Terminal integration lets you integrate your CA ControlMinder endpoints with SAM to track the activities of users who check out privileged accounts. Terminal integration also lets you specify that a user must use automatic login to log in to a CA ControlMinder endpoint with the privileged account.
Before you configure terminal integration, verify the following:
Note: Terminal integration is enabled by default when you install CA ControlMinder with the SAM integration feature enabled. If you enable terminal integration but do not configure it, CA ControlMinder does not enforce terminal integration on any accounts.
For example, if users use SSH to connect to the endpoint, verify that CA ControlMinder uses PAM login interception to intercept SSH logins.
Note: For more information about PAM login interception and the LOGINAPPL class, see the selang Reference Guide.
The following procedure explains how to configure terminal integration for a single privileged account. You can use a policy to configure terminal integration for privileged accounts with the same name on multiple endpoints.
Follow these steps:
Note: For more information about how to manage users in CA ControlMinder Endpoint Management, see the Online Help.
The General tab of the Modify User task page appears.
Specifies that CA ControlMinder uses the name of the user who checked out the privileged account, not the privileged account user name, when it writes audit records and makes authorization decisions.
Specifies that a user must use automatic login to log in to the endpoint with this privileged account. Automatic login lets a user check out a password and automatically log in to an endpoint from CA ControlMinder Enterprise Management.
You have enabled and configured terminal integration for the privileged account.
Example: A Policy That Configures Terminal Integration
The following policy configures terminal integration for an account named administrator. The policy specifies that CA ControlMinder uses the original user name when it writes audit records and makes authorization decisions, and that users must use automatic login to log in to the endpoint as administrator:
editusr administrator pupm_flags(use_original_identity)
editusr administrator pupm_flags(required_checkout)
Copyright © 2013 CA Technologies.
All rights reserved.