Symantec Privileged Access Management

  • 1.  Privileged accounts auto discovery

    Posted May 29, 2018 11:47 PM

    Hi,

    In PAM, do we have the feature of auto discovery of privileged accounts from target machines (on OS-level accounts)?

    Thanks

    Dina



  • 2.  Re: Privileged accounts auto discovery
    Best Answer

    Broadcom Employee
    Posted May 30, 2018 09:28 AM

    Hi Dina, PAM supports discovery of Linux, UNIX, Active Directory, local Windows (using Windows Proxy or Windows Remote), and LDAP accounts. See https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-credential-manager-targets/account-discovery for details.



  • 3.  Re: Privileged accounts auto discovery

    Posted Jun 06, 2018 08:06 AM

    Hi Ralf,

    I am trying to discover the accounts used in a Windows server (local accounts). I already created an admin user on this server and configured this user-to-device account mapping in PAM. But when I do discovery, there are no privileged accounts discovered.

    But there are 4 users in the servers.

    Kindly let me know if I am missing something.

    Thanks

    Dina



  • 4.  Re: Privileged accounts auto discovery

    Posted Jun 06, 2018 08:29 AM

    Which version of PAM do you have? If I am correct, Windows local account discovery is included from some version of 3.0.



  • 5.  Re: Privileged accounts auto discovery

    Posted Jun 06, 2018 12:10 PM

    Hi Asif,

    We are using 3.1.1. Can you kindly help us with how this can be configured?

    Or any documentation with the detailed steps?

    Thanks

    Dina



  • 6.  Re: Privileged accounts auto discovery

    Posted Jun 10, 2018 07:13 AM

    Hi Raif,

    Scan profile1:

    I have set up accounts discovery for a Linux server. I ran it once and after a few seconds it shows as completed.

    On the scan profile discovery page, for this discovery profile PAM shows 0-0-0-0-0 for all accounts.

    I clicked on the "Discovered"-0 link, and it opens a pop-up window showing the scan results.

    In that I chose the Logs tab, and I can see the below:

    PAM-CM-0391: Account Discovery Started

    PAM-CM-0392: Account Discovery found account root

     

    As per my understanding, it has discovered the root account, so the count should be 1.

    Scan profile2:

    I set up another scan profile for another server. From the logs I see the below.

    PAM-CM-0391: Account Discovery Started
    PAM-CM-0370: Invalid discovery response from device reflexgwtapp1 for file /home/hendriksim/.ssh/authorized_keys; expected embedded key but instead received #### key file: /home/khudihan/.ssh/authorized_keys
    PAM-CM-0370: Invalid discovery response from device reflexgwtapp1 for file /home/hendriksim/.ssh/authorized_keys; expected embedded key but instead received #### time stamp: 2015-04-10T00:23:10+0700
    PAM-CM-0370: Invalid discovery response from device reflexgwtapp1 for file /home/hendriksim/.ssh/authorized_keys; expected embedded key but instead received #### embedded keys:
    PAM-CM-0363: No discovery credentials with sufficient permissions available for application premiumdapp1. Discovery unsuccessful.
    PAM-CM-0392: Account Discovery found account root

     

    It shows 0 accounts in the history.

    Can you please help to troubleshoot this issue?

    Thanks

    Dina



  • 7.  Re: Privileged accounts auto discovery

    Broadcom Employee
    Posted Jun 11, 2018 09:03 PM

    Hi Dina, I agree that the scan should have come back with at least one discovered user. The scan may have run into an error later on. This is not the right forum for troubleshooting. Please open a support case so we can investigate the problem in detail.