After you install PSM for SSH

After you run the PSM for SSH setup, perform the following procedures.

Delete installation files and installation utility

To delete installation files:

  1. Delete the following files that were used during installation:

    • The user.cred file that you created before installation for the user who created the Privilege Cloud environment.

    • The vault.ini file that you used during installation.

  2. Delete the following utility that you copied from the installation package:

    • CreateCredFile – The CyberArk utility that creates credential files.

Harden the PSM for SSH server

Hardening the server enforces the recommended security best practices.

Hardening methods differ depending on the platform type.

  • Red Hat Linux, CentOS – Automatically harden the PSM for SSH server

  • SUSE – Manually harden the PSM for SSH server

Automatically harden the PSM for SSH server

Hardening is done automatically during installation for the following platforms: 

  • Red Hat Linux v7.9 and above
  • CentOS v7.9 only

In addition to the essential hardening steps performed automatically, we recommend that you perform the following steps: 

Partitioning

Use a separate partition for the following folders:

  • /tmp and /var/tmp
  • /var/log
  • /var/log/audit
  • /home

Mount the following partitions with the noexec, nosuid and nodev options:

  • /tmp and /var/tmp
  • /dev/shm
  • removable media partitions

Software update

  • Verify that the latest patches for the operating system are applied to your environment.
  • Verify that gpgcheck is globally enabled in your yum repositories.

Networking

Enable a firewall that only permits incoming connections on the SSH port. The default SSH port is TCP 22.

SELinux

Enable SELinux on the PSM for SSH machine. For details, see Enable SELinux on the PSM for SSH server.
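The partitioning recommendations above can be verified rather than eyeballed. The following script is an added example, not part of the CyberArk documentation; it reads a file in /proc/mounts format (a constructed sample here, /proc/mounts on a live host) and reports, for each partition the table lists, which of noexec, nosuid and nodev is missing.

```shell
#!/bin/sh
# Added example (not from the CyberArk documentation): audit the mount
# options on the partitions the hardening table says need noexec,nosuid,nodev.
# Input is a file in /proc/mounts format (pass /proc/mounts on a live host;
# the constructed sample below stands in for it so the script runs offline).
# Print the options the table requires for a mount point that are absent
# from the given mounts file; returns 1 if any are missing or the mount
# point has no entry of its own (i.e. is not a separate partition).
check_mount_opts() {
    mounts_file=$1
    mp=$2
    # In /proc/mounts field 2 is the mount point, field 4 the option list.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount (no entry)"
        return 1
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    return 0
}

# Audit every mount point the table lists; returns 1 if any check fails.
audit_mounts() {
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        check_mount_opts "$1" "$mp" || rc=1
    done
    return $rc
}

# Constructed sample in /proc/mounts format: /tmp is compliant, /var/tmp
# lacks noexec, and /dev/shm has no entry of its own.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / xfs rw,relatime 0 0
/dev/sda3 /tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var/tmp xfs rw,nosuid,nodev,relatime 0 0
EOF

audit_mounts "$SAMPLE_MOUNTS" || echo "hardening gaps found (see above)"
```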

Manually harden the PSM for SSH server

Hardening is done manually, post-installation for the following platforms: 

  • SUSE

To manually harden the server:

  1. In the /etc/ssh directory, open the sshd_config configuration file and block the following:

    • SFTP file transfer – Verify that the file does not contain the following subsystems:

      sftp internal-sftp

      sftp /usr/libexec/openssh/sftp-server

      Without these subsystems, users, including PSMConnect, cannot use SFTP, which they could otherwise do even though they have no shell.

      Alternatively, your organization may decide to enable SFTP file transfer on PSM for SSH. In this case, in the sshd_config configuration file, uncomment the subsystems sftp internal-sftp and sftp /usr/libexec/openssh/sftp-server to activate them.

    • Port forwarding to remote machines – Set GatewayPorts to no.

  2. Make sure the following services are ON:

    • acpid – Advanced Configuration and Power Interface event daemon.
    • atd – Runs jobs queued by at.
    • auditd – Linux auditing system.
    • cpuspeed – Monitors the system’s idle percentage and reduces or raises the CPU’s clock speeds and voltages accordingly, to minimize power consumption when idle or maximize performance when needed.
    • crond – The task scheduling tool.
    • network – Activates the network card.
    • psmpsrv – PSM for SSH services.
    • rawdevices – Assigns raw devices to blocks.
    • sshd – OpenSSH server.
    • syslog – Controls all system logging.

  3. Make sure the following services are OFF under the conditions described:

    • iptables, ip6tables – Must be OFF if a firewall is not used.
    • iscsi, iscsid – Must be OFF if iSCSI storage is not used.
    • mdmonitor – Must be OFF if RAID is not used.
    • vmware-tools – Must be OFF if the PSM for SSH server is not running on a VMware VM.
    • lvm2-monitor – Must be OFF if Logical Volume Manager (LVM) based storage is not used.
  4. In the /etc directory, in the inittab file, change the running level in the following line:

    Change id:5:initdefault: to id:3:initdefault: 

    Recommended: Enable a firewall that only permits incoming connections on the SSH port. The default SSH port is TCP 22.
  5. Make sure that the credential file for the PSM for SSH gateway user is set with permission 640. By default this credential file is /etc/opt/CARKpsmp/Vault/psmpgwuser.cred.

  6. Restart the PSM for SSH server machine.
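Steps 1 and 5 of this procedure are easy to check from a script. The following is an added example, not part of the CyberArk documentation: it flags any still-active sftp subsystem line and any GatewayPorts value other than no in an sshd_config, and checks that a credential file has mode 640; the file paths are parameters, and the sample files are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the CyberArk documentation): check the two
# sshd_config items from the manual hardening procedure and the 640 mode
# of the gateway credential file. Paths are parameters; on a host pass
# /etc/ssh/sshd_config and /etc/opt/CARKpsmp/Vault/psmpgwuser.cred.

# Print every active (uncommented) "Subsystem sftp" line and any
# GatewayPorts value other than "no"; returns 1 if anything is found.
sshd_config_findings() {
    cfg=$1
    rc=0
    # sshd keywords are case-insensitive; a leading '#' makes $1 differ, so comments are skipped.
    sftp_lines=$(awk 'tolower($1) == "subsystem" && tolower($2) == "sftp"' "$cfg")
    if [ -n "$sftp_lines" ]; then
        echo "SFTP subsystem still enabled:"
        echo "$sftp_lines"
        rc=1
    fi
    # sshd honours the first GatewayPorts occurrence; absent means the default, "no".
    gw=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$cfg")
    if [ -n "$gw" ] && [ "$gw" != "no" ]; then
        echo "GatewayPorts is '$gw', expected 'no'"
        rc=1
    fi
    return $rc
}

# Returns 0 only if the file mode is exactly 640 (rw-r-----).
# find -prune -perm 640 is POSIX; stat(1) option syntax differs between systems.
cred_mode_ok() {
    [ -n "$(find "$1" -prune -perm 640 -print)" ]
}

# Constructed sample sshd_config: the internal-sftp line is commented out,
# but the external sftp-server line is still active and GatewayPorts is yes.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
#Subsystem sftp internal-sftp
Subsystem sftp /usr/libexec/openssh/sftp-server
GatewayPorts yes
EOF
# Constructed credential file with the required mode (content irrelevant).
SAMPLE_CRED=$(mktemp)
chmod 640 "$SAMPLE_CRED"

sshd_config_findings "$SAMPLE_CFG" || echo "sshd_config needs hardening"
cred_mode_ok "$SAMPLE_CRED" && echo "credential file mode is 640"
```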

Query the installed PSM for SSH

You can view information about the PSM for SSH installation using the following commands.

Query information about the installed PSM for SSH package:

  rpm -q CARKpsmp

Print all the files in the PSM for SSH package:

  rpm -ql CARKpsmp

Print all the PSM for SSH package information:

  rpm -qi CARKpsmp

Enable SELinux on the PSM for SSH server

When installing the PSM for SSH on servers where SELinux was enabled prior to the installation, no further changes are required.

When enabling SELinux on the server after PSM for SSH was already installed, perform the following steps to enable SELinux support.

To enable SELinux on the server:

  1. In the sshd_config configuration file, set the following parameters:

    UsePAM yes

    ChallengeResponseAuthentication no

  2. Repair the PSM for SSH installation. Run the following command:

    rpm -Uvh --force CARKpsmp-<version>-<build number>.x86_64.rpm

Enable Integrated mode on SUSE

If your platform is SUSE, perform the following procedure.

To enable integrated mode on SUSE:

  1. Disable the nscd module in one of the following ways, depending on your SUSE version. Perform only one of these options; for SUSE v15.4, only the first option (disabling the nscd module) applies.

    • Disable the nscd module (SUSE v12.4, v12.5, v15.4). Run the following command to fully disable the nscd module:

      rcnscd stop && chkconfig nscd off

    • Disable password caching in /etc/nscd.conf (SUSE v12.4, v12.5). Disable passwd caching so that the NSS modules work without caching:

      1. In /etc/nscd.conf, set password caching to no, as follows:

        enable-cache passwd no

      2. Restart nscd:

        rcnscd restart

  2. In sshd_config, ensure that PermitEmptyPasswords is set to no.

To revert to password caching:

  1. In /etc/nscd.conf, set the following:

    enable-cache passwd yes

  2. Restart nscd:

    rcnscd restart

Verify the location of CA-certificates

PSM for SSH searches for the machine’s trusted CA-certificates in the CA-certificates bundle file, located in /etc/pki/tls/certs/ca-bundle.crt.

In the SUSE OS default settings, and in other cases where the CA-certificates location has been changed, PSM for SSH must still be able to access the CA-certificates location during the search. If PSM for SSH fails to locate the CA-certificate file, users attempting to access their targets by remote connection fail to connect.

Ensure that PSM for SSH is directed to the correct location of the CA-certificate bundle. There are several ways to do this; the following is one option.

Option for directing the CA-certificate bundle to the required path: create a symbolic link from /etc/pki/tls/certs/ca-bundle.crt to the path where the CA-certificates are located.

Indicators that PSM for SSH fails to locate the CA-certificates file

If PSM for SSH fails to locate the CA-certificate file, the following events occur:

  • Users fail to connect – Users are unable to connect to their targets by remote access.

  • PSMPTrace.log error message:

    PSMPPS[PSLog][IdentityUserSession][ < session-id > ]: Start Authentication failed for user [ <user-name> ]. exception: [Failed to communicate to Identity server: '<Identity server address>' error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none]
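The symlink option and the log indicator above can both be checked with a script. The following is an added example, not part of the CyberArk documentation: it verifies that a bundle path (following any symlink) is a readable file containing at least one PEM certificate, and counts PSMPTrace.log lines carrying the CA-location error. The alternate bundle location and the log excerpt are constructed for the example; on a host you would pass /etc/pki/tls/certs/ca-bundle.crt and the real PSMPTrace.log.

```shell
#!/bin/sh
# Added example (not from the CyberArk documentation): verify that the path
# PSM for SSH reads, /etc/pki/tls/certs/ca-bundle.crt, resolves to a usable
# CA bundle, and count the PSMPTrace.log failures listed above. Paths are
# parameters so the script runs offline against constructed files; the
# alternate bundle location below is an assumed example, not a documented path.

# Returns 0 if the path (following any symlink) is a readable file holding at
# least one PEM certificate; otherwise prints the reason and returns 1.
ca_bundle_ok() {
    bundle=$1
    if [ ! -e "$bundle" ]; then
        echo "$bundle: missing (dangling symlink or no file)"
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "$bundle: not readable"
        return 1
    fi
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$n" -eq 0 ]; then
        echo "$bundle: contains no PEM certificates"
        return 1
    fi
    return 0
}

# Count PSMPTrace.log lines carrying the CA-location error shown above.
ca_location_failures() {
    grep -c 'error setting certificate verify locations' "$1" || true
}
# Constructed bundle (placeholder PEM, not a real certificate) in an assumed
# alternate location, with the documented path provided as a symlink to it,
# plus a dangling symlink to show the failure case.
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$WORK/ca-bundle.pem"
ln -s "$WORK/ca-bundle.pem" "$WORK/ca-bundle.crt"
DANGLING="$WORK/dangling.crt"
ln -s "$WORK/does-not-exist.pem" "$DANGLING"
# Constructed PSMPTrace.log excerpt: two CA-location failures, one unrelated line.
SAMPLE_LOG="$WORK/PSMPTrace.log"
cat > "$SAMPLE_LOG" <<'EOF'
PSMPPS[PSLog][IdentityUserSession][<session-id>]: Start Authentication failed for user [<user-name>]. exception: [Failed to communicate to Identity server: '<Identity server address>' error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none]
PSMPPS[PSLog][IdentityUserSession][<session-id>]: Session started for user [<user-name>]
PSMPPS[PSLog][IdentityUserSession][<session-id>]: Start Authentication failed for user [<user-name>]. exception: [Failed to communicate to Identity server: '<Identity server address>' error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none]
EOF
ca_bundle_ok "$WORK/ca-bundle.crt" && echo "CA bundle OK"
ca_bundle_ok "$DANGLING" || echo "fix: ln -s <real bundle> /etc/pki/tls/certs/ca-bundle.crt"
echo "CA-location failures in log: $(ca_location_failures "$SAMPLE_LOG")"
```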

Install antivirus

Enable the existing antivirus agent, or install an industry standard antivirus software.