Privileged Access Management¶
Version 1.0 | Classification: CONFIDENTIAL — Internal Use Only
Principles¶
All privileged access to GPUS-IT systems follows these controls:
- No persistent root sessions — admin work is performed via sudo; root shells are not used for routine tasks
- Full sudo audit trail — all sudo commands are logged by auditd and forwarded to WIND
- Just-in-time access — privileged sessions are terminated when the task is complete
- Dual-person rule (P1 incidents) — recommended to have a second person observing during emergency root-level changes
sudo Configuration¶
Each admin account has a dedicated /etc/sudoers.d/ file. The sudoers file itself is never edited directly.
# View current sudoers entries
sudo ls /etc/sudoers.d/
# Verify a specific entry
sudo cat /etc/sudoers.d/dnsadmin
All sudo usage is captured by auditd. Search recent sudo activity:
# On the server directly
sudo ausearch -m USER_CMD --start today
# In Kibana (WIND)
# Index: auth-logs-* | filter: process.name: sudo
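Forwarding the records to WIND is only useful if they can be read back reliably: auditd hex-encodes a cmd= value that contains spaces and quotes one that does not. The following Python is an added example, not part of this runbook, that decodes raw USER_CMD records and flags two things the principles above care about: commands that open an interactive root shell and commands sudo refused. The log lines, serial numbers and account ids are constructed.

```python
import re

# Constructed sample of raw auditd USER_CMD records (not real log data). auditd
# quotes a cmd= value that is plain text and hex-encodes one containing spaces,
# so records must be decoded before the command can be matched.
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1710410400.101:5001): pid=4101 uid=1001 auid=1001 ses=7 msg='cwd="/home/dnsadmin" cmd=73797374656D63746C2072657374617274206E616D6564 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1710410460.202:5002): pid=4120 uid=1002 auid=1002 ses=8 msg='cwd="/home/ops" cmd=2F62696E2F62617368202D6C exe="/usr/bin/sudo" terminal=pts/1 res=success'
type=USER_CMD msg=audit(1710410520.303:5003): pid=4133 uid=1002 auid=1002 ses=8 msg='cwd="/home/ops" cmd="/bin/sh" exe="/usr/bin/sudo" terminal=pts/1 res=failed'
"""

RECORD_RE = re.compile(r"^type=USER_CMD msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SHELLS = {"bash", "sh", "zsh", "dash", "ksh"}  # interactive shells run under sudo

def decode_value(key, quoted, raw):
    """Quoted values are returned verbatim; bare hex in cmd=/cwd= is decoded (pid/uid stay decimal)."""
    if quoted is not None:
        return quoted
    if key in ("cmd", "cwd") and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_user_cmd(line):
    """Parse one raw USER_CMD line into a dict; None for any other record type."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    epoch, serial, rest = m.groups()
    rest = re.sub(r"msg='(.*)'$", r"\1", rest)  # unwrap the nested msg='...' block
    rec = {"epoch": int(epoch), "serial": int(serial)}
    for f in FIELD_RE.finditer(rest):
        rec[f.group(1)] = decode_value(f.group(1), f.group(2), f.group(3))
    return rec

def review_sudo_log(text):
    """Return (serial, auid, decoded cmd, findings) for each USER_CMD record."""
    out = []
    for line in text.splitlines():
        rec = parse_user_cmd(line)
        if rec is None:
            continue
        findings = []
        argv = rec.get("cmd", "").split()
        if argv and argv[0].rsplit("/", 1)[-1] in SHELLS:
            findings.append("root-shell")  # breaks the no-persistent-root-session rule
        if rec.get("res") != "success":
            findings.append("denied")  # sudo refused the command; worth a follow-up
        out.append((rec["serial"], rec.get("auid"), rec.get("cmd"), findings))
    return out
```

Feed it the output of `ausearch -m USER_CMD --raw` from a server (the raw form, not the `-i` interpreted form, is what the decoder expects).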
SSH Key Management¶
SSH public key authentication is the only permitted remote login method on all four servers.
# List authorized keys for an account
sudo cat /home/<username>/.ssh/authorized_keys
# Verify SSH password auth is disabled
sudo grep "PasswordAuthentication" /etc/ssh/sshd_config
# Expected: PasswordAuthentication no
# Note: files Include'd from /etc/ssh/sshd_config.d/ can override this value; sshd -T prints the effective configuration
Key rotation schedule: annually, or immediately upon suspected compromise.
ESXi Console (Emergency Root)¶
Root-level console access via ESXi is reserved for:
- VM recovery when SSH is unavailable
- Boot-time troubleshooting
- Disaster recovery operations
All console access should be logged manually to /var/log/asset-inventory.log.
Planned Enhancement — Okta PAM¶
Okta Privileged Access Management will replace local sudo and key-based access with:
- Time-limited privileged sessions
- MFA-gated sudo elevation
- Centralized session recording
- Automatic credential rotation
See Okta Integration.
Pam · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only