Challenge Accepted!
In a previous post, we outlined the PCI DSS 3 Requirement 7 10-minute challenge. This entry outlines the current environment, the high-level steps and the verification protocol.
Here's the current environment as of today (excluding the 2-node Hadoop cluster):
Here's what we're adding for the challenge:
The cast of characters
- J. Peterman and Elaine Benes are the PCI Developers
  - On Windows, PCI Developers shall perform developer tasks like:
    - Opening SQL Server Studio
    - Resetting IIS websites
    - Controlling system services
  - On Linux, PCI Developers shall perform LAMP functions like:
    - Controlling the httpd service
    - Elevating to the mysql account (without knowing the credentials)
    - Editing the httpd daemon config file /etc/httpd/conf/httpd.conf
- Jerry Seinfeld is a Domain Admin
- George Constanza is the UNIX Sysadmin
Steps to the Challenge - 10 minutes
Planning
- Will use a new zone to prove this concept (may be needed for separation of duties) - name: PCI
- Will reuse the existing ZPA service (provisioning has nothing to do with PCI; access will be controlled with Roles)
- A combined UNIX/Windows role will be created with the following access:
  - Role Properties
    - Available 24x7
    - Password Login and SSO enabled
    - Non-Restricted Shell
  - Access Rights
    - PAM SSH
    - Remote (Windows)
    - UNIX Commands
      - systemctl (start|stop|restart)*httpd as root (authenticated)
      - su - mysql as root (authenticated)
      - vi /etc/httpd/conf/httpd.conf
    - Windows Applications
      - iisreset.exe as local administrator
      - services.msc as local administrator
      - SQL Management Studio as local administrator
- The PCI Developers group will be called PCI Developers
Implementation
On the management station:
- In ADUC, create the PCI Developers group
- In Access Manager, set up the new zone
- Set up the UNIX identity properties
- Set up the UNIX commands
- Set up the Windows Applications
- Create the PCI Developers role, set up its properties, add the rights
- Perform the role assignment at the zone level
On CEN2:
- Unpack the Centrify agent bits
- Run adcheck
- Join the zone
- Run adquery user and dzinfo
On APP2:
- Install the Centrify Agent
- Join the zone and reboot
Test Plan (Check) - 5 minutes
- We'll verify that PCI Developers can:
  - Only log in via SSH (Linux) and RDP (Windows)
  - Perform administrative tasks on APP2 (Win Server 2012 R2) without being a member of Local Administrators or Domain Admins
  - Perform LAMP admin duties on CEN2 (CentOS 7) without knowing the root account
- Windows Domain Admins should not be allowed to log in to the PCI systems (Jerry)
- Enterprise UNIX admins should not be allowed to log in to the PCI systems (George)
- Any other users can't access the systems (Soup Nazi)
- The model should work for both Unix/Linux and Windows.
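The test plan above, evaluated against a small model of zone-scoped role assignment. This is an added example, not the post's or Centrify's code: the host name HADOOP1, the short user names, the UNIX Admins group and the Global zone are constructed, and a UNIX command right is treated as a regular expression over the whole command line, a simplification of how the agent matches commands.

```python
import re
from dataclasses import dataclass, field

# Constructed model (not Centrify's engine): a user holds a right on a computer
# only through a role assigned in that computer's zone. Group membership alone,
# even Domain Admins, grants nothing in a zone with no matching assignment.
@dataclass
class Role:
    name: str
    pam_apps: set                                   # login rights, e.g. {"ssh", "rdp"}
    commands: list = field(default_factory=list)    # regexes matched against the full command line

# Constructed inventory: HADOOP1 and the Global zone are assumptions.
ZONE_OF_COMPUTER = {"CEN2": "PCI", "APP2": "PCI", "HADOOP1": "Global"}
GROUPS = {
    "elaine": {"PCI Developers"},
    "jerry": {"Domain Admins"},
    "george": {"UNIX Admins"},
    "soupnazi": set(),
}

# The combined UNIX/Windows role from the plan: PAM SSH + Remote (Windows), plus the command rights.
PCI_DEV = Role("PCI Developer", {"ssh", "rdp"}, [
    r"systemctl (start|stop|restart) httpd",
    r"su - mysql",
    r"vi /etc/httpd/conf/httpd\.conf",
    r"iisreset\.exe", r"services\.msc",
])
ROLE_ASSIGNMENTS = {  # zone -> [(AD group, role)]; nothing is assigned to Domain Admins anywhere
    "PCI": [("PCI Developers", PCI_DEV)],
    "Global": [("UNIX Admins", Role("UNIX Admin", {"ssh"}, [r".*"]))],
}

def roles_for(user, computer):
    zone = ZONE_OF_COMPUTER[computer]
    return [r for g, r in ROLE_ASSIGNMENTS.get(zone, []) if g in GROUPS.get(user, set())]

def can_login(user, computer, app):
    return any(app in r.pam_apps for r in roles_for(user, computer))

def can_run(user, computer, cmdline):
    return any(re.fullmatch(p, cmdline) for r in roles_for(user, computer) for p in r.commands)

def test_plan():
    """The post's check list against the model; returns the indexes of failed expectations."""
    expectations = [
        (can_login("elaine", "CEN2", "ssh"), True),
        (can_login("elaine", "APP2", "rdp"), True),
        (can_login("elaine", "CEN2", "console"), False),       # only SSH and RDP
        (can_run("elaine", "CEN2", "systemctl restart httpd"), True),
        (can_run("elaine", "CEN2", "su - mysql"), True),
        (can_run("elaine", "CEN2", "su - root"), False),       # root stays out of reach
        (can_login("jerry", "APP2", "rdp"), False),            # Domain Admin, no PCI-zone role
        (can_login("george", "CEN2", "ssh"), False),           # UNIX admin role lives in Global only
        (can_login("george", "HADOOP1", "ssh"), True),
        (can_login("soupnazi", "CEN2", "ssh"), False),
    ]
    return [i for i, (got, want) in enumerate(expectations) if got != want]
```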