Privileged Access Manager
Please follow the steps below to install, configure and test the SFA (Socket Filter Agent) feature.
Step 1: Create a Target Device and a Target Account in PAM.
You can set up the SSH Access Method or create a Putty service to access the target device.
In this case I will use "Putty" Service.
You can also add the "SSH" method under "Access Method"; this makes it easier to transfer the SFA installer to the machine.
If you want to allow file transfer from the "SSH" Access Method, switch on the "SSH Terminal File Transfer" option under "Global Settings -> Applet Customization".
Now add the "Putty Local" service.
I am using auto-login, so the "Client Application" is set as below:
"C:\Program Files\PuTTY\putty.exe" -ssh -l <Username> <Local IP> <First Port>
Create a Socket Filter under "Policies --> Manage Policy Filters --> Socket Filters".
In this sample I named it "SFABlackList".
Select "Blacklist" as the Type, as we only want to block the destinations registered in the list.
Enter the IP address of the other server (not the target server, but the host you want to prevent users from SSH'ing to).
Click OK to save.
You can click the "CONFIG" button to enable "SFA Monitoring", which shows which SFAs are active. It is for monitoring purposes only. Note that the SFA listens on TCP port 8550 by default.
Do not check "Log All Access", as that generates a large number of entries in the session log.
You will need two Target Accounts for this test.
Account1: root
Account2: user1
Note that the root account is not affected by the SFA blacklist: root can still SSH to other machines even when a blacklist is configured. Only non-root accounts are filtered.
Create a Policy to allow both root and user1 to have access to the target device.
Now you should see the Access Buttons as below.
Now, let's install the Socket Filter Agent on the AIX 7.1 machine.
Log on to AIX 7.1 as root using the "SSH" Access Method.
When using MindTerm, pressing the [ENTER] key appends ^E to the command, so you will see "xterm" on the command line.
Run "set -o emacs" and that problem goes away.
In the "Plugins" menu you can select either of the transfer options, which brings up the file transfer window.
Transfer the SFA installer that matches the target device.
Check whether anything is listening on TCP port 8550.
If something is listening on that port, either SFA is already installed and running, or third-party software is occupying the same port and will conflict with SFA.
If SFA is already installed and running, you must stop it first:
# /etc/rc.d/init.d/rc.gksfd stop
Also ensure the following two requirements are met:
1. TCP port 8550 is open inbound to the target device.
2. TCP port 443 is open outbound from the target device to the PAM servers.
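The checks above (no existing listener on 8550, no gksfd already running, root, and the firewall requirements) can be scripted so they are repeatable across hosts. The following is an added example written for this page, not the vendor's installer or any code from the original: POSIX sh/ksh that parses netstat -an and ps -ef output (both the AIX "*.8550" and the Linux "0.0.0.0:8550" local-address forms), so the parsing can be tested offline. AGENT_PORT defaults to the gksfd default of 8550; PAM_HOST is an assumed placeholder for your PAM server.

```shell
#!/bin/sh
# SFA pre-install checks. Added example, not vendor code.
# The parsers read netstat/ps output on stdin so they can be tested offline;
# run preflight on the target host as root before launching the SFA installer.

AGENT_PORT="${AGENT_PORT:-8550}"            # gksfd default (see "gksfd -p port#")
PAM_HOST="${PAM_HOST:-pam.example.com}"     # assumed placeholder for your PAM server

# port_in_use PORT: read `netstat -an` on stdin; succeed if a TCP socket bound
# to PORT is in LISTEN state. Accepts the AIX/BSD "*.8550" and the
# Linux "0.0.0.0:8550" / ":::8550" local-address formats.
port_in_use() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ ("[.:]" port "$") && $NF == "LISTEN" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# gksfd_pids: read `ps -ef` on stdin; print the PID of every running gksfd
# daemon, using the same "/gksfd" or " gksfd" match the vendor rc.gksfd uses.
gksfd_pids() {
    awk '/[ \/]gksfd( |$)/ && !/awk/ { print $2 }'
}

# preflight: run all checks; returns 0 when the host is ready for the installer.
preflight() {
    rc=0
    if [ "$(id -u)" != "0" ]; then
        echo "the installer must run as root"; rc=1
    fi
    if netstat -an 2>/dev/null | port_in_use "$AGENT_PORT"; then
        echo "TCP $AGENT_PORT already has a listener (existing SFA or a conflicting product)"
        # AIX: netstat -Aan | grep "\.$AGENT_PORT " gives the PCB address; rmsock <addr> tcpcb names the owner
        rc=1
    fi
    pids=$(ps -ef | gksfd_pids)
    if [ -n "$pids" ]; then
        echo "gksfd already running (pid: $pids); stop it: /etc/rc.d/init.d/rc.gksfd stop"
        rc=1
    fi
    # Outbound HTTPS to PAM cannot be inferred from local state; probe it explicitly, e.g.
    #   openssl s_client -connect "$PAM_HOST:443" </dev/null
    echo "reminder: TCP $AGENT_PORT inbound to this host and TCP 443 outbound to $PAM_HOST must be open"
    return $rc
}

# usage: sh sfa-preflight.sh run
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

The two parsers are separated from preflight so the same script can be pointed at netstat/ps output collected from another host (for example in a change ticket) without running anything there.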
You can now run the installer. It must be run as "root".
The installation is quick and simple.
In the following case, I already had SFA installed; the installer simply overwrites the existing installation if you tell it to.
The installer installed the following files:
/etc/rc.d/init.d/rc.gksfd
/etc/gksfd.cfg
/usr/sbin/gksfd
/usr/sbin/gksfdconf
rc.gksfd starts and stops the SFA service.
Usage: /etc/rc.d/init.d/rc.gksfd (start|stop|restart|reload)
#!/bin/ksh
#
# This script starts the CA's SFA daemon process
#

# Checking permission
invoker=`id | cut -c5,5`
if [ $invoker != "0" ]
then
    echo "You have no permission to execute. Should be super-user."
    exit 0
fi

# Checking disk space
available=`df -Pk /var | tail -1 | awk '{print $4}'`
minimumspace="10240"
if [ $1 = "start" -o $1 = "restart" ]; then
    if [ $available -lt $minimumspace ]; then
        echo "Not enough disk space in /var. You need at least 10M of free disk space to start the Socket Filtering Service."
        exit 0
    fi
fi

case "$1" in
start)
    # startsrc -s gksfd
    pid=`ps -ef | grep -e '\/gksfd$' -e '\/gksfd ' -e ' gksfd$' -e ' gksfd ' | grep -v grep|awk '{print $2}'`
    if [ "X$pid" = "X" ] ; then
        if [ -f /usr/sbin/gksfd ] ; then
            echo "Starting the Socket Filtering Service"
            /usr/sbin/gksfd
        fi
    fi
    ;;
stop)
    # stopsrc -s gksfd
    status=0
    pid=`ps -ef | grep -e '\/gksfd$' -e '\/gksfd ' -e ' gksfd$' -e ' gksfd ' | grep -v grep|awk '{print $2}'`
    for p in $pid; do
        kill $p
        if [ $? -ne 0 ]; then
            status=1
        fi
    done
    if [ "$status" = 0 ]; then
        echo "Socket Filtering Service stopped"
    else
        echo "Unable to stop Socket Filtering Service"
    fi
    ;;
restart)
    $0 stop
    $0 start
    ;;
reload)
    status=0
    /usr/sbin/gksfdconf
    if [ $? -ne 0 ]; then
        status=1
    fi
    if [ "$status" != 0 ]; then
        echo "Unable to reload Socket Filtering Service"
    fi
    ;;
* )
    echo "Usage: $0 (start|stop|restart|reload)"
    ;;
esac
exit 0
gksfd.cfg stores the SFA configuration.
# gksfd configuration

# policy mode (user: user-based policy, session: session-based policy)
POLICY=session

# verbose mode (0: non-verbose, 1: verbose)
VERBOSE=0

# secure login mode (0: allow login from non-GK, 1: allow login from GK ONLY)
SECURE_LOGIN=0

# secure user list
# use comma(,) as delimiter and not allowed any white-space
SECURE_USER=
gksfd starts the SFA, optionally with extra parameters:
usage: gksfd [-h] [-v] [-ver] [-p port#] [-l log-file]
-h print usage help
-ver print version number
-v set log-level to verbose mode (default: info level)
-p port# set agent port number (default: 8550)
-l log-file set log file (default: /var/tmp/gksfd.log)
gksfdconf reconfigures a running SFA service (it is what rc.gksfd reload calls).
Once SFA is installed, and before you start gksfd, you can enable verbose mode by setting VERBOSE=1 in /etc/gksfd.cfg.
Then start the SFA by running gksfd (or /etc/rc.d/init.d/rc.gksfd start).
You will then see the following in /var/tmp/gksfd.log:
<5>gksfd: 2019-01-16 19:53:05 ## =============================== ##
<5>gksfd: 2019-01-16 19:53:05 ## Process Started ##
<5>gksfd: 2019-01-16 19:53:05 ## =============================== ##
<5>gksfd: 2019-01-16 19:53:05 ## version: gksfd 3.2.0
<5>gksfd: 2019-01-16 19:53:05 ## process-id: 7799014
<5>gksfd: 2019-01-16 19:53:05 ## argument[0]: gksfd
<6>gksfd: 2019-01-16 19:53:05 POLICY=session
<6>gksfd: 2019-01-16 19:53:05 VERBOSE=1
<6>gksfd: 2019-01-16 19:53:05 SECURE_LOGIN=0
<6>gksfd: 2019-01-16 19:53:05 SECURE_USER=
<6>gksfd: 2019-01-16 19:53:05 >>>>> configuration <<<<<
<6>gksfd: 2019-01-16 19:53:05 policy-mode = [session-based policy]
<6>gksfd: 2019-01-16 19:53:05 log-level = [debug]
<6>gksfd: 2019-01-16 19:53:05 secure-login = [disabled]
<6>gksfd: 2019-01-16 19:53:05 # of secure-user = [0]
<6>gksfd: 2019-01-16 19:53:05 >>>>> end of configuration <<<<<
<6>gksfd: 2019-01-16 19:53:05 Set verbose mode logging
<6>gksfd: 2019-01-16 19:53:05 init_policy: size poilcy_t(66016) max_policy(1024) max_list(4096)
<6>gksfd: 2019-01-16 19:53:05 init_session: size session_t(66080) max_session(1024)
<6>gksfd: 2019-01-16 19:53:05 init_cm: size conninfo_t [443]
<6>gksfd: 2019-01-16 19:53:05 init_cm: TLS support
<6>gksfd: 2019-01-16 19:53:05 init_cm: initialized openssl library
<7>gksfd: 2019-01-16 19:53:05 old stack size = [192] kbytes
<6>gksfd: 2019-01-16 19:53:05 new stack size = [1024] kbytes
<6>gksfd: 2019-01-16 19:53:05 init_thread: main inited.
<6>gksfd: 2019-01-16 19:53:05 start signal handler service
<6>gksfd: 2019-01-16 19:53:05 interface information: 192.#.#.1
<6>gksfd: 2019-01-16 19:53:05 sig_handler: signal(20) - ignore
<6>gksfd: 2019-01-16 19:53:05 start packet capture service
<7>gksfd: 2019-01-16 19:53:05 pm: ether=14 ip=20 tcp=20
<6>gksfd: 2019-01-16 19:53:05 init_thread: pm inited.
<6>gksfd: 2019-01-16 19:53:05 pm: filter = [tcp[13] = 18 and ( dst host 192.#.#.1 )]
It has started up fine. Note the packet capture filter on the last line: in BPF, tcp[13] is the TCP flags byte and 18 (0x12) is SYN+ACK, so the agent only looks at the SYN/ACK replies that come back to the target's own address, that is, outbound connections the remote side has already accepted. Blocking is therefore done after the TCP handshake, by finding the process that owns the connection and killing it, not by dropping packets.
Now, if you try to SSH to the blacklisted host (10.#.#.1), you will see the following:
<6>gksfd: 2019-01-16 20:26:33 pm: src(10.#.#.1:22) dst(192.#.#.1:52161) flags=18
If you see the "RSA key fingerprint xxxx" prompt, the connection to the destination has already been established.
This should have been blocked but went through because the test user in this case was the "root" account.
So, now open a new SSH session as a non-root user.
When you try with a non-root user, you will see the following screen and log:
<6>gksfd: 2019-01-16 20:31:00 new connection accepted from 172.#.#.1 (11)
<6>gksfd: 2019-01-16 20:31:00 init_thread: cm inited.
<6>gksfd: 2019-01-16 20:31:00 pm: src(10.#.#.1:22) dst(192.#.#.1:52176) flags=18
<6>gksfd: 2019-01-16 20:31:00 build_proc: n_proc = [105]
<6>gksfd: 2019-01-16 20:31:00 search_proc_tree: pid(6357198) -- pid(7995612)'s tree
<6>gksfd: 2019-01-16 20:31:00 >>> G session[0]: (1) st(2) uid(205) pid(5767412,7995612) tid(1335) pty(pts/2) ti(190116 203035) peer(192.#.#.123)
<6>gksfd: 2019-01-16 20:31:00 apply_policy: uid(205) (8dca29cc:22) in bl(8dca29cc/ffffffff:22-22)
<6>gksfd: 2019-01-16 20:31:00 sm: kill. cmd(ssh) uid(205) pid(6357198)
<6>gksfd: 2019-01-16 20:31:00 sm: report bl. cmd(ssh) uid(205) pid(6357198)
<6>gksfd: 2019-01-16 20:31:00 gkhttps: cmd=[https://198.#.#.1/ajax_cmd.php?cmd=AGNLOG&host=10.#.#.1&port=22&PHPSESSID=5210a19bbfd7110a71b2d16b896b7802&src_host=172.#.#.1&nat_host=172.#.#.1&h_id=33&tsk_name=ssh&svc_name=<&gkhost=lodibm24ab.ca.com&pid=105&log_level=ERROR&policy_type=bl]
<6>gksfd: 2019-01-16 20:31:00 cm: peek message = GKSFD_NOTIFY 873140652:3442068109 (33)
<6>gksfd: 2019-01-16 20:31:00 cm: should be <= CAPAM 2.7, non TLS mode
<6>gksfd: 2019-01-16 20:31:00 do_hello: (11) len(27) ver(2) id(1) st(0) res(0) param(873140652:3442068109|)
<6>gksfd: 2019-01-16 20:31:00 do_server: (11) connection dropped
IP 192.#.#.1 is the AIX 7.1 target server.
IP 10.#.#.1 is the other machine we want to blacklist, so users cannot SSH from 192.#.#.1 to 10.#.#.1.
IP 172.#.#.1 is the Windows client machine I am accessing the PAM server from.
IP 198.#.#.1 is the PAM server.
Reading the log: the pm line is the SYN/ACK from port 22 of the blacklisted host; search_proc_tree walks the process tree to find the ssh client (pid 6357198) and the PAM session it belongs to (uid 205 on pts/2); apply_policy shows the destination as a hex IPv4 address and port (8dca29cc:22) matched against the blacklist entry in address/mask:port-range form (8dca29cc/ffffffff:22-22); sm: kill terminates the ssh process, and sm: report bl sends the AGNLOG event to the PAM server via gkhttps, which is what shows up in the PAM session log with log_level=ERROR and policy_type=bl. Two details worth checking: the gkhttps URL carries the PAM session ID (PHPSESSID) in clear, and the cm lines show the notify connection from PAM being handled in non-TLS mode because the agent took the peer for CA PAM 2.7 or older; confirm that is expected for your PAM version.
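The verbose log above is the only place on the host where the block decision is visible, so it is worth being able to pull the kills out of it and to scrub it before it is shared. The following is an added example written for this page (POSIX sh with awk and sed), not code from the vendor or from the original article: sfa_blocked prints one line per killed connection, decoding the destination from the hex form carried by the apply_policy line, and sfa_redact masks the PHPSESSID value seen in the gkhttps line. It assumes, as in the log above, that the apply_policy line for a kill immediately precedes its "sm: kill." line; the sample log lines in the test are constructed and use private/documentation addresses.

```shell
#!/bin/sh
# Triage helpers for the verbose gksfd log. Added example, not vendor code.
# They read /var/tmp/gksfd.log (or any file) on stdin and rely only on the
# line formats shown in this article; that the "apply_policy" line directly
# precedes its "sm: kill." line is an assumption taken from that log.

# sfa_blocked: print one line per connection the agent killed, with the
# destination decoded from the hex IPv4 address in the apply_policy line
# ("(HEXIP:PORT) in bl(HEXIP/HEXMASK:FROM-TO)") and the list that matched.
sfa_blocked() {
    awk '
    # hex2ip("0a000001") -> "10.0.0.1", without gawk-only strtonum()
    function hex2ip(h,    i, o, b, hx) {
        hx = "0123456789abcdef"; h = tolower(h); o = ""
        for (i = 1; i <= 7; i += 2) {
            b = (index(hx, substr(h, i, 1)) - 1) * 16 + index(hx, substr(h, i + 1, 1)) - 1
            o = o (i > 1 ? "." : "") b
        }
        return o
    }
    # field(line, "uid") -> the value inside "uid(...)"
    function field(s, key,    v) { v = s; sub(".*" key "\\(", "", v); sub(/\).*/, "", v); return v }
    /apply_policy:/ {
        dst = $0; sub(/.*\) \(/, "", dst); sub(/\).*/, "", dst)      # e.g. "8dca29cc:22"
        split(dst, d, ":")
        p_uid = field($0, "uid"); p_dst = hex2ip(d[1]) ":" d[2]
        p_list = $0; sub(/.* in /, "", p_list); sub(/\(.*/, "", p_list)  # e.g. "bl"
        next
    }
    /sm: kill\./ {
        uid = field($0, "uid")
        if (uid == p_uid) { dst = p_dst; list = p_list } else { dst = "?"; list = "?" }
        printf "%s %s uid=%s cmd=%s pid=%s dst=%s list=%s\n", $2, $3, uid, field($0, "cmd"), field($0, "pid"), dst, list
        p_uid = ""
    }'
}

# sfa_redact: mask the PAM session cookie that the AGNLOG callback URL
# carries, before the log leaves the host (ticket attachment, vendor case).
sfa_redact() {
    sed 's/PHPSESSID=[0-9A-Fa-f]*/PHPSESSID=REDACTED/g'
}

# usage:
#   sfa_blocked < /var/tmp/gksfd.log
#   sfa_redact  < /var/tmp/gksfd.log > gksfd-for-vendor.log
```

The hex decoding is done in plain awk rather than with strtonum() so the script runs unchanged under the AIX awk as well as gawk or mawk.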
If everything is working, change VERBOSE back from 1 to 0 in /etc/gksfd.cfg. Apart from the log volume, the verbose log is sensitive: the gkhttps lines include the PAM session ID, so restrict read access to /var/tmp/gksfd.log and redact it before sharing it.
Then restart the SFA: /etc/rc.d/init.d/rc.gksfd restart
You should also be able to see the status of this SFA in PAM, in the SFA Monitoring view enabled earlier.