What options are available to protect from unauthorised A2A requests?
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
At the moment, A2A requests can be protected by the following criteria:
- host name from which the request is allowed to be made
- executable / interpreter that is allowed to issue the A2A request
- location / path in which this executable is allowed to reside
- full path of the script that calls A2A and makes the request
- hash of the script, to prevent tampering with it
- user who is allowed to execute the A2A request
Follow these steps to set up the Authorization Mappings accordingly:
Set the A2A log level to FINE in C:\cspm\cloakware\cspmclient\config\cspm_client_config.xml
Restart the cspmclientd service for the change to take effect.
In the PAM UI (Credentials / Manage A2A / Mappings) add a new A2A Authorization Mapping for the A2A Target Alias.
For now, allow all Requestors and do not set any filter options for script/app execution.
Execute the script and confirm that it returns successfully.
Always call the script by its full path.
Note that the script must always be passed as an explicit argument to the script interpreter.
View the A2A log file C:\cspm\cloakware\cspmclient\log\cspm_client_log.txt and retrieve the values for Script name, Script location and Script hash.
In the PAM UI (Credentials / Manage A2A / Scripts) add a new A2A Script definition.
Enter the values for Script/App name (the actual script/app name as output in the log), Execution Path (the location from which this script is allowed to be run), File Path (the full path to this script/app), Type and Hash (as output in the log) accordingly.
Update the Authorization Mapping and restrict execution of the Script/App as required:
- Request (the A2A client allowed to call the script/app)
- Script (All or Individual scripts/apps are allowed to run on this client)
- Execution User (the logged-on user who is allowed to execute the script/app)
- Check Execution Path (the script/app may only be run from the specified directory)
- Check File Path (the script/app must be located at the specified path)
- Perform Script Integrity Validation (the script/app must not have been modified, i.e. its hash is unchanged)
Attempt to rerun the script while violating any of the above policies (in this example the script was modified) and observe that retrieval of the target account credentials is refused.
To store the new script hash in PAM, update the script definition above in the GUI and click GET SCRIPT HASH (a few times).
Finally, revert the A2A log level to WARNING and restart the service to avoid excessive logging.
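As an added illustration of the policy model the steps above configure (not part of this article and not PAM's own code), the Python below evaluates an A2A request against a mapping the way the checks are described: requestor host, execution user, allowed scripts, execution path, file path and script integrity must all pass, and anything else is denied. The field names, the SHA-256 hash algorithm and the sample script, host and user values are assumptions for illustration.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Field names mirror the article's Script definition / Authorization Mapping; they and SHA-256 are assumptions.
@dataclass
class ScriptDef:
    name: str            # Script/App name as shown in the A2A log
    execution_path: str  # directory the script may be launched from
    file_path: str       # full path at which the script must reside
    hash_hex: str        # expected hash (the value GET SCRIPT HASH stores)

@dataclass
class Mapping:
    requestor_host: str  # Request: the A2A client allowed to call the script
    execution_user: str  # Execution User: the logged-on user allowed to run it
    scripts: list        # allowed ScriptDef objects; empty list means "All"
    check_execution_path: bool = True
    check_file_path: bool = True
    validate_integrity: bool = True

def script_hash(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def authorize(m, host, user, cwd, script_path):
    """Return (allowed, reason); every enabled check must pass, deny otherwise."""
    if host != m.requestor_host or user != m.execution_user:
        return False, "requestor host or execution user not allowed"
    if not m.scripts:
        return True, "all scripts allowed"
    s = next((x for x in m.scripts if x.name == Path(script_path).name), None)
    if s is None:
        return False, "script not in mapping"
    if m.check_execution_path and Path(cwd).resolve() != Path(s.execution_path).resolve():
        return False, "execution path mismatch"
    if m.check_file_path and Path(script_path).resolve() != Path(s.file_path).resolve():
        return False, "file path mismatch"
    if m.validate_integrity and script_hash(script_path) != s.hash_hex:
        return False, "script integrity validation failed"
    return True, "allowed"

def demo():
    d = tempfile.mkdtemp()  # constructed scenario: allowed until the script is modified
    script = Path(d) / "getcred.py"
    script.write_text("print('fetch credential')\n")
    m = Mapping("app01", "svc_batch", [ScriptDef("getcred.py", d, str(script), script_hash(script))])
    before = authorize(m, "app01", "svc_batch", d, str(script))
    script.write_text(script.read_text() + "# tampered\n")
    return before, authorize(m, "app01", "svc_batch", d, str(script))
```

Running demo() returns the decision before and after the file is changed; with integrity validation enabled the second request is refused even though host, user and paths are unchanged.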