After you install PSM for SSH
After you run the PSM for SSH setup, perform the following procedures.
To delete installation files:
Delete the following files that were used during installation:
- The user.cred file that you created before installation for the user who created the Privilege Cloud environment.
- The vault.ini file that you used during installation.
Delete the following utility that you copied from the installation package:
- CreateCredFile – The CyberArk utility that creates credentials files.
Hardening the server enforces the recommended security best practices.
Hardening methods differ depending on the platform type.
Hardening is done automatically during installation for the following platforms:
- Red Hat Linux v7.9 and above
- CentOS v7.9 only
In addition to the essential hardening steps performed automatically, we recommend that you perform the following steps:
- Use a separate partition for the following folders:
- Configure the partition with noexec, nosuid, nodev for the following partitions:
- Enable a firewall that only permits incoming connections on the SSH port. The default SSH port is TCP 22.
- Enable SELinux on the PSM for SSH machine. For details, see Enable SELinux on the PSM for SSH server.
Hardening is done manually, post-installation for the following platforms:
To manually harden the server:
In the /etc/ssh directory, open the sshd_config configuration file and block the following:
- SFTP file transfer: verify that the file does not contain the following subsystems:
  If these subsystems are present, users, including PSMConnect, can use SFTP even though they have no shell.
  Alternatively, you can enable SFTP file transfer. Your organization may decide to enable SFTP file transfer on PSM for SSH. In this case, in the sshd_config configuration file, uncomment the subsystems sftp internal-sftp and sftp /usr/libexec/openssh/sftp-server to activate them.
- Port forwarding to remote machines: set GatewayPorts to no.
Make sure the services listed in the table below are ON:

| Service | Description |
| --- | --- |
| acpid | Advanced Configuration and Power Interface event daemon. |
| atd | Runs jobs queued by at. |
| auditd | Linux auditing system. |
| cpuspeed | Monitors the system's idle percentage and reduces or raises the CPU's clock speeds and voltages accordingly, to minimize power consumption when idle or maximize performance when needed. |
| crond | The task scheduling tool. |
| network | Activates the network card. |
| psmpsrv | PSM for SSH services. |
| rawdevices | Assigns raw devices to blocks. |
| sshd | OpenSSH server. |
| syslog | Controls all system logging. |
Make sure the services listed in the table below are OFF under the conditions explained in the Comments column:

| Service | Comments |
| --- | --- |
| iptables, ip6tables | Must be OFF if a firewall is not used. |
| iscsi, iscsid | Must be OFF if iSCSI storage is not used. |
| mdmonitor | Must be OFF if RAID is not used. |
| vmware-tools | Must be OFF if the PSM for SSH server is not running on a VMware VM. |
| lvm2-monitor | Must be OFF if Linux Volume Manager-based storage is not used. |
In the /etc directory, in the inittab file, change the run level in the following line:
Change id:5:initdefault: to id:3:initdefault:
Recommended: Enable a firewall that only permits incoming connections on the SSH port. The default SSH port is TCP 22.
Make sure that the credential file for the PSM for SSH gateway user is set with the following permission: 640. By default this credential file is /etc/opt/CARKpsmp/Vault/psmpgwuser.cred.
- Restart the PSM for SSH server machine.
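The following audit script is an added example and is not part of the CyberArk page: it checks an sshd_config file for the settings in the manual hardening procedure above (no active SFTP subsystem, GatewayPorts no, and PermitEmptyPasswords no from the SUSE section) and verifies that the gateway-user credential file is exactly mode 640. The sample config it runs on is constructed; the real paths to pass are /etc/ssh/sshd_config and /etc/opt/CARKpsmp/Vault/psmpgwuser.cred.

```shell
#!/bin/sh
# Added example (not from the CyberArk page): audit an sshd_config and the
# gateway-user credential file against the manual hardening steps above.

# Effective value of a directive. sshd honours the FIRST uncommented
# occurrence, so a "no" appended after an earlier "yes" would not apply.
sshd_value() {  # $1 = config file, $2 = directive (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Prints one FINDING line per problem; returns 1 if anything was found.
audit_sshd_config() {
    cfg="$1"; rc=0
    # Any active "Subsystem sftp ..." line lets shell-less users use SFTP.
    if grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp' "$cfg"; then
        echo "FINDING: SFTP subsystem still active in $cfg"; rc=1
    fi
    if [ "$(sshd_value "$cfg" GatewayPorts)" != "no" ]; then
        echo "FINDING: GatewayPorts is not set to no"; rc=1
    fi
    if [ "$(sshd_value "$cfg" PermitEmptyPasswords)" != "no" ]; then
        echo "FINDING: PermitEmptyPasswords is not set to no"; rc=1
    fi
    return $rc
}

# The credential file must be exactly mode 640; POSIX find -perm with an
# octal mode matches the permission bits exactly, unlike a plain -r test.
check_cred_perm() {  # $1 = credential file, e.g. psmpgwuser.cred
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 640 -print)" ]
}

# Demo on a constructed (not real) config that still has the problems.
demo_dir=$(mktemp -d)
printf 'Port 22\nGatewayPorts yes\nGatewayPorts no\nSubsystem\tsftp internal-sftp\n' \
    > "$demo_dir/sshd_config"
audit_sshd_config "$demo_dir/sshd_config" || echo "sshd_config needs attention"
: > "$demo_dir/psmpgwuser.cred"; chmod 640 "$demo_dir/psmpgwuser.cred"
check_cred_perm "$demo_dir/psmpgwuser.cred" && echo "credential file mode is 640"
rm -rf "$demo_dir"
```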
Query the installed PSM for SSH
You can view information about the PSM for SSH installation using the following commands:
Use the following command to query information about the PSM for SSH that has been installed:
Use the following command to print all the files in the PSM for SSH package:
Use the following command to print all the PSM for SSH package information:
When installing the PSM for SSH on servers where SELinux was enabled prior to the installation, no further changes are required.
When enabling SELinux on the server after PSM for SSH was already installed, perform the following steps to enable SELinux support.
To enable SELinux on the server:
In the sshd_config configuration file, set the following parameters:
Repair the PSM for SSH installation by running the following command:
rpm -Uvh --force CARKpsmp-<version>-<build number>.x86_64.rpm
If your platform is SUSE, perform the following procedure.
To enable integrated mode on SUSE:
Disable the nscd module in one of the following ways, depending on your SUSE version. In this step, perform only one of the following options.
For SUSE v15.4, you can only perform the first option: disable the nscd module.
Disable the nscd module (SUSE v12.4, v12.5, v15.4)
Run the following command to fully disable the nscd module:
rcnscd stop && chkconfig nscd off
Disable password caching in /etc/nscd.conf (SUSE v12.4, v12.5)
Disable passwd caching so that the NSS modules work without caching. In /etc/nscd.conf, set password caching to no, as follows:
enable-cache passwd no
- In sshd_config, ensure that PermitEmptyPasswords is set to no.
- In /etc/nscd.conf, set the following:
enable-cache passwd yes
Verify the location of CA-certificates
PSM for SSH searches for the machine's trusted CA-certificates in the CA-certificates bundle file, located in /etc/pki/tls/certs/ca-bundle.crt.
In the SUSE OS default settings and in other cases where the CA-certificates location has been changed, PSM for SSH must be able to access the CA-certificates location during the search. If PSM for SSH fails to locate the CA-certificate file, users attempting to access their targets by remote connection will fail.
Ensure that PSM for SSH is directed to the correct location of the CA-certificate bundle. There are several ways to do this. Following is one option.
Create a symbolic link that directs /etc/pki/tls/certs/ca-bundle.crt to the path where the CA-certificates are located.
If PSM for SSH fails to locate the CA-certificate file, the following events occur:
- Users fail to connect: users are unable to connect to their targets by remote access.
- PSMPTTrace.log error message:
PSMPPS[PSLog][IdentityUserSession][ < session-id > ]: Start Authentication failed for user [ <user-name> ]. exception: [Failed to communicate to Identity server: '<Identity server address>' error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none]
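The following is an added example, not part of the CyberArk page: it checks that the path PSM for SSH reads (/etc/pki/tls/certs/ca-bundle.crt) resolves to a readable bundle containing PEM certificates, and creates the symbolic link described above only when nothing already exists at that path. The demo runs on a constructed directory with a placeholder bundle rather than the real system paths.

```shell
#!/bin/sh
# Added example (not from the CyberArk page): verify the CA-bundle path that
# PSM for SSH reads, and point it at the real bundle with a symbolic link.

# Returns 0 if $1 resolves (through any symlink) to a readable file holding
# at least one PEM certificate; otherwise prints the reason and returns 1.
check_ca_bundle() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then echo "dangling symlink: $1"; return 1; fi
    if [ ! -f "$1" ]; then echo "missing or not a file: $1"; return 1; fi
    if [ ! -r "$1" ]; then echo "not readable: $1"; return 1; fi
    if ! grep -q 'BEGIN CERTIFICATE' "$1"; then
        echo "no PEM certificates in $1"; return 1
    fi
    return 0
}

# Creates the link $1 -> $2 only when nothing already exists at $1 (never
# clobbers a real bundle), then re-checks the result through the link.
link_ca_bundle() {  # $1 = path PSM for SSH expects, $2 = actual bundle
    if [ -e "$1" ] || [ -L "$1" ]; then echo "refusing: $1 already exists"; return 1; fi
    check_ca_bundle "$2" || return 1
    ln -s "$2" "$1" && check_ca_bundle "$1"
}

# Demo on a constructed layout; the PEM body is a placeholder, not a real cert.
demo=$(mktemp -d)
mkdir -p "$demo/real" "$demo/pki/tls/certs"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$demo/real/ca-bundle.pem"
check_ca_bundle "$demo/pki/tls/certs/ca-bundle.crt" || \
    link_ca_bundle "$demo/pki/tls/certs/ca-bundle.crt" "$demo/real/ca-bundle.pem" \
    && echo "bundle reachable at the expected path"
rm -rf "$demo"
```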
Enable the existing antivirus agent, or install an industry standard antivirus software.