blacklist for a given user so that he cannot do something like ls /apps ? And you are asking if it is possible to make sure no command is issued against that directory when you are accessing the endpoint by using a regular expression ? If this is the case I am afraid you cannot define a blacklist for all commands in  the system, like *. Even if worked it would affect all and not just /app1. My advice for this type of fine-grained control would be to use CA PAM Server Control



  • 3.  Re: Regex option in PAM to blcok any commands in /apps folder

    Broadcom Employee
    Posted May 09, 2018 05:56 AM

    Hi Dinakaran, 

    I'm agree with Miquel's comment.

    PAM won't restrict the access to the directories. The regular expression filtering commands will prevent users to execute certain commands but this won't restrict the access. 
    Imagine you set to deny a user to execute the command "cd /apps" . This user can access to the directory via sftp, for eg.

    What you can do is to restrict the access and use the reg exp to monitor or be notified when a user tried to access to that directory.

     

    Regards.



  • 4.  Re: Regex option in PAM to blcok any commands in /apps folder

    Posted May 11, 2018 12:53 PM

    My colleagues do not have it quite right.  While it is not possible to just restrict access to the folder, you could specify the folder in the command filter.  For example, I created a command called hello.bat in the tmp folder on a unix system.  I then created a command filter to block and alert based upon this regular expression, "/tmp/.*", excluding the quotes.  I assigned this command filter to the policy for the target device.  When I executed /tmp/hello.bat I got a violation.  This would not have prevented me from doing a cd /tmp and the executing hello.bat.  You would also need to block cd /tmp, so the user would not be able to cd to the folder and execute the command in the folder, with either hello.bat or ./hello.bat.