Target Systems Technical Account Authorizations
To extract account profile information and account password hashes, EPAS requires an account with special privileges on the target system. To avoid using administrative credentials wherever possible, the following are the minimum privileges / permissions required for the EPAS extraction process:
| System Type | Required Authorizations / Permissions |
|---|---|
| IBM System i - iSeries - AS/400 | A user authorized to call i5OS / OS/400 security APIs (e.g. QSECOFR) |
| IBM System p - pSeries - RS/6000 AIX | Read access to the following files: /etc/passwd /etc/security/passwd |
| IBM System z - zSeries - S/390 (z/VM RACF and z/OS RACF) | A user authorized to read the chosen RACF data set and to connect via FTP, FTP-SSL or IND$FILE (e.g. having the SPECIAL attribute) |
| IBM Lotus Domino Application Server | Lotus Domino Administrator |
| Microsoft Active Directory Accounts | Domain Administrator or equivalent. If the domain administrator is part of Protected Users group, also make sure to configure EPAS DNS as described in the Network Configuration section. |
| Microsoft Windows Local Accounts | Domain User with local administrator privileges. If target system is not a domain member, ensure that the target system does not have Remote UAC enabled. |
| BSD Operating System | Read access to the following files: /etc/passwd /etc/master.passwd |
| Linux Operating System | Read access to the following files: /etc/passwd /etc/shadow |
| MacOS System Accounts | Remote Login (SSH) enabled with permissions set for the user. A local administrative account (with sudo rights), or, if the computer is integrated with Active Directory, a domain user account (with sudo rights). To grant the user sudo rights, the following commands can be issued: sudo dscl . append /Groups/admin GroupMembership username; sudo dscl . append /Groups/wheel GroupMembership username |
| Sun Solaris - SunOS | Read access to the following files: /etc/passwd /etc/shadow |
| Apache Basic - htpasswd | Normal user with access to the configured file path. |
| SAP NetWeaver - ABAP AS | The selected account must be an administrator in the chosen SAP client (e.g. SAP_ALL). |
| LDAP Authentication Server | Valid binding credentials to the configured LDAP directory service. Access to the objects and attributes which are being audited (e.g. uid, sid, cn, userPassword). |
| Cisco ISE, ASA, IOS, NX-OS Accounts | The user must be authorized to read the account and password hash from the running-config. This can be accomplished with privilege level 15 or with an optional enable password (enable password only works on IOS/NX-OS/ASA systems and not on ISE) |
| MSSQL System Accounts | Full read access on the following tables: MASTER..SYSXLOGINS, MASTER.SYS.SQL_LOGINS. Permission to use common functions, such as CONCAT, ISNULL, etc. On database servers newer than SQL Server 2000, the following grants are also required: GRANT VIEW ANY DEFINITION TO <epas_service_account>; GRANT CONTROL SERVER TO <epas_service_account>; |
| MySQL System Accounts | Full read access on the following table: MYSQL.USER |
| Oracle System Accounts | Full read access on the following table: SYS.USER$ If Transparent Data Encryption (TDE) is used, permission to issue the following command: ALTER SYSTEM SET ENCRYPTION… |
| PostgreSQL System Accounts | Full read access on the following table: PG_CATALOG.PG_AUTHID |
| Sybase ASE System Accounts | Full read access on the following table: master..syslogins |
| MongoDB System Accounts | An account (LDAP, Username/Password, X509, X509+Username/Password) with read access on the following collection: admin |
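The AIX, BSD, Linux and Solaris rows all reduce to read access on two password files. The following pre-flight check is an added example, not part of the EPAS documentation: it evaluates from the mode bits whether a dedicated non-root extraction account could read each required file, so a scan does not silently depend on root. The Account class, the helper names and the temporary demo tree are constructed for this example; POSIX ACLs are not evaluated.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
# Required files per system type, taken from the table above.
REQUIRED_FILES = {
    "Linux": ("/etc/passwd", "/etc/shadow"),
    "BSD": ("/etc/passwd", "/etc/master.passwd"),
    "AIX": ("/etc/passwd", "/etc/security/passwd"),
    "Solaris": ("/etc/passwd", "/etc/shadow"),
}

@dataclass(frozen=True)
class Account:
    """Hypothetical dedicated extraction account: its uid and all of its gids."""
    uid: int
    gids: frozenset

def mode_allows_read(st: os.stat_result, acct: Account) -> bool:
    """Owner/group/other read-bit check as the kernel applies it to a non-root uid (no ACLs)."""
    if acct.uid == 0:
        return True
    if st.st_uid == acct.uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in acct.gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def preflight(system: str, acct: Account, root: str = "") -> dict:
    """{path: True|False|None}; None = file missing. `root` lets an offline /etc copy be checked."""
    report = {}
    for path in REQUIRED_FILES[system]:
        try:
            report[path] = mode_allows_read(os.stat(root + path), acct)
        except FileNotFoundError:
            report[path] = None
    return report

def build_demo_tree() -> tuple:
    """Constructed Linux-like tree: passwd 0644, shadow 0640 (group-read only), dummy
    contents, owned by the current user. Returns (root, owner_uid, owner_gid)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    for name, mode in (("passwd", 0o644), ("shadow", 0o640)):
        path = os.path.join(root, "etc", name)
        with open(path, "w") as f:
            f.write("epas:x:1001:1001::/home/epas:/bin/sh\n")
        os.chmod(path, mode)
    st = os.stat(os.path.join(root, "etc", "shadow"))
    return root, st.st_uid, st.st_gid
```

An account that is outside the group owning the shadow file gets False for it, which is the signal to fix the group membership rather than fall back to root.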