Jump to content

Buckit

Members
  • Content count

    78
  • Joined

  • Last visited

  • Days Won

    1

Buckit last won the day on December 1 2017

Buckit had the most liked content!

About Buckit

  • Rank
    Advanced Member
  1. LDAP over SSL

    That's great! I love that you've added this!
  2. Awesome sauce! But does this also mean that PasswordState will hold onto any messages it could not send because the host was down?
  3. Yup! Definitely make it selectable. As I said, in some cases we'll even see TLS-encrypted syslog, which you certainly won't find everywhere. Then again, with audit logging like this? Maybe it'd pay off to make it an option because the logs contain a treasuretrove of useful info.
  4. Thanks for considering this feature guys. On the Linux-side of things, we've been doing centralized syslog with both TCP and TLS for quite some time now. It'd be great if that finds its way into PState.
  5. Hi guys, I'm very happy that Passwordstate offers external log forwarding! This allows us to send our audit logs into a syslog box that cannot be tampered with. Today we discovered that Passwordstate does not buffer messages if the syslog target goes down. Funnily enough it does buffer all the logs if you've never configured Syslog before, thus barfing thousands of entries into the newly minted target. But if you've already configured Syslog and the box goes down, then you'll never receive any of the logs between the down and up of the host. Would you please consider adding buffering to the external Syslog connection? Don't rely on UDP, make it TCP with connection-testing. And if the connection fails, mark the moment where you'll need to start buffering. Cheers, Thomas
  6. Well, for starters it looks like you've left all filters blank, so there won't be any matches EDIT: Disregard this. I'm wrong One thing you can do though, is take a gander at the contents of the actual discovery script and then run the important parts of the script manually on one of the target hosts. That way you can troubleshoot the issue step-by-step.
  7. Error during upgrade

    Good catch!
  8. Huh, well I'll be. I didn't know that feature exists. Thing is, the user in question is not a security admin permanently, as we've linked our access rights to an IAM solution where access privs are activated on-demand for specific cases. So even if I were to impersonate the user, I'd not have access to the hosts because their rights were dropped when they went on holiday. And given the nature of our environment I really do not want to set a precedent by resetting the user's password and actually using their account. That certainly would not fly here. So: a big floppy trout it is! Next time I'll see'm *slap!*.
  9. API Auditing Enhancement

    I'd like to second Sarge's request. Great idea for the future!
  10. Hi again! in the Administration tab, you'll find menu options like Password Lists and Password Folders. These are awesome, because it sometimes happens that somebody does lots of work, then leaves after locking all other users out of these objects. These options in the admin-section allow you to manually fix broken access permissions. Now... If only the Hosts and Hosts Folders had the same feature! We're currently in a bind because colleague X set up the auto-discovery jobs and target folders, but set them exclusively to their account. And now they're on a holiday! Yikes! I really don't want to hack these lists through MSSQL, so could you guys add a management feature to the admin-panel that allows us to fix permissions on Hosts Folders? Cheers, Thomas
  11. Personally, I'd never expose it through the web, but that's me. I'd go for yet another option: VPN! Setup a VPN server so you can connect to the internal network from anywhere in the world, in a safe and secure manner.
  12. Alternatively @GeoffO, you could consider building a Powershell script that talks to the API: a script to make a new password object and, if it detects the host does not exist yet, it will ask you for the requisite details.
  13. Good morning! While working with PasswordState in our ACC-environment I realized that I'm needlessly hopping back and forth between screens and tabs, trying to get information. I would like to request that you extend the information on a host's page with the following: List of password objects related to this host, similar to the results screen of a normal search for password objects. Right now, all it says is "Linked credentials: N matching credentials". That's not very useful. Audit history for the host in question, e.g. discovery / manual add / manual remove / config change / heartbeat / password change etc. Right now, the hosts tab feels a bit disconnected from the whole: it looks like it only manages hosts' information, while in fact it's an integral part of managing the password objects. Cheers, Thomas
  14. Browser Extension for Edge

    Like Sarge, we've got our Passwordstate API working just fine with a cert from our internal CA. Don't have much time to spare to help in troubleshooting, but if you have specific questions you know where to reach me through email.
  15. Browser Extension for Edge

    Well, either that, or you ensure that your PasswordState server is provided official certificates by your in-house PKI. That would make life a lot easier and cheaper (assuming you have many in-house servers that need certs).
×