15.0 Privileged Access to UNIX and Linux
Using Privileged Account Manager you can provide UNIX and Linux users with controlled access to privileged commands in a secure manner across the enterprise. You can enable complete lockdown of user privilege by providing rules to determine the commands that are authorized to run, and a powerful account delegation feature that removes the need for common access to the root account.
You can provide access to UNIX, Linux, Network devices and Mainframe computers in the following ways:
-
pcksh and cpcksh: Using these shells, you can provide privileged access to UNIX, Linux, Mainframe and network devices and monitor the actions performed in the target machine in the form of keystrokes. These shells are based on the Korn shell (ksh) and are installed as part of the Command Control Agent.
For information about configuring pcksh and cpcksh, see pcksh and cpcksh respectively.
-
usrun Command: Using this command, you can provided privileged access to specific UNIX or Linux command. This package is installed as part of the Command Control Agent.
For information about configuring usrun, usrun.
-
Secure Shell Relay (SSH Relay): Using this method, you can provide access to the target SSH machine through a standard SSH client.
For information about configuring SSH Relay, see Secure Shell Relay.
-
Application SSO: Using this method, you can allow user to access UNIX, Linux, Mainframe and network device using any protocol, such as SSH, telnet, and so on.
For information about configuring application SSO, see Application SSO.
Based on the information in the following table, you can choose the method to establish privileged session in Unix or Linux system:
|
Methods |
Audit |
Video Capture |
Privileged Access |
Command Risk & Automatic Session Disconnect |
Access Through |
Authentication Through |
||
|---|---|---|---|---|---|---|---|---|
|
SSH Client |
User Console |
System Account |
PAM Account |
|||||
|
pcksh (Agent- based) |
(Audits all the user actions in the privileged shell) |
|
|
|
|
|
|
|
|
cpcksh (Agent- based) |
|
|
|
|
|
|
|
|
|
usrun (Agent- based) |
(Audits only the commands that has usrun as a prefix) |
|
|
|
|
|
|
|
|
SSH Relay (Agentless) |
|
(Session replay* of SSH session along with video capture of X11 window.) |
|
|
|
|
|
|
|
Application SSO (Agentless) |
|
|
|
|
|
|
|
|
Session Replay: Session replay is replay of the SSH user’s terminal input and output.