Specifying privilege elevation commands and applications

You can control access to specific commands and applications on Windows and Linux systems, and you can even specify which arguments a user can pass to a privileged command. You specify which commands and applications to restrict access to as part of your overall privilege elevation security controls. For details, see Working with privilege elevation.

Here are some examples of Windows elevated privilege commands and applications, which you could include in a command set entitled "Windows Management Tools" or something similar:

| Privilege elevation command name | Application and Arguments | Path |
|---|---|---|
| Server Manager | ServerManager.exe | Standard system path |
| Service Control Manager | sc.exe | Standard system path |
| Microsoft Management Console (MMC) | mmc.exe | Standard system path |

Here are some examples of Linux elevated privilege commands and applications, which you could include in a command set entitled "Linux commands" or something similar:

| Privilege elevation command name | Command | Glob or regular expression | Match path | Description |
|---|---|---|---|---|
| Edit SSH server config | vi /etc/ssh/sshd_config | Glob expression | Standard system path | Allows the granted user to edit the SSH server's config file but nothing else. |
| Edit SSH | vi /etc/ssh/*_config | Glob expression | Standard system path | Allows the granted user to edit any SSH-related configuration. |
| Change firewall | iptables -A INPUT -s * -j ACCEPT | Glob expression | Standard system path | Allows the granted user to change Linux firewall rules so specified hosts can make network connections. |
| Restart PostgreSQL | systemctl restart pgsql | Glob expression | Standard system path | Allows the granted user to restart the PostgreSQL service. |
| Firewall open | iptables -A INPUT -s [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ -j ACCEPT | Regular expression | Standard system path | A more rigorous way to allow firewall openings for specific IP addresses but not for arbitrary host names. |
| Start or restart anything | systemctl [re]*start .* | Regular expression | Standard system path | Allows the granted user to start or restart services but does not allow that user to stop or permanently disable them. |
| Just reboot | reboot$ | Regular expression | Standard system path | Allows the granted user to restart the system without extra options. |

For more details about glob and regular expressions, see About Glob expressions and About regular expressions.

To specify the privilege elevation commands:

  1. Navigate to Settings > Resources > Privilege Elevation Command.

  2. Click Add.

    The Add Command Settings page opens.

  3. Enter a name and description.

  4. Select the operating system: Windows or Linux.

  5. If you selected Windows:

    1. In the Application and Arguments field, enter the applications or command arguments that you want to control access to.

    2. For Match Path, either use the default path to the command or select Specify path and enter the path manually.

      Here's an example of how to specify the MMC console: enter mmc.exe in the Application and Arguments field and keep the default (standard system) path for Match Path.

  6. If you selected Linux:

    1. In the Command field, enter the applications or command arguments that you want to control access to.

    2. If you're using regular expressions, select that option. Otherwise, keep Glob expressions selected.

      The default glob pattern matching enables you to specify a string using wild card characters. For example, with glob pattern matching, the command can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([. . .]).

      Here's an example of how to specify the command to restart PostgreSQL: enter systemctl restart pgsql in the Command field and keep Glob expressions selected.

  7. Specify the priority.

    By default, the priority is set to 0 (zero), which indicates the lowest priority. You can specify any positive integer for this field. For example, you might want to set different privilege commands with different priorities if they have different runtime attributes (such as Bypass MFA enabled). At runtime, the privilege elevation command with the highest priority in the same operating system group is used.

  8. Click Save.

    The service saves the command (or range of commands) and the new specification displays in the list on the Privilege Elevation Command page. You can now grant access to these commands as discussed in Working with privilege elevation.

About Glob expressions

Glob pattern matching is literal text matching with a few wildcard characters: for example, a glob pattern search for "app" returns only items whose exact name is "app". Glob patterns are most commonly used in Unix shells and the Windows command window.

The glob standard gives special meaning to a few characters:

| Glob character | Description | Example pattern | Example results |
|---|---|---|---|
| * (asterisk) | Matches any number of characters, including zero | app* | application, apple, app |
| * (asterisk) | Matches any number of characters, including zero | b*d | bad, bud, bid, bGd, blood, burgundy's last spud |
| ? (question mark) | Matches any one character | b?d | bad, bud, bid, bGd |
| [ ] (brackets) | Matches exactly one character from the set listed between the brackets; the set can contain any number of characters | the*brown*f?x j[au]* | the quick brown fox jumps, the sly, silly brown fox jabbed |

For the complete documentation for the glob standard, see https://man7.org/linux/man-pages/man7/glob.7.html.

About regular expressions

Regular expression matching is similar to glob pattern matching but allows for more complex patterns. Regular expressions are useful for cases where you want to be more precise or strict with what the expression matches.

For example, consider if you restrict access to commands according to the glob expression vi /etc/ssh/*conf*. This pattern is too generous because users can still run a command such as vi /etc/ssh/../tinyproxy/tinyproxy.conf.

To prevent these kinds of workarounds, you can use regular expressions to more precisely define the matching pattern.

Regular expressions use the following special characters:

  • ^ (caret) "anchors" to the start of a line, thus ^foo will only match if "foo" is the first thing found on a text line

  • $ (dollar sign) "anchors" to the end of a line, thus foo$ will only match if "foo" are the last three characters on that line

  • . (period) matches any one character (like ? in glob)

  • ? (question mark) will match exactly zero or one occurrences of the character before it (for example: fa?o will match fao or fo)

  • * (asterisk) will match the previous character zero or more times (for example: fa*o will match fo, fao and faaaaaao)

  • + (plus sign) will match the previous character at least once and possibly more (for example: fa+o will match fao and faaaaaaaao but NOT fo)

  • .* (period asterisk) is the same as the bare asterisk * in glob patterns

  • [ ] (brackets) can surround "ranges" of explicitly enumerated characters ([aoeui] for all vowels), implied ranges ([a-z] for all lower-case letters from a to z or [0-9] for all numerals from zero to nine). You can combine ranges with ?, * and + to match certain repeats of specified ranges.

Our service uses PCRE (Perl Compatible Regular Expressions). For the full documentation, see http://www.pcre.org/original/doc/html/.
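As an added example (not code from the product documentation), the following Python stands in for the service's matcher to show how the glob rules from the table above and the regular-expression rules behave against constructed sample command lines, including the vi /etc/ssh/../tinyproxy/tinyproxy.conf workaround described earlier. It assumes that the service's regular-expression matching searches the command line rather than implicitly anchoring it (so a rule supplies its own ^ and $, as the reboot$ example does), and that Python's re module covers the PCRE subset used here; the stricter ^vi /etc/ssh/[A-Za-z0-9_]+_config$ rule is this example's own, not one the page lists.

```python
import fnmatch
import re

# Constructed sample command lines a user might submit through privilege
# elevation. They are made up for this example, not taken from the page.
CANDIDATES = [
    "vi /etc/ssh/sshd_config",
    "vi /etc/ssh/ssh_config",
    "vi /etc/ssh/../tinyproxy/tinyproxy.conf",  # the workaround the text warns about
    "systemctl restart pgsql",
    "systemctl stop pgsql",
    "reboot",
    "reboot --force",
]


def glob_allows(pattern, command):
    """Glob semantics as the page describes them: ? matches one character,
    * matches any string (including '/' and spaces), [..] matches one
    character from the set. fnmatchcase implements exactly those operators."""
    return fnmatch.fnmatchcase(command, pattern)


def regex_allows(pattern, command):
    """Regex semantics, assumed to be 'search' rather than whole-line match
    (the page's own 'reboot$' example carries its own anchor), so a rule
    must include ^ and $ itself to constrain the entire command line."""
    return re.search(pattern, command) is not None


def allowed_commands(pattern, use_regex, commands=CANDIDATES):
    """Return the candidate commands the rule would let through."""
    match = regex_allows if use_regex else glob_allows
    return [c for c in commands if match(pattern, c)]


if __name__ == "__main__":
    # The generous glob from the regular-expression section lets the
    # /etc/ssh/../tinyproxy path through ...
    print(allowed_commands("vi /etc/ssh/*conf*", use_regex=False))
    # ... while an anchored regex that forbids '/' in the file name does not
    # (this stricter pattern is an assumption of the example, not the page's).
    print(allowed_commands(r"^vi /etc/ssh/[A-Za-z0-9_]+_config$", use_regex=True))
    # Rules taken from the Linux example table.
    print(allowed_commands("systemctl [re]*start .*", use_regex=True))
    print(allowed_commands("reboot$", use_regex=True))
```

Feeding a proposed rule through allowed_commands with a few deliberately awkward candidates, as above, is a quick way to check that a glob is not more generous than intended before granting it.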