- Created by Pavel Golubnichiy, last modified on Jun 17, 2023
PamSu
The PamSu component enables PAM users to run commands with root privileges using the password of their own AD user account.
Installation is performed manually on each Linux resource on which you need to run commands with root privileges.
Installation
Components are placed in the IndeedPAM_2.8\IPAM\PAMSU\ folder.
Choose the ossl build to use static OpenSSL libs from the pamsu package:
IndeedPAM_2.8\IPAM\PAMSU\Indeed Identity.PAM.PamSu-ossl*.x64.deb
IndeedPAM_2.8\IPAM\PAMSU\Indeed Identity.PAM.PamSu-ossl*.x64.rpm
Choose the no-ossl build if pamsu cannot work with static OpenSSL libs and needs to use OpenSSL from the Operating System.
IndeedPAM_2.8\IPAM\PAMSU\Indeed Identity.PAM.PamSu-no-ossl*.x64.deb
IndeedPAM_2.8\IPAM\PAMSU\Indeed Identity.PAM.PamSu-no-ossl*.x64.rpm
Copy the pamsu installation package to the resource and run the command for your package format:
$ sudo dpkg -i Indeed.PAM.PamSu*.deb
$ sudo rpm -i Indeed.PAM.PamSu*.rpm
Configuration
On the resource, you must configure trust for the certificate of the web server that hosts Core and IdP. You can check that the certificate is trusted by running the command below; if the certificate chain is not trusted, curl fails with a certificate verification error instead of returning the page:
$ curl https://pam.indeed-id.local
Open the /etc/pamsu.conf file in any editor with root privileges and specify the idp_url, core_url, log_path and log_level settings:
- idp_url - IdP URL address
- core_url - Core URL address
- log_path - path to the folder with log files
- log_level - logging level, can be INFO, WARN, ERROR, FATAL
Example:
Set idp_url https://pam.indeed-id.local/idp
Set core_url https://pam.indeed-id.local/core
Set log_path /var/log
Set log_level INFO
On some Linux systems, the SSH server does not accept the LC_* environment variables from clients by default. For the application to work correctly, add the following line to the /etc/ssh/sshd_config file:
AcceptEnv LC_PAM_USER LC_PAM_SESSION_ID
or simply
AcceptEnv LC_*
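As an added check that is not part of the original page or of the pamsu package, the following Python script verifies that sshd_config accepts LC_PAM_USER and LC_PAM_SESSION_ID for every connection and flags the broader LC_* wildcard, which accepts more client-supplied variables than pamsu needs. It reads the file directly and, by assumption, does not follow Include directives or count directives inside Match blocks, which only apply conditionally; `sshd -T` shows the effective configuration when in doubt.

```python
"""Check sshd_config for the AcceptEnv directive pamsu relies on."""
import fnmatch
import re
import sys

# Variables pamsu passes over SSH, as named on this page.
PAMSU_ENV_VARS = ("LC_PAM_USER", "LC_PAM_SESSION_ID")


def global_acceptenv_patterns(config_text):
    """Return AcceptEnv patterns that apply to every connection.

    Parsing stops at the first Match block: an AcceptEnv placed inside a
    Match block only applies to sessions matching that block, so it looks
    correct but does not cover every pamsu session. Include is not followed.
    """
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config separates keyword and arguments by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break
        if keyword == "acceptenv" and len(parts) == 2:
            patterns.extend(parts[1].split())
    return patterns


def check_pamsu_acceptenv(config_text):
    """Return (ok, findings): ok is True when both variables are accepted."""
    patterns = global_acceptenv_patterns(config_text)
    findings = []
    for var in PAMSU_ENV_VARS:
        # OpenSSH patterns use '*' and '?', which fnmatch handles the same way.
        if not any(fnmatch.fnmatchcase(var, p) for p in patterns):
            findings.append(f"{var} is not accepted by any global AcceptEnv directive")
    for p in patterns:
        if "*" in p or "?" in p:
            findings.append(f"wildcard pattern {p!r} accepts more client variables than pamsu needs")
    ok = not any("not accepted" in f for f in findings)
    return ok, findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path, encoding="utf-8") as fh:
        result_ok, result_findings = check_pamsu_acceptenv(fh.read())
    print("OK" if result_ok else "MISSING", *result_findings, sep="\n")
```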
PAM Agent
Indeed Identity PAM Agent must be installed directly on the resources to enable RDP text logging.
If the agent is not installed on the resource and the Save text logs option is enabled in the policy, the user session is aborted automatically after one minute.
After PAM Agent is installed, reboot the computer or log out and log in again. No additional configuration is required.
PAM Desktop Console
Configuring for Domain computers
- Copy the contents of the \IPAM\IPAMDC\PolicyDefinitions folder on the domain controller to the C:\Windows\sysvol\domain\policies\PolicyDefinitions folder
- On the domain controller, start the Group Policy Management Console snap-in
- Select the required GPO, go to the section Computer Configuration\Policies\Administrative Templates\Indeed PAM\General\
- Set the policy to Enabled and fill in the PAM connection settings
- Update group policy on the user's computer
Configuring for computers to which domain policies are not applied
- Copy the contents of the \IPAM\IPAMDC\PolicyDefinitions folder to the C:\Windows\PolicyDefinitions folder
- Start the Local Group Policy Editor (gpedit.msc)
- Go to the section Computer Configuration\Policies\Administrative Templates\Indeed PAM\General\
- Set the policy to Enabled and fill in the PAM connection settings
Writing events to Syslog
- Go to the C:\inetpub\wwwroot\ls\targetConfigs folder, create a copy of the sampleSyslog.config file and rename it to Syslog.config, then edit the file according to the settings below.
Attributes of the <Settings> element:
- HostName - Syslog server name
- Port - Syslog port number
- Protocol - Syslog connection type: TCPoverTLS, TCP, UDP
- Format - logging format: Plain, CEF, LEEF
- SyslogVersion - syslog protocol version: RFC3164, RFC5424
Example:
<Settings HostName="localhost" Port="5081" Protocol="TCP" Format="CEF" SyslogVersion="RFC3164" />
In the C:\inetpub\wwwroot\ls\clientApps.config file, edit the pam Application section so that it also writes to the Syslog.config target: add a new TargetId under WriteTargets:
<Application Id="pam" SchemaId="Pam.Schema">
  <ReadTargetId>mssqlDB</ReadTargetId>
  <WriteTargets>
    <TargetId>mssqlDB</TargetId>
    <TargetId>Syslog</TargetId>
  </WriteTargets>
  <AccessControl>
    <!--<CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" />-->
  </AccessControl>
</Application>
In the Targets section, add a new Target element whose Id is the same as the targetConfig file name without the extension:
<Targets>
  ...
  <Target Id="mssqlDb" Type="mssql"/>
  <Target Id="Syslog" Type="syslog"/>
</Targets>