Symantec Privileged Access Management

  • 1.  Ca ControlMinder 12.8 Unix Endpoint File protection

    Posted Sep 06, 2016 09:11 AM

    I have installed Unix Agent on RHEL 6 server.

    In selang, I placed the below script which provides file access to a specific user. 

    The file was created using 'root' user. 

    While accessing the file as the 'praveen' user, I am able only to read the file, not write to it.

    Can anyone help with this?

     

    nr FILE ('/etc/Test.txt') audit(SUCCESS FAILURE) comment('securing critical files') defaccess(READ) owner('root')
    authorize FILE ('/etc/Test.txt') access(READ WRITE DELETE RENAME CREATE EXECUTE CHOWN CHMOD UTIME SEC CHDIR) uid('praveen') 



  • 2.  Re: Ca ControlMinder 12.8 Unix Endpoint File protection

    Broadcom Employee
    Posted Sep 06, 2016 08:19 PM

    Hi Praveen,

     

    The PIM agent does not override the unix file permissions.

     

    Do the unix permissions permit praveen to have write access to the file?

     

    What are the unix file permissions - what is the output of ls -l /etc/Test.txt?

     

    Cheers, Simon.



  • 3.  Re: Ca ControlMinder 12.8 Unix Endpoint File protection

    Posted Sep 07, 2016 09:06 AM

    Hi Simon,

     

    Thanks for the reply.

     

    As of now I have provided chmod 777 to the Test.txt file using root user.

     

    [ec2-user@Linux5_SukoorS ~]$ ls -ltr /etc/Test.txt
    -rwxrwxrwx. 1 root root 46 Sep 7 06:57 /etc/Test.txt

     

    If I provide only Read permission to the file in the ControlMinder policy script, will it not restrict the user from modifying the file?

    AUTHORIZE FILE ('/etc/Test.txt') uid('praveen') ACCESS(READ)

     

     

    Thanks 

    Praveen



  • 4.  Re: Ca ControlMinder 12.8 Unix Endpoint File protection
    Best Answer

    Broadcom Employee
    Posted Sep 07, 2016 08:28 PM

    Hi Praveen,

     

    nr FILE ('/etc/Test.txt') audit(SUCCESS FAILURE) comment('securing critical files') defaccess(READ) owner('root')

     

    Will give praveen read only access via defaccess(READ), so the following is redundant.

     

    AUTHORIZE FILE ('/etc/Test.txt') uid('praveen') ACCESS(READ)

     

    I should have been a bit clearer with my previous point "The PIM agent does not override the unix file permissions." If a user does not have unix permissions for an operation on a file, PIM cannot give those permissions. Essentially, unix permissions are still in effect when PIM is running, but PIM can provide more granular permissions on top of them.

     

    I hope this makes sense?

     

    You should also be careful about giving 777 unix permissions, because this makes the file world-writable if PIM is not running for some reason.
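The two-layer check Simon describes (unix DAC first, then the PIM FILE rule narrowing it) can be modelled with a few lines of code. The script below is an added illustration written for this thread, not ControlMinder's own evaluation logic or any part of the product. It assumes a deliberately simplified model: effective access is the intersection of what the mode bits grant and what the FILE rule grants (an explicit `authorize ... uid(...)` entry, otherwise `defaccess`), only READ/WRITE/EXECUTE are compared against the mode bits (DELETE, CHOWN and the other selang access types depend on directory permissions and root privilege and are left out), and the parser handles only the two selang forms quoted in the posts. The sample rules are the ones from the thread; the user/group/mode values are constructed.

```python
"""Simplified model of a PIM/ControlMinder FILE rule layered on Unix DAC.

Assumptions (illustration only, not the product's own logic):
  - effective access = unix_allows(...) & pim_allows(...)
  - an explicit 'authorize ... uid(u)' entry overrides 'defaccess' for u
  - only READ, WRITE, EXECUTE are modelled against the mode bits
"""
import re

RULE_RE = re.compile(r"^(nr|authorize)\s+FILE\s*\(\s*'([^']+)'\s*\)\s*(.*)$", re.I)
PROP_RE = re.compile(r"(\w+)\s*\(([^)]*)\)")


def parse_selang(lines):
    """Parse 'nr FILE (...)' and 'authorize FILE (...)' lines into {path: rule}."""
    rules = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported selang line: {line}")
        verb, path, rest = m.group(1).lower(), m.group(2), m.group(3)
        props = {k.lower(): v.strip() for k, v in PROP_RE.findall(rest)}
        rule = rules.setdefault(path, {"defaccess": set(), "authorize": {}})
        if verb == "nr":
            rule["defaccess"] = {a.upper() for a in props.get("defaccess", "").split()}
            rule["owner"] = props.get("owner", "").strip("'")
        else:
            uid = props["uid"].strip("'")
            rule["authorize"][uid] = {a.upper() for a in props.get("access", "").split()}
    return rules


def unix_allows(user, groups, mode, owner, group):
    """Access types the classic owner/group/other mode bits grant this user."""
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    allowed = set()
    if bits & 4:
        allowed.add("READ")
    if bits & 2:
        allowed.add("WRITE")
    if bits & 1:
        allowed.add("EXECUTE")
    return allowed


def pim_allows(rule, user):
    """Access the FILE rule grants: explicit authorize entry, else defaccess.
    Returns None when the file has no rule, i.e. PIM does not restrict it."""
    if rule is None:
        return None
    return rule["authorize"].get(user, rule["defaccess"])


def effective_access(path, user, groups, mode, owner, group, rules, pim_running=True):
    """Unix permissions always apply; a running PIM agent can only narrow them."""
    unix = unix_allows(user, groups, mode, owner, group)
    if not pim_running:
        return unix                      # the 777 caveat: nothing narrows DAC
    pim = pim_allows(rules.get(path), user)
    if pim is None:
        return unix
    return pim & unix                    # PIM cannot grant what DAC denies


def is_redundant_authorize(rules, path, uid):
    """True when the authorize entry grants exactly what defaccess already does."""
    rule = rules[path]
    return uid in rule["authorize"] and rule["authorize"][uid] == rule["defaccess"]


# Rules quoted in the original post (post 1).
THREAD_RULES = parse_selang([
    "nr FILE ('/etc/Test.txt') audit(SUCCESS FAILURE) comment('securing critical files') defaccess(READ) owner('root')",
    "authorize FILE ('/etc/Test.txt') access(READ WRITE DELETE RENAME CREATE EXECUTE CHOWN CHMOD UTIME SEC CHDIR) uid('praveen')",
])
# Rules as revised in post 3 / post 4.
REVISED_RULES = parse_selang([
    "nr FILE ('/etc/Test.txt') audit(SUCCESS FAILURE) defaccess(READ) owner('root')",
    "AUTHORIZE FILE ('/etc/Test.txt') uid('praveen') ACCESS(READ)",
])

if __name__ == "__main__":
    # Constructed scenario: praveen is not root and not in group root.
    user, groups, owner, group, path = "praveen", {"praveen"}, "root", "root", "/etc/Test.txt"
    print("644 + broad authorize :", sorted(effective_access(path, user, groups, 0o644, owner, group, THREAD_RULES)))
    print("777 + broad authorize :", sorted(effective_access(path, user, groups, 0o777, owner, group, THREAD_RULES)))
    print("777 + defaccess(READ) :", sorted(effective_access(path, user, groups, 0o777, owner, group, REVISED_RULES)))
    print("777, PIM not running  :", sorted(effective_access(path, user, groups, 0o777, owner, group, REVISED_RULES, pim_running=False)))
    print("authorize READ redundant:", is_redundant_authorize(REVISED_RULES, path, user))
```

The four scenarios reproduce the thread: with the file at its original mode (read-only for others) the broad `authorize` line still yields READ only, because PIM cannot widen DAC; after `chmod 777` the same rule does yield write access; the revised `defaccess(READ)` rule narrows a 777 file back to READ while the agent runs, and gives nothing back to DAC when it is not running, which is the reason to keep a tight unix mode rather than rely on PIM alone.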