# BeyondTrust Password Safe

## Requirements

* BeyondInsight 22.X or higher.
* Linux Control Center 2.10 or higher.
* API registration key.
* API account and group with correct permissions.
* The *Managed Account* used by the Linux Control Center must be API-enabled and must exist in the *Managed System*.

## Overview

BeyondTrust Password Safe is enterprise password management software that provides complete control and accountability over all privileged (and non-privileged) accounts within an organization.

Through this integration, it is possible to perform scans using privileged credentials managed by Password Safe.

## BeyondTrust Environment Setup

{% hint style="warning" %}
It is recommended that the managed account be dedicated to the Linux Control Center.
{% endhint %}

{% hint style="danger" %}
All *Assets* to be imported into the Linux Control Center must be added to BeyondInsight Password Safe through a *Discovery Scan* to ensure data integrity for proper import. The same applies to the *Managed System*, meaning it must be created from an *Asset* along with its respective *Managed Accounts*.
{% endhint %}

### API Registration in Password Safe

1. Access the BeyondInsight Console.
2. Go to **Configuration** > **General** > **API Registrations**.
3. Click **Create New API Registration** and select **API Key Policy**.
4. Provide a name for the API registration and click **Create API Registration**.
5. You must add an Authentication/IP rule for the address of your *Linux Control Center Worker* instance. If multiple workers are installed in the network, the IP address of every *Worker* must be listed.

   * On the *Details* page, click *Add Authentication Rule*.
   * Select *Single IP Address* from the dropdown at the top right.
   * Select the *IP Rule* option.
   * Enter the IP address.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-7e5e373e17a548131adbfb6e690aae3ec8218edb%2Fimage%20\(39\).png?alt=media)
6. Disable *Multi-Factor Authentication*.
7. Click *Update Registration* on the Details page.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-77778696e465fff07c70d634188cce024fee2410%2Fimage%20\(88\).png?alt=media)

### New Local User Account in BeyondInsight

A user account and a group must be configured for the Linux Control Center.

1. In the BeyondInsight Console, go to **Configuration** > **Role Based Access** > **User Management**.
2. Click the **Users** tab.
3. Click **Create New User** and select **Create a New User**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-63635521fff1427755754ca8d1749700307004f3%2Fimage%20\(42\).png?alt=media)
4. Enter user details such as identification and credentials.
5. Click *Create User*.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-e021089a0322c3403bcca482f7048f2935b2d559%2Fimage%20\(94\).png?alt=media)

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-0d0b49b14711cacb0cba70ca17393f2d686197d0%2Fimage%20\(95\).png?alt=media)

### New Local Group in BeyondInsight

1. Follow the steps to create a new local group and enable the necessary features and *Smart Groups*:
2. In the BeyondInsight Console, go to **Configuration** > **Role Based Access** > **User Management**. Click the **Groups** tab.
3. Click **Create New Group** and select **Create a New Group**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-4153d14f1069bf61d8d2a9d1c2b1376d70aa1db2%2Fimage%20\(49\).png?alt=media)
4. Provide the group name and description, then click **Create Group**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-d2abedefdcd2b7b8dc3581d05ce4411a8f2e1144%2Fimage%20\(91\).png?alt=media)
5. Check the box next to the newly created group, then click the three dots to the right of the group and select **View Group Details**.
6. In **Group Details**, select **Features**.
7. On the **Features** page, locate features by selecting **All Features** in the Show dropdown. Select **Feature Name** in the **Filter By** dropdown, then type the feature name in the **Feature Name** field. The following features must be enabled:

   * Asset Management
   * Attribute Management
   * Password Safe Account Management
   * Password Safe System Management

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-5ab24c1f6c93eefc84cb1a53800f4737d0193346%2Fimage%20\(43\).png?alt=media)
8. The features listed above must be assigned **Read Only** permissions. Click the three dots to the right of each feature and select **Assign Permissions Read Only**.
9. In **Group Details**, select **Smart Groups**.
10. On the **Smart Groups Permissions** page, locate **Smart Groups** by selecting **All Smart Groups** in the Show dropdown. Select **Smart Group Name** in the **Filter By** dropdown, then type the Smart Group name in the **Smart Group Name** field. The target managed Smart Group must be enabled.
11. Smart Groups must be assigned **Full Control** permissions. Click the three dots to the right of the Smart Group and select **Assign Permissions Full Control**.
12. The target Smart Group must have *Requestor, Approver, and Credential Manager* selected as roles. Click the three dots to the right of the Smart Group and select **Edit Password Safe Roles**.
13. Check the box **Requestor** and select an access policy from the **Access Policy for Requestor** dropdown. This policy applies to the managed account used for integration.

    ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-6ecd768e2eb53a49c9049af51ec61ef13e865e34%2Fimage%20\(103\).png?alt=media)

{% hint style="warning" %}
The Linux Control Center requires an **Access Policy** configured with **View Password** permission and **Auto Approve** enabled. It is also recommended to enable **"Allow multi-day checkout of accounts"** to avoid possible denied requests near the end of the day.
{% endhint %}

14. Click **Save Roles**.
15. To add the previously created user to the group:
    * Go to **Configuration > Role Based Access > User Management > Groups**.
    * Click the three dots to the right of the new group and select **View Group Details**.
    * In **Group Details**, select **Users**.
    * Select **Users Not Assigned** in the Show dropdown.
    * In the **Filter by** dropdown, select **Username**. Type the username in the **Username** field.
    * Check the box next to the username and click **Assign User**.
16. Finally, assign the **API registration** created for the integration to this group:

    * Go to **Configuration > Role Based Access > User Management > Groups**.
    * Click the three dots to the right of the group and select **View Group Details**.
    * In **Group Details**, select **API Registrations**. A list of API registrations will be displayed.
    * Check the box next to the API registration created under **API Registration**.

    ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-9db1ab64ecd6525533dab0a7a1487e3a6bb32afe%2Fimage%20\(46\).png?alt=media)

### Managed Account Used by the Linux Control Center

1. In the **BeyondInsight Console**, go to **Managed Accounts**.
2. In the **Filter by** dropdown, select **Account**. Enter the account name in the **Account** field.
3. Click the three dots to the right of each entry and select **Edit Account**. In **Account Settings**, ensure that **API Enabled** is checked.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-37642b866ae614b4b0daa5cfbf874775591a40a9%2Fimage%20\(50\).png?alt=media)

## Integration with Linux Control Center

Set up the integration with the Linux Control Center after completing the setup in your BeyondTrust Password Safe environment.

1. In the Linux Control Center, go to **Config**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-f570451f9e9e9ca31fa03e70d2d579135e9627af%2Fbotao_config.png?alt=media)
2. Click **BeyondTrust**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-4c6f63278032ba0530bc1a3ad607ba014ee7e26f%2Fbotao_beyondtrust.png?alt=media)
3. Click **Password Safe**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-4c52640671251f4410a5b9114436ceda38c1b83b%2Fbotao_passwordsafe.png?alt=media)
4. Click **Create**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-49c520bc541b0f9ec87c7eaef430f82f08b5f133%2Fbotao_create.png?alt=media)
5. Provide all necessary settings to authenticate with the Password Safe API, such as **API Base URL, API Auth Key, API Auth Username, API Auth Password**, and the **Managed Account** to be used by the Linux Control Center.
6. Select the **Privilege Escalation** field based on the chosen account permissions.
7. Click **Save**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-53bc2e4d0317cd6f35eafd4bbca8c7715c59ca58%2Fformulario_ps.png?alt=media)
8. After saving, click the created integration, click **Actions**, and run **Test Connection With Safe API** to validate communication with BeyondInsight.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-451e1cf94da2cd2293c8170c9fc24a9c20f1cba0%2Fbotao_test_api.png?alt=media)

   If the connection fails, go to **BeyondInsight > Configuration > User Audit options** and review the connection details.
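
The following pre-flight check is an added example, not part of the Linux Control Center or BeyondTrust code. Run from the Worker host, it signs in to the Password Safe API with the same key, user and password entered in the form and confirms that the managed account is visible to that user. It assumes the **API Base URL** points at the root of the public v3 API and uses the `Auth/SignAppin`, `ManagedAccounts` and `Auth/Signout` endpoints; the host, system and account names are constructed placeholders.

```python
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def ps_auth_header(api_key, run_as, password):
    # PS-Auth scheme used by the Password Safe API; the password sits in [brackets].
    return f"PS-Auth key={api_key}; runas={run_as}; pwd=[{password}];"


def make_transport(base_url, auth_header):
    # One opener for the whole run, so the session cookie from sign-in is reused.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))

    def send(method, path):
        req = urllib.request.Request(
            base_url.rstrip("/") + "/" + path, method=method,
            data=b"" if method == "POST" else None,
            headers={"Authorization": auth_header})
        try:
            with opener.open(req, timeout=15) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 4xx/5xx is a result to report, not a crash
        except urllib.error.URLError:
            return 0  # no HTTP response at all (DNS, routing, TLS)
    return send


def preflight(send, system_name, account_name):
    """Return [(step, ok, detail)] for sign-in and the managed-account lookup."""
    status = send("POST", "Auth/SignAppin")
    results = [("sign-in", status == 200, f"HTTP {status}")]
    if status != 200:
        return results  # review API key, user, password, IP rule, MFA setting
    query = urllib.parse.urlencode({"systemName": system_name, "accountName": account_name})
    status = send("GET", "ManagedAccounts?" + query)
    results.append(("managed-account", status == 200, f"HTTP {status}"))
    send("POST", "Auth/Signout")  # always release the API session
    return results


if __name__ == "__main__":
    # Constructed placeholder values; substitute the ones entered in the form.
    base = "https://beyondinsight.example/BeyondTrust/api/public/v3"
    send = make_transport(base, ps_auth_header("API_KEY", "lcc-api", "PASSWORD"))
    for step, ok, detail in preflight(send, "linux-host-01", "lcc-scan"):
        print(f"{'OK  ' if ok else 'FAIL'} {step}: {detail}")
```

A failed `sign-in` step points at the API registration or user setup; a failed `managed-account` step points at the group's Smart Group permissions and Requestor role.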

### Get Assets Info

1. The **Get Assets Info** option queries all **Smart Group Assets** linked to the **User Group** of the **API Auth Username** used.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-f24d5aa417fdbdfa3826c600c393f82fe7e5e1de%2Fdiagrama_discover_bt.png?alt=media)
2. Click **Actions** and execute **Get Assets Info**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-f15fda1d14feb127eca8e65b86962e3cbf0fedeb%2Fget_assets_info.png?alt=media)
3. Confirm the action by clicking **Yes**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-dc5f437ef298908f1ce6cd2de045b795d27ee19d%2Fconfirm_action.png?alt=media)
4. A new job will be created in **Logs > Queue** on the left menu with the **"Get Smart Groups"** action from the User Group belonging to the **API Auth Username**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-22432bc00cfde76e7caea2463ac8b48f40c66b25%2Fimage%20\(75\).png?alt=media)
5. Once the job is completed, all Assets will be available for the **Import Asset** action.

### Import Assets

1. To list the Assets available for import into the Linux Control Center, go to **Config > Integrations > BeyondTrust > Password Safe**, click the created integration, and then click **Import Assets**.
2. Select the assets to be imported through the **Import Assets** process and click **Send**.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-cfa3e16386302a3fc5b4329599f47f1d7c1c54a7%2Fimage%20\(77\).png?alt=media)
3. A new action called **Import Assets** will be created. In this action, the Linux Control Center attempts to connect to each selected Asset with the provided Managed Account and the password retrieved from Password Safe, verifying that the connection succeeds.
4. After validation, the Linux Control Center will start a new job with the **Photography** action for each imported host, collecting host information such as hostname, kernel version, IPv4 address, MAC address, SSH port, operating system version, and other details.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-683303ab247bf3cb7f8ed8da27bfe067e1de0f4a%2Fimage%20\(66\).png?alt=media)
5. When **Import Assets Info** successfully reaches the **Processed** state in the Queue menu, go to the **Hosts** option in the left menu and verify that the assets were correctly imported into the Linux Control Center using the BeyondTrust authentication method.

   ![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-56f5e2fef2c1a3e42d4afd4b74b1e112c017ea82%2Fimage%20\(67\).png?alt=media)
