
DESCRIPTION

This session will discuss the implementation tasks needed to deploy Novell Privileged User Manager. It will particularly emphasize considerations for determining requirements for the initial phase and a roadmap for subsequent phases. We will also share tips on design and approaches for implementing Privileged User Manager based on implementations from Novell Services. We will discuss specifics of Privileged User Manager implementation in a service provider environment. The session will include technical details of integration with Novell Identity Manager and Novell Sentinel. These products will help you create a full solution for managing the lifecycle of privileged users, providing accountability to meet compliance requirements, and practicing solid corporate IT governance.


Creating a Full Privileged User Solution with Novell® Privileged User Manager, Novell® Identity Manager and Novell Sentinel™

Warren Alkire
Senior Technology Specialist
Novell, Inc. / warren.alkire@novell.com

© Novell, Inc. All rights reserved.

Agenda

• Session Focus
• Novell® Privileged User Manager Implementation Steps
  – Scope
  – Requirements Assessment
  – Design
  – Develop/Build
  – Testing
  – Training
  – Deployment

• Integration with Novell® Identity Manager

• Integration with Novell Sentinel™


Session Focus

• Primary steps to successfully implement Novell® Privileged User Manager
• Not training on Novell Privileged User Manager
• Share implementation tips and strategies
• Adding Novell Identity Manager for a full privileged user life cycle solution
• Integration with Novell Sentinel™

• Context is privileged user management implementation – phase 1


Architecture Review

[Figure: architecture diagram showing Agent Manager, Agent, Rules, Event Log and I/O Log, with numbered flow steps 1–6 between the Run Host and the Summit Host]


Compliance Audit Review

Each event record is color-coded according to the highest rated command risk.

• User activity – validate and secure user session
• Add audit group and risk rating
• Session event and keystroke log
• Automated rules pull events into Compliance Auditor database according to pre-defined risk filters
• Manager notified by e-mail each night of events waiting to be authorized
• Manager logs into Compliance Auditor and authorizes events

[Figure: flow diagram (steps 1–5) through Command Control, Rules, Audit Log, Compliance Auditor and Manager]

Novell® Privileged User Manager Implementation Steps – Scope and Time Line


Scope

Approach for phase 1
– Just audit
  > Authorize crush shell from sample commands and set as default
  > May need to authorize switch to root or other privileged accounts
– Audit and analyze
  > Above plus reporting – use for future privilege segregation
– Reduce sudoers file maintenance – one place
  > Likely require identity management integration
– Segregate privileges
  > Requires grouping/role definition of privileged users
– Full scale implementation
  > Usually not phase 1


Scope

Phase 1 considerations
– Environments to manage
  > Number of systems to manage
  > Number of different platforms (operating systems)
– Initial target systems
  > Non-production systems may be initial target
– Initial user population
  > Limited administrators – such as print queue creators
  > Administrators implementing Privileged User Manager
– Phasing implementation
  > Roll out by groups of privileged users
  > Roll out by groups of managed platforms


Environment Approach

• Three Environments
  – Development, quality assurance/testing, production
  – Enables testing of roll-out procedures
  – Set-up for future solution expansion with minimal impact
  – May be driven by identity management co-project
• Two Environments
  – Development and production
  – Gives up testing of roll-out procedures
• Single Environment
  – Use built-in testing mechanisms
  – Extra caution doing future upgrades


How Long Will This Take?

• Obviously dependent on scope
• Sample implementation assumptions
  – No integration with identity management systems
  – Three environments – development, quality assurance/testing, production
  – All Unix/Linux computers patched to required level
  – All Unix/Linux computers standardized as much as possible – enables rapid deployment of Novell® Privileged User Manager
  – Use existing software distribution mechanism
  – No more than 5 command control rules required
  – No more than 2 compliance reports required


Sample Project Time Estimate

• Requirements and design phase – 2 weeks
  – These phases often combined for Novell® Privileged User Manager-only engagement
  – May not be critical path when combined with identity management implementation
• Develop/Build/Unit Test – 3 weeks
• User Acceptance/System Integration Testing – 2 weeks
  – Lengthened if part of identity management project
• Deployment to Production/Go live/Support – 2 weeks


Sample Project Team

• Novell® Privileged User Manager Specialist – 9 weeks
• Project Manager – 9 weeks for 8 hours per week
• Architect/Senior Specialist – 2 to 3 weeks
  – Provides additional experience to requirements and design
  – Design of Novell® Privileged User Manager server requirements
  – Design of managed hosts structure
  – Validation of design

Novell® Privileged User Manager Implementation Steps – Requirements



Requirements Assessment Tasks

• Determine Novell® Privileged User Manager administration – auditors and administrators
• Determine command control requirements
  – Based on approach determined in scope
  – May require grouping users into roles
• Determine auditing requirements
  – Audit logs fed to a syslog manager?
  – Report requirements
  – Audit rules
  – Access control within Novell Privileged User Manager
  – Archiving


Requirements Assessment Tasks (cont.)

• Determine account provisioning strategy for target systems
  – Manual or existing account provisioning process
  – Integration with identity management system providing account provisioning
• Determine host structure, data center, fail over requirements
  – Platform inventory
  – Platform location – data center structure
  – Command Control Manager requirements
  – Audit Manager requirements – auditing sent separately

Novell® Privileged User Manager Implementation Steps – Design


Design Tasks

• Design host structure


Host Structure Design Example – Bad Design

[Figure: host structure tree with a Non-Production Domain, a Data Center 1 Domain and a Production Domain; nodes shown are Framework Manager, Agent 1, Audit Manager 1, Command Control Manager 1, Command Control Manager 2, Command Control Manager 3 (future), Command Control Manager 4 (future), and an unassigned server marked “?”]


Design Tasks

• Design host structure
  – Previous example shows sample host design
  – Not a good design
    > Production domain is a child of non-production domain
    > Updates to parent domain propagate to child domains
    > Upgrade to non-production domain updates production domain immediately
    > No way to test upgrades in non-production environment prior to deployment
  – Better design
    > Make the “?” server a fail-over Command Control Manager
    > Make production and non-production domains peers


Design Tasks (cont.)

• Design host structure
• Design command control rules
• Design provisioning of access within Novell® Privileged User Manager
  – Novell Privileged User Manager administrators
  – Novell Privileged User Manager auditors
• Design compliance manager reports
• Solution design review

Novell® Privileged User Manager Implementation Steps – Develop/Build


Development/Build Tasks

• Install Framework Manager
• Create host structure
• Install Framework Agent on all servers managed by Novell® Privileged User Manager (by environment)
• Push packages
  – Audit Managers
  – Command Control Managers
  – Possibly some packages to all managed servers
• Build and test Command Control rules
• Set up SYSLOG if required


Development/Build Tasks (cont.)

• Set up audit rules
• Configure/develop audit reports
• Set up access control within Novell® Privileged User Manager
• Develop aliases or functions for managed systems
• Customer requirements checkpoint
• Unit test solution
  – Testing by the developer
  – Include positive and negative tests

Novell® Privileged User Manager Implementation Steps – Testing: User Acceptance and System Integration


System Integration Testing

• Required if Novell® Privileged User Manager is part of a larger project for privileged user management
• Test with identity management system
  – Test full user life cycle
  – Test privileged access managed by Novell Privileged User Manager is granted when privileged account is active
  – Test privileged access managed by Novell Privileged User Manager is revoked when privileged account is disabled/deleted


Deployment to Test Environment

• Prior to system integration or user acceptance testing – whichever done in Quality Assurance environment

• Software installation on Novell® Privileged User Manager servers and target systems

• Testing of any automated installation mechanisms – ZENworks®, scripts, jump boxes, Tivoli, etc.

• Migration of configuration from development environment

• Configuration of Mail (SMTP) server if used


User Acceptance/Go-Live Preparation

• User (customer) acceptance testing
  – Customer testing to ensure stated requirements met
  – Change management important here
• End user training
  – Part of testing for end users involved in project
  – Training for privileged users that will use the new solution
  – Communication!

Novell® Privileged User Manager Implementation Steps – Go-Live


Deployment to Production Tasks

• Software installation on Novell® Privileged User Manager servers and target systems
  – Novell Privileged User Manager servers (Command Control, Audit) – may use manual installation prior to go-live
  – Novell Privileged User Manager Agent on managed servers – use automated process tested prior to Quality Assurance testing
• End user communications
• Configuration migration from Quality Assurance Testing environment
• Configure production host structure
• Customer additional go-live tasks

Integration with Novell® Identity Manager


Novell® Identity Manager Integration

• Novell method to create a full privileged user solution
• Account provisioning if root accounts currently shared
• Novell Identity Manager tasks likely the critical path
• Novell Identity Manager driver options
  – Fan-out for Unix/Linux
  – Nx Settings driver
  – Unix/Linux bi-directional driver
• Fan-out and Nx Settings drivers most likely
  – Strength is managing large number of Unix/Linux systems
  – Few user account attributes to manage


Novell® Identity Manager Integration (cont.)

• Sample Novell® privileged user solution
  – Novell® Privileged User Manager
  – Novell Identity Manager/Roles Based Provisioning Module
    > Fan-Out driver
    > Nx Settings driver
    > eDirectory™ driver to Identity Vault
    > Scripting driver for Novell Privileged User Manager provisioning
  – Novell Sentinel™
• Non-privileged account usual starting point for Novell Privileged User Manager granted privileges
• Need account and access provisioning/management


Novell® Identity Manager Integration (cont.)

• Unprivileged account provisioning options
  – Provision to /etc/passwd and /etc/shadow
  – Fan-out PAM re-direction – requires solution for home directory
  – Other PAM (non-Novell) – requires solution for home directory
  – “Brand X” provisioning (non-Novell)
• Password synchronization often desirable
• Provisioning to Novell® Privileged User Manager
  – May facilitate Command Control Manager authorization for privileged access using user account groups
  – Done by scripting driver or fan-out driver scripts


Example Provisioning to Novell® Privileged User Manager


Testing

• Novell® Identity Manager and Novell® Privileged User Manager should be integration tested together

• Test full user life cycle
• Test privileged command authorization
• Ensure Novell Privileged User Manager does not allow privileged access when rights revoked – negative tests
• Test password synchronization

Integration with Novell® Identity Manager Account Group Provisioning


User Account Group Provisioning

• Method of adding/removing entries in a Privileged User Manager “Account Group”
• Interface actually designed for importing/exporting Command Control policies
• Best available interface for current product versions
• Implemented with scripts – scripting driver or fan-out driver scripts
• Not easy to create new groups – new group's key needed for later update
• Manipulate existing groups easily


User Account Group Provisioning (cont.)

• Command line tool to call CLI methods on certain modules
  – /opt/novell/npum/sbin/unifi
• Uses the XML used by Command Control to export and update policies
• Two authentication methods
  – Pass admin user and password with -u and -p
  – Use the -n option and native maps in the Framework User Manager to associate a native user on a Framework Manager computer with an admin user
• Following examples assume native maps option


User Account Group Provisioning (cont.)

• Export the Command Control policy
  – unifi -n cmdctrl export -c -f ccout.xml
• Exports the Command Control policy as XML
• Look for UserGroup entity and get key value
• Following example has a key value of “2214”


User Account Group Provisioning (cont.)

    <UserGroup name="Entitlement" I.disabled="0" I.id="2214">
        <UserGroup name="Entitlement" I.key="2214">
            <Disabled b.value="0"/>
            <Description value=""/>
            <MgrName value=""/>
            <MgrTel value=""/>
            <MgrEmail value=""/>
            <UserList>
                <a.User value="admin1@host1:root,newgrp"/>
            </UserList>
        </UserGroup>
    </UserGroup>


User Account Group Provisioning (cont.)

• Create a file that contains XML similar to the following

    <UserGroup I.key="2214">
        <UserList>
            <a.User value="admin2@host1:root" action="add"/>
        </UserList>
    </UserGroup>

• Pass above XML into Command Control import function to load updates to the policy referenced by the key

  – unifi -n cmdctrl import -f ccin.xml
• File named ccin.xml for this example


User Account Group Provisioning (cont.)

• Use action='del' to remove an entry

    <UserGroup I.key="2214">
        <UserList>
            <a.User value="admin2@host1:root" action="del"/>
        </UserList>
    </UserGroup>


User Account Group Provisioning (cont.)

• Use action='set' to set the entire list

    <UserGroup I.key="2214">
        <UserList action="set">
            <a.User value="admin1@host1:root"/>
            <a.User value="admin2@host1:root"/>
            <a.User value="admin3@host1:root"/>
        </UserList>
    </UserGroup>
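The slides describe the provisioning script only in outline (export the policy, find the UserGroup key, import an add/del/set fragment). The following Python is an added example of what such a scripting-driver or fan-out driver script could look like; it is not Novell's code and not part of the original deck. The unifi path, the -n native-map option and the cmdctrl export/import flags are taken verbatim from the slides. Everything else is an assumption of this example: the sample export is constructed to mirror the UserGroup fragment shown above, and its enclosing Export root element is invented because the slides do not show what wraps the UserGroup in a real ccout.xml. The membership check at the end is the piece a negative test from the Testing slide would call after an Identity Manager revocation, to confirm the entry is really gone before trusting Command Control to deny the command.

```python
"""Account-group provisioning helper for Novell Privileged User Manager.

Added example, not Novell's code. The unifi path and the cmdctrl
export/import syntax come from the slides; the <Export> root element of
SAMPLE_EXPORT and every function name here are assumptions of this example.
"""
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

# Path as given on the slides.
UNIFI = "/opt/novell/npum/sbin/unifi"

# Constructed sample export mirroring the UserGroup fragment on the slides.
# The enclosing <Export> element is an assumption: the slides show only the
# UserGroup, not what wraps it in a real ccout.xml.
SAMPLE_EXPORT = """<Export>
  <UserGroup name="Entitlement" I.disabled="0" I.id="2214">
    <UserGroup name="Entitlement" I.key="2214">
      <Disabled b.value="0"/>
      <Description value=""/>
      <UserList>
        <a.User value="admin1@host1:root,newgrp"/>
      </UserList>
    </UserGroup>
  </UserGroup>
</Export>"""


def find_group_key(export_xml: str, group_name: str) -> Optional[str]:
    """Return the I.key of the named UserGroup, or None if it does not exist.

    Only the inner UserGroup carries I.key (the outer one has I.id), and the
    key is what the import XML must reference, so that is what is returned.
    """
    for group in ET.fromstring(export_xml).iter("UserGroup"):
        if group.get("name") == group_name and group.get("I.key"):
            return group.get("I.key")
    return None


def group_members(export_xml: str, key: str) -> List[str]:
    """Return the a.User values (user@host:account[,group]) under a key."""
    for group in ET.fromstring(export_xml).iter("UserGroup"):
        if group.get("I.key") == key:
            return [u.get("value", "") for u in group.iter("a.User")]
    return []


def is_member(export_xml: str, key: str, entry: str) -> bool:
    """Membership check for positive/negative tests after a provisioning run."""
    return entry in group_members(export_xml, key)


def build_update_xml(key: str, entries: List[str], action: str) -> str:
    """Build the import fragment: add/del go on each a.User, set on UserList."""
    if action not in ("add", "del", "set"):
        raise ValueError("action must be add, del or set")
    group = ET.Element("UserGroup", {"I.key": key})
    user_list = ET.SubElement(group, "UserList")
    if action == "set":
        # 'set' replaces the whole list, so the attribute belongs on UserList.
        user_list.set("action", "set")
    for entry in entries:
        attrs = {"value": entry}
        if action != "set":
            attrs["action"] = action
        ET.SubElement(user_list, "a.User", attrs)
    return ET.tostring(group, encoding="unicode")


def unifi_argv(operation: str, path: str) -> List[str]:
    """argv for the two unifi invocations on the slides (native-map auth, -n)."""
    if operation == "export":
        return [UNIFI, "-n", "cmdctrl", "export", "-c", "-f", path]
    if operation == "import":
        return [UNIFI, "-n", "cmdctrl", "import", "-f", path]
    raise ValueError("operation must be export or import")


def provision(export_xml: str, group_name: str, entry: str, action: str,
              import_path: str = "ccin.xml") -> Tuple[str, List[str]]:
    """Resolve the group key from a fresh export; return (import XML, argv).

    The caller writes the XML to import_path and runs argv. A missing group
    is an error rather than an attempt to create one, since the slides note
    that a new group's key is needed and this interface does not supply it.
    """
    key = find_group_key(export_xml, group_name)
    if key is None:
        raise LookupError(f"UserGroup {group_name!r} not found; create it first")
    return build_update_xml(key, [entry], action), unifi_argv("import", import_path)


if __name__ == "__main__":
    xml_text, argv = provision(SAMPLE_EXPORT, "Entitlement", "admin2@host1:root", "add")
    print(xml_text)
    print(" ".join(argv))
```

Re-exporting before every update (rather than caching the key) is deliberate: the key is the only link between the identity system's view and the policy, and an administrator deleting and recreating a group in the console would otherwise leave the script importing into a stale or wrong key.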


User Account Group Provisioning (cont.)

• Example of using Novell® Identity Manager to provide authorization within Novell® Privileged User Manager

• Places entry in the Novell Privileged User Manager User Account Groups

• Conditional script checks for entry to authorize execution of privileged commands

• Scripts run on the Novell Privileged User Manager server running the master Command Control Manager

Integration with Novell® Sentinel™


Integration with Novell® Sentinel™

• Novell® Privileged User Manager audit options
  – Built in logging and compliance reporting
  – SYSLOG emitter
  – Novell Sentinel

• Novell Sentinel provides auditing of Novell® Identity Manager and Novell Privileged User Manager together

• Correlations can be developed


Integration with Novell® Sentinel™ (cont.)

• Home > Reporting > Syslog Settings
• Set DNS name or IP address of Novell Sentinel Server
• Default Novell Sentinel port is 1468
  – Default syslog port is 514
• Do not change the format strings – ${}$
  – Novell Sentinel instrumented for the full Novell Privileged User Manager strings

• Standard events shown in following slide


Novell® Sentinel™ Configuration

Questions and Answers

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
