sharfuddin2 Absent Member.

Planning and Monitoring for PAM deployment


Hello,

My customer raised the following questions:

a) How much bandwidth is required when an agent sends data (recordings)
to the Manager?

b) How do we plan storage requirements for a PAM deployment? Also, does PAM
store data (recordings, auditing) in compressed form?

c) Where does PAM store the credentials of the MS Windows
Administrator (for RDP access etc.) and the root user (for SSH access to
Linux/Unix)? Is it in the DB or in a flat file?

d) Does PAM encrypt the credentials? If yes, which algo is used (md5,
sha1 etc.)?

e) If a rogue system admin hard reboots the machine (Windows or Linux)
and then boots the system in maintenance mode (safe mode in Windows and
runlevel 1 in Linux) and either uninstalls the
agent or damages the agent by deleting a few files, is there any way to
prevent it?

f) PAM Manager displays the status of machines, but is there any option
to configure alerts to send email when a machine goes offline?

Regards,


--
sharfuddin
Micro Focus Expert

Re: Planning and Monitoring for PAM deployment

If needed, I'd recommend opening a Service Request for these questions to be answered more fully, as some may require discussion with Development.

The required bandwidth for session capture recording is heavily dependent on the rule configurations such as fps, etc. There is CPU Utilization that will occur on the agent itself when sessions are encoded to video prior to delivering to the audit manager. For hopefully more details, please see our Performance and Sizing Guidelines.

For video capture, you can schedule compression and archiving of video files to external storage. For more details, please refer to Video Capture for Windows. Compressed rollover can also be configured for audit database files. For more details, please refer to Auditing Settings.

PAM stores details of all the domains and the respective credentials in the Enterprise Credential Vault database. By default, the credentials are securely stored in an encrypted form. I believe the credentials in the vault are encrypted using a salted 256-bit AES algorithm. Additionally, you have the option to add an additional layer of encryption to the database. For information about how to encrypt the Enterprise Credential Vault database (prvcrdvlt.db), refer to Modifying a Domain.

In regards to a rogue system admin, there are policies / rules that can be created to help limit what even a system administrator can do; however, this requires the PAM agent to be running and monitoring the session. For example, you can automatically disconnect a session based on the risk of using a command. You can also configure auto block on particular commands, which will ban the user from connecting again. For more details, please refer to Disconnecting the Session Automatically.

For email notifications of system alerts, I am not quite sure how to configure that. I do know that automatic email reports can be configured through the Compliance Auditor Console, but I suspect those are for audited sessions rather than system alerts. I'd encourage you to suggest this idea to the PAM Idea Portal. This may already be possible, which would be answered here as well as be considered for future enhancements if not.

Regards,
Tyler
sharfuddin2 Absent Member.

Re: Planning and Monitoring for PAM deployment


Thanks for your detailed and explanatory responses, I opened the
SR#101045987281 and got the following responses

a) There is no actual calculation done for bandwidth required for data
transfer. But the agent expects fair data bandwidth for data transfer.

b) Yes the data is in compressed form and the disk space is mentioned in
the following link,
http://tinyurl.com/hgfbpdm

c) All the credentials for both RDP and SSH are stored in the DB and it
is encrypted.

d) For security reasons NPAM does not disclose the algos used for
encrypting the credentials.
Along with the encryption of credentials, administrator can also encrypt
individual databases of NPAM.
The same is documented in the following link,
http://tinyurl.com/jjystf8

e) I think this issue is related to securing the Windows system rather
than NPAM restricting the actions with Windows in safe mode.
Once someone gets physical access to the machine, I think it is quite
difficult to secure the machine.
The only way I can think of is securing the files under /opt/netiq/npum
and /etc/ directory using third party tools from corresponding OS.

f) There is an option to configure alert settings for individual host or
for a domain. But I do not see an option to send an email to
administrator.
I will ask engineering if they are planning to add this in the upcoming
releases or if there is an option in any of the command options.
http://tinyurl.com/gpf446h

For alerts, I have already created the idea at
https://ideas.microfocus.com/MFI/pam/Idea/Detail/12547 -- please vote
😉

Regards,


--
sharfuddin
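
The support reply to (e) above suggests protecting the files under /opt/netiq/npum with OS-level tools; tampering done from maintenance mode can at least be detected afterwards. The following is an added example, not part of the original post and not NetIQ code: it hashes a directory tree, seals the manifest with an HMAC whose key is assumed to be kept off the host, and reports missing, added or modified files. The file names and key in the demo are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest


def seal(manifest, key):
    """HMAC-SHA256 over the canonical manifest; key and tag live off-host."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def compare(baseline, tag, key, current):
    """Verify the baseline's tag, then list missing/added/modified files."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline manifest failed HMAC verification")
    return {
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    # Constructed demo tree; on a real host point snapshot() at /opt/netiq/npum.
    key = b"demo-key-kept-off-host"  # constructed value
    with tempfile.TemporaryDirectory() as root:
        for name in ("agent.bin", "agent.conf"):  # hypothetical file names
            with open(os.path.join(root, name), "w") as fh:
                fh.write("v1")
        base = snapshot(root)
        tag = seal(base, key)
        os.remove(os.path.join(root, "agent.bin"))
        print(compare(base, tag, key, snapshot(root)))
```

The baseline and its tag need to be stored and compared from another system, since anyone who can boot the host into single-user mode can also rewrite a manifest kept locally.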
cpedersen Outstanding Contributor.

Re: Planning and Monitoring for PAM deployment

On 13/01/2017 06:54, sharfuddin wrote:
>
> Hello,
>
> My customer raised the following questions:
>
> a) How much bandwidth is required when an agent sends data (recordings)
> to the Manager?
>
> b) How do we plan storage requirements for a PAM deployment? Also, does PAM
> store data (recordings, auditing) in compressed form?
>
> c) Where does PAM store the credentials of the MS Windows
> Administrator (for RDP access etc.) and the root user (for SSH access to
> Linux/Unix)? Is it in the DB or in a flat file?
>
> d) Does PAM encrypt the credentials? If yes, which algo is used (md5,
> sha1 etc.)?
>
> e) If a rogue system admin hard reboots the machine (Windows or Linux)
> and then boots the system in maintenance mode (safe mode in Windows and
> runlevel 1 in Linux) and either uninstalls the
> agent or damages the agent by deleting a few files, is there any way to
> prevent it?
>
> f) PAM Manager displays the status of machines, but is there any option
> to configure alerts to send email when a machine goes offline?
>


a) in practical terms, not much. I don't see that as being an issue.

b) Per Agent: 2 minutes = approx. 450-650kb at 1920x1200 resolution
(mp4), you then need to calculate how many Agents you have and how long
you want to keep the data.

One thing to remember, if you take your Audit server offline the Agent
will store the captured data until it comes online.

Multiple Audit servers are not a cluster; Agents will talk to all
configured Audit servers, and the same applies when taking one offline.

c) already answered.

d) already answered.

e) no.

f) no.



Casper
