Safety functions

Default authentication indicates that it will be carried out using the internal Pandora FMS database. For security, superadmin type users are always authenticated in this way, the rest of the authentication types have the local option as a backup (fallback).

• Automatically create remote users: Enables or disables automatic creation of remote users. This option makes it possible for Pandora FMS to create users automatically once they log in. If you enable this feature, the following fields will be available:
• Save Password: If activated, it allows you to save AD passwords in the local Pandora FMS database.
• Advanced Configuration AD: If this option is enabled, the Advanced Permissions AD configuration will be used.
  • Advanced Permissions AD: Lists the advanced permissions that have been added in Add new permissions.
• Automatically create profile: When the automatic creation of remote users is active, this field makes it possible to assign a type of profile to these users that are created automatically. The default profiles are: Chief Operator, Group Coordinator, Operator (Read), Operator (Write) and Pandora Administrator. The different profiles available can be consulted in the Profiles → Profile management section.
• Automatically create profile group: When activating the automatic creation of remote users, this field makes it possible to assign a group to these automatically created users. The different groups available can be consulted in the Profiles → Manage agent groups section.
• Automatically create profile tags: When the automatic creation of remote users is active, this field makes it possible to assign a profile to a group with the desired tags. The different available groups can be consulted in the Profiles section → Module tags.
• Autocreate blacklist: Allows you to write a list of users, separated by commas, that will not be created automatically.
• Active Directory server: Define here the path where our Active Directory server is located.
• Active Directory port: To define the port number of the Active Directory server (389 by default).
• Start TLS: Defines whether or not the Transport Layer Security (TLS) protocol will be used in communications between the client and the server.
• Enable secondary active directory: Allows you to activate the connection to a secondary Active Directory server. It has the same fields as the primary server but also supports configuring a search expiration time (AD search timeout) with a default value of 5 seconds.
• Double authentication: Users can choose whether to enable two-step authentication on their accounts. To learn more about how to enable two-step authentication on an account, you can read this section. This functionality requires that the server and mobile devices have a synchronized and as accurate date and time as possible.
• In the event that there is a user password change, MS Windows® allows you to use an old password by default for 60 minutes in Active Directory. Being a Windows configuration, this behavior is totally foreign to Pandora FMS. If you wish to modify, you can consult the documentation at Microsoft® .
• Domain: Define the domain that the Active Directory will use.
  • At this time a user's primary groups are not supported with advanced group settings in AD Authentication.
  • If you are using Advanced Configuration AD, be sure to set the full path in the domain field (Domain).
  • If the Active Directory installation is with LDAP, you must define here the LDAP path in which the server is located, generally:

ldap://addc.mydomain

• In order to use this mode, OpenLDAP dependencies must be installed.
• Depending on the operating system used, the commands used are:

yum install openldap*

Or

apt install ldap-utils

Important fields:

• LDAP server and Secondary LDAP server: Depending on the environment, the host may be accessed directly (x.x.x.x.x) or by URL (ldap://x.x.x.x.x, ldaps://x.x.x.x.x).
• Login attribute and Secondary Login attribute: Both fields are case sensitive.
• Fallback to local authentication: Should this option be enabled, local authentication will be performed if LDAP fails. Administrator users will always have fallback enabled, in order not to lose access to Pandora FMS in case of remote authentication system failure.
• Automatically create remote users: It enables or disables remote user automatic creation. This option allows Pandora FMS to create the users automatically once they have logged in (login) using LDAP.
• LDAP function: When searching LDAP, you may choose whether to use the native PHP function or the local ldapsearch command. It is recommended to use the local command for those environments that have an LDAP with many elements.

Advanced Config LDAP

• Should this option be enabled, a list of all saved advanced permissions will be displayed. New permissions may be added by selecting the profile, groups and tags, next to the attribute filter. If any user meets any of these attributes (e.g. a particular organizational unit or group), then the user will be created.
• If this option is not activated, the simple system will be used for user profile creation (Automatically create profile, Automatically create profile group, Automatically create profile tags, Automatically assigned no hierarchy).

• Enable secondary LDAP: If you enable a secondary LDAP server as a backup, the corresponding primary LDAP server fields will appear.
• Double authentication: Users will be able to choose whether to enable two-step authentication on their accounts. This feature requires server and mobile devices to have the most accurate date and time synchronization possible.

To use this feature the administrator must activate double authentication in the authentication section of Pandora FMS Web Console global configuration:

Management → Settings → System Settings → Authentication → Double authentication.

Users may choose whether to enable two-step authentication on their accounts by accessing the Edit my user option.

It will also be necessary to have the code generator application on a mobile device owned by each user. To find out where and how to download it:

Force 2FA for all users is enabled

Enabling this option will force all users to use the two-step authentication.

SAML is an open XML-based authentication and authorization standard. Pandora FMS can work as a service provider with its internal SAML identity provider.

Download SimpleSAMLphp version 2.3.2 from its official repository:

and then upload it to Pandora FMS server. If PFMS server has internet access and wget is installed, you may use the following command directly in a directory with sufficient space and write permissions:

wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v2.3.2/simplesamlphp-2.3.2-full.tar.gz

Unzip the downloaded file with:

tar -xvf simplesamlphp-2.3.2-full.tar.gz

The folder must be moved to its final location:

mv simplesamlphp-2.3.2 /opt/simplesamlphp

To share access with Pandora FMS, create the following symbolic link:

ln -s /opt/simplesamlphp/public /var/www/html/simplesamlphp

SimpleSAMLphp bases its configuration on the config.php file. With the final location established above, the default template must be renamed:

mv /opt/simplesamlphp/config/config.php.dist /opt/simplesamlphp/config/config.php

This will generate the full path to the configuration file in:

/opt/simplesamlphp/config/config.php

The following values should be edited using your favorite text editor (note that pandora.local must be replaced by PFMS web console URL and keep the comma at the end of the line, as it is part of the instruction blocks):

/opt/simplesamlphp/config/config.php

'baseurlpath' => 'https://pandora.local/simplesamlphp/',
'auth.adminpassword' => '123pandora',

Save the changes to the file and go to the command line.

mkdir /var/cache/simplesamlphp && chown apache:apache /var/cache/simplesamlphp

This will get SimpleSAMLphp up and running, and it should display the home page at URL https://pandora.local/simplesamlphp/ (replace pandora.local with PFMS web console's URL).

To access SimpleSAMLphp management, first rename file. authsources.php.dist:

mv /opt/simplesamlphp/config/authsources.php.dist /opt/simplesamlphp/config/authsources.php

Copy the contents of the previously downloaded XML, paste it, and process it; this will generate a configuration text for PHP, which is copied and added to file /opt/simplesamlphp/metadata/saml20-idp-remote.php. Then save these additions and exit the file editor.

It may be accessed through URL https://pandora.local/simplesamlphp/admin/ (replace pandora.local by PFMS web console's URL):

The following values are common:

Some notable fields:

• SAML group name attribute: SAML field where to search for the group name (while auto-create remote users is enabled).
• SimpleSAML path: Directory where the folder is located simplesamlphp.
• SAML source: Name authsource, for example example-userpass.
• SAML email attribute: SAML field where to search for the user's email address (while auto-create remote users is enabled)

In Azure® services, you must access the Extra ID section:

Then go to Business Applications:

A new application is created (or an existing one is used):

Single sign-on access:

Edit the basic SAML configuration:

Fill in the following fields with the ID for the application, the address of the installed SimpleSAMLphp (replace pandora.local with the URL of the PFMS web console) and the address to which Azure® will redirect when the session is closed:

Download the XML file with federation metadata, which will be used later:

Finally, save the ID from the previous step and the URL of the extra identifier:

The file /opt/simplesamlphp/config/authsources.php must be edited with the following values:

And on the SimpleSAMLphp website, go to the Federation menu and then to the Tools section for converting XML to PHP:

The name saml20-idp-remote.php.dist must be changed to:

mv /opt/simplesamlphp/metadata/saml20-idp-remote.php.dist /opt/simplesamlphp/metadata/saml20-idp-remote.php

Copy the contents of the previously downloaded XML file, paste it, and process it. This will generate a configuration text for PHP, which you should copy and paste into the file /opt/simplesamlphp/config/authsources.php, replacing all of its contents.

If everything is correct, proceed to perform a test:

Obtaining the following result:

The email address and user ID can be taken from the attributes returned by Azure® in the test performed above:

For advanced configuration, you can delve deeper into the mapping of properties or select a default one if none match:

Pandora FMS allows to encrypt the passwords stored in the database.

The encryption key is generated from a user-supplied password and is not stored in the database (neither the password nor the key), so that passwords cannot be recovered from a database dump.

Once the user sets the password, the encryption works transparently to the user.

Passwords are encrypted using the Rijndael cipher with 128-bit blocks in ECB mode. A 256-bit key is generated at startup from the MD5 of the password set by the user.

To enable key encryption, the password must be configured both in the Pandora FMS Server and in the Web Console.

The steps to follow for encryption are as follows:

• Stop the server, both in Command Center (Metaconsole) and in the nodes.

• Update the encryption_passphrase fields in /etc/pandora/pandora_server.conf and /var/www/html/pandora_console/include/config.php, both in Command Center (Metaconsole) and in nodes.

$config["encryption_passphrase"]="passphrase";

• Launch the encryption script both in Command Center (Metaconsole) and in the nodes.

/usr/bin/pandora_encrypt_db /etc/pandora/pandora_server.conf

It is possible to change the encryption password in case it has been compromised. You must first decrypt the passwords stored in the database:

/usr/bin/pandora_encrypt_db -d /etc/pandora/pandora_server.conf

Then, after having changed the encryption password (as described in the section for configuration in a new installation), you can encrypt it again:

/usr/bin/pandora_encrypt_db /etc/pandora/pandora_server.conf

Credential store:

If you have an encrypted database, in order to continue using the credential manager without losing data decrypt everything except the tcredential_store table.

To do so, execute the following commands:

/usr/bin/pandora_encrypt_db -d -m /etc/pandora/pandora_server.conf

It will be deciphered.

Once decrypted, it will be re-encrypted again:

/usr/bin/pandora_encrypt_db /etc/pandora/pandora_server.conf

If you only want to encrypt from scratch, just execute the last command.

• Stop the server, both in Command Center (Metaconsole) and in the nodes.
• Launch the decryption script both in Command Center (Metaconsole) and in the nodes.

/usr/bin/pandora_encrypt_db -d /etc/pandora/pandora_server.conf

• Comment encryption_passphrase in /etc/pandora/pandora_server.conf and /var/www/html/pandora_console/include/config.php both in Command Center (Metaconsole) and in nodes.

# $config["encryption_passphrase"]="your encryption passphrase";

To activate the password policy, you must have an administrator profile (Pandora administrator) or be a superadmin .

Important fields:

• Enable password policy: Disabled by default, enabling it will display the rest of the fields.
• Min. password size: By default, four characters is the minimum password length.
• Password expiration: Default zero 0 days (passwords without expiration).
• The password must include numbers: The password must include numbers, disabled by default.
• The password must include symbols: The password must include symbols, disabled by default.
• Force password change on first login: Force password change on first login after user creation, disabled by default.
• Block user if login fails and Number of failed login attempts: Minutes (default 5) that the user remains locked out if they use up the maximum number of failed attempts (default 5 attempts).
• Apply password policy to admin users: Applies the password policy also to administrator users, activated by default.
• Enable password history and Compare to previous password: They work together to prevent users from reusing passwords. The first token must be enabled and the second must be greater than zero (default 3). That way, a user's new password will be compared with passwords previously used by the same user.
• Activate reset password: Disabled by default, if enabled, it allows users to recover forgotten passwords.
• Exclusion word list for passwords: It allows you to add a list of passwords explicitly excluded from use in Pandora FMS.

Pandora FMS stores a log with all changes and important actions carried out in the Pandora FMS Console. There you can see a series of entries related to Console activity, including user information, type of action, date, and a brief description of the recorded events.

You can filter which entries are displayed by different criteria, including actions, user, and IP address. You can also perform a text search and define the maximum time range to search, with the option to save that filter if it is frequently used.

Back to the Pandora FMS documentation index