Symantec Privileged Access Management

Chat Transcript: Office Hours for CA Privileged Access Management [Feb. 3rd] 

Feb 03, 2016 01:57 PM

from Jeff Limpert to Everyone:

Good morning, Kristen. I have no questions at this time.

 

from Kristen Malzone (CA) to Everyone:

Thanks, Jeff!

 

from Kristen Malzone (CA) to Everyone:

Welcome to Office Hours! We'll get started in a few minutes.

 

from Kristen Malzone (CA) to Everyone:

Alright, let's get started!

 

from Kristen Malzone (CA) to Everyone:

If you have a question about CA Privileged Access Manager (formerly XSuite), CA Privileged Identity Manager, or CA Shared Account Manager - ask it here in the chat window!

 

from Kristen Malzone (CA) to Everyone:

Our product experts are standing by to answer your questions in real-time!

 

from Kristen Malzone (CA) to Everyone:

If you haven't yet, please take a few minutes to fill out the CA Privileged Identity Manager product survey! Links found here: https://communities.ca.com/community/ca-security

 

from Kristen Malzone (CA) to Everyone:

Your feedback will impact the future of our products!

 

from Jeff Limpert to Everyone:

What is the purpose and functioning of the CLI Commands user account?

 

from Jeff Limpert to Everyone:

Is it used by the Java API to execute commands?

 

from Jeff Limpert to Everyone:

Here's what I found in the Reference Guide: You can use a command line interface to control and configure CA Privileged Access Manager Credential Management. This interface allows administrators to provide scripted functionality to complete management and integration tasks. The interface supports a limited subset of features that are available through the GUI and a few commands that are only available through the CLI.

 

from Jeff Limpert to Everyone:

Can you expand on that ?

 

from Kristen Malzone (CA) to Everyone:

@Daniel Hi! Welcome to Office Hours. Do you have a question for our product team today?

 

from shahn Soomro to Everyone:

@jeff..the CLI command user account is used to provide the "security context" of running the CLI based administrative commands ..

 

from Jeff Limpert to Everyone:

Would those administrative commands then be internal with no control by PAM admins?

 

from shahn Soomro to Everyone:

@Jeff.. you are close.. it's not a matter of control.. more of not using "Admin/Superuser" context to run CLI based commands. As you know, the CLI interface needs to be 'enabled' first.. and that enables the functionality and CLI account

 

from Kristen Malzone (CA) to Everyone:

@Jeff - These are great questions. Is it ok if we follow up with you via email later today?

 

from Jeff Limpert to Everyone:

Thank you @ Shahn & Kristen

 

from Bill to Everyone:

Use case question: Are there any indications to start using CA PIM for FIM functions? If so will that be a future enhancement and will there be monitoring and reporting? The reason I am asking is because we are starting to set up FIM, HIPS and HIDS functions with PIM.

 

from Weldon Harris to Everyone:

What training is available for CA Privileged Access Management? The last time I looked at the training listing it was very sparse, but I suppose there are events created for specific groups.

 

from Weldon Harris to Everyone:

Presales, partners, etc.

 

from shahn Soomro to Everyone:

@Bill....can you please clarify what you mean by FIM and what exactly the use case is ?

 

from Jeff Limpert to Everyone:

Can someone please expand on the concept of "Request Groups?" I see they can be used as filters, but are they limited to A2A ? Can you give a use example, please ?

 

from shahn Soomro to Everyone:

@Bill... I suppose you are asking about using the "Fine Grain Access Control" functionality of PIM?

 

from Colleen Doyle (CA Edu) to Everyone:

@Weldon, we're working on building content for Privileged Access Mgmt now. I can follow up with you offline for some training options available now.

 

from shahn Soomro to Everyone:

@Jeff.. yes, Request Group is a group of "A2A Requester Servers".. so they can be assigned various common control options without having to do it on a per machine basis

 

from Bill to Everyone:

For example we are using file rules to monitor when a file is changed. This is FIM (File Integrity Monitoring). We combine the file rules with pgm acl's to create allowable functions and block all others. This gives us our HIPS/HIDS functions. We then use other tools (NSM, eHealth, Wily, Arcsight) to trigger alerts or other jobs for these issues.

 

from Jeff Limpert to Everyone:

Thank you.

 

from Bill to Everyone:

@shahn: yes but going to the next level.

 

from shahn Soomro to Everyone:

@Bill.. Got it thanks...i am confused about your question ..."Indication to start using FIM",..did you mean what to "monitor for" when using FIM?

 

from azita lecuire to Everyone:

Hello all, I have a question about the reporting. Could you please explain what is the output of the "Authorization Mappings" report

 

from shahn Soomro to Everyone:

@Azita...Authorization Mapping is used for A2A to map the controls to scripts for protection. The report provides you with a list of authorization mappings in use and their usage

 

from Bill to Everyone:

I was thinking if the FIM/HIPS/HIDS functions could be brought into a central location. I would like to build the rules out, and have the monitors not be in other applications. If someone changes a file (and was allowed by the ACL's) could we set up a function to report that this person changed the file? I would like a way to have our SOC follow up without having to use our other tools.

 

from Bill to Everyone:

Sorry so wordy.

 

from Bill to Everyone:

These are NEW use cases, not part of the standard process for CA PIM. I was just looking at using a better tracking system (CA PIM) than what Tripwire, Log Logic, and other FIM tools use.

 

from shahn Soomro to Everyone:

@Bill.. hmm.. well, the policy development and distribution is centrally controlled. You can also forward CA PIM logs to a central log collector/consolidator and they can be tagged for specific events of interest.. does that answer the question?

 

from Jeff Limpert to Everyone:

I have a note from training that says services are unnecessary except for Web services. I didn't catch the full explanation at that time. Do I have this correct?

 

from Reatesh Sanghi (CA) to Everyone:

@Bill :: We can monitor for certain aspects of the FILE which, if modified without a proper ACL in place, we can deny execution of this FILE. Is this something you are looking at?

 

from shahn Soomro to Everyone:

@Bill.. you definitely get a LOT more value from CA PIM compared to Tripwire etc.. first of all PIM is a "proactive" as opposed to reactive solution.. in other words.. you can "prevent" things from happening as opposed to having to react to them after the problem occurs. But I understand what you mean by monitoring; you can do so by sending logs to a central logging system

 

from David Miller to Everyone:

@Jeff Limpert:  Are you referring to CA PAM TCP/UDP Services?

 

from Bill to Everyone:

@shahn: Partially. I was hoping to find a way to gather what was changed in a file as well. For example, if we set up a file monitor for /etc/services, I would like PIM to create a backup file and compare what was changed in the file. Not just the hash and sha of the file.

 

from Bill to Everyone:

@reatesh: We have that in place for HIPS.  Deny all then add ACL's or program ACL's. That works great.

 

from Reatesh Sanghi (CA) to Everyone:

@Bill :: Monitoring content change inside the FILE is not covered in PIM scope

 

from Jeff Limpert to Everyone:

@David - That's what I missed. I understand the idea of services, but not my note. I was wondering if there was something special needed in the Windows environment - or maybe I should delete my note ?

 

from Reatesh Sanghi (CA) to Everyone:

@Bill : Ok for HIPS.

 

from Jeff Limpert to Everyone:

@David, if this isn't important, we can move on.

 

from David Miller to Everyone:

@Jeff Limpert: The TCP/UDP Services allow you to utilize CA PAM to provide access through other Access Methods, such as HTTPS, or even to use PuTTY rather than the built-in SSH terminal.

 

from shahn Soomro to Everyone:

@Bill.. I get you now.. well.. I agree that will be a very useful enhancement in FIM that we do not have right now.. you can combine the recording with FIM to give you some of that.. but I will definitely pass the idea to the PIM product team

 

from Jeff Limpert to Everyone:

@David, Thank you - I'

 

from Bill to Everyone:

Good for HIPS. Good for FIM overview. Not good for FIM inside the monitored object nor for  HIDS if you want to see what was changed. I know it is not in scope. I was hoping to find out if this new use case could be added to give more value.

 

from Jeff Limpert to Everyone:

I'll think on that

 

from Bill to Everyone:

For example, when you create a file rule, copy the file then you can present a before and after the change view. This would really enhance the HIDS and FIM functions.

 

from shahn Soomro to Everyone:

@Bill..agreed...great ideas ..thanks.. I will find out if that is already on the enhancement list ..if not it should be ..

 

from Bill to Everyone:

@shahn: Thanks for passing this on. I am willing to discuss more if they need it.

 

from shahn Soomro to Everyone:

@Bill..Sure thing. appreciate your comments/suggestions.

 

from Kristen Malzone (CA) to Everyone:

Any other questions out there? We have 20 minutes left!

 

from Kristen Malzone (CA) to Everyone:

If there are no more questions, then we will close this session early.

 

from Kristen Malzone (CA) to Everyone:

We'll post the chat transcript from today's session to the CA Security Community: https://communities.ca.com/community/ca-security

 

from Bill to Everyone:

Is there a way to create group functions for ACL's? For example gfiles. I want to use a Gacl function to say "You can do these 7 functions" without having to build out each function individually in the via(pgm(function)) auth rule.

 

from Jeff Limpert to Everyone:

Will integration guides to other CA products like Service Desk be available?

 

from Kristen Malzone (CA) to Everyone:

@Bill That's a great idea to post to the CA Security Community under the CA Privileged Access Management category: https://communities.ca.com/community/ca-security

 

from Bill to Everyone:

Thanks Kristen.

 

from Kristen Malzone (CA) to Everyone:

@Bill Other customers will be able to vote on the idea and provide feedback.

 

from Kristen Malzone (CA) to Everyone:

@Bill Here is a great video on how to create an idea in the Community: https://communities.ca.com/videos/1447

 

from Kristen Malzone (CA) to Everyone:

Alright, if there are no other questions at this time, we will close Office Hours early.

 

from Kristen Malzone (CA) to Everyone:

PAM Office Hours are held the first Wednesday of every month.

 

from Bill to Everyone:

Thank you.

 

from Kristen Malzone (CA) to Everyone:

See you next month!
