This guide assumes the following prerequisites are already in place:
- An active Domain Environment using Windows Server 2008 R2 or newer.
- A physical Syslog-ng Store Box (SSB) appliance.
Before starting, please review the permissions for the User, Operator, and Administrator access within the IPMI via the table directly below:

1.) Start by logging into Active Directory Users and Computers.
2.) Next, locate the Organizational Unit (OU) in which the 3 security groups will be created for access to the IPMI.
3.) Start by creating the User group.
3.a) Right-click and select New > Group
3.b) Enter a Group name for this group. Any name can be used, but note that this group only applies "User" permissions to its members.
3.c) The Group scope should be "Global" and the Group type should be "Security".
3.d) Click OK.
4.) Next, create the Operator group.
4.a) Right-click and select New > Group
4.b) Enter a Group name for this group. Any name can be used, but note that this group only applies "Operator" permissions to its members.
4.c) The Group scope should be "Global" and the Group type should be "Security".
4.d) Click OK.
5.) Next, create the Administrator group.
5.a) Right-click and select New > Group
5.b) Enter a Group name for this group. Any name can be used, but note that this group will apply "Administrator" permissions to its members.
5.c) The Group scope should be "Global" and the Group type should be "Security".
5.d) Click OK.
6.) Now that the 3 groups have been created, members can be added to each group based on the permissions desired for those accounts.
7.) Navigate to the IPMI of the Syslog-ng Store Box (SSB) via a web browser.
8.) Log into the IPMI with the ADMIN account and navigate to Configuration > Active Directory.
9.) Left-click on Role Group ID number 1 to highlight this group and then left-click on the option "Modify Role Group".
10.) A new page will appear. Fill it out as follows:
10.a) Role Group Name: - This is the group name created for "User" privileges only.
10.b) Role Group Domain: - This will be the Fully Qualified Domain Name (FQDN) of the domain being authenticated against.
10.c) Role Group Privilege: - Left-click the drop-down and choose "User".
10.d) Left-click on the "Modify" option to apply the changes made. A small window at the top of the page may appear stating the changes were successful; if so, left-click "OK" when prompted.
11.) The page will redirect back to the Active Directory options page. Continue by left-clicking on Role Group ID number 2 to highlight this group, and then left-click on the option "Modify Role Group".
12.) A new page will appear. Fill it out as follows:
12.a) Role Group Name: - This is the group name created for "Operator" privileges only.
12.b) Role Group Domain: - This will be the Fully Qualified Domain Name (FQDN) of the domain being authenticated against.
12.c) Role Group Privilege: - Left-click the drop-down and choose "Operator".
12.d) Left-click on the "Modify" option to apply the changes made. A small window at the top of the page may appear stating the changes were successful; if so, left-click "OK" when prompted.
13.) The page will redirect back to the Active Directory options page. Continue by left-clicking on Role Group ID number 3 to highlight this group, and then left-click on the option "Modify Role Group".
14.) A new page will appear. Fill it out as follows:
14.a) Role Group Name: - This is the group name created for "Administrator" privileges.
14.b) Role Group Domain: - This will be the Fully Qualified Domain Name (FQDN) of the domain being authenticated against.
14.c) Role Group Privilege: - Left-click the drop-down and choose "Administrator".
14.d) Left-click on the "Modify" option to apply the changes made. A small window at the top of the page may appear stating the changes were successful; if so, left-click "OK" when prompted.
15.) Now that the groups have been defined, left-click on the linked text "here" at the top of the page where the following appears: "To enable or configure the Active Directory server, please click here."
16.) Start by left-clicking the checkbox for "Enable Active Directory Authentication."
17.) If SSL is desired, the checkbox for "Active Directory Authentication over SSL." may be checked. Please ensure that the proper certificates have been uploaded to Configuration > SSL Certification.
18.) By default, AD authentication uses TCP port 389; when SSL is used, the default is TCP port 636. Ensure that firewall rules and access controls allow the connection to Active Directory.
19.) For "User Domain Name" please fill in with the FQDN of the domain.
20.) For "Time Out", the default is 10 seconds; adjust it as needed.
21.) For Domain Controller Server Address1, 2, and 3, enter the IP addresses of one, two, or three Domain Controllers within the domain specified in "User Domain Name".
*NOTE* Only IPv4 addresses can be used at this time, support for hostnames and/or IPv6 is not available currently.
*NOTE* Only a single domain can be used at this time. The IPMI cannot be configured for access across multiple domains at this time.
22.) Left-click the "Save" option once done. A small window at the top of the page may appear stating "The requested configuration has been successfully set."; if so, left-click "OK" when prompted.
23.) Active Directory authentication should now be set. Log out and try logging in using an Active Directory account in the following format:
Username - exampleaccount@example.domain.local
Password - Active Directory password for the above account.
24.) Once successfully authenticated, navigate to one of the domain controllers entered as Domain Controller Server Address1, 2, or 3 on the Active Directory Authentication page.
25.) Launch the Event Viewer on the Domain Controller.
26.) Navigate to the Security event container.
27.) Logs should now appear in this Security Event Container for successful and failed logon attempts to the IPMI.
*NOTE* An example event from a successful login using Active Directory Authentication in the IPMI of the SSB is attached to this KB article; view it to see what a generated event looks like.
To search for specific IPMI logon events, the following can be used:
Event ID: 4624
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
The Source Network Address: should be the IP Address of the IPMI Interface on the SSB.
The Domain Controller handling authentication to the IPMI of the SSB will need either the Syslog-ng Agent for Windows installed and configured to log Security events, or the Windows Event Collector (WEC) service configured, so that the Security events are sent to the SSB.
For help installing and/or configuring the Syslog-ng Agent for Windows or WEC service, please consult the One Identity support page for Syslog-ng PE as both Admin and Install guides are posted in One Identity's Technical Documentation section of the One Identity Support Site.
For help configuring filters, alerts, or other forms of log manipulation/management please reach out to One Identity support to better manage the IPMI auditing if desired.
Example filter statement for an SSB to have IPMI auditing be directed to a single logspace when using the Syslog-ng Agent for Windows (replace IPMI_INTERFACE_IP_ADDRESS with the IP address of the IPMI interface on the SSB):
match("Advapi", value("MESSAGE")) and
match("IPMI_INTERFACE_IP_ADDRESS", value("MESSAGE"))
Example filter statement for an SSB to have IPMI auditing be directed to a single logspace when using WEC (replace IPMI_INTERFACE_IP_ADDRESS with the IP address of the IPMI interface on the SSB):
match("Advapi", value(".SDATA.Event.EventData.LogonProcessName")) and
match("IPMI_INTERFACE_IP_ADDRESS", value(".SDATA.Event.EventData.IpAddress"))
For configuring filters within the SSB, please consult the Syslog-ng Store Box (SSB) Admin guide for the version in use which can be found on the One Identity Support Page.
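The two filter statements above pass the IPMI address to match() as a pattern. The following added example (not part of the KB article or of One Identity's code) assumes match() performs an unanchored regular-expression search, uses Python's re module as a stand-in, and shows which constructed 4624-style records the page's patterns admit compared with an escaped, bounded address. The address 10.1.1.5, the record values, and the MESSAGE layout are constructed for illustration.

```python
import re

IPMI_IP = "10.1.1.5"  # constructed stand-in for IPMI_INTERFACE_IP_ADDRESS

# Constructed 4624-style records: label -> (LogonProcessName, IpAddress)
EVENTS = {
    "ipmi-login":    ("Advapi  ", "10.1.1.5"),
    "longer-octet":  ("Advapi  ", "10.1.1.50"),    # IPMI address is a prefix
    "leading-digit": ("Advapi  ", "110.1.1.5"),    # IPMI address is a suffix
    "dot-wildcard":  ("Advapi  ", "10.111.5.20"),  # '.' matched a digit
    "other-process": ("Kerberos", "10.1.1.5"),
}

def as_message(proc, ip):
    """Flatten a record into agent-style MESSAGE text (layout is constructed)."""
    return f"Logon Process: {proc} Source Network Address: {ip} Source Port: 0"

def loose(ip):
    """The patterns as written on the page: unescaped, unanchored regexes."""
    return re.compile("Advapi"), re.compile(ip)

def strict(ip):
    """Escape the dots and refuse a digit or a further octet on either side."""
    bounded = r"(?<![\d.])" + re.escape(ip) + r"(?!\.?\d)"
    return re.compile("Advapi"), re.compile(bounded)

def matched(patterns, use_message):
    """Labels of EVENTS that pass both match() conditions."""
    proc_re, ip_re = patterns
    hits = []
    for label, (proc, ip) in EVENTS.items():
        if use_message:
            # Agent form: both conditions are tested against MESSAGE.
            proc_text = ip_text = as_message(proc, ip)
        else:
            # WEC form: each condition is tested against its own field.
            proc_text, ip_text = proc, ip
        if proc_re.search(proc_text) and ip_re.search(ip_text):
            hits.append(label)
    return hits

if __name__ == "__main__":
    for name, pats in (("page", loose(IPMI_IP)), ("strict", strict(IPMI_IP))):
        print(name, "agent:", matched(pats, True), "wec:", matched(pats, False))
```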