PEDM for Linux and SSH command filtering in PAM360 | Privileged Access Management | ManageEngine

PAM360 is ManageEngine’s comprehensive privileged access management (PAM) solution designed for enterprises to protect sensitive, privileged identities from internal and external threats. With the principle of least privilege enshrined across the product, PAM360’s privilege elevation and delegation management (PEDM) capabilities help enterprises eliminate standing privileges and provide granular privileged access in a restricted, time-based manner.

What’s new in PAM360?

  • PAM360 now features advanced privilege elevation capabilities for Linux-based resources in addition to its already extensive PEDM capabilities for Windows environments.

  • Leverage SSH command control to allow only a select set of commands to be executed during remote privileged sessions.

The importance of PEDM for enterprises

IT teams often provision access privileges to an employee who needs them for a task, then forget to revoke them once the task is done. Privileges left in place this way are called standing privileges. Leaving standing privileges unchecked for privileged assets beyond the necessary duration is like opening the door for an insider attack.

PEDM, a part of PAM, refers to a set of functions that help IT teams provide temporary elevated access to users with lower access levels for task-based requests. This includes users who would otherwise not have access to a sensitive resource and users who have limited access to a machine but require temporary administrative access to perform job-critical functions. PEDM limits password exposure and ensures that there are zero standing privileges.

In addition to its comprehensive set of PEDM features for Windows environments, including self-service privilege elevation controls and just-in-time access, PAM360 now features advanced PEDM capabilities for Linux.

SSH command control  

SSH command control is the latest addition to PAM360’s extensive privileged session monitoring and management capabilities, which include real-time shadowing, application controls, secure file transfers, recording, and the termination of remote sessions.

Often, enterprises depend on Unix or Linux resources for business-critical daily functions. Interruptions to the availability of these resources disrupt crucial daily processes and result in costly downtime. Through PAM360’s SSH command control (aka filtering) capabilities, IT administrators can create allowed command lists for critical Linux devices and allow only those pre-approved commands to be executed when an SSH connection is made to a device.

The case of Zylker 

Zylker is a fictional enterprise with hundreds of privileged users, including database administrators, file administrators, and system administrators, who need elevated access to sensitive Linux servers to execute privileged commands on a daily basis. These commands may include modifications or deletions of files, data mining, and changes to directory permissions on business-critical Linux servers.

Given the sensitive nature of the servers and the number of users requiring privileged access, it is vital for IT administrators to pre-approve and limit the commands that can be executed on the target resource, even by privileged users.

If PAM360’s SSH command control (aka filtering) is configured for a device, users will be able to execute only allowlisted commands. Any command outside of the group of allowlisted commands cannot be executed on the device, even by privileged users.
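The allowlist decision described above can be sketched as follows. This is an added example, not PAM360 code or its configuration format: the allowlist entries, the user name `dbadmin1`, and the function names are hypothetical. It rejects lines that chain a second command behind an approved one and records each denial so that it can be reported as an unauthorized attempt.

```python
import shlex

# Hypothetical allowlist for one device (constructed for illustration):
# program path -> permitted first argument, or None for any arguments.
ALLOWED = {
    "/usr/bin/systemctl": {"status", "is-active"},
    "/usr/bin/df": None,
    "/usr/bin/uptime": None,
}
# Characters that let one line carry a second command or a redirection.
SHELL_META = set(";|&`$<>(){}\n\\")

def check_command(line):
    """Return (allowed, reason) for one command line typed in a session."""
    if any(ch in SHELL_META for ch in line):
        return False, "shell metacharacter"
    try:
        argv = shlex.split(line)
    except ValueError:
        return False, "unbalanced quoting"
    if not argv:
        return False, "empty command"
    program, args = argv[0], argv[1:]
    if program not in ALLOWED:
        return False, "program not allowlisted"
    subcommands = ALLOWED[program]
    if subcommands is not None and (not args or args[0] not in subcommands):
        return False, "argument not allowlisted"
    return True, "allowlisted"

def filter_session(user, lines):
    """Split a session into permitted commands and audit records for denials."""
    permitted, audit = [], []
    for line in lines:
        ok, reason = check_command(line)
        if ok:
            permitted.append(line)
        else:
            audit.append({"user": user, "command": line, "reason": reason})
    return permitted, audit

# Constructed sample session, not captured from a real device.
SAMPLE_SESSION = [
    "/usr/bin/df -h",
    "/usr/bin/systemctl status sshd",
    "/usr/bin/systemctl stop sshd",
    "/usr/bin/df -h; /usr/bin/id",
]
if __name__ == "__main__":
    print(filter_session("dbadmin1", SAMPLE_SESSION))
```

Matching on the full program path and the parsed argument list, rather than on a string prefix, is what keeps an approved command from being used as a carrier for an unapproved one.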

Self-service privilege elevation

Self-service privilege elevation in PAM360 allows IT administrators to provision elevated access to non-privileged users who need to execute privileged commands or access sensitive apps, services, and directories—all without sharing the passwords of highly sensitive privileged accounts. This is achieved by allowing users to execute a pre-approved list of privileged commands with elevated privileges.

Meet Sarah at Zylker 

Sarah is an external data consultant for Zylker. She performs daily log collection on critical Linux servers by accessing the /var/log/wtmp directory using non-privileged local accounts. However, for her next task, Sarah also requires root or sudo privileges on the same set of servers in order to perform directory cleanup operations.

This can happen in one of two ways:

  1. Sarah is provided with privileged credentials or sudo access to the machine.

  2. An IT admin can configure self-service privilege elevation for a privileged account on the Linux machine using PAM360 and allow a list of pre-approved commands that Sarah can run with elevated access.

In the first scenario, there is no restriction on the commands and operations that Sarah can execute while connected to the server, opening up the possibility of privilege abuse. Sarah could delete and modify critical files, install malware accidentally, or gain access to other sensitive information present on the server.

In the second scenario, Sarah uses self-service privilege elevation to get elevated access, but she can only execute the pre-approved commands to access the required directory. This also ensures that privileged credentials are not exposed to third-party contractors like Sarah.

Comprehensive audits and reports 

PAM360’s exhaustive audit trails and reports capture all privilege elevation activities, including SSH command control configuration, self-service privilege elevation configuration, command allowlisting and grouping, agent installation, and unauthorized command elevation attempts. Using PAM360’s comprehensive audit trails, IT administrators can have complete visibility into privilege elevation activities across the enterprise and ensure that they are audit-ready.
