Command Line Policy Type
Understanding the Keeper command-line policy setup and usage

Overview
On macOS and Linux systems, the Command-line policy manages the use of sudo as a standard user.
By default, Keeper has created a specific list of Linux commands which are eligible to be elevated by the standard user with sudo. If the request matches one of the eligible commands, Keeper will apply the policy and enforce approval, MFA or justification based on the policy details.
How it Works
After a command has been approved, the Keeper service temporarily adds the requested command to the sudoers file for the designated user.
Usage
When a Command-line policy is applied, Keeper uses a PAM module to override the sudo command with a new keepersudo command. Users can simply execute keepersudo to request approval, elevate with MFA or send a justification message.
If a user attempts to use sudo, they will be instructed with the new command:
ubuntu@ip-172-31-8-134:/home$ sudo systemctl restart nginx
ERROR: To run sudo, use keepersudo
If an elevation policy is applied, the user can execute the command using keepersudo:
ubuntu@ip-172-31-8-134:/home$ keepersudo systemctl restart nginx
Your Keeper Administrator requires approval for this action.
Please enter the reason for this request: Ticket SYS-4432 I need to restart nginx
Approval request has been submitted.
To refresh approval status run: keeperagent --refresh
After approval run: keeperagent --approval
The admin will receive the elevation request.

After the request has been approved, the user can run keeperagent --approval to execute the approved request.
ubuntu@ip-172-31-8-134:/home$ keeperagent --approval
You have 1 approved command:
1: /usr/bin/sudo /usr/bin/systemctl restart nginx (expires in 23 hours and 57 minutes)
To run an approved command, enter the number.
To see pending requests, type 'p'
To refresh approvals, type 'r'
Choose an option or 'e' to exit: 1
Managing Sudo Elevation
From the Admin Console > Endpoint Privilege Manager > Policies create a new policy. Select "Command Line" from the policy type and then "Enforce".

Command Line policies can be applied to specific users and machine collections. Select the machine collections to apply the policy.

Advanced Configuration
The "eligible" list of sudo commands is explicitly set in a file called ExecutableAllowlist.json.
On macOS, the file is located here:
/Library/Keeper/sbin/Plugins/bin/KeeperLeastPrivilegeEnforcer/Configuration/ExecutableAllowlist.json
On Linux systems, the file is located here:
/opt/keeper/sbin/Plugins/bin/KeeperLeastPrivilegeEnforcer/Configuration/ExecutableAllowlist.json
If the administrator would like to allow additional commands, this file must be modified on each endpoint. (Note: In an upcoming release, Keeper will be incorporating the list of allowed commands into the front-end UI and synced policy.)
Built-In User Behavior
Keeper does not modify the sudo permissions of the built-in user, e.g. ubuntu or ec2-user. Therefore, when a user is a member of a group with existing sudo permissions, attempts to elevate to sudo will not be limited to the list of ExecutableAllowlist.json commands. In other words, Keeper's service applies best effort to adhere to enforcement policies when the user has already been granted elevated access by the system administrator.
To ensure full control over the elevation rights, ensure that users are not part of a group with existing sudo membership.
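
An added check for the built-in user caveat above (example code, not part of Keeper's product or documentation): it lists the accounts that already receive sudo through the system's own sudoers entries and so are not limited to ExecutableAllowlist.json. The function name, the sample users and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that already hold sudo rights via sudoers.
# Assumption: only plain "user ..." and "%group ..." entries are resolved;
# aliases, included files and primary-group (passwd gid) membership are not.

# existing_sudo_users SUDOERS_FILE GROUP_FILE
# Prints one account name per line, sorted and de-duplicated, without root.
existing_sudo_users() {
    awk -F: '
        # Group database first: name:passwd:gid:member,member
        FILENAME == ARGV[1] { members[$1] = $4; next }
        # Sudoers text: skip comments, blanks, Defaults, aliases, includes
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*(Defaults|[A-Za-z]+_Alias|@include)/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t]+/); who = f[1]
            if (substr(who, 1, 1) == "%") {
                # Group grant: every listed member inherits it
                n = split(members[substr(who, 2)], m, ",")
                for (i = 1; i <= n; i++) print m[i]
            } else {
                print who
            }
        }
    ' "$2" "$1" | grep -v '^root$' | sort -u
}

# demo: run the check on constructed sample files (not from a real host).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/group" <<'EOF'
sudo:x:27:alice
admin:x:110:
devs:x:1001:bob,carol
EOF
    cat > "$dir/sudoers" <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
ubuntu ALL=(ALL) NOPASSWD:ALL
EOF
    existing_sudo_users "$dir/sudoers" "$dir/group"
    rm -rf "$dir"
}

demo
```

On a live host, `sudo -l -U <user>` reports the effective rights for one account, including aliases and included files that this parser does not resolve.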

