Options for A2A to prevent unauthorised password requests
search cancel

Options for A2A to prevent unauthorised password requests

book

Article ID: 199248

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA)

Issue/Introduction

What options are available to protect from unauthorised A2A requests?

Environment

Release : All CA PAM versions as of October 2023.

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

At the moment A2A requests can be protected by the following criteria:

- host name on which the request is allowed to happen
- executable / interpreter which is allowed to call the A2A request
- location / path where this executable is allowed to be
- full path of the script calling the A2A and making the request
- hash of the script to prevent tampering with it
- user who is allowed to execute the A2A request

Additional Information

Follow these steps to setup the Authorization Mappings accordingly

Set A2A to FINE loglevel in C:\cspm\cloakware\cspmclient\config\cspm_client_config.xml

Restart cspmclientd service to make the modifications effective

In PAM UI  (Credentials / Manage A2A / Mappings) add a new A2A Authorization Mapping for the A2A Target Alias.
For now allow all Requestors, do not put any filter options for the script/app execution

Execute the script and confirm it successfully returns accordingly.
Always use the full path to call the script.
Note to call the script always as an explicit argument to the script interpreter.

PS C:\Users\....\C:\c:\cspm\cloackware\cspmclient\examples\example64.ps1 <user@FQDN> true
Return Code: 400
User ID : <user@FQDN>
Password: <The password in text format>

View the A2A log file C:\cspm\cloakware\cspmclient\log\cspm_client_log.txt and retrieve the values for Script name, Script location and Script hash

Target alias: <user@FQDN>
Script name: example64.ps1
Script path:
Script Location: C:\cspm\cloackware\cspmclient\examples
Script hash: The hash value, this changes based on the script

In PAM UI  (Credentials / Manage A2A / Scripts) add a new A2A Script definition.

Enter the values for Script/App name (the actual script/app name as output in the log), Execution Path (the location from which this script is allowed to be run), File Path (the full path to this script/app), Type and Hash (as output in the log) accordingly.

Update the Authorization Mapping and limit the execution of the Script/App as per your needs.

Request (The A2A client allowed to call the script/app)

Script (All or Individual scripts/apps are allowed to run on this client)

Execution User (the logged on user who is allowed to execute the script/app)

Check Execution Path (script/app can only be from in the specified directory)

Check File Path (script/app must be located in the specified directory)

Perform Script Integrity Validation (script/app must not be modified, i.e. its hash is unchanged)


Attempt to rerun the script while violating any of the above policies (in this example the script was modified) and observe retrieval of the target account credentials are refused accordingly.

PS C:\Users\....> powershell C:\cspm\cloackware\cspmclient\examples\example64.ps1 <User@FQDN_hostname> true
Return Code: 436
User ID: null
Password: null

To update the new script hash stored in PAM, update the above script definition in the GUI and click GET SCRIPT HASH (a few times)

Finally revert the A2A loglevel to WARNING and restart the service to avoid excessive logging data.

Powered by Wolken Software