WAB 3.1 Admin Guide


Wallix AdminBastion 3.1 - Administration Guide

Table of Contents

1. Introduction
   1.1. Preamble
   1.2. Copyright, Licences
   1.3. Legend
   1.4. About this document
2. Concepts
   2.1. General information
   2.2. Positioning of the WAB in the network infrastructure
   2.3. The concept of WAB ACLs
   2.4. Roll-out
3. Administration interface
   3.1. Initial logon
   3.2. Menu tree structure
   3.3. My preferences
   3.4. My authorisations
   3.5. WAB audit
      3.5.1. Current connections
      3.5.2. View sessions in real time
      3.5.3. Connection history
      3.5.4. View session recording
      3.5.5. Authentication history
      3.5.6. Connection statistics
   3.6. System audit
      3.6.1. System status
      3.6.2. System logs
   3.7. Users
      3.7.1. Accounts
      3.7.2. Groups (of users)
      3.7.3. Import (users)
   3.8. Resources and accounts
      3.8.1. Devices
      3.8.2. Target accounts
      3.8.3. Device admin credentials
      3.8.4. Groups (of target accounts)
      3.8.5. Authentication mechanisms
      3.8.6. Import (target devices and target accounts)
   3.9. Manage authorisations
      3.9.1. Add an authorisation
      3.9.2. Delete an authorisation
      3.9.3. Import authorisations from CSV
   3.10. User profiles
      3.10.1. Default profiles
      3.10.2. Add a user profile
      3.10.3. Edit a user profile
      3.10.4. Delete a user profile
   3.11. WAB configuration
      3.11.1. Time frames
      3.11.2. External authentications
      3.11.3. Notifications
      3.11.4. Password policy
      3.11.5. Secondary passwords
      3.11.6. Logon settings
   3.12. System configuration
      3.12.1. Network
      3.12.2. Time service
      3.12.3. Remote storage
      3.12.4. Syslog
      3.12.5. SNMP
      3.12.6. SMTP
      3.12.7. Licence
   3.13. Back-up/Restore
4. Operation
   4.1. Using the command line to connect to the WAB
   4.2. Exporting audit data
   4.3. Back-up/Restore from the command line
   4.4. Configuring automatic back-up
   4.5. Rights engine: operating limitations
   4.6. SSH flows analysis / Pattern detection
   4.7. TELNET connection scenario
   4.8. Resolving common problems
      4.8.1. Restoring the factory 'admin' account
      4.8.2. Resetting the device
5. Data encryption
6. Compatibility
7. Limits
8. Definitions


List of Figures

2.1. Wallix AdminBastion in the network infrastructure
3.1. WAB logon screen
3.2. WAB home page (administrator profile)
3.3. 'My preferences' page
3.4. User's authorisations
3.5. Close an SSH connection
3.6. View RDP sessions in real time
3.7. Connection history
3.8. Connection history filters
3.9. View an RDP recording with OCR
3.10. Authentication history
3.11. Connection statistics
3.12. Sample statistical graph
3.13. System status
3.14. List of users
3.15. Add user form
3.16. Delete users
3.17. List of devices accessible by a user
3.18. List of user groups
3.19. Add user group form
3.20. List of users in a group
3.21. Import users page
3.22. Summary of user import from a CSV file
3.23. Import users from a directory
3.24. List of target devices
3.25. Add device form
3.26. List of all target accounts for a device
3.27. List of target accounts for a service
3.28. Add target account form
3.29. Device admin credentials
3.30. Admin credentials on a Linux/Unix device
3.31. Admin credentials on a Windows device
3.32. Admin credentials on a Cisco device
3.33. List of target account groups
3.34. Add a target account group form
3.35. Authentication mechanisms
3.36. List of authorisations
3.37. Add authorisation form
3.38. Add user profile form
3.39. List of time frames
3.40. Add time frame form
3.41. Add LDAP authentication form
3.42. Add notification form
3.43. 'Password policy' page
3.44. 'Secondary password' page
3.45. 'Secondary password' page
3.46. 'Logon settings' page
3.47. Network configuration
3.48. Time service configuration
3.49. Configuring remote storage
3.50. Configuring syslog routing
3.51. Configuring the SNMP agent
3.52. SMTP service configuration
3.53. Managing the licence
3.54. 'Back-up/Restore' page


Chapter 1. Introduction
1.1. Preamble
Thank you for choosing Wallix AdminBastion, also called WAB. WAB is marketed either as a dedicated, ready-to-use server or as a virtual appliance for VMware ESX 4.x and 5.x environments. This product has been engineered with the greatest of care by our teams at Wallix and we trust that it will deliver complete satisfaction.

1.2. Copyright, Licences


This document is the property of Wallix and may not be reproduced without its prior consent. All the product or company names mentioned herein are the registered trademarks of their respective owners. Wallix AdminBastion is subject to the Wallix software licence contract. Wallix AdminBastion is based on free software. The list and source code of GPL and LGPL licenced software used by Wallix AdminBastion are available from Wallix. Please send your request by email to: [email protected] or in writing to:

Wallix Service Support
118, rue de Tocqueville
75017 Paris
France

1.3. Legend
prompt $ command to input
command output on one or more lines
prompt $

1.4. About this document


This is the Administration Guide for the Wallix AdminBastion 3.1. Use it to configure the WAB prior to roll-out, and also for its administration and operation day to day. Wallix provides dedicated guides covering the configuration and use of the WAB for the following functionalities:
- Administration console
- X509 authentication
- HA (High Availability)
In addition there are:
- a Quick Start Guide
- a User Guide


Chapter 2. Concepts
2.1. General information
WAB has been developed for the technical teams that administer IT infrastructure (servers, network and security devices, etc.). Designed to meet the access control and traceability needs of system administrators, Wallix AdminBastion features access control lists (ACLs) and traceability functions. It constitutes a security buffer for administrators who wish to log on to devices by:
- checking the authentication details provided by the user
- checking their access rights for the resource in question
The WAB also allows you to automate logons to target devices, which enhances the security of the information system by preventing disclosure of the servers' authentication details to the users.

Protocols currently supported are:
- SSH (and its sub-systems)
- Telnet, Rlogin
- RDP and VNC in the user domain
- HTTP and HTTPS

The WAB has a graphic Web interface, validated using Firefox 3, Internet Explorer 7 and Internet Explorer 8, to monitor activity and connections and to configure its component parts.

2.2. Positioning of the WAB in the network infrastructure


AdminBastion is positioned between a low trust domain and a high trust domain. The high trust domain is represented by the devices isolated by the AdminBastion. These devices and their related accounts are called 'target accounts' in WAB terminology. The low trust domain is represented by the population with direct access to the Bastion:
- the company's personnel
- the Internet zone
For users of the solution, access to the target accounts (high trust domain) is only possible through the WAB.


Figure 2.1. Wallix AdminBastion in the network infrastructure

2.3. The concept of WAB ACLs


Wallix AdminBastion features an advanced rights management engine to determine who has access to what, when and with which protocol(s). These ACLs consist of the following objects:
- users: the physical users of the AdminBastion
- user groups: sets of users
- devices: physical or virtualised devices to which access is requested via the AdminBastion
- target accounts: the accounts declared on a device
- target account groups: sets of target accounts
In the WAB, access to a target account by a user depends on an authorisation. Authorisations are declared between a group of users and a group of target accounts, which means that each target account must belong to a target account group and each user must belong to a user group; since authorisations are only ever declared between groups, a user or target account that belongs to no group cannot be granted any access. An authorisation allows users in group X to access target accounts in group Y, via protocols A, B or C. Further entities attached to these primary objects let you define:
- connection time frames
- the criticality of access to target resources
- whether the session is recorded or not
- the type of user authentication procedure
You can also define a number of different WAB administrator profiles, with rights limited, for example, to audit, adding users, system administration or authorisations.
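The following is an added example, not part of this guide and not Wallix code: a small Python model of the authorisation rules just described, used to check how a request (user, target account, protocol, time) resolves. It models only what the text states: users belong to user groups, target accounts belong to target account groups, and an authorisation links one user group to one target account group for a set of protocols, optionally within a time frame. The time-frame shape (allowed weekdays plus an hour range), the group names and the account names are assumptions made for the illustration, and the target naming "account@device:service" follows the form used by the WAB audit pages.

```python
"""Toy model of the WAB authorisation model from section 2.3 (added example, not Wallix code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class TimeFrame:
    """Assumed shape: allowed weekdays (0 = Monday) and a [start_hour, end_hour) range."""
    weekdays: FrozenSet[int]
    start_hour: int
    end_hour: int

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Authorisation:
    """User group X may reach target account group Y via these protocols."""
    user_group: str
    target_group: str
    protocols: FrozenSet[str]
    time_frame: Optional[TimeFrame] = None   # None means no time restriction


class RightsEngine:
    def __init__(self) -> None:
        self.user_groups: Dict[str, Set[str]] = {}     # user -> groups it belongs to
        self.target_groups: Dict[str, Set[str]] = {}   # account@device:service -> groups
        self.authorisations: List[Authorisation] = []

    def add_user(self, user: str, *groups: str) -> None:
        self.user_groups.setdefault(user, set()).update(groups)

    def add_target(self, target: str, *groups: str) -> None:
        self.target_groups.setdefault(target, set()).update(groups)

    def add_authorisation(self, auth: Authorisation) -> None:
        self.authorisations.append(auth)

    def check(self, user: str, target: str, protocol: str, when: datetime) -> Optional[Authorisation]:
        """Return the first authorisation granting the access, or None (deny by default).

        Authorisations are declared between groups only, so a user or a target
        account that belongs to no group can never match anything.
        """
        user_groups = self.user_groups.get(user, set())
        target_groups = self.target_groups.get(target, set())
        for auth in self.authorisations:
            if auth.user_group not in user_groups or auth.target_group not in target_groups:
                continue
            if protocol not in auth.protocols:
                continue
            if auth.time_frame is not None and not auth.time_frame.allows(when):
                continue
            return auth
        return None


OFFICE_HOURS = TimeFrame(weekdays=frozenset(range(0, 5)), start_hour=8, end_hour=19)


def build_demo() -> RightsEngine:
    """Constructed data (assumed names): two user groups, two target account groups."""
    eng = RightsEngine()
    eng.add_user("alice", "ops")
    eng.add_user("bob", "dba")
    eng.add_user("mallory")                      # declared, but member of no group
    eng.add_target("root@web01:ssh", "linux-prod")
    eng.add_target("sa@db01:rdp", "windows-db")
    eng.add_authorisation(Authorisation("ops", "linux-prod", frozenset({"SSH"}), OFFICE_HOURS))
    eng.add_authorisation(Authorisation("dba", "windows-db", frozenset({"RDP"})))
    return eng


def demo_verdicts() -> Dict[str, bool]:
    """Resolve the constructed cases; True means an authorisation matched."""
    eng = build_demo()
    monday_10 = datetime(2013, 3, 4, 10, 0)       # 2013-03-04 is a Monday
    cases = {
        "alice ssh web01 monday 10:00": ("alice", "root@web01:ssh", "SSH", monday_10),
        "alice rdp web01 monday 10:00": ("alice", "root@web01:ssh", "RDP", monday_10),
        "alice ssh web01 sunday 10:00": ("alice", "root@web01:ssh", "SSH", datetime(2013, 3, 3, 10, 0)),
        "alice ssh web01 monday 22:00": ("alice", "root@web01:ssh", "SSH", datetime(2013, 3, 4, 22, 0)),
        "mallory ssh web01 monday 10:00": ("mallory", "root@web01:ssh", "SSH", monday_10),
        "bob rdp db01 sunday 02:00": ("bob", "sa@db01:rdp", "RDP", datetime(2013, 3, 3, 2, 0)),
        "bob ssh web01 monday 10:00": ("bob", "root@web01:ssh", "SSH", monday_10),
    }
    return {label: eng.check(*args) is not None for label, args in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo_verdicts().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The model is deny-by-default: a request is only allowed when some authorisation matches on all three axes (group pair, protocol, time frame). That is the property to keep in mind when inventorying users and accounts for roll-out: anything left out of a group is unreachable, and anything placed in a group inherits every authorisation declared for that group.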

2.4. Roll-out
The WAB includes a set of import tools to facilitate roll-out. However, to ensure the WAB is commissioned successfully, we recommend inventorying:

- the roles of users who must have access to the target accounts
- the roles of users who must administer the target accounts
- the target devices and target accounts to be accessed through the WAB
You must be able to answer the following questions for each user:
- does this user have the right to administer the solution, and if so, which rights should be assigned to him or her?
- does this user need to access target accounts?
- when does the user have the right to log on?
- can s/he access critical resources?
You must be able to answer the following questions for each target account:
- is this target account or device critical?
- should user sessions on this account be recorded?
- what protocol(s) can be used to access this target account or device?


Chapter 3. Administration interface


3.1. Initial logon
To access the Web administration interface, enter the following URL into your browser:
https://wab_ip_address

Note:
Your browser must be configured to accept cookies and run JavaScript. The WAB comes with a factory-set 'admin' account as standard (password 'admin').

Figure 3.1. WAB logon screen


After you have logged on successfully, the following page is displayed.


Figure 3.2. WAB home page (administrator profile)


On this page you have:
- a header containing the language selection, the name of the user who is logged on and the logout link
- a footer with the copyright notice
- a side menu from which you can access all the WAB administration functions
- a working area
In the interests of security, we recommend changing the 'admin' password on first login (see Section 3.3, My preferences).

3.2. Menu tree structure


Each entry of the side menu and the function it gives access to:

My preferences: change user preferences
My authorisations: display a user's authorisations and shortcuts to access resources
WAB audit
   Current connections: list connections and log them out
   Connection history: list of closed connections
   Authentication history: primary authentication history
   Connection statistics: generate graphs of connection statistics
System audit
   System status: view system status
   System logs: content of the local file /var/log/syslog
   System authentications: content of the local file /var/log/auth.log
   Start-up messages: content of the local file /var/log/messages
Users
   Accounts: manage WAB users
   Groups: manage WAB user groups
   Import: import users (csv file and LDAP directory)
Devices & accounts
   Devices: manage target devices
   Accounts: manage target accounts
   Groups: manage target account groups
   Device admin authentication details: manage password changes
   Authentication mechanisms: define authentication systems
   Import: import target devices and accounts (csv file)
Authorisations
   Manage authorisations: manage authorisations between target account groups and user groups
   Import: import authorisations (csv file)
User profiles
   Manage user profiles: define user profiles
   Import: import user profiles (csv file)
WAB configuration
   Time frames: manage time frames
   External authentications: manage external authentication methods (LDAP/LDAPS, Active Directory, Kerberos, Radius)
   Notifications: manage the notification mechanism
   Password policy: manage the local password policy
   Secondary passwords: configure the policy for changing remote passwords
   Logon settings: settings for banners displayed when a user logs on to proxies
   X509 settings: configure revocation lists for the X509 certificate authentication option
System configuration
   Network: configure network settings
   Time service: time service settings (NTP)
   Remote storage: manage remote storage of session recordings
   Syslog: manage routing via Syslog
   SNMP: manage the SNMP agent
   SMTP server: configure the server for sending emails
   Licence: display and update licence key
   Encryption: start encryption protection
   Save/Restore: save and restore the WAB configuration


3.3. My preferences
This sub-menu contains the settings that can be changed by a user. All users have access to this page, regardless of their administration rights. Here users can:
- change their password (only if the user has been declared locally)
- download an SSH public key
- change their email address

Figure 3.3. 'My preferences' page

3.4. My authorisations
This menu displays the list of accessible devices. To access target accounts via RDP, click the icon to download the linked RDP file (to open the Microsoft RDP client directly). For access to HTTP/ HTTPS, an icon gives direct access to the resources via the Web user interface.


Figure 3.4. User's authorisations

3.5. WAB audit


3.5.1. Current connections
This page lists the active connections made via the WAB's SSH, RDP and HTTPS proxies. Sessions on the Web administration interface itself are not shown; for the HTTPS proxy, it is the user sessions passing through the WAB that are listed.

Note:
In the remainder of this Guide, the generic term connection will be used for SSH and RDP connections, and also for HTTPS sessions.

For each of these connections, the WAB shows the following information:
- the user, in the form user@machine(ip)
- the source protocol (RDP, SSH or HTTPS)
- the destination protocol
- the target accessed (in the form account@target:service)
- the connection start time
- the connection duration
You can also terminate one or more connections. In the case of the SSH and RDP proxies, users are then informed that an administrator has terminated the connection. In the case of HTTPS, the session is closed.

Figure 3.5. Close an SSH connection

Note:
The page displaying the current connections is refreshed regularly. To stop refresh, use the prompt at the top of the page. This feature is particularly useful when selecting the active connections to terminate.

3.5.2. View sessions in real time


A magnifying glass icon may appear next to items in the list of current connections. Click this icon to open a tab to view the RDP or SSH session in real time. Click a second time to close the tab.


Figure 3.6. View RDP sessions in real time

3.5.3. Connection history


This page shows the history of all connections made through the WAB. This view shows only the closed connections (see Section 3.5.1, Current connections for the current connections).


Figure 3.7. Connection history


Each record provides:
- the user name and source IP for the connection (i.e. name@ipsource)
- the target accessed (in the form account@target:service)
- the source protocol
- the destination protocol
- the connection start time
- the connection end time
- the connection duration
- the status

Note:
The connection status shows you whether there was a problem connecting to the target account (for example, wrong password, target resource not available, etc.).

Filters can also be applied to the records to facilitate searches. The filters available are:
- by time, based on the last N days or on a date range
- by occurrence of a value in the columns


Figure 3.8. Connection history filters

Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter is applied to these 1,000 records. Older sessions can only be retrieved through the date range filter.

3.5.4. View session recording


Three icons may appear next to items in the history report: a diskette, a text document and a magnifying glass, respectively.

Click the diskette icon to download an SSH session recording in unprocessed ttyrec format. To download the visible content of an SSH session in flat text format, click the text icon. The magnifying glass icon directs you to the page to view session recordings.

For an RDP session, the first page allows you to select the video quality level and whether or not to generate OCR data. If the OCR option is enabled, the titles of applications detected in the film by the OCR module are shown under the film. Click in this list or on the thumbnails to browse quickly through the film. The RDP page also contains a diskette icon, which you can use to download the entire film in the quality you selected for viewing.
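The raw ttyrec download is the artefact an investigator will usually want to process outside the WAB, so here is an added example, not part of this guide and not Wallix code, of reading it. ttyrec is a public format: every chunk is a 12-byte header of three 32-bit integers (seconds, microseconds, payload length, assumed little-endian as written by ttyrec on x86) followed by the payload. The code parses a recording, reconstructs the flat text the way the text icon does (terminal escape sequences removed), reports the session duration, and treats a truncated trailing chunk (a recording cut off while a session was still open) as an error unless told to drop it. The sample recording is constructed inline, not taken from a real WAB.

```python
"""Reader for ttyrec session recordings as served by the WAB (added example, not Wallix code)."""
import re
import struct

HEADER = struct.Struct("<III")       # tv_sec, tv_usec, payload length (little-endian assumed)
# CSI sequences (ESC [ ... final byte) and OSC sequences (ESC ] ... BEL)
ANSI_ESCAPE = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b\][^\x07]*\x07")


def build_ttyrec(chunks):
    """Serialise (seconds, microseconds, payload) tuples into a ttyrec blob."""
    return b"".join(HEADER.pack(sec, usec, len(data)) + data for sec, usec, data in chunks)


def parse_ttyrec(blob, strict=True):
    """Return a list of (timestamp_seconds, payload_bytes).

    A partial trailing chunk means the recording was cut off; in strict mode
    that raises ValueError, otherwise the partial chunk is dropped.
    """
    out, off = [], 0
    while off < len(blob):
        if off + HEADER.size <= len(blob):
            sec, usec, length = HEADER.unpack_from(blob, off)
            start, end = off + HEADER.size, off + HEADER.size + length
            if end <= len(blob):
                out.append((sec + usec / 1_000_000, blob[start:end]))
                off = end
                continue
        if strict:
            raise ValueError(f"truncated ttyrec chunk at offset {off}")
        break
    return out


def is_complete(blob):
    """True if every chunk in the recording is fully present."""
    try:
        parse_ttyrec(blob, strict=True)
        return True
    except ValueError:
        return False


def flat_text(blob, strict=True):
    """Visible content: payloads concatenated, terminal escapes removed, CRLF normalised."""
    raw = b"".join(payload for _, payload in parse_ttyrec(blob, strict))
    return ANSI_ESCAPE.sub(b"", raw).decode("utf-8", "replace").replace("\r\n", "\n")


def duration(blob):
    """Seconds between the first and the last chunk of the recording."""
    chunks = parse_ttyrec(blob)
    return chunks[-1][0] - chunks[0][0] if chunks else 0.0


# Constructed sample: a coloured prompt, a typed command, and its output 1.75 s later.
SAMPLE = build_ttyrec([
    (1000, 0,      b"\x1b[32muser@host\x1b[0m:~$ "),
    (1000, 500000, b"cat /etc/shadow\r\n"),
    (1002, 250000, b"cat: /etc/shadow: Permission denied\r\n"),
])


if __name__ == "__main__":
    first = parse_ttyrec(SAMPLE)[0][0]
    for ts, payload in parse_ttyrec(SAMPLE):           # timed replay, one line per chunk
        print(f"+{ts - first:6.3f}s {payload!r}")
    print("complete:", is_complete(SAMPLE), "truncated copy complete:", is_complete(SAMPLE[:-5]))
    print("duration:", duration(SAMPLE), "s")
    print(flat_text(SAMPLE), end="")
```

The timestamps are what make the raw ttyrec more useful than the flat text export: keystroke timing and long pauses before output survive in the recording, while the flat text only keeps what was displayed.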


Figure 3.9. View an RDP recording with OCR

3.5.5. Authentication history


This page lists the authentication attempts on the proxy's RDP and SSH interfaces (ports 3389 and 22, respectively). This section does not cover logins to the HTTPS proxy. Each record provides:
- the event date
- the user name provided (WAB user name)
- the source IP address
- the login result
- the result diagnostic
The login result can be 'SUCCESS' or 'FAILURE' depending on whether the authentication to the AdminBastion was successful or failed. More detail is provided in the Diagnostic column.


This page uses the same filters as the connection history. The same limitations on the number of results displayed also apply.

Figure 3.10. Authentication history
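The five fields of an authentication-history record are enough to spot password guessing aimed at the bastion itself, which is the one host every administrator credential passes through. The following is an added example, not part of this guide and not Wallix code: it runs two checks over a constructed export of the history. The column names (date, user, source_ip, result, diagnostic), the timestamp format and all addresses and user names are assumptions made for the illustration; the guide does not document the export layout, so map the columns to the real file before use.

```python
"""Two detections over a WAB authentication-history export (added example, not Wallix code)."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; column names and timestamp format are assumptions.
SAMPLE_CSV = """\
date,user,source_ip,result,diagnostic
2013-03-04 08:00:01,alice,10.0.0.5,FAILURE,Wrong password
2013-03-04 08:00:09,alice,10.0.0.5,SUCCESS,Local authentication
2013-03-04 09:12:10,root,192.0.2.77,FAILURE,Unknown user
2013-03-04 09:12:41,admin,192.0.2.77,FAILURE,Wrong password
2013-03-04 09:13:05,admin,192.0.2.77,FAILURE,Wrong password
2013-03-04 09:13:37,alice,192.0.2.77,FAILURE,Wrong password
2013-03-04 09:14:02,bob,192.0.2.77,FAILURE,Unknown user
2013-03-04 09:14:30,alice,192.0.2.77,FAILURE,Wrong password
2013-03-04 09:16:12,alice,192.0.2.77,SUCCESS,Local authentication
2013-03-04 10:05:00,bob,198.51.100.9,FAILURE,Wrong password
2013-03-04 12:40:00,bob,198.51.100.9,FAILURE,Wrong password
2013-03-04 15:20:00,bob,198.51.100.9,FAILURE,Wrong password
"""


def parse_rows(text):
    """Read the export and return rows sorted by time, each with a parsed 'ts' field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["date"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_bursts(rows, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP the first time it produces `threshold` FAILUREs inside `window`.

    A sliding window per IP: old failures are dropped as time moves on, so three
    failures spread over a day never trigger, while five in two minutes do.
    """
    recent = defaultdict(deque)      # ip -> deque of (timestamp, user) for recent failures
    flagged = {}
    for row in rows:
        if row["result"] != "FAILURE":
            continue
        ip, ts = row["source_ip"], row["ts"]
        queue = recent[ip]
        queue.append((ts, row["user"]))
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= threshold and ip not in flagged:
            flagged[ip] = {
                "first": queue[0][0], "last": ts, "count": len(queue),
                "users": sorted({user for _, user in queue}),
            }
    return flagged


def success_after_failures(rows, min_failures=3, lookback=timedelta(minutes=15)):
    """A SUCCESS from an IP that failed at least `min_failures` times in the preceding
    `lookback`: the guess that finally worked, which deserves a look at the session
    that followed it in the connection history."""
    failures = defaultdict(deque)    # ip -> timestamps of recent failures
    hits = []
    for row in rows:
        ip, ts = row["source_ip"], row["ts"]
        queue = failures[ip]
        while queue and ts - queue[0] > lookback:
            queue.popleft()
        if row["result"] == "FAILURE":
            queue.append(ts)
        elif row["result"] == "SUCCESS" and len(queue) >= min_failures:
            hits.append((ip, row["user"], ts, len(queue)))
    return hits


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for ip, info in find_bursts(rows).items():
        print(f"burst from {ip}: {info['count']} failures {info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}, users {info['users']}")
    for ip, user, ts, n in success_after_failures(rows):
        print(f"success as {user} from {ip} at {ts:%H:%M:%S} after {n} failures")
```

Both thresholds are starting points to tune against your own history: the burst check catches the noisy case, and the second check is the one worth paging on, since it names a WAB account whose password an attacker may now hold.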

3.5.6. Connection statistics

Figure 3.11. Connection statistics


This module provides statistical information on connections made through the WAB for a given period of time. This period may be a date range or a number of days before the current date. The statistical report displays:
- the number of secondary connections per device
- the number of secondary connections per target account
- the number of primary connections per user
- the number of secondary connections per user
- secondary connections by duration
- total secondary connection time per user
- secondary connections by date

All data in these statistical reports can be downloaded as a CSV file. Statistical reports can also be sent out on a regular basis (see Section 3.11.3, Notifications).

Figure 3.12. Sample statistical graph

3.6. System audit


The WAB system information is shown under this menu, i.e. the WAB:
- status
- logs

The 'System configuration' menu is used to configure the system (see Section 3.12, System configuration).

3.6.1. System status


This tab shows general system information, including:
- the number of current connections
- RAM usage rate
- SWAP usage rate
- available space on the /var partition (where the session recordings are saved)

Figure 3.13. System status

Note:
The RAM usage rate does not include system buffers.

3.6.2. System logs


You can view and save system logs from the Web user interface. The WAB displays three system logs:
- 'syslog' in the 'System logs' menu. This log shows the majority of messages on proxy operation or the use of the administration interface.
- 'auth.log' in the 'System authentication' menu. This log shows the direct connections to the WAB as a Unix server. Authentications on the administration interface or proxies are shown in 'syslog' and not in this log.
- the 'dmesg' system start log in the 'Start-up message' menu.

3.7. Users
Use this menu to create/import Wallix AdminBastion users/administrators. You can also configure the user groups to which the authorisations apply (see Section 3.9, Manage authorisations).

3.7.1. Accounts
Use this page to:
- list user accounts
- add/edit/delete a user account
- see the devices a user is authorised to access

You can also filter the table displayed. The filter is applied to all users (and not just the page currently displayed).

Figure 3.14. List of users


10 results are displayed per page by default. Use the navigation menu to browse through the pages and change the number of results displayed per page.

3.7.1.1. Add a user


From this page listing the users, click the 'Add user' icon to go to the Add user page.

The add user form consists of the following:
- the user name, used to log on to the Web user interface and proxies
- a name, used to identify the person to whom the user name belongs
- an email address
- a preferred language, used to select the language in which the messages sent to the user from the proxies are displayed
- a source IP address, used to limit access to the proxies to this IP address or FQDN (this limitation does not concern access to the WUI)
- a profile, used to define a user's rights (see Section 3.10, User profiles)
- a list of groups, used to select the groups in which to place the user. You can also add a user to a group in the add/edit page for a group (see Section 3.7.2, Groups (of users))
- an authentication procedure, which may be different for each user (see Section 3.11.2, External authentications). You can select several procedures to indicate the back-up servers for external authentications (LDAP, RADIUS, etc.)
- a field to force password change: users will receive a message notifying them that their account has been created and that the password must be changed the first time they log on (see also Section 3.12.6, SMTP)
- a password: there may be certain requirements regarding the passwords the system will accept (see Section 3.11.4, Password policy); it is not necessary to re-enter this password for authentication other than 'local'
- an SSH public key

Figure 3.15. Add user form

Note:
The user name cannot be changed after it has been added; however, the password and public key can be changed by the user.

3.7.1.2. Edit a user


From the page listing user accounts, click the user's name and then click the 'Change this user' icon to display the Edit user page. The fields in this Edit user page are the same as in the Add user page, with one exception: you cannot change the user name.

Note:
If the 'password' field is not changed, the user's password is not changed.

3.7.1.3. Delete a user


From the page listing the user accounts, check the box at the start of each line to select one or more accounts, then click to delete the list of users selected. The system displays a confirmation dialogue box before permanently deleting the item(s).

Figure 3.16. Delete users

3.7.1.4. Accounts accessible by a user


From the page listing the user accounts, click a name to display the list of devices this user can access. Each line shows an authorised access. For each line, the following information is available:
- target device
- target account
- target's actual address
- protocol(s) used to access this service
- related time frame

Figure 3.17. List of devices accessible by a user

3.7.2. Groups (of users)


Use this page to:
- list declared user groups
- add/edit/delete a group or groups
- see the members of each group

Figure 3.18. List of user groups

3.7.2.1. Add user group


From the page listing the user groups, click the 'Add group' icon to go to the Add group page.

The form to create a user group consists of the following:
- group name
- description: open text field
- time frame(s) to apply
- a list to select the users in the group
- a list of actions to apply when certain character strings are detected in the upward flow from proxies (see Section 4.6, SSH flows analysis / Pattern detection).

Note:
If several time frames are selected, the resulting time frame applied is the combination of these.

Warning:
Character string detection is only enabled for data sent by the client to the server and only for SSH, TELNET or RLOGIN connections.

Figure 3.19. Add user group form

3.7.2.2. Edit a user group


From the page listing the user groups, click the group's name and then click the 'Change this group' icon to display the Edit user group page. The fields in this Edit user group page are the same as in the Add user group page, with one exception: you cannot change the name of the user group.

3.7.2.3. Delete a user group or groups


From the page listing the user groups, check the box at the start of each line to select one or more groups, then click to delete the list of groups selected. The system displays a confirmation dialogue box before permanently deleting the item(s).

3.7.2.4. User group members


From the page listing the user groups, click a group's name to display the list of users in this group.

Figure 3.20. List of users in a group

3.7.3. Import (users)


You can import users from: a company directory (directories supported are: LDAP/LDAPS/AD), or a CSV file.

Figure 3.21. Import users page

3.7.3.1. Import user from CSV


A CSV file can be used to populate the WAB user database. The field separators can be configured. The file must start with a line containing the following tag:
#wab31

Warning:
If this tag is not present, the file format must follow WAB version 3.0 conventions (not described in this document). This keeps compatibility with files created for former versions of WAB.

Each subsequent line must be formed as follows:

Field           Type     R(equired)/O(ptional)  Possible values            Default value
User name       Text     R                      [aA-zZ], [0-9], '-', '_'   n/a
User group      Text     O                      [aA-zZ], [0-9], '-', '_'   n/a
Actual name     Text     O                      Free text                  n/a
Source IP       IP/FQDN  O                      [aA-zZ], [0-9], '-', '_'   n/a
Profile         Text     R                      Profiles defined           n/a
Authentication  Text     R                      Authentications defined    n/a
SSH public key  Text     O                      Free text                  n/a
Password        Text     R/O                    [aA-zZ], [0-9], '-', '_'   n/a

Note:
The password is required if the authentication is defined as 'local'.

Note:
If the user group doesn't exist, it is created with the default time frame set as 'allthetime'.

Example:
#wab31
martin;linuxadmins;Pierre Martin;;user;local;;jMpdu9/x2z

After you have imported the CSV file, a summary report similar to the example below is displayed.

Figure 3.22. Summary of user import from a CSV file

The report contains:
- the import date and time
- the total number of lines read in the file
- the number of lines compliant with the syntax
- the number of users actually created in the WAB's internal database
- the number of lines rejected

An error message is sent for each line rejected.
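
As an added illustration of the import rules above (this is an example written for this guide, not code from the product), the following Python script checks a '#wab31' user file the way the import report does: it verifies the tag line and the field count, the character set allowed for user names and groups, the rule that a password is required only for 'local' authentication, and it produces the counters the report shows. The profile names are the default profiles of Section 3.10.1; the 'ldap_corp' authentication name and every sample line after the guide's own 'martin' line are constructed assumptions. Password characters are not checked because the guide's own example password contains '/'.

```python
import csv
import io
import re

TAG = "#wab31"
# Character set the import table allows for names and groups: [aA-zZ], [0-9], '-', '_'
IDENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Column order of a user line, as in the table of section 3.7.3.1.
FIELDS = ["user_name", "user_group", "actual_name", "source_ip",
          "profile", "authentication", "ssh_public_key", "password"]

# Constructed catalogues standing in for what the WAB has declared. The profile
# names are the default profiles of section 3.10.1; 'ldap_corp' is an assumed
# external authentication name, not one from the guide.
KNOWN_PROFILES = {"user", "auditor", "WAB_Administrator",
                  "system_administrator", "disabled"}
KNOWN_AUTHS = {"local", "ldap_corp"}


def validate_user(rec):
    """Return None if the record is importable, else the reason for rejection."""
    if not rec["user_name"]:
        return "user name is required"
    if not IDENT_RE.match(rec["user_name"]):
        return "user name has characters outside [A-Za-z0-9_-]"
    # The group is optional; a group that does not exist yet is created at import time.
    if rec["user_group"] and not IDENT_RE.match(rec["user_group"]):
        return "user group has characters outside [A-Za-z0-9_-]"
    if rec["profile"] not in KNOWN_PROFILES:
        return "unknown profile %r" % rec["profile"]
    if rec["authentication"] not in KNOWN_AUTHS:
        return "unknown authentication %r" % rec["authentication"]
    # A password is required only when the user authenticates locally.
    if rec["authentication"] == "local" and not rec["password"]:
        return "password is required for 'local' authentication"
    return None


def parse_user_csv(text, sep=";"):
    """Split a '#wab31' user file into (accepted records, rejected (line, reason))."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != TAG:
        raise ValueError("first line must be the %s tag" % TAG)
    accepted, rejected = [], []
    reader = csv.reader(io.StringIO("\n".join(lines[1:])), delimiter=sep)
    # Line numbers are 1-based and count the tag line, like the import report.
    for line_no, row in enumerate(reader, start=2):
        if not row:
            continue
        if len(row) != len(FIELDS):
            rejected.append((line_no, "expected %d fields, got %d"
                             % (len(FIELDS), len(row))))
            continue
        rec = dict(zip(FIELDS, (v.strip() for v in row)))
        reason = validate_user(rec)
        if reason:
            rejected.append((line_no, reason))
        else:
            accepted.append(rec)
    return accepted, rejected


def import_report(text, sep=";"):
    """Counters the WAB report shows after a CSV import."""
    accepted, rejected = parse_user_csv(text, sep)
    data_lines = [l for l in text.splitlines()[1:] if l.strip()]
    return {"lines_read": len(data_lines),
            "users_created": len(accepted),
            "lines_rejected": len(rejected),
            "errors": rejected}


# Constructed sample file: the first data line is the guide's own example.
SAMPLE_USERS = """#wab31
martin;linuxadmins;Pierre Martin;;user;local;;jMpdu9/x2z
durand;linuxadmins;Marie Durand;10.0.0.5;auditor;ldap_corp;;
bad user;linuxadmins;Bad Name;;user;local;;x
nopass;linuxadmins;No Password;;user;local;;
"""

if __name__ == "__main__":
    for key, value in import_report(SAMPLE_USERS).items():
        print(key, value)
```

Running the script rejects line 4 (a space in the user name) and line 5 (a 'local' user without a password), while the 'durand' line passes with an empty password because it authenticates against an external directory.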

3.7.3.2. Import users from an LDAP/LDAPS/AD directory


User data stored in a remote directory can be used to populate the WAB's internal LDAP database. For each directory, you must know:
- the type of server, its address and connection port
- the unit of organisation
- the connection attribute, which is the user data that will be used for the WAB user name
- the user name and password if read access to the directory is restricted (mandatory for an AD)

Note:
The user name and password used to log on must have read rights for the path in which the user data is stored.

If the import is successful, the system opens a new page with the list of users extracted from the directory. Next, import each user and assign:
- a user group
- an authentication
- a user profile

Note:
If you want the imported users to be authenticated for the directory used for the import, you must first create the authentication method (see also Section 3.11.2.1, Add an external authentication).

Figure 3.23. Import users from a directory

3.8. Resources and accounts


You can use this menu to create/import devices and accounts that can be accessed from the AdminBastion and to define target account groups.

3.8.1. Devices
List all devices recorded. You can add/edit/delete new devices from this page.

Figure 3.24. List of target devices

3.8.1.1. Add a target device


From the page listing the devices, click the 'Add device' icon to go to the Add device page.

Figure 3.25. Add device form


The form to create a device consists of the following:
- the device name: this is the name users will use to access the device. It can be unrelated to the machine's DNS name.
- an alias: equivalent to the option to assign a second name to a device. For a HTTPS resource, the alias field can be used to specify an (other) host name for the resource. E.g.: if the resource 'www.monsite.com' is also known under the name 'www.monsite.org', it can be configured by putting the first name in the 'Resource' field and the second in the 'Alias' field.
- a network address (IP or FQDN)
- an SSH key fingerprint, which is automatically entered when a device is accessed in SSH
- a description
- the list of services that can be accessed on this device

The list of services consists of the following information:
- the service name: this is the name users will use to access the service. The name can be unrelated to the protocol name and the port number
- a protocol (the default port is given in parentheses)
- a list of sub-protocols supported, for SSH
- an authentication mechanism, used by HTTP(S), TELNET and RLOGIN

Enter the text input line and click the icon on the right to add this service. Click the icon on the right of a line to delete that service.

The authentication mechanism must be specified in the following cases:
- access to a device in TELNET: select a connection scenario you have previously defined (see also Section 4.7, TELNET connection scenario)
- access to a HTTP(S) device using HTTP authentication: select the HTTP(S)_BASIC or HTTP(S)_DIGEST mechanism according to the authentication mode required by the server
- access to a HTTP(S) device using HTML form authentication: select the predefined mechanism for your target application, if it is supported, or the generic HTTP_SIMPLE_FORM, if your application uses a simple form (containing only the Login and Password fields in static HTML).

3.8.1.2. Edit a target device


From the page listing the target devices, click the device name and then click the 'Change this device' icon to display the Edit target device page. The fields in this Edit target device page are the same as in the Add device page, with one exception: you cannot change the name of the device.

3.8.1.3. Delete a target device


From the page listing the target devices, check the box at the start of each line to select one or more devices, then click to delete the items selected. The system displays a confirmation dialogue box before permanently deleting the item(s).

Note:
You cannot delete a target device if there are target accounts declared on it.

3.8.2. Target accounts


From this page, you can list the declared devices, the services available on them and the target accounts declared on each. Click one of the "All accounts" links to display all the target accounts for the device, for all services.

Figure 3.26. List of all target accounts for a device


Click the name of a service for each device to display the list of accounts declared for the service. You can then add or edit one or more accounts. Click the account name to access the Edit target accounts page. Click "Add account" to go to the page to add target accounts.

Figure 3.27. List of target accounts for a service

3.8.2.1. Add a target account.


From the list of target accounts linked to a service, click "Add account" to display the Add target account form. The form consists of the following information:
- account name: this is the user name of the remote account
- a description
- a check box to enable or disable auto logon to the target device
- a check box to enable or disable automatic authentication transfer by the SSH agent
- a double field to enter and confirm the password
- a check box to enable or disable automatic password change

If "Auto logon" is unchecked, the AdminBastion user trying to access this account must know the password to sign in. It will not be possible to use the SCP and SFTP protocols with this account. For an account defined on a HTTP(S) resource, 'Auto logon' must be unchecked if not using authentication with this account.

If 'Automatic change' is checked, AdminBastion will apply the secondary password policy to this account (see Section 3.11.5, Secondary passwords). The admin credentials for the device must be entered for the AdminBastion to change the password (see Section 3.8.3, Device admin credentials).

Note:
See Chapter 5, Data encryption for the data encryption information for storing passwords.

Figure 3.28. Add target account form

3.8.2.2. Edit a target account


The information in this Edit target account form is the same as in the Add form, with one exception: you cannot change the name of the account. Click a declared account name to access this form.

3.8.2.3. Delete a target account


Click to delete one or more pre-selected target accounts.

3.8.3. Device admin credentials


From this page, click on the right of a device name to display the form to configure the administrator account credentials for account password changes on this device.

Figure 3.29. Device admin credentials


The content of the form depends on the type of system selected.

3.8.3.1. Admin credentials on a Linux/Unix device


The form consists of the following information:
- the device name
- the type of system: Linux/Unix
- the email addresses of recipients of the notification of password changes, which must have a GPG key configured in the WAB (see Section 3.11.5, Secondary passwords)
- the minimum length of the passwords generated by the WAB, to comply with the password policy on the target
- a check box to allow special characters in the generated passwords, to comply with the password policy on the target

Figure 3.30. Admin credentials on a Linux/Unix device

3.8.3.2. Admin credentials on a Windows device


The form consists of the following information:
- the device name
- the type of system: Windows
- the WAB target account used for the administrator logon: the account can be defined in any available service or equipment (see Section 3.8.2, Target accounts), but must have the required administrator rights on the target system
- the email addresses of recipients of the notification of password changes, which must have a GPG key configured in the WAB (see Section 3.11.5, Secondary passwords)
- the minimum length of the passwords generated by the WAB, to comply with the password policy on the target
- a check box to allow special characters in the generated passwords, to comply with the password policy on the target

Figure 3.31. Admin credentials on a Windows device

3.8.3.3. Admin credentials on a Cisco device


The form consists of the following information:
- the device name
- the type of system: Cisco
- the password to raise privilege levels
- the email addresses of recipients of the notification of password changes, which must have a GPG key configured in the WAB (see Section 3.11.5, Secondary passwords)
- the minimum length of the passwords generated by the WAB, to comply with the password policy on the target
- a check box to allow special characters in the generated passwords, to comply with the password policy on the target

Figure 3.32. Admin credentials on a Cisco device

3.8.4. Groups (of target accounts)


Use this page to:
- list declared target account groups
- add/edit/delete a group or groups
- see which target accounts are included in each group

Figure 3.33. List of target account groups

3.8.4.1. Add a target account group


From the page listing the target account groups, click the "Add group" icon to display the Add target account group form.

Figure 3.34. Add a target account group form


The form to add a target account group can be used to configure the following information:
- the target account group id
- a description of the group, if relevant
- the target accounts belonging to the group
- the devices on which account correspondence is authorised. In the case of account correspondence, a user can log on to the target device using their primary logon details. This is particularly useful when the user's account is declared on a company directory and the user has access rights to the target resource. The user's primary credentials are then replayed on the target device.
- a list of actions to apply when certain character strings are detected in the upward flow from proxies (similar to the list presented on the user groups page, see Section 4.6, SSH flows analysis / Pattern detection).

3.8.4.2. Edit a target account group


The information in this Edit target account group form is the same as in the Add form, with one exception: you cannot change the name of the group. Click a declared group name to access this form.

3.8.4.3. Delete a target account group


Click to delete one or more pre-selected target account groups.

Note:
You cannot delete a target account group if the account has active authorisations attached (see Section 3.9, Manage authorisations) and/or if there are target accounts attached to this group.

3.8.5. Authentication mechanisms


This page gives the list of all authentication mechanisms available in the WAB. The mechanisms available for HTTP and HTTPS protocols are preconfigured and cannot be deleted or changed. Mechanisms can be added, edited or deleted for the TELNET protocol.

Figure 3.35. Authentication mechanisms

3.8.5.1. Add an authentication mechanism for TELNET


From the page listing the authentication mechanisms, click the 'Add authentication mechanism' icon and select 'TELNET' from the dropdown list of associated generic protocols to display the Add authentication mechanism form for the TELNET protocol. Use this form to configure the following information:
- the authentication mechanism id
- a logon script (see Section 4.7, TELNET connection scenario)

3.8.5.2. Edit an authentication mechanism


The information in this Edit authentication mechanism form is the same as in the Add form, with one exception: you cannot change the name of the mechanism. Click a declared mechanism name to access this form.

3.8.5.3. Delete an authentication mechanism


Click to delete one or more pre-selected authentication mechanisms.

Note:
You cannot delete pre-configured authentication mechanisms.

3.8.6. Import (target devices and target accounts)


From this page, you can import devices and target accounts previously stored as a CSV file. The device and account descriptions are contained in two separate files, and each line obeys a specific format. Each line of these files describes a target device or target account.

Note:
The import takes place in two steps: first the devices are imported, and then the target accounts (the device linked to each target account must previously exist).

The file must start with a line containing the following tag:
#wab31

Warning:
If this tag is not present, the file format must follow WAB version 3.0 conventions (not described in this document). This keeps compatibility with files created for former versions of WAB.

The lines describing a device must comply with the following:

Field                              Type     R(equired)/O(ptional)  Possible values                  Default value
Device name                        Text     R                      [aA-zZ], [0-9], '-', '_'         n/a
Alias                              Text     O                      [aA-zZ], [0-9], '-', '_'         n/a
Description                        Text     O                      Free text                        n/a
Network address                    IP/FQDN  R                      [aA-zZ], [0-9], '-', '_'         n/a
Service/Protocol/Port/Subprotocol  Text     R                      NAME/PROTOCOL/N*/SUB-PROTOCOL*   n/a

In the service field, NAME is free text, PROTOCOL is a protocol name (see below), N* is an optional port number and SUB-PROTOCOL* is an optional sub-protocol name (see below).

PROTOCOL: one of the following values: SSH, TELNET, RLOGIN, RDP, VNC, HTTP, HTTPS.

SUB-PROTOCOL: for SSH, one of the following values: SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP, SSH_SCP_DOWN, SSH_X11_SESSION, SFTP_SESSION. If SUB-PROTOCOL is not specified, all the sub-protocols are added. The value for the other protocols is exactly the same as PROTOCOL and can be omitted.

The 'Service/Protocol/Port/Sub-Protocol' field may contain several values separated by a space.

Example:
#wab31
asterix;intranet;"Intranet server";192.168.0.10;ssh_22/ssh/22/ssh_shell_session
obelix;mail1;"Exchange server";192.168.0.11;telnet_23/telnet/23 rdp_1/rdp/3389

The lines describing a target account must comply with the following format:

Field         Type     R(equired)/O(ptional)  Possible values            Default value
Account name  Text     R                      [aA-zZ], [0-9], '-', '_'   n/a
Group name    Text     R                      [aA-zZ], [0-9], '-', '_'   n/a
Description   Text     O                      Free text                  n/a
Password      IP/FQDN  R                      [aA-zZ], [0-9], '-', '_'   n/a

Note:
At present, you cannot create target accounts with the 'secondary auto logon' function disabled.

Example:
#wab31
root@asterix;linux;"Root account";SecurePassword
adminlinux@asterix;linux;"Compte pour la connexion sans droits";plO@56zZ
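
The two-step import described in this section, as an added Python example (not the product's own importer): step 1 parses device lines and their space-separated NAME/PROTOCOL/N*/SUB-PROTOCOL* service specs, filling in every SSH sub-protocol when none is given; step 2 parses account lines and rejects any account whose device was not imported in step 1. Two things are assumptions rather than statements of the guide: that a service spec without a port falls back to the protocol's standard port, and that the account name takes the form account@device, inferred from the example lines. The sample data reuses the guide's example lines plus one constructed 'root@idefix' line for a device that was never declared.

```python
import csv
import io

TAG = "#wab31"
PROTOCOLS = {"SSH", "TELNET", "RLOGIN", "RDP", "VNC", "HTTP", "HTTPS"}
SSH_SUBPROTOCOLS = ["SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "SSH_SCP_UP",
                    "SSH_SCP_DOWN", "SSH_X11_SESSION", "SFTP_SESSION"]
# Assumption (not stated in the guide): a service spec without N* falls back
# to the protocol's standard port.
DEFAULT_PORTS = {"SSH": 22, "TELNET": 23, "RLOGIN": 513, "RDP": 3389,
                 "VNC": 5900, "HTTP": 80, "HTTPS": 443}


def parse_service(spec):
    """Parse one NAME/PROTOCOL/N*/SUB-PROTOCOL* token of the device file."""
    parts = spec.split("/")
    if not 2 <= len(parts) <= 4 or not parts[0]:
        raise ValueError("malformed service spec %r" % spec)
    name, proto = parts[0], parts[1].upper()
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol %r in %r" % (parts[1], spec))
    port = DEFAULT_PORTS[proto]
    if len(parts) >= 3 and parts[2]:
        port = int(parts[2])
    if proto == "SSH":
        # An omitted SSH sub-protocol means every sub-protocol is added.
        if len(parts) == 4 and parts[3]:
            subs = [parts[3].upper()]
            if subs[0] not in SSH_SUBPROTOCOLS:
                raise ValueError("unknown SSH sub-protocol %r" % parts[3])
        else:
            subs = list(SSH_SUBPROTOCOLS)
    else:
        subs = [proto]  # other protocols: the sub-protocol equals PROTOCOL
    return {"name": name, "protocol": proto, "port": port, "subprotocols": subs}


def _data_rows(text, sep=";"):
    """Yield the non-empty CSV rows after checking the '#wab31' tag line."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != TAG:
        raise ValueError("first line must be the %s tag" % TAG)
    reader = csv.reader(io.StringIO("\n".join(lines[1:])), delimiter=sep)
    return (row for row in reader if row)


def import_devices(text):
    """Step 1: name;alias;description;network address;services -> {name: device}."""
    devices = {}
    for row in _data_rows(text):
        if len(row) != 5:
            raise ValueError("device line needs 5 fields: %r" % row)
        name, alias, desc, addr, services = (v.strip() for v in row)
        devices[name] = {"alias": alias, "description": desc, "address": addr,
                         "services": [parse_service(s) for s in services.split()]}
    return devices


def import_accounts(text, devices):
    """Step 2: account@device;group;description;password. Accounts whose device
    was not imported in step 1 are rejected, as the note above requires."""
    accepted, rejected = [], []
    for row in _data_rows(text):
        if len(row) != 4:
            rejected.append((";".join(row), "account line needs 4 fields"))
            continue
        full, group, desc, password = (v.strip() for v in row)
        account, sep, device = full.partition("@")  # assumed account@device form
        if not sep or device not in devices:
            rejected.append((full, "unknown device %r" % device))
            continue
        accepted.append({"account": account, "device": device, "group": group,
                         "description": desc, "password": password})
    return accepted, rejected


# Constructed sample files; the data lines are the guide's own examples plus
# one account on a device that was never declared.
DEVICE_CSV = """#wab31
asterix;intranet;"Intranet server";192.168.0.10;ssh_22/ssh/22/ssh_shell_session
obelix;mail1;"Exchange server";192.168.0.11;telnet_23/telnet/23 rdp_1/rdp/3389
"""
ACCOUNT_CSV = """#wab31
root@asterix;linux;"Root account";SecurePassword
adminlinux@asterix;linux;"Compte pour la connexion sans droits";plO@56zZ
root@idefix;linux;"Device missing from step 1";x
"""

if __name__ == "__main__":
    devices = import_devices(DEVICE_CSV)
    accepted, rejected = import_accounts(ACCOUNT_CSV, devices)
    print(len(devices), "devices,", len(accepted), "accounts, rejected:", rejected)
```

Reversing the two steps would reject every account, which is exactly the failure the note warns about; keeping the device catalogue from step 1 as the input of step 2 makes the ordering explicit.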

3.9. Manage authorisations


The authorisations determine which target accounts and protocols users can use to access devices. Authorisations are applied to user groups linked to target account groups. All users in the same group inherit the same authorisations. Use this menu to list, add or delete authorisations.

Figure 3.36. List of authorisations

3.9.1. Add an authorisation


From the page listing the authorisations, click the icon to display the Add new authorisation form. An authorisation is a link created between a user group and a target account group. Therefore, the form contains the following information:
- the user group
- the target account group
- a description
- a list of authorised protocols
- a check box to indicate whether or not the sessions allowed by the authorisation are critical (a notification can be sent each time a critical device is accessed)
- a check box to enable or disable session recording. The type of recording depends on the protocol used to access the device.

Figure 3.37. Add authorisation form

Note:
The recording for RDP includes both video and automatic OCR of the applications run on the remote machine, by detecting title bars. Important note: the algorithm used to detect the title bar content is very fast to enable real-time execution, but also very sensitive to the configuration. It only works with 'Windows Standard' windows and a default font size of 96 DPI with a colour depth of 15 bits or more (15, 16, 24 or 32 bits; it does not work in 8-bit mode). In its current version, the OCR function will not work if the title bar style is changed, even to a style that is visually very similar, for example to 'Windows classic', or if the title bar colour, style, font size or resolution is changed. In addition, OCR is configured to detect only the title bars of applications that carry the three icons: close, minimise and maximise. If the title bar contains an icon, this will generally be replaced by question marks before the recognised text.

Use the form to select several protocols for a user group and a given target account group. This means you can create several authorisations between the two groups.

3.9.2. Delete an authorisation


Click to delete one or more pre-selected authorisations.

3.9.3. Import authorisations from CSV


A CSV file can be used to populate the WAB authorisation database. The field separators can be configured. The file must start with a line containing the following tag:
#wab31

Warning:
If this tag is not present, the file format must follow WAB version 3.0 conventions (not described in this document). This keeps compatibility with files created for former versions of WAB.

Each subsequent line must be formed as follows:

Field         Type  R(equired)/O(ptional)  Possible values                                       Default value
User Group    Text  R                      [aA-zZ], [0-9], '-', '_'                              n/a
Device Group  Text  R                      [aA-zZ], [0-9], '-', '_'                              n/a
Protocol      Text  R                      SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP,    n/a
                                           SSH_SCP_DOWN, SSH_X11_SESSION, TELNET, RLOGIN, RDP,
                                           VNC, HTTP, HTTPS

Example:
#wab31
group_users1;group_devices1;SSH_SHELL_SESSION

After you have imported the CSV file, a summary report is displayed.
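
The authorisation model of this chapter (a user group linked to a target account group for one protocol, with every member inheriting the link, plus the critical and recording check boxes of Section 3.9.1) and the CSV format of Section 3.9.3, as one added Python example that is not the product's own code. It parses an authorisation file, rejects lines whose protocol is not in the table above, and answers the question the proxy has to answer for a session: is this user allowed to reach this account with this protocol, and must the session be recorded or flagged as critical. Group memberships, the 'critical' flag on RDP, the rejected 'FTP' line and the account@device names are constructed assumptions; the first authorisation line is the guide's example.

```python
import csv
import io

TAG = "#wab31"
# Protocol values accepted in the authorisation file (section 3.9.3).
AUTH_PROTOCOLS = {"SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "SSH_SCP_UP",
                  "SSH_SCP_DOWN", "SSH_X11_SESSION", "TELNET", "RLOGIN",
                  "RDP", "VNC", "HTTP", "HTTPS"}


def parse_authorisation_csv(text, sep=";"):
    """user group;device group;protocol lines -> (accepted, rejected (line, reason))."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != TAG:
        raise ValueError("first line must be the %s tag" % TAG)
    accepted, rejected = [], []
    reader = csv.reader(io.StringIO("\n".join(lines[1:])), delimiter=sep)
    for line_no, row in enumerate(reader, start=2):
        if not row:
            continue
        if len(row) != 3:
            rejected.append((line_no, "expected 3 fields, got %d" % len(row)))
            continue
        user_group, target_group, proto = (v.strip() for v in row)
        if proto.upper() not in AUTH_PROTOCOLS:
            rejected.append((line_no, "unknown protocol %r" % proto))
            continue
        accepted.append({"user_group": user_group, "target_group": target_group,
                         "protocol": proto.upper()})
    return accepted, rejected


class AuthorisationModel:
    """Users belong to user groups, target accounts to target account groups;
    an authorisation links one group of each for one protocol."""

    def __init__(self):
        self.user_groups = {}    # group name -> set of user names
        self.target_groups = {}  # group name -> set of 'account@device'
        self.authorisations = []

    def add_user(self, user, group):
        self.user_groups.setdefault(group, set()).add(user)

    def add_target(self, account, group):
        self.target_groups.setdefault(group, set()).add(account)

    def add_authorisation(self, user_group, target_group, protocol,
                          critical=False, record=True):
        self.authorisations.append({
            "user_group": user_group, "target_group": target_group,
            "protocol": protocol.upper(), "critical": critical, "record": record})

    def matching(self, user, account, protocol):
        """Authorisations that let `user` reach `account` with `protocol`:
        every member of a group inherits the group's authorisations."""
        ugs = {g for g, members in self.user_groups.items() if user in members}
        tgs = {g for g, members in self.target_groups.items() if account in members}
        return [a for a in self.authorisations
                if a["user_group"] in ugs and a["target_group"] in tgs
                and a["protocol"] == protocol.upper()]

    def session_policy(self, user, account, protocol):
        """Decision for one session: allowed, record it, notify as critical."""
        hits = self.matching(user, account, protocol)
        return {"allowed": bool(hits),
                "record": any(a["record"] for a in hits),
                "critical": any(a["critical"] for a in hits)}


# Constructed data: the first authorisation line is the guide's example; the
# 'FTP' line is there to show a rejected protocol.
AUTHORISATION_CSV = """#wab31
group_users1;group_devices1;SSH_SHELL_SESSION
group_users1;group_devices1;RDP
group_users1;group_devices1;FTP
"""


def build_model():
    """Assumed memberships: martin is in group_users1, durand is not."""
    model = AuthorisationModel()
    model.add_user("martin", "group_users1")
    model.add_user("durand", "group_auditors")
    model.add_target("root@asterix", "group_devices1")
    model.add_target("admin@obelix", "group_devices1")
    accepted, _ = parse_authorisation_csv(AUTHORISATION_CSV)
    for a in accepted:
        # Assumed policy: RDP sessions on this group are flagged critical.
        model.add_authorisation(a["user_group"], a["target_group"], a["protocol"],
                                critical=(a["protocol"] == "RDP"))
    return model


if __name__ == "__main__":
    model = build_model()
    print(model.session_policy("martin", "root@asterix", "SSH_SHELL_SESSION"))
    print(model.session_policy("martin", "root@asterix", "SSH_SCP_UP"))
```

Because an authorisation is granted per sub-protocol, the SSH shell authorisation above does not let 'martin' use SCP on the same account: each protocol the group needs is a separate line in the file, as the section says.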

3.10. User profiles


You can list, add, edit or delete user profiles from this page. From the User profiles page, you can define the audit or administration authorisations for the solution.

The authorisation types match the menu on the left of the main interface.

3.10.1. Default profiles


The WAB is pre-configured with a number of default user profiles, which can be edited or changed just like any other profile. The default profiles are:
- 'user': no admin rights, but can access target devices
- 'auditor': can consult WAB audit data (see Section 3.5, WAB audit), but cannot access devices
- 'WAB_Administrator': has full admin rights and can connect to target devices
- 'system_administrator': can access the 'system configuration' tab, but does not have access to target devices
- 'disabled': profile with no rights.

Note:
The factory configuration assigns 'admin' the 'WAB_Administrator' profile.

3.10.2. Add a user profile


From the page listing the user profiles, click the icon to display the Add new profile form. This page consists of:
- a field for the profile id
- a series of check boxes to define the rights

There are two series of check boxes:
- graphic user interface functions
- proxy connectivity and limitations on use functions

There is a series of rights for each GUI function:
- none: no rights; the menu will not appear when the user logs on
- consult: the user can view objects created but cannot change them
- change: the user can view and change objects
- execute (only for back-up/restore): the user can start a system back-up or restore (see Section 3.13, Back-up/Restore)

Two other check boxes can be used to:
- enable/disable the connection to the target devices
- limit the use of certain admin rights for groups

The limitation on rights for groups allows you to add users or target accounts only to groups for which the profile is authorised.

Figure 3.38. Add user profile form

3.10.3. Edit a user profile


The information in this Edit user profile form is the same as in the Add form, with one exception: you cannot change the name of the user profile. Click a declared user profile name to access this form.

3.10.4. Delete a user profile


Click to delete one or more pre-selected user profiles.

3.11. WAB configuration


Use this menu to configure:
- user time frames
- authentication procedures for users
- notifications
- password policy (for registered WAB users)

3.11.1. Time frames


You can add, edit or delete time frames from this page.

The default WAB time frame is 'allthetime'. This time frame allows users to connect to target devices at any time and on any day. You cannot delete this time frame.

Figure 3.39. List of time frames

3.11.1.1. Add a time frame


From the page listing the time frames, click the icon to display the Add new time frame form. The Add new time frame form consists of the following:
- a field for the name of the time frame
- a description
- a check box to disable automatic disconnection at the end of the specified time frame
- a sub-form to add one or more periods

Each period is a calendar period during which users can log on:
- between certain dates
- on certain weekdays
- between certain times on every authorised day

Figure 3.40. Add time frame form

Note:
The time used is the WAB local time.

3.11.1.2. Edit a time frame


The information in this Edit time frame form is the same as in the Add form, with one exception: you cannot change the name of the time frame. Click the name of a declared time frame to access this form.

3.11.1.3. Delete a time frame.


Click to delete one or more pre-selected time frames.
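
The time frame semantics of this section (periods made of a date range, weekdays and a daily time window, evaluated in WAB local time, with the check box that disables disconnection at the end of the period) and the note in Section 3.7.2.1 that several time frames selected on a group combine, as an added Python example that is not the product's code. One assumption is made explicit: "combination" is read as the union, so logon is allowed whenever any selected frame allows it. The 'business_hours' and 'weekend_oncall' frames and the dates used are constructed.

```python
from datetime import date, datetime, time

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


class Period:
    """One calendar period of a time frame: a date range, a set of weekdays and
    a daily time window. All values are WAB local time, as the note above says."""

    def __init__(self, start_date=None, end_date=None, weekdays=None,
                 start_time=time(0, 0), end_time=time(23, 59, 59)):
        self.start_date = start_date
        self.end_date = end_date
        # None means every weekday is allowed.
        self.weekdays = None if weekdays is None else {WEEKDAYS[d] for d in weekdays}
        self.start_time = start_time
        self.end_time = end_time

    def contains(self, when):
        if self.start_date is not None and when.date() < self.start_date:
            return False
        if self.end_date is not None and when.date() > self.end_date:
            return False
        if self.weekdays is not None and when.weekday() not in self.weekdays:
            return False
        return self.start_time <= when.time() <= self.end_time


class TimeFrame:
    def __init__(self, name, periods, auto_disconnect=True):
        self.name = name
        self.periods = list(periods)
        # Mirrors the form's check box that disables disconnection at period end.
        self.auto_disconnect = auto_disconnect

    def allows(self, when):
        """A time frame allows logon when any of its periods contains `when`."""
        return any(p.contains(when) for p in self.periods)


# The default frame: any time, any day (the guide's non-deletable 'allthetime').
ALLTHETIME = TimeFrame("allthetime", [Period()])


def group_allows(frames, when):
    """Several time frames selected on a user group combine. Assumption used
    here: the combination is the union, so any allowing frame is enough."""
    return any(f.allows(when) for f in frames)


def must_cut_session(frame, when):
    """An open session is cut once `when` leaves the frame, unless the frame
    has automatic disconnection disabled."""
    return frame.auto_disconnect and not frame.allows(when)


# Constructed frames for the checks below.
BUSINESS_HOURS = TimeFrame("business_hours", [
    Period(start_date=date(2024, 1, 1), end_date=date(2024, 12, 31),
           weekdays=["mon", "tue", "wed", "thu", "fri"],
           start_time=time(8, 0), end_time=time(18, 0)),
])
WEEKEND_ONCALL = TimeFrame("weekend_oncall", [Period(weekdays=["sat", "sun"])],
                           auto_disconnect=False)

if __name__ == "__main__":
    for when in (datetime(2024, 3, 13, 10, 0), datetime(2024, 3, 16, 10, 0)):
        print(when, group_allows([BUSINESS_HOURS, WEEKEND_ONCALL], when))
```

A frame with automatic disconnection disabled still blocks new logons outside its periods; it only keeps sessions that are already open from being cut, which is the distinction the check box draws.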

3.11.2. External authentications


The WAB allows you to define external authentications. These authentication methods are used to authenticate a user on the WAB. 'Local' authentication is the default configured on the WAB, allowing users to log on using the product's internal data engine. You can list, add, edit or delete external authentication procedures from this page. The WAB supports the following authentication methods:
- LDAP/LDAPS
- Active Directory
- Kerberos
- Radius

3.11.2.1. Add an external authentication


From the page listing the external authentications, click the icon to display the Add new authentication form. The add form consists of the following fields:
- an authentication type: when you select the type, the fields required for authentication are displayed
- an authentication name
- a description
- a server address (IP or FQDN)
- a connection port

For LDAP/LDAPS authentications, enter the organisation unit and the connection attribute. The connection attribute must be the field where the WAB user's name is stored. You can also add a user name and a password, if anonymous access is disabled on the directory.

Note:
The user must have read rights for the DN base used. The connection attribute for LDAP-AD authentications is sAMAccountName. In addition, since you cannot access an Active Directory anonymously, a domain administrator account is required to create the authentication. For KERBEROS authentications, a domain name is required (REALM) For RADIUS authentications, the packet encryption key is required. For LDAP/AD authentications, the user name to specify must be the user's 'Distinguished Name' (or DN) (e.g.: cn=admin,dc=mycorp,dc=lan).


Figure 3.41. Add LDAP authentication form

3.11.2.2. Edit an external authentication


The information in this Edit external authentication form is the same as in the Add form, with one exception: you cannot change the name of the external authentication. Click the name of a declared external authentication to access this form.

3.11.2.3. Delete an external authentication


Click to delete one or more pre-selected external authentications.

3.11.3. Notifications
WAB allows you to define notifications. These notifications are triggered if one of the following events is detected:
- wrong primary authentication
- logon to a critical device
- new recording of an SSH server fingerprint
- bad SSH fingerprint detected
- RAID error
- failed secondary logon
- detection of an occurrence during analysis of an SSH flow
- licence error
- password expiry alerts
- available disk space alerts
- daily logs

3.11.3.1. Add a notification


From the page listing the notifications, click the icon to display the Add new notification form. The add form consists of the following fields:
- a name for the notification
- check boxes to enable notifications to be sent for the events listed above
- the sender's email address
- the recipient's email address


Figure 3.42. Add notification form

Note:
Go to 'System configuration'/SMTP to configure the mail settings (Section 3.12.6, SMTP).

3.11.3.2. Edit a notification


The information in the Edit notification form is the same as in the Add form, with one exception: you cannot change the name of the notification. Click the name of a declared notification to access this form.

3.11.3.3. Delete a notification


Click to delete one or more pre-selected notifications.


3.11.4. Password policy


The password policy establishes a set of rules for storing local passwords. By default, the minimum password length is six characters, the last four passwords used cannot be reused, and the password cannot be similar to the user name. A list of prohibited trivial passwords is also inserted by default. On this page, you can also configure the password expiration time. The form consists of the following fields:
- the password validity period in days. After this time, an administrator must define new credentials and users may no longer log on using their existing password. We recommend configuring this setting for a period of less than one year.
- the time before the first password expiration warning in days, advising users that their password will soon expire
- the minimum password length. This must be greater than the sum of the other password length constraints.
- the minimum number of upper case characters in the password. We recommend at least 2.
- the minimum number of figures in the password. We recommend at least 2.
- the minimum number of special characters in the password. We recommend at least 2.
- the number of previous passwords that cannot be reused. We recommend at least 5.
- a check box to allow or prohibit passwords similar to the user name. We recommend not allowing it.
- a file to define a list of prohibited passwords

Note:
The list of prohibited passwords must be in a file in UTF-8 format
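To make the rules above concrete, here is an added Python example (not WAB code, and not how the WAB implements its checks internally) that evaluates a candidate password against a policy built from the same fields: minimum length, minimum counts of upper case letters, digits and special characters, the reuse history, similarity to the user name, and a UTF-8 prohibited-password file. The field names, the "one string contains the other" similarity rule and the sample prohibited list are assumptions.

```python
import string
from dataclasses import dataclass, field
from typing import List


@dataclass
class PasswordPolicy:
    """Local password rules, with the WAB defaults described above (assumed field names)."""
    min_length: int = 6
    min_upper: int = 0
    min_digits: int = 0
    min_special: int = 0
    history_size: int = 4                  # previous passwords that cannot be reused
    allow_similar_to_username: bool = False
    prohibited: List[str] = field(default_factory=list)

    def __post_init__(self):
        # The guide requires the minimum length to exceed the sum of the other length constraints.
        if self.min_length <= self.min_upper + self.min_digits + self.min_special:
            raise ValueError("min_length must be greater than min_upper + min_digits + min_special")


def load_prohibited_list(path):
    """Read the prohibited-password file: one password per line, UTF-8 as the guide requires."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def similar_to_username(password, username):
    """Assumed similarity rule: one string contains the other, ignoring case."""
    p, u = password.lower(), username.lower()
    return bool(u) and (u in p or p in u)


def check_password(policy, username, password, history=()):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append("not enough upper case characters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append("not enough digits")
    if sum(c in string.punctuation for c in password) < policy.min_special:
        problems.append("not enough special characters")
    # Only the last `history_size` passwords count; a size of 0 disables the check.
    recent = list(history)[-policy.history_size:] if policy.history_size > 0 else []
    if password in recent:
        problems.append("reused")
    if not policy.allow_similar_to_username and similar_to_username(password, username):
        problems.append("similar to user name")
    if password.lower() in {p.lower() for p in policy.prohibited}:
        problems.append("prohibited")
    return problems


# A policy following the recommendations on the page; the prohibited list is constructed.
RECOMMENDED = PasswordPolicy(min_length=10, min_upper=2, min_digits=2, min_special=2,
                             history_size=5, prohibited=["password", "123456", "qwerty"])

if __name__ == "__main__":
    print(check_password(RECOMMENDED, "alice", "Alice2024!!"))
```

The function returns every violated rule rather than stopping at the first one, which is what an administrator wants to show a user who has just been refused a password.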


Figure 3.43. 'Password policy' page

3.11.5. Secondary passwords


With the WAB, you can change passwords to target accounts on Windows and UNIX devices remotely.

Warning:
The following systems are supported by the password change procedures:
- Local accounts on UNIX systems managed by the passwd command.
- Local accounts on Windows server machines: Windows Server 2003 and Windows Server 2008.
- Active Directory accounts.

There are three steps to configuring the procedure for changing the passwords to target accounts:


Figure 3.44. 'Secondary password' page


1. Go to WAB Configuration > Secondary password policy (see Figure 3.44, 'Secondary password' page):
   - Define the frequency for triggering changes: times, daily, weekly, monthly, or disable.
   - Download the GPG/PGP public keys of the administrators who will receive the new passwords in encrypted emails. Only the GPG/PGP public keys used to define the administrators' credentials will be displayed in the panel "GPG public key(s) used to send passwords".

2. Go to Devices & Accounts > Device Admin Credentials > and click the key for each device (see Figure 3.29, Device admin credentials):
   a. For a Windows device:
      - Enter the WAB account for the domain administrator (for the domain accounts and the local accounts) or the local administrator (for local accounts). The WAB account is in the form 'wab_account_name@wab_resource_name'.

      Note:
      The domain administrator account must match an existing WAB account, otherwise the system returns an error and the credentials are not saved.

      - The administrator's password (local or on the DA).
   b. For a Cisco device: Enter the password to elevate privilege levels.
   c. For all devices (Linux/Unix, Windows and Cisco):
      - Input the email addresses for the recipients of the new passwords generated (their GPG/PGP keys must have been previously imported).
      - The minimum length of the passwords generated.
      - Check the box to enable special characters in the passwords generated, according to the password strength policy for the device.

3. Enable password change for each account on each device (see Figure 3.45, 'Secondary password' page): Go to Devices & Accounts > Accounts > and click the device > then click the key for each account. Check the box to enable automatic password change for this account. If automatic password change is not enabled, you can enter a password manually.

Each time a password is changed, an email will be sent to the recipients configured in the system indicating whether the new password was successfully changed (encrypted email), or if the attempt failed, specifying the reason for the failure.

Warning:
- On Windows machines belonging to a domain, it is essential to correctly configure the domain controller's IP address for the password change process to function successfully.
- If the SMTP server is not configured, the passwords will not be changed.
- If a GPG/PGP key is missing from the list of recipients, the passwords will not be changed.
- For password changes on UNIX machines, the WAB must always have the passwords for the accounts to manage. Passwords must never be changed without entering them in the WAB; otherwise the changes will not be made.


Figure 3.45. 'Secondary password' page

3.11.6. Logon settings


Here you can configure the default language used to display user messages.


Figure 3.46. 'Logon settings' page


These messages can also be changed by the administrator.

3.12. System configuration


Use this menu to enter the AdminBastion system configuration information.

3.12.1. Network
This page displays the device's network information. You can change:
- the host name
- the domain name
- the gateway
- the configuration of network interfaces
You can add:
- routes
- entries in the 'hosts' file
- DNS servers


Figure 3.47. Network configuration

Warning:
Before changing the WAB IP address used to communicate with the file server providing remote storage, we recommend disabling remote storage and re-enabling it after you have changed the address. See Section 3.12.3, Remote storage.

3.12.2. Time service


Use this page to configure the time service. This is especially important, because:
- the WAB's date and time must be synchronised with the Kerberos authentication servers.
- the WAB is the time reference for audit information escalated and for management of time frames.
By default, the time service is enabled and synchronised with the Debian project time servers.


Figure 3.48. Time service configuration

3.12.3. Remote storage


From this page you can move video recordings to an external file system.

Important note: if recordings have already been made on a WAB, enabling remote storage will hide old sessions (they will become visible again when remote storage is disabled).

The file systems supported are CIFS and NFS. For each of these systems you must specify:
- the IP address or FQDN of the file server,
- the port number of the remote service,
- the remote directory in which the recordings will be stored.
You must also specify for CIFS:
- the user name to log on to the remote service,
- the password.
The 'Mount' button mounts the file system. A status icon shows you whether the file system is mounted.


Figure 3.49. Configuring remote storage

3.12.4. Syslog
From this page you can configure the routing of syslogs to another network device. The logs will be sent to the selected IP address, port and protocol. They are also stored on the local file system, so that they are always available in read access through the System audit tab.


Figure 3.50. Configuring syslog routing

3.12.5. SNMP
WAB includes an embedded SNMP agent with the following properties:
- Protocol version supported: 2c
- MIB implemented: MIB 2
- no alert mechanisms (traps) or notifications
- no ACL on the source IP address
- SNMP commands available: 'get', 'getbulk'
The factory configuration is:
- sysName: WAB v2
- sysContact: root@yourdomain
- sysLocation: yourlocation
- community: empty by default; the community name used to connect to the WAB
By default, the agent is disabled.


Figure 3.51. Configuring the SNMP agent

Note:
The SNMP agent can only be enabled via the Web user interface.

Examples of use:
$ snmpget -v2c -c WALLIXdefault 192.168.0.5 system.sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: "Wallix AdminBastion Version 3.1"
$ snmpget -v2c -c WALLIXdefault 192.168.0.5 system.sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (65833) 0:10:58.33
$ snmpget -v2c -c WALLIXdefault 192.168.0.5 IF-MIB::ifHCOutOctets.1
IF-MIB::ifHCOutOctets.1 = Counter64: 255823831

3.12.6. SMTP
You can use this entry to configure (or change the configuration of) the mail server for sending notifications. Enter the following information:
- server name
- server port (default: 25)
- sender's name (default: wab)
- a user name and password, if required
To test the settings, enter one or more destination addresses in a free text field and click 'TEST'.

Figure 3.52. SMTP service configuration

3.12.7. Licence
From this page you can display the licence information and modify the licence key. Use of the WAB is controlled by this licence key. The licence mechanism checks:
- the number of target devices that can be declared
- the maximum number of simultaneous unique primary connections
- the maximum number of simultaneous secondary connections
- the licence expiration date
The licence key contains the elements included in the sales contract and is provided by Wallix. It is entered in the WAB by the client via the Web user interface. To obtain a licence, the device serial number and all network card MAC addresses must be sent to Wallix. The licence key can also be managed from the command line (root menu). To display the licence information:
wab2:~# WABGetLicence

To enter a new licence number:
wab2:~# WABSetLicence <new licence number>

To delete the old licence key:
wab2:~# WABDropLicence

Figure 3.53. Managing the licence

3.13. Back-up/Restore
From this page you can back up or restore a copy of the WAB configuration. Each back-up is encrypted using a 16-character key. You must know the back-up key before restoring it.

Warning:
- only back-ups created with WAB version 3.1 can be restored.
- this back-up/restore function does not save audit data; all data changed or added after a back-up will be lost if the back-up is restored.
- the administrator will be logged off. S/he must log on again with one of the accounts included in the back-up, which might be different from those in the system before the back-up/restore was performed.
- if a back-up is restored on a machine other than the one used to generate the backup, the encrypted data present before the restore may become indecipherable.


Figure 3.54. 'Back-up/Restore' page


Chapter 4. Operation
4.1. Using the command line to connect to the WAB
An SSH daemon listening on port 2242 allows you to connect to an administration shell. The default credentials are:
- User name: wabadmin
- Password: SecureWabAdmin
This user is in the list of 'sudoers'. You can use the 'sudo' command to access the root menu using the same password. Once in root, you can use a set of scripts to manage the day-to-day operation of the WAB.

Note:
We strongly recommend changing the wabadmin account password on first connection.

4.2. Exporting audit data


You can use the WABSessionLogExport script to export audit data (see Section 3.5.3, Connection history).
wab2:~# /opt/wab/bin/WABSessionLogExport -h
Usage: WABSessionLogExport [options]

Options:
  -h, --help            show this help message and exit
  -s START_DATE, --start_date=START_DATE
                        Should be like this: YYYY-MM-DD
  -e END_DATE, --end_date=END_DATE
                        Should be like this: YYYY-MM-DD

Use this command to create a zip file, saved in /var/wab/recorded/export_sessions, containing for the period defined:
- all SSH and RDP sessions
- a CSV file containing the export of the data viewed in the connection history

4.3. Back-up/Restore from the command line


You can perform back-up and restore actions (see Section 3.13, Back-up/Restore) using the scripts wallix-config-backup.py and wallix-config-restore.py.
wab2:~# /usr/bin/wallix-config-backup.py -h
Usage: wallix-config-backup.py [options]

Options:
  -h, --help            show this help message and exit
  -d DIRECTORY, --directory=DIRECTORY
                        Directory where you want to store your backup.
  -s, --sdcard          Set this option to store the Backup in the sdcard.
  -a, --aes             Set this option force use of AES256 instead of Gpg
                        symmetric cipher.
  -b, --blowfish        Set this option force use of Blowfish instead of Gpg
                        symmetric cipher.

DIRECTORY is the directory path in which the back-up file will be created. Option -s can be used to create a copy on an external drive (sdcard or USB). Options -a and -b should not normally be used. Without these options, the file is GPG encrypted.
wab2:~# /usr/bin/wallix-config-restore.py -h
Usage: wallix-config-restore.py [options]

Options:
  -h, --help            show this help message and exit
  -f FILENAME, --file=FILENAME
                        Provide full path of Backup file (.wbk).
  -s, --sdcard          Enter in interactive mode to select file on SDcard.
  -a, --aes             Set this option force use of AES256 instead of Gpg
                        symmetric cipher.
  -b, --blowfish        Set this option force use of Blowfish instead of Gpg
                        symmetric cipher.

FILENAME is the back-up file path. Option -s can be used to restore from the external drive (sdcard or USB). Options -a and -b should not normally be used. Without these options, the file is GPG decrypted.

4.4. Configuring automatic back-up


The WAB performs an automatic back-up configured in a cron task. By default, this is performed every day at 18:50 and the files are stored in the directory /var/wab/backups. You can change the time and frequency of the back-ups in /etc/cron.d/wabcore by changing the line that runs the WABExcuteBackup command. The fields are crontab fields, namely MINUTE, HOUR, DAY_OF_MONTH, MONTH and DAY_OF_WEEK. The values permitted in each field are:
- MINUTE: 0 - 59
- HOUR: 0 - 23
- DAY_OF_MONTH: 1 - 31
- MONTH: 1 - 12
- DAY_OF_WEEK: 0 - 7 (0 or 7 for Sunday)
Each field can also have an asterisk '*' corresponding to all possible values. Lists are also permitted, with the values separated by commas, and intervals, with the range separated by a hyphen, e.g. '1,2,5-9,12-15,21'. You can also change the path and the value of the key used by editing the file /opt/wab/bin/WABExcuteBackup and changing the DIR and KEY values at the start of the file.
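The crontab rules above are the standard cron ones, so a schedule can be checked before it is written to /etc/cron.d/wabcore. The added Python example below (not a WAB script) validates the five time fields of a line such as the WABExcuteBackup entry, expands lists, ranges and '*' into value sets, treats 7 as Sunday, and reports whether the schedule fires at a given moment. It follows the standard cron convention, assumed here, that a restricted DAY_OF_MONTH and a restricted DAY_OF_WEEK are combined with OR; the default schedule "50 18 * * *" comes from the text, the other schedules are constructed.

```python
import re
from datetime import datetime

# Permitted values per crontab field, in the order the fields appear on the line.
FIELD_RANGES = [
    ("MINUTE", 0, 59),
    ("HOUR", 0, 23),
    ("DAY_OF_MONTH", 1, 31),
    ("MONTH", 1, 12),
    ("DAY_OF_WEEK", 0, 7),   # 0 and 7 both mean Sunday
]


def parse_field(spec, low, high):
    """Expand one field ('*', a value, a comma list, a hyphen range, or a mix) into a set of ints."""
    if spec == "*":
        return set(range(low, high + 1))
    values = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"malformed crontab element {part!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) is not None else start
        if not low <= start <= end <= high:
            raise ValueError(f"{part!r} is outside the permitted range {low}-{high}")
        values.update(range(start, end + 1))
    return values


def parse_schedule(line):
    """Validate the five time fields of a crontab line and return them as sets."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError("expected exactly five fields: MINUTE HOUR DAY_OF_MONTH MONTH DAY_OF_WEEK")
    sched = {}
    for (name, low, high), spec in zip(FIELD_RANGES, fields):
        sched[name] = parse_field(spec, low, high)
    # cron accepts both 0 and 7 for Sunday; normalise to 0
    if 7 in sched["DAY_OF_WEEK"]:
        sched["DAY_OF_WEEK"].discard(7)
        sched["DAY_OF_WEEK"].add(0)
    # Standard cron rule (assumed): when both day fields are restricted, either one matching suffices.
    sched["_dom_star"] = fields[2] == "*"
    sched["_dow_star"] = fields[4] == "*"
    return sched


def matches(sched, when):
    """True if the schedule fires at the given datetime (minute resolution)."""
    cron_dow = (when.weekday() + 1) % 7          # Python Monday=0 -> cron Sunday=0
    dom_ok = when.day in sched["DAY_OF_MONTH"]
    dow_ok = cron_dow in sched["DAY_OF_WEEK"]
    if sched["_dom_star"] or sched["_dow_star"]:
        day_ok = dom_ok and dow_ok
    else:
        day_ok = dom_ok or dow_ok
    return (when.minute in sched["MINUTE"] and when.hour in sched["HOUR"]
            and when.month in sched["MONTH"] and day_ok)


def fires_at(line, year, month, day, hour, minute):
    """Convenience wrapper: does the crontab line fire at the given moment?"""
    return matches(parse_schedule(line), datetime(year, month, day, hour, minute))


def is_valid_schedule(line):
    """True if the line parses under the rules above, False otherwise."""
    try:
        parse_schedule(line)
        return True
    except ValueError:
        return False


# Default WAB back-up schedule from the guide: every day at 18:50.
DEFAULT_BACKUP_SCHEDULE = "50 18 * * *"

if __name__ == "__main__":
    print(fires_at(DEFAULT_BACKUP_SCHEDULE, 2024, 1, 15, 18, 50))
```

Validating the line before editing the cron file matters here because a malformed entry silently disables the automatic back-up rather than producing an error in the Web interface.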


4.5. Rights engine: operating limitations


The rights engine supplied implies a number of operating limitations. Thus:
- you cannot delete a user group if users belong to this group
- you cannot delete an authentication if at least one user has this authentication
- you cannot delete a user profile if at least one user is linked to this profile
- you cannot delete a time frame if it is linked to a user group
- you cannot delete a user group if authorisations involve this user group
- you cannot delete a device if target accounts are attached to this device
- you cannot delete target account groups if the group is not empty

4.6. SSH flows analysis / Pattern detection


When creating/editing groups, you can enable/disable pattern detection in SSH upward flows (the data analysed are the data input by the user). The list of patterns applied is the sum of those present in the user group and the target account group. The linked action is the most restrictive (if the action 'KILL' is in one of the groups, then this action will be selected). Patterns must be entered in the form of regular expressions, with one expression per line. E.g.: to ensure files are not deleted, the expressions to enter are:
unlink\s+.*
rm\s+.*
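As an added illustration (example code, not the WAB's analysis engine), the following Python merges the pattern lists of a user group and a target account group, keeps the most restrictive action, and runs the resulting regular expressions over lines typed in a session. Only 'KILL' is named on the page; the less restrictive action 'NOTIFY', the group dictionaries and the sample keystrokes are constructed.

```python
import re

# Action severity, with KILL the most restrictive.  The guide names only KILL;
# "NOTIFY" is an assumed name for a less restrictive action.
ACTION_RANK = {"NOTIFY": 1, "KILL": 2}


def merge_pattern_groups(user_group, target_group):
    """Combine the patterns of a user group and a target account group.

    The applied pattern list is the union of both groups' patterns and the
    applied action is the most restrictive of the two, as described above.
    """
    patterns = sorted(set(user_group["patterns"]) | set(target_group["patterns"]))
    action = max(user_group["action"], target_group["action"], key=ACTION_RANK.__getitem__)
    return [re.compile(p) for p in patterns], action


def analyse_upward_flow(compiled, action, typed_lines):
    """Run every pattern over each line typed by the user (the upward flow).

    Returns one (line, pattern, action) tuple per matching line.  Patterns are
    checked with re.search, so the rm pattern also fires inside a longer
    command such as one prefixed with sudo; anchor a pattern with ^ if only a
    leading command should count.
    """
    hits = []
    for line in typed_lines:
        for rx in compiled:
            if rx.search(line):
                hits.append((line, rx.pattern, action))
                break      # one report per line is enough
    return hits


# Constructed sample configuration and keystroke log.
USER_GROUP = {"patterns": [r"rm\s+.*"], "action": "NOTIFY"}
TARGET_GROUP = {"patterns": [r"unlink\s+.*", r"rm\s+.*"], "action": "KILL"}
TYPED = ["ls -la /var/log", "sudo rm -rf /var/log/old", "unlink  /tmp/lock", "cat README"]

if __name__ == "__main__":
    compiled, action = merge_pattern_groups(USER_GROUP, TARGET_GROUP)
    for hit in analyse_upward_flow(compiled, action, TYPED):
        print(hit)
```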

4.7. TELNET connection scenario


You can declare a connection scenario when creating a target device (see Section 3.8.1.2, Edit a target device). This scenario can be used to interpret commands sent by an interactive shell and to automate logon. It is a pseudo language and the syntax includes the following:
- SEND: send a character string
- EXPECT: expect to receive a character string in the next 10 seconds
- (?i): ignore the case
- $login: send a user name
- $password: send a password
The following scenario (tested on a 3Com Superstack switch accessible via Telnet):
SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n

is interpreted as follows:

- send a carriage return
- expect to receive the 'login' string (ignoring the case)
- send the user name followed by a carriage return
- expect to receive the 'password' string (ignoring the case)
- send the password followed by a carriage return
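The following added Python example (not Wallix code) interprets the five-line scenario above against a simulated switch, so the step-by-step behaviour can be checked without a network: SEND expands escapes such as \r\n and substitutes $login and $password, EXPECT compiles its argument as a regular expression (so (?i) gives case-insensitivity) and waits up to 10 seconds for a match. The simulated prompts and credentials are constructed, and the order of escape expansion before credential substitution is a design choice of this example, not documented WAB behaviour.

```python
import re
import time


class FakeTelnetDevice:
    """Constructed stand-in for the switch: each write releases the next canned response."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.sent = []            # everything the scenario transmitted, in order
        self._buffer = ""

    def write(self, data):
        self.sent.append(data)
        if self.responses:
            self._buffer += self.responses.pop(0)

    def read_available(self):
        data, self._buffer = self._buffer, ""
        return data


def parse_scenario(text):
    """Split the scenario into (keyword, argument) steps; keywords are SEND and EXPECT."""
    steps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, sep, argument = line.partition(":")
        if not sep or keyword not in ("SEND", "EXPECT"):
            raise ValueError(f"unknown scenario line: {raw!r}")
        steps.append((keyword, argument))
    return steps


def render_send(argument, credentials):
    """Expand escapes (e.g. a literal backslash-r backslash-n), then substitute $login/$password.

    Escapes are expanded before substitution so that a password containing a
    backslash is transmitted literally rather than being reinterpreted.
    """
    text = argument.encode("latin-1").decode("unicode_escape")
    return text.replace("$login", credentials["login"]).replace("$password", credentials["password"])


def run_scenario(steps, device, credentials, timeout=10.0):
    """Play the steps against the device; each EXPECT waits up to `timeout` seconds."""
    pending = ""
    for keyword, argument in steps:
        if keyword == "SEND":
            device.write(render_send(argument, credentials))
            continue
        pattern = re.compile(argument)       # "(?i)" inside the argument makes it case-insensitive
        deadline = time.monotonic() + timeout
        while True:
            pending += device.read_available()
            match = pattern.search(pending)
            if match:
                pending = pending[match.end():]   # keep anything received after the prompt
                break
            if time.monotonic() >= deadline:
                raise TimeoutError(f"expected {argument!r} but it did not arrive within {timeout}s")
            time.sleep(0.01)
    return device.sent


def scenario_succeeds(text, responses, credentials, timeout=10.0):
    """True if the scenario runs to completion against a device with the given responses."""
    try:
        run_scenario(parse_scenario(text), FakeTelnetDevice(responses), credentials, timeout)
        return True
    except TimeoutError:
        return False


# The scenario from the guide, as it would be stored (backslashes are literal).
SCENARIO = r"""SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n
"""
# Constructed prompts a switch might emit after each input, and constructed credentials.
SWITCH_RESPONSES = ["\r\nLogin: ", "Password: ", "\r\nSelect menu option: "]
CREDENTIALS = {"login": "admin", "password": "s3cret\\x"}

if __name__ == "__main__":
    device = FakeTelnetDevice(SWITCH_RESPONSES)
    print(run_scenario(parse_scenario(SCENARIO), device, CREDENTIALS))
```

Swapping FakeTelnetDevice for a real socket wrapper with the same write/read_available interface is all that is needed to drive an actual device; the timeout on EXPECT is what prevents a scenario from hanging a session when a prompt never appears.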

4.8. Resolving common problems


4.8.1. Restoring the factory 'admin' account
You can execute the following command in the root menu to restore the 'admin' account:
wab2:~# WABRestoreDefaultAdmin

4.8.2. Resetting the device


To reset the device, execute the following command in the root menu:
wab2:~# /opt/wab/bin/.tools/WABResetConfig

Note:
This command will also delete all audit data (session recordings, connection history, etc.).


Chapter 5. Data encryption


Many types of sensitive data may be stored in the WAB. In particular:
- primary authentication information
- secondary authentication information
- passwords to access authentication services
- WAB data back-ups
Access to the various services (HTTP/RDP/SSH) also requires encrypted data to enable encryption of traffic. Below is a summary table of the encryption methods used:

Data                                                   Encryption
Password of local users                                SSHA1 fingerprint
Login and passwords for target accounts                AES 256 symmetric encryption
External directory authentication data                 AES 256 symmetric encryption
SNMP settings                                          AES 256 symmetric encryption
Authentication settings on the remote storage servers  AES 256 symmetric encryption
Back-up                                                AES 256 symmetric encryption
Web user interface connection key                      RSA 2048 bit key + AES 256
SSH proxy connection key                               RSA 2048 bit key + AES 256
RDP proxy connection                                   RSA 1024 bit key + RC4 128 bits
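Of the methods in the table, 'SSHA1 fingerprint' is the only one-way hash; the others are reversible encryption because the WAB must replay those secrets to targets. The added Python example below (not WAB code) shows the usual salted-SHA-1 layout, base64(sha1(password + salt) + salt) with an {SSHA} prefix as used by LDAP directories, together with a constant-time verification. That the WAB stores exactly this byte layout is an assumption; the example only illustrates what a salted fingerprint is.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20           # SHA-1 produces 20 bytes


def make_ssha(password, salt=None):
    """Return an LDAP-style {SSHA} value: base64(sha1(password + salt) + salt).

    A fresh random salt is drawn per password unless one is supplied, so two
    users with the same password get different fingerprints.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Recompute the fingerprint with the stored salt and compare in constant time."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample password; the salt is fixed only so the output is repeatable.
    fp = make_ssha("Xq7!Tz9#lm", salt=b"12345678")
    print(fp, verify_ssha("Xq7!Tz9#lm", fp))
```

The salt is what makes the stored value a fingerprint rather than a lookup key: an attacker who obtains the table cannot match entries against a precomputed list without redoing the work per salt, and the constant-time comparison avoids leaking how many leading bytes matched.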


Chapter 6. Compatibility:
The WAB was tested with the following clients:
- SSH: OpenSSH 5.1 to 5.5, Putty, Cygwin
- SCP: OpenSSH 5.1 to 5.5, Putty, Cygwin
- SFTP: OpenSSH 5.1 to 5.5, Cygwin, FileZilla, WinSCP (in SFTP mode)
- SSH X11 forwarding: OpenSSH 5.1 to 5.5, Cygwin and Xming
- RDP: MSTSC 6.x (Windows native client, 'Remote desktop access') for Windows XP, Windows 7, Windows Server 2003, Windows Server 2008; rdesktop, freerdp (Linux)
- HTTPS: Mozilla Firefox 3.x, Internet Explorer 7 and 8, Safari 5, Google Chrome
The following remote servers were tested:
- SSH/SCP/SFTP/X11: OpenSSH 5.1 to 5.5
- RDP: Microsoft Terminal Server for Windows Server 2008 and Windows Server 2003
- VNC: RealVNC (for Windows), xtightvnc with Ubuntu Server 10.04
The HTTPS proxy was tested on the following targets in particular:
- BitDefender Remote Admin.
- Cisco Access Point Configuration Utility - AP541N-K9-2.0
- Dell OpenManage Switch Administrator - PowerConnect 2848
- Dell iDRAC Enterprise
- Dell iDRAC Express
- F5 BIG-IP 10.1 TLM
- GLPI - 0.78 administration interface
- Switch NetGear GS724T
- Wallix AdminBastion Web UI - 3.1
- Wallix LogBox Web UI - 2.1
- Zabbix 1.8
Password change has been tested on the following servers:
- Linux/Unix: GNU/Linux, OpenBSD 5.1, FreeBSD 9, NetBSD 5.1.2 French, Solaris 10, Solaris 11
- Windows: Windows Server 2003
- Cisco: ASA 5510


Chapter 7. Limits:
RDP:
- Screen resizing is not supported by Rdesktop (see Patches 2987616: http://sourceforge.net/tracker/?func=detail&aid=2987616&group_id=24366&atid=381349).
- The connection to some VNC servers may appear pink; increasing the number of colours may resolve the problem.
- The former MSTSC 5.1 client in 16 bit mode causes palette problems in full screen (the screen appears green).
SSH:
- X11 support is not enabled with the PuTTY client.
- WinSCP is not supported in SCP mode.
- WinSCP may cause problems in SFTP when creating files and directories with accented characters.
HTTPS:
- Although tested on numerous targets (Chapter 6, Compatibility:), the operation of the HTTP/HTTPS proxy may be degraded in some cases: "highly dynamic" JavaScript code, with calls to external targets, for example.
- Java or Flash Applets, communicating with protocols other than HTTP(S), or where the target is hard coded, are not supported.
- HTTP(S) sessions that are not based on cookies cannot really be cut off (Section 3.5.1, Current connections).


Chapter 8. Definitions
1. ACLs: Acronym for 'Access Control List'. This is a system to manage access to a resource (a device, file, etc.).
2. Primary connection: connection initiated between a user and the WAB.
3. Secondary connection: connection initiated between the WAB and a target account.
4. Local authentication: authentication managed by the WAB.
5. External authentication: authentication managed by a directory external to the WAB.
6. User domain: low trust domain (open access to the Internet, etc.).
7. Connection scenario: scenario to automate connection to a device that does not offer protocols supporting automated sending of credentials (SSH, RDP).
