Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.3 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and usergroups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Creating and editing channel policies

The Channel Policy lists the channels (for example, terminal session and SCP in SSH, or Drawing and Clipboard in RDP) that can be used in the connection, and also determines if the channel is audited or not. The Channel Policy can also restrict access to each channel based on the IP address of the client or the server, a user list, user group, or a time policy. For example, all clients may access the servers defined in a connection via SSH terminal, but the channel policy may restrict SCP access only to a single client. The policies set in the Channel Policy are checked when the user attempts to open a particular channel type in the connection.

Figure 177: <Protocol name> Control > Channel Policies — Configuring channel policies

To create a new channel policy or edit an existing one

  1. Channel policies are configured individually for every protocol. Navigate to the Channel Policies tab of the respective protocol (for example, SSH Control > Channel Policies) and click to create a new channel policy. Enter a name for the policy (for example, shell_and_backup).

  2. Click to add a new channel.

  3. Select the channel to be enabled in the connection from the Type field. All restrictions set in the following steps will be effective on this channel type. The available channels are different for every protocol. For their descriptions, see the following sections:

  4. To restrict the availability of the channel only to certain clients, click in the From field and enter the IP address of the client allowed to use this type of the channel. Repeat this step until all required client IP addresses are listed.

    Alternatively, you can also enter a hostname instead. One Identity Safeguard for Privileged Sessions (SPS) saves the hostname and resolves it when opening channels, therefore SPS can trace dynamic IP addresses.

    NOTE: Note the following limitations:

    • The Domain Name Servers you set must be able to resolve the hostnames you enter into the From and Target fields, otherwise this function (and, therefore, the sessions using this Channel Policy) will not work.

    • SPS Channel Policies support wildcard characters in the *.example.com format. If the channel opening request contains an IP address, SPS uses a reverse lookup method to resolve this IP address into a hostname for a match.

    • SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

  5. To restrict the availability of the channel only to certain servers, click in the Target field and enter the IP address of the server allowed to use this type of the channel. Repeat this step until all required server IP addresses are listed.

    NOTE: Use the real IP address of the server, which may be different from the one addressed by the clients, specified in the Target field of the connection policy.

    Alternatively, you can also enter a hostname instead. One Identity Safeguard for Privileged Sessions (SPS) saves the hostname and resolves it when opening channels, therefore SPS can trace dynamic IP addresses.

    NOTE: Note the following limitations:

    • The Domain Name Servers you set must be able to resolve the hostnames you enter into the From and Target fields, otherwise this function (and, therefore, the sessions using this Channel Policy) will not work.

    • SPS Channel Policies support wildcard characters in the *.example.com format. If the channel opening request contains an IP address, SPS uses a reverse lookup method to resolve this IP address into a hostname for a match.

    • SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    Alternatively, you can configure a custom DNS server to be used for target selection. Select Enable Custom DNS server under the Target section of your connection policies (set under <Protocol name> Control > Connections) and enter the IP address of the custom DNS server.

  6. To restrict the availability of the channel only to certain users, click in the Remote Group field and enter the name of the user group allowed to use this type of the channel. Repeat this step until all permitted groups are listed.

    Caution:

    Adding more than approximately 1000 remote groups to a channel policy may cause configuration, performance, and authentication issues when connecting to LDAP servers.

    To restrict the availability of the channel when using gateway authentication, click in the Gateway Group field and enter the name of the user group allowed to use this type of the channel. Repeat this step until all permitted groups are listed.

    You may list local user lists as defined in Creating and editing user lists, or LDAP groups (for details on accessing LDAP servers from SPS, see Authenticating users to an LDAP server). Note the following behavior of SPS:

    • If you list multiple groups, members of any of the groups can access the channel.

      NOTE: >When listing both a whitelist and blacklist in the Remote Group section and a username appears on both lists, the user will be able to access the channel.

    • If you do not list any groups, anyone can access the channel.

      NOTE: When the channel opens, there are certain cases when the remote group is not known yet. For example, in case of an RDP or ICA login screen, the drawing channel has to be opened first to properly display the logon screen. Only those channel rules will apply, where the Remote group field is empty. In case of network level authentication, all required information is present already so this limitation does not apply.

    • If a local user list and an LDAP group has the same name and the LDAP server is configured in the connection that uses this channel policy, both the members of the LDAP group and the members of the local user list can access the channel.

    NOTE: User lists and LDAP support is currently available only for the SSH and RDP protocols. For other protocols, see Configuring gateway authentication.

  7. Select a time policy to narrow the availability of the channel. If the time policy of the channel policy is set to 7x24, the channel is always available. For details, see Configuring time policies.

  8. Some channel types require additional parameters, for example port forwarding in SSH needs the IP addresses and ports of the source and destination machines. Click in the Details field and enter the required parameters. For a list of parameters used by the different channels, see Supported SSH channel types and Supported RDP channel types.

  9. Select the Record audit trail option to record the activities of the channel into audit trails. Typically large file-transfers (for example system backups, SFTP channels) are not audited because they result in very large audit trails. Check regularly the free hard disk space available on SPS if you do audit such channels. You can also receive alerts about disk space fill-up if you set these. For details, see Preventing disk space fill-up and System related traps.

  10. Select the 4 eyes option to require four-eyes authorization to access the channel. For details, see Configuring four-eyes authorization.

  11. Repeat Steps 2-10 to add other channels to the policy.

    NOTE: The order of the rules matters. The first matching rule will be applied to the connection. Also, note that you can add the same channel type more than once, to fine-tune the policy.

  12. Click to save the list.

Real-time content monitoring with Content Policies

You can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command or text) appears in the command line or on the screen, or if a window with a particular title appears in a graphical protocol. Since content-monitoring is performed real-time, One Identity Safeguard for Privileged Sessions (SPS) can prevent harmful commands from being executed on your servers. SPS can also detect numbers that might be credit card numbers. The patterns to find can be defined as regular expressions. In case of ICA, RDP, and VNC connections, SPS can detect window title content.

The following actions can be performed:

  • Log the event in the system logs.

  • Immediately terminate the connection.

  • Send an e-mail or SNMP alerts about the event.

  • Store the event in the connection database of SPS.

SPS currently supports content monitoring in SSH session-shell connections, Telnet connections, RDP and Citrix ICA Drawing channels, and in VNC connections.

NOTE: Command, credit card and window detection algorithms use heuristics. In certain (rare) situations, they might not match the configured content. In such cases, contact our Support Team to help analyze the problem.

Real-time content monitoring in graphical protocols is not supported for Arabic and CJK languages.

Creating a new content policy

The following describes how to create a new content policy that performs an action if a predefined content appears in a connection.

NOTE: Using content policies significantly slows down connections (approximately 5 times slower), and can also cause performance problems when using the indexer service.

Figure 178: Policies > Content Policies — Content policies

To create a new content policy that performs an action if a predefined content appears in a connection

  1. Navigate to Policies > Content Policies, click and enter a name for the policy.

  2. Select the type of event that you want to monitor:

    • Commands: The commands executed in the session-shell channel of SSH connections, or in Telnet connections.

      Caution:

      During indexing, if a separate certificate is used to encrypt the upstream traffic, command detection works only if the upstream key is accessible on the machine running the indexer.

      NOTE: Command detection is case-insensitive.

    • Screen content: Every text that appears on the screen. For example, every text that is displayed in the terminal of SSH or Telnet connections. This includes the executed commands as well, unless echoing is turned off for the terminal.

    • Credit card: Process every text that appears on the screen and attempt to detect credit card numbers in SSH or Telnet connections. One Identity Safeguard for Privileged Sessions (SPS) performs an action if the number of detected credit card numbers exceeds the value set as Permitted number of credit card numbers.

      Credit card number detection is based on the Luhn algorithm and lists of known credit card number prefixes.

    • Window title detection: Text appearing as window titles that can be detected on the screen in RDP, Citrix ICA, and VNC connections. Window title detection involves Optical Character Recognition (OCR) on parts of the screen, and can be slightly resource-intensive. SPS versions up till 6.2 only detected only the active window in the screen. From SPS version 6.3, multiple windows can be detected.

      Limitations
      • Default Windows themes are supported.

      • Windows that do not have an X (close window) button in the top-right corner (or it is not visible) are not detected.

      • Use window title detection for sessions that use a single monitor. The feature works in multi-monitor environments as well, but becomes very slow, therefore it is not recommended.

      • Window title detection is case-insensitive.

  3. Select Take action if the event contains any of the following strings or expressions, click and enter a string or regular expression. SPS will perform an action if this expression is found in the connection, unless it is listed in the Except if it also contains any of these strings or expressions list. For example, SPS can terminate the connection if the user issues the rm -rf * in an SSH connection. Repeat this step to add further expressions if needed.

    • Use Perl Compatible Regular Expressions (PCRE).

    • The following characters must be escaped using a backslash character: '(single-quote). For example, instead of .*' use .*\'

    • SPS uses substring search to find the expression in the content. That is, SPS finds the expression even if there is more content before or after the matching part. For example, the conf pattern will match the following texts: conf, configure, reconfigure, arcconf, and so on.

    • Using complicated regular expressions or using many regular expressions will affect the performance of SPS.

    • If the multiple expressions are set, SPS processes them one after the other, and stops processing the content if the first match is found, even if other expressions would also match the content. Therefore, when using multiple expressions, start with the most specific one, and add general expressions afterward.

    Example: Sample regular expressions for content policies

    The following simple regular expressions are samples to demonstrate what kinds of events that can be detected using content policies.

    • The enable command on Cisco devices: the user enters privileges mode.

    • The conf term command on Cisco devices: the user configures the networking parameters of the device.

    • The sudo and su - commands: the user enters privileged mode Linux and other UNIX platforms.

  4. To add an exception to the Take action if the event contains any of the following strings or expressions rule, select Except if it also contains any of these strings or expressions, click and enter a string or regular expression. SPS will not perform any action if this expression is found in the connection. For example, to permit the users to delete only the /tmp directory in an SSH connection, enter rm -rf /tmp. Repeat this step to add further expressions if needed.

    Example: Sample content policies using Ignore rules

    The following expressions can be used to perform an action if any SQL command is used in MySQL, except for the select and help commands:

    • Into the Take action if the event contains any of the following strings or expressions expression, enter mysql>.*

    • Add two Except if it also contains any of these strings or Except if it also contains any of these strings or Except if it also contains any of these strings or expressions expressions: mysql> select.* and mysql> help.*

  5. Select the action to perform.

    • Log: Send a log message into the system logs. The log message includes the expression that matched the content. On log level 6, the message includes the matching content as well.

    • Terminate connection: Immediately terminate the connection. When using the Terminate connection action for the Command event type, and a command matches an expression, the connection is terminated before the command is executed. When using the Terminate connection action, note the following points.

      • Select the Log or Notify action as well so that it is easy to find out why a connection was terminated.

      • If the connection is terminated by a content policy, the Verdict of the connection becomes ACCEPT-TERMINATED.

    • Notify: Send an e-mail or SNMP alert about the event. To configure the alerts, navigate to Basic Settings > Alerting & Monitoring and set the required alerts for the Real time audit event detected (scbAuditRealTime) event.

    • Store in connection database: Add the event to the SPS connection database. These events are displayed in the Alerts column of the Search page. If the column is not visible, click Customize columns....

  6. To apply the content policy only for users belonging to specific groups, select Apply this policy only to members of these gateway groups or Apply this policy only to members of these remote groups, and specify the usergroups as needed. If Apply this policy only to members of these gateway groups or Apply this policy only to members of these remote groups is set, the content policy is applied only to connections of these usergroups.

  7. To add a new rule to the policy, click and repeat Steps 2-6.

    Note that if you have more than one rules in a policy, SPS evaluates them as follows.

    1. SPS evaluates the first (top) rule.

    2. If the rule contains Apply this policy only to members of these gateway groups or Apply this policy only to members of these remote groups restrictions, SPS checks if the current user belongs to any of the specified groups. If the groups do not match, SPS skips the rule.

    3. If the content matches any entry of the Except if it also contains any of these strings or expressions list, SPS skips the rule.

    4. If the content matches any entry of the Take action if the event contains any of the following strings or expressions list, SPS performs the action configured for the rule. Otherwise, SPS skips the rule.

    5. If the current rule did not match the content, SPS evaluates the next rule of the policy (if any).

  8. Click . A new content policy is created.

  9. To use the content policy created in the previous steps, select the policy in the channel policy that is used to control the connections.

    NOTE: It is not required to enable auditing to use content policies.

Configuring time policies

The time policy determines the timeframe when the users are permitted to access a particular channel. By default, there is no time-based restriction, all channels are available 7x24.

Figure 179: Policies > Time Policies — Configuring time policies

To create a time policy or edit an existing one

  1. Navigate to the Time Policies tab of the Policies menu item and click to create a new time policy. Enter a name for the policy (for example workhoursonly).

  2. Click to display the days of the week and the allowed intervals.

  3. Enter the intervals for each day when the users are allowed to access the connection. Use the hh:mm format (for example from 08:00 to 16:00).

  4. To add multiple intervals for a day, click .

  5. Click .

  6. To actually restrict access to a connection or a channel based on the policy created in the previous steps:

    • Select this policy in the Time Policy field of the channel policy.

    • Click .

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating