Skip to main content
Version: Axidian Privilege 3.3

Additional Components Setup

PamSu

The PamSu component enables Axidian Privilege users to run commands with root privileges using the password of their own Active Directory user account.

Installation is performed manually on Linux resources, where you need to run commands with root privileges.

Installation

Depending on the Linux distribution, select the required installation package format:

  • The .deb format is intended for Debian-based distributions: these include Debian and Ubuntu.
  • The .rpm format is intended for RHEL-based distributions: these include CentOS, Oracle Linux, Rocky Linux and RHEL.

To install PamSu:

  1. Navigate to the folder with the distribution AxidianPAM_3.3\axidian-pam-tools\pamsu\

  2. Install the PamSu utility of the latest OSSL version:

    sudo dpkg -i "axidian-privilege.pamsu-ossl(3.1.8)-v3.3.0-master.196334.x64.deb"

If errors occurred during installation or PamSu does not work:

  1. Remove the utility:

    sudo dpkg -P pamsu

  2. Install:

    • an earlier OSSL version, for example:

      sudo dpkg -i "axidian-privilege.pamsu-ossl(1.1.1s)-v3.3.0-master.196334.x64.deb"

    • NO-SSL version, if additional cryptographic modules for OpenSSL are already installed:

      sudo dpkg -i "axidian-privilege.pamsu-no-ossl(3.1.8)-v3.3.0-master.196334.x64.deb"

If you were unable to install PamSu, contact technical support.

Configuration

On the resource, you need to configure trust for the certificates of the Core and IdP components.

To verify correct operation with certificates, execute the command:

curl https://pam.company.local/idp/

Open the /etc/pamsu.conf  file in any editor with root privileges, specify the idp_url, api_url, log_path and log_level settings:

  • idp_url — idp URL address
  • core_url — core URL address
  • log_path — path to the folder with log files
  • log_level — logging level, can be INFO, WARN, ERROR, FATAL
Example
Set idp_url https://pam.company.local/idp
Set core_url https://pam.company.local/core
Set log_path /var/log
Set log_level INFO

On some Linux systems, the SSH server does not allow the LC_ * environment variables by default.  For the application to work correctly, add the following line to the /etc/ssh/sshd_config file:

AcceptEnv LC_PAM_USER LC_PAM_SESSION_ID

or just 

AcceptEnv LC_*
info

To allow the execution of the pamsu command, you must enable the Allow run pamsu option in the SSH section in the policy.

Axidian Privilege Agent

Install Axidian Privilege Agent on the resource to enable text logging of RDP sessions.

Install the Axidian.Privilege.AgentService when the resource hosts multiple concurrent RDP sessions. The service starts automatically when connecting to the resource and prevents high CPU load.

  1. Go to the path [AxidianPAM distribution]\axidian-pam-tools\agent
  2. Copy the installation packages for the Axidian.Privilege.Agent and the Axidian.Privilege.AgentService to the resource.
  3. Install the agent and service on the resource.
  4. Reboot the resource.
caution

Please make sure that no third-party software is blocking the Agent's work. Axidian Privilege Windows Agent (Pam.Proxy.WindowsAgent.exe) process will start automatically when new session starts on the resource.

If the agent on the Resource is not installed and Save text logs option is enabled in the policy, the user session will be aborted automatically in a minute.

Axidian Privilege Desktop Console

Configuring for Domain Computers

  1. Copy the contents of the axidian-pam-tools\desktop-console\PolicyDefinitions folder on the domain controller to the C:\Windows\sysvol\domain\policies\PolicyDefinitions folder.
  2. On the domain controller, start the Group Policy Management Console snap-in.
  3. Select the required GPO, go to the section Computer Configuration\Policies\Administrative Templates\Axidian Privilege\General\.
  4. Set Enable and fill in Axidian Privilege connection settings. Specify the following URLs: https://<your_FQDN>/core and https://<your_FQDN>/idp.
  5. Update group policies on user's computer.

Configuring for Computers to which Domain Policies are not Applied

  1. Copy the contents of the axidian-pam-tools\desktop-console\PolicyDefinitions folder to the C:\Windows\PolicyDefinitions.
  2. Start local group policy editor gpedit.msc.
  3. Go to the section Computer Configuration\Policies\Administrative Templates\Axidian Privilege\General\.
  4. Set Enable and fill in Axidian Privilege connection settings. Specify the following URLs: https://<your_FQDN>/core and https://<your_FQDN>/idp.

Writing Events to Syslog

The Syslog server is used for integration with a SIEM system and serves as a unified data storage for PAM event records and/or text session logs. Data is updated in real time: during an active remote connection, not after its completion.

To send Event log records to a Syslog server, configure the configuration files according to the instructions below.
Sending text session logs to a Syslog server is configured in the Configuration section.

  1. Go to the C:\inetpub\wwwroot\ls\targetConfigs folder, create a copy of the sampleSyslog.config file and rename it to Pam.Syslog.config, then edit the <Settings> … </Settings> according to the information below:

    • HostName — Syslog server name 
    • Port — Syslog port number 
    • Protocol — Syslog connection type: TCPoverTLS, TCP, UDP
    • Format — logging format: Plain, CEF, LEEF
    • SyslogVersion — select syslog protocol: RFC3164, RFC5424

    C:\inetpub\wwwroot\ls\targetConfigs
    <Settings HostName="localhost" Port="5081" Protocol="TCP" Format="CEF" SyslogVersion="RFC3164" />

  2. In the C:\inetpub\wwwroot\ls\clientApps.config file edit pam section for work with the Pam.Syslog.config file. Add a new TargetId for the WriteTarget:

    C:\inetpub\wwwroot\ls\clientApps.config
    <Application Id="pam" SchemaId="Pam.Schema">
      <ReadTargetId>Pam.TargetDb</ReadTargetId>
      <WriteTargets>
        <TargetId>Pam.TargetDb</TargetId>
        <TargetId>Pam.Syslog</TargetId>
      </WriteTargets>
      <AccessControl>
        <!--<CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" />-->
      </AccessControl>
    </Application>

  3. In in the same file, in the Targets section add a new element, it should be the same as the configuration file name without extension:

    C:\inetpub\wwwroot\ls\clientApps.config
    <Targets>
      ...
      <Target Id="Pam.TargetDb" Type="mssql"/>
      <Target Id="Pam.Syslog" Type="syslog"/>
    </Targets>

    In Target Id="Pam.TargetDb" specify Type depending on the database you are using: mssql or pgsql.