PSM for SSH post-installation tasks

The following topic describes tasks that may need to be performed following the PSM for SSH installation.

Verify AD Bridge services are running

After PSM for SSH has been installed successfully, it will be started automatically. Use the following commands or log files to verify that the psmpsrv service is running.

Platform/File

Command/Location

RHEL7, SUSE11, SUSE12
  
service psmpsrv status psmpadb

RHEL8
  
systemctl status psmpsrv-psmpadbserver

PSMPConsole.log

/var/opt/CARKpsmp/logs

ADBConsole.log

/var/opt/CARKpsmpadb/logs

Delete installation files and installation utility (optional)

  1. Delete the following files that were used during installation.

    • The user.cred file that you created before installation for the user who created the Vault environment.

    • The vault.ini that you used during installation.

  1. Delete the following utility that you copied from the installation package.

    • CreateCredFile – The CyberArk utility that creates credentials files.

Integrate PSM for SSH with LDAP authentication

  1. Make sure the Vault is configured to work with LDAP. For more information, refer to Configure transparent user management using LDAP.

  2. Add the relevant LDAP group as an Owner of the Safe where the accounts used to access the target systems are stored:

    1. Log onto the PrivateArk Administrative Client as an administrative user.

    2. On the PrivateArk toolbar, click Owners; the Owners window appears.

    3. Click Add; the Add Owners dialog box appears.

    4. Click Add From LDAP; a list of supported directory names appears.

    5. Select the LDAP directory that contains the relevant LDAP group.

    6. In the Search For listbox, select Groups.

    7. in the Filter edit box, specify all or part of the group name, then click Search; a list of group names that match the specified criteria is displayed.

    8. Select the relevant LDAP group, then click OK; the selected group appears in the Add Owners list.

    9. Select the name of the new LDAP group, then click the arrow to move the group to the Selected User(s) field.

    1. Set the authorizations and preferences for the new group, then click OK; the Safe Owner is added to the Safe Owners list with the authorizations that you have set.

      When the test LDAP user logs on, a corresponding Vault user will automatically be created and added to the Vault group for this LDAP group, with ownership of the Safe where the accounts used to access the target systems are stored.

      For more information about configuring transparent user management, refer to Configure transparent user management using LDAP.

Integrate PSM for SSH with Radius Authentication

Make sure the Vault is configured to work with Radius authentication. For more information, refer to RADIUS Authentication.

Harden the PSM for SSH server

The PSM hardening procedure on the PSM for SSH server machine enhances PSM for SSH security.

The following table describes hardening methods for supported platforms.

Platform

Hardening Method

How to

  • Red Hat Linux

  • Centos

Automatic

Automatically harden the PSM for SSH server

  • SUSE

Manual

Manually harden the PSM for SSH server

 

When installing the PSM for SSH on AWS, refer to Manually Install the Privileged Session Manager, before hardening the PSM for SSH server.

Automatically harden the PSM for SSH server

The PSM for SSH server is automatically hardened during installation on the following platforms:

  • Red Hat Linux

  • CentOs

This hardening enforces security best practices recommended for these platforms.

The following table describes the additional manual steps you need to do to harden the PSM for SSH server after installation:

Task

 How to

Partitioning

Use a separate partition for the following folders:

  • /tmp and /var/tmp

  • /var/log

  • /var/log/audit

  • /home

Configure the partition with noexec,nosuid,nodev for the following partitions:

  • /tmp and /var/tmp

  • /dev/shm

  • removable media partitions

Software update

Verify that the latest patch of the operating systems is applied to your environment.

Verify that the gpgcheck is globally activated in your yum repositories.

Networking

We recommend that you enable a firewall that only permits incoming connections on the SSH port. the default SSH port is TCP 22.

SELinux

We recommend that you enable SELinux on the PSM for SSH machine. For details, see Enable SELinux on the PSM for SSH server.

While not recommended, you can bypass the automatic hardening by setting the Hardening parameter in the PSM for SSH parameters file. For more details, see Create the PSM for SSH parameters file for installation.

Manually harden the PSM for SSH server

  1. In the /etc/ssh directory, open the sshd_config configuration file.

    1. Verify that the file does not contain the following:

      • Subsystem: sftp internal-sftp

      • Subsystem: sftp /usr/libexec/openssh/sftp-server

      These subsystems prevent users, including PSMConnect, from using SFTP even though they have no shell.

    2. Set the following attributes:

      Attribute

      Value

      		 Description
      DisableForwarding

      yes

      		 Disable all existing forwarding features
      AllowTcpForwarding

      no

      		 Allow TCP forwarding
      PermitOpen

      localhost:* 127.0.0.1:* [::1]:*

      		 Specifies the destinations to which TCP port forwarding is permitted
      PermitListen

      none

      		 Specifies the addresses/ports on which a remote TCP port forwarding may listen
      GatewayPorts no Specifies whether remote hosts are allowed to connect to ports forwarded for the client
      AllowStreamLocalForwarding no Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted
      StreamLocalBindUnlink no Specifies whether to remove an existing Unix-domain socket file for local or remote port forwarding before creating a new one
      PermitTunnel no Specifies whether tun(4) device forwarding is permitted
      X11Forwarding no Specifies whether X11 forwarding is permitted
      AllowAgentForwarding no Specifies whether ssh-agent(1) forwarding is permitted

      PrintLastLog

      		no

      Prints the last login of the current user

  2. Set the required services:

    Make sure the services listed in the table below are ON:

    Service Description
    acpid Advanced Configuration and Power Interface event daemon.
    atd Runs jobs queued by at.
    auditd Linux auditing system.
    cpuspeed Monitors the system’s idle percentage and reduces or raises the CPU’s clock speeds and voltages accordingly in order to minimize power consumption when idle or maximize performance when needed.
    Crond The task scheduling tool.
    network Activates the network card.
    psmpsrv PSM for SSH and AD Bridge services
    rawdevices Assigns raw devices to blocks.
    sshd OpenSSH server.
    syslog Controls all system logging.

    Make sure the services listed in the table below are OFF under the conditions explained in the Comments column:

    Service Comments
    iptables, ip6tables Must be OFF if a firewall is not used.
    iscsi, iscsid Must be OFF if iCSCSI storage is not used.
    mdmonitor Must be OFF if RAID is not used.
    vmware-tools Must be OFF if the PSM for SSH server is not running on VMWARE VM.
    lvm2-monitor Must be OFF if the Linux Volume Manager-based storage is not used.

  3. In the /etc directory, in the inittab file, change the running level in the following line:

    Change id:5:initdefault: to id:3:initdefault: 

  4. It is highly recommended to enable a firewall that only permits incoming connections on the SSH port. The default SSH port is TCP 22.

  5. Make sure that the credential file for the PSM for SSH gateway user is set with the following permission: 640. By default this credential file is in "/etc/opt/CARKpsmp/Vault/ psmpgwuser.cred".

  6. Allow the PSM for SSH gateway user to access the Vault from the PSM for SSH server only by creating a network area that includes only the PSM for SSH server IP address. Add this network area as the only trusted network area for the PSM for SSH gateway user.

     

    Network areas can only be created for IPV4 addresses.

    The PSM for SSH server must have a static IP address.
  7. Restart the PSM for SSH server machine.

Query the installed PSM for SSH

You can view information about the PSM for SSH installation using the following commands:

Use the following command to query information about the PSM for SSH that has been installed:
  
rpm –q CARKpsmp
Use the following command to print all the files in the PSM for SSH package:
  
rpm –ql CARKpsmp
Use the following command to print all the PSM for SSH package information:
  
rpm –qi CARKpsmp

Enable sftp-server

Manually enable the sftp-server definition, which was disabled during hardening. In the sshd_config file, remove the # at the beginning of the following line:

  
#Subsystem sftp /usr/libexec/openssh/sftp-server

Enable SELinux on the PSM for SSH server

When installing the PSM for SSH on servers where SELinux was enabled prior to the installation, no further changes are required.

When enabling SELinux on the server after PSM for SSH was already installed, perform the following steps to enable SELinux support.

  1. In the sshd_config configuration file, set the following parameters:

    • UsePAM yes

    • ChallengeResponseAuthentication no

  2. Repair the PSM for SSH installation. For more information, refer to Repairing the PSM for SSH Installation.

Enable Integrated mode on SUSE

If you installed PSM for SSH in Integrated mode (InstallCyberArkSSHD = Integrated) on SUSE, you must perform the following post-installation procedure.

  1. Do one of the following:

    • Disable the nscd module

      Run the following command:

        
      rcnscd stop && chkconfig nscd off

      This fully disables the nscd module.

    • Disable password caching in /etc/nscd.conf

      When you disable passwd caching, nss modules work without caching.

      1. In /etc/nscd.conf, change

          
        enable-cache passwd yes

        to

          
        enable-cache passwd no

      2. Run the following command:

          
        rcnscd restart
  2. In sshd_config, ensure that PermitEmptyPasswords is set to no.