Limiting access to Authentication Manager (Operations Console and SSH)
I moved your post to the SecurID Access discussions space where it will be seen by customers, partners and our support team. Be sure to bookmark the page and come back often to see new content and ask questions.
Welcome to the RSA community!
There is no configuration on the Authentication Manager server that would restrict access to the administration consoles or to SSH by IP address. This is something you should discuss with your network team.
Edited to add*: An option would be to create additional Operations Console administrators within the Security Console. This would provide repudiation for user logins that can be tracked.
- Create a home directory for a new user e.g. mkdir /home/OSadmin
- Use useradd (useradd OSadmin -d /home/OSadmin -G rsaadmin)
- Update /etc/ssh/sshd_config, change 'AllowUsers rsaadmin' to 'AllowUsers rsaadmin OSadmin'
- Update /etc/sudoers to add a user privilege specification for the user to match rsaadmin e.g. OSadmin ALL = (ALL) ALL, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.sh, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.py
* Edits thanks to @JayGuillette
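The four steps above as one checked script. This is an added example, not RSA's own tooling: the file paths are parameters so the helpers can be tried on copies before the appliance is touched, `useradd -m` replaces the separate mkdir so the home directory is owned by the new user, and it assumes `sshd -t` and `visudo -c -f` are available on the appliance OS.

```shell
#!/bin/sh
# Added example, not RSA's code: the extra-OS-admin procedure from the post
# above, with the syntax checks an administrator wants before reloading sshd
# or replacing sudoers. Assumes SLES with OpenSSH's sshd -t and sudo's visudo.
set -eu

# Add a login to the sshd AllowUsers line. Idempotent; appends the directive
# if the file has none.
add_allow_user() {
    conf="$1"; new_user="$2"
    if grep -E '^AllowUsers[[:space:]]' "$conf" | tr ' \t' '\n\n' | grep -qx "$new_user"; then
        return 0                              # already listed
    fi
    tmpf=$(mktemp)
    awk -v u="$new_user" '
        /^AllowUsers[ \t]/ && !done { $0 = $0 " " u; done = 1 }
        { print }
        END { if (!done) print "AllowUsers " u }' "$conf" > "$tmpf"
    cat "$tmpf" > "$conf"                     # keeps the original owner/mode
    rm -f "$tmpf"
}

# Sudoers line mirroring rsaadmin as the post describes: password-protected
# full sudo, passwordless only for the appliance helper scripts.
sudoers_entry() {
    printf '%s ALL = (ALL) ALL, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.sh, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.py\n' "$1"
}

# Whole procedure; run as root on the appliance: provision_os_admin OSadmin
provision_os_admin() {
    user="$1"
    useradd -m -d "/home/$user" -G rsaadmin "$user"   # -m creates the home dir
    passwd "$user"
    add_allow_user /etc/ssh/sshd_config "$user"
    sshd -t                                   # abort before reload if sshd_config is broken
    cp -p /etc/sudoers /etc/sudoers.new       # -p keeps 0440 root:root for the check
    sudoers_entry "$user" >> /etc/sudoers.new
    visudo -c -f /etc/sudoers.new             # a syntax error in sudoers locks everyone out
    cat /etc/sudoers.new > /etc/sudoers && rm -f /etc/sudoers.new
    echo "Reload sshd for the AllowUsers change to take effect."
}

if [ $# -eq 1 ]; then provision_os_admin "$1"; fi
```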
OK, so other than putting it behind a firewall and restricting ports 7002/7004/22 there is no built-in option?
No software firewall?
I could potentially use TCP wrappers for SSH but don't think that will work for the Operations Console.
Authentication Manager is an appliance and it has SUSE Enterprise Linux as the OS, which includes iptables, so there is the potential to modify them to accomplish what you want. Because it is a security appliance we recommend against manual modifications to the OS and other components. There is no guarantee that a patch would not overwrite your iptables modification, and a high likelihood that the patch would overwrite changes to iptables.
The Security philosophy is basically keep things limited and simple, so that the Security profile/surface attack area is as small as it can be. This includes not treating the AM appliance like a server, controlling modifications through the AM patch process. As Erica pointed out, we do support user ACLs on SSH (and Ops console) access via a modification to Linux with adduser and passwd for SSH (Ops Console UserIDs and Password are configurable in Security Console).
There is an Admin SDK which is part of the extras folder in the AM 8.x software downloads.
You could write your own Administration console app, to customize it.
Another option is AM Prime, aka AMIS (Auth Manager Integration Server). It kind of runs on top of Authentication Manager to provide more granularity and customization in both Administration (Help Desk Admin Portal, HDAP) and Self-Service (Self-Service Portal). This product was originally developed by RSA Professional Services. Many customers use this in a variety of ways.
Prime AMIS Developer's Guide
Prime Kit quick setup guide