Version: Axidian Privilege 3.0

Additional Components Setup

PamSu

The PamSu component enables Axidian Privilege users to run commands with root privileges using the password of their own Active Directory user account.

Installation is performed manually on Linux resources, where you need to run commands with root privileges.

Installation

Components are placed in the ..PAM_3.0\axidian-pam-tools\pamsu\ folder.

Choose the ossl build to use static OpenSSL libs from the pamsu package:

  • ..PAM_3.0\axidian-pam-tools\pamsu\axidian-privilege.pamsu-ossl*.x64.deb
  • ..PAM_3.0\axidian-pam-tools\pamsu\axidian-privilege.pamsu-ossl*.x64.rpm

Choose the no-ossl build if pamsu cannot work with the static OpenSSL libs and needs to use the OpenSSL shipped with the operating system:

  • ..PAM_3.0\axidian-pam-tools\pamsu\axidian-privilege.pamsu-no-ossl*.x64.deb
  • ..PAM_3.0\axidian-pam-tools\pamsu\axidian-privilege.pamsu-no-ossl*.x64.rpm

Copy the pamsu installation package to the resource and run the command:

Installation on Debian-based distros

$ sudo dpkg -i axidian-privilege.pamsu*.deb

Installation on RedHat-based distros

$ sudo rpm -i axidian-privilege.pamsu*.rpm

Configuration

On the resource, the Core and Idp web server certificate must be trusted. You can check that the certificate is trusted by running the command below; it must complete without a certificate verification error:

$ curl https://pam.company.local

Open the /etc/pamsu.conf file in an editor with root privileges and specify the idp_url, core_url, log_path and log_level settings:

  • idp_url — Idp URL address
  • core_url — Core URL address
  • log_path — path to the folder with log files
  • log_level — logging level, one of INFO, WARN, ERROR, FATAL

/etc/pamsu.conf
Set idp_url https://pam.company.local/idp
Set core_url https://pam.company.local/core
Set log_path /var/log
Set log_level INFO

On some Linux systems, the SSH server does not accept the LC_* environment variables by default. For pamsu to work correctly, add the following line to the /etc/ssh/sshd_config file and restart the SSH service:

AcceptEnv LC_PAM_USER LC_PAM_SESSION_ID

or simply

AcceptEnv LC_*

The wildcard form accepts every LC_* variable a client sends, so the explicit list is the narrower choice.

note

To allow the execution of the pamsu command, you must enable the Allow run pamsu option in the SSH section of the policy.
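As an added check (example code, not part of Axidian's tooling): the script below parses /etc/pamsu.conf and sshd_config and reports the settings above that are missing or do not match, assuming the "Set key value" format shown and sshd-style AcceptEnv glob patterns.

```python
# Added example (not Axidian's tooling): sanity-check a pamsu resource.
# Assumes /etc/pamsu.conf uses the "Set key value" lines shown above and that
# sshd_config may carry several AcceptEnv lines with sshd-style glob patterns.
import fnmatch
from urllib.parse import urlparse

VALID_LEVELS = {"INFO", "WARN", "ERROR", "FATAL"}
REQUIRED_ENV = ("LC_PAM_USER", "LC_PAM_SESSION_ID")  # variables pamsu needs sshd to accept

def parse_pamsu_conf(text):
    """Return {key: value} from 'Set key value' lines; blanks and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0].lower() == "set":
            conf[parts[1]] = parts[2]
    return conf

def acceptenv_patterns(sshd_text):
    """AcceptEnv patterns from the global part of sshd_config (keyword is case-insensitive;
    everything after the first Match line is skipped because it applies conditionally)."""
    pats, in_match = [], False
    for line in sshd_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        in_match = in_match or key == "match"
        if key == "acceptenv" and not in_match:
            pats.extend(rest.split())
    return pats

def check(conf_text, sshd_text):
    """Return a list of findings; an empty list means the resource looks set up correctly."""
    findings, conf = [], parse_pamsu_conf(conf_text)
    for key in ("idp_url", "core_url"):
        url = conf.get(key, "")
        if urlparse(url).scheme != "https":  # the documented values are https URLs
            findings.append(f"{key} missing or not https: {url!r}")
    if conf.get("log_level", "").upper() not in VALID_LEVELS:
        findings.append("log_level must be one of INFO, WARN, ERROR, FATAL")
    pats = acceptenv_patterns(sshd_text)
    for var in REQUIRED_ENV:
        if not any(fnmatch.fnmatchcase(var, p) for p in pats):
            findings.append(f"sshd_config does not AcceptEnv {var}")
    return findings

# Constructed sample inputs matching the documented configuration.
SAMPLE_CONF = "Set idp_url https://pam.company.local/idp\nSet core_url https://pam.company.local/core\nSet log_path /var/log\nSet log_level INFO\n"
SAMPLE_SSHD = "# constructed sshd_config excerpt\nAcceptEnv LANG LC_*\n"
```

Run check() against the real files (open("/etc/pamsu.conf").read(), open("/etc/ssh/sshd_config").read()) on the resource after installation.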

Axidian Privilege Agent

The Axidian Privilege Agent must be installed directly on the resources to enable RDP text logging.

caution

If the agent is not installed on the Resource and the Save text logs option is enabled in the policy, the user session will be aborted automatically within a minute.

caution

Make sure that no third-party software blocks the Agent. The Axidian Privilege Windows Agent process (Pam.Proxy.WindowsAgent.exe) starts automatically when a new session starts on the resource.

After the Axidian Privilege Agent is installed, reboot the computer or log out and log in again. No additional configuration is required.

Axidian Privilege Desktop Console

Configuring for Domain Computers

  1. Copy the contents of the axidian-pam-tools\desktop-console\PolicyDefinitions folder on the domain controller to the C:\Windows\sysvol\domain\policies\PolicyDefinitions folder
  2. On the domain controller, start the Group Policy Management Console snap-in
  3. Select the required GPO and go to the section Computer Configuration\Policies\Administrative Templates\Axidian Privilege\General\
  4. Set Enable and fill in the Axidian Privilege connection settings
  5. Update group policies on the user's computer

Configuring for Computers to which Domain Policies are not Applied

  1. Copy the contents of the axidian-pam-tools\desktop-console\PolicyDefinitions folder to the C:\Windows\PolicyDefinitions folder
  2. Start the local group policy editor (gpedit.msc)
  3. Go to the section Computer Configuration\Policies\Administrative Templates\Axidian Privilege\General\
  4. Set Enable and fill in the Axidian Privilege connection settings

Writing Events to Syslog

  1. Go to the C:\inetpub\wwwroot\ls\targetConfigs folder, create a copy of the sampleSyslog.config file and rename it to Pam.Syslog.config, then edit the <Settings> … </Settings> element according to the information below:

    • HostName — Syslog server name
    • Port — Syslog port number
    • Protocol — Syslog connection type: TCPoverTLS, TCP, UDP (only TCPoverTLS encrypts the events in transit; TCP and UDP send them in clear text)
    • Format — logging format: Plain, CEF, LEEF
    • SyslogVersion — syslog protocol version: RFC3164, RFC5424

    C:\inetpub\wwwroot\ls\targetConfigs
    <Settings HostName="localhost" Port="5081" Protocol="TCP" Format="CEF" SyslogVersion="RFC3164" />
  2. In the C:\inetpub\wwwroot\ls\clientApps.config file, edit the pam section so that it also writes to the target defined by Pam.Syslog.config: add a new TargetId to WriteTargets:

    C:\inetpub\wwwroot\ls\clientApps.config
    <Application Id="pam" SchemaId="Pam.Schema">
      <ReadTargetId>Pam.TargetDb</ReadTargetId>
      <WriteTargets>
        <TargetId>Pam.TargetDb</TargetId>
        <TargetId>Pam.Syslog</TargetId>
      </WriteTargets>
      <AccessControl>
        <!--<CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" />-->
      </AccessControl>
    </Application>
  3. In the same file, in the Targets section, add a new Target element whose Id is the configuration file name without the extension (Pam.Syslog for Pam.Syslog.config):

    C:\inetpub\wwwroot\ls\clientApps.config
    <Targets>
      ...
      <Target Id="Pam.TargetDb" Type="mssql"/>
      <Target Id="Pam.Syslog" Type="syslog"/>
    </Targets>

    In Target Id="Pam.TargetDb" specify Type depending on the database you are using: mssql or pgsql.
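As an added consistency check for steps 1 to 3 (example code, not Axidian's tooling): the script below cross-checks the WriteTargets of clientApps.config against the Targets section, verifies that every syslog Target has a matching targetConfigs file whose Settings use the documented values, and flags clear-text transports. It assumes a <Configuration> root element and models the targetConfigs folder as a dict of file name to XML text.

```python
# Added example (not Axidian's tooling): consistency check for the syslog wiring in
# clientApps.config and targetConfigs\*.config.  Element and attribute names follow the
# snippets above; the <Configuration> root and the dict standing in for the folder are assumed.
import xml.etree.ElementTree as ET

ALLOWED = {"Protocol": {"TCPoverTLS", "TCP", "UDP"},
           "Format": {"Plain", "CEF", "LEEF"},
           "SyslogVersion": {"RFC3164", "RFC5424"}}
DB_TYPES = {"mssql", "pgsql"}

def check_syslog_settings(tid, config_xml):
    """Validate one targetConfigs\\<tid>.config file (step 1 above)."""
    if config_xml is None:
        return [f"{tid}: targetConfigs\\{tid}.config not found (Id must equal the file name)"]
    root = ET.fromstring(config_xml)
    s = root if root.tag == "Settings" else root.find(".//Settings")
    if s is None:
        return [f"{tid}: no <Settings> element"]
    findings = [f"{tid}: {a}={s.get(a)!r} not in {sorted(ok)}"
                for a, ok in ALLOWED.items() if s.get(a) not in ok]
    if s.get("Protocol") in ("TCP", "UDP"):  # plain transports expose audit data on the wire
        findings.append(f"{tid}: Protocol={s.get('Protocol')} sends events in clear text; prefer TCPoverTLS")
    return findings

def check_client_apps(client_apps_xml, target_configs):
    """Cross-check <Application> read/write targets against <Targets> and the config folder."""
    root = ET.fromstring(client_apps_xml)
    targets = {t.get("Id"): t.get("Type") for t in root.iter("Target")}
    findings = []
    for app in root.iter("Application"):
        used = [e.text for tag in ("ReadTargetId", "TargetId") for e in app.iter(tag)]
        findings += [f"{app.get('Id')}: target {tid!r} has no <Target> element"
                     for tid in used if tid not in targets]
    for tid, ttype in targets.items():
        if ttype == "syslog":   # step 3: the file name is the Target Id plus ".config"
            findings += check_syslog_settings(tid, target_configs.get(tid + ".config"))
        elif ttype not in DB_TYPES:
            findings.append(f"{tid}: unknown Type {ttype!r} (expected mssql, pgsql or syslog)")
    return findings

# Constructed samples mirroring the documented configuration.
SAMPLE_CLIENT_APPS = """<Configuration>
  <Application Id="pam" SchemaId="Pam.Schema">
    <ReadTargetId>Pam.TargetDb</ReadTargetId>
    <WriteTargets><TargetId>Pam.TargetDb</TargetId><TargetId>Pam.Syslog</TargetId></WriteTargets>
  </Application>
  <Targets><Target Id="Pam.TargetDb" Type="mssql"/><Target Id="Pam.Syslog" Type="syslog"/></Targets>
</Configuration>"""
SAMPLE_FOLDER = {"Pam.Syslog.config": '<Settings HostName="localhost" Port="5081" Protocol="TCP" Format="CEF" SyslogVersion="RFC3164" />'}
```

On a real server, read clientApps.config with open() and build the dict from the files in C:\inetpub\wwwroot\ls\targetConfigs before calling check_client_apps().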