Specifying Privilege Elevation Commands and Applications

You can control access to specific commands and applications on Windows and Linux systems, and you can even specify which arguments a user can pass to a privileged command. You specify which commands and applications to restrict access to as part of your overall privilege elevation security controls.

Examples of Windows Elevated Privilege Commands and Apps

Here are some examples of Windows elevated privilege commands and applications, which you could include in a command set entitled "Windows Management Tools" or something similar:

| Privilege elevation command name | Application and Arguments | Path |
| --- | --- | --- |
| Server Manager | `ServerManager.exe` | Standard system path |
| Service Control Manager | `sc.exe` | Standard system path |
| Microsoft Management Console (MMC) | `mmc.exe` | Standard system path |

Examples of Linux Elevated Privilege Commands and Apps

Here are some examples of Linux elevated privilege commands and applications, which you could include in a command set entitled "Linux commands" or something similar:

| Privilege Elevation Command Name | Command | Glob or Regular Expression | Match Path | Description |
| --- | --- | --- | --- | --- |
| Edit SSH server config | `vi /etc/ssh/sshd_config` | Glob expression | Standard user path | Allows the granted user to edit the SSH server's config file but nothing else. |
| Edit SSH | `vi /etc/ssh/*_config` | Glob expression | Standard user path | Allows the granted user to edit any SSH-related configuration. |
| Change firewall | `iptables -A INPUT -s * -j ACCEPT` | Glob expression | Standard system path | Allows the granted user to change Linux firewall rules so specified hosts can make network connections. |
| Restart PostgreSQL | `systemctl restart pgsql` | Glob expression | Standard system path | Allows the granted user to restart the PostgreSQL service. |
| Linux Start/Restart Service | `^(systemctl) (restart\|start\|status) [a-zA-Z0-9_.-]*$` | Regular expression | Standard user path | Start/Restart the Linux services. |
| Linux Apache config file vi(m) | `^(vim?\|nano) (\/etc\/httpd\/conf\/httpd.conf)$` | Regular expression | Standard user path | vi or vim: edit the Apache httpd.conf file. |
| Linux CClient cache flush | `^(cflush).*` | Regular expression | Standard system path | The Delinea client cache flush. |
| Linux Reboot Machine | `(reboot)(?!.*?halt).*` | Regular expression | Standard system path | Reboot the Linux machine with options other than --halt. |
| Linux Show local security log | `^(cflush).*` | Regular expression | Standard user path | Show information from the local /var/log/secure to show command attribution to the individual user. |
| Linux Display sudoers | `(cat/more) \/etc\/sudoers` | Regular expression | Standard user path | Display the contents of the sudoers file. |
| Linux cat the shadow file | `(cat/more) /etc/shadow` | Regular expression | Standard user path | View the restricted /etc/shadow file. |

When you add or modify privilege elevation commands, you can also specify which user account the commands run as. The root user is the default. You can add one or more users under Run Command As.

About Linux Match Paths

When you specify a match path, you can select one of the following options:

  • Standard system path
  • Standard user path
  • System search path
  • Specify path

Here's how the match path maps to the binary directories on Linux systems:

| Path Setting | Included Directories |
| --- | --- |
| System Path | /sbin, /usr/sbin |
| User Path | /bin, /usr/bin |
| Search Path | /sbin, /usr/sbin, /bin, /usr/bin |

Here's a brief overview of how Linux uses each directory:

  • /bin: For binaries usable before the /usr partition is mounted. This directory holds the trivial binaries used in the very early boot stage or needed when booting into single-user mode, such as cat and ls.
  • /sbin: Same, but for binaries that require superuser (root) privileges.
  • /usr/bin: Same as /bin, but for general system-wide binaries.
  • /usr/sbin: Same as /usr/bin, but for binaries that require superuser (root) privileges.

For more details about glob and regular expressions, see About Glob Expressions and About Regular Expressions.

To Specify the Privilege Elevation Commands

  1. Navigate to Settings > Resources > Privilege Elevation Command.

  2. Click Add.

    The Add Command Settings page opens.

  3. Enter a name and description.

  4. Select the operating system: Windows or Linux.

  5. If you selected Windows:

    1. In the Application and Arguments field, enter the applications or command arguments that you want to control access to.

    2. For Match Path, specify whether to use the default path to the command or you can select Specify path and enter the path manually.

      Here's an example of how to specify the MMC console:

      (Screenshot: specifying the MMC console.)

  6. If you selected Linux:

    1. In the Command field, enter the applications or command arguments that you want to control access to.

    2. If you're using regular expressions, select that option. Otherwise, keep Glob expressions selected.

      If you plan to use regular expressions, note that regex support has been introduced in sudo 1.9.10, per https://www.sudo.ws/posts/2022/03/sudo-1.9.10-using-regular-expressions-in-the-sudoers-file/ . Make sure that the systems you plan to run these commands on are running at least that version of sudo.

      The default glob pattern matching enables you to specify a string using wild card characters. For example, with glob pattern matching, the command can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([. . .]).

      Here's an example of how to specify the command to restart PostgreSQL:

      (Screenshot: specifying the command to restart PostgreSQL.)

    3. Under Run Command As, select Root User.

      Or, you can configure a specific user so that the command runs as that user:

      1. Under Specific Users, select Add and enter the name of your user group.
      2. Select that group and continue.

  7. In the Match Path field, select the path where the command can be found.

    (Screenshot: selecting the match path.)

  8. Specify the priority.

    By default, the priority is set to 0 (zero), which indicates the lowest priority. You can specify any positive integer for this field. For example, you might want to set different privilege commands with different priorities if they have different runtime attributes (such as Bypass MFA enabled). At runtime, the privilege elevation command with the highest priority in the same operating system group is used.

  9. Click Save.

    The service saves the command (or range of commands) and the new specification displays in the list on the Privilege Elevation Command page. You can now grant access to these commands as discussed in Granting Privilege Elevation Access to Users.

Add a Set of Commands

  1. Go to Settings > Resources > Privilege Elevation Command and click Add in the Sets pane in the upper right.
  2. On the Create Set page, enter a Name and Description for the set and select a set Type.
  3. Click Save.

Privilege Elevation with Added Group Privileges for Windows

The Run as self with added administrative privileges option lets users run specific commands on Windows with added group membership.

  • The option is unchecked by default.

  • When the option is checked, the command will run with the user that is logged into the system but with added local Administrator privileges.

  • When the option is unchecked, Windows uses the local -priv user created for Privilege Elevation: aduser1@domain.test logs into the agent as itself and performs privilege elevation as the local account localmachine\aduser1-priv, which has admin privileges granted.

    (Screenshot: the Run as self with added administrative privileges option.)

About Glob Expressions

Glob pattern matching is text matching: for example, a glob pattern search for "app" returns anything with the exact name "app". Glob pattern matching is most often used in Unix shells or the Windows command window.

The glob standard gives special meaning to a few characters:

| Glob Character | Description | Example Pattern | Example Results |
| --- | --- | --- | --- |
| `*` (asterisk) | Matches any number of characters, including zero | `app*` | application, apple, app |
| | | `b*d` | bad, bud, bid, bGd, blood, burgundy's last spud |
| `?` (question mark) | Matches any one character | `b?d` | bad, bud, bid, bGd |
| `[ ]` (brackets) | Can contain any number of characters and matches exactly one character if it's contained between the brackets. | `the*brown*f?x j[au]*` | the quick brown fox jumps, the sly, silly brown fox jabbed |

For the complete documentation for the glob standard, see https://man7.org/linux/man-pages/man7/glob.7.html.

About Regular Expressions

Regular expression matching is similar to glob pattern matching but allows for more complex patterns. Regular expressions are useful for cases where you want to be more precise or strict with what the expression matches.

For example, suppose you restrict access to commands according to the glob expression `vi /etc/ssh/*conf*`. This pattern is too generous, because users can still run a command such as `vi /etc/ssh/../tinyproxy/tinyproxy.conf`: the asterisk matches any string, including path separators.

To prevent these kinds of workarounds, you can use regular expressions to more precisely define the matching pattern.

Regular expressions use the following special characters:

  • ^ (caret) "anchors" to the start of a line, thus ^foo will only match if "foo" is the first thing found on a text line
  • $ (dollar sign) "anchors" to the end of a line, thus foo$ will only match if "foo" is the last three characters on that line
  • . (period) matches any one character (like ? in glob)
  • ? (question mark) will match exactly zero or one occurrences of the character before it (for example: fa?o will match fao or fo)
  • * (asterisk) will match the previous character zero or more times (for example: fa*o will match fo, fao and faaaaaao)
  • + (plus sign) will match the previous character at least once and possibly more (for example: fa+o will match fao and faaaaaaaao but NOT fo)
  • .* (period asterisk) is the same as the bare asterisk * in glob patterns
  • [ ] (brackets) can surround "ranges" of explicitly enumerated characters ([aoeui] for all vowels), implied ranges ([a-z] for all lower-case letters from a to z or [0-9] for all numerals from zero to nine). You can combine ranges with ?, * and + to match certain repeats of specified ranges.
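As an added example (not from this page or Delinea's product), the following Python approximates how a client might evaluate a typed command line against a command set: Python's fnmatch stands in for the glob matcher, re for PCRE, and the command set, its priorities and the anchored sshd_config regex are constructed here as assumptions. It shows the traversal workaround from the text slipping past the glob but not the regex, and the highest-priority entry winning when two entries match.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ElevationCommand:
    name: str
    pattern: str
    kind: str           # "glob" or "regex"
    priority: int = 0   # 0 is the lowest priority, as described on the page
    run_as: str = "root"

    def matches(self, command_line: str) -> bool:
        if self.kind == "glob":
            # fnmatch stands in for the glob matcher: '*' matches any string
            # (including '/'), '?' one character, '[...]' a character class.
            return fnmatch.fnmatchcase(command_line, self.pattern)
        # Regex entries must anchor with ^ and $ where a full-line match is
        # intended; re.search mirrors an unanchored PCRE match.
        return re.search(self.pattern, command_line) is not None


# Constructed command set: three patterns from the page plus an anchored regex
# replacement (an assumption, not the page's) for the generous sshd_config glob.
COMMANDS: List[ElevationCommand] = [
    ElevationCommand("Edit SSH (generous glob)", "vi /etc/ssh/*conf*", "glob"),
    ElevationCommand("Edit SSH server config", r"^vi /etc/ssh/sshd_config$", "regex", priority=5),
    ElevationCommand("Linux Start/Restart Service",
                     r"^(systemctl) (restart|start|status) [a-zA-Z0-9_.-]*$", "regex"),
    ElevationCommand("Linux Reboot Machine", r"(reboot)(?!.*?halt).*", "regex"),
]


def matching_commands(command_line: str) -> List[ElevationCommand]:
    """Every entry in the set whose pattern accepts the command line."""
    return [c for c in COMMANDS if c.matches(command_line)]


def select_command(command_line: str) -> Optional[ElevationCommand]:
    """The entry used at runtime: the highest-priority match, or None if denied."""
    hits = matching_commands(command_line)
    return max(hits, key=lambda c: c.priority) if hits else None


if __name__ == "__main__":
    for line in ["vi /etc/ssh/sshd_config", "vi /etc/ssh/../tinyproxy/tinyproxy.conf",
                 "systemctl restart postgresql.service", "reboot --halt"]:
        chosen = select_command(line)
        print(f"{line!r:45} -> {chosen.name if chosen else 'denied'}")
```

Note that the traversal line is accepted only by the glob entry, so tightening that one entry to the anchored regex closes the gap without touching the rest of the set.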

Our service uses PCRE (Perl Compatible Regular Expressions). For the full documentation, see http://www.pcre.org/original/doc/html/.