KeeperPAM Commands

Managing KeeperPAM features such as discovery, password rotation, connections, and tunnels

Overview

KeeperPAM provides discovery, password rotation, PAM configuration, and Keeper Gateway configuration, all of which can be controlled and managed from Commander with the pam command and its subcommands. These commands support the password rotation and discovery features of Keeper Secrets Manager.

The pam command

Command: pam

Details: Controls KeeperPAM.

My Vault> pam --help
pam command [--options]

Command    Description
---------  -----------------------------
gateway    Manage Gateways
config     Manage PAM Configurations
rotation   Manage Rotations
action     Execute action on the Gateway
tunnel     Manage Tunnels

Subcommand: gateway

Details: Displays, creates, and removes Keeper Gateway services. For details on the Keeper Gateway, see this page.

My Vault> pam gateway help
pam command [--options]

Command    Description
---------  ------------------
list       List Gateways
new        Create new Gateway
remove     Remove Gateway

Subcommand: config

Details: Displays, creates, edits, and removes Keeper PAM configurations. For details on PAM configurations and Keeper's rotation feature, see the Password Rotation page.

My Vault> pam config help
pam command [--options]

Command    Description
---------  -------------------------------------------------------------
new        Create new PAM Configuration
edit       Edit PAM Configuration
list       List available PAM Configurations associated with the Gateway
remove     Remove a PAM Configuration

Subcommand: connection

Requirements: Make sure that the PAM User credential record and the PAM Machine or PAM Database record are in a shared folder, that a Gateway is configured, and that everything is linked together through a PAM Configuration.

This command edits the KCM connection parameters and the user account associated with PAM Machine and PAM Database records. For bulk processing, the run-batch command can be used.

edit

usage: pam connection edit [-h] [--configuration CONFIG] [--admin-user ADMIN]
                           [--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}]
                           [--connections {on,off,default}] [--connections-recording {on,off,default}]
                           [--typescript-recording {on,off,default}]
                           [--connections-override-port CONNECTIONS_OVERRIDE_PORT] [--silent]
                           record

positional arguments:
  record                The record UID or path of the PAM resource record with network information to use for
                        connections

options:
  -h, --help            show this help message and exit
  --configuration CONFIG, -c CONFIG
                        The PAM Configuration UID or path to use for connections. Use command `pam config list` to
                        view available PAM Configurations.
  --admin-user ADMIN, -a ADMIN
                        The record path or UID of the PAM User record to configure the admin credential on the PAM
                        Resource
  --protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}, -p {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}
                        Set connection protocol
  --connections {on,off,default}, -cn {on,off,default}
                        Set connections permissions
  --connections-recording {on,off,default}, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --typescript-recording {on,off,default}, -tr {on,off,default}
                        Set TypeScript recording permissions for the resource
  --connections-override-port CONNECTIONS_OVERRIDE_PORT, -cop CONNECTIONS_OVERRIDE_PORT
                        Port to use for connections. If not provided, the port from the record will be used.
  --silent, -s          Silent mode - don't print PAM User, PAM Config etc.

1. My Vault> pam connection edit "/Share Folder Name/Record Name" -c ocYDOuzwt3n0iYXuYk0lHw 
-a "/Share Folder Name/Record Name" -p=rdp -cn=on -cr=on -cop=3389

2. My Vault> pam connection edit "/{{ Email }}/{{ Email }} SSH" -c ocYDOuzwt3n0iYXuYk0lHw 
-a "/Share Folder Name/Record Name" -p=ssh -cn=on -cr=on -cop=22 -s

3. My Vault> pam connection edit "/{{ Email }}/{{ Email }} MSSQL" -c ocYDOuzwt3n0iYXuYk0lHw 
-a "/Share Folder Name/Record Name" -p=sql-server -cn=on -tr=on -cop=1433

Example 1: Creates an RDP connection and assigns the admin credential and PAM configuration. Enables connections and enables screen recording.

Example 2: Creates an SSH connection and assigns the admin credential and PAM configuration. Enables connections and screen recording, and runs in silent mode, which suppresses the output.

Example 3: Creates an MSSQL connection and assigns the admin credential and PAM configuration. Enables connections and enables typescript recording.
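The three examples above configure one resource each; the page notes that run-batch can be used for bulk work. The following is an added example, not part of Keeper's documentation or Commander's own code, that generates a run-batch file of `pam connection edit` lines from a small inventory. It validates every value against what the help text above accepts (the protocol list, the on/off/default tristates, a sane port) and, as its own policy, refuses to enable connections on a resource with all session recording switched off, since the recording is the audit trail of the privileged session. The inventory, the record paths and the admin record are constructed placeholders; the PAM Configuration UID is the one used in the page's own examples.

```python
"""Generate a Commander run-batch file of `pam connection edit` commands.

Added example, not part of Keeper's documentation or Commander's own code.
Assumptions: the inventory below is constructed; record paths, shared folder
name and admin record are placeholders; the PAM Configuration UID is the one
from the page's examples. Flag names, the protocol list and the
on/off/default values are taken from `pam connection edit --help`.
"""

# Protocol choices exactly as listed for --protocol in the help text.
PROTOCOLS = ("http", "kubernetes", "mysql", "postgresql", "rdp",
             "sql-server", "ssh", "telnet", "vnc")
TRISTATE = ("on", "off", "default")


def quote_path(path):
    """Double-quote a record path containing spaces, as the page's examples do."""
    return f'"{path}"' if " " in path else path


def build_connection_edit(record, config_uid, admin, protocol, port=None,
                          connections="on", screen_recording="on",
                          typescript_recording="default", silent=False,
                          allow_unrecorded=False):
    """Return a single `pam connection edit` command line.

    Raises ValueError for values the command would reject (unknown protocol,
    bad tristate, port out of range) and, as this example's own policy, for a
    resource whose privileged sessions would not be recorded at all.
    """
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    for name, value in (("-cn", connections), ("-cr", screen_recording),
                        ("-tr", typescript_recording)):
        if value not in TRISTATE:
            raise ValueError(f"{name} must be one of {TRISTATE}, got {value!r}")
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    if (connections == "on" and screen_recording == "off"
            and typescript_recording == "off" and not allow_unrecorded):
        raise ValueError(f"{record}: connections enabled with all recording off")

    parts = ["pam", "connection", "edit", quote_path(record),
             "-c", config_uid, "-a", quote_path(admin),
             f"-p={protocol}", f"-cn={connections}",
             f"-cr={screen_recording}", f"-tr={typescript_recording}"]
    if port is not None:
        parts.append(f"-cop={int(port)}")
    if silent:
        parts.append("-s")
    return " ".join(parts)


def build_batch(inventory, config_uid, admin):
    """Build one command line per inventory entry (silent mode, for batch use)."""
    return [build_connection_edit(e["record"], config_uid, admin, e["protocol"],
                                  port=e.get("port"),
                                  typescript_recording=e.get("tr", "default"),
                                  silent=True)
            for e in inventory]


# Constructed inventory for illustration: one PAM resource record per entry.
INVENTORY = [
    {"record": "/Servers/win-app-01 RDP", "protocol": "rdp", "port": 3389},
    {"record": "/Servers/db-01 MSSQL", "protocol": "sql-server", "port": 1433, "tr": "on"},
    {"record": "/Servers/bastion SSH", "protocol": "ssh", "port": 22, "tr": "on"},
]
CONFIG_UID = "ocYDOuzwt3n0iYXuYk0lHw"   # PAM Configuration UID from the page's examples
ADMIN_RECORD = "/Servers/Domain Admin"  # placeholder PAM User record path

if __name__ == "__main__":
    # The resulting file is what you would hand to Commander's run-batch command.
    with open("connections.batch", "w") as fh:
        fh.write("\n".join(build_batch(INVENTORY, CONFIG_UID, ADMIN_RECORD)) + "\n")
```

Each generated line has the same shape as examples 1 to 3 above; the script only adds input validation in front of the command so that a typo in a protocol or port surfaces before the batch touches any record.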

Subcommand: rotation

Details: Displays and creates Keeper rotation settings for records.

My Vault> pam rotation help
pam command [--options]

Command    Description
---------  -----------------------------------
set        Set Record Rotation Configuration
list       List Record Rotation Configurations
info       Get Rotation Info
script     Add, delete, or edit script field

edit

My Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG] [--iam-aad-config IAM_AAD_CONFIG_UID] [--resource RESOURCE]
                         [--schedulejson SCHEDULE_JSON_DATA | --schedulecron SCHEDULE_CRON_DATA | --on-demand | --schedule-config] [--complexity PWD_COMPLEXITY]
                         [--admin-user ADMIN] [--enable | --disable]

options:
  -h, --help            show this help message and exit
  --record RECORD_NAME, -r RECORD_NAME
                        Record UID, name, or pattern to be rotated manually or via schedule
  --folder FOLDER_NAME, -fd FOLDER_NAME
                        Used for bulk rotation setup. The folder UID or name that holds records to be configured
  --force, -f           Do not ask for confirmation
  --config CONFIG, -c CONFIG
                        UID or path of the configuration record.
  --iam-aad-config IAM_AAD_CONFIG_UID, -iac IAM_AAD_CONFIG_UID
                        UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
  --resource RESOURCE, -rs RESOURCE
                        UID or path of the resource record.
  --schedulejson SCHEDULE_JSON_DATA, -sj SCHEDULE_JSON_DATA
                        JSON of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY", "intervalCount": 1}'
  --schedulecron SCHEDULE_CRON_DATA, -sc SCHEDULE_CRON_DATA
                        Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17 * * *"
  --on-demand, -od      Schedule On Demand
  --schedule-config, -sf
                        Schedule from Configuration
  --complexity PWD_COMPLEXITY, -x PWD_COMPLEXITY
                        Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5[,SPECIAL CHARS]
  --admin-user ADMIN, -a ADMIN
                        UID or path for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when rotating
  --enable, -e          Enable rotation
  --disable, -d         Disable rotation
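The `--complexity`, `--schedulecron` and `--schedulejson` options above each take a small structured string that Commander only checks once the command is run. The following is an added example, not part of Keeper's documentation or Commander's own code, that parses those three inputs up front and emits a validated `pam rotation edit` line. The field layout of `--complexity` (length, upper, lower, digits, symbols, optional special characters), the JSON shape and the cron example are taken from the help text; the sanity rules (the minimum character counts must fit within the length, cron fields must lie in the usual ranges, exactly one schedule mode is given) and the record and configuration paths are this example's own assumptions.

```python
"""Validate rotation inputs and emit `pam rotation edit` lines.

Added example, not part of Keeper's documentation or Commander's own code.
The --complexity layout, the --schedulejson shape and the cron example are
from `pam rotation edit --help`; the sanity rules and the record paths
below are assumptions of this example.
"""
import json

# Field order from the help text: length, upper, lower, digits, symbols[, SPECIAL CHARS]
COMPLEXITY_FIELDS = ("length", "upper", "lower", "digits", "symbols")
# Conventional crontab ranges: minute, hour, day of month, month, day of week.
CRON_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


def quote(value):
    """Double-quote a value containing spaces, as the page's examples do."""
    return f'"{value}"' if " " in value else value


def parse_complexity(spec):
    """Parse '32,5,5,5,5[,SPECIAL CHARS]' into a dict; raise ValueError if unusable."""
    fields = spec.split(",", 5)
    if len(fields) < 5:
        raise ValueError("complexity needs length,upper,lower,digits,symbols")
    try:
        counts = dict(zip(COMPLEXITY_FIELDS, (int(f) for f in fields[:5])))
    except ValueError:
        raise ValueError(f"non-numeric complexity field in {spec!r}") from None
    if any(v < 0 for v in counts.values()):
        raise ValueError("complexity counts must be non-negative")
    # Assumption: a policy demanding more minimum characters than the length
    # allows can never be satisfied, so reject it before it reaches the gateway.
    if sum(counts[k] for k in COMPLEXITY_FIELDS[1:]) > counts["length"]:
        raise ValueError("minimum character counts exceed the password length")
    counts["special_chars"] = fields[5] if len(fields) == 6 else None
    return counts


def parse_cron(spec):
    """Check a 5-field crontab string such as '56 17 * * *'; return its fields."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("cron schedule must have 5 fields")
    for value, (lo, hi) in zip(fields, CRON_RANGES):
        if value == "*":
            continue
        if not value.isdigit() or not lo <= int(value) <= hi:
            raise ValueError(f"cron field {value!r} outside {lo}-{hi}")
    return fields


def build_rotation_edit(record, config, resource=None, admin=None, cron=None,
                        schedule_json=None, on_demand=False,
                        complexity="32,5,5,5,5", enable=True):
    """Return one `pam rotation edit` line; exactly one schedule mode must be given."""
    chosen = sum(x is not None for x in (cron, schedule_json)) + (1 if on_demand else 0)
    if chosen != 1:
        raise ValueError("give exactly one of cron, schedule_json or on_demand")
    parse_complexity(complexity)
    parts = ["pam", "rotation", "edit", "-r", quote(record), "-c", quote(config)]
    if resource:
        parts += ["-rs", quote(resource)]
    if admin:
        parts += ["-a", quote(admin)]
    if cron is not None:
        parts += ["-sc", '"' + " ".join(parse_cron(cron)) + '"']
    elif schedule_json is not None:
        if "type" not in schedule_json:
            raise ValueError("schedule JSON needs a 'type' key, e.g. WEEKLY")
        parts += ["-sj", "'" + json.dumps(schedule_json) + "'"]
    else:
        parts.append("-od")
    parts += ["-x", quote(complexity), "-e" if enable else "-d"]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed placeholders: a service-account record rotated nightly on db-01.
    print(build_rotation_edit("/Servers/svc-backup", "/PAM Configs/Prod",
                              resource="/Servers/db-01", cron="56 17 * * *"))
    print(build_rotation_edit("/Servers/svc-report", "/PAM Configs/Prod",
                              schedule_json={"type": "WEEKLY", "utcTime": "15:44",
                                             "weekday": "SUNDAY", "intervalCount": 1}))
```

Because `--schedulejson`, `--schedulecron`, `--on-demand` and `--schedule-config` are mutually exclusive in the usage line, the builder insists on exactly one of the three modes it supports; a complexity such as `8,5,5,5,5`, which cannot be satisfied, is rejected before any command is issued.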

list

My Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]

optional arguments:
  -h, --help     show this help message and exit
  --verbose, -v  Verbose output

info

My Vault> pam rotation info --help 
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID

optional arguments:
  -h, --help            show this help message and exit
  --record-uid RECORD_UID, -r RECORD_UID
                        Record UID to rotate

script

My Vault> pam rotation script --help
pam command [--options]

Command    Description
---------  ---------------------------------
list       List script fields
add        List Record Rotation Schedulers
edit       Add, delete, or edit script field
delete     Delete script field

Subcommand: action

Details: Discovers privileged accounts through the Keeper Gateway.

My Vault> pam action help
pam command [--options]

Command              Description
-------------------  ----------------
gateway-info         Info command
unreleased-discover  Discover command
rotate               Rotate command
job-info             View Job details
job-cancel           View Job details

gateway-info

My Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID
  --verbose, -v         Verbose Output

discover

My Vault> pam action discover --help
pam command [--options]

Command    Description
---------  ----------------------------------
start      Start a discovery process
status     Status of discovery jobs
remove     Cancel or remove of discovery jobs
process    Process discovered items
rule       Manage discovery rules

discover start

My Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
                                 [--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
                                 [--cred-file CREDENTIAL_FILE]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name of UID.
  --resource RESOURCE_UID, -r RESOURCE_UID
                        UID of the resource record. Set to discover specific resource.
  --lang LANGUAGE       Language
  --include-machine-dir-users
                        Include directory users found on the machine.
  --inc-azure-aadds     Include Azure Active Directory Domain Service.
  --skip-rules          Skip running the rule engine.
  --skip-machines       Skip discovering machines.
  --skip-databases      Skip discovering databases.
  --skip-directories    Skip discovering directories.
  --skip-cloud-users    Skip discovering cloud users.
  --cred CREDENTIALS    List resource credentials.
  --cred-file CREDENTIAL_FILE
                        A JSON file containing list of credentials.

discover status

My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Show only discovery jobs from a specific gateway.
  --job-id JOB_ID, -j JOB_ID
                        Detailed information for a specific discovery job.
  --history             Show history

discover remove

My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID

options:
  -h, --help            show this help message and exit
  --job-id JOB_ID, -j JOB_ID
                        Discovery job id.

discover process

My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]

options:
  -h, --help            show this help message and exit
  --job-id JOB_ID, -j JOB_ID
                        Discovery job to process.
  --add-all             Respond with ADD for all prompts.
  --debug-gs-level DEBUG_LEVEL
                        GraphSync debug level. Default is 0

discover rule

My Vault> pam action discover rule --help
pam command [--options]

Command    Description
---------  --------------
add        Add a rule
list       List all rules
remove     Remove a rule
update     Update a rule

discover rule add

My Vault> pam action discover rule add --help
usage: dr-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case] [--shared-folder-uid SHARED_FOLDER_UID]
                            --statement STATEMENT

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name of UID.
  --action {add,ignore,prompt}, -a {add,ignore,prompt}
                        Action to take if rule matches
  --priority PRIORITY, -p PRIORITY
                        Rule execute priority
  --ignore-case         Ignore value case. Rule value must be in lowercase.
  --shared-folder-uid SHARED_FOLDER_UID
                        Folder to place record.
  --statement STATEMENT, -s STATEMENT
                        Rule statement

rotate

My Vault> pam action rotate --help
usage: dr-rotate-command [-h] --record-uid RECORD_UID

optional arguments:
  -h, --help            show this help message and exit
  --record-uid RECORD_UID, -r RECORD_UID
                        Record UID to rotate

job-info

My Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id

positional arguments:
  job_id

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID.Needed only if there are more than one gateway running

job-cancel

My Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id

positional arguments:
  job_id

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID.Needed only if there are more than one gateway running

service list

My Vault> pam action service list -h
usage: pam-action-service-list [-h] --gateway GATEWAY

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID

service add

My Vault> pam action service add -h
usage: pam-action-service-add [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
                              USER_UID --type {service,task}

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID
  --machine-uid MACHINE_UID, -m MACHINE_UID
                        The UID of the Windows Machine record
  --user-uid USER_UID, -u USER_UID
                        The UID of the User record
  --type {service,task}, -t {service,task}
                        Relationship to add [service, task]

service remove

My Vault> pam action service remove -h
usage: pam-action-service-remove [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
                                 USER_UID --type {service,task}

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID
  --machine-uid MACHINE_UID, -m MACHINE_UID
                        The UID of the Windows Machine record
  --user-uid USER_UID, -u USER_UID
                        The UID of the User record
  --type {service,task}, -t {service,task}
                        Relationship to remove [service, task]

Subcommand: tunnel

Details: Displays and creates Keeper tunnels from the local machine to target infrastructure.

My Vault> pam tunnel help
pam command [--options]

Command    Description
---------  -------------------------
start      Start Tunnel
list       List all Tunnels
stop       Stop Tunnel to the server
tail       View Tunnel Log
edit       Edit Tunnel settings

start

My Vault> pam tunnel start -h
usage: pam tunnel start [-h] [--host HOST] [--port PORT] uid

positional arguments:
  uid                   The Record UID of the PAM resource record with network information to use for tunneling

options:
  -h, --help            show this help message and exit
  --host HOST, -o HOST  The address on which the server will be accepting connections. It could be an IP address or a
                        hostname. Ex. set to 127.0.0.1 as default so only connections from the same machine will be accepted.
  --port PORT, -p PORT  The port number on which the server will be listening for incoming connections. If not set, random
                        open port on the machine will be used.

list

My Vault> pam tunnel list -h
usage: pam tunnel list [-h]

options:
  -h, --help  show this help message and exit

stop

My Vault> pam tunnel stop -h
usage: pam tunnel stop [-h] uid

positional arguments:
  uid         The Tunnel UID or Record UID

options:
  -h, --help  show this help message and exit

tail

My Vault> pam tunnel tail -h
usage: pam tunnel tail [-h] uid

positional arguments:
  uid         The Tunnel UID

options:
  -h, --help  show this help message and exit

edit

My Vault> pam tunnel edit -h
usage: pam tunnel edit [-h] [--configuration CONFIG] [--enable-tunneling] [--tunneling-override-port TUNNELING_OVERRIDE_PORT]
                       [--disable-tunneling] [--remove-tunneling-override-port]
                       uid

positional arguments:
  uid                   The Record UID of the PAM resource record with network information to use for tunneling

options:
  -h, --help            show this help message and exit
  --configuration CONFIG, -c CONFIG
                        The PAM Configuration UID to use for tunneling. Use command `pam config list` to view available PAM
                        Configurations.
  --enable-tunneling, -et
                        Enable tunneling on the record
  --tunneling-override-port TUNNELING_OVERRIDE_PORT, -top TUNNELING_OVERRIDE_PORT
                        Port to use for tunneling. If not provided, the port from the record will be used.
  --disable-tunneling, -dt
                        Disable tunneling on the record
  --remove-tunneling-override-port, -rtop
                        Remove tunneling override port
