Command Restriction for SSH
Some Unix commands are extremely powerful in the scope of what they can affect. Misuse of such a command can disrupt development, maintenance or production, or expose confidential information. At the same time, illicit use is hard to spot in an IT environment where hundreds of commands are run every day. Sectona PAM addresses this with its Server Access Policy, which lets you restrict or allow the use of specific commands for specific User Groups. The commands can be chosen from the existing library or added to the Command Repository.
This chapter consists of the following:
- Before you begin
- Creating a server access policy
- Defining privileged commands
- Editing a policy
- Editing a command from library
- Deleting a policy
- Deleting a command from library
Before you begin
- The User Group you wish to allow or deny access to already exists.
Supported access types for Unix
- SSH
- Telnet
Creating a server access policy
- Login to the system and select PAM from the product navigator.
- Navigate to Policies on the top navigation bar.
- Select Server Access Policy from the sidebar.
- Click on the Unix tab.
- Click on Add Policy.
- Fill in the essentials (Policy Details, User Groups and Parameters) in the form that appears.
- Policy Details: Enter the details of the policy you require, then click Next.
- Policy Name: Provide the name of the policy you want to create.
- Description: Enter a short description of the policy.
- Type: Allow lets you choose the commands that will be permitted on the server; Deny blocks the user from running the selected commands.
- Expiry: Set the expiry date of the policy.
- User Groups: In Enforced to User Group(s), specify the User Groups the policy applies to. In Exception User(s), list the Users who are exempted from the policy. Click Next.
- Parameters: Select the commands you want to allow or restrict in this policy. The Confirm option prompts the user, at the moment the command is entered, to confirm that they want to execute it. The Elevate option lets the command run with privileged access. Click Next.
Allow permits only the selected commands and restricts every other command. Deny blocks the selected commands and permits every other command; because Deny permits anything not on the list, Allow is the more restrictive choice for sensitive servers. The Confirm and Elevate options appear only when the Policy Type is set to Allow in Policy Details; for each command you may select both, one or neither. This policy works on SSH as well as SSHD sessions.
- Summary: This is a summary of the configuration made. Click Finish.
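The following Python model is an added illustration of the Allow and Deny semantics described above; it is not Sectona's code. The evaluation order (expiry, exception users, enforced groups, then the command), the field names, the "basename of the first word of the command line" matching rule and the sample policies and commands are all assumptions constructed for the example; the product's actual matching behaviour must be verified in the product itself.

```python
"""Toy model of Allow/Deny server access policy evaluation (added example, not Sectona's code)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CommandRule:
    command: str
    confirm: bool = False  # prompt before execution (Allow policies only)
    elevate: bool = False  # run with privileged access (Allow policies only)


@dataclass(frozen=True)
class Decision:
    verdict: str  # "ALLOW", "DENY" or "NOT_APPLICABLE"
    confirm: bool = False
    elevate: bool = False
    reason: str = ""


@dataclass
class ServerAccessPolicy:
    name: str
    policy_type: str  # "Allow" or "Deny", as in Policy Details > Type
    rules: dict[str, CommandRule]
    enforced_groups: frozenset[str]
    exception_users: frozenset[str] = frozenset()
    expiry: date | None = None

    def __post_init__(self) -> None:
        if self.policy_type not in ("Allow", "Deny"):
            raise ValueError(f"unknown policy type {self.policy_type!r}")
        # Confirm/Elevate are only offered when Type is Allow.
        if self.policy_type == "Deny" and any(r.confirm or r.elevate for r in self.rules.values()):
            raise ValueError("Confirm/Elevate are only valid on Allow policies")


def evaluate(policy: ServerAccessPolicy, user: str, groups: set[str],
             command_line: str, today: date) -> Decision:
    # Applicability first: an expired policy, an exception user or a user outside
    # the enforced groups is not governed by this policy at all.
    if policy.expiry is not None and today > policy.expiry:
        return Decision("NOT_APPLICABLE", reason="policy expired")
    if user in policy.exception_users:
        return Decision("NOT_APPLICABLE", reason="user is an exception")
    if not policy.enforced_groups.intersection(groups):
        return Decision("NOT_APPLICABLE", reason="user not in an enforced group")
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return Decision("DENY", reason="command line could not be parsed")
    if not argv:
        return Decision("ALLOW", reason="empty command line")
    # Assumption: match on the executable's basename, so "/bin/rm" and "rm" hit the same rule.
    cmd = argv[0].rsplit("/", 1)[-1]
    rule = policy.rules.get(cmd)
    if policy.policy_type == "Allow":
        # Allow: only listed commands run; everything else is restricted.
        if rule is None:
            return Decision("DENY", reason=f"{cmd!r} is not in the allow list")
        return Decision("ALLOW", rule.confirm, rule.elevate, f"{cmd!r} is in the allow list")
    # Deny: listed commands are blocked; everything else runs.
    if rule is not None:
        return Decision("DENY", reason=f"{cmd!r} is in the deny list")
    return Decision("ALLOW", reason=f"{cmd!r} is not in the deny list")


def demo() -> dict[str, Decision]:
    """Evaluate constructed sample commands against one Allow and one Deny policy."""
    today = date(2024, 6, 1)  # constructed date
    allow_policy = ServerAccessPolicy(
        name="dba-readonly", policy_type="Allow",
        rules={"ls": CommandRule("ls"), "tail": CommandRule("tail"),
               "systemctl": CommandRule("systemctl", confirm=True, elevate=True)},
        enforced_groups=frozenset({"dba"}), exception_users=frozenset({"oncall-lead"}),
        expiry=date(2024, 12, 31))
    deny_policy = ServerAccessPolicy(
        name="no-destructive", policy_type="Deny",
        rules={"rm": CommandRule("rm"), "dd": CommandRule("dd"), "mkfs": CommandRule("mkfs")},
        enforced_groups=frozenset({"developers"}))
    return {
        "allow_listed": evaluate(allow_policy, "alice", {"dba"}, "tail -f /var/log/syslog", today),
        "allow_unlisted": evaluate(allow_policy, "alice", {"dba"}, "rm -rf /var/lib/mysql", today),
        "allow_confirm_elevate": evaluate(allow_policy, "alice", {"dba"}, "systemctl restart mysql", today),
        "allow_exception_user": evaluate(allow_policy, "oncall-lead", {"dba"}, "rm -rf /tmp/x", today),
        "allow_expired": evaluate(allow_policy, "alice", {"dba"}, "rm -rf /tmp/x", date(2025, 1, 1)),
        "deny_listed": evaluate(deny_policy, "bob", {"developers"}, "/bin/rm -rf /", today),
        "deny_unlisted": evaluate(deny_policy, "bob", {"developers"}, "cat /etc/shadow", today),
        "deny_other_group": evaluate(deny_policy, "carol", {"qa"}, "rm -rf /", today),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:22} {d.verdict:15} confirm={d.confirm} elevate={d.elevate}  ({d.reason})")
```

The contrast between "allow_unlisted" and "deny_unlisted" is the point of the Type setting: under Allow an unlisted destructive command is blocked, while under Deny an unlisted command such as reading /etc/shadow goes through. Note also that the exception user and the expired policy fall outside the policy entirely, so whatever they type is governed only by other controls.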
Defining privileged commands
Command repository is an inbuilt store that holds all commands, restricted or otherwise. By default, there exists a list of general commands in the Command Repository. To add a new command into the repository follow the steps below:
- Login to the system and select PAM from the product navigator.
- Navigate to Policies in the navigation bar.
- Select the Server Access Policy from the sidebar.
- Click on the Unix tab.
- Click on Command Repository.
- Click on +Add Command Unix.
- A page will appear. Fill in the essentials for your new command to be created.
- Risk category: According to the nature of the command, choose an appropriate risk category from the ones explained below.
- Unusual user activity: The user is performing an activity that is unusual for them.
- User activity: A specific user activity brings about a risk.
- Unusual account activity: The activities of an account in the system are unusual.
- Data theft and ex-filtration: Accessing unauthorized data and retrieving it from a system or server.
- Privilege account abuse: A privileged user ignores the policies, or malicious activity occurs through unauthorized access.
- Accountability risk: An individual can be held responsible for stealing data from the system or server.
- Identity theft: Someone pretends to be someone else in order to gain access.
- General: Misuse arising from a user performing an activity incorrectly.
- Leapfrogging: Using system vulnerabilities to leap across barriers for unauthorized access.
- Command: Specify the command.
- Command description: Provide a short description of the command.
- Asset command type: Select the type that best fits the command:
- Administrative
- Backup
- Configuration
- Remote access
- Click on Save.
Editing a policy
- Login to the system and select PAM from the product navigator.
- Navigate to "Policies" in the navigation bar.
- Select the "Server Access Policy" from the sidebar.
- Click on the Unix tab.
- A list of existing Server Access Policies for Unix will be displayed on the screen.
- Click the edit button next to the policy and make the necessary changes in the form that appears.
- Click the "Finish" button and the policy will be updated.
Editing a command from library
- Login to the system and select PAM from the product navigator.
- Navigate to the "Policies" option in the navigation bar.
- Select the "Server Access Policy" from the sidebar.
- Click on the Unix tab.
- Click on the "Command Repository" button and a list of existing commands will be displayed.
- Click the edit button of the command you want to modify and make the necessary changes.
- Click the update button and the Unix command will be updated.
Deleting a policy
- Login to the system and select PAM from the product navigator.
- Navigate to the "Policies" option in the navigation bar.
- Select the "Server Access Policy" from the sidebar.
- You will find three tabs: Unix, Windows and Database. Click the Unix tab.
- The list of existing server access policies for Unix will be displayed.
- Click the delete icon in the last column and the policy will be deleted.
Deleting a command from library
- Login to the system and select PAM from the product navigator.
- Navigate to the "Policies" option in the navigation bar.
- Select the "Server Access Policy" from the sidebar.
- Now you will find three options: Unix, Windows and Database.
- Click the "Command Repository" button and the list of existing commands will be displayed.
- Click the edit button of the command you want to delete.
- Click the delete button and the Unix command will be removed from the list.
Changes made to a policy while a session is already active do not take effect in that session; the session must be restarted for the changes to apply.