How to check out passwords from the CLI using Centrify Infrastructure ServicesAs
part of the security toolbox, we must deal with shared credentials,
more specifically passwords. Many of you know how Infrastructure
Services can secure credentials, however, a lot of work is going on to enhance the
DevOps or automation use cases. In this article we'll discover the options available to retrieve passwords from the
CLI and we'll focus on using it as a way for programs or scripts to retrieve them.
Using shared passwords in CLI scenarios while maintaining assurance
Passwords have been hard to get rid of, unfortunately, even with old technologies like
Kerberos and
PKI we must accommodate
for the need to securely retrieve credentials. However, at the same
time we need to maintain assurance and enforce principles like:
- Try to eliminate passwords
- Limit lateral movement
- Just in time/just enough access/privileges
- Identity Assurance
- Monitoring and Auditing
- Policy enforcement, etc
The maturity model illustrates this best:
Eliminate Passwords
Centrify eliminates passwords in this use case by relying on
PKI credentials; the process happens during enrollment when a system is
onboarded by an authorized party. The enrollment process looks like this:
Each system is represented by a service account in
Centrify Infrastructure Service. Please note that in order to modify the
PKI
settings on a system, you must have administrative rights (you you
require privileged access on the client side), plus you must have either
an enrollment code or a user credential of a user that can enroll a
system.
In Linux, this is implemented with the
cenroll command. If ther's a manual enrollment, we also ask for MFA based on
authentication profiles like here:
sudo cenroll --tenant vault.centrify.vms --user admin@opie.demo
--verbose --features all --agentauth identity-broker-users
--name centos7 --address centos7.centrify.vms
If
an Enrollment code is available, you can use it (the most common way of
doing this, especially for automation), here's how it looks on Windows,
with a code:
Enroll-CIPSystem -EnrollCode "THISIS-YADA-YADA-CODE-682DBEF6CA78"
-FQDN 'member.centrify.vms' -ResourceName 'member-vault'
-Endpoint 'https://vault.centrify.vms'
Access Control, Entitlements and VisibilityCentrify
relies heavily on role-based access, but this is an interesting use
case because it's highly-related to automation. In this scenario, most
likely a system will be built, and as part of the
on-boarding it will automatically enroll to the
Centrify platform.
Centrify includes a built-in group called:
Centrify Agent Computers; by default, this group has visibility to systems, domains and databases.
As a best practice, don't overload the
Centrify Agent Computers built-in group. Just use it for visibility purposes. Create sets and other roles, and leverage those instead.
Permissions
For accounts, there are several entitlements
This means that you need View+Check out at the account level to check out a password. This is a mechanism for least access and limiting lateral movement.
Policy Enforcement and Monitoring
The most common password checkout policies (like
multi-checkout or lifetime) are geared towards interactive use, but for machine communications,
Centrify offers the ability to override the checkout lifetime settings at the account level.
A great policy that can be implemented is the use of internal/external,
datetime or even Risk. This can be applied at the account level.
Monitoring
Because
a compromised system, although with limited access is still a potential
"stakeout" point, monitoring service account checkouts outside the
applicable time or at a rate that is out of the blue, the monitoring and
alerting
capabilites of
CIP provide several tools like: Dashboards, Reports or the ability to send events to a security operations or
SIEM tool.
Deployment Utilities
- Enrollment codes: allow Centrify
clients to enroll the platform automatically. The benefit of codes is
that you can add restrictions (like how many times or from which
networks they can be used) or organizational options like sets or RBAC.
- Sets: Sets are collections of objects in CPS; they allow for dynamic or static membership as well as controlling permissions.
- Packages: The CLI toolkits are delivered as part of the Centrify clients for Linux or Windows.
Implementations
The
Centrify Agent for Linux, leverages the
cgetaccount command (checking out the
opieadmin local account password from as system called
engcen6 for 5 minutes).
Here's
more info about cgetaccount.
Here's how it looks in
PowerShell (checking out the
sa SQL server account from the database enterprise for 2 minutes)
Note
that these examples are interactive checkouts. Ideally, a script or
program would call this command to retrieve the password string and use
it or assign it to a variable. Notice that you can specify the checkout
lifetime.
Futures
This is an area of a lot of interest for
Centrify. Stay tuned.
