Inspect server accounts
Server Account Management
The Server Account Management security module allows you to monitor and audit remote access to your servers by all of the servers' local user accounts. Halo scans your servers at a frequency that you specify, gathering account information and login history for all servers, then displaying it in a centralized location where you can review and act on it.
The module also provides basic account-management capabilities, allowing you to create, edit, or deactivate server accounts.
In an elastic cloud environment in which you may have hundreds of servers that come and go dynamically, using Halo for these purposes can save you time and also help to ensure complete coverage of your server installation.
Halo regularly performs server access scans and presents detailed results in the Halo portal. The results identify all local accounts on each server, noting each account's access privileges and recent login activity. From this information you can easily identify unexpected accounts, inappropriate privileges, and suspicious login activity on any of your servers.
You can improve the general level of security in your organization by making sure that every user account on every server has only the access privileges appropriate to the role of the account's user, and no more.
One way to accomplish this is by performing access scans on your servers, and then inspecting the server-local accounts for excessive privilege levels or unauthorized logins.
- If you do not see any server access scan results in the portal, Server Account Management may not be enabled. Open the main menu, choose Site Administration, then open the Settings tab and the Agent Settings subtab.
Under Agent Scanning, locate the "SAM" row and ensure that the value of "Automatically Scan" is not "Never". Then click Save.
- If Server Account Management is enabled but no server access scan has yet run, you can launch a scan manually from the Halo portal environment screen:
- Select a server group in the group tree and click the Servers view button.
- Use the checkboxes to select one or more servers to scan.
- From the New menu, select Scans, and then select "Server Access Scan" from the Launch Scans dialog.
- Click Scan. The scan should complete in less than a minute.
- When the scan completes, select a server from the group and click Scans, then scroll or filter until you find the latest server access scan. Click the scan's status (such as "Complete") to view a list of that server's accounts on the Server Access Details page.
For each account, note its summary information in the list. Look especially for more than one account with root privileges (UID = 0), and for accounts that share a UID (the kernel cannot tell them apart, so they have identical file ownership and privileges). Look also for accounts with anomalous "last login" times, and for account names you do not recognize.
- To get additional information on an individual account, click its name to see the account details.
Based on the account's username, comments, group membership, and the organizational responsibilities of its user (based on your own understanding or information about the user), assess whether this account should have its privileges (including sudo or SSH settings) adjusted, or whether the account should be deleted. For more information on adjusting account privileges, see View details of one account in the Server Account Management Setup Guide.
- You can make some privilege changes from within Halo, by clicking the Edit link in the account details. On the Edit Local Account page, you can
- Change the account's UID.
- Change or delete the account's group memberships.
- Change or delete the account's shell path. Setting the shell to /bin/false (or /usr/sbin/nologin) blocks interactive and command logins, including over SSH. Two caveats: an empty shell field is treated as /bin/sh by login, so deleting the shell does not disable login; and a non-login shell does not by itself stop an account whose SSH key is still valid from opening SSH port forwards with no shell session, so remove unneeded keys as well.
Also, you can use the CloudPassage API to update an account's SSH keys. To make other account changes, you'll need to locally administer the user's account on that server.
- Repeat this procedure for other accounts on the server, and other servers in the group.
Note: You can use the CloudPassage API to automate much of the drudgery of combing through many local accounts on many servers. See, for example, the Server Accounts API endpoint description in the Halo REST API Developer Guide.
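The checks the procedure above asks you to make by eye on the Server Access Details page (more than one UID-0 account, shared UIDs, unrecognized names, never-used or stale interactive accounts) are the kind of triage worth scripting once you have many servers. The following is an added example, not CloudPassage code and not the Halo API: it runs those checks over a constructed /etc/passwd-style account list and a constructed table of last-login times, the same fields the portal shows, so you could feed it the account data from a Server Access Scan or from the servers themselves. The `expected` allowlist, the 90-day staleness threshold and the sample records are assumptions for the example.

```python
"""Triage of server-local accounts (added example; not CloudPassage code).

Applies the review checks from the page to /etc/passwd-style records plus
per-account last-login times:
  * more than one account with UID 0,
  * accounts sharing a UID,
  * interactive accounts not on an allowlist of expected names,
  * interactive accounts that have never logged in or not logged in recently.
All input below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: records as they would appear in /etc/passwd on one server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
svc-deploy:x:1001:1001:deploy user:/home/svc-deploy:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
old-contractor:x:1002:1002::/home/old-contractor:/bin/bash
"""

# Constructed sample: last successful login per account (None = never logged in).
SAMPLE_LASTLOG = {
    "root": datetime(2023, 5, 1),
    "alice": datetime(2023, 6, 10),
    "bob": datetime(2023, 6, 12),
    "svc-deploy": None,
    "toor": datetime(2023, 6, 13),
    "old-contractor": datetime(2022, 11, 2),
}

# Assumed allowlist of account names you expect on this server class.
EXPECTED_ACCOUNTS = {"root", "daemon", "backup", "alice", "bob", "svc-deploy"}

# Shells that refuse interactive and command logins.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd-format lines into dicts; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def audit_accounts(accounts, lastlog, expected, now, stale_days=90):
    """Return a list of (finding_kind, detail) tuples for one server."""
    findings = []
    by_uid = defaultdict(list)
    for acct in accounts:
        by_uid[acct["uid"]].append(acct["name"])

    # More than one account with root privileges.
    if len(by_uid[0]) > 1:
        findings.append(("multiple_root", sorted(by_uid[0])))
    # Any other UID shared by two or more accounts.
    for uid, names in sorted(by_uid.items()):
        if uid != 0 and len(names) > 1:
            findings.append(("duplicate_uid", (uid, sorted(names))))

    for acct in accounts:
        # An empty shell field means /bin/sh, so only a known non-login shell
        # counts as non-interactive.
        interactive = acct["shell"] not in NON_LOGIN_SHELLS
        if not interactive:
            continue
        if acct["name"] not in expected:
            findings.append(("unexpected_account", acct["name"]))
        last = lastlog.get(acct["name"])
        if last is None:
            findings.append(("never_logged_in", acct["name"]))
        elif now - last > timedelta(days=stale_days):
            findings.append(("stale_login", acct["name"]))
    return findings


def run_audit(now=datetime(2023, 6, 15)):
    """Run the audit over the constructed sample; 'now' is fixed for reproducibility."""
    accounts = parse_passwd(SAMPLE_PASSWD)
    return audit_accounts(accounts, SAMPLE_LASTLOG, EXPECTED_ACCOUNTS, now)


if __name__ == "__main__":
    for kind, detail in run_audit():
        print(f"{kind:20s} {detail}")
```

Each finding maps to an action from the procedure: a second UID-0 account and an unrecognized, stale account are candidates for deletion; a shared UID needs one of the two accounts renumbered; a service account that has never logged in interactively is a candidate for a non-login shell. Only the `unexpected_account` check depends on site knowledge (the allowlist); the rest follow from the account data alone.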