Generating SNMP Alerts From PAM

Article ID: 125112

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

PAM generates SNMP alerts when specific events occur, but it is not clearly documented how to trigger each alert for testing.

Environment

This was tested on PAM 3.2.4 and is expected to behave the same on earlier versions of PAM. Be aware that changes are being made in 3.2.5 and 3.3.

Resolution

There are three lists below. The first list contains the alerts that were successfully generated, along with the method used to generate each one. The second list contains the alerts for which the test method was attempted but no alert was generated. The third list contains the alerts for which the method to generate them is not known.

Successfully generated alerts   Test method
gkSysClusterStatus              Configure a MultiMaster cluster and shut down one of the nodes.
gkSysCredMgmtStatus             Configure a cluster with the Max Number of Queued Replication Records Before Member Deactivation setting and generate DB activity, i.e. an LDAP refresh, an API program, or a large CSV import.
gkSysMultiSiteStatus            Configure a MultiMaster cluster and shut down one of the nodes.
gkSessLoginFailed               Attempt a login with bad credentials.
gkSessSFViolation               Configure a Socket Filter Black List denying port 22 to a target server. Apply the Socket Filter to the policy for a device from which you can make connections to a second target via ssh. Connect to the first target and attempt to connect via ssh to the second target.
gkSessSFAccDeactivated          Do as for gkSessSFViolation, but make sure to set the Action After Limit Exceeded to Deactivate account.
gkSessCFViolation               Configure a Command Filter Black List denying a particular unix command, i.e. ps -ef. Apply the Command Filter to the policy for a device. Connect to the target and enter the black listed command. Make sure that the Block box is checked.
gkSessCFAlert                   Do as for gkSessCFViolation, but make sure that the Alert box is checked.
gkSessCFAccDeactivated          Do as for gkSessCFViolation, but make sure that Action After Limit Exceeded is set to Deactivate account, and make sure to attempt the blocked command enough times to hit the limit.
gkSysLDAPServerStatus           Configure an LDAP server and confirm that LDAP refreshes work. Shut down the LDAP server and start another refresh. Wait for it to fail.
gkAppSNMPAgentStatus            Configure SNMP, then start and stop SNMP.

Alerts not generated            Test method
gkSysSMBServerStatus            Configure Session Recording to use a CIFS mount. Ensure it is working. Shut down the CIFS server. Attempt to generate a recording.
gkSysNFSServerStatus            Configure Session Recording to use an NFS mount. Ensure it is working. Shut down the NFS server. Attempt to generate a recording.
gkSysDbBackupSMBServerStatus    Configure Scheduled Backups to use a CIFS mount. Ensure it is working. Shut down the CIFS server. Attempt to generate a scheduled backup.
gkSysDbBackupNFSServerStatus    Configure Scheduled Backups to use an NFS mount. Ensure it is working. Shut down the NFS server. Attempt to generate a scheduled backup.
gkSessConnExpired               Configure the Applet timeout to something other than zero. Log out and log in again. Launch a PAM applet and wait for the timeout.
gkSessLoginExpired              Configure the Login timeout to 2 or greater. Log out and log in again. Wait for the timeout. It is important that you do not set the login timeout to 1; doing so will make PAM inaccessible.
gkSysSyslogServerStatus         Configure a syslog server and the Splunk forwarder. Confirm syslog messages are sent to both, i.e. updating the sy. Shut down the syslog server. Perform a task that generates
gkSessLoginTerminated           Log in to PAM twice, as super and as another user. From super, terminate the session of the other user.

Alerts not tested               Test method
gkGenericNotification           Test method not known.
gkSysDbBackupS3ServerStatus     The behavior is expected to be the same as for gkSysDbBackupSMBServerStatus and gkSysDbBackupNFSServerStatus, but the method to make S3 unavailable while keeping AWS available is not currently known.
gkSysMailServerStatus           Testing this alert requires an email server that can be shut down, which was not possible in the environment used for this testing.
gkSysDNSServerStatus            Method to trigger this alert is unknown at this time.
gkSessConnTerminated            Method to trigger this alert is unknown at this time.
gkSessSessRecAlert              Method to trigger this alert is unknown at this time.
gkSessSessRecViolation          Method to trigger this alert is unknown at this time.
gkAppGKMonitorStatus            Method to trigger this alert is unknown at this time.
gkAppLogwatchStatus             Method to trigger this alert is unknown at this time.
gkAppSNMPSubagentStatus         Method to trigger this alert is unknown at this time.
gkAppDBStatus                   Method to trigger this alert is unknown at this time.
gkAppFWDStatus                  Method to trigger this alert is unknown at this time.
gkAppSessManagerStatus          Method to trigger this alert is unknown at this time.
gkAppSSLVPNMonStatus            Method to trigger this alert is unknown at this time.
gkAppSessRecAPIStatus           Method to trigger this alert is unknown at this time.
gkAppSSLVPNStatus               Method to trigger this alert is unknown at this time.
gkAppAPWDStatus                 Method to trigger this alert is unknown at this time.
gkAppGKAuthDStatus              Method to trigger this alert is unknown at this time.
gkAppClusterStatus              Method to trigger this alert is unknown at this time.

The alerts for which the trigger method is not known are being investigated.  This document will be updated as each trigger is identified.
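When working through the test methods above it helps to confirm on the receiving side which traps actually arrived. The script below is an added example, not part of this article or of the PAM product: it reads trap-receiver log lines (the snmptrapd-style line shape and the module name "CA-PAM-MIB" are assumptions, and the sample log is constructed) and compares what was received against the article's first two lists, flagging traps the article could not generate, trap names outside both lists, and traps from hosts other than the PAM appliance.

```python
import re
from collections import Counter

# Alert names exactly as listed in this article, grouped by its first two lists.
GENERATED = {"gkSysClusterStatus", "gkSysCredMgmtStatus", "gkSysMultiSiteStatus",
             "gkSessLoginFailed", "gkSessSFViolation", "gkSessSFAccDeactivated",
             "gkSessCFViolation", "gkSessCFAlert", "gkSessCFAccDeactivated",
             "gkSysLDAPServerStatus", "gkAppSNMPAgentStatus"}
NOT_GENERATED = {"gkSysSMBServerStatus", "gkSysNFSServerStatus", "gkSysDbBackupSMBServerStatus",
                 "gkSysDbBackupNFSServerStatus", "gkSessConnExpired", "gkSessLoginExpired",
                 "gkSysSyslogServerStatus", "gkSessLoginTerminated"}

# Assumed receiver log shape: "<date> <time> <source> ... snmpTrapOID.0 = OID: <MIB>::<trap>".
# "CA-PAM-MIB" below is a placeholder; the real module name comes from the PAM MIB file.
TRAP_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) .*snmpTrapOID\.0 = OID: [\w-]+::(?P<trap>\w+)")

# Constructed sample log: two PAM traps from a test run, one trap the article says does
# not fire, one unrelated trap from a different host, and one line that is not a trap.
SAMPLE_LOG = """\
2024-01-01 10:00:01 192.0.2.10 TRAP SNMPv2-MIB::snmpTrapOID.0 = OID: CA-PAM-MIB::gkSessLoginFailed
2024-01-01 10:00:09 192.0.2.10 TRAP SNMPv2-MIB::snmpTrapOID.0 = OID: CA-PAM-MIB::gkSessLoginFailed
2024-01-01 10:05:33 192.0.2.10 TRAP SNMPv2-MIB::snmpTrapOID.0 = OID: CA-PAM-MIB::gkSessCFViolation
2024-01-01 10:07:12 192.0.2.10 TRAP SNMPv2-MIB::snmpTrapOID.0 = OID: CA-PAM-MIB::gkSessLoginExpired
2024-01-01 10:09:40 198.51.100.7 TRAP SNMPv2-MIB::snmpTrapOID.0 = OID: NET-SNMP-MIB::nsNotifyShutdown
receiver restarted, this line carries no trap
"""

def parse_traps(text):
    """Yield (timestamp, source, trap_name) for every line that matches the trap shape."""
    for line in text.splitlines():
        m = TRAP_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("trap")

def coverage_report(text, pam_hosts=("192.0.2.10",)):
    """Compare received traps with the article's lists; pam_hosts is the appliance address."""
    counts, foreign = Counter(), []
    for ts, src, trap in parse_traps(text):
        counts[trap] += 1
        if src not in pam_hosts:          # trap sent by a host that is not the PAM appliance
            foreign.append((ts, src, trap))
    seen = set(counts)
    return {
        "counts": dict(counts),
        "missing": sorted(GENERATED - seen),          # article says these fire; not received yet
        "surprise": sorted(NOT_GENERATED & seen),     # article could not generate these; they arrived
        "unknown": sorted(seen - GENERATED - NOT_GENERATED),  # trap names in neither list
        "foreign_sources": foreign,
    }
```

Run `coverage_report(open("snmptrapd.log").read())` against a real receiver log to see which of the article's test methods still need to be exercised.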