Command Restriction for SSH

Some Unix commands are extremely powerful in their effect. Misusing such commands may hamper development, maintenance, and production or create a security threat to confidential information. At the same time, it is difficult to check for illicit use of such commands in an IT environment where hundreds of commands are used daily. Sectona PAM addresses this problem with its Server Access Policy, in which you can restrict or allow the usage of certain commands for specific User Groups. You can choose these commands from the existing library or add them to the Command Repository.

This chapter will consist of the following:

Before you begin

  • The User Group you wish to allow/deny access to already exists.

Supported Access Types for Unix to enable

  • SSH
  • Telnet

Creating a server access policy

  • Navigate to Policies on the top navigation bar. 
  • Select Server Access Policy from the sidebar. 
  • Click on the Unix section. 
  • Click on +Add Server Access Policy.
  • Fill in the essentials (Policy details, User Groups, and Parameters) in the form that appears.
  • Policy Details: You need to enter the policy details you require. Click on Next.
    • Policy Name: Provide the name of the policy you want to create.
    • Description: Enter a short description of the policy.
    • Policy Type: Select whether you want to allow or deny permissions.
    • Expiry: Set the expiry date of the policy.
  • User Groups: In the Enforced to User Group(s), specify the User groups on which you want to apply the server policies. In the Exception User(s), mention the Users who will be exempted from the server access policy. Click on Next  
  • Parameters: Here, you can select the commands you want to allow or restrict in your policy. The Confirm option prompts the user who entered the command to confirm whether they want to execute it. The Elevate option allows the user to elevate access to the privileged level. Click on Next.

The Allow permission only allows the selected commands and restricts the rest. The Deny permission denies all the selected commands and enables the rest of the commands. The Confirm and Elevate options will appear only if the Policy Type is set as 'Allow' in the Policy details. You can select both the Confirm and Elevate options, one of them or none of them, for a command. This policy works on SSH as well as SSHD sessions.

  • Summary: This is the summary of the configuration made. Click on Finish
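
The Allow and Deny semantics described above, together with Enforced User Groups and Exception Users, modelled as a small evaluator. This is an added example, not Sectona's code: the class, function and sample names are hypothetical, and matching a command by its first word is an assumption made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ServerAccessPolicy:
    name: str
    policy_type: str                      # "allow" or "deny"
    user_groups: set                      # Enforced to User Group(s)
    exception_users: set = field(default_factory=set)
    commands: dict = field(default_factory=dict)  # command -> set of options

    def add_command(self, command, confirm=False, elevate=False):
        # Confirm and Elevate are only offered when Policy Type is Allow.
        if self.policy_type != "allow" and (confirm or elevate):
            raise ValueError("Confirm/Elevate require an Allow policy")
        options = {o for o, on in (("confirm", confirm), ("elevate", elevate)) if on}
        self.commands[command] = options

def evaluate(policy, user, group, command_line):
    """Return (decision, options) for one command typed in a session."""
    # Policy applies only to enforced groups, minus exception users.
    if group not in policy.user_groups or user in policy.exception_users:
        return ("not_applicable", set())
    # Assumption: a command is matched on its first word; empty input matches nothing.
    first = (command_line.split() or [""])[0]
    listed = first in policy.commands
    if policy.policy_type == "allow":
        # Allow: only the selected commands run; everything else is restricted.
        if not listed:
            return ("blocked", set())
        return ("permitted", set(policy.commands[first]))
    # Deny: the selected commands are blocked; everything else runs.
    return ("blocked", set()) if listed else ("permitted", set())

# Constructed sample policies (names, groups and commands are illustrative).
ALLOW = ServerAccessPolicy("ops-allow", "allow", {"unix-ops"}, {"alice"})
ALLOW.add_command("ls")
ALLOW.add_command("systemctl", confirm=True, elevate=True)
DENY = ServerAccessPolicy("dev-deny", "deny", {"developers"})
DENY.add_command("rm")

if __name__ == "__main__":
    for pol, user, grp, cmd in [
        (ALLOW, "bob", "unix-ops", "ls -l /var/log"),
        (ALLOW, "bob", "unix-ops", "systemctl restart nginx"),
        (ALLOW, "bob", "unix-ops", "rm old.log"),
        (ALLOW, "alice", "unix-ops", "rm old.log"),
        (DENY, "carol", "developers", "rm notes.txt"),
        (DENY, "carol", "developers", "cat notes.txt"),
    ]:
        print(pol.name, user, cmd, "->", evaluate(pol, user, grp, cmd))
```
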


Defining privileged commands

A command repository is an inbuilt store that holds all commands, restricted or otherwise. By default, there exists a list of general commands in the Command Repository. To add a new command to the repository, follow the steps below:

  • Navigate to Policies in the navigation bar.
  • Select the Server Access Policy from the sidebar.
  • Click on the Unix section.
  • Click on Command Repository. 
  • Click on +Add Asset Command Unix.
  • A page will appear. Fill in the essentials for your new command to be created.
    • Risk category:  According to the nature of the command, choose an appropriate risk category from the ones explained below:
      • Unusual user activity: If the user performs some unusual activity in the system.
      • User activity: If a particular user activity is bringing about a risk.
      • Unusual account activity: If the activities of an account in the system are unusual.
      • Data theft and exfiltration: Accessing unauthorized data and retrieving it from a system or server.
      • Privilege account abuse: When a privileged user ignores the policies, or some malicious activity occurs due to unauthorized access. 
      • Accountability risk: Someone is responsible for stealing the data from the system or server.
      • Identity theft: Someone pretends to be someone else to get access.
      • General: Some misbehavior of the activities due to the user performing them wrongly.
      • Leapfrogging: Using system vulnerabilities to leap across barriers for unauthorized access.
    • Command: Specify the command
    • Command description: Describe the command.
    • Asset command type: Select the command type that applies:
      • Administrative
      • Backup
      • Configuration
      • Remote access
  • Click on Save.

Editing a policy

  • Navigate to "Policies" in the navigation bar. 
  • Select the "Server Access Policy" from the sidebar. 
  • Click on the Unix tab. 
  • A list of existing Server Access Policies for Unix will be displayed on the screen.
  • Click on the policy name and make necessary changes in the form.
  • Click on the Update button, and your policy design will be updated.

Editing a command from the library

  • Navigate to the "Policies" option in the navigation bar. 
  • Select the "Server Access Policy" from the sidebar. 
  • Click on the Unix tab.
  • Click on the "+Command Repository" button, and a list of existing commands will be displayed.
  • Click on the command you want to modify. Make necessary changes.
  • Click on the update button, and your Unix command is updated.

Deleting a policy

  • Navigate to the "Policies" option in the navigation bar. 
  • Select the "Server Access Policy" from the sidebar. 
  • Now, you will find two options to hover on: Unix and Windows. Click on the Unix section. 
  • As the new page opens, you will find the list of existing server access policies.
  • Click the delete icon in the last column, and the form design will be deleted.

Deleting a command from library

  • Navigate to the "Policies" option in the navigation bar.
  • Select the "Server Access Policy" from the sidebar. 
  • Now, you will find two options to hover on: Unix and Windows. Click on the Unix section.
  • Click on the "+Command Repository" button, and the list of existing commands created will be in front of you.
  • Click on any of the commands which you want to delete.
  • Click the delete button, and your Unix command will be removed from the list.

If a policy is changed while a session is in progress, the session must be restarted for the changes to take effect.