Creating a Full Privileged User Solution with Novell® Privileged User Manager, Novell® Identity Manager and Novell Sentinel

Warren Alkire, Senior Technology Specialist, Novell, Inc. / [email protected]

description

This session will discuss the implementation tasks needed to deploy Novell Privileged User Manager. It will particularly emphasize considerations for determining requirements for the initial phase and a roadmap for subsequent phases. We will also share tips on design and approaches for implementing Privileged User Manager based on implementations from Novell Services. We will discuss specifics of Privileged User Manager implementation in a service provider environment. The session will include technical details of integration with Novell Identity Manager and Novell Sentinel. These products will help you create a full solution for managing the lifecycle of privileged users, providing accountability to meet compliance requirements, and practicing solid corporate IT governance.

Transcript of Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity...

Page 1: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Creating a Full Privileged User Solution with Novell® Privileged User Manager, Novell® Identity Manager and Novell Sentinel™

Warren Alkire, Senior Technology Specialist, Novell, Inc. / [email protected]

Page 2: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

© Novell, Inc. All rights reserved.

Agenda

Session Focus
• Novell® Privileged User Manager Implementation Steps
  – Scope
  – Requirements Assessment
  – Design
  – Develop/Build
  – Testing
  – Training
  – Deployment
• Integration with Novell® Identity Manager
• Integration with Novell Sentinel™

Page 3: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Session Focus

• Primary steps to successfully implement Novell® Privileged User Manager
• Not training on Novell Privileged User Manager
• Share implementation tips and strategies
• Adding Novell Identity Manager for a full privileged user life cycle solution
• Integration with Novell Sentinel™
• Context is privileged user management implementation – phase 1

Page 4: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Architecture Review

[Architecture diagram, not recoverable as text from the transcript: components labelled Agent Manager, Agent, Rules, Event Log, I/O Log, Run Host and Summit Host, connected by numbered steps 1 to 6.]

Page 5: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Compliance Audit Review

[Diagram with numbered steps 1 to 5 through Command Control, Rules, Audit Log, Compliance Auditor and Manager; the step labels are listed below.]

• User activity: validate and secure user session
• Add audit group and risk rating
• Session event and keystroke log
• Automated rules pull events into the Compliance Auditor database according to pre-defined risk filters
• Manager notified by e-mail each night of events waiting to be authorized
• Manager logs into Compliance Auditor and authorizes events

Each event record is color-coded according to the highest rated command risk.

Page 6: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Novell® Privileged User Manager Implementation Steps – Scope and Time Line

Page 7: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Scope

• Approach for phase 1
  – Just audit
    > Authorize crush shell from sample commands and set as default
    > May need to authorize switch to root or other privileged accounts
  – Audit and analyze
    > Above plus reporting – use for future privilege segregation
  – Reduce sudoers file maintenance – one place
    > Likely require identity management integration
  – Segregate privileges
    > Requires grouping/role definition of privileged users
  – Full scale implementation
    > Usually not phase 1

Page 8: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Scope

• Phase 1 considerations
  – Environments to manage
    > Number of systems to manage
    > Number of different platforms (operating systems)
  – Initial target systems
    > Non-production systems may be initial target
  – Initial user population
    > Limited administrators – such as print queue creators
    > Administrators implementing Privileged User Manager
  – Phasing implementation
    > Roll out by groups of privileged users
    > Roll out by groups of managed platforms

Page 9: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Environment Approach

• Three Environments
  – Development, quality assurance/testing, production
  – Enables testing of roll-out procedures
  – Set-up for future solution expansion with minimal impact
  – May be driven by identity management co-project
• Two Environments
  – Development and production
  – Gives up testing of roll-out procedures
• Single Environment
  – Use built-in testing mechanisms
  – Extra caution doing future upgrades

Page 10: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


How Long Will This Take?

• Obviously dependent on scope
• Sample implementation assumptions
  – No integration with identity management systems
  – Three environments – development, quality assurance/testing, production
  – All Unix/Linux computers patched to required level
  – All Unix/Linux computers standardized as much as possible – enables rapid deployment of Novell® Privileged User Manager
  – Use existing software distribution mechanism
  – No more than 5 command control rules required
  – No more than 2 compliance reports required

Page 11: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Sample Project Time Estimate

• Requirements and design phase – 2 weeks
  – These phases often combined for Novell® Privileged User Manager-only engagement
  – May not be critical path when combined with identity management implementation
• Develop/Build/Unit Test – 3 weeks
• User Acceptance/System Integration Testing – 2 weeks
  – Lengthened if part of identity management project
• Deployment to Production/Go live/Support – 2 weeks

Page 12: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Sample Project Team

• Novell® Privileged User Manager Specialist – 9 weeks
• Project Manager – 9 weeks for 8 hours per week
• Architect/Senior Specialist – 2 to 3 weeks
  – Provides additional experience to requirements and design
  – Design of Novell® Privileged User Manager server requirements
  – Design of managed hosts structure
  – Validation of design

Page 13: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Novell® Privileged User Manager Implementation Steps – Requirements

Page 14: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Requirements Assessment Tasks

• Determine Novell® Privileged User Manager administration – auditors and administrators
• Determine command control requirements
  – Based on approach determined in scope
  – May require grouping users into roles


• Determine auditing requirements
  – Audit logs fed to a syslog manager?
  – Report requirements
  – Audit rules
  – Access control within Novell Privileged User Manager
  – Archiving


Page 18: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Requirements Assessment Tasks (cont.)

• Determine account provisioning strategy for target systems
  – Manual or existing account provisioning process
  – Integration with identity management system providing account provisioning
• Determine host structure, data center, fail over requirements
  – Platform inventory
  – Platform location – data center structure
  – Command Control Manager requirements
  – Audit Manager requirements – auditing sent separately

Page 19: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Novell® Privileged User Manager Implementation Steps – Design

Page 20: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Design Tasks

Design host structure

Page 21: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Host Structure Design Example – Bad Design

[Host structure diagram: a Non-Production Domain, a Data Center 1 Domain and a Production Domain (the production domain is drawn as a child of the non-production domain, as the next slide explains). Hosts shown: Framework Manager Agent 1, Audit Manager 1, Command Control Manager 1, Command Control Manager 2, Command Control Manager 3 (future), Command Control Manager 4 (future), and an unassigned server marked "?".]

Page 22: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Design Tasks

• Design host structure
  – Previous example shows sample host design
  – Not a good design
    > Production domain is a child of non-production domain
    > Updates to parent domain propagate to child domains
    > Upgrade to non-production domain updates production domain immediately
    > No way to test upgrades in non-production environment prior to deployment
  – Better design
    > Make the “?” server a fail-over Command Control Manager
    > Make production and non-production domains peers
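The parent-to-child propagation rule above is easy to check mechanically once the planned host structure is written down. The following Python is an added example, not Novell's code and not an NPUM API: it models the domain tree as a plain dict (constructed to mirror the "bad design" slide; which Command Control Manager sits in which domain is an assumption, since the slide only names them), flags any production domain that sits below a non-production domain, and flags a domain that hosts a single Command Control Manager with no fail-over.

```python
"""Design lint for a planned NPUM host structure (added example, not Novell's code)."""

# Constructed model of the "bad design" slide: Production hangs below
# Non-Production, so a package update pushed to Non-Production lands in
# Production untested. Manager placement per domain is assumed.
BAD_DESIGN = {
    "Non-Production Domain": {
        "parent": None, "production": False,
        "cc_managers": ["Command Control Manager 1"]},
    "Data Center 1 Domain": {
        "parent": "Non-Production Domain", "production": False,
        "cc_managers": ["Command Control Manager 2"]},
    "Production Domain": {
        "parent": "Non-Production Domain", "production": True,
        "cc_managers": ["Command Control Manager 3 (future)",
                        "Command Control Manager 4 (future)"]},
}

# The "better design" from the slide: the two domains are peers and the
# unassigned "?" server becomes a fail-over Command Control Manager.
# Where Data Center 1 ends up is an assumption (placed under Production).
BETTER_DESIGN = {
    "Non-Production Domain": {
        "parent": None, "production": False,
        "cc_managers": ["Command Control Manager 1",
                        "Command Control Manager 2"]},
    "Production Domain": {
        "parent": None, "production": True,
        "cc_managers": ["Command Control Manager 3 (future)",
                        "? server (fail-over)"]},
    "Data Center 1 Domain": {
        "parent": "Production Domain", "production": True,
        "cc_managers": []},   # empty: served by its parent's managers
}


def ancestors(domains, name):
    """Parent chain from `name` up to the root, nearest parent first."""
    chain, seen = [], set()
    parent = domains[name]["parent"]
    while parent is not None:
        if parent in seen:
            raise ValueError("cycle in domain tree at %s" % parent)
        seen.add(parent)
        chain.append(parent)
        parent = domains[parent]["parent"]
    return chain


def check_design(domains, min_cc_managers=2):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    for name, dom in domains.items():
        # Updates pushed to a parent domain propagate to every child, so
        # production must never sit below a non-production domain.
        if dom["production"]:
            for anc in ancestors(domains, name):
                if not domains[anc]["production"]:
                    findings.append(
                        "%s is a child of non-production domain %s: an "
                        "upgrade to %s updates production immediately"
                        % (name, anc, anc))
        # A domain that hosts managers but only one of them has no
        # fail-over (assumed rule, following the slide's "?" server advice).
        if 0 < len(dom["cc_managers"]) < min_cc_managers:
            findings.append(
                "%s has a single Command Control Manager and no fail-over"
                % name)
    return findings


if __name__ == "__main__":
    for label, design in (("bad", BAD_DESIGN), ("better", BETTER_DESIGN)):
        print(label, check_design(design) or ["no findings"])
```

Run it against the real inventory from the requirements phase before the Framework Manager host structure is created; the check is cheap, and fixing a mis-parented production domain after agents are deployed is not.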

Page 23: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Design Tasks (cont.)

• Design host structure
• Design command control rules
• Design provisioning of access within Novell® Privileged User Manager
  – Novell Privileged User Manager administrators
  – Novell Privileged User Manager auditors
• Design compliance manager reports
• Solution design review

Page 24: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Novell® Privileged User Manager Implementation Steps – Develop/Build

Page 25: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Development/Build Tasks

• Install Framework Manager
• Create host structure
• Install Framework Agent on all servers managed by Novell® Privileged User Manager (by environment)
• Push packages
  – Audit Managers
  – Command Control Managers
  – Possibly some packages to all managed servers
• Build and test Command Control rules
• Set up SYSLOG if required

Page 26: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Development/Build Tasks (cont.)

• Set up audit rules
• Configure/develop audit reports
• Set up access control within Novell® Privileged User Manager
• Develop aliases or functions for managed systems
• Customer requirements checkpoint
• Unit test solution
  – Testing by the developer
  – Include positive and negative tests

Page 27: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Novell® Privileged User Manager Implementation Steps – Testing: User Acceptance and System Integration

Page 28: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


System Integration Testing

• Required if Novell® Privileged User Manager part of larger project for privileged user management
• Test with identity management system
  – Test full user life cycle
  – Test privileged access managed by Novell Privileged User Manager granted when privileged account active
  – Test privileged access managed by Novell Privileged User Manager revoked when privileged account is disabled/deleted

Page 29: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Deployment to Test Environment

• Prior to system integration or user acceptance testing – whichever done in Quality Assurance environment

• Software installation on Novell® Privileged User Manager servers and target systems

• Testing of any automated installation mechanisms – ZENworks®, scripts, jump boxes, Tivoli, etc.

• Migration of configuration from development environment

• Configuration of Mail (SMTP) server if used

Page 30: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Acceptance/Go-Live Preparation

• User (customer) acceptance testing
  – Customer testing to ensure stated requirements met
  – Change management important here
• End user training
  – Part of testing for end users involved in project
  – Training for privileged users that will use the new solution
  – Communication!

Page 31: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Novell® Privileged User Manager Implementation Steps – Go-Live

Page 32: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Deployment to Production Tasks

• Software installation on Novell® Privileged User Manager servers and target systems
  – Novell Privileged User Manager servers (Command Control, Audit) – may use manual installation prior to go-live
  – Novell Privileged User Manager Agent on managed servers – use automated process tested prior to Quality Assurance testing
• End user communications
• Configuration migration from Quality Assurance Testing environment
• Configure production host structure
• Customer additional go-live tasks

Page 33: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Integration with Novell® Identity Manager

Page 34: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Novell® Identity Manager Integration

• Novell method to create a full privileged user solution
• Account provisioning if root accounts currently shared
• Novell Identity Manager tasks likely the critical path
• Novell Identity Manager driver options
  – Fan-out for Unix/Linux
  – Nx Settings driver
  – Unix/Linux bi-directional driver
• Fan-out and Nx Settings drivers most likely
  – Strength is managing large number of Unix/Linux systems
  – Few user account attributes to manage

Page 35: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Novell® Identity Manager Integration (cont.)

• Sample Novell® privileged user solution
  – Novell® Privileged User Manager
  – Novell Identity Manager/Roles Based Provisioning Module
    > Fan-Out driver
    > Nx Settings driver
    > eDirectory™ driver to Identity Vault
    > Scripting driver for Novell Privileged User Manager provisioning
  – Novell Sentinel™
• Non-privileged account usual starting point for Novell Privileged User Manager granted privileges
• Need account and access provisioning/management

Page 36: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Novell® Identity Manager Integration (cont.)

• Unprivileged account provisioning options
  – Provision to /etc/passwd and /etc/shadow
  – Fan-out PAM re-direction – requires solution for home directory
  – Other PAM (non-Novell) – requires solution for home directory
  – “Brand X” provisioning (non-Novell)
• Password synchronization often desirable
• Provisioning to Novell® Privileged User Manager
  – May facilitate Command Control Manager authorization for privileged access using user account groups
  – Done by scripting driver or fan-out driver scripts

Page 37: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Example Provisioning to Novell® Privileged User Manager

Page 38: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Testing

• Novell® Identity Manager and Novell® Privileged User Manager should be integration tested together
• Test full user life cycle
• Test privileged command authorization
• Ensure Novell Privileged User Manager does not allow privileged access when rights revoked – negative tests
• Test password synchronization

Page 39: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Integration with Novell® Identity Manager Account Group Provisioning

Page 40: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Account Group Provisioning

• Method of adding/removing entries in a Privileged User Manager “Account Group”
• Interface actually designed for importing/exporting Command Control policies
• Best available interface for current product versions
• Implemented with scripts – scripting driver or fan-out driver scripts
• Not easy to create new groups – new group's key needed for later update
• Manipulate existing groups easily

Page 41: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Account Group Provisioning (cont.)

• Command line tool to call CLI methods on certain modules
  – /opt/novell/npum/sbin/unifi
• Uses the XML used by Command Control to export and update policies
• Two authentication methods
  – Pass admin user and password with -u and -p
  – Use the -n option and native maps in the Framework User Manager to associate a native user on a Framework Manager computer with an admin user
• Following examples assume native maps option

Page 42: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Account Group Provisioning (cont.)

• Export the Command Control policy
  – unifi -n cmdctrl export -c -f ccout.xml
• Exports the Command Control policy as XML
• Look for UserGroup entity and get key value
• Following example has a key value of “2214”

Page 43: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Account Group Provisioning (cont.)

<UserGroup name="Entitlement" I.disabled="0" I.id="2214">
  <UserGroup name="Entitlement" I.key="2214">
    <Disabled b.value="0"/>
    <Description value=""/>
    <MgrName value=""/>
    <MgrTel value=""/>
    <MgrEmail value=""/>
    <UserList>
      <a.User value="admin1@host1:root,newgrp"/>
    </UserList>
  </UserGroup>
</UserGroup>

Page 44: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Account Group Provisioning (cont.)

• Create a file that contains XML similar to the following

<UserGroup I.key="2214">
  <UserList>
    <a.User value="admin2@host1:root" action="add"/>
  </UserList>
</UserGroup>

• Pass above XML into Command Control import function to load updates to the policy referenced by the key
  – unifi -n cmdctrl import -f ccin.xml
• File named ccin.xml for this example

Page 45: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Account Group Provisioning (cont.)

• Use action='del' to remove an entry

<UserGroup I.key="2214">
  <UserList>
    <a.User value="admin2@host1:root" action="del"/>
  </UserList>
</UserGroup>

Page 46: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Account Group Provisioning (cont.)

• Use action='set' to set the entire list

<UserGroup I.key="2214">
  <UserList action="set">
    <a.User value="admin1@host1:root"/>
    <a.User value="admin2@host1:root"/>
    <a.User value="admin3@host1:root"/>
  </UserList>
</UserGroup>

Page 47: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


User Account Group Provisioning (cont.)

• Example of using Novell® Identity Manager to provide authorization within Novell® Privileged User Manager

• Places entry in the Novell Privileged User Manager User Account Groups

• Conditional script checks for entry to authorize execution of privileged commands

• Scripts run on the Novell Privileged User Manager server running the master Command Control Manager
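The export / key lookup / import sequence on the preceding slides, and the conditional check a script performs before a privileged command is authorized, can be driven from one small helper. The following Python is an added example, not Novell's code and not part of the NPUM product: it parses a constructed copy of the exported UserGroup XML, finds the group key by name, generates the add/del/set import XML, builds the unifi argument vectors shown on the slides (using the -n native-maps option, so no admin password is embedded in the script), and checks after a re-export that a revoked identity is really gone, which is the negative test the testing slides call for. The entry format user@host:account[,group...] is inferred from the slide sample, and the export is assumed to hold only the UserGroup element shown; a real export contains the rest of the policy.

```python
"""NPUM account-group provisioning helper (added example, not Novell's code)."""
import re
import xml.etree.ElementTree as ET

UNIFI = "/opt/novell/npum/sbin/unifi"       # CLI path given on the slide

# user@host:account, optionally followed by ",group" entries, as in the
# slide sample "admin1@host1:root,newgrp" (format inferred from that sample).
ENTRY_RE = re.compile(r"^[\w.-]+@[\w.-]+:[\w.-]+(,[\w.-]+)*$")

# Constructed sample of a 'unifi -n cmdctrl export -c' result, copying the
# slide's UserGroup layout with one extra member added for the demo.
SAMPLE_EXPORT = """\
<UserGroup name="Entitlement" I.disabled="0" I.id="2214">
  <UserGroup name="Entitlement" I.key="2214">
    <Disabled b.value="0"/>
    <Description value=""/>
    <UserList>
      <a.User value="admin1@host1:root,newgrp"/>
      <a.User value="admin2@host1:root"/>
    </UserList>
  </UserGroup>
</UserGroup>
"""


def _parse(export_xml):
    # An export may hold several top-level elements; wrap it in a synthetic
    # root so ElementTree accepts it.
    return ET.fromstring("<export>" + export_xml + "</export>")


def find_group_key(export_xml, name):
    """Return the I.key of the UserGroup called `name`, or None.

    Only the inner element carries I.key; that is the value later imports
    must reference (the slides note a new group's key is needed for updates).
    """
    for group in _parse(export_xml).iter("UserGroup"):
        if group.get("name") == name and group.get("I.key"):
            return group.get("I.key")
    return None


def group_members(export_xml, key):
    """List the a.User values of the UserGroup whose I.key equals `key`."""
    for group in _parse(export_xml).iter("UserGroup"):
        if group.get("I.key") == key:
            return [u.get("value") for u in group.iter("a.User")]
    raise KeyError("no UserGroup with I.key=%s" % key)


def build_update(key, action, entries):
    """Build the import XML for an add/del/set change to one group."""
    if action not in ("add", "del", "set"):
        raise ValueError("action must be add, del or set")
    bad = [e for e in entries if not ENTRY_RE.match(e)]
    if bad:
        raise ValueError("malformed entries: %s" % bad)
    group = ET.Element("UserGroup", {"I.key": key})
    ulist = ET.SubElement(group, "UserList")
    if action == "set":                     # whole list replaced at once
        ulist.set("action", "set")
        for e in entries:
            ET.SubElement(ulist, "a.User", {"value": e})
    else:                                   # per-entry add or del
        for e in entries:
            ET.SubElement(ulist, "a.User", {"value": e, "action": action})
    return ET.tostring(group, encoding="unicode")


def unifi_command(operation, filename):
    """Argument vector for the export/import calls shown on the slides."""
    argv = [UNIFI, "-n", "cmdctrl", operation]
    if operation == "export":
        argv.append("-c")
    elif operation != "import":
        raise ValueError("operation must be export or import")
    return argv + ["-f", filename]


def is_member(export_xml, key, entry):
    """True if `entry` (user@host:account) is still in the group.

    Negative test after a del: the revoked identity must be absent, also as
    the leading part of an entry that carries extra ",group" suffixes.
    """
    for value in group_members(export_xml, key):
        if value == entry or value.startswith(entry + ","):
            return True
    return False


def make_revocation(export_xml, group_name, entry):
    """Key lookup plus del XML: what an IDM script produces when a
    privileged account is disabled or deleted."""
    key = find_group_key(export_xml, group_name)
    if key is None:
        raise KeyError("group %s not found in export" % group_name)
    return key, build_update(key, "del", [entry])


if __name__ == "__main__":
    print(" ".join(unifi_command("export", "ccout.xml")))
    key, xml = make_revocation(SAMPLE_EXPORT, "Entitlement", "admin2@host1:root")
    print(key, xml)
    print(" ".join(unifi_command("import", "ccin.xml")))
```

A driver script would write the returned XML to ccin.xml, run the import argument vector, re-export, and fail the job if is_member() still reports the revoked identity; that closing check is what turns the slide's "negative test" into something the integration test can assert on rather than eyeball.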

Page 48: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Integration with Novell® Sentinel™

Page 49: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Integration with Novell® Sentinel™

• Novell® Privileged User Manager audit options
  – Built in logging and compliance reporting
  – SYSLOG emitter
  – Novell Sentinel
• Novell Sentinel provides auditing of Novell® Identity Manager and Novell Privileged User Manager together
• Correlations can be developed

Page 50: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Integration with Novell® Sentinel™ (cont.)

• Home > Reporting > Syslog Settings
• Set DNS name or IP address of Novell Sentinel Server
• Default Novell Sentinel port is 1468
  – Default syslog port is 514
• Do not change the format strings – ${}$
  – Novell Sentinel instrumented for the full Novell Privileged User Manager strings
• Standard events shown in following slide

Page 51: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel


Novell® Sentinel™ Configuration

Page 52: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Questions and Answers

Page 53: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel
Page 54: Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer. This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.