Sunday, May 10, 2015

Scripting - Using Centrify PowerShell to Automate Access and Privilege Operations

Background

In some of the examples that we use in this blog, we leverage a basic reference design that consists of a Centrify Active Directory zone, a few computer roles, a UNIX and Windows SysAdmin role and some basic assignments at the Zone, Computer Role and System levels.  Since some of you have told me that you use the blog to follow along, I've decided to share the PowerShell code for this purpose.

There are several cast of characters that I create  (in this case, the Simpsons), but you can change it as needed.

Why post this?
As I meet with many of the current or prospective Centrify customers I see 3 common threads: many more of you are using public/private cloud (as evidenced by some of the recent posts) and want tools and examples of automation;  many of you are looking to leverage IT Service Management solutions for  workflow/approvals (like ServiceNow) and combine it with automation; this post provides some examples.

Disclaimer:  I am not a programmer.  I've made my forays into scripting in the past (mostly vbscript) but I'm not a PowerShell, Bash or any other type of programmer.  This is done for illustration purposes.  When working with scripts in production environments, you.must.add.error.handling!!!

The Basic Reference Design

The cadence will be the same as the GUI.  Create the zone, define rights, define roles, populate the roles and assign them.  These are considered the infrequent steps.
The normal operations are UNIX-enabling users, and performing role assignments directly or leveraging AD groups.  This is the same for Windows and UNIX.



PowerShell Modules

You'll need the Active Directory and the Centrify DirectManage PowerShell modules.

Import-Module ActiveDirectory
Import-Module Centrify.DirectControl.PowerShell

Notice that I'm assuming the default location.


Creating the Zone

$zone = New-CdmZone -Name "Model" -Description "Reference Zone" -Type hierarchical -Container "cn=Zones,ou=Unix,dc=example,dc=com"

Notice that I'm using a shortcut to create the zone and add it to a variable.  Obviously the Container assumes that your domain is example.com and there's a UNIX OU with a Zones SubOU contained within.

Defining the Rights

$cmd1 = New-CdmCommandRight -Zone $zone -Name "Run any command as root" -Pattern "*" -MatchPath "*" -DzdoRunAsUser root -Authentication user 

Creates the sensitive command to run any command as root and requests authentication.

$criteria = New-CdmMatchCriteria -Description "Event Viewer" -FileType "exe" -FileName "eventvwr.exe" -Path "C:\Windows\System32\"


$cmd2 = New-CdmApplicationRight -Zone $zone -Name "Audit Windows Event Log" -MatchCriteria $criteria -RunasSelfGroups "Builtin\Administrators"


Creates Event viewer as Administrator.  The first part is to create the application criteria (a Windows application may contain multiple criterion), then we create the right with the proper criteria.

$cmd3 = Get-CdmPamRight -Zone $zone -Name "sshd" 

This is getting the stock sshd right.  Keep in mind that work in most Linux, but probably you'll have to create something different for Ubuntu or Solaris.

$cmd4 = New-CdmCommandRight -Zone $zone -Name "Audit RHEL Secure Log" -Pattern "tail /var/log/secure" -DzshRunas root

This is another platform-dependent command right.  

$cmd5 = Get-CdmPamRight -Zone $zone -Name "login-all"

This gets, the stock "login-all" PAM right for the SysAdmin Role.

Defining the Roles

$role1 = New-CdmRole -Zone $zone -Name "Mixed Auditor" -UnixSysRights login, ssologin, nondzsh -WinSysRights remote

Defines the Mixed Auditor Role with the ability to log in with a password and with SSO to unix systems and via Citrix or RDP to Windows systems.

Add-CdmCommandRight -Right $cmd4 –Role $role1 
Add-CdmApplicationRight -Right $cmd2 –Role $role1 
Add-CdmPamRight  -Right $cmd3 –Role $role1 

The previous 3 commands add the unix command, windows application and ssh rights into the Mixed Auditor role.

$role2 = New-CdmRole -Zone $zone -Name "UNIX Sysadmin" -UnixSysRights login, ssologin, nondzsh 
Add-CdmCommandRight -Right $cmd1 –Role $role2
Add-CdmPamRight -Right $cmd5 –Role $role2

The defines the UNIX SysAdmin role and adds the "Run any command as root" and login-all PAM right.

Defining Computer Roles

Computer Roles are groupings of systems.  They may contain UNIX or Windows systems that exist within the zone.  Computer Roles are stored within AD Security groups, therefore we have to define some groups, and groups have to be put in an OU.  In this case an OU called Demo.

$oupath = (Get-ADOrganizationalUnit -Filter 'Name -like "Demo"').DistinguishedName
New-ADGroup -Name "Centrify-Model-CR-WebServers" -Path $oupath -GroupScope Global
New-ADGroup -Name "Centrify-Model-CR-DatabaseServers" -Path $oupath -GroupScope Global
$crgroup1 = Get-ADGroup -Filter 'Name -like "Centrify-Model-CR-WebServers"'
$crgroup2 = Get-ADGroup -Filter 'Name -like "Centrify-Model-CR-DatabaseServers"'

The naming convention is easy to figure out for these AD groups:  Centrify-NameofZone-Type of Group-Description.

$crweb = New-CdmComputerRole -Zone $zone -Name "Web Servers"  -Group $crgroup1
$crdb = New-CdmComputerRole -Zone $zone -Name "Database Servers" -Group $crgroup2

At this point there's an empty zone, with a basic security access and privilege model.

UNIX-Enabling Users

To access a UNIX/Linux system, users need to have a UNIX identity in the Centrify Zone in AD;  this is quite simple using PowerShell.  In addition, they must have a role as well.

New-CdmUserProfile -Zone $zone –User marge.simpson@example.com -login marge.simpson -UseAutoUid -AutoPrivateGroup –HomeDir "%{home}/%{user}" –Gecos "%{u:displayName}" –Shell "%{shell}"

New-CdmUserProfile -Zone $zone –User bart.simpson@example.com -login bart -UseAutoUid -AutoPrivateGroup –HomeDir "%{home}/%{user}" –Gecos "%{u:displayName}" –Shell "%{shell}"

New-CdmUserProfile -Zone $zone –User maggie.simpson@example.com –login maggie.simpson -UseAutoUid -AutoPrivateGroup –HomeDir "%{home}/%{user}" –Gecos "%{u:displayName}" –Shell "%{shell}"

New-CdmUserProfile -Zone $zone –User homer.simpson@example.com–login homer -UseAutoUid -AutoPrivateGroup –HomeDir "%{home}/%{user}" –Gecos "%{u:displayName}" –Shell "%{shell}"

Since this is a clean environment, I'm using very few overrides and all UID/GID info is generated based on the user's SID.  

Granting access and Assigning Roles

A permanent assignment at the zone level

$role1 = Get-CdmRole -Zone $zone -Name "UNIX SysAdmin"  
New-CdmRoleAssignment -Zone $zone -Role $role1 -ADTrustee marge.simpson@example.com

As discussed in previous postings, these are rare and only assigned to senior trusted admins

A permanent assignment at the computer role level (WebServers)

$role2 = Get-CdmRole -Zone $zone -Name "Mixed Auditor" 
$crweb = Get-CdmComputerRole -Zone $zone -Name "Web Servers" 

New-CdmRoleAssignment -ComputerRole $crweb  -Role $role2 -ADTrustee bart.simpson@example.com

Note that this is a mixed role.  If the computer role has IIS and Apache servers, this auditor can review both the event log and the secure log.

A time-bound role assignment (perhaps a change control Window or a break-glass scenario) to an individual system

$role3 = Get-CdmRole -Zone $zone -Name "UNIX login"  
$comp = Get-CdmManagedComputer -Zone $zone -Name "your-zone-enabled-system" 
New-CdmRoleAssignment -Computer $comp -Role $role3 -ADTrustee homer.simpson@example.com -StartTime (Get-Date) -EndTime (Get-Date).AddMinutes(60)

In this example, Homer is getting the ability to log in to this system for an hour.  

Video