BeyondTrust Password Safe

Requirements

  • BeyondInsight 22.X or higher.

  • Linux Control Center 2.10 or higher.

  • API registration key.

  • API account and group with correct permissions.

  • The Managed Account used by the Linux Control Center must be API-enabled and must exist in the Managed System.

Overview

BeyondTrust Password Safe is enterprise password management software that provides complete control and accountability over all privileged (and non-privileged) accounts within an organization.

Through this integration, it is possible to perform scans using privileged credentials managed by Password Safe.

BeyondTrust Environment Setup

API Registration in Password Safe

  1. Access the BeyondInsight Console.

  2. Go to Configuration > General > API Registrations.

  3. Click Create New API Registration and select API Key Policy.

  4. Provide a name for the API registration and click Create API Registration.

  5. You must add an Authentication/IP rule for the address of your Linux Control Center Worker instance. If multiple Workers are installed in the network, every Worker's IP address must be listed.

    • On the Details page, click Add Authentication Rule.

    • Select Single IP Address from the dropdown at the top right.

    • Select the IP Rule option.

    • Enter the IP address.

  6. Disable Multi-Factor Authentication.

  7. Click Update Registration on the Details page.

New Local User Account in BeyondInsight

A user account and a group must be configured for the Linux Control Center.

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management.

  2. Click the Users tab.

  3. Click Create New User and select Create a New User.

  4. Enter user details such as identification and credentials.

  5. Click Create User.

New Local Group in BeyondInsight

Follow the steps to create a new local group and enable the necessary features and Smart Groups:

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management. Click the Groups tab.

  2. Click Create New Group and select Create a New Group.

  3. Provide the group name and description, then click Create Group.

  4. Check the box next to the newly created group, then click the three dots to the right of the group and select View Group Details.

  5. In Group Details, select Features.

  6. On the Features page, locate features by selecting All Features in the Show dropdown. Select Feature Name in the Filter By dropdown, then type the feature name in the Feature Name field. The following features must be enabled:

    • Asset Management

    • Attribute Management

    • Password Safe Account Management

    • Password Safe System Management

  7. The features listed above must be assigned Read Only permissions. Click the three dots to the right of each feature and select Assign Permissions Read Only.

  8. In Group Details, select Smart Groups.

  9. On the Smart Groups Permissions page, locate Smart Groups by selecting All Smart Groups in the Show dropdown. Select Smart Group Name in the Filter By dropdown, then type the Smart Group name in the Smart Group Name field. The target managed Smart Group must be enabled.

  10. Smart Groups must be assigned Full Control permissions. Click the three dots to the right of the Smart Group and select Assign Permissions Full Control.

  11. The target Smart Group must have Requestor, Approver, and Credential Manager selected as roles. Click the three dots to the right of the Smart Group and select Edit Password Safe Roles.

  12. Check the Requestor box and select an access policy from the Access Policy for Requestor dropdown. This policy applies to the managed account used for integration.

  13. Click Save Roles.

  14. To add the previously created user to the group:

    • Go to Configuration > Role Based Access > User Management > Groups.

    • Click the three dots to the right of the new group and select View Group Details.

    • In Group Details, select Users.

    • Select Users Not Assigned in the Show dropdown.

    • In the Filter by dropdown, select Username. Type the username in the Username field.

    • Check the box next to the username and click Assign User.

  15. Finally, assign the API registration created for the integration to this group:

    • Go to Configuration > Role Based Access > User Management > Groups.

    • Click the three dots to the right of the group and select View Group Details.

    • In Group Details, select API Registrations. A list of API registrations will be displayed.

    • Check the box next to the API registration created under API Registration.

Managed Account Used by the Linux Control Center

  1. In the BeyondInsight Console, go to Managed Accounts.

  2. In the Filter by dropdown, select Account. Enter the account name in the Account field.

  3. Click the three dots to the right of each entry and select Edit Account. In Account Settings, ensure that API Enabled is checked.

Integration with Linux Control Center

Set up the integration with the Linux Control Center after completing the setup in your BeyondTrust Password Safe environment.

  1. In the Linux Control Center, go to Config.

  2. Click BeyondTrust.

  3. Click Password Safe.

  4. Click Create.

  5. Provide all necessary settings to authenticate with the Password Safe API, such as API Base URL, API Auth Key, API Auth Username, API Auth Password, and the Managed Account to be used by the Linux Control Center.

  6. Select the Privilege Escalation field based on the chosen account permissions.

  7. Click Save.

  8. After saving, click the created integration, click Actions, and run Test Connection With Safe API to validate communication with BeyondInsight.

    If the connection fails, go to BeyondInsight > Configuration > User Audit options and review the connection details.
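
To reproduce the Test Connection With Safe API check from the Worker host when it fails, the following added example (not part of the original page or of either product) signs in to and out of the Password Safe API using the same API Base URL, API Auth Key, API Auth Username and API Auth Password. The `PS-Auth` header and the `Auth/SignAppin` and `Auth/Signout` endpoints come from BeyondTrust's public API rather than from this page, and the environment variable names are hypothetical.

```python
import http.cookiejar
import os
import urllib.error
import urllib.parse
import urllib.request


def normalize_base_url(base_url):
    """Return the API Base URL with a single trailing slash; refuse non-HTTPS."""
    url = base_url.strip()
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("API Base URL must be an https:// URL")
    return url.rstrip("/") + "/"


def ps_auth_header(api_key, username, password):
    """Build the PS-Auth Authorization value from the three API Auth fields."""
    for label, value, banned in (("API Auth Key", api_key, ";\r\n"),
                                 ("API Auth Username", username, ";\r\n"),
                                 ("API Auth Password", password, "\r\n")):
        if not value or any(ch in value for ch in banned):
            raise ValueError(f"{label} is empty or contains a reserved character")
    return f"PS-Auth key={api_key}; runas={username}; pwd=[{password}];"


def check_sign_in(base_url, api_key, username, password, timeout=10):
    """Sign in and out once. Returns (ok, http_status_or_None, detail)."""
    base = normalize_base_url(base_url)
    headers = {"Authorization": ps_auth_header(api_key, username, password)}
    # Keep cookies so that Signout closes the session SignAppin opened.
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def post(path):
        req = urllib.request.Request(base + path, data=b"", headers=headers, method="POST")
        with opener.open(req, timeout=timeout) as resp:
            return resp.status

    try:
        status = post("Auth/SignAppin")
        post("Auth/Signout")
        return True, status, "signed in and out"
    except urllib.error.HTTPError as err:   # the server answered with an error status
        return False, err.code, err.read().decode("utf-8", "replace")[:200]
    except urllib.error.URLError as err:    # DNS, routing or TLS failure
        return False, None, str(err.reason)


if __name__ == "__main__":
    # Hypothetical variable names; they keep the secrets off the command line.
    print(check_sign_in(os.environ["PS_BASE_URL"], os.environ["PS_API_KEY"],
                        os.environ["PS_USERNAME"], os.environ["PS_PASSWORD"]))
```

An HTTP status in the result means BeyondInsight was reached and rejected the request, so the User Audit entry will show why; `None` means the Worker never got an HTTP response at all.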

Get Assets Info

  1. The Get Assets Info option queries all Smart Group Assets linked to the User Group of the API Auth Username used.

  2. Click Actions and execute Get Assets Info.

  3. Confirm the action by clicking Yes.

  4. A new job will be created in Logs > Queue on the left menu with the "Get Smart Groups" action for the User Group that the API Auth Username belongs to.

  5. Once the job is completed, all Assets will be available for the Import Asset action.

Import Assets

  1. To list the Assets available for import into the Linux Control Center, go to Config > Integrations > BeyondTrust > Password Safe, click the created integration, and then click Import Assets.

  2. Select the assets to be imported through the Import Assets process and click Send.

  3. A new action called Import Assets will be created. In this action, the Linux Control Center will attempt to connect to each selected Asset to verify that it can log in with the provided Managed Account and the password retrieved from Password Safe.

  4. After validation, the Linux Control Center will start a new job with the Photography action for each imported host, collecting host information such as hostname, kernel version, IPv4 address, MAC address, SSH port, operating system version, and other details.

  5. When Import Assets Info successfully reaches the Processed state in the Queue menu, go to the Hosts option in the left menu and verify that the assets were correctly imported into the Linux Control Center using the BeyondTrust authentication method.
