Cyberark-PSMP - PSM for SSH Servers


In this article I will discuss CyberArk PSMP, PSM and SSH servers.

THE PROBLEM
  • PSM is not sufficient for Network and Linux Targets
  • Unix, Linux systems are usually critical and are not centrally managed
  • Unix Administrators understandably will be reluctant to change their existing workflow and tool set to accommodate a new security layer.
  • The solution is to integrate seamlessly with the existing business process, using PSM for SSH Servers.
 
Privileged Session Manager SSH Proxy (PSMP) - To Isolate, Monitor and Control *NIX Family Server/Network Accounts
  • The Privileged Session Manager SSH Proxy (PSMP) enables organizations to secure, control and monitor privileged access to network/*NIX devices (only SSH protocol).
  • The PSMP is installed on a dedicated machine that has access to the Vault and to the target systems.

 


 

A - Supported O.S
  • Red Hat Enterprise 7.x versions and 8.x versions
  • CentOS Linux 7.x and 8.x versions
  • SUSE Linux Enterprise Server 11 SP4 or 12 - 12 SP5
  • PSM for SSH can be installed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platforms
 
B - Minimum Server Requirements
  • Quad Core processor (Intel compatible)
  • 10 GB disk space for installation, and an additional 40 GB of space for workspace
  • Minimum 8 GB RAM
 
C -  PSMP Package (will be provided by CyberArk professional Services or Sales Team or https://support.cyberark.com/SFE/Logon.aspx)
 
D - AD Bridge - Configure LDAP integration so that users and groups will be provisioned in the Vault automatically.
  • 2nd Factor with Radius - Vault must be integrated with Radius Server #Not mandatory
E -  Automated hardening - The PSMP server is automatically hardened during installation on the following platforms:
  •  RedHat Linux v7.0 and above
  •  CentOS v7.0 and above
  • This hardening enforces security best practices recommended for these platforms.
 
INSTALLATION STEPS
  1. Copy the PSM for SSH servers software to the server
  2. Create administrative users on the PSMP machine for future administrative access
  3. Edit the vault.ini file of the installation package to tell the installer where to find the Vault on the network
  4. Create a credential file for the built-in Administrator user for the installer
  5. Edit the psmpparms file to define the installation path and accept the Software License Agreement
  6. Install software dependencies and the RPM package
 
A - Configure PSMP Linux 
  • vi /etc/hosts
               192.168.64.165   psmp.cyberlab.com
  • vi /etc/resolv.conf
               nameserver 192.168.64.50

 

  • vi /etc/sysconfig/network-scripts/ifcfg-enxxxx
                        ONBOOT="yes"
  • Verify configuration
    • systemctl restart network
    • hostname
    • hostname -i
    • cat /etc/redhat-release
    • ifconfig
  • Create an administrative user for management tasks on the PSMP (additional users are specified in the PSMP_MaintenanceUsers parameter in the sshd_config configuration file)
        useradd admin1 -G wheel
        passwd admin1
        visudo         # remove the leading # from the wheel line
        su - admin1
        sudo -l        # verify sudo access
 
B - Installation #as root user
 
  • mkdir /var/PSMP/
  • Copy binaries to PSMP directory via WinSCP or SFTP
  • chmod -R 777 /var/PSMP/
  • Prepare vault.ini
        Vault = "cyberlab.com"
        Address = 192.168.64.180
        Port = 1858
 
  • Create CredFile
        chmod 755 CreateCredFile
        ./CreateCredFile user.cred
        (enter the Vault Administrator user name and password when prompted)
  • Copy/move PSMP Parameter sample file
        cp psmpparms.sample /var/tmp/psmpparms
        vi /var/tmp/psmpparms
            InstallationFolder=/var/PSMP
            InstallCyberArkSSHD=Yes
            Hardening=Yes
            AcceptCyberArkEULA=Yes
        chmod -R 777 /var/tmp/psmpparms
  • SELinux must be enabled (if it is permissive or disabled, change it to enforcing and restart the server)
        vi /etc/sysconfig/selinux
            SELINUX=enforcing
  • Install PSMP RPM
        Run the RedHat installation package:
        rpm -ivh CARKpsmp-x.xx-xx86_64.rpm
Preparing...                          ################################# [100%]
Installation process is starting...
Updating / installing...
   1:CARKpsmp-x.xx.x-xx      ################################# [100%]
Starting PSM SSH Proxy...
PSM SSH Proxy was started successfully.
Starting PSMP ADBridge...
PSMP ADBridge was started successfully.
Loading PSMP SELinux policy...
Note: Forwarding request to 'systemctl enable auditd.service'.
Redirecting to /bin/systemctl reload  auditd.service
Machine hardening was completed successfully.
Installation process was completed successfully.
 
  • Verify Installation
    • Review the following installation log files to confirm that the installation completed successfully or to find errors that occurred:
      • /var/tmp/psmp_install.log : This log file describes the activities that occurred during the installation process
      • /var/opt/CARKpsmp/logs : The log files in this directory describe the activities that occurred when the Vault environment for PSM for SSH servers was created
    • Check the service status:
      • service psmpsrv status
      • service sshd status
 
C - Repairing the PSM for SSH Installation
  • To repair the PSM for SSH installation, use the following command:
        rpm -Uvh --force CARKpsmp-<version>-<build number>.x86_64.rpm
  • CyberArk PSMP uninstall:
    • If InstallCyberArkSSHD = Yes or InstallCyberArkSSHD = No, use:
        rpm -e CARKpsmp
    • If InstallCyberArkSSHD = Integrated, use:
        rpm -e CARKpsmp
        rpm -e CARKpsmp CARKpsmp-infra
  • Use the following command to check that PSM for SSH has been uninstalled:
        rpm -q CARKpsmp
 
  • Run the EnvManager tool in TeardownEnv mode on the PSMP machine to delete the PSMP environment on the Vault:
        /opt/CARKpsmp/bin/envmanager "TeardownEnv" -AcceptEULA "Y" -CredFile "/tmp/user.cred" -PSMPAppUser "PSMPAppUser_PSMP1" -PSMPGWUser "PSMPGWUser_PSMP1"
  • Restart the sshd service for these changes to take effect:
        /etc/init.d/sshd restart
 
D - Post-Installation Environment
  • Impact on Vault
    • 3 Safes
      • PSMPADBridgeConf – This Safe contains the main PSMP-ADBridge configuration files used by the PSMP. It is configured to clear history every five days.
      • PSMPADBUserProfile – This Safe contains the configuration files that define customized profiles for provisioned users.
      • PSMPADBridgeCustom
    • 3 Users
      • PSMPApp_psmp.cyberlab.com - A unique user is created to enable the PSMP to authenticate to the Vault and retrieve passwords.
      • PSMPGW_psmp.cyberlab.com - The Gateway account is used to connect all users to the Vault through the PSMP
      • PSMP_ADB_psmp.cyberlab.com = Group (PSMP_ADB_AppUsers) - A unique user is created to enable the PSMP to integrate with AD Bridge capabilities
    • 1 Group
      • PSMP_ADB_AppUsers
  • Impact on Local PSMP server
    • Service
      • Monitoring the PSM for SSH servers service
            service psmpsrv {start | stop | restart | status} [{psmp|psmpadb}]
      • Monitoring the sshd daemon service
            service sshd [status | stop | start]
 
    • Configuration Files
      1. Executables
            rpm -q CARKpsmp    # query the installed PSMP version
            rpm -e CARKpsmp    # uninstall PSMP
 
         PSMP executables, SDK, libraries:
            /opt/CARKpsmp/bin
            /opt/CARKpsmpadb
 
      2. Configuration
            cd /etc/opt/CARKpsmp/conf     # basic configuration file
                basic_psmpserver.conf
 
            cd /etc/opt/CARKpsmp/vault    # vault.ini and cred files
                vault.ini
    • Log files
            cd /var/opt/CARKpsmp/logs
      • PSMPConsole.log contains informational messages and errors that refer to PSM function. This log is meant for the system administrator who needs to monitor the status of the PSM for SSH servers.
      • PSMPTrace.log contains errors and trace messages. The types of messages that are included depend on the debug levels specified in the main configuration file.
    • Recording Live Session
            cd /var/opt/CARKpsmp/recordings
    • ADBridge
      • To set the trace level
            vi /var/opt/CARKpsmpadb/main_psmpadbridge.conf.linux.10.06
      • Logs
            cd /var/opt/CARKpsmpadb/logs
                ADBConsole.log
                ADBTrace.log
      • Main config file
            main_psmpadbridge.conf.linux.xx.xx
    • Log Level (change only if an issue occurs, and only together with CyberArk Support)
      • PVWA = Administration = Options = Privileged Session Management = General Settings = Server Settings = TraceLevels = 1,2,3,4,5
      • PVWA = Administration = Options = Privileged Session Management = General Settings = Connection Client Settings = TraceLevels = 1,2
      • vi /etc/ssh/sshd_config
            PSMP_OpenSSHTraceLevel 1,2
            PSMP_OpenSSHLogFolder /var/opt/CARKpsmp/logs/components
 
    • /opt/CARKpsmp/bin/
      • PSM for SSH server
      • createenv
      • createcredfile
  • Changes in the PVWA (Platform and Options)
      • Assign an AD user to the Linux Safe (TestLinuxSafe) with the Linux target server account configured
      • Modify the Linux target server platform (Unix via SSH), under PVWA = Administration:
            UI Workflow = Privileged Session Management = DisableDualControlForPSMConnections = Yes
            UI Workflow = Privileged Session Management = SSH Proxy EnableSSHTunneling = Yes
      • Verify:  UI Workflow = Connection Components = PSMP-SSH = Yes
    • PVWA = Administration = Options = Privileged Session Management = General Settings = Server Settings = SSH Proxy Settings
            AuthenticationMethod = LDAP
     

 
  • Testing (Execution of Use Cases)
e.g. - Rotem@radmin01@192.168.202.211@192.168.202.142
 
AD User@Target Account@Target Server@PSMP Server2
 
 
  • After installation of PSMP, the root user is not allowed to log in. If root login is required:
    • vi /etc/ssh/sshd_config
      • PermitRootLogin Yes
    • systemctl restart sshd
 
           

 
PSM for SSH Servers Hardening and Security
  • The PSMP is automatically hardened during installation
  • Additional manual hardening steps are required from the Linux administrator
                   

  • Disable root access - root user will not be able to authenticate to the PSM for SSH servers remotely using password, after hardening
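
The following is an added example, not part of the original article and not CyberArk tooling: a read-only shell audit of the settings this walkthrough changes (PermitRootLogin in sshd_config, SELINUX=enforcing, Hardening=Yes in psmpparms, and files left world-writable by chmod -R 777). The function names kv_get, sshd_global, psmp_audit and make_sample are hypothetical, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not CyberArk tooling; function names are hypothetical.

# Value of KEY in a KEY=value file (psmpparms, SELinux config): first
# uncommented match, surrounding whitespace and double quotes stripped.
kv_get() {  # kv_get <file> <key>
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v; exit }' "$1"
}

# Global value of an sshd_config keyword, printed lower-cased. Keywords are
# case-insensitive, sshd uses the first occurrence, and lines after a Match
# line are conditional, so the scan stops there. Include files are not followed.
sshd_global() {  # sshd_global <file> <keyword>
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }' "$1"
}

# Print one finding per line; no output means every check passed.
psmp_audit() {  # psmp_audit <sshd_config> <selinux_config> <psmpparms> <path>...
    sshd=$1; selinux=$2; parms=$3; shift 3
    if [ "$(sshd_global "$sshd" PermitRootLogin)" = yes ]; then
        echo "sshd: PermitRootLogin yes"
    fi
    if [ "$(kv_get "$selinux" SELINUX)" != enforcing ]; then
        echo "selinux: SELINUX is not enforcing"
    fi
    if [ "$(kv_get "$parms" Hardening)" != Yes ]; then
        echo "psmpparms: Hardening is not Yes"
    fi
    # Files any local user can modify (o+w), as left behind by chmod -R 777.
    find "$@" -type f -perm -0002 2>/dev/null | sed 's/^/perm: world-writable /'
}

# Constructed sample files mirroring the state the walkthrough leaves behind.
make_sample() {  # make_sample <dir>
    printf '# PermitRootLogin no\nPermitRootLogin Yes\nPermitRootLogin no\n' > "$1/sshd_config"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/selinux"
    printf 'InstallationFolder=/var/PSMP\nHardening=Yes\n' > "$1/psmpparms"
    : > "$1/user.cred"
    chmod 644 "$1/sshd_config" "$1/selinux"; chmod 777 "$1/psmpparms" "$1/user.cred"
}

d=$(mktemp -d) && make_sample "$d"
psmp_audit "$d/sshd_config" "$d/selinux" "$d/psmpparms" "$d"
```

On a PSMP host, the same function can be pointed at the paths used in this article: psmp_audit /etc/ssh/sshd_config /etc/sysconfig/selinux /var/tmp/psmpparms /var/PSMP /var/tmp/psmpparms.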
 
___________________________________________________________
 
Using SFTP for Remote File Transfer from the Command Line

https://linuxize.com/post/how-to-use-linux-sftp-command-to-transfer-files/
https://cat.pdx.edu/platforms/linux/remote-access/using-sftp-for-remote-file-transfer-from-command-line/

The SSH File Transfer Protocol allows you to transfer files from the command line via SSH between a local computer and a specified remote computer. Like SSH, SFTP can be run natively from the shell. This is true of macOS and Linux machines, and is also true of any up-to-date Windows 10 PC.
 
 
1 - Instantiating an SFTP Connection with a Remote Host
 
sftp username@hostname
sftp root@192.168.100.80
 
2 - Remote Directory Navigation
Use cd .. in order to move to the parent directory, e.g. from /home/Documents/ to /home/.
 
 
3 - Local Directory Navigation
 
lls, lpwd, lcd 
 
4 - Transferring Files
 
A - Downloading Files with the SFTP Command
 
To download a single file from the remote server, use the get command at the sftp prompt:
sftp> get filename.zip
 
To download a directory from the remote system:
sftp> get -r remote_directory
 
 
B - Uploading Files with the SFTP Command
 
To upload a file from the local machine to the remote SFTP server, use the put command at the sftp prompt:
sftp> put filename.zip
 
 
To upload a local directory, you would type:
sftp> put -r local_directory