CyberArk PAM-DEF - CyberArk Defender - PAM

 PSM captures a record of each command that was executed in Unix by using the SSH text recorder. This is a feature that enables PSM to record all the keystrokes that are typed during privileged sessions on SSH connections, including Unix systems. The SSH text recorder can be configured in the Platform Management settings for each platform that uses the SSH protocol. The text recordings are stored and protected in the Vault server and are accessible to authorized auditors. The text recordings can also be used for auditing and compliance purposes, as they provide a detailed trace of the actions performed by the users on the target systems1. References:

1: Introduction to PSM for SSH, How it works subsection, Text recordings paragraph

The following statements are not true when enabling PSM recording for a target Windows server:

A. The PSM software must be instated on the target server. This is not true, because the PSM software is installed on a dedicated server that acts as a proxy between the user and the target server. The PSM server intercepts the user’s connection request, initiates the connection to the target server, and records the privileged session. The target server does not need to have the PSM software installed on it1.

C. PSMConnect must be added as a local user on the target server. This is not true, because PSMConnect is a predefined user that is created on the PSM server during the installation. This user is used to establish the connection between the PSM server and the target server, and to run the PSM processes. The target server does not need to have a local user named PSMConnect on it2.

The following statements are true when enabling PSM recording for a target Windows server:

B. PSM must be enabled in the Master Policy (either directly, or through exception). This is true, because the Master Policy is a centralized overview of the security and compliance policy of privileged accounts in the organization. It allows the administrator to configure compliance driven rules that are defined as the baseline for the enterprise. One of the rules in the Master Policy is the Session Isolation rule, which determines whether or not privileged sessions are isolated and recorded by PSM. This rule can be enabled either directly in the Master Policy, or through an exception for a specific scope of accounts3.

D. RDP must be enabled on the target server. This is true, because RDP is the protocol that is used by PSM to connect to Windows servers. The target server must have RDP enabled and configured properly to allow the PSM server to access it. The PSM server must also have the RDP client installed on it4.

References:

1: Privileged Session Manager

2: PSMConnect and PSMAdminConnect

3: Session Isolation

4: Configure RDP for PSM

The address field of an Account is used to identify the target system where the Account is located. The CPM uses this address to connect to the target system and perform password management operations. Therefore, the address field can be any name that is resolvable on the CPM server, such as a FQDN, an IP address, a NetBIOS name, or a custom name defined in the hosts file of the CPM server. References:

Defender PAM Sample Items Study Guide, page 9, question 91

CyberArk Privileged Access Security Implementation Guide, page 75, section “Address”

A user with the appropriate permissions can generate a report in the PVWA (Privileged Vault Web Access) under the Reports section1. Users who belong to the group specified in the ManageReportsGroup parameter in the Reports section of the Web Access Options in the System Configuration page are able to generate reports in the PVWA. By default, this group is the PVWAMonitor group1. Additionally, reports can be generated using the PrivateArk Client, which is a desktop application that provides a direct interface to manage the CyberArk Vault and its contents, including the generation of reports2.

References:

CyberArk Docs - Reports in PVWA1

CyberArk Docs - Generate the Report2

 To add an LDAP group to a CyberArk group, you need to use the Private Ark client and follow these steps1:

In the Users and Groups tree, select the CyberArk group that you want to add the LDAP group to.

In the Properties pane, click Member Of.

Click Add > LDAP Group.

In the LDAP Group dialog box, enter the name of the LDAP group and click OK. References: Add an LDAP group to a Vault group

 A linked account is an account that is associated with another account to enable the password management process. A linked account can be used for various purposes, such as logging on to a target system, changing the password of another account, or enabling privileged commands. A linked account can be defined either on the platform level or on the account level, depending on the type and scope of the linked account. The types of linked accounts that are supported by CyberArk are1:

Logon account: An account that contains the password required to log on to a remote machine in order to perform a task using the regular account. A common use case for using a logon account is managing root accounts on a Unix system. The best practice for Unix systems is to disallow the root user from logging in using SSH. However, SSH is what the CPM uses to sign in to a system to manage the password. To manage the root password without violating this practice, the CPM establishes the session with a non-root account and then SUs to root (the target account). This is done using a linked account called a logon account.

Reconcile account: An account that contains the password used in reconciliation processes. Reconciliation is a process that restores the password of a privileged account to the value that is stored in the Vault, in case it is changed or out of sync. A reconcile account is a privileged account that has the permission to reset the password of another account on the target system. By associating a reconcile account with the target account, the CPM can use the reconcile account to restore the password of the target account, in case it is changed or out of sync.

Other additional accounts: Additional accounts can be used in various cases. For example:

Enable password: when managing network devices that require an enable password to access privileged mode.

Jump account: when using a custom plugin in a complex work flow that requires to first log on to a jump server.

The other options are not the purpose of a linked account, because:

A. To ensure that a particular collection of accounts all have the same password. This is not the purpose of a linked account, but of a group account. A group account is an account that is associated with multiple target systems that share the same credentials. A group account allows the CPM to manage the password of multiple systems with a single password object in the Vault2.

B. To ensure a particular set of accounts all change at the same time. This is not the purpose of a linked account, but of a password change schedule. A password change schedule is a feature that allows the administrator to define a time frame for changing the passwords of a set of accounts. A password change schedule can be configured either in the Master Policy or in the Platform settings3.

C. To connect the CPNI to a target system. This is not the purpose of a linked account, but of a service account. A service account is an account that is used by a service or an application to connect to a target system. A service account can be managed by the Central Credential Provider (CCP), which is a component that provides applications and services with the credentials they need to access target systems4.

References:

1: Linked Accounts

2: Group Accounts

3: Password Change Schedule

4: Service Accounts

 To ensure that certain accounts do not have their passwords updated during business hours, you can configure the password change parameters within the platform settings to specify the permitted time frame for updates. This involves setting the FromHour and ToHour parameters to define a window outside of business hours during which the CyberArk Central Policy Manager (CPM) will perform automatic password changes1. By doing so, you can control when password changes occur and ensure compliance with the specified requirement.

References:

CyberArk Community: Discussion on configuring automatic password change parameters

 The Use Accounts permission enables Safe members to log in to a remote machine through a PSM connection from the Accounts List or the Account Details page. The List Accounts permission enables Safe members to view the Accounts list. However, to show or copy the password, the Safe members also need the Retrieve Accounts permission, which allows them to view and copy the account value in the Account Details page or the Accounts list. Therefore, the combination of Use Accounts and List Accounts will allow end users to log in to a remote machine transparently but not show or copy the password. References:

Safe Members - CyberArk1, section “Permissions”

Safes and Safe members - CyberArk2, section “Safe members overview”

In a default CyberArk installation, to view the “reports” page in the PVWA (Privileged Web Access), a user must be a member of the PVWAMonitor group1. This group is specified in the ManageReportsGroup parameter in the Reports section of the Web Access Options in the System Configuration page. Being a member of this group grants the user the necessary permissions to generate and view reports within the PVWA.

References:

CyberArk’s official documentation on Reports in PVWA outlines the requirement for users to belong to the PVWAMonitor group to access the reports page and generate reports1.