Install and Configure a Socket Filter Agent

Socket Filter Agents (SFAs) restrict access either to server-based devices or from server-based devices. Socket filters provide a different kind of access control than devices with finite command sets, such as routers, for which command filtering is applied.
SFAs work with Socket Filter Lists (SFLs) configured on the appliance. For details, see Socket Filter Agent Support.
Socket Filter Agent Installation Requirements
This section describes the requirements for installing a Socket Filter Agent.
  • Network Port Requirements:
    SFAs have the following network port requirements:
    • By default, port 8550 must be allowed between the target host containing the SFA and the appliance. You can configure the SFA to use a different port.
    • Port 443 must also be open to allow communication back to the appliance, including messages for log entries.
      For AWS or Azure, ensure that these ports are also open in the AWS or Azure network settings, and the OS firewall of the instance.
  • Permissions:
    SFA installation requires administration privileges, such as those provided by the Windows default Administrator account or the UNIX root account.
  • Supported Operating Systems:
    See Supported Environments for operating systems that support the SFA.
Use the following optional procedure to monitor the status of SFA agents from the PAM UI.
Download the Socket Filter Agent Software
Use this procedure to download the SFA software package.
Follow the appropriate steps on the target system:
  • If your appliance is running a Service Pack (X.x.x) release, do the following steps to identify whether there are any Socket Filter Agent patches listed for your release stream:
    1. Select the appropriate Socket Filter Agent zip file for your operating system and release (for example, WindowsSFA-3.3.2.zip) to download the .zip file to local storage.
    2. Unzip the installation package.
  • If you are running a major (X.x) release, follow these steps:
    1. Log in to Download Management and search for, then select, the "Privileged Access Management" entry.
    2. Filter the results to locate the "Privileged Access Manager MSP Debian" software and select the entry that is returned.
    3. Select the appropriate release from the Release drop-down list.
    4. Download the "Windows Socket Filter Agent" or "Unix Windows Socket Filter Agent" entry, as appropriate.
    5. Unzip the installation package that downloads to a directory on a local drive.
Install and Configure a Socket Filter Agent on Windows
Windows Socket Filter Agents are provided as MSI self-extracting packages. This section describes how to install and configure SFAs on a Windows target system.
On Windows targets, Socket Filter policies are not enforced against users who log in to targets directly, bypassing Privileged Access Manager.
Install a Windows SFA Using the Installer UI
Use this procedure to install a Windows SFA using the installer UI.
The account that is used to install the SFA determines which accounts can uninstall the SFA. If one of the following accounts installs the SFA, no other account can uninstall the agent:
  • A domain-based account with local Administrator privileges
  • A local account with local Administrator privileges, other than the built-in Administrator account itself
  • A local Administrator account with local Administrator privileges
If the installing domain-based or local account becomes obsolete or invalid, you might not be able to uninstall the SFA. To uninstall the SFA product under these circumstances, contact CA Technologies Support.
Follow these steps:
  1. Ensure that all installation prerequisites are met.
  2. Log in to the target Windows device as a local administrator.
  3. Use the Add/Remove Programs window (or equivalent) to remove any existing Windows SFA from the target device.
  4. Navigate to the directory where you uncompressed the SFA download.
  5. Start the installer by double-clicking the WinSFA.exe file.
  6. Follow the prompts.
After installation, the SFA starts and runs as a background Windows service with the default name "CA Technologies Socket Filter". Use the local Windows Services interface for service settings and control.
Install an SFA Silently on Windows
Use this procedure to install a Windows SFA silently with automatic startup.
The account that is used to install the SFA determines which accounts can uninstall the SFA. If one of the following accounts installs the SFA, no other account can uninstall the agent:
  • A domain-based account with local Administrator privileges
  • A local account with local Administrator privileges, other than the built-in Administrator account itself
  • A local Administrator account with local Administrator privileges
If the installing domain-based or local account becomes obsolete or invalid, you might not be able to uninstall the SFA. To uninstall the SFA product under these circumstances, contact CA Technologies Support.
Follow these steps:
  1. Ensure that all installation prerequisites are met.
  2. Log in to the target Windows device as a local administrator.
  3. Use the Add/Remove Programs window (or equivalent) to remove any existing Windows SFA from the target device.
  4. Navigate to the directory where you uncompressed the SFA download.
  5. Open a Command Prompt window and navigate to the directory where you uncompressed the SFA download.
    On Windows Server 2008 and Windows Server 2012, right-click on the Command Prompt icon and select Run as Administrator.
  6. Enter the following command:
    path\WinSFA.exe /s /v"/qn /liwe c:\XCDM_SFA.log"
    Where path is the path where the WinSFA.exe file is located.
    The /q and /l options and parameters are recommended but not required.
After installation, the SFA starts and runs as a background Windows service (with the default name "CA Technologies Socket Filter"). Use the local Windows Services interface for service settings and control.
Change Basic Windows SFA Configuration Settings
Run the SFAConfig.exe configuration utility to change basic SFA settings.
Follow these steps:
  1. Navigate to SFA_Install_Dir\Bin, where SFA_Install_Dir is the SFA installation directory. Default: C:\Program Files (x86)\CATech\Socket Filter.
  2. Execute SFAConfig.exe.
  3. Change any of the following settings, as required:
    • Port:
      The port that the SFA uses to communicate with the appliance. Default: 8550
    • Service Name:
      The name of the SFA Windows service. Default: "CA Technologies Socket Filter."
    • Service Description:
      The description of the SFA Windows service. Default: "CA Technologies Socket Filter."
    • Run Agent in Verbose mode:
      Determines whether the SFA produces detailed log messages for diagnostic purposes. Default: off.
  4. Select Save.
After you save the new settings, the SFA restarts.
Troubleshoot a Windows SFA
Turn on Verbose mode using the SFAConfig.exe configuration utility to generate detailed log messages.
Log messages are stored in the log.txt file that is located in the installation directory.
Uninstall a Windows SFA
To uninstall a Windows SFA, do one of the following:
  • Access the Windows Control Panel and use the Add/Remove Programs window (or equivalent).
  • Open a Command Prompt window and enter the following text:
    MsiExec.exe /X{5A2A2643-2BD6-4D09-9B03-E08098887B06} /norestart
Install and Configure a Socket Filter Agent on UNIX
This section describes how to install and configure a Socket Filter Agent (SFA) on a UNIX target.
On UNIX and Linux targets, the Socket Filter Agent only filters non-root users. A Socket Filter List in a policy becomes effective only for non-root users logging in to targets through PAM. Afterwards, the filter is in effect, even if the user logs in to the target directly. Socket filters for all users are reset after root restarts the socket agent (gksfd).
Install a UNIX SFA
The UNIX SFA download package contains a separate installer script for each supported UNIX operating system. Each script has a descriptive filename of the following format:
gksfd_sfa-version_os-version[_64]_linux_install.sh
Where sfa-version is the SFA release version and os-version is the UNIX version.
For example:
  • gksfd_2.70_debian6_64_linux_install.sh for a Release 2.7 SFA for Debian 6 (64-bit)
  • gksfd_2.70_rh6_linux_install.sh for a Release 2.7 SFA for Red Hat EL 6 (32-bit)
Depending on the OS, there are different methods of deploying the SFAs. Because minimal configuration is required on the managed target device, an SFA can be deployed through preexisting software delivery mechanisms.
Follow these steps:
  1. Ensure that all installation prerequisites are met.
  2. Log in to the target device as a local administrator.
  3. Remove any existing UNIX SFA from the target device.
  4. Open a terminal window.
  5. Copy the appropriate installer script for your operating system to the directory where you want to install the SFA.
  6. Run the installer script. For example, to install a 2.7 SFA on Red Hat Enterprise Linux (32-bit):
    [root]# sh gksfd_2.70_rh6_linux_install.sh
    A terminal window opens, allowing you to interact with the installer script.
  7. Follow the online directions. When requested, supply a destination directory to install the SFA. The default is /usr/sbin.
    For AIX, the control script is installed in /etc/rc.d/init.d/. For all other versions of UNIX, the control script is installed in /etc/init.d/.
    If you specify a location different from the default installation location, you might encounter unexpected behavior. CA Technologies recommends against moving from the default locations.
Configure and Operate a UNIX SFA
A configuration file (/etc/gksfd.cfg) and a control script control UNIX SFA operation. For Linux, the control script is located at /etc/init.d/rc.gksfd. Other OS versions store this script in corresponding locations.
The following list describes key settings in the gksfd.cfg configuration file (name, setting, description).
  • Login control: SECURE_LOGIN=[0|1]
    0: Allow login from outside PAM.
    1: Allow login only from a PAM connection.
  • Secure user list: SECURE_USER=<username_1>,<username_2>,…<username_N>
    Specifies every SFA superuser: every device login user that is not subjected to any socket filter policy.
    Each username is delimited with a comma, with no spaces permitted.
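Because every name in SECURE_USER is exempt from socket filtering, it is worth checking the file before restarting gksfd. The following POSIX sh function is an added example, not part of the CA product; it assumes gksfd.cfg uses the KEY=VALUE lines described above and flags an unset or invalid SECURE_LOGIN, whitespace or empty entries in SECURE_USER, and prints each exempt user for review.

```shell
#!/bin/sh
# Added example: sanity-check /etc/gksfd.cfg before reloading the SFA.
# Assumption: the file holds KEY=VALUE lines (SECURE_LOGIN, SECURE_USER)
# exactly as described in the settings list above.

validate_gksfd_cfg() {
    cfg="$1"
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }

    # SECURE_LOGIN must be exactly 0 or 1; take the last definition if repeated.
    login=$(sed -n 's/^SECURE_LOGIN=//p' "$cfg" | tail -n 1)
    case "$login" in
        0)  echo "SECURE_LOGIN=0: logins from outside PAM are allowed" ;;
        1)  echo "SECURE_LOGIN=1: only PAM connections may log in" ;;
        "") echo "SECURE_LOGIN is not set" >&2; rc=1 ;;
        *)  echo "SECURE_LOGIN has invalid value '$login' (expected 0 or 1)" >&2; rc=1 ;;
    esac

    # SECURE_USER is a comma-separated list with no spaces; every listed
    # user bypasses socket filtering, so each one is printed for review.
    users=$(sed -n 's/^SECURE_USER=//p' "$cfg" | tail -n 1)
    if [ -n "$users" ]; then
        case "$users" in
            *[[:space:]]*) echo "SECURE_USER contains whitespace: '$users'" >&2; rc=1 ;;
            *,,*|,*|*,)    echo "SECURE_USER has an empty entry: '$users'" >&2; rc=1 ;;
        esac
        echo "$users" | tr ',' '\n' | while read -r u; do
            echo "exempt from socket filters: $u"
        done
    fi
    return $rc
}
```

Run it as `validate_gksfd_cfg /etc/gksfd.cfg` before `rc.gksfd reload`; a non-zero exit means the file should be corrected first.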
The syntax to run the control script is as follows:
rc.gksfd { start | stop | restart | reload }
The syntax for the UNIX SFA executable is as follows:
gksfd [-options]
The following list describes the options (option, default value when the option is not set, description).
  • -h
    Display online help.
  • -l logfile (default: /var/log/gksfd.log)
    Specify the log file used.
  • -p port# (default: 8550)
    Set the port to communicate with the appliance.
  • -v (default log level: info)
    Set log-level to Verbose mode. For example:
    /usr/sbin/gksfd -v >> /var/log/gksfdmessages
    Set this option only when extra logging is required.
  • -ver
    Display the version number.
To apply persistent changes, set the UNIX SFA options in the rc.gksfd file.
Some platforms, such as Red Hat Linux, might block port 8550 by default, which inhibits SFA operation. To determine whether the port is blocked, use the netstat command. If necessary, open port 8550 using the command
iptables -I INPUT 1 -p tcp --dport 8550 -j ACCEPT
and restart the SFA.
Troubleshoot a UNIX SFA
Use the -v option to turn on Verbose mode to generate detailed log messages.
The default location for log messages is /var/log/gksfd.log.
Uninstall a UNIX SFA
Follow these steps:
  1. Stop the gksfd daemon from the directory where the executable was installed. The following example is for Red Hat 6 Linux:
    [root]# /etc/init.d/rc.gksfd stop
  2. Delete the following files:
    • The executable, typically located at /usr/sbin/gksfd
    • The control script, typically located at /etc/init.d/rc.gksfd