Sunday, January 19, 2014

Basics: Privilege Management Implemeting (Do) on UNIX/Linux using Centrify and Active Directory

Background


This is the implementation portion of the 4-part series around Privilege Management with Centrify for UNIX/Linux.  Read the previous post to catch up.  The basic knowledge for this post, although focused on UNIX, it's applicable with the exception of rights, applies to Windows too.  The activities required to implement roles with Centrify requires:
  1. Create Computer Roles if needed
  2. Create and Configure Roles
    • Build the PAM access rights if needed
    • Build the Commands if needed
  3. Assign the role

Creating Computer Roles

Centrify computer roles are groupings of systems that perform a particular role.  I like to call them computer groups.  Systems can be grouped any way it makes sense to you.  The real power of computer roes is that they are based on AD Security groups, this means that you can have computers (just like users) that have multiple roles.   Examples:

  • Fragmented (vertical) model:  Web, Database, Utility, Network Services, etc.
  • Mixed mode (horizontal/cross funtional)l:  Application X - Dev; Application X - Prod  (Application X has Database, Web and Application servers).


To create a computer role:
  1. Create an AD Security Group  (this is the Computer Role container)
  2. In Access Manager, Open the Zone, and expand Authorization > Computer Roles
  3. Right click Computer Roles and select Create New Computer Role
  4. Set the name, and browse for the AD group created in step 1.

What happens when you create a Computer Role?

A computer role adds a new scope to assign RBAC and to categorize systems.  The operations associated with Computer Roles are role assignment and member add/moves/changes.

The add/moves/changes for roles are performed within the AD group that grants the role, this makes the Role Assignment a first time/adjustment activity.

Creating Roles

Centrify roles are the building blocks for Role-Based Access Controls.  Roles are defined, then assigned to AD security principals.  In UNIX roles are composed of PAM Access and Commands.

  • PAM Access:  Defines the PAM-aware protocols that are allowed in the the role.  Examples:  Secure Shell (ssh), xdm, VNC, and of course, not recommended:  pure telnet & FTP.  The built-in login-all  PAM right allows access on all protocols including the console.
    Note for AIX:  Some AIX platforms are configured for LAM can't provide granular access.
  • Commands:  are the privileged (or non-privileged) commands defined for the role.  They can be defined explicitly, or with regular expressions, tied to the Centrify restricted shell, scoped for a particular user, and defined with additional authentication requirements.

To create roles:

You need to know how the role will access the system (e.g. via SSH), what privileged commands it needs (e.g. service control for httpd), any time restrictions and if you have Centrify Enterprise, you

  1. In Access Manager open the Zone > Authorization > Role Definitions
  2. First, always review your roles to see if a role exists that can be reused.
  3. Examine PAM The UNIX Rights definitions node for PAM and Commands and make sure the building blocks exist.
  4. Right Click Role definitions and Select Add Role
  5. Name the role, use the description field and add any time/day restrictions if needed.
  6. Go to the System Rights tab.  Define the logon experience. 
    • Password login and non-password login (SSO) are allowed:  if  you plan to use both SSO and passwords  (check it)
    • Non-Password SSO login allowed:  You would uncheck the one above and only check this if you're in a Smart Card scenario.  (check it)
    • Account disabled in AD can be used by sudo, cron, etc:  Only required if you're defining a role for a service account managed from AD.  (leave unchecked)
    • Login with a non-Restricted Shell:  This is going to be not selected if using the Centrify Restricted shell (white-list mode).  (check it)

      Note the Windows rights, not covered in this posting.
  7. If using Enterprise Edition, go to the Audit Tab, and select the appropriate option:
    Especially when Auditing roles for Windows, the integration of RBAC and auditing can result in auditing risky actions and less storage usage in the Audit database.
  8. Press OK.
    Very important: At this point, the role is defined, but it has no rights assigned to it, this has to be the most common mistake in the area of RBAC along with assigning a role without granting an identity.  
  9. Right-click the newly-created role and select Add Rights
    Check all the rights (PAM) and commands for the role and press OK.
Now the role is ready to use (be assigned).


Assigning Roles

As described, Role assignment is the granting of a UNIX (or Windows) role to an AD Security Principal in the correct scope.  Roles can be assigned at:

  • Zone Level:  This role will apply to all systems in the zone.  (Limited Use)
  • Child Zone:  This role will apply to the child zone (Depends on your design)
  • Computer Role:  This role will apply just to the set of systems in the role (Optimal usage)
  • Computer:  This is a local override or exception  (If you find yourself doing this a lot, you have a governance problem)
Time-bounding Role Assignments
Permanent vs. Temporary Role assignments:  Time-bounding of role assignments is a powerful feature of Centrify, this allows for scenarios like this:
  • Change-control windows:  You can have your population be regular users all the time, and only get a role with privileges when a change control has been granted.  The access/rights expire automatically at the time specified.
  • Contractor scenarios:  A set of external users may need access to systems in a specified period of time.
With the AD Group, scope and time, all the information is ready for do do an assignment.

  1. In Access Manager, go to Zone > Authorization
  2. At this point, it's time to pick the scope:
    • To assign at the zone/child zone level, select the Role Assignments node right under authorization.
    • To assign at the Computer Role level, expand Computer Roles, find the correct system group, and expand to expose Role assignments
    • Exception:  At the system level, go to the Computers node, find the computer, expand it and find Role Assignments.
  3. Right click Role Assignments and select Assign Role, then pick the role you are going to assign.
  4. In the Assign Role box, time-bound based on your information (scope or permanent), then use the Add AD Account button and find the Group (or user -not recommended- promotes exceptions) that you will grant the role to and press OK.
Process Reuse: The biggest benefit of assigning the role to a group is that this makes the integration with other tools and process reuse much easier.

In the next post we will talk about the Check (Verify the implementation) portion of Privilege Management.

No comments:

Post a Comment