What Is Protected
Describes what PAM SC protects on UNIX.
capamsc141
Valid on UNIX
In addition to supplying the regular security functions such as an access rule database, an audit log, and administration tools, Privileged Access Manager intercepts the operating system events that are to be protected. Because Privileged Access Manager works with many different operating systems, it intercepts events in memory. No changes are made to system files, and the operating system is not modified.

Privileged Access Manager protects the following entities:

- Files: Is a user authorized to access a particular file? Privileged Access Manager restricts the ability of a user to access a file. You can give a user one or more types of access, such as READ, WRITE, EXECUTE, DELETE, and RENAME. You can specify the access to an individual file or to a set of similarly named files.
- Terminals: Is a user authorized to use a particular terminal? This check is done during the login process. Individual terminals and groups of terminals can be defined in the Privileged Access Manager database, with access rules. These rules determine which users, or groups of users, are allowed to use the terminal or terminal group. Terminal protection ensures that no unauthorized terminal or station is used to log in to the accounts of highly privileged users.
- Sign-on time: Is a user authorized to log in at a particular time on a particular day? Most users use their stations only on weekdays and only during work hours. The time-of-day and day-of-week login restrictions, together with holiday restrictions, provide protection from hackers and from other unauthorized accessors.
- TCP/IP: Is another station authorized to receive TCP/IP services from the local computer? Is another station authorized to supply TCP/IP services to the local computer? Is another station permitted to receive services from every user of the local station? An open system is a system in which both the computers and the networks are open. The advantage of an open system is also a disadvantage: once a computer is connected to the outside world, one can never be sure who enters the system and what damage an alien user may do, intentionally or by mistake. Privileged Access Manager includes firewalls that prevent local stations and servers from providing services to unknown stations.
- Multiple login privileges: Is the user permitted to log in from a second terminal? The term concurrent logins refers to the ability of a user to log in to the system from more than one terminal. Privileged Access Manager can prevent a user from logging in more than once. This protection prevents intruders from logging in to the accounts of users who are already logged in.
- User-defined entities: You can define and protect both regular entities (such as TCP/IP services and terminals) and functional entities. Functional entities are known as abstract objects, such as performing a transaction or accessing a record in a database.
- Aspects of administrator authority: Privileged Access Manager provides the means both to delegate superuser authorities to operators and to restrict the permissions of the superuser account.
- Substitute-user: Are users authorized to substitute their user IDs? The UNIX setuid system call is one of the most sensitive services provided by the operating system. Privileged Access Manager intercepts this system call to determine whether the user is authorized to perform the substitution. The substitute-user authority check includes program pathing: users are permitted to substitute their user IDs only through specific programs. This check is especially important in controlling who can substitute to root and therefore gain root access.
- Substitute-group: Is a user authorized to issue the newgrp (substitute-group) command? Substitute-group protection is similar to substitute-user protection.
- Setuid and setgid programs: Can a particular setuid or setgid program be trusted? Is the user authorized to invoke it? The security administrator can test programs that are marked as setuid or setgid executables to ensure that they do not contain any security loopholes that can be used to gain unauthorized access. Programs that pass the test and are considered safe are defined as trusted programs. The Privileged Access Manager Self-Protection Module (also referred to as the Privileged Access Manager watchdog) knows which program is in control at a particular time. The module checks whether the program has been modified or moved since it was classified as trusted. If a trusted program is modified or moved, the program is no longer considered trusted and Privileged Access Manager does not allow it to run.
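The trusted-program rule above (a program stays trusted only while it is unmodified and in its original location) can be illustrated with a small baseline-and-verify routine. The code below is an added example written for this page, not Privileged Access Manager code: the record layout, the function names `register_trusted`, `check_trusted` and `demo`, and the stand-in "program" it creates in a temporary directory are all constructed for the illustration. It records the resolved path, device and inode numbers, permission bits (which include the setuid/setgid bits), size and SHA-256 digest when a program is marked trusted, and refuses execution on any deviation, so that an in-place edit, a replacement via rename, and a move to another path are each caught and reported for the audit log.

```python
"""Trusted setuid/setgid program check: baseline at approval time, verify before run.

Added example for this page; not Privileged Access Manager code. All names,
the baseline record format and the sample program are constructed.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def _sha256(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def register_trusted(path):
    """Record the baseline for a program that the administrator has reviewed and approved."""
    info = os.stat(path)
    return {
        "path": os.path.realpath(path),          # where the approved copy lives
        "dev": info.st_dev,                      # device + inode detect replacement by rename
        "ino": info.st_ino,
        "size": info.st_size,
        "mode": stat.S_IMODE(info.st_mode),      # includes setuid/setgid bits
        "sha256": _sha256(path),                 # content digest detects in-place edits
    }


def check_trusted(path, baseline):
    """Return (allowed, reason). Any deviation from the baseline revokes trust."""
    real = os.path.realpath(path)
    if real != baseline["path"]:
        return False, "program moved or invoked via a different path"
    try:
        info = os.stat(real)
    except FileNotFoundError:
        return False, "program no longer exists"
    if (info.st_dev, info.st_ino) != (baseline["dev"], baseline["ino"]):
        return False, "inode changed: file was replaced"
    if stat.S_IMODE(info.st_mode) != baseline["mode"]:
        return False, "permission bits changed"
    if info.st_size != baseline["size"] or _sha256(real) != baseline["sha256"]:
        return False, "contents modified"
    return True, "unchanged since it was marked trusted"


def demo():
    """Run the check against a constructed stand-in program; returns the outcomes."""
    workdir = tempfile.mkdtemp(prefix="trusted-demo-")
    results = {}
    try:
        prog = os.path.join(workdir, "helper")   # constructed stand-in, not a real setuid binary
        with open(prog, "w") as handle:
            handle.write("#!/bin/sh\necho approved helper\n")
        os.chmod(prog, 0o755)
        baseline = register_trusted(prog)

        results["pristine"] = check_trusted(prog, baseline)[0]

        with open(prog, "a") as handle:          # simulate an in-place modification
            handle.write("echo extra line\n")
        results["modified"] = check_trusted(prog, baseline)

        moved = prog + ".moved"                  # simulate moving the program elsewhere
        os.replace(prog, moved)
        results["moved"] = check_trusted(moved, baseline)[1]
        results["old_path"] = check_trusted(prog, baseline)[1]
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A real enforcement point would consult the baseline from an interception hook before the program is allowed to start and write the reason string to the audit log; the digest, rather than the size or timestamp alone, is what makes the check robust against a same-size edit.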
In addition, Privileged Access Manager protects against various deliberate and accidental threats, including:

- Kill attempts: Protects critical servers and services or daemons against kill attempts.
- Password attack: Protects against various types of password attacks, enforces the password-definition policies of your site, and detects break-in attempts.
- Password delinquency: Delineates rules that force users to create and use passwords of sufficient quality. To ensure that users create and use acceptable passwords, Privileged Access Manager can set maximum and minimum lifetimes for passwords, restrict certain words, prohibit repetitive characters, and enforce other restrictions. Passwords are not permitted to last too long.
- Account management: Ensures that dormant accounts are dealt with appropriately.
- Domain management: Implements password protection and enforces security across NIS and non-NIS domains.
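The password delinquency rules listed above (minimum and maximum lifetimes, restricted words, a ban on repetitive characters) can be expressed as a small policy evaluator. The following is an added example written for this page, not Privileged Access Manager code: the `POLICY` values, the function names `password_violations`, `change_allowed` and `password_expired`, and the restricted-word list are constructed for the illustration. It returns every rule a candidate password breaks, so the user can be told why it was rejected, and it separates the two lifetime checks: the minimum lifetime stops a user from changing a password repeatedly to cycle back to an old one, and the maximum lifetime forces a change before the password lasts too long.

```python
"""Password quality and lifetime policy evaluator.

Added example for this page; not Privileged Access Manager code. The policy
values, names and restricted words are constructed for the illustration.
"""
from datetime import date, timedelta

POLICY = {
    "min_length": 10,
    "max_repeat": 2,                 # no character may appear more than twice in a row
    "restricted_words": {"password", "company", "summer"},  # constructed site word list
    "min_lifetime_days": 1,          # earliest a password may be changed again
    "max_lifetime_days": 90,         # latest a password may remain in use
}


def password_violations(candidate, policy=POLICY):
    """Return a list of rule names the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("too short")

    lowered = candidate.lower()
    for word in sorted(policy["restricted_words"]):   # sorted for a stable report order
        if word in lowered:
            problems.append(f"contains restricted word '{word}'")

    # Count runs of identical consecutive characters, e.g. "yyy" is a run of 3.
    run = 1
    for prev, cur in zip(candidate, candidate[1:]):
        run = run + 1 if cur == prev else 1
        if run > policy["max_repeat"]:
            problems.append("repeated character run")
            break
    return problems


def change_allowed(last_changed, today, policy=POLICY):
    """Minimum lifetime: a change too soon after the last one is refused."""
    return today - last_changed >= timedelta(days=policy["min_lifetime_days"])


def password_expired(last_changed, today, policy=POLICY):
    """Maximum lifetime: the password has lasted longer than the site permits."""
    return today - last_changed > timedelta(days=policy["max_lifetime_days"])


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3xtra", "companyyy1", "Ab1!"):   # constructed samples
        print(sample, "->", password_violations(sample) or "accepted")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```

Evaluating every rule rather than stopping at the first failure costs nothing here and gives the user one complete message; the lifetime checks take explicit dates so that they can be unit-tested without depending on the clock.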