Discovery using Commander

Performing resource discovery through Keeper Commander CLI

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery with Keeper Commander.

Prerequisites

Prior to using Discovery on Commander, make sure to have the following:

Discovery Enforcement Policies

On the Admin Console Preview, the following Enforcement Policies affect the user's ability to run Discovery jobs:

Enforcement Policy
Enforcement Policy
Definition

Can run discovery

ALLOW_PAM_DISCOVERY

Allow users to run discovery jobs

Discovery can also be enabled on the Keeper Commander CLI using the enterprise-role command:

enterprise-role "My Role" --enforcement "ALLOW_PAM_DISCOVERY":true

Installing the Keeper Gateway

The Keeper Gateway is a service that is installed on the customer's network to enabled zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks under management.

Populating PAM User records

Before running a Discovery job, it is recommended to create PAM User records for any administrative credentials you expect to use. Save these credentials as PAM User record types within the Shared Folder that is associated with your Application and Keeper Gateway.

PAM Configuration

To get started with Discovery, you need a PAM Configuration set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.

Network Discovery

Local network discovery utilize a CIDR for scanning. In order for discovery to locate a resource, it must be listening on the required port. Below is the PAM Configuration data required for a successful discovery.

Field
Description
Notes

Network ID

Unique ID for the network

This is for the user's reference

Ex: My Network

Network CIDR

Subnet of the IP address

Port Mapping

If non-standard ports are being used, this ensures that discovery will find the resources.

Example: ssh=2222 rdp=3390

AWS Discovery

AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your security groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

Field
Description
Notes

AWS ID

Identifier selected by user

This is just used for reference.

Access Key ID

Access Key only when required

If instance role is applied to the Gateway, this is not required.

Secret Access Key

Secret Key only when required

If instance role is applied to the Gateway, this is not required.

Region Names

A list of AWS region names separated by newlines. Discovery will only find resources that match.

Example: us-west-1 us-east-2

Port Mapping

If non-standard ports are being used, this ensures that discovery will find the resources.

Example: ssh=2222 rdp=3390

Azure Discovery

Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your Network Security Groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

Field
Description
Notes

Azure ID

A unique id for your instance of Azure

Required, This is for the user's reference Ex: Azure-1

Client ID

The application/client id (UUID) of the Azure application

Required

Client Secret

The client credentials secret for the Azure application

Required

Subscription ID

The UUID of the subscription (i.e. Pay-As-You-GO).

Required

Tenant ID

The UUID of the Azure Active Directory

Required

Resource Groups

A list of resource groups to be checked. If left blank, all resource groups will be checked. Newlines should separate each resource group.

Discovery Action

Once you have finished meeting all the requirements in the Prerequisites section, login to Keeper Commander to run discovery.

$ keeper shell

List the Gateways

Run the command pam gateway list or pam g l command to list all gateways

My Vault> pam gateway list
KSM Application Name (UID) Gateway Name    Gateway UID             Status
-------------------------------------------------------------------------
AWS Rotation               Canada AWS      ce_Gg4jGS2a1ywiMo61Sow  ONLINE
Azure AD                   Azure useast1   j-xC9HwOQEKCfVsdyfdeLg  ONLINE
KeeperPAM US-WEST-1        US-WEST-1       QPkRsR8KQmf_4vnHTcofZA  ONLINE
Windows Domain             lureydemo.local rB8bR3drQrqPErKDzbKl9g  ONLINE

My Vault>

The Gateway UID is required to start the discovery process.

Start Discovery Job

Run the pam action discover start command to start a discovery job. The Gateway UID must be provided with the -g option.

pam action discover start -g QPkRsR8KQmf_4vnHTcofZA

View Status of Discovery Job

View the status of the active discovery job by with pam action discover status

My Vault> pam action discover status

Job ID         Gateway Name    Gateway UID            Status
============== =============== ====================== ============
JOBGQyK8PQYlhc KeeperPAM GW1   QPkRsR8KQmf_4vnHTcofZA COMPLETE

There is one COMPLETED job. To process, use the following command.
  pam action discover process -j JOBsR5G0VQBVV0

Proceed to the next step once the Discovery job's status is COMPLETE. Depending on how big your environment is, this may take a few minutes.

Process the Discovery Results

Once the discovery job is completed, you can process the findings with the provided Job ID.

pam action discover process -j JOBsR5G0VQBVV0

An interactive CLI session will start where you will be shown information on discovered assets and will be able to provision them as PAM Record types in your vault.

My Vault> pam action discover process -j JOBsR5G0VQBVV0

AWS EC2, us-west-1, Gateway3 - RHEL8, 10.0.0.139
Record Title: Aws AWS-US-WEST-1, EC2 us-west-1 Gateway3 - RHEL8
  Label: pamHostname, Type: pamHostname, Value: Hostname: 10.0.0.139, Port: 22
  Label: operatingSystem, Type: text, Value: linux
  Label: sslVerification, Type: checkbox, Value: False
  Label: instanceName, Type: text, Value: Gateway3 - RHEL8
  Label: instanceId, Type: text, Value: i-0319d6e8703875706
  Label: providerGroup, Type: text, Value: None
  Label: providerRegion, Type: text, Value: us-west-1
[2/2] (E)dit, (A)dd to Resources, Add to (F)older, (S)kip, (I)gnore, (Q)uit> A
Adding record to save queue.

During the Discovery process, you may be prompted to provide a PAM User record or create one on the fly to associate administrative credentials with the target resource.

Once the initial process is complete and administrative credentials have been supplied, you can run another Discovery job. This subsequent job leverages the provided credentials to delve deeper into the target resources, identifying local user accounts, services, and scheduled tasks.

Activating PAM Features

After a Discovery process has been completed, you can edit the vault records to activate advanced features such as Rotation, Connections, and Tunnels.

Exploring Commander Capabilities

Keeper Commander provides many advanced capabilities for managing gateways, configurations, rotations and discovery. See the KeeperPAM Commands for a list of all available options.

Last updated

Was this helpful?