CBH enables common authentication, authorization, account, and audit (AAAA) management. Users can obtain O&M permissions by submitting tickets and can invite O&M engineers to perform collaborative O&M.
Credential Authentication
CBH uses multi-factor authentication and remote authentication technologies to enhance O&M security.
- Multi-factor authentication: CBH authenticates users by mobile one-time passwords (OTPs), SMS messages, USB keys, and/or OTP tokens. This allows you to mitigate O&M risks caused by leaked credentials.
- Remote authentication: CBH interconnects with third-party authentication services or platforms to perform remote account authentication, prevent credential leakage, and ensure secure O&M. Currently, Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and Azure AD remote authentication are available. CBH allows you to synchronize users from the AD domain server without modifying the original user directory structure.
Account Management
With a CBH system, you can centrally manage system user accounts and managed resource accounts, and establish a visible, controllable, and manageable O&M system that covers the entire account lifecycle.
Table 1 Account management
Feature |
Description |
System user accounts |
CBH enables you to grant a unique account with specific permissions to each system user based on their responsibilities. This eliminates security risks resulting from the use of shared accounts, temporary accounts, or privilege escalation.
- Batch importing
CBH enables you to synchronize users from a third-party server or import users in batches, eliminating the need to create users repeatedly.
- User groups
CBH allows you to add users of the same type in a group and assign permissions by user group.
- Batch management
CBH enables you to manage user accounts in batches, including deleting, enabling, and disabling user accounts, resetting user passwords, and modifying basic user configurations.
|
Managed resource accounts |
With a CBH system, you can centrally manage accounts of resources managed in the CBH system through the entire account lifecycle, log in to managed resources by using SSO portal, and seamlessly switch between resource management and O&M.
- Resource types
CBH supports management of a wide range of resource types, including host (such as Windows and Linux hosts), Windows application, and database (such as MySQL and Oracle) resources.
- Host resources of the client-server architecture, including hosts configured with the Secure Shell (SSH), Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Telnet, File Transfer Protocol (FTP), SSH File Transfer Protocol (SFTP), DB2, MySQL, SQL Server, Oracle, Secure Copy Protocol (SCP), or Rlogin protocol.
- Application resources of the browser-server architecture or the client-server architecture, including more than 12 types of browser- and client-side Windows applications, such as Microsoft Edge, Google Chrome, and Oracle tools.
- Resource management
- Batch importing
CBH enables quick auto-discovery, synchronization, and batch importing of cloud resources, such as Elastic Cloud Server (ECS) and Relational Database Server (RDS) DB instances on the cloud for centralized O&M.
- Account group management
CBH manages resource accounts by group. By placing resource accounts of the same attribute in the same group, you can assign permissions on a group basis and let accounts inherit the permissions directly from the group to which they belong.
- Password autofill
CBH uses the Advanced Encryption Standard (AES) 256-bit encryption technology to encrypt managed resource accounts and uses the password auto-filling technology to encrypt shared accounts, preventing data leakage.
- Automatic password change of managed resource accounts
CBH supports password change policies so that you can periodically change account passwords to keep managed accounts secure.
- Automatic synchronization of managed resource accounts
CBH allows you to configure account synchronization policies so that you can periodically check and synchronize account information between the CBH system and the managed host resources. When you create, modify, or delete an account on a host, the same operation is performed in CBH.
- Batch management
CBH allows you to batch manage information and accounts of managed resources, including deleting a resource, adding a resource label, modifying resource information, verifying a managed account, and deleting a managed account.
|
Permissions Management
CBH supports fine-grained permission management so that you have complete control over which user can access the CBH system and which managed resources can be accessed by a specific system user, enabling you to safeguard both the CBH system and managed resources.
Table 2 Permissions management
Function |
Description |
CBH system access permission |
You can assign permissions to a system user to log in to a CBH system and use different functional modules in the CBH system according to the user's responsibilities.
- System user roles
CBH supports role-based and module-based permission management so that you can allow a system user to access specific functional modules based on the user's responsibilities.
You can use default user roles or create custom roles by adding various functional modules.
- Departments
CBH enables department-based system user management, allowing you to specify departments of different levels for each system user. There are no limits on the number of department levels.
- Login restrictions
CBH controls system user logins from many dimensions, including login validity period, login duration, multi-factor verification, IP addresses, and MAC addresses.
|
Managed resource access permission |
You can assign permissions for resources by user, user group, account, and account group.
- Access control
You can control resource access by resource access validity period, access duration, and IP address. CBH also allows you to assign permissions to users for uploading and downloading files, transferring files, and using the clipboard. When an O&M initiates an O&M session, the watermark indicating their identity will be displayed in the background of the session window.
- Two-person authorization
You can configure multi-level authorization for users, allowing them to access to a specific resource, and thereby safeguard sensitive and mission-critical resources.
- Command interception
You can set command control policies or database control policies to forcibly block sensitive or high-risk operations on servers or databases, generate alarms, and review such operations. This gives you more control over key operations.
- Batch authorization
You can grant permissions for multiple resources to multiple users by user group or account group.
|
Operation Audit
In a CBH system, each system user has a unique identifier. After a system user logs in to the CBH system, the CBH system logs their operations and monitors and audits their operations on managed resources based on the unique identifier so that any security events can be discovered and reported in real time.
Table 3 Operation audit description
Function |
Description |
System operation audit |
All operations in a CBH system are recorded, and alarms are reported for misoperations, malicious operations, and unauthorized operations.
- System login logs
Details about a login, including the login mode, system user, source IP address, and login time, are recorded. System login logs can be exported with just a few clicks.
- System operation logs
All system operation actions are recorded. System operation logs can be exported with just a few clicks.
- System reports
CBH displays all operation details of users in one place, including user statuses, user and resource creation, login methods, abnormal logins, and session controls.
System reports can be exported with just a few clicks and periodically reported by email.
- Alarm notification
You can configure different alarm reporting methods and alarm severity levels for system operation and your application environment so that the CBH system sends alarm notifications by email or system messages as soon as it determines system exceptions and abnormal user operations.
|
Resource O&M audit |
A CBH system records user operations throughout the entire O&M process and supports multiple O&M auditing techniques. It audits user operations, identifies O&M risks, and provides the basis for tracing and analyzing security events.
- Auditing techniques
- Linux command audits
For command operations through character-oriented protocols (such as SSH and Telnet), a CBH system records the entire O&M process, parses operation commands, reproduces operation commands, and quickly locates and replays operations using keywords in input and output results.
- Windows operation audits
For operations on terminals and applications through graphics protocol (such as RDP and VNC), the CBH system records all remote desktop operations, including keyboard actions, function key operations, mouse operations, window instructions, window switchover, and clipboard copy.
- Database command audit
For command operations through database protocols (such as DB2, MySQL, Oracle, and SQL Server), the CBH system records the entire process from single sign-on (SSO) to database command operations, parses database operation instructions, and reproduces all operating instructions.
- File transfer audits
For file transfer operations through file transfer protocols (such as FTP, SFTP, and SCP), the CBH system audits the entire file transfer process on web browsers or clients, and records the names and destination paths of transferred files.
- O&M audit methods
- Real-time monitoring
Ongoing O&M sessions can be monitored, viewed, and terminated.
- History logs
All O&M operations are recorded and history session logs can be exported with just a few clicks.
- Session videos
Linux commands and Windows operations can be recorded by video.
Video files can be downloaded with just a few clicks.
- Operation reports
CBH uses various reports to display O&M statistics in one place, including O&M action distribution over time, resource access times, session duration, two-person authorization, command interception, number of commands, and number of transferred files.
Operation reports can be exported with just a few clicks and periodically sent by email.
- Log backup
CBH allows you to back up history session logs to a remote Syslog server, FTP/SFTP server, and OBS bucket for disaster recovery.
|
O&M Functions
CBH supports multiple architectures, tools, and methods to manage a wide range of resources.
Table 4 Efficient O&M functions
Function |
Description |
O&M using a web browser |
By leveraging HTML5 for remote logins, O&M engineers can implement O&M operations such as real-time operation monitoring and file uploading and downloading, without installing a client.
- One-stop O&M
O&M engineers can complete remote O&M anytime anywhere through Microsoft Edge, Google Chrome, or Mozilla Firefox browsers on Windows, Linux, Android, and iOS operating systems without installing plug-ins.
- Batch login
CBH supports one-click login to multiple authorized resources, enabling O&M engineers to manage the resources on the same tab page of a browser.
- Collaborative session
Allows multiple O&M engineers to perform O&M through a shared O&M session. The user who initiates the O&M session can invite other O&M personnel or experts to join the on-going session and locate problems. This greatly improves O&M efficiency when multiple O&M engineers work together.
- File transmission
CBH uses the WSS-based file management technology to upload, download, and manage files online, enabling file sharing among several hosts.
- Command group-sending
CBH supports the group sending function for multiple Linux resources. With this function enabled, when a command is executed in a session window, the same operation is performed in other session windows.
|
Third-party client O&M |
CBH enables one-click interconnection with multiple O&M tools, enabling you to perform O&M without changing client usage habits.
- O&M tools
SecureCRT, Xshell, Xftp, WinSCP, Navicat, and Toad for Oracle
- SSH clients
For host resources with character protocols configured, O&M engineers can log in to them through SSH clients.
- Database clients
For database-deployed host resources, O&M engineers can log in to databases using configured SSO tools.
- File transfer clients
For host resources with file transfer protocols configured, O&M engineers can log in to them through FTP or SFTP client.
|
Automatic O&M |
CBH enables automated O&M to simplify online complex operations, eliminating repetitive manual effort and improving efficiency.
- Script management
CBH manages offline scripts, including Shell and Python scripts.
- O&M tasks
CBH automatically executes one or more preset O&M tasks, such as command execution, script execution, and file transfer tasks.
|
O&M Ticket Application
During the O&M, if a system user does not have the required permissions for a certain resource, they can submit a ticket to apply for the permissions.
- O&M personnel can:
- Manually or automatically trigger the ticket system and submit access approval tickets, command approval tickets, and database approval tickets.
- Submit, query, send reminders for approving, cancel, and delete tickets.
- System administrators can:
- Customize approval processes, including multi-level approval processes.
- Approve one or more tickets at a time, as well as reject, cancel, query, and delete tickets.