Discovery using Commander
Performing resource discovery through Keeper Commander CLI
Overview
In this guide, you will learn how to discover resources within your target infrastructure using Discovery with Keeper Commander.
Prerequisites
Prior to using Discovery on Commander, make sure to have the following:
An active license of KeeperPAM
Activate Enforcement Policies on the Admin Console to enable discovery
Deploy a Keeper Gateway using the latest Preview version
Install the latest Keeper Commander version supporting
pam action discover
Discovery Enforcement Policies
On the Admin Console Preview, the following Enforcement Policies affect the user's ability to run Discovery jobs:
Can run discovery
Allow users to run discovery jobs
Discovery can also be enabled on the Keeper Commander CLI using the enterprise-role
command:
Installing the Keeper Gateway
The Keeper Gateway is a service that is installed on the customer's network to enabled zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks under management.
Populating PAM User records
Before running a Discovery job, it is recommended to create PAM User records for any administrative credentials you expect to use. Save these credentials as PAM User record types within the Shared Folder that is associated with your Application and Keeper Gateway.
PAM Configuration
To get started with Discovery, you need a PAM Configuration set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.
Network Discovery
Local network discovery utilize a CIDR for scanning. In order for discovery to locate a resource, it must be listening on the required port. Below is the PAM Configuration data required for a successful discovery.
Network ID
Unique ID for the network
This is for the user's reference
Ex: My Network
Network CIDR
Subnet of the IP address
Port Mapping
If non-standard ports are being used, this ensures that discovery will find the resources.
Example: ssh=2222 rdp=3390
AWS Discovery
AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.
In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your security groups as necessary to allow this.
Below is the PAM Configuration data required for a successful discovery.
AWS ID
Identifier selected by user
This is just used for reference.
Access Key ID
Access Key only when required
If instance role is applied to the Gateway, this is not required.
Secret Access Key
Secret Key only when required
If instance role is applied to the Gateway, this is not required.
Region Names
A list of AWS region names separated by newlines. Discovery will only find resources that match.
Example: us-west-1 us-east-2
Port Mapping
If non-standard ports are being used, this ensures that discovery will find the resources.
Example: ssh=2222 rdp=3390
Azure Discovery
Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.
In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your Network Security Groups as necessary to allow this.
Below is the PAM Configuration data required for a successful discovery.
Azure ID
A unique id for your instance of Azure
Required, This is for the user's reference
Ex: Azure-1
Client ID
The application/client id (UUID) of the Azure application
Required
Client Secret
The client credentials secret for the Azure application
Required
Subscription ID
The UUID of the subscription (i.e. Pay-As-You-GO).
Required
Tenant ID
The UUID of the Azure Active Directory
Required
Resource Groups
A list of resource groups to be checked. If left blank, all resource groups will be checked. Newlines should separate each resource group.
Discovery Action
Once you have finished meeting all the requirements in the Prerequisites section, login to Keeper Commander to run discovery.
List the Gateways
Run the command pam gateway list
or pam g l
command to list all gateways
The Gateway UID is required to start the discovery process.
Start Discovery Job
Run the pam action discover start
command to start a discovery job. The Gateway UID must be provided with the -g
option.
View Status of Discovery Job
View the status of the active discovery job by with pam action discover status
Proceed to the next step once the Discovery job's status is COMPLETE. Depending on how big your environment is, this may take a few minutes.
Process the Discovery Results
Once the discovery job is completed, you can process the findings with the provided Job ID.
An interactive CLI session will start where you will be shown information on discovered assets and will be able to provision them as PAM Record types in your vault.
During the Discovery process, you may be prompted to provide a PAM User record or create one on the fly to associate administrative credentials with the target resource.
Once the initial process is complete and administrative credentials have been supplied, you can run another Discovery job. This subsequent job leverages the provided credentials to delve deeper into the target resources, identifying local user accounts, services, and scheduled tasks.
Activating PAM Features
After a Discovery process has been completed, you can edit the vault records to activate advanced features such as Rotation, Connections, and Tunnels.
Exploring Commander Capabilities
Keeper Commander provides many advanced capabilities for managing gateways, configurations, rotations and discovery. See the KeeperPAM Commands for a list of all available options.
Last updated
Was this helpful?