How to setup and test Socket Filter Agent (SFA)

Document ID : KB000124856
Last Modified Date : 17/01/2019
Introduction:
This document provides a step-by-step process for installing, setting up and testing the Socket Filter Agent (SFA).
Instructions:
Use case:
An AIX 7.1 server is the target device (lodibm24ab.ca.com, 192.168.0.1).
You do not want users SSH'ing from it to another machine (lodibm24aa.ca.com, 192.168.0.2).

Follow the steps below to install, configure and test the SFA feature.

Step 1: Create a Target Device and Target Account in PAM.
Create the Target Device
You can set up the SSH Access Method or create a Putty Service to access the target device.
In this case I will use the "Putty" Service.
You can also add the "SSH" method under "Access Method"; this makes it easier to transfer the SFA installer to the machine.
If you want to allow file transfer from the "SSH" Access Method, you will need to switch on the "SSH Terminal File Transfer" option in "Global Settings -> Applet Customization".
[Screenshot: Applet Customization]

Now add the "Putty Local" service.
[Screenshot: Add putty service]

[Screenshot: Putty Service]

I am using auto-login, so the "Client Application" is set as below.
"C:\Program Files\PuTTY\putty.exe" -ssh -l <Username> -pw <Password> <Local IP> <First Port>

Create a "Socket Filter", which is located at "Policies --> Manage Policy Filters --> Socket Filters".
In this sample I named it "SFABlackList".

You will need to select the Type as "Blacklist", since we only want to block the addresses registered in it.
Enter the IP address of the other server (not the target server, but the one you want to block users from SSH'ing to).
In this case it is 192.168.0.2 and the port is 22.
[Screenshot: BlackList]

Click OK to save.
[Screenshot: SocketFilter]

You can click the "CONFIG" button to enable "SFA Monitoring", which lets you see which SFAs are active. It is for monitoring purposes only. Note that SFAs listen on TCP port 8550 by default.
Do not check "Log All Access", as that will generate a large number of entries in the session logs.
[Screenshot: SocketFilterConfig]

You will need two Target Accounts for this test.
Account 1: root
Account 2: non-root

Note that the root account is not affected by the SFA blacklist: root can still SSH to other machines even if you have configured a blacklist. Only non-root accounts are affected.
[Screenshot: TargetAccounts]


Create a Policy that allows both the root and kimsu05 users access to the target device.
[Screenshot: Policy]
[Screenshot: PolicyUsers]


Now you should see the Access buttons as below.
[Screenshot: Access Page]

Now, let's install the socket filter agent on the AIX 7.1 machine.
Log on to AIX 7.1 as root using the "SSH" Access Method.
[Screenshot: Transfer]

When using MindTerm, pressing the [ENTER] key appends ^E to the command, so you will see "xterm" on the command line.
Execute "set -o emacs" and that problem will go away.
[Screenshot: set emacs]

From the "Plugins" menu you can select either of the transfer options, which brings up the window for transferring files.
Transfer the SFA installer that matches the target device.
[Screenshot: copy]

Check whether anything is listening on port 8550.
If something is listening on that port, either SFA is already installed and running, or third-party software is occupying the same port, which would conflict with SFA.
If SFA was already installed and running, you must stop it first:
# /etc/rc.d/init.d/rc.gksfd stop
[Screenshot: netstat]


Also, you need to ensure the following two requirements are met.
    1. TCP port 8550 is open on the target device for incoming connections.
    2. TCP port 443 is open to the PAM servers for outgoing connections.
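The pre-install checks above (root, nothing else on port 8550, and the reminder about the two firewall rules) can be scripted. This is an added example for this page, not a CA script; it expects "netstat -an" output in the AIX form ("*.8550") or the Linux form ("0.0.0.0:8550"), and the two sample listings at the bottom are constructed so the port check can be exercised offline.

```shell
#!/bin/sh
# Pre-install checks for the SFA on the target device. Added example for this
# KB page, not a CA script. Expects "netstat -an" output in the AIX form
# ("*.8550") or the Linux form ("0.0.0.0:8550") for the local address.

SFA_PORT=8550

# listener_on_port PORT: reads "netstat -an" output on stdin, prints the LISTEN
# lines bound to PORT and returns 0 if there is at least one, 1 otherwise.
listener_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, /[.:]/)       # last element of the local address is the port
            if (a[n] == port) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# sfa_running: returns 0 if a gksfd process exists (same ps pattern as rc.gksfd).
sfa_running() {
    ps -ef | grep -e '/gksfd$' -e '/gksfd ' -e ' gksfd$' -e ' gksfd ' | grep -v grep >/dev/null
}

# preflight: the checks the page asks for before running the installer.
preflight() {
    if [ "$(id -u)" != "0" ]; then
        echo "The SFA installer must be run as root."; return 1
    fi
    if netstat -an | listener_on_port "$SFA_PORT"; then
        if sfa_running; then
            echo "SFA is already running; stop it first: /etc/rc.d/init.d/rc.gksfd stop"
        else
            echo "Port $SFA_PORT is used by another program, which would conflict with SFA."
        fi
        return 1
    fi
    echo "Port $SFA_PORT is free. Also confirm TCP $SFA_PORT inbound and TCP 443 outbound to the PAM server are open."
}

# Constructed AIX-style netstat samples used to exercise listener_on_port offline.
SAMPLE_FREE='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.0.1.22         192.168.0.100.52161    ESTABLISHED'
SAMPLE_BUSY="$SAMPLE_FREE
tcp4       0      0  *.8550                 *.*                    LISTEN"

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as "sh sfa_preflight.sh --run" on the target device; without "--run" it only defines the functions.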


You can now execute the installer. This must be run as "root".
[Screenshot: install]


The installation is quick and simple.
In the following case, I already had SFA installed; the installer simply overwrites it if you tell it to.
[Screenshot: installed]


The installer installs the following files:
/etc/rc.d/init.d/rc.gksfd
/etc/gksfd.cfg
/usr/sbin/gksfd
/usr/sbin/gksfdconf

rc.gksfd is used to start or stop the SFA service.
Usage: /etc/rc.d/init.d/rc.gksfd (start|stop|restart|reload)
#!/bin/ksh
#
#       This script starts the CA's SFA daemon process

# Checking permission: only the super-user (uid 0) may run this script
invoker=`id | cut -c5,5`

if [ "$invoker" != "0" ]
then
        echo "You have no permission to execute. Should be super-user."
        exit 0
fi

# Checking disk space: starting the daemon needs at least 10 MB free in /var
available=`df -Pk /var | tail -1 | awk '{print $4}'`
minimumspace="10240"
if [ "$1" = "start" -o "$1" = "restart" ]; then
        if [ "$available" -lt "$minimumspace" ]; then
                echo "Not enough disk space in /var. You need at least 10M of free disk space to start the Socket Filtering Service."
                exit 0
        fi
fi

case "$1" in
start)
        # startsrc -s gksfd
        # Start the daemon only if no gksfd process is already running
        pid=`ps -ef | grep -e '\/gksfd$' -e '\/gksfd ' -e ' gksfd$' -e ' gksfd ' | grep -v grep | awk '{print $2}'`
        if [ "X$pid" = "X" ] ; then
                if [ -f /usr/sbin/gksfd ] ; then
                        echo "Starting the Socket Filtering Service"
                        /usr/sbin/gksfd
                fi
        fi
        ;;
stop)
        # stopsrc -s gksfd
        # Send SIGTERM to every gksfd process found
        status=0
        pid=`ps -ef | grep -e '\/gksfd$' -e '\/gksfd ' -e ' gksfd$' -e ' gksfd ' | grep -v grep | awk '{print $2}'`
        for p in $pid; do
                kill $p
                if [ $? -ne 0 ]; then
                        status=1
                fi
        done
        if [ "$status" = 0 ]; then
                echo "Socket Filtering Service stopped"
        else
                echo "Unable to stop Socket Filtering Service"
        fi
        ;;
restart)
        $0 stop
        $0 start
        ;;
reload)
        # Re-apply the configuration through gksfdconf
        status=0
        /usr/sbin/gksfdconf
        if [ $? -ne 0 ]; then
                status=1
        fi
        if [ "$status" != 0 ]; then
                echo "Unable to reload Socket Filtering Service"
        fi
        ;;
*)
        echo "Usage: $0 (start|stop|restart|reload)"
        ;;
esac
exit 0

The gksfd.cfg file stores the SFA configuration.
# gksfd configuration
# policy mode (user: user-based policy, session: session-based policy)
POLICY=session
# verbose mode (0: non-verbose, 1: verbose)
VERBOSE=0
# secure login mode (0: allow login from non-GK, 1: allow login from GK ONLY)
SECURE_LOGIN=0
# secure user list
# use comma(,) as delimiter and not allowed any white-space
SECURE_USER=



gksfd is used to start the SFA with extra parameters.
usage: gksfd [-h] [-v] [-ver] [-p port#] [-l log-file]
-h           print usage help
-ver         print version number
-v           set log-level to verbose mode (default: info level)
-p port#     set agent port number (default: 8550)
-l log-file  set log file (default: /var/tmp/gksfd.log)


gksfdconf is used to reconfigure the running SFA service; rc.gksfd reload calls it.


Once the SFA is installed, and before you start gksfd, you can enable verbose mode by setting VERBOSE=1 in /etc/gksfd.cfg.
[Screenshot: verbose]


Then start the SFA by running gksfd.
You will then see the following content in /var/tmp/gksfd.log:
<5>gksfd: 2019-01-16 19:53:05 ## =============================== ##
<5>gksfd: 2019-01-16 19:53:05 ##         Process Started         ##
<5>gksfd: 2019-01-16 19:53:05 ## =============================== ##
<5>gksfd: 2019-01-16 19:53:05 ## version: gksfd 3.2.0
<5>gksfd: 2019-01-16 19:53:05 ## process-id: 7799014
<5>gksfd: 2019-01-16 19:53:05 ## argument[0]: gksfd
<6>gksfd: 2019-01-16 19:53:05 POLICY=session
<6>gksfd: 2019-01-16 19:53:05 VERBOSE=1
<6>gksfd: 2019-01-16 19:53:05 SECURE_LOGIN=0
<6>gksfd: 2019-01-16 19:53:05 SECURE_USER=
<6>gksfd: 2019-01-16 19:53:05 >>>>> configuration <<<<<
<6>gksfd: 2019-01-16 19:53:05 policy-mode = [session-based policy]
<6>gksfd: 2019-01-16 19:53:05 log-level = [debug]
<6>gksfd: 2019-01-16 19:53:05 secure-login = [disabled]
<6>gksfd: 2019-01-16 19:53:05 # of secure-user = [0]
<6>gksfd: 2019-01-16 19:53:05 >>>>> end of configuration <<<<<
<6>gksfd: 2019-01-16 19:53:05 Set verbose mode logging
<6>gksfd: 2019-01-16 19:53:05 init_policy: size poilcy_t(66016) max_policy(1024) max_list(4096)
<6>gksfd: 2019-01-16 19:53:05 init_session: size session_t(66080) max_session(1024)
<6>gksfd: 2019-01-16 19:53:05 init_cm: size conninfo_t [443]
<6>gksfd: 2019-01-16 19:53:05 init_cm: TLS support
<6>gksfd: 2019-01-16 19:53:05 init_cm: initialized openssl library
<7>gksfd: 2019-01-16 19:53:05 old stack size = [192] kbytes
<6>gksfd: 2019-01-16 19:53:05 new stack size = [1024] kbytes
<6>gksfd: 2019-01-16 19:53:05 init_thread: main inited.
<6>gksfd: 2019-01-16 19:53:05 start signal handler service
<6>gksfd: 2019-01-16 19:53:05 interface information: 192.168.0.1
<6>gksfd: 2019-01-16 19:53:05 sig_handler: signal(20) - ignore
<6>gksfd: 2019-01-16 19:53:05 start packet capture service
<7>gksfd: 2019-01-16 19:53:05 pm: ether=14 ip=20 tcp=20
<6>gksfd: 2019-01-16 19:53:05 init_thread: pm inited.
<6>gksfd: 2019-01-16 19:53:05 pm: filter = [tcp[13] = 18 and ( dst host 192.168.0.1 )]

It has started up fine.

Now, if you try to SSH to the blacklisted machine (lodibm24aa.ca.com, 192.168.0.2), you will see the following:
<6>gksfd: 2019-01-16 20:26:33 pm: src(192.168.0.2:22) dst(192.168.0.1:52161) flags=18
[Screenshot: test1]


If you see "RSA key fingerprint xxxx", the connection to the destination has already been established.
This was supposed to be blocked, but it went through because the test user in this case was the "root" account.

So now you need to open a new SSH session as a non-root user.
When you try with a non-root user, you will see the following screen and log entries.
[Screenshot: test2]
<6>gksfd: 2019-01-16 20:31:00 new connection accepted from 192.168.0.100 (11)
<6>gksfd: 2019-01-16 20:31:00 init_thread: cm inited.
<6>gksfd: 2019-01-16 20:31:00 pm: src(192.168.0.2:22) dst(192.168.0.1:52176) flags=18
<6>gksfd: 2019-01-16 20:31:00 build_proc: n_proc = [105]
<6>gksfd: 2019-01-16 20:31:00 search_proc_tree: pid(6357198) -- pid(7995612)'s tree
<6>gksfd: 2019-01-16 20:31:00 >>> G session[0]: (1) st(2) uid(205) pid(5767412,7995612) tid(1335) pty(pts/2) ti(190116 203035) peer(155.35.245.249)
<6>gksfd: 2019-01-16 20:31:00 apply_policy: uid(205) (8dca29cc:22) in bl(8dca29cc/ffffffff:22-22)
<6>gksfd: 2019-01-16 20:31:00 sm: kill. cmd(ssh) uid(205) pid(6357198)
<6>gksfd: 2019-01-16 20:31:00 sm: report bl. cmd(ssh) uid(205) pid(6357198)
<6>gksfd: 2019-01-16 20:31:00 gkhttps: cmd=[https://192.168.0.51/ajax_cmd.php?cmd=AGNLOG&host=192.168.0.2&port=22&PHPSESSID=5210a19bbfd7110a71b2d16b896b7802&src_host=192.168.0.100&nat_host=192.168.0.100&h_id=33&tsk_name=ssh&svc_name=<&gkhost=lodibm24ab.ca.com&pid=105&log_level=ERROR&policy_type=bl]
<6>gksfd: 2019-01-16 20:31:00 cm: peek message = GKSFD_NOTIFY 873140652:3442068109 (33)
<6>gksfd: 2019-01-16 20:31:00 cm: should be <= CAPAM 2.7, non TLS mode
<6>gksfd: 2019-01-16 20:31:00 do_hello: (11) len(27) ver(2) id(1) st(0) res(0) param(873140652:3442068109|)
<6>gksfd: 2019-01-16 20:31:00 do_server: (11) connection dropped

IP 192.168.0.1 (lodibm24ab.ca.com) is the AIX 7.1 target server.
IP 192.168.0.2 (lodibm24aa.ca.com) is the other machine, which we blacklisted so users cannot SSH from 192.168.0.1 to 192.168.0.2.
IP 192.168.0.100 is the Windows client machine I am accessing the PAM server from.
IP 192.168.0.51 is the PAM server.
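When verifying the agent on more than one login, it helps to pull the blacklist hits out of /var/tmp/gksfd.log rather than reading it end to end. The following is an added example for this page, not a CA tool: it keys only on the "pm: src(...)" and "sm: kill. cmd(...) uid(...) pid(...)" line formats shown above. The "pm" line is the captured SYN-ACK (flags=18, which is what the tcp[13] = 18 filter matches) coming back from the blacklisted host, so its src is the remote endpoint that was reached before the process was killed. The log excerpt at the bottom is constructed in the page's format for offline use.

```shell
#!/bin/sh
# Summarise blacklist hits from /var/tmp/gksfd.log. Added example for this KB
# page, not a CA tool; it relies only on the "pm: src(...)" and
# "sm: kill. cmd(...) uid(...) pid(...)" line formats shown in the log above.
# The pm line is the captured SYN-ACK (flags=18, i.e. tcp[13] = 18) coming back
# from the blacklisted host, so its src is the remote endpoint that was reached.

# blocked_events: reads gksfd.log on stdin and prints one line per killed process:
# "<date> <time> uid=<uid> cmd=<cmd> pid=<pid> remote=<host:port>"
blocked_events() {
    awk '
        function inside(s, key) {   # text between "key(" and the next ")"
            if (match(s, key "\\([^)]*\\)"))
                return substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 2)
            return "?"
        }
        /pm: src\(/        { remote = inside($0, "src") }
        /sm: kill\. cmd\(/ {
            print $2, $3, "uid=" inside($0, "uid"), "cmd=" inside($0, "cmd"),
                  "pid=" inside($0, "pid"), "remote=" remote
        }'
}

# blocked_count_by_uid: same input, prints "<uid> <count>" per user, sorted by uid.
blocked_count_by_uid() {
    blocked_events | awk '{ sub(/^uid=/, "", $3); n[$3]++ } END { for (u in n) print u, n[u] }' | sort
}

# Constructed log excerpt in the page's format: a root session at 20:26 that was
# only observed (no kill line), then two non-root (uid 205) attempts that were killed.
SAMPLE_LOG='<6>gksfd: 2019-01-16 20:26:33 pm: src(192.168.0.2:22) dst(192.168.0.1:52161) flags=18
<6>gksfd: 2019-01-16 20:31:00 pm: src(192.168.0.2:22) dst(192.168.0.1:52176) flags=18
<6>gksfd: 2019-01-16 20:31:00 apply_policy: uid(205) (c0a80002:22) in bl(c0a80002/ffffffff:22-22)
<6>gksfd: 2019-01-16 20:31:00 sm: kill. cmd(ssh) uid(205) pid(6357198)
<6>gksfd: 2019-01-16 20:31:00 sm: report bl. cmd(ssh) uid(205) pid(6357198)
<6>gksfd: 2019-01-16 20:40:12 pm: src(192.168.0.2:22) dst(192.168.0.1:52190) flags=18
<6>gksfd: 2019-01-16 20:40:12 sm: kill. cmd(scp) uid(205) pid(6357300)'

if [ "${1:-}" = "--run" ]; then blocked_events < /var/tmp/gksfd.log; fi
```

On the target device, "sh sfa_hits.sh --run" prints one line per killed process; a root session shows a pm line but no kill line, which is the behaviour described above.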

If everything is working, update /etc/gksfd.cfg to change VERBOSE=1 back to 0.
Then just restart the SFA (/etc/rc.d/init.d/rc.gksfd restart).

You should also be able to see the status of this SFA from PAM.
[Screenshot: status1]
[Screenshot: status2]