KeeperPAM Commands
Managing KeeperPAM features such as discovery, password rotation, connections, and tunnels
Overview
KeeperPAM provides discovery, password rotation, PAM configuration, and Keeper Gateway configuration, all of which are controlled and managed from Commander with the pam command and its subcommands. These commands support the password rotation and discovery features of Keeper Secrets Manager.
The pam command
Command: pam
Detail: Controls KeeperPAM.
My Vault> pam --help
pam command [--options]
Command Description
--------- -----------------------------
gateway Manage Gateways
config Manage PAM Configurations
rotation Manage Rotations
action Execute action on the Gateway
tunnel Manage Tunnels
Subcommand: gateway
Detail: Lists, creates, and removes Keeper Gateway services. For more on the Keeper Gateway, see the Keeper Gateway page.
My Vault> pam gateway help
pam command [--options]
Command Description
--------- ------------------
list List Gateways
new Create new Gateway
remove Remove Gateway
Subcommand: config
Detail: Lists, creates, edits, and removes Keeper PAM configurations. For details on PAM configurations and Keeper's rotation feature, see the Password Rotation page.
My Vault> pam config help
pam command [--options]
Command Description
--------- -------------------------------------------------------------
new Create new PAM Configuration
edit Edit PAM Configuration
list List available PAM Configurations associated with the Gateway
remove Remove a PAM Configuration
Subcommand: connection
Requirements: the PAM User credential record and the PAM Machine or PAM Database record must be stored in a shared folder, a Gateway must be configured, and all of them must be linked together through a PAM Configuration.
This command edits the KCM connection parameters and the user account tied to PAM Machine and PAM Database records. For bulk changes, use the run-batch command, which reads one Commander command per line from a file.
edit
usage: pam connection edit [-h] [--configuration CONFIG] [--admin-user ADMIN]
[--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}]
[--connections {on,off,default}] [--connections-recording {on,off,default}]
[--typescript-recording {on,off,default}]
[--connections-override-port CONNECTIONS_OVERRIDE_PORT] [--silent]
record
positional arguments:
record The record UID or path of the PAM resource record with network information to use for
connections
options:
-h, --help show this help message and exit
--configuration CONFIG, -c CONFIG
The PAM Configuration UID or path to use for connections. Use command `pam config list` to
view available PAM Configurations.
--admin-user ADMIN, -a ADMIN
The record path or UID of the PAM User record to configure the admin credential on the PAM
Resource
--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}, -p {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}
Set connection protocol
--connections {on,off,default}, -cn {on,off,default}
Set connections permissions
--connections-recording {on,off,default}, -cr {on,off,default}
Set recording connections permissions for the resource
--typescript-recording {on,off,default}, -tr {on,off,default}
Set TypeScript recording permissions for the resource
--connections-override-port CONNECTIONS_OVERRIDE_PORT, -cop CONNECTIONS_OVERRIDE_PORT
Port to use for connections. If not provided, the port from the record will be used.
--silent, -s Silent mode - don't print PAM User, PAM Config etc.
Examples
1. My Vault> pam connection edit "/Share Folder Name/Record Name" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=rdp -cn=on -cr=on -cop=3389
2. My Vault> pam connection edit "/{{ Email }}/{{ Email }} SSH" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=ssh -cn=on -cr=on -cop=22 -s
3. My Vault> pam connection edit "/{{ Email }}/{{ Email }} MSSQL" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=sql-server -cn=on -tr=on -cop=1433
Example 1: Configures an RDP connection on the record, assigning the admin credential and the PAM Configuration. Connections are enabled, screen recording is turned on, and port 3389 overrides the port stored in the record.
Example 2: Configures an SSH connection, assigning the admin credential and the PAM Configuration. Connections and screen recording are enabled, port 22 is used, and the command runs in silent mode so the PAM User and PAM Config details are not printed.
Example 3: Configures an MSSQL connection, assigning the admin credential and the PAM Configuration. Connections are enabled, typescript (text-based terminal) recording is turned on, and port 1433 is used.
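The run-batch path mentioned above is the practical way to apply these settings across a fleet, but a batch file is only as safe as the lines in it: a typo in a protocol or port reaches the Gateway as a real change. The following Python script is an added example and is not Keeper's documentation or Commander's code. It generates run-batch lines for `pam connection edit` from a constructed inventory, validates each entry against the protocol list and port range shown in the help text above, and enforces an assumed policy that every enabled connection is recorded. The record paths, the admin record and the recording policy (screen recording for graphical protocols, typescript recording for terminal and database protocols) are this example's own assumptions; the PAM Configuration UID is the one from the page's examples.

```python
"""Generate a Commander run-batch file of `pam connection edit` commands.

Added example, not part of Keeper's documentation or Commander's code base.
Inventory, record paths and the recording policy are constructed placeholders.
"""
from __future__ import annotations

# Protocol choices exactly as listed by `pam connection edit --help`.
PROTOCOLS = {"http", "kubernetes", "mysql", "postgresql", "rdp",
             "sql-server", "ssh", "telnet", "vnc"}

# Assumed policy for this example: graphical protocols get screen
# recording (-cr), terminal and database protocols get typescript (-tr).
SCREEN_RECORDED = {"rdp", "vnc", "http", "kubernetes"}


def quote(value: str) -> str:
    """Wrap a record path in double quotes as the page's examples do.
    Embedded double quotes or newlines would change how Commander splits
    the line into arguments, so they are rejected outright."""
    if '"' in value or "\n" in value:
        raise ValueError(f"unsafe characters in {value!r}")
    return f'"{value}"'


def connection_edit(record: str, config_uid: str, admin: str,
                    protocol: str, port: int, silent: bool = False) -> str:
    """Return one `pam connection edit` line with connections enabled and
    the recording mode chosen by protocol. Raises on values the CLI would
    reject (unknown protocol, port outside 1-65535)."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    recording = "-cr=on" if protocol in SCREEN_RECORDED else "-tr=on"
    parts = ["pam connection edit", quote(record), f"-c {config_uid}",
             f"-a {quote(admin)}", f"-p={protocol}", "-cn=on", recording,
             f"-cop={port}"]
    if silent:
        parts.append("-s")
    return " ".join(parts)


def build_batch(inventory: list[dict], config_uid: str, admin: str) -> list[str]:
    """Turn an inventory of resources into run-batch lines. Every entry is
    validated before any line is returned, so one bad entry aborts the
    whole batch instead of leaving half the fleet reconfigured."""
    return [connection_edit(e["record"], config_uid, admin, e["protocol"],
                            e["port"], silent=True) for e in inventory]


# Constructed sample inventory; paths are placeholders.
SAMPLE_INVENTORY = [
    {"record": "/PAM Resources/win-jump-01", "protocol": "rdp", "port": 3389},
    {"record": "/PAM Resources/db-core-01", "protocol": "sql-server", "port": 1433},
    {"record": "/PAM Resources/bastion-01", "protocol": "ssh", "port": 22},
]
SAMPLE_CONFIG_UID = "ocYDOuzwt3n0iYXuYk0lHw"   # UID from the page's examples
SAMPLE_ADMIN = "/PAM Resources/pam-admin"        # placeholder PAM User record


def write_batch(path: str = "pam-connections.batch") -> int:
    """Write the batch file; apply it from Commander with `run-batch <path>`.
    Returns the number of commands written."""
    lines = build_batch(SAMPLE_INVENTORY, SAMPLE_CONFIG_UID, SAMPLE_ADMIN)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    for line in build_batch(SAMPLE_INVENTORY, SAMPLE_CONFIG_UID, SAMPLE_ADMIN):
        print(line)
```

Review the generated file before running it, and keep the `-a` admin record in a shared folder that only the PAM team can reach: the batch grants that credential administrative use on every listed resource.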
Subcommand: rotation
Detail: Sets, lists, and inspects Keeper rotation settings for records, and manages their rotation script fields.
My Vault> pam rotation help
pam command [--options]
Command Description
--------- -----------------------------------
set Set Record Rotation Configuration
list List Record Rotation Configurations
info Get Rotation Info
script Add, delete, or edit script field
edit
My Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG] [--iam-aad-config IAM_AAD_CONFIG_UID] [--resource RESOURCE]
[--schedulejson SCHEDULE_JSON_DATA | --schedulecron SCHEDULE_CRON_DATA | --on-demand | --schedule-config] [--complexity PWD_COMPLEXITY]
[--admin-user ADMIN] [--enable | --disable]
options:
-h, --help show this help message and exit
--record RECORD_NAME, -r RECORD_NAME
Record UID, name, or pattern to be rotated manually or via schedule
--folder FOLDER_NAME, -fd FOLDER_NAME
Used for bulk rotation setup. The folder UID or name that holds records to be configured
--force, -f Do not ask for confirmation
--config CONFIG, -c CONFIG
UID or path of the configuration record.
--iam-aad-config IAM_AAD_CONFIG_UID, -iac IAM_AAD_CONFIG_UID
UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
--resource RESOURCE, -rs RESOURCE
UID or path of the resource record.
--schedulejson SCHEDULE_JSON_DATA, -sj SCHEDULE_JSON_DATA
JSON of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY", "intervalCount": 1}'
--schedulecron SCHEDULE_CRON_DATA, -sc SCHEDULE_CRON_DATA
Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17 * * *"
--on-demand, -od Schedule On Demand
--schedule-config, -sf
Schedule from Configuration
--complexity PWD_COMPLEXITY, -x PWD_COMPLEXITY
Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5[,SPECIAL CHARS]
--admin-user ADMIN, -a ADMIN
UID or path for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when rotating
--enable, -e Enable rotation
--disable, -d Disable rotation
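The scheduling and complexity options above are plain strings, and the CLI cannot tell you in advance that a policy is impossible (for example, per-class minimums that add up to more than the length) or that a weekday or time is malformed. The following Python helper is an added example, not Keeper documentation or Commander code: it builds the -sj weekly JSON in the shape shown in the help text, the -sc cron string for a daily run, and the -x complexity spec, validating each before assembling a full `pam rotation edit` command. The record path, admin record, configuration UID and resource UID used at the bottom are placeholders to be replaced with real values.

```python
"""Build a validated `pam rotation edit` command for scheduled rotation.

Added example, not Keeper documentation or Commander code. The schedule JSON
shape and the complexity format follow the option help on this page; the
record path, admin record, CONFIG_UID and RESOURCE_UID are placeholders.
"""
from __future__ import annotations
import json
import re

WEEKDAYS = {"MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY",
            "SATURDAY", "SUNDAY"}


def weekly_schedule(utc_time: str, weekday: str, interval: int = 1) -> str:
    """Return the -sj JSON for a weekly schedule, as in the help text.
    utc_time must be HH:MM in 24-hour UTC."""
    if not re.fullmatch(r"(?:[01]\d|2[0-3]):[0-5]\d", utc_time):
        raise ValueError(f"utcTime must be HH:MM UTC, got {utc_time!r}")
    weekday = weekday.upper()
    if weekday not in WEEKDAYS:
        raise ValueError(f"unknown weekday {weekday!r}")
    if interval < 1:
        raise ValueError("intervalCount must be >= 1")
    return json.dumps({"type": "WEEKLY", "utcTime": utc_time,
                       "weekday": weekday, "intervalCount": interval},
                      separators=(",", ":"))


def daily_cron(hour: int, minute: int) -> str:
    """Return the -sc cron string for a daily run at hour:minute UTC,
    e.g. daily_cron(17, 56) gives '56 17 * * *' as in the help text."""
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("hour/minute out of range")
    return f"{minute} {hour} * * *"


def complexity(length: int, upper: int, lower: int, digits: int,
               symbols: int, special: str | None = None) -> str:
    """Return the -x spec 'length,upper,lower,digits,symbols[,CHARS]'.
    The per-class minimums must fit inside the length; otherwise no
    password can satisfy the policy and every rotation would fail."""
    mins = (upper, lower, digits, symbols)
    if any(m < 0 for m in mins) or length < 1:
        raise ValueError("counts must be non-negative and length >= 1")
    if sum(mins) > length:
        raise ValueError(f"minimums {sum(mins)} exceed length {length}")
    spec = f"{length},{upper},{lower},{digits},{symbols}"
    if special is not None:
        # ',' is the field separator and '"' would break the quoting below.
        if not special or "," in special or '"' in special:
            raise ValueError("invalid special-character set")
        spec += f",{special}"
    return spec


def rotation_edit(record: str, config_uid: str, resource_uid: str,
                  admin: str, schedule: str, pwd: str) -> str:
    """Assemble the full command. `schedule` is either an -sj JSON document
    or an -sc cron string; the usage line makes them mutually exclusive,
    so exactly one flag is emitted. Single quotes keep the JSON's double
    quotes intact, as in the help example."""
    flag = "-sj" if schedule.lstrip().startswith("{") else "-sc"
    return (f'pam rotation edit -r "{record}" -c {config_uid} -rs {resource_uid} '
            f'-a "{admin}" {flag} \'{schedule}\' -x "{pwd}" --enable')


if __name__ == "__main__":
    # Placeholder identifiers; replace with real record paths and UIDs.
    print(rotation_edit("/PAM Resources/svc-backup", "CONFIG_UID", "RESOURCE_UID",
                        "/PAM Resources/pam-admin",
                        weekly_schedule("15:44", "sunday"),
                        complexity(32, 5, 5, 5, 5, "!@#$%")))
```

For an IAM or Azure AD user, pass -iac with the PAM Configuration UID in place of -rs, as the option help states; the helper above covers the resource-record case only.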
list
My Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]
optional arguments:
-h, --help show this help message and exit
--verbose, -v Verbose output
info
My Vault> pam rotation info --help
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotate
script
My Vault> pam rotation script --help
pam command [--options]
Command Description
--------- ---------------------------------
list List script fields
add Add script field
edit Edit script field
delete Delete script field
Subcommand: action
Detail: Runs actions on the Keeper Gateway: gateway information, privileged-account discovery, on-demand rotation, job inspection and cancellation, and service/task relationships for Windows machines.
My Vault> pam action help
pam command [--options]
Command Description
------------------- ----------------
gateway-info Info command
unreleased-discover Discover command
rotate Rotate command
job-info View Job details
job-cancel Cancel Job
gateway-info
My Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID
--verbose, -v Verbose Output
discover
My Vault> pam action discover --help
pam command [--options]
Command Description
--------- ----------------------------------
start Start a discovery process
status Status of discovery jobs
remove Cancel or remove of discovery jobs
process Process discovered items
rule Manage discovery rules
discover start
My Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
[--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
[--cred-file CREDENTIAL_FILE]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID.
--resource RESOURCE_UID, -r RESOURCE_UID
UID of the resource record. Set to discover specific resource.
--lang LANGUAGE Language
--include-machine-dir-users
Include directory users found on the machine.
--inc-azure-aadds Include Azure Active Directory Domain Service.
--skip-rules Skip running the rule engine.
--skip-machines Skip discovering machines.
--skip-databases Skip discovering databases.
--skip-directories Skip discovering directories.
--skip-cloud-users Skip discovering cloud users.
--cred CREDENTIALS List resource credentials.
--cred-file CREDENTIAL_FILE
A JSON file containing list of credentials.
discover status
My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Show only discovery jobs from a specific gateway.
--job-id JOB_ID, -j JOB_ID
Detailed information for a specific discovery job.
--history Show history
discover remove
My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job id.
discover process
My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job to process.
--add-all Respond with ADD for all prompts.
--debug-gs-level DEBUG_LEVEL
GraphSync debug level. Default is 0
discover rule
My Vault> pam action discover rule --help
pam command [--options]
Command Description
--------- --------------
add Add a rule
list List all rules
remove Remove a rule
update Update a rule
discover rule add
My Vault> pam action discover rule add --help
usage: dr-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case] [--shared-folder-uid SHARED_FOLDER_UID]
--statement STATEMENT
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID.
--action {add,ignore,prompt}, -a {add,ignore,prompt}
Action to take if rule matches
--priority PRIORITY, -p PRIORITY
Rule execute priority
--ignore-case Ignore value case. Rule value must be in lowercase.
--shared-folder-uid SHARED_FOLDER_UID
Folder to place record.
--statement STATEMENT, -s STATEMENT
Rule statement
rotate
My Vault> pam action rotate --help
usage: dr-rotate-command [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotate
job-info
My Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if more than one gateway is running
job-cancel
My Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if more than one gateway is running
service list
My Vault> pam action service list -h
usage: pam-action-service-list [-h] --gateway GATEWAY
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
service add
My Vault> pam action service add -h
usage: pam-action-service-add [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to add [service, task]
service remove
My Vault> pam action service remove -h
usage: pam-action-service-remove [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to remove [service, task]
Subcommand: tunnel
Detail: Lists and creates Keeper tunnels from the local machine to target infrastructure. The local tunnel endpoint listens on 127.0.0.1 by default, so only processes on the same machine can reach it; passing a non-loopback address with --host exposes the listener to other hosts on that network, so do so only deliberately.
My Vault> pam tunnel help
pam command [--options]
Command Description
--------- -------------------------
start Start Tunnel
list List all Tunnels
stop Stop Tunnel to the server
tail View Tunnel Log
edit Edit Tunnel settings
start
My Vault> pam tunnel start -h
usage: pam tunnel start [-h] [--host HOST] [--port PORT] uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--host HOST, -o HOST The address on which the server will be accepting connections. It could be an IP address or a
hostname. Ex. set to 127.0.0.1 as default so only connections from the same machine will be accepted.
--port PORT, -p PORT The port number on which the server will be listening for incoming connections. If not set, random
open port on the machine will be used.
list
My Vault> pam tunnel list -h
usage: pam tunnel list [-h]
options:
-h, --help show this help message and exit
stop
My Vault> pam tunnel stop -h
usage: pam tunnel stop [-h] uid
positional arguments:
uid The Tunnel UID or Record UID
options:
-h, --help show this help message and exit
tail
My Vault> pam tunnel tail -h
usage: pam tunnel tail [-h] uid
positional arguments:
uid The Tunnel UID
options:
-h, --help show this help message and exit
edit
My Vault> pam tunnel edit -h
usage: pam tunnel edit [-h] [--configuration CONFIG] [--enable-tunneling] [--tunneling-override-port TUNNELING_OVERRIDE_PORT]
[--disable-tunneling] [--remove-tunneling-override-port]
uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--configuration CONFIG, -c CONFIG
The PAM Configuration UID to use for tunneling. Use command `pam config list` to view available PAM
Configurations.
--enable-tunneling, -et
Enable tunneling on the record
--tunneling-override-port TUNNELING_OVERRIDE_PORT, -top TUNNELING_OVERRIDE_PORT
Port to use for tunneling. If not provided, the port from the record will be used.
--disable-tunneling, -dt
Disable tunneling on the record
--remove-tunneling-override-port, -rtop
Remove tunneling override port