Skill reviewed
skills/identity/privileged-access/SKILL.md
Gap
The current PAM review flags bypass paths, but it does not require evidence that PAM/JIT records reconcile against native platform logs. A PAM deployment can report high onboarding coverage while direct SSH, RDP, cloud console, database admin, Kubernetes, or local break-glass paths still allow privileged actions outside the broker.
False-positive scenario
An assessor accepts the PAM console's account coverage report as proof that privileged access is controlled. Native logs later show administrator sessions on production systems with no matching PAM session, approval, checkout, JIT activation, or emergency record.
Missed variants
- Direct SSH/RDP/database admin ports remain reachable from administrator workstations while PAM is deployed in parallel.
- Cloud admin roles are assumed through access keys, console sign-in, or alternate IdP paths that never traverse PAM/PIM.
- Kubernetes cluster-admin actions happen through unmanaged kubeconfigs outside the broker.
- Local admin accounts and service identities are excluded from onboarding metrics but still perform privileged actions.
- SIEM ingests PAM logs and native logs but does not correlate unmatched privileged events.
Edge cases
Emergency access paths can exist, but they need expiry, ticketing, monitoring, and post-use reconciliation. Native events should match an approved PAM/JIT/emergency record within an expected time window, or produce an alert.
Proposed remediation
Add a direct-access-bypass evidence gate that compares PAM/JIT logs against native platform logs and also covers network path restrictions, reconciliation tables, SIEM correlation expectations, output scorecard fields, and version history.
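As an added illustration of the reconciliation described under "Edge cases" and the evidence gate proposed above (example code written for this review, not part of the skill or any PAM product), the script below matches constructed native privileged events against constructed PAM/JIT/emergency records by principal and target within a time window, and turns the unmatched ones into alerts and scorecard fields. Field names, the 15-minute window, and all sample values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real environment). Native events come from
# host, cloud and Kubernetes audit sources; broker records come from PAM/JIT/emergency.
NATIVE_EVENTS = [
    {"source": "linux-auth", "principal": "alice", "target": "prod-db-01", "ts": "2024-05-01T10:02:00"},
    {"source": "cloud-sts", "principal": "bob", "target": "aws:AdminRole", "ts": "2024-05-01T11:30:00"},
    {"source": "k8s-audit", "principal": "carol", "target": "cluster-prod", "ts": "2024-05-01T12:05:00"},
    {"source": "rdp", "principal": "dave", "target": "prod-app-07", "ts": "2024-05-01T13:00:00"},
]
BROKER_RECORDS = [
    {"kind": "pam-session", "principal": "alice", "target": "prod-db-01", "ts": "2024-05-01T10:00:30"},
    # JIT activation far outside the window: treated as expired, so bob's event is unmatched
    {"kind": "jit-activation", "principal": "bob", "target": "aws:AdminRole", "ts": "2024-05-01T09:00:00"},
    {"kind": "emergency", "principal": "dave", "target": "prod-app-07", "ts": "2024-05-01T12:58:00"},
]
WINDOW = timedelta(minutes=15)  # assumed expected lead time between approval and use


def reconcile(native, records, window=WINDOW):
    """Return (matched, unmatched). An event matches when a broker record for the same
    principal and target was created within `window` before the native event."""
    matched, unmatched = [], []
    for ev in native:
        t = datetime.fromisoformat(ev["ts"])
        hits = [r for r in records
                if r["principal"] == ev["principal"] and r["target"] == ev["target"]
                and timedelta(0) <= t - datetime.fromisoformat(r["ts"]) <= window]
        entry = {**ev, "record": hits[0]["kind"] if hits else None}
        (matched if hits else unmatched).append(entry)
    return matched, unmatched


def scorecard(native, records, window=WINDOW):
    """Scorecard fields the evidence gate would emit, plus one alert per bypass."""
    matched, unmatched = reconcile(native, records, window)
    return {
        "native_privileged_events": len(native),
        "matched": len(matched),
        "unmatched": len(unmatched),
        "bypass_rate": round(len(unmatched) / len(native), 2) if native else 0.0,
        "alerts": [f"{e['source']}: {e['principal']}@{e['target']} at {e['ts']} "
                   f"has no PAM/JIT/emergency record within {window}" for e in unmatched],
    }


if __name__ == "__main__":
    for line in scorecard(NATIVE_EVENTS, BROKER_RECORDS)["alerts"]:
        print(line)
```

A real gate would also need to key on session identifiers where the broker records them, because principal plus target alone cannot distinguish two sessions by the same administrator inside one window.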
Bounty note
If accepted under the project bounty terms, payment details can be provided privately through the maintainer's preferred channel.