BeyondTrust
This guide provides information and steps for integrating BeyondTrust Password Safe with Linux Control Center.
BeyondTrust
BeyondTrust Password Safe is enterprise password management software that provides complete control and accountability over privileged (and non-privileged) accounts within an organization.
Through this integration it is possible to run Discovers using privileged credentials managed by Password Safe, import Assets from Password Safe, and create scripts that use Managed Accounts and Secrets from Secrets Safe (credentials, passwords, tokens, files and texts).
Version Requirements
BeyondInsight 22.X and later.
Linux Control Center 2.0 and later.
BeyondTrust Password Safe Configuration
API registration key;
API account and group with correct permissions;
Managed Account used by Linux Control Center must be API enabled;
Managed System for the Managed Account must exist;
Asset for the Managed Account must exist.
The Managed Account used in this integration should preferably be a dedicated account for Linux Control Center.
It is recommended that the Assets to be imported into Linux Control Center are added to BeyondInsight Password Safe through a Discovery Scan, so that the data to be imported is complete and consistent. Manually created Assets and Managed Systems are also supported, but it is a requirement that an Asset be created for each managed Linux server.
Linux Control Center does not support these characters in passwords: # { } " \ @. This restriction needs to be defined in "Password Policies" for the Managed Account used by Linux Control Center.
API Registration
To register a new API:
In BeyondInsight Console, go to Configuration > General > API Registrations, click on Create New API Registration and select API Key Policy.
Provide a name for the API registration and click Create API Registration.
You must add an Authentication/IP rule for the address of your Linux Control Center Worker instance. If there are multiple workers installed in the environment, all worker addresses must be listed.
On the Details page, click Add Authentication Rule.
From the Type dropdown list, select Single IP Address.
Select the IP Rule option.
Provide the IP address.
Disable the Enforce Multi-Factor Authentication checkbox option.
On the Details page, click Update Registration.
User Account and Group
A user account and group must be configured for Linux Control Center. To create a BeyondInsight local user account:
In the BeyondInsight Console, go to Configuration > Role Based Access > User Management. Click the Users tab.
Click Create New User and select Create a New User.
Provide user details, such as identification and credentials, and click Create User.
To create a new BeyondInsight local group, and enable the required features and Smart Groups for that group:
In the BeyondInsight Console, go to Configuration > Role Based Access > User Management. Click the Groups tab.
Click Create New Group and select Create a New Group.
Provide group name and description, and then click Create Group.
Check the box next to the newly created group, and then click the ellipsis to the right of the group. Select View Group Details.
Under Group Details, select Features.
On the Features page, locate features by selecting All Features in the Show dropdown list. Select Feature Name under the Filter By dropdown list, and then type the feature in the Feature Name field. The following features must be enabled:
Asset Management
Attribute Management
Password Safe Account Management
Password Safe System Management
The above features must be assigned a permission of read only. Click the corresponding ellipsis to the right of the feature, and then select Assign Permissions Read Only.
Under Group Details, select Smart Groups.
On the Smart Groups Permissions page, locate Smart Groups by selecting All Smart Groups in the Show dropdown list. Select Smart Group Name under the Filter By dropdown list, and then type the Smart Group name in the Smart Group Name field. The target Managed Account Smart Group must be enabled.
The Smart Groups must be assigned a permission of full control. Click the corresponding ellipsis to the right of the Smart Group, then select Assign Permissions Full Control.
The target Smart Group must have Requestor, Approver and Credential Manager selected as roles. Click the corresponding ellipsis to the right of the Smart Group, and then select Edit Password Safe Roles.
Check the Requestor box, and then select a policy from the Access Policy for Requestor dropdown list. This policy is applied to the managed account that is used for the integration.
Linux Control Center requires the use of an Access Policy configured with the View Password permission and Auto Approve enabled. It is also recommended to enable "Allow multi-day checkout of accounts" to avoid requests being denied near the end of the day.
Click Save Roles.
To add the user created above to the group:
Go to Configuration > Role Based Access > User Management > Groups.
Click the ellipsis to the right of the new group, and then select View Group Details.
Under Group Details, select Users.
Select Users Not Assigned from the Show dropdown list.
In the Filter by dropdown list, select Username. Type the user name in the Username field.
Check the box beside the user name, and then click Assign User.
Finally, assign the API that was registered for the integration to this group:
Go to Configuration > Role Based Access > User Management > Groups.
Click the ellipsis to the right of the group, and then select View Group Details.
Under Group Details, select API Registrations. A list of API registrations is displayed.
Check the box beside the API registration created in the API Registration section.
Managed Account Used by Linux Control Center
To confirm the account is enabled for use with the API:
In the BeyondInsight Console, go to Managed Accounts.
In the Filter by dropdown list, select Account. Enter the account name in the Account field.
Click the ellipsis to the right of each entry, and then select Edit Account. Under Account Settings, make sure the API Enabled option is enabled.
Linux Control Center Configuration
BeyondTrust Configuration Page
In the Linux Control Center, go to Config > Integrations and click on the BeyondTrust Configuration button.
Provide all settings needed to authenticate to the Password Safe API: API Url Base, API Auth Key, API Auth Username, API Auth Password and the Managed Account that will be used by Linux Control Center.
Select the Privilege Escalation Type from the dropdown list based on the permissions of the chosen account.
Click Save.
After saving, a test connection is made to validate communication with BeyondInsight. If the connection fails, go to BeyondInsight > Configuration > User Audit and analyze the connection details.
Get Assets Info
The Get Assets Info option searches for all Assets of the Smart Group linked to the User Group of the API Auth Username in use.
To perform a Get Assets Info, go to Config > Integrations > BeyondTrust, click Get Assets Info and then Yes.
A new job will be created in the Logs > Queue left menu with the action "Get Smart Groups" for the User Group belonging to the API Auth Username.
After the job is completed, all Assets will be available to perform an Import Asset Action.
Import Assets
To list which Assets are available to import to Linux Control C/enter, go to Config > Integrations > BeyondTrust and click Import Assets.
Select the assets that will be imported by the Import Assets process and click Send.
A new action called "Import Assets" will be created. In this action Linux Control Center tries to connect to each selected Asset using the provided Managed Account, to confirm that it can connect with the Managed Account and the password retrieved from Password Safe.
After validating, Linux Control Center will start a new job with the "Photography" action for each imported host, fetching host information such as hostname, kernel version, IPv4 address, MAC address, SSH port, OS version and other details.
When the Import Assets job successfully reaches the "Processed" state in the Queue menu, go to the Hosts option in the left menu and validate that the assets were imported correctly by Linux Control Center with the BeyondTrust Authentication Method.