SecurID® Discussions

JohnYogore
Beginner

RSA Authentication Agent Decommission Process

We have an authentication agent auto-registration process for our 8.3 Authentication Manager deployment, but there has always been a question I've had about having an automated agent removal. Is there such a thing, or do we just let the RSA database grow as new hosts get added but never removed?

Is there any guidance on an automated agent removal process supported by RSA?

Are there any security concerns for removal or retention of these authentication agents in the database?

Accepted Solutions
EdwardDavis
Employee

There is no automatic removal.

The security concerns of deleting an agent or retaining them would have to be something you can determine on site...

- delete the wrong one and you can lock out users by mistake,

- keeping them configured but unused is low risk...

You can run a report to look up all 'stale' agents that used to do auto-reg, but haven't in a while, to determine which ones may be candidates for deletion.

Report name: "Agents not updated by auto-registration more than a given number of days"

Report description: "This report lists all agents that were not updated by the auto-registration service for more than a given number of days"

JohnYogore
Beginner

Is there any benefit at all for removing "stale" agents?  


Sure, keeping all network and security devices updated with current and relevant information keeps things 'tidy', and it's always a good idea to keep things relevant. You have a cleaner config, showing only current information, and you are also not listing names and IPs of machines that don't need to be listed on the RSA server (revealing too much/need to know).

JohnYogore
Beginner

We agree that keeping up on the housecleaning would be the choice. To achieve the goal, if I understand correctly, we can run reports and then manually remove these agent definitions. However, if there is no automated process to do this, how do we construct the automation (what API)? Is the level of effort larger than the benefit of keeping stale records, and is this just busy work that nobody else does?

JayGuillette
Apprised Contributor

Keeping Ed's caveats in mind, you could delete agents in bulk in two ways, but you'll want to ensure somehow that you only delete dead agents. If you delete auto-registered agents that still exist, they'll re-register, but the agent will have a node secret while the new agent entry on the AM server will not. If you delete other agents by accident, first they will fail with 'unknown agent'; then, after you add the agent, you would also need to delete the node secret on the agent, or they will fail with 'node secret mismatch, cleared on server not on agent' - like the auto-registered ones.

 

In the Security Console, you could select 500 agents at a time through search criteria, then delete them in bulk. Maybe you can safely determine that if an agent has not auto-registered since a certain date, you can assume it is no longer needed.


Or you could use Authentication Manager Bulk Administration, AMBA, with an input list of agents you want to delete in bulk.  I actually stole this from Ed.  I've made a successful career on Ed's emails...

1) example

agent host is 3.3.3.3

2) input file

aah-remove.csv

action,operation,agenthostname
aah,remove,3.3.3.3

3) run

./rsautil AMBulkAdmin -a admin -P support1! --verbose -m 0 -i aah-remove.csv

4) results

a) (image not reproduced)

b) (image not reproduced)

c) log

Info   :                       Line     1                               -Header Line

Info   :                                                                -Entering AddAgentHost(...)

Info   :                                                                -addAgentHost(...) - Key: Operation = Value: remove

Info   :                                                                -addAgentHost(...) - Key: Linenumber = Value: 2

Info   :                                                                -addAgentHost(...) - Key: Action = Value: aah

Info   :                                                                -addAgentHost(...) - Key: AgentHostName = Value: 3.3.3.3

Success: 2018-09-14 10:13:14 : Line     2 - addAgent , operation - remove-3.3.3.3

Info   :                                                                -Leaving addAgent

Info   :                                                                -Closing input file

Info   :                                                                -Closing rejected actions file

Info   :                                                                -Closing unsupported actions file

Info   :                                                                -Log File Closed

Info   :                                                                -Exit code: 0

EOJ    : 2018-09-14 10:13:14 - Terminating

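Putting Ed's stale-agent report together with Jay's AMBA input format, here is an added example (not from this thread, from RSA, or from AMBA itself): it filters a report export for agents whose last auto-registration is older than a threshold, keeps a never-delete list and rows with unparsable dates out of the delete file for manual review, and writes the `aah,remove` CSV in the format shown above. It assumes the report export has `agenthostname,last_autoreg` columns with ISO dates, which the real report export may not; adjust the column names to match your export.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of a stale-agent report export (assumed columns; not real AM output).
SAMPLE_REPORT = """agenthostname,last_autoreg
3.3.3.3,2018-01-05
vpn-gw.example.net,2018-09-10
lab-02.example.net,never
old-build-01.example.net,2017-11-20
jump-host.example.net,2018-02-01
"""
AS_OF = date(2018, 9, 14)            # date the report was pulled (constructed)
KEEP = {"jump-host.example.net"}     # hosts never to be removed, whatever the report says


def stale_agents(report_csv, today, max_age_days, keep=frozenset()):
    """Split report rows into (remove, review).

    remove: hosts whose last auto-registration is older than max_age_days.
    review: keep-listed hosts and rows whose date cannot be parsed; these
    need a human decision rather than a row in the delete file.
    """
    cutoff = today - timedelta(days=max_age_days)
    remove, review = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        host = row["agenthostname"].strip()
        try:
            last = date.fromisoformat(row["last_autoreg"].strip())
        except ValueError:
            review.append(host)
            continue
        if host in keep:
            review.append(host)
        elif last < cutoff:
            remove.append(host)
    return remove, review


def amba_remove_csv(hosts):
    """Render the AMBA input file in the thread's format: one 'aah,remove' row per host."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["action", "operation", "agenthostname"])
    for host in hosts:
        writer.writerow(["aah", "remove", host])
    return out.getvalue()


if __name__ == "__main__":
    remove, review = stale_agents(SAMPLE_REPORT, AS_OF, 180, KEEP)
    print(amba_remove_csv(remove))   # inspect this before passing it to rsautil AMBulkAdmin -i
    print("needs manual review:", review)
```

Run the generated file through the `-m 0` dry-run style invocation you already use, and check the review list by hand before anything is deleted.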