17.3 Command Management

You can gain privileged access to a specific command using the following method:

17.3.1 usrun

The usrun command is a function provided by Privileged Account Manager for executing specific commands in the UNIX and Linux system with privileges.

By using the usrun command, you can elevate the access privilege of a specific command based on the policies defined in Privileged Account Manager. You must specify usrun before any command in the Linux or UNIX system to elevate the access rights of that command.

When you use the usrun command, Privileged Account Manager audits only the commands prefixed with usrun; other operations in the session are not audited.

usrun Command Syntax

The usrun function can be used with the following options:

usrun [-b] [-p] [-t] [-x] [-u <user>] [-h <host>] <command> 

Option      Description

-b          Puts the execution of the command into the background.

-p          Provides a pipe compatibility option for competitive products. It is only used for a competitive swap-out.

-t          Provides a test command option that tests the specified command against the rule structure. A yes or no is printed to the screen, indicating whether the command would be accepted or not.

-x          Enables the X11 forwarding option.

-u <user>   Specifies the user you want the command to run as, although this can be overwritten by the Command Control rules.

-h <host>   Specifies the host you want the command run on, although this can be overwritten by the Command Control rules. For <host> you can use either the hostname of the server or the agent name specified in the Hosts console.

<command>   Specifies the command to pass to the Command Control Manager.

Configuring usrun Command for Privileged Access

To provide privileged access to a specific set of commands, you must make the appropriate configuration in Privileged Account Manager. For the steps to configure usrun in Privileged Account Manager, see Privileged Access to UNIX and Linux.

Accessing usrun for Privileged Access

To use usrun to get privileged access:

  1. Log into the target system as a non-privileged user.

  2. Execute the commands with the prefix usrun to get privileged access to the command. For example, usrun passwd.

    Privileged access is provided only to the specific set of commands that you have defined in the usrun Command Control policy.

  3. All privileged actions, that is, the commands executed with the prefix usrun, are audited and can be viewed in the Command Control Reports. For more information about the Command Control Reports, see Command Control Reports.

Usage Scenario

Consider a scenario where the administrator has to provide a privileged access to a specific command such as passwd.

For this scenario, the administrator must perform the following configuration in the command control:

  1. Register the agent to Privileged Account Manager.

  2. Add a command and name it usrun_pwd_cmd with the following field values:

    Description: Explain the purpose of this command. For example:

    Allows a user to submit a usrun passwd command to change account passwords.

    Commands: passwd *

  3. Create a user group usrun_pwd_usrgrp with the following field values:

    Description: Explain the purpose of the user group. For example:

    Defines the user accounts that can run the usrun passwd command to change account passwords.

    Users: Specify the usernames of the users on the Linux and UNIX hosts that have the permission to use the usrun passwd command.

  4. Add a rule usrun_pwd_rule with the following field values:

    Description: Explain the purpose of the rule. For example:

    Matches users who submit a usrun passwd command. It authorizes their session and sets the run user to root.

    Session Capture: Select On.

    Authorize: Select Yes, then select Stop from the drop-down menu.

    Run User: Specify root.

  5. Drag and drop the command usrun_pwd_cmd and user group usrun_pwd_usrgrp to the rule usrun_pwd_rule.

After the administrator has configured the authorization rule in Privileged Account Manager, the non-privileged Linux or UNIX user can gain privileged access as follows:

  1. Log into the Linux or UNIX system as a non-privileged user.

  2. Execute the command usrun passwd.

    The passwd command now runs with elevated access. The user action is recorded, and the administrator can view the report in the admin console.
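The following is an added example, not part of Privileged Account Manager or this documentation: a small Python model of the scenario above (usrun_pwd_cmd with pattern "passwd *", user group usrun_pwd_usrgrp, rule usrun_pwd_rule running as root) that emulates what `usrun -t` answers for a given user and command line, and the audit record the text says is kept for every usrun invocation. The group members, the data structures and the matching semantics (shell-style wildcards over the normalised command line) are assumptions made for the example, not Privileged Account Manager's actual rule engine.

```python
import fnmatch
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Simplified model of a Command Control rule with its command and user group attached (assumed)."""
    name: str
    commands: tuple          # patterns from the attached command's 'Commands' field
    users: frozenset         # usernames from the attached user group's 'Users' field
    run_user: str            # the rule's 'Run User' field
    session_capture: bool    # the rule's 'Session Capture' field


# Constructed policy mirroring the Usage Scenario: usrun_pwd_cmd + usrun_pwd_usrgrp -> usrun_pwd_rule.
POLICY = (
    Rule(
        name="usrun_pwd_rule",
        commands=("passwd *",),
        users=frozenset({"alice", "bob"}),   # constructed members of usrun_pwd_usrgrp
        run_user="root",
        session_capture=True,
    ),
)


def normalise(command):
    """Collapse whitespace so 'passwd   bob' and 'passwd bob' are compared the same way."""
    return " ".join(shlex.split(command))


def evaluate(user, command, policy=POLICY):
    """Emulate 'usrun -t': return the first rule that authorizes the command, or None.
    Assumption: 'Commands' patterns are shell-style wildcards matched against the whole command line."""
    line = normalise(command)
    for rule in policy:
        if user in rule.users and any(fnmatch.fnmatchcase(line, p) for p in rule.commands):
            return rule
    return None


def usrun(user, command, policy=POLICY):
    """Emulate 'usrun <command>': return the decision plus the audit record kept for the invocation."""
    rule = evaluate(user, command, policy)
    record = {"submitted_by": user, "command": normalise(command), "audited": True}
    if rule is None:
        return {**record, "authorized": False, "run_user": None, "rule": None}
    return {**record, "authorized": True, "run_user": rule.run_user,
            "rule": rule.name, "session_captured": rule.session_capture}


if __name__ == "__main__":
    for user, cmd in (("alice", "passwd bob"), ("mallory", "passwd bob"), ("alice", "useradd eve")):
        print(f"{user}: usrun -t {cmd!r} -> {'yes' if evaluate(user, cmd) else 'no'}")
```

Running the block prints yes only for a group member submitting a command that matches the "passwd *" pattern; a user outside usrun_pwd_usrgrp, or a command outside the pattern, is refused but still produces an audit record.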