How CA Privileged Access Manager Server Control Protects UNIX

PAM Server Control starts immediately after the operating system finishes its initialization. PAM Server Control places hooks in the system services that must be protected. In this way, control passes to PAM Server Control before the service is performed, and the product decides whether to grant the service to the user.
For example, a user attempts to access a resource protected by PAM Server Control. The access request generates a system call to the kernel to open the resource. PAM Server Control intercepts that system call and decides whether to grant access. If permission is granted, PAM Server Control passes control to the regular system service. If the product denies permission, it returns the standard permission-denied error code to the program that issued the system call, and the system call ends.
The decision is based on access rules and policies that are defined in the database. The database describes two types of objects: accessors and resources. Each record in the database describes one accessor or one resource.
Accessors are users and groups.
Resources are objects to be protected, such as files and services.
Each object belongs to a class, a collection of objects of the same type. For example, TERMINAL is a class containing objects that are terminals (workstations) protected by PAM Server Control.
Class Activation
PAM Server Control stores in the database whether each class is active or inactive. When PAM Server Control starts, it passes the list of active classes to SEOS_syscall, the kernel interception component, so that PAM Server Control does not have to intercept calls for every class. The list is updated only when a user changes the activity status of a class. If a class is inactive, access to resources in that class is not intercepted at all.
You can use the inactive class bypass with the following classes: FILE, HOST, TCP, CONNECT, and PROCESS.
Accessor Elements
An accessor element (ACEE) represents each user. The accessor element is an in-memory reflection of the user's record in the database. PAM Server Control builds the accessor element during the login process and associates it with the user's process. Whenever the process requests a system service that PAM Server Control protects, or issues an implicit request to access a resource, the product reads the record of the resource. The product then determines whether the information in the previously created accessor element, such as the user's security level, mode, and groups, lets the user access the resource.