PowerBroker Password Safe v6.8.0 Logging and Auditing Guide DOCUMENTATION



2 © 2018. BeyondTrust Software, Inc. Logging and Auditing Guide

Revision/Update Information: December 2018

Software Version: 6.8.0

Revision Number: 6

Corporate Headquarters

5090 N. 40th Street

Phoenix, AZ 85018

Phone: 1 818-575-4000

COPYRIGHT NOTICE

Copyright © 2018 BeyondTrust Software, Inc. All rights reserved.

The information contained in this document is subject to change without notice.

No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software.

BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.

All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.


Contents

Executive Summary
Password Safe Auditing
    User Audits
    Export of Log Files via Support Package
Audit Record Breakdown
Appendix A – Default Ports
    System Discovery
    Desktop Connectivity
    Network Devices
    Operating Systems
    Directories
    Databases
    Applications
    Session Management
    Appliance
About BeyondTrust


Executive Summary

This document contains information on the primary auditing and logging facilities for BeyondInsight / Password Safe.

The two primary areas covered are:

1. File system logs (…\RetinaCS\logs)

2. User Audits Table


Password Safe Auditing

PowerBroker Password Safe has two main forms of audit capability:

User Audits

User Audits report on all user and administrative activity in a simple log format. The feature requires no setup and is an integral part of the BeyondInsight interface. The User Audits interface is accessible from the BeyondInsight console by navigating to Configure > User Audits. Each audit record consists of a main record displayed in the list and a set of subordinate detail records (user audit details). The main record displays the date and time of the event (date), the type of event (action), subject identity (user name), and outcome in the user audit details. For new events, all the applicable values are listed. For edits, the old and new values are displayed.

Export of Log Files via Support Package

The flat-file (text) log files may be downloaded as a zip file via the BeyondInsight Management Console GUI.


Select Generate Support Package to download a zip file containing the log files.


Audit Record Breakdown

Examples of the applicable audit records and their format are identified below.

Note that some audit records and/or required content are contained in the File system (FrontEndLog, PMMLog, and pbsm), and some are in the User Audits page.

Event: All use of the authentication mechanism

Additional Information: None

Example Audit: User Audits

Successful Login from the Password Safe interface (PMM Login)


Unsuccessful Login from the Password Safe interface (PMM Login Failure)

Successful Login from the BeyondInsight Interface (Login)


Unsuccessful Login from the BeyondInsight Interface (Login Failure)

Unsuccessful Login using an Active Directory Account

Event: Creation and modification of identity and credential data.


Audit of New Managed System

Audit of Managed System Changes


Audit of New Managed Account

Audit of Managed Account Changes


Event: All attempts to transmit information

Additional Information: The destination to which the transmission was attempted

Example Audit:

Text logs available in c:\program files (x86)\Eeye Digital Security\Retina CS\Logs\PMMlog.txt

Also available via the BeyondInsight support package – instructions at beginning of audit section

Communication to Managed System (PMMLog – ChangePassParamsFull)

Example Linux – Change on Release

2017-04-11 14:13:18,495 [Kaylee:6 ] INFO PMMLog - ChangePassParamsFull: Host=ubuntu14.btlab.local 10.0.0.13 Domain= PreferredDomainController= Port=22 PF=2 FA=pbpsfunct FAid=25 MA=admin01 MADN= MAid=137624 Tout=30 NBios= SLF=N RstSrv=N Reason=PostReleaseReset RQ=3628 RL= Aid=

Example Windows – Manual Change

2018-03-13 03:43:07,668 [Gary:1 ] INFO PMMLog - ChangePassParamsFull: Host=sql01.btlab.internal 10.3.7.14 Domain= PreferredDomainController= Port=0 PF=1 FA=btlab.internal\svc_PBPSFA FAid=1 MA=admin01 MADN= MAid=1 Tout=30 NBios= SLF=N RstSrv=N Reason=ForcedReset RQ= RL= Aid=

Example Windows – Onboarding Change

2018-03-13 03:43:07,668 [Gary:1 ] INFO PMMLog - ChangePassParamsFull: Host=sql01.btlab.internal 10.3.7.14 Domain= PreferredDomainController= Port=0 PF=1 FA=btlab.internal\svc_PBPSFA FAid=1 MA=admin01 MADN= MAid=1 Tout=30 NBios= SLF=N RstSrv=N Reason=ForcedReset RQ= RL= Aid=

Example Windows – Scheduled Change

2018-03-13 04:33:11,611 [Chrissi:1 ] INFO PMMLog - ChangePassParamsFull: Host=sql01.btlab.internal 10.3.7.14 Domain= PreferredDomainController= Port=0 PF=1 FA=btlab.internal\svc_PBPSFA FAid=1 MA=admin01 MADN= MAid=1 Tout=30 NBios= SLF=N RstSrv=N Reason=ScheduledChange RQ= RL= Aid=

Host: [Hostname] [IP address]
Domain: Domain (if applicable)
PreferredDomainController: Preferred Domain Controller (if applicable)
Port: Communication Port
PF: Platform ID (internal)
FA: Functional Account Name
FAid: Functional Account ID (internal)
MA: Managed Account Name
MADN: Managed Account Distinguished Name (if applicable)
MAid: Managed Account ID (internal)
Tout: Timeout value (in seconds)
NBIOS: NetBIOS Name (if applicable)


SLF: Use Own Password to Change Password
RstSrv: Restart Services (if applicable)
Reason: PostReleaseReset / ForcedReset / ScheduledChange
RQ: Request ID
RL: ISA Release ID (internal)
Aid: Managed System ID (internal)

Response from Managed System (PMMLog - ChangePassResult)

Success

2018-03-13 03:43:07,888 [Gary:1 ] INFO PMMLog - ChangePassResult: MSid= Host=sql01.btlab.internal IP=10.3.7.14 FAid=1 FAName=btlab.internal\svc_PBPSFA MAid=1 MAName=admin01 UseSelf=False Code=0 Message=Password has been changed successfully.

Failure – Managed Account Doesn’t Exist

2018-03-19 23:54:46,187 [8] INFO PMMLog - ChangePassResult: MSid= Host=sql01.btlab.internal IP=10.3.7.14 FAid=1 FAName=btlab.internal\svc_PBPSFA MAid=31 MAName=admin12 UseSelf=False Code=-4 Message=Problem with MA. Managed Account does not exist on the system.

Failure – System Doesn’t Exist

2018-03-19 17:10:21,415 [28] INFO PMMLog - ChangePassResult: MSid= Host=10.10.101.10 IP=10.10.101.10 FAid=51 FAName=administrator MAid=887 MAName=admin01 UseSelf=False Code=-8 Message=Failed to logon with FA

MSid: Managed system ID (internal)
Host: Hostname
IP: IP Address
FAid: Functional Account ID (internal)
FAName: Functional Account Name
MAid: Managed Account ID (internal)
MAName: Managed Account Name
UseSelf: Use Own Password to Change Password
Code: Return Code
Message: Result Message

Startup/shutdown of the audit function occurs when the product is started/stopped

Text logs available in c:\program files (x86)\Eeye Digital Security\Retina CS\Logs\REMEMConfig.txt


Also available via the BeyondInsight support package – instructions at beginning of audit section

Service Startup

2018-03-13 02:12:25,101 [52] INFO CoreService.Utilities.ConfigUtilities - Enable Rem Event Server
2018-03-13 02:12:25,108 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: eeyeevnt
2018-03-13 02:12:25,163 [53] DEBUG eEye.RetinaCS.DataAccess.NHibernateEngine - Creating session factory
2018-03-13 02:12:25,176 [53] DEBUG eEye.RetinaCS.DataAccess.NHibernateEngine - Creating configuration
2018-03-13 02:12:25,517 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyeevnt (BeyondTrust Application Bus): Running
2018-03-13 02:12:25,522 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: eeyecpsvc
2018-03-13 02:12:25,981 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyecpsvc (BeyondInsight Central Policy Engine): Running
2018-03-13 02:12:26,034 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: eeyemanagersvc
2018-03-13 02:12:27,269 [13] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: eeyesh
2018-03-13 02:12:27,467 [13] INFO CoreService.Utilities.ConfigUtilities - Service eeyesh not found.
2018-03-13 02:12:27,670 [13] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: eEyeThirdPartyPatchService2K12
2018-03-13 02:12:29,141 [53] INFO eEye.RetinaCS.DataAccess.NHibernateEngine - Created configuration
2018-03-13 02:12:29,738 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyemanagersvc (BeyondInsight Manager Engine): Running
2018-03-13 02:12:29,768 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: eeyereportingsvc
2018-03-13 02:12:29,766 [53] INFO eEye.RetinaCS.DataAccess.NHibernateEngine - Created session factory
2018-03-13 02:12:29,819 [13] INFO CoreService.Utilities.ConfigUtilities - Service eEyeThirdPartyPatchService2K12 (BeyondTrust Third Party Patch Service): Running
2018-03-13 02:12:29,846 [13] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: eeyewebsvc
2018-03-13 02:12:30,309 [13] INFO CoreService.Utilities.ConfigUtilities - Service eeyewebsvc (BeyondInsight Web Service): Running
2018-03-13 02:12:30,322 [13] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: btPBPSSM
2018-03-13 02:12:30,706 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyereportingsvc (BeyondInsight Reporting Service): Running
2018-03-13 02:12:30,977 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: eEyeSchedulerSvc
2018-03-13 02:12:30,795 [13] INFO CoreService.Utilities.ConfigUtilities - Service btPBPSSM (BeyondInsight Session Monitoring): Running
2018-03-13 02:12:31,430 [13] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: BeyondTrust.BeyondInsight.Omniworker.Service
2018-03-13 02:12:32,474 [52] INFO CoreService.Utilities.ConfigUtilities - Service eEyeSchedulerSvc (BeyondTrust Scheduling Service): Running
2018-03-13 02:12:32,478 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to start service: remeventssvc
2018-03-13 02:12:34,049 [13] INFO CoreService.Utilities.ConfigUtilities - Service BeyondTrust.BeyondInsight.Omniworker.Service (BeyondInsight Omniworker Service): Running
2018-03-13 02:12:37,167 [52] INFO CoreService.Utilities.ConfigUtilities - Service remeventssvc (BeyondTrust Event Server): Running
2018-03-13 02:12:37,171 [52] INFO CoreService.Utilities.ConfigUtilities - Enable ManagementConsole Role
2018-03-13 02:12:37,175 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to restart service: eeyemanagersvc
2018-03-13 02:12:37,179 [52] INFO CoreService.Utilities.ConfigUtilities - Stopping Service eeyemanagersvc
2018-03-13 02:12:37,434 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyemanagersvc (BeyondInsight Manager Engine): Stopped
2018-03-13 02:12:37,438 [52] INFO CoreService.Utilities.ConfigUtilities - Starting Service eeyemanagersvc
2018-03-13 02:12:40,811 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyemanagersvc (BeyondInsight Manager Engine): Running
2018-03-13 02:12:40,816 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to restart service: eeyereportingsvc
2018-03-13 02:12:40,824 [52] INFO CoreService.Utilities.ConfigUtilities - Stopping Service eeyereportingsvc
2018-03-13 02:12:41,109 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyereportingsvc (BeyondInsight Reporting Service): Stopped
2018-03-13 02:12:41,113 [52] INFO CoreService.Utilities.ConfigUtilities - Starting Service eeyereportingsvc
2018-03-13 02:12:42,487 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyereportingsvc (BeyondInsight Reporting Service): Running
2018-03-13 02:12:42,647 [52] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to restart service: eeyewebsvc


2018-03-13 02:12:42,651 [52] INFO CoreService.Utilities.ConfigUtilities - Stopping Service eeyewebsvc
2018-03-13 02:12:45,834 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyewebsvc (BeyondInsight Web Service): Stopped
2018-03-13 02:12:45,839 [52] INFO CoreService.Utilities.ConfigUtilities - Starting Service eeyewebsvc
2018-03-13 02:12:46,843 [52] INFO CoreService.Utilities.ConfigUtilities - Service eeyewebsvc (BeyondInsight Web Service): Running

Service Shutdown

2018-03-13 02:20:13,164 [41] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: eeyeevnt
2018-03-13 02:20:13,165 [40] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: eeyesh
2018-03-13 02:20:13,175 [40] INFO CoreService.Utilities.ConfigUtilities - Service eeyesh not found.
2018-03-13 02:20:13,182 [40] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: eEyeThirdPartyPatchService2K12
2018-03-13 02:20:13,438 [40] INFO CoreService.Utilities.ConfigUtilities - Service eEyeThirdPartyPatchService2K12 (BeyondTrust Third Party Patch Service): Stopped
2018-03-13 02:20:13,443 [40] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: eeyewebsvc
2018-03-13 02:20:13,700 [40] INFO CoreService.Utilities.ConfigUtilities - Service eeyewebsvc (BeyondInsight Web Service): Stopped
2018-03-13 02:20:13,705 [40] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: btPBPSSM
2018-03-13 02:20:13,961 [40] INFO CoreService.Utilities.ConfigUtilities - Service btPBPSSM (BeyondInsight Session Monitoring): Stopped
2018-03-13 02:20:13,967 [40] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: BeyondTrust.BeyondInsight.Omniworker.Service
2018-03-13 02:20:14,666 [39] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: remeventssvc
2018-03-13 02:20:15,664 [38] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: eeyecpsvc
2018-03-13 02:20:15,922 [38] INFO CoreService.Utilities.ConfigUtilities - Service eeyecpsvc (BeyondInsight Central Policy Engine): Stopped
2018-03-13 02:20:15,926 [38] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: eeyemanagersvc
2018-03-13 02:20:16,178 [39] INFO CoreService.Utilities.ConfigUtilities - Service remeventssvc (BeyondTrust Event Server): Stopped
2018-03-13 02:20:16,184 [39] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: eEyeSchedulerSvc
2018-03-13 02:20:16,184 [38] INFO CoreService.Utilities.ConfigUtilities - Service eeyemanagersvc (BeyondInsight Manager Engine): Stopped
2018-03-13 02:20:16,193 [38] DEBUG CoreService.Utilities.ConfigUtilities - Attempting to stop service: eeyereportingsvc
2018-03-13 02:20:16,441 [39] INFO CoreService.Utilities.ConfigUtilities - Service eEyeSchedulerSvc (BeyondTrust Scheduling Service): Stopped
2018-03-13 02:20:16,451 [38] INFO CoreService.Utilities.ConfigUtilities - Service eeyereportingsvc (BeyondInsight Reporting Service): Stopped
2018-03-13 02:20:17,890 [41] INFO CoreService.Utilities.ConfigUtilities - Service eeyeevnt (BeyondTrust Application Bus): Stopped
2018-03-13 02:21:14,171 [40] INFO CoreService.Utilities.ConfigUtilities - Service BeyondTrust.BeyondInsight.Omniworker.Service (BeyondInsight Omniworker Service): Stopped

Event: The reaching of an unsuccessful authentication attempt threshold, the actions taken when the threshold is reached, and any actions taken to restore the normal state

Additional Information: Action taken when threshold is reached

Example Audit: BI > Configure > User Audits logs unsuccessful attempts and account lockout


When local account is locked out (Password Safe Interface)

When local account is locked out (BeyondInsight Portal)


Audit record for when Password Safe automatically unlocks an account

Event: Use of the management functions

Additional Information: Management function performed

Example Audit: Users being added or removed from groups in Active Directory is an Active Directory function.


An example audit is shown below of the AD group called btlab.internal\PBPS Requestors being granted Requestor permission to the ‘Windows Managed Accounts’ Smart Group, using the All Day Std Access Policy

Audit of new Password Policy


Audit of Password Policy Changes

Audit of new Access Policy


Audit of Access Policy Changes

Audit of New Managed Account


Audit of New Managed Account – additional scrolling of User Audit Details panel

Audit of New Managed Account – additional scrolling of User Audit Details panel

Audit of Managed Account Changes


Audit of Managed Account Changes – additional scrolling of User Audit Details panel

Audit of New Managed System


Audit of Managed System Changes

Audit of Manual Password Change

Text logs available in c:\program files (x86)\Eeye Digital Security\Retina CS\Logs\PMMlog.txt

Also available via the BeyondInsight support package – instructions at beginning of audit section

Note that the following audit shows a manual password change instigated by the administrator.

Communication to Managed System (PMMLog – ChangePassParamsFull)

Example Windows – Manual Change

2018-03-13 03:43:07,668 [Gary:1 ] INFO PMMLog - ChangePassParamsFull: Host=sql01.btlab.internal 10.3.7.14 Domain= PreferredDomainController= Port=0 PF=1 FA=btlab.internal\svc_PBPSFA FAid=1 MA=admin01 MADN= MAid=1 Tout=30 NBios= SLF=N RstSrv=N Reason=ForcedReset RQ= RL= Aid=

Host: [Hostname] [IP address]
Domain: Domain (if applicable)
PreferredDomainController: Preferred Domain Controller (if applicable)
Port: Communication Port
PF: Platform ID (internal)
FA: Functional Account Name
FAid: Functional Account ID (internal)
MA: Managed Account Name
MADN: Managed Account Distinguished Name (if applicable)
MAid: Managed Account ID (internal)


Tout: Timeout value (in seconds)
NBIOS: NetBIOS Name (if applicable)
SLF: Use Own Password to Change Password
RstSrv: Restart Services (if applicable)
Reason: PostReleaseReset / ForcedReset / ScheduledChange
RQ: Request ID
RL: ISA Release ID (internal)
Aid: Managed System ID (internal)

Response from Managed System (PMMLog - ChangePassResult)

Success

2018-03-13 03:43:07,888 [Gary:1 ] INFO PMMLog - ChangePassResult: MSid= Host=sql01.btlab.internal IP=10.3.7.14 FAid=1 FAName=btlab.internal\svc_PBPSFA MAid=1 MAName=admin01 UseSelf=False Code=0 Message=Password has been changed successfully.

Failure – Managed Account Doesn’t Exist

2018-03-19 23:54:46,187 [8] INFO PMMLog - ChangePassResult: MSid= Host=sql01.btlab.internal IP=10.3.7.14 FAid=1 FAName=btlab.internal\svc_PBPSFA MAid=31 MAName=admin12 UseSelf=False Code=-4 Message=Problem with MA. Managed Account does not exist on the system.

Failure – System Doesn’t Exist

2018-03-19 17:10:21,415 [28] INFO PMMLog - ChangePassResult: MSid= Host=10.10.101.10 IP=10.10.101.10 FAid=51 FAName=administrator MAid=887 MAName=admin01 UseSelf=False Code=-8 Message=Failed to logon with FA

MSid: Managed system ID (internal)
Host: Hostname
IP: IP Address
FAid: Functional Account ID (internal)
FAName: Functional Account Name
MAid: Managed Account ID (internal)
MAName: Managed Account Name
UseSelf: Use Own Password to Change Password
Code: Return Code
Message: Result Message
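The PMMLog ChangePassParamsFull and ChangePassResult records shown here and in the earlier transmission row can be parsed and triaged as follows. This is an added example, not code from the guide or from BeyondTrust; the sample lines are the guide's own, while pairing a request with its result on thread name plus MAid and treating any non-zero Code as a failure are assumptions drawn from those samples.

```python
import re
from datetime import datetime

# Field names exactly as they appear in the guide's PMMLog example lines.
PARAM_KEYS = ("Host", "Domain", "PreferredDomainController", "Port", "PF", "FA",
              "FAid", "MA", "MADN", "MAid", "Tout", "NBios", "SLF", "RstSrv",
              "Reason", "RQ", "RL", "Aid")
RESULT_KEYS = ("MSid", "Host", "IP", "FAid", "FAName", "MAid", "MAName",
               "UseSelf", "Code", "Message")
KEYS = {"ChangePassParamsFull": PARAM_KEYS, "ChangePassResult": RESULT_KEYS}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<thread>[^\]]*)\]\s+\w+\s+"
    r"PMMLog - (?P<kind>ChangePassParamsFull|ChangePassResult): ?(?P<body>.*)$")


def split_fields(body, keys):
    """Split on the known keys only, so empty values (Domain=) and values
    that contain spaces (Host, Message) survive intact."""
    pat = re.compile(r"(?:^|\s)(" + "|".join(keys) + r")=")
    hits = list(pat.finditer(body))
    out = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        out[m.group(1)] = body[m.end():end].strip()
    return out


def parse_line(line):
    """Return a dict for a ChangePass* record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = split_fields(m["body"], KEYS[m["kind"]])
    rec["kind"] = m["kind"]
    rec["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    rec["thread"] = m["thread"].strip()
    if m["kind"] == "ChangePassParamsFull":
        # The guide documents Host as "[Hostname] [IP address]" in one field.
        rec["Host"], _, rec["IP"] = rec.get("Host", "").partition(" ")
    return rec


def correlate(lines):
    """Attach the request's Reason and RQ to each result record.
    Assumption: a request and its result share thread name and MAid."""
    pending, results = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["thread"], rec.get("MAid"))
        if rec["kind"] == "ChangePassParamsFull":
            pending[key] = rec
            continue
        req = pending.pop(key, None)
        rec["Reason"] = req.get("Reason") if req else None
        rec["RQ"] = req.get("RQ") if req else None
        code = rec.get("Code", "")
        rec["Code"] = int(code) if re.fullmatch(r"-?\d+", code) else None
        results.append(rec)
    return results


def failures(results):
    """Code=0 is the guide's success sample; anything else, including a
    missing or unparsable code, is reported for review."""
    return [r for r in results if r["Code"] != 0]


# Sample lines copied from the guide's examples.
SAMPLE = r"""
2017-04-11 14:13:18,495 [Kaylee:6 ] INFO PMMLog - ChangePassParamsFull: Host=ubuntu14.btlab.local 10.0.0.13 Domain= PreferredDomainController= Port=22 PF=2 FA=pbpsfunct FAid=25 MA=admin01 MADN= MAid=137624 Tout=30 NBios= SLF=N RstSrv=N Reason=PostReleaseReset RQ=3628 RL= Aid=
2018-03-13 03:43:07,668 [Gary:1 ] INFO PMMLog - ChangePassParamsFull: Host=sql01.btlab.internal 10.3.7.14 Domain= PreferredDomainController= Port=0 PF=1 FA=btlab.internal\svc_PBPSFA FAid=1 MA=admin01 MADN= MAid=1 Tout=30 NBios= SLF=N RstSrv=N Reason=ForcedReset RQ= RL= Aid=
2018-03-13 03:43:07,888 [Gary:1 ] INFO PMMLog - ChangePassResult: MSid= Host=sql01.btlab.internal IP=10.3.7.14 FAid=1 FAName=btlab.internal\svc_PBPSFA MAid=1 MAName=admin01 UseSelf=False Code=0 Message=Password has been changed successfully.
2018-03-19 17:10:21,415 [28] INFO PMMLog - ChangePassResult: MSid= Host=10.10.101.10 IP=10.10.101.10 FAid=51 FAName=administrator MAid=887 MAName=admin01 UseSelf=False Code=-8 Message=Failed to logon with FA
2018-03-19 23:54:46,187 [8] INFO PMMLog - ChangePassResult: MSid= Host=sql01.btlab.internal IP=10.3.7.14 FAid=1 FAName=btlab.internal\svc_PBPSFA MAid=31 MAName=admin12 UseSelf=False Code=-4 Message=Problem with MA. Managed Account does not exist on the system.
""".strip().splitlines()

if __name__ == "__main__":
    for r in failures(correlate(SAMPLE)):
        print(r["ts"], r["Host"], r["MAName"], r["Code"], r["Message"])
```

Results with no matching request in the same input, such as the two failure samples, carry Reason set to None rather than being dropped.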


Audit of New Managed Account (Change Frequency and Change Password after release)

Audit of Managed Account Change (Change Frequency and Change Password after release)


Audit of Local Account Lockout Settings

Audit of Local Account Lockout Options


BI > Configure > User Audits logs all account configuration activity

BI > Configure > User Audits logs changes to group role access

Enterprise users are associated with Password Safe Roles by adding their accounts to Active Directory Groups that have been assigned Roles in Password Safe.

An example audit is shown below of the AD group called btlab.internal\PBPS Requestors being granted Requestor permission to the ‘Windows Managed Accounts’ Smart Group, using the All Day Std Access Policy


BI > Configure > User Audits logs all changes to the banner

Configuration of the Secure LDAP option in the BeyondInsight Configuration tool

Event: All session termination events

Additional Information: None


Log off from the Password Safe GUI

Logoff from the BeyondInsight Management GUI

Event: All use of trusted channel functions

Additional Information: Identity of the initiator and target of the trusted channel


Audit record of user being authenticated via Active Directory

Text logs available in c:\program files (x86)\Eeye Digital Security\Retina CS\Logs\FrontEndLog.txt

Also available via the BeyondInsight support package – instructions at beginning of audit section

2018-03-20 15:35:27,093 [9] INFO BeyondTrust.Logger.Log - eEye Front End Session_Start has been called. IsAppliance=False. ShouldInitialize=True.
2018-03-20 15:35:27,566 [3] WARN eEye.RetinaCS.FrontEnd.PasswordSafe.PMMController - PMM: Login attempt. User Name Halidom.local\rc_req2
2018-03-20 15:35:30,713 [9] INFO eEye.RetinaCS.DataAccess.NHibernateEngine - Created configuration
2018-03-20 15:35:31,217 [9] INFO eEye.RetinaCS.DataAccess.NHibernateEngine - Created session factory
2018-03-20 15:35:31,217 [9] INFO eEye.RetinaCS.DataAccess.NHibernateEngine - Initialized NHibernate
2018-03-20 15:35:31,522 [10] INFO BeyondTrust.Logger.Log - user RC_Req2 has 4 groups
2018-03-20 15:35:31,754 [3] INFO eEye.RetinaCS.FrontEnd.PasswordSafe.PMMController - PMM: Login successful. User Name Halidom.local\rc_req2.

Audit record of RDP establishment via the proxy

Text logs available in c:\program files (x86)\Eeye Digital Security\Retina CS\Logs\PBSMtxt

Also available via the BeyondInsight support package – instructions at beginning of audit section

2018/03/13 06:52:15.227 15052 7752 INFO: PBSMD Service 10084 Spawned
2018/03/13 06:52:15.309 10084 11092 INFO: PBPS Session Manager 1.7.4-735 (Windows 32) (Intel(R) Xeon(R) CPU E5-2673 v3 @ 2.40GHz (2 cores))
2018/03/13 06:52:15.312 10084 11092 INFO: Ethernet 3(00:0d:3a:60:6e:ce): 10.3.7.15
2018/03/13 06:52:15.312 10084 11092 INFO: User ID: 18
2018/03/13 06:52:15.316 10084 11092 INFO: Server Name: beyondinsight.btlab.internal
2018/03/13 06:52:15.318 10084 11092 INFO: Rest Server listening on http://127.0.0.1:4488
2018/03/13 06:52:15.319 10084 11092 INFO: Init Session Status Controller
2018/03/13 06:52:15.320 10084 11092 INFO: Local RDP Proxy listening on 127.0.0.1:60139
2018/03/13 06:52:15.321 10084 11092 INFO: Init pbpsdeploy manager
2018/03/13 06:52:15.321 10084 11092 INFO: RDP Proxy listening on 0.0.0.0:4489
2018/03/13 06:52:15.325 10084 11092 INFO: SSH Proxy listening on 0.0.0.0:4422
2018/03/13 06:52:15.326 10084 11092 INFO: Starting Session Status Controller
2018/03/13 06:52:53.698 10084 11092 INFO: Accepted RDP session 16964 for 10.3.7.16:1477
2018/03/13 06:52:53.782 16964 1532 INFO: RDP Handler 16964 starting
2018/03/13 06:52:53.793 16964 2528 INFO: Client Security: NLA:1 TLS:1 RDP:0
2018/03/13 06:52:53.793 16964 2528 INFO: Server Security: NLA:0 TLS:1 RDP:1
2018/03/13 06:52:53.793 16964 2528 INFO: Negotiated Security: NLA:0 TLS:1 RDP:0
2018/03/13 06:52:53.793 16964 2528 INFO: FreeRDP Openssl fips mode not enabled
2018/03/13 06:52:53.853 16964 2528 ERROR: BIO_read returned a system error 0: No error
2018/03/13 06:52:53.864 16964 1532 ERROR: BIO_should_retry returned a system error 0: No error
2018/03/13 06:52:53.868 10084 11092 INFO: RDP Session 16964 ended
2018/03/13 06:53:04.944 10084 11092 INFO: Accepted RDP session 12156 for 10.3.7.16:1733
2018/03/13 06:53:05.026 12156 13880 INFO: RDP Handler 12156 starting
2018/03/13 06:53:05.038 12156 4600 INFO: Client Security: NLA:1 TLS:1 RDP:0


2018/03/13 06:53:05.038 12156 4600 INFO: Server Security: NLA:0 TLS:1 RDP:1
2018/03/13 06:53:05.038 12156 4600 INFO: Negotiated Security: NLA:0 TLS:1 RDP:0
2018/03/13 06:53:05.038 12156 4600 INFO: FreeRDP Openssl fips mode not enabled
2018/03/13 06:53:05.083 12156 4600 INFO: Accepted client: JUMPHOST
2018/03/13 06:53:05.083 12156 4600 INFO: Accepted channels:
2018/03/13 06:53:05.083 12156 4600 INFO: rdpdr
2018/03/13 06:53:05.083 12156 4600 INFO: rdpsnd
2018/03/13 06:53:05.083 12156 4600 INFO: cliprdr
2018/03/13 06:53:05.083 12156 4600 INFO: drdynvc
2018/03/13 06:53:05.083 12156 4600 INFO: Active rdp encryption level: NONE
2018/03/13 06:53:05.083 12156 4600 INFO: Selected rdp encryption method: NONE
2018/03/13 06:53:05.196 12156 4600 INFO: Local framebuffer format PIXEL_FORMAT_BGRA32
2018/03/13 06:53:05.196 12156 4600 INFO: Remote framebuffer format PIXEL_FORMAT_RGB16
2018/03/13 06:53:05.344 10084 11092 INFO: Adding pbpsdeploy connection 1 10084
2018/03/13 06:53:05.344 10084 11092 INFO: Pushing pbpsdeploy service to sql01.btlab.internal as user btlab.internal\svc_PBPSFA
2018/03/13 06:53:05.346 10084 11092 INFO: Hostname sql01.btlab.internal resolved to 10.3.7.14
2018/03/13 06:53:07.817 10084 11092 INFO: Starting pbpsdeploy service on sql01.btlab.internal as user btlab.internal\svc_PBPSFA
2018/03/13 06:53:07.880 10084 11092 INFO: Copied pbpsmon.cab
2018/03/13 06:53:08.101 10084 11092 INFO: pbpsmon install: Using binary directory C:\Windows\
Created directory C:\pbps
Extracting File "pbpsmon.exe" (Size: 22520 bytes) -> "C:\pbps\pbpsmon.exe"
Extracting File "pbpslaunch.exe" (Size: 153080 bytes) -> "C:\pbps\pbpslaunch.exe"
Extracting File "msvcp120.dll" (Size: 455328 bytes) -> "C:\pbps\msvcp120.dll"
Extracting File "msvcr120.dll" (Size: 970912 bytes) -> "C:\pbps\msvcr120.dll"
Extracting File "vccorlib120.dll" (Size: 247984 bytes) -> "C:\pbps\vccorlib120.dll"
Extracting File "libeay32.dll" (Size: 1367544 bytes) -> "C:\pbps\libeay32.dll"
Extracting File "ssleay32.dll" (Size: 259576 bytes) -> "C:\pbps\ssleay32.dll"
Creating registry keys
Registry keys successfully created
Creating task
Task successfully created
2018/03/13 06:53:08.133 12156 13052 INFO: Connecting RDP session 2fdd2a2a808bc11c9ef8ae05a270e9a264a7e5184925755f42b85e8330f5c9c0(12156) to SQL01\[email protected]:3389
2018/03/13 06:53:10.520 12156 13052 INFO: Connected RDP session 2fdd2a2a808bc11c9ef8ae05a270e9a264a7e5184925755f42b85e8330f5c9c0(12156) to SQL01\[email protected]:3389
2018/03/13 06:53:10.520 12156 13052 INFO: Stashing session 2fdd2a2a808bc11c9ef8ae05a270e9a264a7e5184925755f42b85e8330f5c9c0 1 2018-03-13 06:53:08 AM +0:0 2018-03-13 06:53:08 AM +0:0 0 704
2018/03/13 06:53:10.565 10084 6888 INFO: Sending update id: 2fdd2a2a808bc11c9ef8ae05a270e9a264a7e5184925755f42b85e8330f5c9c0 status: 1
2018/03/13 06:53:10.587 10084 6888 INFO: Session queue is empty
2018/03/13 06:53:11.517 12156 13052 INFO: Accepting RDP Channel PBPSMON
2018/03/13 06:53:20.380 12156 4600 ERROR: peer_recv_callback: CONNECTION_STATE_ACTIVE - peer_recv_pdu() fail
2018/03/13 06:53:20.380 12156 4600 ERROR: transport_check_fds: transport->ReceiveCallback() - -1
2018/03/13 06:53:20.391 12156 13052 ERROR: freerdp_check_fds() failed - 0
2018/03/13 06:53:20.395 12156 13880 INFO: Stashing session 2fdd2a2a808bc11c9ef8ae05a270e9a264a7e5184925755f42b85e8330f5c9c0 2 2018-03-13 06:53:08 AM +0:0 2018-03-13 06:53:20 AM +0:0 12 165296
2018/03/13 06:53:20.417 10084 11092 INFO: RDP Session 12156 ended
2018/03/13 06:53:20.417 10084 11092 INFO: Removing pbpsdeploy connection 1 10084
2018/03/13 06:53:20.417 10084 11092 INFO: Cleaning up pbpsdeploy connections


2018/03/13 06:53:20.441 10084 6888 INFO: Sending update id: 2fdd2a2a808bc11c9ef8ae05a270e9a264a7e5184925755f42b85e8330f5c9c0 status: 2
2018/03/13 06:53:20.466 10084 6888 INFO: Session queue is empty
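
The proxy log above interleaves lines written by the session manager process with lines written by each per-session handler process. As an added example (not part of the BeyondTrust guide), the Python below correlates them by handler process ID into one record per session and lists sessions that ended without reaching a target; the message patterns are inferred from the sample record, and the log values embedded in the code are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the PBSM text-log layout: timestamp, process id, thread id,
# level, message. Addresses, session ids and account names are made up.
SAMPLE_LOG = """\
2018/03/13 06:52:53.698 10084 11092 INFO: Accepted RDP session 16964 for 192.0.2.16:1477
2018/03/13 06:52:53.793 16964 2528 INFO: Negotiated Security: NLA:0 TLS:1 RDP:0
2018/03/13 06:52:53.853 16964 2528 ERROR: BIO_read returned a system error 0: No error
2018/03/13 06:52:53.868 10084 11092 INFO: RDP Session 16964 ended
2018/03/13 06:53:04.944 10084 11092 INFO: Accepted RDP session 12156 for 192.0.2.16:1733
2018/03/13 06:53:05.038 12156 4600 INFO: Negotiated Security: NLA:0 TLS:1 RDP:0
2018/03/13 06:53:08.133 12156 13052 INFO: Connecting RDP session 0123abcd(12156) to SQL01\\exampleadmin@192.0.2.14:3389
2018/03/13 06:53:20.417 10084 11092 INFO: RDP Session 12156 ended
2018/03/13 07:00:20.628 10084 11092 INFO: Accepted SSH session 8612 for 192.0.2.16:5573
2018/03/13 07:00:20.851 8612 8168 INFO: Connecting SSH session 4567ef01(8612) to exampleroot@192.0.2.20:22
2018/03/13 07:00:26.163 10084 11092 INFO: SSH Session 8612 ended
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+) (\d+) (\w+): (.*)$")
ACCEPTED = re.compile(r"^Accepted (RDP|SSH) session (\d+) for (\S+)$")
CONNECTING = re.compile(r"^Connecting (?:RDP|SSH) session (\w+)\((\d+)\) to (\S+)$")
NEGOTIATED = re.compile(r"^Negotiated Security: (.*)$")
ENDED = re.compile(r"^(?:RDP|SSH) Session (\d+) ended$")

def summarize_sessions(text):
    """Correlate proxy log lines into one record per session handler PID."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines (e.g. installer output) carry no header
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        pid, level, msg = m.group(2), m.group(4), m.group(5)
        if a := ACCEPTED.match(msg):
            sessions[a.group(2)] = {"protocol": a.group(1), "client": a.group(3),
                                    "start": ts, "target": None, "session_id": None,
                                    "security": None, "errors": 0, "seconds": None}
        elif (c := CONNECTING.match(msg)) and c.group(2) in sessions:
            sessions[c.group(2)].update(session_id=c.group(1), target=c.group(3))
        elif (e := ENDED.match(msg)) and e.group(1) in sessions:
            s = sessions[e.group(1)]
            s["seconds"] = round((ts - s["start"]).total_seconds(), 3)
        elif pid in sessions:  # lines written by the handler process itself
            if n := NEGOTIATED.match(msg):
                sessions[pid]["security"] = dict(kv.split(":") for kv in n.group(1).split())
            if level == "ERROR":
                sessions[pid]["errors"] += 1
    return sessions

def never_reached_target(sessions):
    """Handler PIDs of sessions that ended without a 'Connecting ... to' line."""
    return sorted(p for p, s in sessions.items() if s["seconds"] is not None and not s["target"])
```

Keying on the handler process ID assumes the ID is not reused within the parsed window; split the input per day or per service start if that cannot be guaranteed.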

Audit record of SSH establishment via the proxy

2018/03/13 07:00:20.628 10084 11092 INFO: Accepted SSH session 8612 for 10.3.7.16:5573
2018/03/13 07:00:20.710 8612 8168 INFO: SSH Handler 8612 starting
2018/03/13 07:00:20.851 8612 8168 INFO: Connecting SSH session d2806648b29dcf8592922c7af9211e87d7353e4ee2a1d88e39361f039ec77503(8612) to [email protected]:22
2018/03/13 07:00:20.915 8612 8168 INFO: Performing SSH Password authentication
2018/03/13 07:00:20.950 8612 8168 INFO: Stashing session d2806648b29dcf8592922c7af9211e87d7353e4ee2a1d88e39361f039ec77503 1 2018-03-13 07:00:20 AM +0:0 2018-03-13 07:00:20 AM +0:0 0 560
2018/03/13 07:00:20.994 10084 6888 INFO: Sending update id: d2806648b29dcf8592922c7af9211e87d7353e4ee2a1d88e39361f039ec77503 status: 1
2018/03/13 07:00:21.020 10084 6888 INFO: Session queue is empty
2018/03/13 07:00:26.125 8612 8168 INFO: Stashing session d2806648b29dcf8592922c7af9211e87d7353e4ee2a1d88e39361f039ec77503 2 2018-03-13 07:00:20 AM +0:0 2018-03-13 07:00:26 AM +0:0 6 1920
2018/03/13 07:00:26.163 10084 11092 INFO: SSH Session 8612 ended
2018/03/13 07:00:26.254 10084 6888 INFO: Sending update id: d2806648b29dcf8592922c7af9211e87d7353e4ee2a1d88e39361f039ec77503 status: 2
2018/03/13 07:00:26.278 10084 6888 INFO: Session queue is empty

Audit record of PowerBroker Windows communication

In File: _QueryResults_PmmLogChange.csv - only available from the BeyondInsight Support Package (instructions at beginning of audit section)

LogChangeID = Internal log reference
LogTime = Date/Time the log record for the password change was created
ManagedAccountID = Internal ID of managed account in Password Safe
FunctionalAccountID = Internal ID of Functional Account (optional)
ManagedSystemID = Internal ID of Managed System
ChangeDt = Date/Time the password was changed by the PBW agent
ChangeReasonCd = Change Reason Code (P=Password Changed by PBW Agent)
Result = Password Change Result (S = Success, F = Failure)
Comment = Comment
Details = Password changed by PBW Agent [internal reference of PBW Agent]


Note: The audit above shows only the relevant information. Text logs are available in c:\program files (x86)\Eeye Digital Security\Retina CS\Logs\EventService.txt when the service is running in debug mode. A snippet and debug instructions are shown below for information. Debug is enabled by toggling the Enable/Disable button on the Configure > Services page.

Snippet from c:\program files (x86)\Eeye Digital Security\Retina CS\Logs\EventService.txt

2018-03-20 13:38:34,323 [64] DEBUG BeyondTrust.Logger.Log - <Return><EventData ProductName="PasswordSafe" Type="UpdatePasswords"><NewPasswordHeartBeatInterval>5</NewPasswordHeartBeatInterval><Credentials><Credential><UserName>LocalPBPS</UserName><Password>********</Password><Id>73</Id></Credential></Credentials></EventData></Return>
2018-03-20 13:38:34,500 [29] DEBUG BeyondTrust.Logger.Log - CN=eEyeEmsClient
2018-03-20 13:38:34,500 [77] DEBUG BeyondTrust.Logger.Log - Before EnsureCDATA: <Events><EventData ProductName="PBW" Type="EventServerMessages"><evts><evt><Type>0</Type><Category>Status</Category><Severity>0</Severity><SourceIP>10.100.128.94</SourceIP><SourceHost>JSILVA-PLUTUS</SourceHost><Subsystem /><Workgroup>BeyondTrust Workgroup</Workgroup><TransactionGroup>2CC661BA-E28F-4BB3-ADC3-281DA98FC67C</TransactionGroup><SubjectDescription>JSILVA-PLUTUS</SubjectDescription><Subject>Application Launch</Subject><Application>PBW</Application><ApplicationVer>7.4.1.6</ApplicationVer><Name>Start Job</Name><Description>Application Launch</Description><Id>RET-SCAN-010</Id><OS>Windows 10 (X64)</OS><nvps><DomainName>olympus.lab</DomainName><DNSName>jsilva-plutus.olympus.lab</DNSName></nvps></evt><evt><Type>0</Type><Category>Status</Category><Severity>0</Severity><SourceIP>10.100.128.94</SourceIP><SourceHost>JSILVA-PLUTUS</SourceHost><Subsystem /><Workgroup>BeyondTrust Workgroup</Workgroup><TransactionGroup>2CC661BA-E28F-4BB3-ADC3-281DA98FC67C</TransactionGroup><SubjectDescription>JSILVA-PLUTUS</SubjectDescription><Subject>10.100.128.94</Subject><Application>PBW</Application><ApplicationVer>7.4.1.6</ApplicationVer><Name>IP Start Time</Name><Description>2018-03-20 17:39:02</Description><Id>RET-SCAN-012</Id><OS>Windows 10 (X64)</OS></evt><evt><Type>0</Type><Category>Audits</Category><Severity>0</Severity><SourceIP>10.100.128.94</SourceIP><SourceHost>JSILVA-PLUTUS</SourceHost><Subsystem /><Workgroup>BeyondTrust Workgroup</Workgroup><TransactionGroup>2CC661BA-E28F-4BB3-ADC3-281DA98FC67C</TransactionGroup><SubjectDescription>JSILVA-PLUTUS</SubjectDescription><Subject>10.100.128.94</Subject><Application>PBW</Application><ApplicationVer>7.4.1.6</ApplicationVer><Name>Constant Label</Name><Description /><Id>RET-SCAN-002</Id><OS>Windows 10 (X64)</OS><nvps><RTH_ID>899</RTH_ID><wb_checked>True</wb_checked></nvps></evt><evt><Type>0</Type><Category>Status</Category><Severity>0</Severity><SourceIP>10.100.128.94</SourceIP><SourceHost>JSILVA-PLUTUS</SourceHost><Subsystem /><Workgroup>BeyondTrust Workgroup</Workgroup><TransactionGroup>2CC661BA-E28F-4BB3-ADC3-281DA98FC67C</TransactionGroup><SubjectDescription>JSILVA-PLUTUS</SubjectDescription><Subject>10.100.128.94</Subject><Application>PBW</Application><ApplicationVer>7.4.1.6</ApplicationVer><Name>IP Stop Time</Name><Description>2018-03-20 17:39:02</Description><Id>RET-SCAN-013</Id><OS>Windows 10 (X64)</OS></evt><evt><Type>0</Type><Category>Status</Category><Severity>0</Severity><SourceIP>10.100.128.94</SourceIP><SourceHost>JSILVA-PLUTUS</SourceHost><Subsystem /><Workgroup>BeyondTrust Workgroup</Workgroup><TransactionGroup>2CC661BA-E28F-4BB3-ADC3-281DA98FC67C</TransactionGroup><SubjectDescription>JSILVA-PLUTUS</SubjectDescription><Subject>Application Launch</Subject><Application>PBW</Application><ApplicationVer>7.4.1.6</ApplicationVer><Name>Stop Job</Name><Description>Application Launch</Description><Id>RET-SCAN-011</Id><OS>Windows 10 (X64)</OS><nvps><DomainName>olympus.lab</DomainName><DNSName>jsilva-plutus.olympus.lab</DNSName></nvps></evt></evts><Sequence>1448</Sequence><DateTime>3/20/2018 5:39:02 PM</DateTime><TransactionGuid>165ca239-6267-4868-a62a-3bd583360888</TransactionGuid></EventData></Events>

All attempted uses of the trusted path functions

Identification of user associated with all trusted path functions, if available

Login into Password Safe Portal


Login into BeyondInsight Management GUI


Appendix A – Default Ports

System Discovery

Functionality          Service        --->       Protocol   Requirement/Notes
User Enumeration       nb-ssn|ms-ds   139|445*   TCP
Hardware Enumeration   nb-ssn|ms-ds   139|445*   TCP        WMI Service running on target
Software Enumeration   nb-ssn|ms-ds   139|445*   TCP        Remote Registry service running on target
Local Scan Services    ms-ds          445        TCP

* Note: 445 preferred

Desktop Connectivity

Functionality    Service   --->   Protocol   Requirement/Notes
User interface   https     443    TCP
Remote Desktop   rdp       4489   TCP
SSH              ssh       4422   TCP

Network Devices

Functionality   Service   --->   Protocol   Requirement/Notes
Checkpoint      ssh       22     TCP
Cisco           ssh       22     TCP
Dell iDRAC      ssh       22     TCP
F5 BIG IP       ssh       22     TCP
HP Comware      ssh       22     TCP
HP iLo          ssh       22     TCP
Juniper         ssh       22     TCP
Palo Alto       ssh       22     TCP
Fortinet        ssh       22     TCP
SonicWall       ssh       22     TCP

Operating Systems

Functionality                     Service     --->   Protocol   Requirement/Notes
AIX                               ssh         22     TCP
HP-UX                             ssh         22     TCP
IBMi (AS400)                      telnet      23     TCP
Linux                             ssh         22     TCP
MAC OSX                           ssh         22     TCP
Solaris                           ssh         22     TCP
Windows Desktop                   adsi-ldap   389    TCP        ms-ds (445/TCP) is used as a fallback
Windows Server                    adsi-ldap   389    TCP        ms-ds (445/TCP) is used as a fallback
Windows Update/Restart Services   wmi         135    TCP        WMI Service running on target


Directories

Functionality      Service     --->   Protocol   Requirement/Notes
Active Directory   adsi-ldap   389    TCP        ms-ds (445/TCP) is used as a fallback
RACF               ssh         22     TCP
LDAP/S             ldap        389    TCP

Databases

Functionality   Service           --->   Protocol   Requirement/Notes
Oracle          oracle-listener   1521   TCP
MS SQL Server   netlib            1433   TCP
Sybase ASE                        5000   TCP
MySQL                             3306   TCP
Teradata                          1025   TCP

Applications

Functionality Service ---> Protocol Requirement/Notes

VMware vSphere API

API

VMware vSphere SSH

22 TCP

SAP

API


Session Management

Functionality    Service   --->   Protocol   Requirement/Notes
Remote Desktop   rdp       3389   TCP
SSH              ssh       22     TCP

Appliance

Functionality             Service               --->       Protocol   Requirement/Notes
Mail Server Integration   smtp                  25         TCP
AD Integration            ldap                  389        TCP
Backup                    smb                   445        TCP
Time Protocol             ntp                   123        TCP
HA Replication (pair)     sql-mirroring|https   5022|443   TCP


About BeyondTrust

BeyondTrust® is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks.

We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes.

BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.