Wallix AdminBastion 3.1 - Administration Guide

Posted on 18-Oct-2015

Table of Contents

1. Introduction
   1.1. Preamble
   1.2. Copyright, Licences
   1.3. Legend
   1.4. About this document
2. Concepts
   2.1. General information
   2.2. Positioning of the WAB in the network infrastructure
   2.3. The concept of WAB ACLs
   2.4. Roll-out
3. Administration interface
   3.1. Initial logon
   3.2. Menu tree structure
   3.3. My preferences
   3.4. My authorisations
   3.5. WAB audit
      3.5.1. Current connections
      3.5.2. View sessions in real time
      3.5.3. Connection history
      3.5.4. View session recording
      3.5.5. Authentication history
      3.5.6. Connection statistics
   3.6. System audit
      3.6.1. System status
      3.6.2. System logs
   3.7. Users
      3.7.1. Accounts
      3.7.2. Groups (of users)
      3.7.3. Import (users)
   3.8. Resources and accounts
      3.8.1. Devices
      3.8.2. Target accounts
      3.8.3. Device admin credentials
      3.8.4. Groups (of target accounts)
      3.8.5. Authentication mechanisms
      3.8.6. Import (target devices and target accounts)
   3.9. Manage authorisations
      3.9.1. Add an authorisation
      3.9.2. Delete an authorisation
      3.9.3. Import authorisations from CSV
   3.10. User profiles
      3.10.1. Default profiles
      3.10.2. Add a user profile
      3.10.3. Edit a user profile
      3.10.4. Delete a user profile
   3.11. WAB configuration
      3.11.1. Time frames
      3.11.2. External authentications
      3.11.3. Notifications
      3.11.4. Password policy
      3.11.5. Secondary passwords
      3.11.6. Logon settings
   3.12. System configuration
      3.12.1. Network
      3.12.2. Time service
      3.12.3. Remote storage
      3.12.4. Syslog
      3.12.5. SNMP
      3.12.6. SMTP
      3.12.7. Licence
   3.13. Back-up/Restore
4. Operation
   4.1. Using the command line to connect to the WAB
   4.2. Exporting audit data
   4.3. Back-up/Restore from the command line
   4.4. Configuring automatic back-up
   4.5. Rights engine: operating limitations
   4.6. SSH flows analysis / Pattern detection
   4.7. TELNET connection scenario
   4.8. Resolving common problems
      4.8.1. Restoring the factory 'admin' account
      4.8.2. Resetting the device
5. Data encryption
6. Compatibility
7. Limits
8. Definitions

  • Wallix AdminBastion 3.1 - Administration Guide

    v

List of Figures

2.1. Wallix AdminBastion in the network infrastructure
3.1. WAB logon screen
3.2. WAB home page (administrator profile)
3.3. 'My preferences' page
3.4. User's authorisations
3.5. Close an SSH connection
3.6. View RDP sessions in real time
3.7. Connection history
3.8. Connection history filters
3.9. View an RDP recording with OCR
3.10. Authentication history
3.11. Connection statistics
3.12. Sample statistical graph
3.13. System status
3.14. List of users
3.15. Add user form
3.16. Delete users
3.17. List of devices accessible by a user
3.18. List of user groups
3.19. Add user group form
3.20. List of users in a group
3.21. Import users page
3.22. Summary of user import from a CSV file
3.23. Import users from a directory
3.24. List of target devices
3.25. Add device form
3.26. List of all target accounts for a device
3.27. List of target accounts for a service
3.28. Add target account form
3.29. Device admin credentials
3.30. Admin credentials on a Linux/Unix device
3.31. Admin credentials on a Windows device
3.32. Admin credentials on a Cisco device
3.33. List of target account groups
3.34. Add a target account group form
3.35. Authentication mechanisms
3.36. List of authorisations
3.37. Add authorisation form
3.38. Add user profile form
3.39. List of time frames
3.40. Add time frame form
3.41. Add LDAP authentication form
3.42. Add notification form
3.43. 'Password policy' page
3.44. 'Secondary password' page
3.45. 'Secondary password' page
3.46. 'Logon settings' page
3.47. Network configuration
3.48. Time service configuration
3.49. Configuring remote storage
3.50. Configuring syslog routing
3.51. Configuring the SNMP agent
3.52. SMTP service configuration
3.53. Managing the licence
3.54. 'Back-up/Restore' page


Chapter 1. Introduction

1.1. Preamble

Thank you for choosing Wallix AdminBastion, also called WAB.

WAB is marketed in the form of a dedicated, ready-to-use server or as a virtual device for the VMware ESX 4.x and 5.x environments.

This product has been engineered with the greatest of care by our teams at Wallix and we trust that it will deliver complete satisfaction.

1.2. Copyright, Licences

This document is the property of Wallix and may not be reproduced without its prior consent.

All the product or company names mentioned herein are the registered trademarks of their respective owners.

Wallix AdminBastion is subject to the Wallix software licence contract.

Wallix AdminBastion is based on free software. The list and source code of GPL and LGPL licenced software used by Wallix AdminBastion are available from Wallix. Please send your request by email to: [email protected] or in writing to:

Wallix
Service Support
118, rue de Tocqueville
75017 Paris
France

1.3. Legend

prompt $ command to input
command output
on one or more lines
prompt $

1.4. About this document

This is the Administration Guide for the Wallix AdminBastion 3.1. Use it to configure the WAB prior to roll-out, and also for its administration and operation day to day.

Wallix provides dedicated guides covering the configuration and use of the WAB for the following functionalities:

- Administration console
- X509 authentication
- HA (High Availability)

With in addition:

- a Quick Start Guide
- a User Guide


Chapter 2. Concepts

2.1. General information

WAB has been developed for the technical teams that administer IT infrastructure (servers, network and security devices, etc.). It is designed to meet the access control and traceability needs of system administrators.

Wallix AdminBastion features access control lists (ACLs) and traceability functions. It constitutes a security buffer for administrators who wish to log on to devices, by:

- checking the authentication details provided by the user
- checking their access rights for the resource in question

The WAB also allows you to automate logons to target devices, which enhances the security of the information system by preventing disclosure of the target servers' authentication details: the user authenticates to the WAB and never handles the target account's password.

Protocols currently supported are:

- SSH (and its sub-systems)
- Telnet, Rlogin
- RDP and VNC in the user domain
- HTTP and HTTPS

The WAB has a graphic Web interface, validated using Firefox 3, Internet Explorer 7 and Internet Explorer 8, to monitor activity and connections and to configure its component parts.

2.2. Positioning of the WAB in the network infrastructure

    AdminBastion is positioned between a low trust domain and a high trust domain.

    The high trust domain is represented by the devices isolated by the AdminBastion.

    These devices and their related accounts are called 'target accounts' in WAB terminology.

The low trust domain is represented by the population with direct access to the Bastion:

- the company's personnel
- the Internet zone

For users of the solution, access to the target accounts (high trust domain) is only possible through the WAB.


    Figure 2.1. Wallix AdminBastion in the network infrastructure

2.3. The concept of WAB ACLs

Wallix AdminBastion features an advanced rights management engine to determine who has access to what, when and with which protocol(s). These ACLs consist of the following objects:

- users: i.e. physical users of the AdminBastion
- user groups: sets of users
- devices: i.e. physical or virtualised devices to which access is requested via the AdminBastion
- target accounts: the accounts declared on a device
- target account groups: a set of target accounts

In the WAB, access to a target account by a user depends on an authorisation profile. Authorisations are declared between a group of users and a group of target accounts (which means that each target account must belong to a target account group, and that each user must belong to a user group). The authorisation allows users in group X to access target accounts in group Y, via protocols A, B, or C.

Further entities are attached to these primary entities, allowing you to define:

- connection time frames
- criticality of access to target resources
- whether the session is recorded or not
- the type of user authentication procedure

You can also define a number of different WAB administrator profiles, with rights limited, for example, to audit, adding users, system administration, authorisations, etc.
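The authorisation model described in this section, worked through as an added example (Python written for this edit, not part of the Wallix product or of this guide): a user and a target account are only reachable through their groups, an authorisation joins one user group to one target account group for a set of protocols, and a time frame can further restrict it. All user names, group names, target accounts and the office-hours time frame below are constructed; the account@device:service notation follows the audit pages of Chapter 3.

```python
"""Toy rights engine modelling the WAB ACL objects of Section 2.3.

Added example, not Wallix code. Users, groups, target accounts, authorisations
and the time frame are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class TargetAccount:
    account: str    # e.g. "root"
    device: str     # e.g. "web01"
    service: str    # destination protocol on the device, e.g. "ssh"

    @classmethod
    def parse(cls, text: str) -> "TargetAccount":
        """Parse the account@device:service notation used in the WAB audit pages."""
        account, rest = text.split("@", 1)
        device, service = rest.rsplit(":", 1)
        return cls(account, device, service)


@dataclass(frozen=True)
class TimeFrame:
    """Weekly window: allowed weekdays (Monday=0) and a [start, end) time of day."""
    weekdays: FrozenSet[int]
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Authorisation:
    user_group: str
    target_group: str
    protocols: FrozenSet[str]           # source protocols the user may use
    time_frame: Optional[TimeFrame]     # None means no time restriction
    record_session: bool
    critical: bool


# Constructed inventory (hypothetical names).
USER_GROUPS: Dict[str, Set[str]] = {
    "unix-admins": {"alice", "bob"},
    "dba": {"carol"},
}
TARGET_GROUPS: Dict[str, Set[TargetAccount]] = {
    "prod-linux": {TargetAccount.parse("root@web01:ssh"), TargetAccount.parse("root@web02:ssh")},
    "prod-db": {TargetAccount.parse("oracle@db01:ssh"), TargetAccount.parse("Administrator@dbwin:rdp")},
}
OFFICE_HOURS = TimeFrame(frozenset(range(5)), time(8, 0), time(19, 0))  # Mon-Fri 08:00-19:00
AUTHORISATIONS: List[Authorisation] = [
    Authorisation("unix-admins", "prod-linux", frozenset({"ssh"}), None, True, False),
    Authorisation("dba", "prod-db", frozenset({"ssh", "rdp"}), OFFICE_HOURS, True, True),
]


def check_access(user: str, target: str, protocol: str, when: datetime) -> Tuple[bool, str]:
    """Decide whether `user` may open `target` (account@device:service) over `protocol` at `when`.

    Returns (allowed, reason). A user or target outside any group can never match;
    otherwise the denial reason is the most specific one met while scanning the
    authorisations (wrong protocol, or outside the time frame).
    """
    wanted = TargetAccount.parse(target)
    user_groups = {g for g, members in USER_GROUPS.items() if user in members}
    target_groups = {g for g, members in TARGET_GROUPS.items() if wanted in members}
    if not user_groups:
        return False, "user belongs to no user group"
    if not target_groups:
        return False, "target account belongs to no target account group"

    reason = "no authorisation between the user's groups and the target's groups"
    for auth in AUTHORISATIONS:
        if auth.user_group not in user_groups or auth.target_group not in target_groups:
            continue
        if protocol not in auth.protocols:
            reason = f"protocol {protocol} not allowed by authorisation {auth.user_group}->{auth.target_group}"
            continue
        if auth.time_frame is not None and not auth.time_frame.contains(when):
            reason = "outside the authorisation's time frame"
            continue
        flags = []
        if auth.record_session:
            flags.append("recorded")
        if auth.critical:
            flags.append("critical")
        return True, "allowed" + (" (" + ", ".join(flags) + ")" if flags else "")
    return False, reason


if __name__ == "__main__":
    tuesday = datetime(2015, 10, 6, 10, 30)
    for who, what, proto in [("alice", "root@web01:ssh", "ssh"), ("carol", "oracle@db01:ssh", "ssh"),
                             ("bob", "root@web02:ssh", "rdp"), ("dave", "root@web01:ssh", "ssh")]:
        print(who, what, proto, check_access(who, what, proto, tuesday))
```

The order of checks mirrors the roll-out questions of Section 2.4: membership first (a user or account in no group is invisible to the engine), then the protocol list, then the time frame; the flags returned with an allow decision are what the real WAB uses to decide recording and criticality of the session.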

2.4. Roll-out

The WAB includes a set of import tools to facilitate roll-out.

However, to ensure the WAB is commissioned successfully, we recommend inventorying:

- the roles of users who must have access to the target accounts
- the roles of users who must administer the target accounts
- the target devices and target accounts to be accessed through the WAB

You must be able to answer the following questions for each user:

- does this user have the right to administer the solution, and if so, which rights should be assigned to him or her?
- does this user need to access target accounts?
- when does the user have the right to log on?
- can s/he access critical resources?

You must be able to answer the following questions for each target account:

- is this target account or device critical?
- should user sessions on this account be recorded?
- what protocol(s) can be used to access this target account or device?


Chapter 3. Administration interface

3.1. Initial logon

To access the Web administration interface, enter the following URL into your browser:

https://wab_ip_address

Note:

Your browser must be configured to accept cookies and run JavaScript.

The WAB comes with a factory-set 'admin' account as standard (password 'admin'). Until this password is changed, anyone who can reach the HTTPS interface can administer the bastion, so change it at the first logon (see Section 3.3, My preferences).

    Figure 3.1. WAB logon screen

    After you have logged on successfully, the following page is displayed.


Figure 3.2. WAB home page (administrator profile)

On this page you have:

- a header containing: the language selection, the name of the user who is logged on and the logout link
- a footer with the copyright notice
- a side menu from which you can access all the WAB administration functions
- a working area

In the interests of security, we recommend changing the 'admin' password on first login (see Section 3.3, My preferences).

3.2. Menu tree structure

My preferences: Change user preferences
My authorisations: Display a user's authorisations and shortcuts to access resources

WAB audit
- Current connections: List connections and log them out
- Connection history: List of closed connections
- Authentication history: Primary authentication history
- Connection statistics: Generate connection statistics graphs

System audit
- System status: View system status
- System logs: Content of the local file /var/log/syslog
- System authentications: Content of the local file /var/log/auth.log
- Start-up messages: Content of the local file /var/log/messages

Users
- Accounts: Manage WAB users
- Groups: Manage WAB user groups
- Import: Import users (CSV file and LDAP directory)

Devices & accounts
- Devices: Manage target devices
- Accounts: Manage target accounts
- Groups: Manage target account groups
- Device admin authentication details: Manage password changes
- Authentication mechanisms: Define authentication systems
- Import: Import target devices and accounts (CSV file)

Authorisations
- Manage authorisations: Manage authorisations between target account groups and user groups
- Import: Import authorisations (CSV file)

User profiles
- Manage user profiles: Define user profiles
- Import: Import user profiles (CSV file)

WAB configuration
- Time frames: Manage time frames
- External authentications: Manage external authentication methods (LDAP/LDAPS, Active Directory, Kerberos, Radius)
- Notifications: Manage the notification mechanism
- Password policy: Manage the local password policy
- Secondary passwords: Configure the policy for changing remote passwords
- Logon settings: Settings for banners displayed when a user logs on to proxies
- X509 settings: Configure revocation lists for the X509 certificate authentication option

System configuration
- Network: Configure network settings
- Time service: Time service settings (NTP)
- Remote storage: Manage remote storage of session recordings
- Syslog: Manage routing via Syslog
- SNMP: Manage the SNMP agent
- SMTP server: Configure the server for sending emails
- Licence: Display and update licence key
- Encryption: Start encryption protection
- Save/Restore: Save and restore the WAB configuration


3.3. My preferences

This sub-menu contains the settings that can be changed by a user. All users have access to this page, regardless of their administration rights. Here users can:

- change their password (only if the user has been declared locally)
- upload an SSH public key
- change their email address

Figure 3.3. 'My preferences' page

3.4. My authorisations

This menu displays the list of accessible devices. To access target accounts via RDP, click the icon to download the linked RDP file (to open the Microsoft RDP client directly). For access to HTTP/HTTPS, an icon gives direct access to the resources via the Web user interface.


    Figure 3.4. User's authorisations

3.5. WAB audit

3.5.1. Current connections

This page lists the active connections made via the WAB for the SSH, RDP and HTTPS proxies; for the HTTPS proxy, the active sessions going through the WAB are listed. Active sessions on the Web user interface itself are not shown.

Note:

In the remainder of this Guide, the generic term connection will be used for SSH and RDP connections, and also for HTTPS sessions.

For each of these connections, the WAB shows the following information:

- the user, in the form user@machine(ip)
- the source protocol (RDP, SSH or HTTPS)
- the destination protocol
- the target accessed (in the form account@target:service)
- the connection start time
- the connection duration

You can also terminate one or more connections. In the case of the SSH and RDP proxies, users are then informed that an administrator has terminated the connection. In the case of HTTPS, the session is closed.

    Figure 3.5. Close an SSH connection

    Note:

The page displaying the current connections is refreshed regularly. To stop the refresh, use the prompt at the top of the page. This feature is particularly useful when selecting the active connections to terminate.

3.5.2. View sessions in real time

A magnifying glass icon may appear next to items in the list of current connections. Click this icon to open a tab to view the RDP or SSH session in real time. Click a second time to close the tab.


    Figure 3.6. View RDP sessions in real time

3.5.3. Connection history

This page shows the history of all connections made through the WAB. This view shows only the closed connections (see Section 3.5.1, Current connections for the current connections).


    Figure 3.7. Connection history

Each record provides:

- the user name and source IP for the connection (i.e. name@ipsource)
- the target accessed (in the form account@target:service)
- the source protocol
- the destination protocol
- the connection start time
- the connection end time
- the connection duration
- the status

Note:

The connection status shows you whether there was a problem connecting to the target account (for example, wrong password, target resource not available, etc.).

Filters can also be applied to the records to facilitate searches. The filters available are:

- by time, based on: the last N days, or a date range
- by occurrence in the columns.


    Figure 3.8. Connection history filters

    Note:

Only the last 1,000 records are displayed in the Web user interface. The occurrence filter is applied to these 1,000 records. Older sessions can only be retrieved through the date range filter.

3.5.4. View session recording

Three icons may appear next to items in the history report: a diskette, a text document and a magnifying glass, respectively.

Click the diskette icon to download an SSH session recording in unprocessed ttyrec format.

To download the visible content of an SSH session in flat text format, click the text icon.

The magnifying glass icon directs you to the page to view session recordings. For an RDP session, the first page allows you to select the video quality level and whether or not to generate OCR data. If the OCR option is enabled, the titles of applications detected in the film by the OCR module will be shown under the film. Click in this list or the thumbnails to browse quickly through the film.

The RDP page also contains a diskette icon, which you can use to download the entire film in the quality you selected for viewing.


    Figure 3.9. View an RDP recording with OCR

3.5.5. Authentication history

This page lists the authentication attempts on the proxy's RDP and SSH interfaces (ports 3389 and 22, respectively). This section does not cover logins to the HTTPS proxy.

Each record provides:

- the event date
- the user name provided (WAB user name)
- the source IP address
- the login result
- the result diagnostic

The login result can be 'SUCCESS' or 'FAILURE' depending on whether the authentication to the AdminBastion was successful or failed. More detail is provided in the Diagnostic column.


    This page uses the same filters as the connection history. The same limitations on the number of results displayed also apply.

    Figure 3.10. Authentication history


    3.5.6. Connection statistics

    Figure 3.11. Connection statistics

    This module provides statistical information on connections made through the WAB for a given period of time.

    This period may be a date range or a number of days before the current date.

    The statistical report displays:

    • the number of secondary connections per device
    • the number of secondary connections per target account
    • the number of primary connections per user
    • the number of secondary connections per user
    • secondary connections by duration
    • total secondary connection time per user
    • secondary connections by date

    All data in these statistical reports can be downloaded as a CSV file.

    Statistical reports can also be sent out on a regular basis (see Section 3.11.3, Notifications).


    Figure 3.12. Sample statistical graph

    3.6. System audit

    The WAB system information is shown under this menu, i.e. the WAB:

    • status
    • logs

    The 'System configuration' menu is used to configure the system (see Section 3.12, System configuration).

    3.6.1. System status

    This tab shows general system information, including:

    • the number of current connections
    • RAM usage rate
    • SWAP usage rate


    • available space on the /var partition (where the session recordings are saved)

    Figure 3.13. System status

    Note:

    The RAM usage rate does not show buffer systems.

    3.6.2. System logs

    You can view and save system logs from the Web user interface. The WAB displays three system logs:

    • 'syslog' in the 'System logs' menu. This log shows the majority of messages on proxy operation or the use of the administration interface.
    • 'auth.log' in the 'System authentication' menu. This log shows the direct connections to the WAB as the Unix server. Authentications on the administration interface or proxies are shown in 'syslog' and not in this log.
    • the 'dmesg' system start log in the 'Start-up message' menu.

    3.7. Users

    Use this menu to create/import Wallix AdminBastion users/administrators.


    You can also configure the user groups to which the authorisations apply (see Section 3.9, Manage authorisations).

    3.7.1. Accounts

    Use this page to:

    • list user accounts
    • add/edit/delete a user account
    • see the devices a user is authorised to access

    You can also filter the table displayed. The filter is applied to all users (and not just the page currently displayed).

    Figure 3.14. List of users

    10 results are displayed per page by default. Use the navigation menu to browse through the pages and change the number of results displayed per page.

    3.7.1.1. Add a user

    From this page listing the users, click the 'Add user' icon to go to the Add user page.


    The add user form consists of the following:

    • the user name, used to log on to the Web user interface and proxies
    • a name, used to identify the person to whom the user name belongs
    • an email address
    • a preferred language, used to select the language in which the messages sent to the user from the proxies are displayed
    • a source IP address, used to limit access to the proxies to this IP address or FQDN (this limitation does not concern access to the WUI)
    • a profile, used to define a user's rights (see Section 3.10, User profiles)
    • a list of groups, used to select the groups in which to place the user. You can also add a user to a group in the add/edit page for a group (see Section 3.7.2, Groups (of users))
    • an authentication procedure, which may be different for each user (see Section 3.11.2, External authentications). You can select several procedures to indicate the back-up servers for external authentications (LDAP, RADIUS, etc.)
    • a field to force password change: users will receive a message notifying them that their account has been created and that the password must be changed the first time they log on (see also Section 3.12.6, SMTP)
    • a password: there may be certain requirements regarding the passwords the system will accept (see Section 3.11.4, Password policy); it is not necessary to re-enter this password for authentication other than 'local'
    • an SSH public key


    Figure 3.15. Add user form

    Note:

    The user name cannot be changed after it has been added; however, the password and public key can be changed by the user.

    3.7.1.2. Edit a user

    From the page listing user accounts, click the user's name and then click the 'Change this user' icon to display the Edit user page.

    The fields in this Edit user page are the same as in the Add user page, with one exception: you cannot change the user name.


    Note:

    If the 'password' field is not changed, the user's password is not changed.

    3.7.1.3. Delete a user

    From the page listing the user accounts, check the box at the start of each line to select one or more accounts, then click to delete the list of users selected. The system displays a confirmation dialogue box before permanently deleting the item(s).

    Figure 3.16. Delete users

    3.7.1.4. Accounts accessible by a user

    From the page listing the user accounts, click a name to display the list of devices this user can access.

    Each line shows an authorised access. For each line, the following information is available:

    • target device
    • target account
    • target's actual address


    • protocol(s) used to access this service
    • related time frame

    Figure 3.17. List of devices accessible by a user

    3.7.2. Groups (of users)

    Use this page to:

    • list declared user groups
    • add/edit/delete a group or groups


    • see the members of each group

    Figure 3.18. List of user groups

    3.7.2.1. Add user group

    From the page listing the user groups, click the 'Add group' icon to go to the Add group page.

    The form to create a user group consists of the following:

    • group name
    • description: open text field
    • time frame(s) to apply
    • a list to select the users in the group
    • a list of actions to apply when certain character strings are detected in the upward flow from proxies (see Section 4.6, SSH flows analysis / Pattern detection).

    Note:

    If several time frames are selected, the resulting time frame applied is the combination of these.


    Warning:

    Character string detection is only enabled for data sent by the client to the server and only for SSH, TELNET or RLOGIN connections.

    Figure 3.19. Add user group form

    3.7.2.2. Edit a user group

    From the page listing the user groups, click the group's name and then click the 'Change this group' icon to display the Edit user group page.

    The fields in this Edit user group page are the same as in the Add user group page, with one exception: you cannot change the name of the user group.

    3.7.2.3. Delete a user group or groups

    From the page listing the user groups, check the box at the start of each line to select one or more groups, then click to delete the list of groups selected. The system displays a confirmation dialogue box before permanently deleting the item(s).


    3.7.2.4. User group members

    From the page listing the user groups, click a group's name to display the list of users in this group.

    Figure 3.20. List of users in a group

    3.7.3. Import (users)

    You can import users from:

    • a company directory (directories supported are: LDAP/LDAPS/AD), or
    • a CSV file.


    Figure 3.21. Import users page

    3.7.3.1. Import users from CSV

    A CSV file can be used to populate the WAB user database. The field separators can be configured.

    The file must start with a line containing the following tag:

    #wab31

    Warning:

    If this tag is not present, the file format must follow WAB version 3.0 conventions (not described in this document). This keeps compatibility with files created for earlier versions of WAB.

    Each subsequent line must be formed as follows:

    Field            Type      R(equired)/O(ptional)   Possible values             Default value
    User name        Text      R                       [aA-zZ], [0-9], '-', '_'    n/a
    User group       Text      O                       [aA-zZ], [0-9], '-', '_'    n/a
    Actual name      Text      O                       Free text                   n/a
    Source IP        IP/FQDN   O                       [aA-zZ], [0-9], '-', '_'    n/a
    Profile          Text      R                       Profiles defined            n/a
    Authentication   Text      R                       Authentications defined     n/a
    SSH public key   Text      O                       [aA-zZ], [0-9], '-', '_'    n/a
    Password         Text      R/O                     Free text                   n/a

    Note:

    The password is required if the authentication is defined as 'local'.

    Note:

    If the user group doesn't exist, it is created with the default time frame set as 'allthetime'.

    Example:

    #wab31
    martin;linuxadmins;Pierre Martin;;user;local;;jMpdu9/x2z

    After you have imported the CSV file, a summary report similar to the example below is displayed.

    Figure 3.22. Summary of user import from a CSV file


    The report contains:

    • the import date and time
    • the total number of lines read in the file
    • the number of lines compliant with the syntax
    • the number of users actually created in the WAB's internal database
    • the number of lines rejected

    An error message is sent for each line rejected.
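    The validator below is an added example, not code from the Wallix product. It follows the field table above (user name, user group, actual name, source IP, profile, authentication, SSH public key, password), the '#wab31' header tag, the configurable separator and the rule that a password is required for 'local' authentication, and it returns the figures of the summary report just described. The profile names are the default profiles of Section 3.10.1; the authentication name 'ldap_corp' and every sample line except the guide's 'martin' line are constructed for this example.

```python
"""Validator for the '#wab31' user-import CSV format (added example, not Wallix code)."""
import re
from datetime import datetime

FIELDS = ["user_name", "user_group", "actual_name", "source_ip",
          "profile", "authentication", "ssh_public_key", "password"]
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # the guide's [aA-zZ], [0-9], '-', '_'
DEFAULT_PROFILES = {"user", "auditor", "WAB_Administrator",
                    "system_administrator", "disabled"}
SAMPLE_AUTHENTICATIONS = {"local", "ldap_corp"}   # 'ldap_corp' is a constructed name


def parse_user_line(line, separator, profiles, authentications):
    """Return (record, None) for a syntactically valid line, else (None, reason)."""
    parts = [p.strip() for p in line.split(separator)]
    if len(parts) != len(FIELDS):
        return None, f"expected {len(FIELDS)} fields, got {len(parts)}"
    rec = dict(zip(FIELDS, parts))
    if not NAME_RE.match(rec["user_name"]):
        return None, f"invalid user name {rec['user_name']!r}"
    if rec["user_group"] and not NAME_RE.match(rec["user_group"]):
        return None, f"invalid user group {rec['user_group']!r}"
    if rec["profile"] not in profiles:
        return None, f"unknown profile {rec['profile']!r}"
    if rec["authentication"] not in authentications:
        return None, f"unknown authentication {rec['authentication']!r}"
    if rec["authentication"] == "local" and not rec["password"]:
        return None, "password is required for 'local' authentication"
    return rec, None


def import_users(text, separator=";", profiles=DEFAULT_PROFILES,
                 authentications=SAMPLE_AUTHENTICATIONS, existing_users=()):
    """Parse a whole file and build the summary report the guide describes.

    'compliant' counts syntactically valid lines and 'created' the users actually
    added: a valid line naming an existing user is compliant but still rejected.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#wab31":
        raise ValueError("missing #wab31 tag: file is in the 3.0 format")
    users = set(existing_users)
    report = {"date": datetime.now().isoformat(timespec="seconds"),
              "lines_read": 0, "compliant": 0, "created": 0,
              "rejected": 0, "errors": []}
    for number, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue                      # blank lines are ignored, not counted
        report["lines_read"] += 1
        rec, reason = parse_user_line(line, separator, profiles, authentications)
        if reason is None:
            report["compliant"] += 1
            if rec["user_name"] in users:
                reason = f"user {rec['user_name']!r} already exists"
        if reason is not None:
            report["rejected"] += 1
            report["errors"].append(f"line {number}: {reason}")   # one message per rejected line
            continue
        users.add(rec["user_name"])
        report["created"] += 1
    return report


# constructed sample: the guide's line, a valid LDAP user, a duplicate,
# a local user without a password and a user name with a space
SAMPLE_CSV = """#wab31
martin;linuxadmins;Pierre Martin;;user;local;;jMpdu9/x2z
durand;linuxadmins;Anne Durand;10.0.0.5;auditor;ldap_corp;;
martin;linuxadmins;Pierre Martin;;user;local;;jMpdu9/x2z
dupont;;Jean Dupont;;user;local;;
bad name;linuxadmins;;;user;local;;x
"""

if __name__ == "__main__":
    for key, value in import_users(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

    Running the block on the sample yields 5 lines read, 3 compliant, 2 created and 3 rejected, which shows why the report carries both a "compliant" and a "created" figure.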

    3.7.3.2. Import users from an LDAP/LDAPS/AD directory

    User data stored in a remote directory can be used to populate the WAB's internal LDAP database.

    For each directory, you must know:

    • the type of server, its address and connection port
    • the organisational unit
    • the connection attribute, which is the user data that will be used for the WAB user name
    • the user name and password if read access to the directory is restricted (mandatory for an AD)

    Note:

    The user name and password used to log on must have read rights for the path in which the user data is stored.

    If the import is successful, the system opens a new page with the list of users extracted from the directory.

    Next, import each user and assign:

    • a user group
    • an authentication
    • a user profile

    Note:

    If you want the imported users to be authenticated against the directory used for the import, you must first create the authentication method (see also Section 3.11.2.1, Add an external authentication).


    Figure 3.23. Import users from a directory

    3.8. Resources and accounts

    You can use this menu to create/import devices and accounts that can be accessed from the AdminBastion and to define target account groups.

    3.8.1. Devices

    This page lists all recorded devices. You can add, edit or delete devices from this page.


    Figure 3.24. List of target devices

    3.8.1.1. Add a target device

    From the page listing the devices, click the 'Add device' icon to go to the Add device page.


    Figure 3.25. Add device form

    The form to create a device consists of the following:

    • the device name: this is the name users will use to access the device. It can be unrelated to the machine's DNS name.

    • an alias: equivalent to the option to assign a second name to a device

      For a HTTPS resource, the alias field can be used to specify another host name for the resource. E.g.: if the resource 'www.monsite.com' is also known under the name 'www.monsite.org', it can be configured by putting the first name in the 'Resource' field and the second in the 'Alias' field.

    • a network address (IP or FQDN)
    • an SSH key fingerprint, which is automatically entered when a device is accessed in SSH
    • a description
    • the list of services that can be accessed on this device

    The list of services consists of the following information:

    • the service name: this is the name users will use to access the service. The name can be unrelated to the protocol name and the port number

    • a protocol (the default port is given in parentheses)
    • a list of sub-protocols supported, for SSH


    • an authentication mechanism, used by HTTP(S), TELNET and RLOGIN

    Enter the text input line and click the icon on the right to add this service.

    Click on the right of a line to delete that service.

    The authentication mechanism must be specified in the following cases:

    • access to a device in TELNET: select a connection scenario you have previously defined (see also Section 4.7, TELNET connection scenario)
    • access to a HTTP(S) device using HTTP authentication: select the HTTP(S)_BASIC or HTTP(S)_DIGEST mechanism according to the authentication mode required by the server
    • access to a HTTP(S) device using HTML form authentication: select the predefined mechanism for your target application, if it is supported, or the generic HTTP_SIMPLE_FORM, if your application uses a simple form (containing only the Login and Password fields in static HTML).

    3.8.1.2. Edit a target device

    From the page listing the target devices, click the device name and then click the 'Change this device' icon to display the Edit target device page.

    The fields in this Edit target device page are the same as in the Add device page, with one exception: you cannot change the name of the device.

    3.8.1.3. Delete a target device

    From the page listing the target devices, check the box at the start of each line to select one or more devices, then click to delete the items selected. The system displays a confirmation dialogue box before permanently deleting the item(s).

    Note:

    You cannot delete a target device if there are target accounts declared on it.

    3.8.2. Target accounts

    From this page, you can list the declared devices, the services available on them and the target accounts declared on each. Click one of the "All accounts" links to display all the target accounts for the device, for all services.


    Figure 3.26. List of all target accounts for a device

    Click the name of a service for each device to display the list of accounts declared for the service. You can then add or edit one or more accounts.

    Click the account name to access the Edit target accounts page. Click "Add account" to go to the page to add target accounts.


    Figure 3.27. List of target accounts for a service

    3.8.2.1. Add a target account

    From the list of target accounts linked to a service, click "Add account" to display the Add target account form.

    The form consists of the following information:

    • account name: this is the user name of the remote account
    • a description
    • a check box to enable or disable auto logon to the target device
    • a check box to enable or disable automatic authentication transfer by the SSH agent
    • a double field to enter and confirm the password
    • a check box to enable or disable automatic password change

    If "Auto logon" is unchecked, the AdminBastion user trying to access this account must know the password to sign in. It will not be possible to use the SCP and SFTP protocols with this account.

    For an account defined on a HTTP(S) resource, 'Auto logon' must be unchecked if not using authentication with this account.

    If 'Automatic change' is checked, AdminBastion will apply the secondary password policy to this account (see Section 3.11.5, Secondary passwords). The admin credentials for the device must be entered for the AdminBastion to change the password (see Section 3.8.3, Device admin credentials).

    Note:

    See Chapter 5, Data encryption for the data encryption information for storing passwords.


    Figure 3.28. Add target account form

    3.8.2.2. Edit a target account

    The information in this Edit target account form is the same as in the Add form, with one exception:you cannot change the name of the account. Click a declared account name to access this form.

    3.8.2.3. Delete a target account

    Click to delete one or more pre-selected target accounts.

    3.8.3. Device admin credentials

    From this page, click on the right of a device name to display the form to configure the administrator account credentials for account password changes on this device.


    Figure 3.29. Device admin credentials

    The content of the form depends on the type of system selected.

    3.8.3.1. Admin credentials on a Linux/Unix device

    The form consists of the following information:

    • the device name
    • the type of system: Linux/Unix
    • the email addresses of recipients of the notification of password changes, which must have a GPG key configured in the WAB (see Section 3.11.5, Secondary passwords)
    • the minimum length of the passwords generated by the WAB, to comply with the password policy on the target
    • a check box to allow special characters in the passwords generated, to comply with the password policy on the target


    Figure 3.30. Admin credentials on a Linux/Unix device

    3.8.3.2. Admin credentials on a Windows device

    The form consists of the following information:

    • the device name
    • the type of system: Windows
    • the WAB target account used for the administrator logon: the account can be defined in any available service or equipment (see Section 3.8.2, Target accounts), but must have the required administrator rights on the target system
    • the email addresses of recipients of the notification of password changes, which must have a GPG key configured in the WAB (see Section 3.11.5, Secondary passwords)
    • the minimum length of the passwords generated by the WAB, to comply with the password policy on the target
    • a check box to allow special characters in the passwords generated, to comply with the password policy on the target

    Figure 3.31. Admin credentials on a Windows device


    3.8.3.3. Admin credentials on a Cisco device

    The form consists of the following information:

    • the device name
    • the type of system: Cisco
    • the password to raise privilege levels
    • the email addresses of recipients of the notification of password changes, which must have a GPG key configured in the WAB (see Section 3.11.5, Secondary passwords)
    • the minimum length of the passwords generated by the WAB, to comply with the password policy on the target
    • a check box to allow special characters in the passwords generated, to comply with the password policy on the target

    Figure 3.32. Admin credentials on a Cisco device
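    All three device admin credentials forms expose the same two generation knobs, a minimum length and whether special characters are allowed. The generator below is an added example of how such a policy-driven generator is built on a CSPRNG; it is not the WAB's own generator, and the SPECIALS set it uses is an assumption to be narrowed to what a given target's password policy accepts.

```python
"""Policy-driven password generator for automatic target-account password changes
(added example, not the product's generator)."""
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{}:,.?"   # assumed set; restrict it to what the target accepts


def complies(pwd, min_length, allow_specials):
    """Check a candidate against the policy: length, allowed alphabet and one
    character from every class, which is what most target policies demand."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if allow_specials:
        classes.append(SPECIALS)
    allowed = set("".join(classes))
    return (len(pwd) >= min_length and set(pwd) <= allowed
            and all(any(c in cls for c in pwd) for cls in classes))


def generate_password(min_length, allow_specials, length=None):
    """Return a password of 'length' characters (default: the minimum) drawn with
    the secrets module, resampling until every required class is present."""
    length = length or min_length
    if min_length < 8 or length < min_length:
        raise ValueError("length must be at least 8 and not below the configured minimum")
    alphabet = string.ascii_letters + string.digits + (SPECIALS if allow_specials else "")
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if complies(pwd, min_length, allow_specials):
            return pwd


if __name__ == "__main__":
    print(generate_password(12, allow_specials=False))   # Linux/Unix target without specials
    print(generate_password(16, allow_specials=True))    # Windows or Cisco target allowing them
```

    Resampling rather than patching a random string with one character per class keeps the distribution uniform over the set of compliant passwords; with lengths of 12 or more the loop almost always exits on the first or second draw.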

    3.8.4. Groups (of target accounts)

    Use this page to:

    • list declared target account groups
    • add/edit/delete a group or groups
    • see which target accounts are included in each group


    Figure 3.33. List of target account groups

    3.8.4.1. Add a target account group

    From the page listing the target account groups, click the "Add group" icon to display the Add target account group form.


    Figure 3.34. Add a target account group form

    The form to add a target account group can be used to configure the following information:

    • the target account group id
    • a description of the group, if relevant
    • the target accounts belonging to the group
    • the devices on which account correspondence is authorised. In the case of account correspondence, a user can log on to the target device using their primary logon details. This is particularly useful when the user's account is declared on a company directory and the user has access rights to the target resource. The user's primary credentials are then replayed on the target device.
    • a list of actions to apply when certain character strings are detected in the upward flow from proxies (similar to the list presented on the user groups page, see Section 4.6, SSH flows analysis / Pattern detection).

    3.8.4.2. Edit a target account group

    The information in this Edit target account group form is the same as in the Add form, with one exception: you cannot change the name of the group. Click a declared group name to access this form.

    3.8.4.3. Delete a target account group

    Click to delete one or more pre-selected target account groups.

    Note:

    You cannot delete a target account group if the group has active authorisations attached (see Section 3.9, Manage authorisations) and/or if there are target accounts attached to this group.

    3.8.5. Authentication mechanisms

    This page gives the list of all authentication mechanisms available in the WAB.

    The mechanisms available for the HTTP and HTTPS protocols are preconfigured and cannot be deleted or changed.

    Mechanisms can be added, edited or deleted for the TELNET protocol.

    Figure 3.35. Authentication mechanisms


    3.8.5.1. Add an authentication mechanism for TELNET

    From the page listing the authentication mechanisms, click the 'Add authentication mechanism' icon and select 'TELNET' from the dropdown list of associated generic protocols to display the Add authentication mechanism form for the TELNET protocol.

    Use this form to configure the following information:

    • the authentication mechanism id
    • a logon script (see Section 4.7, TELNET connection scenario)

    3.8.5.2. Edit an authentication mechanism

    The information in this Edit authentication mechanism form is the same as in the Add form, with one exception: you cannot change the name of the mechanism. Click a declared mechanism name to access this form.

    3.8.5.3. Delete an authentication mechanism

    Click to delete one or more pre-selected authentication mechanisms.

    Note:

    You cannot delete pre-configured authentication mechanisms.

    3.8.6. Import (target devices and target accounts)

    From this page, you can import devices and target accounts previously stored as a CSV file.

    The device and account descriptions are contained in two separate files, and each line obeys a specific format. Each line of these files describes a target device or a target account.

    Note:

    The import takes place in two steps: first the devices are imported, and then the target accounts (the device linked to each target account must already exist).

    The file must start with a line containing the following tag:

    #wab31

    Warning:

    If this tag is not present, the file format must follow WAB version 3.0 conventions (not described in this document). This keeps compatibility with files created for earlier versions of WAB.

    The lines describing a device must comply with the following:

    Field                                Type      R(equired)/O(ptional)   Possible values                    Default value
    Device name                          Text      R                       [aA-zZ], [0-9], '-', '_'           n/a
    Alias                                Text      O                       [aA-zZ], [0-9], '-', '_'           n/a
    Description                          Text      O                       Free text                          n/a
    Network address                      IP/FQDN   R                       [aA-zZ], [0-9], '-', '_'           n/a
    Service/Protocol/Port/Sub-protocol   Text      R                       NAME/PROTOCOL/N*/SUB-PROTOCOL*     n/a

    In the last field, NAME is free text, PROTOCOL is a protocol name (see below), N* is an optional port number and SUB-PROTOCOL* is an optional sub-protocol name (see below).

    PROTOCOL: one of the following values: SSH, TELNET, RLOGIN, RDP, VNC, HTTP, HTTPS.

    SUB-PROTOCOL: for SSH, one of the following values: SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP, SSH_SCP_DOWN, SSH_X11_SESSION, SFTP_SESSION. If SUB-PROTOCOL is not specified, all the sub-protocols are added. The value for the other protocols is exactly the same as PROTOCOL and can be omitted.

    The 'Service/Protocol/Port/Sub-Protocol' may contain several values separated by a space.

    Example:

    #wab31
    asterix;intranet;"Intranet server";192.168.0.10;ssh_22/ssh/22/ssh_shell_session
    obelix;mail1;"Exchange server";192.168.0.11;telnet_23/telnet/23 rdp_1/rdp/3389

    The lines describing a target account must comply with the following format:

    Field          Type      R(equired)/O(ptional)   Possible values             Default value
    Account name   Text      R                       [aA-zZ], [0-9], '-', '_'    n/a
    Group name     Text      R                       [aA-zZ], [0-9], '-', '_'    n/a
    Description    Text      O                       Free text                   n/a
    Password       IP/FQDN   R                       [aA-zZ], [0-9], '-', '_'    n/a

    Note:

    At present, you cannot create target accounts with the 'secondary auto logon' function disabled.

    Example:

    #wab31
    root@asterix;linux;"Root account";SecurePassword
    adminlinux@asterix;linux;"Compte pour la connexion sans droits";plO@56zZ

    3.9. Manage authorisations

    The authorisations determine which target accounts and protocols users can use to access devices.

    Authorisations are applied to user groups linked to target account groups. All users in the same group inherit the same authorisations.

    Use this menu to list, add or delete authorisations.

    Figure 3.36. List of authorisations

    3.9.1. Add an authorisation

    From the page listing the authorisations, click the icon to display the Add new authorisation form.

    An authorisation is a link created between a user group and a target account group. Therefore, the form contains the following information:

    • the user group
    • the target account group


    • a description
    • a list of authorised protocols
    • a check box to indicate whether or not the sessions allowed by the authorisation are critical (a notification can be sent each time a critical device is accessed)
    • a check box to enable or disable session recording. The type of recording depends on the protocol used to access the device.

    Figure 3.37. Add authorisation form

    Note:

    The recording for RDP includes both video and automatic OCR of the applications run on the remote machine by detecting title bars.

    Important note: the algorithm used to detect the title bar content is very fast to enable real-time execution, but also very sensitive to the configuration. It only works with 'Windows Standard' windows and a default font size of 96 PPP with a colour depth of 15 bits or more (15, 16, 24 or 32 bits; it does not work in 8-bit mode). In its current version, the OCR function will not work if the title bar style is changed, even to a style that is visually very similar, for example to 'Windows classic', or if the title bar colour, style, font size or resolution is changed. In addition, OCR is configured to detect only the title bars of applications closed using the three icons, close, minimise and maximise. If the title bar contains an icon, this will generally be replaced by question marks before the recognised text.


    Use the form to select several protocols for a user group and a given target account group. This means you can create several authorisations between the two groups.

    3.9.2. Delete an authorisation

    Click to delete one or more pre-selected authorisations.

    3.9.3. Import authorisations from CSV

    A CSV file can be used to populate the WAB authorisation database. The field separators can be configured.

    The file must start with a line containing the following tag:

    #wab31

    Warning:

    If this tag is not present, the file format must follow WAB version 3.0 conventions (not described in this document). This keeps compatibility with files created for earlier versions of WAB.

    Each subsequent line must be formed as follows:

    Field          Type   R(equired)/O(ptional)   Possible values                                                    Default value
    User Group     Text   R                       [aA-zZ], [0-9], '-', '_'                                           n/a
    Device Group   Text   R                       [aA-zZ], [0-9], '-', '_'                                           n/a
    Protocol       Text   R                       SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP, SSH_SCP_DOWN,   n/a
                                                  SSH_X11_SESSION, TELNET, RLOGIN, RDP, VNC, HTTP, HTTPS

    Example:

    #wab31
    group_users1;group_devices1;SSH_SHELL_SESSION

    After you have imported the CSV file, a summary report is displayed.
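    The loader below is an added example, not Wallix code, covering the device, target account and authorisation CSV formats of Sections 3.8.6 and 3.9.3 together. It applies the two-step rule of Section 3.8.6 (devices first, then accounts that must name an existing device) and extends it one step: an authorisation line must name a target account group that the account import actually produced. The field layouts come from the guide's tables and examples, including the login@device form of the account name seen in the Section 3.8.6 example; the reachable() rule (a protocol is only usable where the account's device declares a service carrying it) and all sample data are this example's own assumptions.

```python
"""Two-step loader for the '#wab31' device, account and authorisation CSV files
(added example, not Wallix code). Assumed layouts, from the guide's tables:
  device:        name;alias;description;address;spec [spec ...]   spec = NAME/PROTOCOL/N*/SUB-PROTOCOL*
  account:       login@device;group;description;password
  authorisation: user_group;target_account_group;protocol"""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
PROTOCOLS = {"SSH", "TELNET", "RLOGIN", "RDP", "VNC", "HTTP", "HTTPS"}
SSH_SUBPROTOCOLS = {"SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "SSH_SCP_UP",
                    "SSH_SCP_DOWN", "SSH_X11_SESSION", "SFTP_SESSION"}
# protocol column of the authorisation import table (Section 3.9.3)
AUTH_PROTOCOLS = (SSH_SUBPROTOCOLS - {"SFTP_SESSION"}) | (PROTOCOLS - {"SSH"})


def read_wab31(text, sep=";"):
    """Yield (line number, fields) per data line; the file must start with #wab31."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#wab31":
        raise ValueError("missing #wab31 tag (file is in the 3.0 format)")
    for n, line in enumerate(lines[1:], start=2):
        if line.strip():
            yield n, [f.strip() for f in line.split(sep)]


def parse_service(spec):
    """NAME/PROTOCOL/N*/SUB-PROTOCOL* -> (name, protocol, port or None, sub-protocol set)."""
    parts = spec.split("/")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"bad service spec {spec!r}")
    name, proto = parts[0], parts[1].upper()
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {parts[1]!r}")
    port = int(parts[2]) if len(parts) > 2 and parts[2] else None
    sub = parts[3].upper() if len(parts) > 3 and parts[3] else None
    if proto == "SSH":
        if sub is not None and sub not in SSH_SUBPROTOCOLS:
            raise ValueError(f"unknown SSH sub-protocol {sub!r}")
        subs = {sub} if sub else set(SSH_SUBPROTOCOLS)   # omitted: all SSH sub-protocols
    else:
        if sub not in (None, proto):                     # otherwise it must equal PROTOCOL
            raise ValueError(f"sub-protocol {sub!r} does not match {proto}")
        subs = {proto}
    return name, proto, port, subs


def import_inventory(device_csv, account_csv, authorisation_csv):
    """Devices, then accounts, then authorisations; each step only sees what the previous accepted."""
    devices, accounts, groups, auths, errors = {}, {}, {}, [], []
    for n, f in read_wab31(device_csv):
        try:
            if len(f) != 5 or not NAME_RE.match(f[0]) or not f[3]:
                raise ValueError("bad field layout")
            services = [parse_service(s) for s in f[4].split()]
        except ValueError as exc:
            errors.append(f"device line {n}: {exc}")
            continue
        devices[f[0]] = {"alias": f[1], "description": f[2].strip('"'),
                         "address": f[3], "services": services}
    for n, f in read_wab31(account_csv):
        login, _, device = f[0].partition("@") if len(f) == 4 else ("", "", "")
        if not login or device not in devices:
            errors.append(f"account line {n}: bad layout or unknown device {device!r}")
            continue
        # f[3], the password, belongs in the encrypted store (Chapter 5), not in this structure
        accounts[f[0]] = {"login": login, "device": device, "group": f[1],
                          "description": f[2].strip('"')}
        groups.setdefault(f[1], set()).add(f[0])
    for n, f in read_wab31(authorisation_csv):
        if len(f) != 3 or f[2].upper() not in AUTH_PROTOCOLS or f[1] not in groups:
            errors.append(f"authorisation line {n}: unknown protocol or target account group")
            continue
        auths.append((f[0], f[1], f[2].upper()))
    return {"devices": devices, "accounts": accounts, "groups": groups,
            "authorisations": auths, "errors": errors}


def reachable(inv, user_group):
    """(account, protocol) pairs granted to a user group. Example's own assumption: a
    protocol is usable only if the account's device declares a service carrying it."""
    out = set()
    for ug, acct_group, proto in inv["authorisations"]:
        if ug != user_group:
            continue
        for acct in inv["groups"][acct_group]:
            services = inv["devices"][inv["accounts"][acct]["device"]]["services"]
            if any(proto in subs for _, _, _, subs in services):
                out.add((acct, proto))
    return out


# constructed samples: the guide's two devices plus one with a protocol the WAB does not know,
# the guide's two accounts plus a Windows admin and an account on the rejected device
DEVICES_CSV = """#wab31
asterix;intranet;"Intranet server";192.168.0.10;ssh_22/ssh/22/ssh_shell_session
obelix;mail1;"Exchange server";192.168.0.11;telnet_23/telnet/23 rdp_1/rdp/3389
idefix;;"FTP is not a WAB protocol";192.168.0.12;ftp_21/ftp/21
"""
ACCOUNTS_CSV = """#wab31
root@asterix;linux;"Root account";SecurePassword
adminlinux@asterix;linux;"Compte pour la connexion sans droits";plO@56zZ
Administrator@obelix;windows;"Domain admin";Pa55w0rd!
backup@idefix;linux;"device was not imported";x
"""
AUTHS_CSV = """#wab31
group_users1;linux;SSH_SHELL_SESSION
group_users1;windows;RDP
group_users1;windows;SSH_SCP_UP
group_users1;nosuchgroup;RDP
"""
```

    On the samples, the FTP device, the account on it and the authorisation on the unknown group are each rejected with a message, and reachable() for group_users1 yields SSH_SHELL_SESSION on the two asterix accounts and RDP on Administrator@obelix; the SSH_SCP_UP authorisation on the Windows group is accepted but grants nothing because obelix declares no SSH service.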

    3.10. User profiles

    You can list, add, edit or delete user profiles from this page.

    From the User profiles page, you can define the audit or administration authorisations for the solution.


    The authorisation types match the menu on the left of the main interface.

    3.10.1. Default profiles

    The WAB is pre-configured with a number of default user profiles, which can be edited or changed just like any other profile. The default profiles are:

    • 'user': no admin rights, but can access target devices
    • 'auditor': can consult WAB audit data (see Section 3.5, WAB audit), but cannot access devices
    • 'WAB_Administrator': has full admin rights and can connect to target devices
    • 'system_administrator': can access the 'system configuration' tab, but does not have access to target devices
    • 'disabled': profile with no rights.

    Note:

    The factory configuration for the 'admin' profile is the 'Wab_Administrator' profile.

    3.10.2. Add a user profile

    From the page listing the user profiles, click the icon to display the Add new profile form.

    This page consists of:

    • a field for the profile id
    • a series of check boxes to define the rights

    There are two series of check boxes:

    • graphic user interface functions
    • proxy connectivity and limitations on use functions

    There is a series of rights for each GUI function:

    • none: no rights: the menu will not appear when the user logs on
    • consult: the user can view objects created but cannot change them
    • change: the user can view and change objects
    • execute (only for back-up/restore): the user can start a system back-up or restore (see Section 3.13, Back-up/Restore)

    Two other check boxes can be used to:

    • enable/disable the connection to the target devices
    • limit the use of certain admin rights for groups

    The limitation on rights for groups allows you to add users or target accounts only to groups for which the profile is authorised.


    Figure 3.38. Add user profile form

    3.10.3. Edit a user profile

    The information in this Edit user profile form is the same as in the Add form, with one exception: you cannot change the name of the user profile. Click a declared user profile name to access this form.

    3.10.4. Delete a user profile

    Click to delete one or more pre-selected user profiles.

    3.11. WAB configuration

    Use this menu to configure:

    • user time frames
    • authentication procedures for users
    • notifications
    • password policy (for registered WAB users)

    3.11.1. Time frames

    You can add, edit or delete time frames from this page.


    The default WAB time frame is 'allthetime'. This time frame allows users to connect to target devices at any time and on any day.

    You cannot delete this time frame.

    Figure 3.39. List of time frames

    3.11.1.1. Add a time frame

    From the page listing the time frames, click the icon to display the Add new time frame form.

    The Add new time frame consists of the following:

    - a field for the name of the time frame
    - a description
    - a check box to disable automatic disconnection at the end of the specified time frame
    - a sub-form to add one or more periods

    Each period is a calendar period during which users can log on:

    - between certain dates
    - on certain weekdays
    - between certain times on every authorised day


    Figure 3.40. Add time frame form

    Note:

    The time used is the WAB local time.

    3.11.1.2. Edit a time frame

    The information in this Edit time frame form is the same as in the Add form, with one exception: you cannot change the name of the time frame. Click the name of a declared time frame to access this form.

    3.11.1.3. Delete a time frame

    Click to delete one or more pre-selected time frames.

    3.11.2. External authentications

    The WAB allows you to define external authentications. These authentication methods are used to authenticate a user on the WAB.

    'Local' authentication is the default configured on the WAB, allowing users to log on using the product's internal data engine.

    You can list, add, edit or delete external authentication procedures from this page.

    The WAB supports the following authentication methods:

    - LDAP/LDAPS
    - Active Directory
    - Kerberos
    - Radius

    3.11.2.1. Add an external authentication

    From the page listing the external authentications, click the icon to display the Add new authentication form.

    The add form consists of the following fields:

    - an authentication type: when you select the type, the fields required for authentication are displayed
    - an authentication name
    - a description
    - server address (IP or FQDN)
    - a connection port

    For LDAP/LDAPS authentications, enter the organisation unit and the connection attribute. The connection attribute must be the field where the WAB user's name is stored. You can also add a user name and a password, if anonymous access is disabled on the directory.

    Note:

    The user must have read rights for the DN base used.

    The connection attribute for LDAP-AD authentications is sAMAccountName. In addition, since you cannot access an Active Directory anonymously, a domain administrator account is required to create the authentication.

    For KERBEROS authentications, a domain name is required (REALM).

    For RADIUS authentications, the packet encryption key is required.

    For LDAP/AD authentications, the user name to specify must be the user's 'Distinguished Name' (or DN) (e.g.: cn=admin,dc=mycorp,dc=lan).


    Figure 3.41. Add LDAP authentication form

    3.11.2.2. Edit an external authentication

    The information in this Edit external authentication form is the same as in the Add form, with one exception: you cannot change the name of the external authentication. Click the name of a declared external authentication to access this form.

    3.11.2.3. Delete an external authentication

    Click to delete one or more pre-selected external authentications.

    3.11.3. Notifications

    WAB allows you to define notifications. These notifications are triggered if one of the following events is detected:

    - wrong primary authentication
    - logon to a critical device
    - new recording of an SSH server fingerprint
    - bad SSH fingerprint detected
    - RAID error
    - failed secondary logon
    - detection of an occurrence during analysis of an SSH flow
    - licence error
    - password expiry alerts
    - available disk space alerts
    - daily logs

    3.11.3.1. Add a notification

    From the page listing the notifications, click the icon to display the Add new notification form.

    The add form consists of the following fields:

    - a name for the notification
    - check boxes to enable notifications to be sent for the events listed above
    - the sender's email address
    - the recipient's email address


    Figure 3.42. Add notification form

    Note:

    Go to 'System configuration'/SMTP to configure the mail settings (Section 3.12.6, SMTP).

    3.11.3.2. Edit a notification

    The information in the Edit notification form is the same as in the Add form, with one exception: you cannot change the name of the notification. Click the name of a declared notification to access this form.

    3.11.3.3. Delete a notification

    Click to delete one or more pre-selected notifications.


    3.11.4. Password policy

    The password policy establishes a set of rules for storing local passwords.

    By default, the minimum password length is six characters, the last four passwords used cannot be reused, and the password cannot be similar to the user name.

    A list of prohibited trivial passwords is also inserted by default.

    On this page, you can also configure the password expiration time.

    The form consists of the following fields:

    - the password validity period in days. After this time, an administrator must define new credentials and users may no longer log on using their existing password. We recommend configuring this setting for a period of less than one year.
    - the time before the first password expiration warning in days, advising users that their password will soon expire
    - the minimum password length. This must be greater than the sum of the other password length constraints.
    - the minimum number of upper case characters in the password. We recommend at least 2.
    - the minimum number of figures in the password. We recommend at least 2.
    - the minimum number of special characters in the password. We recommend at least 2.
    - the number of previous passwords that cannot be reused. We recommend at least 5.
    - a check box to allow or prohibit passwords similar to the user name. We recommend not allowing it.
    - a file to define a list of prohibited passwords

    Note:

    The list of prohibited passwords must be in a file in UTF-8 format.
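    As an added illustration of the rules above (example code, not part of the WAB product), the following Python checks a candidate password against a policy built from these fields. The policy object, the rule names and the {SSHA} history format are assumptions of the example; the history format was chosen because chapter 5 states that local passwords are stored as SSHA1 fingerprints.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

# Rule names returned by check_password (constructed for this example).
TOO_SHORT = "shorter than the minimum length"
TOO_FEW_UPPER = "too few upper case characters"
TOO_FEW_DIGITS = "too few figures"
TOO_FEW_SPECIAL = "too few special characters"
SIMILAR_TO_USER = "similar to the user name"
PROHIBITED = "in the list of prohibited passwords"
REUSED = "reused from the password history"


@dataclass(frozen=True)
class PasswordPolicy:
    """Local password policy with the fields of the 'Password policy' page (assumed model)."""
    min_length: int = 6           # factory default: six characters
    min_upper: int = 0
    min_digits: int = 0
    min_special: int = 0
    history_size: int = 4         # factory default: the last four passwords
    forbid_similar_to_username: bool = True
    prohibited: frozenset = frozenset()

    def __post_init__(self):
        # The page requires the minimum length to exceed the sum of the other
        # length constraints; refuse an inconsistent policy up front.
        if self.min_length <= self.min_upper + self.min_digits + self.min_special:
            raise ValueError("min_length must exceed the sum of the other length constraints")


def parse_prohibited_list(text):
    """Turn the content of a prohibited-password file (read with encoding='utf-8') into a set."""
    return frozenset(line.strip().lower() for line in text.splitlines() if line.strip())


def ssha1(password, salt=None):
    """Salted SHA-1 ({SSHA}) digest: sha1(password + salt) followed by the salt, base64 encoded."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha1_verify(password, stored):
    """Constant-time comparison of a candidate against a stored {SSHA} digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def similar_to_username(password, username):
    """Case-insensitive containment in either direction counts as 'similar'."""
    p, u = password.lower(), username.lower()
    return bool(u) and (u in p or p in u)


def check_password(policy, password, username, history):
    """Return the list of rules the candidate breaks; an empty list means it is accepted.
    `history` holds the {SSHA} digests of the user's previous passwords, oldest first."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(TOO_SHORT)
    if sum(c.isupper() for c in password) < policy.min_upper:
        violations.append(TOO_FEW_UPPER)
    if sum(c.isdigit() for c in password) < policy.min_digits:
        violations.append(TOO_FEW_DIGITS)
    if sum(not c.isalnum() for c in password) < policy.min_special:
        violations.append(TOO_FEW_SPECIAL)
    if policy.forbid_similar_to_username and similar_to_username(password, username):
        violations.append(SIMILAR_TO_USER)
    if password.lower() in policy.prohibited:
        violations.append(PROHIBITED)
    # Only the last `history_size` entries count, as on the policy page.
    if any(ssha1_verify(password, h) for h in history[-policy.history_size:]):
        violations.append(REUSED)
    return violations
```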


    Figure 3.43. 'Password policy' page

    3.11.5. Secondary passwords

    With the WAB, you can change passwords to target accounts on Windows and UNIX devices remotely.

    Warning:

    The following systems are supported by the password change procedures:

    - Local accounts on UNIX systems managed by the passwd command.
    - Local accounts on Windows server machines: Windows Server 2003 and Windows Server 2008.
    - Active Directory accounts.

    There are three steps to configuring the procedure for changing the passwords to target accounts:


    Figure 3.44. 'Secondary password' page

    1. Go to WAB Configuration > Secondary password policy (see Figure 3.44, 'Secondary password' page):
       - Define the frequency for triggering changes: times, daily, weekly, monthly, or disable.
       - Download the GPG/PGP public keys of the administrators who will receive the new passwords in encrypted emails. Only the GPG/PGP public keys used to define the administrators' credentials will be displayed in the panel "GPG public key(s) used to send passwords".

    2. Go to Devices & Accounts > Device Admin Credentials and click the key for each device (see Figure 3.29, Device admin credentials):

       a. For a Windows device:
          - Enter the WAB account for the domain administrator (for the domain accounts and the local accounts) or the local administrator for local accounts. The WAB account is in the form 'nom_de_compte_wab@nom_de_ressource_wab'.

            Note: the domain administrator account must match an existing WAB account, otherwise the system returns an error and the credentials are not saved.

          - The administrator's password (local or on the DA).

       b. For a Cisco device: enter the password to elevate privilege levels.

       c. For all devices (Linux/Unix, Windows and Cisco):
          - Input the email addresses for the recipients of the new passwords generated (their GPG/PGP keys must have been previously imported).
          - The minimum length of the passwords generated.
          - Check the box to enable special characters in the passwords generated, according to the password strength policy for the device.

    3. Enable password change for each account on each device (see Figure 3.45, 'Secondary password' page): go to Devices & Accounts > Accounts, click the device, then click the key for each account.
       - Check the box to enable automatic password change for this account.
       - If automatic password change is not enabled, you can enter a password manually.

    Each time a password is changed, an email will be sent to the recipients configured in the system indicating whether the new password was successfully changed (encrypted email), or if the attempt failed, specifying the reason for the failure.

    Warning:

    - On Windows machines belonging to a domain, it is essential to correctly configure the domain controller's IP address for the password change process to function successfully.
    - If the SMTP server is not configured, the passwords will not be changed.
    - If a GPG/PGP key is missing from the list of recipients, the passwords will not be changed.
    - For password changes on UNIX machines, the WAB must always have the passwords for the accounts to manage. Passwords must never be changed without entering them in the WAB; otherwise the changes will not be made.


    Figure 3.45. 'Secondary password' page

    3.11.6. Logon settings

    Here you can configure the default language used to display user messages.


    Figure 3.46. 'Logon settings' page

    These messages can also be changed by the administrator.

    3.12. System configuration

    Use this menu to enter the AdminBastion system configuration information.

    3.12.1. Network

    This page displays the device's network information. You can change:

    - the host name
    - the domain name
    - the gateway
    - the configuration of network interfaces

    You can add:

    - routes
    - entries in the 'hosts' file
    - DNS servers


    Figure 3.47. Network configuration

    Warning:

    Before changing the WAB IP address used to communicate with the file server for remote storage, we recommend disabling remote storage and re-enabling it again after you have changed the address. See Section 3.12.3, Remote storage.

    3.12.2. Time service

    Use this page to configure the time service. This is especially important, because:

    - the WAB's date and time must be synchronised with the Kerberos authentication servers.
    - the WAB is the time reference for audit information escalated and for management of time frames.

    By default, the time service is enabled and synchronised with the Debian project time servers.


    Figure 3.48. Time service configuration

    3.12.3. Remote storage

    From this page you can move video recordings to an external file system.

    Important note: if recordings have already been made on a WAB, enabling remote storage will hide old sessions (they will become visible again when remote storage is disabled).

    The file systems supported are CIFS and NFS. For each of these systems you must specify:

    - the IP address or FQDN of the file server,
    - the port number of the remote service,
    - the remote directory in which the recordings will be stored.

    You must also specify for CIFS:

    - the user name to log on to the remote service,
    - the password.

    The 'Mount' button mounts the file system. A status icon shows you whether the file system is mounted.


    Figure 3.49. Configuring remote storage

    3.12.4. Syslog

    From this page you can configure the routing of syslogs to another network device. The logs are sent to the selected IP address, port and protocol, and remain stored on the local file system so that they are always available in read access through the System audit tab.


    Figure 3.50. Configuring syslog routing

    3.12.5. SNMP

    WAB includes an embedded SNMP agent with the following properties:

    - Protocol version supported: 2c
    - MIB implemented: MIB 2
    - no alert mechanisms (traps) or notifications
    - no ACL on the source IP address
    - SNMP commands available: 'get', 'getbulk'

    The factory configuration is:

    - sysName: WAB v2
    - sysContact: root@yourdomain
    - sysLocation: yourlocation
    - community: empty by default; the community name used to connect to the WAB

    By default, the agent is disabled.


    Figure 3.51. Configuring the SNMP agent

    Note:

    The SNMP agent can only be enabled via the Web user interface.

    Examples of use:

    $ snmpget -v2c -c WALLIXdefault 192.168.0.5 system.sysDescr.0
    SNMPv2-MIB::sysDescr.0 = STRING: "Wallix AdminBastion Version 3.1"
    $ snmpget -v2c -c WALLIXdefault 192.168.0.5 system.sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (65833) 0:10:58.33
    $ snmpget -v2c -c WALLIXdefault 192.168.0.5 IF-MIB::ifHCOutOctets.1
    IF-MIB::ifHCOutOctets.1 = Counter64: 255823831

    3.12.6. SMTP

    You can use this entry to configure (or change the configuration of) the mail server for sending notifications.

    Enter the following information:

    - server name
    - server port (default: 25)
    - sender's name (default: wab)
    - a user name and password if required

    To test the settings, enter one or more destination addresses in a free text field and click 'TEST'.

    Figure 3.52. SMTP service configuration

    3.12.7. Licence

    From this page you can display the licence information and modify the licence key.

    Use of the WAB is controlled by this licence key. The licence mechanism checks:

    - the number of target devices that can be declared
    - the maximum number of simultaneous unique primary connections
    - the maximum number of simultaneous secondary connections
    - the licence expiration date

    The licence key contains the elements included in the sales contract and is provided by Wallix. It is entered in the WAB by the client via the Web user interface.

    To obtain a licence, the device serial number and all network card MAC addresses must be sent to Wallix.

    The licence key can also be managed from the command line (root menu).

    To display the licence information:

    wab2:~# WABGetLicence

    To enter a new licence number:

    wab2:~# WABSetLicence

    To delete the old licence key:


    wab2:~# WABDropLicence

    Figure 3.53. Managing the licence

    3.13. Back-up/Restore

    From this page you can back up or restore a copy of the WAB configuration.

    Each back-up is encrypted using a 16-character key. You must know the back-up key before restoring it.

    Warning:

    - only back-ups created with WAB version 3.1 can be restored.
    - this back-up/restore function does not save audit data.
    - all data changed or added after a back-up will be lost if the back-up is restored.
    - the administrator will be logged off. S/he must log on again with one of the accounts included in the back-up, which might be different from those in the system before the back-up/restore was performed.
    - if a back-up is restored on a machine other than the one used to generate the back-up, the encrypted data present before the restore may become indecipherable.


    Figure 3.54. 'Back-up/Restore' page


    Chapter 4. Operation

    4.1. Using the command line to connect to the WAB

    An SSH daemon listening on port 2242 allows you to connect to an administration shell.

    The default credentials are:

    User name: wabadmin

    Password: SecureWabAdmin

    This user is in the list of 'sudoers'. You can use the 'sudo' command to access the root menu using the same password.

    Once in root, you can use a set of scripts to manage the day-to-day operation of the WAB.

    Note:

    We strongly recommend changing the wabadmin account password on first connection.

    4.2. Exporting audit data

    You can use the WABSessionLogExport script to export audit data (see Section 3.5.3, Connection history).

    wab2:~# /opt/wab/bin/WABSessionLogExport -h
    Usage: WABSessionLogExport [options]

    Options:
      -h, --help            show this help message and exit
      -s START_DATE, --start_date=START_DATE
                            Should be like this: YYYY-MM-DD
      -e END_DATE, --end_date=END_DATE
                            Should be like this: YYYY-MM-DD

    Use this command to create a zip file, saved in /var/wab/recorded/export_sessions, containing for the period defined:

    - all SSH and RDP sessions
    - a CSV file containing the export of the data viewed in the connection history

    4.3. Back-up/Restore from the command line

    You can perform back-up and restore actions (see Section 3.13, Back-up/Restore) using the scripts wallix-config-backup.py and wallix-config-restore.py.

    wab2:~# /usr/bin/wallix-config-backup.py -h
    Usage: wallix-config-backup.py [options]

    Options:
      -h, --help            show this help message and exit
      -d DIRECTORY, --directory=DIRECTORY
                            Directory where you want to store your backup.
      -s, --sdcard          Set this option to store the Backup in the sdcard.
      -a, --aes             Set this option force use of AES256 instead of Gpg symmetric cipher.
      -b, --blowfish        Set this option force use of Blowfish instead of Gpg symmetric cipher.

    DIRECTORY is the directory path in which the back-up file will be created.

    Option -s can be used to create a copy on an external drive (sdcard or USB). Options -a and -b should not normally be used. Without these options, the file is GPG encrypted.

    wab2:~# /usr/bin/wallix-config-restore.py -h
    Usage: wallix-config-restore.py [options]

    Options:
      -h, --help            show this help message and exit
      -f FILENAME, --file=FILENAME
                            Provide full path of Backup file (.wbk).
      -s, --sdcard          Enter in interactive mode to select file on SDcard.
      -a, --aes             Set this option force use of AES256 instead of Gpg symmetric cipher.
      -b, --blowfish        Set this option force use of Blowfish instead of Gpg symmetric cipher.

    FILENAME is the back-up file path.

    Option -s can be used to restore from the external drive (sdcard or USB). Options -a and -b should not normally be used. Without these options, the file is GPG decrypted.

    4.4. Configuring automatic back-up

    The WAB performs an automatic back-up configured in a cron task. By default, this is performed every day at 18:50 and the files are stored in the directory /var/wab/backups.

    You can change the time and frequency of the back-ups in /etc/cron.d/wabcore by changing the line that runs the WABExcuteBackup command. The fields are crontab fields, namely MINUTE, HOUR, DAY_OF_MONTH, MONTH and DAY_OF_WEEK.

    The values permitted in each field are:

    - MINUTE: 0 - 59
    - HOUR: 0 - 23
    - DAY_OF_MONTH: 1 - 31
    - MONTH: 1 - 12
    - DAY_OF_WEEK: 0 - 7 (0 or 7 for Sunday)

    Each field can also have an asterisk '*' corresponding to all possible values. Lists are also permitted, with the values separated by commas, as are intervals, with the range separated by a hyphen, e.g. '1,2,5-9,12-15,21'.

    You can also change the path and the value of the key used by editing the file /opt/wab/bin/WABExcuteBackup and changing the DIR and KEY values at the start of the file.
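    To check an edited schedule before it goes into /etc/cron.d/wabcore, here is an added Python example (not part of the WAB) that expands the five fields with the ranges listed above and reports whether a line would fire at a given local time. The function names are assumptions of the example; the day-of-month/day-of-week rule follows standard Vixie cron (either matches when both fields are restricted).

```python
import re
from datetime import datetime

# Permitted ranges for each field, as section 4.4 lists them for /etc/cron.d/wabcore.
CRON_FIELDS = (
    ("MINUTE", 0, 59),
    ("HOUR", 0, 23),
    ("DAY_OF_MONTH", 1, 31),
    ("MONTH", 1, 12),
    ("DAY_OF_WEEK", 0, 7),  # 0 and 7 both mean Sunday
)

# The factory schedule of the automatic back-up: every day at 18:50.
DEFAULT_BACKUP_SCHEDULE = "50 18 * * *"

_ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_cron_field(name, spec, low, high):
    """Expand one field ('*', a single value, a range 'a-b' or a comma list of those)
    into the set of values it covers. Raises ValueError on bad syntax or on a value
    outside the permitted range."""
    if spec == "*":
        return set(range(low, high + 1))
    values = set()
    for item in spec.split(","):
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError(f"{name}: cannot parse '{item}'")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) is not None else start
        if start > end:
            raise ValueError(f"{name}: range '{item}' runs backwards")
        if start < low or end > high:
            raise ValueError(f"{name}: '{item}' is outside {low}-{high}")
        values.update(range(start, end + 1))
    if name == "DAY_OF_WEEK" and 7 in values:
        values.discard(7)  # normalise Sunday so that '7' and '0' compare equal
        values.add(0)
    return values


def parse_cron_schedule(schedule):
    """Parse the five time fields of a crontab line into {field name: set of values}."""
    parts = schedule.split()
    if len(parts) != 5:
        raise ValueError("expected five fields: MINUTE HOUR DAY_OF_MONTH MONTH DAY_OF_WEEK")
    return {name: expand_cron_field(name, spec, low, high)
            for (name, low, high), spec in zip(CRON_FIELDS, parts)}


def schedule_fires_at(schedule, year, month, day, hour, minute):
    """True if the schedule would run the back-up at the given local date and time."""
    when = datetime(year, month, day, hour, minute)
    parts = schedule.split()
    fields = parse_cron_schedule(schedule)
    dom_ok = when.day in fields["DAY_OF_MONTH"]
    dow_ok = when.isoweekday() % 7 in fields["DAY_OF_WEEK"]  # isoweekday: Mon=1..Sun=7
    # Vixie cron: when both day fields are restricted, either one matching is enough.
    if parts[2] != "*" and parts[4] != "*":
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return (when.minute in fields["MINUTE"] and when.hour in fields["HOUR"]
            and when.month in fields["MONTH"] and day_ok)
```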


    4.5. Rights engine: operating limitations

    The rights engine supplied implies a number of operating limitations. Thus:

    - you cannot delete a user group if users belong to this group
    - you cannot delete an authentication if at least one user has this authentication
    - you cannot delete a user profile if at least one user is linked to this profile
    - you cannot delete a time frame if it is linked to a user group
    - you cannot delete a user group if authorisations involve this user group
    - you cannot delete a device if target accounts are attached to this device
    - you cannot delete target account groups if the group is not empty

    4.6. SSH flows analysis / Pattern detection

    When creating/editing groups, you can enable/disable pattern detection in SSH upward flows (the data analysed are the data input by the user).

    The list of patterns applied is the sum of those present in the user group and the target account group. The linked action is the most restrictive (if the action 'KILL' is in one of the groups, then this action will be selected).

    Patterns must be entered in the form of regular expressions, with one expression per line.

    E.g.: to ensure files are not deleted, the expressions to enter are:

    unlink\s+.*
    rm\s+.*
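    The following added Python example (not Wallix code) shows how the merge rule above plays out: the two groups' pattern lists are combined, the most restrictive action wins, and each line of upward input is tested in turn. The group tuples, the sample session and the milder 'NOTIFY' action are assumptions of the example (the page names only 'KILL').

```python
import re

# Actions in increasing order of severity. 'KILL' is the action named in section 4.6;
# 'NOTIFY' is assumed here as the milder alternative.
ACTION_SEVERITY = {"NOTIFY": 1, "KILL": 2}

# Constructed sample groups: (pattern text as typed in the group form, linked action).
USER_GROUP_POLICY = ("unlink\\s+.*\nrm\\s+.*\n", "NOTIFY")
TARGET_GROUP_POLICY = ("shutdown\\s+.*\n", "KILL")


def compile_patterns(text):
    """Compile a group's pattern list: one regular expression per line, blank lines ignored."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def merge_policies(user_group, target_group):
    """Combine a user group and a target account group, each given as (pattern_text, action).
    The resulting pattern list is the union of both lists and the action is the more
    restrictive of the two, as section 4.6 describes."""
    patterns = compile_patterns(user_group[0]) + compile_patterns(target_group[0])
    action = max((user_group[1], target_group[1]), key=ACTION_SEVERITY.__getitem__)
    return patterns, action


def inspect_input(line, patterns):
    """Return the source text of the first regex matching the user's input, or None.
    Matching is unanchored (re.search): 'rm\\s+.*' also matches 'form  x', so anchor
    patterns with \\b or ^ in the group form when that precision matters."""
    for pat in patterns:
        if pat.search(line):
            return pat.pattern
    return None


def analyse_session(lines, patterns, action):
    """Walk the upward flow line by line. Returns (events, killed): events lists
    (line_number, pattern, action) and killed is True when the session would have
    been terminated, in which case no further input is inspected."""
    events = []
    for number, line in enumerate(lines, 1):
        hit = inspect_input(line, patterns)
        if hit is None:
            continue
        events.append((number, hit, action))
        if action == "KILL":
            return events, True
    return events, False
```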

    4.7. TELNET connection scenario

    You can declare a connection scenario when creating a target device (see Section 3.8.1.2, Edit a target device). This scenario can be used to interpret commands sent by an interactive shell and to automate logon. It is a pseudo language and the syntax includes the following:

    - SEND: send a character string
    - EXPECT: expect to receive a character string in the next 10 seconds
    - (?i): ignore the case
    - $login: send a user name
    - $password: send a password

    The following scenario (tested on a 3Com Superstack switch accessible via Telnet):

    SEND:\r\n
    EXPECT:(?i)login:
    SEND:$login\r\n
    EXPECT:(?i)Password:
    SEND:$password\r\n

    is interpreted as follows:


    - send a carriage return
    - expect to receive the 'login' string (ignoring the case)
    - send the user name followed by a carriage return
    - expect to receive the 'password' string (ignoring the case)
    - send the password followed by a carriage return
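    The added Python example below (not the WAB's own interpreter) parses a scenario in this pseudo language and runs it against a constructed stand-in for the switch. The FakeSwitch class and the prompt texts it sends are assumptions of the example; the 10-second EXPECT wait is reported but not timed, since the fake device answers instantly.

```python
import re

EXPECT_TIMEOUT = 10.0  # seconds allowed for each EXPECT, as section 4.7 states

# The scenario from section 4.7, as it would be typed into the target device form.
SCENARIO_3COM = """SEND:\\r\\n
EXPECT:(?i)login:
SEND:$login\\r\\n
EXPECT:(?i)Password:
SEND:$password\\r\\n
"""


def parse_scenario(text):
    """Split the scenario into (verb, argument) steps; only SEND and EXPECT are valid verbs."""
    steps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, sep, arg = line.partition(":")
        if not sep or verb not in ("SEND", "EXPECT"):
            raise ValueError(f"bad scenario line: {raw!r}")
        steps.append((verb, arg))
    return steps


def render_send(arg, login, password):
    """Substitute $login/$password and turn the written \\r and \\n into control characters."""
    text = arg.replace("$login", login).replace("$password", password)
    return text.replace("\\r", "\r").replace("\\n", "\n")


class FakeSwitch:
    """Constructed stand-in for a Telnet-reachable switch (not a real 3Com): it prompts
    for a login and a password and records whether the credentials were right."""

    def __init__(self, login, password):
        self._creds = (login, password)
        self._state, self._name = "idle", None
        self._inbuf, self._outbuf = "", ""
        self.authenticated = False

    def write(self, data):
        self._inbuf += data
        while "\r\n" in self._inbuf:          # the device reacts to complete lines only
            line, self._inbuf = self._inbuf.split("\r\n", 1)
            self._on_line(line)

    def read(self):
        data, self._outbuf = self._outbuf, ""
        return data

    def _on_line(self, line):
        if self._state == "idle":              # any first line wakes the login prompt
            self._outbuf += "\r\nLogin: "
            self._state = "login"
        elif self._state == "login":
            self._name = line
            self._outbuf += "Password: "
            self._state = "password"
        elif self._state == "password":
            if (self._name, line) == self._creds:
                self.authenticated = True
                self._outbuf += "\r\nSelect menu option: "
                self._state = "menu"
            else:
                self._outbuf += "\r\nLogin incorrect\r\nLogin: "
                self._state = "login"


def run_scenario(steps, device, login, password):
    """Drive `device` through the steps and return the list of strings sent.
    An EXPECT whose pattern never appears in the device's output raises TimeoutError."""
    sent, pending = [], ""
    for verb, arg in steps:
        if verb == "SEND":
            data = render_send(arg, login, password)
            device.write(data)
            sent.append(data)
        else:
            pending += device.read()
            m = re.search(arg, pending)  # '(?i)' in the scenario is the regex ignore-case flag
            if m is None:
                raise TimeoutError(f"expected {arg!r} within {EXPECT_TIMEOUT:.0f}s")
            pending = pending[m.end():]  # consume the output up to the match
    return sent
```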

    4.8. Resolving common problems

    4.8.1. Restoring the factory 'admin' account

    You can execute the following command in the root menu to restore the 'admin' account:

    wab2:~# WABRestoreDefaultAdmin

    4.8.2. Resetting the device

    To reset the device, execute the following command in the root menu:

    wab2:~# /opt/wab/bin/.tools/WABResetConfig

    Note:

    This command will also delete all audit data (session recordings, connection history, etc.).


    Chapter 5. Data encryption

    Many types of sensitive data may be stored in the WAB. In particular:

    - primary authentication information
    - secondary authentication information
    - passwords to access authentication services
    - WAB data back-ups

    Access to the various services (HTTP/RDP/SSH) also requires encrypted data to enable encryption of traffic.

    Below is a summary table of the encryption methods used:

    Data                                                    | Encryption
    Password of local users                                 | SSHA1 fingerprint
    Login and passwords for target accounts                 | AES 256 symmetric encryption
    External directory authentication data                  | AES 256 symmetric encryption
    SNMP settings                                           | AES 256 symmetric encryption
    Authentication settings on the remote storage servers   | AES 256 symmetric encryption
    Back-up                                                 | AES 256 symmetric encryption
    Web user interface connection key                       | RSA 2048 bit key + AES 256
    SSH proxy connection key                                | RSA 2048 bit key + AES 256
    RDP proxy connection                                    | RSA 1024 bit key + RC4 128 bits


    Chapter 6. Compatibility

    The WAB was tested with the following clients:

    - SSH: OpenSSH 5.1 to 5.5, Putty, Cygwin

    - SCP: OpenSSH 5.1 to 5.5, Putty C