Like most sales managers, our internal sales manager needed access to the Call Record Database of our AsteriskNOW implementation. This blog explains how we used our Privileged Task Management module to grant secure access, whilst protecting our privileged credentials.
We had a business need for our internal sales manager to access the Call Record Database of our AsteriskNow implementation. The private branch exchange (PBX) is located on its own network with a dedicated internet connection, and is separated from our corporate network by two firewalls.
We wouldn’t expect our internal sales manager to understand the AsteriskCDRDB format or even the tools needed to access it. We also wouldn’t want to dish out the privileged credentials or allow web access to the PBX system.
Looking at the AsteriskNow implementation, it has a well-protected implementation of MySQL. By default, it is limited to access from the local host only. Given that PBX systems are prime hacking targets, it would be prudent not to change this access.
What we did
We wrote a short Python Program to access the AsteriskCDRDB. The key here is that we didn’t want to embed the credentials in this code, since if the system was compromised any attacker could modify this database to conceal calls made from our PBX.
Here’s the code fragment that we use to connect to MySQL:
The key things to note is that we are using ‘getpass’ to ensure that the passwords are neither echoed or stored in command line history. The other notable technique is that password is set to ‘None’ as soon as the database connection has been tried. This means that it’s not hanging around in memory to be scraped.
Here’s the code that executes the query:
‘execute_query()’ formats the data the way we need it.
On the PxM Platform, we have a task template that is used to drive the Python on the PBX system. The key lines are here:
You can see now the inputs are marshalled, and how timeouts and error conditions are handled. These are seen from the application perspective since it should not be possible for the user to enter a wrong value. The SysAdmin could configure the wrong values and hence these paths would get triggered.
The other notable action is that the remote file is retrieved to the PxM Platform environment, where it is well secured. This means that there’s no GDPR actionable data hanging around in files on the PBX system.
Here’s the PxM Platform’s SysAdmin interface:
In this case “Caller Names” is a list of our sales staff mapped to extension numbers. The business users interface looks like this (we’ve omitted the dropdown list from the screenshot above for GDPR compliance):
Here’s the results page:
The ‘disk’ icon is a direct link to the download.
Using our analytics module, we can see that our PBX task is very popular:
If you’d like to try this against your own implementation of AsteriskNow, or any other Asterisk based PBX, check out our PxM Express product. A ‘no cost’ offering, PxM Express is a scaled down version of the full PxM Platform, and includes task functionality.
Related Articlesterm->name is Task Automation
Why Privileged Access Management should be on every Operations Managers’ wish list
We demonstrate how a Privileged Access Management solution helps Operations Managers in their daily roles, bringing speed and simplicity to everyday… Read Post