SECRET SERVER FEATURE: Unix Protection
Generate, store, rotate, limit use of and manage SSH Keys
Overview of Unix Protection:
A successful Unix/Linux attack could be catastrophic. Unix and Linux systems are often heavily tied into critical and sensitive data. If a cyber criminal gains access to powerful root accounts, they have complete administrative control.
A multi-layered approach to Unix/Linux privilege management reduces security risk. It’s important to ensure local root accounts are discovered, protected, controlled, and managed. Additionally, it’s important to maintain Least Privilege policies by ensuring that powerful commands (such as Sudo or Su) are limited and monitored.
Secret Server allows you to extend privileged access management policies to Unix and Linux systems to improve visibility, consistency, and ease of management throughout your entire IT environment. By bringing Unix/Linux under a common PAM umbrella, you can centrally discover, rotate, expire, and disable credentials to prevent misuse and cyber attacks.
SSH Command Control
SSH Command Control allows you to establish an approved list of commands that each user may run during an active SSH session. For example, you may allow users to access a Unix system, but not use the Sudo command. You can monitor the commands superusers can run based on their role and required tasks.
With the SSH Command Control feature for Secret Server you can:
- Minimize the use of privileged rights and enforce least privilege policies.
- Replace siloed Sudo configuration files with an enterprise-ready, scalable security solution with audit capabilities.
- Restrict commands based on defined policies and limited superuser permissions, reducing the risk of misuse, abuse, and accidental error.
- Manage, monitor, and secure Single Sign-On for Secret Server privileged accounts.
- Delegate and revoke privileged Unix administration without having to manage Sudo files or allow full root access.
SSH Key Management
Generate, Store, Rotate, and Manage SSH Keys
System administrators typically gain access to Unix systems over SSH using generated keys, usually a private/public keypair. With this file-based authentication system, a single user's private key grants access to every machine whose authorized keys file contains the corresponding public key.
Unfortunately, SSH keys are largely left unprotected beyond a simple passphrase and are not rotated.
Malicious users can gain uncontrolled access to every corresponding Unix system if even a single private key is compromised. In addition, providing third parties with access to Unix systems is difficult, as it requires the generation and use of a keypair or authorized keys file that the third party often does not protect.
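As an added illustration of the exposure described above (example code, not part of Secret Server or of this page), the following Python audit parses an authorized_keys file, computes each key's SHA256 fingerprint the way ssh-keygen prints it, and flags entries that carry none of sshd's restricting options, so they can be inventoried and scheduled for rotation. The key blobs, host address and comments in the sample are constructed.

```python
import base64
import hashlib

# Options that confine what an authenticated key may do (subset of sshd's list).
RESTRICTING = {"from", "command", "restrict", "no-pty", "no-port-forwarding",
               "no-agent-forwarding", "no-x11-forwarding"}

def _split_unquoted(text, is_sep):
    """Split text at separator characters that are not inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """One dict per key line: type, fingerprint, comment, option names, restricted."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        # A line without options begins directly with the key type.
        opts = "" if line.startswith(("ssh-", "ecdsa-", "sk-")) else _split_unquoted(line, str.isspace)[0]
        parts = line[len(opts):].split(None, 2)
        if len(parts) < 2:
            continue  # malformed entry, skip
        names = {o.split("=", 1)[0].strip().lower()
                 for o in _split_unquoted(opts, lambda c: c == ",") if o.strip()}
        entries.append({"type": parts[0], "fingerprint": fingerprint(parts[1]),
                        "comment": parts[2] if len(parts) == 3 else "",
                        "options": sorted(names), "restricted": bool(names & RESTRICTING)})
    return entries

def unrestricted_keys(text):
    """Entries that grant a full shell from any source: first candidates for review."""
    return [e for e in parse_authorized_keys(text) if not e["restricted"]]

def _ed25519_blob(raw32):
    # Constructed blob: RFC 4253 string encodings of the type name and a 32-byte key.
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + raw32).decode()

# Constructed sample authorized_keys content: one unrestricted key, one confined key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy keys",
    f"ssh-ed25519 {_ed25519_blob(bytes(range(32)))} alice@laptop",
    f'from="10.0.0.5",command="/usr/bin/rsync --server -a . /srv" '
    f"ssh-ed25519 {_ed25519_blob(bytes(32))} backup",
])
```

Run it against each host's authorized_keys files and compare the fingerprints with the vault's inventory; any fingerprint the vault does not know, and any unrestricted entry, is a key that is neither managed nor rotated.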
Please read our related blog post:
SSH proxies vs. jump hosts—how to save time and spend less.