Targeting the Linux Server system
For each Linux Server system, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):
Type is Generic Linux Server (SSH) (known as Generic Linux Server NewGen (SSH) in Connector Pack 4.5 or earlier) or Generic Linux Server (SSH) (Legacy) (known as Generic Linux Server (SSH) in Connector Pack 4.5 or earlier).
Address uses the options described in the table below.
The full list of target parameters is explained in Target system options.
Option | Description |
---|---|
Script file | Must be set to (key: script) |
Server | The IP address or domain name of the Linux Server. (key: server) |
Privilege escalation type | Select: If the sudo password is configured to be different from the log-in password, add another set of credentials for sudo and select the System password option. The Administrator ID can be arbitrary. This is the default setting. |
Enable SSH public and authorized key discovery | Default is false; select this option to list all SSH public and authorized keys on the server. SSH key files must be in OpenSSH format and must be less than 100,000 KB (by default) in order to be listed. To change the file size limit, modify the maximum file size to parse in unix-sshkey.psl. (key: discoverkeys) |
Advanced | |
Port | TCP Port number. Default is 22. (key: port) |
Compression | Select to enable data compression for SSH connections. Default is false. (key: compression) |
Action for host keys | Select AllowAppend (default) or DenyUnmatch. For new targets, AllowAppend is recommended. AllowAppend connects to SSH hosts whose public host keys have been previously recorded and have not been changed, and to SSH hosts whose keys have not been previously recorded. It will reject SSH hosts whose keys were previously recorded but have changed. DenyUnmatch only connects to SSH hosts whose public host keys have been previously recorded and have not been changed. It will reject SSH hosts whose keys have not been previously recorded or were previously recorded but have changed. (key: hostkeys) |
Host keys file | Specify the name of the public host key file. It must be located in the \<instance>\script\ directory. The file consists of a KVGroup with an entry that contains the host information as the key and the hostkey as the value. This information can be extracted from the PuTTY registry entries (HKEY_CURRENT_USER \Software\SimonTatham\PuTTY\SshHostKeys) where "Name" corresponds to the key and "Data" corresponds to the value. (key: file) |
Authentication method | The authentication methods to use for authentication keys. Default is Password. Other options include RSA, ED25519, ECDSA, and DSA. (key: authmethod) |
Authentication key file | This attribute can be assigned to the administrator’s private key. This key must have a passphrase assigned, which is entered into the credential password field. Management of this passphrase is not supported. If an SSHv1 key file is provided, ensure that the Force SSH v1? option is also selected. (key: authkey) Warning: Keys generated from an older version of Bravura Security Fabric may no longer work using this method. |
Timeout for connection | Amount of time the connector will wait for a response. (key: timeout) |
Force SSH v1? | Force SSH connection via SSH protocol version 1. This does not meet current security standards; use only for legacy systems that support nothing else. (key: enable_ssh_1) |
Unprivileged and password management operations only | The passwdAccessOnly option is useful for Bravura Pass and Bravura Privilege implementations where only passwords on Unix systems need to be managed. When configuring passwdAccessOnly with sudo escalation, the sudoers file can be restricted to a single command: /usr/bin/passwd. With this authorization, the modification of the sudoers file would look something like the following example for the psadmin user: (key: passwdAccessOnly) |
Max read timeout | The maximum time the connector will read data. Default is 6 seconds. (key: maxReadTimeout) |
Max write timeout | The maximum time the connector will write data. Default is 20 seconds. (key: maxWriteTimeout) |
Max read size | The maximum data read size. Default is 16384 characters. (key: maxReadSize) |
Max read lines | The maximum number of lines to read. Default is 50000 lines. (key: maxReadLines) |
Enter the filenames (comma delimited) to get the public keys from. Must be in the user’s ~/.ssh directory | The public key files to list from the server. Default is "id_rsa.pub,id_dsa.pub". (key: pubkeyfiles) |
Delete all matching keys upon access revocation | Default is true, deselect this option to remove only one copy of the specified public key upon access revocation. (key: delallkeys) |
Calculate SHA1 hashes of discovered public and authorized keys | Default is true, deselect this option to turn off calculation of hashes for public and authorized keys. (key: makekeyhashes) |
Enable on unlock | Default is true, since enable and unlock are the same operation on Linux systems. Deselect this option to disable the unlock operation for this target. (key: EnableOnUnlock) |
Enable on reset | Default is false, which maintains an account’s status (enabled/disabled) after a password reset. Select this option to also enable accounts with password reset. (key: EnableOnReset) |
Supports gshadow | Default is false. If gshadow is supported on the system, select this option to enable the ability to discover, add and delete group owners. (key: isGshadowNeeded) |
Code page encoding | If targeting a UNIX operating system that does not run the UTF-8 code page, this setting converts from the target encoding to UTF-8 in the product. (key: codePage) |
Trace Logging | Provides detailed multiline logging for connectors. Default is None. Other options include Low, Medium, and High. (key: trace) |
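The host-key policy from the Action for host keys and Host keys file rows, worked through as an added Python illustration (not Bravura Security Fabric or connector code): a recorded-keys store in the PuTTY SshHostKeys naming convention, the AllowAppend and DenyUnmatch decisions, and the changed-key case that both modes reject. The store contents, key data and host names are constructed; the KVGroup file format itself is not modelled.

```python
"""Added illustration of the connector's host-key acceptance policy.

The recorded store is a plain dict standing in for the KVGroup host keys
file. Entry names follow the PuTTY SshHostKeys registry convention,
"<keytype>@<port>:<host>", and values hold the key data (constructed here).
"""
from enum import Enum
from typing import Dict, Tuple


class HostKeyAction(Enum):
    ALLOW_APPEND = "AllowAppend"   # trust on first use, reject changed keys
    DENY_UNMATCH = "DenyUnmatch"   # only previously recorded, unchanged keys


def host_key_name(key_type: str, port: int, host: str) -> str:
    """Build the PuTTY-style name used as the store key."""
    return f"{key_type}@{port}:{host}"


def parse_host_key_name(name: str) -> Tuple[str, int, str]:
    """Split "<keytype>@<port>:<host>" back into its parts."""
    key_type, rest = name.split("@", 1)
    port, host = rest.split(":", 1)
    return key_type, int(port), host


def check_host_key(recorded: Dict[str, str], name: str, presented: str,
                   action: HostKeyAction) -> Tuple[bool, str]:
    """Return (connect, reason) for one presented host key.

    AllowAppend accepts and records an unrecorded key; DenyUnmatch rejects it.
    A recorded key that no longer matches is rejected in both modes, since it
    means the host was reinstalled or something sits between connector and host.
    """
    known = recorded.get(name)
    if known is None:
        if action is HostKeyAction.ALLOW_APPEND:
            recorded[name] = presented          # the "append" in AllowAppend
            return True, "unrecorded host key appended"
        return False, "unrecorded host key rejected (DenyUnmatch)"
    if known == presented:
        return True, "host key matches recorded key"
    return False, "host key changed since it was recorded"


# Constructed sample store: one host already recorded, key data is placeholder.
SAMPLE_STORE = {host_key_name("ssh-ed25519", 22, "db01.example.test"): "KEYDATA-A"}
```

Copy the store before use if you want to compare both modes against the same starting state, since AllowAppend writes to it.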