Discovery using Commander

Performing resource discovery through Keeper Commander CLI

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery with Keeper Commander.

Prerequisites

Prior to using Discovery on Commander, make sure to review the Discovery Basics documentation.

Starting Commander

Log in to the Keeper Commander CLI using the keeper shell command.

$ keeper shell

List the Gateways

Run the pam gateway list command (or its short form, pam g l) to list all gateways.

My Vault> pam gateway list
KSM Application Name (UID) Gateway Name    Gateway UID             Status
-------------------------------------------------------------------------
AWS Rotation               Canada AWS      ce_Gg4jGS2a1ywiMo61Sow  ONLINE
Azure AD                   Azure useast1   j-xC9HwOQEKCfVsdyfdeLg  ONLINE
KeeperPAM US-WEST-1        US-WEST-1       QPkRsR8KQmf_4vnHTcofZA  ONLINE
Windows Domain             lureydemo.local rB8bR3drQrqPErKDzbKl9g  ONLINE

My Vault>

The Gateway UID is required to start the discovery process.

Start Discovery Job

Run the pam action discover start command to start a discovery job. The Gateway UID must be provided with the -g option.

pam action discover start -g QPkRsR8KQmf_4vnHTcofZA

View Status of Discovery Job

View the status of the active discovery job with pam action discover status.

My Vault> pam action discover status

Job ID         Gateway Name    Gateway UID            Status
============== =============== ====================== ============
JOBGQyK8PQYlhc KeeperPAM GW1   QPkRsR8KQmf_4vnHTcofZA COMPLETE

There is one COMPLETED job. To process, use the following command.
  pam action discover process -j JOBsR5G0VQBVV0

After a discovery job is complete, the detailed status information can be viewed by running:

pam action discover status -j JOBsR5G0VQBVV0

Proceed to the next step once the Discovery job's status is COMPLETE. Depending on how big your environment is, this may take a few minutes.
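The gating step above can be scripted against captured status output. The following is an added example, not part of Keeper's documentation or Commander itself; it assumes the table layout shown above, infers the job ID pattern from the IDs on this page, and uses a constructed second row with a placeholder "RUNNING" status.

```python
import re

# Constructed sample in the layout shown above. The second row and its
# "RUNNING" status are made-up placeholders, not real Commander output.
SAMPLE_STATUS = """\
Job ID         Gateway Name    Gateway UID            Status
============== =============== ====================== ============
JOBGQyK8PQYlhc KeeperPAM GW1   QPkRsR8KQmf_4vnHTcofZA COMPLETE
JOBexample0002 Example GW 2    EXAMPLEgatewayUID00002 RUNNING
"""

# Assumption: job IDs look like the ones on this page ("JOB" + URL-safe chars).
JOB_ID_RE = re.compile(r"JOB[A-Za-z0-9_-]+")


def parse_status_table(text):
    """Return one dict per job row, slicing columns by the '====' ruler.

    Splitting on whitespace would break on gateway names containing spaces.
    """
    lines = text.splitlines()
    ruler = next((i for i, ln in enumerate(lines)
                  if re.fullmatch(r"=+( +=+)+ *", ln)), None)
    if not ruler:  # None (no ruler) or 0 (no header line above it)
        raise ValueError("status table ruler not found")
    starts = [m.start() for m in re.finditer(r"=+", lines[ruler])]
    ends = starts[1:] + [None]  # last column runs to end of line

    def cells(line):
        return [line[s:e].strip() for s, e in zip(starts, ends)]

    names = cells(lines[ruler - 1])
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            break  # the table ends at the first blank line
        rows.append(dict(zip(names, cells(line))))
    return rows


def process_commands(rows):
    """Build the process command for each COMPLETE job with a well-formed ID."""
    return [f"pam action discover process -j {r['Job ID']}"
            for r in rows
            if r.get("Status") == "COMPLETE"
            and JOB_ID_RE.fullmatch(r.get("Job ID", ""))]


if __name__ == "__main__":
    for cmd in process_commands(parse_status_table(SAMPLE_STATUS)):
        print(cmd)
```

Checking the job ID against a strict pattern before building the command keeps malformed table content out of anything that is later pasted or piped into the Commander shell.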

Process the Discovery Results

Once the discovery job is completed, you can process the findings with the provided Job ID.

pam action discover process -j JOBsR5G0VQBVV0

An interactive CLI session will start where you will be shown information on discovered assets and will be able to provision them as PAM Record types in your vault.

My Vault> pam action discover process -j JOBsR5G0VQBVV0

AWS EC2, us-west-1, Gateway3 - RHEL8, 10.0.0.139
Record Title: Aws AWS-US-WEST-1, EC2 us-west-1 Gateway3 - RHEL8
  Label: pamHostname, Type: pamHostname, Value: Hostname: 10.0.0.139, Port: 22
  Label: operatingSystem, Type: text, Value: linux
  Label: sslVerification, Type: checkbox, Value: False
  Label: instanceName, Type: text, Value: Gateway3 - RHEL8
  Label: instanceId, Type: text, Value: i-0319d6e8703875706
  Label: providerGroup, Type: text, Value: None
  Label: providerRegion, Type: text, Value: us-west-1
[2/2] (E)dit, (A)dd to Resources, Add to (F)older, (S)kip, (I)gnore, (Q)uit> A
Adding record to save queue.

During the Discovery process, you may be prompted to provide a PAM User record or create one on the fly to associate administrative credentials with the target resource.

Once the initial process is complete and administrative credentials have been supplied, you can run another Discovery job. This subsequent job leverages the provided credentials to delve deeper into the target resources, identifying local user accounts, services, and scheduled tasks.

Exploring Commander Capabilities

Keeper Commander provides many advanced capabilities for managing gateways, configurations, rotations and discovery. See the KeeperPAM Commands for a list of all available options.
