Self-Service Privilege Elevation in PAM360
Self-Service Privilege Elevation allows end-users to perform highly privileged operations in remote sessions without relying on administrators for their approvals. The highly privileged operations include; installing applications, executing specific operations, executing commands, etc., that need administrator or root privileges, depending on the type of Operating System. The process involves configuring the selected accounts/resource with the allowed apps/scripts/commands shared with the end-users for their accessibility. Users with the administrator role control the overall configuration of Self-Service Privilege Elevation with predefined rules and policies.
Let us consider a case where an administrator has to allow a non-privileged user to install third-party applications or execute commands to access a particular directory for a specific period. It will be painful for the administrator when this has to be repeatedly done for multiple users. Here comes this elevation feature into play - it allows configuring users' operations with a privileged account, which lets users self-elevate privileges for a stipulated time until they complete their intended operations.
Note:
The Self-Service Privilege Elevation feature together with access control workflow and SSH command control (Linux) will ensure a higher level of security by allowing the privilege elevation with time-framed and command-based restrictions.
At the end of this document, you will have learned the following in detail:
- Self-Service Privilege Elevation for Windows and Windows Domain
- Self-Service Privilege Elevation for Linux
1. Self-Service Privilege Elevation for Windows and Windows Domain
(This feature is applicable from build 5304 and later for C# Agent only)
PAM360 allows administrators to configure Self-Service Privilege Elevation to the target machines. This allows users to run certain types of files/applications (.cmd, .exe, .msc, .msi, and .bat) with elevated account privileges without sharing the password of the higher privilege account.
1.1 Setting up Self-Service Privilege Elevation
First, install C# agent with Self-Service Privilege Elevation in the target machine and follow the below steps:
- Log in to PAM360 and navigate to Admin >> Manage >>Allowed Apps/Scripts. Here, all the applications that are allowed for Privilege Elevation are listed.
- Click Add to add a new application/file to the list.
- In the Application/File List pop-up, enter the Application Name and Application File Name along with the extension (.cmd, .exe, .msc, .msi, and .bat).
- Mention the SHA256SUM Value of the application to be added. Click here to know how to get the hash value of a file/application or use this application.
- Click Save. You have successfully added the application to the Application/File List.
- Now, navigate to Resources >> All My Passwords >> Resources to view the list of all the resources added in PAM360.
- Click the Resource action icon against one of the owned resources and click Configure Self-Service Privilege Elevation.
Note: The DNS name of the resource should not be empty.
- In the pop-up that appears,
- Select the Account Type.
- If you choose the Account Type as Domain Account, select the Domain Name and Account Name. This will allow the user to run the files/applications using the selected Domain Account with elevated account privileges.
- If you choose the Account Type as Local Account, select the Account Name.
- Here, selected account will be used for Self-Service Elevation in the Agent installed resources.
- When access control is enabled for an account in the resource where Self-Service Privilege Elevation is configured, Self-Service Privilege Elevation will take precedence over password access control.
- Mention the name of the files/applications that the user is allowed to access with elevated account privileges under Allowed Apps/Files.
(Example: cmd.exe, services.msc, etc)
Note: .exe, .msc, .msi, .cmd and .bat are the file types that are currently available for users to access with elevated account privileges.
- Click Configure. Now, you have successfully configured Self-Service Privilege Elevation.
- Click Clear to reset the configurations of Self-Service Privilege Elevation.
- To delete an application from the Application/File List, navigate to Admin >> Manage >> Manage Applications. Select the desired application(s) and click Delete.
- Navigate to Reports >> Query Reports >> Resources and search "Resources with self-service privilege elevation configuration" under Report Name to find all the resources configured with self-service privilege elevation.
- Navigate to Reports >> Custom Reports to find two new custom reports namely:
- Authorized App Privilege Elevated
- Unauthorized App Elevation Triggered
Notes:
1.2 Using Self-Service Privilege Elevation
- Login as any user in a resource where you have configured Self-Service Privilege Elevation.
- Right-click on the file/application (.exe, .msc, .msi, .cmd and .bat) which is configured by administrator to open as a privilege user and select Run as PAM360 Privileged Account.
- In the pop-up that appears, mention the Reason for elevation(mandatory) and click Elevate.
Now, PAM360 will allow users to run the application/file in the elevated privilege chosen by the administrator.
2. Self-Service Privilege Elevation for Linux
(Applicable from build 5950 and later for Linux Agent only)
Self-Service Privilege Elevation in Linux environments allows users to execute privileged commands with an elevated account privilege without sharing the passwords of highly privileged user accounts.
Refer to the following links to know more about configuring the Self-Service Privilege Elevation in Linux-based environments:
2.2 Managing Commands and Command Groups
2.3 Configuring Self-Service Privilege Elevation
2.4 Using Self-Service Privilege Elevation in Linux
2.5 Audits and Reports of Self-Service Privilege Elevation
2.6 Self-Service Privilege Elevation Precedence in Real-Time
2.1 Installing Linux Agent
Refer to this section to install the Linux agent in the desired target Linux resource for which the Self-Service Privilege Elevation is to be configured.
2.2 Managing Commands and Command Groups
After completing the agent installation, log in to your PAM360 interface and create a command group with the set of required privileged commands for which the Self-Service Privilege Elevation is to be applied in the desired target accounts or resources.
Refer to this section to learn more about creating the commands and the command groups in PAM360.
2.3 Configuring Self-Service Privilege Elevation
Once you have done with the agent installation and the command group management, you can start configuring the Self-Service Privilege Elevation for the desired accounts or resources for elevated privileges without sharing access to the privileged accounts.
Do the steps that follow to configure an account or a resource with Self-Service Privilege Elevation:
i. Configuration at Account Level
- Navigate to 'Resources >> All My Passwords >> Resources' and click on the desired resource to view the list of all the available accounts in the resource.
[or]
Navigate to 'Resources >> All My Passwords >> Passwords'. - Click the Account Actions drop-down against one of the owned/shared accounts and click Configure Self-Service Privilege Elevation.
- In the window that opens:
- Provide the privileged account detail in the 'Run As' field.
Note:
The account added here will be used for the Self-Service Privilege Elevation to execute the privileged commands in the devices installed with the Linux agent. - Select the sets of required command groups with the privileged commands.
Note:
Click on the link Available Command Groups. From the pop-up that opens, you will know in detail about the commands available in the respective command groups. - Click Configure to complete the configuration of the Self-Service Privilege Elevation.
- Click Clear to revoke the Self-Service Privilege Elevation from the account.
- Provide the privileged account detail in the 'Run As' field.
ii. Configuration at Resource Level
- Navigate to 'Resources >> All My Passwords >> Resources'.
- Click the Resource Actions drop-down against one of the owned/shared accounts and click Configure Self-Service Privilege Elevation.
- In the window that opens:
- Provide the privileged account detail in the 'Run As' field.
Note:
The account added here will be used for Self-Service Privilege Elevation to execute the privileged commands in the devices installed with the Linux agent. - Select the sets of required command groups with the privileged commands.
- Click Configure to complete the configuration of the Self-Service Privilege Elevation.
- Click Clear to revoke the Self-Service Privilege Elevation from the resource.
- Provide the privileged account detail in the 'Run As' field.
2.4 Using Self-Service Privilege Elevation in Linux
Now, users can execute privileged commands in the remote sessions of accounts configured with Self-Service Privilege Elevation. Do the steps that follow to execute the privilege commands mapped with a privileged user account for Self-Service Privilege Elevation.
Note:
In certain scenarios, privilege elevation might not be accessible when a user account is added to a resource after agent installation. During such situations, execute the following command first, followed by the privileged commands:
export PATH="$PATH:/(homepath)/PAM360Elevation/"
i. From an Account Configured with SSH Command Control
- Launch a remote session for an account configured with SSH command control and Self-Service Privilege Elevation.
- In the session that opens, you will find a set of predefined allowed command lists associated with the logged-in SSH account.
- Hover on the right pane and click on the execute icon under the Elevate & Execute list beside the desired privileged command to execute it in the launch SSH console.
- Under the Elevate & Execute list, the commands configured with Self-Service Privilege Elevation alone will have an enabled execute icon.
- The Self-Service Privilege Elevation feature cannot be utilized through external SSH clients when an account/resource is configured with SSH command control.
Note:
ii. From an Account Configured without SSH Command Control
- Launch a remote session to the account configured with Self-Service Privilege Elevation from PAM360 or from any other external SSH client such as Remote Connect, PuTTY, etc.
- Use the prefix "pamelevate" before commands that require privileged administrative action (e.g., pamelevate fdisk). The associated privileged commands will execute as long as the Self-Service Privilege Elevation is configured for the account.
2.5 Audits and Reports of Self-Service Privilege Elevation
Navigate to Audit >> Resource Audit to check the trail of audits recorded during the process of Self-Service Privilege Elevation. From here, you will get the different types of audit information that include:
- Agent installation, modification of agent modules, etc.,
- Commands and command groups audits
- Configuration of Self-Service Privilege Elevation to an account or resources
- Unauthorized execution of commands
Navigate to Reports >> Query Reports. From here, you can generate query reports that include information such as:
- Command groups association at different levels,
- List of unauthorized command executions using the Self-Service Privilege Elevation (pamelevate).
Refer to this section to know more about query reports and management.
2.6 Self-Service Privilege Elevation Precedence in Real-Time
Case 1:
Account Configured with SSH Command Control and Self-Service Privilege Elevation
Consider the command "fdisk" configured in a command group of an account for which the user requires privilege elevation.
denotes - enabled Self-Service Privilege Elevation or SSH command control
denotes - disabled Self-Service Privilege Elevation or SSH command control
Self-Service Privilege Elevation | SSH Command Control | Elevation Result in PAM360 Session |
---|---|---|
|
|
No Elevation |
|
|
Allowed Elevation |
|
|
No Elevation |
|
Allowed Elevation |
|
|
No Elevation |
Case 2:
Switching Self-Service Privilege Elevation between Configured User Accounts from the SSH Console
Consider the following users account with different configuration for the upcoming scenarios:
- kate - Account listed in PAM360 and configured with Self-Service Privilege Elevation
- marko - Account not listed in PAM360
- lindsey - Account listed in PAM360 and not configured with Self-Service Privilege Elevation
- paul - Account listed in PAM360 and configured with Self-Service Privilege Elevation with different sets of privileged commands.
Scenario 1:
If a user logs in to the account kate using PAM360 remote session and then changes internally to marko, which is not a PAM360 user account - then the current user account session does not allow Self-Service Privilege Elevation for the privileged commands configured in kate.
Scenario 2:
If a user logs in to the account kate using PAM360 remote session and then changes internally to lindsey, which is not configured with Self-Service Privilege Elevation - then the current user account session does not allow Self-Service Privilege Elevation for the privileged commands configured in kate.
Scenario 3:
If a user logs in to the account kate using PAM360 remote session and then changes internally to paul, which is configured with Self-Service Privilege Elevation for different sets of privileged commands - then the current user account session allows Self-Service Privilege Elevation for the privileged commands configured only in paul.