Friday, December 29, 2017

Centrify 2017.3 - Container Linux by CoreOS is now supported

In this article, we'll discuss Centrify's support for Container Linux by CoreOS introduced with 2017.3 (5.4.3).  This is based on an article I wrote for the Centrify Community.

About Container Linux by CoreOS
"Container Linux by CoreOS (formerly CoreOS Linux) is an open-source lightweight operating system based on the Linux kernel and designed for providing infrastructure to clustered deployments, while focusing on automation, ease of application deployment, security, reliability and scalability. As an operating system, Container Linux provides only the minimal functionality required for deploying applications inside software containers, together with built-in mechanisms for service discovery and configuration sharing." - Source: Wikipedia.

Engineering Challenges
We had to overcome some challenges based on how Container Linux is architected.
  • No package manager (required to deploy our solutions).
  • Read-only /usr filesystem (Centrify usually installs under /usr/share/centrifydc and audit under /usr/share/centrifyda).
  • No Perl (required by group policy and other utilities).
  • Kernel not compiled with auditd support (required for file/monitoring).
Needless to say, our Engineering team was up to the task and was able to provide a solution that enabled our capabilities and maintained the ease-of-use that is common with Centrify solutions.

Solution
  • Centrify provides an installation tarball with the 2017.3 agent bundle that includes Access and Audit components.
  • A special version of the install.sh utility will allow for interactive or automatic installations.
  • Centrify software is installed in the /opt/centrify folder.
  • Limitations:  Express mode, deployment manager installation and monitoring service are not available.
Features
Host-Based Security
  • Increased accountability - Container Linux users can sign-in with their Active Directory account.  We provide identity assurance with Multi-Factor Authentication.
    In AWS deployments, organizations don't need to rely on the shared SSH Key-based credential called "core"
  • Centralized administration - Organizations don't have to duplicate effort and continue to leverage Active Directory as the directory of record.  No modifications required.
  • Identity Management - Leverage Centrify zones to maintain a consistent UNIX namespace.
    You can leverage AD groups to control the memberships in the docker secondary UNIX group.
  • Role-based Access Control - Use Centrify zones to control who can access a system, and what commands can be run with privilege.  For example:
    • You can create a role that defines who can elevate to root or the core accounts.
    • You can use Active Directory group membership to define who is a member of the docker(233) secondary group.
    • You can define very granular docker commands that can be granted to minimize risk or enforce separation of duties.
  • Attestation and Security Operations -  Leverage Centrify Reports to facilitate attestation and Centrify Audit Trail to enrich security operations.
  • Advanced Auditing -  Enjoy audit trail events as well as session capture and replay. 
  • Extend host-based security to Linux Containers (LXC) - Centrify "bridges" capabilities to Linux Containers to enjoy the same level of accountability at the container level.
Vault-Based Security 
  • Shared Account Password Management - if you need to use shared credentials, use the Centrify Privilege Service vault and enjoy the deployment flexibility and traditional password-related controls.
  • Secure Access -  privilege Service connector infrastructure allows for Web, Native or SSH jumpbox client access regardless of on-premises or IaaS deployments. 
  • Session Proctoring, termination and recording - Enjoy the benefits of session control as well as auditing without the need to add local capabilities.

Videos - Centrify + Container Linux in action

What's different in Container Linux

Host-based  Access Control, Identity Assurance and Role-Based Privilege Management
 
Vault-based Access Control, Shared Accounts and Secure Access

Using Role-based Access Control to manage and establish accountability for Docker operations


Centrify and Linux Containers (LXC)


No comments:

Post a Comment