1. Intro to Novell® Privileged User Manager and Securing Novell Open Enterprise Server 2
Brett A. Berger, Global Technical Support, Novell, Inc / bberger@novell.com
Aaron Burgemeister, Global Technical Support, Novell, Inc / ab@novell.com
2. Novell Privileged User Manager®
• Introduction to Novell Privileged User Manager
– Business Challenges
– Novell Privileged User Manager solutions
• The Framework
– Framework Components
– Framework Deployment
• Command Control
– Configuration - Rules
– Configuration - Commands
– Configuration - Scripts
2 © Novell, Inc. All rights reserved.
3. Novell Privileged User Manager® (cont.)
• Audit, Compliance, and Reporting
– Overview
• Demo
– Agent installation and registration
– Patching Agents and Managers
– Using NPUM to secure OES2
> eDirectory ™
> Novell-tomcat
> etc.
• Questions and Answers
5. The IT Landscape is Changing
The risks and challenges of computing across multiple Linux/Unix environments must be eliminated.
Users should have unimpeded, secure and compliant access to the computing services they need to do their jobs right.
Computing should be secure and compliant.
6. Business challenges
• Linux/UNIX administrators require elevated (superuser) privileges to do their job
• Uncontrolled superuser access leaves the data center open to back-door entries
• Audit weakness
– Rogue admins/users covering their tracks
• Compliance and reporting
7. Delegating Superuser Privileges
• Linux/UNIX admins require elevated (Superuser) privileges to do their jobs
[Diagram: IT Manager, System Admin, DBA, App Developer and Security Admin all logging in as root]
Novell Privileged User Manager® can solve this
8. Uncontrolled Superuser Access
Uncontrolled Superuser access leaves the data center open to backdoor entry.
Novell Privileged User Manager® can solve this
9. Audit Weakness
Audit weakness – users covering their tracks.
Novell Privileged User Manager® can solve this
10. Compliance and Reporting
Compliance and reporting of user access.
Novell Privileged User Manager® can solve this
12. Novell Privileged User Manager®
• Control user access to root privileges
• Audit all user activity with 100% keystroke logging
• Simplify audit activity with the most relevant, context-based information
• Analyze potential threats based on policy-based risk ratings
14. The Framework
• The Framework is made up of three primary components:
1. Framework Manager
2. Framework Console
3. Framework Agent
15. Framework Manager
[Diagram: a Novell Privileged User Manager® Framework Manager host running the Primary Manager with its Audit, Command Control, Compliance, Reporting, Package Manager and Back Up Manager modules, each with its local Agent]
17. Framework Agent
[Diagram: a Novell Privileged User Manager® Framework Agent host running the Command Control Agent, Registry Agent, Distribution Agent, Store and Forward Agent and, optionally, System Information, registered with the Primary Manager and Back Up Manager]
18. Underlying Modular Architecture
• Audit databases can be placed in multiple Internet locations for redundancy and security.
• Multiple Managers provide fail-over capability and load-balancing.
• Groups of Agents can be added to logical domains for load-balancing, redundancy and traffic segregation.
[Diagram: a Web Browser (Administrative Access) reaches the Framework Console on port 443; the Audit Manager, Command Control Manager and the Command Control Agents on each host communicate host to host on port 29120]
20. NPUM Prerequisites
• Admin Console requires a browser with Adobe Flash installed
• Open ports 443 (manager) and 29120 (agents and manager)
• Servers must be resolvable (DNS/hosts/etc.)
• Time in sync (use ntp)
• For SUSE® Linux Enterprise Server (SLES) – see TID#7003992 - usrun reports /bin/ls: cannot read symbolic link /proc/$$/exe: Permission denied
21. Configuration
Manager
• Novell® Privileged User Manager 2.2.1 -
– rpm -ivh novell-npum-manager-2.2.1-linux-2.X-XXX.rpm
– Verify install in /opt/novell/npum/logs/unifid.log
• Login to https://ipaddress_of_framework_manager
– User: admin
– Pwd: novell
– Default port of Framework Manager is 443
– /opt/novell/npum/service/local/admin/connector.xml
– <Connector ssl_ctx="https" port="443" mode="https"/>
22. Simple Deployment
Step 1: Install Framework Manager
• Only one Framework Manager is installed
• Framework Manager can be installed on any supported host operating system
[Diagram: Manager host with Agent hosts on SLES 11, OES2 SP2, RedHat, AIX and Solaris]
23. Simple Deployment
Step 2: Pre-register Agents
• Log onto Web Console
• Enter the names of the agents that will be added to this Framework.
[Diagram: Manager host with Agent hosts on SLES 11, OES2 SP2, RedHat, AIX and Solaris]
24. Configuration
Agents
• Installing and registering an NPUM Agent
– rpm -ivh novell-npum-agent-2.2.1-linux-2.X-XXXX.rpm
– Register the Agent
> sd145:/ # /opt/novell/npum/sbin/unifi regclnt register
Please provide the hostname or address for the framework manager : () 151.155.128.68
Please provide the port number for the framework manager: (29120)
Please provide the hostname or address for this agent: (sd145)
Please provide the registered agent name for this agent: (sd145)
25. Simple Deployment
Step 3: Install Framework Agents
• Each Framework Agent has a unique installer for the platform.
• During the install process the Framework Manager address is entered together with valid Framework credentials to register the new Agent into the Framework.
• The Agent and Manager handshake and a trust relationship is established.
[Diagram: Manager host with Agent hosts on SLES 11, OES2 SP2, RedHat, AIX and Solaris]
27. Novell Privileged User Manager®
[Diagram: Non-controlled – log in as root; submit user: root; runuser: root; remote shell. NPUM controlled – log in as aaron; submit user: aaron; authorization against the Command Control DB; runuser: root; remote shell]
– User logs in with own non-privileged account
– Commands authorized before being executed remotely
– Known as ‘root delegation’
28. Configuration
Setting up Rules
• Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run.
• Optional rule conditions:
– The command being submitted
– The user and host submitting the command
– The user and host assigned to run the command
– The time the command is submitted
– etc.
29. Configuration
Setting up Commands
• Commands
– Commands
> novell-tomcat5*
» Would allow all options after novell-tomcat5
» Examples: novell-tomcat5 start or novell-tomcat5 stop, etc.
– Commands, using regular expressions
> =~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#
» Would allow /etc/init.d/novell-tomcat5 or novell-tomcat5 with any options afterwards.
» Examples: /etc/init.d/novell-tomcat5 start or novell-tomcat5 stop, etc.
30. Configuration
Setting up Scripts
• Scripts
– In addition to commands, Perl scripts can be added to rules to do additional processing such as:
> Send an email when a command is run
> Execute the Run user's profile
> Define illegal commands
> Truncate stdin/stdout/stderr captured by KB
31. Configuration
Running Commands
• usrun – usrun [command]
– usrun passes the command to the Command Control Manager for authorization. The command is allowed or denied based on the configured rules.
– Examples:
> usrun /etc/init.d/ndsd stop
> usrun novell-tomcat5 restart
• Rush – usrun rush
– The Rush shell is based on the Korn (ksh) shell. Rush allows for complete session capture. Configure command risk.
• Crush – change the user's logon shell to /usr/bin/crush. Crush allows for complete session capture, without granting superuser privileges.
33. Audit/Reporting
• Independent audit events are sent to the configured Audit servers from each agent
• Audit events include the following:
– Capture (Full keystroke session playback)
– Start time/End time
– User, Host, Command
– Authorized/Unauthorized
34. Compliance
• Compliance Auditor collects, filters and generates reports of audit data for analysis and sign-off by authorized personnel.
• Rules can be configured to pull any number of audit events matching a given filter at a specific interval.
• When an audit event is viewed, auditors can authorize the event, mark it as unauthorized, escalate it, or assign it to someone else for further review.
– Each change is recorded as an “Audit trail”
• Automatic reports can be generated and e-mailed to appropriate personnel
35. Workflow for Novell Privileged User Manager®
[Diagram: User Activity → Command Control (Audit Rules, Log) → Compliance Auditor → Manager]
1. Command Control validates and secures the user session; the session event and keystroke log are recorded
2. Command Control adds an audit group and risk rating
3. Automated rules pull events into the Compliance Auditor database according to pre-defined risk filters
4. Manager notified by e-mail each night of events waiting to be authorized
5. Manager logs into Compliance Auditor and authorizes events
Each event record is color-coded according to the highest rated command risk
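As an added example (not the product's own Compliance Auditor code), the following Python models slides 33 to 35: each session record is rated by its highest-rated command, an automated rule pulls pending events at or above a risk filter, and every auditor decision is appended to the event's audit trail. The event fields, colour palette and sample events are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

RISK_ORDER = {"low": 1, "medium": 2, "high": 3}
COLOR = {"low": "green", "medium": "amber", "high": "red"}  # assumed palette

@dataclass
class AuditEvent:
    """One session record with the fields slide 33 lists (capture omitted)."""
    event_id: int
    user: str
    host: str
    commands: List[Tuple[str, str]]   # (command, risk rating assigned by its rule)
    authorized: bool
    status: str = "pending"           # pending | authorized | unauthorized | escalated
    audit_trail: List[Tuple[str, str, str, str]] = field(default_factory=list)

def session_risk(ev: AuditEvent) -> str:
    """Slide 35: a record is rated by its highest-rated command."""
    return max((r for _, r in ev.commands), key=RISK_ORDER.__getitem__, default="low")

def color_code(ev: AuditEvent) -> str:
    return COLOR[session_risk(ev)]

def pull_events(events: List[AuditEvent], min_risk: str = "medium") -> List[AuditEvent]:
    """The automated rule of step 3: pending events at or above the risk filter."""
    return [e for e in events
            if e.status == "pending"
            and RISK_ORDER[session_risk(e)] >= RISK_ORDER[min_risk]]

def review(ev: AuditEvent, auditor: str, action: str, note: str = "") -> AuditEvent:
    """Step 5: an auditor's decision; each change is appended to the audit trail."""
    if action not in ("authorized", "unauthorized", "escalated"):
        raise ValueError(f"unknown action {action!r}")
    ev.audit_trail.append((auditor, ev.status, action, note))  # who, from, to, why
    ev.status = action
    return ev

# Constructed sample events (user and host names taken from the deck's demos).
SAMPLE = [
    AuditEvent(1, "bergerbr", "sd145",
               [("/etc/init.d/ndsd stop", "high"), ("ls /var/opt/novell", "low")], True),
    AuditEvent(2, "aaron", "sles11-npum2", [("novell-tomcat5 restart", "medium")], True),
    AuditEvent(3, "aaron", "sles11-npum2", [("rm -rf /var/opt/novell", "high")], False),
    AuditEvent(4, "bergerbr", "sd145", [("ls /home", "low")], True),
]
```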
37. Demo
Agent install and registration
• Agent installation
– rpm -ivh novell-npum-agent-2.2.1-linux-2.4-intel.rpm
• Agent must be entered into the GUI
– Host | Select the desired domain | “Add Hosts”
• Agent registration
– Please remember to register this installation with the Novell Privileged User Manager using the command: /opt/novell/npum/sbin/unifi regclnt register
38. Demo
Agent install and registration
• Agent registration (client side)
sles11-npum2:~ # /opt/novell/npum/sbin/unifi regclnt register
Please provide the hostname or address for the framework manager : () 151.155.130.142
Please provide the port number for the framework manager: (29120)
Please provide the hostname or address for this agent: () 151.155.128.131
Please provide the registered agent name for this agent: (sles11-npum2)
Framework manager: 151.155.130.142:29120
Agent hostname or address : 151.155.128.131
Agent name : sles11-npum2
Is this correct: (y)
Please enter the name and password of an account with permission to register this host.
User name: (admin)
Password:
39. Demo
Patching Hosts
• Once the Agent has been installed, patches can be deployed through the GUI to all registered hosts.
• Login to GUI | Hosts | select the desired host | Update Packages
• Patches may be applied on a single host, by domain, or to all hosts in the environment
40. Demo
Securing OES2 Services
• On OES2 Linux, most of the “services” such as eDirectory™, novell-tomcat5, LUM, etc. must be configured and administered as root
• With Novell® Privileged User Manager, simple rules can be created to allow administrators of these services to run their commands with root privileges WITHOUT knowing root's password or logging in as root.
41. Demo
Securing OES2 Services (cont.)
• Sample rule to Start/Stop eDirectory ™
• Begin Rule: eDirectory Stop/Start
If (command IN eDir Start/Stop AND user IN eDirAdminFull)
Then
Set Authorize: yes
Set runUser = "root"
Run Script: Execute RunUsers Profile()
Stop if authorized
End If
End Rule: eDirectory Stop/Start
42. Demo
Securing OES2 Services (cont.)
From this example, user “bergerbr”, who is a member of the eDirAdminFull group and logged in with normal privileges, would be able to run “usrun /etc/init.d/ndsd stop” or “usrun /etc/init.d/ndsd start”.
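As an added example (not the product's rule engine or syntax, and not code from the presenters), here is a small Python model of how the eDirectory Stop/Start rule on slide 41 and the two command forms on slide 29 decide whether a submitted command is authorized and which run user it gets. The contents of the eDir Start/Stop command set, the tomcatAdmins rule and the group membership are assumptions; it also shows why the anchored =~#...# form is tighter than the glob form.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed command sets. "novell-tomcat5*" and the =~#...# regex are the two
# forms shown on slide 29; the "eDir Start/Stop" set named by the slide 41 rule
# is an assumption built from the two commands slide 42 mentions.
COMMAND_SETS = {
    "tomcat glob": ["novell-tomcat5*"],
    "tomcat regex": [r"=~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#"],
    "eDir Start/Stop": [r"=~#^/etc/init.d/ndsd\s+(start|stop)$#"],
}
# Constructed group membership (slide 42 puts bergerbr in eDirAdminFull).
GROUPS = {"eDirAdminFull": {"bergerbr"}, "tomcatAdmins": {"aaron"}}

def command_matches(pattern: str, command: str) -> bool:
    """Match one pattern: =~#regex# is a regular expression, anything else a glob."""
    if pattern.startswith("=~#") and pattern.endswith("#"):
        return re.search(pattern[3:-1], command) is not None
    return fnmatch.fnmatchcase(command, pattern)

def command_in(set_name: str, command: str) -> bool:
    return any(command_matches(p, command) for p in COMMAND_SETS[set_name])

@dataclass
class Decision:
    authorize: bool = False           # default: nothing is authorized
    run_user: Optional[str] = None
    scripts: List[str] = field(default_factory=list)

def evaluate(user: str, command: str) -> Decision:
    """Slide 41 rule 'eDirectory Stop/Start', then a constructed tomcat rule."""
    d = Decision()
    # Begin Rule: eDirectory Stop/Start
    if command_in("eDir Start/Stop", command) and user in GROUPS["eDirAdminFull"]:
        d.authorize = True
        d.run_user = "root"
        d.scripts.append("Execute RunUsers Profile()")
        return d  # Stop if authorized
    # End Rule. Constructed rule for novell-tomcat5 admins using the anchored
    # regex set rather than the glob: "novell-tomcat5*" also matches a command
    # such as "novell-tomcat5x start", so the regex is the tighter choice.
    if command_in("tomcat regex", command) and user in GROUPS["tomcatAdmins"]:
        d.authorize = True
        d.run_user = "root"
        return d
    return d  # no rule matched: the command is denied and never runs as root
```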
45. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.