Appendix
Appendix I: Table with Possible Values for System Services and Listeners
| Return | Description |
|---|---|
| LISTEN | Waiting for a connection request from a remote TCP application. This is the state in which you can find the listening socket of a local TCP server. |
| SYN-SENT | Awaiting confirmation from the remote terminal after sending a connection request. Results after step 1 of the three-way TCP handshake. |
| SYN-RECEIVED | This terminal received a connection request and sent a confirmation. This endpoint is awaiting final confirmation that the other endpoint has received confirmation from this endpoint from the original connection request. Results after step 2 of the three-way TCP handshake. |
| ESTABLISHED | Represents a fully established connection; This is the normal state of the data transfer phase of the connection. |
| FIN-WAIT-1 | Awaiting acknowledgment of the end-of-connection request or a remote TCP simultaneous end-of-connection request. This state is usually short lived. |
| FIN-WAIT-2 | Waiting for a remote TCP connection termination request after this terminal has sent its connection termination request. This state is usually short-lived, but if the remote socket endpoint does not close its socket shortly after receiving information that this socket endpoint has terminated the connection, it may last for some time. Excessive FIN-WAIT-2 states may indicate an error in remote application coding. |
| CLOSE-WAIT | This endpoint has received a close request from the remote endpoint and this TCP is waiting for a local application connection termination request. |
| CLOSING | Awaiting confirmation of remote TCP connection termination request. This state is entered when this terminal receives a request to close the local application, sends a termination request to the remote terminal, and receives a termination request before receiving confirmation from the remote terminal. |
| LAST-ACK | Awaiting acknowledgment of the connection termination request previously sent to remote TCP. This state is entered when this endpoint receives a termination request before submitting its termination request. |
| TIME-WAIT | Waiting long enough to pass to make sure that remote TCP has received confirmation of your connection termination request. |
| CLOSED | It does not represent any connection state. |
| ACTIVE | Service is operating. |
| INACTIVE | Service is not operating |
| DISABLED | Service is not enabled |
Appendix II: Notifications that can be sent by e-mail
Access control
Notifications from workflow process. Every product/module that has workflow process can send this kind of message.
Founded request: A new approval request has been made by a user. Approvers will receive an email with details;
Request approved: Some approver user has accepted the request;
Request Disapproved: Some approver user has rejected the request;
Audit trail
Changes at major entities records.
- Audit trail: When a major entity is created, updated or inactivated, a detailed log is registered and can be also notified;
Authentication
Messages from authentication process.
- Authentication messages: When a user is authenticated or some authentication process failure;
Certificates
Messages from Certificate Manager module.
Certificate bond with device: When a certificate is configured into a device;
Certificate creation: When a certificate is created. Can be triggered by automatically issue or manual import;
Certificate expiration alert: 1 day: Some certificates will be expired on 1 day;
Certificate expiration alert: 30 days: Some certificates will be expired on 30 days;
Certificate expiration alert: 7 days: Some certificates will be expired on 7 days;
Certificate expiration alert: Today: Some certificates will be expired today;
Certificate expiration warning: 15 days: Some certificates will be expired on 15 days;
Certificate expiration warning: 60 days: Some certificates will be expired on 60 days;
Certificate expiration warning: 90 days: Some certificates will be expired on 90 days;
Certificate password view: Some user has viewed the certificate password on plain-text;
Certificate renewal: A certificate has been renewed at targets devices;
Certificate revocation: A certificate has been revoked at targets devices;
Download: Some user has downloaded a certificate from senhasegura . This certificate can be a valid and published one, an old one or even a unused certificate;
Publish profile management: A publish profile configuration has been created or changed;
Request management: A certificate request CSR has been created or changed;
Request password view: A certificate request CSR password has been viewed;
Command audit
SSH Proxy session audited command execution.
Command detected - Allow: Some user has executed an audited command;
Command detected - Block: Some user has tried to execute an audited command configured to be blocked;
Command detected - Block and interrupt session: Some user has tried to execute an audited command configured to be blocked. His session was immediately interrupted;
Command detected - High Urgency: Some user has tried to execute an audited command configured with high score;
Command detected - Low Urgency: Some user has tried to execute an audited command configured with low score;
Command detected - Medium Urgency: Some user has tried to execute an audited command configured with medium score;
Credentials
PAM Credentials operations.
Credential Owner configuration: Some credential has been created or changed to has a dedicated owner;
Password changed: Some credential has it password changed manually or by Execution module template;
Password daily summary: A report with credentials operations summary;
Password Expired: A report with credentials with expired password;
Password Viewed: A report with credentials that has been requested by users to see its plain-text passwords;
Devices
PAM Devices monitoring.
Lost of connectivity: Devices that lost connectivity over the configured ports;
Reestabilished Connectivity: Devices that recovery connectivity after been flagged as connectivity lost;
Monitoring
Server instance resources monitoring.
CPU Usage - Critical: CPU is running over 90% usage over 10 minutes;
CPU Usage - High: CPU is running over 70% usage over 10 minutes;
Daily report of change of passwords: A report with credentials operations summary;
Low disk space - High Urgency: Storage is running under 10% of free space;
Low disk space - Low Urgency: Storage is running under 30% of free space;
Low disk space - Medium Urgency: Storage is running under 20% of free space;
Memory Usage - Critical: RAM is running over 90% usage over 10 minutes;
Memory Usage - High: RAM is running over 70% usage over 10 minutes;
Space disk - Daily notification: Storage usage daily report;
User downloaded the PDF with system dashboard: Some user has downloaded a dashboard as PDF. This alert exists to make clear that some data has exported by some user;
Password backup
Backup procedures.
Backup performed: A privileged information backup has been made using the master key. This backup execution can be executed automatically by system schedule, or manually by user request.
Ceremony process completed: A master key ceremony has been made;
Ceremony process started: A master key ceremony has been started;
Error on backup: An error occurred during a privileged information backup;
User downloaded the PDF with his part of the key: Some Master Key Fraction Guardian has downloaded its own key fraction as PDF document;
User has seen his part of the key: Some Master Key Fraction Guardian has viewed its own key fraction as plain-text;
Password operation
PAM credentials operations running by Execution module.
Activation executed: A credential has been activated into target device by Execution module;
Change Executed: A credential has taken its password changed into target device by Execution module;
Error on activation: An error occurred when tried to activate into target device by Execution module;
Error on change: An error occurred when tried to change password into target device by Execution module;
Protected information
PAM Protected information operations.
Information changed: Some protected information has been changed;
Information expired: Some protected information has expired;
Information viewed: Some user requested protected information data. This user had access to its password, file or content;
Remote session
senhasegura Proxy operations.
Generate video for download: Some user requested MP4 video generate;
Indexed text session: senhasegura finished to index a proxy session texts;
Session file modified: A session had its audit source file changed;
Session started: A proxy session is started;
Session terminated: A proxy session is finished;
Video scheduled for download: The requested video generate has finished;
High Risk Session: It was identified a high-risk session;
User behavior
Unusual behaviors detected by User behavior module.
Access unusual origin: A proxy session started by some user from an unusual origin for that user or credential;
Access with unusual average length: A proxy session with a unusual duration time for that user or credential;
Accesses at unusual time: A proxy session with a unusual starting time for that user or credential;
Excessive number of accesses: Some credential are been requested more than the usual. Or some user is requesting credentials more than usual;
Unusual accesses: Some device is been accessed into an unusual time, user or IP;
Excessive views: Some credential is been requested as plain-text more than the usual;
Views on unusual time: Some credential is been requested as plain-text into unusual date time;
Unusual credential views: Some user is requesting plain-text view of an unusual credential for him;
Views with unusual origin: Some user is requesting plain-text view of an unusual origin IP;
New geoip location login: Some user made Domum login from a new geoip location;
Unauthorized geoip login attempt: Some user tried to access Domum from an unauthorized geoip location;
Workstation
senhasegura.go for Windows or Linux.
Application completed: An impersoned application execution has ended;
Application started: An impersoned application execution started;
Control panel: An impersoned control panel applet has been accessed;
Copy password: A credential password has been copied;
Credential use for network access: A credential has been used to access a network sharing;
Directory and file scan - Change: The directory and file scan changed some permission policies based on backoffice configuration;
Directory and file scan - Exclusion: The directory and file scan removed some permission policies based on backoffice configuration;
Directory and file scan - Inclusion: The directory and file scan added some permission policies based on backoffice configuration;
Download of senhasegura.go version performed: The senhasegura.go client has downloaded a new version from backoffice;
Error retrieving credentials: An error occurred when the senhasegura.go client tried to request the user credential list;
Go offline: The user requested to start senhasegura.go offline mode;
Go online: The user requested to stop senhasegura.go offline mode;
Macro: A macro was executed by some user;
Network Adapter: A network adapter settings applet was accessed by some user;
Network share: A network share path has been registered by some user;
New senhasegura.go version: A new senhasegura.go version is available at senhasegura backoffice;
Runas: An impersoned application execution started from Windows context menu;
senhasegura.go version approved: The MSI installer has been approved by administrator to be installed automatically from senhasegura.go client;
senhasegura.go version disabled: The MSI installer has been rejected by administrator to be installed automatically from senhasegura.go client;
senhasegura.go version installed: Some workstation has installed the new version and reported to backoffice;
Uninstall: The user uninstalled some application using senhasegura.go elevation;
Untrusted DLL: The user tried to execute an application that has a DLL considered as untrusted;
User: The workstation local user has been approved to use senhasegura.go ;
Using UAC: The user used senhasegura.go to authenticate Windows UAC prompt;
View password: The user viewed the credential password as plain-text;
Workstation approved: The workstation has been approved to use senhasegura.go ;
Workstation registration: The workstation requested authorization to use senhasegura.go ;