About Container Linux by CoreOS
Engineering Challenges
We had to overcome some challenges based on how Container Linux is architected.
- No package manager (required to deploy our solutions).
- Read-only /usr filesystem (Centrify usually installs under /usr/share/centrifydc and audit under /usr/share/centrifyda).
- No Perl (required by group policy and other utilities).
- Kernel not compiled with auditd support (required for file monitoring).
Solution
- Centrify provides an installation tarball with the 2017.3 agent bundle that includes Access and Audit components.
- A special version of the install.sh utility allows for interactive or automatic installations.
- Centrify software is installed in the /opt/centrify folder.
- Limitations: Express mode, deployment manager installation and monitoring service are not available.
Host-Based Security
- Increased accountability - Container Linux users can sign in with their Active Directory account. We provide identity assurance with Multi-Factor Authentication. In AWS deployments, organizations don't need to rely on the shared SSH key-based credential called "core".
- Centralized administration - Organizations don't have to duplicate effort and can continue to leverage Active Directory as the directory of record. No modifications required.
- Identity Management - Leverage Centrify zones to maintain a consistent UNIX namespace. You can leverage AD groups to control the memberships in the docker secondary UNIX group.
- Role-based Access Control - Use Centrify zones to control who can access a system, and what commands can be run with privilege. For example:
- You can create a role that defines who can elevate to root or the core accounts.
- You can use Active Directory group membership to define who is a member of the docker(233) secondary group.
- You can define very granular docker commands that can be granted to minimize risk or enforce separation of duties.
- Attestation and Security Operations - Leverage Centrify Reports to facilitate attestation and Centrify Audit Trail to enrich security operations.
- Advanced Auditing - Enjoy audit trail events as well as session capture and replay.
- Extend host-based security to Linux Containers (LXC) - Centrify "bridges" capabilities to Linux Containers to enjoy the same level of accountability at the container level.
- Shared Account Password Management - if you need to use shared credentials, use the Centrify Privilege Service vault and enjoy the deployment flexibility and traditional password-related controls.
- Secure Access - Privilege Service connector infrastructure allows for Web, Native or SSH jumpbox client access regardless of on-premises or IaaS deployments.
- Session Proctoring, termination and recording - Enjoy the benefits of session control as well as auditing without the need to add local capabilities.
Videos - Centrify + Container Linux in action
- What's different in Container Linux
- Host-based Access Control, Identity Assurance and Role-Based Privilege Management
- Vault-based Access Control, Shared Accounts and Secure Access
- Using Role-based Access Control to manage and establish accountability for Docker operations
- Centrify and Linux Containers (LXC)