6.6 Privileged Access to UNIX and Linux

Using Privileged Account Manager, you can give UNIX and Linux users controlled, secure access to privileged commands across the enterprise. You can lock down user privileges completely by defining rules that determine which commands are authorized to run, and by using a powerful account delegation feature that removes the need for common access to the root account.

You can provide access to UNIX, Linux, network devices and Mainframe computers in the following ways:

  • pcksh and cpcksh: Using these shells, you can provide privileged access to UNIX, Linux, Mainframe and network devices and monitor the actions performed on the target machine in the form of keystrokes. These shells are based on the Korn shell (ksh) and are installed as part of the Command Control Agent.

    For information about configuring pcksh and cpcksh, see pcksh and cpcksh respectively.

  • usrun Command: Using this command, you can provide privileged access to a specific UNIX or Linux command. This package is installed as part of the Command Control Agent.

  • Secure Shell Relay (SSH Relay): Using this method, you can provide access to the target SSH machine through a standard SSH client.

  • SSH Web Relay: Using this method, you can relay SSH sessions to target servers without installing a client or an agent, because the SSH session runs in the web browser itself. This functionality requires an "Agentless module" to be installed on the Privileged Account Manager Linux manager. For more information, see Secure Shell Web Relay.

  • Application SSO: Using this method, you can allow users to access UNIX, Linux, Mainframe and network devices using any protocol, such as SSH, Telnet, and so on.

    For information about configuring application SSO, see Application SSO.

Based on the information in the following table, you can choose the method to establish a privileged session on a UNIX or Linux system:

Table columns:

  • Methods
  • Audit
  • Video Capture
  • Privileged Access
  • Live Session View
  • Command Risk & Automatic Session Disconnect
  • Access Through: SSH Client, User Console
  • Authentication Through: System Account, Privileged Account Manager Account

Methods and their notes:

  • pcksh (Agent-based): Audits all the user actions in the privileged shell.
  • cpcksh (Agent-based)
  • usrun (Agent-based): Audits only the commands that have usrun as a prefix.
  • SSH Relay (Agentless): Session replay* of SSH session along with video capture of X11 window.
  • SSH Web Relay (Client less)

* Session Replay: Session replay is a replay of the SSH user’s terminal input and output.