Security Credential scans against CA PAM

Article ID: 215755

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We normally use a credential on a VM to coordinate internal security scans. Since CA PAM runs on a hardened Debian OS, we are unsure how to create the account for access to the VM using PAM.

How would we go about doing this?


Environment

Release : 3.x, 4.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Part of what hardens CA PAM is that no one, including system monitoring tools, can access the console or the backend operating system. The only port open to external access by default is TCP 443. Several other ports must be open between cluster nodes, but those are not reachable by any other resource. As a result, there is no supported way to create a local account on the appliance for a credentialed scan; an external scanner can only assess what the appliance exposes on port 443.

The only access method to the backend of this appliance is through Broadcom Support, and even then the SSH access must be started manually before support can connect; it is never handed over to the customer. This access uses private-key authentication, and the key expires 3 months after it is generated, not after it is added to the system. Furthermore, the SSH service used for the connection can only be started for a limited time: the default is 1 week and the maximum is 3 months. See "Remote PAM Debugging Services" in the latest CA PAM documentation for how to enable it.
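Because no credentialed account can be created, the practical check is an unauthenticated external scan compared against the documented baseline (TCP 443 only). The script below is an added example and is not part of the Broadcom article or the product: it parses nmap grepable output (the `-oG` format) and flags any open port other than 443, so an unexpected listener on an appliance is caught without needing backend access. The appliance address 10.0.0.5 and the scan lines in SAMPLE_SCAN are constructed for illustration.

```python
"""Compare an nmap -oG scan of a CA PAM appliance against its external baseline.

Added example (not from the Broadcom article). The appliance should expose
only TCP 443 to anything outside the cluster, so every other open port is
reported as a deviation. The sample scan output below is constructed.
"""
import re

# Documented external baseline for the appliance: only HTTPS on TCP 443.
BASELINE_OPEN = {("tcp", 443)}

# Constructed nmap -oG output for a hypothetical appliance at 10.0.0.5.
# 8443 is deliberately shown open so the check has something to flag.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 443/open/tcp//https///, 22/closed/tcp//ssh///, 8443/open/tcp//https-alt///\tIgnored State: filtered (65532)
# Nmap done at Mon Jan  1 00:00:00 2024 -- 1 IP address (1 host up) scanned
"""

# Each -oG port entry looks like: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {(proto, port): state}} from nmap grepable output.

    Fields on a 'Host:' line are tab-separated; the 'Ports:' field holds a
    comma-separated list of port entries. Lines that are comments or carry
    only a 'Status:' field contribute the host with no ports.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.0.0.5 ()" -> "10.0.0.5"
        results.setdefault(host, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                match = PORT_RE.match(entry.strip())
                if match:
                    port, state, proto = match.groups()
                    results[host][(proto, int(port))] = state
    return results


def check_baseline(results, baseline=BASELINE_OPEN):
    """Return {host: (unexpected_open, missing_expected)} per scanned host.

    unexpected_open lists open ports outside the baseline; missing_expected
    lists baseline ports that were not seen open (e.g. 443 filtered).
    """
    report = {}
    for host, ports in results.items():
        open_ports = {key for key, state in ports.items() if state == "open"}
        report[host] = (sorted(open_ports - baseline),
                        sorted(baseline - open_ports))
    return report


if __name__ == "__main__":
    for host, (unexpected, missing) in check_baseline(parse_grepable(SAMPLE_SCAN)).items():
        status = "OK" if not unexpected and not missing else "DEVIATION"
        print(f"{host}: {status} unexpected_open={unexpected} missing={missing}")
```

In practice, feed the output of `nmap -sS -p- -oG - <appliance>` run from outside the cluster into `parse_grepable`; the intra-cluster ports mentioned above should show as filtered or closed from that vantage point, so only 443 remains in the open set.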