Direct or console-based logins on the Linux servers (agents) must also be recorded. Nowadays, when almost every server is virtualized, console/direct logins are very common from hypervisor management utilities (e.g. vSphere Client).
by: Muhammad S. | over a year ago | Integrations
Comments
Direct SSH sessions can already be audited through PAM with cpcksh:
https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/t42urslwgwm6.html#bjfzqbd
The following TID also demonstrates how to implement command rewriting to audit a direct ssh session while also rewriting to the user's preferred shell:
https://www.novell.com/support/kb/doc.php?id=7017938
Yes, direct SSH sessions can be audited very smoothly and perfectly.
By direct or console-based logins, I meant that the agent should audit/record the sessions when someone logs in to the system via a graphical user interface (GNOME or KDE).
For example, if I have physical access (direct and/or console) to a system running Linux where the X Window System and a graphical desktop environment (GNOME or KDE) are installed, and I log in to that system directly (without using the network) in the GUI (GNOME), the existing agent does not audit and record the session, which it should, as nowadays almost every server is virtualized and console/direct logins are available from the hypervisor management utility (e.g. vSphere Client), i.e. I don't need to be physically present at the datacenter, because direct/console-based logins are available from the vSphere/VMware client.
I get this, I think. If the customer is running vSphere Client, for example, they log into vSphere and pick a server that they should have privileged access to. PAM should be able to monitor for these types of activities and initiate a recording when someone establishes a privileged session through the "direct" connection provided by the virtualization application. Today, PAM provides privilege management support for vSphere the application, but not in this use case. Do I have a correct understanding of what is being asked for in this idea?
Yes, you got it right. In the age of virtualization, "direct connections" do not require physical access; tools like vSphere provide direct access to the servers.
PAM does the job when servers are running MS Windows, and such a feature is required for Linux-based agents too.
This is interesting because it poses an interesting challenge. It (PAM) has to somehow be aware of direct connections. This would require the agent to be present. I'm not trying to get too far into the "how" here, except I'm curious whether it would change anyone's vote/position on the idea if this was a use case that could only be supported with an agent.
Ideally, 'agents' should be installed on the servers for 360° protection, though the "Desktop Agent" should be smart/comprehensive enough that servers without agents installed are also monitored/audited (as we are discussing at Idea#12438).
This idea should serve as an added advantage of installing the agents on the servers, i.e. another reason to install the agent on the servers (installing an agent on servers is normally not appreciated by admins).
Also, as said, the agent for MS Windows is doing the same job, so why shouldn't the same feature also be provided with the Linux agents?
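The gap the thread describes is that an SSH-only recording setup never sees text-console or GNOME/KDE logins, whether they come from a physical keyboard or from a hypervisor console. Until an agent records those sessions, a defender can at least detect them from the host's own login accounting. The following is an added example, not code from the thread or from NetIQ PAM: it parses utmp-format login records (the layout is glibc's struct utmp on x86_64, assumed here; the sample records are constructed in-line rather than read from /var/run/utmp) and reports every login that did not arrive over the network, i.e. exactly the console and graphical sessions that the existing SSH/PAM auditing would miss.

```python
"""Added example: find console and graphical (GUI) logins in utmp-style records.

These are the sessions an SSH-based recording setup does not cover; the
script flags them so they can be reviewed or forwarded to a SIEM.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Assumed layout of glibc's struct utmp on x86_64 (384 bytes):
#   ut_type(h) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   e_termination(h) e_exit(h) ut_session(i) tv_sec(i) tv_usec(i) addr_v6[4](i) unused[20]
# Other architectures or libcs may differ; the sample below is packed and
# unpacked with the same Struct, so the demo is self-consistent regardless.
UTMP_STRUCT = struct.Struct("hi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of a normal logged-in user session
BOOT_TIME = 2     # ut_type of a system boot record (must be ignored)


@dataclass
class LoginRecord:
    user: str
    line: str    # tty1, pts/0, :0, ...
    host: str    # remote host, X display, or "" for a local console login
    tv_sec: int  # login time as a Unix timestamp


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list[LoginRecord]:
    """Return the USER_PROCESS entries from a buffer of utmp records."""
    records: list[LoginRecord] = []
    for off in range(0, len(data) - UTMP_STRUCT.size + 1, UTMP_STRUCT.size):
        fields = UTMP_STRUCT.unpack_from(data, off)
        ut_type, _pid, line, _id, user, host, _e1, _e2, _sess, tv_sec, _usec = fields[:11]
        if ut_type != USER_PROCESS:
            continue  # boot records, getty slots, dead processes, etc.
        records.append(LoginRecord(_cstr(user), _cstr(line), _cstr(host), tv_sec))
    return records


def classify(rec: LoginRecord) -> str:
    """'graphical' for an X display login, 'network' if a remote host was
    recorded, otherwise 'console' (physical keyboard or hypervisor console)."""
    if rec.line.startswith(":") or rec.host.startswith(":"):
        return "graphical"
    if rec.host:
        return "network"
    return "console"


def unaudited_local_logins(data: bytes) -> list[tuple[str, str, str]]:
    """Logins an SSH-only recording setup would not see: console and graphical."""
    return [(r.user, r.line, classify(r))
            for r in parse_utmp(data) if classify(r) != "network"]


def make_utmp_record(user: str, line: str, host: str, tv_sec: int,
                     ut_type: int = USER_PROCESS) -> bytes:
    """Pack one record; used only to build the constructed sample below."""
    return UTMP_STRUCT.pack(ut_type, 4242, line.encode(), b"", user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: one ssh session, one text-console login, one GNOME
# login on display :0, and a boot record that the parser must skip.
SAMPLE_UTMP = b"".join([
    make_utmp_record("alice", "pts/0", "10.0.0.5", 1700000000),
    make_utmp_record("bob", "tty1", "", 1700000100),
    make_utmp_record("carol", ":0", ":0", 1700000200),
    make_utmp_record("", "~", "", 1700000000, ut_type=BOOT_TIME),
])

if __name__ == "__main__":
    # On a real host you would read /var/run/utmp (or /var/log/wtmp) instead.
    for user, line, kind in unaudited_local_logins(SAMPLE_UTMP):
        print(f"{kind:9s} {user:8s} {line}")
```

Running the block prints the two local sessions (bob on tty1 as console, carol on :0 as graphical) and omits alice's SSH session, which the existing PAM/cpcksh auditing already records. A vSphere console login looks identical to bob's record from the host's point of view, which is why utmp alone cannot tell physical from hypervisor console access; it does, however, give a detection signal for the sessions the thread says go unrecorded.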