05/08/2023 07:30 AM
We are trying to set up the basic PAM use cases for the Linux platform in a POC environment. To do that we have deployed an on-prem Linux server, configured the master connection in Saviynt, and provisioned the Linux local accounts. However, we are stuck in PAM bootstrapping these local Linux accounts. Below are the detailed steps performed so far; can anyone please guide us with the next steps?
Steps performed:
{
  "Connection":"On-Premise",
  "encryptionMechanism":"ENCRYPTED",
  "EVQuery":"ev.customproperty40='PAM_BOOTSTRAP'",
  "UNIX":{
    "defaultCredentialConnection":{
      "changeConnectionCredentials":true,
      "connectionName":"UNIXPOCMaster"
    },
    "defaultSecuritySystemDetails":{
      "securitySystemName":"UNIXPOC",
      "workflow":"AutoWorkflow",
      "passwordPolicy":"POC_Password_Policy"
    },
    "actions":{
      "restricted":"visudo,apt,install,iptables,rm,mkfs,alias,ssh,telnet,scp,kill,shutdown,passwd,cron,traceroute",
      "risky":{
        "high":"file,wget,scp,curl,df,chmod,chown,echo,exit,uname,netstat",
        "medium":"yum,sudo,cat,vi,touch,find,history,awk,grep"
      }
    },
    "shareableAccounts":{
      "IDQueryCredentialless":"acc.name like ('linuxadmin%')",
      "IDQueryCredentials":"acc.name like ('linuxpocuser%')"
    },
    "maxConcurrentSession":"51",
    "maxCredSessionRequestTime":"14400",
    "maxCredlessSessionRequestTime":"14400",
    "maxIDRequestableTime":"86400",
    "skipOpenPorts":"true",
    "skipPushKeys":"true",
    "endpointAccessQuery":"where users.USERNAME is not null"
  }
}
05/10/2023 09:29 AM
@Sankhadeep It appears that the steps followed are not appropriate.
The rule of thumb is that every target is represented by 3 objects in Saviynt: Connection, Security System and Endpoint. As you are onboarding on-premise workloads, you will first need a connection, security system and endpoint to represent your on-prem itself. This is covered in the sections "Creating an On-Premise Connection", "Configuring a Security System" and "Creating an Endpoint" of the article Configuring-PAM-for-OnPremises.
Then we will need the same 3 objects for every workload being onboarded. The master connection for Unix acts like a template so that EIC creates individual connections for every Linux server being onboarded. And PAM_CONFIG in the On-premise connection defines how each server type (Linux, Windows, DB) has to get onboarded to Saviynt. The onboarding process itself is explained here: Discover-On-Premise-Workloads. Please note that PAM_CONFIG is always present in the platform-level connections (AWS, GCP, On-Premise) and not in the individual workload connections.
And finally, in the PAM_CONFIG keep the value of "securitySystemName" as new itself. This indicates to the system that for every Linux/Windows/DB server being onboarded a new security system will be created.
Please go through the articles once more and retry the bootstrap process.
Thanks,
Nagesh K
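A pre-flight check I would run over a PAM_CONFIG before retriggering bootstrap, as an added example that is not Saviynt's code or the thread's own configuration: the sample dict is constructed from the config posted above (trimmed), the checks follow the reply's guidance on "securitySystemName", and the key names are assumed from the posted JSON.

```python
import re

# Constructed sample, trimmed from the PAM_CONFIG in the thread; only the
# keys visible there are inspected. The curly quote in EVQuery is deliberate
# so the check below has something to catch.
SAMPLE_CONFIG = {
    "EVQuery": "ev.customproperty40=\u2019PAM_BOOTSTRAP'",
    "UNIX": {
        "defaultSecuritySystemDetails": {"securitySystemName": "UNIXPOC"},
        "actions": {
            "restricted": "visudo,apt,scp,ssh,rm,passwd",
            "risky": {"high": "file,wget,scp,curl", "medium": "yum,sudo,cat"},
        },
        "shareableAccounts": {
            "IDQueryCredentialless": "acc.name like ('linuxadmin%')",
            "IDQueryCredentials": "acc.name like ('linuxpocuser%')",
        },
    },
}

SMART_QUOTES = re.compile("[\u2018\u2019\u201c\u201d]")

def split_cmds(value):
    return [c.strip() for c in value.split(",") if c.strip()]

def lint_pam_config(cfg):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    unix = cfg.get("UNIX", {})
    # 1. Word-processor quotes pasted into the HQL queries break them quietly.
    queries = [("EVQuery", cfg.get("EVQuery", ""))]
    queries += list(unix.get("shareableAccounts", {}).items())
    for key, val in queries:
        if SMART_QUOTES.search(val):
            findings.append(f"{key}: contains a curly quote; use plain ' only")
    # 2. Per the reply above, the template keeps securitySystemName as "new"
    #    so each onboarded server gets its own security system.
    name = unix.get("defaultSecuritySystemDetails", {}).get("securitySystemName")
    if name != "new":
        findings.append(f"securitySystemName is {name!r}; template expects 'new'")
    # 3. A command listed in two tiers (scp appears in both restricted and
    #    risky.high in the posted config) is most likely a copy-paste slip.
    actions = unix.get("actions", {})
    tiers = {"restricted": split_cmds(actions.get("restricted", ""))}
    for level, cmds in actions.get("risky", {}).items():
        tiers[f"risky.{level}"] = split_cmds(cmds)
    seen = {}
    for tier, cmds in tiers.items():
        for c in cmds:
            if c in seen:
                findings.append(f"command {c!r} in both {seen[c]} and {tier}")
            seen.setdefault(c, tier)
    return findings
```

Run it as `lint_pam_config(json.load(open("pam_config.json")))` on the real file before the bootstrap job; an empty list is the goal.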
05/11/2023 01:58 AM
Thanks @NageshK
I followed the steps as per the guide
- Configuring PAM for On-Premises (saviyntcloud.com)
While configuring the PAM bootstrap microservice job, we need to provide the sskey details in the URL value. Do you know where I can find the sskey value?
05/16/2023 08:18 AM - edited 05/16/2023 08:18 AM
@Sankhadeep As discussed on 05/12, bootstrap was successful after adding the entitlement types and triggering the Extension jar. Also, as suggested, please use proper names for the objects (Connection, SS and EP) representing Onprem so that it is easier to identify them.
If there are no further questions, please confirm the solution and we can close this thread.
Thanks,
Nagesh K
05/18/2023 07:51 AM
Hi Nagesh,
I have shared the Linux logs with you on 16th May. PAM bootstrapping failed as the password change failed after account onboarding.
05/22/2023 06:45 AM
@Sankhadeep Since change pwd is working fine for the credentials-based account, can you try placing one of the credless accounts (IDQueryCredentialless) into the cred section (IDQueryCredentials) and retrigger bootstrap?
Thanks,
Nagesh K
10/24/2023 05:40 PM
Hello, noob here, trying to get the master Linux connection to work. Did you have to upload a .pem file to File Directory -> Connector Files, and if so, what is the path to be specified? I have used the template as is with no changes. I keep getting "test connection failed". Any insight or help would be appreciated.
Thank you!