Discover / Add Applications, Processes, Commands
The essential aspect of privilege elevation and delegation is elevating the privileges for applications (in Windows) and allowing users to run specific commands with SUDO privileges in Linux.
To ensure that least privilege enforcement does not impact productivity, Securden provides the application control feature. You can 'allowlist' the trusted applications that can be installed/run with elevated privileges by standard users.
The term application refers to any Windows process/executable. When you install the Securden agent on Windows endpoints and servers, the applications that normally require admin privileges are automatically discovered and added here. You can also add applications manually.
In the case of Linux, you need to add the commands that are allowed or not allowed to be run with SUDO privileges. You can review the list and add any other application or command that needs to be controlled.
There are two ways in which you can add applications (in Windows) to Securden:
- Discovering and automatically adding applications
- Manually adding applications
Automatic Discovery of Applications
When you install Securden agents on endpoints and servers, the agents automatically start discovering the applications running at that time on the computers and add them to the applications inventory.
However, the discovery process is not an instant one; applications are discovered over a period of time. Typically, it takes about a couple of weeks to complete the process. This is because the agent discovers and adds only the applications that require elevated privileges and not all processes/applications unnecessarily.
You can view the discovered applications in the Admin >> Privilege Elevation and Delegation >> Applications and Commands section.
In the GUI that opens, all discovered applications are listed.
Adding Applications Manually
Automatic discovery takes time. If you want to add applications instantly, you can add them manually. To add applications, navigate to the Admin >> Privilege Elevation and Delegation >> Applications and Commands section in the GUI and click the Add button.
In the GUI that opens, you need to define the Windows applications through multiple attributes so Securden can identify them.
You need to specify the following details:
- Name: Provide a name to uniquely identify this application/command in Securden.
- Description: You can optionally give the application a brief description.
- Type: Type of application (exe, msi, msc, etc.).
- Attributes: Attributes could be digital signatures, actual file path, original file name and hash value of files. You may provide any number of attributes as desired that would help Securden identify the application.
Once you have filled in all the details, click Save.
Adding Linux Commands
To control which commands can be run (or cannot be run) with SUDO privileges on Linux machines, you need to add the commands in Securden. Navigate to the Admin >> Privilege Elevation and Delegation >> Applications and Commands section in the GUI, click the Add button, and select Linux Command as the type.
Be sure to specify the command with its absolute path. You can also pass parameters with the command.
Examples:
/usr/bin/apt-get
/usr/bin/apt-get install python2
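A pre-flight check an administrator could run on the Linux endpoint before adding a command entry, as an added example that is not part of Securden's documentation or product: it confirms the entry starts with an absolute path, resolves symlinks, and rejects a target whose file or directory has an unexpected owner or is writable by group or others. The function name `check_sudo_entry` and the owner/permission criteria are assumptions of this example, and it relies on GNU `stat -c` and `readlink -f`.

```shell
#!/bin/sh
# Added example (not Securden code): vet a Linux command entry before
# allowlisting it for SUDO elevation.
# Usage: check_sudo_entry "<absolute command> [parameters]" [expected_owner_uid]
check_sudo_entry() {
    entry=$1
    owner=${2:-0}        # assumption: elevated binaries should be owned by root
    cmd=${entry%% *}     # first token is the command; the rest are parameters

    case $cmd in
        /*) ;;
        *) echo "REJECT: '$cmd' is not an absolute path"; return 1 ;;
    esac

    # Resolve symlinks so the checks apply to the file that really runs.
    real=$(readlink -f "$cmd") || real=
    if [ -z "$real" ] || [ ! -f "$real" ] || [ ! -x "$real" ]; then
        echo "REJECT: '$cmd' does not resolve to an executable file"; return 1
    fi

    # The file and its directory must have the expected owner and must not be
    # writable by group or others, or the allowlisted path can be swapped out.
    for p in "$real" "$(dirname "$real")"; do
        perm=$(stat -c '%a' "$p")
        uid=$(stat -c '%u' "$p")
        if [ "$uid" != "$owner" ]; then
            echo "REJECT: $p is owned by uid $uid, expected $owner"; return 1
        fi
        if [ $(( 0$perm & 022 )) -ne 0 ]; then
            echo "REJECT: $p is writable by group or others (mode $perm)"; return 1
        fi
    done
    echo "OK: '$entry' resolves to $real"
}

# The two entries shown above; the verdict depends on the host this runs on.
for e in "/usr/bin/apt-get" "/usr/bin/apt-get install python2"; do
    check_sudo_entry "$e" || true
done
```
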
Step 3: Create Control Policies
After adding applications/commands, you need to define policies for seamless, on-demand elevation of applications for standard users. A policy specifies the list of applications that are to be elevated for specific users on specific computers.
For example, you can create a policy whitelisting the ADUC application and associate it with computers in 'Department A' for 'User X' and 'User group Y.' ADUC will be elevated for User X and all users of group Y on the computers in Department A.
Similarly, in the case of Linux, you can specify the commands that can be run with SUDO privileges by specific users/groups on specific computers.
Application control policies created here are to be associated with the needed computers and users or user groups.
To add application control policies, navigate to Admin >> Privilege Elevation and Delegation >> Control Policies section in the GUI.
You need to create policies separately for domain-joined computers, non-domain computers, and Linux.