How Privileged Access Manager Server Control Protects UNIX
Describes how PAM SC places hooks in system services that must be protected assuming control before the service is performed.
Privileged Access Manager starts immediately after the operating system finishes its initialization. Privileged Access Manager places hooks in system services that must be protected. In this way, control is passed to Privileged Access Manager before the service is performed, and the product decides whether to grant the service to the user.

For example, a user attempts to access a resource protected by Privileged Access Manager. This access request generates a system call to the kernel to open the resource. Privileged Access Manager intercepts that system call and decides whether to grant access. If permission is granted, Privileged Access Manager passes control to the regular system service. If the product denies permission, it returns the standard permission-denied error code to the program that issued the system call, and the system call ends.

The decision is based on access rules and policies that are defined in the database. The database describes two types of objects: accessors and resources. Accessors are users and groups. Resources are objects to be protected, such as files and services. Each record in the database describes an accessor or a resource. Each object belongs to a class, a collection of objects of the same type. For example, TERMINAL is a class containing objects that are terminals (workstations) protected by Privileged Access Manager.

Class Activation

Privileged Access Manager stores information about whether a class is active or inactive in the database. When Privileged Access Manager starts, it passes a list of active classes to SEOS_syscall, so Privileged Access Manager does not have to constantly intercept these classes. The only time Privileged Access Manager intercepts a class is when a user changes the activity status of a class. If a class is inactive, access to the resource is not intercepted. You can use the inactive class bypass with the following classes: FILE, HOST, TCP, CONNECT, and PROCESS.

Accessor Elements

An accessor element (ACEE) represents each user. The accessor element is an in-memory reflection of the user's record in the database. Privileged Access Manager builds the accessor element during the login process and associates it with the user's process. Whenever the process requests a system service that is protected by Privileged Access Manager, or issues an implicit request to access a resource, the product accesses the record of the resource. The product then determines whether the information in the previously created accessor element, such as the user's security level, mode, and group, lets the user access the resource.
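As an added illustration (not the product's own code), here is a small Python model of the decision path described in the sections above: a hook consults the accessor element and the resource record, honours the inactive-class bypass for the listed classes, and returns either 0 (pass control to the regular service) or the permission-denied errno. The accessor and resource fields, the sample policy, and the rule that a resource without a database record is unprotected are assumptions made for the example.

```python
import errno
from dataclasses import dataclass

# Constructed model of the PAM SC decision path described above; not product code.
PERMISSION_DENIED = errno.EACCES  # standard error returned to the calling program
BYPASSABLE_CLASSES = {"FILE", "HOST", "TCP", "CONNECT", "PROCESS"}  # inactive-class bypass

@dataclass(frozen=True)
class Accessor:
    """In-memory accessor element (ACEE) built at login for one user (fields assumed)."""
    name: str
    groups: frozenset
    security_level: int

@dataclass(frozen=True)
class Resource:
    """Database record of a protected object in a class such as FILE (fields assumed)."""
    cls: str
    name: str
    min_security_level: int
    allowed: frozenset  # accessor names (users or groups) granted access

class PolicyDatabase:
    def __init__(self, resources, active_classes):
        self.resources = {(r.cls, r.name): r for r in resources}
        self.active_classes = set(active_classes)

    def set_class_active(self, cls, active):
        # Changing a class's activity status is what updates the hook's class list.
        (self.active_classes.add if active else self.active_classes.discard)(cls)

def check_access(db, acee, cls, name):
    """Hook decision: 0 passes control to the regular service; PERMISSION_DENIED
    is returned to the caller and the system call ends."""
    if cls in BYPASSABLE_CLASSES and cls not in db.active_classes:
        return 0  # inactive class: the request is not intercepted at all
    res = db.resources.get((cls, name))
    if res is None:
        return 0  # assumption: a resource with no database record is unprotected
    accessor_ids = {acee.name} | acee.groups
    if acee.security_level >= res.min_security_level and accessor_ids & res.allowed:
        return 0
    return PERMISSION_DENIED

def build_demo_database():
    """Constructed sample policy (not a real one) for exercising check_access."""
    shadow = Resource("FILE", "/etc/shadow", 3, frozenset({"admins"}))
    ssh = Resource("TCP", "22", 1, frozenset({"staff", "admins"}))
    return PolicyDatabase([shadow, ssh], active_classes={"FILE", "TCP"})
```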