Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

This session will discuss the implementation tasks needed to deploy Novell Privileged User Manager. It will particularly emphasize considerations for determining requirements for the initial phase and a roadmap for subsequent phases. We will also share tips on design and approaches for implementing Privileged User Manager based on implementations from Novell Services.

We will discuss specifics of Privileged User Manager implementation in a service provider environment. The session will include technical details of integration with Novell Identity Manager and Novell Sentinel. These products will help you create a full solution for managing the lifecycle of privileged users, providing accountability to meet compliance requirements, and practicing solid corporate IT governance.


Transcript

  • 1. Creating a Full Privileged User Solution with Novell® Privileged User Manager, Novell® Identity Manager and Novell Sentinel™
    Warren Alkire, Senior Technology Specialist, Novell, Inc. / warren.alkire@novell.com
  • 2. Agenda
    • Session Focus
    • Novell® Privileged User Manager Implementation Steps
      – Scope
      – Requirements Assessment
      – Design
      – Develop/Build
      – Testing
      – Training
      – Deployment
    • Integration with Novell® Identity Manager
    • Integration with Novell Sentinel™
    © Novell, Inc. All rights reserved.
  • 3. Session Focus
    • Primary steps to successfully implement Novell® Privileged User Manager
    • Not training on Novell Privileged User Manager
    • Share implementation tips and strategies
    • Adding Novell Identity Manager for a full privileged user life cycle solution
    • Integration with Novell Sentinel™
    • Context is privileged user management implementation – phase 1
  • 4. Architecture Review
    (Diagram: a numbered flow, steps 1 through 6, between the labelled components Agent, Manager, Summit Host, Rules Agent and Run Host, with an Event Log and an I/O Log.)
  • 5. Compliance Audit Review
    (Diagram: session event and keystroke log flowing through Command Control, User Activity, Audit Rules, Log, Compliance Auditor and Manager.)
    1. Validate and secure user session
    2. Add audit group and risk rating
    3. Automated rules pull events into Compliance Auditor database according to pre-defined risk filters
    4. Manager notified by e-mail each night of events waiting to be authorized
    5. Manager logs into Compliance Auditor and authorizes events
    Each event record is color-coded according to the highest rated command risk
  • 6. Novell® Privileged User Manager Implementation Steps – Scope and Time Line
  • 7. Scope
    • Approach for phase 1
      – Just audit
        > Authorize crush shell from sample commands and set as default
        > May need to authorize switch to root or other privileged accounts
      – Audit and analyze
        > Above plus reporting – use for future privilege segregation
      – Reduce sudoers file maintenance – one place
        > Likely require identity management integration
      – Segregate privileges
        > Requires grouping/role definition of privileged users
      – Full scale implementation
        > Usually not phase 1
  • 8. Scope
    • Phase 1 considerations
      – Environments to manage
        > Number of systems to manage
        > Number of different platforms (operating systems)
      – Initial target systems
        > Non-production systems may be initial target
      – Initial user population
        > Limited administrators – such as print queue creators
        > Administrators implementing Privileged User Manager
      – Phasing implementation
        > Roll out by groups of privileged users
        > Roll out by groups of managed platforms
  • 9. Environment Approach
    • Three Environments
      – Development, quality assurance/testing, production
      – Enables testing of roll-out procedures
      – Set-up for future solution expansion with minimal impact
      – May be driven by identity management co-project
    • Two Environments
      – Development and production
      – Gives up testing of roll-out procedures
    • Single Environment
      – Use built-in testing mechanisms
      – Extra caution doing future upgrades
  • 10. How Long Will This Take?
    • Obviously dependent on scope
    • Sample implementation assumptions
      – No integration with identity management systems
      – Three environments – development, quality assurance/testing, production
      – All Unix/Linux computers patched to required level
      – All Unix/Linux computers standardized as much as possible – enables rapid deployment of Novell® Privileged User Manager
      – Use existing software distribution mechanism
      – No more than 5 command control rules required
      – No more than 2 compliance reports required
  • 11. Sample Project Time Estimate
    • Requirements and design phase – 2 weeks
      – These phases often combined for Novell® Privileged User Manager-only engagement
      – May not be critical path when combined with identity management implementation
    • Develop/Build/Unit Test – 3 weeks
    • User Acceptance/System Integration Testing – 2 weeks
      – Lengthened if part of identity management project
    • Deployment to Production/Go live/Support – 2 weeks
  • 12. Sample Project Team
    • Novell® Privileged User Manager Specialist – 9 weeks
    • Project Manager – 9 weeks for 8 hours per week
    • Architect/Senior Specialist – 2 to 3 weeks
      – Provides additional experience to requirements and design
      – Design of Novell Privileged User Manager server requirements
      – Design of managed hosts structure
      – Validation of design
  • 13. Novell® Privileged User Manager Implementation Steps – Requirements
  • 14. Requirements Assessment Tasks
    • Determine Novell® Privileged User Manager administration – auditors and administrators
    • Determine command control requirements
      – Based on approach determined in scope
      – May require grouping users into roles
  • 15. Requirements Assessment Tasks
  • 16. Requirements Assessment Tasks
    • Determine Novell® Privileged User Manager administration – auditors and administrators
    • Determine command control requirements
      – Based on approach determined in scope
      – May require grouping users into roles
    • Determine auditing requirements
      – Audit logs fed to a syslog manager?
      – Report requirements
      – Audit rules
      – Access control within Novell Privileged User Manager
      – Archiving
  • 17. Requirements Assessment Tasks (cont.)
  • 18. Requirements Assessment Tasks (cont.)
    • Determine account provisioning strategy for target systems
      – Manual or existing account provisioning process
      – Integration with identity management system providing account provisioning
    • Determine host structure, data center, fail over requirements
      – Platform inventory
      – Platform location – data center structure
      – Command Control Manager requirements
      – Audit Manager requirements – auditing sent separately
  • 19. Novell® Privileged User Manager Implementation Steps – Design
  • 20. Design Tasks
    • Design host structure
  • 21. Host Structure Design Example – Bad Design
    (Diagram: a Data Center 1 Domain containing a Non-Production Domain and a Production Domain; the hosts shown are Framework Manager, Agent 1, Command Control Manager 1, Audit Manager 1, Command Control Manager 2, Command Control Managers 3 and 4 (both marked future) and an unlabelled “?” server.)
  • 22. Design Tasks
    • Design host structure
      – Previous example shows sample host design
      – Not a good design
        > Production domain is a child of non-production domain
        > Updates to parent domain propagate to child domains
        > Upgrade to non-production domain updates production domain immediately
        > No way to test upgrades in non-production environment prior to deployment
      – Better design
        > Make the “?” server a fail-over Command Control Manager
        > Make production and non-production domains peers
  • 23. Design Tasks (cont.)
    • Design host structure
    • Design command control rules
    • Design provisioning of access within Novell® Privileged User Manager
      – Novell Privileged User Manager administrators
      – Novell Privileged User Manager auditors
    • Design compliance manager reports
    • Solution design review
  • 24. Novell® Privileged User Manager Implementation Steps – Develop/Build
  • 25. Development/Build Tasks
    • Install Framework Manager
    • Create host structure
    • Install Framework Agent on all servers managed by Novell® Privileged User Manager (by environment)
    • Push packages
      – Audit Managers
      – Command Control Managers
      – Possibly some packages to all managed servers
    • Build and test Command Control rules
    • Set up SYSLOG if required
  • 26. Development/Build Tasks (cont.)
    • Set up audit rules
    • Configure/develop audit reports
    • Set up access control within Novell® Privileged User Manager
    • Develop aliases or functions for managed systems
    • Customer requirements checkpoint
    • Unit test solution
      – Testing by the developer
      – Include positive and negative tests
  • 27. Novell® Privileged User Manager Implementation Steps – Testing: User Acceptance and System Integration
  • 28. System Integration Testing
    • Required if Novell® Privileged User Manager is part of a larger project for privileged user management
    • Test with identity management system
      – Test full user life cycle
      – Test privileged access managed by Novell Privileged User Manager granted when privileged account active
      – Test privileged access managed by Novell Privileged User Manager revoked when privileged account is disabled/deleted
  • 29. Deployment to Test Environment
    • Prior to system integration or user acceptance testing – whichever done in Quality Assurance environment
    • Software installation on Novell® Privileged User Manager servers and target systems
    • Testing of any automated installation mechanisms – ZENworks®, scripts, jump boxes, Tivoli, etc.
    • Migration of configuration from development environment
    • Configuration of Mail (SMTP) server if used
  • 30. User Acceptance/Go-Live Preparation
    • User (customer) acceptance testing
      – Customer testing to ensure stated requirements met
      – Change management important here
    • End user training
      – Part of testing for end users involved in project
      – Training for privileged users that will use the new solution
      – Communication!
  • 31. Novell® Privileged User Manager Implementation Steps – Go-Live
  • 32. Deployment to Production Tasks
    • Software installation on Novell® Privileged User Manager servers and target systems
      – Novell Privileged User Manager servers (Command Control, Audit) – may use manual installation prior to go-live
      – Novell Privileged User Manager Agent on managed servers – use automated process tested prior to Quality Assurance testing
    • End user communications
    • Configuration migration from Quality Assurance Testing environment
    • Configure production host structure
    • Customer additional go-live tasks
  • 33. Integration with Novell® Identity Manager
  • 34. Novell® Identity Manager Integration
    • Novell method to create a full privileged user solution
    • Account provisioning if root accounts currently shared
    • Novell Identity Manager tasks likely the critical path
    • Novell Identity Manager driver options
      – Fan-out for Unix/Linux
      – Nx Settings driver
      – Unix/Linux bi-directional driver
    • Fan-out and Nx Settings drivers most likely
      – Strength is managing large number of Unix/Linux systems
      – Few user account attributes to manage
  • 35. Novell® Identity Manager Integration (cont.)
    • Sample Novell privileged user solution
      – Novell Privileged User Manager
      – Novell Identity Manager/Roles Based Provisioning Module
        > Fan-Out driver
        > Nx Settings driver
        > eDirectory™ driver to Identity Vault
        > Scripting driver for Novell Privileged User Manager provisioning
      – Novell Sentinel™
    • Non-privileged account usual starting point for Novell Privileged User Manager granted privileges
    • Need account and access provisioning/management
  • 36. Novell® Identity Manager Integration (cont.)
    • Unprivileged account provisioning options
      – Provision to /etc/passwd and /etc/shadow
      – Fan-out PAM re-direction – requires solution for home directory
      – Other PAM (non-Novell) – requires solution for home directory
      – “Brand X” provisioning (non-Novell)
    • Password synchronization often desirable
    • Provisioning to Novell Privileged User Manager
      – May facilitate Command Control Manager authorization for privileged access using user account groups
      – Done by scripting driver or fan-out driver scripts
  • 37. Example Provisioning to Novell® Privileged User Manager
  • 38. Testing
    • Novell® Identity Manager and Novell® Privileged User Manager should be integration tested together
    • Test full user life cycle
    • Test privileged command authorization
    • Ensure Novell Privileged User Manager does not allow privileged access when rights revoked – negative tests
    • Test password synchronization
  • 39. Integration with Novell® Identity Manager – Account Group Provisioning
  • 40. User Account Group Provisioning
    • Method of adding/removing entries in a Privileged User Manager “Account Group”
    • Interface actually designed for importing/exporting Command Control policies
    • Best available interface for current product versions
    • Implemented with scripts – scripting driver or fan-out driver scripts
    • Not easy to create new groups – new group's key needed for later update
    • Manipulate existing groups easily
  • 41. User Account Group Provisioning (cont.)
    • Command line tool to call CLI methods on certain modules – /opt/novell/npum/sbin/unifi
    • Uses the XML used by Command Control to export and update policies
    • Two authentication methods
      – Pass admin user and password with -u and -p
      – Use the -n option and native maps in the Framework User Manager to associate a native user on a Framework Manager computer with an admin user
    • Following examples assume native maps option
  • 42. User Account Group Provisioning (cont.)
    • Export the Command Control policy
      – unifi -n cmdctrl export -c -f ccout.xml
    • Exports the Command Control policy as XML
    • Look for UserGroup entity and get key value
    • Following example has a key value of “2214”
  • 43. User Account Group Provisioning (cont.)
      <UserGroup name="Entitlement" I.disabled="0" I.id="2214">
        <UserGroup name="Entitlement" I.key="2214">
          <Disabled b.value="0"/>
          <Description value=""/>
          <MgrName value=""/>
          <MgrTel value=""/>
          <MgrEmail value=""/>
          <UserList>
            <a.User value="admin1@host1:root,newgrp"/>
          </UserList>
        </UserGroup>
      </UserGroup>
  • 44. User Account Group Provisioning (cont.)
    • Create a file that contains XML similar to the following
      <UserGroup I.key="2214">
        <UserList>
          <a.User value="admin2@host1:root" action="add"/>
        </UserList>
      </UserGroup>
    • Pass above XML into Command Control import function to load updates to the policy referenced by the key
      – unifi -n cmdctrl import -f ccin.xml
    • File named ccin.xml for this example
  • 45. User Account Group Provisioning (cont.)
    • Use action='del' to remove an entry
      <UserGroup I.key="2214">
        <UserList>
          <a.User value="admin2@host1:root" action="del"/>
        </UserList>
      </UserGroup>
  • 46. User Account Group Provisioning (cont.)
    • Use action='set' to set the entire list
      <UserGroup I.key="2214">
        <UserList action="set">
          <a.User value="admin1@host1:root"/>
          <a.User value="admin2@host1:root"/>
          <a.User value="admin3@host1:root"/>
        </UserList>
      </UserGroup>
  • 47. User Account Group Provisioning (cont.)
    • Example of using Novell® Identity Manager to provide authorization within Novell® Privileged User Manager
    • Places entry in the Novell Privileged User Manager User Account Groups
    • Conditional script checks for entry to authorize execution of privileged commands
    • Scripts run on the Novell Privileged User Manager server running the master Command Control Manager
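The export, find-the-key, import flow of slides 41 through 46, worked through as an added example; this is not code from the deck or from Novell. It parses a constructed policy export (the UserGroup fragment and key 2214 are the deck's sample; the enclosing <Policy> root element is an assumption so the sample parses), looks up a group's I.key by name, and builds the add/del/set import XML that unifi consumes. The entry format user@host:account[,group] is assumed from the deck's samples, and the script only produces the argv for the import call rather than running unifi, so it runs offline.

```python
"""Build Privileged User Manager Account Group updates from a policy export.

Flow: unifi export -> locate UserGroup key -> write import XML -> unifi import.
"""
import re
import xml.etree.ElementTree as ET

UNIFI = "/opt/novell/npum/sbin/unifi"   # tool path given in the deck

# Constructed sample export. The <UserGroup> shape and key 2214 come from the
# deck's slide 43; the <Policy> root is an assumption so the fragment parses.
SAMPLE_EXPORT = """<Policy>
<UserGroup name="Entitlement" I.disabled="0" I.id="2214">
  <UserGroup name="Entitlement" I.key="2214">
    <Disabled b.value="0"/>
    <Description value=""/>
    <MgrName value=""/>
    <MgrTel value=""/>
    <MgrEmail value=""/>
    <UserList>
      <a.User value="admin1@host1:root,newgrp"/>
    </UserList>
  </UserGroup>
</UserGroup>
</Policy>"""

# user@host:account[,group]: format assumed from the deck's sample entries.
ENTRY_RE = re.compile(r"^[\w.-]+@[\w.-]+:[\w.-]+(,[\w.-]+)*$")


def find_group_key(export_xml, group_name):
    """Return the I.key of the named UserGroup in an exported policy, or None.
    Only the inner element carries I.key; the outer one has I.id."""
    root = ET.fromstring(export_xml)
    for ug in root.iter("UserGroup"):
        if ug.get("name") == group_name and ug.get("I.key"):
            return ug.get("I.key")
    return None


def list_group_users(export_xml, key):
    """Current a.User values of the UserGroup with the given key."""
    root = ET.fromstring(export_xml)
    for ug in root.iter("UserGroup"):
        if ug.get("I.key") == key:
            return [u.get("value") for u in ug.iter("a.User")]
    return []


def build_import_xml(key, entries, action):
    """XML for 'unifi -n cmdctrl import -f <file>'.
    action 'add' / 'del' marks each entry; 'set' replaces the whole list."""
    if action not in ("add", "del", "set"):
        raise ValueError("action must be add, del or set")
    bad = [e for e in entries if not ENTRY_RE.match(e)]
    if bad:
        # Reject malformed entries before they reach the policy store.
        raise ValueError("malformed entries: %s" % bad)
    ug = ET.Element("UserGroup", {"I.key": key})
    ul = ET.SubElement(ug, "UserList")
    if action == "set":
        ul.set("action", "set")          # slide 46: action on the list
    for e in entries:
        attrs = {"value": e}
        if action != "set":
            attrs["action"] = action     # slides 44/45: action per entry
        ET.SubElement(ul, "a.User", attrs)
    return ET.tostring(ug, encoding="unicode")


def unifi_import_argv(xml_path):
    """argv for the import call, using the -n native-maps option as the deck does."""
    return [UNIFI, "-n", "cmdctrl", "import", "-f", xml_path]


if __name__ == "__main__":
    key = find_group_key(SAMPLE_EXPORT, "Entitlement")
    print("key:", key, "members:", list_group_users(SAMPLE_EXPORT, key))
    print(build_import_xml(key, ["admin2@host1:root"], "add"))
    print(" ".join(unifi_import_argv("ccin.xml")))
```

In a scripting-driver or fan-out script the generated string would be written to ccin.xml and the argv list handed to the process runner; re-exporting afterwards and comparing list_group_users against the intended membership is the cheap negative test the deck's slide 38 asks for.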
  • 48. Integration with Novell Sentinel™
  • 49. Integration with Novell Sentinel™
    • Novell® Privileged User Manager audit options
      – Built in logging and compliance reporting
      – SYSLOG emitter
      – Novell Sentinel
    • Novell Sentinel provides auditing of Novell Identity Manager and Novell Privileged User Manager together
    • Correlations can be developed
  • 50. Integration with Novell Sentinel™ (cont.)
    • Home > Reporting > Syslog Settings
    • Set DNS name or IP address of Novell Sentinel Server
    • Default Novell Sentinel port is 1468
      – Default syslog port is 514
    • Do not change the format strings – ${}$
      – Novell Sentinel instrumented for the full Novell Privileged User Manager strings
    • Standard events shown in following slide
  • 51. Novell Sentinel™ Configuration
  • 52. Questions and Answers
  • 53. Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
