Products: CA Privileged Access Manager - Cloakware Password Authority (PA); PAM SAFENET LUNA HSM; CA Privileged Access Manager (PAM)
Issue/Introduction
Alerts are generated when specific events occur. It is not clearly documented how to generate each alert.
Environment
This was seen on 3.2.4, but would be the same on earlier versions of PAM too. Be aware that changes are being made with 3.3 and 3.2.5.
Resolution
There are 3 lists below. The first list contains those alerts that have been successfully generated along with the method used to generate the alert. The next list identifies those alerts for which an alert was not successfully generated. The third list contains those alerts for which the method to generate is not known.
Successfully generated alerts (with the test method used):

gkSysClusterStatus - Configure a MultiMaster cluster and shut down one of the nodes.
gkSysCredMgmtStatus - Configure a cluster with "Max Number of Queued Replication Records Before Member Deactivation" set, then generate DB activity (e.g. an LDAP refresh, an API program, or a large CSV import).
gkSysMultiSiteStatus - Configure a MultiMaster cluster and shut down one of the nodes.
gkSessLoginFailed - Attempt a login with bad credentials.
gkSessSFViolation - Configure a Socket Filter Black List denying port 22 to a target server. Apply the Socket Filter to the policy for a device from which you can make connections to a second target via ssh. Connect to the first target and attempt to connect via ssh to the second target.
gkSessSFAccDeactivated - Do as for gkSessSFViolation, but make sure to set "Action After Limit Exceeded" to "Deactivate account".
gkSessCFViolation - Configure a Command Filter Black List denying a particular Unix command (e.g. ps -ef). Apply the Command Filter to the policy for a device. Connect to the target and enter the blacklisted command. Make sure that the Block box is checked.
gkSessCFAlert - Do as for gkSessCFViolation, but make sure that the Alert box is checked.
gkSessCFAccDeactivated - Do as for gkSessCFViolation, but make sure that "Action After Limit Exceeded" is set to "Deactivate account", and attempt the blocked command enough times to hit the limit.
gkSysLDAPServerStatus - Configure an LDAP server and confirm that LDAP refreshes work. Shut down the LDAP server and start another refresh. Wait for it to fail.
gkAppSNMPAgentStatus - Configure SNMP, then start and stop SNMP.
Alerts not generated (with the test method attempted):

gkSysSMBServerStatus - Configure Session Recording to use a CIFS mount. Ensure it is working. Shut down the CIFS server. Attempt to generate a recording.
gkSysNFSServerStatus - Configure Session Recording to use an NFS mount. Ensure it is working. Shut down the NFS server. Attempt to generate a recording.
gkSysDbBackupSMBServerStatus - Configure Scheduled Backups to use a CIFS mount. Ensure it is working. Shut down the CIFS server. Attempt to generate a scheduled backup.
gkSysDbBackupNFSServerStatus - Configure Scheduled Backups to use an NFS mount. Ensure it is working. Shut down the NFS server. Attempt to generate a scheduled backup.
gkSessConnExpired - Configure the Applet timeout to something other than zero. Log out and log in. Launch a PAM applet and wait for the timeout.
gkSessLoginExpired - Configure the Login timeout to 2 or greater. Log out and log in. Wait for the timeout. It is important that you do not set the login timeout to 1; doing so will make PAM inaccessible.
gkSysSyslogServerStatus - Configure a syslog server and the Splunk forwarder. Confirm syslog messages are sent to both, ie updating the sy. Shut down the syslog server. Perform a task that generates
gkSessLoginTerminated - Log in to PAM twice, as super and as another user. From super, terminate the session of the other user.
Alerts not tested:

gkGenericNotification - Test method not known.
gkSysDbBackupS3ServerStatus - The behavior is expected to be the same as for gkSysDbBackupSMBServerStatus and gkSysDbBackupNFSServerStatus, but the method to make S3 unavailable while still keeping AWS available is not currently known.
gkSysMailServerStatus - Testing this alert requires an email server that can be shut down. That was not possible in the environment used for this testing.
gkSysDNSServerStatus - Method to trigger this alert is unknown at this time.
gkSessConnTerminated - Method to trigger this alert is unknown at this time.
gkSessSessRecAlert - Method to trigger this alert is unknown at this time.
gkSessSessRecViolation - Method to trigger this alert is unknown at this time.
gkAppGKMonitorStatus - Method to trigger this alert is unknown at this time.
gkAppLogwatchStatus - Method to trigger this alert is unknown at this time.
gkAppSNMPSubagentStatus - Method to trigger this alert is unknown at this time.
gkAppDBStatus - Method to trigger this alert is unknown at this time.
gkAppFWDStatus - Method to trigger this alert is unknown at this time.
gkAppSessManagerStatus - Method to trigger this alert is unknown at this time.
gkAppSSLVPNMonStatus - Method to trigger this alert is unknown at this time.
gkAppSessRecAPIStatus - Method to trigger this alert is unknown at this time.
gkAppSSLVPNStatus - Method to trigger this alert is unknown at this time.
gkAppAPWDStatus - Method to trigger this alert is unknown at this time.
gkAppGKAuthDStatus - Method to trigger this alert is unknown at this time.
gkAppClusterStatus - Method to trigger this alert is unknown at this time.
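When walking through the reproducible test methods above, it helps to confirm from the trap receiver's side that each expected alert actually arrived. The following Python check is an added example, not part of this article or of PAM; the trap-receiver log line layout it parses is a constructed assumption, so adjust the regular expression to the receiver you actually use.

```python
import re
from collections import Counter

# The alerts the article lists as reproducible; a monitoring test run
# should see every one of these at least once.
REPRODUCIBLE = {
    "gkSysClusterStatus", "gkSysCredMgmtStatus", "gkSysMultiSiteStatus",
    "gkSessLoginFailed", "gkSessSFViolation", "gkSessSFAccDeactivated",
    "gkSessCFViolation", "gkSessCFAlert", "gkSessCFAccDeactivated",
    "gkSysLDAPServerStatus", "gkAppSNMPAgentStatus",
}

# Constructed trap-receiver lines; the layout is an assumption for this
# example, not PAM's or any real trap daemon's output format.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z pam-trap-rx src=10.0.0.5 trap=gkSessLoginFailed user=alice
2024-01-01T10:00:07Z pam-trap-rx src=10.0.0.5 trap=gkSessLoginFailed user=alice
2024-01-01T10:03:12Z pam-trap-rx src=10.0.0.5 trap=gkSessCFViolation cmd="ps -ef"
2024-01-01T10:03:15Z pam-trap-rx src=10.0.0.5 trap=gkSessCFAlert cmd="ps -ef"
2024-01-01T10:09:40Z pam-trap-rx src=10.0.0.6 trap=gkSysClusterStatus node=2 state=down
2024-01-01T10:09:41Z pam-trap-rx src=10.0.0.6 trap=gkSysMultiSiteStatus site=B state=down
2024-01-01T10:15:00Z pam-trap-rx src=10.0.0.5 trap=gkSessLoginTerminated by=super
garbage line without a trap field
"""

# Assumed field name "trap=" carrying the gk* alert identifier.
TRAP_FIELD = re.compile(r"\btrap=(gk[A-Za-z0-9]+)\b")

def count_traps(log_text):
    """Count occurrences of each gk* alert name found in the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TRAP_FIELD.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def coverage_report(log_text):
    """Compare received alerts with the reproducible set from the article."""
    counts = count_traps(log_text)
    seen = set(counts)
    return {
        "received": {name: counts[name] for name in sorted(seen & REPRODUCIBLE)},
        "missing": sorted(REPRODUCIBLE - seen),      # reproducible but never seen
        "other": sorted(seen - REPRODUCIBLE),        # alerts outside the reproducible list
    }

if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any name under "missing" points at a test step that was not run, or at a trap that was emitted by PAM but dropped somewhere between the appliance and the receiver.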
The alerts for which the trigger method is not known are being investigated. This document will be updated as each trigger is identified.